On Mar 16, 2011, at 2:36 PM, Bryan Burke wrote:

>> find [path to directory] [path to second directory] ! -type d -mmin -60 >
>> [path to output file later read by clamav]
>
> This might not be too much of an issue, but thought I'd point it out: You
> might change "! -type d" to "-type f" (better to be more specific), because
> I don't think you want to scan device files, pipes, links, etc.

Ah, thanks. I did not know whether I should exclude those other types, but I *knew* I did not want directories.

Studying the FIND man page a little, I am wondering whether I should actually be using -cmin instead of -mmin. cmin (according to the man page) returns files that have had a "...change of file status information.." in the results. A little testing shows that it includes files in the results that have been newly introduced into the file system, in addition to files that have been modified. This would solve the issue of an "old" baddie being copied onto the machine with an "old" modification date. I'm sure it does not get around the risk of faking file times, though.

-----------------
Russ Tyndall
Wake Forest, NC
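
The two selections discussed in this thread, compared side by side in an added example that is not part of either message. It assumes a find that supports -mmin and -cmin (GNU or BSD find); the file names and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: compare the original selection (! -type d -mmin -60)
# with the revised one (-type f -cmin -60) on a scratch directory.

# Create sample files and print the scratch directory path.
make_samples() {
    dir=$(mktemp -d)
    echo "fresh" > "$dir/new_file.txt"          # mtime and ctime are both "now"
    echo "old"   > "$dir/backdated.txt"
    touch -t 201001010000 "$dir/backdated.txt"  # mtime set to 2010; ctime stays "now"
    mkfifo "$dir/a_pipe"                        # named pipe: not something to scan
    mkdir "$dir/subdir"
    printf '%s\n' "$dir"
}

# Selection from the first message: everything except directories, by mtime.
select_original() {
    find "$1" ! -type d -mmin -60 | sort
}

# Selection after both suggestions: regular files only, by inode change time.
select_revised() {
    find "$1" -type f -cmin -60 | sort
}

# Stand-alone run: print both lists, then clean up.
d=$(make_samples)
echo "original (! -type d -mmin -60):"
select_original "$d"    # lists a_pipe and new_file.txt, misses backdated.txt
echo "revised (-type f -cmin -60):"
select_revised "$d"     # lists backdated.txt and new_file.txt, no pipe
rm -rf "$d"
```

The revised list can be written to a file and passed to clamscan with its --file-list option.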