> Studying the FIND man page a little, I am wondering whether I should actually
> be using -cmin instead of -mmin. cmin (according to the man page) returns
> files that have had a "...change of file status information.." in the
> results.
>
> A little testing shows that it includes files in the results that have been
> newly introduced into the file system, in addition to files that have been
> modified. This would solve the issue of an "old" baddie being copied onto the
> machine with an "old" modification date.

If I remember correctly, one of those is the time of file data modification,
the other of file metadata modification. So, you might make your test more
inclusive and do something like "-cmin -# -o -mmin -#" where the #s are the
time specs you use; i.e. use both.

> I'm sure it does not get around the risk of faking file times, though.

It doesn't, I'm pretty sure. I think all three fields (atime, mtime, and
ctime) are all changeable by the owner of the file.

--
Bryan Burke
IT Administrator
Department of Electrical Engineering and Computer Science
University of Tennessee, Knoxville
bbu...@eecs.utk.edu
(865) 974-4694
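
The selection tests discussed in this thread, as an added example that is not part of the original messages: it builds a scratch directory with one file whose modification time has been set to an old date and one fresh file, then compares `-mmin`, `-cmin`, and the combined test. The five-minute window, the file names, and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: which files does each find test select for scanning?
WINDOW=5   # minutes; assumed scan window

# Create a scratch directory holding one backdated file and one fresh file.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf 'sample\n' > "$dir/backdated.bin"
    # Set mtime to 2020-01-01. Changing the timestamps is itself a status
    # change, so ctime is set to the current time by this call.
    touch -t 202001010000 "$dir/backdated.bin"
    printf 'sample\n' > "$dir/fresh.bin"
    printf '%s\n' "$dir"
}

# Selection by modification time only.
recent_by_mmin() { find "$1" -type f -mmin "-$WINDOW" | sort; }

# Selection by status-change time only.
recent_by_cmin() { find "$1" -type f -cmin "-$WINDOW" | sort; }

# Both tests combined. The parentheses matter: without them -o binds more
# loosely than the implicit -a, and "-type f" would apply to -cmin only.
recent_by_either() {
    find "$1" -type f \( -cmin "-$WINDOW" -o -mmin "-$WINDOW" \) | sort
}

d=$(make_sample)
echo "-mmin only:";       recent_by_mmin "$d"
echo "-cmin only:";       recent_by_cmin "$d"
echo "-cmin -o -mmin:";   recent_by_either "$d"
[ -n "$d" ] && rm -rf "$d"
```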