On Mar 19, 2011, at 8:51 AM, G.W. Haywood wrote:

> my preference would be to scan files before they
> are written to the filesystem, or at least very soon thereafter, so as
> to keep to a minimum the risk that an unscanned, dangerous file might
> be served to a vulnerable machine. Viruses and similar have a nasty
> habit of propagating in an almost explosive fashion; a problem with a
> solution as simple as erasing a file can rapidly become one of almost
> biblical proportions, involving reinstallations of dozens of operating
> systems and much hunting for long-lost backups. It's up to the OP to
> make the judgement of course.

I think I am going to do an overnight scan of the first 200kb of every file on the system using the MaxScanSize directive and periodic scans throughout the day using the output of a FIND search on recently modified/introduced files (-cmin and -mmin). Hopefully, this means that *every* file on the server is given at least a cursory examination every day and if something new and wicked shows up there is at least some chance of finding it early (i.e., before the more comprehensive overnight scan).

(Unrelated question: is there a built-in way to have a timestamp added to the scan summary?)

-----------------
Russ Tyndall
Wake Forest, NC
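
The periodic scan described in the message above, sketched as an added example that is not part of the original thread: `find` selects files by `-mmin`/`-cmin`, the list goes to `clamscan --file-list`, and a wrapper prints its own timestamps around the scanner's summary. `SCANNER`, `SCAN_LIMIT`, `SCAN_ROOT`, `WINDOW_MIN` and `RUN_SCAN` are assumed names, and `/srv` is a placeholder path.

```shell
#!/bin/sh
# Added example, not from the original thread. SCANNER, SCAN_LIMIT, SCAN_ROOT,
# WINDOW_MIN and RUN_SCAN are assumed names chosen for this sketch.
SCANNER="${SCANNER:-clamscan}"
SCAN_LIMIT="${SCAN_LIMIT:-200K}"   # the 200 KB figure from the post

# Print regular files under $1 changed within the last $2 minutes.
# $3 picks the find test: mmin (content), cmin (inode change), or both.
recent_files() {
    case ${3:-both} in
        mmin) find "$1" -xdev -type f -mmin "-$2" ;;
        cmin) find "$1" -xdev -type f -cmin "-$2" ;;
        both) find "$1" -xdev -type f \( -mmin "-$2" -o -cmin "-$2" \) ;;
        *)    echo "unknown mode: $3" >&2; return 2 ;;
    esac
}

# Scan the files named in list file $1, one path per line, and wrap the
# scanner's own summary in start/finish timestamps.
# Returns the scanner's exit status (clamscan: 0 clean, 1 virus found, 2 error).
scan_list() {
    rc=0
    echo "=== scan started  $(date '+%Y-%m-%d %H:%M:%S') ==="
    if [ -s "$1" ]; then
        "$SCANNER" --infected --max-scansize="$SCAN_LIMIT" --file-list="$1" || rc=$?
    else
        echo "no recently changed files"
    fi
    echo "=== scan finished $(date '+%Y-%m-%d %H:%M:%S') rc=$rc ==="
    return "$rc"
}

# Periodic run, e.g. from cron: RUN_SCAN=1 SCAN_ROOT=/srv WINDOW_MIN=60 sh thisfile
if [ "${RUN_SCAN:-0}" = 1 ]; then
    list=$(mktemp) || exit 2
    trap 'rm -f "$list"' EXIT
    recent_files "${SCAN_ROOT:-/srv}" "${WINDOW_MIN:-60}" both > "$list"
    scan_list "$list"
fi
```

Using `-cmin` alongside `-mmin` also picks up files whose modification time was set to an old date when they arrived, since the inode change time still reflects when they were written.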