A family of Linux malware that stayed under the radar for more than 5 years: "Unboxing Linux/Mumblehard: Muttering spam from your servers" <http://www.welivesecurity.com/2015/04/29/unboxing-linuxmumblehard-muttering-spam-servers/>

-Al-

On Wed, Apr 29, 2015 at 10:27AM, G.W. Haywood wrote:
>
> Hi there,
>
> On Wed, 29 Apr 2015, John McGowan wrote:
>
>> ...
>> I suspect that most people use clamdscan to do "one off" scanning,
>> (mail servers, etc)
>
> My suspicion is that most people don't do it at all on Linux boxes.
>
> There is absolutely no point in scanning the entire filesystem on a
> typical Linux box for millions of Windows viruses, since they won't be
> there. It would be a complete waste of effort and resources, and I
> certainly never do it on the dozens of Linux boxes that I run.
>
> There might be a case for scanning parts of a Linux filesystem if it's
> used for example as a file server for Windows clients. Amongst other
> scanners I use clamd via a Sendmail milter to scan both incoming and
> outgoing mail on my mail servers, but mainly because the third-party
> signatures catch lots of unwanted mail. And even now there are a few
> people Out There who are still using Windows boxes; it would be bad if
> any person in my employ unwittingly passed a virus-ridden message from
> one Windows user to another, even if the machines which my people use
> are completely immune to infection by practically all of the malware
> for which the mail systems are scanning. The mail is scanned on the
> fly and it never gets as far as being written to the filesystem if any
> of the scanners detects something which one might consider unpleasant.
>
>> ... I'm looking for more of a traditional daily "scan the entire
>> file system" solution.
>
> I'm not sure that there's anything 'traditional' about scanning Linux
> boxes for viruses. I've never found one in that way, but I've found
> literally many thousands by scanning Windows boxes in the same way.
>
> Incidentally if you do scan a Linux filesystem, don't scan things like
> /proc and /dev because you might not like the results.
_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
