Hi there,

On Sun, 26 Jan 2020, Eduardo Lúcio Amorim Costa via clamav-users wrote:

> Is it correct to assume that the "clamd@scan" service, once started, can
> find threats that already exist on my server? ...

Your question says: "can find" - Strictly speaking, yes this is correct.
But the question and my answer need some qualification.

> ... Is it correct to assume that the "clamd@scan" service in its
> normal operation will eventually find that threat and notify me
> (log, mail, etc...)?

"will eventually find" - No, this is certainly not correct.  You need

(1) Something which will show it to clamd.  This is 'running a scan',
there is more than one way to do it.

Consider also the probability that ClamAV will find a threat even if
you know it is there somewhere.  This is not magic.  In the end it all
boils down to a comparison operation.  So you also need

(2) Something which causes clamd to detect the threat _if_ it sees it.

This is either a signature in a database, or some ClamAV code.

My estimate is that on a good day you have about a one in three chance
that ClamAV will find a random threat.  There are not-so-good days, we
call them "zero days", on which you have no chance at all; and unless
something is done to cause ClamAV to recognize that threat (either by
a change to a database, or to the code) ClamAV will never detect it -
no matter how many times it sees it.

Please spend some quality time with the documentation.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
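
Added example, not part of the original message or of ClamAV's own code: a minimal client that does the "showing" from point (1) by walking a directory and submitting each file to a running clamd over its documented INSTREAM command. The function names are hypothetical, and the socket path you pass must be the LocalSocket value from your own clamd configuration (an assumption, the thread does not give one). A "clean" result only means no signature or code matched, which is point (2).

```python
import os
import socket
import struct

def frame_instream(data, chunk=8192):
    """Bytes of one zINSTREAM request: command, length-prefixed chunks, terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)  # 4-byte network-order length
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)

def parse_reply(raw):
    """Map a clamd reply to (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("clean", None)  # nothing matched; not proof the file is harmless
    if verdict.endswith(" FOUND"):
        return ("infected", verdict[:-len(" FOUND")])  # detail = signature name
    return ("error", text)  # e.g. size limit exceeded, or an empty reply

def scan_file(path, sock_path):
    # Whole file is read into memory; it must fit under clamd's StreamMaxLength.
    with open(path, "rb") as fh:
        data = fh.read()
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(60)
        s.connect(sock_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands get NUL-terminated replies
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)

def sweep(root, sock_path):
    """Submit every regular file under root; return the non-clean results."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                result = scan_file(p, sock_path)
                if result[0] != "clean":
                    hits.append((p, *result))
    return hits
```

Run `sweep()` from cron or a systemd timer and alert on a non-empty result; without some such caller, clamd is never shown the files already on disk.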
