As with any system, really. Start with "where do files change via arbitrary user activity?"

* /home
* /tmp, /var/tmp (if different)

Then consider "which applications is the system running that could write arbitrary data and to where?"

* webserver vhost document roots, if you're running PHP apps like WordPress
* mailserver, if you've got mailboxes on the system that accept mail from outside
* any target directories for anything else you might be running

You may want to include /bin, /usr/bin and friends in case something does get on your system but DO NOT delete or quarantine files there as you WILL break your system; log and alert in whatever way you deem necessary.

In terms of rootkits - possibly/sort of, but there are different and more specific tools for those.

Generally:

* yum/dnf update frequently
* leave SELinux in enforcing mode and learn how to respond to AVC denials
* only open ports you need to the Internet
* try not to run WordPress or other PHP CMS type applications, or if you do, make damned sure you keep them bang up to date. And make sure you keep every plugin and add-on up to date. If you have users running web apps, force them to keep them updated. If they don't, get rid of them.
* if you find changes in system directories or files in /dev, burn the machine and start again.

I'm sure other opinions will be forthcoming!

Graeme

________________________________________
From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Eduardo Lúcio Amorim Costa via clamav-users <clamav-users@lists.clamav.net>
Sent: 01 February 2020 05:28
To: ClamAV users ML
Cc: Eduardo Lúcio Amorim Costa
Subject: [clamav-users] What would be a basic scan of my file system (Linux, CentOS 7)?

Okay friends!

I didn't have the best start with ClamAV, but I would really like to try using it in my infrastructure. I have two questions...

I - What would be a "basic scan" of my file system (Linux, CentOS 7) using clamscan? That is, what parameters should I use and what directories should I scan?

II - Is ClamAV able to deal with "specific" Linux dangers such as rootkits, etc?

Thanks!
=D

--
Eduardo Lúcio
LightBase Consultoria em Software Público
eduardo.lu...@lightbase.com.br
+55-61-3347-1949 - http://brlight.org - Brasil-DF
Free software! Embrace this idea!
"Those who deny freedom to others deserve it not for themselves." Abraham Lincoln
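One way to script the policy in Graeme's reply (quarantine allowed for user- and app-writable paths, report-and-alert only for system directories), as an added example that is not from the list thread. The quarantine directory, log file and the set of scanned paths are all assumptions; clamscan's --recursive, --infected, --log and --move options and its 0/1/2 exit codes are real.

```shell
#!/bin/sh
# Added example, not from the list thread: a clamscan wrapper that applies the
# policy in Graeme's reply. User/app-writable paths may be quarantined (moved);
# system directories are scanned report-only and never modified.
# All paths below are assumptions; adjust them for your hosts.

QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"   # assumed quarantine dir
LOG="${LOG:-/var/log/clamav/scan.log}"                    # assumed log file

# Print clamscan options for a policy: "quarantine" moves hits, "report" only logs.
# Assumes $LOG and $QUARANTINE contain no whitespace.
clamscan_args() {
    base="--recursive --infected --stdout --log=$LOG"
    case "$1" in
        quarantine) printf '%s --move=%s\n' "$base" "$QUARANTINE" ;;
        report)     printf '%s\n' "$base" ;;
        *)          echo "unknown policy: $1" >&2; return 2 ;;
    esac
}

# Read clamscan output on stdin and print the "Infected files: N" count (0 if absent).
parse_infected() {
    awk -F': ' '/^Infected files:/ { n = $2 } END { print n + 0 }'
}

# Scan the given paths under a policy. clamscan exits 0 clean, 1 infected, 2 error.
# Prints the infected count; returns non-zero when anything was found or failed.
scan() {
    policy="$1"; shift
    args=$(clamscan_args "$policy") || return 2
    out=$(clamscan $args "$@" 2>&1); rc=$?
    if [ "$rc" -eq 2 ]; then echo "clamscan error scanning $*: $out" >&2; return 2; fi
    n=$(printf '%s\n' "$out" | parse_infected)
    if [ "$n" -gt 0 ]; then echo "ALERT: $n infected file(s) under $* (policy=$policy)" >&2; fi
    echo "$n"
    [ "$n" -eq 0 ]
}

# Only scan when invoked as "scan.sh run" and clamscan is installed.
if [ "${1:-}" = "run" ] && command -v clamscan >/dev/null 2>&1; then
    mkdir -p "$QUARANTINE"
    scan quarantine /home /tmp /var/tmp          # user-writable
    scan quarantine /var/www /var/spool/mail     # app-writable (assumed locations)
    scan report /bin /usr/bin /sbin /usr/sbin    # log and alert only, never move
fi
```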