Andrew C Aitchison via clamav-users <clamav-users@lists.clamav.net> wrote:
> 
> No. clamD scans data passed to it by clamdscan, usually over a socket or
> pipe.

Ah... I missed INSTREAM in the clamd man page. Locally, though, surely
SCAN/CONTSCAN/etc. are much more efficient. And remotely, sending the
entire contents of the system over the net isn't practical at scale.

> That does mean that any malware which is missed in the first run
> will not be detected in subsequent runs.

True. I suppose we'd want to do monthly full scans.

> 3000 machines per week, gives you about 3.36 minutes for each machine to
> send all its local data to the scanning machine.
> Instead I would run a local, mirror, repository of the database
> and use freshclam on each machine to keep its database in sync with your
> mirror, then run clamd and a clamdscan cron? script on each machine.

We've already got a local mirror. Is there a way to get clamd/clamdscan
to work without permission problems besides running clamd as root? Does
--fdpass get around that?

> I would also look at on-access scanning.

I tried it but got permission errors on anything not world-accessible.
I suspect the overall performance hit would be too high.

> Scanning files as they are used might mean more or less work
> than scanning every file every week.

Except full dumps are going to cause everything to be scanned.

-Dave

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
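
The INSTREAM exchange discussed in this thread, as an added example that is not part of the original message or of ClamAV's own code: the client reads the data with its own permissions and streams it, so clamd never opens the path (unlike SCAN/CONTSCAN, where clamd itself must be able to read the file). The function names, chunk size and sample replies are constructed for illustration; the framing follows the clamd man page.

```python
import struct

CHUNK = 8192  # assumed chunk size; total data must stay under clamd's StreamMaxLength

def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the byte strings a client writes for one INSTREAM session."""
    yield b"zINSTREAM\0"                        # 'z' prefix: NUL-terminated command
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack("!I", len(part)) + part   # 4-byte big-endian length, then data
    yield struct.pack("!I", 0)                  # zero-length chunk ends the stream

def parse_reply(raw: bytes):
    """Turn a clamd reply line into (status, detail)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # e.g. "stream: <signature name> FOUND"
        return ("FOUND", text[:-len(" FOUND")].partition(": ")[2])
    if text.endswith("ERROR"):
        # e.g. the size-limit error clamd sends before closing the connection
        return ("ERROR", text[:-len("ERROR")].strip())
    if text.endswith("OK"):
        return ("OK", "")
    return ("UNKNOWN", text)

def scan_stream(sock, data: bytes, chunk: int = CHUNK):
    """Send data over an already-connected clamd socket and return the verdict."""
    for frame in instream_frames(data, chunk):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):            # 'z' commands get NUL-terminated replies
        part = sock.recv(4096)
        if not part:                            # clamd closed the connection
            break
        reply += part
    return parse_reply(reply)

if __name__ == "__main__":
    # Constructed sample data and replies; no clamd needed to run this.
    print(b"".join(instream_frames(b"abcdef", chunk=4)))
    print(parse_reply(b"stream: Constructed.Test.Sig FOUND\0"))
    print(parse_reply(b"INSTREAM size limit exceeded. ERROR\0"))
```
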
