Hi there,

On Tue, 20 Oct 2020, Leveille, Gerald via clamav-users wrote:
G.W. Haywood wrote:
Leveille, Gerald wrote:

> I would like to know what would be the best way to do a virus scan of
> changed or new files only. I want to run a daily scan of changed and
> new files during weekdays and run a full scan on weekends.
>
> I did some search and was able to find a few ways of doing it but I
> would also like your suggestions.

It would help to know on what operating system(s) you plan to do this...

Sorry, this is on RHEL Linux 7.8.

I already have a script doing full daily scans but I want to change the 
weekdays scans.

It very much depends on the situation you're facing.

If the machine to be scanned is somehow considered to be at risk of
compromise, then if I were going to do something like this I would
probably use 'rsync' to produce a directory on another machine which
contains the files to be scanned, then pass the directory name to its
local clamd (e.g. via clamdscan) and let it get on with it.  This does
presuppose that you have another, trusted machine which is pretty much
a mirror of the machine being scanned so that rsync can do a full file
checksum to see if files have changed rather than relying on the inode
(directory) information which can be abused.  It won't be blazing fast
but you can if you wish get plenty of logging on the scanning machine.

Granted I know nothing about what your machines do, and if they store
and/or share (especially with other operating systems) any untrusted
data there might be a case for scanning.  But as you'll have gathered
if you've read any of my rambles on this list you'll know that I have
doubts about the utility of general system scanning.  In particular,
using 'find' for example doesn't take into account that an intruder
who's worth his salt will go to great lengths to avoid changing the
directory information about things he manipulates.  If he's any good,
looking for things which 'have changed' will only find the things you
aren't actually looking for, and if the scanner is on the same machine
he will almost certainly have nobbled it anyway.  The 'ls', 'ps' and
'top' commands for example won't show you the binaries he's installed
and the processes he's running because he'll have nobbled all those as
well - within a fraction of a second of gaining access.  Yes, he might
have nobbled rsync too, but it's a bit less likely and you're in with
a chance of testing for it.

My first experience of this sort of thing was over twenty years ago,
courtesy of the Red Hat Linux FTP server.  That prompted me to move
over to Slackware and start a _long_ learning process, the pace of
which has not, er, slackened to this day.  I'm not saying that the
Red Hat of today compares with the colander that it was in the late
20th century, but it's worth keeping in mind that, if you're serious
about security, you can't actually rely on anything that you haven't
thoroughly checked out yourself - and sometimes not even then.

The 64 dollar question now is "Why do you want to scan the system?"

--

73,
Ged.
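The rsync-then-clamdscan workflow Ged describes above, as an added shell example that is not from the original post or the ClamAV project; the source host name, mirror directory and log path are assumed placeholders:

```shell
#!/bin/sh
# Added example (not from the post): mirror the at-risk host onto this trusted
# scan host with a full-checksum rsync, then hand only the files rsync really
# transferred to the local clamd.  The three values below are assumptions.
SRC="scanme@untrusted-host:/"      # host at risk (assumed name)
MIRROR="/srv/mirror"               # local copy kept in sync (assumed path)
LOG="/var/log/clamav/changed.log"  # assumed log path

# Reduce rsync --itemize-changes output to the regular files that were
# received ('>f' prefix).  Directories ('cd'), symlinks ('cL') and
# '*deleting' entries carry no content worth scanning.
changed_files() {
    # $1: itemize output, $2: mirror root; prints one absolute path per line
    printf '%s\n' "$1" | awk -v root="$2" '
        /^>f/ { sub(/^[^ ]+ /, ""); print root "/" $0 }'
}

# --checksum compares whole-file checksums instead of size and mtime, so a
# file whose directory metadata was preserved by an intruder still shows up.
sync_and_scan() {
    out=$(rsync -a --checksum --itemize-changes "$SRC" "$MIRROR/") || return 1
    list=$(mktemp) || return 1
    changed_files "$out" "$MIRROR" > "$list"
    if [ -s "$list" ]; then
        # --fdpass lets clamd read files this user can open; -l logs results
        clamdscan --fdpass --file-list="$list" -l "$LOG"
    fi
    rc=$?
    rm -f "$list"
    return $rc
}
# A weekday cron entry on the scan host would call: sync_and_scan
```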

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml