Hi there,
On Thu, 22 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> On Wed, 21 Oct 2020, G.W. Haywood via clamav-users wrote:
>> On Wed, 21 Oct 2020, Andrew C Aitchison via clamav-users wrote:
>>> and that using clamav's on-access scanning has the advantage of catching the
>>> nasties before the file is used, unlike the inotify-based solutions, which
>>> avoid the latency that on-access scanning produces ...
>> Not sure that I follow all that, but the perceived advantage of having
>> a potential to catch any nasties must necessarily be discounted by the
>> probability that it will catch anything when it actually looks for it.
>> Rough order of magnitude I guess a one in three chance on a good day.
> I meant that on-access scanning may block the nasty before the vulnerable
> program parses/executes the exploit, but an inotify-based solution
> will give the nasty file to the vulnerable program at the same time as, if
> not before, the scanner gets to check it.
Perhaps - you might have to be a bit more, er, creative with inotify
but it can generate an event on file create, which fanotify won't do.
The creativity would mostly be about preventing access to a newly
created file until it's been scanned and pronounced OK. I don't know
how you'd handle modifications which turn benign files into malicious
ones, and that sort of thing seems to be more common lately.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml