[ My previous reply did not reach the list, for reasons I do understand. ]
On Tue, 21 Mar 2023, Tim McConnell wrote:
Hi Andrew,
So maybe I'm misunderstanding something. I'm expecting the scan to run
once daily at 01:00. Is that not what clamonacc does? I keep getting
told to remove it but Debian installed it as a dependency so what's
going to break if I do?
It looks as though the clamav-daemon package contains two daemons,
clamonacc and clamd. You *probably* do want clamd: it runs permanently,
taking up about 1.2 gigabytes of memory and provides a malware
scanning service that saves about 15 seconds start up time on every scan.
Not significant when you run a full disk scan, but if you scan a single
file from time to time it does make a difference.
There is a third ClamAV daemon - clamav-freshclam which keeps the
virus database up to date; you certainly want that one too.
As for the question: "Do you have a plan for what you will do when it
finds a potentially malicious file ?"
Yes I will analyze it and if it is a malicious file I will remove it
after sending it to ClamAV (in case it's new) after Googling how to
safely remove it.
Good. There are options to automatically delete or quarantine suspect
files; either can stop your system from working or destroy data.
I'm still baffled by the Whitelist not working in ClamTK but I think if
I create a cronjob manually to run instead of the scheduled task from
ClamTK I can get those DIRs to be ignored and hopefully speed up the
scan?
I have never used ClamTK.
Running clamscan or clamdscan, from cron, on selected directory trees
makes sense, but do be careful to make sure false positives do no harm,
and remember that false negatives do happen frequently, so a clean scan
result proves little.
Thanks,
--
Tim McConnell <tmcconnell...@gmail.com>
On Sun, 2023-03-19 at 21:40 +0000, Andrew C Aitchison wrote:
On Sun, 19 Mar 2023, Tim McConnell via clamav-users wrote:
Hi Marc,
So apparently it was a bug(?) in ClamTK. The errors have gone away
(for now).
The big problem is I want Clam to do what Clamonacc does so
removing it shouldn't be an option?
I want it to run at certain times to check for malicious files,
etc.
That is not what clamonacc does. clamonacc scans each file as it is
accessed by some other process (read, write or both). The name means
CLAM scan ON ACCess.
Do you have a plan for what you will do when it finds a potentially
malicious file ? It is very important that you think carefully about
that.
I'll re-enable the schedule via ClamTK and see if it still hogs the
CPU.
If it does I may have to find another AV solution.
How long does it take to scan a terabyte disk ?
If it is full of little files (smaller than MaxScanSize and MaxFileSize)
it will have to read the whole disk at the very least.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk
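
Added example, not part of the thread or of ClamAV: a report-only wrapper for the cron-driven `clamscan` run on selected directory trees discussed above, which never deletes or moves a file. The script path, directory names, exclude patterns and log path are assumptions.

```shell
#!/bin/sh
# Added example: report-only nightly scan. Assumed cron entry (01:00 daily):
#   0 1 * * * /usr/local/sbin/clam-nightly.sh --run
# Directory names, exclude patterns and the log path are assumptions.
SCAN_DIRS="${SCAN_DIRS:-/home /srv}"
EXCLUDE_DIRS="${EXCLUDE_DIRS:-^/home/shared/iso ^/srv/backups}"
LOG_FILE="${LOG_FILE:-/var/log/clamav/nightly-scan.log}"

# Emit clamscan's arguments, one per line. There is no --remove or --move:
# the scan only reports, so a false positive cannot delete or relocate data.
scan_args() (
    set -f    # the patterns are regexes for clamscan, not shell globs
    printf '%s\n' --recursive --infected --no-summary
    for re in $EXCLUDE_DIRS; do printf '%s\n' "--exclude-dir=$re"; done
    for d in $SCAN_DIRS; do printf '%s\n' "$d"; done
)

# Map clamscan's exit status to a word for the cron mail.
classify_status() {
    case "$1" in
        0) echo clean ;;     # nothing matched; not proof the files are safe
        1) echo review ;;    # at least one match: inspect it by hand
        *) echo error ;;     # 2: scan error, some files may be unscanned
    esac
}

# Print "signature path" for every "path: signature FOUND" line in a file.
list_findings() {
    sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2 \1/p' "$1"
}

# Run the scan, keep the raw output in the log, summarise on stdout.
run_scan() (
    out=$(mktemp) || exit 2
    args=$(scan_args)
    set -f
    IFS='
'
    clamscan $args >"$out" 2>&1    # unquoted on purpose: split on newlines
    status=$?
    cat "$out" >>"$LOG_FILE"
    echo "clamscan: $(classify_status "$status")"
    list_findings "$out"
    rm -f "$out"
    exit "$status"
)

if [ "${1:-}" = "--run" ]; then run_scan; exit $?; fi
```
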