On Thu, 26 Nov 2020 11:35:45 -0500 Nick Holland <n...@holland-consulting.net> wrote:
> On 2020-11-25 17:10, Brogan Beard wrote:
> [...]
>
> Something to consider: run the AV against your boxes -- elsewhere!
>
> I have a similar situation at $DAYJOB. Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway). For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
>
> Our compliance people work with me pretty well, and what we came up
> with was to run the AV against our BACKUPS of those boxes. We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data. Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.
>
> Yes, perhaps not as "real time" as a system which hooks into the OS
> and watches every disk read and write, but I don't think you even
> want that on a Unix-like OS (even if it was possible on many Unix-
> like OSs).
>
> Nick.
>

You can, but it's not really easy. I'm not the one who does it at $JOB,
so don't ask me how.

--
Edward Ahlsen-Girard
Ft Walton Beach, FL
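The "scan the backup, not the box" approach Nick describes above, written out as an added example (this is not code from the thread and not how either poster's site actually does it). It assumes rsync over ssh as root, ClamAV's clamscan on the backup host, a BACKUP_ROOT of /backup/hosts and a hypothetical list of directories to pull; all of those are the example's choices, not the posters'.

```shell
#!/bin/sh
# Scan production hosts for malware by mirroring them to a backup box and
# running the AV against the mirror, so the hosts themselves carry no agent.
# Added example; BACKUP_ROOT, SCAN_DIRS and the rsync/clamscan choice are
# assumptions, not from the original post.
set -u

BACKUP_ROOT="${BACKUP_ROOT:-/backup/hosts}"
# Data plus the system binaries ("grabbed the binaries, too"), so a
# trojaned /usr/bin is caught, not only what lives under /home.
SCAN_DIRS="/bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local /etc /home /var"

# Build the rsync invocation that mirrors one host into $BACKUP_ROOT/<host>.
# -a keeps modes, owners and symlinks; -R (--relative) keeps the full source
# path so /bin and /usr/bin do not both land in <host>/bin; --numeric-ids
# avoids remapping uids through the backup box's passwd; --delete keeps the
# copy an exact mirror so a file already removed upstream cannot produce a
# stale finding; --one-file-system keeps the pull out of other mounts.
rsync_cmd() {
    host=$1
    printf 'rsync -aR --delete --numeric-ids --one-file-system'
    for d in $SCAN_DIRS; do
        printf ' root@%s:%s' "$host" "$d"
    done
    printf ' %s/%s/\n' "$BACKUP_ROOT" "$host"
}

# Build the clamscan invocation for that mirror. --infected prints only
# hits, --recursive walks the tree, --cross-fs=no keeps the scan inside the
# mirror, and the log lands next to it as the record for the auditors.
clamscan_cmd() {
    host=$1
    printf 'clamscan --recursive --infected --cross-fs=no --log=%s/%s.clamav.log %s/%s\n' \
        "$BACKUP_ROOT" "$host" "$BACKUP_ROOT" "$host"
}

# clamscan's exit status: 0 clean, 1 something detected, anything else is
# an error (stale or missing signatures, unreadable files). Only 0 passes;
# an error must not be reported as "clean".
scan_verdict() {
    case $1 in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Pull then scan one host; returns non-zero unless the verdict is "clean".
scan_host() {
    host=$1
    eval "$(rsync_cmd "$host")" || return 2
    eval "$(clamscan_cmd "$host")"
    rc=$?
    printf '%s: %s (clamscan exit %d)\n' "$host" "$(scan_verdict "$rc")" "$rc"
    [ "$rc" -eq 0 ]
}

# Typical run from cron on the backup box: refresh signatures first, then
# each host in turn, e.g.
#   freshclam && for h in web1 db1; do scan_host "$h"; done
```

Two practical notes: pulling with root on the backup side means the mirror holds the hosts' secrets, so the backup box needs at least the protection of the hosts it copies; and the verdict mapping matters, because a clamscan that cannot read its signature database exits 2, which a naive `|| echo infected` would misreport.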