Dear All,

We are managing a set of servers running Debian plus VMware Server (free version). All of them are pretty busy since each of them runs several VMware Virtual Servers.
I am trying to come up with a way (aka Best Practice) of having all these machines virus scanned on a regular basis. What we have in place right now is a cronjob that updates the virus database every 3 hours by calling freshclam:

    0 0-23/3 * * * /usr/local/bin/freshclam --quiet > /dev/null 2>&1

And another cronjob which executes a full scan on the 12th and 24th of each month. The full scan is triggered by this command:

    nice clamscan -r -i -l /var/log/clamavlogs/scan-results.log /

Basically, we identify VMware Virtual Disks (.vmdk files) as infected. I saw this thread, and already decided not to scan VMware Virtual Disks:

http://lurker.clamav.net/thread/20041211.113120.eff2b90a.en.html#20041211.113120.eff2b90a

Then I figured that something like this for the full scan may make sense:

    clamscan -r -i -l logfile.log /bin /dev /initrd.img /lost+found /sbin /usr /vmlinuz /boot /etc /initrd /lib /opt /root /srv /tmp /var

But I am not really sure this approach is the best in terms of performance. I have been reading around for a while and saw a few times people recommending the DAEMON mode versus the clamscan mode. I am confused about what the daemon does; it seems to me that the daemon is listening there and you will connect to it in order to specify which files to scan. That does not make a big difference to the clamscan command. I must be missing something here.

I think that it would be nice if we could come up with some best practices while having a general purpose server being automatically scanned. Let me throw a few questions to break the ice:

1) Daemon Mode vs. Clamscan Mode
   [1.1] What is the difference between them?
   [1.2] Which one performs better to scan a big number of files regularly?

2) Frequency
   [2.1] How often shall clamav update the virus database?
   [2.2] Is freshclam a good method, or is there another, better one?
   [2.3] How often should a whole system scan be executed?
3) Resource utilization
   [3.1] Is it advisable to call clamscan using NICE to lower the impact on the system?
   [3.2] Is it possible/advisable to limit the amount of RAM/CPU?

Thank you so much!

unai
