Unai Rodriguez wrote:
> Dear All,
>
> We are managing a set of servers running Debian plus VMware Server (free
> version). All of them are pretty busy since each of them runs several
> VMware Virtual Servers.
>
> I am trying to come up with a way (aka Best Practice) of having all
> these machines virus scanned on a regular basis.
>
> What we have in place right now is a cronjob that updates the virus
> database every 3 hours by calling freshclam:
>
> 0 0-23/3 * * * /usr/local/bin/freshclam --quiet > /dev/null 2>&1
>
> And another cronjob which every 12th and 24th of each month executes a
> fullscan. The fullscan is triggered by this command:
>
> nice clamscan -r -i -l /var/log/clamavlogs/scan-results.log /
Have you considered scanning only files that have changed (md5sum difference, for example) since the last time they were scanned? There's no need to scan a file endlessly - only if it has changed since the previous scan.

In certain circumstances you can avoid scanning whole directories by checking the md5 checksum of the directory listing thusly:

ls -lat directory_name |md5sum >md5.report

If the md5sum output has changed between runs of this tool then you probably have a reason to scan that directory. Using tools like TripWire is useful, too, as they will tell you exactly which file has changed since the last scan.

Scanning monthly means that for a few seconds each month you are secure in knowing your files are clean. Worst case though, is for a virus to be implanted seconds after your scan as it has a full month to play with your system. This is where intrusion detection tools help. TripWire type tools will tell you an intrusion has been successful. Perhaps Snort will tell you this, too - I've seen only that it will tell you of intrusion attempts but not successes, and it's no surprise there are attempts.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
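The "scan only what changed" idea above, worked through as an added example (this is not code from either poster): the script keeps a manifest of per-file checksums, reports every file that is new or whose checksum differs from the manifest, and hands just that list to clamscan via its --file-list option, keeping the -i and -l options from the original cron command. It uses sha256sum rather than md5sum because MD5 collisions are cheap enough that an MD5 manifest is a weak integrity record. The manifest path, the SCAN_DIR and CLAMSCAN variables, and the function names are this example's own conventions; it assumes GNU coreutils (sha256sum, find -exec ... +) and clamscan on PATH.

```shell
#!/bin/sh
# Added example: incremental ClamAV scan of only the files that changed since
# the previous run. Not part of the original post; manifest path, log path and
# the SCAN_DIR/CLAMSCAN variables are this example's own conventions.
# Assumes GNU coreutils (sha256sum, find -exec ... +) and clamscan on PATH.
set -u

# changed_files MANIFEST DIR
# Prints one path per line for every regular file under DIR that is new or
# whose SHA-256 differs from the hash recorded in MANIFEST, then replaces
# MANIFEST with the current hashes. Files that vanished simply drop out.
# Limitation: paths containing whitespace are not handled (awk splits on it).
changed_files() {
    manifest=$1
    dir=$2
    new_manifest="$manifest.new"
    [ -f "$manifest" ] || : > "$manifest"   # first run: every file is "new"
    # One "<sha256>  <path>" line per file; -exec ... + runs nothing if DIR is
    # empty. The manifest files themselves are excluded in case DIR contains them.
    find "$dir" -type f ! -path "$manifest" ! -path "$new_manifest" \
        -exec sha256sum {} + > "$new_manifest"
    # Load old hashes keyed by path, then report every new or changed path.
    # FILENAME (not NR==FNR) tells the two inputs apart even when MANIFEST is empty.
    awk -v old="$manifest" '
        FILENAME == old { seen[$2] = $1; next }
        !($2 in seen) || seen[$2] != $1 { print $2 }
    ' "$manifest" "$new_manifest"
    mv "$new_manifest" "$manifest"
}

# scan_changed MANIFEST DIR LOG
# Runs clamscan only on the changed paths, reading them via --file-list.
# CLAMSCAN may point at a different scanner binary (used by the test below).
scan_changed() {
    manifest=$1
    dir=$2
    log=$3
    scanner=${CLAMSCAN:-clamscan}
    list=$(mktemp)
    changed_files "$manifest" "$dir" > "$list"
    if [ ! -s "$list" ]; then
        rm -f "$list"
        return 0          # nothing changed since the last run: nothing to scan
    fi
    nice "$scanner" -i -l "$log" --file-list="$list"
    status=$?
    rm -f "$list"
    return "$status"      # clamscan exit codes: 0 clean, 1 infected, 2 error
}

# Stand-alone use, e.g. from cron (assumed paths):
#   SCAN_DIR=/ sh incremental-scan.sh
if [ -n "${SCAN_DIR:-}" ]; then
    scan_changed /var/lib/clamav-incr/manifest "$SCAN_DIR" \
        /var/log/clamavlogs/scan-results.log
fi
```

Because the manifest is rewritten on every run, a file that changes and is then scanned is not scanned again until it changes once more; that is the saving the post describes. The manifest is also an integrity record in its own right, so it belongs somewhere the scanned hosts cannot quietly alter (read-only storage or a separate host), otherwise an intruder who modifies a file can update its hash as well.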
