On 18 Nov 07, at 0614, Dennis Peterson wrote: > > Have you considered scannning only files that have changed (md5sum > difference, for > example) since the last time they were scanned? There's no need to > scan a file > endlessly - only if it has changed since the previous scan.
Hmm. Firstly, computing an MD5 sum of a file is just as much I/O, and probably as much CPU, as just scanning it anyway. And secondly, if there has been a pattern update since the previous scan it's possible that the file will now be positive, even if it was negative when first scanned. If you trust the mtime/atime/ctime triplet (if, say, the storage is coming off an NFS applicance that you're comfortable isn't prone to infection) then I suppose you could do something with looking at those and only scanning if those haven't changed and the file is older than some ``anything bad will have been spotted by now'' horizon. ian _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
