Hi there,

On Mon, 19 Nov 2007 Ian G Batten wrote:

> On 18 Nov 07, at 0614, Dennis Peterson wrote:
> >
> > Have you considered scanning only files that have changed (md5sum
> > difference, for example) since the last time they were scanned?
> > There's no need to scan a file endlessly - only if it has changed
> > since the previous scan.
>
> Hmm.  Firstly, computing an MD5 sum of a file is just as much I/O,
> and probably as much CPU, as just scanning it anyway.

That's rather doubtful, given that you're looking for just one MD5 sum
and something in the region of 200,000 virus signatures.

> And secondly, if there has been a pattern update since the previous
> scan it's possible that the file will now be positive, even if it
> was negative when first scanned.

Naturally one would expect to use different schemes for scanning user
directories and system directories.  In the context of scanning system
files, the presumption is that if you've computed the checksum and the
result is what you expected, then the file is as it's supposed to be.
This is so whether or not it might give a positive on a later scan; in
that case it would presumably be a false positive.

Of course we aren't considering here the case where you might be looking,
say, for vulnerable libraries compiled statically into random executables.

--

73,
Ged.
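
Added example, not part of the original message: a sketch of the two rescan policies discussed in this thread, where system files are skipped whenever their checksum matches the baseline, while user files are also rescanned after a signature update. It uses SHA-256 in place of the md5sum mentioned above; the function names and the integer `db_version` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 16):
    """Stream the file so large files are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def needs_scan(path, baseline, db_version, system_file):
    """Return why path must be scanned, or None. baseline: path -> (digest, db_version)."""
    entry = baseline.get(path)
    if entry is None:
        return "no baseline"
    digest, scanned_with = entry
    if sha256_file(path) != digest:
        return "content changed"
    # System files: a matching checksum is taken as "file is as expected".
    # User files: a newer signature set may now flag unchanged content.
    # db_version is a hypothetical counter for the signature database in use.
    if not system_file and scanned_with != db_version:
        return "signatures updated"
    return None

def record_scan(path, baseline, db_version):
    """Call after a clean scan to store the digest and the DB version used."""
    baseline[path] = (sha256_file(path), db_version)

def demo():
    """Constructed sample: one 'system' file and one 'user' file in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sys_f, usr_f = os.path.join(d, "libfoo.so"), os.path.join(d, "upload.bin")
        for p in (sys_f, usr_f):
            with open(p, "wb") as f:
                f.write(b"constructed sample content")
        baseline = {}
        results["first"] = needs_scan(sys_f, baseline, 1, True)
        record_scan(sys_f, baseline, 1)
        record_scan(usr_f, baseline, 1)
        # Signature database moves from version 1 to 2; files are untouched.
        results["sys_after_update"] = needs_scan(sys_f, baseline, 2, True)
        results["usr_after_update"] = needs_scan(usr_f, baseline, 2, False)
        with open(sys_f, "ab") as f:
            f.write(b"!")  # simulate modification of the system file
        results["sys_modified"] = needs_scan(sys_f, baseline, 2, True)
    return results
```

The skip decision is only as trustworthy as the baseline itself, so the stored digests need to live somewhere the scanned host cannot rewrite them.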