Ian G Batten wrote: > On 18 Nov 07, at 0614, Dennis Peterson wrote: >> Have you considered scannning only files that have changed (md5sum >> difference, for >> example) since the last time they were scanned? There's no need to >> scan a file >> endlessly - only if it has changed since the previous scan. > > Hmm. Firstly, computing an MD5 sum of a file is just as much I/O, > and probably as much CPU, as just scanning it anyway.
Many of us already use an intrusion detection tool such as TripWire as a matter of security policy so this is a non-issue. > And secondly, > if there has been a pattern update since the previous scan it's > possible that the file will now be positive, even if it was negative > when first scanned. Can we have a reality check, please. When is the last time you found a virus in /sbin after a new pattern file has been made available? This scenario is more likely for user space than system space and can be accommodated by policy. It doesn't impact intelligent scanning. dp _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://lurker.clamav.net/list/clamav-users.html
