Ian G Batten wrote:
> On 19 Nov 07, at 1228, G.W. Haywood wrote:
>
>> Hi there,
>>
>> On Mon, 19 Nov 2007 Ian G Batten wrote:
>>
>>> On 18 Nov 07, at 0614, Dennis Peterson wrote:
>>>> Have you considered scanning only files that have changed (md5sum
>>>> difference, for example) since the last time they were scanned?
>>>> There's no need to scan a file endlessly - only if it has changed
>>>> since the previous scan.
>>> Hmm. Firstly, computing an MD5 sum of a file is just as much I/O,
>>> and probably as much CPU, as just scanning it anyway.
>> That's rather doubtful, given that you're looking for just one MD5 sum
>> and something in the region of 200,000 virus signatures.
>
> That was my gut feel. But see below. Yes, there are all sorts of
> factors (openssl isn't ultra optimised, initial load involves some
> libraries, etc, etc). But I don't think these numbers support the
> doubts.
>
> mailhost-new# time /usr/sfw/bin/openssl md5 /etc/termcap
> MD5(/etc/termcap)= c7c115fea262f53f9b5938f08a69ab65
>
> real 0.3
> user 0.0
> sys 0.0
> mailhost-new# time /usr/local/bin/clamdscan /etc/termcap
> /etc/termcap: OK
>
> ----------- SCAN SUMMARY -----------
> Infected files: 0
> Time: 0.003 sec (0 m 0 s)
>
> real 0.1
> user 0.0
> sys 0.0
> mailhost-new#

It would be helpful to back out the startup costs of running this by
scanning whole directories, and also to use the correct tool for each
operation. I don't think anyone is suggesting md5sum be run thousands of
times to gather checksums. The appropriate tool for that is something
like TripWire.

Secondly, clamdscan is not going to work for global file system scanning
unless clamd is running as root and that is such a bad idea it isn't
worth exploring except in very controlled circumstances.

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
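
The "scan only what changed" idea from this thread, as an added example that is not part of the original messages: one process hashes a whole tree, so interpreter startup is paid once, and writes the changed paths to a list that `clamscan --file-list=FILE` can read. It uses SHA-256 rather than the md5sum mentioned in the thread; the function names and the manifest and list file locations are assumptions.

```python
import hashlib
import json
import os


def file_digest(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root to its digest (symlinks are skipped)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                manifest[path] = file_digest(path)
    return manifest


def changed_files(old, new):
    """Paths that are new, or whose digest differs from the previous run."""
    return sorted(p for p, digest in new.items() if old.get(p) != digest)


def update_scan_list(root, manifest_path, list_path):
    """Write changed paths to list_path and refresh the stored manifest.

    manifest_path and list_path are hypothetical locations; keep them
    outside root so they are not hashed and listed themselves.
    """
    old = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            old = json.load(f)
    new = build_manifest(root)
    todo = changed_files(old, new)
    with open(list_path, "w") as f:
        f.writelines(p + "\n" for p in todo)   # then: clamscan --file-list=list_path
    with open(manifest_path, "w") as f:
        json.dump(new, f)
    return todo
```

An unchanged digest only shows the file has not changed since the last scan, so a full rescan is still needed after each signature database update. The manifest should also be writable only by the account that runs the scan.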
