Sheikji Nazirudeen wrote:
> Hello:
> I am in the process of scanning HP and Sun servers. I am running into
> issues wherein it takes a long time for the scan to complete. Is there any
> way apart from excluding certain file extensions to increase the speed? I
> would be much interested in a software solution. Let me know.

This is an opportunity to ask the providers a related question: Does ClamAV use every pattern file record and all heuristics on every file it scans? It makes little sense to use Phishing/Image spam/Scam/Windows-only patterns, and certain heuristics operations, on Sparc ELF binaries in /usr/sbin on Sun servers, for example.

And to answer in part your question, one performance hit is scanning NFS mounted directories, and there are usually ways to avoid that. And if you have very large directories, as was the case where I worked, limiting the scan to only those files that have changed since the last scan helps.

Arrange your scanning so that there are few startup costs. Each time clamscan starts up it has to load all the databases from scratch, so get the most from this expense. Clamd running as an unprivileged user cannot be used to scan a lot of file areas. Consider a limited life instance of running clamd with greater privileges and with a config file that forces this clamd instance to operate only in protected space regards its own socket files, temp files, working area, and database files.

Prune if possible unlikely candidates from the database files. If you have any form of a "SoBig" virus in your Sun server binaries you should already know about it without having to run clamav's tools.

If you have a good tripwire-like tool then you can eliminate a lot of files from scanning requirements and improve your intrusion detection capacity. Even if I didn't have ClamAV I'd still run TripWire or aset for this added security. Various archive files such as .z, .bz2, .gz, .tgz, for example, that have not changed in a way that TripWire-like tools can detect are probably good candidates to ignore for future scanning, assuming they have been scanned and found clean at the time they were TripWired.

ClamAV is optimized as a mail scanner for incoming mail.
It is less useful for mail that has been delivered to an mbox file, and is very Windows-centric in terms of viruses it's looking for. In the final analysis it may not be the best tool for scanning Unix file systems, or may require other processes to augment its effort.

dp
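
The changed-files, NFS and startup-cost advice in the reply above, as an added sketch that is not part of the original message or of ClamAV itself. The function names, the stamp-file scheme and the `SCANNER` override are assumptions made for illustration; `--file-list`, `--no-summary` and `--infected` are clamscan options.

```shell
#!/bin/sh
# Added example: incremental scan with one scanner start per run.
# Keep the stamp file outside the tree being scanned.

# Print regular files under $1 changed since stamp file $2
# (every file when no stamp exists yet, i.e. on the first run).
# -xdev keeps find on the starting filesystem, so NFS mounts
# below $1 are not walked.
changed_files() {
    root=$1
    stamp=$2
    if [ -f "$stamp" ]; then
        find "$root" -xdev -type f -newer "$stamp" -print
    else
        find "$root" -xdev -type f -print
    fi
}

# Scan the changed files under $1 with a single scanner start, so the
# signature databases are loaded once for the whole list.
# Returns the scanner's exit status (clamscan: 0 clean, 1 infected,
# 2 error), or 0 when nothing has changed.
scan_changed() {
    root=$1
    stamp=$2
    list=$(mktemp) || return 2
    # Timestamp taken before the walk: files modified while the scan
    # is running are newer than it and get picked up next time.
    next=$(mktemp) || { rm -f "$list"; return 2; }
    changed_files "$root" "$stamp" > "$list"
    rc=0
    if [ -s "$list" ]; then
        "${SCANNER:-clamscan}" --no-summary --infected \
            --file-list="$list" || rc=$?
    fi
    # Advance the stamp only after a clean pass, so files from a run
    # that reported a finding or an error are scanned again.
    if [ "$rc" -eq 0 ]; then
        mv -f "$next" "$stamp"
    else
        rm -f "$next"
    fi
    rm -f "$list"
    return "$rc"
}
```

Called as `scan_changed /usr/sbin /var/lib/scan/usr-sbin.stamp` from cron (both paths hypothetical), this complements rather than replaces a Tripwire-style integrity check.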
