Greetings,

We are using clamscan to recursively scan local filesystems on our entry/exit points (jump boxes, DMZ servers) via a cronjob, excluding certain OS filesystems (proc, sysfs). We don't have any network filesystems mounted on these devices.

To satisfy guidelines for our system we need to run HBMC detection on all devices. That said, an AOR (acceptance of risk) is allowed if a valid technical argument can be made. So what I'm looking for is any fodder as to why the following postulation is valid: "Scanning devices on the trusted network, both local and NFS shares, isn't beneficial for our information system."

Some background to help:

(1) Homogeneous Linux network with monthly patching of security updates - no Windows devices anywhere.
(2) Private network with no internet access or external access to interconnected systems except from jump boxes and DMZ devices, which are behind a firewall and have clamscan running on them among other defensive and offensive controls.
(3) NFS shares are local to each system segment and are over 7TB of flat files and data files.

What I'm kinda looking for is information on the efficacy of clamav signatures at catching anything given our setup, but also whether clamav is really meant to be a file scanner as opposed to a mail server "interceptor", since how many signatures will really be detected given our setup and workloads? I can and have googled and found some fodder, but wanted to post the question here in case anyone has written an AOR against using clamav or any HBMC scanning in similar setups - our approved scanning software is only clamav due to requirements also for FLOSS products.

Many thanks!

_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
