Right, that's why I suggested making a full scan daily/weekly.

Scanning is not bulletproof either, as the virus signature comes by definition
after the virus creation. If you have some trust in your OS provider then
additional basic tools like rpm -qV, dpkg -V or debsums (even if not perfect)
could be used to verify the authenticity of the package files in your reference
snapshot. Elfsign could be used to check binaries, if they are signed (on
Solaris they are, not sure on Linux), and the kernel could enforce the check on
execution if desired (still on Solaris). Auditd is also available... but I stop
here because, questioning who we can trust, we could end up with the chain of
trust and the TPM chip... secured by God's signature as you know.

Anyway, as the initial idea was to stop scanning during work hours, I think my
suggestions (to scan changed files only during these hours) were still safer...

Pierre


On 6 Jan 2021 at 12:53, Paul Kosinski via clamav-users wrote:

The problem with only scanning files that have changed since they were
last scanned is that there usually have been virus signature updates in
the meantime. So you could have an "old" file that contains what was a
zero-day virus at the time it was scanned, and now there is a signature
that would detect it.


On Wed, 06 Jan 2021 11:56:47 +0100
"Pierre Dehaen" <deha...@drever.be> wrote:

> Hi,
> 
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
> 
> > > My goal is to terminate scan of big number of files like '/' on CPU busy 
> > > hours.  
> > Do not scan everything under the root directory.  
> 
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the 
> new/changed(/removed) files, scan these only.
> 
> Or make a full scan every week if desired, then use an auditing program to
> regularly search for the files that were added/updated(/removed), scan these
> only. These auditing programs use hash signatures which are faster to compute
> than doing full virus scans, but they will anyway make a lot of i/o as they
> will read all files. If you are really constrained by the i/o you could run a
> less secure but lighter audit based on the file attributes (size, ownership,
> mode, dates...) and once a day/week a full audit...
> 
> There are many options...
> 
> HTH,
> Pierre

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
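The "audit, then scan only what changed" approach discussed in this thread, as an added example that is not part of the original messages and not ClamAV code. It implements the auditing-program variant (a walk of the tree recording size, mtime, inode, mode, owner and optionally a sha256 hash), diffs the current state against a stored baseline, and writes the new/changed paths in the one-path-per-line form that `clamscan --file-list=LIST` / `clamdscan --file-list=LIST` accept. It also covers the point raised in the quoted reply: the baseline records which signature files were installed, and if that set differs at the next run the whole tree is listed for a full rescan rather than only the changed files. Assumptions: the default database directory `/var/lib/clamav` with `.cvd`/`.cld` files, and all function names (`snapshot`, `files_to_scan`, `sigdb_stamp`, `demo`, ...) are hypothetical helpers written for this illustration; the files and the stand-in "signature" files in `demo()` are constructed.

```python
#!/usr/bin/env python3
"""Incremental pre-filter for ClamAV: fingerprint every regular file under a
root after a full scan (the baseline), then list only new or changed files for
`clamscan --file-list=LIST` / `clamdscan --file-list=LIST`. If the signature
set changed since the baseline, everything is listed again instead.
Illustration written for this thread; not part of ClamAV."""
import hashlib
import json
import os
import stat
import tempfile

def file_key(path, with_hash=False):
    """Metadata fingerprint, plus sha256 when with_hash is set. Metadata alone
    is the cheap audit: it misses a rewrite that keeps size and mtime."""
    st = os.lstat(path)
    key = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "ino": st.st_ino,
           "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    if with_hash:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        key["sha256"] = h.hexdigest()
    return key

def snapshot(root, with_hash=False):
    """Fingerprint every regular file below root; symlinks are not followed."""
    db = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(p).st_mode):
                db[p] = file_key(p, with_hash)
    return db

def sigdb_stamp(dbdir="/var/lib/clamav"):
    """Identify the installed signature set by name and mtime of the .cvd/.cld
    files in the database directory (ClamAV's default path is assumed)."""
    if not os.path.isdir(dbdir):
        return []
    return sorted((n, os.stat(os.path.join(dbdir, n)).st_mtime_ns)
                  for n in os.listdir(dbdir) if n.endswith((".cvd", ".cld")))

def diff_snapshots(old, new):
    """Return (added, changed, removed) path lists between two snapshots."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    changed = sorted(p for p in new if p in old and new[p] != old[p])
    return added, changed, removed

def files_to_scan(old, new, old_stamp, new_stamp):
    """New/changed files only, unless signatures were updated: a file clean at
    baseline may be detectable now, so then everything is rescanned."""
    if old_stamp != new_stamp:
        return sorted(new)
    added, changed, _removed = diff_snapshots(old, new)
    return sorted(added + changed)

def save_baseline(path, db, stamp):
    with open(path, "w") as f:
        json.dump({"stamp": stamp, "files": db}, f)

def load_baseline(path):
    with open(path) as f:
        d = json.load(f)
    return d["files"], [tuple(s) for s in d["stamp"]]

def write_file_list(paths, list_path):
    """One path per line, the form that clamscan/clamdscan --file-list reads."""
    with open(list_path, "w") as f:
        f.write("".join(p + "\n" for p in paths))

def demo():
    """Constructed scenario in a temporary tree; returns the incremental and
    the post-signature-update scan lists as paths relative to the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root, dbdir = os.path.join(tmp, "data"), os.path.join(tmp, "clamav")
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(dbdir)
        def put(*parts, text):
            with open(os.path.join(*parts), "w") as f:
                f.write(text)
        put(root, "etc/a.conf", text="keep=1\n")
        put(root, "etc/b.conf", text="old=1\n")
        put(root, "etc/c.conf", text="x=1\n")
        put(dbdir, "daily.cld", text="constructed stand-in, not a real database\n")
        base = os.path.join(tmp, "baseline.json")   # written after the full scan
        save_baseline(base, snapshot(root, with_hash=True), sigdb_stamp(dbdir))
        # Later: b rewritten at the same size, d added, a removed, same signatures.
        put(root, "etc/b.conf", text="old=2\n")
        put(root, "etc/d.conf", text="new=1\n")
        os.remove(os.path.join(root, "etc/a.conf"))
        old_db, old_stamp = load_baseline(base)
        incremental = files_to_scan(old_db, snapshot(root, True), old_stamp, sigdb_stamp(dbdir))
        write_file_list(incremental, os.path.join(tmp, "scan.lst"))
        put(dbdir, "main.cvd", text="constructed stand-in\n")  # signature update lands
        full = files_to_scan(old_db, snapshot(root, True), old_stamp, sigdb_stamp(dbdir))
        rel = lambda paths: [os.path.relpath(p, root) for p in paths]
        return rel(incremental), rel(full)
```

`demo()` returns `(['etc/b.conf', 'etc/d.conf'], ['etc/b.conf', 'etc/c.conf', 'etc/d.conf'])`: the same-size rewrite of b.conf is only caught because the baseline was taken with `with_hash=True`; with metadata only, a rewrite that preserves size and mtime goes unnoticed, which is the "less secure but lighter" trade-off. In a cron job the sequence is a full `clamscan` followed by `save_baseline`, and during busy hours `files_to_scan` plus `clamscan --file-list=scan.lst`; each zfs snapshot could replace the walk with `zfs diff`, but the signature-set check stays the same.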

