Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread Andrew C Aitchison via clamav-users

On Thu, 7 Jan 2021, G.W. Haywood via clamav-users wrote:

> Hi there,
>
> On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:
>
> > Can you send link to your posts about root directory scan?
>
> https://marc.info/?l=clamav-users=1=2


The footer of every message from the list has a link
  https://lists.clamav.net/mailman/listinfo/clamav-users
which points to the archive at
  https://lists.clamav.net/pipermail/clamav-users/

--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk

___

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:

> Can you send link to your posts about root directory scan?

https://marc.info/?l=clamav-users=1=2

--

73,
Ged.


Re: [clamav-users] Terminate clamscan after specific time

2021-01-07 Thread Pierre Dehaen
Right, that's why I suggested to make a full scan daily/weekly.

Scanning is not bulletproof either, as the virus signature comes by
definition after the virus creation. If you have some trust in your OS
provider then additional basic tools like rpm -qV, dpkg -V or debsums
(even if not perfect) could be used to verify the authenticity of the
package files in your reference snapshot. Elfsign could be used to check
binaries, if they are signed (on Solaris they are, not sure on Linux),
and the kernel could enforce the check on execution if desired (still on
Solaris). Auditd is also available... but I stop here because,
questioning who we can trust, we could end up with the chain of trust
and the TPM chip... secured by God's signature as you know.

Anyway, as the initial idea was to stop scanning during work hours, I
think my suggestions (to scan changed files only during these hours)
were still safer...

Pierre


On 6 Jan 2021 at 12:53, Paul Kosinski via clamav-users wrote:

The problem with only scanning files that have changed since they were
last scanned is that there usually have been virus signature updates in
the meantime. So you could have an "old" file that contains what was a
zero-day virus at the time it was scanned, and now there is a signature
that would detect it.


On Wed, 06 Jan 2021 11:56:47 +0100
"Pierre Dehaen"  wrote:

> Hi,
> 
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
> 
> > > My goal is to terminate scan of big number of files like '/' on CPU busy
> > > hours.
> > Do not scan everything under the root directory.
>
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> new/changed(/removed) files, scan these only.
>
> Or make a full scan every week if desired, then use an auditing program to
> regularly search for the files that were added/updated(/removed), scan these
> only. These auditing programs use hash signatures which are faster to compute
> than doing full virus scans, but they will anyway make a lot of i/o as they
> will read all files. If you are really constrained by the i/o you could run
> a less secure but lighter audit based on the file attributes (size,
> ownership, mode, dates...) and once a day/week a full audit...
> 
> There are many options...
> 
> HTH,
> Pierre


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread Paul Kosinski via clamav-users
The problem with only scanning files that have changed since they were
last scanned is that there usually have been virus signature updates in
the meantime. So you could have an "old" file that contains what was a
zero-day virus at the time it was scanned, and now there is a signature
that would detect it.


On Wed, 06 Jan 2021 11:56:47 +0100
"Pierre Dehaen"  wrote:

> Hi,
> 
> On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:
> 
> > > My goal is to terminate scan of big number of files like '/' on CPU busy
> > > hours.
> > Do not scan everything under the root directory.
>
> Use zfs, make regular snapshots, scan once, then use zfs diff to find the
> new/changed(/removed) files, scan these only.
>
> Or make a full scan every week if desired, then use an auditing program to
> regularly search for the files that were added/updated(/removed), scan these
> only. These auditing programs use hash signatures which are faster to compute
> than doing full virus scans, but they will anyway make a lot of i/o as they
> will read all files. If you are really constrained by the i/o you could run
> a less secure but lighter audit based on the file attributes (size,
> ownership, mode, dates...) and once a day/week a full audit...
> 
> There are many options...
> 
> HTH,
> Pierre


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread Zvi Kave via clamav-users
Hi Ged,

Can you send link to your posts about root directory scan?

Thanks,

Zvi

On Wed, Jan 6, 2021 at 2:20 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Wed, 6 Jan 2021, Andrew C Aitchison via clamav-users wrote:
> > On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:
> >
> >> My goal is to terminate scan of big number of files like '/' on CPU
> >
> > Would it be better to *pause* the scan if/when the computer gets busy ?
>
> There are many ways to tweak the scheduling of processes, but it makes
> no sense to optimize doing something that is fundamentally daft.  Even
> after it's been optimized, it's still daft.
>
> --
>
> 73,
> Ged.


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 6 Jan 2021, Andrew C Aitchison via clamav-users wrote:
> On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:
>
> > My goal is to terminate scan of big number of files like '/' on CPU
>
> Would it be better to *pause* the scan if/when the computer gets busy ?

There are many ways to tweak the scheduling of processes, but it makes
no sense to optimize doing something that is fundamentally daft.  Even
after it's been optimized, it's still daft.

--

73,
Ged.


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread Andrew C Aitchison via clamav-users



Would it be better to *pause* the scan if/when the computer gets busy ?

If you "nice" the scan it will only run when the cpu is less busy;
if you have "ionice" you can make it run when the disk is less busy.

On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:

> Hi ,
>
> My goal is to terminate scan of big number of files like '/' on CPU
> busy hours.  Then to continue approximately from the interrupted
> directory on nonbusy hours.  Seems that I have to put some code in
> clamscan/manager.c
>
> Thanks,
>
> Zvi
>
> On Tue, Jan 5, 2021 at 6:01 PM G.W. Haywood via clamav-users <
> clamav-users@lists.clamav.net> wrote:
>
> > Hi there,
> >
> > On Tue, 5 Jan 2021, Zvi Kave via clamav-users wrote:
> >
> > > Seems that the parameter --max-scantime=#n aborts scan on every file
> > > after #n ms.
> > > But it continues to the next file, instead of clamscan termination +
> > > summary as I need.
> >
> > You can easily start another process, which sleeps for your desired
> > number of seconds and then kills the clamscan process.  You won't get
> > the exact summary which clamscan gives when it terminates normally, but
> > you will get the output about what's been found so you can approximate
> > the report e.g. by piping the output of the clamscan process to a file
> > (perhaps asking for verbose reporting from libclamav and/or clamscan as
> > well as reporting clean files) and doing a little bit of scripting.
> >
> > This does seem to me to be a strange thing to want to do.  If you can
> > explain exactly what the problem is and why you think this is the
> > solution we might be able to offer alternatives or other suggestions.


--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread Pierre Dehaen
Hi,

On 6 Jan 2021 at 9:58, G.W. Haywood via clamav-users wrote:

> > My goal is to terminate scan of big number of files like '/' on CPU busy 
> > hours.
> Do not scan everything under the root directory.

Use zfs, make regular snapshots, scan once, then use zfs diff to find the
new/changed(/removed) files, scan these only.

Or make a full scan every week if desired, then use an auditing program to
regularly search for the files that were added/updated(/removed), scan these
only. These auditing programs use hash signatures which are faster to compute
than doing full virus scans, but they will anyway make a lot of i/o as they
will read all files. If you are really constrained by the i/o you could run
a less secure but lighter audit based on the file attributes (size,
ownership, mode, dates...) and once a day/week a full audit...

There are many options...

HTH,
Pierre
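
The attribute-based "scan only what changed" audit suggested in this message, combined with the objection raised elsewhere in the thread that a signature update should make old files eligible for rescanning. This is an added example, not code from any list participant; the function names and manifest format are hypothetical, it assumes GNU stat, and it treats the signature-database version as an opaque string supplied by the caller.

```shell
#!/bin/sh
# Added example: incremental scan selection keyed on file attributes AND
# on the signature-database version. Hypothetical names; assumes GNU stat.
# Paths containing newlines are not supported.

# fingerprint FILE
# The light audit: size, mtime, mode and owner only. It does not read file
# contents, so a same-size rewrite within the same second goes unnoticed.
fingerprint() {
    stat -c '%s %Y %a %u:%g' -- "$1"
}

# files_to_scan ROOT MANIFEST DBVER
# Prints each regular file under ROOT that has no manifest line matching
# both its current fingerprint and the current database version DBVER.
# A new DBVER therefore selects every file again, including unchanged ones.
files_to_scan() {
    root=$1; manifest=$2; dbver=$3
    find "$root" -type f | sort | while IFS= read -r f; do
        want=$(printf '%s\t%s\t%s' "$dbver" "$(fingerprint "$f")" "$f")
        grep -qxF -- "$want" "$manifest" 2>/dev/null || printf '%s\n' "$f"
    done
}

# record_clean MANIFEST DBVER   (paths that scanned clean, one per line, on stdin)
# Appends "DBVER<TAB>fingerprint<TAB>path". Stale lines are harmless because
# files_to_scan only accepts an exact match on all three fields.
record_clean() {
    manifest=$1; dbver=$2
    while IFS= read -r f; do
        printf '%s\t%s\t%s\n' "$dbver" "$(fingerprint "$f")" "$f"
    done >>"$manifest"
}

# Usage sketch (paths are placeholders; DBVER could be taken from the
# version string the scanner reports):
#   files_to_scan /srv/data /var/tmp/scan.manifest "$DBVER" >todo.list
#   ...scan the files in todo.list, keep the ones reported clean...
#   record_clean /var/tmp/scan.manifest "$DBVER" <clean.list
```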


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread G.W. Haywood via clamav-users

Hi there,

On Wed, 6 Jan 2021, Zvi Kave via clamav-users wrote:

> My goal is to terminate scan of big number of files like '/' on CPU busy hours.

Do not scan everything under the root directory.

See my other posts in the list archives for reasons.

> Seems that I have to put some code in clamscan/manager.c

No, you have to think about what you are doing.

--

73,
Ged.


Re: [clamav-users] Terminate clamscan after specific time

2021-01-06 Thread Zvi Kave via clamav-users
Hi ,

My goal is to terminate scan of big number of files like '/' on CPU busy
hours.
Then to continue approximately from the interrupted directory on nonbusy
hours.
Seems that I have to put some code in clamscan/manager.c

Thanks,

Zvi


On Tue, Jan 5, 2021 at 6:01 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Tue, 5 Jan 2021, Zvi Kave via clamav-users wrote:
>
> >Seems that the parameter --max-scantime=#n aborts scan on every file
> after #n ms.
> >But it continues to the next file, instead of clamscan termination +
> summary as I need.
>
> You can easily start another process, which sleeps for your desired
> number of seconds and then kills the clamscan process.  You won't get
> the exact summary which clamscan gives when it terminates normally, but
> you will get the output about what's been found so you can approximate
> the report e.g. by piping the output of the clamscan process to a file
> (perhaps asking for verbose reporting from libclamav and/or clamscan as
> well as reporting clean files) and doing a little bit of scripting.
>
> This does seem to me to be a strange thing to want to do.  If you can
> explain exactly what the problem is and why you think this is the
> solution we might be able to offer alternatives or other suggestions.
>
> If all else fails you have the source code.  It would be possible to
> get clamscan to respond to a signal in the way you describe.
>
> An Englishman asked an Irishman for directions to somewhere.
>
> The Irishman replied, "If I was going there, I wouldn't start from here".
>
> :)
>
> --
>
> 73,
> Ged.


Re: [clamav-users] Terminate clamscan after specific time

2021-01-05 Thread Richard Graham via clamav-users
On Tue, Jan 5, 2021 at 5:01 PM G.W. Haywood via clamav-users <
clamav-users@lists.clamav.net> wrote:

> ...
> An Englishman asked an Irishman for directions to somewhere.
>
> The Irishman replied, "If I was going there, I wouldn't start from here".
>
> :)

Reminds me of another Irishman...

Visitor:  "Have you lived here your entire life?"
Irishman:  "No, I live down the lane a bit."
Visitor: "Your whole life?"
Irishman: "Well, not yet."

:-)


Re: [clamav-users] Terminate clamscan after specific time

2021-01-05 Thread G.W. Haywood via clamav-users

Hi there,

On Tue, 5 Jan 2021, Zvi Kave via clamav-users wrote:

> Seems that the parameter --max-scantime=#n aborts scan on every file after #n ms.
> But it continues to the next file, instead of clamscan termination + summary as I need.



You can easily start another process, which sleeps for your desired
number of seconds and then kills the clamscan process.  You won't get
the exact summary which clamscan gives when it terminates normally, but
you will get the output about what's been found so you can approximate
the report e.g. by piping the output of the clamscan process to a file
(perhaps asking for verbose reporting from libclamav and/or clamscan as
well as reporting clean files) and doing a little bit of scripting.

This does seem to me to be a strange thing to want to do.  If you can
explain exactly what the problem is and why you think this is the
solution we might be able to offer alternatives or other suggestions.

If all else fails you have the source code.  It would be possible to
get clamscan to respond to a signal in the way you describe.

An Englishman asked an Irishman for directions to somewhere.

The Irishman replied, "If I was going there, I wouldn't start from here".

:)

--

73,
Ged.
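
The "second process that sleeps, then kills the scan" approach described in this message, with the log-based approximate summary, written out as an added example. It is not code from the poster or from the ClamAV project; the function names are hypothetical, and the summary relies on the assumption that per-file result lines end in "OK", "FOUND" or "ERROR".

```shell
#!/bin/sh
# Added example: deadline watchdog plus approximate summary from the log.
# Hypothetical helper names; nothing here is part of ClamAV itself.

# run_with_deadline SECONDS LOGFILE COMMAND [ARGS...]
# Runs COMMAND with stdout and stderr written to LOGFILE and sends it
# SIGTERM if it is still running after SECONDS. Returns COMMAND's exit
# status; 143 means the watchdog's SIGTERM ended it.
run_with_deadline() {
    limit=$1; log=$2; shift 2

    "$@" >"$log" 2>&1 &
    scan_pid=$!

    # The watchdog: a separate process that sleeps, then kills the scan.
    ( sleep "$limit"; kill -TERM "$scan_pid" ) >/dev/null 2>&1 &
    dog_pid=$!

    rc=0
    wait "$scan_pid" || rc=$?

    # If the scan finished first, stop the watchdog so it can never
    # signal an unrelated process that later reuses the PID.
    kill "$dog_pid" 2>/dev/null || true
    wait "$dog_pid" 2>/dev/null || true
    return "$rc"
}

# summarize_log LOGFILE
# Rebuilds an approximate summary from the per-file result lines.
# complete=no means the scanner's own "SCAN SUMMARY" block is absent,
# i.e. the run was cut short and the counts cover only part of the tree.
# Clean files are counted only if the scanner was asked to report them.
summarize_log() {
    awk '
        /SCAN SUMMARY/ { summary = 1 }
        / FOUND$/      { infected++; next }
        / ERROR$/      { errors++; next }
        /: OK$/        { clean++ }
        END {
            printf "scanned=%d infected=%d errors=%d complete=%s\n",
                   clean + infected, infected, errors, summary ? "yes" : "no"
        }
    ' "$1"
}

# Usage sketch (assumes clamscan is on PATH; the log path is a placeholder;
# nice/ionice are the scheduling hints suggested elsewhere in the thread):
#   run_with_deadline 3600 /var/tmp/scan.log \
#       nice -n 19 ionice -c 3 clamscan -r /home
#   summarize_log /var/tmp/scan.log
```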


Re: [clamav-users] Terminate clamscan after specific time

2021-01-05 Thread Zvi Kave via clamav-users
Hi Micah,

Seems that the parameter --max-scantime=#n aborts scan on every file
after #n ms.
But it continues to the next file, instead of clamscan termination +
summary as I need.

Thanks,

 Zvi

On Mon, Dec 28, 2020 at 6:04 PM Zvi Kave via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Hi,
>
> Is there a way to Terminate clamscan after specific time with summary ?
>
> Regards,
>
> Zvi
>
>


Re: [clamav-users] Terminate clamscan after specific time

2021-01-05 Thread Zvi Kave via clamav-users

  
  
Micah,

I did not pay attention to this parameter.

Thank you for discovering it,

Zvi

On 1/5/2021 3:53 AM, Micah Snyder (micasnyd) via clamav-users wrote:

> Zvi,
>
> Yes, clamscan has a --max-scantime=#n option, which is measured in
> milliseconds.  Clamscan will check the time limit periodically and abort
> the scan if the time limit has been exceeded.  There is a similar config
> option for clamd in clamd.conf.
>
> Disclaimer: the limit is not precise as clamscan may be busy
> decompressing or parsing a file in between checks.  It’s useful mostly
> when scanning large archives and such to abort partway through a long
> scan.  Ideally it would monitor the scan in a watchdog process or
> something so it could abort the scan more precisely but unfortunately it
> doesn’t work that way.
>
> Regards,
> Micah
>
> From: clamav-users On Behalf Of Zvi Kave via clamav-users
> Sent: Monday, December 28, 2020 8:04 AM
> To: clamav-users@lists.clamav.net
> Cc: Zvi Kave
> Subject: [clamav-users] Terminate clamscan after specific time
>
> Hi,
> Is there a way to Terminate clamscan after specific time with summary ?
> Regards,
> Zvi
  

Re: [clamav-users] Terminate clamscan after specific time

2021-01-04 Thread Micah Snyder (micasnyd) via clamav-users
Zvi,

Yes, clamscan has a --max-scantime=#n option, which is measured in 
milliseconds.  Clamscan will check the time limit periodically and abort the 
scan if the time limit has been exceeded.  There is a similar config option for 
clamd in clamd.conf.

Disclaimer: the limit is not precise as clamscan may be busy decompressing or 
parsing a file in between checks.  It’s useful mostly when scanning large 
archives and such to abort partway through a long scan.   Ideally it would 
monitor the scan in a watchdog process or something so it could abort the scan 
more precisely but unfortunately it doesn’t work that way.

Regards,
Micah

From: clamav-users On Behalf Of Zvi Kave via clamav-users
Sent: Monday, December 28, 2020 8:04 AM
To: clamav-users@lists.clamav.net
Cc: Zvi Kave 
Subject: [clamav-users] Terminate clamscan after specific time


Hi,

Is there a way to Terminate clamscan after specific time with summary ?

Regards,

Zvi


[clamav-users] Terminate clamscan after specific time

2020-12-28 Thread Zvi Kave via clamav-users
Hi,

Is there a way to Terminate clamscan after specific time with summary ?

Regards,

Zvi




[clamav-users] Terminate clamscan after specific time

2020-12-28 Thread Zvi Kave via clamav-users

  
  
Hi,

Is there a way to Terminate clamscan after specific timeout with summary ?

Regards,

Zvi

  

