On 10/10/2011 5:28 AM, Matus UHLAR - fantomas wrote:
>> On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
>>> clamscan itself isn't that smart, but if you are using unix, find could
>>> feed a list of things to clamscan.
> On 03.10.11 11:34, Bowie Bailey wrote:
>> Just keep in mind that it is quite easy to arbitrarily change a file's
>> timestamp in linux, so it would be possible for a malicious program to
>> modify a file and then update the timestamp so that it looks like the
>> file has not been modified.
> luckily un*x filesystems have ctime (inode change time) which changes
> every time someone does this, so find can use -ctime option to get even
> such files

That is much safer than using mtime, but ctime can still be modified if a
hacker/malicious program has root access.

(From Hacking Linux Exposed
http://www.hackinglinuxexposed.com/articles/20021205.html)

    $ date 09201419
    $ touch 09201419 somefile
    $ date 12041200
    $ ls -l somefile; ls -lc somefile
    -rw------- 1 bri bri 20481 Sep 17 14:19 somefile
    -rw------- 1 bri bri 20481 Sep 17 14:19 somefile

So it all depends on how paranoid you want to be.

-- 
Bowie
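
The find-feeds-clamscan selection discussed in this thread, as an added example that is not part of the thread or of ClamAV itself. The function names and the marker-file convention are assumptions; -cnewer needs GNU or BSD find.

```shell
#!/bin/sh
# Added example: choose files for rescanning by ctime instead of mtime.
# Function names and the marker-file convention are assumptions.

# Files under $1 whose mtime is newer than the marker's mtime.
# Misses a file whose mtime was set back after it was modified.
changed_by_mtime() {
    find "$1" -type f -newer "$2" -print
}

# Files under $1 whose ctime (inode change time) is newer than the
# marker's mtime. Setting mtime back is itself an inode change, so the
# file is still listed. As noted in the thread, root can defeat this by
# changing the system clock.
changed_by_ctime() {
    find "$1" -type f -cnewer "$2" -print
}

# Scan what changed since the last run, then advance the marker.
# $1 = directory to scan, $2 = marker file kept outside that directory.
scan_changed() {
    dir=$1
    marker=$2
    # Stamp the next marker before scanning so that changes made while
    # the scan runs are picked up by the following run.
    touch "$marker.next" || return 1
    if [ -e "$marker" ]; then
        find "$dir" -type f -cnewer "$marker" \
            -exec clamscan --no-summary -i {} +
    else
        # First run: no baseline yet, scan everything.
        clamscan --no-summary -i -r "$dir"
    fi
    rc=$?
    # Non-zero means a detection or an error. Keep the old marker in that
    # case so the same files are listed again on the next run.
    if [ "$rc" -eq 0 ]; then
        mv "$marker.next" "$marker"
    fi
    return "$rc"
}
```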