It is possible to integrate ClamAV and Tripwire to get to a scan-once environment. Include Puppet or CFEngine for a more complete tool.

dp

On 3/20/18 5:01 AM, Micah Snyder (micasnyd) wrote:
Good morning Tsutomu,

Al is quite correct.  clamd and clamdscan maintain no memory of what has been 
scanned before.

In your ordinary use case, you simply run clamdscan over whatever you want to 
scan.  You can exclude specific directories in your configuration if you want 
to point clamdscan at a high level directory to scan many items.

In truth, I've never tried accessing the files as they were scanned, but I do 
not believe that there is any reason why the files would be locked by ClamAV 
except in the following case.

On newer versions of Linux that have been built with CONFIG_FANOTIFY=y enabled, you can 
configure clamd to monitor directories.  An additional option that we call 
"OnAccessPrevention" may be enabled; it can intentionally block access to the file until it has 
been scanned and will deny access if the file is flagged.  OnAccessPrevention requires 
that your kernel has been built with CONFIG_FANOTIFY_ACCESS_PERMISSION=y.   If you're 
interested in trying this out, please read 
http://blog.clamav.net/2016/03/configuring-on-access-scanning-in-clamav.html

Sadly, OnAccess scanning and prevention only exist for Linux at this time.


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
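
The scan-once idea from this thread, sketched as an added example (not code from either poster or from the ClamAV project): because clamd keeps no memory of earlier scans, a wrapper keeps its own SHA-256 manifest, standing in for a Tripwire-style integrity database, and passes only new or changed files to `clamdscan`. The manifest format and the `db_version` string (any label for the current signature database, so a signature update forces a rescan) are assumptions of this sketch.

```python
import hashlib, json, os, subprocess, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def pending_files(root, manifest, db_version):
    """Map path -> digest for files with no clean verdict under db_version."""
    pending = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                digest = sha256_file(path)
                if manifest.get(path) != [digest, db_version]:
                    pending[path] = digest
    return pending

def clamdscan_infected(paths):
    """Send paths to a running clamd; return the set it reports as infected."""
    with tempfile.NamedTemporaryFile("w", delete=False) as lst:
        lst.write("\n".join(paths) + "\n")
    try:
        cmd = ["clamdscan", "--no-summary", "--infected", "--file-list=" + lst.name]
        proc = subprocess.run(cmd, capture_output=True, text=True)
    finally:
        os.unlink(lst.name)
    if proc.returncode not in (0, 1):  # 0 = clean, 1 = virus found, 2 = error
        raise RuntimeError(proc.stderr.strip() or "clamdscan failed")
    return {line.rsplit(": ", 1)[0] for line in proc.stdout.splitlines()
            if line.endswith(" FOUND")}

def scan_once(root, manifest_path, db_version, scan=clamdscan_infected):
    """Scan only unseen or changed files; return (scanned, infected) lists."""
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    pending = pending_files(root, manifest, db_version)
    infected = scan(sorted(pending)) if pending else set()
    for path, digest in pending.items():
        manifest[path] = [digest, db_version]
    for path in infected:
        manifest.pop(path, None)  # never cache a detection as clean
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return sorted(pending), sorted(infected)
```

Keep the manifest outside the scanned tree and writable only by the scanning account, since anyone who can edit it can mark a file as already scanned.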


_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

