Hi there,

On Wed, 21 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> I was assuming that clamav's on-access scanning used the same mechanism as inotify.
No need to assume anything: https://www.clamav.net/documents/on-access-scanning It's documented there that it uses fanotify, only works on Linux and requires Linux kernel version >= 3.8 to work. The fanotify man page has a comparison with the inotify API.
> I imagine that scan-on-write produces less load than scan-on-read (for most user files - obviously not for logfiles that are never read) - at the price of missing the most recent virus definitions,
Well I _do_ read my log files(!) and if I ever scanned anything I'd exclude logfiles from the scan as a matter of routine. I think your cost assessment is about right, modulo the database update frequency.
> and that using clamav's on-access scanning has the advantage of catching the nasties before the file is used, unlike the inotify-based solutions, which avoid the latency that on-access scanning produces ...
Not sure that I follow all that, but the perceived advantage of having a potential to catch any nasties must necessarily be discounted by the probability that it will catch anything when it actually looks for it. Rough order of magnitude I guess a one in three chance on a good day.
> My one piece of advice for anyone thinking of off-line scanning would be to work out what you will do when your scanner finds a nasty.
Excellent advice. :)

--
73, Ged.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
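An added example, not part of the thread and not ClamAV's shipped configuration, of a clamd.conf fragment that puts the three points of this exchange into practice: excluding log directories from the watch, enabling the blocking scan-before-use mode that gives the latency discussed above, and bounding that latency. The option names are the ones documented on the on-access scanning page linked earlier in the thread; the watched paths, the excluded path, the user name and the size limit are assumptions chosen for illustration.

```ini
# Added example clamd.conf fragment (hypothetical paths; not ClamAV's default config).
# On-access scanning is fanotify-based, so this only takes effect on Linux with
# kernel >= 3.8, as the documentation states.

# Watch the directories where users write and later open files.
OnAccessIncludePath /home
OnAccessIncludePath /srv/shares

# Exclude log directories: they are written constantly and seldom opened for
# reading, so scanning them on every write costs much and catches little.
OnAccessExcludePath /var/log

# Do not scan files touched by the scanner's own account, to avoid feedback loops.
OnAccessExcludeUname clamav

# Prevention mode: clamd answers fanotify permission events, so the open()
# blocks until the scan finishes. This is the "catch it before the file is
# used" behaviour, and also the source of the latency the thread mentions.
OnAccessPrevention yes

# Bound the per-open latency by not scanning very large files inline.
OnAccessMaxFileSize 5M
```

The last piece of advice in the thread, deciding in advance what happens on a detection, is settled on the client side: running the on-access client as `clamonacc --fdpass --move=/var/quarantine --log=/var/log/clamonacc.log` (the quarantine and log paths are assumptions) moves each detected file out of the watched tree and records the event, so a hit becomes an action rather than a log line nobody reads. `--fdpass` hands the already-open file descriptor to clamd, so the daemon can scan files its own account could not otherwise open.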