On Nov 26 11:35, Nick Holland wrote:
> I have a similar situation at $DAYJOB. Not OpenBSD, but an OS that
> similarly has little malware written for it (and an environment with
> lots of softer targets than the OS anyway). For LOTS of reasons, we
> didn't want to put AV on the "important" systems, but we needed to
> hit that checkbox that says, "AV scans!"
>
> Our compliance people work with me pretty well, and what we came up
> with was to run the AV against our BACKUPS of those boxes. We rsync
> the data from the systems to a central backup, and we run the AV on
> that box against the data. Increased the backup by a few GB/box and
> grabbed the binaries, too, and ta-da, we got a pretty good AV scan
> taking place with /zero/ additional impact on the systems.
This is a great idea. For real-time, we can protect critical content with something like mtree(8) output verified with signify(1), running in security(8) daily.
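An added example (not from the thread and not OpenBSD's own scripts) of the mtree(8) plus signify(1) check described above, written as two shell functions: one builds and signs the baseline spec, the other verifies the signature and then compares the live tree, and is meant to be called from the daily security(8) run. The spec/key locations are whatever you pass in; the hook you call it from is assumed.

```shell
#!/bin/sh
# Added example: integrity check built from mtree(8) + signify(1), intended
# to be invoked once a day alongside security(8). All paths are parameters;
# nothing here is hard-coded to a particular host (assumed layout).
set -u

# Build the baseline once, on a tree you trust at that moment, then sign it.
# The secret key belongs somewhere the monitored host cannot read (a signing
# workstation, or the central backup box from the quoted message), so a
# compromise of the host cannot re-sign a doctored spec.
integrity_baseline() {   # integrity_baseline TREE SPEC SECKEY
    tree=$1 spec=$2 seckey=$3
    # -k replaces the default keyword set (which includes noisy mtimes)
    # with content hashes plus ownership and permissions.
    mtree -c -k sha256digest,uid,gid,mode,flags -p "$tree" > "$spec" || return 1
    signify -S -s "$seckey" -m "$spec"          # writes "$spec.sig"
}

# Daily check: refuse to trust a spec whose signature does not verify with
# the public key, then let mtree compare the live tree against it.
# Return codes follow mtree(8): 0 clean, 1 error/untrusted spec, 2 mismatch.
integrity_check() {      # integrity_check TREE SPEC PUBKEY
    tree=$1 spec=$2 pubkey=$3
    if ! signify -V -q -p "$pubkey" -m "$spec"; then
        echo "integrity: signature on $spec did NOT verify; spec untrusted" >&2
        return 1
    fi
    mtree -p "$tree" -f "$spec"                 # prints each difference
}
```

Only the public key needs to be on the monitored host; listing the spec and its .sig in /etc/changelist as well makes security(8) report any change to those two files independently of this check.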