[clamav-users] ClamAV Scanning Best Practice
Hello All,

We have started using ClamAV for SUSE Linux servers in one of our projects. I have a few points that need clarification w.r.t. antivirus best practices.


1. How frequently is it recommended to perform a complete scan (clamscan) on servers? From my testing I understand that each scan on a server takes about 5-7 hours. Is it recommended to scan Linux servers on a daily or weekly basis?
2. Will there be a performance impact on servers when the scan is running for such long hours?
3. We have planned to write a script which automates the scanning of servers i.e.

* run clamscan command and share its output by email
* Drop clamscan output on the terminal
* Ex: clamscan -r / -i <this command scans all files, directories and prints only infected files>
While testing the above command, infected files and also error messages are printed.
Is there a better command to scan the entire system and just show the scan summary rather than printing error messages?

Regards,
SS
Re: [clamav-users] ClamAV Scanning Best Practice
Hi there,

On Thu, 20 Aug 2020, Shoaib, Syed via clamav-users wrote:

> ... Antivirus best practices.
>
> 1. How frequently is it recommended to perform complete scan
> (clamscan) on servers.

Without a great deal more information the question makes no sense.

> ... each scan on a server takes about 5-7 hours. Is it recommended
> to scan Linux servers daily or weekly basis?

See my answer to (1).

> 2. Will there be a performance impact on servers when the scan is
> running for such long hours?

Yes, of course there will. See my answer to (1).

> 3. We have planned to write a script ...
>
> * run clamscan command and share its output by email
> * Drop clamscan output on the terminal
> * Ex: clamscan -r / -i ...

Do not do that on a Linux box. On Linux and other Unix-like systems
there are exposed in the filesystem all sorts of things which really
do not need to be scanned, some of which should not be scanned under
any circumstances. If you do things like this you represent a bigger
danger to the system than the threats you imagine you're looking for
and you'll probably come up with false positives which confuse you.

> ... Is there a better command to scan the entire system, and just
> show the scan summary rather than printing error messages.

See my answer to (3).

What are the servers? What are they doing? What are the risks?

Before you can make any real use of ClamAV on a Linux box you need to
establish the risks. What do you think you're looking for? Where do
you think it might be, and how you think it might manage to get there
in the first place? Take steps to prevent that from happening in all
the areas where that's possible. Then use ClamAV to scan only things
which are at risk. For example you might have an FTP server which is
receiving data from unknown sources; make sure that nothing can write
outside the FTP root and then scan only what's inside. It's up to you
to decide when that needs to be done and what action to take if ClamAV
finds anything. You might be running a public mail server so you want
to look for threats in the messages; you can connect the MTA to clamd
through a milter and for example quarantine messages which are flagged
as suspicious. What you need to do and when you need to do it depends
on the risks. You're the only one who knows those at the moment.

--

73,
Ged.
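
A scoped scan script of the kind the reply points toward, added here as an example and not part of the thread or of ClamAV itself: it scans one directory that receives untrusted data (an FTP root is assumed) instead of `/`, keeps clamscan's error chatter out of the emailed report, and mails only when something was found or the scanner failed. SCAN_ROOT, LOG_DIR, ALERT_TO and the presence of a `mail` command are assumptions.

```shell
#!/bin/sh
# Added example: scan only the at-risk directory, not the whole filesystem.
# SCAN_ROOT, LOG_DIR and ALERT_TO are placeholder assumptions; adjust per host.
SCAN_ROOT="${SCAN_ROOT:-/srv/ftp}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"
ALERT_TO="${ALERT_TO:-security@example.invalid}"

# clamscan's documented exit codes: 0 clean, 1 infected file(s) found, 2 error.
verdict() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    2) echo error ;;
    *) echo unknown ;;
  esac
}

# Count detections in clamscan output, whose hit lines end in " FOUND"
# (e.g. "/srv/ftp/x.exe: Eicar-Test-Signature FOUND"); summary lines do not.
count_found() {
  grep -c ' FOUND$' || true
}

# Only infections or scanner errors are worth an email; a clean run stays quiet.
needs_alert() {
  [ "$1" != clean ]
}

run_scan() {
  out="$LOG_DIR/scan-$(date +%Y%m%d).log"
  # -r recurse, -i print infected files only. stderr (permission errors,
  # unreadable files) goes to its own log so the report stays readable.
  # --exclude-dir keeps pseudo-filesystems out should SCAN_ROOT ever be widened.
  clamscan -r -i --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
    "$SCAN_ROOT" >"$out" 2>"$out.err"
  rc=$?
  v=$(verdict "$rc")
  n=$(count_found <"$out")
  if needs_alert "$v"; then
    printf 'ClamAV scan of %s on %s: %s (%s infected; errors logged in %s)\n' \
      "$SCAN_ROOT" "$(hostname)" "$v" "$n" "$out.err" | mail -s "clamav: $v" "$ALERT_TO"
  fi
  return "$rc"
}

# Run the scan only when SCAN_NOW=1, so the functions can also be sourced.
if [ "${SCAN_NOW:-0}" = 1 ]; then run_scan; fi
```

Run it from cron as `SCAN_NOW=1 sh scoped-scan.sh`; the exit status is clamscan's own, so a wrapper can act on 1 or 2 without parsing the log.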

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users