Anti-Virus – Scan Full Filesystem in Parallel with Clamscan

anti-virus clamav multi-core parallel-computing

I run a ClamAV scan weekly on my servers. There is one server with a RAID6 cluster of 30TB of disk space where the scan takes more than 24h to run.

So I wonder how I can run clamscan on the whole filesystem, taking advantage of the several cores the server has. The server has good I/O capacities and I would like the scan to go as fast as the hardware can go.

I know about the --multiscan parameter of clamdscan. The main issue I have with clamdscan is that it cannot process files that the clamav user cannot access, and it seems discouraged to run the daemon as root.

I saw some people are using parallel to achieve this but I could not find a clean command that would really scan the whole filesystem.

Best Answer

You've got two separate questions:

  1. Parallelize clamdscan - apart from combining --multiscan and --fdscan there's little you can do. Alternatively, you can run multiple instances of clamscan on separate folders independently from the daemon.
  2. Scan files that clamd can't access - this isn't possible. clamd requires at least read access to any files that you want to scan and report, and write access to any files you want to scan and clean. I'd run the daemon with read access only and handle the reports manually. If you don't trust ClamAV to be able to handle malicious files you should use another scanner.
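
The "multiple instances of clamscan" option from point 1, as an added example that is not part of the original answer. It splits the work into batches of files rather than whole folders so the workers stay evenly loaded, and it is meant to be run by a user that can read the files (clamscan runs with the invoking user's permissions). The names `SCANNER`, `JOBS`, `BATCH` and `parallel_scan` and the paths in the usage comment are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: fan one filesystem walk out to several clamscan processes.
# SCANNER, JOBS, BATCH and parallel_scan are names chosen for this sketch.
SCANNER=${SCANNER:-clamscan}
JOBS=${JOBS:-$(getconf _NPROCESSORS_ONLN)}
# Every clamscan process loads the whole signature database at start-up,
# so keep batches large and make sure JOBS copies of it fit in RAM.
BATCH=${BATCH:-5000}

# parallel_scan ROOT LOGDIR
# Prints the "FOUND" lines; returns 0 if clean, 1 if infected, 2 on scan errors.
parallel_scan() {
    root=$1
    logdir=$2
    mkdir -p "$logdir" || return 2
    rm -f "$logdir"/batch.*.log "$logdir/errors.log"

    # -xdev keeps find on ROOT's filesystem, so /proc, /sys and network
    # mounts are skipped; call parallel_scan once per mount point.
    # NUL separators keep unusual file names intact.
    find "$root" -xdev -type f -print0 |
        xargs -0 -r -n "$BATCH" -P "$JOBS" sh -c '
            scanner=$1; logdir=$2; shift 2
            # One log per worker PID, so concurrent writers never interleave.
            "$scanner" --no-summary --infected "$@" >>"$logdir/batch.$$.log" 2>&1
            rc=$?
            # clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
            [ "$rc" -le 1 ] || echo "batch exit $rc" >>"$logdir/errors.log"
            exit 0
        ' sh "$SCANNER" "$logdir" || return 2

    found=$(cat "$logdir"/batch.*.log 2>/dev/null | grep ' FOUND$' || true)
    [ -z "$found" ] || printf '%s\n' "$found"
    [ ! -s "$logdir/errors.log" ] || return 2
    [ -z "$found" ] || return 1
    return 0
}

# Run as: sh parallel_scan.sh /srv/data /var/tmp/scanlogs
if [ "$#" -ge 2 ]; then
    parallel_scan "$1" "$2"
fi
```

A return value of 2 means at least one batch hit a scanner error; the per-worker logs in LOGDIR show which files were affected.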