Mailing List Archive: ClamAV: users

Scan files by date

Index | Next | Previous | View Threaded

brohler at purdue

Sep 30, 2011, 6:37 PM

Post #1 of 8 (712 views)
Permalink

Scan files by date

I have a large number of files (9TB) with over a million files and thousands of directories. I would like to scan the group one time so I have a good baseline. After that I would like to scan files that are less than 365 days old. Can I use clamscan to scan files by date?
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

nathan at cmpublishers

Sep 30, 2011, 7:56 PM

Post #2 of 8 (693 views)
Permalink

Re: Scan files by date [In reply to]

On 9/30/2011 9:37 PM, Rohler, Brian L wrote:
> I have a large number of files (9TB) with over a million files and
> thousands of directories. I would like to scan the group one time so
> I have a good baseline. After that I would like to scan files that
> are less than 365 days old. Can I use clamscan to scan files by
> date?

clamscan itself isn't that smart, but if you are using unix, find could
feed a list of things to clamscan.

--
Sincerely,

Nathan Gibbs

Systems Administrator
Christ Media
http://www.cmpublishers.com

Attachments:

signature.asc (0.25 KB)

Bowie_Bailey at BUC

Oct 3, 2011, 8:34 AM

Post #3 of 8 (678 views)
Permalink

Re: Scan files by date [In reply to]

On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
> On 9/30/2011 9:37 PM, Rohler, Brian L wrote:
>> I have a large number of files (9TB) with over a million files and
>> thousands of directories. I would like to scan the group one time so
>> I have a good baseline. After that I would like to scan files that
>> are less than 365 days old. Can I use clamscan to scan files by
>> date?
>
> clamscan itself isn't that smart, but if you are using unix, find could
> feed a list of things to clamscan.

Just keep in mind that it is quite easy to arbitrarily change a file's
timestamp in linux, so it would be possible for a malicious program to
modify a file and then update the timestamp so that it looks like the
file has not been modified.

--
Bowie

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

steveb_clamav at sanesecurity

Oct 4, 2011, 5:19 AM

Post #4 of 8 (679 views)
Permalink

Re: Scan files by date [In reply to]

> I have a large number of files (9TB) with over a million files and
> thousands of directories. I would like to scan the group one time so I
> have a good baseline. After that I would like to scan files that are less
> than 365 days old. Can I use clamscan to scan files by date?

Along these lines, pdf files changed in the last 2 days

find *.pdf -mtime -2 -type f -print0 | xargs -0 clamdscan

Cheers,

Steve
Sanesecurity

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

uhlar at fantomas

Oct 10, 2011, 2:28 AM

Post #5 of 8 (642 views)
Permalink

Re: Scan files by date [In reply to]

>> On 9/30/2011 9:37 PM, Rohler, Brian L wrote:
>>> I have a large number of files (9TB) with over a million files and
>>> thousands of directories. I would like to scan the group one time so
>>> I have a good baseline. After that I would like to scan files that
>>> are less than 365 days old. Can I use clamscan to scan files by
>>> date?

>On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
>> clamscan itself isn't that smart, but if you are using unix, find could
>> feed a list of things to clamscan.

On 03.10.11 11:34, Bowie Bailey wrote:
>Just keep in mind that it is quite easy to arbitrarily change a file's
>timestamp in linux, so it would be possible for a malicious program to
>modify a file and then update the timestamp so that it looks like the
>file has not been modified.

luckily un*x filesystems have ctime (inode change time) which changes
everytime someone does this, so find can use -ctime option to get even
such files

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

ged at jubileegroup

Oct 10, 2011, 3:24 AM

Post #6 of 8 (642 views)
Permalink

Re: Scan files by date [In reply to]

Hi there,

On Mon, 10 Oct 2011 Matus UHLAR wrote:

> luckily un*x filesystems have ctime (inode change time) which changes
> everytime someone does this, so find can use -ctime option to get even
> such files

However metadata support in some filesystems supported under un*x can be
patchy, and some in implementations the ctime value can be misleading.

http://en.wikipedia.org/wiki/Comparison_of_file_systems#Metadata

--

73,
Ged.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Bowie_Bailey at BUC

Oct 10, 2011, 8:36 AM

Post #7 of 8 (645 views)
Permalink

Re: Scan files by date [In reply to]

On 10/10/2011 5:28 AM, Matus UHLAR - fantomas wrote:
>> On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
>>> clamscan itself isn't that smart, but if you are using unix, find could
>>> feed a list of things to clamscan.
> On 03.10.11 11:34, Bowie Bailey wrote:
> >Just keep in mind that it is quite easy to arbitrarily change a file's
>> timestamp in linux, so it would be possible for a malicious program to
>> modify a file and then update the timestamp so that it looks like the
>> file has not been modified.
> luckily un*x filesystems have ctime (inode change time) which changes
> everytime someone does this, so find can use -ctime option to get even
> such files

That is much safer than using mtime, but ctime can still be modified if
a hacker/malicious program has root access.

(From Hacking Linux Exposed
http://www.hackinglinuxexposed.com/articles/20021205.html)
$ date 09201419
$ touch 09201419 somefile
$ date 12041200
$ ls -l somefile; ls -lc somefile
-rw------- 1 bri bri 20481 Sep 17 14:19 somefile
-rw------- 1 bri bri 20481 Sep 17 14:19 somefile

So it all depends on how paranoid you want to be.

--
Bowie
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

uhlar at fantomas

Oct 14, 2011, 3:31 AM

Post #8 of 8 (620 views)
Permalink

Re: Scan files by date [In reply to]

>On 10/10/2011 5:28 AM, Matus UHLAR - fantomas wrote:
>>> On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
>>>> clamscan itself isn't that smart, but if you are using unix, find could
>>>> feed a list of things to clamscan.
>> On 03.10.11 11:34, Bowie Bailey wrote:
>> >Just keep in mind that it is quite easy to arbitrarily change a file's
>>> timestamp in linux, so it would be possible for a malicious program to
>>> modify a file and then update the timestamp so that it looks like the
>>> file has not been modified.
>> luckily un*x filesystems have ctime (inode change time) which changes
>> everytime someone does this, so find can use -ctime option to get even
>> such files

On 10.10.11 11:36, Bowie Bailey wrote:
>That is much safer than using mtime, but ctime can still be modified if
>a hacker/malicious program has root access.

if a hacker/malicious program has root access, it's quite irelevant
whether what data will clamav get...

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads