On Thu, 2009-01-22 at 21:24 +0100, Ralph Angenendt wrote:
> Adam Tauno Williams wrote:
> > > What do you do with clamav on a linux server?
> > You scan the server for malware.
> When? Every day via crontab? That can be much too late. Every hour? That can
> be much too late. Every 10 minutes? That can be much too late - and your
> server is busy scanning the file system.

Versus never??? That's just silly; you're making perfect an obstacle of the good. If it finds something then you KNOW you have a problem and the time frame in which it occurred: you can then assess and respond and [potentially] notify. Versus what? No knowledge? The alternative is to host the malware indefinitely in blissful ignorance - or until someone else detects and reports your server. CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS.

> > The mantra "LINUX doesn't suffer from malware" is just bollocks. Lots
> > of malware is served from LINUX servers. Scanning a server for
> > signatures is just another way to proof (not prove) that a server has
> > not been compromised and that data accessed by the server is secure.
> > Which is what things like PCI/DSS are about - protecting the *data*.
> I never said "LINUX doesn't suffer from malware". But clamav itself is not
> able to scan in real time. Looks like dazuko has gotten a bit better, I don't
> know about clamuko. But by "just installing clamav", you gain nothing
> protection wise.

Yes, you gain the ability to detect a compromised server.
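The point made above is that a scheduled scan, even if it can never be real-time, tells you two things when it hits: that the server has a problem, and the window in which the malware arrived (between the last clean run and this one). The wrapper below, an added example and not code from either poster or from the ClamAV project, shows one way to capture exactly that from cron. It assumes `clamscan` is installed, that `/var/log/clamscan-cron` is an acceptable place for per-run logs and the last-clean-run marker (both paths are assumptions), and relies on documented `clamscan` behaviour: `-r` recurses, `-i` prints only infected files, `--stdout` sends output to stdout, and the exit status is 0 for clean, 1 when something was found, and 2 or higher for an error.

```shell
#!/bin/sh
# Added example (not from the list thread): a cron wrapper around clamscan that
# records when each run started, stores the timestamp of the last CLEAN run,
# and, on a hit, reports the "last clean" and "this run" timestamps together
# with every file and signature found.  An error exit does NOT update the
# clean marker, so a failed scan is never mistaken for a clean one.

SCAN_ROOT="${SCAN_ROOT:-/var/www}"                  # assumed directory to scan
LOG_DIR="${LOG_DIR:-/var/log/clamscan-cron}"        # assumed log location
STATE_FILE="$LOG_DIR/last_clean_run"                # timestamp of last clean scan

# clamscan prints one line per hit:  "/path/to/file: Some.Signature FOUND"
# Reduce those lines to "path|signature" (one per line), ignoring everything else.
parse_found() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1|\2/p'
}

# Map a clamscan exit status to a word the rest of the script can branch on.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Build the alert text from the hostname, previous clean timestamp, this run's
# timestamp and the parsed hits.  Kept separate so the formatting is testable.
alert_text() {
    host="$1"; prev="$2"; now="$3"; hits="$4"
    printf 'ALERT: malware found on %s (arrived after %s, seen at %s)\n%s\n' \
        "$host" "$prev" "$now" "$hits"
}

run_scan() {
    mkdir -p "$LOG_DIR" || return 2
    start=$(date -u +%Y%m%dT%H%M%SZ)
    out="$LOG_DIR/scan-$start.log"

    clamscan -r -i --stdout "$SCAN_ROOT" > "$out" 2>&1
    rc=$?

    case "$(classify_exit "$rc")" in
        clean)
            echo "$start" > "$STATE_FILE"
            ;;
        infected)
            prev=$(cat "$STATE_FILE" 2>/dev/null || echo unknown)
            hits=$(parse_found < "$out")
            # cron mails whatever the job prints, so the alert reaches the admin
            alert_text "$(hostname)" "$prev" "$start" "$hits"
            ;;
        error)
            echo "clamscan failed with status $rc; see $out"
            ;;
    esac
    return "$rc"
}

# Run only when asked to, so the file can also be sourced for its functions.
if [ "${CLAMSCAN_CRON_RUN:-0}" = 1 ]; then
    run_scan
fi
```

A crontab entry such as `0 * * * * CLAMSCAN_CRON_RUN=1 /usr/local/sbin/clamscan-cron.sh` (path assumed) runs it hourly; cron mails the output only when the script prints something, so silence means "clean" and a message carries both the hits and the window in which they arrived. Note that a status of 2 or more leaves the last-clean marker untouched on purpose: a scan that could not complete says nothing about the state of the filesystem.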