How to scan only last 24 hours files with clamav

Question

I've create a bash script to scan whole server for virus via clamav. The script has been running via cron every night. Because of this I want to scan only the files that has been added last 24 hours. For now I am using this command in my script:

find /home -type f -mmin -1440  -print0 | xargs -0 -r clamscan --infected

But it's too slow, is the find command the reason of being slow? If so what is the better way to scan only last 24 hours files with clamscan? Does clamav have any option to doing this?

Any Help would be much appreciated.

Answer 1

I stumbled onto this page, when I was looking for a clamscan script. I followed above advice and got it working with:

#!/usr/bin/bash
# Create Hourly Cron Job With Clamscan

# Directories to scan
scan_dir="/home"

# Temporary file
list_file=$(mktemp -t clamscan.XXXXXX) || exit 1

# Location of log file
log_file="/var/log/clamav/hourly_clamscan.log"

# Make list of new files
if [ -f  "$log_file" ]
then
        # use newer files then logfile
        find "$scan_dir" -type f -cnewer "$log_file" -fprint "$list_file"
else
        # scan last 60 minutes
        find "$scan_dir" -type f -cmin -60 -fprint "$list_file"
fi

if [ -s "$list_file" ]
then
        # Scan files and remove (--remove) infected
        clamscan -i -f "$list_file" --remove=yes > "$log_file"

        # If there were infected files detected, send email alert
        if [ `cat $log_file | grep Infected | grep -v 0 | wc -l` != 0 ]
        then
                HOSTNAME=`hostname`
                echo "$(egrep "FOUND" $log_file)" | mail -s "VIRUS PROBLEM on $HOSTNAME" -r     clam@nas.local you@yourhost.com
        fi
else
        # remove the empty file, contains no info
        rm -f "$list_file"
fi
exit

It was an hourly script in my case, but should work for daily (modify the second find).

Answer 2

Depending on how many files are actually affected, I don't think that 2 hours is that long for a virus scan. Anyway, you could try to improve the speed the following way:

Output the find result into a file instead of piping it into xargs and then use clamscan with with the --file-list=FILE option. This would possibly improve the run time because clamav would only need to start and initialize once` instead of multiple times. Please leave a comment and tell me how much this sped things up if at all.

Another option (or an additional one) would be to limit your scan to certain vulnerable file types, but personally, I don't like this approach.

Answer 3

I haven't tested this out yet, but I'm planning on integrating my clamscan run with my backup run. My backup tool produces a list of files modified in order to perform an incremental backup, so why recompute the same file list twice?

I use dirvish to create my backups, which uses rsync underneath. In the end, I get a log.bz2 giving me a report of all files backed-up including the list of files that got backed-up.

This genclamfilelist.sh script will extract the file list from the log.bz2 of the latest backup and print it out:

#!/bin/sh

AWK=/usr/bin/awk
BUNZIP2=/bin/bunzip2
HEAD=/usr/bin/head
HOSTNAME=/bin/hostname
LS=/bin/ls
SED=/bin/sed

SNAPSHOT_HOME=/path/to/dirvish/snapshots

   for vaultHome in ${SNAPSHOT_HOME}/*; do

      # vault naming convention: <hostname>-<sharename>
      vaultName="`echo ${vaultHome} | ${SED} -e 's/^.*\/\([^\/]\+\)$/\1/'`"
      vaultHost="`echo ${vaultName} | ${SED} -e 's/\([^\-]\+\)\-.*$/\1/'`"

      # only proceed if vault being considered is for the same host
      if [ "${vaultHost}" = "`${HOSTNAME}`" ]; then
         logfile="`${LS} -1t ${vaultHome}/20??????-???? \
                      | ${HEAD} -1 \
                      | ${SED} -e 's/^\(.*\)\:$/\1/'`/log.bz2"

         if [ -f ${logfile} ]; then
            ${BUNZIP2} -c ${logfile} | ${AWK} '
               /^$/ {
                  if (start) {
                     start=0
                  }
               }

               {
                  if (start) {
                     print $0
                  }
               }

               /^receiving\ file\ list\ \.\.\.\ done$/ {
                  start=1
               }' | ${SED} -e "s/^\(.*\)$/\/\1/"
         fi
         # else skip - no log file found, probably backup didn't run or failed
      fi
      # else skip - another vault
   done

exit 0

This /etc/cron.d/clamav cron script will use the file list:

# /etc/cron.d/clamav: crontab fragment for clamav
CLAMAV_FILELIST=/tmp/clamav_filelist_`/bin/hostname`.txt

# run every night
0 19 * * *     root      /usr/bin/test -f ${CLAMAV_FILELIST} && /usr/bin/clamscan --any-desired-options --file-list=${CLAMAV_FILELIST} && /bin/rm ${CLAMAV_FILELIST}

Since I use dirvish, I modified its /etc/dirvish/dirvish-cronjob to call the first script to generate the file list for use by the last script:

# ...
/usr/sbin/dirvish-expire --quiet && /usr/sbin/dirvish-runall --quiet rc=$?

# v--- BEGIN ADDING NEW LINES
touch /tmp/clamav_filelist_`hostname`.txt
chmod 400 /tmp/clamav_filelist_`hostname`.txt
/usr/local/bin/genclamfilelist.sh >> /tmp/clamav_filelist_`hostname`.txt
# ^--- END ADDING NEW LINES

umount /mnt/backup0 || rc=$?
# ...