clamav-users October 2011 archive
Main Archive Page > Month Archives  > clamav-users archives
clamav-users: Re: [clamav-users] Scan files by date

Re: [clamav-users] Scan files by date

From: Bowie Bailey <Bowie_Bailey_at_nospam>
Date: Mon Oct 10 2011 - 15:36:52 GMT
To: clamav-users@lists.clamav.net

On 10/10/2011 5:28 AM, Matus UHLAR - fantomas wrote:
>> On 9/30/2011 10:56 PM, Nathan Gibbs wrote:
>>> clamscan itself isn't that smart, but if you are using unix, find could
>>> feed a list of things to clamscan.
> On 03.10.11 11:34, Bowie Bailey wrote:
> >Just keep in mind that it is quite easy to arbitrarily change a file's
>> timestamp in linux, so it would be possible for a malicious program to
>> modify a file and then update the timestamp so that it looks like the
>> file has not been modified.
> luckily un*x filesystems have ctime (inode change time) which changes
> everytime someone does this, so find can use -ctime option to get even
> such files

That is much safer than using mtime, but ctime can still be modified if
a hacker/malicious program has root access.

(From Hacking Linux Exposed
http://www.hackinglinuxexposed.com/articles/20021205.html)
  $ date 09201419
  $ touch 09201419 somefile
  $ date 12041200
  $ ls -l somefile; ls -lc somefile
  -rw------- 1 bri bri 20481 Sep 17 14:19 somefile
  -rw------- 1 bri bri 20481 Sep 17 14:19 somefile

So it all depends on how paranoid you want to be.

-- Bowie _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml