4

I run a clamav scan weekly on my servers. There is one server with a raid6 cluster of 30TB of disk space where the scan takes more than 24h to run.

So I wonder how I can run clamscan on the whole filesystem, taking advantage of the several cores the server has? The server has good i/o capacities and I would like the scan to go as fast as the hardware can go.

I know about the --multiscan parameter of clamdscan. The main issue I have with clamdscan is that it cannot process files that the clamav user cannot access, and it seems discouraged to run the daemon as root.

I saw some people are using parallel to achieve this but I could not find a clean command that would really scan the whole filesystem.

azmeuk

2 Answers

4

You've got two separate questions:

  1. Parallelize clamdscan - apart from combining --multiscan and --fdscan there's little you can do. Alternatively, you can run multiple instances of clamscan on separate folders independently from the daemon.
  2. Scan files that clamd can't access - this isn't possible. clamd requires at least read access to any files that you want to scan and report, and write access to any files you want to scan and clean. I'd run the daemon with read access only and handle the reports manually. If you don't trust ClamAV to be able to handle malicious files you should use another scanner.
Zac67
0
  1. The best way would be to run multiple instances of clamdscan, ensuring that all daemons have affinity to different cores and all of them use different physical devices (i.e. disks) and, even better, separate bus channels. The I/O would be the bottleneck in this task.
  2. Ensure you're scanning what you really need. Scanning archives or disk images would be CPU, I/O and RAM hungry, because the process should read (I/O), unpack (CPU, RAM to map files, I/O to write cache) and scan them after. It might be a good idea to exclude ISO files, MKV files, jpgs.
  3. You might want to consider scanning only recently changed files, because scanning big ISO that no one changes every scan.
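
A sketch that combines the suggestions in the two answers above (several independent clamscan processes, type exclusions, recently changed files only), added here as an example and not taken from either answer. It batches files rather than folders; the names `SCANNER`, `list_targets`, `parallel_scan`, `scan.sh` and the log path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original answers.
# Assumed names: SCANNER, list_targets, parallel_scan and their arguments.
# Run it as a user that can read the tree: clamscan opens the files itself,
# so the clamd daemon-user permission limit does not apply.

SCANNER="${SCANNER:-clamscan}"

# list_targets ROOT DAYS
# Prints NUL-separated regular files under ROOT modified in the last DAYS days.
# -xdev stays on one filesystem (skips /proc, /sys and other mounts).
# The media and image types named in the answer are excluded.
list_targets() {
    find "$1" -xdev -type f -mtime "-$2" \
        ! \( -iname '*.iso' -o -iname '*.mkv' \
             -o -iname '*.jpg' -o -iname '*.jpeg' \) -print0
}

# parallel_scan ROOT DAYS JOBS BATCH
# Runs up to JOBS scanner processes at once, each on at most BATCH files.
# Every clamscan process loads the signature database when it starts,
# so keep BATCH large to amortise that cost.
# Exit status: 0 = every batch clean; 123 = some batch reported an
# infection (clamscan exit 1) or an error (clamscan exit 2).
parallel_scan() {
    list_targets "$1" "$2" |
        xargs -0 -r -n "$4" -P "$3" "$SCANNER" --no-summary --infected
}

# Hypothetical invocation (paths are placeholders):
#   sh scan.sh / 7 8 5000 > /var/log/clamscan-weekly.log
if [ "$#" -eq 4 ]; then
    parallel_scan "$@"
fi
```

Files older than the chosen window or with an excluded extension are never scanned by this run, and mtime can be set by whoever owns the file, so keep an occasional full scan alongside it.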