
Check for Anti-Virus Artifacting with cksum


I'm looking for a good way to see if Avira Anti-virus (www.avira.com) is leaving any traces behind after a scan. I am working in an environment where it is critical that nothing be modified, and that the box is disconnected from the network as per user specifications. The concept was to use cksum to monitor all files on a box, then pipe output to a text file, and diff the pre- and post-Avira cksums.

I have tried:

$ find . | xargs cksum | sort > cksum_A.txt

And

$ find . \! -type p -exec cksum {} \; > cksum_A.txt

I deleted all temporary and permanent instances of the cksum_A.txt and cksum_B.txt from both files, as it would certainly be used as a difference.

In multiple cases without running the anti-virus in-between, './.local/share/gvfs-metadata...' and './.gconf/apps/nautilus...' were found to have been modified according to diff.

The question is, is there a better way to identify artifacting on a bit-level? Or just disregard these files and move on?

Thanks!

Mason


Solution

  • You probably want to run from single-user mode, or at least switch off the GUI, to run the scan, as GUI applications and daemons may well write files in between.
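
The pre- and post-scan comparison from the question, as an added example (not code from the original question or answer). The function names `snapshot` and `compare` are hypothetical, the manifests are assumed to be written outside the tree being checked, and filenames are assumed to contain no tabs or newlines.

```shell
#!/bin/sh
# Added example: checksum manifest before/after a scan, then report differences.

# snapshot ROOT OUT
# Writes "path<TAB>crc<TAB>size" for every regular file under ROOT, sorted by path.
# -type f skips FIFOs, sockets and devices; -xdev stays on one filesystem.
# OUT must live outside ROOT, otherwise the manifest checksums itself.
snapshot() {
    ( cd "$1" && find . -xdev -type f -exec cksum {} + ) |
        awk '{ crc = $1; size = $2
               sub(/^[^ ]+ [^ ]+ /, "")      # keep the path, spaces included
               print $0 "\t" crc "\t" size }' |
        LC_ALL=C sort > "$2"
}

# compare BEFORE AFTER
# Prints one line per path: CHANGED, ADDED or REMOVED.
# Exit status is 0 when the manifests agree and 1 when anything differs.
compare() {
    awk -F '\t' '
        FILENAME == ARGV[1]          { before[$1] = $2 FS $3; next }
        !($1 in before)              { print "ADDED\t" $1; n++; next }
        before[$1] != ($2 FS $3)     { print "CHANGED\t" $1; n++ }
                                     { delete before[$1] }
        END { for (p in before) { print "REMOVED\t" p; n++ }
              exit (n > 0) }
    ' "$1" "$2"
}

# Constructed demo on a throwaway tree: sh thisfile demo
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d) && mkdir "$t/box"
    printf 'a\n' > "$t/box/kept file.txt"
    printf 'b\n' > "$t/box/touched.txt"
    snapshot "$t/box" "$t/cksum_A.txt"
    printf 'c\n' >> "$t/box/touched.txt"    # stands in for a scanner side effect
    snapshot "$t/box" "$t/cksum_B.txt"
    compare "$t/cksum_A.txt" "$t/cksum_B.txt"
    rm -rf "$t"
fi
```

Taking two snapshots back to back without running the scanner gives a baseline of files that change on their own, which is the noise the answer attributes to GUI applications and daemons.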