[Clamav-devel] fanotify based on-access scanning doesn't work as expected

Steven Morgan smorgan at sourcefire.com
Wed Jul 2 13:24:09 EDT 2014


Martin,

You are correct. I've opened ticket 11049 on bugzilla.clamav.net to track
the issues.

Thanks,
Steve


On Mon, Jun 30, 2014 at 12:10 PM, Martin Wilck <martin.wilck at ts.fujitsu.com>
wrote:

> Hello,
>
> I have recently made some experiments with on-access scanning with
> clamd, using clamav 0.98.3 from Fedora 19.
>
> The documentation of the "OnAccessIncludePath" option says "Set the
> include paths (all files inside them will be scanned)".
>
> The clamd code calls fanotify_mark() with
> fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will
> only receive events for *immediate* children of a directory listed as
> "OnAccessIncludePath" (see fanotify_mark(2)).
>
> Is that really meant by "all files inside them will be scanned"? My
> expectation would have been that by specifying "/home" as
> OnAccessIncludePath, all users' home directories would be scanned
> (rather than just regular files directly under /home, which is probably
> an empty set).
>
> Why doesn't clamd use FAN_MARK_MOUNT instead?
>
> Regards
> Martin
>
> PS: I'd also be curious to understand why FAN_ACCESS (notification on
> read) is used by clamd. For the common case of files that are read more
> often than written, this would result in some files being re-scanned over
> and over again. Why not scan files as they are written, at least for a
> host's local, non-removable file systems?
>
> --
> Dr. Martin Wilck
> PRIMERGY System Software Engineer
> x86 Server Engineering
>
> FUJITSU
> Fujitsu Technology Solutions GmbH
> Heinz-Nixdorf-Ring 1
> 33106 Paderborn, Germany
> Phone:                  ++49 5251 525 2796
> Fax:                    ++49 5251 525 2820
> Email:                  martin.wilck at ts.fujitsu.com
> Internet:               http://ts.fujitsu.com
> Company Details:        http://ts.fujitsu.com/imprint
>

