[Clamav-devel] fanotify based on-access scanning doesn't work as expected
smorgan at sourcefire.com
Wed Jul 2 13:24:09 EDT 2014
You are correct. I've opened ticket 11049 on bugzilla.clamav.net to track
On Mon, Jun 30, 2014 at 12:10 PM, Martin Wilck <martin.wilck at ts.fujitsu.com>
> I have recently made some experiments with on-access scanning with
> clamd, using clamav 0.98.3 from Fedora 19.
> The documentation of the "OnAccessIncludePath" option says "Set the
> include paths (all files inside them will be scanned)".
> The clamd code calls fanotify_mark() with
> fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will
> only receive events for *immediate* children of a directory listed as
> "OnAccessIncludePath" (see fanotify_mark(2)).
> Is that really meant by "all files inside them will be scanned"? My
> expectation would have been that by specifying "/home" as
> OnAccessIncludePath, all users' home directories would be scanned
> (rather than just regular files directly under /home, which is probably
> an empty set).
> Why doesn't clamd use FAN_MARK_MOUNT instead?
> PS: I'd also be curious to understand why FAN_ACCESS (notification on
> read) is used by clamd. For the common case of files that are read more
> often than written, this would result in some files being re-scanned over
> and over again. Why not scan files as they are written, at least for a
> host's local, non-removable file systems?
> Dr. Martin Wilck
> PRIMERGY System Software Engineer
> x86 Server Engineering
> Fujitsu Technology Solutions GmbH
> Heinz-Nixdorf-Ring 1
> 33106 Paderborn, Germany
> Phone: ++49 5251 525 2796
> Fax: ++49 5251 525 2820
> Email: martin.wilck at ts.fujitsu.com
> Internet: http://ts.fujitsu.com
> Company Details: http://ts.fujitsu.com/imprint
> Please submit your patches to our Bugzilla: http://bugs.clamav.net
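The difference between the two marks discussed in this thread, as an added example that is not part of the original messages and is not clamd's code: a small fanotify watcher that installs either a directory mark with FAN_ACCESS|FAN_EVENT_ON_CHILD or a FAN_MARK_MOUNT mark, plus a path model of which files a directory mark covers. The names `scope`, `mark_flags`, `mark_mask`, `dir_mark_sees` and `watch` are made up for the example, and the use of FAN_MARK_ADD and FAN_CLASS_NOTIF is an assumption, since the thread only quotes the event mask.

```c
#define _GNU_SOURCE                                 /* for O_LARGEFILE */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

enum scope { DIR_CHILDREN, WHOLE_MOUNT };           /* names made up for this example */
/* FAN_MARK_MOUNT widens the mark from one directory to the whole mount. */
static unsigned int mark_flags(enum scope s) {
    return FAN_MARK_ADD | (s == WHOLE_MOUNT ? FAN_MARK_MOUNT : 0);
}
static uint64_t mark_mask(enum scope s) {           /* ON_CHILD only affects directory marks */
    return FAN_ACCESS | (s == DIR_CHILDREN ? FAN_EVENT_ON_CHILD : 0);
}
/* Model of a directory mark: 1 only if path is an immediate child of dir. */
static int dir_mark_sees(const char *dir, const char *path) {
    size_t n = strlen(dir);
    while (n > 0 && dir[n - 1] == '/') n--;         /* ignore trailing '/' */
    if (strncmp(dir, path, n) != 0 || path[n] != '/') return 0;
    return path[n + 1] != '\0' && strchr(path + n + 1, '/') == NULL;
}
static int watch(const char *path, enum scope s) {  /* fd or -errno; needs CAP_SYS_ADMIN */
    int fd = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fd < 0) return -errno;
    if (fanotify_mark(fd, mark_flags(s), mark_mask(s), AT_FDCWD, path) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}
int main(int argc, char **argv) {                   /* usage: prog PATH [mount] */
    if (argc < 2) return 2;
    int fd = watch(argv[1], argc > 2 ? WHOLE_MOUNT : DIR_CHILDREN);
    if (fd < 0) { fprintf(stderr, "watch: %s\n", strerror(-fd)); return 1; }
    struct fanotify_event_metadata buf[64], *m;
    ssize_t len;
    while ((len = read(fd, buf, sizeof buf)) > 0) {
        for (m = buf; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            char link[64], path[4096];
            if (m->fd < 0) continue;                /* e.g. queue overflow record */
            snprintf(link, sizeof link, "/proc/self/fd/%d", m->fd);
            ssize_t l = readlink(link, path, sizeof path - 1);
            if (l >= 0) { path[l] = '\0'; printf("FAN_ACCESS %s\n", path); }
            close(m->fd);
        }
    }
    return 0;
}
```

Run as root against a directory, read a file one level down and a file two levels down, then repeat with the extra `mount` argument to compare which reads are reported.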