[Clamav-devel] On write close scan with Fanotify

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Jan 25 16:24:40 EST 2019


Hi David,

Interesting idea. I can appreciate the use case to only scan files that are new or modified.  Anyone who uses it though should be aware that ClamAV's on-access scanning would have to be enabled 100% of the time.  In addition, they wouldn't be protected unless a signature for the malware has been deployed before infection.  I would recommend also configuring a regularly scheduled scan to double check existing files.

On the topic of on-access scanning:
    Mickey is actively working on separating the on-access scan feature into a separate utility.  At present, clamd must be run as root to enable on-access scanning.  Making a separate tool that interfaces with clamd, similar to clamdscan and clamav-milter, is a small step towards sandboxing the scanning engine in an unprivileged process.  I've attached the link you provided for review to our on-access scanner development task.

You may want to hold off on putting in a pull request or adding any documentation until the new on-access tool is complete and has been merged into dev/0.102.

-Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jan 24, 2019, at 4:13 PM, David Collins <davetha at gmail.com> wrote:

Hi,
I work with a large environment that is extremely file open heavy.
Over the years, we have either avoided access scanning altogether,
or had clam hook into file upload events in specific daemons (mail,
ftp etc..).

Many proprietary AV solutions support scan on close which works well on
environments similar to mine.

I've written a fully usable PoC, including an OnWriteClose option to
toggle it on and off.  Before I start writing documentation for the
option, I'd like to see if this is a feature ClamAV would value.

Link to clamav-devel fork&commit
https://github.com/davetha/clamav-devel/commit/432e63dcb5559b43532abbc83adcaf9e780901e5
Thanks in advance!
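The scan-on-close idea discussed in this thread, as an added example that is not taken from David's commit or from the ClamAV code base: a minimal Linux fanotify listener in C that reacts only to FAN_CLOSE_WRITE, so files that are merely opened and read generate no scan work. The `queue_for_scan` hook and the default `/tmp` mount are assumptions for illustration; the listener needs CAP_SYS_ADMIN, which matches the point above about on-access scanning requiring root.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Hypothetical hook: a real tool would pass the fd or path to the scanner. */
static void queue_for_scan(int fd)
{
    char link[64], path[PATH_MAX];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, path, sizeof path - 1);
    if (n > 0) { path[n] = '\0'; printf("queue for scan: %s\n", path); }
}

/* Process one buffer read from a fanotify fd. Returns the number of files
 * queued (closed after being open for writing), or -1 on a version mismatch. */
int handle_events(const char *buf, ssize_t len)
{
    const struct fanotify_event_metadata *ev = (const void *)buf;
    int queued = 0;
    for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION) return -1;
        if (ev->fd < 0) continue;          /* FAN_NOFD, e.g. queue overflow */
        if (ev->mask & FAN_CLOSE_WRITE) { queue_for_scan(ev->fd); queued++; }
        close(ev->fd);                     /* every event fd must be closed */
    }
    return queued;
}

int main(int argc, char **argv)
{
    const char *mnt = argc > 1 ? argv[1] : "/tmp";   /* assumed mount to watch */
    /* Notification class: events arrive after the close, nothing is blocked. */
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_CLOSE_WRITE,
                      AT_FDCWD, mnt) < 0) { perror("fanotify_mark"); return 1; }
    char buf[8192] __attribute__((aligned(8)));
    ssize_t len;
    while ((len = read(fan, buf, sizeof buf)) > 0)
        if (handle_events(buf, len) < 0) break;
    return 0;
}
```

Because the event is delivered after the writer has closed the file, this mode detects rather than blocks, and files that existed before the listener started are never seen, which is why a scheduled full scan is still recommended above.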