[clamav-users] CentOS 7 fanotify and Clamd
Nick Couchman
nick.e.couchman at gmail.com
Thu Mar 16 15:35:10 UTC 2017

I'm trying to get on-access scanning working in clamav on CentOS 7. I'm
running CentOS 7.3, kernel 3.10.0-514.6.2.el7.x86_64, and can confirm that
the kernel is compiled with fanotify support:

    # grep -i fanotify /boot/config-3.10.0-514.6.2.el7.x86_64
    CONFIG_FANOTIFY=y
    CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

I also have SELinux set to Permissive mode, and, just in case, ran the
setsebool options for enabling antivirus support in SELinux.

I've configured clamd to start as root, which is required for fanotify, and
have the following options configured:

    ScanOnAccess yes
    OnAccessMountPath /
    OnAccessMountPath /fstest
    OnAccessIncludePath /home
    OnAccessIncludePath /fstest

I've got clamd started and verified it's running, and I get the following
output in the log file:

    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: notifying only for access attempts.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Protecting '/fstest' and rest of mount.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes

So, it seems like it should be configured correctly and working? But, if I
download the eicar test virus (eicar.com, eicar.com.txt, eicar.zip), and
then copy it around, cat it, etc., in either the /home directory or the
/fstest directory, nothing happens. No entries in the log files, no
warnings - nothing to indicate that clamd is getting notified of the file
access attempt, let alone actually scanning it.

What am I missing??

Thanks!

-Nick
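
One way to check, independently of clamd, whether the kernel delivers fanotify events for a mount such as /fstest (an added example, not part of the original post and not ClamAV code). The function name `probe_mount`, its parameters and the mount-wide FAN_OPEN mark are assumptions chosen to mirror the OnAccessMountPath setting; it must run as root.

```c
/* Added diagnostic example; not from the original post, not ClamAV code.
 * probe_mount() and its parameters are hypothetical names. Run as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Mark the whole mount containing mount_path, open probe_file ourselves, and
 * count the FAN_OPEN events queued within timeout_ms.
 * Returns the event count (>= 0), or -errno if a step fails. */
int probe_mount(const char *mount_path, const char *probe_file, int timeout_ms)
{
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0)
        return -errno;              /* EPERM here means no CAP_SYS_ADMIN */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN,
                      AT_FDCWD, mount_path) < 0) {
        int e = errno; close(fan); return -e;
    }
    int fd = open(probe_file, O_RDONLY);   /* the access we expect to see */
    if (fd < 0) { int e = errno; close(fan); return -e; }
    close(fd);

    int count = 0;
    struct pollfd pfd = { .fd = fan, .events = POLLIN };
    if (poll(&pfd, 1, timeout_ms) > 0) {
        char buf[4096] __attribute__((aligned(8)));
        ssize_t len = read(fan, buf, sizeof buf);
        struct fanotify_event_metadata *m = (void *)buf;
        for (; len > 0 && FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->mask & FAN_OPEN) count++;
            if (m->fd >= 0) close(m->fd);  /* each event carries an open fd */
        }
    }
    close(fan);
    return count;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s MOUNT FILE\n", argv[0]); return 2; }
    int n = probe_mount(argv[1], argv[2], 1000);
    if (n < 0) { fprintf(stderr, "probe failed: errno %d\n", -n); return 1; }
    printf("%d FAN_OPEN event(s) delivered for %s\n", n, argv[1]);
    return n > 0 ? 0 : 1;
}
```

The count covers every open on the marked mount during the wait, not only the probe's own. A non-zero result shows the kernel is delivering events for that mount, which narrows the search to clamd's side.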