[clamav-users] Clamd OnAccess + OnAccessPrevention performance questions (linux)...

Ian clamav at zestysoft.com
Fri Oct 11 11:44:59 EDT 2019

1) Does OnAccessPrevention mean that it blocks access to files when they are in the queue, while scanned, and forevermore if detected as malicious, or is it a subset of this?  Conversely, if OnAccessPrevention is disabled, can I expect a performance boost since there should be no blocking at any point in the processing pipeline?

2) I’ve seen log entries like this when OnAccessPrevention is disabled, but it’s not clear if this was a file clamd would have temporarily blocked access to had it been able to get a lock on the file before it was removed?

ScanOnAccess: /tmp/MLbtUsOc (deleted): (null) FOUND

I assume linux doesn’t provide a means where clamd can easily hook into kernel file create events to do something like create additional hard links to transient files so that it can leisurely scan them while letting the originating app think it has deleted the file and move on?

3) Is OnAccessPrevention global?  There are directories where I’d like to know about findings but not otherwise act on, however I would prefer to enable prevention for other areas of the system.

Related, is it possible to have different actions depending on different types/families of malicious files?  For instance if I’m running a linux system, I may be more concerned with native binaries than Windows executables.

4) LeaveTemporaryFiles — is there a version of this but only when a detection is found?  Or a LeaveHardlinks for found items that I can later investigate myself?

Thanks and sorry for the grouping of questions — I didn’t want to spam the list with different threads.

More information about the clamav-users mailing list