Thanks for the info.

I disabled apparmor (systemctl disable apparmor) and rebooted but still got the 'could not watch /var/www' error, so re-enabled it again.

/var is a separate partition with www being a "regular" subdir under that. We use autofs to mount some shared directories under www for the webserver and after disabling autofs, the error has gone away. So, I don't know if autofs itself is the issue, or maybe something could be altered with the autofs mount options to get this working with the network mounts. It probably makes more sense to have those files scanned on the NAS rather than over a network link so maybe the point is moot. If excluding them works on the web server, then that's probably fine.

This is /etc/auto.master:

/- /etc/auto.sshfs --timeout=30,--ghost

This is a reduced /etc/auto.sshfs. All four entries are basically the same just different mounts/locations on the NAS:

/var/www/wordpress/incoming -fstype=fuse,user,idmap=user,transform_symlinks,allow_other,uid=www-data,gid=www-data,ro,nodev,nonempty,noatime,allow_other,max_read=65536,port=61122,identityfile=/root/.ssh/nas_sshfs :sshfs\#user_sftp@nas.mycorp.com\:/incoming/

I added OnAccessExcludePath for the autofs mounts in clamd.config, which seems to be working, but I still get some errors for files under that mount (scan failed with error code 34), which I still need to research.
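
Added example, not part of the original post: a shell helper that reads the mount points out of an autofs direct map like the /etc/auto.sshfs above and prints the OnAccessExcludePath lines that a clamd configuration file does not yet contain for them. The function names, the host nas.example, the second mount and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Print the mount points (keys) of an autofs direct map such as /etc/auto.sshfs.
# Skips comment lines and joins backslash-continued lines; "\#" inside an
# entry is an escaped character, not a comment.
autofs_direct_keys() {
    awk '
        /^[ \t]*#/ { next }
        { line = pending $0; pending = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); pending = line; next }
        { $0 = line; if ($1 ~ /^\//) print $1 }
    ' "$1"
}

# Print an OnAccessExcludePath line for every map key that the given
# clamd configuration file does not already exclude (exact path match,
# ignoring a trailing slash).
missing_excludes() {
    autofs_direct_keys "$1" | while IFS= read -r key; do
        awk -v want="${key%/}" '
            $1 == "OnAccessExcludePath" { p = $2; sub(/\/$/, "", p); if (p == want) found = 1 }
            END { exit !found }
        ' "$2" || printf 'OnAccessExcludePath %s\n' "${key%/}"
    done
}

# Constructed sample files (hypothetical host and paths modelled on the post).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
MAP=$tmp/auto.sshfs
CONF=$tmp/clamd.conf
cat > "$MAP" <<'EOF'
# constructed direct map
/var/www/wordpress/incoming -fstype=fuse,ro,allow_other \
    :sshfs\#user_sftp@nas.example\:/incoming/
/var/www/wordpress/media/ -fstype=fuse,ro :sshfs\#user_sftp@nas.example\:/media/
EOF
cat > "$CONF" <<'EOF'
OnAccessIncludePath /var/www
OnAccessExcludePath /var/www/wordpress/incoming
EOF

# Only the mount that is not yet excluded is reported.
missing_excludes "$MAP" "$CONF"
```

On a real host the two arguments would be the direct map and the clamd configuration file in use; the output is meant to be reviewed before being appended to that file.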