Hello, I have recently made some experiments with on-access scanning with clamd, using clamav 0.98.3 from Fedora 19.
The documentation of the "OnAccessIncludePath" option says "Set the include paths (all files inside them will be scanned)". The clamd code calls fanotify_mark() with fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will only receive events for *immediate* children of a directory listed as "OnAccessIncludePath" (see fanotify_mark(2)).

Is that really meant by "all files inside them will be scanned"? My expectation would have been that by specifying "/home" as OnAccessIncludePath, all users' home directories would be scanned (rather than just regular files directly under /home, which is probably an empty set).

Why doesn't clamd use FAN_MARK_MOUNT instead?

Regards
Martin

PS: I'd also be curious to understand why FAN_ACCESS (notification on read) is used by clamd. For the common case of files that are read more often than written, this would result in some files being re-scanned over and over again. Why not scan files as they are written, at least for a host's local, non-removable file systems?

--
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering
Fujitsu Technology Solutions GmbH
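The coverage difference raised in the message above can be measured directly. The following C program is an added example, not part of the original post and not clamd's code: it marks a temporary directory once with FAN_ACCESS|FAN_EVENT_ON_CHILD and once with FAN_MARK_MOUNT, reads one direct child and one file in a subdirectory, and counts the events delivered. The function names and the /tmp/fan-demo-* layout are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fanotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a one-byte file and read it back; the pread() raises FAN_ACCESS. */
static int write_then_read(const char *path) {
    char c = 'x';
    int fd = open(path, O_CREAT | O_RDWR, 0600);
    if (fd < 0) return -1;
    int ok = pwrite(fd, &c, 1, 0) == 1 && pread(fd, &c, 1, 0) == 1;
    close(fd);
    return ok ? 0 : -1;
}

/* Number of FAN_ACCESS events caused by this process that the listener saw,
 * or -1 if fanotify is unavailable (fanotify_init needs CAP_SYS_ADMIN). */
int count_access_events(int use_mount_mark) {
    char dir[] = "/tmp/fan-demo-XXXXXX", top[64], sub[64], deep[96];
    struct fanotify_event_metadata buf[64], *m;
    int seen = 0, fan = fanotify_init(FAN_CLASS_NOTIF | FAN_NONBLOCK, O_RDONLY);
    ssize_t len;
    if (fan < 0 || !mkdtemp(dir)) { if (fan >= 0) close(fan); return -1; }
    snprintf(top, sizeof top, "%s/top.txt", dir);        /* direct child */
    snprintf(sub, sizeof sub, "%s/user", dir);           /* like /home/user */
    snprintf(deep, sizeof deep, "%s/deep.txt", sub);     /* grandchild */
    mkdir(sub, 0700);
    unsigned int flags = FAN_MARK_ADD | (use_mount_mark ? FAN_MARK_MOUNT : 0);
    unsigned long long mask = FAN_ACCESS | (use_mount_mark ? 0 : FAN_EVENT_ON_CHILD);
    if (fanotify_mark(fan, flags, mask, AT_FDCWD, dir) == 0) {
        write_then_read(top);
        write_then_read(deep);
        while ((len = read(fan, buf, sizeof buf)) > 0)   /* drain until EAGAIN */
            for (m = buf; FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
                if ((m->mask & FAN_ACCESS) && m->pid == getpid()) seen++;
                if (m->fd >= 0) close(m->fd);
            }
    } else seen = -1;
    unlink(top); unlink(deep); rmdir(sub); rmdir(dir); close(fan);
    return seen;
}

int main(void) {
    printf("dir mark: %d, mount mark: %d\n", count_access_events(0), count_access_events(1));
    return 0;
}
```

Run as root, the directory mark reports one event (only top.txt) while the mount mark reports two; events from other processes on the same mount are filtered out by PID so the counts stay comparable.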
