We were running into an issue where larger files were not able to be moved after scanning with ClamAV. Our hypothesis was that perhaps the process has not released access to the file and we were experiencing a race condition.
Upon investigating, I attempted to monitor the file we were scanning using lsof on repeat mode. To my surprise, upon scanning a 900MB file with clamscan and clamdscan, lsof never lists the file as being opened by... anything. I am not a Linux expert per se, but I found this quite odd. I would assume that the file must be opened somehow by something in order to be scanned. I tested the efficacy of this by scanning the EICAR test file and it correctly reported 1 infection, so I know the files are actually being scanned.

So I ask, what is actually going on here? Am I completely missing something obvious? Is there some kind of "cache" in play here? Why am I not able to see my file being opened by ClamAV when it's being scanned?

Any help would be appreciated.

Alex