While you can still use OnAccessScanning to alert on detection, prevention isn't possible with your kernel configuration.
I'm still curious about how/why you're seeing scans outside of the specified directories. I'll look into that a bit more.

On Thu, Feb 25, 2016 at 11:08 AM, kamil kapturkiewicz <hor...@wp.pl> wrote:
> On Thursday, 25 February 2016 16:53 Mickey Sola <ms...@sourcefire.com> wrote:
> > Hi Kamil,
> >
> > A few things: what OS and kernel version are you using? what are the
> > results of opening the eicar file with vi (or your editor of choice)? are
> > /home/ and/or /var/ftp/ mount points? if so, are there symlinks within
> > those directory hierarchies? is your kernel configured with
> > CONFIG_FANOTIFY_ACCESS_PERMISSIONS?
> >
> > Also, extra scanning won't work without DDD since it piggybacks off of
> > the inotify events caught by that system (events which otherwise aren't
> > caught by fanotify).
> >
> > - Mickey
>
> 1. Debian Jessie 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux
> 2. I can open the eicar file without any problems.
> 3. System is installed on a single / partition.
> 4. cat /boot/config-3.16.0-4-amd64 | grep FANOTIFY
> CONFIG_FANOTIFY=y
> # CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set
>
> so I presume SoA will not work with this kernel.
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
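The thread's point is that clamd's on-access *prevention* needs CONFIG_FANOTIFY_ACCESS_PERMISSIONS in the kernel, while *detection* works with plain CONFIG_FANOTIFY. The script below is an added example, not ClamAV's own code: it compares a kernel config file against a clamd.conf and reports whether a requested OnAccessPrevention will actually be honoured or silently degrade to detect-only. The sample config files are constructed to mirror Kamil's Debian Jessie output; on a real host you would pass /boot/config-$(uname -r) and /etc/clamav/clamd.conf.

```sh
#!/bin/sh
# Added example (not ClamAV code): does this kernel support clamd's
# OnAccessPrevention, or will on-access scanning be detection-only?

# Return 0 if a kernel config option is built in (=y) or a module (=m).
kconfig_enabled() {
    # $1 = kernel config path, $2 = option name
    grep -q "^$2=[ym]$" "$1"
}

# Return 0 if clamd.conf enables the option (ClamAV accepts yes/true/1).
clamd_opt_yes() {
    # $1 = clamd.conf path, $2 = option name
    grep -Ei "^[[:space:]]*$2[[:space:]]+(yes|true|1)[[:space:]]*$" "$1" >/dev/null
}

# Print the effective on-access mode and return non-zero when the admin
# asked for prevention but the kernel cannot deliver it:
#   prevention    - permission events available and requested (rc 0)
#   not-requested - OnAccessPrevention not enabled in clamd.conf  (rc 0)
#   detect-only   - fanotify present, ACCESS_PERMISSIONS missing  (rc 1)
#   no-fanotify   - CONFIG_FANOTIFY missing, no on-access at all   (rc 2)
onaccess_mode() {
    kconf=$1; clamconf=$2
    kconfig_enabled "$kconf" CONFIG_FANOTIFY || { echo no-fanotify; return 2; }
    clamd_opt_yes "$clamconf" OnAccessPrevention || { echo not-requested; return 0; }
    if kconfig_enabled "$kconf" CONFIG_FANOTIFY_ACCESS_PERMISSIONS; then
        echo prevention; return 0
    fi
    echo detect-only; return 1
}

# Constructed sample inputs (not real files from the thread's host).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
printf 'CONFIG_FANOTIFY=y\n# CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set\n' \
    > "$tmpd/config-jessie"
printf 'CONFIG_FANOTIFY=y\nCONFIG_FANOTIFY_ACCESS_PERMISSIONS=y\n' \
    > "$tmpd/config-perm"
printf 'ScanOnAccess yes\nOnAccessPrevention yes\nOnAccessIncludePath /home\n' \
    > "$tmpd/clamd.conf"

mode=$(onaccess_mode "$tmpd/config-jessie" "$tmpd/clamd.conf" || true)
echo "Jessie-style kernel + prevention requested: $mode"   # detect-only
mode=$(onaccess_mode "$tmpd/config-perm" "$tmpd/clamd.conf" || true)
echo "kernel with ACCESS_PERMISSIONS + prevention requested: $mode"   # prevention
```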