I'm trying to get on-access scanning working in clamav on CentOS 7. I'm running CentOS 7.3, kernel 3.10.0-514.6.2.el7.x86_64, and can confirm that the kernel is compiled with fanotify support:
    # grep -i fanotify /boot/config-3.10.0-514.6.2.el7.x86_64
    CONFIG_FANOTIFY=y
    CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y

I also have SELinux set to Permissive mode, and, just in case, ran the setsebool options for enabling antivirus support in SELinux. I've configured clamd to start as root, which is required for fanotify, and have the following options configured:

    ScanOnAccess yes
    OnAccessMountPath /
    OnAccessMountPath /fstest
    OnAccessIncludePath /home
    OnAccessIncludePath /fstest

I've got clamd started and verified it's running, and I get the following output in the log file:

    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: notifying only for access attempts.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Protecting '/' and rest of mount.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Protecting '/fstest' and rest of mount.
    Thu Mar 16 11:29:52 2017 -> ScanOnAccess: Max file size limited to 5242880 bytes

So, it seems like it should be configured correctly and working? But, if I download the eicar test virus (eicar.com, eicar.com.txt, eicar.zip), and then copy it around, cat it, etc., in either the /home directory or the /fstest directory, nothing happens. No entries in the log files, no warnings - nothing to indicate that clamd is getting notified of the file access attempt, let alone actually scanning it.

What am I missing??

Thanks!
-Nick
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml