While it is not recommended to scan everything under /var (or /var
at all), the reason it fails is because you have /var submounts
(/var/log, /var/tmp).
This is currently a known bug in clamav (I reported
it: https://bugzilla.clamav.net/show_bug.cgi?id=12306 ), and the
workaround in your case is:

OnAccessIncludePath /var/log
OnAccessIncludePath /var/tmp
OnAccessIncludePath /var

and then, if you don't want /var/log and /var/tmp, add these in the
exclude:

ExcludePath ^/var/log
ExcludePath ^/var/tmp

Franky
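
A check for the situation described in the reply above, as an added example that is not part of the original thread or of ClamAV: it lists mount points nested under an OnAccessIncludePath entry that have no entry of their own. The function name, the sample mount table and its device names are constructed, and treating every nested mount (including /var/log/audit) like the two paths named in the reply is an assumption.

```shell
#!/bin/sh
# Added example. Prints an "OnAccessIncludePath" line for every mount point
# that sits below an existing OnAccessIncludePath entry but has no entry of
# its own. Nested mounts are printed before their parents, matching the
# order used in the workaround above.
#   $1: mount table in /proc/self/mounts format
#   $2: clamd configuration file
missing_submount_includes() {
    awk '
        FILENAME == ARGV[1] {            # first file: the clamd config
            if ($1 == "OnAccessIncludePath") inc[$2] = 1
            next
        }
        {                                # second file: the mount table
            mp = $2
            if (mp in inc) next          # already listed explicitly
            for (p in inc) {
                pre = (p == "/") ? "/" : p "/"
                if (index(mp, pre) == 1) {
                    print "OnAccessIncludePath " mp
                    break
                }
            }
        }
    ' "$2" "$1" | LC_ALL=C sort -ru
}

# Constructed sample input mirroring the layout described in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/mounts" <<'EOF'
/dev/sda2 / xfs rw 0 0
/dev/sda1 /boot xfs rw 0 0
/dev/mapper/vg-home /home xfs rw 0 0
/dev/mapper/vg-var /var xfs rw 0 0
/dev/mapper/vg-log /var/log xfs rw 0 0
/dev/mapper/vg-tmp /var/tmp xfs rw 0 0
/dev/mapper/vg-audit /var/log/audit xfs rw 0 0
EOF
cat > "$tmp/scan.conf" <<'EOF'
OnAccessIncludePath /boot
OnAccessIncludePath /home
OnAccessIncludePath /usr
OnAccessIncludePath /var
EOF
missing_submount_includes "$tmp/mounts" "$tmp/scan.conf"
```

On a real host, pass /proc/self/mounts and the path of your own scan.conf as the two arguments.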

On Tuesday, 24-09-2019 at 15:30, CROFT Ian wrote:

Hi

We have a need to have OnAccessScanning on our RHEL servers but with
some path exclusions.

So as I read the manuals etc it seems I have to use the
OnAccessIncludePath rather than the OnAccessMountPath.

So the filesystem layout is as such :-

/
/boot
/home
/var
/var/log
/var/tmp
/var/log/audit

So I have set up the following IncludePath entries in scan.conf

OnAccessIncludePath /boot
OnAccessIncludePath /dev
OnAccessIncludePath /etc
OnAccessIncludePath /home
OnAccessIncludePath /opt
OnAccessIncludePath /usr
OnAccessIncludePath /var

When then starting the clamd:scan service all paths seem to be ok apart
from /var which gave the following error

ERROR: ScanOnAccess: Could not watch path ‘/var’, No space left on
device.

So I increased the number in /proc/sys/fs/inotify/max_user_watches
from 8192 to 32768 ( Only 21551 total directories in the whole of the
server so should cover it )

So now it doesn’t give me the message about space but gives this
message :-

ERROR: ScanOnAccess: Could not watch path ‘/var’, Success

And is still not monitoring for anything under /var ( eicar test files
not being picked up. ) All other paths seem to be working ok.

Does anybody know where I am going wrong ?

Cheers

Ian

Ian CROFT
Senior Infrastructure Support Analyst
Sopra Steria
101 Dalton Avenue
Birchwood Park, Cheshire
Warrington WA3 6YF - United Kingdom
Phone: 07966 825245
ian.cro...@soprasteria.com - www.soprasteria.co.uk

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
