Hello,

I’m trying to implement on access scanning for docker containers using 
overlayfs by running ClamAV outside of a container.  I’m using Amazon Linux 2 
which is currently at 0.101.4.

If I set "OnAccessMountPath /", an eicar test file downloaded and read via a 
container isn’t detected.  If I read the file created within the container from 
outside the container it is detected.

If I set "OnAccessIncludePath /var/lib/docker/overlay2" I get:

Tue Oct  8 15:22:12 2019 -> ScanOnAccess: Protecting directory '/var/lib/docker/overlay2' (and all sub-directories)
Tue Oct  8 15:22:12 2019 -> ERROR: ScanOnAccess: Could not watch path '/var/lib/docker/overlay2', Success

I also tried "OnAccessIncludePath /var/lib/docker/overlay2/<uuid>/merged" which 
isn’t practical because the uuid is generated when the container starts but it 
does work.

I see that 0.102.0 has significant changes to on access scanning so I’m trying 
to test that but the configure script isn’t detecting fanotify support. I have 
kernel-devel and glibc-headers installed.  I’ve also confirmed fanotify support 
with "cat /boot/config-<kernel_version> | grep FANOTIFY".

I get an error from the configure script:

./configure: line 30024: auto=yes: command not found

Here’s the full configure output: https://pastebin.com/0xYqhr2V

This was my attempt to fix it but it didn’t work: https://pastebin.com/k2kCrmHP

Thanks,
Arthur
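
Added example, not part of the original message and not ClamAV project code: the per-container "merged" path is reported above to work but is only known once a container starts, so this shell function derives those paths from the mount table and prints them as OnAccessIncludePath lines. It assumes Docker's overlay mounts are visible in the host's /proc/self/mountinfo; the function names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Read mountinfo-formatted text on stdin and print one OnAccessIncludePath
# line for each mounted Docker overlay2 "merged" directory.
overlay_include_paths() {
    awk '
    {
        # mountinfo: field 5 is the mount point; after a variable number of
        # optional fields comes a "-" separator, then the filesystem type.
        fstype = ""
        for (i = 7; i < NF; i++) {
            if ($i == "-") { fstype = $(i + 1); break }
        }
        # Keep only overlay mounts that sit exactly at overlay2/<id>/merged.
        if (fstype == "overlay" &&
            $5 ~ "^/var/lib/docker/overlay2/[^/]+/merged$") {
            print "OnAccessIncludePath " $5
        }
    }' | sort -u
}

# Constructed sample in /proc/self/mountinfo format (ids and paths are made up).
sample_mountinfo() {
cat <<'EOF'
22 1 202:1 / / rw,noatime shared:1 - xfs /dev/xvda1 rw,attr2,inode64,noquota
85 22 0:45 / /var/lib/docker/overlay2/1111aaaa/merged rw,relatime shared:30 - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAAA,upperdir=/var/lib/docker/overlay2/1111aaaa/diff,workdir=/var/lib/docker/overlay2/1111aaaa/work
91 22 0:52 / /var/lib/docker/overlay2/2222bbbb/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/2222bbbb/diff,workdir=/var/lib/docker/overlay2/2222bbbb/work
97 22 0:60 / /mnt/other rw,relatime - overlay overlay rw,lowerdir=/a,upperdir=/b,workdir=/c
99 22 0:61 / /var/lib/docker/overlay2/3333cccc/merged rw - tmpfs tmpfs rw
EOF
}

# Demonstration on the constructed sample. On a real host the input would be:
#   overlay_include_paths < /proc/self/mountinfo
sample_mountinfo | overlay_include_paths
```

The list reflects only the containers running when it is generated, so it has to be regenerated as containers start and stop.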