> I am not using clamonacc. I run my own program that uses fanotify, just like
> clamonacc does, and gets a list of files that are modified/added.
> I send that list to clamscan or clamdscan.

A bit like incrond (which uses inotify()).

> The problem is a limitation of fanotify, which is that "The fanotify API does
> not report file accesses and modifications that may occur because of mmap(2),
> msync(2), and munmap(2)."

Same goes for inotify() -- just checked.

So whenever a process alters a file using mmap()/munmap() or msync(), your program (or rather inotify/fanotify) doesn't detect any change, and thus the file won't be in the list passed to clamscan or clamdscan.

> Now my assumption is mmap, msync, munmap deal with memory mapped files. So
> the questions I have are:
> "does clamav scan memory mapped files?"

Yes: after all, a file is just a file. In the end, it's all on disk.

> Further details: If I run clamscan or clamdscan on "/", it would scan all files,
> so it does not matter.
> But how does clamonacc overcome this limitation since it uses fanotify?

It doesn't (from the clamonacc man page):

    The clamonacc daemon registers for file access notifications from the
    Linux kernel and in response, submits scans to the clamd scanning daemon
    for a verdict. On-Access requires a kernel version >= 3.8, because it
    leverages a kernel api called --> fanotify <-- to block processes from
    attempting to access malicious files.

> If it does, is there a way to ask clamav to scan just memory mapped files?

I'm not sure if this can easily be detected. I guess one could monitor mmap() calls via dtrace, but I'm just guessing!

-- 
Ralf Hildebrandt
Charité - Universitätsmedizin Berlin
Geschäftsbereich IT | Abteilung Netz | Netzwerk-Administration
Invalidenstraße 120/121 | D-10115 Berlin
Tel. +49 30 450 570 155
ralf.hildebra...@charite.de
https://www.charite.de
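The gap Ralf describes can be reproduced without root, and it also suggests the fallback a scan-list feeder needs. The following is an added example, not code from the thread, from ClamAV or from clamonacc: it watches a scratch file with inotify (which needs no privileges and, as the thread notes, has the same documented blind spot as fanotify), modifies the file once through an mmap()+msync() write and once through an ordinary write(), and counts the IN_MODIFY events each path produces. Alongside the watch it keeps a content hash of the file, which is the kind of baseline a feeder program can reconcile against to pick up changes the notification API never reported. The scratch path under /tmp, the FNV-1a hash and the `run_demo` function are all constructed for this example; it is Linux-only.

```c
/* Added example (not from the thread, ClamAV or clamonacc): shows that an
 * inotify/fanotify-fed scan list misses mmap() writes, and that a content
 * hash comparison still notices them. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/mman.h>
#include <unistd.h>

#define FILE_SIZE 4096

struct demo_result {
    int ok;           /* 1 if the whole sequence ran without syscall errors */
    int mmap_events;  /* IN_MODIFY events seen after an mmap()+msync() write */
    int write_events; /* IN_MODIFY events seen after an ordinary write() */
    int hash_changed; /* 1 if the content hash noticed the mmap() write */
};

/* FNV-1a over the whole file: a cheap baseline a scan-list feeder can keep
 * to reconcile what the notification API did not report. */
static uint64_t hash_file(int fd)
{
    uint64_t h = 1469598103934665603ULL;
    unsigned char buf[1024];
    off_t off = 0;
    ssize_t n;
    while ((n = pread(fd, buf, sizeof buf, off)) > 0) {
        for (ssize_t i = 0; i < n; i++) {
            h ^= buf[i];
            h *= 1099511628211ULL;
        }
        off += n;
    }
    return h;
}

/* Drain every pending event from the non-blocking inotify fd, count IN_MODIFY. */
static int drain_modify_events(int ifd)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int count = 0;
    ssize_t len;
    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len;) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & IN_MODIFY)
                count++;
            p += sizeof *ev + ev->len;
        }
    }
    return count;
}

struct demo_result run_demo(void)
{
    struct demo_result r = {0, 0, 0, 0};
    char path[] = "/tmp/mmap-watch-XXXXXX"; /* constructed scratch file */
    char initial[FILE_SIZE];
    int fd, ifd = -1;
    char *map;

    fd = mkstemp(path);
    if (fd < 0)
        return r;
    memset(initial, 'A', sizeof initial);
    /* Set the file up before watching so setup traffic is not counted. */
    if (write(fd, initial, sizeof initial) == FILE_SIZE &&
        (ifd = inotify_init1(IN_NONBLOCK)) >= 0 &&
        inotify_add_watch(ifd, path, IN_MODIFY) >= 0) {
        uint64_t baseline;
        drain_modify_events(ifd);
        baseline = hash_file(fd);

        /* Phase 1: modify through a shared mapping, flush, unmap. */
        map = mmap(NULL, FILE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        if (map != MAP_FAILED) {
            memcpy(map, "MMAP-WRITTEN", 12);
            msync(map, FILE_SIZE, MS_SYNC);
            munmap(map, FILE_SIZE);
            r.mmap_events = drain_modify_events(ifd);
            r.hash_changed = (hash_file(fd) != baseline);

            /* Phase 2: the same region changed via write(), which is reported. */
            if (pwrite(fd, "WRITE-WRITTEN", 13, 0) == 13) {
                r.write_events = drain_modify_events(ifd);
                r.ok = 1;
            }
        }
    }
    if (ifd >= 0)
        close(ifd);
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    if (!r.ok) {
        perror("run_demo");
        return 1;
    }
    printf("mmap()+msync() write: %d IN_MODIFY event(s), hash changed: %s\n",
           r.mmap_events, r.hash_changed ? "yes" : "no");
    printf("write():              %d IN_MODIFY event(s)\n", r.write_events);
    return 0;
}
```

On current kernels the first line reports 0 events while the hash still changes, and the second line reports at least one event: a feeder that only forwards notified paths to clamscan/clamdscan therefore needs a periodic reconciliation pass (hash or mtime comparison, or simply a scheduled full scan) to cover writes made through mappings.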