⚝
One Hat Cyber Team
⚝
Your IP:
216.73.216.93
Server IP:
65.108.141.171
Server:
Linux server.heloix.com 5.4.0-214-generic #234-Ubuntu SMP Fri Mar 14 23:50:27 UTC 2025 x86_64
Server Software:
Apache
PHP Version:
7.4.33
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
usr
/
share
/
doc
/
clamav-docs
/
html
/
manual
/
Edit File: OnAccess.html
<!DOCTYPE HTML> <html lang="en" class="clamav" dir="ltr"> <head> <!-- Book generated using mdBook --> <meta charset="UTF-8"> <title>On-Access Scanning - ClamAV Documentation</title> <!-- Custom HTML head --> <meta name="description" content="An open source malware detection toolkit and antivirus engine."> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="theme-color" content="#ffffff"> <link rel="shortcut icon" href="../favicon.png"> <link rel="stylesheet" href="../css/variables.css"> <link rel="stylesheet" href="../css/general.css"> <link rel="stylesheet" href="../css/chrome.css"> <link rel="stylesheet" href="../css/print.css" media="print"> <!-- Fonts --> <link rel="stylesheet" href="../FontAwesome/css/font-awesome.css"> <link rel="stylesheet" href="../fonts/fonts.css"> <!-- Highlight.js Stylesheets --> <link rel="stylesheet" href="../highlight.css"> <link rel="stylesheet" href="../tomorrow-night.css"> <link rel="stylesheet" href="../ayu-highlight.css"> <!-- Custom theme stylesheets --> <!-- MathJax --> <script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML"></script> </head> <body class="sidebar-visible no-js"> <div id="body-container"> <!-- Provide site root to javascript --> <script> var path_to_root = "../"; var default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? "clamav" : "clamav"; </script> <!-- Work around some values being stored in localStorage wrapped in quotes --> <script> try { var theme = localStorage.getItem('mdbook-theme'); var sidebar = localStorage.getItem('mdbook-sidebar'); if (theme.startsWith('"') && theme.endsWith('"')) { localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1)); } if (sidebar.startsWith('"') && sidebar.endsWith('"')) { localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1)); } } catch (e) { } </script> <!-- Set the theme before any content is loaded, prevents flash --> <script> var theme; try { theme = localStorage.getItem('mdbook-theme'); } catch (e) { } if (theme === null || theme === undefined) { theme = default_theme; } var html = document.querySelector('html'); html.classList.remove('clamav') html.classList.add(theme); var body = document.querySelector('body'); body.classList.remove('no-js') body.classList.add('js'); </script> <input type="checkbox" id="sidebar-toggle-anchor" class="hidden"> <!-- Hide / unhide sidebar before it is displayed --> <script> var body = document.querySelector('body'); var sidebar = null; var sidebar_toggle = document.getElementById("sidebar-toggle-anchor"); if (document.body.clientWidth >= 1080) { try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch (e) { } sidebar = sidebar || 'visible'; } else { sidebar = 'hidden'; } sidebar_toggle.checked = sidebar === 'visible'; body.classList.remove('sidebar-visible'); body.classList.add("sidebar-" + sidebar); </script> <nav id="sidebar" class="sidebar" aria-label="Table of contents"> <div class="sidebar-scrollbox"> <ol class="chapter"><li class="chapter-item expanded "><a href="../Introduction.html"><strong aria-hidden="true">1.</strong> Introduction</a></li><li class="chapter-item expanded "><a href="../manual/Installing.html"><strong aria-hidden="true">2.</strong> Installing</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/Installing/Packages.html"><strong aria-hidden="true">2.1.</strong> Packages</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Docker.html"><strong aria-hidden="true">2.2.</strong> Docker</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Installing-from-source-Unix.html"><strong aria-hidden="true">2.3.</strong> Unix from source (v0.104+)</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Installing-from-source-Unix-old.html"><strong aria-hidden="true">2.4.</strong> Unix from source (v0.103-)</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Installing-from-source-Windows.html"><strong aria-hidden="true">2.5.</strong> Windows from source</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Community-projects.html"><strong aria-hidden="true">2.6.</strong> Community Projects</a></li><li class="chapter-item expanded "><a href="../manual/Installing/Add-clamav-user.html"><strong aria-hidden="true">2.7.</strong> Add a service user account</a></li></ol></li><li class="chapter-item expanded "><a href="../manual/Usage.html"><strong aria-hidden="true">3.</strong> Usage</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/Usage/Configuration.html"><strong aria-hidden="true">3.1.</strong> Configuration</a></li><li class="chapter-item expanded "><a href="../manual/Usage/SignatureManagement.html"><strong aria-hidden="true">3.2.</strong> Updating Signature Databases</a></li><li class="chapter-item expanded "><a href="../manual/Usage/Scanning.html"><strong aria-hidden="true">3.3.</strong> Scanning</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/OnAccess.html" class="active"><strong aria-hidden="true">3.3.1.</strong> On-Access Scanning</a></li></ol></li><li class="chapter-item expanded "><a href="../manual/Usage/Services.html"><strong aria-hidden="true">3.4.</strong> Running ClamAV Services</a></li><li class="chapter-item expanded "><a href="../manual/Usage/ReportABug.html"><strong aria-hidden="true">3.5.</strong> Report a Bug</a></li></ol></li><li class="chapter-item expanded "><a href="../manual/Signatures.html"><strong aria-hidden="true">4.</strong> Signatures</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/Signatures/DatabaseInfo.html"><strong aria-hidden="true">4.1.</strong> CVD Info File</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/DynamicConfig.html"><strong aria-hidden="true">4.2.</strong> Dynamic Configuration Settings</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/AuthenticodeRules.html"><strong aria-hidden="true">4.3.</strong> Trusted and Revoked EXE Certificates</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/FileTypeMagic.html"><strong aria-hidden="true">4.4.</strong> File Type Recognition</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/AllowLists.html"><strong aria-hidden="true">4.5.</strong> Allow Lists</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/HashSignatures.html"><strong aria-hidden="true">4.6.</strong> Hash-based Signatures</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/BodySignatureFormat.html"><strong aria-hidden="true">4.7.</strong> Content-based Signature Format</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/Signatures/LogicalSignatures.html"><strong aria-hidden="true">4.7.1.</strong> Logical Signatures</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/ExtendedSignatures.html"><strong aria-hidden="true">4.7.2.</strong> Extended Signatures</a></li></ol></li><li class="chapter-item expanded "><a href="../manual/Signatures/YaraRules.html"><strong aria-hidden="true">4.8.</strong> YARA Rules</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/PhishSigs.html"><strong aria-hidden="true">4.9.</strong> Phishing Signatures</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/BytecodeSignatures.html"><strong aria-hidden="true">4.10.</strong> Bytecode Signatures</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/ContainerMetadata.html"><strong aria-hidden="true">4.11.</strong> Container Metadata Signatures</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/EncryptedArchives.html"><strong aria-hidden="true">4.12.</strong> Archive Passwords (experimental)</a></li><li class="chapter-item expanded "><a href="../manual/Signatures/SignatureNames.html"><strong aria-hidden="true">4.13.</strong> Signature Names</a></li></ol></li><li class="chapter-item expanded "><a href="../manual/Development.html"><strong aria-hidden="true">5.</strong> For Developers</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../manual/Development/github-pr-basics.html"><strong aria-hidden="true">5.1.</strong> Pull Request Basics</a></li><li class="chapter-item expanded "><a href="../manual/Development/clamav-git-work-flow.html"><strong aria-hidden="true">5.2.</strong> ClamAV Git Work Flow</a></li><li class="chapter-item expanded "><a href="../manual/Development/personal-forks.html"><strong aria-hidden="true">5.3.</strong> Working with Your Fork</a></li><li class="chapter-item expanded "><a href="../manual/Development/testing-pull-requests.html"><strong aria-hidden="true">5.4.</strong> Reviewing Pull Requests</a></li><li class="chapter-item expanded "><a href="../manual/Development/development-builds.html"><strong aria-hidden="true">5.5.</strong> Building for Development</a></li><li class="chapter-item expanded "><a href="../manual/Development/build-installer-packages.html"><strong aria-hidden="true">5.6.</strong> Building the Installer Packages</a></li><li class="chapter-item expanded "><a href="../manual/Development/tips-and-tricks.html"><strong aria-hidden="true">5.7.</strong> Dev Tips & Tricks</a></li><li class="chapter-item expanded "><a href="../manual/Development/performance-profiling.html"><strong aria-hidden="true">5.8.</strong> Performance Profiling</a></li><li class="chapter-item expanded "><a href="../manual/Development/code-coverage.html"><strong aria-hidden="true">5.9.</strong> Computing Code Coverage</a></li><li class="chapter-item expanded "><a href="../manual/Development/fuzzing-sanitizers.html"><strong aria-hidden="true">5.10.</strong> Fuzzing Sanitizers</a></li><li class="chapter-item expanded "><a href="../manual/Development/libclamav.html"><strong aria-hidden="true">5.11.</strong> libclamav</a></li><li class="chapter-item expanded "><a href="../manual/Development/Contribute.html"><strong aria-hidden="true">5.12.</strong> Contribute</a></li></ol></li><li class="chapter-item expanded "><a href="../faq/faq.html"><strong aria-hidden="true">6.</strong> Frequently Asked Questions</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../faq/faq-whichversion.html"><strong aria-hidden="true">6.1.</strong> Selecting the Right Version of ClamAV for You</a></li><li class="chapter-item expanded "><a href="../faq/faq-freshclam.html"><strong aria-hidden="true">6.2.</strong> FreshClam (Signature Updater)</a></li><li class="chapter-item expanded "><a href="../faq/faq-cvd.html"><strong aria-hidden="true">6.3.</strong> Signature Database (CVD)</a></li><li class="chapter-item expanded "><a href="../faq/faq-malware-fp-reports.html"><strong aria-hidden="true">6.4.</strong> Malware and False Positive Report</a></li><li class="chapter-item expanded "><a href="../faq/faq-misc.html"><strong aria-hidden="true">6.5.</strong> Misc</a></li><li class="chapter-item expanded "><a href="../faq/faq-ml.html"><strong aria-hidden="true">6.6.</strong> Mailing Lists</a></li><li class="chapter-item expanded "><a href="../faq/faq-safebrowsing.html"><strong aria-hidden="true">6.7.</strong> Safe Browsing</a></li><li class="chapter-item expanded "><a href="../faq/faq-troubleshoot.html"><strong aria-hidden="true">6.8.</strong> Troubleshooting</a></li><li class="chapter-item expanded "><a href="../faq/faq-scan-alerts.html"><strong aria-hidden="true">6.9.</strong> Interpreting Scan Alerts</a></li><li class="chapter-item expanded "><a href="../faq/faq-upgrade.html"><strong aria-hidden="true">6.10.</strong> Upgrading</a></li><li class="chapter-item expanded "><a href="../faq/faq-rust.html"><strong aria-hidden="true">6.11.</strong> Rust</a></li><li class="chapter-item expanded "><a href="../faq/faq-win32.html"><strong aria-hidden="true">6.12.</strong> Win32</a></li><li class="chapter-item expanded "><a href="../faq/faq-pua.html"><strong aria-hidden="true">6.13.</strong> PUA (Potentially Unwanted Application)</a></li><li class="chapter-item expanded "><a href="../faq/faq-ignore.html"><strong aria-hidden="true">6.14.</strong> Ignore</a></li><li class="chapter-item expanded "><a href="../faq/faq-uninstall.html"><strong aria-hidden="true">6.15.</strong> Uninstall</a></li><li class="chapter-item expanded "><a href="../faq/faq-eol.html"><strong aria-hidden="true">6.16.</strong> ClamAV EOL Policy</a></li></ol></li><li class="chapter-item expanded "><li class="spacer"></li><li class="chapter-item expanded "><a href="../community_resources/CommunityResources.html"><strong aria-hidden="true">7.</strong> Community Resources</a></li><li class="chapter-item expanded affix "><li class="spacer"></li><li class="chapter-item expanded "><a href="../appendix/Appendix.html"><strong aria-hidden="true">8.</strong> Appendix</a></li><li><ol class="section"><li class="chapter-item expanded "><a href="../appendix/Terminology.html"><strong aria-hidden="true">8.1.</strong> Terminology</a></li><li class="chapter-item expanded "><a href="../appendix/CvdPrivateMirror.html"><strong aria-hidden="true">8.2.</strong> Hosting a Private Database Mirror</a></li><li class="chapter-item expanded "><a href="../appendix/Authenticode.html"><strong aria-hidden="true">8.3.</strong> Microsoft Authenticode Signature Verification</a></li><li class="chapter-item expanded "><a href="../appendix/FileTypes.html"><strong aria-hidden="true">8.4.</strong> ClamAV File Types and Target Types</a></li><li class="chapter-item expanded "><a href="../appendix/FunctionalityLevels.html"><strong aria-hidden="true">8.5.</strong> ClamAV Versions and Functionality Levels</a></li></ol></li></ol> </div> <div id="sidebar-resize-handle" class="sidebar-resize-handle"></div> </nav> <!-- Track and set sidebar scroll position --> <script> var sidebarScrollbox = document.querySelector('#sidebar .sidebar-scrollbox'); sidebarScrollbox.addEventListener('click', function (e) { if (e.target.tagName === 'A') { sessionStorage.setItem('sidebar-scroll', sidebarScrollbox.scrollTop); } }, { passive: true }); var sidebarScrollTop = sessionStorage.getItem('sidebar-scroll'); sessionStorage.removeItem('sidebar-scroll'); if (sidebarScrollTop) { // preserve sidebar scroll position when navigating via links within sidebar sidebarScrollbox.scrollTop = sidebarScrollTop; } else { // scroll sidebar to current active section when navigating via "next/previous chapter" buttons var activeSection = document.querySelector('#sidebar .active'); if (activeSection) { activeSection.scrollIntoView({ block: 'center' }); } } </script> <div id="page-wrapper" class="page-wrapper"> <div class="page"> <div id="menu-bar-hover-placeholder"></div> <div id="menu-bar" class="menu-bar sticky"> <div class="left-buttons"> <label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar"> <i class="fa fa-bars"></i> </label> <button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list"> <i class="fa fa-paint-brush"></i> </button> <ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu"> <li role="none"><button role="menuitem" class="theme" id="clamav">Dark</button></li> <li role="none"><button role="menuitem" class="theme" id="clamav_light">Light</button></li> </ul> <button id="search-toggle" class="icon-button" type="button" title="Search. (Shortkey: s)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="S" aria-controls="searchbar"> <i class="fa fa-search"></i> </button> </div> <h1 class="menu-title">ClamAV Documentation</h1> <div class="right-buttons"> <a href="../print.html" title="Print this book" aria-label="Print this book"> <i id="print-button" class="fa fa-print"></i> </a> </div> </div> <div id="search-wrapper" class="hidden"> <form id="searchbar-outer" class="searchbar-outer"> <input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header"> </form> <div id="searchresults-outer" class="searchresults-outer hidden"> <div id="searchresults-header" class="searchresults-header"></div> <ul id="searchresults"> </ul> </div> </div> <!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM --> <script> document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible'); document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible'); Array.from(document.querySelectorAll('#sidebar a')).forEach(function (link) { link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1); }); </script> <div id="content" class="content"> <main> <h1 id="on-access-scanning"><a class="header" href="#on-access-scanning">On-Access Scanning</a></h1> <h2 id="purpose"><a class="header" href="#purpose">Purpose</a></h2> <p>This guide is for users interested in leveraging and understanding ClamAV's On-Access Scanning feature. It will walk through how to set up and use the On-Access Scanner and step through some common issues and their solutions.</p> <h2 id="requirements"><a class="header" href="#requirements">Requirements</a></h2> <p>On-Access is only available on Linux systems. On Linux, On-Access requires a <code>kernel version >= 3.8</code>. This is because it leverages a kernel api called <a href="http://man7.org/linux/man-pages/man7/fanotify.7.html">fanotify</a> to block processes from attempting to access malicious files. This prevention occurs in kernel-space, and thus offers stronger protection than a purely user-space solution.</p> <h4 id="for-versions--01020"><a class="header" href="#for-versions--01020">For Versions >= 0.102.0</a></h4> <p>It also requires <code>Curl version >= 7.45 </code> to ensure support for all curl options used by clamonacc. Users on Linux operating systems that package older versions of libcurl have a number of options:</p> <ol> <li>Wait for your package maintainer to provide a newer version of libcurl.</li> <li>Install a newer version of libcurl <a href="https://curl.haxx.se/download.html">from source</a>.</li> <li>Disable installation of <code>clamonacc</code> and On-Access Scanning capabilities with the <code>./configure</code> flag <code>--disable-clamonacc</code>.</li> </ol> <h2 id="general-use"><a class="header" href="#general-use">General Use</a></h2> <p>To use ClamAV's On-Access Scanner, operation will vary depending on version.</p> <h4 id="for-versions--01020-1"><a class="header" href="#for-versions--01020-1">For Versions >= 0.102.0</a></h4> <p>You will need to run the <code>clamd</code> and <code>clamonacc</code> applications side by side. First, you will need to configure and run <code>clamd</code>. For instructions on how to do that, see <a href="Usage/Configuration.html#clamdconf">the clamd configuration guide</a>. One important thing to note while configuring <code>clamd.conf</code> is that--like <code>clamdscan</code>--the <code>clamonacc</code> application will connect to <code>clamd</code> using the <code>clamd.conf</code> settings for either <code>LocalSocket</code> or <code>TCPAddr</code>/<code>TCPSocket</code>. Another important thing to note, is that when using a <code>clamd.conf</code> that specifies a <code>LocalSocket</code>, then <code>clamd</code> will need to be run under a user with the right permissions to scan the files you plan on including in your watch-path.</p> <p>Next, you will need to configure <code>clamonacc</code>. For a very simple configuration, follow these steps:</p> <pre><code>1. Open `clamd.conf` for editing 2. Specify the path(s) you would like to recursively watch by setting the `OnAccessIncludePath` option 3. Set `OnAccessPrevention` to `yes` 4. Check what username `clamd` is running under 5. Set `OnAccessExcludeUname` to `clamd`'s uname 6. Save your work and close `clamd.conf` </code></pre> <p>For slightly more nuanced configurations, which may be adapted to your use case better, please check out the <a href="#configuration-and-recipes">recipe guide below</a>.</p> <p>Then, run <code>clamonacc</code> with elevated permissions:</p> <pre><code class="language-bash">sudo clamonacc </code></pre> <p>If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with <code>OnAccessIncludePath</code>. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. <code>cat eicar.txt</code>). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level.</p> <p>Finally, you will have to restart both <code>clamd</code> and <code>clamonacc</code>. If default <code>clamonacc</code> performance is not to your liking, and your system has the resources available, we reccomend increasing the values for the following <code>clamd.conf</code> configuration options to increase performance:</p> <ul> <li><code>MaxQueue</code></li> <li><code>MaxThreads</code></li> <li><code>OnAccessMaxThreads</code></li> </ul> <h4 id="for-versions--0101x"><a class="header" href="#for-versions--0101x">For Versions <= 0.101.x</a></h4> <p>You will only need to run the <code>clamd</code> application in older versions. First, we reccomend you configure <code>clamd</code> for your environment. For instructions on how to do that, see <a href="Usage/Configuration.html#clamdconf">the clamd configuration guide</a>.</p> <p>Next, you will need to configure On Access Scanning using the <code>clamd.conf</code> file. For a very simple configuration follow these steps:</p> <pre><code>1. Open `clamd.conf` for editing 2. Set the `ScanOnAccess` option to `yes` 3. Specify the path(s) you would like to recursively watch by setting the `OnAccessIncludePath` option 4. Set `OnAccessPrevention` to `yes` 6. Save your work and close `clamd.conf` </code></pre> <p>For slightly more nuanced configurations, which may be adapted to your use case better, please check out the <a href="#configuration-and-recipes">recipe guide below</a>.</p> <p>Then, run <code>clamd</code> with elevated permissions:</p> <pre><code class="language-bash">sudo clamd </code></pre> <p>If all went well, the On-Access scanner will fork to the background, and will now be actively protecting the path(s) specified with <code>OnAccessIncludePath</code>. You can test this by dropping an eicar file into the specified path, and attempting to read/access it (e.g. <code>cat eicar.txt</code>). This will result in an "Operation not permitted" message, triggered by fanotify blocking the access attempt at the kernel level.</p> <h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2> <p>Some OS distributors have disabled fanotify, despite kernel support. You can check for fanotify support on your kernel by running the command:</p> <pre><code class="language-bash">cat /boot/config-<kernel_version> | grep FANOTIFY </code></pre> <p>You should see the following:</p> <pre><code class="language-bash">CONFIG_FANOTIFY=y CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y </code></pre> <p>If you see this...</p> <pre><code class="language-bash">CONFIG_FANOTIFY_ACCESS_PERMISSIONS is not set </code></pre> <p>... then ClamAV's On-Access Scanner will still function, scanning and alerting on files normally in real time. However, it will be unable to block access attempts on malicious files. We call this <code>notify-only</code> mode.</p> <p>ClamAV's On-Access Scanning system uses a scheme called Dynamic Directory Determination (DDD for short) which is a shorthand way of saying that it tracks the layout of every directory specified with <code>OnAccessIncludePath</code> dynamically, and recursively, in real time. It does this by leveraging <a href="http://man7.org/linux/man-pages/man7/inotify.7.html"><code>inotify</code></a> which by default has a limited number of watch-points available for use by a process at any given time. Given the complexity of some directory hierarchies, ClamAV may warn you that it has exhausted its supply of <code>inotify</code> watch-points (8192 by default). To increase the number of <code>inotify</code> watch-points available for use by ClamAV (to 524288), run the following command:</p> <pre><code class="language-bash">echo 524288 | sudo tee -a /proc/sys/fs/inotify/max_user_watches </code></pre> <p>The <code>OnAccessIncludePath</code> option will not accept <code>/</code> as a valid path. This is because fanotify works by blocking a process' access to a file until a access_ok or access_denied determination has been made by the original fanotify calling process. Thus, by placing fanotify watch-points on the entire filesystem, key system files may have their access blocked to key processes at the kernel level, which will result in a system lockup.</p> <p>This restriction was made to prevent users from "shooting themselves in the foot." However, clever users will find it's possible to circumvent this restriction by using multiple <code>OnAccessIncludePath</code> options to recursively protect most of the filesystem anyways, or better still, simply the paths they truly care about.</p> <p>The <code>OnAccessMountPath</code> option uses a different fanotify api configuration which makes it incompatible with <code>OnAccessIncludePath</code> and the DDD System. Therefore, <code>inotify</code> watch-point limitations will not be a concern when using this option. Unfortunately, this also means that the following options cannot be used in conjunction with <code>OnAccessMountPath</code>:</p> <ul> <li><code>OnAccessExtraScanning</code> - is built around catching <code>inotify</code> events.</li> <li><code>OnAccessExcludePath</code> - is built upon the DDD System.</li> <li><code>OnAccessPrevention</code> - would lock up the system if <code>/</code> was selected for <code>OnAccessMountPath</code>. If you need <code>OnAccessPrevention</code>, you should use <code>OnAccessIncludePath</code> instead of <code>OnAccessMountPath</code>.</li> </ul> <h2 id="configuration-and-recipes"><a class="header" href="#configuration-and-recipes">Configuration and Recipes</a></h2> <p>More nuanced behavior can be coerced from ClamAV's On-Access Scanner via careful modification to <code>clamd.conf</code>. Each option related to On-Access Scanning is easily identified by looking for the <code>OnAccess</code> prefix pre-pended to each option. The default <code>clamd.conf</code> file contains descriptions of each option, along with any documented limitations or safety features.</p> <p>Below are examples of common use cases, recipes for the correct minimal configuration, and the expected behavioral result.</p> <h3 id="use-case-0x0"><a class="header" href="#use-case-0x0">Use Case 0x0</a></h3> <ul> <li>User needs to watch the entire file system, but blocking malicious access attempts isn't a concern</li> </ul> <pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x OnAccessMountPath / OnAccessExcludeRootUID yes OnAccessExcludeUname clamav ## versions >= 0.102 </code></pre> <p>This configuration will put the On-Access Scanner into <code>notify-only</code> mode. It will also ensure only non-root, non-clam, user processes will trigger scans against the filesystem.</p> <h3 id="use-case-0x1"><a class="header" href="#use-case-0x1">Use Case 0x1</a></h3> <ul> <li>System Administrator needs to watch the home directory of multiple Users, but not all users. Blocking access attempts is un-needed.</li> </ul> <pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x OnAccessIncludePath /home OnAccessExcludePath /home/user2 OnAccessExcludePath /home/user4 OnAccessExcludeUname clamav ## versions >= 0.102 </code></pre> <p>With this configuration, the On-Access Scanner will watch the entirety of the <code>/home</code> directory recursively in <code>notify-only</code> mode. However, it will recursively exclude the <code>/home/user2</code> and <code>/home/user4</code> directories.</p> <h3 id="use-case-0x2"><a class="header" href="#use-case-0x2">Use Case 0x2</a></h3> <ul> <li>The user needs to protect a single directory non-recursively and ensure all access attempts on malicious files are blocked.</li> </ul> <pre><code class="language-bash"> ScanOnAccess yes ## versions <= 0.101.x OnAccessIncludePath /home/user/Downloads OnAccessExcludeUname clamav ## versions >= 0.102 OnAccessPrevention yes OnAccessDisableDDD yes </code></pre> <p>The configuration above will result in non-recursive real-time protection of the <code>/home/user/Downloads</code> directory by ClamAV's On-Access Scanner. Any access attempts that ClamAV detects on malicious files within the top level of the directory hierarchy will be blocked by fanotify at the kernel level.</p> <h2 id="command-line-options-for-versions--0102"><a class="header" href="#command-line-options-for-versions--0102">Command Line Options for Versions >= 0.102</a></h2> <p>Beyond <code>clamd.conf</code> configuration, you can change the behavior of the On-Access scanner by passing in a number of command line options. A list of all options can be retrieved with <code>--help</code>, but below is a list and explanation of some of options you might find most useful.</p> <ul> <li><code>--log=FILE</code> (<code>-l FILE</code>) - passing this option is important if you want a record of scan results, otherwise <code>clamonacc</code> will operate silently.</li> <li><code>--verbose</code> (<code>-v</code>) - primarily for debugging as this will increase the amount of noise in your log by quite a lot, but useful for troubleshooting potential connection problems</li> <li><code>--foreground</code> (<code>-F</code>) - forces <code>clamonacc</code> to not for the background, which is useful for debugging potential issues with during startup or runtime</li> <li><code>--include-list=FILE</code> (<code>-e FILE</code>) - allows users to pass a list of directories for clamonacc to watch, each directory must be a full path and separated by a newline</li> <li><code>--exclude-list=FILE</code> (<code>-e FILE</code>) - same as include-list option, but for excluding at startup</li> <li><code>--remove</code> - after an infected verdict, an attempt will be made to remove the infected file</li> <li><code>--move=DIRECTORY</code> - just like the remove option, but infected file will be moved to the specified quarantine location instead</li> <li><code>--copy=DIRECTORY</code> - just like the move, except infected file is also left in place</li> </ul> </main> <nav class="nav-wrapper" aria-label="Page navigation"> <!-- Mobile navigation buttons --> <a rel="prev" href="../manual/Usage/Scanning.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left"> <i class="fa fa-angle-left"></i> </a> <a rel="next prefetch" href="../manual/Usage/Services.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right"> <i class="fa fa-angle-right"></i> </a> <div style="clear: both"></div> </nav> </div> </div> <nav class="nav-wide-wrapper" aria-label="Page navigation"> <a rel="prev" href="../manual/Usage/Scanning.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left"> <i class="fa fa-angle-left"></i> </a> <a rel="next prefetch" href="../manual/Usage/Services.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right"> <i class="fa fa-angle-right"></i> </a> </nav> </div> <script> window.playground_line_numbers = true; </script> <script> window.playground_copyable = true; </script> <script src="../ace.js"></script> <script src="../editor.js"></script> <script src="../mode-rust.js"></script> <script src="../theme-dawn.js"></script> <script src="../theme-tomorrow_night.js"></script> <script src="../elasticlunr.min.js"></script> <script src="../mark.min.js"></script> <script src="../searcher.js"></script> <script src="../clipboard.min.js"></script> <script src="../highlight.js"></script> <script src="../book.js"></script> <!-- Custom JS scripts --> </div> </body> </html>
Simpan