Thread: clamd ScanOnAccess no longer working

  1. #1

    clamd ScanOnAccess no longer working

    Hi,

    I've previously had ScanOnAccess working for clamd (0.99.2) on LEAP 42.1. However I recently noticed that ScanOnAccess stopped working. When I look in the logs for clamd I can see:

    ScanOnAccess: Max file size limited to 10485760 bytes
    ScanOnAccess: Protecting directory '/home/justin' (and all sub-directories)
    ERROR: ScanOnAccess: Could not watch path '/home/justin', Success

    I'm running it as root (rather than vscan). I've checked the kernel supports FANOTIFY. ScanOnAccess still works for a volume e.g.

    OnAccessMountPath /home

    but on a specific path does not e.g.

    OnAccessIncludePath /home/justin

    I would prefer to use a specific path because then I can get OnAccessPrevention to work, which it did at one time using (I believe) the same versions. Obviously there have been kernel updates (could it be that FANOTIFY has changed?).

    Anyone else coming across this?

    Justin
    Last edited by malcolmlewis; 18-May-2017 at 08:22. Reason: Update prefix as 42.1 is EOL

  2. #2

    Re: clamd ScanOnAccess no longer working

    Hi,

    I've got a little further. It seems to be the presence of sockets (as files) that is causing the issue. The problem is in clamd itself and not inotify or fanotify though. It wants to watch them(?) but isn't storing any information about them, and then gets confused. Know how it feels.

    Good to see the authors of clamd have not burdened other developers with their preconceptions of the software's operation by including any comments :-)

    Interesting...

    Justin

  3. #3

    Re: clamd ScanOnAccess no longer working

    Hi,

    I understand what the problem is now. clamd uses fts_children to examine the contents of directories to set up lists of files to watch. It examines the 'fts_info' field on 'FTSENT' to detect the directories. It does this assuming that it's a bitmask (e.g. 0x1, 0x2, 0x4, 0x8) but in fact they're just separate integer values. So therefore it sees sockets (FTSENT.fts_info == FT_DEFAULT /* 3 */;) as directories (FTSENT.fts_info == FT_D /* 1 */;) and gets confused later on.

    I swear I had this working at one point. Though I'm getting quite old now. Remembering to leave enough time to make it to the toilet is challenge enough.

    The workaround I've come up with is to exclude the '.config' directory as this contains all the sockets (for me) e.g.

    OnAccessExcludePath /home/justin/.config

    in '/etc/clamd.conf'.

    I intend to contact the authors of clamd and bring this to their attention.

    Regards,

    J.
    Last edited by justinware; 17-May-2017 at 01:24. Reason: smegging smileys for irritating young people (i.e. all of them)
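
The mix-up described in post #3, as an added example that is not part of the original thread and is not clamd's code: it walks a constructed temporary tree with `fts_read` and compares a bitmask test on `fts_info` against an equality test. It uses the glibc `<fts.h>` constant names `FTS_D` (1) and `FTS_DEFAULT` (3); the function names and the `/tmp/ftsdemoXXXXXX` tree are made up for the demonstration.

```c
#define _DEFAULT_SOURCE /* for mkdtemp() and <fts.h> under strict -std= modes */
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Check as the post describes it: fts_info treated as a bitmask.
   FTS_DEFAULT (3) & FTS_D (1) is non-zero, so a socket passes. */
int is_dir_bitmask(int info) { return (info & FTS_D) != 0; }

/* fts_info holds exactly one FTS_* value, so compare for equality. */
int is_dir_equal(int info) { return info == FTS_D; }

/* Walk root; count entries that only the bitmask check calls a directory. */
int count_misclassified(char *root) {
    char *paths[] = { root, NULL };
    FTS *fts = fts_open(paths, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    FTSENT *e;
    int wrong = 0;
    if (!fts) return -1;
    while ((e = fts_read(fts)) != NULL)
        if (is_dir_bitmask(e->fts_info) && !is_dir_equal(e->fts_info)) {
            printf("not a directory: %s (fts_info=%d)\n", e->fts_path, e->fts_info);
            wrong++;
        }
    fts_close(fts);
    return wrong;
}

/* Constructed sample tree: one subdirectory and one Unix socket. */
int demo(void) {
    char root[] = "/tmp/ftsdemoXXXXXX", path[64];
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (!mkdtemp(root)) return -1;
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/sock", root);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) < 0) return -1;
    snprintf(path, sizeof path, "%s/sub", root);
    mkdir(path, 0700);
    int wrong = count_misclassified(root);
    close(s); unlink(sa.sun_path); rmdir(path); rmdir(root);
    return wrong;
}

int main(void) { printf("misclassified entries: %d\n", demo()); return 0; }
```

The same bitmask test also matches the other odd-valued `fts_info` codes, such as `FTS_DOT` (5) and `FTS_ERR` (7).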

  4. #4

    Re: clamd ScanOnAccess no longer working

    Just to conclude this thread. This is a known bug in clamd (bug 11602) and has been fixed in dev. Awaiting a future release.
