clamd ScanOnAccess no longer working

Hi,

I’ve previously had ScanOnAccess working for clamd (0.99.2) on LEAP 42.1. However I recently noticed that ScanOnAccess stopped working. When I look in the logs for clamd I can see:

ScanOnAccess: Max file size limited to 10485760 bytes
ScanOnAccess: Protecting directory ‘/home/justin’ (and all sub-directories)
ERROR: ScanOnAccess: Could not watch path ‘/home/justin’, Success

I’m running it as root (rather than vscan). I’ve checked the kernel supports FANOTIFY. ScanOnAccess still works for a volume e.g.

OnAccessMountPath /home

but on a specific path does not e.g.

OnAccessIncludePath /home/justin

I would prefer to use a specific path because then I can get OnAccessPrevention to work, which it did at one time using (I believe) the same versions. Obviously there have been kernel updates (could it be that FANOTIFY has changed?).

Anyone else coming across this?

Justin

Hi,

I’ve got a little further. It seems to be the presence of sockets (as files) that is causing the issue. The problem is in clamd itself and not inotify or fanotify though. It wants to watch them(?) but isn’t storing any information about them, and then gets confused. Know how it feels.

Good to see the authors of clamd have not burdened other developers with their preconceptions of the software’s operation by including any comments :)

Interesting…

Justin

Hi,

I understand what the problem is now. clamd uses fts_children to examine the contents of directories to set up lists of files to watch. It examines the ‘fts_info’ field on ‘FTSENT’ to detect the directories. It does this assuming that it’s a bitmask (e.g. 0x1, 0x2, 0x4, 0x8) but in fact they’re just separate integer values. So therefore it sees sockets (FTSENT.fts_info == FT_DEFAULT /* 3 */) as directories (FTSENT.fts_info == FT_D /* 1 */) and gets confused later on.

I swear I had this working at one point. Though I’m getting quite old now. Remembering to leave enough time to make it to the toilet is challenge enough.

The workaround I’ve come up with is to exclude the ‘.config’ directory as this contains all the sockets (for me) e.g.

OnAccessExcludePath /home/justin/.config

in ‘/etc/clamd.conf’.

I intend to contact the authors of clamd and bring this to their attention.

Regards,

J.
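
The misclassification described in the post above, as an added C example (it is not clamd's code and not from the thread): it builds a constructed temporary tree containing one subdirectory and one bound UNIX socket, walks it with fts(3), and shows that testing fts_info with `& FTS_D` counts the socket (FTS_DEFAULT, value 3) as a directory while an equality test does not. It assumes glibc's fts(3), where the constants are named FTS_D and FTS_DEFAULT, and a writable /tmp.

```c
#define _DEFAULT_SOURCE
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Buggy: fts_info is an enumeration (FTS_D == 1, FTS_DEFAULT == 3, ...), not a
 * bitmask, so "& FTS_D" is also true for FTS_DEFAULT (sockets, FIFOs, ...). */
static int is_dir_bitmask(int fts_info) { return (fts_info & FTS_D) != 0; }
/* Correct: compare the value for equality. */
static int is_dir_equal(int fts_info) { return fts_info == FTS_D; }

/* Build a constructed tree from a mkdtemp() template: one subdirectory and one
 * bound UNIX socket, the combination that tripped clamd in the thread above. */
static int make_tree(char *tmpl) {
    char path[256];
    if (!mkdtemp(tmpl)) return -1;
    snprintf(path, sizeof path, "%s/sub", tmpl);
    if (mkdir(path, 0700) != 0) return -1;
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    snprintf(sa.sun_path, sizeof sa.sun_path, "%s/sock", tmpl);
    int s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) != 0) return -1;
    close(s);
    return 0;
}

/* Walk `root` with fts(3) and count the direct children that `test` calls a
 * directory; post-order FTS_DP visits of subdirectories are skipped. */
static int count_dirs(char *root, int (*test)(int)) {
    char *const paths[] = { root, NULL };
    FTS *fts = fts_open(paths, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    if (!fts) return -1;
    int n = 0;
    for (FTSENT *e; (e = fts_read(fts)) != NULL; )
        n += e->fts_level == 1 && e->fts_info != FTS_DP && test(e->fts_info);
    fts_close(fts);
    return n;
}

int main(void) {
    char dir[] = "/tmp/ftsdemoXXXXXX"; /* the tree is left behind for inspection */
    if (make_tree(dir) != 0) { perror("make_tree"); return 1; }
    printf("bitmask test: %d directories, equality test: %d\n",
           count_dirs(dir, is_dir_bitmask), count_dirs(dir, is_dir_equal));
    return 0;
}
```

The bitmask test reports 2 "directories" (the subdirectory and the socket); the equality test reports 1.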

Just to conclude this thread. This is a known bug in clamd (bug 11602) and has been fixed in dev. Awaiting a future release.