I'm implementing an anti-virus solution for Linux with the ClamAV daemon running in On-Access mode, watching created/opened files for malicious content on the host system AND in Docker containers running on the host. The limitations I've found so far:
- fanotify doesn't work for files inside containers (by design)
- fanotify works per mount point (per filesystem)
- fanotify doesn't allow implementing `OnAccessPrevention` using the `OnAccessMountPath` directive in the ClamAV config; inotify allows implementing `OnAccessPrevention`
- inotify will not allow watching `/`, and ClamAV will exit with an error:
    clamd: ERROR: ScanOnAccess: Not including path '/' while DDD is enabled
    clamd: ERROR: ScanOnAccess: Please use the OnAccessMountPath option to watch '/'
  To use `OnAccessPrevention`, you'll need to use `OnAccessIncludePath` (inotify) instead of `OnAccessMountPath` (fanotify).
- the full signature database is huge and must be loaded into memory (850Mb)
- scanning for Windows signatures on a Linux box doesn't make any sense (I'm not scanning email)
So far, I've ended up running two ClamAV daemons as described in this SO answer: one for `/var/lib/docker` in inotify mode (the `OnAccessIncludePath` directive in the config) and another for `/` in fanotify mode (the `OnAccessMountPath` directive in the config).
Can I run only one daemon for the entire host, which will do the scanning and will print notifications when a malicious file is found?
References:
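The two-daemon split described in the question, written out as two `clamd.conf` fragments. This is an added example, not configuration from the question or the linked answer; the directive names are ClamAV's own, but the socket/log paths, the `OnAccessMaxFileSize` value and the excluded user name are assumptions.

```ini
# --- /etc/clamav/clamd-docker.conf (assumed path) ---
# inotify watcher for container filesystems: OnAccessIncludePath + DDD is the
# only combination that supports OnAccessPrevention (blocking the open).
LocalSocket /run/clamav/clamd-docker.ctl   # assumed; each daemon needs its own socket
LogFile /var/log/clamav/clamd-docker.log   # assumed
ScanOnAccess yes
OnAccessIncludePath /var/lib/docker
OnAccessPrevention yes
# Do not scan the daemon's own file accesses (avoids self-triggering loops).
OnAccessExcludeUname clamav                # assumed account name
OnAccessMaxFileSize 10M                    # assumed limit; large layers are skipped

# --- /etc/clamav/clamd-host.conf (assumed path) ---
# fanotify watcher for the root filesystem: OnAccessMountPath covers '/', which
# inotify refuses, but fanotify mode here cannot block the access, so this
# daemon only logs/notifies.
LocalSocket /run/clamav/clamd-host.ctl     # assumed
LogFile /var/log/clamav/clamd-host.log     # assumed
ScanOnAccess yes
OnAccessMountPath /
OnAccessPrevention no
OnAccessExcludeUname clamav                # assumed account name
OnAccessMaxFileSize 10M                    # assumed limit
```

Each fragment is started as a separate `clamd` process pointed at its own config file, and both load the full signature database independently, which is why the memory cost in the question doubles.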