The Requirement: My project requires strict prevention of malicious
files entering the monitored directory.  Specifically, I need
clamonacc to block the copy operation itself or immediately
quarantine/remove the file upon the close_write event, rather than
waiting for a subsequent read/open access to trigger the scan.

Does this config option
    OnAccessExtraScanning BOOL
       Toggles extra scanning and notifications when a file or directory
       is created or moved.
       Requires the DDD system to kick-off extra scans.
       Default: no
help ?

------------------

More generally, I can understand your desire.

However, what happens if a file is placed in the monitored directory
and *then* the database is updated to recognise that file as malware ?
You now have a bad file in the directory, so you need to rescan it
when you read/open it even if it was scanned when it was written.

Have you considered putting *incoming* files into a quarantine directory,
scanning them and then 'mv'ing them into the special safe directory ?

[ There are also practical problems with scanning a file as it is written.
  To be sure that the file does not have harmful content, you would need
  to scan it for *every* file system write command - even for EICAR
  if you write every character separately, it is not going to trigger
  until (nearly?) every character has been written.
  Is it safe to wait until the file is closed to scan it ?
  If so a system crash could leave the malware accessible on reboot.
  If not, scanning during/after every write system call would be very
  slow, if feasible.                                                  ]

- Question: Is there a specific configuration in clamd.conf (such
as specific OnAccess settings) that I might be missing to enforce
blocking during the write/copy phase?


--
Andrew C. Aitchison                      Kendal, UK
                   [email protected]
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
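
The staging approach suggested in the reply above (scan incoming files, then 'mv' them into the safe directory), written out as an added example that is not part of the original message or of ClamAV. The directory paths, the WORK and REJECTED directories and the function names are assumptions, as is the premise that uploaders have finished writing a file before it appears in the incoming directory.

```shell
#!/bin/sh
# Added example: staged intake (scan first, then mv into the trusted directory).
# All paths and function names are assumptions; the four directories must sit
# on one filesystem so that each mv is an atomic rename.
INCOMING=${INCOMING:-/srv/intake/incoming}   # uploaders write here
WORK=${WORK:-/srv/intake/work}               # writable by the scanning user only
SAFE=${SAFE:-/srv/intake/safe}               # the directory readers trust
REJECTED=${REJECTED:-/srv/intake/rejected}   # detections end up here
# clamdscan exits 0 = clean, 1 = virus found, 2 = error.
SCANNER=${SCANNER:-clamdscan --no-summary --fdpass}

# release_file PATH -> 0 released to SAFE, 1 infected, 2 not released (error)
release_file() {
    src=$1
    [ -f "$src" ] && [ ! -L "$src" ] || return 2    # regular files only
    held=$WORK/$(basename "$src")
    # Claim the file first so it cannot be swapped by name during the scan.
    mv -- "$src" "$held" || return 2
    rc=0
    $SCANNER "$held" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) mv -- "$held" "$SAFE/" || return 2 ;;
        1) mv -- "$held" "$REJECTED/"; return 1 ;;
        *) return 2 ;;   # scanner error: file stays in WORK, never reaches SAFE
    esac
}

# scan_incoming -> 0 if every file was released, 1 otherwise
scan_incoming() {
    failed=0
    for f in "$INCOMING"/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not match
        release_file "$f" || failed=1
    done
    return "$failed"
}

# Run from cron or a directory watcher as: intake.sh --run
if [ "${1:-}" = "--run" ]; then scan_incoming; fi
```

Files already released to the safe directory still need rescanning after a signature database update, which is the point the reply makes about scan-on-write alone.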
