@@ -84,7 +84,14 @@ static int onas_fan_scanfile(int fan_fd, const char *fname, struct fanotify_even

 	else

 	    logg("ScanOnAccess: %s: %s FOUND\n", fname, virname);

 	virusaction(fname, virname, tharg->opts);

-	res.response = FAN_DENY;

+

+	if(!optget(tharg->opts, "OnAccessPreventRead")->enabled && fmd->mask & FAN_ACCESS_PERM) {

+		res.response = FAN_ALLOW;

+	} else if(!optget(tharg->opts, "OnAccessPreventOpen")->enabled && fmd->mask & FAN_OPEN_PERM) {

+		res.response = FAN_ALLOW;

+	} else {

+		res.response = FAN_DENY;

+	}

     }

     if(fmd->mask & FAN_ALL_PERM_EVENTS) {

@@ -144,6 +151,22 @@ void *onas_fan_th(void *arg)

 	return NULL;

     }

+    if (optget(tharg->opts, "OnAccessPreventRead")->enabled) {

+	    logg("ScanOnAccess: preventing read attempts on malicious files.\n");

+	    fan_mask |= FAN_ACCESS_PERM;

+    } else {

+	    logg("ScanOnAccess: notifying for read attempts.\n");

+	    fan_mask |= FAN_ACCESS;

+    }

+

+    if (optget(tharg->opts, "OnAccessPreventOpen")->enabled) {

+	    logg("ScanOnAccess: preventing open attempts on malicious files.\n");

+	    fan_mask |= FAN_OPEN_PERM; 

+    } else {

+	    logg("ScanOnAccess: notifying for open attempts.\n");

+	    fan_mask |= FAN_OPEN; 

+    }

+

     if (!optget(tharg->opts, "OnAccessDisableDDD")->enabled) {

 	    do {

 		    if(pthread_attr_init(&ddd_attr)) break;

@@ -584,6 +584,17 @@ Example

 # Default: no

 #OnAccessDisableDDD yes

+# Modifies fanotify blocking behaviour when handling read permission events.

+# If turned on, fanotify will prevent any read attempt if the file is a virus.

+# (On-access scan only)

+# Default: yes

+#OnAccessPreventRead no

+

+# Modifies fanotify blocking behaviour when handling open permission events.

+# If turned on, fanotify will prevent any open attempt if the file is a virus.

+# (On-access scan only)

+# Default: yes

+#OnAccessPreventOpen no

 ##

 ## Bytecode

@@ -394,7 +394,7 @@ const struct clam_option __clam_options[] = {

     { "OnAccessIncludePath", "on-access-include", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option specifies a directory (including all files and directories\ninside it), which should be scanned on access. This option can\nbe used multiple times.", "/home\n/students" },

-    { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times.", "/home/bofh\n/root" },

+    { "OnAccessExcludePath", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "This option allows excluding directories from on-access scanning. It can\nbe used multiple times. Only works with DDD system.", "/home/bofh\n/root" },

     { "OnAccessExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD, "With this option you can whitelist specific UIDs. Processes with these UIDs\nwill be able to access all files.\nThis option can be used multiple times (one per line).", "0" },

@@ -402,6 +402,10 @@ const struct clam_option __clam_options[] = {

     { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only)", "no" },

+    { "OnAccessPreventRead", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies is fanotify will prevent read attempts on malicious files (Linux only)", "yes" },

+

+    { "OnAccessPreventOpen", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies if fanotify will prevent open attempts for malicious files (Linux only)", "yes" },

+

     /* FIXME: mark these as private and don't output into clamd.conf/man */

     { "DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },