@@ -106,7 +106,7 @@ void *onas_fan_th(void *arg)

 	short int scan;

 	int sizelimit = 0, extinfo;

 	STATBUF sb;

-        uint64_t fan_mask = FAN_ACCESS_PERM | FAN_OPEN_PERM | FAN_EVENT_ON_CHILD;

+        uint64_t fan_mask = FAN_EVENT_ON_CHILD;

         fd_set rfds;

 	char buf[4096];

 	ssize_t bread;

@@ -145,26 +145,17 @@ void *onas_fan_th(void *arg)

 	return NULL;

     }

-    if (optget(tharg->opts, "OnAccessPreventRead")->enabled) {

-	    logg("ScanOnAccess: preventing read attempts on malicious files.\n");

-	    fan_mask |= FAN_ACCESS_PERM;

+    if (!optget(tharg->opts, "OnAccessNotifyOnly")->enabled && !optget(tharg->opts, "OnAccessMountPath")->enabled) {

+	    logg("ScanOnAccess: preventing access attempts on malicious files.\n");

+	    fan_mask |= FAN_ACCESS_PERM | FAN_OPEN_PERM;

     } else {

-	    logg("ScanOnAccess: notifying for read attempts.\n");

-	    fan_mask |= FAN_ACCESS;

-    }

-

-    if (optget(tharg->opts, "OnAccessPreventOpen")->enabled) {

-	    logg("ScanOnAccess: preventing open attempts on malicious files.\n");

-	    fan_mask |= FAN_OPEN_PERM; 

-    } else {

-	    logg("ScanOnAccess: notifying for open attempts.\n");

-	    fan_mask |= FAN_OPEN; 

+	    logg("ScanOnAccess: notifying only for access attempts.\n");

+	    fan_mask |= FAN_ACCESS | FAN_OPEN;

     }

     if ((pt = optget(tharg->opts, "OnAccessMountPath"))->enabled) {

 	    while(pt) {

-		    if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,

-					    FAN_OPEN | FAN_ACCESS | FAN_EVENT_ON_CHILD, onas_fan_fd, pt->strarg) != 0) {

+		    if(fanotify_mark(onas_fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, fan_mask, onas_fan_fd, pt->strarg) != 0) {

 			    logg("!ScanOnAccess: Can't include mountpoint '%s'\n", pt->strarg);

 			    return NULL;

 		    } else

@@ -592,17 +592,12 @@ Example

 # Default: no

 #OnAccessDisableDDD yes

-# Modifies fanotify blocking behaviour when handling read permission events.

-# If turned on, fanotify will prevent any read attempt if the file is a virus.

+# Modifies fanotify blocking behaviour when handling permission events.

+# If turned on, fanotify will only notify if the file scanned is a virus,

+# and not perform any blocking.

 # (On-access scan only)

-# Default: yes

-#OnAccessPreventRead no

-

-# Modifies fanotify blocking behaviour when handling open permission events.

-# If turned on, fanotify will prevent any open attempt if the file is a virus.

-# (On-access scan only)

-# Default: yes

-#OnAccessPreventOpen no

+# Default: no

+#OnAccessNotifyOnly yes

 ##

 ## Bytecode

@@ -404,9 +404,7 @@ const struct clam_option __clam_options[] = {

     { "OnAccessDisableDDD", "disable-ddd", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option toggles the dynamic directory determination system for on-access scanning (Linux only).", "no" },

-    { "OnAccessPreventRead", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies is fanotify will prevent read attempts on malicious files (Linux only)", "yes" },

-

-    { "OnAccessPreventOpen", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD, "This option specifies if fanotify will prevent open attempts for malicious files (Linux only)", "yes" },

+    { "OnAccessNotifyOnly", "notify-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option changes fanotify behavior to not prevent access attempts on malicious files and simply notify the user instead (On Access scan only).", "no" },

     /* FIXME: mark these as private and don't output into clamd.conf/man */

     { "DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", "" },