On-access Scanning

There is a special thread in clamd that performs on-access scanning under Linux and shares the internal virus database with the daemon. By default, this thread only notifies you when potential threats are discovered. If you turn on prevention via clamd.conf, you must follow some important rules when using it.

The default configuration uses inotify to recursively keep track of directories, one inotify watch per directory. If you need to protect more than 8192 directories, you will have to raise inotify's max_user_watches value.

This can be done temporarily with:
    $ sysctl fs.inotify.max_user_watches=<n>
where <n> is the desired new maximum.

To watch your entire filesystem add the following lines to clamd.conf:
	ScanOnAccess yes
	OnAccessMountPath /
Similarly, to protect your home directory add the following lines to clamd.conf:
	ScanOnAccess yes
	OnAccessIncludePath /home
	OnAccessExcludePath /home/user/temp/dir/of/your/mail/scanning/software
	OnAccessPrevention yes
For more configuration options, type 'man clamd.conf' or reference the example clamd.conf.
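As an added example (not part of ClamAV or this page), the following POSIX shell script counts the directories under a prospective OnAccessIncludePath, compares the count with the current fs.inotify.max_user_watches, and prints the sysctl command shown above when the limit is too low. The function names and the 25% headroom are this example's own assumptions.

```shell
#!/bin/sh
# Added example: does the inotify watch limit cover the directory tree that
# clamd would watch for a given OnAccessIncludePath? Helper names and the
# headroom rule are this example's own, not ClamAV's.

# Count the directories under the path; clamd needs one inotify watch per directory.
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# Read the live limit; fall back to the 8192 figure from the text when it is unreadable.
current_max_user_watches() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 8192
    fi
}

# Return 0 when the tree fits under the limit, 1 when it does not.
fits_under_limit() {
    [ "$1" -le "$2" ]
}

# Build the temporary sysctl command; assumption: leave 25% headroom above the count.
suggest_sysctl() {
    needed="$1"
    echo "sysctl fs.inotify.max_user_watches=$(( needed + needed / 4 ))"
}

# Report whether the given path can be watched with the current limit.
check_path() {
    path="$1"
    needed=$(count_watch_dirs "$path")
    limit=$(current_max_user_watches)
    if fits_under_limit "$needed" "$limit"; then
        echo "$path: $needed directories, fits under max_user_watches=$limit"
    else
        echo "$path: $needed directories exceed max_user_watches=$limit"
        echo "raise it temporarily with: $(suggest_sysctl "$needed")"
    fi
}

# Usage: sh check_watches.sh /home
if [ $# -gt 0 ]; then
    check_path "$1"
fi
```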

Cisco 2018-03-28