Support On Write Close for ClamAV

davetha · Jan 24, 2019 · 432e63d · 432e63d
1 parent 2b4d381
commit 432e63d
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/clamd/onaccess_fan.c b/clamd/onaccess_fan.c
@@ -154,6 +154,9 @@ void *onas_fan_th(void *arg)
     if (optget(tharg->opts, "OnAccessPrevention")->enabled && !optget(tharg->opts, "OnAccessMountPath")->enabled) {
         logg("ScanOnAccess: preventing access attempts on malicious files.\n");
         fan_mask |= FAN_ACCESS_PERM | FAN_OPEN_PERM;
+    } else if ( optget(tharg->opts, "OnWriteClose")->enabled ) {
+	   logg("OnWriteClose: notifying only upon close of a writable file\n");
+           fan_mask = FAN_CLOSE_WRITE;
     } else {
         logg("ScanOnAccess: notifying only for access attempts.\n");
         fan_mask |= FAN_ACCESS | FAN_OPEN;

diff --git a/shared/optparser.c b/shared/optparser.c
@@ -420,6 +420,8 @@ const struct clam_option __clam_options[] = {
 
     {"OnAccessExtraScanning", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Enables extra scanning and notification after catching certain inotify events. Only works with the DDD system enabled.", "yes"},
 
+    {"OnWriteClose", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "This option changes the behavior of fanotify ScanOnAccess to only scan when a file opened for writing is closed. Good for environments with a very large read/write ratio.", "yes" },
+
     /* FIXME: mark these as private and don't output into clamd.conf/man */
     {"DevACOnly", "dev-ac-only", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, FLAG_HIDDEN, OPT_CLAMD | OPT_CLAMSCAN, "", ""},