
Linux, is on-access scanning running?

Hi,

I have Sophos AV for Linux 9.6.1 installed on a Debian 6 based distribution, Univention UCS 3.2.

Because of this rarely known distribution (UCS), there is no automatic support for on-access scanning. To activate it, I would first have to compile the binaries for talpa, or I could just activate fanotify. I decided on fanotify even though it's in beta state, because the kernel version 3.10.x meets the prerequisites.

fanotify is now set as activated, set as preferred, and the service sav-protect has been restarted.

Syslog --> On-access scanning enabled using fanotify

savdstatus --> Sophos Anti-Virus is active and on-access scanning is running

Unfortunately it seems that on-access scanning doesn't work. When I copy the test virus file eicar.com, I can't find a virus warning in syslog or a warning sent by mail. When I do an on-demand scan, the virus warnings in syslog and by mail are shown.

What's wrong there?

Is it possible that fanotify isn't activated in the kernel without Sophos AV recognizing it?

Thanks,

Peter

  • Unfortunately the kernel has two configuration options for fanotify (notify only and permission events), and SAV 9.6.1 has a bug (DEF97135) where it doesn't correctly detect kernels configured with only notify fanotify and not permissions.

    Unfortunately Debian kernels use this configuration, so 9.6.1 will think fanotify is available and try to use it, but won't detect anything.

    You will need to use Talpa, which will require installing kernel headers and build tools so that a TBP can be built locally. You will also need to set PreferFanotify to false.

    SAV 9.7.0 should correctly detect the kernel doesn't support fanotify-based scanning and switch to Talpa.

  • Thank you for the information.

    After I installed the proper linux-headers, compiling talpa was successful. On-access scanning is working now. I've tested it with Eicar.

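The notify-only versus permission-events distinction from the Sophos reply can be checked directly on a host instead of trusting the product's own detection. The following is an added example, not code from this thread or from Sophos; it assumes that a Linux kernel built without CONFIG_FANOTIFY_ACCESS_PERMISSIONS rejects a FAN_OPEN_PERM mark in fanotify_mark() with EINVAL, and it must run as root because fanotify_init() requires CAP_SYS_ADMIN.

```c
/* Added probe (not Sophos code): does this kernel support fanotify permission
 * events, or only notification events? Assumes a notify-only kernel answers a
 * FAN_OPEN_PERM mark with EINVAL, which is what leaves SAV 9.6.1 silently blind. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

enum fan_support { PROBE_NO_PRIV, PROBE_UNAVAILABLE, PROBE_NOTIFY_ONLY, PROBE_PERM_OK };

/* Pure decision logic, kept separate so it can be exercised without root. */
enum fan_support classify_probe(int init_ok, int init_errno,
                                int mark_ok, int mark_errno)
{
    if (!init_ok)                 /* fanotify_init() failed */
        return init_errno == EPERM ? PROBE_NO_PRIV : PROBE_UNAVAILABLE;
    if (mark_ok)                  /* FAN_OPEN_PERM accepted: full support */
        return PROBE_PERM_OK;
    if (mark_errno == EINVAL)     /* permission mask rejected: notify-only */
        return PROBE_NOTIFY_ONLY;
    return PROBE_UNAVAILABLE;     /* any other failure */
}

/* Real probe: open a content-class group and try a permission mark on `dir`.
 * Directory opens are not reported without FAN_ONDIR, so the short-lived
 * mark on "/" blocks nobody; closing the fd removes the mark again. */
enum fan_support probe_fanotify_perm(const char *dir)
{
    int fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return classify_probe(0, errno, 0, 0);
    int rc = fanotify_mark(fd, FAN_MARK_ADD, FAN_OPEN_PERM, AT_FDCWD, dir);
    int mark_errno = errno;       /* only meaningful when rc != 0 */
    close(fd);
    return classify_probe(1, 0, rc == 0, mark_errno);
}

int main(void)
{
    static const char *verdict[] = {
        "fanotify_init refused: run as root",
        "fanotify unavailable on this kernel: use Talpa",
        "fanotify is notify-only: SAV 9.6.1 misdetects this, use Talpa with PreferFanotify=false",
        "fanotify permission events supported: fanotify-based on-access scanning can work",
    };
    enum fan_support r = probe_fanotify_perm("/");
    printf("%s\n", verdict[r]);
    return r == PROBE_PERM_OK ? 0 : 1;
}
```

A notify-only verdict is exactly the Debian kernel configuration the reply describes, in which case Talpa is the way forward.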