SUSE Support

Here When You Need Us

OnAccess-Scan functionality of clamav - ERROR: ClamInotif: could not watch path

This document (000021125) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4

Situation

When in the process of implementing clamav in an on-access configuration, the scanner cannot access a specific directory and, the following error message is received:
  
# clamonacc --verbose --foreground
ClamClient: client setup for continuous scanning
Clamonacc: daemon is local
ClamFanotif: kernel-level blocking feature enabled ... preventing malicious files access attempts
ClamFanotif: max file size limited to 5242880 bytes
ClamScanQueue: initializing event queue consumer ... (2) threads in thread pool
Clamonacc: beginning event loops
ClamInotif: starting inotify event loop ...
ClamFanotif: starting fanotify event loop with process id (13672) ... 
ClamInotif: dynamically determining directory hierarchy...
ClamScanQueue: waiting to consume events ...
ClamInotif: watching '/EXAMPLE' (and all sub-directories)
Excluding temp directory: /tmp/clamav
ClamInotif: NVM, didn't actually need to exclude '/tmp/clamav'
ERROR: ClamInotif: could not watch path '/EXAMPLE', 3    <---- here

The /etc/clamd.conf configuration file looks similar to the following:
  
# /etc/clamd.conf
LogSyslog yes
LogFacility LOG_LOCAL6
PidFile /var/lib/clamav/clamd.pid
LocalSocket /var/lib/clamav/clamd-socket
User vscan
TemporaryDirectory /tmp/clamav 
OnAccessPrevention True        
OnAccessExcludeRootUID True
OnAccessExcludeUname vscan
MaxThreads 4
MaxQueue 8
OnAccessMaxThreads 2           
OnAccessIncludePath /EXAMPLE   <---- here

Resolution

In order to work around this issue, there are two possibilities:

1.    A more granular configuration can be specified for the directories to be watched or

2.    Mention the submounts first. For example, in the /etc/clamd.conf file, instead of:
  
OnAccessIncludePath /EXAMPLE

The following can be used:
  
OnAccessIncludePath /EXAMPLE/submount1
OnAccessIncludePath /EXAMPLE

Cause

According to the official On-Access Scanning documentation, it is not possible to monitor the entire system (/). The OnAccessIncludePath option will not accept / as a valid path, for example.

As also mentioned in this bug, it seems to be a small issue in how the watches are set up.

Additional Information

  • https://bugzilla.clamav.net/show_bug.cgi?id=12306#c6
  • https://docs.clamav.net/manual/OnAccess.html?highlight=OnAccessIncludePath#troubleshooting
  • https://documentation.suse.com/sles-sap/15-SP4/html/SLES-SAP-guide/cha-clamsap.html
  • https://www.suse.com/support/kb/doc/?id=000019755

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021125
  • Creation Date: 29-Jun-2023
  • Modified Date:29-Jun-2023
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community
tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ
tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center