On-access Scanning

There is a special thread in clamd that performs on-access scanning under Linux and shares internal virus database with the daemon. By default, this thread will only notify you when potential threats are discovered. If you turn on prevention via clamd.conf then you must follow some important rules when using it: The default configuration utilizes inotify to recursively keep track of directories. If you need to protect more than 8192 directories it will be necessary to change inotify's max_user_watches value.

This can be done temporarily with:
    $ sysctl fs.inotify.max_user_watches=<n>
Where <n> is the new maximum desired.

To watch your entire filesystem add the following lines to clamd.conf:
	ScanOnAccess yes
	OnAccessMountPath /
Similarly, to protect your home directory add the following lines to clamd.conf:
	ScanOnAccess yes
	OnAccessIncludePath /home
	OnAccessExcludePath /home/user/temp/dir/of/your/mail/scanning/software
	OnAccessPrevention yes
For more configuration options, type 'man clamd.conf' or reference the example clamd.conf.

Cisco 2015-10-07