OnAccess-Scan functionality of clamav - ERROR: ClamInotif: could not watch path
This document (000021125) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server for SAP Applications 15 SP4
Situation
# clamonacc --verbose --foreground ClamClient: client setup for continuous scanning Clamonacc: daemon is local ClamFanotif: kernel-level blocking feature enabled ... preventing malicious files access attempts ClamFanotif: max file size limited to 5242880 bytes ClamScanQueue: initializing event queue consumer ... (2) threads in thread pool Clamonacc: beginning event loops ClamInotif: starting inotify event loop ... ClamFanotif: starting fanotify event loop with process id (13672) ... ClamInotif: dynamically determining directory hierarchy... ClamScanQueue: waiting to consume events ... ClamInotif: watching '/EXAMPLE' (and all sub-directories) Excluding temp directory: /tmp/clamav ClamInotif: NVM, didn't actually need to exclude '/tmp/clamav' ERROR: ClamInotif: could not watch path '/EXAMPLE', 3 <---- here
The /etc/clamd.conf configuration file looks similar to the following:
# /etc/clamd.conf LogSyslog yes LogFacility LOG_LOCAL6 PidFile /var/lib/clamav/clamd.pid LocalSocket /var/lib/clamav/clamd-socket User vscan TemporaryDirectory /tmp/clamav OnAccessPrevention True OnAccessExcludeRootUID True OnAccessExcludeUname vscan MaxThreads 4 MaxQueue 8 OnAccessMaxThreads 2 OnAccessIncludePath /EXAMPLE <---- here
Resolution
1. A more granular configuration can be specified for the directories to be watched or
2. Mention the submounts first. For example, in the /etc/clamd.conf file, instead of:
OnAccessIncludePath /EXAMPLE
The following can be used:
OnAccessIncludePath /EXAMPLE/submount1 OnAccessIncludePath /EXAMPLE
Cause
According to the official ClamAV On-Access Scanning documentation, it is not possible to monitor the entire system (/). The OnAccessIncludePath option will not accept / as a valid path, for example.
Also according to a comment in ClamAV Bug# 12306 it appears to be a small issue in how the watches are set up.
Note the old ClamAV bugzilla was shutdown in favor of GitHub Issues for all new ClamAV bug reports.
Additional Information
- https://docs.clamav.net/manual/OnAccess.html?highlight=OnAccessIncludePath#troubleshooting
- https://documentation.suse.com/sles-sap/15-SP4/html/SLES-SAP-guide/cha-clamsap.html
- https://www.suse.com/support/kb/doc/?id=000019755
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021125
- Creation Date: 29-Jun-2023
- Modified Date:12-Jun-2025
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
