Sophos Anti-Virus for Linux: Fanotify Overview

  • Article ID: 118216
  • Updated: 30 Jun 2017
  • Available in: English | Español | Italiano | 日本語 | Français | Deutsch

Overview

Fanotify is a file access notification system built into many common Linux kernels. This kernel feature allows Sophos Anti-Virus to scan files on-access and, if necessary, block access to threats. This article gives further details on the supported environments for fanotify and Sophos Anti-Virus for Linux.

The following sections are covered:
  • About Fanotify
  • Enabling fanotify as the default kernel interface
  • Using fanotify as a fall back method
  • Further information
  • Known limitations of fanotify
  • Feedback and contact

Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux v9.7+

Sophos Anti-Virus for Linux v10.0+ (Sophos Central only)

Operating systems
Linux

Note: Debian does not support fanotify.

About Fanotify

Support for fanotify is included in Sophos Anti-Virus version 9.7.x and higher. Fanotify provides notification and interception of file system events, and can be used for on-access file scanning as an alternative to the Sophos-provided Talpa kernel interface.

Fanotify is available on 2.6.37+ kernels.
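Added example, not Sophos code, of the mechanism the paragraphs above describe: a minimal C program using the kernel's fanotify permission-event interface to hold each open() on a mount until a scan verdict is written back, which is what lets an on-access scanner block access to a detected file. The fanotify calls are the real kernel API; the marker string, scan_buffer() and the default mount path are constructed stand-ins for a scanning engine, and running it needs a kernel with CONFIG_FANOTIFY_ACCESS_PERMISSIONS plus CAP_SYS_ADMIN.

```c
/* Added example (not Sophos code): minimal fanotify permission-event scanner.
 * Needs Linux >= 2.6.37 with CONFIG_FANOTIFY_ACCESS_PERMISSIONS and
 * CAP_SYS_ADMIN; scan_buffer() is a constructed stand-in for a real engine. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

static const char THREAT_MARKER[] = "CONSTRUCTED-TEST-THREAT-MARKER"; /* constructed */

/* Verdict for file content: FAN_DENY if the marker appears, else FAN_ALLOW. */
unsigned int scan_buffer(const char *buf, size_t n)
{
    return memmem(buf, n, THREAT_MARKER, sizeof THREAT_MARKER - 1) ? FAN_DENY : FAN_ALLOW;
}

/* Read the head of the file behind a fanotify-supplied fd and scan it. */
unsigned int scan_fd(int fd)
{
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return n < 0 ? FAN_ALLOW : scan_buffer(buf, (size_t)n); /* fail-open is a policy choice */
}

/* Watch a whole mount; every open() on it blocks until we write a response. */
int run_scanner(const char *mount_path)
{
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, mount_path) < 0) { perror("fanotify_mark"); return 1; }
    char events[8192] __attribute__((aligned(8))); /* event records are 8-byte aligned */
    for (;;) {
        ssize_t len = read(fan, events, sizeof events);
        if (len <= 0) { if (len < 0 && errno == EINTR) continue; break; }
        for (struct fanotify_event_metadata *m = (void *)events;
             FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->fd < 0 || !(m->mask & FAN_OPEN_PERM)) continue;
            struct fanotify_response r = { .fd = m->fd, .response = scan_fd(m->fd) };
            if (write(fan, &r, sizeof r) < 0) perror("write response"); /* releases the open() */
            close(m->fd);
        }
    }
    return 0;
}
int main(int argc, char **argv) { return run_scanner(argc > 1 ? argv[1] : "/tmp"); }
```

On a kernel where fanotify or its permission events are compiled out, fanotify_init fails with ENOSYS or fanotify_mark rejects FAN_OPEN_PERM with EINVAL, rather than the scanner silently failing to block; that is the condition a fall back to Talpa has to handle.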

Enabling fanotify as the default kernel interface

Fanotify can be set as the default kernel interface for on-access scanning, in preference to Talpa, by following these steps:

  1. Run the following command:
    /opt/sophos-av/bin/savconfig set PreferFanotify true
  2. Restart SAV:
    /etc/init.d/sav-protect restart

Using fanotify as a fall back method

If you don’t want SAV for Linux to attempt to enable fanotify automatically, run the following command:

/opt/sophos-av/bin/savconfig set DisableFanotify true

Restart SAV:
/etc/init.d/sav-protect restart

Further information

Use of fanotify with Sophos Anti-Virus for Linux is fully supported for on-access scanning; however, please note the following:

  • Fanotify is built into the kernel and not developed by Sophos. Behavior with fanotify may differ from Talpa.
  • Fanotify is updated via kernel updates. Behavior with fanotify may differ depending on kernel version.
  • Some distributions, including Debian, may turn off fanotify within their kernels. Sophos has no control over this. For Debian, compile Talpa Binary Packs locally; refer to Sophos Anti-Virus for Linux: Locally compiling Talpa Binary Packs for On-Access scanning.

If you experience any unexpected behaviour or issues with fanotify, please contact Sophos support.

Known limitations of fanotify

  • NFSv4 access is blocked when scanning with fanotify (except in RHEL 7.2+) – this is a filesystem issue.
    • Workaround – Use Talpa with NFSv4 instead of fanotify, or switch to NFSv3
    • It may also be possible to exclude nfs4 filesystems with: /opt/sophos-av/bin/savconfig add ExcludeFilesystems nfs4
  • 30s delay on file creation and "Operation not permitted" errors with fanotify and CIFS – this is a known kernel issue.
    • Workaround – Disable CIFS oplocks, exclude the CIFS share from on-access scanning, or use Talpa instead of fanotify

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
