Fanotify is a file access notification system built into later Linux kernels. This kernel feature allows Sophos Anti-Virus to scan files On-Access and, if necessary, block access to threats. This article gives further details on the supported environments for Fanotify and Sophos Anti-Virus.
Known to apply to the following Sophos product(s) and version(s):
Sophos Anti-Virus for Linux v9.0
Sophos Anti-Virus for Linux v10.0
Operating systems: Linux
Support for Fanotify is included in Sophos Anti-Virus version 9.7.x and higher. This provides an alternative to Talpa - the current On-Access kernel interface.
With Fanotify, On-Access scanning is available on any 2.6.37+ kernel. It will not be necessary for Sophos to include a binary pack for each kernel/new distribution or for a module to be compiled locally.
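A pre-flight check for the kernel requirement above, as an added example (not Sophos code): it tests a kernel release string against the 2.6.37 minimum and checks a kernel config file for CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS, the kernel options behind fanotify and its permission (blocking) events. The function names and the /boot/config-<release> location are assumptions; some distributions ship the kernel config elsewhere.

```shell
#!/bin/sh
# Added example, not part of Sophos Anti-Virus.

# Return 0 if the kernel release string is 2.6.37 or newer.
kernel_at_least_2_6_37() {
    ver=${1%%[!0-9.]*}            # 3.10.0-1160.el7.x86_64 -> 3.10.0
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 37 ]
}

# Return 0 if the given kernel config file enables fanotify and its
# permission events (needed to deny an open, not just observe it).
config_allows_blocking() {
    grep -q '^CONFIG_FANOTIFY=y$' "$1" &&
    grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y$' "$1"
}

# Print one status word and return non-zero on the first failed check.
fanotify_preflight() {
    release=$1
    config=$2
    if ! kernel_at_least_2_6_37 "$release"; then
        echo "kernel-too-old"; return 1
    fi
    if [ ! -r "$config" ]; then
        echo "config-unreadable"; return 2
    fi
    if ! config_allows_blocking "$config"; then
        echo "fanotify-not-enabled"; return 3
    fi
    echo "ok"
}

# Typical call on the host being checked (path is an assumed convention):
#   fanotify_preflight "$(uname -r)" "/boot/config-$(uname -r)"
```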
Default kernel interface module
At present Talpa is still the default kernel interface module for On-Access scanning. Sophos provide Talpa Binary Packs for all supported distributions/kernels - so Fanotify is not used by default.
To enable the Fanotify functionality, follow the steps below. Fanotify will be used as a fallback method if a Talpa Binary Pack cannot be loaded/compiled.
/opt/sophos-av/bin/savconfig set DisableFanotify false
Restart SAV: /etc/init.d/sav-protect restart
Using Fanotify as the default kernel interface
If required, Fanotify can be set as the default kernel interface and will be used in preference to Talpa. These steps should be followed for users wishing to use Fanotify functionality instead of Talpa.
/opt/sophos-av/bin/savconfig set PreferFanotify true
Use of Fanotify with Sophos Anti-Virus is fully supported for on-access scanning; however, the following caveats apply:
If you experience any unexpected behaviour or issues with Fanotify, please contact Sophos support. Known issues are listed below.