Fanotify is a file access notification system built into many common Linux kernels. This kernel feature allows Sophos Anti-Virus to scan files on-access and, if necessary, block access to threats. This article gives further details on the supported environments for Fanotify and Sophos Anti-Virus for Linux.
Applies to the following Sophos products and versions
Operating systems: Linux
Support for Fanotify is included in Sophos Anti-Virus version 9.7.x and higher. Fanotify provides notification and interception of file system events, and can be used for on-access file scanning as an alternative to the Sophos-provided Talpa kernel interface.
Sophos Anti-Virus uses Fanotify as the interception method automatically when a pre-compiled Talpa Binary Pack cannot be found or compiled locally, provided that Fanotify is enabled as a fallback method.
Fanotify is available on 2.6.37+ kernels.
Fanotify can be set as the default kernel interface for on-access scanning, in preference to Talpa, by following these steps:
/opt/sophos-av/bin/savconfig set PreferFanotify true
systemctl restart sav-protect.service
If you want SAV for Linux to attempt to enable Fanotify automatically:
/opt/sophos-av/bin/savconfig set DisableFanotify false
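A pre-flight check that can be run before changing these settings, added here as an example and not part of the Sophos article or product. It tests the 2.6.37 kernel minimum stated above and reads the upstream kernel build options CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS (the latter is what lets a fanotify listener deny an open). The function names and the /boot/config-<release> path are assumptions; that path is a common distribution convention and may not exist on every system.

```sh
#!/bin/sh
# Added example: pre-flight check before "savconfig set PreferFanotify true".

# Return 0 if kernel release string $1 (as printed by `uname -r`) is >= 2.6.37.
kernel_has_fanotify() {
    # Keep only the leading numeric part: "3.10.0-514.el7.x86_64" -> "3 10 0".
    set -- $(printf '%s\n' "$1" | sed 's/[^0-9.].*$//' | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 2 ]; then [ "$major" -gt 2 ]; return; fi
    if [ "$minor" -ne 6 ]; then [ "$minor" -gt 6 ]; return; fi
    [ "$patch" -ge 37 ]
}

# Print the fanotify support recorded in kernel config file $1:
#   blocking    - CONFIG_FANOTIFY and CONFIG_FANOTIFY_ACCESS_PERMISSIONS are set
#   notify-only - events are delivered, but the kernel cannot hold an open
#                 while a scanner decides whether to allow it
#   disabled    - fanotify is not built into this kernel
#   unknown     - the config file is missing or unreadable
fanotify_config_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if ! grep -q '^CONFIG_FANOTIFY=y' "$1"; then
        echo disabled
    elif grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$1"; then
        echo blocking
    else
        echo notify-only
    fi
}

# Print a one-line verdict for kernel release $1 and kernel config file $2.
preflight() {
    if ! kernel_has_fanotify "$1"; then
        echo "kernel $1: older than 2.6.37, Fanotify unavailable"
    else
        echo "kernel $1: fanotify config state: $(fanotify_config_state "$2")"
    fi
}

# Assumed config location; adjust if your distribution stores it elsewhere.
preflight "$(uname -r)" "/boot/config-$(uname -r)"
```

A result other than "blocking" means on-access scanning through Fanotify cannot be expected to block access on that kernel, so confirm which interface is in use after restarting sav-protect.service.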
Use of Fanotify with Sophos Anti-Virus for Linux is fully supported for on-access scanning; however, please note the following:
If you experience any unexpected behaviour or issues with Fanotify, please contact Sophos support.