Differences between Talpa and Fanotify

We recently ran into an issue with Talpa after a Linux kernel update. We don't have gcc installed on the servers which had the update, so building the new Talpa modules failed. I've read through the KB article regarding Fanotify and I'm thinking of switching to that for all servers. 

According to KB article 118216:

Further information

Use of Fanotify with Sophos Anti-Virus for Linux is fully supported for on-access scanning; however, please note the following:

  • Fanotify is built-in to the kernel and not developed by Sophos. Behavior with Fanotify may differ to Talpa
  • Fanotify is updated via kernel updates. Behavior with Fanotify may differ depending on kernel version
  • Some distributions, including Debian (7 and 8), may turn off Fanotify within their Kernels. Sophos has no control over this. For Debian, compile Talpa Binary Packs locally, refer to Sophos Anti-Virus for Linux: Locally compiling Talpa Binary Packs for On-Access scanning

If you experience any unexpected behaviour or issues with Fanotify, please contact Sophos support.

Known limitations of Fanotify

  • Scanning of NFSv4 is not supported with Fanotify - This is a filesystem limitation. Please note that in some cases it may appear to work. Please refer to KB 118932 for details of Fanotify support.
    • Workaround - Use Talpa with NFSv4 instead of Fanotify, or switch to NFSv3
    • It may also be possible to exclude nfs4 filesystems with: /opt/sophos-av/bin/savconfig add ExcludeFilesystems nfs4
  • 30s delay of file create and Operation not permitted errors with Fanotify and cifs – This is a known kernel issue.
    • Workaround – Disable CIFS oplocks, exclude the CIFS share from on-access scanning, or use Talpa instead of Fanotify

Is there any way to tell what behavior might be different with Fanotify? I realize that future kernel updates may change things, but are there any differences using Fanotify other than scanning NFSv4 and CIFS mounts? We have no network mounts so if that's the only difference Fanotify would be fine.
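The two things the KB above says to check before switching (whether the kernel was built with Fanotify at all, and whether any nfs4 or cifs mounts are present) can be scripted. This is an added example, not code from the thread or from Sophos; it assumes the kernel config is readable at /boot/config-$(uname -r) (some distributions ship it only as /proc/config.gz) and that CONFIG_FANOTIFY / CONFIG_FANOTIFY_ACCESS_PERMISSIONS are the relevant kernel options, which they are for mainline kernels.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): pre-flight check before
# moving Sophos Anti-Virus for Linux from Talpa to Fanotify.
#   1. Is the running kernel built with fanotify? Debian 7/8 kernels may not be.
#   2. Are any nfs4 or cifs filesystems mounted? Those are the known limitations.
# Inputs are file paths so the check can run on a copy of the kernel config and
# /proc/mounts, or on constructed test files.

# fanotify_enabled CONFIG_FILE -> 0 if CONFIG_FANOTIFY=y, 1 otherwise.
# Permission events (needed to block access, not just observe it) additionally
# require CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y; a missing one is reported too.
fanotify_enabled() {
    grep -q '^CONFIG_FANOTIFY=y$' "$1" || return 1
    grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y$' "$1" ||
        echo "warning: CONFIG_FANOTIFY_ACCESS_PERMISSIONS not set; cannot block access"
    return 0
}

# problem_mounts MOUNTS_FILE -> prints "<fstype> <mountpoint>" per nfs4/cifs mount.
# /proc/mounts columns: device mountpoint fstype options dump pass
problem_mounts() {
    awk '$3 == "nfs4" || $3 == "cifs" { print $3, $2 }' "$1"
}

# fanotify_check CONFIG_FILE MOUNTS_FILE -> verdict on stdout;
# exit 0 = fine, 1 = kernel lacks fanotify, 2 = limited mounts present.
fanotify_check() {
    if ! fanotify_enabled "$1"; then
        echo "fanotify: not built into this kernel; keep Talpa (compile Binary Packs locally)"
        return 1
    fi
    found=$(problem_mounts "$2")
    if [ -n "$found" ]; then
        echo "fanotify: supported, but these mounts hit known limitations:"
        echo "$found" | sed 's/^/  /'
        echo "  nfs4: use Talpa or NFSv3, or: savconfig add ExcludeFilesystems nfs4"
        echo "  cifs: disable oplocks, exclude the share, or use Talpa"
        return 2
    fi
    echo "fanotify: supported and no nfs4/cifs mounts found"
    return 0
}

# Run against the live system when invoked with --live (paths are assumptions).
if [ "${1:-}" = "--live" ]; then
    fanotify_check "/boot/config-$(uname -r)" /proc/mounts
fi
```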

  • Hi

    If your Kernel supports Fanotify, then IMO, it is a good option. However, I should make you aware of this

  • In reply to Yashraj:

    Thanks, I don't think this will be a big issue going forward. I've seen that Sophos tries to have prebuilt modules within 4 weeks of a new kernel. We also may be implementing containerization soon, so I think sticking to Talpa would be best. We can install gcc if we run into a situation where there are no prebuilt modules.