Bug 11049 - Review and revise OnAccess scanning
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: clamd
ALL
x86_64 GNU/Linux
: P3 normal
: 0.99.1
Assigned To: Mickey Sola
: 11248 11308
Reported: 2014-07-02 13:18 EDT by Steven Morgan
Modified: 2015-10-29 15:34 EDT

Description Steven Morgan 2014-07-02 13:18:38 EDT
OnAccess scanning needs review and revision. Path inclusion/exclusion does not work as expected, among other issues. A member of the ClamAV user community, Martin Wilck, recently pointed out some of the problems on the ClamAV mailing list:

Hello,

I have recently made some experiments with on-access scanning with
clamd, using clamav 0.98.3 from Fedora 19.

The documentation of the "OnAccessIncludePath" option says "Set the
include paths (all files inside them will be scanned)".

The clamd code calls fanotify_mark() with
fan_mask=(FAN_ACCESS|FAN_EVENT_ON_CHILD). This means that clamd will
only receive events for *immediate* children of a directory listed as
"OnAccessIncludePath" (see fanotify_mark(2)).

Is that really meant by "all files inside them will be scanned"? My
expectation would have been that by specifying "/home" as
OnAccessIncludePath, all users' home directories would be scanned
(rather than just regular files directly under /home, which is probably
an empty set).

Why doesn't clamd use FAN_MARK_MOUNT instead?

Regards
Martin

PS: I'd also be curious to understand why FAN_ACCESS (notification on
read) is used by clamd. For the common case of files that are read more
often than written, this would result in some files being re-scanned over
and over again. Why not scan files as they are written, at least for a
host's local, non-removable file systems?

--
Dr. Martin Wilck
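
The two marking strategies contrasted in the description, as an added example (not clamd's code and not part of the quoted post): a minimal fanotify listener that uses either a directory mark with FAN_EVENT_ON_CHILD or FAN_MARK_MOUNT, and requests FAN_CLOSE_WRITE alongside FAN_ACCESS. The names mark_flags, event_mask and open_watch are hypothetical; it assumes Linux and CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Directory mark: events only for the directory and its immediate children.
 * Mount mark: events for every file on the mount that holds `path`. */
static unsigned int mark_flags(int whole_mount) {
    return FAN_MARK_ADD | (whole_mount ? FAN_MARK_MOUNT : 0);
}

/* FAN_ACCESS fires on every read; FAN_CLOSE_WRITE fires when a writer closes.
 * FAN_EVENT_ON_CHILD is only requested for the directory mark. */
static unsigned long long event_mask(int whole_mount) {
    return FAN_ACCESS | FAN_CLOSE_WRITE | (whole_mount ? 0 : FAN_EVENT_ON_CHILD);
}

/* Returns a fanotify fd watching `path`, or -1 on error. */
int open_watch(const char *path, int whole_mount) {
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) return -1;
    if (fanotify_mark(fan, mark_flags(whole_mount), event_mask(whole_mount),
                      AT_FDCWD, path) < 0) {
        close(fan);
        return -1;
    }
    return fan;
}

int main(int argc, char **argv) {            /* usage: ./watch PATH [mount] */
    int fan = argc > 1 ? open_watch(argv[1], argc > 2) : -1;
    if (fan < 0) { fprintf(stderr, "cannot watch (need PATH and root)\n"); return 1; }
    struct fanotify_event_metadata buf[64];
    ssize_t len;
    while ((len = read(fan, buf, sizeof buf)) > 0) {
        struct fanotify_event_metadata *ev = buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            char link[64], path[PATH_MAX];
            if (ev->fd < 0) continue;        /* queue overflow: no file attached */
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t n = readlink(link, path, sizeof path - 1);
            if (n >= 0)
                printf("%s %.*s\n", (ev->mask & FAN_CLOSE_WRITE) ? "write" : "read",
                       (int)n, path);
            close(ev->fd);                   /* each event carries an open fd */
        }
    }
    return 0;
}
```

Run with only a directory argument, reads of files in its subdirectories produce no events; with a second argument the whole mount is reported.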
Comment 1 Steven Morgan 2015-04-28 16:46:20 EDT
*** Bug 11308 has been marked as a duplicate of this bug. ***
Comment 2 Steven Morgan 2015-04-28 16:50:04 EDT
*** Bug 11248 has been marked as a duplicate of this bug. ***
Comment 3 Steven Morgan 2015-04-28 16:55:49 EDT
Targeting for next feature release.
Comment 4 Steven Morgan 2015-07-01 15:24:59 EDT
Reminder - review tickets 2236, 11308, and 11248 in conjunction with this effort.
Comment 5 Steven Morgan 2015-10-21 19:44:29 EDT
Mickey,

Please review this ticket and the tickets in comment 4 w.r.t On-access overhaul to see if we can close this.
Comment 6 Mickey Sola 2015-10-22 14:02:22 EDT
The overhaul being released in 0.99 adds the requested functionality. This can be closed.