ClamAV 1.2 Adding Support For UDF Partitions, New systemd Timer

  • ClamAV 1.2 Adding Support For UDF Partitions, New systemd Timer

    Phoronix: ClamAV 1.2 Adding Support For UDF Partitions, New systemd Timer

    For those making use of the open-source, cross-platform ClamAV anti-virus/anti-malware software backed by Cisco, the first release candidate of ClamAV 1.2 is now available for testing...


  • #2
    Great, now it just needs on-access scanning to scan files as they are accessed, and a GTK 4 with Adwaita user interface.



    • #3
      Originally posted by uid313
      Great, now it just needs on-access scanning to scan files as they are accessed, and a GTK 4 with Adwaita user interface.
      What is wrong with its current on-access scanning that has been available for years?



      • #4
        Originally posted by Xake

        What is wrong with its current on-access scanning that has been available for years?
        I didn't know it had on-access scanning. Maybe it does, but then it is something that I've missed.
        I thought you had to configure like an email client or email server to run the scanner.



        • #5
          Step by step instructions, on how to configure ClamAV:



          You can ignore the following sections:

          "Section 5 - Adding more databases/signatures repositories".

          "Section 7 - Using the milter".

          Also, leave PUA detection disabled (the default option).


          I am using ClamAV as a desktop user, and it is nice.

          OnAccessScan works fine, and when a virus is detected, you get a nice pop up message in the desktop environment you use.


          ClamAV is owned by Cisco.
          Last edited by johnp; 04 August 2023, 04:42 PM.



          • #6
            Originally posted by uid313
            I didn't know it had on-access scanning. Maybe it does, but then it is something that I've missed.
            I thought you had to configure like an email client or email server to run the scanner.
            TBH maybe you should not comment about a wishlist of features if you have not looked into it.
            clamav is not really meant to be used as a client antivirus, but a server antivirus, mostly for mail and other communications, but also for file servers and such looking for problematic files stored from clients.
            But it really is mostly optimized for per-file scanning scenarios where a program like a mail server sends attachments to be scanned on demand.

            That said, clamav already had on-access support with the help of Dazuko, an out-of-tree kernel module, back around 20 years ago. I remember trying it out. Not a fun experience.
            That module went defunct, and a bit later the kernel introduced inotify and later fanotify instead, which makes it possible to "subscribe" to file system actions but also block access. clamav re-introduced experimental support for on-access based on that back in 2011, and wider availability back in 2015, according to the blog post they wrote about it, which was a short web search away when I tried to refresh my memory about it.

            It still however seems to be a PITA to set up. You need to run the process "clamonacc", which needs to be able to access the files it should monitor. But it is, just like any other daemon, not advised to be run as root because of the possibility of attack vectors. Unclear if the clamd process also needs to have access to files in the default configuration, as clamonacc by default is not started with "--fdpass".
            And it still seems to be more done for monitoring parts of a filesystem, like a file share on a file server or home directory.

            But I also guess the reason it is a PITA to set up an on-access antivirus is a part of the reason many parrot the saying that Linux does not really need this kind of antivirus solution anyway, and things like periodic scanning are just as good or even better.

            Comment
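
The "--fdpass" question raised in post #6, illustrated with an added example that is not part of the thread and not ClamAV code: a monitor process opens a file and hands the open descriptor to a scanner over a Unix socket (SCM_RIGHTS), so the scanner reads the content without ever opening the path itself. The function names and the marker string are constructed for illustration; it needs Python 3.9+ on a Unix-like system.

```python
import os
import socket
import tempfile

# Constructed stand-in for a signature match; not a real ClamAV signature.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def monitor_send(sock, path):
    """Monitor side (the clamonacc role): open the file, pass the descriptor."""
    fd = os.open(path, os.O_RDONLY)
    try:
        # The descriptor travels as SCM_RIGHTS ancillary data; the normal
        # payload only carries a label so the scanner can report a name.
        socket.send_fds(sock, [os.path.basename(path).encode()], [fd])
    finally:
        os.close(fd)  # the receiver gets its own duplicate of the descriptor


def scanner_recv(sock):
    """Scanner side (the clamd role): read only from the received descriptor."""
    label, fds, _flags, _addr = socket.recv_fds(sock, 1024, 1)
    if not fds:
        raise RuntimeError("no descriptor received")
    with os.fdopen(fds[0], "rb") as fh:
        data = fh.read()
    verdict = "FOUND" if MARKER in data else "OK"
    return label.decode(), verdict


def demo(content):
    """Run both roles in one process over a socketpair and return the verdict."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with a, b, tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, 0o600)  # readable by the owner only
        monitor_send(a, path)
        os.unlink(path)  # the name is gone; only the passed descriptor remains
        return scanner_recv(b)


if __name__ == "__main__":
    print(demo(b"harmless bytes"))
    print(demo(b"prefix " + MARKER + b" suffix"))
```

Because the scanner works from the descriptor alone, it needs no read permission on the monitored path, which is the situation the "--fdpass" option addresses when the scanning daemon runs as a different user.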


            • #7
              I have the source but I am holding off, I might do some reading. I am not sure if this is going to daemonize by default. Not sure if it's going to show up in /etc/rc.d/ to become active on boot. I had an older package of this a bit ago, it had bits and pieces all over the place on the system, it even showed up as a null user when I went init 4 to sddm.

              I wonder if this shows up as an extra somewhere as an addition to stuff like rkhunter when performing a system audit with lynis.
              Last edited by creative; 04 August 2023, 05:17 PM.



              • #8
                Holy cow my CPU pegged to 100% building this. Was built relatively quick though.


                This is going to take some time to set up, but it's an interesting project to work on. Not in the business of setting up any sort of servers, but I am interested in the aspects of how it behaves on a system.

                No, I think I remember this showing in a query if it was installed on a lynis audit system run. I mostly just want to see the thing in action.

                The package I had initially seemed pretty old.
                Last edited by creative; 04 August 2023, 06:53 PM.



                • #9
                  Originally posted by uid313

                  I didn't know it had on-access scanning. Maybe it does, but then it is something that I've missed.
                  I thought you had to configure like an email client or email server to run the scanner.
                  I'm not surprised. Its necessity isn't always warranted so not many know of it immediately.



                  • #10
                    Originally posted by uid313

                    I didn't know it had on-access scanning. Maybe it does, but then it is something that I've missed.
                    I thought you had to configure like an email client or email server to run the scanner.
                    So you're wishlisting a feature without looking if it already has that feature?
