Antivirus on-access scanning for Linux using ClamAV and Fanotify
Gomhotep needs Go 1.6 and ClamAV (libclamav) to build and run. Also install freshclam so the ClamAV signature database is kept up to date. On Ubuntu 16.04 LTS install everything with:
sudo apt-get install clamav libclamav-dev clamav-freshclam golang
1) Edit config/gomhotep.yml.
Fanotify reports events for a whole mounted filesystem, so Gomhotep must be given a mountpoint to mark. Currently Gomhotep supports only a single mount point per gomhotep process.
For mount_point, therefore, either use an existing mountpoint (such as /) or create a temporary bind mount:
mkdir /tmp/gomhotep_base /tmp/gomhotep
sudo mount --bind /tmp/gomhotep_base /tmp/gomhotep/
and then set mount_point to /tmp/gomhotep/ in config/gomhotep.yml.
2) Copy config/gomhotep.yml to /etc/gomhotep/, then build and run Gomhotep (it must run as root, since fanotify requires CAP_SYS_ADMIN):
go build gomhotep.go
sudo ./gomhotep
Gomhotep starts the ClamAV scanning workers (3 by default; set num_routines in config/gomhotep.yml) and loads ClamAV's signature database in each of them.
After a couple of seconds it will display its status:
[0] initializing ClamAV database...
[1] initializing ClamAV database...
[2] initializing ClamAV database...
loaded 6471891 signatures
loaded 6471891 signatures
loaded 6471891 signatures
As soon as the signatures are loaded it is ready to scan.
To test it, download the EICAR Anti-Virus Test File and place it anywhere under the chosen mount_point.
A "malware found" message should be displayed:
Gomhotep is a personal research project on filesystem event monitoring and not intended for production use
