diff --git a/docs/config_file_description/README.md b/docs/config_file_description/README.md index 430beea2..97ea3f9d 100644 --- a/docs/config_file_description/README.md +++ b/docs/config_file_description/README.md @@ -147,7 +147,7 @@ Available options:
  • notify – just display in dashboard
  • cleanup – cleanup malicious file (default)
    • enable_scan_inotify: True -# enable (True (default)) or disable (False) real-time scanning for modified files using inotify library +# enable (True (default)) or disable (False) real-time scanning for modified files. Uses fanotify as the primary monitoring mechanism (kernel 3.10+) with legacy inotify fallback. The config option name is kept for backward compatibility. enable_scan_pure_ftpd: True # enable (True (default)) or disable (False) real-time scanning for files uploaded through PureFTPd enable_scan_modsec: True @@ -164,7 +164,9 @@ that were uploaded via http/https. Note that it requires notify_on_detect: False # notify (True) or not (False) (default value) an admin when malware is detected optimize_realtime_scan: True -# enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here +# enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here. +

    +Starting from imunify-realtime-av 8.0.7, the realtime scanner automatically filters out file operations from system services (MySQL/MariaDB, PostgreSQL, Redis, Apache, etc.) to significantly reduce CPU overhead on busy servers. The system service threshold is auto-detected from the OS configuration — no manual setup is required. sends_file_for_analysis: True # send (True) (default value) or not (False) malicious and suspicious files to the Imunify team for analysis i360_clamd: False diff --git a/docs/control_panel_integration/README.md b/docs/control_panel_integration/README.md index 153d94c4..c62b45f4 100644 --- a/docs/control_panel_integration/README.md +++ b/docs/control_panel_integration/README.md @@ -233,7 +233,7 @@ By default, root is considered to be the only admin user. ### 2.5 Integration with Malware Scanner -To scan files for changes (to detect malware) using inotify, configure which directories to watch and which to ignore in the `integration.conf` file: +To configure which directories the realtime malware scanner should watch and which to ignore, edit the `integration.conf` file: * configure `[malware].basedir` – a root directory to watch (recursively) * configure `[malware].pattern_to_watch` – only directories that match this ([Python](https://docs.python.org/3/howto/regex.html#regex-howto)) regex in the basedir are actually going to be watched diff --git a/docs/dashboard/README.md b/docs/dashboard/README.md index 0042c6db..0b9e1780 100644 --- a/docs/dashboard/README.md +++ b/docs/dashboard/README.md @@ -524,7 +524,7 @@ This is also a real time file scanner for vulnerability and it can: * scan files uploaded via HTTP/HTTPS -* scan files for changes via [inotify](https://en.wikipedia.org/wiki/Inotify) +* scan files for changes in real time (using [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) with legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback) * scan on-demand (any folder needed) @@ -1636,14 +1636,17 @@ Read [CXS integration](/ids_integration/#cxs-integration) documentation carefull ![](/images/SettingsMalware2.png) -* _Automatically scan all modified files_ – enables real-time scanning for modified files using [inotify](https://en.wikipedia.org/wiki/Inotify) library. The Scanner searches for modified files in user’s DocumentRoot directories. +* _Automatically scan all modified files_ – enables real-time scanning for modified files. The scanner uses [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) (kernel 3.10+) as the primary file monitoring mechanism, with a legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback for older systems. The Scanner searches for modified files in user’s DocumentRoot directories. ::: tip Note - It requires inotify to be installed and may put an additional load on a system. + Real-time scanning may put additional load on a system. See the _Optimize real-time scan_ option below for ways to reduce this. ::: -* _Optimize real-time scan_ – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watchs. +* _Optimize real-time scan_ – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watches. :::tip Note File change API can work only with ext4 file system. ::: + :::tip Note + Starting from **imunify-realtime-av 8.0.7**, the realtime scanner automatically filters out file operations from system services (MySQL/MariaDB, PostgreSQL, Redis, etc.) to significantly reduce CPU overhead. No configuration is needed — the system service threshold is auto-detected from the OS configuration. + ::: | | | | | |--------------------------|:-----------:|:------------:|:-------------------:| diff --git a/docs/faq_and_known_issues/README.md b/docs/faq_and_known_issues/README.md index 947f97b0..a15f091e 100644 --- a/docs/faq_and_known_issues/README.md +++ b/docs/faq_and_known_issues/README.md @@ -371,7 +371,7 @@ grep 'IM360 WAF: Testing the IM360 ModSecurity ruleset' /var/log/imunify360/cons ### 16. How to check "automatically scan all modified files" works? -To check "automatically scan all modified files" (i.e inotify scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the _Malicious_ tab shortly. +To check "automatically scan all modified files" (the realtime scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the _Malicious_ tab shortly. You can get a malware sample file on the [eicar.org](http://www.eicar.org/). @@ -593,7 +593,7 @@ Proactive Defense will prevent `include`/`require``ignored.txt` file contains additional regular expression patterns specifying what filesystem paths should not be monitored by inotify/fanotify realtime scanner. +The `ignored.txt` file contains additional regular expression patterns specifying what filesystem paths should not be monitored by the realtime scanner. Patterns can be absolute: