From 6cc3f71ade6fbd773017100ca1150c4640b4a384 Mon Sep 17 00:00:00 2001 From: Dmitriy Leonov Date: Tue, 7 Apr 2026 14:11:45 +0100 Subject: [PATCH 1/2] docs: document realtime scanner system service filtering in 8.0.7 - config_file_description: add note about automatic system service filtering to optimize_realtime_scan option - dashboard: add tip about 8.0.7 auto-filtering to Optimize real-time scan setting Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/config_file_description/README.md | 4 +++- docs/dashboard/README.md | 5 ++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/config_file_description/README.md b/docs/config_file_description/README.md index 430beea2..d7ee1818 100644 --- a/docs/config_file_description/README.md +++ b/docs/config_file_description/README.md @@ -164,7 +164,9 @@ that were uploaded via http/https. Note that it requires notify_on_detect: False # notify (True) or not (False) (default value) an admin when malware is detected optimize_realtime_scan: True -# enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here +# enable (True) (default value) or disable (False) the File Change API and fanotify support to reduce the system load while watching for file changes in comparison with inotify watch. You can find the comparison table here. +

+Starting from imunify-realtime-av 8.0.7, the realtime scanner automatically filters out file operations from system services (MySQL/MariaDB, PostgreSQL, Redis, Apache, etc.) to significantly reduce CPU overhead on busy servers. The system service threshold is auto-detected from the OS configuration — no manual setup is required. sends_file_for_analysis: True # send (True) (default value) or not (False) malicious and suspicious files to the Imunify team for analysis i360_clamd: False diff --git a/docs/dashboard/README.md b/docs/dashboard/README.md index 0042c6db..403456ed 100644 --- a/docs/dashboard/README.md +++ b/docs/dashboard/README.md @@ -1640,10 +1640,13 @@ Read [CXS integration](/ids_integration/#cxs-integration) documentation carefull ::: tip Note It requires inotify to be installed and may put an additional load on a system. ::: -* _Optimize real-time scan_ – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watchs. +* _Optimize real-time scan_ – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watches. :::tip Note File change API can work only with ext4 file system. ::: + :::tip Note + Starting from **imunify-realtime-av 8.0.7**, the realtime scanner automatically filters out file operations from system services (MySQL/MariaDB, PostgreSQL, Redis, etc.) to significantly reduce CPU overhead. No configuration is needed — the system service threshold is auto-detected from the OS configuration. + ::: | | | | | |--------------------------|:-----------:|:------------:|:-------------------:| From 59a66c712ce8027e3c8e3d90befcd10b43c590f7 Mon Sep 17 00:00:00 2001 
From: Dmitriy Leonov Date: Tue, 7 Apr 2026 14:15:31 +0100 Subject: [PATCH 2/2] docs: update realtime scanner references from inotify to fanotify The realtime scanner (im-rt2) uses fanotify as the primary file monitoring mechanism since its initial release, with inotify only as a legacy fallback. Update documentation to reflect this: - dashboard: clarify fanotify is primary, inotify is fallback - config: update enable_scan_inotify description (name kept for compat) - control_panel_integration: remove inotify-specific wording - faq: replace "inotify scanner" and "inotify/fanotify" references Co-Authored-By: Claude Opus 4.6 (1M context) --- docs/config_file_description/README.md | 2 +- docs/control_panel_integration/README.md | 2 +- docs/dashboard/README.md | 6 +++--- docs/faq_and_known_issues/README.md | 6 +++--- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/config_file_description/README.md b/docs/config_file_description/README.md index d7ee1818..97ea3f9d 100644 --- a/docs/config_file_description/README.md +++ b/docs/config_file_description/README.md @@ -147,7 +147,7 @@ Available options:
  • notify – just display in dashboard
  • cleanup – cleanup malicious file (default)
  • enable_scan_inotify: True -# enable (True (default)) or disable (False) real-time scanning for modified files using inotify library +# enable (True (default)) or disable (False) real-time scanning for modified files. Uses fanotify as the primary monitoring mechanism (kernel 3.10+) with legacy inotify fallback. The config option name is kept for backward compatibility. enable_scan_pure_ftpd: True # enable (True (default)) or disable (False) real-time scanning for files uploaded through PureFTPd enable_scan_modsec: True diff --git a/docs/control_panel_integration/README.md b/docs/control_panel_integration/README.md index 153d94c4..c62b45f4 100644 --- a/docs/control_panel_integration/README.md +++ b/docs/control_panel_integration/README.md @@ -233,7 +233,7 @@ By default, root is considered to be the only admin user. ### 2.5 Integration with Malware Scanner -To scan files for changes (to detect malware) using inotify, configure which directories to watch and which to ignore in the `integration.conf` file: +To configure which directories the realtime malware scanner should watch and which to ignore, edit the `integration.conf` file: * configure `[malware].basedir` – a root directory to watch (recursively) * configure `[malware].pattern_to_watch` – only directories that match this ([Python](https://docs.python.org/3/howto/regex.html#regex-howto)) regex in the basedir are actually going to be watched diff --git a/docs/dashboard/README.md b/docs/dashboard/README.md index 403456ed..0b9e1780 100644 --- a/docs/dashboard/README.md +++ b/docs/dashboard/README.md 
@@ -524,7 +524,7 @@ This is also a real time file scanner for vulnerability and it can: * scan files uploaded via HTTP/HTTPS -* scan files for changes via [inotify](https://en.wikipedia.org/wiki/Inotify) +* scan files for changes in real time (using [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) with legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback) * scan on-demand (any folder needed) @@ -1636,9 +1636,9 @@ Read [CXS integration](/ids_integration/#cxs-integration) documentation carefull ![](/images/SettingsMalware2.png) -* _Automatically scan all modified files_ – enables real-time scanning for modified files using [inotify](https://en.wikipedia.org/wiki/Inotify) library. The Scanner searches for modified files in user’s DocumentRoot directories. +* _Automatically scan all modified files_ – enables real-time scanning for modified files. The scanner uses [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) (kernel 3.10+) as the primary file monitoring mechanism, with a legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback for older systems. The Scanner searches for modified files in user’s DocumentRoot directories. ::: tip Note - It requires inotify to be installed and may put an additional load on a system. + Real-time scanning may put additional load on a system. See the _Optimize real-time scan_ option below for ways to reduce this. ::: * _Optimize real-time scan_ – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watches. :::tip Note diff --git a/docs/faq_and_known_issues/README.md b/docs/faq_and_known_issues/README.md index 947f97b0..a15f091e 100644 --- a/docs/faq_and_known_issues/README.md +++ b/docs/faq_and_known_issues/README.md 
@@ -371,7 +371,7 @@ grep 'IM360 WAF: Testing the IM360 ModSecurity ruleset' /var/log/imunify360/cons ### 16. How to check "automatically scan all modified files" works? -To check "automatically scan all modified files" (i.e inotify scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the _Malicious_ tab shortly. +To check "automatically scan all modified files" (the realtime scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the _Malicious_ tab shortly. You can get a malware sample file on the [eicar.org](http://www.eicar.org/). @@ -593,7 +593,7 @@ Proactive Defense will prevent `include`/`require``ignored.txt` file contains additional regular expression patterns specifying what filesystem paths should not be monitored by inotify/fanotify realtime scanner. +The `ignored.txt` file contains additional regular expression patterns specifying what filesystem paths should not be monitored by the realtime scanner. Patterns can be absolute:
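Review bot: In PATCH 1/2, docs/config_file_description/README.md (@@ -164,7 +164,9), the added line beginning "Starting from imunify-realtime-av 8.0.7" has no leading `#`, while every other description in this hunk's context is a `#` comment under its option. If this section renders as a config listing, the paragraph will read as a config entry sitting between optimize_realtime_scan and sends_file_for_analysis. Prefix it with `# ` and drop the bare `+` blank line, or move the paragraph out of the listing.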
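Review bot: In PATCH 1/2, docs/dashboard/README.md (@@ -1640,10 +1640,13), the new tip lists "MySQL/MariaDB, PostgreSQL, Redis, etc." while the matching paragraph added to the config README lists "MySQL/MariaDB, PostgreSQL, Redis, Apache, etc."; use one list in both places. Whether Apache is filtered matters to anyone assessing detection coverage, so if it is, say how files written by the web server are still scanned. "System service threshold" is used without definition in both files; one clause on what is being thresholded and where in the OS configuration it is read from would let an admin check the detected value. Also say whether the filtering applies only when _Optimize real-time scan_ is enabled, since the tip is nested under that option.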
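Review bot: In PATCH 2/2, docs/config_file_description/README.md (@@ -147,7 +147,7), the new enable_scan_inotify description gives "kernel 3.10+" for fanotify but does not say when the inotify fallback is taken. The dashboard hunk at @@ -1636 says "for older systems" and the one at @@ -524 gives neither the kernel version nor the condition. State the fallback condition once and use the same wording in all three places.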
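Review bot: In PATCH 2/2, docs/dashboard/README.md (@@ -1636,9 +1636,9), the rewritten _Automatically scan all modified files_ bullet says fanotify is the primary mechanism, but the unchanged _Optimize real-time scan_ bullet directly below still says that option "enables the File Change API and **fanotify** support" to reduce load "in comparison with inotify watches". Read together, it is unclear whether fanotify is used when _Optimize real-time scan_ is off. Reword the Optimize bullet, and the matching optimize_realtime_scan comment in the config README, to say what that option adds on top of the default fanotify monitoring.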