Enable quarantine and priv sep

templates/Fedora/34/etc/clamd.d/scan.conf

@@ -220,6 +220,7 @@ TCPAddr 127.0.0.1
 # Run as another user (clamd must be started by root for this option to work)
 # Default: don't drop privileges
 # User clamscan
+User clamscan
 
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
@@ -739,7 +740,6 @@ OnAccessMountPath {{ item.mount }}
 # root user from triggering a scan (unless OnAccessPrevention is enabled).
 # Default: no
 #OnAccessExcludeRootUID no
-OnAccessExcludeRootUID yes
 
 # With this option you can whitelist specific UIDs. Processes with these UIDs
 # will be able to access all files without triggering scans or permission
@@ -762,9 +762,9 @@ OnAccessExcludeRootUID yes
 # OnAccessExcludeUID option.
 # Default: disabled
 #OnAccessExcludeUname clamav
-# XXX OnAccessExcludeUname clamilt
-# XXX OnAccessExcludeUname clamscan
-# XXX OnAccessExcludeUname clamupdate
+OnAccessExcludeUname clamilt
+OnAccessExcludeUname clamscan
+OnAccessExcludeUname clamupdate
 
 # Number of times the OnAccess client will retry a failed scan due to
 # connection problems (or other issues).

templates/Fedora/34/usr/lib/systemd/system/clamav-clamonacc.service

@@ -0,0 +1,15 @@
+# clamonacc systemd service file primarily the work of ChadDevOps & Aaron Brighton
+# See: https://medium.com/@aaronbrighton/installation-configuration-of-clamav-antivirus-on-ubuntu-18-04-a6416bab3b41#a340
+
+[Unit]
+Description=ClamAV On-Access Scanner
+Documentation=man:clamonacc(8) man:clamd.conf(5) https://www.clamav.net/documents
+After=clamd@scan.service syslog.target network.target
+
+[Service]
+Type=simple
+User=root
+ExecStart=/usr/sbin/clamonacc -F --config-file=/etc/clamd.d/scan.conf --move=/root/quarantine/ --fdpass
+
+[Install]
+WantedBy=multi-user.target