Malware scanning of /home in Silverblue

Hi All,

I’m working on a risk exemption to permit Silverblue to be used by engineering and operations personnel at my company. The one risk case that I don’t have anything for is catching and reporting malware (I’m thinking of infected .docs, spreadsheets, pdfs) in /home. These can come from web downloads, email downloads, malicious flatpaks, or software installed in toolbox. I need this to be on-access or at least cron-able.

I experimented with layering clamav, clamav-update, and clamd then running clamonacc and it destroyed the CPU and battery life so that’s not an option. Our normal antivirus refuses to work properly in the core OS and in a container.

Not everyone who would be using this solution would be using thunderbird so an add-on there is not going to solve my needs. In addition, a chunk of files are transferred via Slack so that also negates an email-based solution. We also upload files via git so this also forces me into a /home scanning solution.

In case I’m missing something, I’m reaching out to see if anyone has any nifty ideas.

Thanks!

Edit: Yes, I had on access scanning restricted to /home


Does your normal antivirus use a kernel module? That’s gonna be hard :frowning:

I haven’t used clamonacc, but it looks at quick glance that that works on all file access, scanning when someone tries to open something. Might be possible to limit to scanning on file write — so it’d catch new potential malware landing?


That would be good. I don’t see an option in clamd.conf for that, unfortunately.

A follow-on thought here would be that the majority of malware that would exist in /home are risks to others, not the workstation itself. e.g. we could process an infected doc or PDF but it wouldn’t bother us. I’d rather be proactive about finding and addressing these vs being “a disease carrier” but it may be enough to allow its use in certain circumstances. The benefit of an atomic OS with containers is what is also causing this situation.

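The write-triggered scanning suggested in the first reply (and missing from clamd.conf, as the second reply notes) can be built outside clamd with inotify. This is an added example, not code from any poster or from the ClamAV project; it assumes inotify-tools (`inotifywait`) and `clamdscan` are available, that a `clamd` is running with access to /home, and that the log path is a placeholder.

```shell
#!/bin/sh
# Scan files in /home only when they finish being written or are moved in,
# instead of on every access (which is what made clamonacc so expensive).
# Assumed tools: inotifywait (inotify-tools) and clamdscan talking to a running clamd.
WATCH_ROOT="${WATCH_ROOT:-/home}"
LOGFILE="${LOGFILE:-/var/log/home-write-scan.log}"   # placeholder path

# Decide whether a path/event pair should go to clamd: 0 = scan, 1 = skip.
# Skips hidden directories (~/.cache, ~/.local, ~/.var flatpak data), which churn
# constantly, and files that are still being downloaded or are editor scratch files.
should_scan() {
    path="$1"; event="$2"
    case "$event" in
        *CLOSE_WRITE*|*MOVED_TO*) ;;                 # a file finished landing here
        *) return 1 ;;
    esac
    case "$path" in
        */.*) return 1 ;;                            # anything under a dot-directory
        *.part|*.crdownload|*~|*.swp) return 1 ;;    # in-progress / temporary files
    esac
    return 0
}

# Hand one file to clamd; record only infections and scanner errors.
# clamdscan exits 0 = clean, 1 = infected, 2 = error.
scan_file() {
    path="$1"
    # --fdpass passes an open descriptor so clamd can read files its own user cannot.
    if result=$(clamdscan --fdpass --no-summary "$path" 2>&1); then
        return 0
    else
        rc=$?
        if [ "$rc" -eq 1 ]; then tag=INFECTED; else tag=ERROR; fi
        printf '%s %s %s\n' "$(date -u +%FT%TZ)" "$tag" "$result" >> "$LOGFILE"
    fi
}

# Recursive watch needs enough inotify watches (fs.inotify.max_user_watches).
watch_loop() {
    inotifywait -m -r -q -e close_write -e moved_to --format '%w%f|%e' "$WATCH_ROOT" |
    while IFS='|' read -r path event; do
        should_scan "$path" "$event" && scan_file "$path"
    done
}

# Run with --watch to start; without it the functions are only defined.
if [ "${1:-}" = "--watch" ]; then watch_loop; fi
```

Run it as a user systemd service or from a cron `@reboot` entry with `--watch`; CPU cost is then proportional to new files, not to file opens.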