Anti-virus in docker container - does fanotify work between host and container?

I have a solution with a patched ClamAV.

  1. Must use ClamAV < 0.102.0 because of the splitting of scanning and detection: detected files can't be scanned because the path is observed from the container point of view
  2. OnAccessMount doesn't work because you have to list each mount in the ClamAV config and then restart, and docker creates mounts on the fly
  3. Must use overlayfs, not LVM, so ClamAV can access the mount
  4. OnAccessIncludePath doesn't work because the file and folder enumeration method doesn't traverse file systems (doesn't scan beyond mount for path specified)

I was able to get OnAccessIncludePath working with a patch I posted to clamav-devel mailing list: https://lists.gt.net/clamav/devel/77347#77347.

I ended up with one process using fanotify for static mounts and one using inotify to monitor /var/lib/docker ephemeral mounts. Having 2 instances is still much better than 1 per container. I did a fair bit of load testing and have had the patch in production since about the time I mailed the list.

Sophos didn't work for me but I gave up pretty quickly.
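Two of the points in the answer above (mounts appearing on the fly under /var/lib/docker, and an enumerator that stops at filesystem boundaries) can be illustrated outside of ClamAV. The following is an added example, not part of the original post or of the ClamAV patch it links to: it parses `/proc/self/mountinfo`-style lines to list the mounts docker has created under `/var/lib/docker`, and it walks a directory tree with an explicit choice about whether to cross filesystem boundaries (the `st_dev` check is the same mechanism that stops a default traversal at a mount). The `SAMPLE_MOUNTINFO` text is constructed for the example; the function names and the `DOCKER_ROOT` default are assumptions, not ClamAV configuration.

```python
import os

DOCKER_ROOT = "/var/lib/docker"

# Pseudo filesystems that carry no scannable files (assumed list for this example).
PSEUDO_FSTYPES = {"proc", "sysfs", "devpts", "tmpfs", "cgroup", "cgroup2", "mqueue"}

# Constructed sample in /proc/self/mountinfo format: one overlay "merged" dir for a
# running container, a /proc mount nested inside it, and a named volume.
SAMPLE_MOUNTINFO = """\
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw
412 28 0:57 / /var/lib/docker/overlay2/0f3c1e/merged rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/AAA,upperdir=/var/lib/docker/overlay2/0f3c1e/diff,workdir=/var/lib/docker/overlay2/0f3c1e/work
413 412 0:58 / /var/lib/docker/overlay2/0f3c1e/merged/proc rw,nosuid - proc proc rw
520 28 0:59 / /var/lib/docker/volumes/appdata/_data rw,relatime - ext4 /dev/sdb1 rw
"""


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. The ' - ' separator splits the variable-length
    optional fields (before) from fstype/source/super-options (after)."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        before, _, after = line.partition(" - ")
        fields = before.split()
        if len(fields) < 6 or not after:
            continue
        # mountinfo escapes space/tab/newline/backslash as octal (e.g. \040).
        mountpoint = fields[4].encode("ascii").decode("unicode_escape")
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "dev": fields[2],
            "mountpoint": mountpoint,
            "fstype": after.split()[0],
        })
    return mounts


def docker_mounts(mounts, docker_root=DOCKER_ROOT):
    """Mount points docker created under docker_root, skipping pseudo filesystems.
    These are the ephemeral mounts a static OnAccessMountPath list cannot know about."""
    prefix = docker_root.rstrip("/") + "/"
    return sorted(
        m["mountpoint"] for m in mounts
        if m["mountpoint"].startswith(prefix) and m["fstype"] not in PSEUDO_FSTYPES
    )


def walk_files(root, cross_mounts=False):
    """List regular files under root. With cross_mounts=False the walk stops at any
    directory whose st_dev differs from root's, i.e. it does not descend into mounts."""
    root = os.path.abspath(root)
    root_dev = os.lstat(root).st_dev
    files, stack = [], [root]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except (PermissionError, FileNotFoundError, NotADirectoryError):
            continue
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except FileNotFoundError:
                continue  # raced with a deletion; nothing to scan
            if entry.is_dir(follow_symlinks=False):
                if not cross_mounts and st.st_dev != root_dev:
                    continue  # a mount boundary: skipped unless explicitly allowed
                stack.append(entry.path)
            elif entry.is_file(follow_symlinks=False):
                files.append(entry.path)
    return sorted(files)


if __name__ == "__main__":
    for mp in docker_mounts(parse_mountinfo(SAMPLE_MOUNTINFO)):
        print("docker mount:", mp)
    for path in walk_files(".", cross_mounts=False):
        print("file:", path)
```

On a real host, feed `open("/proc/self/mountinfo").read()` to `parse_mountinfo` instead of the sample; a watcher that re-reads it when `/var/lib/docker` changes gives the set of directories the answer's inotify-based instance would need to cover, and `walk_files(mp, cross_mounts=True)` is the traversal behaviour the answer says stock `OnAccessIncludePath` lacks.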