docs: update realtime scanner references from inotify to fanotify

dmleonov-cloudlinux · claude · dmleonov-cloudlinux · commit 59a66c712ce8 · 2026-04-07T14:15:31.000+01:00
The realtime scanner (im-rt2) uses fanotify as the primary file
monitoring mechanism since its initial release, with inotify only as
a legacy fallback. Update documentation to reflect this:

- dashboard: clarify fanotify is primary, inotify is fallback
- config: update enable_scan_inotify description (name kept for compat)
- control_panel_integration: remove inotify-specific wording
- faq: replace "inotify scanner" and "inotify/fanotify" references

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/docs/config_file_description/README.md b/docs/config_file_description/README.md
@@ -147,7 +147,7 @@ Available options:
 <li><span class="notranslate"><b>notify</b></span> – just display in dashboard</li>
 <li><span class="notranslate"><b>cleanup</b></span> – cleanup malicious file (default)</li></ul></td></tr>
 <tr><td><span class="notranslate">enable_scan_inotify: True</span></td>
-<td># enable (<span class="notranslate">True</span> (default)) or disable (<span class="notranslate">False</span>) real-time scanning for modified files using <a href="https://en.wikipedia.org/wiki/Inotify" target="_blank">inotify</a> library</td></tr>
+<td># enable (<span class="notranslate">True</span> (default)) or disable (<span class="notranslate">False</span>) real-time scanning for modified files. Uses <a href="https://man7.org/linux/man-pages/man7/fanotify.7.html" target="_blank">fanotify</a> as the primary monitoring mechanism (kernel 3.10+) with legacy <a href="https://en.wikipedia.org/wiki/Inotify" target="_blank">inotify</a> fallback. The config option name is kept for backward compatibility.</td></tr>
 <tr><td><span class="notranslate">enable_scan_pure_ftpd: True</span></td>
 <td># enable (<span class="notranslate">True</span> (default)) or disable (<span class="notranslate">False</span>) real-time scanning for files uploaded through PureFTPd</td></tr>
 <tr><td><span class="notranslate">enable_scan_modsec: True</span></td>
diff --git a/docs/control_panel_integration/README.md b/docs/control_panel_integration/README.md
@@ -233,7 +233,7 @@ By default, root is considered to be the only admin user.
 
 ### 2.5 Integration with Malware Scanner
 
-To scan files for changes (to detect malware) using inotify, configure which directories to watch and which to ignore in the <span class="notranslate">`integration.conf`</span> file:
+To configure which directories the realtime malware scanner should watch and which to ignore, edit the <span class="notranslate">`integration.conf`</span> file:
 
 * configure <span class="notranslate">`[malware].basedir`</span> – a root directory to watch (recursively)
 * configure <span class="notranslate">`[malware].pattern_to_watch`</span> – only directories that match this ([Python](https://docs.python.org/3/howto/regex.html#regex-howto)) regex in the basedir are actually going to be watched
diff --git a/docs/dashboard/README.md b/docs/dashboard/README.md
@@ -524,7 +524,7 @@ This is also a real time file scanner for vulnerability and it can:
 
 * scan files uploaded via HTTP/HTTPS
 
-* scan files for changes via [inotify](https://en.wikipedia.org/wiki/Inotify)
+* scan files for changes in real time (using [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) with legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback)
 
 * scan on-demand (any folder needed)
 
@@ -1636,9 +1636,9 @@ Read [CXS integration](/ids_integration/#cxs-integration) documentation carefull
 
 ![](/images/SettingsMalware2.png)
 
-* <span class="notranslate">_Automatically scan all modified files_</span> – enables real-time scanning for modified files using [inotify](https://en.wikipedia.org/wiki/Inotify) library. The Scanner searches for modified files in user’s DocumentRoot directories.
+* <span class="notranslate">_Automatically scan all modified files_</span> – enables real-time scanning for modified files. The scanner uses [fanotify](https://man7.org/linux/man-pages/man7/fanotify.7.html) (kernel 3.10+) as the primary file monitoring mechanism, with a legacy [inotify](https://en.wikipedia.org/wiki/Inotify) fallback for older systems. The Scanner searches for modified files in user’s DocumentRoot directories.
   ::: tip Note
-  It requires inotify to be installed and may put an additional load on a system.
+  Real-time scanning may put additional load on a system. See the _Optimize real-time scan_ option below for ways to reduce this.
   :::
 * <span class="notranslate">_Optimize real-time scan_</span> – enables the [File Change API](https://docs.cloudlinux.com/cloudlinux_os_kernel/#file-change-api) and **fanotify** support to reduce the system load while watching for file changes in comparison with inotify watches.
     :::tip Note
diff --git a/docs/faq_and_known_issues/README.md b/docs/faq_and_known_issues/README.md
@@ -371,7 +371,7 @@ grep 'IM360 WAF: Testing the IM360 ModSecurity ruleset' /var/log/imunify360/cons
 
 ### 16. How to check "automatically scan all modified files" works?
 
-To check "automatically scan all modified files" (i.e inotify scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the <span class="notranslate">_Malicious_</span> tab shortly.
+To check "automatically scan all modified files" (the realtime scanner), upload a malware sample to some account's webroot via SSH and check if it will appear in the <span class="notranslate">_Malicious_</span> tab shortly.
 
 You can get a malware sample file on the [eicar.org](http://www.eicar.org/).
 
@@ -593,7 +593,7 @@ Proactive Defense will prevent <span class="notranslate">`include`/`require`</sp
 There is a separate ignore list for false-positive hits: see [Ignore List](/dashboard/#ignore-list)
 :::
 
-The `watched.txt` file contains additional shell-like glob patterns specifying what file system directories should be monitored by inotify/fanotify realtime scanner.
+The `watched.txt` file contains additional shell-like glob patterns specifying what file system directories should be monitored by the realtime scanner.
 
 Patterns can be absolute:
 
@@ -621,7 +621,7 @@ All patterns listed here have higher priority than stock watched and excluded li
 After making changes to this file, run the `imunify360-agent malware rebuild patterns` command.
 :::
 
-The <span class="notranslate">`ignored.txt`</span> file contains additional regular expression patterns specifying what filesystem paths should not be monitored by inotify/fanotify realtime scanner.
+The <span class="notranslate">`ignored.txt`</span> file contains additional regular expression patterns specifying what filesystem paths should not be monitored by the realtime scanner.
 
 Patterns can be absolute:
 
