Description
Describe the bug
When the directories /etc or /usr are included in the on-access scan, the machine locks up.
How to reproduce the problem
When I add /etc or /usr to the OnAccessIncludePath list the machine locks up.
OnAccessIncludePath /etc (or OnAccessIncludePath /usr) can be the only entry in the list which causes a lockup.
I already found out that when using OnAccessIncludePath /usr and excluding /usr/lib64 in the exclusion list, the machine stays stable.
SELinux is enabled, antivirus_can_scan_system and clamd_use_jit are set.
Running SELinux in permissive mode with ClamAV on-access scan enabled with the above settings still causes the machine to lock up.
Test machine has 4GB of RAM. Deployed a second test machine with 8GB of RAM.
Both machines are clean RHEL8.5 installs for ClamAV testing purposes.
Tested with ClamAV 0.103.5 (included with RHEL8 EPEL), but I've also tested with the latest stable version 0.104.2, which gives the same negative results.
Checking configuration files in /etc
Config file: clamd.d/scan.conf
LogFile = "/var/log/clamd.scan"
LogTime = "yes"
LogSyslog = "yes"
TemporaryDirectory = "/tmp"
LocalSocket = "/run/clamd.scan/clamd.sock"
LocalSocketGroup = "virusgroup"
ExcludePath = "^/proc/", "^/sys/", "^/dev/"
User = "clamscan"
OnAccessIncludePath = "/home", "/boot", "/root", "/etc", "/usr", "/opt"
OnAccessExcludePath = "^/proc/", "^/sys/", "^/dev/", "/usr/lib64"
OnAccessExcludeUname = "clamupdate"
OnAccessPrevention = "yes"
OnAccessMaxThreads = "10"
OnAccessDenyOnError = "yes"
Config file: freshclam.conf
DatabaseMirror = "database.clamav.net"
mail/clamav-milter.conf not found
Software settings
Version: 0.103.5
Optional features supported: MEMPOOL IPv6 AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON
Database information
Database directory: /var/lib/clamav
bytecode.cvd: version 333, sigs: 92, built on Mon Mar 8 16:21:51 2021
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 14:32:42 2021
daily.cld: version 26510, sigs: 1978138, built on Tue Apr 12 10:20:48 2022
Total number of signatures: 8625657
Platform information
uname: Linux 4.18.0-348.7.1.el8_5.x86_64 #1 SMP Wed Dec 8 21:51:17 EST 2021 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a217e7e0800000002080500
Build information
GNU C: 8.5.0 20210514 (Red Hat 8.5.0-4) (8.5.0)
CPPFLAGS: -I/usr/include/libprelude
CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
CXXFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed -lprelude
Configure: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-milter' '--disable-clamav' '--disable-static' '--disable-zlib-vcheck' '--disable-unrar' '--enable-id-check' '--enable-dns' '--with-dbdir=/var/lib/clamav' '--with-group=clamupdate' '--with-user=clamupdate' '--disable-rpath' '--disable-silent-rules' '--enable-clamdtop' '--enable-prelude' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CXXFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'LDFLAGS=-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--as-needed' 'CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
sizeof(void*) = 8
Engine flevel: 126, dconf: 126
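A configuration check for setups like the one reported above, added here as an example and not part of the original report or of ClamAV: it parses clamconf-style output and flags two conditions worth reviewing when OnAccessPrevention is enabled. ClamAV's on-access documentation advises excluding the account clamd runs as from on-access events; the finding names and the `SYSTEM_DIRS` set are assumptions of this example, and a finding does not by itself establish the cause of the lockup.

```python
import re

# Constructed sample: the on-access lines from the clamconf output in this report.
SAMPLE = '''\
User = "clamscan"
OnAccessIncludePath = "/home", "/boot", "/root", "/etc", "/usr", "/opt"
OnAccessExcludePath = "^/proc/", "^/sys/", "^/dev/", "/usr/lib64"
OnAccessExcludeUname = "clamupdate"
OnAccessPrevention = "yes"
OnAccessDenyOnError = "yes"
'''

SYSTEM_DIRS = {"/", "/etc", "/usr"}  # assumption: the directories this report is about


def parse_clamconf(text):
    """Parse `Key = "a", "b"` lines as printed by clamconf into {key: [values]}."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*(.+)$', line)
        if m:
            opts.setdefault(m.group(1), []).extend(re.findall(r'"([^"]*)"', m.group(2)))
    return opts


def first(opts, key, default=None):
    return opts.get(key, [default])[0]


def onaccess_findings(opts):
    """Return finding codes (hypothetical names) for an on-access prevention setup."""
    findings = []
    includes = [p.rstrip("/") or "/" for p in opts.get("OnAccessIncludePath", [])]
    if first(opts, "OnAccessPrevention", "no") != "yes" or not includes:
        return findings
    # Is the account clamd runs as exempt from on-access events?
    # A numeric OnAccessExcludeUID is not resolved here and needs a manual look.
    user = first(opts, "User")
    if user in (None, "root"):  # assumption: no User line means clamd runs as root
        excluded = first(opts, "OnAccessExcludeRootUID", "no") == "yes"
    else:
        excluded = user in opts.get("OnAccessExcludeUname", [])
    if not excluded:
        findings.append("clamd-user-not-excluded")
    # With DenyOnError, any scan error blocks access to files in watched paths.
    watched = sorted(SYSTEM_DIRS.intersection(includes))
    if watched and first(opts, "OnAccessDenyOnError", "no") == "yes":
        findings.append("deny-on-error-on-system-paths:" + ",".join(watched))
    return findings


if __name__ == "__main__":
    print("\n".join(onaccess_findings(parse_clamconf(SAMPLE))))
```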