SeaFile v13 & ClamAV container

mokaz · May 7, 2026, 9:05pm

Hi all,

I recently faced an issue where it seems that a user having uploaded a file that triggered a “VIRUS FOUND” reply from the sidecar ClamAV container got 403 FORBIDDEN on every subsequent requests attempts.

My setup is exactly detailed here: Deploy ClamAV with Seafile - Seafile Admin Manual

According from where the 403 started to happen in the logs, I would vouch for a Web based upload of the triggering file.

However, and here are my questions:

is it expected that an “instream” AV trigger would subsequently block the given user?
if so, is this a behavior I could alter? I’d rather go for at rest scans only, not disrupting any user activity in transit.

Let me know,
Regards,
m.

daniel.pan · May 8, 2026, 12:24am

The behavior you’re seeing involves two different parts of the Seafile-ClamAV integration.

1. Is the subsequent blocking expected?

While a 403 Forbidden error is expected for the specific upload request that contains a virus (when “Scan on upload” is enabled), Seafile does not have a built-in mechanism to automatically ban a user or block their subsequent requests across the board.

If the user is getting 403 errors on every subsequent request, it is highly likely that an external security tool in your stack (such as Fail2Ban) is monitoring the Seafile logs, seeing the security-related errors, and blocking the user’s IP at the firewall or reverse proxy level. You should check your fail2ban logs or reverse proxy security configurations.

2. How to switch to “at rest” scans only?

To stop Seafile from scanning files during the upload process (instream) while keeping the background periodic scans, you need to adjust your seafile.conf:

Disable Scan on Upload:
Ensure that the following setting is set to false (or removed, as it defaults to false) in the [fileserver] section:
```
[fileserver]
check_virus_on_web_upload = false
```
Keep Background Scanning:
Ensure your [virus_scan] section remains configured as you have it now. This section controls the background process that runs periodically (based on scan_interval) to scan files at rest.
```
[virus_scan]
scan_command = clamdscan
virus_code = 1
nonvirus_code = 0
scan_interval = 5
...
```

For more details on these configuration options, you can refer to the official manual:

mokaz · May 8, 2026, 5:38am

Hi Dainel,

Thanks a lot for your help. Yes I’d concur with you on the seen behaviors – I “think” that the user got a few 403’s on trying to upload that given file (a vintage .exe application), which most probably the browser retried a few time. After a certain amount of 403 errors within a given time frame, a SeaFile fronting WAF would trigger and “block” the user for a certain amount of time..

So yes, I’d guess that avoiding such 403’s from the source of truth in our case (SeaFile) would be my go to.

Implemented the changes, will test and report.

Thanks again,
Kind regards,
m.

mokaz · May 11, 2026, 6:09am

Hi Daniel,

A quick feedback post, it seems that the above given solution render’s what I’ve been looking for indeed. A none disruptive at rest scan with informative outputs SysOps would need to handle.

Perfect !

Thanks,
Regards,
m.