Virus honeypot with quarantine
Michael Gerdts
Michael.Gerdts at usa.alcatel.com
Tue May 1 13:18:07 GMT 2001
While analyzing samba logs on a test server, I have found several machines
that are crawling through guest accessible shares. Each one of them was a
rogue machine that was in violation of our virus scanning software policy.
I now realize how easy it is to identify potentially virus-infected
machines. I would like to be able to change that from "potentially" to
"definitely". My first thoughts were to provide a mechanism within samba
that has shares that appear to be writable, but any changed files are
actually written off to a quarantined area. The original file should never
be changed.
Presumably this could be done with the VFS layer. I think that the
open call would be the only thing that needed to be modified. Its behavior
would be:
If mode is:
  read-only  - default_vfs_ops.open()
  write-only - create the quarantine file
               /quarantine/%S/%m/%u/origfilename.unique_id
               open the quarantine file
  read-write - copy file to quarantine file
               open the quarantine file
I would then run a virus scanning program on the UNIX server to identify
infected files in quarantine area.
Is there anything that I am missing that I should be aware of?
Mike
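The open() redirection sketched in the message above, written out as an added user-space simulation (this is not code from the post, and not a Samba VFS module; a real module would take the share, client and user values for %S/%m/%u from Samba's connection state rather than as function arguments). The share root, quarantine root, the share name "public", the client name "ROGUEPC", the user "nobody" and the file contents are all constructed for the example.

```python
import os
import shutil
import tempfile
import uuid
from pathlib import Path

# Quarantine layout from the post: /quarantine/%S/%m/%u/origfilename.unique_id
# (%S = share, %m = client NetBIOS name, %u = user). In this simulation the
# three substitution values are plain strings passed in by the caller.


def quarantine_path(quarantine_root, share, client, user, filename):
    """Build the quarantine path for one write attempt.

    Only the basename of the client-supplied name is used, so a name such as
    '../../etc/passwd' cannot escape the quarantine tree. The uuid suffix keeps
    repeated writes to the same name from clobbering each other."""
    safe_name = Path(filename).name or "unnamed"
    unique_id = uuid.uuid4().hex
    return Path(quarantine_root) / share / client / user / f"{safe_name}.{unique_id}"


def honeypot_open(share_root, quarantine_root, share, client, user, relpath, flags, mode=0o600):
    """Mimic the proposed VFS open() hook.

    read-only  -> open the real file, untouched
    write-only -> create a fresh quarantine file and open that
    read-write -> copy the real file into quarantine and open the copy
    Returns (fd, quarantine_path_or_None)."""
    real = Path(share_root) / relpath
    access = flags & os.O_ACCMODE
    if access == os.O_RDONLY:
        return os.open(real, flags), None

    qpath = quarantine_path(quarantine_root, share, client, user, relpath)
    qpath.parent.mkdir(parents=True, exist_ok=True)
    if access == os.O_RDWR and real.is_file() and not (flags & os.O_TRUNC):
        shutil.copy2(real, qpath)  # the client sees the original's content
    # The quarantine file may not exist yet (new file, or O_TRUNC), so always
    # allow creation. The original is never opened for writing.
    fd = os.open(qpath, flags | os.O_CREAT, mode)
    return fd, qpath


def quarantined_files(quarantine_root):
    """Walk the quarantine tree and report who wrote what, for the scanner pass."""
    root = Path(quarantine_root)
    found = []
    for path in root.rglob("*"):
        if path.is_file():
            share, client, user = path.relative_to(root).parts[:3]
            original_name = path.name.rsplit(".", 1)[0]  # strip the unique_id
            found.append((share, client, user, original_name, path))
    return sorted(found)


def demo():
    """Run the three open modes against a constructed share in a temp dir."""
    base = Path(tempfile.mkdtemp())
    try:
        share_root = base / "share"
        share_root.mkdir()
        qroot = base / "quarantine"
        (share_root / "readme.txt").write_bytes(b"clean\n")  # constructed sample

        # 1. read-only open goes straight to the real file
        fd, _ = honeypot_open(share_root, qroot, "public", "ROGUEPC", "nobody",
                              "readme.txt", os.O_RDONLY)
        seen = os.read(fd, 64)
        os.close(fd)

        # 2. read-write open: the client gets a private copy and "infects" it
        fd, q_copy = honeypot_open(share_root, qroot, "public", "ROGUEPC", "nobody",
                                   "readme.txt", os.O_RDWR)
        os.lseek(fd, 0, os.SEEK_END)
        os.write(fd, b"INFECTED\n")
        os.close(fd)

        # 3. write-only create of a new file, with a traversal attempt in the name
        fd, q_new = honeypot_open(share_root, qroot, "public", "ROGUEPC", "nobody",
                                  "../dropper.exe", os.O_WRONLY | os.O_CREAT)
        os.write(fd, b"MZ-not-a-real-binary")  # constructed sample payload
        os.close(fd)

        return {
            "read_only_saw": seen,
            "original_after": (share_root / "readme.txt").read_bytes(),
            "copy_after": q_copy.read_bytes(),
            "copy_parts": q_copy.relative_to(qroot).parts[:3],
            "new_file_parts": q_new.relative_to(qroot).parts,
            "new_file_content": q_new.read_bytes(),
            "share_listing": sorted(p.name for p in share_root.iterdir()),
            "quarantined": [(c, u, n) for _, c, u, n, _ in quarantined_files(qroot)],
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats the simulation makes visible: a client that writes a file and then re-opens it read-only gets the untouched original back (the write appears to have vanished), so the honeypot is detectable by anything that verifies its writes; and open() alone does not cover unlink, rename, mkdir or chmod, which a real VFS module would also need to redirect or refuse if the original tree is to stay pristine.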