Virus honeypot with quarantine
Michael Gerdts
Michael.Gerdts at usa.alcatel.com
Tue May 1 16:18:07 GMT 2001
On Tue, May 01, 2001 at 06:46:07AM -0700, Simo Sorce wrote:
> what happen if a second clients wants to modify (thus read the file) before the virus scanner has approved the modified file?
> will you serve the old one?
> or will you make it fail the request until the antivirus ends?
The data that is on the share will be useless files. Clients will never
see any modified file. The intent is to put uninfected files on a guest
accessible share that appears to be RW. Any file that is written to is
NEVER read from a SMB client to prevent the spread of virii from this
share. So...
smb.conf looks like:

[share]
    comment = Virus Trap
    browseable = yes
    guest ok = yes
    writable = yes
    path = /export/share
    vfs object = /opt/samba/lib/libquarantine.so
    vfs options = qdir=/export/%S/%m/%u
The following sequence of events could happen when clienta and clientb
access \\smbserver\share\foo.exe.

clienta: open("\\smbserver\share\foo.exe", "r")
    /export/share/foo.exe is opened.

clienta: open("\\smbserver\share\foo.exe", "w")
    /quarantine/clienta/share/guest/foo.exe.1 is opened.
    writes are done to the quarantine area

clienta: open("\\smbserver\share\foo.exe", "r")
    /export/share/foo.exe is opened.
    clienta does not see the modified version

clientb: open("\\smbserver\share\foo.exe", "r")
    /export/share/foo.exe is opened.
    clientb does not see the modified version

clientb: open("\\smbserver\share\foo.exe", "rw")
    /export/share/foo.exe is copied to
    /quarantine/clientb/share/guest/foo.exe.1
    /quarantine/clientb/share/guest/foo.exe.1 is opened.
    writes are done to the quarantine area

clientb: open("\\smbserver\share\foo.exe", "rw")
    /export/share/foo.exe is copied to
    /quarantine/clientb/share/guest/foo.exe.2
    /quarantine/clientb/share/guest/foo.exe.1 is opened.
    writes are done to the quarantine area

clienta: open("\\smbserver\share\foo.exe", "r")
    /export/share/foo.exe is opened.
    clienta does not see the modified version

clientb: open("\\smbserver\share\foo.exe", "r")
    /export/share/foo.exe is opened.
    clientb does not see the modified version
Is that more clear?
Mike
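As an added illustration, not part of the mail or of the libquarantine module, here is a Python model of the open() redirection the mail describes: reads always resolve to the clean export, write opens get a fresh, versioned file under a per-client, per-user quarantine directory, and an "rw" open starts from a copy of the clean file. It assumes a constructed sandbox root and a quarantine template of quarantine/%m/%S/%u (the layout of the example paths, rather than the /export/%S/%m/%u in the smb.conf above); version numbers simply count write opens per client, user and file.

```python
import os
import shutil
import tempfile


class QuarantineShare:
    """Model of the 'Virus Trap' share: reads are served from the clean
    export; every write is diverted to a versioned copy in a per-client,
    per-user quarantine directory that SMB clients never read back."""

    def __init__(self, root, qdir_template):
        self.root = root                     # constructed sandbox root
        self.export = os.path.join(root, "export", "share")
        self.qdir_template = qdir_template   # %S/%m/%u as in the smb.conf
        self.versions = {}                   # (machine, user, name) -> last version

    def _qdir(self, share, machine, user):
        q = self.qdir_template.replace("%S", share).replace("%m", machine)
        return os.path.join(self.root, q.replace("%u", user))

    def open(self, share, machine, user, name, mode):
        """Resolve an SMB open() to the real path the VFS would open."""
        original = os.path.join(self.export, name)
        if mode == "r":
            return original                  # reads never touch quarantine
        key = (machine, user, name)
        self.versions[key] = self.versions.get(key, 0) + 1
        qdir = self._qdir(share, machine, user)
        os.makedirs(qdir, exist_ok=True)
        qpath = os.path.join(qdir, "%s.%d" % (name, self.versions[key]))
        if "r" in mode and os.path.exists(original):
            shutil.copyfile(original, qpath)  # rw: start from the clean content
        else:
            open(qpath, "wb").close()        # w: start from an empty file
        return qpath


def replay_sequence(root=None):
    """Replay the clienta/clientb exchange; returns the real paths opened."""
    root = root or tempfile.mkdtemp(prefix="vtrap-")
    share = QuarantineShare(root, "quarantine/%m/%S/%u")
    os.makedirs(share.export, exist_ok=True)
    with open(os.path.join(share.export, "foo.exe"), "wb") as f:
        f.write(b"clean content")            # constructed sample file
    steps = [("clienta", "r"), ("clienta", "w"), ("clienta", "r"),
             ("clientb", "r"), ("clientb", "rw"), ("clientb", "rw"),
             ("clienta", "r"), ("clientb", "r")]
    return [os.path.relpath(share.open("share", m, "guest", "foo.exe", mode),
                            root).replace(os.sep, "/") for m, mode in steps]
```

Running replay_sequence() shows that no step ever opens a quarantine file for reading, which is the property that keeps a dropped virus from spreading back through the share.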