samba virus wrapper

Barry Smoke barry at arhosting.com
Fri Oct 12 20:01:02 GMT 2001 

o.k...mcafee works great on linux...
It is our qmail scanner now....
but, in order to even half assed protect the server, I would have to be
running a cron job hourly(or sooner) on every samba share.

Is there any way to queue files written to a samba share, so that they are
not immediately scanned, but are scanned as soon as possible....then if
infected, mcafee can clean, and notify the user that wrote the file, or the
sys admin.  If un-cleanable, send it to /var/infected, or something.


-----Original Message-----
From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org]On
Behalf Of David Collier-Brown
Sent: Friday, October 12, 2001 12:35 PM
To: Barry Smoke; samba at lists.samba.org
Subject: Re: samba virus wrapper


Barry Smoke wrote:
| We were invaded by multiple viruses on our samba server today.
...
|						Some of these
| latest viruses also invade network connections also, and I
| have seen discussion of this on this list.  I was able to
| protect against nimda with the veto files global option, but
| all of our jpegs are now3 .vbs from another virus
...
| There are several scanners that work on linux, but that I
| know of, none that can integrate into samba to provide on the
| fly scanning of anything written to the server.

	Hmmn: this could be done by a vfs module, which
	on open(file,O_WRONLY|O_RDWR|O_APPEND) opens the file
	with  mode 700 (or chmods it to 700), writes the
	data and then chmods it to 0 and passes it to a
	commercial virus scanner.  On completion, it's
	permission are reset to normal.

	1) This will make all writes slow.
	2) There is a window during writing during which
	   a program running as the same user can read it,
	   virus and all.
	3) There is also a window induced by MS Windows apps
	   sometimes writing to a madcap name and then issuing
	   a rename.  If the rename occurs before the virus scan
	   completes, something Will Go Wrong.
	4) depending on the virus scanner, scanning log
	   files which are being appended to will eat CPU.

	Many of these issues can be resolved by a virus-scanning
	company: if you already have McAfee, I recommend you
	have a word with them.

--dave
--
David Collier-Brown,           | Always do right. This will gratify
Americas Customer Engineering, | some people and astonish the rest.
SunPS Integration Services.    |                      -- Mark Twain
(905) 415-2849                 | davecb at canada.sun.com

--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list