On-access virus checking in Samba

Simon Harrison smh at dr.com
Tue May 16 23:25:41 GMT 2000

With a process monitoring file opens and changing return values, you may not
be able to crash the kernel, but if the kernel is unable to open key system
files (because the scanner is blocking the path to them) isn't it as good as
crashed?  I would prefer any false positive virus reports to occur in such a
way that I could recover from them remotely, and not have to maintain a list
of system files to exclude from scanning or whatever.

But OK, it's not as bad as having a virus scanner as a kernel module!

Whether to patch Samba or Linux comes down to a simple comparison

1) [any unix] server + Windows (Microsoft) workstations
2) Linux server + Any workstations

It was on this basis that I thought patching Samba would be more universally
useful, meaning that Windows has a proportionally larger share of the
desktop market than Linux has of the unix market.  Samba is also dead easy
to patch, unlike the Linux kernel, and I've already got this all working. 
Thing is that now, after a day or so hacking I don't know what to do with


On Tue, 16 May 2000, Simon  Harrison wrote:

> Thanks for the information, but in this way bugs in the virus scanner can
> crash the kernel!  Since virus scanners are non-trivial I wouldn't fancy
> having the stability issues of changing a kernel in this way.  I suppose
> depends on how it will be implemented.

NO! It doesn't involve plugging your virus scanner into the kernel.
It works in a similar way to strace et al - one process monitors another,
and gets told what that process is up to. We plan to extend this to allow
the monitoring process to modify parameters, change the return value, etc.
It shouldn't compromise the kernel in any way - the modifications
kernel-side are minimal.

> Samba gives a cross-platform solution, and I think the biggest threat is
> from networked Windows PCs (which are not likely to be running NFS
> By patching Samba instead of the kernel I get to cover AIX, Solaris,
> FreeBSD, SCO etc...

True - provided it's a cross platform virus scanner :-)

Also, the PCs could well be running NFS clients - or Netware clients.
Equally, you could have Macs over AppleTalk or NCP, DOS clients using


FREE Personalized Email at Mail.com
Sign up at http://www.mail.com/?sr=signup

More information about the samba-technical mailing list