On-access virus checking in Samba

David Ford david at kalifornia.com
Tue May 16 23:59:45 GMT 2000


Simon Harrison wrote:

> With a process monitoring file opens and changing return values, you may not
> be able to crash the kernel, but if the kernel is unable to open key system
> files (because the scanner is blocking the path to them) isn't it as good as
> crashed?  I would prefer any false positive virus reports to occur in such a
> way that I could recover from them remotely, and not have to maintain a list
> of system files to exclude from scanning or whatever.

The kernel doesn't open files.[1]  The kernel will happily move about its
business regardless of what the userland virus checking daemon is doing.  The
kernel sends a notification event to the userland process which chooses to
respond with given information.  The kernel masks that information over the top
of existing file flags, etc.

The above is a very vague but simplified description.  Do not take it
literally.

> Whether to patch Samba or Linux comes down to a simple comparison
> between:
>
> 1) [any unix] server + Windows (Microsoft) workstations
> 2) Linux server + Any workstations
>
> It was on this basis that I thought patching Samba would be more universally
> useful, meaning that Windows has a proportionally larger share of the
> desktop market than Linux has of the unix market.  Samba is also dead easy
> to patch, unlike the Linux kernel, and I've already got this all working.
> Thing is that now, after a day or so hacking I don't know what to do with
> it!

Except we are still restricted to only checking things if requested via samba.
This doesn't do the least bit of good for ftp, nfs, email, or any other form.
You have a great idea, but it's a niche application.  Patching the kernel is
quite easy, often more easy because of the clean design.  Neither
implementation is a 100% solution.  Yours covers multiple kernel types.  His
covers multiple file access types.  The solution you choose depends on the
system you implement.

-d

[1] except for init and modprobe.
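The notify-then-respond model David sketches above, as an added example that is not from this thread: a minimal on-access scanner on Linux fanotify, an interface the kernel grew well after this 2000 discussion. It assumes a Linux host with CAP_SYS_ADMIN, a directory to watch given as the first argument, and a constructed placeholder signature standing in for a real scan engine.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Constructed placeholder signature; a real daemon would call a scan engine. */
static const char SIG[] = "TEST-SIGNATURE-CONSTRUCTED";

/* Verdict logic kept free of kernel plumbing so it can be tested alone: 1 if infected. */
int buffer_is_infected(const char *buf, size_t len)
{
    size_t slen = sizeof(SIG) - 1;
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(buf + i, SIG, slen) == 0)
            return 1;
    return 0;
}

/* The kernel lends us an fd for the file being opened; pread() leaves the opener's offset intact. */
static unsigned verdict_for_fd(int fd)
{
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    if (n < 0) return FAN_ALLOW;   /* fail open: the kernel never waits on us for its own work */
    return buffer_is_infected(buf, (size_t)n) ? FAN_DENY : FAN_ALLOW;
}

/* Answer each FAN_OPEN_PERM under dir; the opener's open(2) blocks until we reply and gets EPERM on FAN_DENY. */
int run_scanner(const char *dir)
{
    int fan = fanotify_init(FAN_CLASS_CONTENT, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_EVENT_ON_CHILD,
                      AT_FDCWD, dir) < 0) { perror("fanotify_mark"); return 1; }
    for (;;) {
        char ev[8192];
        ssize_t len = read(fan, ev, sizeof ev);
        if (len <= 0) break;
        for (struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)ev;
             FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->mask & FAN_OPEN_PERM) {
                struct fanotify_response r = { .fd = m->fd, .response = verdict_for_fd(m->fd) };
                if (write(fan, &r, sizeof r) < 0) perror("write");   /* unblocks the opener */
            }
            close(m->fd);   /* every event fd must be closed or the group leaks fds */
        }
    }
    return 0;
}

int main(int argc, char **argv) { return run_scanner(argc > 1 ? argv[1] : "."); }
```

Because the verdict is enforced per open, a false positive blocks one file for one caller and the daemon can simply be restarted, which is the recovery property Simon was after.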