On-access virus checking in Samba

James Sutherland jas88 at cam.ac.uk
Wed May 17 06:12:41 GMT 2000

On Tue, 16 May 2000, Simon  Harrison wrote:

> With a process monitoring file opens and changing return values, you may not
> be able to crash the kernel, but if the kernel is unable to open key system
> files (because the scanner is blocking the path to them) isn't it as good as
> crashed? 

This is application level monitoring (a la strace) - it would never block
the kernel from doing anything. At worst, it would block the applications
being monitored/controlled - i.e. Samba, ftpd etc.

> I would prefer any false positive virus reports to occur in such a way
> that I could recover from them remotely, and not have to maintain a
> list of system files to exclude from scanning or whatever.

No need; you just keep a set of processes which are exempt (init, syslog,
inetd, telnet, sshd...), so you only monitor the file server daemons.

> But OK, it's not as bad as having a virus scanner as a kernel module!
> Whether to patch Samba or Linux comes down to a simple comparison
> between:
> 1) [any unix] server + Windows (Microsoft) workstations
> 2) Linux server + Any workstations
> It was on this basis that I thought patching Samba would be more universally
> useful, meaning that Windows has a proportionally larger share of the
> desktop market than Linux has of the unix market.  Samba is also dead easy
> to patch, unlike the Linux kernel, and I've already got this all working. 
> Thing is that now, after a day or so hacking I don't know what to do with
> it!

Most of this work has already been completed for Solaris as well, I'm
told; it will probably get written for *BSD later. It's not universal by
any means, but this does cover quite a few of the *nix platforms.

It's not just a case of "all Microsoft platforms" either - only "all
platforms connecting using SMB". It doesn't cover FTP/HTTP, NFS, NCP...


More information about the samba-technical mailing list