Virus honeypot with quarantine

Michael Gerdts Michael.Gerdts at
Tue May 1 13:18:07 GMT 2001

While analyzing samba logs on a test server, I have found several machines
that are crawling through guest accessible shares.  Each one of them was a
rogue machine that was in violation of our virus scanning software policy.

I now realize how easy it is to identify potentially virus-infected
machines.  I would like to be able to change that from "potentially" to
"definitely".  My first thoughts were to provide a mechanism within samba
that has shares that appear to be writable, but any changed files are
actually written off to a quarantined area.  The original file should never
be changed.

Presumably this could be done with the VFS layer.  I think that the
open call would be the only thing that needed to be modified.  Its behavior
would be:

    If mode is:

        read-only  -
        write-only - create the quarantine file
                     open the quarantine file
        read-write - copy file to quarantine file
                     open the quarantine file

I would then run a virus scanning program on the UNIX server to identify
infected files in the quarantine area.

Is there anything that I am missing that I should be aware of?
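Added example, not from the post and not a Samba VFS module (a real module would hook Samba's VFS open and need its headers): a stand-alone POSIX model of the open() behaviour sketched above, so the three cases can be exercised. The quarantine directory, the basename-only mapping into it, and the /tmp demo paths are assumptions.

```c
/* Added example, not a Samba VFS module: POSIX model of the quarantine open() above. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Copy src to a fresh dst (mode 0600); 0 on success. Needed for the read-write case. */
static int copy_file(const char *src, const char *dst) {
    char buf[8192]; ssize_t n = -1;
    int in = open(src, O_RDONLY), out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (in >= 0 && out >= 0)
        while ((n = read(in, buf, sizeof buf)) > 0 && write(out, buf, (size_t)n) == n) ;
    if (in >= 0) close(in);
    if (out >= 0) close(out);
    return n == 0 ? 0 : -1;
}

/* read-only: open the original; write-only: create/open the quarantine copy;
 * read-write: copy the original into quarantine first, then open the copy.
 * The original is never opened for writing. Maps by basename only (assumption). */
int quarantine_open(const char *orig, const char *qdir, int flags, mode_t mode) {
    char qpath[4096];
    const char *base = strrchr(orig, '/');
    if ((flags & O_ACCMODE) == O_RDONLY) return open(orig, flags);
    snprintf(qpath, sizeof qpath, "%s/%s", qdir, base ? base + 1 : orig);
    if ((flags & O_ACCMODE) == O_RDWR && access(orig, F_OK) == 0 && copy_file(orig, qpath))
        return -1;
    return open(qpath, flags | O_CREAT, mode);
}
/* Constructed scenario: a share file "doc.txt" is appended to through quarantine_open.
 * Returns 1 if the original stays 5 bytes ("clean") and the 11-byte result is in quarantine. */
int demo(void) {
    char dir[] = "/tmp/qdemoXXXXXX", orig[4096], qdir[4096], qfile[4096];
    struct stat so, sq;
    if (!mkdtemp(dir)) return 0;
    snprintf(orig, sizeof orig, "%s/doc.txt", dir);
    snprintf(qdir, sizeof qdir, "%s/quarantine", dir);
    snprintf(qfile, sizeof qfile, "%s/doc.txt", qdir);
    int fd = open(orig, O_WRONLY | O_CREAT, 0600);
    if (mkdir(qdir, 0700) || fd < 0 || write(fd, "clean", 5) != 5) return 0;
    close(fd);
    if ((fd = quarantine_open(orig, qdir, O_RDWR | O_APPEND, 0600)) < 0) return 0;
    if (write(fd, "+virus", 6) != 6) return 0;   /* the change a client would make */
    close(fd);
    /* original untouched; the modified content exists only in the quarantine area */
    return !stat(orig, &so) && so.st_size == 5 && !stat(qfile, &sq) && sq.st_size == 11;
}
```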
