Virus honeypot with quarantine

Simo Sorce idra at
Tue May 1 13:46:07 GMT 2001

what happen if a second clients wants to modify (thus read the file) before the virus scanner has approved the modified file?
will you serve the old one?
or will you make it fail the request until the antivirus ends?

On Tue, May 01, 2001 at 09:18:07AM -0400, Michael Gerdts wrote:
> While analyzing samba logs on a test server, I have found several machines
> that are crawling through guest accessible shares.  Each one of them was a
> rogue machine that was in violation of our virus scanning software policy.
> I now realize how easy it is to identify potentially virus-infected
> machines.  I would like to be able to change that from "potentially" to
> "definitely".  My first thoughts were to provide a mechanism within samba
> that has shares that appear to be writable, but any changed files are
> actually written off to a quarantined area.  The original file should never
> be changed.
> Presumably this could be done with the VFS layer.  I think that the
> open call would be the only think that needed to be modified.  Its behavior
> would be:
>     If mode is:
>         read-only -
> 	write-only - create the quarantine file
> 			/quarantine/%S/%m/%u/origfilename.unique_id
> 		     open the quarantine file
> 	read-write - copy file to quarantine file
> 		     open the quarantine file
> I would then run a virus scanning program on the UNIX server to identify
> infected files in quarantine area. 
> Is there anything that I am missing that I should be aware of?
> Mike

Simo Sorce
 Unix IS user friendly, it is just selective about who his friends are.

More information about the samba-technical mailing list