Virus honeypot with quarantine

Jason Haar Jason.Haar at trimble.co.nz
Tue May 1 21:50:27 GMT 2001


On Tue, May 01, 2001 at 09:18:07AM -0400, Michael Gerdts wrote:
> While analyzing samba logs on a test server, I have found several machines
> that are crawling through guest accessible shares.  Each one of them was a
> rogue machine that was in violation of our virus scanning software policy.
> 
> I now realize how easy it is to identify potentially virus-infected
> machines.  I would like to be able to change that from "potentially" to
> "definitely".  My first thoughts were to provide a mechanism within samba
> that has shares that appear to be writable, but any changed files are
> actually written off to a quarantined area.  The original file should never
> be changed.

Why go through the effort of running a virus scanner? No-one should be
messing with the files anyway.

Just run a cronjob that checks the "live" writable area against a CRC
database, and sends an alarm when something changes. That way you will catch
any network virus, and any user writing into that area should be severely
scolded anyway - so why differentiate?

-- 
Cheers

Jason Haar

Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
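The cron-driven integrity check proposed above, worked through as an added example (this is not code from the original post or from Samba). It walks the "live" writable area, stores a digest per file in a small JSON database kept outside the share, and on each run reports files that were added, modified or removed. The post suggests a CRC; this example substitutes SHA-256, on the assumption that any content digest serves the purpose, and because an attacker can trivially forge a CRC match but not a SHA-256 one. The directory names, the database path and the sample files in the demo are constructed for illustration.

```python
#!/usr/bin/env python3
"""Detect changes in a read-mostly share by comparing it against a stored
digest database. Added example, not from the original mailing-list post.

Assumptions: the database file lives OUTSIDE the share (otherwise whatever
writes to the share can also rewrite the baseline), and SHA-256 stands in
for the CRC mentioned in the post.

Cron usage (paths are placeholders):
    share_check.py /srv/guestshare /var/lib/share_check/guestshare.json
Exit status 1 when anything changed, so cron mails the report.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root.
    Symlinks are skipped so a planted link cannot drag in files outside
    the share. Paths use '/' regardless of platform."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order, easier to diff reports
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = hash_file(full)
    return db


def save_db(db, db_path):
    with open(db_path, "w") as handle:
        json.dump(db, handle, indent=1, sort_keys=True)


def load_db(db_path):
    with open(db_path) as handle:
        return json.load(handle)


def compare(baseline, current):
    """Classify differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo():
    """Self-contained run: build a baseline, simulate a rogue write, report.
    All files and contents here are constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        with open(os.path.join(share, "readme.txt"), "w") as f:
            f.write("hello")
        with open(os.path.join(share, "docs", "guide.txt"), "w") as f:
            f.write("original guide")
        db_path = os.path.join(tmp, "share.json")  # kept off the share
        save_db(snapshot(share), db_path)

        # Simulate an infected client: alter a file, drop a new one, delete one.
        with open(os.path.join(share, "docs", "guide.txt"), "w") as f:
            f.write("tampered guide")
        with open(os.path.join(share, "payload.bin"), "wb") as f:
            f.write(b"not really a virus, constructed sample bytes")
        os.remove(os.path.join(share, "readme.txt"))

        return compare(load_db(db_path), snapshot(share))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(json.dumps(demo(), indent=1))
        sys.exit(0)
    root, db_path = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if not os.path.exists(db_path):
        save_db(current, db_path)  # first run establishes the baseline
        sys.exit(0)
    changes = compare(load_db(db_path), current)
    if any(changes.values()):
        print(json.dumps(changes, indent=1))
        sys.exit(1)  # non-zero so cron sends the output as the alarm
```

The baseline is only rewritten by hand after a legitimate update; the script never refreshes it on its own, so a change keeps alarming until someone looks at it, which is the point of the post.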