Virus honeypot with quarantine
Jason.Haar at trimble.co.nz
Tue May 1 21:50:27 GMT 2001
On Tue, May 01, 2001 at 09:18:07AM -0400, Michael Gerdts wrote:
> While analyzing samba logs on a test server, I have found several machines
> that are crawling through guest accessible shares. Each one of them was a
> rogue machine that was in violation of our virus scanning software policy.
> I now realize how easy it is to identify potentially virus-infected
> machines. I would like to be able to change that from "potentially" to
> "definitely". My first thoughts were to provide a mechanism within samba
> that has shares that appear to be writable, but any changed files are
> actually written off to a quarantined area. The original file should never
> be changed.
Why go through the effort of running a virus scanner? No-one should be
messing with the files anyway.
Just run a cronjob that checks the "live" writable area against a CRC
database, and sends an alarm when something changes. That way you will catch
any network virus, and any user writing into that area should be severely
scolded anyway - so why differentiate?
Unix/Special Projects, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
More information about the samba-technical