VFS Virus Scanner idea...

Christopher R. Hertel crh at ubiqx.mn.org
Thu Sep 12 20:19:00 GMT 2002

On Thu, Sep 12, 2002 at 03:42:12PM -0400, bdavids1 at gmu.edu wrote:
> I manage some NetWare servers.  Yes, there is such software.  It uses 
> the File System Event Services API Novell has.  Just hooks into every 
> write, or every read & every write (depending on how you configure anti-
> virus software).

Hmmm... that seems like a lot of overhead and, since read/writes may be 
small, the data might be in packets too small to clearly see the 

> There are some gotchas when it comes to server based anti-virus.  
> Assuming you have up to date virus definitions, the server will not 
> allow a virus to be written to the server.  An infected workstation 
> still may create lots of problems for you though.  Lovebug on high end 
> workstations produced about 5000 packets per second to the fileserver 
> (scanning directories for files it could infect).

Right, but that's like saying that locking the house at night doesn't
protect the neighbors.  How would you propose checking the files on the
server?  Best case would be that the client would check the file content
as it arrives.  Worst case (and something that was discussed at my
meeting...ouch) would be to have the clients scan the server filesystem.
That would generate a lot of network traffic, and would not be very fast.

So, as you suggest, the best is to have the client scan its own files and 
let the server scan the files it holds.

> Viruses that delete files or overwrite them with nulls are still able 
> to execute on unprotected workstations, and can destroy data stored on 
> a fileserver.  There is no way for a server to detect the difference 
> between a well intentioned delete request and a malicious one.

Yes, but that doesn't mean that server-side anti-virus is useless.  I am
confused here.  You seem to be arguing against scanning for viruses on the
server side.  Your arguements are correct, but the conclusion doesn't make 


Chris -)-----

Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org

More information about the samba-technical mailing list