VFS Virus Scanner idea...

Christopher R. Hertel crh at ubiqx.mn.org
Thu Sep 12 20:19:00 GMT 2002


On Thu, Sep 12, 2002 at 03:42:12PM -0400, bdavids1 at gmu.edu wrote:
> I manage some NetWare servers.  Yes, there is such software.  It uses 
> the File System Event Services API Novell has.  Just hooks into every 
> write, or every read & every write (depending on how you configure anti-
> virus software).

Hmmm... that seems like a lot of overhead and, since read/writes may be 
small, the data might be in packets too small to clearly see the 
fingerprints.

> There are some gotchas when it comes to server based anti-virus.  
> Assuming you have up to date virus definitions, the server will not 
> allow a virus to be written to the server.  An infected workstation 
> still may create lots of problems for you though.  Lovebug on high end 
> workstations produced about 5000 packets per second to the fileserver 
> (scanning directories for files it could infect).

Right, but that's like saying that locking the house at night doesn't
protect the neighbors.  How would you propose checking the files on the
server?  Best case would be that the client would check the file content
as it arrives.  Worst case (and something that was discussed at my
meeting...ouch) would be to have the clients scan the server filesystem.
That would generate a lot of network traffic, and would not be very fast.

So, as you suggest, the best is to have the client scan its own files and 
let the server scan the files it holds.

> Viruses that delete files or overwrite them with nulls are still able 
> to execute on unprotected workstations, and can destroy data stored on 
> a fileserver.  There is no way for a server to detect the difference 
> between a well intentioned delete request and a malicious one.

Yes, but that doesn't mean that server-side anti-virus is useless.  I am
confused here.  You seem to be arguing against scanning for viruses on the
server side.  Your arguments are correct, but the conclusion doesn't make 
sense.

Confused,

Chris -)-----

-- 
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org
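
Added example, not part of the original message and not Samba or NetWare code: a C sketch of the concern above that a scanner hooked into every write may see buffers too small to contain a fingerprint. All names (`SIG`, `SAMPLE`, `scan_state`, `scan_write_stream`, `feed`) are hypothetical and the pattern is a constructed placeholder; it assumes writes arrive sequentially, and keeps the last `SIG_LEN-1` bytes per file so a match spanning two writes is still found.

```c
#include <stddef.h>
#include <string.h>

/* Constructed placeholder pattern, not a real virus fingerprint. */
static const unsigned char SIG[] = "EXAMPLE-SIGNATURE";
#define SIG_LEN (sizeof(SIG) - 1)
/* Constructed sample file content with the pattern at offset 19. */
static const unsigned char SAMPLE[] = "harmless header....EXAMPLE-SIGNATURE....trailer";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)

/* Per-open-file state: the last SIG_LEN-1 bytes written so far. */
struct scan_state { unsigned char tail[SIG_LEN - 1]; size_t tail_len; };

/* Plain search of one buffer; used alone, this is the naive per-write check. */
int contains_sig(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i + SIG_LEN <= len; i++)
        if (memcmp(buf + i, SIG, SIG_LEN) == 0) return 1;
    return 0;
}

/* Streaming hook: also checks the seam between the saved tail and the
 * new data. Assumes writes arrive sequentially at increasing offsets. */
int scan_write_stream(struct scan_state *st, const unsigned char *data, size_t len) {
    unsigned char seam[2 * (SIG_LEN - 1)];
    size_t head = len < SIG_LEN - 1 ? len : SIG_LEN - 1;
    memcpy(seam, st->tail, st->tail_len);
    memcpy(seam + st->tail_len, data, head);
    size_t seam_len = st->tail_len + head;
    int hit = contains_sig(data, len) || contains_sig(seam, seam_len);
    if (len >= SIG_LEN - 1) {          /* tail comes from this write alone */
        memcpy(st->tail, data + len - (SIG_LEN - 1), SIG_LEN - 1);
        st->tail_len = SIG_LEN - 1;
    } else {                           /* short write: keep end of tail+data */
        size_t keep = seam_len < SIG_LEN - 1 ? seam_len : SIG_LEN - 1;
        memcpy(st->tail, seam + seam_len - keep, keep);
        st->tail_len = keep;
    }
    return hit;
}

/* Replays buf as chunk-sized writes; returns 1 if any write was flagged. */
int feed(const unsigned char *buf, size_t len, size_t chunk, int streaming) {
    struct scan_state st = {{0}, 0};
    int hit = 0;
    for (size_t off = 0; off < len; off += chunk) {
        size_t n = len - off < chunk ? len - off : chunk;
        hit |= streaming ? scan_write_stream(&st, buf + off, n) : contains_sig(buf + off, n);
    }
    return hit;
}
```

With 8-byte or 20-byte writes the per-write check never flags `SAMPLE`, while the streaming check does; the cost is one small buffer of state per open file.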


