VFS Virus Scanner idea...
bdavids1 at gmu.edu
Thu Sep 12 20:48:00 GMT 2002

Ah, I'll clarify...

Point #1 is how it is done on NetWare. The OS has event handlers for
things such as read & write requests. The Anti-Virus runs multiple
threads, one of which intercepts all write requests (if you're really
paranoid you can also catch all read requests). The file handle, or
something like that, is put in a queue which is serviced by another
anti-virus thread that actually does the scanning. Or something pretty much
along those lines. I'll go back through some old coredumps from when
we had some AV software problems and refresh my memory.

As you suggest, it does eat up a lot of resources although it's still
pretty fast. There's no other way to do real-time scanning, other than
to look at every write request that comes in. If you're not doing
that, then it's not real-time.

Point #2 - Server side anti-virus is a good thing, but is not a
substitute for client side anti-virus. Don't think for a moment that
you're safe from viruses because your server is running AV software.
I guess my argument is similar to the "don't think you don't have to
install patches because you're running a firewall" argument. Where I
work, upper management put all of the emphasis on server side
anti-virus. Well, until it was clearly shown why that was a bad idea.

Point #3 - In some ways I think server side anti-virus is pointless.
It does prevent the sharing of viruses through the server, which is
where it *is* useful. At the same time, if the goal is to prevent
viruses from wiping out the data you have on your servers, server side
AV doesn't protect you. Any connected workstation can get infected
with a virus that deletes every server based file it has authorization
to delete. Thus the server side AV only gives the illusion of
protection.

I guess it depends if you're looking to slow/prevent the spread of
viruses, or if you're looking to reduce/eliminate the damage they do.
If you think server side AV reduces/eliminates damage, I think you're
(not you specifically, more the generic you) making an incorrect
assumption.

I only say this from first-hand experience - I have the restore
requests to back it up. =)

Brian Davidson
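
The design described in Point #1 (a hook that only queues each written file, and a separate thread that services the queue and does the scanning), as an added example; it is not code from the post, NetWare or Samba. `WriteScanQueue`, `on_write` and the marker signature are hypothetical names and constructed data, and coalescing repeated writes to a file that is already queued is an assumption of this example.

```python
import pathlib, queue, tempfile, threading

# Constructed, harmless marker standing in for a real signature database.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"
SIGNATURES = {MARKER: "Test.Marker"}

class WriteScanQueue:
    """The write hook only enqueues; a separate worker thread does the scanning."""
    def __init__(self):
        self.pending = queue.Queue()
        self.queued = set()    # paths awaiting a scan (assumption: coalesce bursts)
        self.verdicts = {}     # path -> signature name, None if clean
        self.lock = threading.Lock()

    def start(self):
        threading.Thread(target=self._worker, daemon=True).start()

    def on_write(self, path):  # called for every intercepted write; returns fast
        with self.lock:
            if path in self.queued:   # one pending scan already covers this write
                return
            self.queued.add(path)
        self.pending.put(path)

    def _worker(self):
        while True:
            path = self.pending.get()
            with self.lock:
                self.queued.discard(path)   # writes from now on must re-queue
            try:
                data = pathlib.Path(path).read_bytes()
                hit = next((n for s, n in SIGNATURES.items() if s in data), None)
            except OSError:
                hit = "UNSCANNED"           # unreadable or gone: never report clean
            self.verdicts[path] = hit       # only the worker thread writes verdicts
            self.pending.task_done()

    def drain(self):
        self.pending.join()                 # wait until every queued file is scanned
        return dict(self.verdicts)

def demo():
    """Write one clean and one marked file, report both writes, return verdicts."""
    scanner, tmp = WriteScanQueue(), tempfile.mkdtemp()
    scanner.start()
    for name, body in (("clean.txt", b"hello"), ("bad.bin", b"x" + MARKER)):
        path = pathlib.Path(tmp, name)
        path.write_bytes(body)
        scanner.on_write(str(path))
    return {pathlib.Path(p).name: v for p, v in scanner.drain().items()}
```
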