VFS Virus Scanner idea...

bdavids1 at gmu.edu
Thu Sep 12 20:48:00 GMT 2002


Ah, I'll clarify...

Point #1 is how it is done on NetWare.  The OS has event handlers for 
things such as read & write requests.  The anti-virus runs multiple 
threads, one of which intercepts all write requests (if you're really 
paranoid you can also catch all read requests).  The file handle, or 
something like that, is put in a queue which is serviced by another 
anti-virus thread that actually does the scanning.  Or something pretty 
much along those lines.  I'll go back through some old coredumps from 
when we had some AV software problems and refresh my memory.

As you suggest, it does eat up a lot of resources although it's still 
pretty fast.  There's no other way to do real-time scanning, other than 
to look at every write request that comes in.  If you're not doing 
that, then it's not real-time.

Point #2 - Server side anti-virus is a good thing, but is not a 
substitute for client side anti-virus.  Don't think for a moment that 
you're safe from viruses because your server is running AV software.

I guess my argument is similar to the "don't think you don't have to 
install patches because you're running a firewall" argument.  Where I 
work, upper management put all of the emphasis on server side anti-
virus.  Well, until it was clearly shown why that was a bad idea. 

Point #3 - In some ways I think server side anti-virus is pointless.  
It does prevent the sharing of viruses through the server, which is 
where it *is* useful.  At the same time, if the goal is to prevent 
viruses from wiping out the data you have on your servers, server side 
AV doesn't protect you.  Any connected workstation can get infected 
with a virus that deletes every server based file it has authorization 
to delete.  Thus the server side AV only gives the illusion of 
protection.

I guess it depends if you're looking to slow/prevent the spread of 
viruses, or if you're looking to reduce/eliminate the damage they do.  
If you think server side AV reduces/eliminates damage, I think you're 
(not you specifically, more the generic you) making an incorrect 
assumption.  

I only say this from first-hand experience - I have the restore 
requests to back it up. =)

Brian Davidson
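
The two-thread layout described in Point #1 (a write hook that only queues the
file, and a separate scanner thread that services the queue), as an added
example in Python. This is not code from the message, from NetWare or from
Samba; the OS hook is simulated by calling on_write() after each write, the
signature table is a constructed stand-in (the EICAR test string plus an
invented marker), and all class and function names are assumptions made for
the illustration.

```python
"""Simulated on-write scanner: intercept thread enqueues, worker thread scans.

Added example, not NetWare or Samba code.  The "write hook" is a plain method
call here; in a real system it would be the OS/VFS write or close callback.
"""
import io
import os
import queue
import tempfile
import threading

# Constructed signature table for the demo.  The EICAR string is the standard
# harmless detection test; "Demo.Marker" is an invented pattern for this example.
SIGNATURES = {
    "EICAR-Test-File": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
    "Demo.Marker": b"<<DEMO-MALWARE-MARKER>>",
}


def scan_stream(f, signatures=SIGNATURES, chunk=65536):
    """Return the name of the first matching signature in a binary stream, else None.

    Reads in chunks but keeps the last (longest_signature - 1) bytes of the
    previous chunk, so a signature straddling a chunk boundary is still found.
    """
    longest = max(len(s) for s in signatures.values())
    tail = b""
    while True:
        data = f.read(chunk)
        if not data:
            return None
        window = tail + data
        for name, sig in signatures.items():
            if sig in window:
                return name
        tail = window[-(longest - 1):] if longest > 1 else b""


def scan_bytes(data, signatures=SIGNATURES, chunk=65536):
    """Convenience wrapper: scan an in-memory byte string."""
    return scan_stream(io.BytesIO(data), signatures, chunk)


def scan_file(path, signatures=SIGNATURES, chunk=65536):
    """Scan a file on disk."""
    with open(path, "rb") as f:
        return scan_stream(f, signatures, chunk)


class WriteScanner:
    """Write hook + scan queue + one worker thread (the Point #1 layout)."""

    def __init__(self, signatures=SIGNATURES):
        self.signatures = signatures
        self.q = queue.Queue()
        self.detections = {}          # path -> signature name
        self.lock = threading.Lock()
        self.worker = threading.Thread(target=self._scan_loop, daemon=True)
        self.worker.start()

    def on_write(self, path):
        """The intercept side: record the written file and return at once.

        The writer is never blocked; the cost is a window between the write
        completing and the scanner getting to it.
        """
        self.q.put(path)

    def _scan_loop(self):
        """The scanner side: drain the queue and match signatures."""
        while True:
            path = self.q.get()
            if path is None:            # shutdown sentinel
                self.q.task_done()
                break
            name = scan_file(path, self.signatures)
            if name:
                with self.lock:
                    self.detections[path] = name
            self.q.task_done()

    def wait(self):
        """Block until every queued write has been scanned."""
        self.q.join()

    def stop(self):
        self.q.put(None)
        self.worker.join()


def demo(files):
    """Write each {name: bytes} to a temp dir through the hook; return {name: signature}."""
    scanner = WriteScanner()
    with tempfile.TemporaryDirectory() as d:
        for name, content in files.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(content)
            scanner.on_write(path)      # simulated OS write hook
        scanner.wait()
        scanner.stop()
        return {os.path.basename(p): s for p, s in scanner.detections.items()}


if __name__ == "__main__":
    print(demo({"clean.txt": b"hello",
                "eicar.com": SIGNATURES["EICAR-Test-File"],
                "big.bin": b"A" * 70000 + SIGNATURES["Demo.Marker"]}))
```

The queue is what keeps the writer from paying the scan cost, which is the
resource trade-off the message mentions: the scanner thread can fall behind
under load, and until it catches up the file is on disk and readable.  A
design that scans synchronously in the close handler removes that window at
the price of stalling every writer.  The overlap kept between chunks in
scan_stream is the part people most often forget when writing a chunked
matcher; without it a signature split across two reads is missed.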




More information about the samba-technical mailing list