VFS Virus Scanner idea...

rvt at dds.nl rvt at dds.nl
Sat Sep 14 22:22:00 GMT 2002 

Citeren bdavids1 at gmu.edu:

> Ah, I'll clarify...
> 
> Point #1 is how it is done on NetWare.  The OS has event handlers for 
> things such as read & write requests.  The Anti-Virus runs multiple 
> threads, one of which intercepts all write requests (if you're really 
> paranoid you can also catch all read requests).  The file handle, or 
> something like that is put in a queue which is serviced by another anti-
> virus thread that actually does the scanning.  Or something pretty much 
> along those lines.  I'll go back through some old coredumps from when 
> we had some AV software problems and refresh my memory..
> 
> As you suggest, it does eat up a lot of resources although it's still 
> pretty fast.  There's no other way to do real-time scanning, other than 
> to look at every write request that comes in.  If you're not doing 
> that, then it's not real-time.
> 
> Point #2 - Server side anti-virus is a good thing, but is not a 
> substitute for client side anti-virus.  Don't think for a moment that 
> you're safe from viruses because your server is running AV software.
> I guess my argument is similar to the "don't think you don't have to 
> install patches because you're running a firewall" argument.  Where I 
> work, upper management put all of the emphasis on server side anti-
> virus.  Well, until it was clearly shown why that was a bad idea. 
I Agree.

> 
> Point #3 - In some ways I think server side anti-virus is pointless.  
> It does prevent the sharing of viruses through the server, which is 
> where it *is* useful.  At the same time, if the goal is to prevent 
> viruses from wiping out the data you have on your servers, server side 
> AV doesn't protect you.  Any connected workstation can get infected 
> with a virus that deletes every server based file it has authorization 
> to delete.  Thus the server side AV only gives the illusion of 
> protection.
ou can tell the AV software to disconnect a client when it stores to many files 
with viruses on the server and thus protecting the server a bit. I thought 
about it but never implemented it in ly VFS module. Also found on openantivirus 
wich uses the kaspersky scanner engine.

> 
> I guess it depends if you're looking to slow/prevent the spread of 
> viruses, or if you're looking to reduce/eliminate the damage they do.  
> If you think server side av reduces/eliminates damage, I think you're 
> (not you specifically, more the generic you) making an incorrect 
> assumption.  
> 
> I only say this from first hand experience - I have the restore 
> requests to back it up. =)
> 
> Brian Davidson
> 
>

More information about the samba-technical mailing list