VFS Virus Scanner idea...
rvt at dds.nl
Sat Sep 14 22:22:00 GMT 2002
Quoting bdavids1 at gmu.edu:
> Ah, I'll clarify...
>
> Point #1 is how it is done on NetWare. The OS has event handlers for
> things such as read & write requests. The Anti-Virus runs multiple
> threads, one of which intercepts all write requests (if you're really
> paranoid you can also catch all read requests). The file handle, or
> something like that is put in a queue which is serviced by another anti-
> virus thread that actually does the scanning. Or something pretty much
> along those lines. I'll go back through some old coredumps from when
> we had some AV software problems and refresh my memory..
>
> As you suggest, it does eat up a lot of resources although it's still
> pretty fast. There's no other way to do real-time scanning, other than
> to look at every write request that comes in. If you're not doing
> that, then it's not real-time.
>
> Point #2 - Server side anti-virus is a good thing, but is not a
> substitute for client side anti-virus. Don't think for a moment that
> you're safe from viruses because your server is running AV software.
> I guess my argument is similar to the "don't think you don't have to
> install patches because you're running a firewall" argument. Where I
> work, upper management put all of the emphasis on server side anti-
> virus. Well, until it was clearly shown why that was a bad idea.
I agree.
>
> Point #3 - In some ways I think server side anti-virus is pointless.
> It does prevent the sharing of viruses through the server, which is
> where it *is* useful. At the same time, if the goal is to prevent
> viruses from wiping out the data you have on your servers, server side
> AV doesn't protect you. Any connected workstation can get infected
> with a virus that deletes every server based file it has authorization
> to delete. Thus the server side AV only gives the illusion of
> protection.
You can tell the AV software to disconnect a client when it stores too many files
with viruses on the server, thus protecting the server a bit. I thought
about it but never implemented it in my VFS module. Also found on openantivirus,
which uses the Kaspersky scanner engine.
>
> I guess it depends if you're looking to slow/prevent the spread of
> viruses, or if you're looking to reduce/eliminate the damage they do.
> If you think server side av reduces/eliminates damage, I think you're
> (not you specifically, more the generic you) making an incorrect
> assumption.
>
> I only say this from first hand experience - I have the restore
> requests to back it up. =)
>
> Brian Davidson
>
>
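The queue-and-scanner-thread design from Point #1, combined with the disconnect-after-too-many-infected-files policy raised in the reply, as an added example that is not code from either poster or from any Samba VFS module. The marker string, the `MAX_INFECTED` threshold, the client names and every function and class name are assumptions made for illustration.

```python
import queue
import threading
from collections import Counter

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed marker standing in for a scanner engine
MAX_INFECTED = 2  # assumed policy: disconnect after this many infected writes

def scan(data):
    return SIGNATURE in data

class WriteScanner:
    def __init__(self):
        self.events = queue.Queue()  # filled by the write hook
        self.infected = Counter()    # infected writes per client
        self.disconnected = set()    # clients cut off by the policy
        self.quarantined = []        # (client, path) pairs that matched
        threading.Thread(target=self._worker, daemon=True).start()

    def on_write(self, client, path, data):
        # Write-request hook: refuse disconnected clients, else queue for scanning.
        if client in self.disconnected:
            return False
        self.events.put((client, path, data))
        return True

    def _worker(self):
        # Scanner thread: services the queue and applies the disconnect policy.
        while True:
            client, path, data = self.events.get()
            if scan(data):
                self.quarantined.append((client, path))
                self.infected[client] += 1
                if self.infected[client] >= MAX_INFECTED:
                    self.disconnected.add(client)
            self.events.task_done()

def replay(writes):
    # Feed events one at a time; join() waits for each scan so results are deterministic.
    scanner, accepted = WriteScanner(), []
    for write in writes:
        accepted.append(scanner.on_write(*write))
        scanner.events.join()
    return scanner, accepted

# Constructed sample: ws2 stores two infected files, then tries a third write.
SAMPLE = [("ws1", "a.doc", b"hello"), ("ws2", "b.exe", b"xx" + SIGNATURE),
          ("ws2", "c.exe", SIGNATURE + b"yy"), ("ws2", "d.txt", b"clean"),
          ("ws1", "e.txt", b"clean")]
if __name__ == "__main__":
    scanner, accepted = replay(SAMPLE)
    print(accepted, sorted(scanner.disconnected), scanner.quarantined)
```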
More information about the samba-technical
mailing list