VFS module - filter everyone etc.

Rainer Link rainer at openantivirus.org
Thu Apr 24 17:10:29 GMT 2003

Stefan (metze) Metzmacher wrote:

>> Thanks for your input and work on the VFS stuff! Hm, actually at least 
>> for 2.2.8(a) it seems doing on-access scanning via VFS has more 
>> "overhead" than doing it as a linux kernel module. First test showed 
>> 8sec vs ~20sec. But I need to do some more reasearch on that.
> Do you know that on a simple klick in the Windows explorer
> a file is opened 3 times :-(

Yes, I know. If you click on an infected file, Win98 tries to open the 
file up to 6x until "Acess denied" box will appear.

> in my vfs_antivir module I have a cache that stores the stat buffer and
> and if the times and the size didn't change the file is not scaned again.
> maybe I need to add a timeout for the cached objects
> maybe 5-10 secs

For my samba-vscan stuff I did sth similar, called last recently 
accessed file mechanism. It also stores whether the file has been 
"marked" as being infected or not (see scenario as mentioned above). 
Also a timeout is used (I used 5sec as default value). It's not yet 
perfect, but seems to work. Unfortunately, the performance loss with 
on-acess scanning is very big (> 50%).

The test I mentioned above was done with clean files (> 2000 Office 
files, approx 500 MB), accessed via smbclient -N -Tc backup.tar. A 
similar test was done with ELF files, the result is available at

I'll redo the test with Kaspersky AntiVirus, because it's currently the 
only product, which I can use via LKML and Samba VFS.

Btw, you're very welcome to contribute your antivir module to the 
samba-vscan project :) Unfortunately, the samba-vscan framework is 
currently neither completed nor documented *sigh*

best regards,
Rainer Link

More information about the samba-technical mailing list