VFS module - filter everyone etc.
rainer at openantivirus.org
Thu Apr 24 17:10:29 GMT 2003
Stefan (metze) Metzmacher wrote:
>> Thanks for your input and work on the VFS stuff! Hm, actually at least
>> for 2.2.8(a) it seems doing on-access scanning via VFS has more
>> "overhead" than doing it as a linux kernel module. First test showed
>> 8sec vs ~20sec. But I need to do some more research on that.
> Do you know that on a simple click in the Windows explorer
> a file is opened 3 times :-(
Yes, I know. If you click on an infected file, Win98 tries to open the
file up to 6x until "Access denied" box will appear.
> in my vfs_antivir module I have a cache that stores the stat buffer
> and if the times and the size didn't change the file is not scanned again.
> maybe I need to add a timeout for the cached objects
> maybe 5-10 secs
For my samba-vscan stuff I did sth similar, called last recently
accessed file mechanism. It also stores whether the file has been
"marked" as being infected or not (see scenario as mentioned above).
Also a timeout is used (I used 5sec as default value). It's not yet
perfect, but seems to work. Unfortunately, the performance loss with
on-access scanning is very big (> 50%).
The test I mentioned above was done with clean files (> 2000 Office
files, approx 500 MB), accessed via smbclient -N -Tc backup.tar. A
similar test was done with ELF files, the result is available at
I'll redo the test with Kaspersky AntiVirus, because it's currently the
only product, which I can use via LKML and Samba VFS.
Btw, you're very welcome to contribute your antivir module to the
samba-vscan project :) Unfortunately, the samba-vscan framework is
currently neither completed nor documented *sigh*