Latest AV code

Trever L. Adams trever at middleearth.sapphiresunday.org
Wed Dec 27 22:10:40 UTC 2017


On 12/27/2017 02:32 PM, Trever L. Adams wrote:
> It did. I may have done a ->next on one of the fsp structures. I don't
> remember. It was working. This functionality (getting actual POSIX
> file name for scanning and possibly other security related vfs modules)
> is essential. I am seeing the same problem for open. Both were
> working, both need actual POSIX file names of all objects that are
> file system backed.
>
> Trever
I know this worked because the appropriate renames took place. If I
remove some checks that are in the system now (checking to see if it is
a stream and not the default) the file and attached streams get removed
(I think this is on open, I didn't check closely enough last night).
However, this is a problem because the file may be legitimate, and the
other streams may be as well. It should be possible to scan the actual
stream by actual file system name and remove it.

vfs_virusfilter is getting a close event for streams other than default.
However, I currently have no way of knowing what the file system file
actually is.

Thank you.
Trever
>
> On December 27, 2017 2:10:41 PM MST, "Ralph Böhme" <slow at samba.org>
> wrote:
>
>     On Tue, Dec 26, 2017 at 11:01:59PM -0700, Trever L. Adams via samba-technical wrote:
>
>         On 12/26/2017 01:41 PM, Jim Brown via samba-technical wrote:
>
>             Trever
>
>             ret variable is not a boolean. The check 'if (ret)'
>             should be 'if (ret != 0)'. The check 'if (!ret)' should be
>             'if (ret == 0)'.
>
>             ok variable is a boolean. You should use
>             'if (!ok)' for a false test - and not either (ok == false)
>             or (ok != true).
>
>             Jim
>
>         Jim, thank you. I have taken care of these. 
>
>
>     Great, thanks! And thanks Jim for pointing those out. Guess I should have given
>     you a more explicit hint towards "Please read README.Coding", sorry.
>
No. I was just somehow not noticing them. I am sorry.
>
>         However, in testing, I am finding that the streams scanning
>         code no longer works as expected.
>
>         virusfilter_vfs_close: Not scanned: only file backed streams can be scanned: /home/DATA/trever/eicartestingstream.txt(1/0)
>
>         In the past, the file name showed what vfs_streams_depot was doing:
>
>         /home/DATA/.streams/0F/17/02FD000000000000EF005C0400000000:attached.txt:$DATA
>
>
>
>     Well, vfs_streams_depot doesn't implement the close VFS operation. Not in master
>     nor in older versions, so this can't ever have worked.
>
>     -slow
>
>
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity. 


More information about the samba-technical mailing list