Latest AV code

Trever L. Adams trever at middleearth.sapphiresunday.org
Thu Dec 28 00:03:22 UTC 2017


On 12/27/2017 03:10 PM, Trever L. Adams wrote:
> On 12/27/2017 02:32 PM, Trever L. Adams wrote:
>> It did. I may have done a ->next on one of the fsp structures. I
>> don't remember. It was working. This functionality (getting actual
>> POSIX file name for scanning and possibly other security related vfs
>> modules) is essential. I am seeing the same problem for open. Both
>> were working, both need actual POSIX file names of all objects that
>> are file system backed.
>>
>> Trever
> I know this worked because the appropriate renames took place. If I
> remove some checks that are in the system now (checking to see if it
> is a stream and not the default) the file and attached streams get
> removed (I think this is on open, I didn't check closely enough last
> night). However, this is a problem because the file may be legitimate,
> the other streams may also be as well. It should be possible to scan
> the actual stream by actual file system name and remove it.
>
> vfs_virusfilter is getting a close event for streams other than
> default. However, I currently have no way of knowing what the file
> system file actually is.
>
> Thank you.
> Trever

Alright, I have the quarantine functionality working. It works with a
default relative to connection path of .quarantine and I believe can be
set to anything absolute.

I am still trying to get this to scan file backed streams (such as
vfs_streams_depot). Like I said, without an exit strategy for
non-filebacked streams, I believe it works on open but erases the file
and all streams, not just the stream. So, it works for now, it just
ignores ALL streams. This can be fixed if there is a way to find the
backing file system's file full path name. If it ever replaces the
smb_fname/base_name in the stackable modules, then all is good; if not,
I will need to add some code to try and use whatever functionality is
provided to export this.

This is NOT a full patch. It is relative to the last full work Ralph did
as I would like another review of it in patch form before I squash down
and send the entire thing as five patches.

Thank you.
Trever
-------------- next part --------------
A non-text attachment was scrubbed...
Name: latest-av.patch
Type: text/x-patch
Size: 49354 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20171227/33cdc19d/latest-av.bin>