samba virus wrapper
Barry Smoke
barry at arhosting.com
Fri Oct 12 20:01:02 GMT 2001
o.k...mcafee works great on linux...
It is our qmail scanner now....
but, in order to even half assed protect the server, I would have to be
running a cron job hourly(or sooner) on every samba share.
Is there any way to queue files written to a samba share, so that they are
not immediately scanned, but are scanned as soon as possible....then if
infected, mcafee can clean, and notify the user that wrote the file, or the
sys admin. If un-cleanable, send it to /var/infected, or something.
-----Original Message-----
From: samba-admin at lists.samba.org [mailto:samba-admin at lists.samba.org]On
Behalf Of David Collier-Brown
Sent: Friday, October 12, 2001 12:35 PM
To: Barry Smoke; samba at lists.samba.org
Subject: Re: samba virus wrapper
Barry Smoke wrote:
| We were invaded by multiple viruses on our samba server today.
...
| Some of these
| latest viruses also invade network connections also, and I
| have seen discussion of this on this list. I was able to
| protect against nimda with the veto files global option, but
| all of our jpegs are now3 .vbs from another virus
...
| There are several scanners that work on linux, but that I
| know of, none that can integrate into samba to provide on the
| fly scanning of anything written to the server.
Hmmn: this could be done by a vfs module, which
on open(file,O_WRONLY|O_RDWR|O_APPEND) opens the file
with mode 700 (or chmods it to 700), writes the
data and then chmods it to 0 and passes it to a
commercial virus scanner. On completion, it's
permission are reset to normal.
1) This will make all writes slow.
2) There is a window during writing during which
a program running as the same user can read it,
virus and all.
3) There is also a window induced by MS Windows apps
sometimes writing to a madcap name and then issuing
a rename. If the rename occurs before the virus scan
completes, something Will Go Wrong.
4) depending on the virus scanner, scanning log
files which are being appended to will eat CPU.
Many of these issues can be resolved by a virus-scanning
company: if you already have McAfee, I recommend you
have a word with them.
--dave
--
David Collier-Brown, | Always do right. This will gratify
Americas Customer Engineering, | some people and astonish the rest.
SunPS Integration Services. | -- Mark Twain
(905) 415-2849 | davecb at canada.sun.com
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
More information about the samba
mailing list