[Samba] On access scanning with samba-vscan

Sat Sep 2 10:43:55 GMT 2006

Okan,

> I am trying to configure Samba as blocking virus transfer so that shares can be
> safe. I am using redhat el3 and fc4. I want to install samba-vscan, clamd. I
> have tried to install it from tar packages but i couldn't succeed it.

My colleage has been using the rpm's from samba.org on fc4 without a glitch.
I've been using clamav as my samba scanner on SuSE for quite some time
now, with nice results. It does have it's impact though...

On your share go:
[share]
vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

Now vscan-clamav.conf:
------------------------------------------------------------
#
# /etc/samba/vscan-clamav.conf
#

[samba-vscan]
; run-time configuration for vscan-samba using
; clamd
; all options are set to default values

; do not scan files larger than X bytes. If set to 0 (default),
; this feature is disable (i.e. all files are scanned)
max file size = 10485760

; log all file access (yes/no). If set to yes, every access will
; be logged. If set to no (default), only access to infected files
; will be logged
verbose file logging = no

; if set to yes (default), a file will be scanned while opening
scan on open = yes
; if set to yes, a file will be scanned while closing (default is yes)
scan on close = yes

; if communication to clamd fails, should access to file denied?
; (default: yes)
deny access on error = no

; if daemon failes with a minor error (corruption, etc.),
; should access to file denied?
; (default: yes)
deny access on minor error = no

; send a warning message via Windows Messenger service
; when virus is found?
; (default: yes)
send warning message = yes

; what to do with an infected file
; quarantine: try to move to quantine directory
; delete:     delete infected file
; nothing:    do nothing (default)
infected file action = quarantine

; where to put infected files - you really want to change this!
quarantine directory  = /opt/clamav/quarantine
; prefix for files in quarantine
quarantine prefix = vir-

; as Windows tries to open a file multiple time in a (very) short time
; of period, samba-vscan use a last recently used file mechanism to avoid
; multiple scans of a file. This setting specified the maximum number of
; elements of the last recently used file list. (default: 100)
max lru files entries = 100

; an entry is invalidad after lru file entry lifetime (in seconds).
; (Default: 5)
lru file entry lifetime = 5

; exclude files from being scanned based on the MIME-type! Semi-colon
; seperated list (default: empty list). Use this with care!
exclude file types =

; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
; libclamav is used
clamd socket name = /tmp/clamd

; limits, if vscan-clamav was build for using the clamav library (libclamav)
; instead of clamd

; maximum number of files in archive (default: 1000)
libclamav max files in archive = 1000

; maximum archived file size, in bytes (default: 10 MB)
libclamav max archived file size = 5242880

; maximum recursion level (default: 5)
libclamav max recursion level = 5
-------------------
This should do the trick quite nicely I think...
Obviously you need a running clam daemon for this to work.

Note that this is a working example for me using ClamAV.
You *should* have some examples on your system
(/usr/share/doc/somewhere) that target other scanners too... You
should be able to use any of them.

I'm currently working on making Norman AV working with Samba :)

Hope this helps,
-- 
Rory Vieira
rory dot vieira at gmail dot com