[Samba] Samba + Antivirus

Maurício Ramos Mauricio.Ramos at wedotechnologies.com
Fri Mar 12 07:39:54 MST 2010


Hello Alexander, List…

Yes, that's the mistake! Now things are working just fine!!

We are using the “Eicar Test Virus” in 2 files. Both are not allowed access and the others are ok.

Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: samba-vscan (vscan-clamav 0.3.6c beta5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: samba-vscan (vscan-clamav 0.3.6c beta5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: INFO: connect to service tmp by user mauramos
Mar 12 11:01:30 rhel5 smbd_vscan-clamav[29609]: ALERT - Scan result: '/tmp/teste_clamav.txt' infected with virus 'Eicar-Test-Signature', client: '172.26.129.129'
Mar 12 11:01:30 rhel5 smbd_vscan-clamav[29609]: ERROR: quarantining file '/tmp/teste_clamav.txt' to '/home/clamav/quarantine/vir-ao7wgD' failed, reason: Operação não permitida
Mar 12 11:02:17 rhel5 smbd_vscan-clamav[29609]: ALERT - Scan result: '/tmp/teste_antivirus_samba_clamav.txt' infected with virus 'Eicar-Test-Signature', client: '172.26.129.129'
Mar 12 11:02:17 rhel5 smbd_vscan-clamav[29609]: ERROR: quarantining file '/tmp/teste_antivirus_samba_clamav.txt' to '/home/clamav/quarantine/vir-kmBxUg' failed, reason: Operação não permitida

[root at rhel5 tmp]# more teste_clamav.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
[root at rhel5 tmp]# more teste_antivirus_samba_clamav.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

File clamd.log records the detected virus…

[root at rhel5 clamav]# tail -f clamd.log
Fri Mar 12 10:57:40 2010 -> Algorithmic detection enabled.
Fri Mar 12 10:57:40 2010 -> Portable Executable support enabled.
Fri Mar 12 10:57:40 2010 -> ELF support enabled.
Fri Mar 12 10:57:40 2010 -> Mail files support enabled.
Fri Mar 12 10:57:40 2010 -> OLE2 support enabled.
Fri Mar 12 10:57:40 2010 -> PDF support enabled.
Fri Mar 12 10:57:40 2010 -> HTML support enabled.
Fri Mar 12 10:57:40 2010 -> Self checking every 600 seconds.
Fri Mar 12 11:01:30 2010 -> /tmp/teste_clamav.txt: Eicar-Test-Signature FOUND
Fri Mar 12 11:02:17 2010 -> /tmp/teste_antivirus_samba_clamav.txt: Eicar-Test-Signature FOUND

… and they are moved to quarantine

[root at rhel5 clamav]# ls -la /home/clamav/quarantine/
total 8
drwxrwx--- 2 clamav   clamav 4096 Mar 12 11:02 .
drwxrwx--- 7 clamav   clamav 4096 Mar 12 10:57 ..
-rw------- 1 mauramos users     0 Mar 12 11:01 vir-ao7wgD
-rw------- 1 mauramos users     0 Mar 12 11:02 vir-kmBxUg

Thanks a lot for the help. Below I reproduce the steps to configure the whole environment:


1) Install and configure samba
2) Install and configure clamav
3) Download, “./configure” and “make proto” the source of the running samba server
4) Download samba-vscan, “./configure --with-samba-source=<path to samba source “source” dir>” and “make clamav”
5) Copy “vscan-clamav.so” to “/usr/lib/samba/vfs” (this path can vary)
6) Copy “vscan-clamav.conf” from “<samba-vscan-source-dir>clamav” to “/etc/samba”
7) Configure smb.conf at each share to be protected with lines like

vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

8) Update clamav database using freshclam
9) Start everything
10) Create a text file with the following content inside a protected share (harmless eicar test virus)

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

We are now using samba 3.0.33, and this version needs samba-vscan 0.3.6c. The previous version of samba we were using (3.0.23c) needed samba-vscan 0.3.6b.

Again, thank you all for the support!


Mauricio.

From: Alexander [mailto:forsmbg at googlemail.com]
Sent: Friday, 12 March 2010 05:56
To: samba at lists.samba.org; Maurício Ramos
Subject: Re: [Samba] Samba + Antivirus

2010/3/11 Maurício Ramos Mauricio.Ramos at wedotechnologies.com

-- clamd.conf --
LocalSocket /home/clamav/clamd.socket

-- vscan-clamav.conf --
clamd socket name = /home/clamav/clamd.sock

Looks like you've got a discrepancy/typo in your clamav and samba-vscan config files that is causing that.

cheers,
Alexander
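The thread's root cause was a socket path that differed between clamd.conf and vscan-clamav.conf, and the smbd log also shows quarantine moves failing. The following check script is an added example (not part of either mail or of samba-vscan itself): it reads the `LocalSocket` line from clamd.conf and the `clamd socket name` line from vscan-clamav.conf, reports whether they agree, and confirms the quarantine directory is writable. The config contents and the working directory it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the clamd socket path in
# clamd.conf against the one samba-vscan reads from vscan-clamav.conf, and
# confirm the quarantine directory is writable. Config contents below are
# constructed to reproduce the typo Alexander spotted; paths are examples.
WORK="${TMPDIR:-/tmp}/vscan-check.$$"
mkdir -p "$WORK/quarantine"

cat > "$WORK/clamd.conf" <<'EOF'
LogFile /home/clamav/clamd.log
LocalSocket /home/clamav/clamd.socket
EOF

cat > "$WORK/vscan-clamav.conf" <<'EOF'
[samba-vscan]
clamd socket name = /home/clamav/clamd.sock
EOF

# clamd_socket CLAMD_CONF: print the LocalSocket value (clamd.conf is "Key value")
clamd_socket() {
    awk '$1 == "LocalSocket" { print $2; exit }' "$1"
}

# vscan_value VSCAN_CONF KEY: print the trimmed value of a "KEY = value" line
vscan_value() {
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# sockets_match CLAMD_CONF VSCAN_CONF: succeed only if both name the same socket
sockets_match() {
    [ -n "$(clamd_socket "$1")" ] &&
    [ "$(clamd_socket "$1")" = "$(vscan_value "$2" "clamd socket name")" ]
}

# quarantine_ok DIR: succeed if DIR exists and this user can create files in it
quarantine_ok() {
    [ -d "$1" ] && [ -w "$1" ] && [ -x "$1" ]
}

if sockets_match "$WORK/clamd.conf" "$WORK/vscan-clamav.conf"; then
    echo "OK: clamd and samba-vscan agree on the socket path"
else
    echo "MISMATCH: clamd.conf=$(clamd_socket "$WORK/clamd.conf")" \
         "vscan-clamav.conf=$(vscan_value "$WORK/vscan-clamav.conf" "clamd socket name")"
fi
quarantine_ok "$WORK/quarantine" && echo "OK: quarantine dir $WORK/quarantine is writable"
```

On a real host, point the two parsers at /etc/clamd.conf (or wherever clamd reads its config) and /etc/samba/vscan-clamav.conf, and run the quarantine check as the account smbd actually uses for the share.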
