[Samba] Ransomware?

Nico Kadel-Garcia nkadel at gmail.com
Fri May 20 13:31:10 UTC 2016


On Sun, May 15, 2016 at 7:07 AM, Helmut Hullen <Hullen at t-online.de> wrote:
> Hello, ToddAndMargo,
>
> You wrote on 15.05.16:
>
>> Is there anything in Samba that will help protect
>> against ransomware?
>
> The linux principle is "one job - one tool". Antivirus software exists.
> It doesn't help against really new malware, it doesn't help against
> "social engineering", it doesn't help against a bona fide user.

It was a basic UNIX principle, back in BSD when I first encountered
it. It's not always followed: witness "systemd" and "gnome".

Samba has some advantages. If the core file server is Linux or UNIX,
it can be much faster and cheaper to make regular snapshots of your
filesystem and write them to a basically read-only structure, running
on Linux or UNIX. Much, much, much cheaper than trying to run Windows
based backup software: just getting read access to "open" files, such
as the user's mailbox files that are the most important files to back
up on their whole system, can be a nightmare requiring serious privilege
escalation that the local users should *not* need to do. File system
snapshot tools like LVM snapshots, or the more sophisticated snapshots
of ZFS or of a backend NetApp, can also be invaluable. Those can also
often be made accessible by Samba as read-only CIFS shares, for people
to recover their own files. It's invaluable for people not to have to
bother their local sysadmin to get last night's copy of the files they
just accidentally deleted. They will appreciate your thoughtfulness,
and you can get back to playing Minecraft.

If you're on a budget, tools like the venerable "rsnapshot" perl
script, writing to cheap local storage, can provide similar
capabilities with the added expense in resources of rsnapshot having
to actually scan and rsync against the filesystems it is backing up,
and having to be *very careful* to expose the backups as read-only.
That exposure of backups can be via CIFS using Samba, or even via NFS.
Since rsnapshot relies on hardlinks among the snapshots, if you
corrupt one, you've potentially corrupted them all, and you *never*
want to expose those backups to ordinary userland.

Does Samba provide some subtle brilliance to block ransomware from
being able to act at all? Not really, no. The CIFS network file
system for providing authorized access to data doesn't *analyze* the
requests to read or write data to files for their legitimacy or lack
of malice: that's a job for the client side, for the virus scanners or
security on the client side. If Samba started trying to say "I smell a
witch!!!" based on the transformation of data requested..... oh, dear
lord, that could get very resource intensive and very, very messy.

> Perhaps "ClamAV" may fulfill some of your wishes.
>
> Best regards!
> Helmut

That's a related, but distinct, problem. ClamAV has limits: constantly
morphing attack binaries, and the use of encrypted zip files with "use
this password" make such attacks more and more difficult to
pre-analyze.
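The rsnapshot hardlink hazard described in the post above, as an added example that is not part of the thread: the rotation is imitated with `cp -al`, and all paths and file contents are constructed throwaway data. It shows why the snapshot tree must only ever be exposed read-only: a single in-place write through a writable view damages every rotation at once, while the normal rsync-style update of the live data leaves the snapshots intact.

```shell
#!/bin/sh
# Constructed demo: rsnapshot keeps rotations cheap by hardlinking unchanged files
# between snapshots (imitated here with cp -al). The flip side, as the post warns,
# is that an in-place write through ANY writable view of the snapshot tree lands
# on the shared inode and damages every rotation at once. Paths are throwaway.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/src"; SNAP="$WORK/snapshots"
mkdir -p "$SRC" "$SNAP"
printf 'quarterly report\n' > "$SRC/report.txt"

# Rotate the way rsnapshot does: daily.0 -> daily.1, then a hardlinked daily.0.
take_snapshot() {
    [ -d "$SNAP/daily.1" ] && rm -rf "$SNAP/daily.1"
    [ -d "$SNAP/daily.0" ] && mv "$SNAP/daily.0" "$SNAP/daily.1"
    cp -al "$SRC" "$SNAP/daily.0"     # -l links files instead of copying data
}

# Hardlink count of a file (portable: second field of ls -l).
link_count() { ls -ld "$1" | awk '{print $2}'; }

snapshot_content() { cat "$SNAP/daily.0/report.txt"; }
source_content()   { cat "$SRC/report.txt"; }

# rsync-style update of the live data: write a temp file and rename it into place.
# The source gets a fresh inode, so the snapshots keep yesterday's bytes.
update_source_safely() {
    printf 'quarterly report v2\n' > "$SRC/report.txt.tmp"
    mv -f "$SRC/report.txt.tmp" "$SRC/report.txt"
}

# What a writable exposure of the snapshot share permits: truncating one
# rotation's copy rewrites the inode that every rotation shares.
corrupt_snapshot_in_place() {
    printf 'ENCRYPTED\n' > "$SNAP/daily.1/report.txt"
}

take_snapshot
take_snapshot    # daily.0 and daily.1 now share every inode with the source
```

Run the functions in order (update_source_safely, then corrupt_snapshot_in_place) to watch the link count drop from 3 to 2 and then see both rotations turn to "ENCRYPTED" while the freshly updated source survives.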
