[Samba] vfs object virusfilter not working

lists at zxt10d.de lists at zxt10d.de
Mon Oct 10 09:58:26 UTC 2022



On 10.10.2022 at 11:01, Rowland Penny via samba wrote:
> 
> 
> On 10/10/2022 08:27, lists--- via samba wrote:
>> Good morning list :)
>>
>> I have a Debian-Bullseye system running as an ad-member server, using 
>> Louis' 4.15 version.
>>
>> Now I wanted to add the virusscan feature, but it seems it doesn't 
>> work properly ...
>>
>> As you can see in the log entries, vfs object [virusfilter] gets loaded 
>> ... and the eicar.com file could be stored.
> 
>>          virusfilter:rename suffix = .infected
>>          virusfilter:infected file command = echo -e "Found virus 
>> during on-access scanning of Samba share." | mail -s"Samba: Virus 
>> Found" %EMAIL-ADRESS%
>>          virusfilter:scan error command = echo -e "Scan error during 
>> on-access scanning of Samba share." | mail -s"Samba: Scan Error" 
>> %EMAIL-ADRESS%
>> [...]
>>
>> Is something missing? Or interfering?
>>
>> Thanks in advance!
>>
>> Cheers,
>> Torsten
>>
> 
> I do not use the virus scanner, but could this be something as simple as 
> you having to use the full path for 'echo', or do you have to run a 
> script as in the example that Samba provides?
> 
> Rowland

For testing I changed these lines, put them in [global] and, on the next 
try, in [public] ... but the result is the same:

  vfs objects = virusfilter
  virusfilter:scanner = clamav
  virusfilter:socket path = /var/run/clamav/clamd.ctl
  virusfilter:scan on open = yes
  virusfilter:scan on close = no
  virusfilter:max file size = 100000000
  virusfilter:min file size = 10
  virusfilter:connect timeout = 300000
  virusfilter:io timeout = 600000
  virusfilter:infected file action = rename
  virusfilter:rename prefix = virusfilter.
  virusfilter:rename suffix = .infected

Restarting Samba and copying the eicar.com file again shows this in the log:
[2022/10/10 11:13:33.573839,  2] ../../source3/smbd/open.c:1611(open_file)
   nobody opened file eicar.com read=No write=No (numopen=2)
[2022/10/10 11:13:33.577165,  2] ../../source3/smbd/close.c:833(close_normal_file)
   nobody closed file eicar.com (numopen=0) NT_STATUS_OK
[2022/10/10 11:13:33.578962,  2] ../../source3/smbd/open.c:1611(open_file)
   nobody opened file eicar.com read=No write=No (numopen=2)
[2022/10/10 11:13:33.581848,  2] ../../source3/smbd/close.c:833(close_normal_file)
   nobody closed file eicar.com (numopen=0) NT_STATUS_OK

At least it should rename the file, shouldn't it?

Starting clamscan manually on that share finds the "virus":
/srv/samba/public/eicar.com: Win.Test.EICAR_HDB-1 FOUND

netstat -lnp | grep -E "clam"
tcp        0      0 0.0.0.0:3310            0.0.0.0:*               LISTEN      36374/clamd
unix  2      [ ACC ]     STREAM     HÖRT         70497    36374/clamd         /var/run/clamav/clamd.ctl

Cheers,
Torsten
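
An added example, not part of the original post and not Samba's own code: a small client that speaks clamd's PING and INSTREAM commands over the Unix socket named in "virusfilter:socket path" above, to confirm that the daemon answers on that socket independently of smbd. The function names are chosen here; only the socket path comes from the post.

```python
import socket
import struct

SOCKET_PATH = "/var/run/clamav/clamd.ctl"  # value from the smb.conf in the post


def _recv_reply(sock):
    """Read one NUL-terminated clamd reply and return it as text."""
    buf = b""
    while not buf.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:  # peer closed before sending the terminator
            break
        buf += chunk
    return buf.rstrip(b"\0").decode("utf-8", "replace").strip()


def clamd_ping(path=SOCKET_PATH, timeout=5.0):
    """Return True if clamd answers PONG on the Unix socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)  # raises PermissionError / FileNotFoundError on failure
        s.sendall(b"zPING\0")
        return _recv_reply(s) == "PONG"


def clamd_scan_bytes(data, path=SOCKET_PATH, timeout=30.0, chunk_size=8192):
    """Stream data with INSTREAM; return (infected, raw_reply)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), chunk_size):
            part = data[off:off + chunk_size]
            # each chunk: 4-byte big-endian length, then the bytes
            s.sendall(struct.pack("!I", len(part)) + part)
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = _recv_reply(s)
    return reply.endswith("FOUND"), reply


if __name__ == "__main__":
    import sys
    try:
        print("PING ok:", clamd_ping())
        with open(sys.argv[1], "rb") as fh:  # file to scan, e.g. the test file
            print(clamd_scan_bytes(fh.read()))
    except (OSError, IndexError) as exc:
        print("clamd check failed:", exc)
```

Running it under different accounts shows whether the socket's permissions let a given user connect at all.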


