[Samba] vfs object virusfilter not working

lists at zxt10d.de lists at zxt10d.de
Tue Oct 11 06:38:38 UTC 2022


On 10.10.2022 at 21:04, Rowland Penny via samba wrote:
> 
> 
> On 10/10/2022 10:58, lists--- via samba wrote:
>>
>>
>> For testing I changed these lines ... but the result is the same, and 
>> put them on [global] and next try on [public]:
>>
>>   vfs objects = virusfilter
>>   virusfilter:scanner = clamav
>>   virusfilter:socket path = /var/run/clamav/clamd.ctl
>>   virusfilter:scan on open = yes
>>   virusfilter:scan on close = no
>>   virusfilter:max file size = 100000000
>>   virusfilter:min file size = 10
>>   virusfilter:connect timeout = 300000
>>   virusfilter:io timeout = 600000
>>   virusfilter:infected file action = rename
>>   virusfilter:rename prefix = virusfilter.
>>   virusfilter:rename suffix = .infected
>>
>> Restarting samba and copying the eicar.com-file again shows this in 
>> the log:
>> [2022/10/10 11:13:33.573839,  2] 
>> ../../source3/smbd/open.c:1611(open_file)
>>    nobody opened file eicar.com read=No write=No (numopen=2)
>> [2022/10/10 11:13:33.577165,  2] 
>> ../../source3/smbd/close.c:833(close_normal_file)
>>    nobody closed file eicar.com (numopen=0) NT_STATUS_OK
>> [2022/10/10 11:13:33.578962,  2] 
>> ../../source3/smbd/open.c:1611(open_file)
>>    nobody opened file eicar.com read=No write=No (numopen=2)
>> [2022/10/10 11:13:33.581848,  2] 
>> ../../source3/smbd/close.c:833(close_normal_file)
>>    nobody closed file eicar.com (numopen=0) NT_STATUS_OK
>>
>> At least it should rename the file, shouldn't it?
>>
>> Starting clamscan manually on that share finds the "virus":
>> /srv/samba/public/eicar.com: Win.Test.EICAR_HDB-1 FOUND
>>
>> netstat -lnp | grep -E "clam"
>> tcp        0      0 0.0.0.0:3310            0.0.0.0:* LISTEN 36374/clamd
>> unix  2      [ ACC ]     STREAM     HÖRT         70497    36374/clamd 
>>        /var/run/clamav/clamd.ctl
>>
>> Cheers,
>> Torsten
>>
> 
> Thinking about this, try removing 'fruit streams_xattr' from the 'vfs 
> objects' line and see if it then works.
> 
> Rowland

So I did, removed vfs objects one by one, and later on I added one by 
one again ... but the result is/was the same.

After that I set debug level to 5, and copied the file again.
Now I can see these lines (and several others ;)) in the log:
[2022/10/11 08:33:19.466341,  5] 
../../source3/smbd/dosmode.c:68(dos_mode_debug_print)
   dos_mode_debug_print: fdos_mode returning (0x20): "a"
[2022/10/11 08:33:19.466456,  3] 
../../source3/modules/vfs_virusfilter.c:1493(virusfilter_vfs_close)
   virusfilter_vfs_close: Not scanned: File not modified: 
/srv/samba/test/eicar.com

Is there a way to enhance the loglevel for vfs-objects only?

Cheers,
Torsten
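
Added example (not part of the original message and not Samba project code): one way to cut a level-5 smbd log down to the records emitted from vfs_virusfilter.c after the fact. It also accepts records whose source location or message was wrapped onto a following line, as in the excerpts above; the names parse_records and from_module are hypothetical.

```python
import re

# "[2022/10/11 08:33:19.466456,  3] ../../source3/...c:1493(func)"; the location
# part may be missing here when a mail client wrapped it onto the next line.
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(?P<level>\d+)\]\s*(?P<loc>.*)$")
LOCATION = re.compile(r"(?P<file>[^\s:]+):(?P<line>\d+)\((?P<func>[^)]+)\)")

# Sample input: log excerpts copied from the post; the last record has been
# rejoined onto a single header line for this example.
SAMPLE = """\
[2022/10/11 08:33:19.466341,  5]
../../source3/smbd/dosmode.c:68(dos_mode_debug_print)
   dos_mode_debug_print: fdos_mode returning (0x20): "a"
[2022/10/11 08:33:19.466456,  3]
../../source3/modules/vfs_virusfilter.c:1493(virusfilter_vfs_close)
   virusfilter_vfs_close: Not scanned: File not modified:
/srv/samba/test/eicar.com
[2022/10/10 11:13:33.573839,  2] ../../source3/smbd/open.c:1611(open_file)
   nobody opened file eicar.com read=No write=No (numopen=2)
"""

def parse_records(text):
    """Group header, wrapped location and message lines into one dict per record."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m["ts"], "level": int(m["level"]), "loc": m["loc"], "msg": []}
            records.append(cur)
        elif cur is not None and line:
            if not cur["loc"]:
                cur["loc"] = line          # location wrapped below the timestamp
            else:
                cur["msg"].append(line)    # message text, possibly wrapped too
    for r in records:
        loc = LOCATION.search(r.pop("loc"))
        r["file"], r["func"] = (loc["file"], loc["func"]) if loc else ("", "")
        r["msg"] = " ".join(r["msg"])
    return records

def from_module(records, source_suffix="vfs_virusfilter.c"):
    """Keep only records whose source file ends with source_suffix."""
    return [r for r in records if r["file"].endswith(source_suffix)]

if __name__ == "__main__":
    for r in from_module(parse_records(SAMPLE)):
        print(r["ts"], r["level"], r["func"], r["msg"])
```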