File Server Antivirus

Hi @asavinok ,

Let's have a try:

First of all, create a shared folder, then:

  1. Download http://91.209.1.54/vscan-clamav.conf and http://91.209.1.54/vscan-clamav.so

         cp vscan-clamav.so /usr/lib64/samba/vfs/
         cp vscan-clamav.conf /etc/samba/

  2. Change dir to /etc/samba

         cd /etc/samba/

     Edit the smb.conf file to add two lines under the global section

         vi smb.conf

     Now copy the two lines below into the file

         vfs objects = vscan-clamav
         vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

         service clamd restart
         service smb restart

  3. Try to copy an infected file to the shared folder

Thanks. I gave it a try, but it seems not to be working. I downloaded the “eicar.com” file directly into the shared folder via the Linux console. Then I used Windows to copy and paste it into subfolders of the same share … nothing happened. How can I set a log file for vscan-clamav?
Thanks
Alessandro

Hi @asavinok,
In the file:

    /etc/samba/vscan-clamav.conf

edit

    verbose file logging = yes
    infected file action = delete

after it

    service smb restart

I have built this new util, but I cannot access Samba through the VPN, neither via the tun nor the tap interface, for testing it:

https://bitbucket.org/fumiyas/samba-virusfilter/downloads

Still not working. Please, where is the vscan-clamav log file supposed to be?
Thanks
Alessandro

OK … it is in /var/log/messages …
Here is what I see:

    Jan 16 20:15:14 nethserver smbd[2580]: error probing vfs module ‘vscan-clamav’: NT_STATUS_UNSUCCESSFUL
    Jan 16 20:15:14 nethserver smbd[2580]: [2016/01/16 20:15:14.127387, 0] smbd/vfs.c:315(smbd_vfs_init)
    Jan 16 20:15:14 nethserver smbd[2580]: smbd_vfs_init: vfs_init_custom failed for vscan-clamav
    Jan 16 20:15:14 nethserver smbd[2580]: [2016/01/16 20:15:14.127786, 0] smbd/service.c:902(make_connection_snum)
    Jan 16 20:15:14 nethserver smbd[2580]: vfs_init failed for service IPC$

and in /var/log/clamav/clamd.log

As the old scan module is outdated, we can only use “scannedonly”

https://www.samba.org/samba/docs/man/manpages/vfs_scannedonly.8.html

Thanks Nas. I have seen this video tutorial https://youtu.be/i5MySTopG8M and this couple of posts: http://permalink.gmane.org/gmane.network.samba.internals/85112
https://www.centos.org/forums/viewtopic.php?t=21688
Well, I think for me it would be better to rely more on the client antivirus, and configure clamav to scan the server shared folder twice a day.

Did you resolve it using @Nas's suggestion?

Hi @alefattorini, we need to involve our @dev team to do some investigation and development, because the antivirus should scan the shared folder, maybe not on the fly but at least 1 time per day.

please, don’t

AV scanning is quite intensive for the server: CPU, RAM and disks… running it twice a day will only make your server slower, not more secure…

Well, actually I was planning to scan only /var/lib/nethserver/ibay once a day, and to scan only modified and changed files hourly with something like this:

    # find /var/lib/nethserver/ibay -mmin -61 -type f -print0 | xargs -0 -r clamscan --quiet --infected --move=/tmp/virus
    # find /var/lib/nethserver/ibay -cmin -61 -type f -print0 | xargs -0 -r clamscan --quiet --infected --move=/tmp/virus
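The hourly scan from the post above, as an added example that is not part of the original thread: one `find` pass covers both the `-mmin` and `-cmin` tests, and `-exec … {} +` replaces `xargs` so that clamscan's own exit status (0 clean, 1 infected, 2 error) is kept. The quarantine path, the variable names and the `--run` switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): scan files touched in the last
# WINDOW_MIN minutes. QUARANTINE and the variable names are assumptions.
SHARE_DIR="${SHARE_DIR:-/var/lib/nethserver/ibay}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav-quarantine}"  # assumed, outside the share
WINDOW_MIN="${WINDOW_MIN:-61}"
SCANNER="${SCANNER:-clamscan}"

# scan_recent DIR MINUTES QUARANTINE
# Returns the worst scanner status seen: 0 clean, 1 infected, 2 error.
scan_recent() {
    dir=$1 window=$2 quarantine=$3
    # Quarantine directory accessible to the scanning user only.
    mkdir -p "$quarantine" && chmod 700 "$quarantine" || return 2
    status=$(mktemp) || return 2
    # One pass with -o: a file matching both tests is scanned once.
    # -cmin also catches copies that kept an old mtime (fresh ctime).
    # -exec ... {} + batches arguments like xargs, and the inner sh
    # records each batch's exit status, which xargs would fold into 123.
    find "$dir" -xdev -type f \( -mmin "-$window" -o -cmin "-$window" \) \
        -exec sh -c '
            scanner=$1 q=$2 log=$3; shift 3
            "$scanner" --quiet --infected --move="$q" "$@"
            echo "$?" >>"$log"
        ' sh "$SCANNER" "$quarantine" "$status" {} +
    worst=$(sort -n "$status" | tail -n 1)
    rm -f "$status"
    return "${worst:-0}"
}

# Run only when asked, e.g. from an hourly cron job: script.sh --run
if [ "${1:-}" = "--run" ]; then
    scan_recent "$SHARE_DIR" "$WINDOW_MIN" "$QUARANTINE"
fi
```

The exit status lets a cron wrapper tell "infected file moved" (1) apart from "scanner failed" (2), which the piped `xargs` form cannot do.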

Hi @giacomo @filippo_carletti @stephdl, please share your thoughts regarding Antivirus scanning of Shared Folders.

An option per ibay should be available for scanning it during the night…or a full scanning should be done each night/week if requested.

It is a basic feature O:)

Not tested but interesting

I always liked the idea of on-the-fly antivirus scanning, but it’s probably useless since clamav is not so good at finding viruses and it’s quite eager for resources.

I support @asavinok's idea: scan ibays once a day.
Maybe we can add an option for each ibay.

We have to completely rework the antivirus part for NS 7, I hope @davidep will also consider this scenario.

Can you elaborate a bit more?
If you use (and NS does) extended signatures (they are updated many times during the day), why would clamav fail?

Unfortunately, now it is not possible due to lack of software.

Another way is:
On-access ClamAV, but it requires running ClamAV as the root user.

17 messages were merged into an existing topic: Nethserver-clamscan think tank