ClamAV - any "real" use besides mail and website checks?

Hi All!

ClamAV is the de facto standard for AntiVirus on Linux / FOSS. It does work for certain scenarios, yes. A good, usable example is mail AV checks, mail with ClamAV has more or less “On access” checks enabled. The same goes for Websites with the squid plug-in / module.

But the mainstay of AntiVirus besides mail is still infected files… And, in my opinion, ClamAV is not really any use as an AntiVirus for any file server - simply as it does not provide a mechanism for “On Access” checking.

What it can do, is a regular check on the whole filesystem. This easily can take 6 hours on a small-medium sized system - and only provides a “pseudo security”, as its use is actually zero…


Typical case:

NethServer acting as FileServer.
ClamAV, when installed, does a full check daily, usually at night because of CPU load.

So far, so good. Then the following happens:

A user copies a file from a compromised Notebook to the file server.
Another user / co-worker opens that file, and infects his PC or other Infrastructure.

The file in question was never checked on the server!!!
During a working day, not a single file is checked!

Anything kept until the check will be found, but for daily work, clients are unprotected…


On any properly setup Windows Server, even 20 years ago, “On Access” AV-checking is standard.
Even on other systems, “On Access” was / is the standard. I’ve had for example Novell Netware Servers with McAfee installed in 1995 - and On Access was the standard!

Now, everyone touts Linux. Yes, we have AV (ClamAV). And Samba is a great file server, can replace a Windows server easily… And Linux itself has hardly any viruses in the wild…

The components are there, but bricks lying on the floor is not a wall (yet)…

How much of this BS are we believing ourselves?

Any Feedback / Thoughts on this would be very welcome…

My 2 cents
Andy

PS: This could be subject of a sub-discussion for end of month meeting… :slight_smile:

8 Likes

Servus Andy,

But the mainstay of AntiVirus besides mail is still infected files… And, in my opinion, ClamAV is not really any use as an AntiVirus for any file server - simply as it does not provide a mechanism for “On Access” checking.

Therefore, I have implemented an AV solution from ESET on every Windows client here, which has always worked reliably over the years.

Regards…

Uwe

3 Likes

that’s exactly what I’ve always wondered about, too. Ultimately, Linux shifts the responsibility to the clients and their management. There will already be a proper AV installed…

Inexplicably, we have to live with the fact that established software architectures and development processes are not capable of delivering secure software products and platforms; all we can do is stick a band-aid on the bleeding spots. Even worse, the software industry’s mantra of “there can’t be any bug-free and secure software at all” is not even seriously questioned.
Quick money is more important; collateral damage is accepted without fuss.

If such catastrophic failures happen that whole companies or administrations are not able to work for weeks, this is accepted with a shrug of the shoulders: “it was just a software bug”.

After 20 years in the IT business, I am increasingly coming to the conclusion that if skyscrapers, hotels, ships or airplanes were built according to the same principles and with the same low standards as software, nobody would use them.

5 Likes

Good endpoint protection and frequent server backups is a must have, but how about this?
https://www.samba.org/samba/docs/current/man-html/vfs_virusfilter.8.html

4 Likes

Hi @bunkobugsy

And welcome to the NethServer Forum!

A good point, yes, the Samba vfs_virusfilter sounds good…
Something like amavis, basically a wrapper, for Samba… :slight_smile:

Now to see if our Devs can get this running in NethServer!

@stephdl , @giacomo , @davidep any suggestions, ideas?

Thanks!

My 2 cents
Andy

Thanks @bunkobugsy for the link, this really seems a nice feature.

I tested with the rspamd clamav instance so it logs in /var/log/maillog but it just works.
Opening the eicar test file on my backup share now produces the following log entry and I can’t open the file.

Feb 10 23:46:20 server2 clamd[23335]: /var/lib/nethserver/ibay/backup/eicar.com: Eicar-Test-Signature.UNOFFICIAL FOUND

How to test it using custom templates

Create custom template dir:

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf/ibay-default

Setup virusfilter for all shares (old)

To apply the virusfilter to ALL shares, create /etc/e-smith/templates-custom/etc/samba/smb.conf/ibay-default/30virusfilter with the following content:

{
    $OUT = "";
    $ibay_vfs->{virusfilter} = "";
}

To be able to apply the virusfilter to specific shares, create /etc/e-smith/templates-custom/etc/samba/smb.conf/ibay-default/30virusfilter with the following content:

{
    $OUT = "";
    return unless (($ibay{'SmbVirusFilterStatus'} || 'disabled') eq 'enabled');

    $ibay_vfs->{virusfilter} = "";
}

To enable virusfilter for a share:

db accounts setprop <SHARENAME> SmbVirusFilterStatus enabled

For example I enabled it for the backup share (/var/lib/nethserver/ibay/backup):

db accounts setprop backup SmbVirusFilterStatus enabled

Virusfilter options

Create /etc/e-smith/templates-custom/etc/samba/smb.conf/90virusfilter with the needed virusfilter options:

virusfilter:scanner = clamav
virusfilter:socket path = /var/run/clamd@rspamd/clamav

There are a lot of other options to try like quarantine or scan on close…

EDIT:

With the following additional options the file is scanned and renamed immediately after copying it to the share (doesn’t work with the default “scan on open”):

virusfilter:scan on close = yes
virusfilter:infected file action = rename

Apply the changes:

signal-event nethserver-samba-save

9 Likes
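As an added example (not from the thread and not NethServer or Samba code), a small Python audit of a rendered smb.conf that reports which shares load vfs_virusfilter at all and which only scan on open, i.e. where a file copied in from a compromised notebook sits unscanned until somebody opens it. The sample smb.conf is constructed for the demo; the option names and the scan-on-open default follow vfs_virusfilter(8) as used in the instructions above.

```python
import configparser

# Constructed sample smb.conf for this demo (not a real NethServer file): three
# shares, of which only "backup" carries the scan-on-close options from the thread.
SAMPLE_SMB_CONF = """
[global]
    virusfilter:scanner = clamav
    virusfilter:socket path = /var/run/clamd@rspamd/clamav
[backup]
    path = /var/lib/nethserver/ibay/backup
    vfs objects = acl_xattr virusfilter
    virusfilter:scan on close = yes
    virusfilter:infected file action = rename
[projects]
    path = /var/lib/nethserver/ibay/projects
    vfs objects = acl_xattr virusfilter
[scratch]
    path = /var/lib/nethserver/ibay/scratch
    vfs objects = acl_xattr
"""

def parse_smb_conf(text):
    # smb.conf is INI-like, but ':' is part of option names (virusfilter:scanner)
    # and '%' appears in values (%U, %m), so disable both as parser features.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def share_option(cp, share, key, default=""):
    # Share-level options override [global], as in Samba.
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key).strip()
    return default

def audit_virusfilter(text):
    """Map each share to 'open+close' (scanned when written and when opened), 'open only'
    (vfs_virusfilter default: unscanned until opened) or 'unscanned' (module not loaded)."""
    cp = parse_smb_conf(text)
    report = {}
    for share in cp.sections():
        if share == "global": continue
        vfs = share_option(cp, share, "vfs objects").split()
        if "virusfilter" not in vfs:
            report[share] = "unscanned"
        elif share_option(cp, share, "virusfilter:scan on close", "no").lower() == "yes":
            report[share] = "open+close"
        else:
            report[share] = "open only"
    return report
```

Run it against /etc/samba/smb.conf after signal-event nethserver-samba-save to confirm the template really landed on the shares you expected.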

Just out of curiosity: who has implemented it yet? Any experiences? Recommendations?

regards,
stefan

I updated the instructions so it’s possible to add a virusfilter for a specific share. This way it’s easier to setup one testshare for virus scanning instead of enabling it for all shares.

3 Likes

Thank you for proposing this feature @Andy_Wismer. I’m still not convinced it is effective, but for sure it has a simple implementation - thank you @mrmarkuz!

Same question as Stefan.

Do you have a measure of the impact on the file server performance?

What about virus-signatures quality? I recall the free signatures DB is far from being accurate for email attachment threats… Do you have any successful experience on the field with the paid ones used over the file system?

I’m afraid the costs (server resources, licenses) outweigh the benefits (blocked threats).

3 Likes

Hello @davidep

For my clients, I’ve mainly been using McAfee as commercial AV, installed on Servers and Clients.
One thing I liked very much about McAfee, compared with their competitors: If the subscription ran out, the Server and Client kept working and even could get newer AV-Lists. And this for the Enterprise Version…

As I’ve been using such systems on Windows, Novell and Linux, and since 1997 (!), I think I can give valid performance ratings… :slight_smile:
The client side is very performant, no slowing down the client using ERP systems (Something other AV do…). The Server side is also extremely performant. I had “On-Access” activated, and - like we do with Clam-AV, a weekly full check on the Weekend. Depending on file system size, this also takes time. Generally, file systems in companies and institutions have increased massively…

A lot of companies now use the photo capabilities of smartphones for their Work-Documentation (before / after comparisons). This for such diverse professions like electricians, plumbers, painters and others.
In 1997, most phones had only a max resolution of VGA (640x480), nowadays, Multi-Megapixel is the standard.

As we’re talking about the “On-Access” feature - the regular full scan is the norm for Clam-AV at the moment - I can confirm that commercial systems like McAfee have practically no “feelable” overhead. It is maybe in the region of <5 %…

I also confirm that McAfee had extremely good AV-Lists: in 20 years only 2 daily lists had an “error” included, both corrected the next day.


Commercial AV Opinion:

Good ones:

  • McAfee
  • ESET
  • Norman
  • Sophos

The “bad” ones:

  • Anything with Norton or $ymantec, including now the recently bought companies…
  • Panda
  • Kaspersky (Best known for “finding” but failing to provide proof of an iPhone Virus, among others…).

I’m only referring to my personal experience with these products, and I include the feedback I get from my clients too.


McAfee had agreements with the amount of protected clients. (Any needed servers were covered!).
This was for ten clients about 900$ first year, subsequent years were about 300$ if I recall correctly. All agreements were directly between my client and McAfee (Or whoever)…
For company employees, the use for their home computer / notebook was also covered, as back-door via VPN / Home Office protection…


As always so far on NethServer, it should be an Option the admin can choose to use - or not.
Due to importance / use / impact, it should be a GUI Option in Cockpit, not for example an e-smith Option… :slight_smile:
A nice, simple warning about effects / impacts would be a nice “topping”, especially for those with less experience!

Besides which, this is a feature hardly any of the other Linux distros include (I can’t name any offhand!) and would also solve the “Distrowatch” issue… :slight_smile:

Windows Admins with no Linux experience expect this feature as standard, as this is standard for all commercial Windows Server AntiVirus products to have On-Access feature…


My 2 cents
Andy

3 Likes

I follow Andy’s view, data is very important and protecting it should be a top priority.
In my humble opinion, a slightly less performing server is worth it if there is also a real-time protection layer for the data.

Kind regards,

Aphid