File Server Antivirus

Hi, I’d like to test nethserver as a fileserver in a small network with Windows client PCs. I’d like to have an antivirus engine running on the fileserver to protect the client operations. Any suggestions?
From Nethserver documentation I understood it can use Clamav, but only for e-mail or web proxy, is it correct?
I installed Clamav following this guide https://www.centosblog.com/how-to-install-clamav-and-configure-daily-scanning-on-centos/
Is there a way to trigger antivirus “real time” file check when a file is saved or the only way is a daily scan?
Thanks
Alessandro

Hi there is samba-vscan :
http://www.openantivirus.org/projects.php
Maybe we need it in production

3 Likes

I did it a while ago using centos 5, but it didn’t work so well. If you look around you’ll probably find a how-to, but I’m not sure if it will work on nethserver (centos6).

Hi @asavinok ,

Let’s have a try:

First of all, create a shared folder, then:

  1. Download http://91.209.1.54/vscan-clamav.conf and http://91.209.1.54/vscan-clamav.so

         cp vscan-clamav.so /usr/lib64/samba/vfs/
         cp vscan-clamav.conf /etc/samba/

  2. Change dir to /etc/samba

         cd /etc/samba/

     Edit the smb.conf file to add two lines under the global section

         vi smb.conf

     Now copy the two lines below into the file

         vfs objects = vscan-clamav
         vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

         # restart both services so the new settings are loaded
         service clamd restart
         service smb restart

  3. Try to copy an infected file to the shared folder

Thanks. I gave it a try but it seems not to be working. I downloaded the “eicar.com” file directly into the shared folder via the Linux console. Then I used Windows to copy and paste it into subfolders of the same share … nothing happened. How can I set a log file for vscan-clamav?
Thanks
Alessandro

Hi @asavinok,
In the file:

    /etc/samba/vscan-clamav.conf

edit:

    verbose file logging = yes
    infected file action = delete

After that:

    service smb restart

I have built this new util, but I cannot access Samba through the VPN, neither via the tun nor the tap interface, to test it:

https://bitbucket.org/fumiyas/samba-virusfilter/downloads

Still not working. Where is the vscan-clamav log file supposed to be, please?
Thanks
Alessandro

OK … it is in /var/log/messages …
Here is what I see:

    Jan 16 20:15:14 nethserver smbd[2580]: error probing vfs module 'vscan-clamav': NT_STATUS_UNSUCCESSFUL
    Jan 16 20:15:14 nethserver smbd[2580]: [2016/01/16 20:15:14.127387, 0] smbd/vfs.c:315(smbd_vfs_init)
    Jan 16 20:15:14 nethserver smbd[2580]: smbd_vfs_init: vfs_init_custom failed for vscan-clamav
    Jan 16 20:15:14 nethserver smbd[2580]: [2016/01/16 20:15:14.127786, 0] smbd/service.c:902(make_connection_snum)
    Jan 16 20:15:14 nethserver smbd[2580]: vfs_init failed for service IPC$

and in /var/log/clamav/clamd.log

As the old scan module is outdated, we can only use “scannedonly”:

https://www.samba.org/samba/docs/man/manpages/vfs_scannedonly.8.html

Thanks Nas. I have seen this video tutorial https://youtu.be/i5MySTopG8M and these two posts:
http://permalink.gmane.org/gmane.network.samba.internals/85112
https://www.centos.org/forums/viewtopic.php?t=21688
Well, I think for me it would be better to rely more on the client antivirus, and configure clamav to scan the server shared folder twice a day.

Did you resolve it using @Nas’s suggestion?

Hi @alefattorini, we need to involve our @dev team to do some investigation and development, because the antivirus should scan shared folders, maybe not on the fly but at least once per day.

please, don’t

AV scanning is quite intensive for a server: cpu, ram and disks… running it twice a day will only make your server slower, not more secure…

Well, actually I was planning to scan only /var/lib/nethserver/ibay once a day, and to scan only modified and changed files hourly with something like this:

    # run as root; the /tmp/virus directory must already exist
    # files whose content was modified in the last 61 minutes
    find /var/lib/nethserver/ibay -mmin -61 -type f -print0 | xargs -0 -r clamscan --quiet --infected --move=/tmp/virus
    # files whose metadata (owner, permissions, name) changed in the last 61 minutes
    find /var/lib/nethserver/ibay -cmin -61 -type f -print0 | xargs -0 -r clamscan --quiet --infected --move=/tmp/virus

1 Like
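
An added example (not from the thread) of the hourly changed-files scan discussed above: it replaces the fixed `-mmin -61` window with a marker file, so a late or skipped cron run leaves no unscanned gap. The function name, the `SCAN_CMD` override and the state and quarantine paths are assumptions; `clamscan` and GNU find/xargs are assumed to be installed.

```bash
#!/bin/bash
# Added example, not from the thread. Assumes GNU find/xargs and clamscan;
# the state and quarantine paths are placeholders chosen for illustration.

# scan_changed SHARE_ROOT STATE_DIR QUARANTINE_DIR
# Scans files whose ctime is newer than the previous run's marker file.
# Returns 0 = all clean, 1 = scanner reported a hit or an error, 2 = not run.
scan_changed() {
    root="$1"; state="$2"; quarantine="$3"
    marker="$state/last-scan"; next="$state/next-scan"; rc=0

    # Keep both directories outside SHARE_ROOT so they are never rescanned.
    mkdir -p "$state" "$quarantine" || return 2
    chmod 700 "$quarantine"     # quarantined samples readable by owner only
    touch "$next"               # stamp taken before find: overlap, never a gap

    if [ -e "$marker" ]; then
        # ctime also changes when content is modified, so one pass covers both
        find "$root" -type f -cnewer "$marker" -print0
    else
        find "$root" -type f -print0        # first run: full scan
    fi | xargs -0 -r ${SCAN_CMD:-clamscan} --quiet --infected \
               --move="$quarantine" || rc=$?

    case $rc in
        0)   mv "$next" "$marker"; return 0 ;;
        123) mv "$next" "$marker"; return 1 ;;  # a clamscan run exited 1 or 2
        *)   rm -f "$next"; return 2 ;;         # e.g. 127: scanner missing,
                                                # old marker kept for a retry
    esac
}

# Hourly cron usage (paths are assumptions):
# scan_changed /var/lib/nethserver/ibay /var/lib/ibay-scan /var/lib/ibay-scan/quarantine
```

A non-zero return from cron is the cue to check the quarantine directory and the clamscan output, since xargs cannot tell a detection apart from a scanner error.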

Hi @giacomo @filippo_carletti @stephdl, please share your thoughts regarding Antivirus scanning of Shared Folders.

An option per ibay should be available for scanning it during the night…or a full scanning should be done each night/week if requested.

It is a basic feature O:)

Not tested but interesting

I always liked the idea of an on-the-fly antivirus scan, but it’s probably useless since clamav is not so good at finding viruses and it’s quite resource-hungry.

I support the @asavinok idea: scan ibays once a day.
Maybe we can add an option for each ibay.

We have to completely rework the antivirus part for NS 7, I hope @davidep will also consider this scenario.