Barry Smoke wrote: | We were invaded by multiple viruses on our samba server today. ... | Some of these | latest viruses also invade network connections also, and I | have seen discussion of this on this list. I was able to | protect against nimda with the veto files global option, but | all of our jpegs are now3 .vbs from another virus ... | There are several scanners that work on linux, but that I | know of, none that can integrate into samba to provide on the | fly scanning of anything written to the server. Hmmn: this could be done by a vfs module, which on open(file,O_WRONLY|O_RDWR|O_APPEND) opens the file with mode 700 (or chmods it to 700), writes the data and then chmods it to 0 and passes it to a commercial virus scanner. On completion, it's permission are reset to normal. 1) This will make all writes slow. 2) There is a window during writing during which a program running as the same user can read it, virus and all. 3) There is also a window induced by MS Windows apps sometimes writing to a madcap name and then issuing a rename. If the rename occurs before the virus scan completes, something Will Go Wrong. 4) depending on the virus scanner, scanning log files which are being appended to will eat CPU. Many of these issues can be resolved by a virus-scanning company: if you already have McAfee, I recommend you have a word with them. --dave -- David Collier-Brown, | Always do right. This will gratify Americas Customer Engineering, | some people and astonish the rest. SunPS Integration Services. | -- Mark Twain (905) 415-2849 | davecb@canada.sun.com
o.k...mcafee works great on linux... It is our qmail scanner now.... but, in order to even half assed protect the server, I would have to be running a cron job hourly(or sooner) on every samba share. Is there any way to queue files written to a samba share, so that they are not immediately scanned, but are scanned as soon as possible....then if infected, mcafee can clean, and notify the user that wrote the file, or the sys admin. If un-cleanable, send it to /var/infected, or something. -----Original Message----- From: samba-admin@lists.samba.org [mailto:samba-admin@lists.samba.org]On Behalf Of David Collier-Brown Sent: Friday, October 12, 2001 12:35 PM To: Barry Smoke; samba@lists.samba.org Subject: Re: samba virus wrapper Barry Smoke wrote: | We were invaded by multiple viruses on our samba server today. ... | Some of these | latest viruses also invade network connections also, and I | have seen discussion of this on this list. I was able to | protect against nimda with the veto files global option, but | all of our jpegs are now3 .vbs from another virus ... | There are several scanners that work on linux, but that I | know of, none that can integrate into samba to provide on the | fly scanning of anything written to the server. Hmmn: this could be done by a vfs module, which on open(file,O_WRONLY|O_RDWR|O_APPEND) opens the file with mode 700 (or chmods it to 700), writes the data and then chmods it to 0 and passes it to a commercial virus scanner. On completion, it's permission are reset to normal. 1) This will make all writes slow. 2) There is a window during writing during which a program running as the same user can read it, virus and all. 3) There is also a window induced by MS Windows apps sometimes writing to a madcap name and then issuing a rename. If the rename occurs before the virus scan completes, something Will Go Wrong. 4) depending on the virus scanner, scanning log files which are being appended to will eat CPU. Many of these issues can be resolved by a virus-scanning company: if you already have McAfee, I recommend you have a word with them. --dave -- David Collier-Brown, | Always do right. This will gratify Americas Customer Engineering, | some people and astonish the rest. SunPS Integration Services. | -- Mark Twain (905) 415-2849 | davecb@canada.sun.com -- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Hello ! I'm using AvpLinux from www.kaspersky.com and it works great both as e-mail scanner using postfix and "in the fly" file scanner for linux file access. They have daily updates that can be run by cron. Jan-Eric Enlund Administrator Oy Elho Ab, Finland>We were invaded by multiple viruses on our samba server today. We have a >linux box running qmail, with qmail-scanner to prevent viruses from entering >our network. We are using mcafee with qmail-scanner, so it scans every >message, and rejects it in case of a virus. Apparently someone allowed a >virus in anyway, probably through an outside e-mail account. Some of these >latest viruses also invade network connections also, and I have seen >discussion of this on this list. I was able to protect against nimda with >the veto files global option, but all of our jpegs are now3 .vbs from >another virus....>Is it time to discuss implementing a virusscan wrapper for samba? I know >there are products for novell servers that scan, so that it prevents server >infection. I'm sure that there are scanners for nt also. >There are several scanners that work on linux, but that I know of, none that >an integrate into samba to provide on the fly scanning of anything written >onthe server.>is it time for a project for this?>Barry Smoke >Network Administrator >Bryant Public Schools-------------- next part -------------- HTML attachment scrubbed and removed