List, we are working on implementing an antivirus solution (samba-vscan + clamav) on our samba shares. We performed the steps mentioned in some guides we found in Portuguese and things seem to be installed ok. But when we make a test and try to access a share, every file on it is not accessible (though we can mount the share), and after looking at /var/log/messages we see the following:

...
Mar 11 10:56:51 rhel5 smbd_vscan-clamav[5238]: samba-vscan (vscan-clamav 0.3.6b) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 11 10:56:51 rhel5 smbd_vscan-clamav[5238]: samba-vscan (vscan-clamav 0.3.6b) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 11 10:56:51 rhel5 smbd_vscan-clamav[5238]: INFO: connect to service tmp by user mauramos
Mar 11 10:57:10 rhel5 smbd_vscan-clamav[5238]: ERROR: can not connect to clamd (socket: '/home/clamav/clamd.sock')!
Mar 11 10:57:10 rhel5 smbd_vscan-clamav[5238]: ERROR: can not communicate to daemon - access denied
Mar 11 10:57:10 rhel5 smbd_vscan-clamav[5238]: ERROR: can not connect to clamd (socket: '/home/clamav/clamd.sock')!
Mar 11 10:57:10 rhel5 smbd_vscan-clamav[5238]: ERROR: can not communicate to daemon - access denied
...

User mauramos is a member of the "clamav" group. We put the conf, log, pid, database and socket files under /home/clamav, which is owned by user clamav and group clamav, both with the same permissions (rwx). The number 5238 is the OS pid of the connection I made to the share:

...
[root at rhel5 clamav]# ps -ef | grep 5238
mauramos  5238  5228  0 10:56 ?        00:00:00 smbd -D
root      5242  4873  0 10:57 pts/8    00:00:00 grep 5238

One note about clamd.conf: the parameter "User" is set to clamav so that the daemon runs and generates the log/pid files as user/group clamav, and so that common users like mauramos, who are part of the clamav group, can access all these files, including clamd.sock, which is the one raising the error in /var/log/messages.
The comments in clamd.conf say that for this option to work clamd must be started as root, but it does not matter whether we start it as root or as clamav, the result is the same. We are using a RedHat Enterprise Linux 5 server, samba 3.0.23, clamav 0.95 and samba-vscan 0.36b. Does anybody know what it could be? Can you give us a clue/help? Thank you all!

Our config files are as follows:

-------------------
-- clamd.conf --
-------------------
LogFile /home/clamav/clamd.log
LogTime yes
PidFile /home/clamav/clamd.pid
TemporaryDirectory /home/clamav/tmp
DatabaseDirectory /home/clamav/database
LocalSocket /home/clamav/clamd.socket
TCPSocket 3310
MaxConnectionQueueLength 100
ReadTimeout 3000
CommandReadTimeout 30
User clamav

----------------------------
-- vscan-clamav.conf --
----------------------------
[samba-vscan]
max file size = 0
verbose file logging = no
scan on open = yes
scan on close = yes
deny access on error = yes
deny access on minor error = yes
send warning message = yes
infected file action = quarantine
quarantine directory = /home/clamav/quarantine
quarantine prefix = vir-
max lru files entries = 100
lru file entry lifetime = 5
exclude file types
clamd socket name = /home/clamav/clamd.sock
libclamav max files in archive = 1000
libclamav max archived file size = 10485760
libclamav max recursion level = 5

----------------------------------------
-- share definition at smb.conf --
----------------------------------------
[tmp]
comment = tmp
path = /tmp
valid users = mauramos assouza
public = yes
writable = yes
create mask = 0750
vfs object = vscan-clamav
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

------------------------
-- freshclam.conf --
------------------------
DatabaseDirectory /home/clamav/database
UpdateLogFile /home/clamav/databaseUpdate.log
LogFileMaxSize 20M
LogTime yes
PidFile /home/clamav/freshclam.pid
DatabaseMirror database.clamav.net
2010/3/11 Maurício Ramos <Mauricio.Ramos at wedotechnologies.com>
> -- clamd.conf --
> LocalSocket /home/clamav/clamd.socket
>
> -- vscan-clamav.conf --
> clamd socket name = /home/clamav/clamd.sock

Looks like you've got a discrepancy/typo in your clamav and samba-vscan config files that is causing that.

cheers,
Alexander
Hello Alexander, List...

Yes, that's the mistake! Now things are working just fine!! We are using the "Eicar Test Virus" in 2 files. Both are not allowed access and the others are ok.

Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: samba-vscan (vscan-clamav 0.3.6c beta5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: samba-vscan (vscan-clamav 0.3.6c beta5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Mar 12 11:00:51 rhel5 smbd_vscan-clamav[29609]: INFO: connect to service tmp by user mauramos
Mar 12 11:01:30 rhel5 smbd_vscan-clamav[29609]: ALERT - Scan result: '/tmp/teste_clamav.txt' infected with virus 'Eicar-Test-Signature', client: '172.26.129.129'
Mar 12 11:01:30 rhel5 smbd_vscan-clamav[29609]: ERROR: quarantining file '/tmp/teste_clamav.txt' to '/home/clamav/quarantine/vir-ao7wgD' failed, reason: Operação não permitida
Mar 12 11:02:17 rhel5 smbd_vscan-clamav[29609]: ALERT - Scan result: '/tmp/teste_antivirus_samba_clamav.txt' infected with virus 'Eicar-Test-Signature', client: '172.26.129.129'
Mar 12 11:02:17 rhel5 smbd_vscan-clamav[29609]: ERROR: quarantining file '/tmp/teste_antivirus_samba_clamav.txt' to '/home/clamav/quarantine/vir-kmBxUg' failed, reason: Operação não permitida

[root at rhel5 tmp]# more teste_clamav.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
[root at rhel5 tmp]# more teste_antivirus_samba_clamav.txt
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

File clamd.log records the detected virus...

[root at rhel5 clamav]# tail -f clamd.log
Fri Mar 12 10:57:40 2010 -> Algorithmic detection enabled.
Fri Mar 12 10:57:40 2010 -> Portable Executable support enabled.
Fri Mar 12 10:57:40 2010 -> ELF support enabled.
Fri Mar 12 10:57:40 2010 -> Mail files support enabled.
Fri Mar 12 10:57:40 2010 -> OLE2 support enabled.
Fri Mar 12 10:57:40 2010 -> PDF support enabled.
Fri Mar 12 10:57:40 2010 -> HTML support enabled.
Fri Mar 12 10:57:40 2010 -> Self checking every 600 seconds.
Fri Mar 12 11:01:30 2010 -> /tmp/teste_clamav.txt: Eicar-Test-Signature FOUND
Fri Mar 12 11:02:17 2010 -> /tmp/teste_antivirus_samba_clamav.txt: Eicar-Test-Signature FOUND

... and they are moved to quarantine

[root at rhel5 clamav]# ls -la /home/clamav/quarantine/
total 8
drwxrwx---  2 clamav   clamav 4096 Mar 12 11:02 .
drwxrwx---  7 clamav   clamav 4096 Mar 12 10:57 ..
-rw-------  1 mauramos users     0 Mar 12 11:01 vir-ao7wgD
-rw-------  1 mauramos users     0 Mar 12 11:02 vir-kmBxUg

Thanks a lot for the help. Below I reproduce the steps to configure the whole environment:

1) Install and configure samba
2) Install and configure clamav
3) Download, "./configure" and "make proto" the source of the running samba server
4) Download samba-vscan, "./configure --with-samba-source=<path to samba source "source" dir>" and "make clamav"
5) Copy "vscan-clamav.so" to "/usr/lib/samba/vfs" (this path can vary)
6) Copy "vscan-clamav.conf" from "<samba-vscan-source-dir>/clamav" to "/etc/samba"
7) Configure smb.conf at each share to be protected with lines like
   vfs object = vscan-clamav
   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
8) Update the clamav database using freshclam
9) Start everything
10) Create a text file with the following content inside a protected share (harmless eicar test virus)
   X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

We are now using samba 3.0.33, and this version needs samba-vscan 0.3.6c. The previous version of samba we were using (3.0.23c) needed samba-vscan 0.3.6b.

Again, thank you all for the support!
Mauricio.
From: Alexander [mailto:forsmbg at googlemail.com]
Sent: Friday, March 12, 2010 05:56
To: samba at lists.samba.org; Maurício Ramos
Subject: Re: [Samba] Samba + Antivirus

2010/3/11 Maurício Ramos <Mauricio.Ramos at wedotechnologies.com>
-- clamd.conf --
LocalSocket /home/clamav/clamd.socket

-- vscan-clamav.conf --
clamd socket name = /home/clamav/clamd.sock

Looks like you've got a discrepancy/typo in your clamav and samba-vscan config files that is causing that.

cheers,
Alexander
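As an added example (not from the thread or from the samba-vscan project), a small POSIX sh check that parses the two config files from the setup steps above and reports the socket-path discrepancy Alexander spotted before smbd is restarted. It assumes the directive formats shown in the thread ("LocalSocket <path>" in clamd.conf, "clamd socket name = <path>" in vscan-clamav.conf) and writes constructed sample files that reproduce the typo.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check the clamd socket path in
# clamd.conf against the one samba-vscan is told to use in vscan-clamav.conf.
# Assumes the directive formats shown in the thread: "LocalSocket <path>" and
# "clamd socket name = <path>". The sample configs below are constructed.

# Print the value of a "Key value" directive (clamd.conf style); first match wins.
clamd_directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the value of a "key = value" option (vscan-clamav.conf style), skipping comments.
vscan_option() {
    awk -v key="$2" -F'=' '
        /^[[:space:]]*[#;]/ { next }
        {
            k = $1; sub(/^[[:space:]]+/, "", k); sub(/[[:space:]]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 when both files name the same socket, 1 otherwise (reason on stderr).
check_socket_match() {
    clamd_sock=$(clamd_directive "$1" LocalSocket)
    vscan_sock=$(vscan_option "$2" "clamd socket name")
    if [ -z "$clamd_sock" ] || [ -z "$vscan_sock" ]; then
        echo "missing socket setting (clamd='$clamd_sock' vscan='$vscan_sock')" >&2
        return 1
    fi
    if [ "$clamd_sock" != "$vscan_sock" ]; then
        echo "MISMATCH: clamd listens on '$clamd_sock' but samba-vscan uses '$vscan_sock'" >&2
        return 1
    fi
    echo "OK: both sides use '$clamd_sock'"
}

# Constructed sample configs reproducing the typo from the thread (.socket vs .sock).
tmp=$(mktemp -d)
printf 'LogFile /home/clamav/clamd.log\nLocalSocket /home/clamav/clamd.socket\nUser clamav\n' > "$tmp/clamd.conf"
printf '[samba-vscan]\nscan on open = yes\nclamd socket name = /home/clamav/clamd.sock\n' > "$tmp/vscan-clamav.conf"
check_socket_match "$tmp/clamd.conf" "$tmp/vscan-clamav.conf" || echo "fix the socket path before restarting smbd"
rm -rf "$tmp"
```

Run it against the real /etc/clamd.conf and /etc/samba/vscan-clamav.conf paths instead of the sample files to check a live installation.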