On 10.10.2022 at 11:01, Rowland Penny via samba wrote:
>
> On 10/10/2022 08:27, lists--- via samba wrote:
>> Good morning list :)
>>
>> I have a Debian-Bullseye system running as an ad-member server, using
>> Louis' 4.15 version.
>>
>> Now I wanted to add the virusscan feature, but it seems it doesn't
>> work properly ...
>>
>> As you can see in the log-entries, vfs-object [virusfilter] gets loaded
>> ... and eicar.com-file could be stored.
>
>>         virusfilter:rename suffix = .infected
>>         virusfilter:infected file command = echo -e "Found virus during on-access scanning of Samba share." | mail -s"Samba: Virus Found" %EMAIL-ADRESS%
>>         virusfilter:scan error command = echo -e "Scan error during on-access scanning of Samba share." | mail -s"Samba: Scan Error" %EMAIL-ADRESS%
>> [...]
>>
>> Is something missing? Or interfering?
>>
>> Thanks in advance!
>>
>> Cheers,
>> Torsten
>>
>
> I do not use the virus scanner, but could this be something as simple as
> you having to use the full path for 'echo' or do you have to run a
> script as in the example that samba provides ?
>
> Rowland

For testing I changed these lines ... but the result is the same, and
put them on [global] and next try on [public]:

    vfs objects = virusfilter
    virusfilter:scanner = clamav
    virusfilter:socket path = /var/run/clamav/clamd.ctl
    virusfilter:scan on open = yes
    virusfilter:scan on close = no
    virusfilter:max file size = 100000000
    virusfilter:min file size = 10
    virusfilter:connect timeout = 300000
    virusfilter:io timeout = 600000
    virusfilter:infected file action = rename
    virusfilter:rename prefix = virusfilter.
    virusfilter:rename suffix = .infected

Restarting samba and copying the eicar.com-file again shows this in the log:

    [2022/10/10 11:13:33.573839, 2] ../../source3/smbd/open.c:1611(open_file)
      nobody opened file eicar.com read=No write=No (numopen=2)
    [2022/10/10 11:13:33.577165, 2] ../../source3/smbd/close.c:833(close_normal_file)
      nobody closed file eicar.com (numopen=0) NT_STATUS_OK
    [2022/10/10 11:13:33.578962, 2] ../../source3/smbd/open.c:1611(open_file)
      nobody opened file eicar.com read=No write=No (numopen=2)
    [2022/10/10 11:13:33.581848, 2] ../../source3/smbd/close.c:833(close_normal_file)
      nobody closed file eicar.com (numopen=0) NT_STATUS_OK

At least it should rename the file, shouldn't it?

Starting clamscan manually on that share finds the "virus":

    /srv/samba/public/eicar.com: Win.Test.EICAR_HDB-1 FOUND

    netstat -lnp | grep -E "clam"
    tcp        0      0 0.0.0.0:3310            0.0.0.0:*               LISTEN      36374/clamd
    unix  2      [ ACC ]     STREAM     HÖRT         70497    36374/clamd          /var/run/clamav/clamd.ctl

Cheers,
Torsten
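
One way to check that clamd answers scan requests on the socket path named in the configuration above, independently of smbd. This is an added example, not part of the original thread; it speaks clamd's INSTREAM command directly, and the function names and chunk size are choices made here.

```python
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # "virusfilter:socket path" from the post
CHUNK = 8192                                # arbitrary chunk size chosen for this example


def instream_frames(data: bytes) -> bytes:
    """Encode data as a clamd INSTREAM request: null-terminated command,
    then chunks prefixed with a 4-byte big-endian length, then a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), CHUNK):
        chunk = data[i:i + CHUNK]
        out.append(struct.pack("!I", len(chunk)) + chunk)
    out.append(struct.pack("!I", 0))
    return b"".join(out)


def parse_reply(raw: bytes):
    """Map a clamd reply to (verdict, detail); verdict is clean, infected or error."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, result = text.partition(": ")
    if result == "OK":
        return ("clean", "")
    if result.endswith(" FOUND"):
        return ("infected", result[:-len(" FOUND")])
    return ("error", result or text)


def scan_bytes(data: bytes, path: str = CLAMD_SOCKET, timeout: float = 10.0):
    """Send data to clamd over its Unix socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)  # raises PermissionError / FileNotFoundError if unreachable
        s.sendall(instream_frames(data))
        raw = b""
        while not raw.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            raw += part
    return parse_reply(raw)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(scan_bytes(fh.read()))
```

Run it with a file path as the only argument. It talks to clamd only, so an `infected` verdict confirms that the daemon and socket work but says nothing about whether smbd is calling the scanner.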