Hi All!

I would like to ask if it's possible to check the content of quarantine in case of zfs uses vscand + antivirus. So is there any command to list all the infected files in a dataset?

Best Regards,
bzg

--
Zoltan Gyula Beck
Tel.: +36-70-328-9306
E-Mail: beckzg at gmail.com

On 02/ 9/11 09:57 PM, Zoltan Gyula Beck wrote:
> I would like to ask if it's possible to check the content of
> quarantine in case of zfs uses vscand + antivirus. So is there any
> command to list all the infected files in a dataset?

Any file which has been quarantined will have the av_quarantine bit set.

The easiest way to see that is with /usr/bin/ls, for example:

    ls -/ v foo
    rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 foo
        {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}

In the above case the file has noav_quarantined; if it had been one that vscand had marked as quarantined it would say av_quarantined instead.

There is also a compact mode; see the ls(1) man page.

    -rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 foo
                    {A-------q---}

That is what it would look like if 'foo' was quarantined.

--
Darren J Moffat

Hi Darren!

Yes, I know that way with ls, but how can I check all the infected files on a dataset which is used by a file server with millions of files?! I mean there is no official way to check infections, but I have to use some custom scripts? (find, ls, grep)

bzg

On Wed, Feb 9, 2011 at 11:33 PM, Darren J Moffat <darrenm at opensolaris.org> wrote:
> On 02/ 9/11 09:57 PM, Zoltan Gyula Beck wrote:
>>
>> I would like to ask if it's possible to check the content of
>> quarantine in case of zfs uses vscand + antivirus. So is there any
>> command to list all the infected files in a dataset?
>
> Any file which has been quarantined will have the av_quarantine bit set.
>
> The easiest way to see that is with /usr/bin/ls for example:
>
> ls -/ v foo
> rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 foo
>
> {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}
>
> In the above case the file has noav_quarantined if it had been one that
> vscand had marked as quarantined it would say av_quarantined instead.
>
> There is also a compact mode see ls(1) man page.
>
> -rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 foo
>                {A-------q---}
>
> That is what it would look like if 'foo' was quarantined.
>
> --
> Darren J Moffat
>

--
Zoltan Gyula Beck
Tel.: +36-70-328-9306
E-Mail: beckzg at gmail.com

On 02/ 9/11 11:50 PM, Zoltan Gyula Beck wrote:
> Yes, I know that way with ls, but how can I check all the infected
> files on a dataset which is used by a file server with millions of
> files?! I mean there is no official way to check infections, but I
> have to use some custom scripts? (find, ls, grep)

The quarantine bit is just an attribute of the file. ZFS is not a database so you can't do

    select name from files where files.quarantine = true;

There is no way to do this other than getting the system attributes from each file directly. The only way to do that from shell script is find/ls/grep. You could write a C program that uses the same method that ls does to get the attributes but you will still have to visit every file in the file system.

--
Darren J Moffat

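The find/ls walk described in the reply above, as an added example that is not part of the original thread. It assumes the two-line-per-file `ls -/ v` layout quoted earlier; the function names and the /tank/share sample paths are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the layout of `ls -/ v` shown
# above: a long-listing line followed by a {attr,attr,...} line per file.
AWK=${AWK:-awk}   # on Solaris set AWK=nawk (the old /usr/bin/awk lacks sub/gsub)

# Read `ls -/ v` output on stdin and print the name of every file whose
# attribute list holds av_quarantined as an exact token, so that
# noav_quarantined never matches.
quarantined_from_ls() {
    "$AWK" '
        /^[ \t]*[{].*[}][ \t]*$/ {
            gsub(/[{} \t]/, "")
            n = split($0, attr, ",")
            for (i = 1; i <= n; i++)
                if (attr[i] == "av_quarantined") { print name; break }
            next
        }
        {   # long-listing line: strip the 8 fields in front of the name,
            # keeping any spaces inside the name itself
            name = $0
            for (i = 1; i <= 8; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)
        }'
}

# Walk one dataset from its mountpoint without crossing into other file
# systems. Every regular file is still visited, as the reply says it must be.
scan_quarantined() {
    find "$1" -xdev -type f -exec /usr/bin/ls -/ v {} + | quarantined_from_ls
}

# Constructed sample listing: the paths and the last two entries are made up.
sample_listing() {
    cat <<'EOF'
-rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 /tank/share/foo
        {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}
-rw-r--r--   1 darrenm  staff       2048 Nov  5 09:12 /tank/share/bad.exe
        {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,av_quarantined,nonounlink,nooffline,nosparse}
-rw-r--r--   1 darrenm  staff        512 Nov  6 10:01 /tank/share/old report.doc
        {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,av_quarantined,nonounlink,nooffline,nosparse}
EOF
}

if [ $# -gt 0 ]; then scan_quarantined "$1"; fi
```

File names that contain a newline are not handled by this line-based parse.
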
> -----Original Message-----
> From: zfs-discuss-bounces at opensolaris.org [mailto:zfs-discuss-bounces at opensolaris.org] On Behalf Of Darren J Moffat
> Sent: Wednesday, February 09, 2011 7:21 PM
> To: Zoltan Gyula Beck
> Cc: zfs-discuss at opensolaris.org
> Subject: Re: [zfs-discuss] vscand + quarantine
>
> On 02/ 9/11 11:50 PM, Zoltan Gyula Beck wrote:
> > Yes, I know that way with ls, but how can I check all the infected
> > files on a dataset which is used by a file server with millions of
> > files?! I mean there is no official way to check infections, but I
> > have to use some custom scripts? (find, ls, grep)
>
> The quarantine bit is just an attribute of the file. ZFS is not a
> database so you can't do
>
> select name from files where files.quarantine = true;
>
> There is no way to do this other than getting the system attributes from
> each file directly. The only way to do that from shell script is
> find/ls/grep. You could write a C program that uses the same method
> that ls does to get the attributes but you will still have to visit
> every file in the file system.

Could you instead parse the log file for scan results?

http://dlc.sun.com/osol/docs/content/SYSADV6/vscan-4.html

"The system log records the name of the quarantined file and the name of the virus and, if auditing has been enabled, an audit record with the same information is created."

Maybe this could give you a list of candidate files to check vs. checking every file in the dataset.

-Will