LinuxQuestions.org


csyang 10-25-2009 09:01 PM

Samba with Anti-virus active denial?
 
Scenario:
I desire an antivirus solution that can actively block writes before commits on samba.
I went through a few well-known antivirus products for Samba on the web, but most trial commercial versions do not offer specific Samba VFS (vscan) module compilation instructions. Clam's on-demand scan detects/deletes but cannot disinfect. So in the end, that left me with 1 choice, Kaspersky for Samba v5.5.14 trial. But Kaspersky active denial isn't working properly. I posted this problem on their forums but no one bothers to reply.

How I Test:
Kaspersky is able to block read access to infected files, but is unable to prevent a file from being infected on the share through Samba in the first place.
Example:
1. I place an EICAR virus signature file into the share (or modify an existing dummy file with the EICAR signature)
2. Kaspersky does not block the write (I don't want this)
3. I attempt to copy out or open back the same file.
4. Kaspersky blocks.

[samba.shares]
CheckOnOpen=Yes
CheckOnClose=Yes

What I want:
What I really want is to prevent the shares from being infected by irresponsible users in the first place. Is there anything I should do to configure samba or VFS properly? Or is it a missing feature? Or is there another antivirus that can do the job? I'll even consider Clam if it can do that.


My Setup:
I help to admin a test lab environment with the following

1 Centos 4.8 Multi-purpose Server (inclusive of File server)
3000 test PCs pulling and pushing files (through samba and http)

The test PCs are at various times inside MS-DOS, XP/Vista, Linux, RTOS environments.
Password protection for the samba share is impossible (because we need to use the client for MS-DOS), so this is a very big hole for certain Win32 viruses (example Win32.Almanahe.c).

We have wasted a lot of valuable productivity due to 2 previous incidents of irresponsible users plugging infected systems into the network, which was the Win32.Almanahe.c, and proceeded to overwrite executables on the unprotected network share. Background scan is not an option because the other test PCs may be scripted to pull and run the executables for tests at any time.

Indymaynard 11-16-2009 10:52 PM

Can I say that it may not be that people don't bother to reply, but it's supposed to be the job of the client (in typical configurations) to ensure that the file is cleaned? Perhaps you should ensure that users are using an active antivirus program. Otherwise, install an active agent/daemon on the server for this. Sometimes, this is something that would be helpful if added to a program.

csyang 11-17-2009 12:57 AM

I think most antivirus software has an active agent/daemon capability.

The problem is that, of all the combinations that I have tested for samba/Linux so far, none of them can block before the write is committed, in other words, before the file is "corrupted". They only block when a read access is attempted on a "corrupted" file.

However, most antivirus agents for Windows are able to block before corruption.

From my POV, it is halfway pointless, when the file has been corrupted and I have to initiate a manual restore from a backup that could be several days behind. The large size of our file server (8TB) makes daily backups quite impossible.

As much as I would like to enforce an anti-virus client policy, chances are there are users who do not share the same sense of responsibility. It's my job to fix when things go wrong and not theirs. :(
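
The gap described in the post above (reads of an infected file are blocked, but the overwrite has already destroyed the original) can be reproduced in a small local simulation. This is an added example, not part of the thread and not Samba or Kaspersky code: `is_infected`, `unchecked_write`, `guarded_read` and `gated_write` are hypothetical names, and a constructed byte marker stands in for the EICAR signature and the AV engine.

```python
import os
import tempfile

TEST_SIGNATURE = b"CONSTRUCTED-AV-TEST-SIGNATURE"  # constructed stand-in for the EICAR string

def is_infected(data):
    """Hypothetical scanner hook; a real deployment would call the AV engine here."""
    return TEST_SIGNATURE in data

def unchecked_write(path, data):
    """Behaviour described in the thread: the write lands, only later reads are checked."""
    with open(path, "wb") as f:
        f.write(data)

def guarded_read(path):
    """Check-on-open: refuse to serve a file that scans as infected."""
    with open(path, "rb") as f:
        data = f.read()
    if is_infected(data):
        raise PermissionError("read blocked: " + path)
    return data

def gated_write(path, data):
    """Scan before commit: stage beside the target, scan, then rename atomically."""
    fd, staged = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".staged-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        with open(staged, "rb") as f:
            if is_infected(f.read()):
                return False          # rejected: the existing target is untouched
        os.replace(staged, path)      # atomic when both are on one filesystem
        return True
    finally:
        if os.path.exists(staged):
            os.unlink(staged)         # drop the rejected staging copy

def demo():
    good, bad = b"known-good tool", b"overwritten " + TEST_SIGNATURE
    result = {}
    with tempfile.TemporaryDirectory() as share:
        for name, writer in (("on_open", unchecked_write), ("pre_commit", gated_write)):
            target = os.path.join(share, name + ".exe")
            gated_write(target, good)  # seed the share with a clean file
            writer(target, bad)        # an infected client overwrites it
            try:
                result[name] = guarded_read(target)
            except PermissionError:
                result[name] = None    # read blocked, but the original is already gone
    return result
```

`demo()` returns `None` for the check-on-open policy (the read is refused and the clean file has been lost) and the original bytes for the scan-before-commit policy.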

Indymaynard 11-17-2009 09:22 PM

I'll have to say that that's a terrible policy. An IT guy should be in charge of the network. Your leadership is failing you. I'm sorry that I can't answer further. I don't worry about viruses on my network because I have too few Windows machines.


All times are GMT -5.