Old 10-25-2009, 09:01 PM   #1
LQ Newbie
Registered: Oct 2009
Posts: 2

Rep: Reputation: 0
Samba with Anti-virus active denial?

I desire an antivirus solution that can actively block writes before commits on samba.
I went through a few well-known Antivirus software for Samba on the web, but most trial commercial versions do not offer a specific Samba VFS (vscan) module compilation instruction. Clam's on-demand scan detects/deletes but cannot disinfect. So in the end, that left me with 1 choice, Kaspersky for Samba v5.5.14 trial. But Kaspersky active denial isn't working properly. I posted this problem on their forums but no one bothers to reply.

How I Test:
Kaspersky is able to block the read access of infected files, but is unable to prevent a file from being infected on the share through samba in the first place.
1. I place an EICAR virus signature file into the share (or modify an existing dummy file with the EICAR signature)
2. Kaspersky does not block the write (I don't want this)
3. I attempt to copy out or open back the same file.
4. Kaspersky blocks.

CheckOnClose= Yes

What I want:
What I really want is to prevent the shares from being infected by irresponsible users in the first place. Is there anything I should do to configure samba or VFS properly? Or is it a missing feature? Or is there another antivirus that can do the job? I'll even consider Clam if it can do that.

My Setup:
I help to admin a test lab environment with the following

1 Centos 4.8 Multi-purpose Server (inclusive of File server)
3000 test PCs pulling and pushing files (through samba and http)

The test PCs are at various times inside MS-DOS, XP/Vista, Linux, RTOS environments.
Password protection for the samba share is impossible (because we need to use client for MS-DOS), so this is a very big hole for certain Win32 virus (example Win32.Almanahe.c).

We have wasted a lot of valuable productivity due to 2 previous incidents of irresponsible users plugging infected systems into the network, which was the Win32.Almanahe.c, and proceeded to overwrite executables on the unprotected network share. Background scan is not an option because the other test PCs may be scripted to pull and run the executables for tests at any time.

Last edited by csyang; 10-25-2009 at 09:04 PM.
Old 11-16-2009, 10:52 PM   #2
Registered: Apr 2006
Location: Twentynine Palms, California
Distribution: Fedora, Ubuntu
Posts: 40
Blog Entries: 14

Rep: Reputation: 15
Can I say that it may not be that people don't bother to reply, but it's supposed to be the job of the client (in typical configurations) to ensure that the file is cleaned? Perhaps you should ensure that users are using an active antivirus program. Otherwise, install an active agent/daemon on the server for this. Sometimes, this is something that would be helpful if added to a program.
Old 11-17-2009, 12:57 AM   #3
LQ Newbie
Registered: Oct 2009
Posts: 2

Original Poster
Rep: Reputation: 0
I think most antivirus software has an active agent/daemon capability.

The problem is of all the combinations that I have tested for samba/Linux so far, none of them can block before the write is committed, in other words, before the file is "corrupted". They only block when a read access is attempted on a "corrupted" file.

However, most antivirus agents for Windows are able to block before corruption.

From my POV, it is halfway pointless, when the file has been corrupted and I have to initiate a manual restore from a backup that could be several days behind. The large size of our file server (8TB) makes daily backups quite impossible.

As much as I would like to enforce an anti-virus client policy, chances are there are users who do not share the same sense of responsibility. It's my job to fix when things go wrong and not theirs.
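The behaviour asked for above (reject an infected write before it replaces a good file) can be illustrated with a stage-then-promote pattern. This is an added example, not part of the thread and not Kaspersky or Samba code; the directory layout, function names, and the marker-based `is_infected` stand-in for a real scanner are assumptions.

```python
import os
import shutil
import tempfile

# Stand-in for a real AV engine (assumption): flags the EICAR test marker only.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"

def is_infected(path):
    with open(path, "rb") as fh:
        return EICAR_MARKER in fh.read()

def commit_if_clean(staged, dest, quarantine_dir):
    """Promote staged upload to dest only if clean; True if dest was replaced."""
    if is_infected(staged):
        # Rejected upload goes to quarantine; the file at dest is never touched.
        os.makedirs(quarantine_dir, exist_ok=True)
        shutil.move(staged, os.path.join(quarantine_dir, os.path.basename(dest)))
        return False
    os.replace(staged, dest)  # atomic if staging and share are one filesystem
    return True

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: tool.exe on the share receives two uploads."""
    root = tempfile.mkdtemp()
    share, staging, quarantine = (os.path.join(root, d)
                                  for d in ("share", "staging", "quarantine"))
    os.makedirs(share)
    os.makedirs(staging)
    dest = os.path.join(share, "tool.exe")
    write(dest, b"clean build 1")
    write(os.path.join(staging, "up1"), b"MZ" + EICAR_MARKER)   # constructed
    bad_ok = commit_if_clean(os.path.join(staging, "up1"), dest, quarantine)
    after_bad = read(dest)
    write(os.path.join(staging, "up2"), b"clean build 2")        # constructed
    good_ok = commit_if_clean(os.path.join(staging, "up2"), dest, quarantine)
    result = (bad_ok, after_bad, good_ok, read(dest), os.listdir(quarantine))
    shutil.rmtree(root)
    return result

if __name__ == "__main__":
    print(demo())
```

Clients pulling `tool.exe` only ever see a version that passed the scan, which is the difference from scanning after the overwrite has already happened.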
Old 11-17-2009, 09:22 PM   #4
Registered: Apr 2006
Location: Twentynine Palms, California
Distribution: Fedora, Ubuntu
Posts: 40
Blog Entries: 14

Rep: Reputation: 15
I'll have to say that that's a terrible policy. An IT guy should be in charge of the network. Your leadership is failing you. I'm sorry that I can't answer further. I don't worry about viruses on my network because I have too few Windows machines.

