LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 04-05-2009, 08:40 PM   #1
GameSky
Member
 
Registered: May 2007
Posts: 31

Rep: Reputation: 15
Antivirus filter for storage server?


Hi, I just recently helped my friend install his Linux box, where he uses the Linux box as a file storage server among his friends. The server is connected to the LAN and also has an internet connection.

I'm using Samba for the service, where it has multiple private folders [requires username/password to access] and a few public folders, where anyone can access and write data.

Now the problem is that certain users in his group unintentionally stored "infected" files, which caused some problems for other users as well when they accidentally executed the files.

So I want to ask: is there any service or function that allows the server to scan any incoming traffic and filter out any possibly infected files being shared/stored on the server?

Setup

Network connection:
- A DSL modem connected to an 8-port switch

Server:
- Fedora-distro Linux box.
- Connected to LAN via cable.
- Samba used as file sharing service.
- Connected to the internet.

Clients:
- 5 computers, all running Windows XP.
- All of them connected via LAN cable.
- Have internet connection as well.

Pardon me for my bad English, and thanks in advance!
 
Old 04-05-2009, 09:41 PM   #2
AsusDave
Member
 
Registered: Jul 2008
Distribution: Debian, Ubuntu 10.04
Posts: 151

Rep: Reputation: 34
I would recommend ClamAV. Set it up as a daemon to automatically get any new updates and scan new files. It should be pretty easy to set up.

HTH
Dave

I did a little searching after my post and see that ClamAV is designed for mail servers so it "may" work for what you want. In either case, I think the principle is sound.

Last edited by AsusDave; 04-05-2009 at 09:49 PM.
 
Old 04-06-2009, 01:28 AM   #3
GameSky
Member
 
Registered: May 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks AsusDave... I'll give ClamAV a try, yeah I read about ClamAV earlier and most of the settings are for the mail server. Probably I missed out somewhere on scanning the new files.

Thanks and I'll give ClamAV a try later on when I'm going to his dorm, I'll post up the status later.
 
Old 04-06-2009, 03:00 AM   #4
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Quote:
Originally Posted by AsusDave
I would recommend ClamAV. Set it up as a daemon to automatically get any new updates and scan new files. It should be pretty easy to set up.

HTH
Dave

I did a little searching after my post and see that ClamAV is designed for mail servers so it "may" work for what you want. In either case, I think the principle is sound.
No, there's a file based version (clamscan) that scans files on disk.

You may want to tie clamscan in with incrontab or some other method to automatically scan new files, unless there's some form of Samba add-on to call it when a file is saved.
 
Old 04-06-2009, 04:50 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by billymayday
You may want to tie clamscan in with incrontab or some other method to automatically scan new files, unless there's some form of Samba add-on to call it when a file is saved.
There's a Linux kernel module AV can interface with called Dazuko. YMMV(VM) though: even if __dpath() is exported it may crash stock kernels so a kernel patch and rebuild may be in order. Also the project seems a wee bit stale.


Quote:
Originally Posted by GameSky
I'll give ClamAV a try later on when I'm going to his dorm, I'll post up the status later.
If you have a good stash of w32 malware samples what you could do is test-drive different AV products. While ClamAV is clearly OSS and promoted a lot, and I'm not a proponent of commercial AV SW, other commercial vendors like Bitdefender, F-Prot, Panda (others are easy to search for) may offer freely usable products as well. The best reason for testing is finding differences in maturity of AV engines, performance and reporting. If you take ClamAV for instance you'll find there's a difference in features between clamscan and clamdscan and how they will report things.

Still there's nothing like prevention (also see modifying users' behaviour), and running up to date AV on each mcrsft arcade game console should be considered mandatory. There are also Squid proxy setups that run OSS AV like ICAP or HAVP (which for instance IPCOP rebrands as "Copfilter") ...

Last edited by unSpawn; 04-06-2009 at 05:01 AM. Reason: more *is* more...
 
Old 04-06-2009, 08:56 PM   #6
GameSky
Member
 
Registered: May 2007
Posts: 31

Original Poster
Rep: Reputation: 15
@billymayday: So I just set it up under incrontab to scan the new files arriving on the disk?

unSpawn: Yeah, plenty of them in their shared folder, mostly those common w32 autorun viruses that spread from the USB drives among them.

Haven't heard about Dazuko, but thanks for the heads-up, and thanks for the help guys.
 
Old 04-07-2009, 06:26 AM   #7
AsusDave
Member
 
Registered: Jul 2008
Distribution: Debian, Ubuntu 10.04
Posts: 151

Rep: Reputation: 34
Billymayday - Thanks for the info on clamscan. Now I know!! :-)

Unspawn - I think you make a couple of really good points. Not "everything" software has to be free and the best antivirus/malware/phishing defense is a smart user.
 
Old 04-09-2009, 05:26 PM   #8
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I had a bit of a play around with incron, and realised that it doesn't monitor recursively so that may be an issue for you.

There is also a samba-vscan VFS module for Samba here (http://www.openantivirus.org/projects.php), but I'm not sure how up to date it is. Never used it myself.
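
An added example, not posted by anyone in this thread: since incron does not watch directories recursively, one alternative is a cron job that walks the whole share tree with find and hands files changed since the last run to clamscan, moving detections out of the share. The directory paths, the stamp file and the `SCANNER` override are assumptions made for illustration.

```shell
#!/bin/sh
# Cron-driven recursive scan of a Samba share tree (added example).
# Assumed, not from the thread: directory layout, stamp file, SCANNER override.
# clamscan exit status: 0 = clean, 1 = virus found, 2 = error.
SCANNER="${SCANNER:-clamscan}"

# scan_new_files SHARE_DIR QUARANTINE_DIR STAMP_FILE
# Scans regular files under SHARE_DIR whose ctime is newer than STAMP_FILE,
# moves infected ones into QUARANTINE_DIR and prints how many were moved.
# QUARANTINE_DIR must sit outside SHARE_DIR and outside any Samba share.
scan_new_files() {
    share=$1 quarantine=$2 stamp=$3
    mkdir -p "$quarantine" && chmod 700 "$quarantine" || return 2
    # First run: backdate the stamp so the whole tree is scanned once.
    [ -e "$stamp" ] || touch -t 197001020000 "$stamp"
    # Take the next stamp before scanning, so files written mid-scan
    # are picked up by the following run instead of being skipped.
    touch "$stamp.next"
    # -cnewer (GNU find) compares ctime: SMB clients often preserve the
    # original mtime on copy, so -newer would miss freshly uploaded files.
    find "$share" -type f -cnewer "$stamp" -exec sh -c '
        scanner=$1 quarantine=$2 n=0; shift 2
        for f in "$@"; do
            rc=0
            "$scanner" --no-summary "$f" >/dev/null 2>&1 || rc=$?
            if [ "$rc" -eq 1 ]; then
                n=$((n + 1))
                mv -- "$f" "$quarantine/$(date +%s).$$.$n.${f##*/}" && echo moved
            elif [ "$rc" -ne 0 ]; then
                echo "scan error ($rc): $f" >&2
            fi
        done
    ' sh "$SCANNER" "$quarantine" {} + | wc -l | tr -d ' '
    mv -- "$stamp.next" "$stamp"
}

# Example cron entry (script name and paths are assumptions):
#   */5 * * * * /usr/local/sbin/share-scan.sh
# where share-scan.sh ends with:
#   scan_new_files /srv/samba /var/quarantine /var/lib/share-scan.stamp
```

Between runs an infected file stays readable on the share, so this narrows the exposure window rather than blocking the write the way an on-access hook would.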
 