
On-access antivirus scanning for Samba

Good day, dear users of Habr.

After yet another outbreak of virus activity in our organization's network folder, I started thinking about its antivirus protection. The folder in question is a Samba share, with Samba running on Debian Wheezy.

Turning to Google for information, I found 2 methods that are currently relevant:

Method 1 - use clamfs

Clamfs mediates between the protected (mount point) directory and the ordinary (backing) directory. When a file is read (copied) from the protected directory, the clamav-daemon automatically checks it for viruses. It needs the FUSE kernel module to work.

This method is good, but my Samba runs in an LXC container. I had no confidence in the stability of the combination of the FUSE kernel module and an LXC container (and did not want to touch the host machine, where services other than mine are running), so I settled on method 2.

Method 2 - use the Samba vfs module svs (samba virus scanner)

According to the developers, the svs module is in principle able to use any antivirus as a backend, but at the moment only ClamAV is supported.

Here is a short howto on installing this module, using Debian Wheezy (Samba 3.6.6) as an example:

1.) First of all, install clamav
apt-get install clamav-daemon clamav-freshclam 

Update the virus database
 freshclam 

Start the daemon
 /etc/init.d/clamav-daemon start 

2.) The svs module is not in the repositories, so install the packages needed to build it
 apt-get install build-essential qt4-qmake libqt4-dev 

Download the samba sources and build the headers the module needs
 apt-get source samba
 cd samba-3.6.6/source3
 ./configure
 make

Download the svs module source from the sourceforge site into the /tmp directory.
Back in the top-level samba-3.6.6 source directory, unpack and compile it:
 cd samba-3.6.6
 bzcat /tmp/svs-0.1.4.tar.bz2 | tar xvf -
 cd svs
 qmake && make

Copy the svs module into Samba's vfs modules directory.
On a 32 bit system:
 cp --no-dereference libsvs*.so* /usr/lib/samba/vfs/ 

On a 64-bit system:
 cp --no-dereference libsvs*.so* /usr/lib64/samba/vfs/ 

So, the module is in place; now you need to create a configuration file for it, /etc/samba/svs.ini, with the following content:

 [SVS]
 maxParallelScans=6
 maxCachedResults=10000
 statisticsLogInterval=500
 statisticsLogThreadUtil=false
 clamdscanCommand=clamdscan
 postScanSleep=100
 infectAction=quarantine
 quarantineDirectory=/home/viruses
 scanOnOpen=true
 scanOnClose=true
 turboMode=false
 maxScannerHeartbeatAge=0
 maxQueuedRequests=24
 waitPendingScans=false

Let's go through the parameters:

maxParallelScans - the maximum number of parallel scans (I set it to the number of processor cores)
maxCachedResults - the maximum number of cached scan results
statisticsLogInterval - time in milliseconds between entries in the scanner's log
statisticsLogThreadUtil - log thread utilization
clamdscanCommand - the command used to start a clamav scan
postScanSleep - time in milliseconds for which the scanning process "falls asleep" after a scan (to reduce the load on clamav)
infectAction - the action to take when a virus is detected. Can be 'none', 'delete' or 'quarantine'
quarantineDirectory - the directory into which found viruses are placed
scanOnOpen - scan when a file is opened
scanOnClose - scan when a file is closed
maxScannerHeartbeatAge - the maximum time in milliseconds after which svs replaces the scanning thread with the next one in the queue. If set to less than 1000, this option is considered disabled.
maxQueuedRequests - the maximum number of scan requests waiting in the queue (4 x maxParallelScans)
waitPendingScans - do not close the scan session while there are still scan requests in the queue

Now enable the svs vfs module in Samba. To do this, add the following option to the share definitions in smb.conf
 vfs objects = libsvs_clamav 
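Before restarting Samba it is worth checking that the svs.ini actually says what you meant and that every share loads the module. The script below is an added example and is not code from the original post or from the svs project; it encodes the parameter rules described above (allowed infectAction values, the 4 x maxParallelScans queue size, the "under 1000 means disabled" heartbeat rule) plus one check of my own (both scanOnOpen and scanOnClose set to false leaves nothing scanned). The file paths under a temporary directory and the sample svs.ini / smb.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the svs project.
# Sanity-checks an svs.ini and the smb.conf share definitions before Samba
# is restarted. Paths and sample contents below are constructed.

# Print the value of KEY from a flat key=value ini file (first match wins).
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//'
}

# True when the argument is a non-negative integer.
is_uint() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Validate an svs.ini. Errors make the function return 1; warnings only print.
check_svs_ini() {  # check_svs_ini FILE
    f=$1; rc=0
    action=$(ini_get "$f" infectAction)
    case "$action" in
        none|delete) ;;
        quarantine)
            [ -n "$(ini_get "$f" quarantineDirectory)" ] \
                || { echo "ERROR: infectAction=quarantine needs quarantineDirectory"; rc=1; } ;;
        *) echo "ERROR: infectAction must be none, delete or quarantine (got '$action')"; rc=1 ;;
    esac

    [ -n "$(ini_get "$f" clamdscanCommand)" ] \
        || { echo "ERROR: clamdscanCommand is not set"; rc=1; }

    par=$(ini_get "$f" maxParallelScans)
    if ! is_uint "$par" || [ "$par" -lt 1 ]; then
        echo "ERROR: maxParallelScans must be an integer >= 1 (got '$par')"; rc=1
    else
        q=$(ini_get "$f" maxQueuedRequests)
        # The post sizes the queue at 4 x maxParallelScans; smaller is only a warning.
        if ! is_uint "$q" || [ "$q" -lt $((par * 4)) ]; then
            echo "WARNING: maxQueuedRequests=$q is below 4 x maxParallelScans ($((par * 4)))"
        fi
    fi

    hb=$(ini_get "$f" maxScannerHeartbeatAge)
    # Values under 1000 ms are treated by svs as "disabled"; say so explicitly.
    if is_uint "$hb" && [ "$hb" -gt 0 ] && [ "$hb" -lt 1000 ]; then
        echo "WARNING: maxScannerHeartbeatAge=$hb is below 1000 and is treated as disabled"
    fi

    # My own check: with both hooks off, no file on the share is ever scanned.
    if [ "$(ini_get "$f" scanOnOpen)" = false ] && [ "$(ini_get "$f" scanOnClose)" = false ]; then
        echo "ERROR: scanOnOpen and scanOnClose are both false; nothing would be scanned"; rc=1
    fi
    return $rc
}

# Print the share sections of an smb.conf that do not load libsvs_clamav
# through "vfs objects"; return 1 when at least one share is missing it.
shares_without_svs() {  # shares_without_svs SMBCONF
    out=$(awk '
        function flush() { if (sec != "" && sec != "global" && !seen) print sec }
        /^[[:space:]]*\[/ { flush(); sec = $0
                            gsub(/^[[:space:]]*\[|][[:space:]]*$/, "", sec); seen = 0; next }
        /^[[:space:]]*vfs objects[[:space:]]*=.*libsvs_clamav/ { seen = 1 }
        END { flush() }' "$1")
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

TMP=$(mktemp -d)

# Constructed svs.ini matching the settings from the post.
cat > "$TMP/svs.ini" <<'EOF'
[SVS]
maxParallelScans=6
maxCachedResults=10000
clamdscanCommand=clamdscan
infectAction=quarantine
quarantineDirectory=/home/viruses
scanOnOpen=true
scanOnClose=true
maxScannerHeartbeatAge=0
maxQueuedRequests=24
waitPendingScans=false
EOF

# Constructed broken ini: unknown action, queue too small, heartbeat under 1000 ms.
cat > "$TMP/bad.ini" <<'EOF'
[SVS]
maxParallelScans=4
clamdscanCommand=clamdscan
infectAction=purge
scanOnOpen=true
scanOnClose=false
maxScannerHeartbeatAge=500
maxQueuedRequests=8
EOF

# Constructed smb.conf: one share loads the module, one does not.
cat > "$TMP/smb.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
[docs]
   path = /srv/samba/docs
   vfs objects = libsvs_clamav
[public]
   path = /srv/samba/public
EOF

check_svs_ini "$TMP/svs.ini" && echo "svs.ini: OK"
check_svs_ini "$TMP/bad.ini" || echo "bad.ini: has errors"
shares_without_svs "$TMP/smb.conf" || echo "the shares listed above do not load libsvs_clamav"
```

Run it against the real /etc/samba/svs.ini and /etc/samba/smb.conf by passing those paths to check_svs_ini and shares_without_svs; a share that is missing from the first list but visible to users is exactly the one that stays unscanned after the restart.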

Finally, restart Samba
 /etc/init.d/samba restart 


That's it. This completes the configuration of on-access antivirus scanning for Samba using the svs vfs module.

At the moment my samba + svs combination has been working without interruption for 2 months.
As for server load: on a Xeon E31230, the load average (LA) does not rise above 3 with 50 users working simultaneously.

References:

README by the developer of the SVS module: sourceforge.net/p/svs/code/HEAD/tree/trunk/README
A good article that helped a lot with the setup: scottlinux.com/2011/09/06/clamav-virus-on-access-scanning-for-samba-shares

Source: https://habr.com/ru/post/205326/

