So, lets arm our Samba to protect users from viruses hidden in the shared directories. In Ubuntu and other *nix distros, we can use free Clamav antivirus plugged in to Samba which is called clamav-scan. *nix distros usually provide ready-to-install binary of clamav-scan. But Ubuntu does not. So you must compile the plug in manually.
Enough for the intro, now we'll begin arming the Samba in Ubuntu (my Ubuntu version is 7.04 feisty fawn) . Don't be rush. You must follow test instruction before proceeding the next step.
1. Prepare package Clamav and supporting packages
apt-get install clamav arj unzoo lha clamav-freshclam clamav-daemon clamav-testfiles build-essential
You may also need build-essential package
Test: Please make sure that we can scan infected files.
clamscan -ir /usr/share/clamav-testfiles
We should see lines like the following:
----------- SCAN SUMMARY -----------
Known viruses: 266917
Engine version: 0.91.2
Scanned directories: 1
Scanned files: 7
Infected files: 6
Data scanned: 0.00 MB
Time: 3.762 sec (0 m 3 s)
2. Prepare packages to install clamav-scan into Samba
apt-get install dpkg-dev
apt-get source samba
apt-get build-dep samba
wget -c http://optusnet.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.6b.tar.bz2
tar -jxvf samba-vscan-0.3.6b.tar.bz2 -C /usr/src
make && make install
Now the vscan-clamav module is ready to use
4. Configuring Samba to cooperate with vscan-clamav
cp /usr/src/samba-vscan-0.3.6b/clamav/vscan-clamav.conf /etc/samba/vfs-config/
change some values in the /etc/../vfs-config/vscan-clamav.conf:
clamd socket name = /var/run/clamav/clamd.ctl
infected files action = quarantine
; By default, the quarantine directory is /tmp
; quarantine directory = /mnt/office-shared-files/.quarantine
Add some values in samba config file: /etc/samba/smb.conf. We may add this line under [global] configuration or specific directory configuration
vfs objects = vscan-clamav
vscan-clamav: config-file = /etc/samba/vfs-config/vscan-clamav.conf
5. We must recompile vscan-clamav if we upgrade our Samba. To lock Samba version from upgrading, we must do this:
echo samba hold | dpkg --set-selections
echo samba install | dpkg --set-selections
6. Now restart Samba
7. See vscan-clamav in action
- Just copy /usr/share/clamav-testfiles to shared writable directory of Samba so it can be accessed by Windows users. The files inside are harmless to Windows but make clamav assume them as infected files.
- We can see that Samba has denied us from copying the file out. Instead we'll see the files has been moved to /tmp/var-*****.
- Later, we can see that Samba users can not copy infected files into the shared directory of Samba.