Installation instructions for samba-vscan ***************************************** Copyright (C) by Rainer Link, 2001-2004 OpenAntiVirus.org <rainer@openantivirus.org> This software is licensed under the GNU General Public License (GPL) See COPYING file or http://www.gnu.org/copyleft/gpl.html Please read through this file in full and carefully! Contents ======== Instructions for Samba 2.2.0 to 2.2.3 Instructions for Samba >= 2.2.4 or Samba 3.0 Log checking Anti-virus product-specific information Check the license of your anti-virus product Subscribe to mailing list How to report bugs, give feedback or send patches Donations Instructions for Samba 2.2.0 to 2.2.3 ------------------------------------- The use of those versions are NOT recommended, as they contain some security vulnerabilities. Even if your vendor provides patched version to fix those issues, those Samba contain a bug which prevents the use of run-time configuration settings. Moreover, VFS support is broken in these Samba releases. I would suggest to use the latest 2.2.x release (as the time of this writing Samba 2.2.8a). To get VFS working, you have to apply the provided samba-<version>-vfs.dif, re-configure Samba (./configure --enable-vfs) and re-compile Samba. As the parsing for the "vfs options" parameter is broken in these Samba releases, you must use the compile-time settings and can not use a run-time configuration file per share. Once again, please consider to use the latest 2.2.x release. The following compile time settings are available in <product>/vscan-<product>.h, so change into the directory of the anti-virus product you want to use, i.e. cd openantivirus vi vscan-oav.h * VSCAN_SCAN_ON_OPEN: if it's set to True (default), files will be scanned on open * VSCAN_SCAN_ON_CLOSE: if it's set to True (default), files will be scanned on close * VSCAN_MAX_SIZE: scanning a (very) large file may slow down performance (too much). Therefore, you can specify if a file is larger than x bytes, it shouldn't be scanned. Please set it for your needs. If it's set to 0, all files, regardless of their file size, will be scanned. * VSCAN_DENY_ACCESS_ON_ERROR: if communication to the virus scanning daemon fails, you may either deny access to file(s) or not. You can change this behaviour via the VSCAN_DENY_ACCESS_ON_ERROR setting. If it's set to True (default), access will be _denied_. * VSCAN_DENY_ACCESS_ON_MINOR_ERROR: basically the same as VSCAN_DENY_ACCESS_ON_ERROR but related to minor errors. Not really implemented in all modules. * VSCAN_SEND_WARNING_MESSAGE: if it's set to True (default), a virus notification message via winpopup service is send to the remote client computer. On Windows95/98, the "winpopup" program must be run. * VSCAN_INFECTED_FILE_ACTION: three values are possible - INFECTED_QUARANTINE: an infected file will be renamed and moved into a specific quarantine directory (see below). If quarantining fails, the file will _not_ be deleted. - INFECTED_DELETE: an infected file will be removed - INFECTED_DO_NOTHING: the infected file will remain untouched * SCAN_QUARANTINE_DIRECTORY: the quarantine directory for infected files, default is "/tmp" - it should be a directory not reachable via (Samba) shares. Keep in mind this directory must be world-read/writable and the sticky-bit should be set. * VSCAN_QUARANTINE_PREFIX: a quarantined file will be renamed, via this setting the prefix can be specified. Default is "vir-". * VSCAN_MAX_LRUFILES: the maximum number of last recently accessed file entries, default is 100. If set to 0, the lru access mechanism is disabled. Please see chapter "Avoid multiple scans of a file caused by Windows behaviour". * VSCAN_LRUFILES_INVALIDATE_TIME: specifies the time in seconds, after an lru accessed file entry is considered as invalidated. The default is 5 seconds. Please see the chapter "Avoid multiple scans of a file caused by Windows behaviour". * VSCAN_FT_EXCLUDE_LIST: MIME-types of files to be excluded from scanning, separated by semi-colon. Wildcards are not possible. Use this feature with care. * VSCAN_FR_EXCLUDE_REGEXP: regular expression (PCRE) to exclude files from scanning based on path- and/or filename. Use this feature with care! After you may have adjusted these settings to your needs, please refer to the next section on how to actually build and install samba-vscan. Installation instructions for Samba >= 2.2.4 or Samba 3.0 --------------------------------------------------------- Step 1: Prerequisite VFS support works out-of-the-box in these Samba releases. As for compiling this module the config.h file of Samba is needed, you have to run ./configure in <samba-source>/source (yes, you need the Samba sources. A binary-only Samba installation is not sufficient). For Samba 3.0 you also have to run "make proto" in <samba-source>/source. Step 2: copying the sources (optional) You may copy recursively the complete samba-vscan directory to <samba-source>/examples/VFS and make then this directory your working directory, i.e. cp -ra samba-vscan /usr/local/src/samba/examples/VFS cd /usr/local/src/samba/examples/VFS/samba-vscan If you do this step, you do not need the configure parameter --with-samba-source=DIR later on. Step 3: compile-time settings (optional for Samba 2.2.4 and any later version): In Samba 2.2.4 and better (or Samba 3.0), the "vfs options" parsing works correctly, so you can use the run-time configuration file on a per share basis, if you like. Of course, the compile time settings are still usable (and will be overwritten by the run-time configuration file, if any) The following compile time settings are available in <product>/vscan-<product>.h, so change into the directory of the anti-virus product you want to use, i.e. cd openantivirus vi vscan-oav.h * VSCAN_SCAN_ON_OPEN: if it's set to True (default), files will be scanned on open * VSCAN_SCAN_ON_CLOSE: if it's set to True (default), files will be scanned on close * VSCAN_MAX_SIZE: scanning a (very) large file may slow down performance (too much). Therefore, you can specify if a file is larger than x bytes, it shouldn't be scanned. Please set it for your needs. If it's set to 0, all files, regardless of their file size, will be scanned. * VSCAN_DENY_ACCESS_ON_ERROR: if communication to the virus scanning daemon fails, you may either deny access to file(s) or not. You can change this behaviour via the VSCAN_DENY_ACCESS_ON_ERROR setting. If it's set to True (default), access will be _denied_. * VSCAN_DENY_ACCESS_ON_MINOR_ERROR: basically the same as VSCAN_DENY_ACCESS_ON_ERROR but related to minor errors. Not really implemented in all modules. * VSCAN_SEND_WARNING_MESSAGE: if it's set to True (default), a virus notification message via winpopup service is send to the remote client computer. On Windows95/98, the "winpopup" program must be run. * VSCAN_INFECTED_FILE_ACTION: three values are possible - INFECTED_QUARANTINE: an infected file will be renamed and moved into a specific quarantine directory (see below). If quarantining fails, the file will _not_ be deleted. - INFECTED_DELETE: an infected file will be removed - INFECTED_DO_NOTHING: the infected file will remain untouched * SCAN_QUARANTINE_DIRECTORY: the quarantine directory for infected files, default is "/tmp" - it should be a directory not reachable via (Samba) shares. Keep in mind this directory must be world-read/writable and the sticky-bit should be set. * VSCAN_QUARANTINE_PREFIX: a quarantined file will be renamed, via this setting the prefix can be specified. Default is "vir-". * VSCAN_MAX_LRUFILES: the maximum number of last recently accessed file entries, default is 100. If set to 0, the lru access mechanism is disabled. Please see section "Avoid multiple scans of a file caused by Windows behaviour". * VSCAN_LRUFILES_INVALIDATE_TIME: specifies the time in seconds, after an lru accessed file entry is considered as invalidated. The default is 5 seconds. Please see the chapter "Avoid multiple scans of a file caused by Windows behaviour". * VSCAN_FT_EXCLUDE_LIST: MIME-types of files to be excluded from scanning, separated by semi-colon. Wildcards are not possible. Use this feature with care! * VSCAN_FR_EXCLUDE_REGEXP: regular expression (PCRE) to exclude files from scanning based on path- and/or filename. Use this feature with care! Step 4: build Now run the ./configure script. If you didn't copy the samba-vscan directory to <samba-src>/examples/VFS, you must use the --with-samba-source=DIR option, which must point to the source directory of the Samba sources, e.g. ./configure --with-samba-source=/usr/local/src/samba/source (see configure --help for all available options) The configure script will detect the Samba version and flags needed for build samba-vscan. If the Samba version can not be autodetected, as e.g. your vendor uses it's own version (e.g. 3.0-vendor) please use --with-samba-version=VERSION to set the version correctly. To compile the samba-vscan backends (the VFS modules), simply type "make". If you want to build only (a) specific backend(s), simply type "make <backend1> [<backend2>]", e.g. "make fprotd" to build only the fprotd backend (vscan-fprotd.so) or "make fprotd oav sophos" to build the fprotd OpenAntiVirus and Sophos backend (vscan-fprotd.so, vscan-oav.so, vscan-sophos.so). Hint: On *BSD systems please use GNU make (gmake) instead of BSD make, e.g. "gmake" (to build all modules) or "gmake fprotd" to build only the fprotd backend. Step 5: install After compilation has finished, copy the vscan-<product>.so (i.e. vscan-oav.so) to /usr/local/samba/lib/vfs (this is the default location of Samba 3.0 - depending on your vendor/distribution, the location may vary). Otherwise, "make install" should work, too. On *BSD systems please use "gmake install" instead. If you want to use the run-time configuration file copy the corresponding .conf file to /etc/samba, i.e. cp -a openantivirus/vscan-oav.conf /etc/samba NOTE: "make install" does NOT copy configuration file(s). Step 6: configure Samba Samba 2.2.x: Edit /etc/smb.conf and add the following entry (that's only an example): [vscan] comment = virus-protected /tmp directory path = /tmp vfs object = /usr/lib/samba/vfs/vscan-oav.so vfs options = config-file = /etc/samba/vscan-oav.conf writeable = yes browseable = yes guest ok = yes Basically you have to add a vfs object line to your shares which should be virus-protected by this module. If you'd like to use the run-time configuration file, simply add the vfs options = config-file = /path/config-file (different settings for several shares can be achieved by using a different name of the configuration file for each share). If you want to protect _all_ shares your Samba server offers, simply add the vfs object line (and the vfs options line, if you like) to the [global] section. Samba 3.0: Edit /etc/smb.conf and add the following entry (that's only an example): [vscan] comment = virus-protected /tmp directory path = /tmp vfs object = vscan-oav vscan-oav: config-file = /etc/samba/vscan-oav.conf writeable = yes browseable = yes guest ok = yes IMPORTANT: "vscan-oav: config-file = /path/file" refers as the name already implies to the vscan-oav module only. So, generally speaking it's "vscan-<backend>: config-file = /path/file" Basically you have to add a vfs object line to your shares which should be virus-protected by this module. If you'd like to use the run-time configuration file, simply add vscan-<backend>: config-file = /path/config-file (different settings for several shares can be achieved by using a different name of the configuration file for each share). If you want to protect _all_ shares your Samba server offers, simply add the vfs object line (and the vscan-<backend>: config-file = /file/path line, if you like) to the [global] section. IMPORTANT: In Samba 3, more than one VFS module can be used, so in most cases it's recommended to have the samba-vscan module as the first one. If you want to use vscan-oav and the recycle module, they must be mentioned in one vfs object line, i.e. vfs object = vscan-oav recyle For more details, please see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html The following options are available in the samba-style run-time configuration file for each anti-virus product (some additional settings are available, please refer to the corresponding configuration file): * max file size = <value> This setting can be used to exclude (very) large files from scanning. <value> is an integer value (bytes). If set to 0 (default), all files will be scanned. * verbose file logging = <boolean> Specifies whether every scan of a file should be logged (therefore, clean files will be logged, too). If set to yes (or True or 1), everything will be logged. If set to no (or False or 0), only access to infected files will be logged (this is the default) * scan on open = <boolean> If set to yes (or True or 1), a file will be scanned while opening it. Default is yes. * scan on close = <boolean> If set to yes (or True or 1), a file will be scanned while closing. Default is yes. * deny access on error = <boolean> If set to yes (or True or 1), access to file will be denied if communication to the virus scanning daemon has failed (and therefore could not be scanned). Default is yes. * deny access on minor error = <boolean> Similar to "deny access on error" but only for minor errors. Not implemented for all modules. Default is yes. * send warning message = <boolean> If set to yes (or True or 1), a warning message via Windows Messenger Service (winpopup) will be send when a virus was found. Note: on Win95/ Win98 the "winpopup" client must be running. Default is yes. * infected file action = <quarantine|delete|nothing> If set to "quarantine", an infected file will be moved and renamed to a specified quarantine directory (see below). If this fails, the file will be deleted. If set to "delete" the infected file will be deleted. If set to "nothing" an infected file will be untouched. Default is "quarantine". * quarantine directory = <string> Specifies the quarantine directory. Default is "/tmp", please change this for your needs. The quarantine directory must not be reached via samba share. Keep in mind this directory must be world-read/writable and the sticky-bit should be set. * quarantine prefix = <string> Prefix for files in quarantine, default is "vir-". * max lru files entries = <value> As Windows tries to open a file multiple times in a (very) short period of time, samba-vscan use a last recently accessed file mechanism to avoid multiple scans of the same file. This setting specified the maximum number of entries for the last recently accessed files list. If set to 0, this mechanism is disabled completely. The default is 100. Please see the chapter "Avoid multiple scans of a file caused by Windows behaviour". * lru file entry lifetime = <value> Specifies the lifetime of an entry in the lru accessed files list in seconds. The default is 5. After this lifetime an entry is considered as invalidated and deleted from the list. Please see the chapter "Avoid multiple scans of a file caused by Windows behaviour". * exclude file types = <string> Exclude files from scan process based on the MIME-type (i.e. as if "file -i <file>" is used, see file(1) for details). This is a semi-colon separated list (default: empty list). Use this feature with care! * exclude file regexp = <string> Exclude files from scan process based on regular expression (PCRE), see pcre(3) and pcrepattern(3) for details. Of course, the PCRE library must be installed to use this. Use this feature with care! Step 7: Restart Samba Restart Samba (e.g. killall -HUP smbd) If you want to test, if everything works well, simply do the following steps copy eicar.com to /tmp smbclient //localhost/vscan At the smbclient command line try to retrieve eicar.com - get eicar.com -> access should be denied!!! everything should be logged via syslog Avoid multiple scans of a file caused by Windows behaviour ---------------------------------------------------------- Windows (I think all versions) may open file(s) several times in a very short period of time, when i.e. opening a directory or double-clicking on a file. Here are two real-world examples, created using vscan-fprotd with verbose logging switched on. Double-clicking on an infected Word document: Jan 4 14:46:49 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/macroviren/CAP-A.DOC' Jan 4 14:46:50 rlss2 smbd_vscan_fprotd[3201]: ALERT - Scan result: '/tmp/macroviren/CAP-A.DOC' infected with virus 'WM/CAP.A', client: '172.16.14.129' Jan 4 14:46:50 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/macroviren/CAP-A.DOC' Jan 4 14:46:50 rlss2 smbd_vscan_fprotd[3201]: ALERT - Scan result: '/tmp/macroviren/CAP-A.DOC' infected with virus 'WM/CAP.A', client: '172.16.14.129' Jan 4 14:46:51 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/macroviren/CAP-A.DOC' Jan 4 14:46:51 rlss2 smbd_vscan_fprotd[3201]: ALERT - Scan result: '/tmp/macroviren/CAP-A.DOC' infected with virus 'WM/CAP.A', client: '172.16.14.129' Jan 4 14:46:52 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/macroviren/CAP-A.DOC' Double-clicking on a not-infected Word document: Jan 4 14:50:26 rlss2 smbd_vscan_fprotd[3201]: INFO: file /tmp/test.doc is clean Jan 4 14:50:26 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/test.doc' Jan 4 14:50:26 rlss2 smbd_vscan_fprotd[3201]: INFO: file /tmp/test.doc is clean Jan 4 14:50:27 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/test.doc' Jan 4 14:50:27 rlss2 smbd_vscan_fprotd[3201]: INFO: file /tmp/test.doc is clean Jan 4 14:50:28 rlss2 smbd_vscan_fprotd[3201]: INFO: Scanning file : '/tmp/test.doc' Jan 4 14:50:28 rlss2 smbd_vscan_fprotd[3201]: INFO: file /tmp/test.doc is clean As these examples demonstrate, both files have been opened several times by Windows and are therefore scanned several times, although scanning each of them once would have been sufficient. Of course, this slows down performance. Since the 0.3.2 release, samba-vscan has a mechanism, to avoid this. It uses a last recently accessed file list. Each entry contains the file name, the last modified date/time and the time the entry was added to the list. Log checking ------------ samba-vscan logs nearly everything via the syslog facility. For easier automatic log analysis, each syslog message starts with a particular tag: INFO - just an informational message ERROR - error message, i.e. when communication to a daemon has failed ALERT - a virus has been found Anti-virus product-specific information -------------------------------------- As a general hint: once in a while it may happen an antivirus vendor changes the communication protocol of the product without prior note. So, esp. when you installed a major update/upgrade of your used anti-virus product, you should test by retrieving eicar.com (the EICAR Test file virus, see www.eicar.org) whether samba-vscan still works with it. If not, please contact us asap. - F-Prot A running F-Prot daemon is required, which runs on localhost (127.0.0.1), port 10200 (up to 10204). The port number (or port numbers) can be changed via VSCAN_FPROTD_PORT in vscan-fprotd.h or the fprot port = <string> setting in the run-time configuration file. The arguments passed to the daemon (i.e. to scan inside of archive files) can be set via VSCAN_FPROTD_ARGS in vscan-fprotd.h or fprotd args = <string> in the run-time configuration file (default is -dumb%20-archive); remember to encode space as %20 - F-Secure The F-Secure AntiVirus Daemon can operate in two modes. In the standalone mode, a daemon process is started for each user requesting a scan task. In standalone mode, daemon processes will be stopped after 30 sec of idle time. In the central mode, the daemon is started once and serves requests from any user. To be able to read the files of any user, the daemon has to be started as "root" in most cases. NOTE: the standalone mode currently does not work. You're welcome helping to debug the reason. If you use the standalone mode, please set "fsav userinstance = yes" - otherwise set it to no (default). If you use the central mode (default), please set "fsav connect uid = <uid>" accordingly. As the daemon runs as root, set the <uid> to 0, which is the default. In dedicated mode this setting will be ignored. Also in central mode, the socket to the daemon must be configured via "fsav socket = <string>", default is "/tmp/.fsav-0". This setting will be ignored if dedicated mode is set. Other settings are: Location of FSAV config file, fsavd binary and databases: fsav config file = </path/to/config> (default: /etc/fsav.conf) fsav binary = </path/to/fsavd> (default: /opt/fsecure/fsav/bin/fsavd) fsav db dir = </path/to/db> (default: /var/opt/f-secure/fsav/databases) Scanning of archive file, maximum number of nested archives and support of MIME fsav archive scan = <boolean> (default: yes) fsav maxnested level = <integer> (default: 5) fsav mime scan = <boolean> (default: yes) Scan timeout (in seconds), in standalone mode this setting is ignored as the value of 30sec is hardcoded in the fsavd binary. If set to 0, scan timeout is disabled. fsav timeout = <int> (default: 0). - ICAP The support for an ICAP anti-virus service is currently at a very early stage, so don't expect it to be very stable. Actually, only the Symantec AntiVirus Engine 4.x is currently supported. The "ICAPResponse=0" setting _must_ set in /opt/SYMCScan/etc/symcscan.cfg (and of course SAVE must be configured to use ICAP and not the native protocol!) Moreover, the "ICAPActionPolicy=SCAN" option must be set. The icap-client program (gcc -o icap-client icap-client.c) can be used for debugging purposes or to scan a specific file via Symantec AntiVirus Engine (sic!). See icap-client -h for details. - Kaspersky Anti Virus Install kavplinux linux from Kaspersky. You can download a version from www.kaspersky.com Install the version according to the docs and make sure that kavdaemon is running. Also make sure that kavdaemon does scan the samba shared directories!!!! Please do check the [object] section in defUnix.prf and sure you add something like: Names=*/samba_shares where samba_shares is a samba share! Please do check if kavdaemon really can scan that directory! You can do this by copying a eicar.test file to on of the shares and run: $AVPBASEDIR/DaemonClients/Sample/AvpDaemonClient /samba_shares/eicar.com The AvpDaemonClient software should now return that a virus was found! Then compile the KAV C library. Change into <AVPDIR>/DaemonClients/SampleLibs/C and type make make install This installs kavdclib.so into /usr/lib Per default, the daemon socket file is /var/run/AvpCtl. If this isn't true on your system, please set either AVPCTL in vscan-kavp.h or avp socket file = <string> in the run-time configuration file accordingly. If compiling of the vscan-kavp module fails, please try make -f Makefile.KAV4 Some hints for building samba-vscan with KAV on RedHat (by Kevin Wang): Before you start fiddling with samba-vscan, you need the Kaspersky daemon client libs compiled and installed: cd /opt/AVP/DaemonClients/ ./configure make cd /opt/AVP/DaemonClients/SampleLibs/C make install echo /usr/local/lib >>/etc/ld.so.conf ldconfig Get the SRPM from RedHat, install it, and then use rpmbuild to compile the "same" Samba version that RedHat does with these commands as root: cd /usr/src/redhat/ rpmbuild SPECS/samba.spec IMPORTANT: if you do a rebuild with rpmbuild, the entire BUILD/samba-2.2.7/ directory will get erased, so don't use rpmbuild past this point! Then insert the samba-vscan into the tree: cd /usr/src/redhat/BUILD/samba-2.2.7/examples/VFS bunzip < ~/samba-vscan-0.3.2.tar.bz2 | tar -xvf - and compile samba-vscan: cd /usr/src/redhat/BUILD/samba-2.2.7/examples/VFS/samba-vscan-0.3.2 I'm using kaspersky4, which puts its libraries in a different place... cd /usr/src/redhat/BUILD/samba-2.2.7/examples/VFS/samba-vscan-0.3.2/kaspersky/ mv Makefile Makefile.KAV3 mv Makefile.KAV4 Makefile check the default settings cd /usr/src/redhat/BUILD/samba-2.2.7/examples/VFS/samba-vscan-0.3.2/kaspersky/ vi vscan-kavp.h # defaults look good build it! make install it! make install # NOTE: the settings in vscan-kavp.conf should be the same as # when vscan-kavp.h is initially delivered to you, and will # override those defaults! so it may be better to just edit these # and just not mess with the .h files cp vscan-kavp.conf /etc/samba/vscan-kavp.conf NOTE: If you do not want to use the global lib, you may use the buildin libraray. Simply do ./configure --with-libkavdc-builtin=yes make Normally, configure should autodected it (i.e. if no global lib is available, the builtin lib will be used). - McAfee uvscan McAfee/NAI is supported via mcDaemon, which is basically a wrapper for uvscan. mcDaemon will not be automatically compiled, so please step into nai/mcDaemon and type "make" (or "gmake" for BSD users). "make install" will install the binary, the config file for mcDaemon and the start-stop script (it's SUSE-like style). The following mcdaemon specific settings are available: mcdaemon ip = <IP> (default: 127.0.0.1) mcdaemon port = <port> (default: 8128) For starting mcdaemon see mcLoader.sh for details. Please keep in mind mcdaemon is just a proof-of-concept! By design, it's slow and not really reliable. - mks_vir Daemon You need mks32 - virus scanner, mksd - daemon for mks32, and virus signatures for mks32 from http://download.mks.com.pl/download/ (i.e. mksLinux-x-y-z.tgz, mksdLinux-x.yy.tgz, bazy3.tgz). All README and INSTALL files are in Polish language, so full instruction is below. Install mks32 and mksd, i.e. mkdir /usr/local/lib/mks cd /usr/local/lib/mks tar xzf <path>/mksLinux-x-y-z.tgz tar xzf <path>/mksdLinux-x.yy.tgz tar xzf <path>/bazy3.tgz ln -s mksd-x.yy/mksd . Edit /etc/mks_vir.cfg, add: --mks-vir-dat-path=/usr/local/lib/mks/bazy3/ --scan Make directory for mksd socket and mksd.pid: mkdir /var/run/mksd Run mksd: /usr/local/lib/mks/mksd or: /usr/local/lib/mks/mksd [scan|cure] [number_of_processes] Install libmksd.a: cd /usr/local/lib/mks/mksd-x.yy/inne tar xf src.tar make cp libmksd.a /usr/local/lib cp libmksd.h /usr/local/include And then build the mks module as usual by simply typing "make". NOTE: In any case, the method above is not possible (i.e you're the package maintainer of a RPM package or a *BSD port) or you do not want to install the library globally, as mentioned above, simply do the following steps ./configure --with-libmksd-builtin=yes make (Note: configure should auto-detect this) Then the libmksd library (mks/libmksd) will be build and used instead (licensed LGPL). But as this builtin library may not be up-to-date, this is not the preferred way. - OpenAntiVirus ScannerDaemon A running ScannerDaemon on the same host as your Samba Server is needed. Per default, localhost (127.0.0.1) and port 8127 is assumed. The port can be changed via VSCAN_OAV_PORT in vscan-oav.h or via the oav port = <int> setting in the run-time configuration file. - Sophos Sweep via Sophie / Trend via Trophie You need Sophie or Trophie from http://www.vanja.com/tools/. As socket name /var/run/sophie (/var/run/trophie) is assumed. You can modify this via SOPHIE_SOCKET_NAME (TROPHIE_SOCKET_NAME) in vscan-sophos.h (vscan-trend.h) or via sophie socket name = <string> (trophie socket name = <string>) in the run-time configuration file. The socket must have read/write permissions for everyone (i.e. chmod a+rw /var/run/sophie) , as smbd runs under various user IDs (i.e. "nobody" or as the user "xyz", when user "xyz" is connected to his home directory). This could be a security risk, as now an attacker could pass arbitrary commands to Sophie/Trophie, so we need a better solution here ... - Clam AntiVirus samba-vscan (clamav module) can be configured to use for the Clam AntiVirus daemon (clamd) or the ClamAV library (libclamav). Usage of clamd is default. For a discussion about pro and cons please see http://marc.theaimsgroup.com/?t=108550773300004&r=1&w=2 Daemon: You need Clam AntiVirus Daemon from http://www.clamav.net/. As socket name /var/run/clamd is assumed. You can modify this via CLAMD_SOCKET_NAME in vscan-clamav.h or via clamd socket name = <string> in the run-time configuration file. The socket must have read/write permissions for everyone (i.e. chmod a+rw /var/run/clamd), as smbd runs under various user IDs (i.e. "nobody" or as the user "xyz", when user "xyz" is connected to his home directory). This could be a security risk, as now an attacker could pass arbitrary commands to Clam AntiVirus Daemon, so we need a better solution here. Moreover, clamd must run as root in most cases to be able to read the files, which could lead to as security risk as well. libclamav: To use the ClamAV library instead, use the --with-clamav-lib switch for ./configure. Keep in mind, if vscan-clamav is build and linked for libclamav, you must rebuild the module if you decide to use clamd instead. Please keep in mind, this could be a huge performance penalty. - Symantec AntiVirus Engine The Symantec module will not be build by default, as it will be statically linked against a library from Symantec. As this library is not GPL, but a VFS module must be GPL (the VFS interface itself is GPL, too), loading the vscan-symantec module my infringe the GPL rights of the Samba Team. Do not distribute this module as a binary. If in doubt, please contact the Samba Team. To build this module, copy (or create a link) libsymcsapi.a and symcsapi.h from the Symantec SDK to the symantec directory of the samba-vscan package. Use the "--with-symantec" switch for configure, e.g. "./configure --with-symantec", so that the module will be compiled. - Avira AntiVir An "antivir" binary (version 2.1.0-28 or later) and a valid SERVER license are required. Please check these requirements by means of the "antivir --version" command. No service needs to be started up, the vscan-antivir.so plugin itself will handle the scanner processes. Although it's advised to setup a cronjob which runs regularly scheduled updates for the AntiVir product. The samba service does not need to be restarted nor need the users reconnect to shares after AntiVir updates. The correct pathname to the "antivir" binary needs to be setup in the vscan-antivir.conf file. The binary's name usually is "/usr/lib/AntiVir/antivir". Archive related settings can be customized to prevent DoS situations. This is why archive support is disabled by default. When enabled, archives will not be scanned completely when they exceed one of the specified limits. A limit of 0 will disable the appropriate condition (i.e. means "unlimited"). By default only viruses are scanned for. Detection of other types of unwanted software can be enabled with the appropriate "detect" options. But you should make sure to adjust the notification message which is sent to the remote users since in this situation not every alert is an "INFECTION" with a "VIRUS". The vscan-antivir.so plugin is capable of handling files with non printable and other special characters (umlauts and such) in their names. Unicode support has not been tested. Check the license of your anti-virus product -------------------------------------------- Before using samba-vscan together with your anti-virus product, please check if your current license allows this, i.e. are you allowed to use it on a server? Are you allowed to use it for your (maximum) number of users connected to your Samba Server? Contains the license some other stuff, which won't permit it to use within samba-vscan? If in doubt, please contact your vendor/dealer and buy the correct license. Thank you very much for your co-operation. Subscribe to mailing list ------------------------- Every user of samba-vscan is encouraged to subscribe at least to the openantivirus-announce mailing list. Via this list we announce new versions, security announcements and other news. It's a low volume list. Please see http://sourceforge.net/mail/?group_id=10590 for all available mailing list and for subscription details. How to report bugs, give feedback or send patches ------------------------------------------------- Please send a mail to Rainer Link <rainer@openantivirus.org>. If you think your input is valuable for others, you may of course post to the openantivirus-discuss mailing list. If it's a technical issue, you may post to openantivirus-developer mailing list. Security issues should reported only to me directly. Please use my PGP-Key (ID: 13B44079) for privacy. To report bugs or send patches you may use the SF Tracker, if you like (http://sf.net/projects/openantivirus). I prefer patches in unified diff format (diff -u), as there are more human readable (at least for me). Donations --------- Donations are of course very welcome :-) Please check http://www.openantivirus.org/donate.php for more details. Thanks a lot.