Scanning for viruses on Samba with ClamAV
OSWikiHK, the free Chinese open-source knowledge base
Thanks to 千年蟲 for agreeing to write this document.
Samba + samba-vscan + ClamAV
This document was completed with the help of many people online; special thanks to Frankie Chow, chairman of the HK Samba Association.
Below is the installation process. The configuration is fairly basic; I hope nobody minds.
I installed from source; the operating system is Mandrake 9.1:
- samba-3.0.4
- samba-vscan-0.3.5-beta1
- clamav-0.70
Installing the Samba server
tar -zxf samba-3.0.4.tar.gz
cd samba-3.0.4/source/
When running configure for Samba, add the "--enable-vfs" option, for example:
$ ./configure ....... --enable-vfs
$ make proto
$ make
$ make install
$ cd ..
Installing samba-vscan:
tar -zxvf samba-vscan-0.3.5-beta1.tar.gz
Move samba-vscan-0.3.5-beta1 into the example/VFS/ directory under the Samba source tree, then build the clamav backend (the relative --with-samba-version path only resolves from inside that directory):
mv samba-vscan-0.3.5-beta1 /path/to/samba-source/example/VFS/
cd /path/to/samba-source/example/VFS/samba-vscan-0.3.5-beta1
./configure \
    --prefix=/usr/local/samba-vscan \
    --with-samba-version=../../../source/include/version.h
make clamav
(There is no need to run make install.)
Then copy vscan-clamav.so and vscan-clamav.conf into the Samba installation:
cp vscan-clamav.so /path/to/samba/lib/vfs
cp clamav/vscan-clamav.conf /path/to/samba/lib
vscan-clamav.conf settings: (my English is not good, please forgive any mistakes)
[samba-vscan]
; run-time configuration for vscan-samba using clamd
; all options are set to default values

; do not scan files larger than X bytes. If set to 0 (default),
; this feature is disabled (i.e. all files are scanned)
max file size = 0
(Upper limit on the size of files to scan; "0" means no limit.)

; log all file access (yes/no). If set to yes, every access will
; be logged. If set to no (default), only access to infected files
; will be logged
verbose file logging = no
(Controls logging: if "yes", every access is logged; if "no", only access to infected files is logged.)

; if set to yes (default), a file will be scanned while opening
scan on open = yes
(If "yes", the file is scanned every time it is opened.)

; if set to yes, a file will be scanned while closing (default is yes)
scan on close = yes
(If "yes", the file is scanned every time it is closed.)

; if communication to clamd fails, should access to file be denied?
; (default: yes)
deny access on error = yes
(If the connection to clamd fails, whether access to the protected files is denied.)

; if the daemon fails with a minor error (corruption, etc.),
; should access to file be denied?
; (default: yes)
deny access on minor error = yes
(If the daemon reports a minor error, whether access to the protected files is denied.)

; send a warning message via Windows Messenger service
; when virus is found?
; (default: yes)
send warning message = yes
(Whether to send a warning pop-up window to Windows when an infected file is found.)

; what to do with an infected file
; quarantine: try to move to quarantine directory; delete it if moving fails
; delete: delete infected file
; nothing: do nothing (default)
infected file action = quarantine
(How to handle an infected file: quarantine: try to move it to the quarantine area, and delete it if the move fails; delete: delete the infected file; nothing: take no action.)

; where to put infected files - you really want to change this!
quarantine directory = /tmp/clamav/quarantine
(Location of the quarantine area.)

; prefix for files in quarantine
quarantine prefix = vir-
(Prefix added to files moved into quarantine.)

; as Windows tries to open a file multiple times in a (very) short
; period of time, samba-vscan uses a last recently used file mechanism to avoid
; multiple scans of a file. This setting specifies the maximum number of
; elements of the last recently used file list. (default: 100)
max lru files entries = 100

; an entry is invalidated after lru file entry lifetime (in seconds).
; (Default: 5)
lru file entry lifetime = 5

; exclude files from being scanned based on the MIME-type! Semi-colon
; separated list (default: empty list). Use this with care!
exclude file types =

; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
; libclamav is used
clamd socket name = /usr/local/clamav/var/run/clamav.sock
(Location of the clamd socket.)

; limits, if vscan-clamav was built for using the clamav library (libclamav)
; instead of clamd

; maximum number of files in archive (default: 1000)
libclamav max files in archive = 1000

; maximum archived file size, in bytes (default: 10 MB)
libclamav max archived file size = 10 * 1048576

; maximum recursion level (default: 5)
libclamav max recursion level = 5
Installing ClamAV:
tar -zxvf clamav-0.70.tar.gz
cd clamav-0.70
./configure --prefix=/usr/local/clamav
make
make clean
make install
Make the following changes in clamav.conf:
# Comment or remove the line below.
#Example
(This line must be commented out.)
.......
# Path to the local socket. The daemon doesn't change the mode of the
# created file (portability reasons). You may want to create it in a directory
# which is only accessible for a user running daemon.
LocalSocket /usr/local/clamav/var/run/clamav.sock
(This path must be identical to the clamd socket name in vscan-clamav.conf.)
.......
When done, start clamd.
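Two things go wrong most often at this step: the "Example" line is left active so clamd refuses to start, and the socket path in clamav.conf does not match the one in vscan-clamav.conf. The script below is an added example (not from this document, ClamAV or samba-vscan) that checks both on constructed fragments of the two files and then sends clamd's PING command over the Unix socket; clamd answers PONG when it is running and reachable. The fragments, and the fallback default of /var/run/clamd taken from the option list above, are assumptions of the example.

```python
"""Cross-check the clamd socket path in clamav.conf and vscan-clamav.conf, then ping clamd (added example)."""
import re
import socket

# Constructed fragments of the two files discussed above; not copied from a real system.
CLAMAV_CONF = """\
# Comment or remove the line below.
#Example
# Path to the local socket.
LocalSocket /usr/local/clamav/var/run/clamav.sock
"""

VSCAN_CONF = """\
[samba-vscan]
; socket name of clamd (default: /var/run/clamd)
clamd socket name = /usr/local/clamav/var/run/clamav.sock
"""


def clamav_local_socket(text):
    """Return the LocalSocket path from clamav.conf, or None if it is not set."""
    for line in text.splitlines():
        m = re.match(r"^\s*LocalSocket\s+(\S+)", line)
        if m:
            return m.group(1)
    return None


def vscan_clamd_socket(text, default="/var/run/clamd"):
    """Return 'clamd socket name' from vscan-clamav.conf, falling back to the documented default."""
    for line in text.splitlines():
        line = line.split(";", 1)[0]              # ';' starts a comment in this file
        m = re.match(r"^\s*clamd socket name\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return default


def example_line_active(text):
    """True if the 'Example' line is still uncommented, which stops clamd from starting."""
    return any(re.match(r"^\s*Example\b", line) for line in text.splitlines())


def sockets_agree(clamav_text, vscan_text):
    """Both sides must name the same socket file, or every scan request from smbd fails."""
    return clamav_local_socket(clamav_text) == vscan_clamd_socket(vscan_text)


def clamd_ping(path, timeout=3.0):
    """Send clamd's PING command over the Unix socket; True only if it answers PONG."""
    if not hasattr(socket, "AF_UNIX"):
        return False
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"PING\n")
            return s.recv(64).strip() == b"PONG"
    except OSError:   # no such socket, permission denied, clamd not listening, timeout
        return False


if __name__ == "__main__":
    if example_line_active(CLAMAV_CONF):
        print("clamav.conf: the 'Example' line must be commented out")
    if not sockets_agree(CLAMAV_CONF, VSCAN_CONF):
        print("socket paths differ:", clamav_local_socket(CLAMAV_CONF), vscan_clamd_socket(VSCAN_CONF))
    path = clamav_local_socket(CLAMAV_CONF)
    print("clamd answering on %s: %s" % (path, clamd_ping(path)))
```

A failed ping with "deny access on error = yes" means clients will be refused access to the protected share, which is the safe direction; with that option set to "no" the same failure silently disables scanning, so the ping is worth running from cron or a monitoring check, not only at install time.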
Then make the following changes in smb.conf.
For example, to scan for viruses in real time on the "public" share:
[public]
comment = virus-protected /public directory
path = /public
vfs object = vscan-clamav
vscan-clamav: config-file = /path/to/vscan-clamav.conf
writeable = yes
browseable = yes
guest ok = yes
When done, restart Samba.
Then try writing a file from a Windows client to test it. There are three possible outcomes:
- You cannot enter or access the protected shared folder at all.
- If you can enter and access the protected shared folder, check /var/log/messages.
- If the configuration is wrong you will see messages like these:
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: samba-vscan (vscan-clamav 0.3.5beta1) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: samba-vscan (vscan-clamav 0.3.5beta1) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: INFO: connect to service root by user root
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: ERROR: could not parse configuration file '/usr/local/samba/lib/vscan-clamav.conf'. File not found or not read-able. Using compiled-in defaults
May 18 23:07:15 fax 5月 18 23:07:15 smbd_vscan-clamav[10287]: INFO: disconnected
- If you see the following messages, it has succeeded:
May 18 23:09:58 fax 5月 18 23:09:58 smbd_vscan-clamav[10300]: samba-vscan (vscan-clamav 0.3.5beta1) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:09:58 fax 5月 18 23:09:58 smbd_vscan-clamav[10300]: samba-vscan (vscan-clamav 0.3.5beta1) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:09:58 fax 5月 18 23:09:58 smbd_vscan-clamav[10300]: INFO: connect to service root by user root
May 18 23:10:09 fax 5月 18 23:10:09 smbd_vscan-clamav[10300]: INFO: disconnected
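The "could not parse configuration file" line deserves more than a glance: smbd keeps serving the share with compiled-in defaults, and per the option list above the default infected file action is "nothing", so a misplaced config file means the share looks protected but infected files are left where they are. The script below is an added example, not from this document or samba-vscan; it parses constructed log lines in the format shown above (the doubled timestamp is kept as it appears) and reports which smbd processes ran on defaults. Classifying lines by their "ERROR:" / "INFO:" prefix is the example author's assumption based on the lines shown, not a documented samba-vscan log format.

```python
"""Triage smbd_vscan-clamav entries from /var/log/messages (added example)."""
import re
from collections import Counter

# Constructed sample in the format shown above; the duplicated timestamp is left as-is.
SAMPLE_LOG = """\
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: samba-vscan (vscan-clamav 0.3.5beta1) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: samba-vscan (vscan-clamav 0.3.5beta1) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: INFO: connect to service root by user root
May 18 23:07:04 fax 5月 18 23:07:04 smbd_vscan-clamav[10287]: ERROR: could not parse configuration file '/usr/local/samba/lib/vscan-clamav.conf'. File not found or not read-able. Using compiled-in defaults
May 18 23:07:15 fax 5月 18 23:07:15 smbd_vscan-clamav[10287]: INFO: disconnected
May 18 23:09:58 fax 5月 18 23:09:58 smbd_vscan-clamav[10300]: INFO: connect to service root by user root
May 18 23:10:09 fax 5月 18 23:10:09 smbd_vscan-clamav[10300]: INFO: disconnected
"""

LINE_RE = re.compile(r"smbd_vscan-clamav\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONF_ERR_RE = re.compile(r"could not parse configuration file '(?P<path>[^']+)'")


def parse_vscan_log(text):
    """Return (pid, level, message) for each vscan line; level is ERROR, INFO or STARTUP."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # lines written by other daemons
        msg = m.group("msg")
        if msg.startswith("ERROR:"):
            level = "ERROR"
        elif msg.startswith("INFO:"):
            level = "INFO"
        else:
            level = "STARTUP"             # the 'registered' / 'connected' banner lines
        entries.append((int(m.group("pid")), level, msg))
    return entries


def config_load_errors(text):
    """Config paths smbd could not read; each one means compiled-in defaults were used."""
    return [CONF_ERR_RE.search(msg).group("path")
            for _, level, msg in parse_vscan_log(text)
            if level == "ERROR" and CONF_ERR_RE.search(msg)]


def sessions_with_defaults(text):
    """PIDs of smbd processes that served the share without the intended configuration."""
    return sorted({pid for pid, level, msg in parse_vscan_log(text)
                   if level == "ERROR" and CONF_ERR_RE.search(msg)})


def level_counts(text):
    """How many STARTUP / INFO / ERROR lines the log contains."""
    return Counter(level for _, level, _ in parse_vscan_log(text))


if __name__ == "__main__":
    for path in config_load_errors(SAMPLE_LOG):
        print("config not loaded:", path)
    print("smbd PIDs that ran on compiled-in defaults:", sessions_with_defaults(SAMPLE_LOG))
    print(dict(level_counts(SAMPLE_LOG)))
```

On the sample it reports /usr/local/samba/lib/vscan-clamav.conf as unread and PID 10287 as the session affected, while PID 10300 (the successful case above) produces no error. Files written during an affected session were scanned under default settings only and are worth re-scanning once the configuration is fixed.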
This is my first time writing a technical document, so please forgive any shortcomings. If anyone has something better or can fill in gaps in this document, please e-mail me so I can improve it. Thank you.
Dear 千年蟲:
Thank you for posting this material. Also, the libsamba-vscan Debian package and UML image are now finished.
Members, try it out yourselves!
Perhaps I will find some time on Sunday to introduce it to everyone. Not sure whether 千年蟲 will show up.
In any case, 千年蟲's write-up really opened my eyes, since I never knew what VFS modules were about.
Cheers, Frankie Chow
P.S. The UML image can be downloaded from
ftp://hk.samba.org/deb/samba/samba-3.0.4/uml/samba-clamav-image.bz2
(This file has been compressed with bzip2; you need to decompress it with bunzip2 before it can be used.)
The libsamba-vscan built for the samba-3.0.4 provided by this association can be downloaded here:
ftp://hk.samba.org/deb/samba/samba-3.0.4/libsamba-vscan/libsamba-vscan_0.3.5-1_i386.deb
To download clamav, add the following to /etc/apt/sources.list:
deb http://home.manos.dd.sn.schule.de/~1tl1/debian/ stable alsa backports icecast2 kernel main non-free samba
deb-src http://home.manos.dd.sn.schule.de/~1tl1/debian/ stable alsa backports icecast2 kernel main non-free samba
clamav can also be found in the following source:
deb http://www.backports.org/debian stable all
Then run
# apt-get install clamav
# apt-get install clamav-base
# apt-get install clamav-daemon
# apt-get install clamav-freshclam
# apt-get install clamav-testfiles
# apt-get install libclamav1
(clamav-testfiles are test viruses; I think they are non-viruses. One of the files,
/usr/share/clamav-testfiles/test1
can be used for a try; samba+clamav+samba-vscan can detect the virus in it.)
Under the UML image you can use smbclient to upload the virus to //localhost/public for testing. But in another file the virus could not be detected:
/usr/share/clamav-testfiles/rarfail.rar
Why was the RAR file containing the virus not quarantined?
I guess the following setting in clamav (clamav.conf) was not changed:
# By default the built-in RAR unpacker is disabled by default because the code
# terribly leaks, however it's probably a good idea to enable it.
ScanRAR
(uncomment this option)
千年蟲
Also, because the test was done in the small hours, I could not find the log messages 千年蟲 described.
But I found that the virus file was quarantined, so I know it is working.
P.S. I checked: because there is no program on the system that can handle the rar file format, it cannot be detected. For example, when your system has no bzip2, you also cannot detect
/usr/share/clamav-testfiles/test1.bz2
but once you have bzip2 and bunzip2, you can detect it. It is a file containing a virus.
- The log problem I still cannot solve.
Thanks to 千年虫's article and Frankie Sir's UML image, I later successfully installed vscan on the Samba 3 at my company too!! hehe ~~!!!
But when the warning message is sent to Windows clients, if the Windows version is Win9x, they will not receive any message at all unless WinPopup is running; that is a slight shortcoming ~~!!!
^_^
Frankie Chow

