Hi Jess,
I wrote a samba_vscan howto using trophie back in 2003 for the penguinista group. I sent it to your private email address for reference; maybe it can help. (Although the lame howto is more about installing it with trophie and not clamd.)
Back then, you needed to change the permission of the antivirus socket, so a quick chmod a+rw on the socket will fix the permission issue.
Also, I noticed in your logs that samba-vscan wants to communicate with a 'clamd.sock'?
In my setups where I use the clamd daemon for scanning services such as email and http requests, I never had a clamd.sock; the socket is named 'clamd' and the pid file is 'clamd.pid'.
regards, Kenneth
jess enerio wrote:
Hi pluggers, just a question: has anyone had a successful implementation of samba w/ vscan using clamav? I got mine from http://support.intcomgrp.com/mirror/fedora-core/beta/i386/
I was able to install it, but kept getting this error:
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not communicate to daemon - access denied
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not communicate to daemon - access denied
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!
Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not communicate to daemon - access denied
Sep 15 15:36:15 katipunan smbd_vscan-clamav[4022]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!
any idea? I'm using FC1 as my test server. Thanks!
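A quick diagnostic for the two errors quoted above ("can not connect" and "access denied"), added here as an example and not part of either post: it pulls the socket path out of a samba-vscan log line and checks whether that path exists, is a Unix socket, and is writable by the user running the check, pointing at a differently named socket in the same directory (clamd vs clamd.sock) when the configured one is missing. The same check works for the /var/run/trophie socket in the howto below; the log line is a constructed sample and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original posts): diagnose samba-vscan's
# "can not connect to <daemon> (socket: '...')" and "access denied" errors.
# Function names and the sample log line are constructed for this example.

# Constructed sample of the log line quoted in the thread.
SAMPLE_LOG="Sep 15 15:36:10 katipunan smbd_vscan-clamav[4022]: ERROR: can not connect to clamd (socket: '/var/run/clamav/clamd.sock')!"

# Pull the configured socket path out of the first matching log line on stdin.
extract_socket_path() {
    sed -n "s/.*(socket: '\([^']*\)').*/\1/p" | head -n 1
}

# Check the socket path the way the thread's advice suggests.
# Returns 0: usable, 1: missing (wrong name?), 2: not a socket, 3: not writable.
# Run it as the user smbd serves the share as; -w tests the caller's own access.
check_av_socket() {
    path=$1
    if [ ! -e "$path" ]; then
        # clamd often creates 'clamd', not 'clamd.sock': look for a sibling socket.
        dir=$(dirname "$path")
        for alt in "$dir"/*; do
            if [ -S "$alt" ]; then
                echo "hint: daemon socket found at $alt; point samba-vscan at it"
            fi
        done
        echo "missing: $path"
        return 1
    fi
    if [ ! -S "$path" ]; then
        echo "not a socket: $path"
        return 2
    fi
    if [ ! -w "$path" ]; then
        echo "not writable by $(id -un): $path (the howto's fix is chmod a+rw on the socket)"
        return 3
    fi
    echo "ok: $path"
    return 0
}

# Demonstration: the sample line points at a path that is normally absent,
# so this prints the "missing" diagnosis and exit code 1.
SOCKET_PATH=$(printf '%s\n' "$SAMPLE_LOG" | extract_socket_path)
check_av_socket "$SOCKET_PATH" || echo "exit code: $?"
```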
Virus Protected Samba Share HOWTO
revision 1.2
written by: Kenneth Oncinian
Panasonic Communications Corp. of the Philippines
June 23, 2003

Introduction:

Basically a proof-of-concept module for providing on-access virus scanning with Samba. samba-vscan currently consists of seven Samba VFS modules:

* vscan-fprotd - for use with F-Prot Daemon
* vscan-icap - for use with an ICAP antivirus service, currently only Symantec AntiVirus Engine 4.x is supported (this is alpha code and not yet for production environments!)
* vscan-kavp - for use with Kaspersky AntiVirus (kavdaemon) via the Kaspersky KAV client C library. vscan-kavp is a stripped-down version of the vscan-kavp of Ries van Twisk. For the full-featured version please see http://www.rvt.dds.nl
* vscan-mks - for use with mks32 via mks_vir Daemon
* vscan-oav - for use with OpenAntiVirus.org ScannerDaemon
* vscan-sophos - for use with Sophos Sweep via Sophie (http://www.vanja.com/tools)
* vscan-trend - for use with Trend Micro FileScanner / InterScan VirusWall via Trophie (http://www.vanja.com/tools)

So what this means is that seven (7) antivirus products for Linux can be used with samba-vscan. For this documentation, we will be using the vscan-trend module for the implementation of a virus-protected samba file server.

I. Configuration and Installation of the antivirus daemon

1. Download the engine and pattern file from antivirus.com.

   Download the engine here (*note: the engine you will be needing is under the InterScan VirusWall Linux platform):
   http://www.trendmicro.com/download/engine.asp

   Download the pattern here:
   http://www.trendmicro.com/download/pattern.asp

2. 
Create an /etc/iscan directory and extract the engine and pattern there.

   Example: assuming the engine is vsapi6510rh.tar.Z and the pattern file is ptn751.tar (the latest at the time this document was written), as root:

       # mkdir /etc/iscan
       # cd /etc/iscan
       # tar zxvf /path_to/vsapi6510rh.tar.Z
       # tar xvf /path_to/ptn751.tar

   /etc/iscan should then contain the following files:

       -r-xr-xr-x 1 root sys  1317698 Nov 30  2002 libvsapi.so
       -rw-rw-rw- 1 root root 6843512 Jun 21 15:41 lpt$vpn.571

   Now we need to link libvsapi.so into a local library dir such as /usr/local/lib:

       # cd /usr/local/lib
       # ln -s /etc/iscan/libvsapi.so libvsapi.so

3. Download trophie from http://www.vanja.com/tools/trophie/ (the latest as of this writing is version 1.12):

       $ cd /tmp
       $ wget http://www.vanja.com/tools/trophie/trophie-1.12.tar.gz
       $ tar zxvf trophie-1.12.tar.gz
       $ cd trophie
       $ ./configure --with-timeout=0
       $ make

   then as root:

       # cp trophie /usr/local/bin

   Start the antivirus daemon.

   *NOTE: You should include trophie in your startup scripts, depending on your Linux distribution. Ex: this script starts trophie and sets the proper permission for samba-vscan's use. Please note the permission; it is important to set the permission of /var/run/trophie to a+rw.

       #!/bin/bash
       # start trophie as a daemon and make its socket writable for samba-vscan
       /usr/local/bin/trophie -D
       chmod a+rw /var/run/trophie

   You should then see a message like this:

       trophie placed in the background

4. Let's try out the antivirus daemon, shall we?
Download a test virus from http://www.eicar.org/anti_virus_test_file.htm. Example:

       $ cd /tmp
       $ wget http://www.eicar.org/download/eicarcom2.zip
       $ trophie -f eicarcom2.zip

   It should report something like this:

       Initializing    : VSAPI version 6.510-1002
       Initializing    : Pattern version 571 (pattern number 54109)
       Socket path     : /var/run/trophie
       Timeout         : 0 seconds
       Running as user : mail
       Socket group    : mail
       Max processes   : 20
       PID file        : /var/run/trophie.pid
       Trophie version : 1.12
       Scanning file   : 'eicarcom2.zip'
       Scan result     : File '/tmp/eicar.com' infected with 'Eicar_test_file' virus
       Cleanup         : VSAPI cleaned up and terminated

   If you will notice, it detects the Eicar_test_file virus. Pretty neat, huh? =)

II. Now that we have an antivirus to use, let's get down to samba:

1. We need to download the samba source code; download the latest from http://www.samba.org. The file you will most likely be downloading is samba-latest.tar.gz.

   *Note: It is likely that you already have samba installed; nevertheless, you still need to download the source because we will run the configure script of samba-vscan inside the source dir of samba.

   If for example you downloaded the source code of samba to /tmp, do the following:

       # cd /tmp
       # tar zxvf samba-latest.tar.gz

2. Then go to the newly extracted samba dir and run the configure script.

   *Note: this is important. If you have samba installed already, you have to make sure it is compiled with the VFS option enabled, otherwise samba-vscan will not work. If you will compile and install from source, then the example options that I used here will suffice. Also please note the --with-cups option: if you are not using CUPS for printing, do not include this option; I just included it as an example since most RPM-based distros use CUPS by default. Also, the paths that I used are Slackware specific; edit them to suit your distribution.
       # --with-cups: only if you use CUPS for printing (a comment after a
       # trailing backslash would end the continued command, so it lives here)
       ./configure \
           --with-cups \
           --with-fhs \
           --prefix=/usr \
           --localstatedir=/var \
           --bindir=/usr/bin \
           --sbindir=/usr/sbin \
           --with-lockdir=/var/cache/samba \
           --sysconfdir=/etc \
           --with-configdir=/etc/samba \
           --with-privatedir=/etc/samba/private \
           --with-codepagedir=/etc/codepages \
           --with-smbmount \
           --with-quotas \
           --with-syslog \
           --with-utmp \
           --with-sambabook=/usr/share/swat/using_samba \
           --with-ssl \
           --with-sslinc=/usr/include/openssl \
           --with-ssllib=/usr \
           --with-msdfs \
           --with-vfs \
           --with-libsmbclient

   then

       # make

   Ok, stop for now. Now we have a samba source dir with VFS support to work on. Let's now get the samba-vscan application.

III. Samba-vscan configuration and installation

1. Download the latest stable release from http://www.openantivirus.org/projects.php#samba-vscan

   *On this example, I used a sourceforge mirror to get the application and /tmp as the temporary extract dir:

       $ cd /tmp
       $ wget http://switch.dl.sourceforge.net/sourceforge/openantivirus/samba-vscan-0.3.2b.tar.bz2
       $ tar xjvf samba-vscan-0.3.2b.tar.bz2

   Copy the complete samba-vscan directory recursively to the VFS directory of our samba source tree and make that directory your working directory. So for our example, since we are in the /tmp dir with the samba-vscan and samba source directory:

       $ cp -ra samba-vscan /etc/samba/examples/VFS
       $ cd /etc/samba/examples/VFS/samba-vscan

   If by any chance you are using a version of samba other than 2.2.8a, make sure you follow these instructions: edit includes/vscan-global.h and set SAMBA_VERSION_MINOR to the following value:

       4 - for Samba 2.2.4 and later

   OR set SAMBA_VERSION_MAJOR to:

       3 - for Samba 3.0 (SAMBA_VERSION_MINOR is ignored in this case)

2. 
Go to the directory of the antivirus that you are going to use; in our case, trend:

       $ cd trend
       $ make

   then as root copy vscan-trend.so to a lib directory, for example:

       # cp vscan-trend.so /usr/local/lib

   or

       # cp vscan-trend.so /usr/lib

   or wherever the samba libraries of your distribution are located. Copy the configuration file to where your samba configuration file resides, for example:

       # cp vscan-trend.conf /etc/samba

   *Note: there are two ways to control the samba-vscan configuration: one is by editing the compile-time configuration (vscan-trend.h), which needs to be edited before issuing the command "make", and the other is by editing the run-time configuration (vscan-trend.conf), which we copied to /etc/samba in our example. To simplify: the compile-time configuration controls the default behaviour of samba-vscan. Neat, huh? =)

3. Since the module is already compiled and available, the only thing we need to do is to edit our configuration files, which are the samba configuration file (smb.conf) and the samba-vscan configuration file (vscan-trend.conf).

   So, basically you have to add a "vfs object" line to *all* of your shares which should be virus-protected by this module. If you'd like to use the run-time configuration file, simply add a "vfs options" line naming the config file, as in the example below (different settings for several shares can be achieved by using a different configuration file for each share).

   Example of a samba config file with the module entry:

       [Public]
           comment = virus-protected public directory
           path = /home/Public
           vfs object = /usr/local/lib/vscan-trend.so
           vfs options = config file = /etc/samba/vscan-trend.conf
           writeable = yes
           browseable = yes
           guest ok = yes
           public = yes

   Edit vscan-trend.conf, and change the following values:

   1. ; if set to yes, a file will be scanned while closing (default is no)
      scan on close = no

      to

      ; if set to yes, a file will be scanned while closing (default is no)
      scan on close = yes

   2. 
      ; socket name of Trophie (default: /var/run/trophie)
      trophie socket name = /var/run/sophie

      to

      ; socket name of Trophie (default: /var/run/trophie)
      trophie socket name = /var/run/trophie

      *Note: sophie is a different antivirus daemon; this is a typographical error on the part of the module's author.

   Number 1 is important if you want the files inside a directory to be scanned when copied to or accessed in a protected share.

   Test the setup by downloading the fake eicar virus from http://www.eicar.org/download/ and copying it from an M$ box to your samba share; a pop-up window should appear indicating the virus name and the denial of the use of the share.

THAT'S IT!! Now you have a file server which is virus protected =).

ADDITIONAL STUFF:

1. By default, this option in the vscan-trend.conf file is set to true:

       ; if communication to trophie fails, should access to file denied?
       ; (default: yes)
       deny access on error = yes

   So basically, what this means is that if the trophie daemon is, for example, not active or has the wrong permission, access to the samba share will be denied. This is basically a good thing, but of course it will depend on the security policy of your organization. One thing you can do however is to have a script activated by a cron job which from time to time checks the daemon. For example:

       #!/bin/bash
       # keep trophie running and its socket writable for samba-vscan
       if [ -e /var/run/trophie.pid ]; then
           echo "trophie is running and protecting this system..."
           chmod a+rw /var/run/trophie
       else
           echo "trophie is not running on this system...activating"
           /usr/local/bin/trophie -D
           chmod a+rw /var/run/trophie
       fi

2. The virus definitions which trophie uses should of course be updated on a regular basis. This is a simple bash script to update the definition file; edit to your liking if you wish =).

       #!/bin/bash
       # version 1.1
       # limitations: Does not remove old lpt update file and does not look for engine update. why?
       # reason: I used it in a busy mail server and I don't like the idea of removing the old pattern before the update and
       # I do not know if trophie needs recompilation to reflect new engine changes.
       #
       # check and create temp dir to use if not found
       UPDATEDIR=/tmp/update
       if [ -d "$UPDATEDIR" ]; then
           echo "temp dir...ok"
       else
           echo "creating temp dir..."
           mkdir "$UPDATEDIR"
       fi
       cd "$UPDATEDIR" || exit 1
       echo "checking http://antivirus.com for available pattern update..."
       # If in the future this url does not work anymore, update it manually
       wget -q http://www.trendmicro.com/download/pattern.asp
       # see what is the latest pattern file
       echo "now, lets see if you need an update..."
       UPDATE=$(grep "ptn*.*tar" "$UPDATEDIR/pattern.asp" | sed -e 's/ //g')
       # strip the html tags around the pattern file name
       NEW=$(echo "${UPDATE}" | sed -e :a -e 's/<[^<]*>/ /g;/</{N;s/\n/ /;ba;}' | sed -e 's/ //g')
       echo "$NEW" > newpattern.log
       PATTERN=$(grep "ptn*.*tar" "$UPDATEDIR/newpattern.log" | sed -e 's/ //g')
       LOG=$(grep "ptn*.*tar" /var/log/pattern.log | sed -e 's/ //g')
       # work around for the extra blank characters that sed produces which I cannot fix
       echo "http://www.trendmicro.com/ftp/products/pattern/$NEW" | sed -e 's/ //g' > "$UPDATEDIR/updateurl.txt"
       echo "updated pattern is :" "$PATTERN"
       echo "pattern from log is :" "$LOG"
       if [ "${LOG}" = "${PATTERN}" ]; then
           echo "The pattern is up-to-date"
           echo "You are using the latest pattern from http://www.antivirus.com which is" "$PATTERN" | /usr/bin/mail -s "vscan is up to date" <your_email>
       else
           # Update process
           echo "pattern needs to be updated. Starting update process:"
           cd "$UPDATEDIR" || exit 1
           wget -i "$UPDATEDIR/updateurl.txt"
           echo "finished downloading pattern file..."
           echo "extracting archive..."
           tar -xvf "$UPDATEDIR"/ptn*.*tar
           echo "Updating pattern..."
           cp lpt*.* /etc/iscan
           echo "Successfully updated pattern file."
           echo "logging update to log file..."
           echo "$(date +%Y%m%d) $NEW" >> /etc/iscan/pattern_update.log
           echo "$NEW" > /var/log/pattern.log
           # get whatsnew on the pattern and email sysadmin about it
           echo "sending report to the system administrator..."
           cat WHATSNEW*.* | /usr/bin/mail -s "Trend Pattern Update" <your_email>
           # now that trend is updated, take care of the important extra stuff
           # trophie's permission is set to a+rw for samba vscan purposes, edit to your liking
           if [ -e /var/run/trophie.pid ]; then
               echo "trophie was found and is running on this system..."
               echo "reloading trophie..."
               killall -HUP trophie
               chmod a+rw /var/run/trophie
               echo "trophie was successfully reloaded"
           else
               echo "No trophie was found running on this system..."
               /usr/local/bin/trophie -D
               chmod a+rw /var/run/trophie
               echo "trophie was successfully started"
           fi
       fi
       # make sure to erase the contents of /tmp/update
       cd "$UPDATEDIR" && rm -f ./*
       echo "temporary directory emptied..."
       echo "...vscan update script completed."
-- Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
