
7. Integrating Daemon with Samba File Server

7.2. Plug-in of Dr.Web Samba SpIDer Module

Add the following section to the Samba configuration file (/etc/samba/smb.conf by default):

[drweb_audit]
comment = Dr.Web protected directory
path = /directory/to/protect/
vfs objects = smb_spider
writeable = yes
browseable = yes
guest ok = yes
public = yes

You must restart the Samba file server after editing the configuration file.

7.3. Start

The Dr.Web Samba SpIDer monitor is activated when the first client opens a shared resource on the server. After its initialization the following actions are performed:

● the versions of the Dr.Web Samba SpIDer interface and of the Samba server are checked;

● Dr.Web Samba SpIDer reads the configuration file (/etc/drweb/smb_spider.conf by default);

● Dr.Web Samba SpIDer starts monitoring client file operations.

At the first and second stages Dr.Web Samba SpIDer outputs information to the system log (syslog). By default the following values are specified for the parameters controlling operation of the syslogd system utility:

SyslogFacility = Daemon
SyslogPriority = Info

The recommended starting order is the following:

● Dr.Web Daemon;

● Dr.Web Samba VFS SpIDer.

Please note that if the Daemon is launched with rights insufficient to read (for anti-virus check) and write (for deletion, cure, etc.) files on a shared resource, it will by default operate in non-local scan mode and receive all necessary files via the socket. In this mode total system performance will be considerably reduced.

If you want to ensure the best performance, pay special attention to providing the Daemon with all the rights necessary to access shared resources.


7.4. Configuration

Dr.Web Samba VFS SpIDer can be used with default settings, but it is much more convenient to set it up according to your specific requirements and situation. Dr.Web Samba VFS SpIDer settings are stored in a configuration file (smb_spider.conf by default) located in the /etc/drweb/ directory. To use another configuration file, specify the full path to it in the smb.conf configuration file by adding the following string:

smb_spider: config = /my/new/path/smb_spider.conf

A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are described in the order they are presented in the main configuration file.

Address = {FAMILY : ADDRESS}

List of socket addresses of the Dr.Web Daemon. Addresses in the list are delimited by commas and specified in FAMILY:ADDRESS format. The FAMILY part can have one of the following values:

● inet — TCP sockets are used, ADDRESS is PORT@HOST;

● local — a UNIX socket is used, ADDRESS is SOCKETFILE;

● pid — the real address of the Daemon process from its pid-file is used, ADDRESS is PIDFILE.

Default value:

Address = pid:/var/drweb/run/drwebd.pid

Cache = {Yes | No}

Allows caching of the resolved IP address of the Daemon's host. Otherwise its IP address is requested each time a file needs to be scanned. This parameter is used only if the Daemon uses TCP sockets for communication.

Default value:

Cache = Yes

Timeout = {value in seconds}

Timeout for one scanning session. When the parameter value is set to 0, the maximum time for the scan of one file is not limited.

Default value:

Timeout = 120

UseTcpNodelay = {Yes | No}

The TCP_NODELAY parameter can be used to tune operation of the TCP socket if there are problems with the network.

Please do not change the default value if your connection to the network is stable and the network itself operates fine.

Default value:

UseTcpNodelay = No

HeuristicAnalysis = {Off | On}

Enables or disables heuristic detection of unknown viruses. Enabling heuristic analysis allows detection of unknown viruses using knowledge about the specific architecture of viral code. Because this type of detection is approximate, such objects are reported as «suspicious» rather than «infected». With this option disabled, only known viruses are detected by Dr.Web.

Some programs may trigger the heuristic analyzer and be named «suspicious» by mistake because their code resembles virus structure.

Besides, this mode may slightly increase virus scan time. These considerations may lead you to disable heuristic analysis. At the same time, heuristic analysis improves the reliability of antivirus protection. We recommend that you send all files detected by the heuristic analyzer to the developers using http://vms.drweb.com/sendvirus/ (preferably) or via e-mail [email protected]. Follow this procedure to upload files: make a password-protected archive, include the password in the message body and attach the Scanner report.

Default value:

HeuristicAnalysis = On

StripPath = {numeric value}

Allows removing a certain number of segments from the beginning of the specified scan path. When the value of this parameter is set to 0, the path stays unmodified. When the value is set to 1, the first segment is removed, including the slash («/») symbol. When the value is set to 2, two segments are removed from the beginning of the path, including the corresponding slash («/») symbols.

Example:

If we have /some/path/to/file.ext specified as a scan path, then:

● when StripPath = 1, the path will look like the following: path = some/path/to/file.ext

● when StripPath = 2, the path will look like the following: path = path/to/file.ext

Default value:

StripPath = 0

PrefixPath = {path to file}

Specifies a path segment to be added to the beginning of the scan path after its processing by the StripPath parameter. Please note that the value of this parameter must not end with a slash («/») symbol. The required slash is inserted into the new scan path automatically.

Example:

If we have /some/path/to/file.ext specified as a scan path, and after processing by the StripPath parameter with 2 set as its value it looks like the following:

path = path/to/file.ext

then after automatic insertion of the slash symbol and processing by PrefixPath = /just/another, it will look like the following:

path = /just/another/path/to/file.ext

Default value:

PrefixPath =
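The following Python model is added to this manual as an illustration of the StripPath and PrefixPath rules above; it is not Dr.Web's own code. It reproduces the manual's worked examples: the leading empty segment before the first slash counts as segment one, so StripPath = 1 only drops the leading slash, and PrefixPath is joined with an automatically inserted slash. The function names and the behaviour when StripPath exceeds the number of segments (an empty path) are assumptions.

```python
# Added example, not part of the Dr.Web manual or product code.
# Models the StripPath / PrefixPath rewriting of a scan path.

def strip_path(path: str, strip: int) -> str:
    """Apply StripPath: remove `strip` leading segments, each with its slash.

    The manual counts the empty segment before the leading slash as segment one:
    StripPath = 1 turns "/some/path/to/file.ext" into "some/path/to/file.ext",
    StripPath = 2 into "path/to/file.ext". StripPath = 0 leaves the path as is.
    """
    if strip <= 0:
        return path
    # Assumption: stripping more segments than the path has yields an empty path.
    return "/".join(path.split("/")[strip:])


def prefix_path(path: str, prefix: str) -> str:
    """Apply PrefixPath: prepend `prefix` and insert the joining slash.

    An empty prefix (the default) leaves the path untouched. The manual requires
    that the prefix not end with a slash, so that case is rejected here.
    """
    if not prefix:
        return path
    if prefix.endswith("/"):
        raise ValueError("PrefixPath must not end with a '/' symbol")
    return f"{prefix}/{path}"


def rewrite_scan_path(path: str, strip: int = 0, prefix: str = "") -> str:
    """StripPath is applied first, then PrefixPath, as the manual describes."""
    return prefix_path(strip_path(path, strip), prefix)


if __name__ == "__main__":
    p = "/some/path/to/file.ext"
    print(rewrite_scan_path(p, strip=1))                          # some/path/to/file.ext
    print(rewrite_scan_path(p, strip=2))                          # path/to/file.ext
    print(rewrite_scan_path(p, strip=2, prefix="/just/another"))  # /just/another/path/to/file.ext
```

A practical check when tuning these two parameters: the rewritten path is what the Daemon will open in local scan mode, so run a known file path through the same rewrite and confirm the result resolves to the same file from the Daemon's point of view; a path that resolves elsewhere produces a verdict for the wrong file.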

MaxFileSizeToScan = {value in Kbytes}

Maximum size of file for scan. When parameter value is set to 0, maximum file size is not limited.

Default value:

MaxFileSizeToScan = 0

ScanMode = {onWrite | onRead | onAccess}

This parameter can have one of the following values:

● onAccess — files are scanned on each attempt to open or run them and also on closing after creation or modification.

● onRead — files are scanned on each attempt to open or run them only. This mode increases operation speed, but decreases the antivirus protection level (an infected file can be copied to the shared directory and executed by a user who has local access to the shared resource, not via the Samba server).

● onWrite — files are scanned on closing after creation or modification only. This mode increases operation speed, but decreases the antivirus protection level (an infected file can be copied to the shared directory and executed by a user who has local access to the shared resource, not via the Samba server).

Default value:

ScanMode = onAccess

RewriteDataBase = {Yes | No}

When the parameter value is set to Yes, the cache of md5 hashes of infected and clean files is created from scratch each time a new user accesses the shared directory. All data cached during the previous session is overwritten.

Default value:

RewriteDataBase = Yes

BlockedCacheSize = {size in bytes}

Size of the cache storing md5 hashes of scanned infected (and therefore blocked) files. When the parameter value is set to 0, md5 hashes are not cached. This parameter increases operation speed: if the md5 hash of a requested file matches a cached md5 hash, the file is considered infected and is not sent to the Daemon for a repeated scan.

Default value:

BlockedCacheSize = 4096

AllowedCacheSize = {size in bytes}

Size of the cache storing md5 hashes of scanned clean files. When the parameter value is set to 0, md5 hashes are not cached.

This parameter increases operation speed: if the md5 hash of a requested file matches a cached md5 hash, the file is considered clean and is not sent to the Daemon for a repeated scan.

Default value:

AllowedCacheSize = 4096

LocalScan = {Yes | No}

Enables local scan mode, in which the Daemon receives only the path of a file rather than the whole file. With LocalScan = Yes the Daemon operates in local scan mode.

Default value:

LocalScan = Yes

In non-local scan mode, or when the Daemon does not have sufficient rights to access a certain file, Dr.Web Samba VFS SpIDer can perform actions on files independently.
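The Python model below is added here to show how the BlockedCacheSize and AllowedCacheSize caches described above let the module answer a request without sending the file to the Daemon; it is not Dr.Web's own code. The manual specifies only that a size of 0 disables caching and that a matching md5 hash returns the cached verdict; the class names, the stand-in Daemon callable, the accounting of one 16-byte digest per entry and the oldest-first eviction are assumptions.

```python
# Added example, not part of the Dr.Web manual or product code.
# Models the md5 verdict caches (BlockedCacheSize / AllowedCacheSize).
import hashlib
from collections import OrderedDict

MD5_DIGEST_BYTES = 16   # assumption: one cache entry is one raw md5 digest


class HashCache:
    """Bounded set of md5 digests. A size of 0 disables caching, as the manual states."""

    def __init__(self, size_bytes: int):
        self.capacity = size_bytes // MD5_DIGEST_BYTES
        self._entries = OrderedDict()   # insertion order lets us evict the oldest digest

    def add(self, digest: bytes) -> None:
        if self.capacity == 0:
            return                      # caching disabled: every file goes to the Daemon
        if digest in self._entries:
            self._entries.move_to_end(digest)
            return
        if len(self._entries) >= self.capacity:
            self._entries.popitem(last=False)   # assumption: evict the oldest entry
        self._entries[digest] = None

    def __contains__(self, digest: bytes) -> bool:
        return digest in self._entries

    def __len__(self) -> int:
        return len(self._entries)


class ScanGate:
    """Decides whether a requested file must be sent to the Daemon."""

    def __init__(self, blocked_cache_size: int, allowed_cache_size: int, daemon_scan):
        self.blocked = HashCache(blocked_cache_size)
        self.allowed = HashCache(allowed_cache_size)
        self.daemon_scan = daemon_scan   # callable(bytes) -> True if the Daemon reports infection
        self.daemon_calls = 0

    def check(self, content: bytes) -> str:
        digest = hashlib.md5(content).digest()
        if digest in self.blocked:
            return "blocked (cached)"    # known infected: access refused without a rescan
        if digest in self.allowed:
            return "allowed (cached)"    # known clean: access granted without a rescan
        self.daemon_calls += 1
        if self.daemon_scan(content):
            self.blocked.add(digest)
            return "blocked"
        self.allowed.add(digest)
        return "allowed"


# Constructed stand-in for the Daemon: flags any content carrying a marker string.
def fake_daemon(content: bytes) -> bool:
    return b"CONSTRUCTED-MALICIOUS-MARKER" in content


if __name__ == "__main__":
    gate = ScanGate(blocked_cache_size=4096, allowed_cache_size=4096, daemon_scan=fake_daemon)
    for data in (b"quarterly report", b"quarterly report", b"x CONSTRUCTED-MALICIOUS-MARKER"):
        print(gate.check(data))
    print("Daemon calls:", gate.daemon_calls)   # 2: the repeated file was served from cache
```

Because a cache hit skips the Daemon entirely, a cached verdict stands until the entry is evicted or, with RewriteDataBase = Yes, until the caches are rebuilt when a new user accesses the shared directory; any change to a file's bytes changes its md5 and forces a fresh scan.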

LicenseLimit = {reject | pass}

Action to be applied to files which have not been scanned due to license expiration. Possible values are:

● pass — allow access to the file,

● reject — block access to the file.

Default value:

LicenseLimit = reject

Infected = {reject | quarantine | discard | rename | cure}

Action to be applied to files infected with a known virus. Possible values are:

● cure — try to cure the infected file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

The rename mask looks like #??: the first character of the file extension is replaced by the «#» symbol, and all other subsequent characters are preserved. If the file has no extension, the new extension will consist only of the «#» symbol.

Default value:

Infected = quarantine
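As an added illustration of the #?? rename mask used by the rename action (this is not Dr.Web's code), the function below rewrites a file name the way the manual describes. The handling of a file without an extension (the extension becomes a lone «#») and of dot-files (treated as having no extension, as os.path.splitext does) is this example's reading of the manual, not something the manual spells out.

```python
# Added example, not part of the Dr.Web manual or product code.
# Applies the "#??" rename mask described for the rename action.
import os


def rename_mask(filename: str) -> str:
    """Replace the first character of the extension with '#', keep the rest.

    'file.ext' -> 'file.#xt'; a name without an extension gets '.#' appended
    (assumed reading of the manual's note about files with no extension).
    """
    stem, ext = os.path.splitext(filename)   # ext includes the leading dot
    if ext == "":
        return f"{stem}.#"
    return f"{stem}.#{ext[2:]}"               # ext[2:] skips the dot and the replaced character


if __name__ == "__main__":
    for name in ("invoice.exe", "archive.tar.gz", "README", ".profile"):
        print(f"{name} -> {rename_mask(name)}")
```

A renamed file keeps its contents; the rename only changes the name under which it would be opened, which is why the manual pairs the rename action with blocking access to the renamed file.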

Suspicious = {reject | quarantine | discard | rename | pass}

Action to be applied to suspicious files (possibly infected with an unknown virus). Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Suspicious = quarantine

Incurable = {reject | quarantine | discard | rename}

Action to be applied to files that cannot be cured. Possible values are:

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Incurable = quarantine

Adware = {reject | quarantine | discard | rename | pass}

Action to be applied to adware. Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Adware = quarantine

Dialers = {reject | quarantine | discard | rename | pass}

Action to be applied to dialer programs. Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Dialers = quarantine

Jokes = {reject | quarantine | discard | rename | pass}

Action to be applied to joke programs, which can scare or annoy the user. Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Jokes = quarantine

Riskware = {reject | quarantine | discard | rename | pass}

Action to be applied to riskware. Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Riskware = quarantine

Hacktools = {reject | quarantine | discard | rename | pass}

Action to be applied to programs used to gain unauthorized access to computer systems. Possible values are:

● pass — allow access to the file,

● rename — rename the file and block access to it,

● discard — delete the file,

● quarantine — move the file to quarantine and block access to it,

● reject — block access to the file.

Default value:

Hacktools = quarantine

Archives = {reject | quarantine | discard | rename}

Action to be applied to archives containing infected files. To enable deletion of such archives, set EnableDeleteArchiveAction = Yes in the main configuration file drweb32.ini. Possible values are:

● rename — rename the archive and block access to it,

● discard — delete the archive,

● quarantine — move the archive to quarantine and block access to it,

● reject — block access to the archive.

Default value:

Archives = quarantine

SkipObject = {reject | pass}

Action to be applied to files which cannot be scanned by the Daemon (password-protected or broken archives, symbolic links or non-regular files). Possible values are:

● pass — allow access to the file,

● reject — block access to the file.

Default value:

SkipObject = pass

ArchiveRestriction = {reject | pass}

Action to be applied to archives which cannot be scanned by the Daemon because they exceed the limits set for archives in the main configuration file drweb32.ini. Possible values are:

● pass — allow access to the file,

● reject — block access to the file.

Default value:

ArchiveRestriction = pass

ScanningErrors = {reject | pass}

Action to be applied to files causing Daemon errors during scan (e.g. the Daemon has run short of memory or does not have proper rights for further processing). Possible values are:

● pass — allow access to the file,

● reject — block access to the file.

Default value:

ScanningErrors = reject

ProcessingErrors = {reject | pass}

Action to be applied to files causing Samba SpIDer errors during scan (e.g. Samba VFS SpIDer was not configured properly or cannot connect to the Daemon). Possible values are:

● pass — allow access to the file,

● reject — block access to the file.

Default value:

ProcessingErrors = reject

SendNotifyToUser = {Off | On}

Allows notifying users about detection of a virus in a file. Windows Messenger (WinPopup) is used for sending notifications on Windows systems. LinPopup (for Linux) is used for sending notifications on UNIX systems. UNIX users must have a properly configured message receiving utility to receive these notifications.

Default value:

SendNotifyToUser = off

SendNotifyToAdmin = {Off | On}

Allows notifying the Administrator about events emerging during scan (e.g. detection of a virus). Windows Messenger (WinPopup) is used for sending notifications on Windows systems. LinPopup (for Linux) is used for sending notifications on UNIX systems. On UNIX systems it is also possible to send notifications via e-mail. To enable this option, add the following line to the smb.conf configuration file:

message command = /usr/bin/mail -s 'Messages from %f on %m' {address} < %s ; rm %s

where {address} is the e-mail address of the Administrator.

Default value:

SendNotifyToAdmin = off

AdminAddress = {Address}

IP address of the Administrator's computer.

Default value:

AdminAddress = "127.0.0.1"

ShellScriptForBlockedFile = {path to file}

Path to a shell script to be launched upon blocking of a file. Dr.Web Samba VFS SpIDer passes the following parameters to the script:

● FileName — name of the infected file;

● UserName — login name of the user who tried to open the infected file;

● UserHost — name of the host from which the user tried to open the infected file;

● DaemonReport — report from the Daemon.

An example of such a script can be found in the /opt/drweb/doc/samba/ directory (file smb_script.sh).

Default value:

ShellScriptForBlockedFile =

Quarantine = {path to directory}

Path to quarantine directory.

Default value:

Quarantine = /var/drweb/infected/
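The following handler is an added example for the ShellScriptForBlockedFile hook described above; it is not the smb_script.sh shipped in /opt/drweb/doc/samba/ and not Dr.Web's code. It turns the four parameters into one JSON-encoded syslog record, so that each blocked file becomes a single, machine-readable line for the SIEM. The assumption that the values arrive as positional arguments in the order FileName, UserName, UserHost, DaemonReport, the script name, the syslog identifier and the 512-character cap on the report are this example's choices; the detection name in the sample input is constructed.

```python
#!/usr/bin/env python3
# Added example, not part of the Dr.Web manual or product code.
# Handler for ShellScriptForBlockedFile: logs one structured record per blocked file.
# Assumption: invoked as  blocked_file_hook.py FileName UserName UserHost DaemonReport
import json
import sys
import syslog

REPORT_MAX_CHARS = 512   # assumption: keep a long Daemon report from flooding the log


def build_event(file_name: str, user_name: str, user_host: str, daemon_report: str) -> dict:
    """Collect the hook parameters into one record, keeping the values verbatim."""
    return {
        "event": "drweb_smb_blocked_file",
        "file": file_name,
        "user": user_name,
        "host": user_host,
        "report": daemon_report.strip()[:REPORT_MAX_CHARS],
    }


def format_event(event: dict) -> str:
    """Serialise as one JSON line; escaping keeps control characters or newlines
    that may appear in a file name from breaking the record across log lines."""
    return json.dumps(event, ensure_ascii=True, sort_keys=True)


def main(argv) -> int:
    if len(argv) != 5:
        sys.stderr.write("usage: blocked_file_hook.py FileName UserName UserHost DaemonReport\n")
        return 2
    line = format_event(build_event(*argv[1:5]))
    syslog.openlog("drweb-smb-hook", syslog.LOG_PID, syslog.LOG_DAEMON)
    syslog.syslog(syslog.LOG_ALERT, line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The file name and user name handed to the hook are chosen by whoever wrote the file to the share, so a handler should treat them as data: pass them as separate arguments or serialise them, as above, rather than splicing them into a command line that a shell will re-parse.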

QuarantineFilesMode = {access permissions}

Access permissions to files in quarantine.

Default value:

QuarantineFilesMode = 0660

Level = {Debug | Verbose | Info | Alerts | Errors | Quiet}

Log verbosity level.

Default value:

Level = Info

SyslogFacility = {Local7 | ... | Local0 | Daemon | Mail}

Log type when the syslogd system service is used for activity logging (please refer to the syslog documentation for further details).

Default value:

SyslogFacility = Daemon

SyslogPriority = {Alert | Notice | Info | Debug}

Priority of records when using the syslogd system service.

Default value:

SyslogPriority = Info

Dr.Web Samba VFS SpIDer can also receive configuration information from the Dr.Web Agent module. To enable this option, insert the following line into the smb.conf configuration file:

smb_spider: config = /var/drweb/ipc/.agent


8. «Dr.Web console for UNIX file servers»

Setup and configuration of «Dr.Web for UNIX file servers» can be performed via a separate web interface, «Dr.Web console for UNIX file servers». It is implemented as a plug-in to Webmin (detailed information about the Webmin interface is available on its official website at http://www.webmin.com/).

To achieve optimal performance of the «Dr.Web console for UNIX file servers» web interface, please make sure that the following Perl modules are installed on your system:

● XML::Parser — Perl module for parsing XML documents;

● XML::XPath — set of modules for parsing and evaluating XPath statements;

● Text::Iconv — Perl interface to the iconv() codeset conversion function;

● JSON — Perl module for parsing and converting to JSON (JavaScript Object Notation).

Web interface layout and appearance may differ depending on the Webmin version and browser used. All screenshots provided in this document were made with Webmin 1.450 and Firefox 3.0.7 (Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7) using default settings.
