TIP_Windows_Share_with_Antivirus
This explains how to set up a Windows share whose files are scanned whenever they are uploaded or changed.
Features
- reacts to changes and uploads
- only the changed file is scanned
- an infected file is moved to a separate directory
- a scan report is stored where the file was (as a text file)
Alternatives
- set up On-Access Antivirus scanning (if you don't mind tinkering with your kernel)
Starting point
You already installed
- clamav
- inotify-tools
You already set up
- /etc/clamd.conf
- freshclam works.
- The samba share already exists and works.
From there
Script description
What the script does:
- finds all files in the share $SHARE
- listens for changes using inotify
- passes the output of those two to clam(d)scan, which analyses each $FILE
- if the $FILE contains a virus, it is moved to $VIRUSDIR, and $FILE.txt is created containing a report
Installing
- Save the script below to something in your $PATH, like /usr/local/bin/scanshares
- (Set the variables according to your setup)
- Make sure $SHARE and $VIRUSDIR are owned by the user "nobody"
- Call it using
sudo -u nobody scanshares >/var/log/scanshares
- Watch /var/log/scanshares while you put a test virus file from EICAR into your share. After a few seconds, it should be replaced by a text file.
| File: /usr/local/bin/scanshares |
#!/bin/bash
# if you manage to create a file containing a virus
# whose filename itself matches a virus signature, you will send this script
# into an infinite loop ;-)
# private temp file for the last scan result (not a fixed, guessable name in /tmp)
TMPFILE=$(mktemp /tmp/lastscanresult.XXXXXX) || exit 1
SHARE=/srv/samba/
VIRUSDIR=/srv/samba/hasvirus/
VIRUSDB=/var/clamav/
#INOTIFYWAIT=/home/johannes/inotify-tools-3.13/src/inotifywait
INOTIFYWAIT=inotifywait
# the later assignment wins; comment out the one you do not use
# if you have no clamd
CLAMSCAN="clamscan --database $VIRUSDB --block-encrypted -i"
# if you have clamd (faster)
CLAMSCAN="clamdscan"
{
    # initial check
    find "$SHARE" -type f | while IFS= read -r line; do echo "$line|CLOSE_WRITE"; done
    # await changes
    # we need to listen to create, otherwise inotifywait doesn't follow in subdirs :-(
    "$INOTIFYWAIT" -q -m -r -e create -e close_write --format '%w%f|%e' "$SHARE"
} |
grep --line-buffered '|CLOSE_WRITE' | sed -u 's/|[^|]*$//' | # remove create events again, strip the event field
grep --line-buffered -vF "$VIRUSDIR" | # we know THOSE have virus
while IFS= read -r file; do
    echo "scanning $file"
    # $CLAMSCAN is left unquoted on purpose so that its options split into words
    $CLAMSCAN --no-summary "$file" > "$TMPFILE"
    if [ "$?" -eq 1 ]; then # exit status 1 means a virus was found
        mv -- "$file" "$VIRUSDIR"
        {
            echo 'The file contained a virus and was therefore removed.'
            cat "$TMPFILE"
        } > "$file.txt"
    fi
    echo "scanning $file done."
done
|
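The event-filtering stage of the pipeline (keep CLOSE_WRITE, drop everything under $VIRUSDIR) written as a pure-shell function, as an added example that is not part of the original script. The function names and the sample paths are assumptions made for illustration; the filter strips only the final |EVENTS field, so file names containing | survive, and it compares the quarantine path as a literal prefix.

```bash
#!/bin/bash
# Added example: filter for lines shaped like inotifywait's '%w%f|%e' output.

# filter_events QUARANTINE_DIR
# Reads "path|EVENTS" lines on stdin and prints the paths that should be scanned.
filter_events() {
    local quarantine=${1%/}/ line path events
    while IFS= read -r line; do
        events=${line##*|}   # text after the LAST '|' is the event list
        path=${line%|*}      # everything before it is the path, '|' included
        # inotifywait reports a close after write as "CLOSE_WRITE,CLOSE"
        case ",$events," in
            *,CLOSE_WRITE,*) ;;
            *) continue ;;   # e.g. CREATE, only watched to follow new subdirs
        esac
        # The quoted part of a case pattern is matched literally, not as a glob
        case "$path" in
            "$quarantine"*) continue ;;   # already quarantined
        esac
        printf '%s\n' "$path"
    done
}

# Constructed sample events (not captured from a real share)
sample_events() {
    printf '%s\n' \
        '/srv/samba/report.doc|CREATE' \
        '/srv/samba/report.doc|CLOSE_WRITE,CLOSE' \
        '/srv/samba/odd|name.bin|CLOSE_WRITE,CLOSE' \
        '/srv/samba/hasvirus/eicar.com|CLOSE_WRITE,CLOSE' \
        '/srv/samba/hasvirus.old/notes.txt|CLOSE_WRITE,CLOSE'
}

sample_events | filter_events /srv/samba/hasvirus/
```

File names containing a newline are still split into separate events, because both inotifywait's output and this filter are line-based.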
Links
- originally by Johannes Buchner: http://twoday.tuwien.ac.at/jo/stories/312310/
Last modified: Fri, 05 Sep 2008 15:27:00 +1000 Hits: 1,614
