vfs_virusfilter — On access virus scanner
vfs objects = virusfilter
This is a set of various Samba VFS modules to scan and filter virus files on Samba file services with an anti-virus scanner.
This module is stackable.
The antivirus scan-engine.
sophos, the Sophos AV scanner
fsav, the F-Secure AV scanner
clamav, the ClamAV scanner
Path of local socket for the virus scanner.
If this option is not set, the default path depends on the configured AV scanning engine.
For the sophosbackend the default is /var/run/savdi/sssp.sock.
For the fsav backend the default is /tmp/.fsav-0.
For the fsav backend the default is /var/run/clamav/clamd.ctl.
Controls how long to wait on connecting to the virus scanning process before timing out. Value is in milliseconds.
If this option is not set, the default is 30000.
Controls how long to wait on communications with the virus scanning process before timing out. Value is in milliseconds.
If this option is not set, the default is 60000.
This option controls whether files are scanned on open.
If this option is not set, the default is yes.
This option controls whether files are scanned on close.
If this option is not set, the default is no.
This is the largest sized file, in bytes, which will be scanned.
If this option is not set, the default is 100MB.
This is the smallest sized file, in bytes, which will be scanned.
If this option is not set, the default is 10.
What to do with an infected file. The options are nothing, quarantine, rename, delete.
If this option is not set, the default is nothing.
What errno to return on open if the file is infected.
If this option is not set, the default is EACCES.
What errno to return on close if the file is infected.
If this option is not set, the default is 0.
Where to move infected files. This path must be an absolute path.
If this option is not set, the default is ".quarantine" relative to the share path.
Prefix for quarantined files.
If this option is not set, the default is "virusfilter.".
Suffix for quarantined files. This option is only used if keep name is true. Otherwise it is ignored.
If this option is not set, the default is ".infected".
Prefix for infected files.
If this option is not set, the default is "virusfilter.".
Suffix for infected files.
If this option is not set, the default is ".infected".
If keep tree is set, the directory structure relative to the share is maintained in the quarantine directory.
If this option is not set, the default is yes.
Should the file name be left unmodified other than adding a suffix and/or prefix and a random suffix name as defined in virusfilter:rename prefix and virusfilter:rename suffix.
If this option is not set, the default is yes.
External command to run on an infected file is found.
If this option is not set, the default is none.
This defines whether or not to scan archives.
Sophos and F-Secure support this and it defaults to false.
This defines the maximum depth to search nested archives.
The Sophos and F-Secure support this and it defaults to 1.
This defines whether or not to scan mime files.
Only the fsavscanner supports this option and defaults to false.
External command to run on scan error.
If this option is not set, the default is none.
Files to exclude from scanning.
If this option is not set, the default is empty.
Controls whether or not access should be blocked on a scanning error.
If this option is not set, the default is false.
What errno to return on open if there is an error in scanning the file and block access on error is true.
If this option is not set, the default is EACCES.
What errno to return on close if there is an error in scanning the file and block access on error is true.
If this option is not set, the default is 0.
The maximum number of entries in the scanning results cache. Due to how Samba's memcache works, this is approximate.
If this option is not set, the default is 100.
The maximum number of seconds that a scanning result will stay in the results cache. -1 disables the limit. 0 disables caching.
If this option is not set, the default is 10.
This is the octet mode for the quarantine directory and its sub-directories as they are created.
If this option is not set, the default is 0755 or S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH.
Permissions must be such that all users can read and search. I.E. don't mess with this unless you really know what you are doing.
With this option on, suspected malware will be blocked as well. Only the fsavscanner supports this option.
If this option is not set, the default is false.
This module can scan other than default streams, if the alternative datastreams are each backed as separate files, such as with the vfs module streams_depot.
For proper operation the streams support module must be before the virusfilter module in your vfs objects list (i.e. streams_depot must be called before virusfilter module).
This module is intended for security in depth by providing virus scanning capability on the server. It is not intended to be used in lieu of proper client based security. Other modules for security may exist and may be desirable for security in depth on the server.