ClamAV

Howard Wilkinson howard at cohtech.com
Fri Aug 21 11:24:54 UTC 2009


John Aldrich wrote:
> Is there any way to do on-access scanning with ClamAV *without* having Dazuko? 
> Someone posted a problem here earlier and it got me thinking. We *know* we 
> have a problem doing on-access scanning with ClamAV, and surely someone has 
> thought about trying to find a way around not being able to use Dazuko. Why 
> are we still having this problem with Dazuko??? Can someone not come up 
> with a better way to interface between file access calls and the antivirus 
> than having a kernel module that has to be recompiled each time? Not to 
> mention that due to an incompatibility with the way the kernel is compiled, 
> we can't compile Dazuko.
>
> Just something for some folks who can program to chew on. :-) I'm sure 
> there are some really good programmers out there. I'm not one of them, 
> unfortunately, or I'd take a crack at it. :-)
>
It is possible that a userland solution could be produced using the 
INOTIFY feature in the newer kernels. I have yet to use this myself so 
have little knowledge on its limitations, but reading the manual page it 
looks like directories can be monitored, so an opt-in scheme that 
monitored 'disc' by monitoring all of the directories in them and 
scanning newly created/altered files would work. This would find virus 
files once they have been created (but may not be able to delete them if 
another process has the handle open).

So there would be some windows of vulnerability, but this may be good 
enough.

An alternative for CIFS servers is to modify the SAMBA system to run 
Clamav on the files as they are written, so that file server clients see 
an on-write scan behaviour from the server. This is also a partial solution.

Of course this would need a programmer to find time to do this. I have 
the skills but not the time, ho hum!

Howard
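The inotify scheme Howard sketches, written out as an added example (not code from this thread or from ClamAV): every directory under an opted-in root is watched, new sub-directories get their own watch, and a file is handed to `scan(path)` only once its writer has closed it or it was moved in. It assumes Linux with libc reachable through ctypes, and that `scan` is any callable the caller supplies (a clamdscan wrapper, for instance).

```python
import ctypes
import os
import struct

IN_CLOSE_WRITE, IN_MOVED_TO, IN_CREATE, IN_ISDIR = 0x8, 0x80, 0x100, 0x40000000
WATCH_MASK = IN_CLOSE_WRITE | IN_MOVED_TO | IN_CREATE
HDR = struct.Struct("iIII")  # struct inotify_event header: wd, mask, cookie, len


def parse_events(buf):
    """Split one read() from the inotify fd into (wd, mask, name) tuples."""
    events, off = [], 0
    while off + HDR.size <= len(buf):
        wd, mask, cookie, length = HDR.unpack_from(buf, off)
        off += HDR.size
        name = buf[off:off + length].split(b"\0", 1)[0].decode()  # NUL-padded
        off += length
        events.append((wd, mask, name))
    return events


def classify(mask):
    """'watch' a new sub-directory (inotify watches are not recursive), 'scan' a
    file whose writer closed it or that was moved in, and ignore a bare IN_CREATE
    on a file: the writer still holds it open, so its content is incomplete."""
    if mask & IN_ISDIR:
        return "watch" if mask & (IN_CREATE | IN_MOVED_TO) else "ignore"
    return "scan" if mask & (IN_CLOSE_WRITE | IN_MOVED_TO) else "ignore"


def watch_tree(libc, fd, root, wd_to_dir):
    """Register every directory below root (the opted-in 'disc')."""
    for dirpath, _dirs, _files in os.walk(root):
        wd = libc.inotify_add_watch(fd, dirpath.encode(), WATCH_MASK)
        if wd >= 0:
            wd_to_dir[wd] = dirpath


def monitor(root, scan):
    """Loop forever, passing each finished file to scan(path) (assumed callable)."""
    libc = ctypes.CDLL(None, use_errno=True)  # Linux: libc symbols via ctypes
    fd = libc.inotify_init()
    wd_to_dir = {}
    watch_tree(libc, fd, root, wd_to_dir)
    while True:
        for wd, mask, name in parse_events(os.read(fd, 65536)):
            path = os.path.join(wd_to_dir.get(wd, root), name)
            action = classify(mask)
            if action == "watch":
                watch_tree(libc, fd, path, wd_to_dir)  # cover the new directory
            elif action == "scan":
                scan(path)
```

The window Howard describes remains: a file is only seen after the close, and a scan of a file another process still has open cannot be acted on reliably.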
