Hack 68 Scan a Network of Windows Computers for Viruses



Regardless of the size of your network, the cost of annual subscriptions for antivirus software can quickly become a pain in the . . . checkbook. Using FreeBSD's strength as a network server, how hard could it be to hack an easier and cheaper way to administer the antivirus battle?

The solution I found combines FreeBSD with two applications from the ports collection, ClamAV and Sharity-Light. As seen in [Hack #19], Sharity-Light can mount Windows shares. Once the shares are mounted, ClamAV will scan them for viruses.

6.16.1 Preparing the Windows Systems

For the systems you wish to virus scan, share their drives as follows:

  1. Open My Computer and right-click on the drive you wish to share. Select Sharing from the list of options that appear.

     If Sharing is not available, you will need to activate file sharing in the Network setting in Control Panel. Use Help if you're unsure of where to find this setting.

  2. In the Sharing tab of the Properties window, assign a name to the new share. I'll use cdrive in this example. Choose a name that is both useful to you and not already in use. (If a share already exists, click on New Share.)

  3. Unless your network is completely closed to the outside world, click on Permissions and limit the access to your user. You should only need read access for scanning purposes.

  4. If you need further assistance, search for "sharing" in Windows Help. (Click on the Start button and select Help.)

Once you've configured the Windows systems for sharing, it's time to prepare the FreeBSD system.

6.16.2 Preparing the FreeBSD System

Install and configure Sharity-Light [Hack #19]. Remember to edit /etc/hosts to reflect the NetBIOS names of the Microsoft systems.

Then, create a mount point. Since I'll be automating the process later on with a script, I need only one mount point. For now, I'll test the required steps using one system:

    # mkdir /mnt/winshare
    # shlight //winbox1/cdrive /mnt/winshare -U algould -P pwd
    Using port 1653 for NFS.

Here, I've mounted the cdrive share located on winbox1 to the /mnt/winshare mount point. This particular share has a username and password.

6.16.3 Installing and Running the Virus Scanner

ClamAV is a GPL antivirus application that can be used alone or as a daemon in conjunction with mail server tools such as milter or pop3vscan (both are available in the ports collection). Although ClamAV can detect and remove files that have been contaminated with viruses, it does not disinfect these files.

First, install ClamAV from the ports system:

    # cd /usr/ports/security/clamav
    # make install clean

The ClamAV port installs several executables, including clamd, clamdscan, clamscan, freshclam, and sigtool. Each of these commands has a manpage, as does clamav.conf, the configuration file.

For the purposes of this project, we will be using only clamscan and freshclam. Since we will not be activating clamd, we do not need to change the configuration file.

To update ClamAV's virus database, execute freshclam:

    # freshclam
    Current working dir is /usr/local/share/clamav
    Checking for a new database - started at Tue Dec 30 14:55:43 2003
    Connected to clamav.elektrapro.com.
    Reading md5 sum (viruses.md5): OK
    viruses.db is up to date.
    Reading md5 sum (viruses2.md5): OK
    Downloading viruses.db2 ........... done
    Database updated (containing in total 11983 signatures).
    Database updated from clamav.elektrapro.com.

Once you've updated the virus definitions, use clamscan to scan for viruses. You don't need to be the superuser, but you must be able to read the files and directories that you're scanning. Here's what happens when I scan an arbitrary file in my home directory:

    % clamscan todo.txt
    todo.txt: OK

    ----------- SCAN SUMMARY -----------
    Known viruses: 11982
    Scanned directories: 0
    Scanned files: 1
    Infected files: 0
    Data scanned: 0.00 Mb
    I/O buffer size: 131072 bytes
    Time: 0.241 sec (0 m 0 s)

One file scanned and no viruses found: good. When we scan the Windows share, however, we will want to scan directories recursively (using the -r option) and log the resulting report to a file (using the -l filename option).

To scan the Windows share mounted at /mnt/winshare and save the scan report to /var/log/clamscan.log, execute:

    # clamscan -l /var/log/clamscan.log -r /mnt/winshare

At this point, thousands of filenames fly by the console, ending in a report similar to the one shown earlier, which is saved to /var/log/clamscan.log. clamscan will create the report file if it does not exist. If the report file exists, it will append the new report to the existing file. You can review the report with any text editor.

By default, clamscan only reports that a file has been infected; it is up to you to remove the virus.

6.16.4 Automating the Process

Scanning a single share is nice, but it would be even better to scan all of the computers in the network at night. Since I can mount and scan a share without being prompted for additional information, I can automate these commands in a script.

I want each Windows system to be mounted, scanned, and unmounted in turn, and I want each system to have its own scan report log. Since I also want to put the report logs in a clamscan directory in /var/log, I need to create the directory. While I'm at it, I'll create the script file and make it readable and executable only by root:

    # mkdir /var/log/clamscan
    # touch /root/scanscript
    # chmod u+x,go-rwx /root/scanscript

Next, I'll use my favorite editor to add the commands to /root/scanscript:

    # more /root/scanscript
    #! /bin/sh
    # /root/scanscript
    # Sequentially mount Windows shares, scan them for viruses and unmount them.

    # update virus databases
    freshclam

    # winbox1
    shlight //winbox1/cdrive /mnt/winshare -U algould -P pwd
    clamscan -l /var/log/clamscan/winbox1 -r /mnt/winshare
    unshlight /mnt/winshare

    # winbox2
    shlight //winbox2/cdrive /mnt/winshare -U algould -P pwd
    clamscan -l /var/log/clamscan/winbox2 -r /mnt/winshare
    unshlight /mnt/winshare

    # winbox3
    shlight //winbox3/cdrive /mnt/winshare -U algould -P pwd
    clamscan -l /var/log/clamscan/winbox3 -r /mnt/winshare
    unshlight /mnt/winshare

Now I can execute the script at will or schedule its execution using cron.

As with any antivirus scanning policy, execute the script when users will be least affected and the scanned computers are up and running.
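A straight list of shlight/clamscan/unshlight commands has one weak spot: if a mount fails (the Windows box is switched off, or the password has changed), clamscan scans the empty mount point and the log for that host looks clean. The following script is an added example, not the book's own scanscript, that loops over the hosts, skips the scan when the mount fails, reads each host's result from clamscan's exit status (0 clean, 1 infected, 2 error, as documented in clamscan(1)) and takes the share password from a root-only file instead of the script text. The host names, share name, user name and the /root/.smbpass path are constructed values, not anything from the original hack.

```shell
#!/bin/sh
# /root/scanscript -- an added example, not the book's own script.
# Mounts each Windows share in turn, scans it with clamscan, unmounts it,
# skips the scan when a mount fails (otherwise clamscan would scan the empty
# mount point and the host would look clean) and reports each host's result
# from clamscan's exit status.

# Hosts, share name, mount point and log directory: constructed values that
# match the chapter's examples.
HOSTS="winbox1 winbox2 winbox3"
SHARE="cdrive"
MOUNTPOINT="/mnt/winshare"
LOGDIR="/var/log/clamscan"
SMBUSER="algould"
# Assumed: the share password is kept in a root-only file instead of in the
# script.  Create it with:  umask 077; echo 'pwd' > /root/.smbpass
PASSFILE="/root/.smbpass"

# The external commands, overridable through the environment so the control
# flow can be exercised on a machine without Sharity-Light or ClamAV.
SHLIGHT="${SHLIGHT:-shlight}"
UNSHLIGHT="${UNSHLIGHT:-unshlight}"
CLAMSCAN="${CLAMSCAN:-clamscan}"
FRESHCLAM="${FRESHCLAM:-freshclam}"

# scan_host HOST PASSWORD
# Returns 0 if the share is clean, 1 if infected files were found, 2 if
# clamscan itself failed (clamscan(1) uses these same three codes), and 3 if
# the share could not be mounted.
scan_host() {
    host="$1"
    pass="$2"
    if ! "$SHLIGHT" "//$host/$SHARE" "$MOUNTPOINT" -U "$SMBUSER" -P "$pass" >/dev/null 2>&1
    then
        echo "$host: mount of //$host/$SHARE failed, not scanned" >&2
        return 3
    fi
    "$CLAMSCAN" -l "$LOGDIR/$host" -r "$MOUNTPOINT" >/dev/null 2>&1
    rc=$?
    # Unmount whatever clamscan returned, so the next host gets a free mount point.
    "$UNSHLIGHT" "$MOUNTPOINT" >/dev/null 2>&1
    case $rc in
        0) echo "$host: clean" ;;
        1) echo "$host: INFECTED files found, see $LOGDIR/$host" ;;
        *) echo "$host: clamscan failed with exit status $rc" >&2; rc=2 ;;
    esac
    return $rc
}

# scan_all PASSWORD
# Scans every host in HOSTS and returns the number of hosts that were not
# confirmed clean (infected, scanner error or mount failure); 0 means all clean.
scan_all() {
    pass="$1"
    total=0
    bad=0
    for h in $HOSTS; do
        total=$((total + 1))
        scan_host "$h" "$pass" || bad=$((bad + 1))
    done
    echo "$bad of $total hosts not confirmed clean"
    return $bad
}

main() {
    mkdir -p "$LOGDIR"
    if [ ! -f "$PASSFILE" ]; then
        echo "$PASSFILE not found" >&2
        exit 2
    fi
    pass=$(cat "$PASSFILE")
    # A failed update is not fatal: scan with the database already on disk.
    "$FRESHCLAM" >/dev/null 2>&1 || echo "warning: freshclam failed, using the existing database" >&2
    scan_all "$pass"
}

# Run the scan only when invoked as "/root/scanscript run" (for example from
# cron); invoking or sourcing it without "run" just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Schedule it from root's crontab as `/root/scanscript run`; because the script's own exit status is the number of hosts not confirmed clean, cron's mail (or a wrapper that checks `$?`) tells you at a glance whether any host needs attention rather than requiring you to open every log under /var/log/clamscan.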


6.16.5 See Also

  • man clamscan

  • man freshclam

  • man clamd

  • man clamdscan

  • man clamav.conf

  • man sigtool

  • The Sharity-Light README and FAQ (/usr/local/share/doc/Sharity-Light/)

  • The Sharity-Light web site (http://www.obdev.at/products/sharity-light/)

  • The ClamAV web site (http://clamav.elektrapro.com/)



BSD Hacks
ISBN: 0596006799
Year: 2006
Pages: 160
Authors: Lavigne