Regardless of the size of your network, the cost of annual subscriptions for antivirus software can quickly become a pain in the . . . checkbook. Using FreeBSD's strength as a network server, how hard could it be to hack an easier and cheaper way to administer the antivirus battle?
The solution I found combines FreeBSD with ClamAV and Sharity-Light, both of which are found in the ports collection. As seen in [Hack #19], Sharity-Light can mount Windows shares. Once the shares are mounted, ClamAV will scan them for viruses.
6.16.1 Preparing the Windows Systems
For the systems you wish to virus scan, share their drives as follows:
Once you've configured the Windows systems for sharing, it's time to prepare the FreeBSD system.
6.16.2 Preparing the FreeBSD System
Install and configure Sharity-Light [Hack #19]. Remember to edit /etc/hosts to reflect the NetBIOS names of the Microsoft systems.
Then, create a mount point. Since I'll be automating the process later on with a script, I need only one mount point. For now, I'll test the required steps using one system:
# mkdir /mnt/winshare
# shlight //winbox1/cdrive /mnt/winshare -U algould -P pwd
Using port 1653 for NFS.
Here, I've mounted the cdrive share located on winbox1 to the /mnt/winshare mount point. This particular share has a username and password.
6.16.3 Installing and Running the Virus Scanner
ClamAV is a GPL antivirus application that can be used alone or as a daemon in conjunction with mail server tools such as milter or pop3vscan (both are available in the ports collection). Although ClamAV can detect and remove files that have been contaminated with viruses, it does not disinfect these files.
First, install ClamAV from the ports system:
# cd /usr/ports/security/clamav
# make install clean
The ClamAV port installs several executables, including clamd, clamdscan, clamscan, freshclam, and sigtool. Each of these commands has a manpage, as does clamav.conf, the configuration file.
For the purposes of this project, we will be using only clamscan and freshclam. Since we will not be activating clamd, we do not need to change the configuration file.
To update ClamAV's virus database, execute freshclam:
# freshclam
Current working dir is /usr/local/share/clamav
Checking for a new database - started at Tue Dec 30 14:55:43 2003
Connected to clamav.elektrapro.com.
Reading md5 sum (viruses.md5): OK
viruses.db is up to date.
Reading md5 sum (viruses2.md5): OK
Downloading viruses.db2 ........... done
Database updated (containing in total 11983 signatures).
Database updated from clamav.elektrapro.com.
Once you've updated the virus definitions, use clamscan to scan for viruses. You don't need to be the superuser, but you must be able to read the files and directories that you're scanning. Here's what happens when I scan an arbitrary file in my home directory:
% clamscan todo.txt
todo.txt: OK
----------- SCAN SUMMARY -----------
Known viruses: 11982
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 Mb
I/O buffer size: 131072 bytes
Time: 0.241 sec (0 m 0 s)
One file scanned and no viruses found; good. When we scan the Windows share, however, we will want to scan directories recursively (using the -r option) and log the resulting report to a file (using the -l filename option).
To scan the Windows share mounted at /mnt/winshare and save the scan report to /var/log/clamscan.log, execute:
# clamscan -l /var/log/clamscan.log -r /mnt/winshare
At this point, thousands of filenames fly by the console, ending in a report similar to the one shown earlier, which is saved to /var/log/clamscan.log. clamscan will create the report file if it does not exist. If the report file exists, it will append the new report to the existing file. You can review the report with any text editor.
By default, clamscan only reports that a file has been infected; it is up to you to remove the virus.
6.16.4 Automating the Process
Scanning a single share is nice, but it would be even better to scan all of the computers in the network at night. Since I can mount and scan a share without being prompted for additional information, I can automate these commands in a script.
I want each Windows system to be mounted, scanned, and unmounted in turn, and I want each system to have its own scan report log. Since I also want to put the report logs in a clamscan directory in /var/log, I need to create the directory. While I'm at it, I'll create the script file and make it readable and executable only by root:
# mkdir /var/log/clamscan
# touch /root/scanscript
# chmod u+x,go-rwx /root/scanscript
Next, I'll use my favorite editor to add the commands to /root/scanscript:
# more /root/scanscript
#! /bin/sh
# /root/scanscript
# Sequentially mount Windows shares, scan them for viruses and unmount them.
# update virus databases
freshclam
# winbox1
shlight //winbox1/cdrive /mnt/winshare -U algould -P pwd
clamscan -l /var/log/clamscan/winbox1 -r /mnt/winshare
unshlight /mnt/winshare
# winbox2
shlight //winbox2/cdrive /mnt/winshare -U algould -P pwd
clamscan -l /var/log/clamscan/winbox2 -r /mnt/winshare
unshlight /mnt/winshare
# winbox3
shlight //winbox3/cdrive /mnt/winshare -U algould -P pwd
clamscan -l /var/log/clamscan/winbox3 -r /mnt/winshare
unshlight /mnt/winshare
Now I can execute the script at will or schedule its execution using cron.
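As an added example (not the book's script), here is the same mount/scan/unmount cycle written as a loop that skips the scan when a mount fails, together with a small summary of the per-host reports; the host names, the cdrive share, the algould/pwd credentials and the /var/log/clamscan directory are the ones assumed by the hack above, and the reports fed to the summary are constructed.

```shell
#!/bin/sh
# Added example, not the book's /root/scanscript: the same mount/scan/unmount
# cycle as a loop with a mount check, plus a summary of the per-host reports.
# Hosts, share, credentials and log directory are those assumed by the hack.

MNT=/mnt/winshare
LOGDIR=/var/log/clamscan
HOSTS="winbox1 winbox2 winbox3"

# Mount one host's share, scan it into its own report, unmount.  If the mount
# fails the scan is skipped and the failure is logged, so an unreachable box
# does not produce a clean-looking report of an empty mount point.
scan_host() {
    host=$1
    if ! shlight "//$host/cdrive" "$MNT" -U algould -P pwd; then
        echo "$(date) mount of //$host/cdrive failed, not scanned" >> "$LOGDIR/$host"
        return 1
    fi
    clamscan -l "$LOGDIR/$host" -r "$MNT"
    unshlight "$MNT"
}

# Update signatures once, then scan every host in turn (this is what cron runs).
scan_all() {
    freshclam
    for h in $HOSTS; do scan_host "$h"; done
}

# Print "host count" per report, taking the count from the last "Infected
# files:" line (clamscan appends a new report on every run); "unknown" if none.
report_hosts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(grep 'Infected files:' "$f" | tail -n 1 | awk '{print $3}')
        echo "$(basename "$f") ${n:-unknown}"
    done
}

# Print only the hosts whose latest report shows one or more infected files.
infected_hosts() {
    report_hosts "$1" | awk '$2 ~ /^[0-9]+$/ && $2 > 0 {print $1}'
}

# Demonstration on constructed reports (no mounts or clamscan needed).
demo=$(mktemp -d)
printf 'todo.txt: OK\n----------- SCAN SUMMARY -----------\nInfected files: 0\n' > "$demo/winbox1"
printf 'a.exe: Sample.Sig FOUND\n----------- SCAN SUMMARY -----------\nInfected files: 2\n' > "$demo/winbox2"
printf 'mount of //winbox3/cdrive failed, not scanned\n' > "$demo/winbox3"
echo "Hosts needing attention: $(infected_hosts "$demo")"
rm -rf "$demo"
```

Run scan_all from cron in place of the three hand-written blocks; report_hosts /var/log/clamscan the next morning tells you which machines need a visit and which ones could not be mounted at all.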
6.16.5 See Also