By Tim Thomas on Apr 11, 2008
OpenSolaris includes features that enable virus scanning of files
accessed by CIFS and NFSv4 clients. You can read about the project on the OpenSolaris Project: VSCAN Service Home Page. The scanning model is similar to that discussed in this article in that files are sent (using the ICAP protocol) to external servers running anti-virus software to be scanned, a common model for NAS appliances.
Having set up the OpenSolaris CIFS server as described here,
I wanted to try out these services. Part of my job at Sun is to certify
anti virus software with our NAS products, so I am experienced in this
kind of testing.
As before, I am working on a Sun Fire X4500 with Solaris Nevada build 86 installed....
root@isv-x4500b # uname -a
SunOS isv-x4500b 5.11 snv_86 i86pc i386 i86pc
I have mostly presented the commands I have used as is, but I have occasionally had to edit fields.
I installed a copy of the Symantec Scan Engine Version 5.1 on a Windows server (hostname: scanengine) in my lab to provide the necessary scanning services. The Symantec Scan Engine has an ICAP protocol interface as standard, which enables the OpenSolaris VSCAN service to communicate with it.
I configured the Symantec Scan Engine in "Scan Only" mode, which means that it will notify the VSCAN service whether a file is infected or not; it will not attempt to repair infected files (i.e. it won't remove the virus). The response of the VSCAN service to being told that a file is infected is to set attributes on the file so that access is denied, i.e. the file is quarantined.
The VSCAN service is managed with the vscanadm command. The vscan service daemon, vscand, interacts with the scan engine to have the file scanned, sending the file contents to the scan engine via the ICAP protocol.
I wanted to enable virus scanning on a CIFS share called cifs2, which is a share off the ZFS file system tank/cifs2. The procedure was as follows:
1. Enable VSCAN Services
root@isv-x4500b # svcadm enable vscan
root@isv-x4500b # svcs vscan
STATE STIME FMRI
online 7:38:08 svc:/system/filesystem/vscan:icap
2. Enable Virus Scanning on the ZFS File System
root@isv-x4500b # zfs set vscan=on tank/cifs2
NOTE: In the next steps you should substitute the hostname of your server running anti virus software for scanengine.
3. Add a Scan Engine
root@isv-x4500b # vscanadm add-engine scanengine
root@isv-x4500b # vscanadm get-engine scanengine
NOTE: Port 1344 is the default for ICAP; it can be changed. If you change it you will also need to change the port used by the anti-virus software.
4. Optional Step - Set Maximum Size of File to Be Sent to Be Scanned
It is inefficient to scan very large files. Here we set the maximum size of a file to be scanned to 100 MB. If a file 100 MB in size or greater needs to be scanned, you have the option of allowing or denying access; in either case the file will not be scanned.
root@isv-x4500b # vscanadm set -p max-size=100M
root@isv-x4500b # vscanadm set -p max-size-action=deny
root@isv-x4500b # vscanadm show
5. Optional Step - Modify The List of Types of File to Scan
By default all file types are scanned. Here we remove files ending in "jpg" from the list of file types to be scanned.
root@isv-x4500b # vscanadm set -p types=-jpg,+\*
root@isv-x4500b # vscanadm show
6. Checking That Scanning is Working
You can get files from EICAR to test virus scanners. The files look like viruses to the scanners, but are safe to use.
I mounted the cifs2 share on a Windows server and created some files and folders on the share with no issues. I then dragged and dropped EICAR files from the Windows server's unprotected drive onto the share. When I tried to open an EICAR file on the share, access was denied.
Messages like the one below appeared in the system log.
Apr 9 08:13:09 isv-x4500b vscand: [ID 540744 daemon.warning] quarantine /tank/cifs2/eicar.com.txt 11101 - EICAR Test String
Back on the server running OpenSolaris I checked to see if files had actually been scanned, as below.
root@isv-x4500b # vscanadm stats
Files are being scanned and there are no scan errors!
Lastly, I also looked at the statistics on the Symantec Scan Engine GUI, which also confirmed that files were being scanned. Note that the numbers below do not match the output of vscanadm above as the screenshot was taken at a later time.
Access is denied to the infected files because the quarantine bit has been set. You can check for the q (quarantine) bit as follows...
root@isv-x4500b # ls -/c eicar.com.txt
----------+ 1 2147483649 2147483650 68 Apr 9 08:13 eicar.com.txt
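Once scanning is working, the quarantine messages in the system log are the record a defender will want to watch. The following POSIX shell script is an added example, not code from the original post or from OpenSolaris: it extracts vscand quarantine events from a syslog stream, assuming the message layout shown above (on Solaris the live log is normally /var/adm/messages), and handles quarantined paths that contain spaces.

```shell
#!/bin/sh
# Added example (not from the original post): pull vscand quarantine events
# out of a syslog stream so they can be reviewed or fed to monitoring.
# Expected line shape, taken from the message shown in the post:
#   Apr  9 08:13:09 host vscand: [ID 540744 daemon.warning] quarantine <path> <id> - <virus name>

# Read syslog lines on stdin; print one tab-separated record per quarantine:
#   timestamp, host, quarantined path, threat name as reported by the scan engine.
vscan_quarantines() {
    awk '
        # only vscand messages (with or without a [pid]) whose action is "quarantine"
        $5 ~ /^vscand(\[[0-9]+\])?:$/ && $0 ~ /\] quarantine / {
            ts   = $1 " " $2 " " $3
            host = $4
            rest = $0
            sub(/^.*\] quarantine /, "", rest)      # "<path> <id> - <virus name>"
            # the numeric id between path and name is the split point, so a
            # path containing spaces is still recovered intact
            if (match(rest, / [0-9]+ - /)) {
                path = substr(rest, 1, RSTART - 1)
                name = substr(rest, RSTART + RLENGTH)
                printf "%s\t%s\t%s\t%s\n", ts, host, path, name
            }
        }'
}

# Number of quarantine events in the stream (printed as a plain integer).
vscan_quarantine_count() {
    vscan_quarantines | awk 'END { print NR + 0 }'
}

# Per-threat tally, most frequent first.
vscan_threat_summary() {
    vscan_quarantines | cut -f4 | sort | uniq -c | sort -rn
}

# Constructed sample log: two vscand quarantines (one path with a space) and one
# unrelated smbd line that must be ignored. The smbd message id is made up.
SAMPLE_LOG='Apr  9 08:13:09 isv-x4500b vscand: [ID 540744 daemon.warning] quarantine /tank/cifs2/eicar.com.txt 11101 - EICAR Test String
Apr  9 08:13:10 isv-x4500b smbd[123]: [ID 000000 daemon.notice] client connected
Apr  9 08:14:02 isv-x4500b vscand: [ID 540744 daemon.warning] quarantine /tank/cifs2/docs/eicar test.zip 11101 - EICAR Test String'

# Against the live log you would run: vscan_quarantines < /var/adm/messages
printf '%s\n' "$SAMPLE_LOG" | vscan_quarantines
```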
For More Information