Apr 19
OpenSolaris 2008.11 ZFS with ‘on access’ virus scan
Although at home I only work with Macintosh and OpenSolaris computers and the risk of viruses and malware is rather slim, my files could be infected with PC viruses and I could send PC viruses to friends without knowing it. It is also very stupid to think that Macintosh computers are just safe and don’t need a virus scanner. So this is where this article came from: I installed ClamXav on my MacBooks and then started to look at my NAS. It’s running OpenSolaris, so... there must be a great way to secure that! (and there is!!)
We need a few ingredients to get this running, here are my steps:
- First of all, the SUNW packages for vscan (you should be able to install them if you haven’t got them)
# pkginfo |grep -i vscan
system SUNWvscankr Virus Scan Service Kernel (Root)
system SUNWvscanr Virus Scan Service (Root)
system SUNWvscanu Virus Scan Service (Usr)
- Install an antivirus daemon; I chose clamav, available from Blastwave (I’m not gonna explain how to install this, but in the end you should have a running daemon)
- We need to download c-icap from SourceForge, extract it and then compile it
# export LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib -lclamav"
# export CC=gcc
# export CXX=g++
# ./configure --prefix=/opt/icap --with-clamav=/opt/csw --with-perl=/bin/perl --with-zlib=/usr/lib --enable-large-files
# make
# make install
- Before we start it, we need to configure /opt/icap/etc/c-icap.conf (only the changed lines are shown)
CommandsSocket /tmp/c-icap.socket
User nobody
Logger sys_logger
acl localnet src 192.168.1.0/255.255.255.0
icap_access allow localnet
srv_clamav.MaxObjectSize 100M
And I commented out the Viralator portions, since I’m not going to use that.
# And here the viralator-like mode.
# where to save documents
# srv_clamav.VirSaveDir /srv/www/htdocs/downloads/
# from where the documents can be retrieved (you can find the get_file.pl script in contrib dir)
# srv_clamav.VirHTTPServer "http://fortune/cgi-bin/get_file.pl?usename=%f&remove=1&file="
# The refresh rate....
# srv_clamav.VirUpdateTime 15
# For which filetypes the "virelator like mode" will be used.
# srv_clamav.VirScanFileTypes ARCHIVE EXECUTABLE
- Now we need to make sure this service starts by itself; for this I modified the clamav SMF manifest into my own c-icap.xml and startup script
# cp svc-c-icap /var/opt/csw/svc/method/
# chmod +x /var/opt/csw/svc/method/svc-c-icap
# svccfg import c-icap.xml
# svcadm enable c-icap
- Now we can start with the ZFS stuff
# svcadm enable vscan
# zfs set vscan=on Maxtor1T/Data
# vscanadm add-engine datacapsule (replace datacapsule with the hostname of the server running c-icap; in my case I chose the hostname of the same server!)
# vscanadm get-engine datacapsule
# vscanadm set -p max-size=100M
# vscanadm show
max-size=100M
max-size-action=allow
types=+*
datacapsule:enable=on
datacapsule:host=localhost
datacapsule:port=1344
datacapsule:max-connection=32
- Now we need to test! Download the EICAR test file and put it on that ZFS volume
# cp /tmp/eicar.com /Maxtor1T/Data/pom
# tail /var/adm/messages
...
Apr 20 09:54:26 DataCapsule C-ICAP:: [ID 702911 local1.crit] general, VIRUS DETECTED:Eicar-Test-Signature.
Apr 20 09:54:26 DataCapsule Take action.......
Apr 20 09:54:26 DataCapsule
Apr 20 09:54:26 DataCapsule vscand: [ID 540744 daemon.notice] quarantine /Maxtor1T/Data/pom 0 - Eicar-Test-Signature;
# /usr/bin/ls -l/c /Maxtor1T/Data/pom
-rw-r--r-- 1 root root 68 Apr 20 09:54 /Maxtor1T/Data/pom
{A------mq-}
(That q stands for quarantined and all access is denied)
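As an added example that is not part of the original post, the following POSIX shell script checks the setup once the steps above are done: that vscan is on for the dataset, that the vscan service is online, that vscanadm has at least one enabled engine, whether oversized files are denied or passed through, and whether the EICAR copy ended up with the av_quarantined flag. It assumes an OpenSolaris host with zfs, svcs, vscanadm and the ls -/c sysattr display; the helper functions only parse command output, and the vscanadm show sample embedded in the script is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: a post-install check for
# the ZFS vscan + c-icap setup described above. The helpers work on captured
# command output so they can be tried on any box; live_check calls the real
# OpenSolaris commands (zfs, svcs, vscanadm, ls -l/c) only when present.

# $1 is the output of `ls -l/c FILE`, whose last line carries the compact
# system-attribute string, e.g. "{A------mq-}". Position 8 is av_modified
# (m) and position 9 av_quarantined (q). Returns 0 when the file is quarantined.
sysattr_quarantined() {
  flags=$(printf '%s\n' "$1" | sed -n 's/.*{\([^}]*\)}.*/\1/p' | head -n 1)
  [ "$(printf '%s' "$flags" | cut -c9)" = "q" ]
}

# Reads `vscanadm show` output on stdin and prints the name of every engine
# with enable=on, one per line. Returns 1 when no engine is enabled, which
# means vscand has nothing to hand files to.
enabled_engines() {
  found=1
  while IFS= read -r line; do
    case "$line" in
      *:enable=on) printf '%s\n' "${line%%:*}"; found=0 ;;
    esac
  done
  return "$found"
}

# Reads `vscanadm show` output on stdin. Returns 0 only if files larger than
# max-size are denied; with max-size-action=allow (the post's setting) such
# files are handed out without ever being scanned.
oversize_denied() {
  grep -q '^max-size-action=deny$'
}

# Constructed sample mirroring the `vscanadm show` output in the post.
SAMPLE_SHOW='max-size=100M
max-size-action=allow
types=+*
datacapsule:enable=on
datacapsule:host=localhost
datacapsule:port=1344
datacapsule:max-connection=32'

# Live check; $1 is the dataset, e.g. Maxtor1T/Data. Returns 0 when scanning
# is in place, 1 when something is off, 2 when run on a non-vscan host.
live_check() {
  ds=$1
  command -v vscanadm >/dev/null 2>&1 || { echo "vscanadm not found"; return 2; }
  [ "$(zfs get -H -o value vscan "$ds")" = "on" ] || { echo "vscan=off on $ds"; return 1; }
  [ "$(svcs -H -o state vscan)" = "online" ] || { echo "vscan service not online"; return 1; }
  vscanadm show | enabled_engines >/dev/null || { echo "no scan engine enabled"; return 1; }
  vscanadm show | oversize_denied || echo "note: files above max-size pass unscanned"
  mp=$(zfs get -H -o value mountpoint "$ds")
  if [ -f "$mp/pom" ] && sysattr_quarantined "$(ls -l/c "$mp/pom")"; then
    echo "$mp/pom carries the av_quarantined flag"
  fi
  return 0
}

# Only run the live check when a dataset is given on the command line.
if [ $# -gt 0 ]; then
  live_check "$1"
fi
```

Save it under any name (say check-vscan.sh, a name chosen here) and run `sh check-vscan.sh Maxtor1T/Data` on the NAS. The one thing it flags that the setup above does not catch is max-size-action=allow: with that setting a file bigger than max-size is served without being scanned at all, so on a share where large archives arrive it is worth switching to `vscanadm set -p max-size-action=deny` and raising max-size instead.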
References:
- http://blogs.sun.com/timthomas/entry/configuring_the_opensolaris_virus_scan (this helped me through with configuring vscand)
- http://www.c0t0d0s0.org/uploads/vscanclamav.pdf (helped me with compiling and configuring c-icap, but some other bits and pieces didn’t work for me)