University of Applied Sciences Furtwangen, Germany Faculty of Computer Science - Computer Networking
Server-based Virus-protection On Unix/Linux
by Rainer Link
Advisor: Prof. Hannelore Frank
Advisor: Prof. Dr. Rainer Mueller
Finished: May 28, 2003
Public Release: August, 2003
Evaluation and development of server-based anti-virus solutions, running on Linux/Unix, using the Internet Content Adaptation Protocol (ICAP). The diploma thesis covers proof-of-concept solutions for a web proxy (Squid), an e-mail server (sendmail/postfix) and a file server (Samba), with the focus on the latter, aiming to provide a (fully-featured) product.
On 07/21/1999, I sent the first patch to the maintainer of the AMaViS project (A Mail Virus Scanner, http://www.amavis.org/, GPL'ed [1]) fixing the AntiViral Toolkit Pro/Linux call. Since then - among other stuff - I wrote and maintained several anti-virus modules (and still do). So, with the help of other people, AMaViS supports a wide range of anti-virus products. But wouldn't it be easier to maintain only one anti-virus module, implementing a common protocol, to support all those anti-virus scanners? Also, back in 1999, I was looking for an on-access virus scanning solution for Samba file servers [2], receiving a first Linux kernel-based solution via e-mail in June '99. More than a year later, I came across the Samba Virtual File System (VFS) [3]. Half a year later, I dug into the Samba VFS and started to work on a small piece of code which eventually became the samba-vscan project: on-access file scanning directly integrated into Samba (GPL'ed, too). As nearly all the code I wrote in the past years was put under an Open Source License, I decided to release this thesis under the terms of the GNU Free Documentation License.
[1] GNU General Public License, see http://www.gnu.org/copyleft/gpl.html
[2] see e.g. http://www.geocrawler.com/archives/3/281/1999/4/0/1652065/
[3] see e.g. http://sourceforge.net/mailarchive/forum.php?thread_id=219140&forum_id=4829
Overview of the Thesis
Chapter 1 gives an overview of computer viruses and some other types of malware, as well as anti-virus technologies and anti-virus deployment.
Chapter 2 explains possible means to integrate third-party anti-virus scanners into scripts and programs.
Chapter 3 discusses the Internet Content Adaptation Protocol (ICAP) with a focus on using this protocol for an anti-virus service. The developed "icapclient" utility for scanning any file on disk using an ICAP anti-virus facility is dissected, too. The results of some performance tests are discussed as well.
Chapter 4 briefly explains the use of AMaViS for protecting the mail server and the ICAP integration.
Chapter 5 shows two possible concepts for on-access, real-time scanning of Samba shares, focused on the direct Samba integration as implemented by the samba-vscan project. Results of file retrieval tests illustrate the impact on performance.
Chapter 6 discusses concepts for protecting HTTP/FTP transfers.
Chapter 7 summarizes the results and gives a short future outlook.
First of all, I'd like to thank my advisors Prof. Hannelore Frank and Prof. Dr. Rainer Mueller for their support, feedback and suggestions. A professional thank you goes to the following persons and/or companies:
• SuSE Linux AG for funding this diploma thesis and my AMaViS work for three years.
• Travis Priest, Rui Ataide (Symantec USA) and Gerald Maronde (Symantec Germany) for providing me with the latest Symantec AntiVirus Engine product before it was publicly available and for various ICAP/Symantec AntiVirus Scan Engine related discussions.
• Martin Stecher (WebWasher AG) for some e-mail exchange about ICAP and WebWasher; Oxana Herzog and Elka Plattmann for sending a special trial evaluation key for the WebWasher CSM suite.
• Christian Hofmann of DATSEC for offering the latest Kaspersky AntiVirus for File Servers and a one-year license key.