# SAMBA -:- Working With ClamAV

## KristyX

Hi!

I'm trying to get my Samba running together with ClamAV but without the printers

as described in the Gentoo Docs.

I did emerge my SAMBA with the USE options defined in the docs and

emerged clamav. But after adding the VFS part in smb.conf that deals

with the clamav integration, testparm spits out the following:

```

root@kristy kristy # testparm

Load smb config files from /etc/samba/smb.conf

Unknown parameter encountered: "vfs options"

Ignoring unknown parameter "vfs options"

Processing section "[guests]"

Loaded services file OK.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

```

Obviously, the part that SAMBA is having trouble with is:

   vfs options = config-file = /etc/samba/vscan-clamav.conf

But why?

Has anyone managed to get ClamAV running with SAMBA to scan

shares automatically?

Thanks a bunch!

~Kristy

/etc/samba/smb.conf

```

[global]

   workgroup = MAIN-ONE

   server string =

                                                                                

   log file = /var/log/samba3/log.%m

   max log size = 50

                                                                                

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   interfaces = lo eth0

   bind interfaces only = yes

   hosts allow = 127.0.0.1 192.168.0.1/24

   hosts deny = 0.0.0.0/0

                                                                                

   security = share

   guest account = guest

   encrypt passwords = yes

   smb passwd file = /etc/samba/private/smbpasswd

                                                                                

   vfs object = /usr/lib/samba/vfs/vscan-clamav.so

   vfs options = config-file = /etc/samba/vscan-clamav.conf

                                                                                

[guests]

   comment = Public Shared Folder

   path = /tmp/shares

   guest ok = yes

   guest only = yes

   read only = no

```

----------

## KristyX

By the way, my vscan config is:

/etc/samba/vscan-clamav.conf

```

[samba-vscan]                                                                          

max file size = 0

verbose file logging = no

                                                                                

scan on open = yes

scan on close = yes

deny access on error = yes

deny access on minor error = yes

                                                                                

send warning message = yes

infected file action = delete

quarantine directory  = /tmp/badshares

quarantine prefix = vir-

                                                                                

max lru files entries = 100

lru file entry lifetime = 5

clamd socket name = /var/run/clamd

```

----------

## jcosters

for samba 2.2.x use:

```
vfs object = /usr/lib/samba/vfs/vscan-clamav.so

vfs options = config-file = /etc/samba/vscan-clamav.conf
```

for samba 3.x use:

```
vfs object = vscan-clamav

vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
```

Last edited by jcosters on Fri May 21, 2004 3:55 pm; edited 1 time in total

----------

## jcosters

also, you need to explicitly edit /etc/conf.d/clamd to enable the scanner to startup when running /etc/init.d/clamd start

you can also set some other parameters there like the log file locations.

also, you need to edit /etc/clamav.conf, remove the bogus example line and set the socket file to /var/run/clamd

you might want to configure this file some more.

also, you need a /etc/samba/vscan-clamav.conf file which you can find (a sample) in the samba-vscan docs.

here you can tweak the behaviour of the scanner when used by samba.

then your setup should work

----------

## KristyX

Thank you so much for replying! I almost gave up hope of ever getting 

Samba working with Clam  :Very Happy: 

The line worked! Samba starts without a hitch now  :Very Happy: 

The thing is, using the sample virus-infected file from eicar.org, I copied it 

into my shared folder through the network browser and it pasted without any

trouble  :Confused:  No error message, no access denied or anything.

Any ideas?

Thanks,

~Kristy

--------------------

/var/log/clamd.log

```

Sat May 22 08:59:12 2004 -> +++ Started at Sat May 22 08:59:12 2004

Sat May 22 08:59:12 2004 -> Log file size limited to 2097152 bytes.

Sat May 22 08:59:12 2004 -> Reading databases from /var/lib/clamav

Sat May 22 08:59:13 2004 -> Protecting against 21635 viruses.

Sat May 22 08:59:13 2004 -> Unix socket file /var/run/clamd

Sat May 22 08:59:13 2004 -> Setting connection queue length to 15

Sat May 22 08:59:13 2004 -> Archive: Archived file size limit set to 10485760 bytes.

Sat May 22 08:59:13 2004 -> Archive: Recursion level limit set to 5.

Sat May 22 08:59:13 2004 -> Archive: Files limit set to 1000.

Sat May 22 08:59:13 2004 -> Archive: Compression ratio limit set to 200.

Sat May 22 08:59:13 2004 -> Archive support enabled.

Sat May 22 08:59:13 2004 -> RAR support disabled.

Sat May 22 08:59:13 2004 -> Mail files support disabled.

Sat May 22 08:59:13 2004 -> OLE2 support enabled.

Sat May 22 08:59:13 2004 -> Self checking every 3600 seconds.

```

/etc/clamav.conf

```

# Comment or remove the line below.

# Example

LogFile /var/log/clamd.log

#LogFileUnlock

LogFileMaxSize 2M

LogTime

#LogClean

#LogSyslog

#LogVerbose

#PidFile /var/run/clamd.pid

#TemporaryDirectory /var/tmp

#DatabaseDirectory /var/lib/clamav

LocalSocket /var/run/clamd

#FixStaleSocket

#TCPSocket 3310

TCPAddr 127.0.0.1

#MaxConnectionQueueLength 30

#StreamSaveToDisk

#StreamMaxLength 10M

#MaxThreads 10

#ReadTimeout 300

MaxDirectoryRecursion 15

#FollowDirectorySymlinks

#FollowFileSymlinks

#SelfCheck 600

#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"

#User clamav

#AllowSupplementaryGroups

#Foreground

#Debug

##

## Document scanning

##

ScanOLE2

#ScanMail

ScanArchive

#ScanRAR

ArchiveMaxFileSize 10M

ArchiveMaxRecursion 5

ArchiveMaxFiles 1000

ArchiveMaxCompressionRatio 200

#ArchiveLimitMemoryUsage

#ArchiveBlockEncrypted

#ClamukoScanOnAccess

ClamukoScanOnOpen

ClamukoScanOnClose

ClamukoScanOnExec

ClamukoIncludePath /home

#ClamukoIncludePath /students

#ClamukoExcludePath /home/guru

ClamukoMaxFileSize 1M

ClamukoScanArchive

```

/etc/samba/vscan-clamav.conf

```

[samba-vscan]

; run-time configuration for vscan-samba using

; clamd -- all options are set to default values

max file size = 0

verbose file logging = no

scan on open = yes

scan on close = yes

deny access on error = yes

deny access on minor error = yes

send warning message = yes

infected file action = delete

quarantine directory  = /tmp/badshares

quarantine prefix = vir-

max lru files entries = 100

lru file entry lifetime = 5

clamd socket name = /var/run/clamd

```

/etc/samba/smb.conf

```

[global]

   workgroup = MAIN-ONE

   server string = 

   log file = /var/log/samba3/log.%m

   max log size = 50

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   interfaces = lo eth0

   bind interfaces only = yes

   hosts allow = 127.0.0.1 192.168.0.1/24

   hosts deny = 0.0.0.0/0

   security = share

   guest account = guest

   encrypt passwords = yes

   smb passwd file = /etc/samba/private/smbpasswd

   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[guests]

   comment = Public Shared Folder

   path = /tmp/shares

   guest ok = yes

   guest only = yes

   read only = no

```

----------

## jcosters

You need an extra line in smb.conf (see below). Now your scanner is running, but it isn't called by samba.

My /var/log/clamav/clamd.log:

```
Thu May 20 18:58:39 2004 -> +++ Started at Thu May 20 18:58:39 2004

Thu May 20 18:58:39 2004 -> Log file size limited to 1048576 bytes.

Thu May 20 18:58:39 2004 -> Verbose logging activated.

Thu May 20 18:58:39 2004 -> Setting /tmp as global temporary directory

Thu May 20 18:58:39 2004 -> Reading databases from /var/lib/clamav

Thu May 20 18:58:42 2004 -> Protecting against 21622 viruses.

Thu May 20 18:58:45 2004 -> Unix socket file /var/run/clamd

Thu May 20 18:58:45 2004 -> Setting connection queue length to 20

Thu May 20 18:58:45 2004 -> Listening daemon: PID: 10132

Thu May 20 18:58:45 2004 -> Archive: Archived file size limit set to 10485760 bytes.

Thu May 20 18:58:45 2004 -> Archive: Recursion level limit set to 5.

Thu May 20 18:58:45 2004 -> Archive: Files limit set to 1000.

Thu May 20 18:58:45 2004 -> Archive: Compression ratio limit set to 200.

Thu May 20 18:58:45 2004 -> Archive support enabled.

Thu May 20 18:58:45 2004 -> RAR support enabled.        

Thu May 20 18:58:45 2004 -> Mail files support disabled.

Thu May 20 18:58:45 2004 -> OLE2 support enabled.

Thu May 20 18:58:45 2004 -> Self checking every 3600 seconds.

Fri May 21 17:49:45 2004 -> No stats for Database check - forcing reload

Fri May 21 17:49:45 2004 -> /home/jonathan/eicar.com: Eicar-Test-Signature FOUND

Fri May 21 17:49:45 2004 -> Reading databases from /var/lib/clamav

Fri May 21 17:49:51 2004 -> Database correctly reloaded (21635 viruses)

Fri May 21 17:50:11 2004 -> /home/jonathan/eicarcom2.zip: Eicar-Test-Signature FOUND

Fri May 21 18:08:17 2004 -> /home/jonathan/eicar.com: Eicar-Test-Signature FOUND

Fri May 21 18:08:41 2004 -> /home/jonathan/eicarcom2.zip: Eicar-Test-Signature FOUND

Fri May 21 18:37:35 2004 -> /home/jonathan/eicarcom2.zip: Eicar-Test-Signature FOUND

Fri May 21 18:51:55 2004 -> SelfCheck: Database status OK.
```

My /etc/samba/vscan-clamav.conf:

```
[samba-clamav]

max file size = 0

verbose logging = no

scan on open = yes

scan on close = yes

deny access on error = yes

deny access on minor error = yes

send warning message = yes

infected file action = delete

max lru files entries = 100

lru file entry lifetime = 5

clamd socket name = /var/run/clamd
```

My /etc/conf.d/clamd:

```
# Config file for /etc/init.d/clamd

START_CLAMD=yes

CLAMD_OPTS=""

CLAMD_LOG=""

START_FRESHCLAM=yes

FRESHCLAM_OPTS="-d -c 2"

FRESHCLAM_LOG="/var/log/clamav/clam-update.log"
```

My relevant /etc/samba/smb.conf entries (you need the vfs object line too):

```
vfs object = vscan-clamav

vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
```

BTW - you only get the virus warning messages if you are in the same NT workgroup as your samba server, I found that out the hard way.

----------

## KristyX

Thank you *so* much Ice-O-Lator.. I don't get a warning message but the

eicar.com file doesn't get copied either  :Very Happy: 

~Kristy

----------

## jcosters

no problem kristyX

I had to figure the lot out analysing samba's and clamd's logs, it took me some days to get it all to work. I think the official documentation should be updated.

Anyway, when you add

```
send warning message = yes
```

inside your /etc/samba/vscan-clamav.conf

you normally should get a warning message sent by samba through the "net send" NT command when you try to open/close an infected file.  you only receive it on the same workgroup.

Also, access to the infected file should be denied.

In my setup the file gets deleted immediately after virus detection, because I haven't found a way to repair infected files in Linux, so quarantining makes no sense to me. 

Anyone got some other point of view?

----------

## thekk

 *Quote:*   

> In my setup the file gets deleted immediately after virus detection, because I haven't found a way to repair infected files in Linux, so quarantining makes no sense to me.
> 
> Anyone got some other point of view?

 

Thanks for this great thread, now my all of my samba shares are protected through the virusscanner.

And on the other point of view: if you get a virus that tries to modify your files to attach itself to it, it might be able to recover the quarantined file in windows. You can copy them from the quaratine location (for example /tmp) through ssh and recover them on windows after the the client is cleaned. Then you can copy them back to the server.

----------

## KristyX

Okay, for some reason the users on my network aren't able to access my computer and list the shares.

This happened awhile back but I didn't have time to investigate.. basically, one day everything was fine and the next, it was not.

I'm not sure what could be the problem.. has anyone got any ideas why it can't find the vfs module??

Thanks,

Kristy

/var/log/samba3/log.christie

```

[2004/09/02 14:10:32, 0] smbd/vfs.c:vfs_init_custom(256)

  Can't find a vfs module [vscan-clamav]

[2004/09/02 14:10:32, 0] smbd/vfs.c:smbd_vfs_init(319)

  smbd_vfs_init: vfs_init_custom failed for vscan-clamav

[2004/09/02 14:10:32, 0] smbd/service.c:make_connection_snum(502)

  vfs_init failed for service IPC$                                                                                

```

I have no idea what's wrong.. samba's testparm shows:

```

root@kristy samba3 # testparm

Load smb config files from /etc/samba/smb.conf

Processing section "[guests]"

Loaded services file OK.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

                                                                                

# Global parameters

[global]

        workgroup = MAIN-ONE

        server string =

        interfaces = lo, eth0

        bind interfaces only = Yes

        security = SHARE

        guest account = guest

        log file = /var/log/samba3/log.%m

        max log size = 50

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        vscan-clamav:config-file = /etc/samba/vscan-clamav.conf

        hosts allow = 127.0.0.1, 192.168.0.1/24

        hosts deny = 0.0.0.0/0

        vfs objects = vscan-clamav

 

[guests]

        comment = Public Shared Folder

        path = /tmp/shares

        read only = No

        guest only = Yes

        guest ok = Yes

```

And ClamAV doesn't seem to be having any troubles either:

/var/log/clamd.log

```

Thu Sep  2 14:10:17 2004 -> +++ Started at Thu Sep  2 14:10:17 2004

Thu Sep  2 14:10:17 2004 -> clamd daemon 0.75 (OS: linux-gnu, ARCH: i386, CPU: i686)

Thu Sep  2 14:10:17 2004 -> Log file size limited to 2097152 bytes.

Thu Sep  2 14:10:17 2004 -> Reading databases from /var/lib/clamav

Thu Sep  2 14:10:18 2004 -> Protecting against 23725 viruses.

Thu Sep  2 14:10:19 2004 -> Unix socket file /var/run/clamd

Thu Sep  2 14:10:19 2004 -> Setting connection queue length to 15

Thu Sep  2 14:10:19 2004 -> Archive: Archived file size limit set to 10485760 bytes.

Thu Sep  2 14:10:19 2004 -> Archive: Recursion level limit set to 5.

Thu Sep  2 14:10:19 2004 -> Archive: Files limit set to 1000.

Thu Sep  2 14:10:19 2004 -> Archive: Compression ratio limit set to 200.

Thu Sep  2 14:10:19 2004 -> Archive support enabled.

Thu Sep  2 14:10:19 2004 -> RAR support disabled.

Thu Sep  2 14:10:19 2004 -> Mail files support disabled.

Thu Sep  2 14:10:19 2004 -> OLE2 support enabled.

Thu Sep  2 14:10:19 2004 -> Self checking every 3600 seconds.

```

/var/log/clam-update.log

```

freshclam daemon 0.75 (OS: linux-gnu, ARCH: i386, CPU: i686)

ClamAV update process started at Thu Sep  2 14:10:19 2004

main.cvd is up to date (version: 26, sigs: 22925, f-level: 2, builder: tomek)

daily.cvd is up to date (version: 477, sigs: 802, f-level: 2, builder: diego)

--------------------------------------

```

----------

## jcosters

 *KristyX wrote:*   

> 
> 
> ```
> vfs objects = vscan-clamav
> ```
> ...

 

should read:

```
vfs object = vscan-clamav
```

But I guess that's just a typo, right?

----------

## jcosters

 *thekk wrote:*   

> 
> 
> on the other point of view: if you get a virus that tries to modify your files to attach itself to it, it might be able to recover the quarantined file in windows. You can copy them from the quaratine location (for example /tmp) through ssh and recover them on windows after the the client is cleaned. Then you can copy them back to the server.

 

That should work indeed.

----------

## KristyX

Okay, that's really weird.

My smb.conf file states:

/etc/samba/smb.conf

```

[global]

   workgroup = MAIN-ONE

   server string =

                                                                                                                                         

   log file = /var/log/samba3/log.%m

   max log size = 50

                                                                                                                                         

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   interfaces = lo eth0

   bind interfaces only = yes

   hosts allow = 127.0.0.1 192.168.0.1/24

   hosts deny = 0.0.0.0/0

                                                                                                                                         

   security = share

   guest account = guest

   encrypt passwords = yes

   smb passwd file = /etc/samba/private/smbpasswd

                                                                                                                                         

   vfs object = vscan-clamav

   vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

                                                                                                                                         

[guests]

   comment = Public Shared Folder

   path = /tmp/shares

   guest ok = yes

   guest only = yes

   read only = no

```

But testparm spits out:

```

kristy@kristy kristy $ testparm

Load smb config files from /etc/samba/smb.conf

Processing section "[guests]"

Loaded services file OK.

Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

 

# Global parameters

[global]

        workgroup = MAIN-ONE

        server string =

        interfaces = lo, eth0

        bind interfaces only = Yes

        security = SHARE

        guest account = guest

        log file = /var/log/samba3/log.%m

        max log size = 50

        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

        vscan-clamav:config-file = /etc/samba/vscan-clamav.conf

        hosts allow = 127.0.0.1, 192.168.0.1/24

        hosts deny = 0.0.0.0/0

        vfs objects = vscan-clamav

 

[guests]

        comment = Public Shared Folder

        path = /tmp/shares

        read only = No

        guest only = Yes

        guest ok = Yes

```

Why does testparm show "vfs objects" when it clearly states that it's using /etc/samba/smb.conf?

I increased Samba's Debug Level to 2 and when the computer "Isaac" tries to connect:

/var/log/samba3/log.isaac

```

[2004/09/02 20:15:49, 2] smbd/sesssetup.c:setup_new_vc_session(602)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2004/09/02 20:15:49, 2] lib/access.c:check_access(324)

  Allowed connection from  (192.168.0.4)

[2004/09/02 20:15:49, 0] smbd/vfs.c:vfs_init_custom(256)

  Can't find a vfs module [vscan-clamav]

[2004/09/02 20:15:49, 0] smbd/vfs.c:smbd_vfs_init(319)

  smbd_vfs_init: vfs_init_custom failed for vscan-clamav

[2004/09/02 20:15:49, 0] smbd/service.c:make_connection_snum(502)

  vfs_init failed for service IPC$

[2004/09/02 20:15:49, 2] smbd/sesssetup.c:setup_new_vc_session(602)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2004/09/02 20:15:49, 2] lib/access.c:check_access(324)

  Allowed connection from  (192.168.0.4)

[2004/09/02 20:15:49, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_LOGON_FAILURE

[2004/09/02 20:15:49, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_LOGON_FAILURE

[2004/09/02 20:15:49, 0] smbd/vfs.c:vfs_init_custom(256)

  Can't find a vfs module [vscan-clamav]

[2004/09/02 20:15:49, 0] smbd/vfs.c:smbd_vfs_init(319)

  smbd_vfs_init: vfs_init_custom failed for vscan-clamav

[2004/09/02 20:15:49, 0] smbd/service.c:make_connection_snum(502)

  vfs_init failed for service IPC$

[2004/09/02 20:15:49, 2] smbd/server.c:exit_server(568)

  Closing connections

```

Isaac's computer never asks him for a password when he tries to connect.. so what's up with the:

[2004/09/02 20:15:49, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error

~Kristy

----------

## jcosters

 *KristyX wrote:*   

> Why does testparm show "vfs objects" when it clearly states that it's using /etc/samba/smb.conf?

 

Not real sure at this time ... weird.

I'm guessing testparm makes a list of all "vfs object" directives and groups them in one "vfs objects" directive when it outputs. Maybe you can check it out adding the recycle bin -or another- vfs object to the same share? If I'm right, testparm should list something like 

```
vfs objects = vscan-clamav recycler
```

 *KristyX wrote:*   

> Isaac's computer never asks him for a password when he tries to connect.. so what's up with the:
> 
> [2004/09/02 20:15:49, 2] auth/auth.c:check_ntlm_password(312)
> 
>   check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error

 

I think this is the reason why your users can't list shares.

Does the guest account exist in /etc/passwd ? I see you have mapped guest to the guest account. That isn't really necessary. Also, if guest is not in /etc/passwd with your current setup, you won't be able to even list the shares because samba uses guest to get the listing from the server. I'm also thinking this is causing the vscan-clamav module not being found by samba, but I can't explain why.

I bet you can fix your problem using these directives:

```
# Uncomment this if you want a guest account, you must add this to /etc/passwd 

# otherwise the user "nobody" is used 

; guest account = pcguest 

# Allow users to map to guest: 

map to guest = bad user
```

Like this, any user can access shares using the guest account, without needing to enter a password.

You don't need the guest account mapping to an account in /etc/passwd, samba uses nobody as default.

----------

## KristyX

I tried it but now the error has just changed to "nobody" instead of guest.

There is a guest & a nobody account in /etc/passwd.. I'm going to see if Google can give me any clues :)

```

[2004/09/03 09:22:52, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [nobody] -> [nobody] FAILED with  error NT_STATUS_WRONG_PASSWORD

[2004/09/03 09:22:52, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [nobody] -> [nobody] FAILED with  error NT_STATUS_WRONG_PASSWORD

[2004/09/03 09:22:52, 0] smbd/vfs.c:vfs_init_custom(256)

  Can't find a vfs module [vscan-clamav]

```

~Kristy

----------

## jcosters

https://forums.gentoo.org/viewtopic.php?t=203824&highlight=samba+nobody+guest

----------

## KristyX

Hey Ice-O-Lator.. the problem is definately not the guest/passwords thing because, as soon as I comment the lines:

Everything works just fine (even though the logs still show the guest error) and Win98 machines are able to access the files in my shared folder with no problems.

Going to re-emerge ClamAV.

~Kristy

```

   #vfs object = vscan-clamav

   #vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

```

/var/log/samba3/log.christie

```

[2004/09/03 18:15:19, 2] smbd/sesssetup.c:setup_new_vc_session(602)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2004/09/03 18:15:19, 2] lib/access.c:check_access(324)

  Allowed connection from  (192.168.0.2)

[2004/09/03 18:15:21, 2] smbd/server.c:exit_server(568)

  Closing connections

[2004/09/03 18:15:22, 2] smbd/sesssetup.c:setup_new_vc_session(602)

  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.

[2004/09/03 18:15:22, 2] lib/access.c:check_access(324)

  Allowed connection from  (192.168.0.2)

[2004/09/03 18:15:22, 2] auth/auth.c:check_ntlm_password(312)

  check_ntlm_password:  Authentication for user [guest] -> [guest] FAILED with error NT_STATUS_WRONG_PASSWORD

[2004/09/03 18:15:24, 2] smbd/server.c:exit_server(568)

  Closing connections

```

----------

## KristyX

Hey Ice-O-Lator.. can you do a search and tell me where vscan-clamav.so is supposed to be located? I can't find it and I've already tried re-emerging ClamAV.

Thanks :)

Kristy

----------

## jcosters

vscan-clamav is part of samba-vscan i think (use flag: oav builds interfaces for some scanners when you emerge samba), so re-emerging clamd won't help.

```
maertens ice-o-lator # slocate vscan

/usr/lib/vfs/vscan-clamav.so

/usr/lib/vfs/vscan-sophos.so

/usr/lib/vfs/vscan-mksd.so

/usr/lib/vfs/vscan-fsav.so

/usr/lib/vfs/vscan-trend.so

/usr/lib/vfs/vscan-mcdaemon.so

/usr/lib/vfs/vscan-icap.so

/usr/lib/vfs/vscan-oav.so

/usr/lib/vfs/vscan-fprotd.so

/usr/lib/vfs/vscan-kavp.so

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/FAQ.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-symantec.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/README.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-mks32.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/TODO.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-fsav.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-fprotd.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/NEWS.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/INSTALL.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-oav.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/COPYING.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/AUTHORS.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-sophos.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-trend.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-icap.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-kavp.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-mcdaemon.conf.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/ChangeLog.gz

/usr/share/doc/samba-3.0.5/samba-vscan-0.3.5/vscan-clamav.conf.gz
```

re-emerge samba? maybe you rebuilt samba somehow without the oav useflag and now the vscan modules are deleted?

these are my flags:

```
maertens root # emerge -pv samba

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild   R   ] net-fs/samba-3.0.5  +acl +cups +doc -kerberos +ldap +mysql +oav +pam -postgres +python +readline -xml +xml2  0 kB
```

----------

## KristyX

You're right.. I just checked my USE flags and Samba was upgraded without oav in the flags   :Shocked: 

I've placed oav in my make.conf and will be re-emerging Samba tonite.

Sorry for all the trouble   :Embarassed: 

~Kristy

----------

## KristyX

Yes, the culprit was me heh.

Samba has re-emerged and everything is working just fine with ClamAV :)

Thanks for bearing with me.. (I know, I know)

~Kristy

----------

## jcosters

no problem   :Wink: 

Another thing: I noticed samba shares preforming slooooow when I make samba scan them for viruses. 

My server system is nothing more than an old Compaq Deskpro with a P2 400Mhz and 512MB RAM. Also, 120 GB disk space.

At first I thought it was just samba behaving badly, but after snooping around I noticed it was the clamd scanner scanning every file on read. So when I opened that share from a windows box with explorer, every file was read AND scanned. This caused very bad performance in explorer, like 5 minutes to get a (large: hundreds of files in a directory) directory listing.

Turning off the "on read" scanning fixed this, now files only are scanned on write.

cheers!

----------

## KristyX

Thanks for the tip. I think I'll do the same :)

----------

## thekk

I've done the same, and directory listings are indeed much faster. Just a note to other users: do not do this if users can copy files to the shares in another way than through samba.

And the line to change (in /etc/samba/vscan-clamav.conf) is:

```
scan on open = no
```

Not that users have that permission here, but as a safeguard, I think I'm going to setup cron to scan all of the shares at night (when nobody uses them), with another virusscanner (paranoid anyone?).

----------

## jcosters

 *thekk wrote:*   

> And the line to change (in /etc/samba/vscan-clamav.conf) is:
> 
> ```
> scan on open = no
> ```
> ...

 

I forgot to mention the line in vscan-clamav.conf. Thanks.

Scanning the whole share(s) at night is a great idea.

Know of any other (free) virusscanners? Or would you use a Windows virusscanner to be able to repair infected files?

----------

## thekk

The other major free (as in beer) is f-prot (for personal use only, of course). It also happens to be in portage, as well as a McAfee scanner. You can find your options through 

```
ls /usr/portage/app-antivirus
```

So, I think I'll just 

```
emerge -av f-prot
```

 and setup a cron to update the virusdefs and scan at night.

Ah, you can count on it that someone of the gentoo community already did something similar. Thanks JoeG!

And I have not yet enjoyed the joy of a virus on my server, so I haven't done much research in the cleaning of a infected file (and almost any virus today doesn't modify any files, they send themselves to anyone else and open ports to act as spam-zombies).

A disastrous example would be that a user recieves it's mail through outlook express, and has their .dbf files on the server. If a virus is recieved, the complete .dbf file is removed, as well as all the e-mail in it! That's something I don't want to happen! So would I use repairing if possible: Hell yeah!

----------

## jcosters

I can't get clamav quarantine to work in samba shares.

Infected files never get moved to the quarantine directory, which I made writable to user clamav.

from /etc/samba/vscan-clamav.conf:

```
...

send warning message = yes

infected file action = quarantine

quarantine directory = /tmp/quarantine

quarantine prefix = VIRUS_

...
```

What am I missing?

BTW - I setup f-prot to scan my system overnight too. F-prot will try to repair infected files moved to the quarantine directory right? When I get them to be moved to the quarantine directory that is ...

----------

## KristyX

Just a little thing I came across in the ClamAV FAQ:

 *Quote:*   

> 
> 
> Can ClamAV disinfect files?
> 
> No, it can't. We will add support for disinfecting OLE2 files in one of the next stable releases. There are no plans for disinfecting other types of files. There are many reasons for it: cleaning viruses from files is virtually pointless these days. It is very seldom that there is anything useful left after cleaning, and even if there is, would you trust it? 
> ...

 

That's fine by me :)

----------

## fls

 *Ice-o-lator wrote:*   

> I can't get clamav quarantine to work in samba shares.
> 
> Infected files never get moved to the quarantine directory, which I made writable to user clamav..

 

IIRC the file is being quarantined with the rights of the samba user who owns the file, so every samba user need write permissons on the quarantine dir.

To test wether my memory serves me correctly, you can make the quatantine dir world-writable and set the sticky bit so your users can´t write to files they don´t own.

Perhaps a group smbusers with all samba users in it would work as a permanent solution?! Then the dir wouldn´t need to be world-wirtable, only group-writable. And the sticky bit could stay so that you can´t mess with files you don´t own.

edit: some confusing typos  :Wink: 

----------

## jcosters

That makes a lot of sense, I should have thought about that already ...

Thanks!

----------

## birdo

In giving the correct permissions to the Quarantine dir, I found that I needed to give world write and execute in order for it to correctly copy the files in. (chmod 222 did not work, chmod 333 did)

I am not that versed in the permission bits (as you can tell). Can anyone explain whats up with this? The owner of the dir is 'nobody' and the group owner is users.

This is an extremely helpful thread, stepped me through all of my ClamAV probs, should be made part of the FAQ, or linked to it.

----------

## StaraDama

what about that

```

ServerName PrintServer          # your printserver name

ServerAdmin root@PrintServer    # the person for printer-related hate-mail, eg you

```

must be also used or can be like

```

#ServerName myhost.domain.com

```

and if can be commented how i can then look what is in windows share, how i can mount. This is not correct.

```

The syntax for mounting a Windows/Samba share is:

  mount -t smbfs [-o username=xxx,password=xxx] //server/share /mnt/point

If we are not using passwords or a password is not needed)

# mount -t smbfs //PrintServer/public /mnt/public

(If a password is needed)

# mount -t smbfs -o username=USERNAME,password=PASSWORD //PrintServer/public /mnt/public

```

thnx

----------

## Master One

I generally have samba+clamav up and running now, but I do not get any notifications on my WinXP machine once a virus is found and moved to the quarantine directory on the samba server.

I just checked, the samba server and the WinXP client are in the same workgroup, but it seems the mentioned "net send" command is invalid (if that should be the command to notify Windows clients, which I don't think so).

Anyone got virus notifications to work properly?

If yes, please explain how.

----------

## loonix

I am still having difficulties getting clamav to work with samba.

I followed the samba+cups+clamav how-to and samba by itlself works no problem. As soon as I uncomment the lines regarding the clam anti virus. Windows machines freeze up connecting to the samba server and cpu time on the server goes up through the roof.....

Here are my config files if anybody would like to help it would be greatly appreciated:

/etc/samba/smb.conf

```
[global]

workgroup = HOME

server string = Samba Server %v

log file = /var/log/samba/log.%m

max log size = 50

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

interfaces = lo eth0

bind interfaces only = yes

hosts allow = 127.0.0.1 10.0.0.0/24

hosts deny = 0.0.0.0/0

security = share

guest account = samba

guest ok = yes

# We now will implement the on access virus scanner.

# NOTE: By putting this in our [Global] section, we enable

# scanning of ALL shares, you could optionally move

# these to a specific share and only scan it.

# For Samba 3.x. This enables ClamAV on access scanning.

vfs object = vscan-clamav

vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

# We create a new share that we can read/write to from anywhere

# This is kind of like a public temp share, anyone can do what

# they want here.

[public]

comment = Public Files

browseable = yes

public = yes

create mode = 0766

guest ok = yes

read only = no

path = /mnt/samba

```

/etc/samba/vscan-clamav.conf

```

[samba-vscan]

; run-time configuration for vscan-samba using

; clamd

; all options are set to default values

; do not scan files larger than X bytes. If set to 0 (default),

; this feature is disable (i.e. all files are scanned)

max file size = 0

; log all file access (yes/no). If set to yes, every access will

; be logged. If set to no (default), only access to infected files

; will be logged

verbose file logging = no

; if set to yes (default), a file will be scanned while opening

scan on open = yes

; if set to yes, a file will be scanned while closing (default is yes)

scan on close = yes

; if communication to clamd fails, should access to file denied?

; (default: yes)

deny access on error = yes

; if daemon fails with a minor error (corruption, etc.),

; should access to file denied?

; (default: yes)

deny access on minor error = yes

; send a warning message via Windows Messenger service

; when virus is found?

; (default: yes)

send warning message = yes

; what to do with an infected file

; quarantine: try to move to quantine directory; delete it if moving

fails

; delete:     delete infected file

; nothing:    do nothing

infected file action = quarantine

; where to put infected files - you really want to change this!

; it has to be on the same physical device as the share!

quarantine directory  = /tmp

; prefix for files in quarantine

quarantine prefix = vir-

; as Windows tries to open a file multiple time in a (very) short time

; of period, samba-vscan use a last recently used file mechanism to

avoid

; multiple scans of a file. This setting specified the maximum number of

; elements of the last recently used file list. (default: 100)

max lru files entries = 100

; an entry is invalidated after lru file entry lifetime (in seconds).

; (Default: 5)

lru file entry lifetime = 5

; socket name of clamd (default: /var/run/clamd)

clamd socket name = /tmp/clamd

; port number the ScannerDaemon listens on

oav port = 8127

```

Thanks

AR

----------

## loonix

here are some error messages from the log files:

```
Aug  3 21:20:55 localhost smbd_vscan-clamav[25317]:   PANIC: internal error

Aug  3 21:20:58 localhost smbd_vscan-clamav[25317]: [2005/08/03 21:20:58, 0] lib/util.c:smb_panic2(1490)

Aug  3 21:20:58 localhost smbd_vscan-clamav[25317]:   BACKTRACE: 1 stack frames:

Aug  3 21:20:58 localhost smbd_vscan-clamav[25317]:    #0 /usr/sbin/smbd(smb_panic2+0x10f) [0x81d7b7f]

Aug  3 21:20:58 localhost smbd_vscan-clamav[25317]:

Aug  3 21:21:03 localhost smbd_vscan-clamav[25331]: samba-vscan (vscan-clamav 0.3.5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:21:03 localhost smbd_vscan-clamav[25331]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:21:03 localhost smbd_vscan-clamav[25331]: INFO: connect to service IPC$ by user samba

Aug  3 21:21:41 localhost smbd_vscan-clamav[25331]: INFO: disconnected

Aug  3 21:21:44 localhost smbd_vscan-clamav[25331]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:21:44 localhost smbd_vscan-clamav[25331]: INFO: connect to service IPC$ by user samba

Aug  3 21:21:49 localhost smbd_vscan-clamav[25331]: [2005/08/03 21:21:49, 0] lib/fault.c:fault_report(36)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   ===============================================================

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]: [2005/08/03 21:21:50, 0] lib/fault.c:fault_report(37)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   INTERNAL ERROR: Signal 11 in pid 25331 (3.0.10)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   Please read the appendix Bugs of the Samba HOWTO collection

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]: [2005/08/03 21:21:50, 0] lib/fault.c:fault_report(39)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   ===============================================================

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]: [2005/08/03 21:21:50, 0] lib/util.c:smb_panic2(1482)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   PANIC: internal error

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]: [2005/08/03 21:21:50, 0] lib/util.c:smb_panic2(1490)

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:   BACKTRACE: 1 stack frames:

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:    #0 /usr/sbin/smbd(smb_panic2+0x10f) [0x81d7b7f]

Aug  3 21:21:50 localhost smbd_vscan-clamav[25331]:

Aug  3 21:21:52 localhost smbd_vscan-clamav[25341]: samba-vscan (vscan-clamav 0.3.5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:21:52 localhost smbd_vscan-clamav[25341]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:21:52 localhost smbd_vscan-clamav[25341]: INFO: connect to service IPC$ by user samba

Aug  3 21:22:10 localhost smbd_vscan-clamav[25341]: INFO: disconnected

Aug  3 21:22:11 localhost smbd_vscan-clamav[25341]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:22:11 localhost smbd_vscan-clamav[25341]: INFO: connect to service IPC$ by user samba

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]: [2005/08/03 21:22:12, 0] lib/fault.c:fault_report(36)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   ===============================================================

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]: [2005/08/03 21:22:12, 0] lib/fault.c:fault_report(37)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   INTERNAL ERROR: Signal 11 in pid 25341 (3.0.10)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   Please read the appendix Bugs of the Samba HOWTO collection

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]: [2005/08/03 21:22:12, 0] lib/fault.c:fault_report(39)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   ===============================================================

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]: [2005/08/03 21:22:12, 0] lib/util.c:smb_panic2(1482)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   PANIC: internal error

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]: [2005/08/03 21:22:12, 0] lib/util.c:smb_panic2(1490)

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:   BACKTRACE: 1 stack frames:

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:    #0 /usr/sbin/smbd(smb_panic2+0x10f) [0x81d7b7f]

Aug  3 21:22:12 localhost smbd_vscan-clamav[25341]:

Aug  3 21:22:24 localhost smbd_vscan-clamav[25348]: samba-vscan (vscan-clamav 0.3.5) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:22:24 localhost smbd_vscan-clamav[25348]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:22:24 localhost smbd_vscan-clamav[25348]: INFO: connect to service IPC$ by user samba

Aug  3 21:22:29 localhost smbd[25347]: [2005/08/03 21:22:29, 0] lib/util_sock.c:get_peer_addr(1000)

Aug  3 21:22:29 localhost smbd[25347]:   getpeername failed. Error was Transport endpoint is not connected

Aug  3 21:22:29 localhost smbd[25347]: [2005/08/03 21:22:29, 0] lib/util_sock.c:write_socket_data(430)

Aug  3 21:22:29 localhost smbd[25347]:   write_socket_data: write failure. Error = Connection reset by peer

Aug  3 21:22:29 localhost smbd[25347]: [2005/08/03 21:22:29, 0] lib/util_sock.c:write_socket(455)

Aug  3 21:22:29 localhost smbd[25347]:   write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer

Aug  3 21:22:29 localhost smbd[25347]: [2005/08/03 21:22:29, 0] lib/util_sock.c:send_smb(647)

Aug  3 21:22:29 localhost smbd[25347]:   Error writing 4 bytes to client. -1. (Connection reset by peer)

Aug  3 21:22:57 localhost smbd_vscan-clamav[25348]: samba-vscan (vscan-clamav 0.3.5) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org

Aug  3 21:22:57 localhost smbd_vscan-clamav[25348]: INFO: connect to service IPC$ by user samba

```

not sure, could it be a permission issue?

Thanks

AR

----------

## loonix

I followed crxchaos suggestion https://forums.gentoo.org/viewtopic-t-320588-highlight-.html

and now it works for me!!!

AR

----------

## AlienDaycare

I'm not sure at what point it happened, but my clamav protected shares don't work anymore.

Here are some details:

```
[2005/09/30 08:36:21, 3] smbd/service.c:make_connection_snum(479)

  Connect path is '/home/samba/data' for service [data]

[2005/09/30 08:36:21, 4] rpc_server/srv_srvsvc_nt.c:get_share_security(217)

  get_share_security: using default secdesc for data

[2005/09/30 08:36:21, 3] lib/util_seaccess.c:se_access_check(251)

[2005/09/30 08:36:21, 3] lib/util_seaccess.c:se_access_check(252)

  se_access_check: user sid is S-1-5-21-207587031-4164727997-2014857653-3032

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-2501

  se_access_check: also S-1-1-0

  se_access_check: also S-1-5-2

  se_access_check: also S-1-5-11

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-513

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-2601

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-2801

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-3001

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-3021

  se_access_check: also S-1-5-21-403143280-1186990291-617630493-512

[2005/09/30 08:36:21, 3] smbd/vfs.c:vfs_init_default(206)

  Initialising default vfs hooks

[2005/09/30 08:36:21, 3] smbd/vfs.c:vfs_init_custom(232)

  Initialising custom vfs hooks from [vscan-clamav]

[2005/09/30 08:36:21, 3] lib/module.c:do_smb_load_module(49)

  Error loading module '/usr/lib/samba/vfs/vscan-clamav.so': /usr/lib/samba/vfs/vscan-clamav.so: undefined symbol: vscan_clamav_log_virus

[2005/09/30 08:36:21, 0] smbd/vfs.c:vfs_init_custom(259)

  Can't find a vfs module [vscan-clamav]

[2005/09/30 08:36:21, 0] smbd/vfs.c:smbd_vfs_init(322)

  smbd_vfs_init: vfs_init_custom failed for vscan-clamav

[2005/09/30 08:36:21, 0] smbd/service.c:make_connection_snum(524)

  vfs_init failed for service data

[2005/09/30 08:36:21, 3] smbd/error.c:error_packet(145)

  error packet at smbd/reply.c(415) cmd=117 (SMBtconX) eclass=1 ecode=67

```

here's my relevant USE config:

```

These are the packages that I would merge, in order:

Calculating dependencies ...done!

[ebuild   R   ] net-fs/samba-3.0.14a-r2  +acl +cups -doc -kerberos -ldap +libclamav -mysql +oav +pam +postgres +python +quotas +readline (-selinux) -winbind +xml +xml2 0 kB

[ebuild   R   ] app-antivirus/clamav-0.87  +crypt -mailwrapper -milter (-selinux) 0 kB

Total size of downloads: 0 kB

```

```
host samba3 # slocate vscan

/usr/lib/samba/vfs/vscan-clamav.so

/usr/lib/samba/vfs/vscan-fprotd.so

/usr/lib/samba/vfs/vscan-fsav.so

/usr/lib/samba/vfs/vscan-icap.so

/usr/lib/samba/vfs/vscan-kavp.so

/usr/lib/samba/vfs/vscan-mcdaemon.so

/usr/lib/samba/vfs/vscan-mksd.so

/usr/lib/samba/vfs/vscan-oav.so

/usr/lib/samba/vfs/vscan-sophos.so

/usr/lib/samba/vfs/vscan-trend.so

/usr/lib/samba/vfs/vscan-antivir.so
```

a snippet of the share config:

```
[data]

  comment = All staff may share data here

  path = /home/samba/data

  nt acl support = yes

  public = yes

  writable = yes

  write list = @"Staff"

  read list = @"Staff"

  vfs object = vscan-clamav

  vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

  #vfs object = vscan-oav

  #vscan-oav: config-file = /etc/samba/vscan-oav.conf

```

and the vscan-clamav.conf config:

```
[samba-vscan]

max file size = 0

verbose file logging = no

scan on open = no

scan on close = yes

deny access on error = yes

deny access on minor error = yes

send warning message = yes

infected file action = delete

quarantine directory  = /var/tmp/VIRUS-QUARANTINE

quarantine prefix = "!!VIRUS!!-"

max lru files entries = 100

lru file entry lifetime = 5

clamd socket name = /var/run/clam/clamd
```

Did samba recently ( ~3months) break for anyone else?

Any and all advice is much appreciated!

 - AlienDaycare

----------

## Wizo

I have the same configuration and I got the same problem.

Maybe a bug of vscan-clamav.so module?

This is a check with log level 10

```

titan ~ # vfstest

Initialising default vfs hooks

vfstest $> load vscan-clamav

Initialising custom vfs hooks from [vscan-clamav]

Probing module 'vscan-clamav'

Probing module 'vscan-clamav': Trying to load from /usr/lib/samba/vfs/vscan-clamav.so

Error loading module '/usr/lib/samba/vfs/vscan-clamav.so': /usr/lib/samba/vfs/vscan-clamav.so: undefined symbol: vscan_clamav_log_virus

Can't find a vfs module [vscan-clamav]

load: (vfs_init_custom failed for vscan-clamav)

result was NT_STATUS_UNSUCCESSFUL

vfstest $>

```

----------

## Wizo

ok, I have resolved removing the libclamav flag (and some others, but they do not have importance).

Actually I use:

```

titan samba-vscan-0.3.6b # equery uses samba

[ Searching for packages matching samba... ]

[ Colour Code : set unset ]

[ Legend    : Left column  (U) - USE flags from make.conf              ]

[           : Right column (I) - USE flags packages was installed with ]

[ Found these USE variables for net-fs/samba-3.0.14a-r2 ]

 U I

 - - acl       : Adds support for Access Control Lists

 - - cups      : Add support for CUPS (Common Unix Printing System)

 - - doc       : Adds extra documentation (API, Javadoc, etc)

 - - kerberos  : Adds kerberos support

 - - ldap      : Adds LDAP support (Lightweight Directory Access Protocol)

 - - mysql     : Adds mySQL support

 + + pam       : <unknown>

 - - postgres  : Adds support for the postgresql database

 + + python    : Adds support/bindings for the Python language

 - - quotas    : Enables support for user quotas

 + + readline  : enables support for libreadline, a GNU line-editing library that most everyone wants.

 - - winbind   : Enables support for the winbind auth daemon

 + - xml       : Check/Support flag for XML library (version 1)

 + + xml2      : Check/Support flag for XML library (version 2)

 - - libclamav : Enables clamav libraries, without needing to use the daemon

 + + oav       : Enables support for anti-virus from the openantivirus.org project

 - - selinux   : !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur

```

this link has helped me in the resolution of the problem

----------

