Discussion:
Installing an antivirus on EON.
Perez
2011-03-17 16:28:10 UTC
Hi,

I was trying to install an anti-virus on my EON machine following Andre's link (http://wiki.genunix.org:8080/wiki/index.php/Implementing_vscan_service_with_ClamAV_on_ZFS) when I came across this in a comment at EON's blog:
jogger said...
Andre,
How lucky I am! I googled a site, http://www.sunfreepacks.com, where you can download Solaris Express 130.

During installation, I have a suggestion for guys who want to install vscan on an EON server: you should copy all files from SUNWvscanu, SUNWvscanr and SUNWvscankr to the root directory. I mean the RAM directory, not the zpool directory. If most files are installed into the zpool directory, it will generate an error and the vscan service will go into maintenance mode.

The thing is that I can't find those packages in the specified address. My experience with OpenSolaris is limited, but I'm working on it. Could someone point me in the right direction please?

Thank you in advance.
--
This message posted from opensolaris.org
Andre Lue
2011-03-18 22:25:37 UTC
Hi Chuck,

I am not sure what is meant by "can't find those packages" in my address.

If you mean the SUNWvscanu ...

You would use rar or an ISO mounting tool to mount and view the Solaris 130 ISO. Or you can burn it to DVD. The packages you seek are on there.

Hope that helps
Andre Lue
2011-03-19 20:55:40 UTC
After pkgadd-ing the packages (just to dump the binaries) on a regular OpenSolaris system or using a live CD:

Transfer the binaries to your EON system. I dumped them in /ZPOOL/vscan.

Then

rem_drv vscan
add_drv -v -m '* 0640 root sys' vscan
modinfo | grep vscan
# cp or symlink SUNW_vscan_link.so into /usr/lib/devfsadm/linkmod/
mkdir /dev/vscan
ln -s /devices/pseudo/vscan\@0:vscan\@0 /dev/vscan/vscan0
cd /usr/lib ; ln -s /abyss/vscan .
ln -s /abyss/vscan/usr/lib/vscan/libvscan.so .
ln -s /abyss/vscan/usr/lib/vscan/libvscan.so.1 .
ln -s /abyss/vscan/usr/lib/vscan/vscand .
svccfg -v import vscan.xml
/usr/lib/vscan/vscand
Perez
2011-03-22 16:52:05 UTC
Thank you Andre.

I'm working on it and learning Solaris on the go. Excuse my lack of experience, but is there any particular reason why I should not install pkgadd on my EON machine? Would that make it easier to add additional software?

Thank you very much!
Andre Lue
2011-03-22 17:25:08 UTC
You cannot run pkgadd because the pkgadd database sub-systems are not a part of EON (size, design constraints).

Hence it has to be run on a full system, directing its output to a temp/root.

Feel free to attempt the pkgadd install and share a good write up.
Perez
2011-03-23 17:48:54 UTC
Hi,

I executed all the steps until the add_drv command. Before running add_drv, I copied /tmp/vscan_binaries/kernel/drv/vscan and vscan.conf to /kernel/drv/ on my EON machine. I also added the amd64 vscan to /kernel/drv/amd64/ just in case.

eon:138:/mnt/eon0/mios/vscan/kernel/drv#add_drv -v -m '* 0640 root sys' vscan
Cannot open (/kernel/drv/vsaan): No such file or directory.

Does anyone know what vsaan is? I googled it and nothing shows up. What am I missing?
Jerry Kemp
2011-03-23 18:30:09 UTC
Any chance this is what you are looking for?

http://hub.opensolaris.org/bin/view/Project+vscan/

Jerry
Perez
2011-03-23 19:53:17 UTC
Post by Jerry Kemp
any chance this is what you are looking for?
http://hub.opensolaris.org/bin/view/Project+vscan/
I think so, but the download link inside your link doesn't work. I extracted the packages SUNWvscanu, SUNWvscanr and SUNWvscankr from the Solaris Express b130 DVD following Andre's advice, but when I try to add_drv vscan it fails as I posted before. I'm going to start over again and see what happens.

Thanks.
Andre Lue
2011-03-23 20:36:07 UTC
Hi Chuck,

I skipped certain steps assuming you had put the driver bits in place already (see the adding-driver links for guidance):
http://eonstorage.blogspot.com/2009/02/adding-your-own-drivers-to-eon.html
http://eonstorage.blogspot.com/2009/02/another-way-to-add-drivers-to-eon.html

The SUNWvscankr package has the kernel driver files that you seek. Their placement is as follows (I believe):
/kernel/drv/vscan
/kernel/drv/amd64/vscan
Perez
2011-03-23 23:07:42 UTC
Finally!

I started over again and was getting the same error. Then I copied the amd64/vscan driver, which I also did last time, but now it worked (of course, I have a 64-bit machine...). Tomorrow I'll try to transfer the clamav, which I have already installed on the Solaris machine, to my EON machine and see if I can make it work.

Thank you Andre and Jerry for your support.
Jerry Kemp
2011-03-23 20:41:43 UTC
Hello Perez,

FWIW, I had archived the following message (below) from the ZFS mailing
list. This may be of value to you once you get past your current hurdle.

Jerry
..................................................
I would like to ask if it's possible to check the content of
quarantine in case of zfs uses vscand + antivirus. So is there any
command to list all the infected files in a dataset?
Any file which has been quarantined will have the av_quarantine bit set.

The easiest way to see that is with /usr/bin/ls for example:

ls -/ v foo
-rw-r--r-- 1 darrenm staff 176411 Nov 4 14:56 foo

{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}

In the above case the file has noav_quarantined; if it had been one that
vscand had marked as quarantined it would say av_quarantined instead.

There is also a compact mode; see the ls(1) man page.

-rw-r--r-- 1 darrenm staff 176411 Nov 4 14:56 foo
{A-------q---}

That is what it would look like if 'foo' was quarantined.
--
Darren J Moffat
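The quoted message answers the question about listing infected files: quarantined files carry the av_quarantined bit, shown as "av_quarantined" in `ls -/ v` output or as a "q" flag in `ls -/ c` output. As an added example (not part of the thread and not a Solaris tool), here is a POSIX shell filter that pulls the quarantined names out of either listing format; it runs here on a constructed sample mirroring the listings above.

```shell
#!/bin/sh
# Added example (not from the thread): list quarantined files from the
# output of `ls -/ v` or `ls -/ c`, as described in the quoted message.
# vscand sets av_quarantined on a file the scanner flagged; verbose mode
# prints "av_quarantined" (clean files show "noav_quarantined"), compact
# mode prints a "q" among the flags inside the braces.

# quarantined_files: read an `ls -/ v` or `ls -/ c` listing on stdin and
# print the name of every quarantined file, one per line.
# Assumes file names without whitespace (the name is the last field).
quarantined_files() {
    awk '
        # Listing line: mode, links, owner, group, size, date, time, name.
        !/^[[:space:]]*\{/ && NF >= 9 { name = $NF; next }
        # Attribute line that follows a listing line.
        /^[[:space:]]*\{/ {
            if ($0 ~ /,/) {
                # Verbose form: match av_quarantined, not noav_quarantined.
                if ($0 ~ /[{,]av_quarantined[,}]/) print name
            } else if ($0 ~ /q/) {
                # Compact form: "q" is the av_quarantined flag.
                print name
            }
            next
        }
    '
}

# sample_listing: constructed listing mixing verbose and compact output;
# "eicar.com" and "bar" carry the quarantine bit, "foo" does not.
sample_listing() {
    cat <<'EOF'
-rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 foo
                {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}
-rw-r--r--   1 darrenm  staff         68 Nov  4 15:02 eicar.com
                {archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,noimmutable,av_modified,av_quarantined,nonounlink,nooffline,nosparse}
-rw-r--r--   1 darrenm  staff     176411 Nov  4 14:56 bar
                {A-------q---}
EOF
}

# On a live system you would feed a whole dataset through the filter:
#   find /zpool/share -type f -exec ls -/ c {} + | quarantined_files
sample_listing | quarantined_files
```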
Perez
2011-03-23 21:11:35 UTC
Thank you, I appreciate it.
Andre Lue
2011-03-24 03:17:57 UTC
Hi Chuck,

This is a good link to help tie it all together. Includes a false positive file "eicar.com" for testing.

http://wiki.genunix.org:8080/wiki/index.php/Implementing_vscan_service_with_ClamAV_on_ZFS
Perez
2011-04-09 18:49:30 UTC
I have come a long way.... I finally managed to install everything even though I got many compilation problems when building c-icap. If useful to anyone, when compiling c-icap, you also have to download and compile the icap modules in order to get support for clamav. Also blastwave repositories don't have the latest clamav-0.97. You can find that version in openCSW repositories.

BUT.... now I have a problem I can't read files on the dataset where vscan is enabled, but I can create new files. I disable it and then everything works fine again. I killed the c-icap server and left vscan on to see if it had to do with c-icap and it behaves the same way.

Apparently vscan is failing to communicate with the c-icap server. When I run "vscanadm stats" I get:
scanned=0
infected=0
failed=31

I understand that c-icap communicates with clam_av using a service declared in c-icap.conf. To add an engine I followed the steps:
# ./vscanadm add-engine motor1   (I picked this name randomly; it doesn't match anything in the system)
# ./vscanadm set-engine -p host=localhost motor1
# ./vscanadm show                (to see the details of the engine that was created)

What I don't get is how vscan knows how to communicate with the c-icap server. Maybe here lies the problem...

Any ideas?
Andre Lue
2011-04-09 19:47:45 UTC
A couple of things help each other. It would help to see your c-icap.conf, the output of vscanadm show and your compile options. (LDFLAGS and --with-clamav)
Perez
2011-04-11 16:36:01 UTC
I hope this helps...

Here is my "vscanadm show" output:

max-size=1GB
max-size-action=allow
types=+*

motor1:enable=on
motor1:host=localhost
motor1:port=1344
motor1:max-connection=8

This is what I used to compile c-icap:

PATH=$PATH:/usr/sfw/bin
export LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib -lclamav"
export CC=gcc
export CXX=g++

./configure --prefix=/opt/icap --with-clamav=/opt/csw --with-perl=/bin/perl --with-zlib=/usr/lib --enable-large-files

make; make install

And my c-icap.conf is here http://pastebin.com/Frbc91vt

c-icap compilation didn't go very smoothly. I had to take the docs folder out of the Makefile because it was stopping the process.

I have tested (as indicated in the post) the c-icap server with the c-icap-client and it works.
Andre Lue
2011-04-11 17:52:50 UTC
Hi Chuck,

This line should match the :host= and :port= entries from vscanadm show:
ServerName YourServerName
Perez
2011-04-11 21:48:24 UTC
Thank you Andre,

I guess that :host= and :port= are how vscan knows about the c-icap server. I changed "ServerName x" to "ServerName localhost" in c-icap.conf and executed:

# vscanadm set-engine -p host=localhost motor1

Ports were matching already (port 1344). Still no luck.

So far... Clamav works, c-icap works with the c-icap-client but not with vscan. When I turn vscan on I can't execute or write files (dataset permissions are fine, everything is OK when vscan is off).

Later I will try to compile c-icap over again and give it one more try.
Andre Lue
2011-04-12 16:45:23 UTC
Did you also do this step, can you include your srv_clamav.conf?

http://sourceforge.net/apps/trac/c-icap/wiki/c-icap-modulesInstall
Perez
2011-04-12 19:30:41 UTC
Here is my srv_clamav.conf http://pastebin.com/GMqFNqZN.

Today I recompiled c-icap. I compiled the icap_modules using the following:

export LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib -lclamav"
export CC=gcc
export CXX=g++

./configure --prefix=/opt/icap_mods --with-clamav=/opt/csw --with-c-icap=/opt/icap
make
make install

Still the same behavior. When I turn vscan on in the dataset and I do a cp, cat, etc. with the eicar.com file, the command "vscanadm stats" keeps increasing "failed"...

#vscanadm stats
scanned=0
infected=0
failed=36

I'll try to see if I can catch vscan complaining somewhere about not reaching c-icap...
Andre Lue
2011-04-13 16:25:28 UTC
Hi Chuck,

Are you using the latest version?
http://sourceforge.net/projects/c-icap/files/c-icap/0.1.x/c_icap-0.1.5.tar.gz/download

MaxKeepAliveRequests 100
Means after 100 requests this connection will be closed. I know that's not what may be happening but you may want to change this to -1
more here:
http://blogs.sun.com/chrisg/entry/automatic_virus_scanning_with_c

I'm not sure but this may be an issue. The service alias is listed as avscan but I seem to remember you defining your vscanadm engine to be motor1. I think these need to align. Try changing either one to conform.
ServiceAlias avscan srv_clamav?allow204=on&sizelimit=off&mode=simple
Perez
2011-04-13 18:13:25 UTC
Hi Andre,

Yes, I'm using c_icap-0.1.5.

I think I got it working. I haven't tested it much though...

What I did was kill the vscand process and instead of starting vscan by executing /usr/lib/vscan/vscand I enabled the vscan service with "svcadm enable svc:/system/filesystem/vscan:icap".

When I run vscanadm stats now I get:

scanned=7
infected=1
failed=0
motor1:errors=0


So far it has detected a virus when I tried to copy eicar.tar.
Post by Andre Lue
http://blogs.sun.com/chrisg/entry/automatic_virus_scanning_with_c
I will check it.

One last thing, if I did a write up about the whole process and shared it, would it be worth it?
Andre Lue
2011-04-13 19:10:29 UTC
Hi Chuck,

Good news! Feel free to send it eonstore AT gmail DOT com and I'll post it with the proper credits.