
Topic: On Access Virus Protection ?

Juanito (Administrator), Reply #60, December 30, 2011, 05:44:27 AM
Yes, by recompiling the kernel - you'd just need to use the existing tinycore .config and change one or more of the acl settings Rich highlighted

remus, Reply #61, December 30, 2011, 06:48:27 AM
I do not have /usr/src/linux/.config on my system:

    $ grep _ACL /usr/src/linux/.config
    grep: /usr/src/linux/.config: No such file or directory

I've installed linux-headers-3.0.3-tinycore.tcz and the file appeared. Running Rich's grep command displays the same settings.
I'll add the file to .filetools.lst, make the changes, save, reboot and see what happens.

IF messing with ACL permissions gets clamfs working, does that mean it's ok to try and release a tc linux extension that makes such a change to other people's tc linux systems?
Live long and prosper.

curaga (Administrator), Reply #62, December 30, 2011, 06:59:30 AM
No, it would be preferable to use a "normal" group scenario for a posted extension.

Grab the kernel config from one of our mirrors:
ftp://ftp.nluug.nl/pub/metalab/distributions/tinycorelinux/4.x/x86/release/src/kernel/
The only barriers that can stop you are the ones you create yourself.

Juanito (Administrator), Reply #63, December 30, 2011, 07:06:30 AM
Copy config-3.0.3-tinycore to the unpacked source as .config after "make mrproper".

Don't use linux-headers-3.0.3-tinycore (this is for compiling out of kernel modules), but do use compiletc + perl5 + bash + ncurses-dev

Edited after seeing previous reply

remus, Reply #64, December 30, 2011, 07:49:12 AM
> No, it would be preferable to use a "normal" group scenario for a posted extension.

It's a bit disappointing that after all this work, the project can't be released to the public...
Ah well, always look for the bright side :)

If ACL inclusion was only removed because it's not used by most people, does that mean it's stable and safe? If so, can its support be included in a future release of tinycore?

------------------------------------------------------

Juanito
So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
And follow this wiki? -> http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel

If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.

Juanito (Administrator), Reply #65, December 30, 2011, 08:03:38 AM
> So I'd load (compiletc + perl5 + bash + ncurses-dev) extensions
> And follow this wiki? -> http://wiki.tinycorelinux.net/wiki:custom_kernel?s[]=kernel
>
> If I'm not making an extension, I'll have to review your post regarding how to find out where all these source packages got installed, so I can add them to my backup.

The wiki instructions are almost correct - you don't need any patches and it's vmlinuz you need rather than bzImage, but otherwise it looks about right for tc-4.x

You can make your own local extensions rather than making a massive backup

curaga (Administrator), Reply #66, December 30, 2011, 09:28:01 AM
> It's a bit disappointing that after all this work, the project can't be released to the public...
> Ah well, always look for the bright side :)
>
> If ACL inclusion was only removed because it's not used by most people, does that mean it's stable and safe? If so, can its support be included in a future release of tinycore?

Your link says both ways should work, ACLs only allow more fine-grained permissions.

I'm afraid even with one user, the ACLs would still be bloat for everyone else and so outside our scope.

remus, Reply #67, December 30, 2011, 10:09:09 AM
I've got clamfs to the stage where it allows the eicar test virus file to be copied to the samba file share from windows. But once the file is on the server, clamfs STOPS any other access to the file.
- I can't overwrite the file.
- I can't open the file.
- I can't copy the file back to windows.
- I can DELETE the file.

This is without messing with ACLs.

I can create an extension out of it as is, and make a link to the tcz file on this forum thread, giving others who are interested a chance to tinker with it. What do you think, curaga?

Rich (Administrator), Reply #68, December 30, 2011, 10:16:12 AM
Hi remus
> Copying the eicar.com test file to a samba share from windows allows the file to be copied
> Trying to copy the file again and overwriting the original fails

What happens if you try that same test with a clean file?

curaga (Administrator), Reply #69, December 30, 2011, 10:20:54 AM
Please submit the extension the usual way, binary links aren't allowed.

Rich (Administrator), Reply #70, December 30, 2011, 11:15:13 AM
Hi remus
> What happens if you try that same test with a clean file?

Never mind, I found the answer on your post at the Debian User Forums.

It sounds to me like it's working. As I understand it, it does not stop you from writing an infected file to a directory; rather, it stops you from reading (or executing, which requires reading) the file once it is there. Prior to saving a file, a test is first done to see if it exists so that you can confirm whether you wish to overwrite it. If the test is done by attempting to open the file and checking if it exists, that might trigger clamfs to block the attempt.

Personally, I want to offer you a pat on the back for your perseverance and what you have achieved. I suggest you package it up into an extension and submit it so that others can do some testing too. Under Comments: in the info file, give a step by step on how to set it up, including an example that clearly shows which directory is being protected and which is the access point to that directory.

Once again, congratulations on your accomplishment.
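Rich's read-but-not-write model above, and the existence-probe failure mode he suspects, as an added example that is not code from the thread or from clamfs: a toy Python gate in which the signature string, file names and the two probing "clients" are all constructed for the illustration.

```python
"""Toy model of clamfs-style on-access scanning (added example, not code from the
thread or clamfs): writes are never scanned, reads of a signature match are refused."""
import os
import tempfile

TEST_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-NOT-A-REAL-SAMPLE"  # stands in for EICAR

def guarded_write(path, data):
    with open(path, "wb") as fh:  # the scanner lets any content in
        fh.write(data)

def guarded_read(path):
    """Scan on open-for-read; refuse when the signature is present."""
    with open(path, "rb") as fh:
        data = fh.read()
    if TEST_SIGNATURE in data:
        raise PermissionError(f"{path}: access denied by scanner")
    return data

def can_read(path):
    try:  # a refused open is the only way a read "fails" in this model
        guarded_read(path)
        return True
    except PermissionError:
        return False

def overwrite_probe_by_open(path, data):
    """Client that asks 'does it exist?' by opening the file (Rich's guess)."""
    if os.path.exists(path) and not can_read(path):  # the probe itself is scanned
        return False
    guarded_write(path, data)
    return True

def overwrite_probe_by_stat(path, data):
    os.path.exists(path)  # stat-only existence check: not a read, so not scanned
    guarded_write(path, data)
    return True

def demo():
    """Replay the accesses remus lists against an infected and a clean file."""
    with tempfile.TemporaryDirectory() as share:
        bad, good = os.path.join(share, "eicar.com"), os.path.join(share, "ok.txt")
        guarded_write(bad, b"MZ" + TEST_SIGNATURE)  # copy-in always succeeds
        guarded_write(good, b"hello")
        out = {"read_clean": can_read(good), "read_infected": can_read(bad),
               "overwrite_by_open_probe": overwrite_probe_by_open(bad, b"new"),
               "overwrite_by_stat_probe": overwrite_probe_by_stat(bad, b"new")}
        os.remove(bad)  # delete still works: unlink is not a read
        out["delete_infected"] = not os.path.exists(bad)
    return out
```

The two overwrite clients differ only in how they check for an existing file, which is the detail that decides whether the Windows-side overwrite in the thread fails.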

remus, Reply #71, December 30, 2011, 08:36:58 PM
Thx Rich,

I'll start following the extension creation wiki, and I'll be sure to include details regarding setup.

remus, Reply #72, December 31, 2011, 08:03:16 AM
I just got a reply from the clamav mailing list about clamfs letting the eicar test file into a protected mount point and then stopping read access to the file.
I'm told by a random mailing list user that this behavior is by design, and is also how clamav + dazuko works.

Rich (Administrator), Reply #73, December 31, 2011, 08:14:39 AM
Hi remus
> about clamfs letting the eicar test file into a protected mount point, and then stopping read access to the file.

Naturally, "Roaches check in, but they don't check out", that way they can't spread.

remus, Reply #74, December 31, 2011, 09:15:19 AM
> Naturally, "Roaches get in, but they can't get out", that way they can't spread.

Yeah, it's better than the samba file server acting as a virus infection source for the windows computers on the network.

I'm about ready to submit my first extension, which is one of clamfs's deps, "RLOG - a C++ logging library", which has no deps of its own. Kind of like a practice run.

    find usr -not -type d > rlog.tcz.list

That gave me a handy list of everything that gets installed.
So do I just delete the /tmp/package/usr/local/share/doc/ dir and that's my doc-free tcz, right?
And do it in reverse to create the rlog-doc.tcz?