Anti-Virus

Status
Not open for further replies.

sourcaffeine

Cadet
Joined
Apr 14, 2016
Messages
3
Is there a method to implement anti-virus on CIFS shares besides running it on another computer and scanning the network drive?

Reading around in here, everyone suggests just running anti-virus on all the computers that connect to the share. While that is fine, I see no reason why an anti-virus wouldn't be implemented to scan all files/new files on the share itself.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Install clamav in a jail? I don't really see a benefit of this, but that's about your only option
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
While that is fine, I see no reason why an anti-virus wouldn't be implemented to scan all files/new files on the share itself.
'cause the server doesn't actually execute any of that crap?

Even if it did, how much malware is written for FreeBSD?

Is a silly little antivirus going to solve the tiny problem? Probably not.

That's why.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
'cause the server doesn't actually execute any of that crap?

Even if it did, how much malware is written for FreeBSD?

Is a silly little antivirus going to solve the tiny problem? Probably not.

That's why.

I think the usual reason is that when one of your Windows boxes inevitably gets pwned and is logged in with "administrator" privileges (because, y'know, that's not as unusual as it should be) that the big concern is that something gets written to network storage that then infects other Windows computers using that same share.

I don't think anti-virus is about protecting the FreeBSD OS on the NAS.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I think the usual reason is that when one of your Windows boxes inevitably gets pwned and is logged in with "administrator" privileges (because, y'know, that's not as unusual as it should be) that the big concern is that something gets written to network storage that then infects other Windows computers using that same share.

I don't think anti-virus is about protecting the FreeBSD OS on the NAS.
It's a valid point, but if there's one thing I don't want anywhere near my server, it's antivirus software. I've lost count of the times I've been seriously pissed off by one.
  • Panda absolutely wrecked two Windows XP installs back in the day
  • McAfee was slow as hell and damned obtrusive
  • BitDefender managed to quarantine all files on x64 machines (hooray for WHS vanilla and backups)
  • Kaspersky 2012 or so messed with the WHS 2011 dashboard and backups - of course, they only fixed it in the next major release. :rolleyes:
  • Kaspersky 2016 actively wants to perform man-in-the-middle attacks on its users if they don't opt out - and they seriously bury the option in a mostly unrelated menu. It took me a half hour to find the damned option, even with Google, after I noticed that a government website had supposedly been signed with a Kaspersky certificate.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
It's a valid point, but if there's one thing I don't want anywhere near my server, it's antivirus software. I've lost count of the times I've been seriously pissed off by one.

Okay, fine, probably anyone with more than ten minutes' experience with Windows has an AV horror story, but what's being discussed here, something like ClamAV, is merely a userland program that sits there looking at files for something suspicious (and maybe quarantining them). It is not a big ugly complex thing with tendrils digging into all areas of the operating system because it is trying to protect the platform that it is running on. It's merely something examining files for known problems. Think of it like a very sophisticated version of grep(1).
 

sourcaffeine

Cadet
Joined
Apr 14, 2016
Messages
3
'cause the server doesn't actually execute any of that crap?

Even if it did, how much malware is written for FreeBSD?

Is a silly little antivirus going to solve the tiny problem? Probably not.

That's why.

I am not trying to protect FreeBSD from malware.


I think the usual reason is that when one of your Windows boxes inevitably gets pwned and is logged in with "administrator" privileges (because, y'know, that's not as unusual as it should be) that the big concern is that something gets written to network storage that then infects other Windows computers using that same share.

I don't think anti-virus is about protecting the FreeBSD OS on the NAS.

Okay, fine, probably anyone with more than ten minutes' experience with Windows has an AV horror story, but what's being discussed here, something like ClamAV, is merely a userland program that sits there looking at files for something suspicious (and maybe quarantining them). It is not a big ugly complex thing with tendrils digging into all areas of the operating system because it is trying to protect the platform that it is running on. It's merely something examining files for known problems. Think of it like a very sophisticated version of grep(1).

This, exactly. I want to protect my Windows boxes from executing malware on their machines from the share. Even if they do not have administrator privileges, when I or someone else needs to get files quickly from our share, having to make sure we don't run any sort of malware is important. This will be a simple public share to users on our LAN, and I want to prevent any nasty software from being executed elsewhere.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
The real problem with non-realtime virus scanners is that they're (by definition) non-realtime, so it is merely a level of resistance. A file that is written by one client and quickly accessed by another is likely never to be scanned.

I am not arguing that this invalidates a NAS based virus scan, merely that one be aware of the limitations. I expect it would be fairly easy to set up a FreeBSD jail running ClamAV to do this. I haven't, however, tried this myself.

Interestingly, it looks like someone's figured out a way to integrate ClamAV into Samba: https://redhatme.wordpress.com/2012/04/25/integrate-antivirus-clamav-into-samba/
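As an added example (not code from the thread, from FreeNAS, or from ClamAV): a POSIX shell sweep of the kind described above, run from cron in a jail, that scans only files changed since the previous pass and quarantines hits. It assumes clamscan's exit-code convention (0 clean, 1 infected, 2 error) and that the share, quarantine directory and stamp file paths are supplied by the caller.

```shell
#!/bin/sh
# Periodic "scan what changed since the last pass" sweep over a share, the way a
# ClamAV jail would be driven from cron. Infected files are moved to a quarantine
# directory. Being non-realtime, it cannot catch a file that another client reads
# before the next pass; it only raises the bar.
#
# SCANNER is any command that exits 0 for a clean file and 1 for an infected one
# (clamscan's convention; 2 means a scan error). Override it in the environment.
: "${SCANNER:=clamscan --no-summary --infected}"

# scan_new_files SHARE QUARANTINE STAMPFILE
# Prints the number of files quarantined in this pass; progress goes to stderr.
scan_new_files() {
    share=$1 quarantine=$2 stamp=$3
    mkdir -p "$quarantine" || return 2
    # First pass: backdate the stamp so every existing file gets scanned once.
    [ -f "$stamp" ] || touch -t 200001010000 "$stamp"
    # Take the new stamp BEFORE listing: files written during this pass are then
    # rescanned next time (a double scan is safer than a missed file).
    touch "$stamp.new"
    list=$(mktemp) || return 2
    # Only files modified after the previous pass; never rescan the quarantine.
    # (Filenames containing newlines are not handled by the read loop.)
    find "$share" -type f -newer "$stamp" ! -path "$quarantine/*" -print >"$list"
    count=0
    while IFS= read -r f; do
        if $SCANNER "$f" >/dev/null 2>&1; then rc=0; else rc=$?; fi
        case $rc in
        0) ;;                                  # clean
        1) # Move rather than delete so the admin can inspect or restore it.
           mv "$f" "$quarantine/$(basename "$f").$(date +%s).$count" &&
               count=$((count + 1)) && echo "quarantined: $f" >&2 ;;
        *) echo "scan error, left in place: $f" >&2 ;;
        esac
    done <"$list"
    rm -f "$list"
    mv "$stamp.new" "$stamp"
    echo "$count"
}

# Usage: sh scan-share.sh /mnt/share /mnt/quarantine /var/db/share-scan.stamp
if [ $# -eq 3 ]; then scan_new_files "$@"; fi
```

Run it from cron every few minutes; the window between a file landing on the share and the next pass is exactly the gap a non-realtime scanner leaves open.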
 

russnas

Contributor
Joined
May 31, 2013
Messages
113
As above, the only concern for me is malware, Windows being the window for code to run and access a share and delete as much as possible, spread personal files to the public share, or make HDDs spin up and down. Cause grief.

Just thinking of this makes me want to delete that saved password and not leave a share accessible while I'm away, one of the reasons why I create a read-only share.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
Or you could always configure a software restriction policy on the Windows clients that only allows execution of files and scripts from a small number of paths that aren't writable by regular users. And of course, don't log into the local admin account.

TL;DR - there are numerous better ways of mitigating this threat than an A/V scan.

You can do quite a lot by the following:
- Configure software restriction policy
- Install and configure EMET
- Remove unnecessary programs
- Protect and restrict administrative privileges (this means using 'run as' instead of granting your regular user admin privileges).
- Harden Adobe Reader (if you use it)
- Remove Java (deserves its own point)
- Disable Flash or make it 'click-to-run' (ditto)
- Configure your computer to automatically update, and make sure it stays up-to-date.
- Use a password manager. I like KeePass 2
- If this is for a business, work on implementing the SANS Institute "Critical Security Controls"
 

sourcaffeine

Cadet
Joined
Apr 14, 2016
Messages
3
Or you could always configure a software restriction policy on the Windows clients that only allows execution of files and scripts from a small number of paths that aren't writable by regular users. And of course, don't log into the local admin account.

TL;DR - there are numerous better ways of mitigating this threat than an A/V scan.

You can do quite a lot by the following:
- Configure software restriction policy
- Install and configure EMET
- Remove unnecessary programs
- Protect and restrict administrative privileges (this means using 'run as' instead of granting your regular user admin privileges).
- Harden Adobe Reader (if you use it)
- Remove Java (deserves its own point)
- Disable Flash or make it 'click-to-run' (ditto)
- Configure your computer to automatically update, and make sure it stays up-to-date.
- Use a password manager. I like KeePass 2
- If this is for a business, work on implementing the SANS Institute "Critical Security Controls"

I am having a hard time figuring out why there is this stigma with having anti-virus on FreeNAS. Is it because it is FreeBSD and that crowd is overly proud of the fact that viruses are almost impossible to be executed on it?

Why does it "make more sense" to prevent users from running infected software than to prevent it from being on the share in the first place? This means each computer that is connected to the share has to be set up to prevent them from running such software. I thought the point of having a share, and network servers in general, was to cut down on work?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,553
I am having a hard time figuring out why there is this stigma with having anti-virus on FreeNAS. Is it because it is FreeBSD and that crowd is overly proud of the fact that viruses are almost impossible to be executed on it?
A/V isn't as effective as you think it is. ClamAV on a Unix system even less so because it is not performing heuristics on the OS behavior (unlike modern endpoint protection suites). It's just a fancy way of enumerating badness. One of the first things people do when developing malware is test it against the latest AV definitions. If detected, repackage it / rewrite it a little. So A/V is only a small piece of the security picture and it's probably not a good use of time scanning for Windows malware on a Unix box. That's why it's in the SANS Top 20, but isn't the only item on the list (and once again it's ambiguous because most vendors have switched to doing 'endpoint protection' rather than simple malware scanning).

Why does it "make more sense" to prevent users from running infected software than to prevent it from being on the share in the first place? This means each computer that is connected to the share has to be set up to prevent them from running such software. I thought the point of having a share, and network servers in general, was to cut down on work?

It is always better to harden a system to prevent malware infection from taking place than to let things get infected and trust a 3rd party product to properly clean it up.

In larger Windows networks (more than 20 computers, which is the point where I'd seriously consider AD), system hardening can be mostly done through group policy and proper network design. Basically, the domain controller pushes out the security configuration to client systems. I typically take steps to create a default install image and use Windows Deployment Services or the free software equivalent to push out mostly-configured systems and let my group policies handle the rest. It's very efficient and effective, and I believe very typical in IT.

The NSA put together a simple "best practices" guide here - https://www.nsa.gov/ia/_files/factsheets/Defending_Against_Destructive_Malware.pdf
Not all of it will apply for home users.
 