Friday, December 16, 2011

ClamFS - Antivirus Filesystem for Linux

Disclaimer: Flying through Linux and OpenSource. You might experience Freedom along with plenty of awesomeness.

Linux has never failed to amaze me with its simplicity and its feature richness. That was one of the few reasons that convinced me to switch to Linux as the primary operating system on my computers. One such feature is the ability to mount virtual filesystems in userspace through the FUSE module. With FUSE enabled, a userspace filesystem driver can expose a custom data store, whether a traditional or non-traditional filesystem or simply a program that offers filesystem-like interaction, and you interact with it as though it were any other mounted filesystem. Depending on the FUSE driver, you can browse folders and create, modify, and delete data as though they were regular files on your computer.

Two of the many real-world applications of FUSE are in the following areas:
  1. Antivirus filesystems - virtual filesystems that trigger antivirus scanning whenever files within them are written to or read from.
  2. Encrypted filesystems - virtual filesystems that automatically encrypt files on write operations and decrypt them on reads.

In this article, I'll introduce ClamFS, which lets you create a virtual antivirus filesystem on top of your existing filesystem.

ClamFS triggers automatic scanning of files with ClamAV whenever I/O is performed on them. The best candidate for ClamFS is the default downloads folder where your Internet browser saves files downloaded from the Internet. Ideally you would start with an empty Downloads folder; however, ClamFS also allows you to secure folders that already have contents in them.

ClamFS can be easily installed from your Linux distribution's software package manager; just search for clamfs. For each virtual antivirus filesystem that you'd like to create, you will need an XML configuration file. The configuration file lets you define the following:
  1. Which folder to secure, and where to mount the virtual filesystem
  2. The maximum file size to scan - larger files are skipped to improve performance
  3. Whitelisted extensions - files with these extensions are never scanned
  4. Blacklisted extensions - files with these extensions are always scanned, regardless of the maximum file size parameter
  5. Logging method - standard output, syslog, a file, or email

If you attempt to download or write an infected file to the ClamFS virtual filesystem, an error entry is logged and the write fails, so the file never lands on your filesystem. If an infected file already exists on the ClamFS virtual filesystem, you will not be allowed to read from it.

Here is an example configuration: clamfs.xml

The command to mount a ClamFS-protected virtual filesystem is:

$ sudo clamfs configuration.xml
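Putting the configuration options listed above and the mount command together, here is a complete configuration for a browser Downloads folder. This is an added example, not the post's own clamfs.xml and not a file shipped by the ClamFS project: the element and attribute names (clamd, filesystem, file, whitelist/blacklist, cache, log) follow the project's sample configuration as I recall it, so compare them with the clamfs-sample.xml installed by your package before relying on them, and the paths, sizes and extension lists are placeholders for you to adjust.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ClamFS configuration for a browser Downloads folder.
     Element and attribute names follow the ClamFS sample configuration from
     memory; verify them against your package's clamfs-sample.xml.
     All paths below are placeholders. -->
<clamfs>
    <!-- Socket of the running clamd daemon. check="yes" makes clamfs test the
         connection at startup instead of mounting without a working scanner. -->
    <clamd socket="/var/run/clamav/clamd.ctl" check="yes" />

    <!-- root:       the real directory that holds the files (placeholder path)
         mountpoint: where the scanned view appears; point the browser here
         public="no":    only the mounting user can access the mount
         nonempty="yes": allow mounting over a directory that already has files,
                         which is what securing an existing Downloads folder needs -->
    <filesystem root="/home/alice/.downloads-raw"
                mountpoint="/home/alice/Downloads"
                public="no" nonempty="yes" readonly="no" />

    <!-- Files larger than this are NOT scanned unless their extension is
         blacklisted below. Everything over the limit is effectively unscanned,
         so treat a low value as a gap in coverage, not just a speed-up. -->
    <file maximal-size="50M" />

    <!-- No <whitelist> section on purpose: whitelisting matches the filename
         extension only, so any whitelisted extension lets a renamed file bypass
         scanning. A Downloads folder should scan everything. -->

    <!-- Extensions that are always scanned, even above maximal-size. -->
    <blacklist>
        <include extension="exe" />
        <include extension="dll" />
        <include extension="msi" />
        <include extension="zip" />
        <include extension="pdf" />
        <include extension="sh" />
    </blacklist>

    <!-- Scan-result cache: a cached verdict is reused until 'expire' seconds
         have passed. A short expiry means freshly downloaded signatures are
         applied to previously cached files sooner. -->
    <cache entries="1024" expire="300" />

    <!-- Send detections to syslog so they land where other security events
         are collected. Other methods: stdout, file (with a filename), or email. -->
    <log method="syslog" verbose="yes" />
</clamfs>
```

Save it as, for instance, /etc/clamfs/downloads.xml (placeholder path) and mount it with the command shown above, `sudo clamfs /etc/clamfs/downloads.xml`. `mount | grep clamfs` confirms the mount is active, and `fusermount -u /home/alice/Downloads` unmounts it; once unmounted, the raw directory is readable without scanning, so keep the browser pointed at the mountpoint rather than at the root directory.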

You can find more information about ClamFS and on the configuration XML on their website.

This article is part of the series ClamAV - Antivirus for Linux:


1 comment:

  1. Another theory is that antivirus vendors are not really motivated to do a good job of removing threats, so you buy their software. This may sound plausible, but it is as ridiculous as the belief that vendors write viruses themselves.

    Norton 360 for small business