
Module 0169: ClamFS: Theory and Application

Tak Auyeung, Ph.D. May 2, 2009

About this module


Prerequisites:

Objectives: This module discusses what ClamFS is, and how to use it.

Theory

ClamFS (Clam File System) is a Linux file system (possibly available on other Unix-like operating systems) that shadows a real directory. Essentially, accesses to files in a ClamFS directory trigger a virus scan on-the-fly. If the ClamAV daemon detects malware in a file, access to the file is denied. ClamFS also features caching so that recently scanned files do not get scanned repeatedly. Visit the ClamFS homepage (http://clamfs.sourceforge.net) for more information. The most important advantage (from the end user's perspective) is that it is transparent: every file access through a ClamFS directory is scanned. From the administrator's perspective, ClamFS uses FUSE (Filesystem in Userspace). This means that ClamFS can be used on a variety of kernels without having to recompile a kernel for kernel-mode drivers.

Installing ClamFS

In a Debian-like distribution, use the following commands to install clamfs and the other packages needed:

aptitude install clamfs
aptitude install fuse-utils
aptitude install file

This downloads and installs all the files for clamfs. However, it does not automatically create a clamfs file system. This is because the system does not know which part of the file system requires on-demand virus checking.

Setting up group membership

root can set up clamfs anywhere in the system. However, as a FUSE-based file system, clamfs also permits end users to create their own clamfs mounts. This is a rather neat feature because each end user can determine which part of his/her home folder requires on-demand virus scanning. In order to let an end user create his/her own clamfs folders, the user account must be added to the two groups fuse and clamav. As root, use the adduser command (in Debian-like distributions) to do this. After the adduser command, it is best to ask the end user to log out and log in again for the new group membership to take effect.

Setting up mount points

An end user needs to determine which folders in the home directory need on-demand virus scanning. Although one can configure the entire home directory to be a clamfs directory, that configuration can tax performance. In general, a user can designate a folder structure that is used as a customs area. This folder structure should be used as the default download destination and cache of browsers, email clients, peer-to-peer software and manual downloads, or for any copying from an external source (like a CD, flash drive, etc.). Here, I assume the real directory ~/.customs is created (using mkdir) for this purpose. Note the period as the first character of the file name. This means the folder is hidden. It won't be displayed normally, unless the ls -a option is specified. clamfs configures a mirror folder for a real directory that represents the same content, only scanned. As a result, the user needs to create an empty folder for this purpose. I assume this folder is ~/customs (without the period). Once clamfs is configured and started, the end user should use ~/customs exclusively so that all files accessed are scanned.

Setting up the configuration file

Perform the following steps as a regular user. I assume the account name is user; you need to change the names of folders accordingly, depending on your actual user name. clamfs reads a configuration file to determine what to do. A sample file is provided when clamfs is installed. Use the following command to copy this sample file to your home directory for editing:

cp /usr/share/doc/clamfs/clamfs-sample.xml ~/clamfs.xml

This creates a file called clamfs.xml. Use your favorite editor to open the file. It is fairly long due to in-line comments. All the text between <!-- and --> is ignored by clamfs. The default settings should work for most situations. The only line you need to change is the line that looks like the following:

<filesystem root=... />

In our example, the line should become as follows:

<filesystem root="/home/user/.customs" mountpoint="/home/user/customs" public="no" />

Note that clamfs does impose a limit of one <filesystem /> line per configuration file. However, a user can specify multiple clamfs.xml files, and start clamfs multiple times (one time for each configuration file) to set up multiple clamfs folders. After the configuration file is edited, run the following command to start clamfs:

clamfs clamfs.xml

As mentioned, you can have multiple configuration files. If so, you have to start clamfs once for each configuration file (remember to change the name of the configuration file).

Testing clamfs

It is fairly easy to test clamfs. Use the following command to create a harmless file in customs (the quotes keep the shell from treating ! as a history expansion):

echo 'I am harmless!' > ~/customs/harmless.txt

Then, confirm that clamfs lets you open the harmless file:

cat ~/customs/harmless.txt

Next, let's get harmless files that will trigger anti-virus action. These files are crafted to have the signature of a virus, but they do not cause any harm even when opened on an unprotected platform. Download these (http://www.eicar.org/download/eicarcom2.zip) files, and upload them to ~/customs. If you want to bypass the host operating system's own virus checking, you can do this directly from the VM. You will need to have wget installed.

sudo aptitude install wget

With wget, you can download the files directly:

pushd ~/customs
wget http://www.eicar.org/download/eicarcom2.zip
wget http://www.eicar.org/download/eicar.com
wget http://www.eicar.org/download/eicar.com.txt
wget http://www.eicar.org/download/eicar_com.zip
popd

The commands pushd and popd let you remember the current directory, change to a new one (pushd), and later on get back to the original directory (popd). Now, try to use the system command file to determine the type of these files:

pushd ~/customs
file eicarcom2.zip
file eicar.com
file eicar.com.txt
file eicar_com.zip
popd

You should get error messages like "filename: writable, regular file, no read permission". This means that the files were scanned on-the-fly, determined to be infected, and the requests to read the files were denied. In other words, clamfs worked!

Starting clamfs automatically

It is a hassle to have to start clamfs manually every time a user logs in for the first time. It is, therefore, a good idea to automate the running of clamfs. You can attach shell scripts to .bashrc to do this. However, .bashrc executes for each login, and we don't really need to remount clamfs for each and every login session. The problem can be solved using a script. The following script is written in Perl, which is widely supported by most distributions.

#!/usr/bin/perl
use strict;
use warnings;

my $clamfsDir = "/home/user/customs";    # change this line
my $clamfsXml = "/home/user/clamfs.xml"; # change this line

# Refuse to run if either the mount point or the configuration file is missing.
if (!(-e $clamfsDir)) {
    die "The clamfs mount point $clamfsDir does not exist\n";
}
if (!(-e $clamfsXml)) {
    die "The clamfs XML configuration file $clamfsXml does not exist\n";
}

# Ask the system for the mount table and look for our mount point in it.
if (`mount | grep \"$clamfsDir\"` =~ /$clamfsDir/) {
    print "ClamFS already mounted for $clamfsDir\n";
} else {
    print "Starting clamfs for $clamfsDir...\n";
    print `clamfs $clamfsXml`;
}

Copy and paste this code into a file called startClamfs.pl. Then change the permissions to allow the user owner to execute it (use chmod). You will also need to change the two lines commented # change this line to use your specific file names and directory names. Note that this script does not support multiple instances of clamfs, nor is it truly optimal. Those who want to improve it can do so. This script first checks whether clamfs is already running. It starts clamfs only if the mount point is not mounted yet. As a result, you can invoke this script from any login/authentication script. For the command line interface, you can append this line to ~/.bashrc:

/home/user/startClamfs.pl

If you use a GUI environment, such as GNOME, you can also run this script automatically when you log in. Consult this link (http://www.howtoforge.com/make-desktop-applications-start-automatically-gnome) for more details. Important: The script does not unmount the clamfs directories, even when the user logs out. On a workstation, this should be of little or no issue, as the total number of users should be fairly small. However, on a server that supports a large number of users, leaving a large number of clamfs instances running can consume memory. In a server environment, a system script can run periodically to sweep clamfs instances that are no longer needed. The construction of such a script, however, is out of the scope of this module.
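The following shell script is an added example, not part of the original module, that addresses the two limitations just noted: it accepts several configuration files and reads each mount point out of the XML, and it checks the mount table by exact mount point instead of grepping the output of mount (a grep would also match /home/user/customs2). The file name startClamfs.sh and the default ~/clamfs.xml are assumptions.

```shell
#!/bin/sh
# startClamfs.sh (assumed name): start one clamfs instance per configuration
# file, but only when its mount point is not already mounted. Added example,
# not the module's own script.

# Print the mountpoint="..." attribute of the single <filesystem /> element.
clamfs_mountpoint_from_xml() {
    sed -n 's/.*<filesystem[^>]*mountpoint="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if $1 is an exact mount point in the mount table $2
# (defaults to /proc/mounts). Matching the whole second field avoids the
# prefix problem of "mount | grep dir". Note that /proc/mounts writes a space
# in a path as \040, so mount points with spaces must be given in that form.
is_mounted() {
    dir=$1
    table=${2:-/proc/mounts}
    awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' "$table"
}

# Start clamfs for every config file given, skipping ones already mounted.
start_all() {
    for xml in "$@"; do
        [ -r "$xml" ] || { echo "cannot read $xml" >&2; continue; }
        mp=$(clamfs_mountpoint_from_xml "$xml")
        [ -n "$mp" ] || { echo "no mountpoint attribute in $xml" >&2; continue; }
        [ -d "$mp" ] || { echo "mount point $mp does not exist" >&2; continue; }
        if is_mounted "$mp"; then
            echo "ClamFS already mounted at $mp"
        else
            echo "Starting clamfs for $mp..."
            clamfs "$xml"
        fi
    done
}

# Only act when run as a script (not when sourced for its functions), e.g.
# from ~/.bashrc: /home/user/startClamfs.sh ~/clamfs.xml ~/clamfs-mozilla.xml
if [ "${0##*/}" = "startClamfs.sh" ]; then
    [ $# -gt 0 ] && start_all "$@" || start_all "$HOME/clamfs.xml"
fi
```

Because the check is an exact match on the mount table, a mount point such as /home/user/customs is not mistaken for mounted when only /home/user/customs2 is.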

Setting up Mozilla products to use clamfs

Once you have clamfs configured and functioning reliably, you can consider making your email client and web browser use the virus-scan-on-demand directories for downloading files and caching. In Linux, Mozilla Firefox puts everything in /home/user/.mozilla, and Mozilla Thunderbird puts everything in /home/user/.mozilla-thunderbird. The quickest and easiest way is to rename these folders, make clamfs mount points of the original name, and be done with it. Specifically, to do this to Firefox:

# stop Firefox first
mv .mozilla .mozilla-actual   # change the actual folder name
mkdir .mozilla                # create a clamfs mount point
nano clamfs-mozilla.xml       # create a clamfs config file for Firefox
clamfs clamfs-mozilla.xml     # start the clamfs
# now start Firefox, it does not know the .mozilla folder is now
# scanned-on-demand!

This does not control the default behavior of file downloading. To force file scan-on-demand for downloading, do the following.

mkdir ~/.mozilla-actual/DL    # create a folder to download files

Then, in Firefox, go to Edit, Preferences, Main, and select Save files to. Click Browse, and type in ~/.mozilla/DL (note: without actual!). This forces Firefox to download files only into the scanned folder. Of course, it also means that you need to retrieve downloaded files from ~/.mozilla/DL. It is a little cumbersome, but any file that scans positive cannot be copied out of ~/.mozilla/DL, or even be opened in that folder. You can do the same (clamfs the whole Thunderbird folder) for Thunderbird. However, doing this to Thunderbird may not be very helpful or efficient. This is because Thunderbird stores a whole folder of messages in a single file. This means that clamfs will scan an entire folder of messages when you read just a single message. You can configure Thunderbird to save attachments to a specific folder. Go to Edit, Preferences, Attachments, then select Save all attachments to this folder. For ease of configuration, you can also make Thunderbird use ~/.mozilla/DL to save email attachments.
To perform per-message scanning, you should use postfix and amavis on the email server that you connect to in order to receive email via POP3 or IMAP.
