Using Wine introduces new threats to your Linux box. One day every computer virus prepared to run under Windows will smoothly run under Wine. Some time ago I wrote ClamFS, a FUSE-based user-space file system for Linux with on-access anti-virus file scanning. It uses a well-known open source virus scanner, Clam AntiVirus. ClamFS was designed to protect Samba shares and FTP servers with upload enabled. Here is a small guide on how to configure ClamFS to protect a Wine installation from viruses.
What do we need?
At least:
- any Linux distribution (I prefer Debian, so this guide is somewhat “.deb-centric”),
- Wine,
- ClamAV (clamd and freshclam as a minimum),
- ClamFS.
Installing Wine, ClamAV and ClamFS
First of all, install everything. Start with:
# aptitude install wine clamav-daemon
If you use Debian unstable:
# aptitude install clamfs
ClamFS is currently available only from unstable. If you are not an unstable user, you may try to rebuild ClamFS from the Debian sources. If you are not a Debian user, install it from source.
Configuring ClamFS
Create the configuration file ~/.clamfs.xml with this content:
<clamfs>
  <clamd socket="/var/run/clamav/clamd.ctl" />
  <filesystem root="/home/kb/.wine/root" mountpoint="/home/kb/wine" />
  <file maximal-size="10485760" /> <!-- 10MiB -->
  <blacklist>
    <include extension="exe" /> <!-- executable file -->
    <include extension="com" /> <!-- executable file -->
    <include extension="dll" /> <!-- library -->
    <include extension="sys" /> <!-- system file / driver -->
    <include extension="vbs" /> <!-- Visual Basic Script -->
    <include extension="bat" /> <!-- DOS Batch file -->
    <include extension="cmd" /> <!-- Windows Command file -->
  </blacklist>
  <cache entries="4096" expire="3600000" /> <!-- 1h -->
  <log method="file" filename="/home/kb/.clamfs.log" verbose="no" />
  <mail server="localhost" to="kb@localhost" from="clamfs@localhost"
        subject="ClamFS: Virus detected" />
</clamfs>
ClamFS will send e-mail alerts and store its log in ~/.clamfs.log. You may tune the cache and the maximal file size. Also add more blacklisted extensions if you like.
Move all files from the C: drive to /home/kb/.wine/root and configure Wine to use ~/wine as C: (make the symbolic link ~/.wine/dosdevices/c: point to ~/wine).
Set permissions
ClamAV runs as the user clamav. Normal users should not be members of this group. Unfortunately, ugo+/-rwx is not enough to give access to both you and the clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them, read the article POSIX Access Control Lists on Linux.
Set the default ACL for directories (files created in those directories will inherit the ACL):
$ setfacl -R -b -d -m user:clamav:rx .wine/root
Now make all files and directories readable by clamav:
$ setfacl -R -m user:clamav:rx .wine/root
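To check that the ACLs set above actually took effect, the following added example (not part of ClamFS or of the original guide) parses `getfacl -R` output and computes the rights the clamav user ends up with, including the case where the ACL mask narrows a named-user entry. The sample listing is constructed and the function names are hypothetical; it assumes clamav is not the file owner and matches no group entry.

```python
# Added example (not ClamFS code): assumes clamav is neither owner nor in a matching group.
# Constructed, abbreviated sample of `getfacl -R` output (owner/group header lines omitted).
SAMPLE = """\
# file: .wine/root/drive_c
user::rwx
user:clamav:r-x
group::r-x
mask::r-x
other::---
default:user:clamav:r-x

# file: .wine/root/drive_c/setup.exe
user::rwx
user:clamav:r-x\t#effective:--x
group::r-x\t#effective:--x
mask::--x
other::---

# file: .wine/root/drive_c/notes.txt
user::rw-
group::r--
other::---
"""

def effective_perms(getfacl_text, user="clamav"):
    """Return {path: rights} that `user` effectively holds on each listed path."""
    result = {}
    for block in getfacl_text.strip().split("\n\n"):
        path, named, mask, other = None, None, "rwx", "---"
        for line in block.splitlines():
            entry = line.split("#")[0].strip()  # drop "#effective:" annotations
            if line.startswith("# file: "):
                path = line[len("# file: "):]
            elif entry.startswith(f"user:{user}:"):  # "default:" entries do not match
                named = entry.rsplit(":", 1)[1]
            elif entry.startswith("mask::"):
                mask = entry[len("mask::"):]
            elif entry.startswith("other::"):
                other = entry[len("other::"):]
        if path is None:
            continue
        if named is None:
            result[path] = other  # no named entry: the user is judged as "other"
        else:  # a named-user entry is limited by the mask (chmod can narrow it later)
            result[path] = "".join(p if p == m else "-" for p, m in zip(named, mask))
    return result

def unreadable(getfacl_text, user="clamav"):
    """Paths on which `user` lacks effective read permission."""
    return [p for p, r in effective_perms(getfacl_text, user).items() if "r" not in r]
```

On a real system, pass it the text printed by `getfacl -R .wine/root`; any path it returns needs the setfacl step repeated.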
Test it!
Run ClamFS:
$ clamfs ~/.clamfs.xml
Now try to “infect” yourself with the harmless test “threat” from EICAR.
$ wget http://www.eicar.org/download/eicar_com.zip
$ unzip eicar_com.zip
Unzip will fail (“Cannot open zipfile [ eicar_com.zip ]: Operation not permitted”). We are done creating a “bulletproof” Wine.




Who needs wine? I only use it sparingly.
Hi Krzysztof, thanks a lot for this comprehensive manual! I couldn’t find any better howto on ClamFS so far. So please keep on providing such insights!
I didn’t test with samba, yet, but in case you can provide any smb.conf and so on, I should be delighted.
Just mount the ClamFS-protected filesystem in /clamfs/mountpoint and add something like this to smb.conf:
path = /clamfs/mountpoint