Using Wine introduces new threats to your Linux box. One day every computer virus prepared to run under Windows will smoothly run under Wine. Some time ago I wrote ClamFS, a FUSE-based user-space file system for Linux with on-access anti-virus file scanning. It uses the well-known open source virus scanner Clam AntiVirus. ClamFS was designed to protect Samba shares and FTP servers with upload enabled. Here is a small guide on how to configure ClamFS to protect a Wine installation from viruses.
What do we need?
At least:
- any Linux distribution (I prefer Debian, so this guide is somewhat “.deb-centric”),
- Wine,
- ClamAV (clamd and freshclam as a minimum),
- ClamFS.
Installing Wine, ClamAV and ClamFS
First of all install everything. Start with:
# aptitude install wine clamav-daemon
If you use Debian unstable:
# aptitude install clamfs
ClamFS is currently available only from unstable. If you are not an unstable user you may try to rebuild ClamFS from Debian sources. If you are not a Debian user, install it from sources.
Configuring ClamFS
Create the configuration file ~/.clamfs.xml with this content:
<clamfs>
    <clamd socket="/var/run/clamav/clamd.ctl" />
    <filesystem root="/home/kb/.wine/root" mountpoint="/home/kb/wine" />
    <file maximal-size="10485760" /> <!-- 10MiB -->
    <blacklist>
        <include extension="exe" /> <!-- executable file -->
        <include extension="com" /> <!-- executable file -->
        <include extension="dll" /> <!-- library -->
        <include extension="sys" /> <!-- system file / driver -->
        <include extension="vbs" /> <!-- Visual Basic Script -->
        <include extension="bat" /> <!-- DOS Batch file -->
        <include extension="cmd" /> <!-- Windows Command file -->
    </blacklist>
    <cache entries="4096" expire="3600000" /> <!-- 1h -->
    <log method="file" filename="/home/kb/.clamfs.log" verbose="no" />
    <mail server="localhost" to="kb@localhost" from="clamfs@localhost"
          subject="ClamFS: Virus detected" />
</clamfs>
ClamFS will send e-mail alerts and store its log in ~/.clamfs.log. You may tune the cache and the maximal file size. You can also add more blacklisted extensions if you like.
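As an added example (not part of ClamFS or of the original post), this models which files the size limit and blacklist above leave unscanned, so you can see what tuning them changes. It assumes that ClamFS always scans blacklisted extensions and skips any other file larger than maximal-size; the function names and the sample file list are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample: the size limit and blacklist from the config above.
SAMPLE_CONFIG = """
<clamfs>
  <file maximal-size="10485760" />
  <blacklist>
    <include extension="exe" /> <include extension="com" />
    <include extension="dll" /> <include extension="sys" />
    <include extension="vbs" /> <include extension="bat" />
    <include extension="cmd" />
  </blacklist>
</clamfs>
"""

# Constructed (path, size in bytes) pairs standing in for files under the Wine root.
SAMPLE_FILES = [
    ("Program Files/app/setup.exe", 52428800),  # 50 MiB, blacklisted
    ("downloads/bundle.zip", 20971520),         # 20 MiB archive
    ("downloads/eicar_com.zip", 184),           # small archive
    ("downloads/installer.msi", 31457280),      # 30 MiB, extension not listed
]


def load_policy(xml_text):
    """Return (maximal-size in bytes or None, set of blacklisted extensions)."""
    root = ET.fromstring(xml_text)
    file_el = root.find("file")
    limit = file_el.get("maximal-size") if file_el is not None else None
    exts = {el.get("extension") for el in root.findall("./blacklist/include")}
    exts.discard(None)
    return (int(limit) if limit else None), exts


def scan_decision(path, size, max_size, blacklist):
    """Return ("scan" | "skip", reason) for one file under the assumed rules."""
    ext = PurePosixPath(path).suffix.lstrip(".")
    if ext in blacklist:  # compared exactly as written in the config (assumption)
        return "scan", "blacklisted extension"
    if max_size is not None and size > max_size:
        return "skip", "larger than maximal-size"
    return "scan", "within maximal-size"


def unscanned(files, xml_text=SAMPLE_CONFIG):
    """List the paths that would be opened without being sent to clamd."""
    max_size, blacklist = load_policy(xml_text)
    return [p for p, s in files if scan_decision(p, s, max_size, blacklist)[0] == "skip"]
```

With the sample list, the 20 MiB archive and the 30 MiB .msi come back as unscanned, which is the trade-off to weigh when choosing maximal-size and the blacklist.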
Move all files from the C: drive to /home/kb/.wine/root and configure Wine to use ~/wine as C: (make the symbolic link ~/.wine/dosdevices/c: point to ~/wine).
Set permissions
ClamAV runs as the user clamav. Normal users should not be members of the clamav group. Unfortunately, the ugo+/-rwx permission bits are not enough to give access to both you and the clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them, read the article POSIX Access Control Lists on Linux.
Set default ACL for directories (files created in those directories will inherit ACL):
$ setfacl -R -b -d -m user:clamav:rx .wine/root
Now set all files and directories to be readable by clamav:
$ setfacl -R -m user:clamav:rx .wine/root
Test it!
Run ClamFS:
$ clamfs ~/.clamfs.xml
Now try to “infect” yourself with the harmless test “threat” from EICAR.
$ wget http://www.eicar.org/download/eicar_com.zip
$ unzip eicar_com.zip
Unzip will fail (“Cannot open zipfile [ eicar_com.zip ]: Operation not permitted”). We are done creating a “bulletproof” Wine.
Who needs wine? I only use it sparely
Hi Krzysztof, thanks a lot for this comprehensive manual! I couldn’t find any better howto on ClamFS so far. So please keep on providing such insights!
I didn’t test with samba, yet, but in case you can provide any smb.conf and so on, I should be delighted.
Just mount ClamFS protected filesystem in /clamfs/mountpoint and add to smb.conf something like this:
path = /clamfs/mountpoint
Hi, been trying to get clamfs working on Ubuntu 10.4. It seems like everything is working, clamfs locates infected files and prevents me from opening these.
But I am having permission troubles with a share that I have created.
My folder structure looks like this:
../.sharedfiles (this is the root directory for clamfs)
../sharedfiles (this is the actual shared folder on the server that my windows clients connect to).
When clamfs is NOT running, I can create and delete folders etc within ../sharedfiles from a windows client.
But when I turn clamfs ON I can only create files and folders immediately within ../sharedfiles.
ie I can create ../sharedfiles/newdirectory
But I can not create ../sharedfiles/newdirectory/somefile
I have played around with the permissions and ACLs but something is just not working.
I should mention that the windows clients are logging into the shared directory without a user. ie they are “nobody” and in the “nogroup” group.
I have set the ACL for both .sharedfiles and sharedfiles as below:
getfacl .sharedfiles/
# file: .sharedfiles/
# owner: administrator
# group: administrator
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:clamav:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
———-
getfacl sharedfiles/
# file: sharedfiles/
# owner: administrator
# group: administrator
user::rwx
group::rwx
other::rwx
default:user::rwx
default:user:clamav:rwx
default:group::rwx
default:mask::rwx
default:other::rwx
This is how I have configured my clamfs .xml file:
<filesystem root="/home/administrator/.sharedfiles" mountpoint="/home/administrator/sharedfiles" public="yes" readonly="no" nonempty="yes" />
Any idea on where I am going wrong? I would really like to get this working. Thanks.