Wine with on-access ClamAV scanning

Using Wine introduces new threats to your Linux box. One day every computer virus written to run under Windows will run just as smoothly under Wine. Some time ago I wrote ClamFS, a FUSE-based user-space file system for Linux with on-access anti-virus file scanning. It uses the well-known open source virus scanner Clam AntiVirus. ClamFS was designed to protect Samba shares and FTP servers with upload enabled. Here is a small guide on how to configure ClamFS to protect a Wine installation from viruses.

What do we need?

At least:

  • any Linux distribution (I prefer Debian, so this guide is somewhat “.deb-centric”),
  • Wine,
  • ClamAV (clamd and freshclam as a minimum),
  • ClamFS.

Installing Wine, ClamAV and ClamFS

First of all install everything. Start with:

# aptitude install wine clamav-daemon

If you use Debian unstable:

# aptitude install clamfs

ClamFS is currently available only from unstable. If you are not an unstable user you may try to rebuild ClamFS from the Debian sources. If you are not a Debian user, install it from source.

Configuring ClamFS

Create configuration file ~/.clamfs.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<clamfs>
    <clamd socket="/var/run/clamav/clamd.ctl" />
    <filesystem root="/home/kb/.wine/root" mountpoint="/home/kb/wine" />
    <file maximal-size="10485760" /> <!-- 10MiB -->
    <blacklist>
        <include extension="exe" /> <!-- executable file -->
        <include extension="com" /> <!-- executable file -->
        <include extension="dll" /> <!-- library -->
        <include extension="sys" /> <!-- system file / driver -->
        <include extension="vbs" /> <!-- Visual Basic Script -->
        <include extension="bat" /> <!-- DOS Batch file -->
        <include extension="cmd" /> <!-- Windows Command file -->
    </blacklist>
    <cache entries="4096" expire="3600000" /> <!-- 1h -->
    <log method="file" filename="/home/kb/.clamfs.log" verbose="no" />
    <mail server="localhost" to="[email protected]" from="[email protected]"
       subject="ClamFS: Virus detected" />
</clamfs>

ClamFS will send e-mail alerts and store its log in ~/.clamfs.log. You may tune the cache and the maximal file size. You may also add more blacklisted extensions if you like.

Move all files from the C: drive to /home/kb/.wine/root and configure Wine to use ~/wine as C: (make the symbolic link ~/.wine/dosdevices/c: point to ~/wine).
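Before mounting, it is worth checking the configuration for the two mistakes that make the setup useless: a mountpoint placed inside the mirrored root (a passthrough FUSE file system then reads through itself) and a misunderstanding of what the blacklist does. The script below is an added example, not part of ClamFS; it parses a constructed copy of the config above and assumes ClamFS's documented semantics (every file is scanned by default, files above maximal-size are skipped, blacklisted extensions are scanned even above that limit), which is why the EICAR zip in the test section is caught although “zip” is not listed. Verify these semantics against the sample config shipped with your ClamFS version.

```python
"""Sanity-check a ~/.clamfs.xml and predict which files reach clamd.
Added example; the scan semantics are assumptions about ClamFS."""
import os
import xml.etree.ElementTree as ET

# Constructed copy of the config from this post (paths are only examples).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clamfs>
    <clamd socket="/var/run/clamav/clamd.ctl" />
    <filesystem root="/home/kb/.wine/root" mountpoint="/home/kb/wine" />
    <file maximal-size="10485760" />
    <blacklist>
        <include extension="exe" />
        <include extension="dll" />
        <include extension="bat" />
    </blacklist>
</clamfs>
"""


def load_policy(xml_text):
    """Return (root, mountpoint, max_size, blacklisted extensions)."""
    cfg = ET.fromstring(xml_text)
    fs = cfg.find("filesystem")
    root = os.path.normpath(fs.get("root"))
    mountpoint = os.path.normpath(fs.get("mountpoint"))
    max_size = int(cfg.find("file").get("maximal-size"))
    exts = {e.get("extension").lower() for e in cfg.findall("blacklist/include")}
    return root, mountpoint, max_size, exts


def config_problems(xml_text):
    """List configuration mistakes that break or weaken the protection."""
    root, mountpoint, max_size, exts = load_policy(xml_text)
    problems = []
    # A mirror mounted inside its own source directory reads through itself.
    if mountpoint == root or mountpoint.startswith(root + os.sep):
        problems.append("mountpoint lies inside root")
    if root.startswith(mountpoint + os.sep):
        problems.append("root lies inside mountpoint")
    if max_size <= 0:
        problems.append("maximal-size must be positive")
    return problems


def would_scan(xml_text, filename, size):
    """True if a file of this name and size is handed to clamd (assumed
    semantics: everything is scanned unless it is larger than maximal-size;
    blacklisted extensions are scanned regardless of size; match is
    case-insensitive, which is this script's assumption)."""
    _, _, max_size, exts = load_policy(xml_text)
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return ext in exts or size <= max_size
```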

Set permissions

ClamAV runs as the user clamav. Normal users should not be members of the clamav group. Unfortunately ugo+/-rwx is not enough to grant access to both you and the clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them, read the article POSIX Access Control Lists on Linux.

Set default ACL for directories (files created in those directories will inherit ACL):

$ setfacl -R -b -d -m user:clamav:rx .wine/root

Now set all files and directories to be readable by clamav:

$ setfacl -R -m user:clamav:rx .wine/root

Test it!

Run ClamFS:

$ clamfs ~/.clamfs.xml

Now try to “infect” yourself with the harmless test “threat” from Eicar.

$ wget http://www.eicar.org/download/eicar_com.zip
$ unzip eicar_com.zip

Unzip will fail (“Cannot open zipfile [ eicar_com.zip ]: Operation not permitted”). We are done creating a “bulletproof” Wine.

4 comments to Wine with on-access ClamAV scanning

  • Dan

    Who needs wine? I only use it sparely

  • Hi Krzysztof, thanks a lot for this comprehensive manual! I couldn’t find any better howto on ClamFS so far. So please keep on providing such insights!

    I didn’t test with samba, yet, but in case you can provide any smb.conf and so on, I should be delighted.

  • Just mount ClamFS protected filesystem in /clamfs/mountpoint and add to smb.conf something like this:

    [clamfs_protected_share]
        path = /clamfs/mountpoint

  • Dale

    Hi, been trying to get clamfs working on Ubuntu 10.4. It seems like everything is working, clamfs locates infected files and prevents me from opening these.

    But I am having permission troubles with a share that I have created.

    My folder structure looks like this:

    ../.sharedfiles (this is the root directory for clamfs)
    ../sharedfiles (this is the actual shared folder on the server that my windows clients connect to).

    When clamfs is NOT running, I can create and delete folders etc within ../sharedfiles from a windows client.

    But when I turn clamfs ON I can only create files and folder immediately within ../sharedfiles.

    ie I can create ../sharedfiles/newdirectory

    But I can not create ../sharedfiles/newdirectory/somefile

    I have played around with the permissions and ACLs but something is just not working.
    I should mention that the windows clients are logging into the shared directory without a user. ie they are “nobody” and in the “nogroup” group.

    I have set the ACL for both .sharedfiles and sharedfiles as below:

    getfacl .sharedfiles/
    # file: .sharedfiles/
    # owner: administrator
    # group: administrator
    user::rwx
    group::rwx
    other::rwx
    default:user::rwx
    default:user:clamav:rwx
    default:group::rwx
    default:mask::rwx
    default:other::rwx

    ----------

    getfacl sharedfiles/
    # file: sharedfiles/
    # owner: administrator
    # group: administrator
    user::rwx
    group::rwx
    other::rwx
    default:user::rwx
    default:user:clamav:rwx
    default:group::rwx
    default:mask::rwx
    default:other::rwx

    This is how I have configured my clamfs .xml file:

    <filesystem root="/home/administrator/.sharedfiles" mountpoint="/home/administrator/sharedfiles" public="yes" readonly="no" nonempty="yes" />

    Any idea on where I am going wrong? I would really like to get this working. Thanks.
