Using Wine introduces new threats to your Linux box. One day every computer virus prepared to run under Windows will smoothly run under Wine. Some time ago I wrote ClamFS, a FUSE-based user-space file system for Linux with on-access anti-virus file scanning. It uses a well-known open source virus scanner, Clam AntiVirus. ClamFS was designed to protect Samba shares and FTP servers with upload enabled. Here is a small guide on how to configure ClamFS to protect a Wine installation from viruses.
What do we need?
- any Linux distribution (I prefer Debian, so this guide is somewhat ".deb-centric"),
- ClamAV (clamd and freshclam as a minimum),
Installing Wine, ClamAV and ClamFS
First of all install everything. Start with:
# aptitude install wine clamav-daemon
If you use Debian unstable:
# aptitude install clamfs
ClamFS is currently available only from unstable. If you are not an unstable user, you may try to rebuild ClamFS from the Debian sources. If you are not a Debian user, install it from source.
Create the configuration file ~/.clamfs.xml with this content:
<?xml version="1.0" encoding="UTF-8"?>
<clamfs>
<!-- socket of the running clamd daemon -->
<clamd socket="/var/run/clamav/clamd.ctl" />
<!-- root is the real storage, mountpoint is the scanned view Wine will use -->
<filesystem root="/home/kb/.wine/root" mountpoint="/home/kb/wine" />
<file maximal-size="10485760" /> <!-- 10MiB -->
<blacklist>
<include extension="exe" /> <!-- executable file -->
<include extension="com" /> <!-- executable file -->
<include extension="dll" /> <!-- library -->
<include extension="sys" /> <!-- system file / driver -->
<include extension="vbs" /> <!-- Visual Basic Script -->
<include extension="bat" /> <!-- DOS Batch file -->
<include extension="cmd" /> <!-- Windows Command file -->
</blacklist>
<cache entries="4096" expire="3600000" /> <!-- 1h -->
<log method="file" filename="/home/kb/.clamfs.log" verbose="no" />
<mail server="localhost" to="[email protected]" from="[email protected]"
subject="ClamFS: Virus detected" />
</clamfs>
ClamFS will send e-mail alerts and store its log in ~/.clamfs.log. You may tune the cache and the maximal file size. Also add more blacklisted extensions if you like.
Move all files from the C: drive to /home/kb/.wine/root and configure Wine to use ~/wine as C: (make the symbolic link ~/.wine/dosdevices/c: point to ~/wine).
ClamAV runs as the user clamav. Normal users should not be members of this group. Unfortunately, ugo+/-rwx permissions are not enough to give access to both you and the clamav user. To accomplish this we will use POSIX ACLs. If you are not familiar with them, read the article POSIX Access Control Lists on Linux.
Set the default ACL for directories (files created in those directories will inherit the ACL):
$ setfacl -R -b -d -m user:clamav:rx .wine/root
Now set all files and directories to be readable by clamav:
$ setfacl -R -m user:clamav:rx .wine/root
$ clamfs ~/.clamfs.xml
Now try to "infect" yourself with the harmless test "threat" from Eicar.
$ wget http://www.eicar.org/download/eicar_com.zip
$ unzip eicar_com.zip
Unzip will fail ("Cannot open zipfile [ eicar_com.zip ]: Operation not permitted"). We are done creating a "bulletproof" Wine.
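A layout check for this setup, as an added example (not part of the original guide or of ClamFS): it reads root and mountpoint from the ClamFS configuration and reports every Wine drive link that reaches the backing directory without passing through the ClamFS mount. The function name, the check_mount parameter and the temporary sample layout are assumptions made for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def check_wine_clamfs(config_path, wine_prefix, check_mount=True):
    """Return findings; an empty list means every Wine drive goes through ClamFS."""
    fs = next(ET.parse(config_path).getroot().iter("filesystem"), None)
    if fs is None or not fs.get("root") or not fs.get("mountpoint"):
        return ["config has no usable <filesystem> element"]
    root = os.path.realpath(fs.get("root"))
    mount = os.path.realpath(fs.get("mountpoint"))
    findings = []
    if check_mount and not os.path.ismount(mount):
        findings.append(f"{mount} is not a mount point, ClamFS is not running")
    drives = os.path.join(wine_prefix, "dosdevices")
    for name in sorted(os.listdir(drives)):
        target = os.path.realpath(os.path.join(drives, name))
        if name == "c:" and target != mount:
            findings.append(f"c: resolves to {target}, expected {mount}")
        # A drive that lands inside the backing directory, or on one of its
        # parents (Wine's default z: -> / does), reaches the files unscanned.
        if os.path.commonpath([target, root]) in (target, root):
            findings.append(f"{name} ({target}) reaches {root} without ClamFS")
    return findings

if __name__ == "__main__":
    # Constructed sample layout in a temp dir, mirroring the guide's paths.
    home = os.path.realpath(tempfile.mkdtemp())
    root, mount = os.path.join(home, ".wine", "root"), os.path.join(home, "wine")
    dos = os.path.join(home, ".wine", "dosdevices")
    for d in (root, mount, dos):
        os.makedirs(d)
    cfg = os.path.join(home, ".clamfs.xml")
    with open(cfg, "w") as f:
        f.write(f'<clamfs><filesystem root="{root}" mountpoint="{mount}" /></clamfs>')
    os.symlink(mount, os.path.join(dos, "c:"))
    os.symlink("/", os.path.join(dos, "z:"))
    for finding in check_wine_clamfs(cfg, os.path.join(home, ".wine")):
        print("WARNING:", finding)
```

On a real installation, call check_wine_clamfs with ~/.clamfs.xml and ~/.wine after mounting ClamFS.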