Operating Principles
The SpIDer Guard for SMB monitor operates in daemon mode (usually it is started by the Dr.Web ConfigD configuration management daemon on system startup). After startup, the component operates as a server to which custom plugins (VFS SMB modules) connect; these modules run on the Samba server side and monitor user activity in shared directories. Once new or modified files are found, the monitor requests their scanning by the Dr.Web File Checker component.

If a file scanned at the request of the monitor is infected with an incurable threat, or with a threat for which the “Block” (BLOCK) action is specified, the monitor instructs the VFS SMB module controlling the shared directory to block this file (that is, to prevent users from reading, writing and executing the file). Furthermore, if this setting is enabled, a text file describing the reason for blocking is created next to the blocked file. This is done to avoid the “unexpected disappearance” of a file to which the “Delete” (DELETE) or “Quarantine” (QUARANTINE) action was applied, and it prevents the user (or the worm that infected the computer) from repeatedly attempting to recreate the moved or deleted file. The text file also notifies the user that the computer is probably infected with a malicious program; once informed, the user can start an anti-virus scan of the computer to detect and neutralize local threats.

In addition, depending on the value of the corresponding configuration parameter, a file can be blocked upon a scanning error, including the absence of a valid license that enables operation of SpIDer Guard for SMB.

Specifying File System Areas to Be Monitored

You can disable monitoring of specified files and directories stored in the controlled shared directories of the Samba server. This can be useful when some files are frequently modified, which results in constant repeated scanning of these files and can cause high system load. If it is known with certainty that frequent modification is typical for some files in the storage, it is recommended that you add them to the list of exclusions. In this case, the monitor ignores modification of these files, and their scanning by the file scanning component is not initiated.

To distinguish between directories to be monitored and those to be skipped, the file storage monitor for Samba (SpIDer Guard for SMB) uses two configuration parameters:
•IncludedPath: list of paths to be monitored (monitoring scope);
•ExcludedPath: list of paths to be excluded from monitoring (exclusion scope).

Normally, the monitoring scope covers the entire shared directory. If you specify both monitoring and exclusion scopes, only those files in the shared directory are monitored whose paths are not specified in the ExcludedPath parameter or are specified in the IncludedPath parameter. If the same path is specified in both parameters, the IncludedPath parameter has priority: objects whose paths are included will be controlled by the SpIDer Guard for SMB monitor. Thus, you can use the IncludedPath parameter to add some files and directories to monitoring even if they are covered by the exclusion scope.

You can specify different protection parameters for different Samba shared directories protected by the SpIDer Guard for SMB monitor, including different monitoring and exclusion scopes as well as different reactions to detected threats. For that purpose, in the SpIDer Guard for SMB configuration section, specify individual settings for the VFS SMB modules that control these shared directories.
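The following is an added worked example of the IncludedPath/ExcludedPath decision described above; it is not Dr.Web code and does not read the product's configuration. It assumes (the page does not say) that scope entries are file or directory paths matched by containment, that the most specific matching entry decides, and that IncludedPath wins when both lists name the same path. Under those assumptions it reproduces the documented behaviour: the whole share is monitored by default, a frequently modified directory can be excluded, and a subdirectory inside that exclusion can be pulled back into monitoring via IncludedPath. The share layout and file names are constructed for the example.

```python
"""Monitoring-scope decision modelled on the IncludedPath/ExcludedPath
description for SpIDer Guard for SMB. Added example, not Dr.Web code.

Assumptions not stated on the page:
  * scope entries are POSIX paths matched by containment (a scope entry
    matches a path that is the entry itself or lies beneath it);
  * when several entries match, the most specific (deepest) one decides;
  * when the deepest IncludedPath and ExcludedPath matches are equally
    specific (e.g. the same path in both lists), IncludedPath wins.
"""
from pathlib import PurePosixPath


def _match_depth(path: str, scope: str) -> int:
    """Return the component count of `scope` if `path` equals `scope` or lies
    beneath it, else -1 (no match). A larger value means a more specific
    scope entry."""
    p = PurePosixPath(path)
    s = PurePosixPath(scope)
    if p == s or s in p.parents:
        return len(s.parts)
    return -1


def is_monitored(path: str, included=(), excluded=()) -> bool:
    """Decide whether the monitor should react to changes of `path`.

    Monitored if the path is not covered by ExcludedPath, or if the most
    specific IncludedPath entry covering it is at least as specific as the
    most specific ExcludedPath entry (IncludedPath has priority on a tie).
    """
    best_inc = max((_match_depth(path, s) for s in included), default=-1)
    best_exc = max((_match_depth(path, s) for s in excluded), default=-1)
    if best_exc < 0:
        # Default: the whole shared directory is in the monitoring scope.
        return True
    return best_inc >= best_exc


def partition(paths, included=(), excluded=()):
    """Split a list of paths into (monitored, skipped) for the given scopes."""
    monitored = [p for p in paths if is_monitored(p, included, excluded)]
    skipped = [p for p in paths if not is_monitored(p, included, excluded)]
    return monitored, skipped


# Constructed sample share: the logs directory churns constantly and is
# excluded, but uploads dropped into it must still be checked.
SHARE = "/srv/share"
INCLUDED = [f"{SHARE}/logs/uploads"]
EXCLUDED = [f"{SHARE}/logs"]
SAMPLE_FILES = [
    f"{SHARE}/docs/report.docx",
    f"{SHARE}/logs/app.log",
    f"{SHARE}/logs/uploads/setup.exe",
    f"{SHARE}/logs",
]

if __name__ == "__main__":
    monitored, skipped = partition(SAMPLE_FILES, INCLUDED, EXCLUDED)
    for p in monitored:
        print("monitored:", p)
    for p in skipped:
        print("skipped:  ", p)
```

Running the script shows the report and the upload being monitored while the log file and the logs directory itself are skipped; removing the IncludedPath entry makes the uploads directory follow the exclusion as well.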