Operating Principles

In this section:

General Information.

Defining Areas of the File System to be Monitored.

General Information

The SpIDer Guard for SMB monitor operates in daemon mode (usually it is started by the Dr.Web ConfigD configuration daemon on system startup). After startup, the component operates as a server to which special plug-ins (VFS SMB modules) are connected; these modules run on the Samba server side and monitor user activity in shared directories. Once new or modified files are found on a volume, the monitor instructs the Dr.Web File Checker component to scan the file.

If a file scanned at the request of the monitor is infected with an incurable threat, or with a threat for which the “Block” action is specified, the monitor instructs the VFS SMB module controlling the corresponding shared directory to block this file (that is, to prevent users from reading, editing, and running the file). Unless this setting is disabled, a text file is also created next to the blocked object describing the reason why the object was blocked. This text file serves to avoid the “unexpected disappearance” of a file to which the “Delete” or “Quarantine” action was applied, and thus prevents users from repeatedly attempting to recreate the moved or deleted file. Moreover, the text file notifies the user that the computer may be infected with a malicious program; once informed, the user can start an anti-virus scan of the computer and neutralize the locally detected threats. Additionally, depending on the value of the corresponding configuration parameter, a file can be blocked upon a scanning error, including the case when there is no valid license permitting operation of SpIDer Guard for SMB.

Defining Areas of the File System to be Monitored

You can disable monitoring of specified files and directories stored in controlled shared directories of the Samba server. This can be useful when, for example, some files are frequently modified, which results in constant repeated scanning of these files and can therefore increase system load. If it is known with certainty that frequent modification is typical for these files in the file server storage, it is recommended that you add them to the list of exclusions. In this case, the monitor stops responding to modifications of these objects and their scanning is not initiated.

To distinguish between directories that are to be monitored and the exclusions, the file storage monitor for Samba—SpIDer Guard for SMB—uses two configuration parameters:

IncludedPath—paths to be monitored (monitoring scope).

ExcludedPath—paths to be excluded from monitoring (exclusion scope).

Normally, the monitor uses the entire shared directory as the monitoring scope. If you specify different monitoring and exclusion scopes, only those files in the shared directory are monitored whose paths are either not specified in the ExcludedPath parameter or are specified in the IncludedPath parameter. If a path is specified in both parameters, IncludedPath takes priority over ExcludedPath: the objects in the included path will be monitored by the Samba shared directories monitor, SpIDer Guard for SMB. Thus, use the IncludedPath parameter to add files and directories for monitoring even if they are located inside the exclusion scope.
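The following added example (not Dr.Web code) models the IncludedPath/ExcludedPath precedence rule described above so an administrator can predict which objects in a share the monitor will react to. It assumes a share at /srv/share and that a directory entry in either list covers the directory itself and everything below it; the scope lists and sample paths are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed scopes for a single Samba share at /srv/share (not from the page).
# Assumption: a directory entry covers that directory and everything below it.
INCLUDED_PATH = ["/srv/share/scratch/reports"]
EXCLUDED_PATH = ["/srv/share/scratch", "/srv/share/logs/app.log"]


def _covered(path, scope):
    """True if path equals, or lies below, any entry of the scope list.
    Path components are compared, so /srv/share/tmp does not cover /srv/share/tmpfile."""
    p = PurePosixPath(path)
    return any(p == PurePosixPath(s) or PurePosixPath(s) in p.parents for s in scope)


def is_monitored(path, included=INCLUDED_PATH, excluded=EXCLUDED_PATH):
    """Apply the precedence stated on the page: everything in the share is
    monitored unless it falls under ExcludedPath, and an IncludedPath entry
    re-enables monitoring even inside an excluded area."""
    if _covered(path, included):
        return True  # IncludedPath wins over ExcludedPath
    return not _covered(path, excluded)


def effective_scope(paths, included=INCLUDED_PATH, excluded=EXCLUDED_PATH):
    """Map each candidate path to whether the monitor would react to it."""
    return {p: is_monitored(p, included, excluded) for p in paths}


if __name__ == "__main__":
    sample = [
        "/srv/share/docs/plan.docx",           # default: monitored
        "/srv/share/scratch/build/tmp.o",      # inside excluded subtree: skipped
        "/srv/share/scratch/reports/q1.xlsx",  # included inside excluded: monitored
        "/srv/share/logs/app.log",             # excluded single file: skipped
        "/srv/share/logs/app.log.1",           # different file: monitored
    ]
    for p, m in effective_scope(sample).items():
        print(f"{'monitored' if m else 'skipped  '}  {p}")
```

Running the script prints one line per sample path; the decision table is useful when reviewing an exclusion list to confirm that a broad exclusion has not silently removed a directory that should remain protected.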

You can specify different protection parameters for different Samba shared directories monitored by SpIDer Guard for SMB, including different monitoring and exclusion scope as well as reaction to detected threats. For that purpose, in the configuration section of SpIDer Guard for SMB, specify individual settings for VFS SMB modules that control shared directories.

See the Integration with Samba File Server section for information about integrating Dr.Web for UNIX File Servers with a file service.