Koozali.org: home of the SME Server

Scanning Windows PC's with ClamAV (by accident) works great!

rexgaylord
I created a backup job using Backup to workstation. My backup path was to the Windows default share of drive C, for example \\mypc\c$ . I have the Pagefault yum contrib installed and it is set to scan SME every night. After this backup was set up, I got a scan result indicating that it found viruses in the /mnt directory. I would like to mount a few more PCs without using the Backup to workstation program. Can somebody please tell me what the Linux command would be to mount another share on a Windows PC? An example of the scan results is below. I posted a couple of months ago that ClamAV had found infected files on the server that I cannot find in the directories anywhere. The path where the infected files are supposed to be located just doesn't seem to exist, or is hidden from root? I have even searched the drive for the infected file using the command ' find / -name filename -print ' but can't find them. An example of those files is also below. Does anybody know how to delete these infected files?

Example of infected files on the PC:
//mnt/backup2ws.911/Documents and Settings/rgaylord/Desktop/restore/Documents and Settings/admin/Local Settings/Temporary Internet Files/Content.IE5/89IRKD27/w32.dengue[1].htm: W32.GriYo FOUND

//mnt/backup2ws.911/Program Files/Panda Software/Panda Antivirus Platinum/Sdisk2.img: W32.GriYo FOUND

Example of hidden infected files. /tmp/clamav-* doesn't exist:

/tmp/clamav-7523ad7b651fe284/usr/lib/libpavdll.so.3.6.0.1: W32.GriYo FOUND

/tmp/clamav-8504699fbaaec1d7/bin/exe/libpavdll_qm.so.3.2.1.8: W32.GriYo FOUND

/tmp/clamav-8504699fbaaec1d7/bin/update/download_sf.sh: Eicar-Test-Signature FOUND

/tmp/clamav-8504699fbaaec1d7/bin/update/test_sf.sh: Eicar-Test-Signature FOUND

LeeKimber

smbmount
« Reply #1 on: July 24, 2004, 09:48:24 PM »
I can't speak to your hidden file problem, I'm afraid.

Re mounting the Windows shares, the basic command for mounting Windows shares is:

smbmount //<hostname>/<sharename> /mnt/point -o username=<username>,password=<password>,ip=<ip_of_hostname>

I wasn't quite sure from your post whether you meant that you wanted to mount multiple shares from one Windows machine on to mount points on one Linux server, or something else. But hope the above helps.

You only need the IP address of the hostname if using the hostname itself is not resolving for one reason or another. You can't reliably use the hostname's IP address in place of the hostname the way you can in the address bar of Explorer on Windows machines.

Also, if your Windows share password has non-alphanumeric characters in it, then you need to enclose the password in apostrophes.

rexgaylord
Scanning Windows PC's with ClamAV (by accident) works great!
« Reply #2 on: July 24, 2004, 09:59:59 PM »
That worked fine. And running clamscan -r on the mount location seems to scan the files on the PC well also. Thanks, Rex

LeeKimber

It's doing it Linux to Linux that throws me!
« Reply #3 on: July 25, 2004, 01:50:03 AM »
I tried mounting an SME-hosted samba share on to my Linux desktop with write permissions.

No go.

No matter how much I loosen up the SME server samba share permissions and no matter how much I chmod the mount point on my machine, I cannot get write permissions on the SME share.

Assuming I mount SME share to /mnt/smb on my own machine, as soon as I smbmount the SME share, the permissions on my /mnt/smb directory turn to drwxr-xr-r-x.

Very annoying! Anyone got a fix or workaround for this?

Thanks

Lee

wickedImp

Nice tip.. here's how I mount my windows drives!
« Reply #4 on: September 12, 2004, 05:18:25 PM »
N.B.
This will only work if you have created the corresponding /mnt/<dir>s - I like sticking them in /mnt/ but I don't see why you can't put them where you want...

The networks I administer are pretty much all W2K - so they all have an Administrator account and I use the same admin password for all the boxes. The "C$" basically mounts the whole drive rather than just the shared portions of it..

mount -t smbfs -o username=Administrator,password=adminpass //COMPUTERNAME/C$ /mnt/COMPUTERNAME
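As an added example (not code from this thread or from SME Server), here is a small POSIX shell script that ties together the two things the thread covers: mounting a Windows admin share from Linux (Reply #1 and Reply #4) and running clamscan over the mount (Reply #2). It assumes the modern cifs-utils mount.cifs helper rather than the older smbfs/smbmount shown above, and it mounts read-only with a root-only credentials file so the password never appears on the command line where any local user could read it from the process list. It also classifies the scan report: ClamAV unpacks archives and similar containers into a temporary directory under /tmp named clamav-<random> that is deleted when the scan ends, so a hit reported under /tmp/clamav-*/ (as in the first post) belongs to some container file elsewhere on the scanned tree, not to a file you can find under /tmp afterwards. The hostname PC01, the credentials path /root/.smbcred and the sample report lines are constructed for the example.

```shell
#!/bin/sh
# Added example: mount a Windows admin share read-only, scan it with clamscan,
# and summarise the report. Assumes cifs-utils (mount.cifs) and clamav are installed.

# Build the mount command for one host. "ro" keeps the scan from altering anything
# on the PC; "credentials=" reads username/password from a root-only file (mode 0600,
# lines "username=..." and "password=...") instead of exposing them in `ps` output.
build_mount_cmd() {
    host="$1"; share="$2"; credfile="$3"
    printf 'mount -t cifs -o ro,credentials=%s //%s/%s /mnt/%s\n' \
        "$credfile" "$host" "$share" "$host"
}

# Mount, scan and unmount one host. Not invoked at top level; run as root with a
# real credentials file, e.g.  scan_host PC01 /root/.smbcred
# clamscan exit status: 0 = clean, 1 = infected files found, 2 = error.
scan_host() {
    host="$1"; credfile="$2"
    mkdir -p "/mnt/$host"
    mount -t cifs -o ro,credentials="$credfile" "//$host/C\$" "/mnt/$host" || return 1
    if clamscan -r --infected --log="/var/log/clamscan-$host.log" "/mnt/$host"; then
        rc=0
    else
        rc=$?
    fi
    umount "/mnt/$host"
    return "$rc"
}

# Classify one line of clamscan output.
#   extracted-from-archive : hit inside ClamAV's temporary extraction area; the
#                            real object is a container file on the scanned tree
#   on-mount               : hit on a file that really exists under /mnt
#   other                  : a hit somewhere else on the local filesystem
#   not-a-hit              : OK lines, summary lines, anything else
classify_hit() {
    case "$1" in
        */tmp/clamav-*": "*" FOUND")            echo "extracted-from-archive" ;;
        /mnt/*": "*" FOUND"|//mnt/*": "*" FOUND") echo "on-mount" ;;
        *" FOUND")                               echo "other" ;;
        *)                                       echo "not-a-hit" ;;
    esac
}

# Count report lines (read from stdin) of one classification.
count_hits() {
    kind="$1"; n=0
    while IFS= read -r line; do
        if [ "$(classify_hit "$line")" = "$kind" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample report in clamscan's "<path>: <signature> FOUND" format.
SAMPLE_REPORT='//mnt/backup2ws.911/Program Files/Panda Software/Panda Antivirus Platinum/Sdisk2.img: W32.GriYo FOUND
/tmp/clamav-8504699fbaaec1d7/bin/update/test_sf.sh: Eicar-Test-Signature FOUND
/mnt/PC01/Users/bob/notes.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 2'

# Stand-alone demonstration on the constructed sample (no mount, no network).
build_mount_cmd PC01 'C$' /root/.smbcred
printf 'on-mount hits:              %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | count_hits on-mount)"
printf 'extracted-from-archive hits: %s\n' "$(printf '%s\n' "$SAMPLE_REPORT" | count_hits extracted-from-archive)"
```

When a hit is classified as extracted-from-archive, the file to act on is the container that was being unpacked at that point of the scan (an archive, disk image or installer on the mount), which is why a later `find / -name` for the inner filename turns up nothing; keeping the --log file lets you read the lines just before the hit to see which container that was.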

rexgaylord
Scanning Windows PC's with ClamAV (by accident) works great!
« Reply #5 on: September 12, 2004, 06:36:37 PM »
Do you get the message on your W2K machines that it needs your W2K CD to restore protected files after ClamAV does a scan of the C$ ? I'm curious what file it's actually changing on the W2K machine, but I've never let it do the restore.

wickedImp

Scanning Windows PC's with ClamAV (by accident) works great!
« Reply #6 on: September 12, 2004, 08:26:17 PM »
Quote from: rexgaylord
Do you get the message on your W2K machines that it needs your W2K CD to restore protected files after ClamAV does a scan of the C$ ? I'm curious what file it's actually changing on the W2K machine, but I've never let it do the restore.


Hi Rex,
Seems you have misread me. I didn't say I'd used the scanner in this way, I just mentioned that I had a reliable method for mounting Windows boxes on the LAN.
Imp