2025-03-23 06:50:21 +03:00 · 2016-10-18 13:34:53 -06:00 · 2016-10-18 13:34:53 -06:00 · 63f9a037fd
commit 63f9a037fd
parent 8f20444abe
9 changed files with 3494 additions and 1 deletions
--- a/docs-xml/manpages/vfs_virusfilter.8.xml
+++ b/docs-xml/manpages/vfs_virusfilter.8.xml
@ -0,0 +1,336 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<refentry id="vfs_virusfilter.8">
+
+<refmeta>
+	<refentrytitle>vfs_virusfilter</refentrytitle>
+	<manvolnum>8</manvolnum>
+	<refmiscinfo class="source">Samba</refmiscinfo>
+	<refmiscinfo class="manual">System Administration tools</refmiscinfo>
+	<refmiscinfo class="version">4.8</refmiscinfo>
+</refmeta>
+
+
+<refnamediv>
+	<refname>vfs_virusfilter</refname>
+	<refpurpose>On access virus scanner</refpurpose>
+</refnamediv>
+
+<refsynopsisdiv>
+	<cmdsynopsis>
+		<command>vfs objects = virusfilter</command>
+	</cmdsynopsis>
+</refsynopsisdiv>
+
+<refsect1>
+	<title>DESCRIPTION</title>
+
+	<para>This is a set of various Samba VFS modules to scan and filter
+	virus files on Samba file services with an anti-virus scanner.</para>
+
+	<para>This module is stackable.</para>
+
+</refsect1>
+
+<refsect1>
+	<title>OPTIONS</title>
+
+	<variablelist>
+
+		<varlistentry>
+		<term>virusfilter:scanner</term>
+		<listitem>
+		<para>The antivirus scan-engine.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:socket path = PATH</term>
+		<listitem>
+		<para>Path of local socket for the virus scanner.
+		</para>
+		<para>If this option is not set, the default path depends on the
+		configured AV scanning engine.
+		</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:connect timeout = 30000</term>
+		<listitem>
+		<para>Controls how long to wait on connecting to the virus
+		scanning process before timing out. Value is in milliseconds.
+		</para>
+		<para>If this option is not set, the default is 30000.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:io timeout = 60000</term>
+		<listitem>
+		<para>Controls how long to wait on communications with the virus
+		scanning process before timing out. Value is in milliseconds.
+		</para>
+		<para>If this option is not set, the default is 60000.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan on open = yes</term>
+		<listitem>
+		<para>This option controls whether files are scanned on open.
+		</para>
+		<para>If this option is not set, the default is yes.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan on close = no</term>
+		<listitem>
+		<para>This option controls whether files are scanned on close.
+		</para>
+		<para>If this option is not set, the default is no.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:max file size = 100000000</term>
+		<listitem>
+		<para>This is the largest sized file, in bytes, which will be scanned.
+		</para>
+		<para>If this option is not set, the default is 100MB.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:min file size = 10</term>
+		<listitem>
+		<para>This is the smallest sized file, in bytes, which will be scanned.
+		</para>
+		<para>If this option is not set, the default is 10.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:infected file action = nothing</term>
+		<listitem>
+		<para>What to do with an infected file. The options are
+		nothing, quarantine, rename, delete.</para>
+		<para>If this option is not set, the default is nothing.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:infected file errno on open = EACCES</term>
+		<listitem>
+		<para>What errno to return on open if the file is infected.
+		</para>
+		<para>If this option is not set, the default is EACCES.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:infected file errno on close = 0</term>
+		<listitem>
+		<para>What errno to return on close if the file is infected.
+		</para>
+		<para>If this option is not set, the default is 0.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine directory = PATH</term>
+		<listitem>
+		<para>Where to move infected files. This path must be an
+		absolute path.</para>
+		<para>If this option is not set, the default is ".quarantine"
+		relative to the share path. </para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine prefix = virusfilter.</term>
+		<listitem>
+		<para>Prefix for quarantined files.</para>
+		<para>If this option is not set, the default is "virusfilter.".</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine suffix = .infected</term>
+		<listitem>
+		<para>Suffix for quarantined files.
+		This option is only used if keep name is true. Otherwise it is ignored.</para>
+		<para>If this option is not set, the default is ".infected".</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:rename prefix = virusfilter.</term>
+		<listitem>
+		<para>Prefix for infected files.</para>
+		<para>If this option is not set, the default is "virusfilter.".</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:rename suffix = .infected</term>
+		<listitem>
+		<para>Suffix for infected files.</para>
+		<para>If this option is not set, the default is ".infected".</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine keep tree = yes</term>
+		<listitem>
+		<para>If keep tree is set, the directory structure relative
+		to the share is maintained in the quarantine directory.
+		</para>
+		<para>If this option is not set, the default is yes.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine keep name = yes</term>
+		<listitem>
+		<para>Should the file name be left unmodified other than adding a suffix
+		and/or prefix and a random suffix name as defined in virusfilter:rename prefix
+		and virusfilter:rename suffix.</para>
+		<para>If this option is not set, the default is yes.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:infected file command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmaster@example.com --cc "%U@example.com" --from samba@example.com --subject-prefix "Samba: Infected File: "</term>
+		<listitem>
+		<para>External command to run on an infected file is found.</para>
+		<para>If this option is not set, the default is none.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan archive = true</term>
+		<listitem>
+		<para>This defines whether or not to scan archives.</para>
+		<para>Sophos supports this and defaults to false.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:max nested scan archive = 1</term>
+		<listitem>
+		<para>This defines the maximum depth to search nested archives.</para>
+		<para>The Sophos module supports this and defaults to 1.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan error command = @SAMBA_DATADIR@/bin/virusfilter-notify --mail-to virusmaster@example.com --from samba@example.com --subject-prefix "Samba: Scan Error: "</term>
+		<listitem>
+		<para>External command to run on scan error.</para>
+		<para>If this option is not set, the default is none.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:exclude files = empty</term>
+		<listitem>
+		<para>Files to exclude from scanning.</para>
+		<para>If this option is not set, the default is empty.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:block access on error = false</term>
+		<listitem>
+		<para>Controls whether or not access should be blocked on
+		a scanning error.</para>
+		<para>If this option is not set, the default is false.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan error errno on open = EACCES</term>
+		<listitem>
+		<para>What errno to return on open if there is an error in
+		scanning the file and block access on error is true.
+		</para>
+		<para>If this option is not set, the default is EACCES.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:scan error errno on close = 0</term>
+		<listitem>
+		<para>What errno to return on close if there is an error in
+		scanning the file and block access on error is true.
+		</para>
+		<para>If this option is not set, the default is 0.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:cache entry limit = 100</term>
+		<listitem>
+		<para>The maximum number of entries in the scanning results
+		cache. Due to how Samba's memcache works, this is approximate.</para>
+		<para>If this option is not set, the default is 100.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:cache time limit = 10</term>
+		<listitem>
+		<para>The maximum number of seconds that a scanning result
+		will stay in the results cache. -1 disables the limit.
+		0 disables caching.</para>
+		<para>If this option is not set, the default is 10.</para>
+		</listitem>
+		</varlistentry>
+
+		<varlistentry>
+		<term>virusfilter:quarantine directory mode = 0755</term>
+		<listitem>
+		<para>This is the octet mode for the quarantine directory and
+		its sub-directories as they are created.</para>
+		<para>If this option is not set, the default is 0755 or
+		S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_IROTH |
+		S_IXOTH.</para>
+		<para>Permissions must be such that all users can read and
+		search. I.E. don't mess with this unless you really know what
+		you are doing.</para>
+		</listitem>
+		</varlistentry>
+
+	</variablelist>
+</refsect1>
+
+<refsect1>
+	<title>NOTES</title>
+
+	<para>This module can scan other than default streams, if the
+	alternative datastreams are each backed as separate files, such as with
+	the vfs module streams_depot.</para>
+
+	<para>For proper operation the streams support module must be before
+	the virusfilter module in your vfs objects list (i.e. streams_depot
+	must be called before virusfilter module).</para>
+
+	<para>This module is intended for security in depth by providing
+	virus scanning capability on the server. It is not intended to be used
+	in lieu of proper client based security. Other modules for security may
+	exist and may be desirable for security in depth on the server.</para>
+</refsect1>
+
+<refsect1>
+	<title>AUTHOR</title>
+
+	<para>The original Samba software and related utilities
+	were created by Andrew Tridgell. Samba is now developed
+	by the Samba Team as an Open Source project similar
+	to the way the Linux kernel is developed.</para>
+
+</refsect1>
+
+</refentry>
--- a/docs-xml/wscript_build
+++ b/docs-xml/wscript_build
@ -90,6 +90,7 @@ manpages='''
         manpages/vfs_time_audit.8
         manpages/vfs_tsmsm.8
         manpages/vfs_unityed_media.8
+         manpages/vfs_virusfilter.8
         manpages/vfs_worm.8
         manpages/vfs_xattr_tdb.8
         manpages/vfstest.1
--- a/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
+++ b/examples/scripts/vfs/virusfilter/virusfilter-notify.ksh
@ -0,0 +1,284 @@
+#!/bin/ksh
+##
+## Samba-VirusFilter VFS modules
+## Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan
+##
+## This program is free software; you can redistribute it and/or modify
+## it under the terms of the GNU General Public License as published by
+## the Free Software Foundation; either version 3 of the License, or
+## (at your option) any later version.
+##
+## This program is distributed in the hope that it will be useful,
+## but WITHOUT ANY WARRANTY; without even the implied warranty of
+## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+## GNU General Public License for more details.
+##
+## You should have received a copy of the GNU General Public License
+## along with this program.  If not, see <http://www.gnu.org/licenses/>.
+##
+
+set -u
+
+pdie() { echo "$0: ERROR: ${1-}" 1>&2; exit "${2-1}"; }
+
+## ======================================================================
+
+sendmail="${VIRUSFILTER_NOTIFY_SENDMAIL_COMMAND:-/usr/sbin/sendmail}"
+sendmail_opts="${VIRUSFILTER_NOTIFY_SENDMAIL_OPTIONS:-}"
+
+smbclient="${VIRUSFILTER_NOTIFY_SMBCLIENT_COMMAND:-@SAMBA_BINDIR@/smbclient}"
+smbclient_opts="${VIRUSFILTER_NOTIFY_SMBCLIENT_OPTIONS:-}"
+
+## ======================================================================
+
+if [ -n "${VIRUSFILTER_RESULT_IS_CACHE-}" ]; then
+  ## Result is cache. Ignore!
+  exit 0
+fi
+
+if [ ! -t 1 ] && [ -z "${VIRUSFILTER_NOTIFY_BG-}" ]; then
+  export VIRUSFILTER_NOTIFY_BG=1
+  "$0" ${1+"$@"} </dev/null >/dev/null &
+  exit 0
+fi
+
+## ----------------------------------------------------------------------
+
+if [ -n "${VIRUSFILTER_INFECTED_FILE_ACTION-}" ]; then
+  report="$VIRUSFILTER_INFECTED_FILE_REPORT"
+else
+  report="$VIRUSFILTER_SCAN_ERROR_REPORT"
+fi
+
+if [ X"$VIRUSFILTER_SERVER_NAME" != X"$VIRUSFILTER_SERVER_IP" ]; then
+  server_name="$VIRUSFILTER_SERVER_NAME"
+else
+  server_name="$VIRUSFILTER_SERVER_NETBIOS_NAME"
+fi
+
+if [ X"$VIRUSFILTER_CLIENT_NAME" != X"$VIRUSFILTER_CLIENT_IP" ]; then
+  client_name="$VIRUSFILTER_CLIENT_NAME"
+else
+  client_name="$VIRUSFILTER_CLIENT_NETBIOS_NAME"
+fi
+
+mail_to=""
+winpopup_to=""
+subject_prefix=""
+sender=""
+from=""
+cc=""
+bcc=""
+content_type="text/plain"
+content_encoding="UTF-8"
+
+cmd_usage="Usage: $0 [OPTIONS]
+
+Options:
+  --mail-to ADDRESS
+    Send a notice message to this e-mail address(es)
+  --winpopup-to NAME
+    Send a \"WinPopup\" message to this NetBIOS name
+  --sender ADDRESS
+    Envelope sender address for mail
+  --from ADDRESS
+    From: e-mail address for mail
+  --cc ADDRESS
+    Cc: e-mail address(es) for mail
+  --bcc ADDRESS
+    Bcc: e-mail address(es) for mail
+  --subject-prefix PREFIX
+    Subject: prefix string for mail
+  --content-type TYPE
+  --content-encoding ENCODING
+    Content-Type: TYPE; charset=\"ENCODING\" for mail [$content_type; charset=\"$content_encoding\"]
+  --header-file FILE
+    Prepend the content of FILE to the message
+  --footer-file FILE
+    Append the content of FILE to the message
+"
+
+## ----------------------------------------------------------------------
+
+getopts_want_arg()
+{
+  if [ "$#" -lt 2 ]; then
+    pdie "Option requires an argument: $1"
+  fi
+  if [ "$#" -ge 3 ]; then
+    if expr x"$2" : x"$3\$" >/dev/null; then
+      : OK
+    else
+      pdie "Invalid value for option: $1 $2"
+    fi
+  fi
+}
+
+while [ "$#" -gt 0 ]; do
+  OPT="$1"; shift
+  case "$OPT" in
+  --help)
+    echo "$cmd_usage"
+    exit 0
+    ;;
+  --mail-to)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    mail_to="${mail_to:+$mail_to, }$1"; shift
+    ;;
+  --winpopup-to)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    winpopup_to="$1"; shift
+    ;;
+  --sender)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    sender="$1"; shift
+    ;;
+  --from)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    from="$1"; shift
+    ;;
+  --cc)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    cc="${cc:+$cc, }$1"; shift
+    ;;
+  --bcc)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    bcc="${bcc:+$bcc, }$1"; shift
+    ;;
+  --subject-prefix)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    subject_prefix="$1"; shift
+    ;;
+  --content-type)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    content_type="$1"; shift
+    ;;
+  --content-encoding)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    content_encoding="$1"; shift
+    ;;
+  --header-file)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    header_file="$1"; shift
+    ;;
+  --footer-file)
+    getopts_want_arg "$OPT" ${1+"$1"}
+    footer_file="$1"; shift
+    ;;
+  --)
+    break
+    ;;
+  -*)
+    pdie "Invalid option: $OPT"
+    ;;
+  *)
+    set -- "$OPT" ${1+"$@"}
+    break
+    ;;
+  esac
+done
+
+[ -z "$sender" ] && sender="$from"
+subject="$subject_prefix$report"
+
+## ======================================================================
+
+msg_header="\
+Subject: $subject
+Content-Type: $content_type; charset=$content_encoding
+X-VIRUSFILTER-Version: $VIRUSFILTER_VERSION
+X-VIRUSFILTER-Module-Name: $VIRUSFILTER_MODULE_NAME
+"
+
+if [ -n "${VIRUSFILTER_MODULE_VERSION-}" ]; then
+  msg_header="${msg_header}\
+X-VIRUSFILTER-Module-Version: $VIRUSFILTER_MODULE_VERSION
+"
+fi
+
+if [ -n "${from-}" ]; then
+  msg_header="${msg_header}\
+From: $from
+"
+fi
+
+if [ -n "${mail_to-}" ]; then
+  msg_header="${msg_header}\
+To: $mail_to
+"
+fi
+
+if [ -n "${cc-}" ]; then
+  msg_header="${msg_header}\
+Cc: $cc
+"
+fi
+
+if [ -n "${bcc-}" ]; then
+  msg_header="${msg_header}\
+Bcc: $bcc
+"
+fi
+
+## ----------------------------------------------------------------------
+
+msg_body=""
+
+if [ -n "${header_file-}" ] && [ -f "$header_file" ]; then
+  msg_body="${msg_body}\
+`cat "$header_file"`
+"
+fi
+
+msg_body="${msg_body}\
+Server: $server_name ($VIRUSFILTER_SERVER_IP)
+Server PID: $VIRUSFILTER_SERVER_PID
+Service name: $VIRUSFILTER_SERVICE_NAME
+Service path: $VIRUSFILTER_SERVICE_PATH
+Client: $client_name ($VIRUSFILTER_CLIENT_IP)
+User: $VIRUSFILTER_USER_DOMAIN\\$VIRUSFILTER_USER_NAME
+"
+
+if [ -n "${VIRUSFILTER_INFECTED_FILE_ACTION-}" ]; then
+  msg_body="${msg_body}\
+Infected file report: $VIRUSFILTER_INFECTED_FILE_REPORT
+"
+  msg_body="${msg_body}\
+Infected file path: $VIRUSFILTER_SERVICE_PATH/$VIRUSFILTER_INFECTED_SERVICE_FILE_PATH
+"
+  msg_body="${msg_body}\
+Infected file action: $VIRUSFILTER_INFECTED_FILE_ACTION
+"
+else
+  msg_body="${msg_body}\
+Scan error report: $VIRUSFILTER_SCAN_ERROR_REPORT
+Scan error file path: $VIRUSFILTER_SERVICE_PATH/$VIRUSFILTER_SCAN_ERROR_SERVICE_FILE_PATH
+"
+fi
+
+if [ -n "${VIRUSFILTER_QUARANTINED_FILE_PATH-}" ]; then
+  msg_body="${msg_body}\
+Quarantined/Renamed file path: ${VIRUSFILTER_QUARANTINED_FILE_PATH-}
+"
+fi
+
+if [ -n "${footer_file-}" ] && [ -f "$footer_file" ]; then
+  msg_body="${msg_body}\
+`cat "$footer_file"`
+"
+fi
+
+## ======================================================================
+
+if [ -n "$mail_to" ]; then
+  (echo "$msg_header"; echo "$msg_body") \
+    |"$sendmail" -t -i ${sender:+-f "$sender"} $sendmail_opts
+fi
+
+if [ -n "$winpopup_to" ]; then
+  echo "$msg_body" \
+    |"$smbclient" -M "$winpopup_to" -U% $smbclient_opts \
+    >/dev/null
+fi
+
+exit 0
--- a/source3/modules/vfs_virusfilter.c
+++ b/source3/modules/vfs_virusfilter.c
--- a/source3/modules/vfs_virusfilter_common.h
+++ b/source3/modules/vfs_virusfilter_common.h
@ -0,0 +1,149 @@
+/*
+   Samba-VirusFilter VFS modules
+   Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _VIRUSFILTER_COMMON_H
+#define _VIRUSFILTER_COMMON_H
+
+#include <stdint.h>
+#include <time.h>
+
+/* Samba common include file */
+#include "includes.h"
+
+#include "smbd/smbd.h"
+#include "smbd/globals.h"
+#include "system/filesys.h"
+#include "transfer_file.h"
+#include "auth.h"
+#include "passdb.h"
+#include "../librpc/gen_ndr/ndr_netlogon.h"
+#include "../lib/tsocket/tsocket.h"
+
+/* Samba debug class for VIRUSFILTER */
+#undef DBGC_CLASS
+#define DBGC_CLASS virusfilter_debug_class
+extern int virusfilter_debug_class;
+
+/* Samba's global variable */
+extern userdom_struct current_user_info;
+
+#define VIRUSFILTER_VERSION "0.1.5"
+
+/* ====================================================================== */
+
+typedef enum {
+	VIRUSFILTER_ACTION_DO_NOTHING,
+	VIRUSFILTER_ACTION_QUARANTINE,
+	VIRUSFILTER_ACTION_RENAME,
+	VIRUSFILTER_ACTION_DELETE,
+} virusfilter_action;
+
+typedef enum {
+	VIRUSFILTER_RESULT_OK,
+	VIRUSFILTER_RESULT_CLEAN,
+	VIRUSFILTER_RESULT_ERROR,
+	VIRUSFILTER_RESULT_INFECTED,
+	VIRUSFILTER_RESULT_SUSPECTED,
+	/* FIXME: VIRUSFILTER_RESULT_RISKWARE, */
+} virusfilter_result;
+
+struct virusfilter_config {
+	int				scan_request_count;
+	int				scan_request_limit;
+
+	/* Scan on file operations */
+	bool				scan_on_open;
+	bool				scan_on_close;
+
+	/* Special scan options */
+	bool				scan_archive;
+	int				max_nested_scan_archive;
+	bool				scan_mime;
+	bool				block_suspected_file;
+
+	/* Size limit */
+	size_t				max_file_size;
+	size_t				min_file_size;
+
+	/* Exclude files */
+	name_compare_entry		*exclude_files;
+
+	/* Scan result cache */
+	struct virusfilter_cache	*cache;
+	int				cache_entry_limit;
+	int				cache_time_limit;
+
+	/* Infected file options */
+	virusfilter_action		infected_file_action;
+	const char *			infected_file_command;
+	int				infected_open_errno;
+	int				infected_close_errno;
+
+	/* Scan error options */
+	const char *			scan_error_command;
+	int				scan_error_open_errno;
+	int				scan_error_close_errno;
+	bool				block_access_on_error;
+
+	/* Quarantine infected files */
+	const char *			quarantine_dir;
+	const char *			quarantine_prefix;
+	const char *			quarantine_suffix;
+	bool				quarantine_keep_tree;
+	bool				quarantine_keep_name;
+	mode_t				quarantine_dir_mode;
+
+	/* Rename infected files */
+	const char *			rename_prefix;
+	const char *			rename_suffix;
+
+	/* Network options */
+	const char *			socket_path;
+	struct virusfilter_io_handle	*io_h;
+
+	/* The backend AV engine */
+	struct virusfilter_backend	*backend;
+};
+
+struct virusfilter_backend_fns {
+	int (*connect)(
+		struct vfs_handle_struct *handle,
+		struct virusfilter_config *config,
+		const char *svc,
+		const char *user);
+	void (*disconnect)(
+		struct vfs_handle_struct *handle);
+	virusfilter_result (*scan_init)(
+		struct virusfilter_config *config);
+	virusfilter_result (*scan)(
+		struct vfs_handle_struct *handle,
+		struct virusfilter_config *config,
+		const struct files_struct *fsp,
+		char **reportp);
+	void (*scan_end)(
+		struct virusfilter_config *config);
+};
+
+struct virusfilter_backend {
+	unsigned version;
+	const char *name;
+	const struct virusfilter_backend_fns *fns;
+	void *backend_private;
+};
+
+#endif /* _VIRUSFILTER_COMMON_H */
--- a/source3/modules/vfs_virusfilter_utils.c
+++ b/source3/modules/vfs_virusfilter_utils.c
--- a/source3/modules/vfs_virusfilter_utils.h
+++ b/source3/modules/vfs_virusfilter_utils.h
@ -0,0 +1,177 @@
+/*
+   Samba-VirusFilter VFS modules
+   Copyright (C) 2010-2016 SATOH Fumiyasu @ OSS Technology Corp., Japan
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef _VIRUSFILTER_UTILS_H
+#define _VIRUSFILTER_UTILS_H
+
+#include "modules/vfs_virusfilter_common.h"
+#include "../lib/util/memcache.h"
+#include "../lib/util/strv.h"
+
+/*#define str_eq(s1, s2)		\
+	((strcmp((s1), (s2)) == 0) ? true : false)
+#define strn_eq(s1, s2, n)	\
+	((strncmp((s1), (s2), (n)) == 0) ? true : false) */
+
+/* "* 3" is for %-encoding */
+#define VIRUSFILTER_IO_URL_MAX		(PATH_MAX * 3)
+#define VIRUSFILTER_IO_BUFFER_SIZE	(VIRUSFILTER_IO_URL_MAX + 128)
+#define VIRUSFILTER_IO_EOL_SIZE		1
+#define VIRUSFILTER_IO_IOV_MAX		16
+#define VIRUSFILTER_CACHE_BUFFER_SIZE	(PATH_MAX + 128)
+
+struct virusfilter_io_handle {
+	struct tstream_context *stream;
+	int		connect_timeout;	/* msec */
+	int		io_timeout;		/* msec */
+
+	/* end-of-line character(s) */
+	char		w_eol[VIRUSFILTER_IO_EOL_SIZE];
+	int		w_eol_size;
+
+	/* end-of-line character(s) */
+	char		r_eol[VIRUSFILTER_IO_EOL_SIZE];
+	int		r_eol_size;
+
+	/* buffer */
+	char		r_buffer[VIRUSFILTER_IO_BUFFER_SIZE];
+	size_t		r_len;
+};
+
+struct virusfilter_cache_entry {
+	time_t time;
+	virusfilter_result result;
+	char *report;
+};
+
+struct virusfilter_cache {
+	struct memcache *cache;
+	TALLOC_CTX *ctx;
+	time_t time_limit;
+};
+
+/* ====================================================================== */
+
+char *virusfilter_string_sub(
+	TALLOC_CTX *mem_ctx,
+	connection_struct *conn,
+	const char *str);
+int virusfilter_vfs_next_move(
+	vfs_handle_struct *handle,
+	const struct smb_filename *smb_fname_src,
+	const struct smb_filename *smb_fname_dst);
+
+/* Line-based socket I/O */
+struct virusfilter_io_handle *virusfilter_io_new(
+	TALLOC_CTX *mem_ctx,
+	int connect_timeout,
+	int timeout);
+int virusfilter_io_set_connect_timeout(
+	struct virusfilter_io_handle *io_h,
+	int timeout);
+int virusfilter_io_set_io_timeout(
+	struct virusfilter_io_handle *io_h, int timeout);
+void virusfilter_io_set_writel_eol(
+	struct virusfilter_io_handle *io_h,
+	const char *eol,
+	int eol_size);
+void virusfilter_io_set_readl_eol(
+	struct virusfilter_io_handle *io_h,
+	const char *eol,
+	int eol_size);
+bool virusfilter_io_connect_path(
+	struct virusfilter_io_handle *io_h,
+	const char *path);
+bool virusfilter_io_disconnect(
+	struct virusfilter_io_handle *io_h);
+bool write_data_iov_timeout(
+	struct tstream_context *stream,
+	const struct iovec *iov,
+	size_t iovcnt,
+	int ms_timeout);
+bool virusfilter_io_write(
+	struct virusfilter_io_handle *io_h,
+	const char *data,
+	size_t data_size);
+bool virusfilter_io_writel(
+	struct virusfilter_io_handle *io_h,
+	const char *data,
+	size_t data_size);
+bool virusfilter_io_writefl(
+	struct virusfilter_io_handle *io_h,
+	const char *data_fmt, ...);
+bool virusfilter_io_vwritefl(
+	struct virusfilter_io_handle *io_h,
+	const char *data_fmt, va_list ap);
+bool virusfilter_io_writev(
+	struct virusfilter_io_handle *io_h, ...);
+bool virusfilter_io_writevl(
+	struct virusfilter_io_handle *io_h, ...);
+bool virusfilter_io_readl(TALLOC_CTX *ctx,
+			struct virusfilter_io_handle *io_h,
+			char **read_line);
+bool virusfilter_io_writefl_readl(
+	struct virusfilter_io_handle *io_h,
+	char **read_line,
+	const char *fmt, ...);
+
+/* Scan result cache */
+struct virusfilter_cache *virusfilter_cache_new(
+	TALLOC_CTX *ctx,
+	int entry_limit,
+	time_t time_limit);
+bool virusfilter_cache_entry_add(
+	struct virusfilter_cache *cache,
+	const char *directory,
+	const char *fname,
+	virusfilter_result result,
+	char *report);
+bool virusfilter_cache_entry_rename(
+	struct virusfilter_cache *cache,
+	const char *directory,
+	char *old_fname,
+	char *new_fname);
+void virusfilter_cache_entry_free(struct virusfilter_cache_entry *cache_e);
+struct virusfilter_cache_entry *virusfilter_cache_get(
+	struct virusfilter_cache *cache,
+	const char *directory,
+	const char *fname);
+void virusfilter_cache_remove(
+	struct virusfilter_cache *cache,
+	const char *directory,
+	const char *fname);
+void virusfilter_cache_purge(struct virusfilter_cache *cache);
+
+/* Shell scripting */
+int virusfilter_env_set(
+	TALLOC_CTX *mem_ctx,
+	char **env_list,
+	const char *name,
+	const char *value);
+int virusfilter_shell_set_conn_env(
+	TALLOC_CTX *mem_ctx,
+	char **env_list,
+	connection_struct *conn);
+int virusfilter_shell_run(
+	TALLOC_CTX *mem_ctx,
+	const char *cmd,
+	char **env_list,
+	connection_struct *conn,
+	bool sanitize);
+
+#endif /* _VIRUSFILTER_UTILS_H */
--- a/source3/modules/wscript_build
+++ b/source3/modules/wscript_build
@ -17,6 +17,11 @@ bld.SAMBA3_LIBRARY('non_posix_acls',
                   deps='samba-util vfs',
                   private_library=True)

+bld.SAMBA3_SUBSYSTEM('VFS_VIRUSFILTER_UTILS',
+                   source='vfs_virusfilter_utils.c',
+                   deps='strv',
+                   enabled=(bld.SAMBA3_IS_ENABLED_MODULE('vfs_virusfilter')))
+
 bld.SAMBA3_SUBSYSTEM('VFS_AIXACL_UTIL',
                    source='vfs_aixacl_util.c',
                    enabled=(bld.SAMBA3_IS_ENABLED_MODULE('vfs_aixacl') or bld.SAMBA3_IS_ENABLED_MODULE('vfs_aixacl2')))
@ -505,6 +510,14 @@ bld.SAMBA3_MODULE('vfs_snapper',
                 internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_snapper'),
                 enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_snapper'))

+bld.SAMBA3_MODULE('vfs_virusfilter',
+                 subsystem='vfs',
+                 source='vfs_virusfilter.c',
+                 deps='samba-util VFS_VIRUSFILTER_UTILS',
+                 init_function='',
+                 internal_module=bld.SAMBA3_IS_STATIC_MODULE('vfs_virusfilter'),
+                 enabled=bld.SAMBA3_IS_ENABLED_MODULE('vfs_virusfilter'))
+
 bld.SAMBA3_MODULE('vfs_vxfs',
                 subsystem='vfs',
                 source='lib_vxfs.c vfs_vxfs.c',
--- a/source3/wscript
+++ b/source3/wscript
@ -1665,7 +1665,7 @@ main() {
                                      vfs_preopen vfs_catia
                                      vfs_media_harmony vfs_unityed_media vfs_fruit vfs_shell_snap
                                      vfs_commit vfs_worm vfs_crossrename vfs_linux_xfs_sgid
-                                      vfs_time_audit vfs_offline
+                                      vfs_time_audit vfs_offline vfs_virusfilter
                                  '''))
    default_shared_modules.extend(TO_LIST('auth_script idmap_tdb2 idmap_script'))
    # these have broken dependencies