
ClamAV for online Windows workstations scans

With dozens or hundreds of Windows machines to maintain, choosing an antivirus solution for workstations means balancing cost, reliability and performance. This post evaluates whether ClamAV, together with a small Linux toolset, can be used effectively to scan the shares of Windows machines. At the end you will find a simple multithreaded daemon written in Bash that can be used in production in small to medium enterprise environments.

The biggest limitation of the script is that it only notifies you about an infection (and optionally copies infected files to a folder which you can share for further investigation); it does not clean or delete infected files.

Scan results reliability
Because ClamAV was developed for scanning email attachments rather than filesystems, you may encounter many false positives in your scans (the script has an option for filtering out common false positives). Scanning the whole network also takes time; depending on its size it can take from days to weeks. Hosts are scanned in round-robin order, so it always starts scans from the hosts that were scanned

Workstation performance overhead
The presented solution puts nothing on the workstation: no agent is installed, and the full scan is run remotely only while no user is logged on, so the only load the workstation sees is serving the share over SMB while it is idle. The only other reasonably reliable way I know of to check for user inactivity is a WMI query for the screensaver process. For this proof of concept the script checks whether the user is logged off, and only then mounts the share in the Linux filesystem and scans it with ClamAV. If you can think of another way of checking user inactivity (preferably with a WMI query), please post it in the comments below.

Overall scan performance
Because all scanning is done on the server side and every byte has to be pulled over the network, performance depends heavily on network throughput. The number of parallel scans you can afford (the scan_threads option in the script) is limited by the bandwidth between the server and the workstations, since each thread streams an entire workstation disk over SMB.

The script depends on the following software; it was tested on Gentoo Linux:

  • Nmap (host discovery)
  • Samba (mount.cifs, to mount workstation shares locally)
  • WMIC (the WMI client for Linux, used to detect whether a workstation is in use; it can be downloaded from http://www.orvant.com/packages/)
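What the pieces above add up to, as an added example written for this page rather than the author's daemon: a POSIX shell skeleton of the discover / idle-check / mount / scan / notify loop. Everything it assumes is stated in the comments: the output format of the Linux wmic client, clamscan's "FOUND" lines and exit codes, the mount.cifs options, and placeholder names (CORP/scanner, /mnt/clamav, security@example.com, the false-positive pattern). The external commands are isolated in small functions so that the two decisions that matter (is this host idle? which findings are real?) can be exercised on constructed command output without a Windows network.

```shell
#!/bin/sh
# Added example, not the author's script.  Assumed tool behaviour:
#  - the Linux wmic client prints "CLASS: <class>", a pipe-separated header row
#    and one pipe-separated row per result, with "(null)" for an empty UserName;
#  - clamscan -i prints "<path>: <signature> FOUND" per hit, exits 1 on infection
#    and 2 on errors;
#  - mount.cifs accepts "ro,credentials=<file>".
# CORP/scanner, /mnt/clamav, security@example.com etc. are placeholders.

NETWORK="${NETWORK:-10.0.0.0/24}"
SCAN_THREADS="${SCAN_THREADS:-4}"               # parallel scans; bounded by bandwidth
WMI_USER="${WMI_USER:-CORP/scanner%secret}"     # wmic -U syntax: DOMAIN/user%password
CIFS_CREDS="${CIFS_CREDS:-/etc/clamav/cifs.creds}"
SHARE="${SHARE:-C\$}"
MOUNT_BASE="${MOUNT_BASE:-/mnt/clamav}"
ALERT_MAIL="${ALERT_MAIL:-security@example.com}"
# Signatures to drop as known false positives (ERE matched against the signature name).
FP_PATTERNS="${FP_PATTERNS:-^Heuristics[.]Phishing[.]}"

# Hosts answering nmap's ping scan, one per line.
# Grepable output looks like "Host: 10.0.0.5 ()  Status: Up".
discover_hosts() {
    nmap -sn -oG - "$1" | hosts_up
}
hosts_up() {
    awk '/Status: Up/ { print $2 }'
}

# Ask for Win32_ComputerSystem.UserName; empty output means the host could not be queried.
query_logged_on_user() {
    wmic -U "$WMI_USER" "//$1" "SELECT UserName FROM Win32_ComputerSystem" 2>/dev/null
}

# Succeeds only when wmic positively reports no interactive user.  Unreachable hosts or
# unparsable output fail on purpose: never scan a machine whose state is unknown.
user_logged_off() {
    username=$(printf '%s\n' "$1" | awk -F'|' '
        NR == 2 { for (i = 1; i <= NF; i++) if ($i == "UserName") col = i }
        NR == 3 && col { print $col }')
    [ "$username" = "(null)" ]
}

# Keep clamscan FOUND lines whose signature does not match the false-positive list.
# The signature is always the second-to-last field, even when the path contains spaces.
filter_findings() {
    printf '%s\n' "$1" | awk -v fp="$FP_PATTERNS" '
        / FOUND$/ { if (fp != "" && $(NF - 1) ~ fp) next; print }'
}

scan_host() {
    host="$1"; mnt="$MOUNT_BASE/$host"
    if ! user_logged_off "$(query_logged_on_user "$host")"; then
        echo "$host: user logged on or host not queryable, skipping" >&2
        return 0
    fi
    mkdir -p "$mnt" || return 2
    mount -t cifs "//$host/$SHARE" "$mnt" -o "ro,credentials=$CIFS_CREDS" || return 2
    output=$(clamscan -r -i --no-summary "$mnt"); rc=$?
    umount "$mnt"
    [ "$rc" -eq 2 ] && echo "$host: clamscan reported errors, results may be incomplete" >&2
    findings=$(filter_findings "$output")
    if [ -n "$findings" ]; then
        printf 'ClamAV findings on %s:\n%s\n' "$host" "$findings" |
            mail -s "ClamAV: $host infected" "$ALERT_MAIL"
    fi
}

# Scan discovered hosts in batches of SCAN_THREADS background jobs
# (POSIX wait has no -n, so the batch finishes before the next one starts).
main() {
    n=0
    discover_hosts "$NETWORK" | while read -r host; do
        scan_host "$host" &
        n=$((n + 1))
        if [ "$n" -ge "$SCAN_THREADS" ]; then wait; n=0; fi
    done
    wait
}

# Run as "sh clamscan-workstations.sh --scan"; sourcing the file only defines the functions.
case "${1:-}" in --scan) main ;; esac
```

The deliberate choice is in user_logged_off: a host that does not answer the WMI query, or answers in a shape the parser does not recognise, is treated as busy and skipped, because the alternative is mounting and reading the disk of a machine someone may be working on. The batch-wise parallelism keeps the script POSIX; on Bash you can replace it with wait -n or xargs -P to keep exactly scan_threads scans in flight.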
