How does the Preloadable Library Call Wrapper work?

How does it work? Normally, when an application needs to read and/or write to a file on disk, it calls the "open()" function (or one of it's variants) to access the file. This function is a part of the shared C runtime library, so when that function is called, a runtime process called a dynamic loader (ld.so) looks for that function inside the C runtime library (libc) and executes it.

In order for F-PROT Antivirus to scan all files before allowing applications to read their contents, f-prot.so needs to intercept these "open()" function calls before the runtime library's code is executed. This is done by setting the LD_PRELOAD environment variable. The dynamic linker then loads f-prot.so before the C runtime library. For further details on how this is done, see the manual page for f-prot.so.

When f-prot.so receives a open() function call, it sends a scan request of the file to the virus scanning daemon. Based on the results of the scan it either invokes the proper libc open() function, or returns a "Permission denied" error.

How to use the Preloadable Call Wrapper:

As mentioned above, in order to use this on-access scanning technique, the user or administrator must configure the dynamic loader to load f-prot.so before it loads libc. This method is explained in detail in the f-prot.so manual page.

For further information, see Can I use the Preloadable Library Call Wrapper to protect your Samba share?.

Feedback | Contact Technical Support | Contact Sales Support