FRISK Software International

NAME - F-Prot Antivirus for Linux, Preloadable Library Call Wrapper


DESCRIPTION is a shared object file that complements the Daemon Scanner. It wraps certain library calls so that files are scanned before they are opened.



This shared object exports symbols for fopen(3), fopen64(), and open64(). Those symbols are wrappers for the real functions, and they cause file open requests to be scanned using the Daemon Scanner, f-protd(8). Each time a file open is requested, the wrappers open a socket, connect to the Daemon Scanner, and request a scan from it. After the scan completes, the wrapper either allows the file to be opened or returns an EACCES (Permission denied) error.

This shared object is intended as a tool for system administrators to force scanning of files accessed by the system. This can be accomplished in two ways. One is to put the library's pathname in the LD_PRELOAD environment variable and export it to all programs whose file accesses should be scanned. The other is to put the library's pathname in the file /etc/ That will force all processes that use the dynamic loader to load on execution. Be sure to read the WARNINGS section below before using /etc/

This shared object is not very suitable for hostile environments -- for example to scan files created and opened by malicious persons who have the privilege of executing commands. It is intended for system administrators who want to be able to scan files served by user space daemons, such as smbd(8). To cause such behavior, the administrator must put the full path of in the LD_PRELOAD environment variable, and export it to all child processes before running smbd(8). (See the USAGE EXAMPLES section below.)

Please note that this program only works with dynamically linked programs. To find out if a given program is dynamically linked, use the file(1) program. If a program is statically linked, all library routines it uses are linked into the program's object, so it never uses any unresolved external symbols which are handled by the dynamic linker. works if it is loaded, and its symbols mapped, before the dynamic linker loads any other shared objects.



Configuration is done via F-Prot's global configuration file -- /etc/f-prot.conf. Configuration options specific to have names starting with FPROT_SO_*, but also reads several other variables from it, such as the log facility and daemon address. Please read the default config file for an explanation of each option.



For to work, and actually wrap file-access library calls with scan requests to the virus scanning daemon, it needs to be loaded before any other shared libraries get loaded by the dynamic loader.
To accomplish this, users must define and export the LD_PRELOAD environment variable. Alternatively, the system administrator can put the full pathname of into /etc/ Be sure to read the WARNINGS section below before using /etc/

Methods of handling environment variables differ between shells. For sh(1) or bash(1) the procedure is as follows:

The first line defines the LD_PRELOAD environment variable with the value /usr/local/f-prot/tools/ The second line exports that variable to all child processes of the shell.

Another way of doing the same task is:

LD_PRELOAD=/usr/local/f-prot/tools/ command
This presets the LD_PRELOAD environment variable to /usr/local/f-prot/tools/ for "command" before running it, without actually exporting it to other child processes.

and bash(1) also have the declare built-in, which can be used to set attributes on certain environment variables. The -x flag can be used to mark a variable for export.

declare -x LD_PRELOAD
The first line defines the LD_PRELOAD environment variable as /usr/local/f-prot/tools/ The second line marks the LD_PRELOAD environment variable for export. The third line runs a command which inherits all the exported environment variables.

Another interesting attribute one can set with the declare built-in is -r or read-only. This attribute defines a variable to be read-only in the current context. Variables can unfortunately not be exported with the read-only attribute set.

For csh(1) and tcsh(1) the procedure is slightly different:

setenv LD_PRELOAD /usr/local/f-prot/tools/
The first line defines the LD_PRELOAD environment variable with the value /usr/local/f-prot/tools/ and marks it for export. The second line executes a command which inherits the LD_PRELOAD variable.

As stated in the section DETAILED DESCRIPTION above, only works when used with dynamically linked programs. To see if a file is dynamically- or statically linked, use the file(1)

$ file /bin/ls
/bin/ls: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), stripped
This tells us, among other things, that /bin/ls is dynamically linked.
$ file /usr/local/f-prot/f-prot
/usr/local/f-prot/f-prot: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped
This tells us, among other things, that /usr/local/f-prot/f-prot is statically linked.



* If you're running an SELinux system with an enforcing policy (e.g. Fedora Core 4) you'll get an error message like: 'cannot restore segment prot after reloc: Permission denied' when using To enable in this environment you must put in an appropriate security context. These differ between distros but in general you should put in the same context as For this you use 'chcon -t <context> /path/to/'.

Fedora Core 4 example:

chcon -t lib_t /usr/local/f-prot/tools/

You can also turn SELinux enforcement off by running the following as root:

setenforce 0

* There is a bug in the NPTL (Native POSIX Thread Library) support of the glibc-2.3.2-27.9 package that comes with Red Hat Linux 9. It can cause hangs or crashes. To circumvent the problem, set the LD_ASSUME_KERNEL environment variable to 2.4.19:

LD_ASSUME_KERNEL="2.4.19" LD_PRELOAD="/usr/local/f-prot/tools/" smbd -D
This causes the dynamic loader to circumvent the NPTL version of glibc.  




Extreme caution should be exercised in the use of /etc/ for system-wide preload of Making a mistake in its use could result in a disabled system. Using the LD_PRELOAD environment variable instead is strongly recommended. Use of /etc/ in conjunction with should be considered to be for experts only since it is dangerous for the running system, and harder to disable.
If /etc/ is used, the path to presented in it must be available at boot time. Otherwise the boot procedure will fail at next boot.
Any line in /etc/ pointing to should be removed before removing or overwriting the binary.
The shared object should always be tested using the LD_PRELOAD environment variable first, before adding it to /etc/
The FPROT_SO_REFUSEONERROR option (see /etc/f-prot.conf) should never be used when loading from /etc/ since f-protd(8) will not be up and running when many dynamically linked programs on the system are loaded at boot time, and so refusing all requests would render the system unbootable.
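
A pre-flight check for the warnings above, as an added example that is not part of F-Prot: it reports preload-list entries that would break the next boot and tells whether a library is still referenced before it is removed or overwritten. The list file is passed as an argument; the list format (entries separated by whitespace or ':', '#' comments) is the one the glibc loader parses, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of F-Prot. LIST is a preload list file in the format
# the glibc loader reads: entries separated by whitespace or ':', '#' comments.

# Print the entries of LIST, one per line.
preload_entries() {
    sed 's/#.*//' "$1" | tr ': \t' '\n\n\n' | sed '/^$/d'
}

# Report entries that are missing, unreadable, or empty.
# Returns 0 if every entry is usable, 1 if any is dangling, 2 if LIST is unreadable.
check_preload_list() {
    list=$1
    bad=0
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 2; }
    set -f                      # entries are paths, never glob patterns
    for entry in $(preload_entries "$list"); do
        if [ ! -f "$entry" ] || [ ! -r "$entry" ] || [ ! -s "$entry" ]; then
            echo "DANGLING: $entry"
            bad=1
            continue
        fi
        # Heuristic: a library outside the root filesystem may not be mounted
        # yet when the first dynamically linked programs start at boot.
        mnt=$(df -P "$entry" 2>/dev/null | awk 'NR == 2 { print $NF }')
        if [ -n "$mnt" ] && [ "$mnt" != "/" ]; then
            echo "WARN: $entry is on $mnt, not on /"
        fi
    done
    set +f
    return "$bad"
}

# Succeeds if LIST still references LIB, i.e. LIB must not be removed or
# overwritten until its entry has been deleted from LIST.
list_references() {
    preload_entries "$1" | grep -qxF -- "$2"
}

# Run as: sh check_preload.sh LIST   (without arguments only the functions are defined)
if [ "$#" -ge 1 ]; then
    check_preload_list "$1"
fi
```

Run it after every edit of the list and before every reboot; a non-zero exit status means the list should be repaired first.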





Contains configuration data for and F-Prot Antivirus in general.



Exactly how this is done depends on your distribution and how you start the samba server. In general, you will need to edit your samba startup script, usually called /etc/init.d/smb or /etc/init.d/samba and add the string: LD_PRELOAD=/usr/local/f-prot/tools/ to the beginning of the line where smbd is started.

RedHat example:

In the file /etc/init.d/smb change the line:

daemon smbd $SMBDOPTIONS

to:

LD_PRELOAD=/usr/local/f-prot/tools/ daemon smbd $SMBDOPTIONS

SuSE example (from SuSE 8.2):

In the file /etc/init.d/smb change the line:

startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}

to:

LD_PRELOAD=/usr/local/f-prot/tools/ startproc -p ${PID_FILE} ${DAEMON_DIR}${BIN_SUFFIX}/${SMBD_BIN} -D -s ${SMB_CONF}
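
To confirm that an edited startup script took effect, the following added example (not part of F-Prot) lists running processes of a given name that do not have the wrapper mapped, by reading the Linux /proc/<pid>/comm and /proc/<pid>/maps files. The function name and the third argument are hypothetical; the library path is an argument because it must match the value used in LD_PRELOAD.

```shell
#!/bin/sh
# Added example, not part of F-Prot. Run as root so that the maps files of
# daemons owned by other users are readable.
#
# unwrapped_pids COMM LIB [PROC_ROOT]
#   COMM       process name as shown in /proc/<pid>/comm (at most 15 characters)
#   LIB        full path of the preloaded library, as given in LD_PRELOAD
#   PROC_ROOT  defaults to /proc; a parameter only so the check can be
#              exercised against a constructed directory tree
# Prints "<pid> unwrapped" when LIB is not mapped, and "<pid> stale" when it is
# mapped from a file that has since been deleted or replaced on disk.
unwrapped_pids() {
    comm=$1 lib=$2 proc_root=${3:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] && [ -r "$dir/maps" ] || continue
        [ "$(cat "$dir/comm")" = "$comm" ] || continue
        # maps fields: address perms offset dev inode pathname ["(deleted)"]
        state=$(awk -v lib="$lib" '
            $6 == lib { s = ($7 == "(deleted)") ? "stale" : "ok" }
            END { print (s == "" ? "unwrapped" : s) }' "$dir/maps" 2>/dev/null)
        [ "$state" = ok ] || echo "${dir##*/} ${state:-unreadable}"
    done
}

# Run as: sh check_wrapped.sh smbd /full/path/to/library
if [ "$#" -ge 2 ]; then
    unwrapped_pids "$@"
fi
```

Empty output means every matching process has the library mapped; a "stale" line means the process should be restarted to pick up the current file.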



For information about Licensing, see the LICENSE file that comes with F-Prot Antivirus.



Please direct any feedback to:

Updates will be advertised on:



