F-Prot Antivirus Preloadable Library Call Wrapper (f-prot.so)

How does it work?

Normally, when an application needs to read and/or write to a file on disk, it calls the "open()" function (or one of its variants) to access the file. This function is part of the shared C runtime library, so when that function is called, a runtime process called a dynamic loader (ld.so) looks for that function inside the C runtime library (libc) and executes it.

Not using the F-Prot Antivirus Preloadable Library Call Wrapper

In order for F-Prot Antivirus to scan all files before allowing applications to read their contents, f-prot.so needs to intercept these "open()" function calls before the runtime library's code is executed. This is done by setting the LD_PRELOAD environment variable. The dynamic linker then loads f-prot.so before the C runtime library. For further details on how this is done, see the manual page for f-prot.so.

Using the F-Prot Antivirus Preloadable Library Call Wrapper

When f-prot.so receives an open() function call, it sends a scan request for the file to the virus scanning daemon. Based on the results of the scan, it either invokes the proper libc open() function or returns a "Permission denied" error.
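
The interception described above, as an added example in C (not F-Prot's code and not taken from f-prot.so): a minimal preloadable wrapper that defines open(), asks for a verdict, and either calls libc's open() or fails with EACCES. The scan_allows() function and its marker string are hypothetical stand-ins for the scan request to the daemon, and the file name wrap.so is an assumption.

```c
/* Added example, not F-Prot's code: minimal LD_PRELOAD wrapper for open().
 * Build: cc -shared -fPIC -o wrap.so wrap.c -ldl
 * Use:   LD_PRELOAD=./wrap.so <program>            (wrap.so is a made-up name) */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <string.h>
#include <unistd.h>
#ifndef RTLD_NEXT               /* glibc's value, if _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *)-1L)
#endif

typedef int (*open_fn)(const char *, int, ...);

/* Resolve the next open() in the loader's search order, i.e. libc's. */
static open_fn real_open(void) {
    static open_fn fn;
    if (!fn) fn = (open_fn)dlsym(RTLD_NEXT, "open");
    return fn;
}

/* Hypothetical stand-in for the scan request to the daemon: a file counts as
 * infected if it starts with this constructed marker. Returns 1 if clean. */
#define MARKER "CONSTRUCTED-SAMPLE-INFECTED"
int scan_allows(const char *path) {
    char buf[sizeof MARKER - 1];
    int fd = real_open()(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return 1;       /* nothing to scan; libc will report the error */
    ssize_t n = read(fd, buf, sizeof buf);
    close(fd);
    return !(n == (ssize_t)sizeof buf && memcmp(buf, MARKER, sizeof buf) == 0);
}

/* Interposed open(): same name and signature as libc's, so a preloaded
 * library is searched first and this definition wins. */
int open(const char *path, int flags, ...) {
    mode_t mode = 0;
    if (flags & O_CREAT) {      /* the third argument is only passed with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (!scan_allows(path)) {
        errno = EACCES;         /* the "Permission denied" error */
        return -1;
    }
    return real_open()(path, flags, mode);
}
```

A wrapper built this way only sees calls that reach the open symbol through the dynamic loader; statically linked programs and code that issues the system call directly never pass through it.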

How to use it

As mentioned above, in order to use this on-access scanning technique, the user or administrator must configure the dynamic loader to load f-prot.so before it loads libc. This method is explained in detail in the f-prot.so manual page.

For further information on how to use the Preloadable Library Call Wrapper to protect your Samba share, please click here.
