diff --git a/roles/common/templates/etc/samba/smb.conf.j2 b/roles/common/templates/etc/samba/smb.conf.j2
index f0dbe44..25b4e80 100644
--- a/roles/common/templates/etc/samba/smb.conf.j2
+++ b/roles/common/templates/etc/samba/smb.conf.j2
@@ -305,6 +305,14 @@
 # next parameter to 'no' if you want to be able to write to them.
 read only = no
+{% if samba_homes_virusfilter | default(false) | bool %}
+# Virusfilter aktiv: Gruppe benötigt Leserecht, damit clamd (als Gruppenmitglied)
+# Dateien und Verzeichnisse direkt öffnen kann (SCAN-Kommando an clamd).
+ create mask = 0640
+ force create mode = 0040
+ directory mask = 0750
+ force directory mode = 0050
+{% else %}
 # File creation mask is set to 0700 for security reasons. If you want to
 # create files with group=rw permissions, set next parameter to 0775.
 create mask = 0700
@@ -312,6 +320,7 @@
 # Directory creation mask is set to 0700 for security reasons. If you want to
 # create dirs. with group=rw permissions, set next parameter to 0775.
 directory mask = 0700
+{% endif %}
 # By default, \\server\username shares can be connected to by anyone
 # with access to the samba server.
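Review bot: The virusfilter branch in the first hunk makes every new file and directory in a home share group-readable (`create mask = 0640`, `force create mode = 0040`, `directory mask = 0750`, `force directory mode = 0050`), but nothing visible pins which group that is. Without a `force group` or equivalent, the owning group is presumably the user's primary group, so if that is a shared group its other members gain read access to home contents along with clamd. I would add `force group = <dedicated scan group>` (placeholder) inside the same `{% if %}` and state that prerequisite in the comment. The masks also affect only newly created files; existing 0700 content stays unreadable to clamd and will yield scan errors rather than verdicts. The [homes] section starts and ends outside this hunk, so a group setting may already exist elsewhere.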
@@ -319,6 +328,35 @@
 # to \\server\username
 # This might need tweaking when using external authentication schemes
 valid users = %S
+{% if samba_homes_virusfilter | default(false) | bool %}
+
+ # --- Virusfilter-Einstellungen [homes] ---
+
+ vfs objects = virusfilter
+
+ virusfilter:scanner = clamav
+ virusfilter:socket path = /var/run/clamav/clamd.ctl
+
+ virusfilter:infected file action = delete
+
+ virusfilter:cache entry limit = 1000
+ virusfilter:cache time limit = 60
+
+ virusfilter:max file size = 26214400
+ virusfilter:min file size = 10
+
+ virusfilter:scan on open = yes
+ virusfilter:scan on close = yes
+
+ # Fehlercode bei infizierter Datei (beim Öffnen)
+ virusfilter:infected file errno on open = EACCES
+
+ # Fehlercode beim Schließen
+ virusfilter:infected file errno on close = EACCES
+
+ virusfilter:connect timeout = 30000
+ virusfilter:io timeout = 60000
+{% endif %}
 # Un-comment the following and create the netlogon directory for Domain Logons
 # (you need to configure Samba to act as a domain controller too.)
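Review bot: This block fails open: it never sets `virusfilter:block access on error`, which the vfs_virusfilter documentation lists as off by default, so a stopped clamd, an unreachable socket or a file clamd cannot read lets the open proceed unscanned. If scanning is meant as a control, add `virusfilter:block access on error = yes` and decide deliberately about files above `virusfilter:max file size = 26214400`, which are not scanned. `virusfilter:infected file action = delete` also destroys the file on a false positive in a user's home; `quarantine` with a `virusfilter:quarantine directory` keeps the data recoverable and available for analysis. The new comments are in German while the rest of the template is in English; an English header such as `# --- virusfilter settings for [homes] ---` would match.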