F-SECURE ANTI-VIRUS LINUX CLIENT SECURITY - Administrator's Manual

Page of 208

Download

Print this page

Bookmark us

F-Secure Anti-Virus

Linux Server Security

Administrator’s Guide

1 2 3 4 5 6 7 Next › »

Summary of ANTI-VIRUS LINUX CLIENT SECURITY -

Page 1
F-secure anti-virus linux server security administrator’s guide.
Page 2
"f-secure" and the triangle symbol are registered trademarks of f-secure corporation and f-secure product names and symbols/logos are either trademarks or registered trademarks of f-secure corporation. All product names referenced herein are trademarks or registered trademarks of their respective co...
Page 3
1 contents chapter 1 introduction 5 1.1 welcome ...................................................................................................................... 6 1.2 how the product works ............................................................................................... 6 1.3 key...
Page 4
3.10 uninstallation.............................................................................................................. 30 chapter 4 getting started 31 4.1 accessing the web user interface ............................................................................. 32 4.2 basics of using ...
Page 5
3 7.2.2 dbupdate......................................................................................................... 74 7.3 firewall protection...................................................................................................... 74 7.3.1 fsfwc .....................................
Page 6
Appendix e troubleshooting 93 e.1 user interface............................................................................................................ 94 e.2 f-secure policy manager........................................................................................... 95 e.3 integrity chec...
Page 7
5 1 i ntroduction welcome....................................................................................... 6 how the product works................................................................ 6 key features and benefits ........................................................... 9 f-secure ...
Page 8
6 1.1 welcome welcome to f-secure anti-virus linux server security. Computer viruses are one of the most harmful threats to the security of data on computers. Viruses have increased in number from just a handful a few years ago to many thousands today. While some viruses are harmless pranks, other v...
Page 9
Chapter 1 7 introduction real-time scanning real-time scanning gives you continuous protection against viruses and riskware items as files are opened, copied, and downloaded from the web. Real-time scanning functions transparently in the background, looking for viruses whenever you access files on t...
Page 10
8 firewall the firewall component is a stateful packet filtering firewall which is based on netfilter and iptables. It protects computers against unauthorized connection attempts. You can use predefined security profiles which are tailored for common use cases to select the traffic you want to allow...
Page 11
Chapter 1 9 introduction 1.3 key features and benefits superior protection against viruses and worms › the product scans files on any linux-supported file system. This is the optimum solution for computers that run several different operating systems with a multi-boot utility. › superior detection r...
Page 12
10 protection of critical system files › critical information of system files is stored and automatically checked before access is allowed. › the administrator can protect files against changes so that it is not possible to install, for example, a trojan version. › the administrator can define that ...
Page 13
Chapter 1 11 introduction 1.4 f-secure anti-virus server and gateway products the f-secure anti-virus product line consists of workstation, file server, mail server and gateway products. › f-secure messaging security gateway delivers the industry's most complete and effective security for e-mail. It...
Page 14
12 › f-secure anti-virus for mimesweeper provides a powerful anti-virus scanning solution that tightly integrates with clearswift mailsweeper and websweeper products. F-secure provides top-class anti-virus software with fast and simple integration to clearswift mimesweeper for smtp and mimesweeper f...
Page 15
13 2 d eployment deployment on multiple stand-alone linux workstations .......... 14 deployment on multiple centrally managed linux workstations 14 central deployment using image files...................................... 15.
Page 16
14 2.1 deployment on multiple stand-alone linux workstations when the company has multiple linux workstations deployed, but they are not managed centrally, the workstation users can install the software themselves. › in organizations with few linux machines, the graphical user interface can be used ...
Page 17
Chapter 2 15 deployment 2.3 central deployment using image files when the company has a centralized it department that install and maintains computers, the software can be installed centrally to all workstations. The recommended way to deploy the products is to create an image of a linux workstation...
Page 18
16 3 i nstallation system requirements ................................................................ 17 installation instructions............................................................... 18 upgrading from a previous product version .............................. 24 upgrading the evaluation ...
Page 19
Chapter 3 17 installation 3.1 system requirements operating system: › novell linux desktop 9 › suse linux 9.0, 9.1, 9.2, 9.3, 10, 10.1, 10.2 › ubuntu 5.10 (breezy), 6.06 (dapper drake) › suse linux enterprise server 8, 9, 10 › suse linux enterprise desktop 10 › red hat enterprise linux 4, 3, 2.1 as ...
Page 20
18 note about dazuko version the product needs the dazuko kernel module for the real-time virus protection, integrity checking and rootkit protection. Dazuko is an open-source kernel module that provides an interface for the file access control. More information is at http://www.Dazuko.Org . The pro...
Page 21
Chapter 3 19 installation centrally managed installation is the recommended installation mode when taking the product into use in a large network environment. For installation instructions, see “ centrally managed installation ”, 21. › for information on how to install the product on multiple comput...
Page 22
20 4. Select the language you want to use in the web user interface during the installation. Select language to use in web user interface [1] english (default) [2] japanese [3] german 5. The installation displays the license agreement. If you accept the agreement, answer yes press enter to continue....
Page 23
Chapter 3 21 installation 12. Enter the baseline passphrase. For more information, see “ passphrase ”, 64. Please insert passphrase for hmac creation (max 80 characters) 13. The installation is complete. After the installation is complete, you can start the f-icon systray applet with the fsui comman...
Page 24
22 chmod a+x f-secure-linux-server-security-. 3. Run the following command to start the installation: ./f-secure-linux- server-security-. The setup script will display some questions. The default value is shown in brackets after the question. Press enter to select the default value. 4. Select the la...
Page 25
Chapter 3 23 installation 11. Select whether the web user interface can be opened from the localhost without a login. Allow connections from localhost to the web user interface without login? [yes] 12. Enter the user name who is allowed to use the web user interface. Please enter the user name who i...
Page 26
24 3.3 upgrading from a previous product version if you are running version 5.20 or later, you can install the new version without uninstalling the previous version. If you have an earlier version, upgrade it to 5.20 first, or uninstall it before you install the latest version. The uninstallation pr...
Page 27
Chapter 3 25 installation uninstalling earlier version if you have version 5.X, run the following command from the command line to uninstall it /opt/f-secure/fsav/bin/uninstall-fsav. If you have version 4.X, remove the following directories and files to uninstall it: /opt/f-secure/fsav/ /var/opt/f-s...
Page 28
26 3.5 replicating software using image files if you are going to install the product on several computers, you can create a disk image file that includes the product and use this image to replicate the software on the computers. Make sure that each computer on which the software is installed will c...
Page 29
Chapter 3 27 installation 1. Type the following command: ./f-secure-linux-server-security-. Rpm 2. Install rpm packages. 3.7 unattended installation you can install the product in the unattended mode. In unattended mode, you provide all the information on the installer command line (or fsav-config c...
Page 30
28 for example, to install the product in standalone mode with english web user interface, with no remote access to user interface and not requiring login for local user interface access and not using kernel module verification: ./f-secure-linux-server-security-. --auto standalone lang=en noremotewu...
Page 31
Chapter 3 29 installation if you are running an earlier version and you want to upgrade to the latest version, but you want to install the command line scanner only, you have to uninstall the earlier version first. Use the /etc/opt/f-secure/fssp/fssp.Conf configuration file to configure the command ...
Page 32
30 3.10 uninstallation run the script /opt/f-secure/fsav/bin/uninstall-fsav as root to uninstall the product. The uninstall script does not remove configuration files. If you are sure that you do not need them any more, remove all files in the /etc/opt/ f-secure/fsma path..
Page 33
31 4 g etting s tarted accessing the web user interface ............................................. 32 basics of using f-secure policy manager ................................. 32 testing the antivirus protection .................................................. 33.
Page 34
32 4.1 accessing the web user interface in small deployments where f-secure policy manager is not available, the web user interface can be used to configure the product. You can access the web user interface from the system tray, or with the http://localhost:28080/ address. If you allow the remote a...
Page 35
Chapter 4 33 getting started 4.3 testing the antivirus protection to test whether the product operates correctly, you can use a special test file that is detected as a virus. This file, known as the eicar standard anti-virus test file, is also detected by several other anti-virus programs. You can u...
Page 36
34 5 u ser i nterface - b asic m ode summary .................................................................................... 35 common tasks........................................................................... 36.
Page 37
Chapter 5 35 user interface - basic mode 5.1 summary the summary page displays the product status and the latest reports. The product status displays the protection status and any possible errors or malfunctions. Status click details... For more information about the current protection status. Repor...
Page 38
36 5.2 common tasks you can configure the manual scan and firewall settings and check the latest virus definition database updates from the common tasks page. Choose one of the following actions: click modify advanced settings... To view and configure advanced settings. Scan the computer for malware...
Page 39
37 6 u ser i nterface - a dvanced m ode alerts .......................................................................................... 38 virus protection .......................................................................... 40 firewall protection................................................
Page 40
38 6.1 alerts on the alerts page, you can read and delete alert messages. To find the alert message you want to view, follow these instructions: 1. Select the status of security alerts you want to view. Select all to view all alerts. Select unread to view new alerts. Select read to view alerts you h...
Page 41
Chapter 6 39 user interface - advanced mode for example, the virus definition database update is older than the previously accepted version. Fatal error unrecoverable error on the host that requires attention from the administrator. For example, a process fails to start or loading a kernel module fa...
Page 42
40 6.2 virus protection real-time scanning real-time scanning is completely transparent. By default, all files are scanned automatically when they are opened and executed. Scheduled scanning if you want to scan the computer for viruses regularly, for example once a week, you can create a scheduled s...
Page 43
Chapter 6 41 report and deny access displays and alerts about the found virus and blocks access to it. No other action is taken against the infected file. View alerts to check security alerts. For more information, see “ alerts ”, 38. Disinfect disinfects viruses. Note that some viruses cannot be di...
Page 44
42 the renamed file has .Suspected extension. Delete deletes the suspected file. Deny access blocks the access to the suspected file, but does not send any alerts or reports. What to scan directories excluded from the scan define directories which are excluded from the virus scan. Type each director...
Page 45
Chapter 6 43 scan when running an executable select whether files are scanned every time they are run. If scan on open and scan on execute are disabled, nothing is scanned even if scan only executables is enabled. Archive scanning scan inside archives scan files inside compressed zip, arj, lzh, rar,...
Page 46
44 riskware scanning scan for riskware select whether files should be scanned for riskware during the real-time scanning. The riskware scan detects suspicious applications when they are installed or run on the system. Select the primary and secondary actions to take when a riskware is found. The sec...
Page 47
Chapter 6 45 6.2.2 scheduled scanning you can use the scheduled scanning to scan files for viruses regularly at predefined times. To set the scanning schedule, follow these instructions: 1. Click add a new task . 2. Set the date and time when the scheduled scan should start. For example: a. To perfo...
Page 48
46 6.2.3 manual scanning the manual scanning settings are used when you want to scan files or directories for viruses manually and during the scheduled scanning. If you have received a suspicious file, for example an executable or an archive file via e-mail, it is always a good idea to scan it for v...
Page 49
Chapter 6 47 delete deletes the infected file when a virus is found. Custom performs the action you define. To define the custom action, enter the command to the primary or secondary custom action field. Deny access blocks the access to the infected file, but does not send any alerts or reports. Abo...
Page 50
48 only files with specified extensions - scans only files with the extensions specified in the included extensions field. The included extensions field appears after you have selected only files with specified extensions, enable exclusions files with the extensions specified in the directories excl...
Page 51
Chapter 6 49 stop on first infection inside an archive select whether the whole archive should be scanned even after an infection is found inside the archive. Riskware scanning scan for riskware select whether files should be scanned for riskware during the real-time scanning. The riskware scan dete...
Page 52
50 scanning a file manually on a workstation when the product scans files, it must have at least read access to them. If you want the product to disinfect infected files, it must have write access to the files. You can scan files manually from the kde filemanager. Right-click on any file you want to...
Page 53
Chapter 6 51 6.3 firewall protection the firewall protects the computers against unauthorized access from the internet as well as against attacks originating from inside the local-area network. It provides protection against information theft as unauthorized access attempts can be prohibited and det...
Page 54
52 security profiles you can change the current security profile from the summary page. For more information, see “ summary ”, 35. The following table contains a list of the security profiles available in the product and the type of traffic each of them either allow or deny. Security profiles descri...
Page 55
Chapter 6 53 6.3.1 general settings on the general settings page, you can select network packet logging settings and configure trusted network interfaces. Strict allows outbound web browsing, e-mail and news traffic, encrypted communication, ftp file transfers and remote updates. Everything else is ...
Page 56
54 6.3.2 firewall rules each security profile has a set of pre-configured firewall rules. Profile to edit select the firewall profile you want to edit. For more information, see “ security profiles ”, 52. The current security profile is displayed on the top of the firewall rules page. You can change...
Page 57
Chapter 6 55 if the profile contains more than 10 rules, use , , > and >> arrows to browse rules. Add and edit rules you can add a new firewall rule, for example, to allow access to a new service in the network. To add a new rule, click add new rule below the list of rules. When you edit the firewal...
Page 58
56 click add to firewall rules to add the rule to the end of the list of rules. Click save after you have added or edited a rule to activate all changes. Click cancel to discard all changes made after the previous save. 6.3.3 network services the network services page displays the network services t...
Page 59
Chapter 6 57 add and edit services click save after you have added or edited a service to activate all changes. Click cancel to discard all changes made after the previous save. Creating firewall services and rules to enable the use of a new service, do the following: 1. Select the network services ...
Page 60
58 8. The next step is to create a firewall rule that allows use of the service you just defined. Select firewall rules in the advanced mode menu. 9. Select the profile where you want to add a new rule and click add new rule to create a new rule. 10. Select accept or deny as a rule type . Enter a de...
Page 61
Chapter 6 59 6.4 integrity checking integrity checking protects important system files against unauthorized modifications. Integrity checking can block any modification attempts of protected files, regardless of file system permissions. Integrity checking compares files on the disk to the baseline, ...
Page 62
60 using the search click search to view the search results. Status select files you want to view in the known files list. Modified and new - displays all files that have been modified or added to the baseline. Modified - displays all files that have been modified. New - displays all files that have...
Page 63
Chapter 6 61 to regenarate the baseline, select new and modified files you want to baseline and click regenerate baseline for highlighted files . For more information, see “ generate baseline ”, 63. If you want to remove files from the baseline, click files to select them and click remove highlighte...
Page 64
62 click add to known files to add the entry to the known files list. Integrity checking does not protect new or modified files before you regenerate the baseline. Regenerate the baseline to protect files you have added. For more information, see “ generate baseline ”, 63. Software installation mode...
Page 65
Chapter 6 63 when the software installation mode is enabled, any process can load any kernel modules regardless whether they are in the baseline or not and any process can change any files in the baseline, whether those files are protected or not. The real-time scanning is still enabled and it alert...
Page 66
64 do not enable the kernel module verification during the installation, you have to generate the baseline manually before integrity checking is enabled. All files that are added to the baseline during the installation are set to allow and alert protection mode. Passphrase the generated baseline has...
Page 67
Chapter 6 65 6.4.4 rootkit prevention when the integrity checking is enabled, the product can prevent rootkits. Hackers can use rootkits to gain access to the system and obtain administrator-level access to the computer and the network. Kernel module verification protects the system against rootkits...
Page 68
66 6.5 general settings communications configure alerting. Automatic updates configure automatic virus definition database updates. About view the product and version information. 6.5.1 communications change communications settings to configure where alerts are sent. Management server server address...
Page 69
Chapter 6 67 alert message variables the following table lists all variables that are available for the e-mail alert message subject. E-mail settings the e-mail settings are used for all alert messages that have been configured to send e-mail alerts. Server enter the address of the smtp server in th...
Page 70
68 6.5.2 automatic updates it is of the utmost importance that the virus definition databases are up-to-date. The product updates them automatically. Information about the latest virus definition database update can be found at: http://www.F-secure.Com/download-purchase/updates.Shtml %product_oid% t...
Page 71
Chapter 6 69 priority displays the priority level of the update source. The priority numbers are used to define the order in which the host tries to connect servers. Virus definition updates are downloaded from the primary sources first, secondary update sources can be used as a backup. The product ...
Page 72
70 using f-secure anti-virus proxies f-secure anti-virus proxy offers a solution to bandwidth problems in distributed installations of f-secure anti-virus linux server security by significantly reducing load on networks with slow connections. When you use f-secure anti-virus proxy as an updates sour...
Page 73
Chapter 6 71 6.5.3 about the about page displays the license terms, the product version number and the database version. If you are using the evaluation version of the product, you can enter the keycode in the about page to upgrade the product to the fully licensed version..
Page 74
72 7 command line tools overview..................................................................................... 73 virus protection .......................................................................... 73 firewall protection....................................................................
Page 75
Chapter 7 73 command line tools 7.1 overview for more information on command line options, see “ man pages ”, 102. 7.2 virus protection you can use the fsav command line tool to scan files and the dbupdate command line tool to update virus definition databases from the shell. 7.2.1 fsav follow these...
Page 76
74 for more information on command line options, see the fsav man pages or type fsav --help. 7.2.2 dbupdate before you can update virus definition databases manually, you have to disable the periodic database update. To disable periodic database updates, edit the crontab of root: 1. Run the followin...
Page 77
Chapter 7 75 command line tools 7.3.1 fsfwc use the following command to change the current security profile: /opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass} for more information about security profiles, see “ security profiles ”, 52. 7.4 integrity checking ...
Page 78
76 2. Recalculate the baseline. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline: /opt/f-secure/fsav/bin/fsic --baseline 3. Enter a passphrase to create the signature. Verifying the baseline follow these ins...
Page 79
Chapter 7 77 command line tools where language is: en - english ja - japanese de - german 7.5.2 fsma use the following command to check the status of the product modules: /etc/init.D/fsma status the following table lists all product modules: module process description f-secure alert database handler...
Page 80
78 7.5.3 fsav-config if you install the product using rpm packages, you have to use the following command to fsav-config command line tool to create the initial product configuration: /opt/f-secure/fsav/fsav-config f-secure fsav status daemon /opt/f-secure/fsav/bin/fstatusd checks the current status...
Page 81
79 a installation prerequisites all 64-bit distributions................................................................. 80 red hat enterprise linux 4 ........................................................ 80 debian 3.1 and ubuntu 5.04, 5.10, 6.06..................................... 81 suse .......
Page 82
80 a.1 all 64-bit distributions some 64-bit distributions do not install 32-bit compatibility libraries by default. Make sure that these libraries are installed. The name of the compatibility library package may vary, see the documentation of the ditribution you use for the package name for 32-bit c...
Page 83
Chapter a 81 installation prerequisites the system tray applet requires the following rpm packages: › kdelibs › compat-libstdc++ 2. Install the product normally. A.3 debian 3.1 and ubuntu 5.04, 5.10, 6.06 to install the product on a server running either debian 3.1 or ubuntu 5.04, 5.10 or 6.06: 1. I...
Page 84
82 a.4 suse to install the product on a server running suse version 9.1, 9.2, 9.3 or 10.0: 1. Before you install the product, make sure that kernel-source, make and gcc packages are installed. Use yast or another setup tool. 2. Install the product normally. A.5 turbolinux 10 turbolinux kernel source...
Page 85
83 b installing required kernel modules manually introduction................................................................................. 84 before installing required kernel modules ................................ 84 installation instructions......................................................
Page 86
84 b.1 introduction this section describes how to install required kernel modules manually. You may need to do this in the following cases: › you forgot to use software installation mode and the system is not working properly. › in large installations some hosts may not include development tools or ...
Page 87
Chapter b 85 installing required kernel modules manually fsav-compile-drivers is a shell script that configures and compiles the dazuko driver automatically for your system and for the product. For more information on the dazuko driver, visit www.Dazuko.Org . If your linux distribution has a preinst...
Page 88
86 c riskware types riskware categories and platforms ........................................... 87.
Page 89
Chapter c 87 riskware types c.1 riskware categories and platforms use the following list of riskware categories and platforms to exclude specific riskware from the riskware scan. Category: platform: › adware › apropos › avtool › bat › client-irc › casino › client-smtp › clearsearch › cracktool › dos...
Page 90
88 › server-ftp › perl › server-proxy › php › server-telnet › searcher › server-web › solomon › tool › symantec › trendmicro › unix › vba › vbs › win16 › win32 › wintol › zenosearch category: platform:.
Page 91
Chapter c 89 riskware types.
Page 92
90 d list of used system resources overview..................................................................................... 91 installed files.............................................................................. 91 network resources ........................................................
Page 93
Chapter d 91 list of used system resources d.1 overview this appendix summarizes the system resources used by the product. D.2 installed files all files installed by the product are in the following directories: /opt/f-secure /etc/opt/f-secure /var/opt/f-secure in addition, the installation creates ...
Page 94
92 d.4 memory the web user interface reserves over 200 mb of memory, but since the webui is not used all the time, the memory is usually swapped out. The other product components sum up to about 50 mb of memory, the on-access scanner uses the majority of it. The memory consumption depends on the amo...
Page 95
93 e troubleshooting user interface............................................................................. 94 f-secure policy manager........................................................... 95 integrity checking....................................................................... 95 firew...
Page 96
94 e.1 user interface q. I cannot log in to the web user interface. What can i do? A. On some distributions, you have to comment (add a hash sign (#) at the beginning of the line) the following line in /etc/pam.D/login: # auth requisite pam_securetty.So q. The f-icon in the system tray has a red cro...
Page 97
Chapter e 95 troubleshooting e.2 f-secure policy manager q. How can i use f-secure linux server security with f-secure policy manager 6.0x for linux? A. F-secure policy manager server has to be configured to retrieve new riskware and spyware databases for the product. Note that these instructions ap...
Page 99
Chapter e 97 troubleshooting q. Do i have to use the same passphrase every time i generate the baseline? A. No, you have to verify the baseline using the same passphrase that was used when the baseline was generated, but you do not have to use the same passphrase again when you generate the baseline...
Page 100
98 type: accept remote host: [mynetwork] description: windows networking local browsing service (select box): windows networking local browsing direction: in h. Click add service to this rule and add to firewall rules . The new rule should be visible at the bottom of the firewall rule list. If you c...
Page 101
Chapter e 99 troubleshooting e.5 virus protection q. How do i enable the debug log for real-time virus scanner? A. In policy manager console, go to product/settings/advanced/ and set fsoasd log level to debug. In standalone installation, run the following command: /opt/f-secure/fsma/bin/chtest s 44....
Page 103
Chapter e 101 troubleshooting q. The product is unable to contact the database, how can i fix this? A. Sometimes, after a hard reset for example, the product may be unable to contact the database. Follow these instructions to resolve the issue: a. As root, remove the database pid file: rm /var/opt/f...
Page 104
102 f man pages fsav........................................................................................... 103 fsavd......................................................................................... 137 dbupdate................................................................................
Page 105: Fsav
Chapter f 103 support@f-secure.Com fsav (1) fsav command line interface for f-secure anti-virus fsav options target ... Description fsav is a program that scans files for viruses and other mali- cious code. Fsav scans specified targets (files or directories) and reports any maliciouscode it detects....
Page 108
106 command-line! This option is intended to be used only with the dbupdate script. --allfiles [={on,off,yes,no,1,0}] scan all files regardless of the extension. By default, the setting is on. (in previous versions, this option was called 'dumb'.) --exclude=path do not scan the given path. --exclude...
Page 109
Chapter f 107 --list [={on,off,yes,no,1,0}] list all files that are scanned. --maxnested=value should be used together with the --archive option. Set the maximum number of nested archives (an archive containing another archive). If the fsav encounters an archive that contains more nested archives th...
Page 110
108 note: certain password- protected archives are reported as suspected infections instead of password-pro- tected archives. --orion [={on,off,yes,no,1,0}] enable/disable the orion scanning engine for the scan and the disinfection. If any engine is enabled, all other engines are disabled unless exp...
Page 112
110 --silent [={on,off,yes,no,1,0}] do not generate any output (except error messages). --socketname=socket path use the given socket path to communicate with fsavd. The default socket path is /tmp/.Fsav-, or /tmp/.Fsav--sa , if fsav is started with the --standalone option. --status show the status ...
Page 113
Chapter f 111 standalone version to scan files. The option forces the launch of a new fsavd. --stoponfirst [={on,off,yes,no,1,0}] stop after finding the first infection with any scan engine. If file contains multiple infec- tions, only the first is reported. If several scan engines can detect the in...
Page 114
112 note database versions contain date of the databases only. There may be several databases released on same day. If you need more detailed version information, open header.Ini in the database directory and search for the following lines: [fsav_database_version] version=2003-02-27_03 the string af...
Page 115
Chapter f 113 by default, fsav reports the infected and suspected infections to stdout. Scan errors are reported to stderr. An example of an infection in the scan report: /tmp/eicar.Com: infected: eicar-test-file [avp] where the file path is on the left, the name of the infection in the middle and t...
Page 116
114 encoding and cannot be scanned. Invalid mime header found. Explanation: scanned mime message uses non-standard header and cannot be scanned. The --list option shows the clean files in the report. An example of the output: /tmp/test.Txt - clean the --archive option scans the archive content and t...
Page 117
Chapter f 115 ary action is rename. Fsav must have write access to the file to be disinfected. Dis- infection is not always possible and fsav may fail to disinfect a file. Especially, files inside archives cannot be disinfected. Infected files are renamed to .Virus and clears executable and suid bit...
Page 118
116 action that failed, i.E. If the user does not want to take the pri- mary action, the secondary action is tried next. The action confirmation can be disabled with --auto -option. Warnings fsav warnings are written to the standard error stream (stderr). Warnings do not stop the program. Fsav ignor...
Page 119
Chapter f 117 illegal archive scanning value '' in configuration file line number> explanation: the archivescanning field in the configura- tion file has an incorrect value. Resolution: edit the configuration file and set the archives- canning field to one of the following: 1 or 0. Restart fsav to t...
Page 120
118 is not valid in configuration file path> line . Explanation: the maxnestedarchives field in the configu- ration file is not a number. Resolution: edit the configuration file. Maximum nested archives value '' is out of range in configuration file path> line explanation: the maxnestedarchives fiel...
Page 121
Chapter f 119 scan timeout value '' is not valid in configuration file line explanation: the scantimeout field in the configuration file is not a valid number. Resolution: edit the configuration file. Scan timeout value '' is out of range in configuration file line explanation: the timeout field in ...
Page 122
120 abort, custom or exec. Restart fsav to take new values in use. Unknown syslog facility '' in configuration file line number> explanation: the syslogfacility ield in the configuration file has an incorrect value. Resolution: edit configuration file and set the syslog- facility field to one of the...
Page 123
Chapter f 121 resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters or configu- ration file or remove the file from path and start the fsav again. Invalid socket path '': . Explanation: the user has given invalid socket path from configurat...
Page 124
122 explanation: the user has given a file path to the --con- figfile option which either does not exist or is not accessi- ble. Resolution: the user has to correct command-line options and try again. Scan engine directory '' is not valid in configuration file at line number>: explanation: the user ...
Page 125
Chapter f 123 from the configuration file. Resolution: the user has to correct the path and start fsav again. Database directory '' is not valid: explanation: the user has entered a database directory path which either does not exist, is not accessible or is too long from the command-line. Resolutio...
Page 126
124 option>'. Explanation: the user has entered an unknown com- mand-line option from the command-line. Resolution: the user has to correct command-line options and try again. Illegal scan timeout value ''. Explanation: the user has entered an illegal scan timeout value from the command-line. Resolu...
Page 127
Chapter f 125 explanation: the user has tried to request the server version with version but the request processing failed. Resolution: the server is not running. The product may be installed incorrectly. The installdirectory is either miss- ing or wrong in the configuration file. The system may be ...
Page 128
126 explanation: the file scanning failed because the connection to fsavd can not be established. Re-scanning file '' failed due ipc error. Explanation: the file re-scanning failed because the connec- tion to server is broken. Resolution: the server has died unexpectly. The user should restart the s...
Page 129
Chapter f 127 path>' exists. Explanation: the database directory contains an update flag file which is created while the database update is in progress. Resolution: the user has to check if an other database update is in progress. If no other update process exists, the user should delete the flag fi...
Page 130
128 resolution: the database update process does not have proper rights to the lock file and fails. The user has to make sure the update process runs with proper rights or the data- base directory has proper access rights. Could not release lock for lock file ''. Explanation: the database update pro...
Page 131
Chapter f 129 explanation: the database update process has successfully updated databases, but failed to remove the update flag file. Resolution: fsavd is halted. The user should remove the update flag file manually. Scan errors fsav scan errors are written to the standard error stream (stderr). In ...
Page 132
130 [] explanation: the scan engine could not open the file for scanning because the scan engine does not have a read access to the file. Resolution: the user has to make file readable for fsavd and try to scan the file again. If the user or fsav launches fsavd, fsavd has same access rights as the u...
Page 133
Chapter f 131 resolution: the user may try scanning the file again with big- ger scan timeout value. : error: could not read from file [] explanation: the scanning failed because of read from file failed. Resolution: the file is probably corrupted and cannot be scanned. : error: could not write to f...
Page 134
132 resolution: increase maximum nested archives limit and try to scan again. Scanning file '' failed: connection to fsavd lost due timeout. Disinfect file '' failed: connection to fsavd lost due timeout. Explanation: the file scanning failed because the connection to fsavd is lost because of ipc ti...
Page 135
Chapter f 133 3 a boot virus or file virus found. 4 riskware (potential spyware) found. 6 at least one virus was removed and no infected files left. 7 out of memory. 8 suspicious files found; these are not necessarily infected by a virus. 9 scan error, at least one file scan failed. 130 program was ...
Page 136
134 scan all files in a directory '/mnt/smbshare': $ fsav /mnt/smbshare scan all files and archive contents with the scan time limit set to 3 minutes: $ fsav --archive --scantimeout=180 --allfiles /mnt/smbshare scan and list files with '.Exe' or '.Com' extension in a direc- tory '/mnt/smbshare': $ f...
Page 138
136 archives is to use --scantimeout -option and in case the timeout occurs, the archive is scanned with a separate fsavd instance. Bugs please refer to 'known problems' -section in release notes. Authors f-secure corporation copyright copyright (c) 1999-2006 f-secure corporation. All rights reserve...
Page 139: Fsavd
Chapter f 137 support@f-secure.Com fsavd (8) fsavd f-secure anti-virus daemon fsavd options description fsavd is a scanning daemon for f-secure anti-virus. In the startup it reads the configuration file (the default configuration file or the file specified in the command line) in the startup and sta...
Page 141
Chapter f 139 the default is "/tmp/.Fsav-". If the file exists and is a socket, the file is removed and new socket is created. The file removal shuts down all existing fsavd instances. If the path contains non-existing directo- ries, the directories are created and the directory permission is set to...
Page 142
140 send an alarm signal to the parent pro- cess when the socket is ready to accept connections. When the option is used, fsavd does not fork(2) itself during the launch. The option is intended to be used with fsav when fsav automatically launches fsavd. In the normal use the option can be ignored. ...
Page 143
Chapter f 141 failed to scan file : time limit exceeded. Explanation: fsavd reports that the file scan failed because the scan time limit is exceeded. Failed to scan file : scan aborted. Explanation: fsavd reports that the file scan failed because the scan was aborted. The scan is aborted if the cli...
Page 144
142 unknown action '' in configu- ration file line explanation: the action in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the action field to one of the fol- lowing: disinfect, rename or delete. The user has t...
Page 145
Chapter f 143 configuration file line number> explanation: the mimescanning field in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit con- figuration file and set the mimescanning field to one of the following: 1, 0, on, off, yes, or no. The use...
Page 146
144 valid in configuration file line explanation: the scantimeout field in the configuration file is not a valid number. Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd. Scan timeout value '' is out of range in configuration file line explanation: th...
Page 147
Chapter f 145 resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd. Maximum scan engine instances value ' value>' is not valid in configuration file line explanation: the engineinstancemax field in the configu- ration file is not a number. Resolution: fsa...
Page 148
146 number> explanation: the syslogfacility ield in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit con- figuration file and set the syslogfacility field to one of the facility names found in syslog(3) manual page. The user has to restart fsavd...
Page 149
Chapter f 147 restart the scan engine. The user needs to perform database update and possibly restart fsavd if fsavd fails to start the scan engine automatically. Database file is not a valid data- base. Explanation: the scan engine reports that the database file is not a valid database file in the ...
Page 150
148 restart the scan engine. The user needs to perform database update and possibly restart fsavd if fsavd fails to start the scan engine automatically. Database file has wrong database version. Explanation: the scan engine reports that the database file has an incorrect version. Resolution: the sca...
Page 151
Chapter f 149 explanation: the scan engine is not responding to the keep-alive messages and it has not reported scan nor initial- ization statuses for a limited time period (300 seconds). The problem may be in a file which the scan engine is scanning. If the user can recognize the source as a proble...
Page 152
150 resolution: fsavd exits with error status. Installation or engine directory in configuration file maybe incorrect or --engine- directory command-line option has incorrect path. Failed to load required symbol from scan engine library. Explanation: fsavd finds required scan engine shared library f...
Page 153
Chapter f 151 explanation: the user has entered a database directory path which either does not exist, is not accessible or is too long from the command-line. Resolution: fsavd exits with error status. The user has to cor- rect the path and start fsavd again. Database update directory '' is not vali...
Page 154
152 long from the command-line. Resolution: fsavd exits with error status. The user has to cor- rect the path and start the fsavd again. Could not open configuration file : error message> explanation: the configuration file path given from the com- mand-line, the file does not exist or it is not acc...
Page 155
Chapter f 153 accept failed because run out of memory. Explanation: the accept(2) has failed because system ran out of the memory. Resolution: fsavd exits with error status. The user has to free some memory and start fsavd again. Files /etc/fssp.Conf the default configuration file for f-secure anti-...
Page 156
154 ration file: $ fsavd --nodaemon start fsavd as a background daemon process using 'fsav-test.Conf' as a configuration file: $ fsavd --configfile=fsav-test.Conf check fsavd, scan engine and database versions: $ fsavd --version bugs please refer to 'known problems' -section in release notes. Author...
Page 157: Dbupdate
Chapter f 155 support@f-secure.Com dbupdate (8) dbupdate virus definition database update for f-secure anti-virus dbupdate --help --auto directory parameters --help show the short help of command line options and exit. --auto do not download databases synchro- nously but update databases previously ...
Page 158
156 on demand update over network use the dbupdate command (without any parameters) if there is a need to check new database updates immediately over the network and take new databases into use. Scheduled update over network typically, dbupdate is started from cron(8) frequently with the following c...
Page 159
Chapter f 157 50 could not copy update. Copying data- base update failed, probably because lack of free disk space. 51 could not extract update. Extracting database update failed, probably because lack of free disk space. Exit value 0 nothing was updated since no new updates were available. 1 an err...
Page 160
158 see also fsav(1) and fsavd(8) for more information, see f-secure home page..
Page 161: Fsfwc
Chapter f 159 support@f-secure.Com fsfwc (1) fsfwc command line interface for firewall daemon fsfwc options description with this tool firewall can be set to different security levels. If invoked without any options, it will show current security level and minimum allowed. Options --mode {block,serv...
Page 162
160 mobile profile for roadwarr- iriors: ssh and vpn protocols are allowed. Dhcp, http, ftp and common email pro- tocols are allowed. All incoming con- nections are blocked. Office profile for office use. It is assumed that some external firewall exists between internet and the host. Any outgoing tc...
Page 163
Chapter f 161 nections are denied. Bypass allow everything in and out. Return values fsfwc has the following return values. 0normal exit; 1error occurred. Authors f-secure corporation copyright copyright (c) 1999-2006 f-secure corporation. All rights reserved. See also for more information, see f-se...
Page 164: Fsic
162 support@f-secure.Com fsic (1) fsic command line interface for integrity checker fsic options target ... Description f-secure integrity checker will monitor system integrity against tampering and unauthorized modification. If invoked without any options, fsic will verify all files in the known fi...
Page 165
Chapter f 163 changed, only base- lined inode informa- tion is shown. If file differs from baselined informa- tion, detailed com- parison is shown. --virus-scan={yes=default,no} scan for viruses when verifying. (default: yes) --ignore={attr,hash} ignore speci- fied file properties if they differ fro...
Page 166
164 been given at all. (default: no) -v, --verifyfile [options] this mode will validate only files given from command line or stdin. This option has the same sub-options as verify. -b, --baseline [options] calculate baseline informa- tion for all of the files. If a previous base- line already exists...
Page 167
Chapter f 165 -b, --baselinefile [options] this mode will add only entries given from command line or stdin to baseline. This option has same sub-options as baseline. -a, --add [options] target ... Add a target[s] to the known files list. Targets must be real files or links. By default all files are...
Page 168
166 an alert if file differs from baselined information. -d, --delete target ... Remove target[s] from the known files list. A new baseline needs to be generated after all file deletions have been performed. Verify action reports if --show-all is specified, then also clean files are reported, as fol...
Page 169
Chapter f 167 so even if inode data is changed hash might be same (touch on a file will change inode data) however if hash is changed and inode data is still same then file contents has been modi- fied and it's mtime set back to what it was with utime() (man 2 utime). If --show-details is specified,...
Page 170
168 late hash and inode information for all files known to the integrity checker. Previously generated baseline will be over- written. User will be asked to confirm adding files to new baseline. For example, /bin/ls: accept to baseline? (yes,no,all yes, disregard new entries) if file has been modifi...
Page 171
Chapter f 169 2no baseline exists yet. 3system compromised. Return value of 3 indicates that one or more of the following happened; * incorrect passphrase, or * files do not match baselined information, or * a virus was detected in one of the files files none. Examples none. Notes none. Bugs none. A...
Page 173
171 g appendix: config files fsaua_config ............................................................................. 172 fssp.Conf ................................................................................... 177.
Page 174
172 g.1 fsaua_config # # configuration for f-secure automatic update agent # # enable fsma # # this directive controls whether automatic update agent works in centrally # managed or standalone mode. # # this option only has effect, if fsma is installed and configured properly # # the default is ‘yes...
Page 175
Appendix g 173 config files # the format is as follows: # update_servers=[http://] # # examples: # update_servers=http://pms # update_servers=http://server1,http://backup_server1,http://backup_server2 # #update_servers= # update proxies # # this directive controls which policy manager proxies the au...
Page 176
174 # http_proxies=[http://][user[:passwd]@] ][user[:passwd]@] # # examples: # http_proxies=http://proxy1:8080/,http://backup_proxy:8880/ # #http_proxies= # poll interval # # this directive specifies (in seconds) how often the automatic update agent # polls the update server for updates. # # the def...
Page 177
Appendix g 175 config files #failover_to_root=yes # failover timeout # # specifies the timei after which automatic update agent is allowed to check # for updates from update servers hosted by f-secure. This is the time elapsed # (in seconds) since the last successful connection with your main update...
Page 178
176 # #log_level=normal # log facility # # specify the syslog facility for automatic update agent # # possible values are: daemon, local0 to local7 # # the default is daemon # #log_facility=daemon os_version_distribution=”testingunstable”.
Page 179
Appendix g 177 config files g.2 fssp.Conf # # this is a configuration file for f-secure security platform # # copyright (c) 1999-2006 f-secure corporation. All rights reserved. # # # specify whether the product should scan all files or only the files that # match the extensions specified in the ‘ext...
Page 180
178 odsincludedextensions .,acm,app,arj,asd,asp,avb,ax,bat,bin,boo,bz2,cab,ceo,chm,cmd,cnv,com,cpl,csc,dat,dll,do ?,drv,eml,exe,gz,hlp,hta,htm,html,htt,inf,ini,js,jse,lnk,lzh,map,mdb,mht,mif,mp?,msg,mso, nws,obd,obt,ocx,ov?,p?T,pci,pdf,pgm,pif,pot,pp?,prc,pwz,rar,rtf,sbf,scr,shb,shs,sys,tar,td0, tgz...
Page 181
Appendix g 179 config files # # determines whether some files can be excluded from scanning. Please note # that the files specified here are excluded from scanning even if they would # be included in scanning according to what is defined in the other scanning # settings # # possible values: # 0 - di...
Page 182
180 # recommended to set this value too high as this will make the product more # vulnerable to dos (denial of service) attacks. If an archive has more nested # levels than the limit, a scan error is generated. # odsfilemaximumnestedarchives 5 # # define whether mime encoded data should be scanned f...
Page 183
Appendix g 181 config files # possible values: # 0 - no # 1 - yes # odsfileignorepasswordprotected 1 # # defines what happens when the first infection is found inside an archive. If # set to ‘yes’, scanning will stop on the first infection. Otherwise the whole # archive is scanned. # # possible valu...
Page 184
182 # 3 - rename # 4 - delete # 5 - abort scan # 6 - custom # odsfileprimaryactiononinfection 2 # # if “custom” is chosen as the primary action, the custom action must be # specified here. Please note that the custom action will be executed as the # super user of the system so consider and check car...
Page 185
Appendix g 183 config files # 3 - rename # 4 - delete # 5 - abort scan # 6 - custom # odsfilesecondaryactiononinfection 3 # # if “custom” is chosen as the secondary action, the custom action must be # specified here. Please note that the custom action will be executed as the # super user of the syst...
Page 186
184 # odsfileprimaryactiononsuspected 1 # # specify the secondary action to take when suspected infection is detected # and the primary action has failed. # # possible values: # 0 - do nothing # 1 - report only # 3 - rename # 4 - delete # odsfilesecondaryactiononsuspected 0 # # set this on to report...
Page 187
Appendix g 185 config files # # type of riskware that should not be detected. # odsexcludedriskware ; # # specify the primary action to take when riskware is detected. # # possible values: # 0 - do nothing # 1 - report only # 3 - rename # 4 - delete # odsfileprimaryactiononriskware 1 # # specify the...
Page 188
186 # 1 - report only # 3 - rename # 4 - delete # odsfilesecondaryactiononriskware 0 # # defines the upper limit for the time used for scanning a file (1 second # resolution). A recommended upper limit would be, for example, 1 minute. # odsfilescantimeout 60 # # specify the action to take after a sc...
Page 189
Appendix g 187 config files # each action. # # possible values: # 0 - no # 1 - yes # odsaskquestions 1 # # read files to scan from from standard input. # # possible values: # 0 - no # 1 - yes # odsinput 0 # # print out all the files that are scanned, together with their status. # # possible values: ...
Page 190
188 odslist 0 # # should infected filenames be printed as they are or should potentially # dangerous control and escape characters be removed. # # possible values: # 0 - no # 1 - yes # odsraw 0 # # in standalone mode a new fsavd daemon is launched for every client. Usually # you do not want this bec...
Page 191
Appendix g 189 config files # # if “no”, fsav command line client does not follow symlinks. If “yes”, # symlinks are followed. This affects e.G. Scanning a directory containing # symlinks pointing to files outside of the directory. # # possible values: # 0 - no # 1 - yes # odsfollowsymlinks 0 # # if...
Page 192
190 # 0 - no # 1 - yes # odsshort 0 # # if this setting is on, file access times are not modified when they are # scanned. If a file is modified due to disinfection, then both access and # modify times will change. # # possible values: # 0 - no # 1 - yes # odsfilepreserveaccesstimes 0 # # specifies ...
Page 193
Appendix g 191 config files # odsfileignoremimedecodeerrors 0 # # defines how partial mime messages should be handled. If set to ‘yes’, # partial mime messages are considered safe and access is allowed. Partial # mime messages cannot reliably be unpacked and scanned. # # possible values: # 0 - no # ...
Page 194
192 # # do not scan files equal or larger than 2 gb (2,147,483,648 bytes). If this # option is not set an error will be reported for large files. # # possible values: # 0 - no # 1 - yes # odsfileskiplarge 0 # # if “on”, the libra scanning engine is used for scanning files. If “off”, # libra is not u...
Page 195
Appendix g 193 config files # orion is not used. # # possible values: # 0 - off # 1 - on # odsuseorion 1 # # if “on”, the avp scanning engine is used for scanning files. If “off”, avp # is not used. # # possible values: # 0 - off # 1 - on # odsuseavp 1 # # f-secure internal. Do not touch. # daemonav...
Page 196
194 # # set this on to enable riskware scanning with the avp scan engine. If you set # this off, riskware scanning is not available for clients. # # possible values: # 0 - off # 1 - on # odsavpriskwarescanning 1 # # maximum size of mime message. Files larger than this are not detected as # mime mess...
Page 197
Appendix g 195 config files # # turn this setting on to use house keeping engine. # # possible values: # 0 - off # 1 - on # daemonusehke 1 # # f-secure internal. Do not change. This is the directory where in-use # databases are kept. # daemondatabasedirectory /var/opt/f-secure/fssp/databases # # f-s...
Page 198
196 # engine libraries are loaded. # daemonenginedirectory /opt/f-secure/fssp/lib # # if “yes”, fsavd writes a log file. If “no”, no log file is written. # # possible values: # 0 - no # 1 - yes # daemonlogfileenabled 0 # # log file location: stderr - write log to standard error stream syslog - # wri...
Page 199
Appendix g 197 config files # daemonmaxscanprocesses 4 # # fsav will add the current user-id to the path to make it possible for # different users to run independent instances of the server. # daemonsocketpath /tmp/.Fsav # # octal number specifying the mode (permissions) of the daemon socket. See # ...
Page 200
198 # syslog facility to use when logging to syslog. # # possible values: # auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, uucp, local0, local1, local2, local3, local4, local5, local6, local7 - auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, uucp, loc...
Page 201
Appendix g 199 config files # 1 - emergency # 2 - alert # 3 - critical # 4 - error # 5 - warning # 6 - notice # 7 - info # 8 - debug # 9 - everything # debugloglevel 0 # # specify the full name of the debug logfile. # debuglogfile /var/opt/f-secure/fssp/fssp.Log # # the keycode entered during instal...
Page 202
200 # the complete path that tells where this product is installed in the # filesystem. # installationdirectory /opt/f-secure/fssp # # unix time() when installation done. # installationtimestamp 0 # # f-secure internal. Do not change. Text to be printed every day during # evaluation use. # naggingte...
Page 203
201 h technical support introduction............................................................................... 202 f-secure online support resources........................................ 202 web club.................................................................................. 203 virus d...
Page 204
202 introduction f-secure technical support is available through f-secure support web pages, e-mail and by phone. Support requests can be submitted through a form on f-secure support web pages directly to f-secure support. F-secure online support resources f-secure support web pages for any f-secure...
Page 205
Chapter h 203 technical support › a detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem. › logfile from the machines running f-secure products. Web club the f-secure web club provides assistance an...
Page 206
204.
Page 208
Www.F-secure.Com.