Avira ANTIVIR PROFESSIONAL FOR UNIX Installation And Configuration

HowTo
Installation and Configuration of
Avira AntiVir Professional for UNIX
Avira Support
June 2009
1 Which environment can be protected by Avira Professional for Unix?
2 Installation
3 Recommended Basic Configuration
4 What can be configured additionally?
4.1 No Real Time Protection
4.2 Heavy Load in the System
4.3 Exception of Directories
5 Particularities - NSS Volumes
6 Command Line Scanner - avscan
7 Update Configuration
7.1 Reasonable Values for an Update
7.2 Large Enterprises
7.3 Small Business
7.4 Customers with Narrowband Connections (modem/ISDN)
7.5 Internet Service Providers
7.6 Signature Update
1 Which environment can be protected by Avira Professional for Unix?
- Local virus protection
You only have to mount the corresponding shares with DazukoFS (or configure the shares as an include path in Dazuko 2).
You can use Avira AntiVir Professional for Unix with real time protection (OnAccess) or without it (OnDemand).
2 Installation
- Decompress: gzip -d antivir-workstation-prof-3.0.2-5.tar.gz
- Unpack: tar -xvf antivir-workstation-prof-3.0.2-5.tar
- Change directory: cd antivir-workstation-prof-3.0.2-5
- Execute installation: ./install
Follow the installation dialog...
The following prompts have recommended defaults, which should be kept:
- Would you like to setup Engine and Signature updates as cron task ? [y]
- Please specify the interval to check. Recommended values are daily or 2 hours. Available options: d [2]
- Please specify if boot scripts should be set up. Set up boot scripts [y]
Please note that the real time protection under Unix requires the external kernel module Dazuko 3.0. You find more information at www.dazuko.org.
3 Recommended Basic Configuration
# Amount of scanner daemons
NumDaemons 3
# Starts 3 daemons, which is enough for normal use. The number can be increased
# under heavy load, but keep in mind that more daemons also need more free main memory.

# Action in case of a detection
AlertAction quarantine
# On a detection the file is moved to the quarantine directory and renamed, so
# the user can no longer open it. It is neither deleted nor changed, because it
# might be a false positive.

# Quarantine directory (default: QuarantineDirectory NONE)
QuarantineDirectory /home/quarantine
# If files in the /home directory are to be moved into quarantine, a quarantine
# directory on the same partition is recommended for good performance: instead of
# copying a large file from one partition to another, the file is simply moved
# within the same partition.

# Files to be checked
ScanMode all
# This mode scans all files.

# Archive scan
ArchiveScan yes
# Activates the scan of small and medium archives. Large archives should be
# limited for performance reasons (see the limits below); they can be scanned
# separately, e.g. by means of a regular scheduled scan.

# Scan in mbox
MailboxScan yes
# Scans the mail boxes. We recommend activating this option for security reasons.

# Maximum archive size that should be scanned
ArchiveMaxSize 1GB
# Limit the size of scanned archives to 1 GB for good performance.

# Maximum recursion depth
ArchiveMaxRecursion 20
# Limit the recursion depth to 20 levels in order to keep good performance.

# Maximum compression rate
ArchiveMaxRatio 150
# Limit the compression ratio of scanned archives to 150 in order to keep good performance.

# Maximum number of files that should be scanned
ArchiveMaxCount 0
# Limits the number of files scanned within an archive. Usually this is not necessary.

# Notification level
SuppressNotificationBelow scanner warning
# Sends email notifications for the component "scanner" for events of level
# "warning" and higher. We recommend this in order to be well informed.

# Define the log file
LogFile /var/log/avguard.log
# Defines the log file of the OnAccess scanner. This is the default path.
# Detection of undesired software
DetectPrefixes adspy=yes appl=no bdc=yes dial=yes game=no hiddenext=yes joke=no pck=no phish=yes spr=no
# Offers protection against undesired software such as hidden file extensions,
# phishing, dial-up programs, backdoor programs and unwanted advertising pop-ups.
# The detection can be configured per category according to the following list:
# ADSPY: Software that displays advertising pop-ups, or software that very
#        often, without the user's consent, sends user-specific data to
#        third parties and might therefore be unwanted.
# APPL: The term APPL/ denotes an application of dubious origin or one which
#       might be hazardous to use.
# BDC: The control software for backdoors. Control software for backdoors
#      is generally harmless.
# DIAL: A dial-up program for connections that charge a fee. Its use might
#       lead to huge costs for the user.
# GAME: A game that causes no damage on your computer.
# HEUR-DBLEXT: The file has an executable file extension but hides it behind a
#              harmless one.
# JOKE: A harmless joke program is present as a file.
# PCK: The file has been compressed with an unusual runtime compression tool.
#      Please make sure that this file comes from a trustworthy source.
# PHISH: Faked emails that are supposed to prompt the victim to reveal
#        confidential information such as user accounts, passwords or
#        online-banking data on certain websites.
# SPR: Software that may be able to compromise the security of your system,
#      initiate unwanted program activities, damage your privacy or spy
#      out your user behaviour and might therefore be unwanted.
# Activates the heuristics on medium level
HeuristicsLevel 2
# A good balance between detection and early detection that avoids many possible false positives.

# Activates the detection of possible macro viruses in office documents
HeuristicsMacro yes
4 What can be configured additionally?
4.1 No Real Time Protection
You can use only the command line scanner without real time protection by setting the parameter 'OndemandMgmt yes' in /etc/avguard.conf. In that case Dazuko or DazukoFS does not have to be loaded.
4.2 Heavy Load in the System
Depending on the load, you can choose a value between 3 and 20 for the parameter NumDaemons. Take into consideration the relation between the memory needed and the available main memory.
4.3 Exception of Directories
Usually you should exclude database directories from the scan. Because of their internal structure they do not have to be checked, and scanning database directories can cause a severe loss of performance.
You can set the exception with the parameter ExcludePath.
Example: /etc/avira/avguard.conf
ExcludePath /dbdir
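As an added example, not part of this HowTo or of the Avira product, the following Python script parses an avguard.conf and flags settings that deviate from the basic configuration recommended in section 3 and from the ExcludePath advice above. The directive names are the page's; the sample configuration and the audit rules are constructed here.

```python
"""Audit avguard.conf against the basic configuration recommended above."""

# Constructed sample that deviates from the recommendations in several places.
SAMPLE_CONF = """\
NumDaemons 3
AlertAction ignore            # detections would only be logged
QuarantineDirectory NONE
ArchiveScan yes
ArchiveMaxSize 0              # 0 = no limit
ArchiveMaxRecursion 0
ArchiveMaxRatio 0
ExcludePath /dbdir
ExcludePath /
"""

# Archive limits recommended in section 3; a value of 0 removes the limit.
ARCHIVE_LIMITS = {"ArchiveMaxSize": "1GB", "ArchiveMaxRecursion": "20", "ArchiveMaxRatio": "150"}


def parse_conf(text):
    """Map each directive to the list of its values (ExcludePath may occur several times)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, []).append(value.strip())
    return conf


def audit(text):
    """Return a list of findings; an empty list means the config follows the recommendations."""
    conf = parse_conf(text)
    findings = []

    def first(key, default=None):
        return conf.get(key, [default])[0]

    if first("AlertAction") != "quarantine":
        findings.append("AlertAction is not 'quarantine': detected files remain accessible")
    if first("QuarantineDirectory", "NONE") == "NONE":
        findings.append("QuarantineDirectory is NONE: the quarantine action has no target")
    for key, recommended in ARCHIVE_LIMITS.items():
        if first(key) == "0":  # unbounded archive scanning
            findings.append(f"{key} 0 removes the limit; recommended {recommended}")
    daemons = int(first("NumDaemons", "3"))
    if not 3 <= daemons <= 20:
        findings.append(f"NumDaemons {daemons} is outside the 3 to 20 range")
    if "/" in conf.get("ExcludePath", []):
        findings.append("ExcludePath / excludes the whole filesystem from the scan")
    return findings
```

Running audit() on the real file (for example audit(open("/etc/avira/avguard.conf").read())) prints nothing for a configuration that matches the recommendations above.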
5 Particularities - NSS Volumes
On SLES, for example, the NSS starts very late. This causes a malfunction of the DazukoFS that has already been mounted.
Therefore it is necessary to adjust the run level so that the affected shares are mounted with DazukoFS after the NSS has started. You find more detailed information about adjusting the start order in the documentation of the operating system.
6 Command Line Scanner - avscan
The avscan binary provides the OnDemand scan mode. It is located at /usr/lib/AntiVir/avscan and is called with user-defined parameters.
The following call corresponds to the guard configuration described above; the parameters can be derived accordingly. The scan is executed in the /home directory.
The parameter -s stands for a recursive scan of subdirectories. In order to execute the scan automatically without user interaction, the parameter --batch can be used. Detections are moved automatically into the quarantine:
$ avscan --scan-in-archive=yes --scan-in-mbox=yes --archive-max-size=0 --archive-max-recursion=0 --archive-max-ratio=0 --scan-mode=all --heur-macro=yes --heur-level=2 --alert-action=quarantine --quarantine-dir=/home/quarantine -s --batch /home
This can also be executed automatically by means of a cron job. We recommend putting the call into a shell script and running that script via cron job, e.g. once a week, on Saturday at twelve o'clock:
00 12 * * 6 root /usr/local/bin/virenscan.sh
7 Update Configuration
In order to keep your AntiVir installation up to date, two kinds of updates are set up during the installation:
- Scanner update (scanner, engine and VDF only)
- Product update (Guard program files)
You find the update settings after the installation in the following file:
/etc/cron.d/avira_updater:
00 */2 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
15 12 * * Tue root /usr/lib/AntiVir/avupdate --product=Guard
7.1 Reasonable Values for an Update
Depending on the target group, we recommend our customers to perform an update at least 2 or 3 times a day.
7.2 Large Enterprises
Example: hourly update
/etc/cron.d/avira_updater:
0 */1 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
7.3 Small Business
Example: 3 hour interval
/etc/cron.d/avira_updater:
0 */3 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
7.4 Customers with Narrowband Connections (modem/ISDN)
Example: 8 hour interval
/etc/cron.d/avira_updater:
0 */8 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
7.5 Internet Service Providers
It is recommended for internet service providers to download the current signatures more frequently, e.g. every 15 minutes. Thereby you can make sure to always use the latest signatures.
/etc/cron.d/avira_updater:
*/15 * * * * root /usr/lib/AntiVir/avupdate --product=Scanner
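As an added example, not part of this HowTo or of Avira's software, the following Python snippet parses cron entries in the format of /etc/cron.d/avira_updater and reports entries that fire more often than the 15-minute interval recommended for ISPs above. The sample entries are constructed; one of them shows that a '*' in the minute field makes the updater run every minute rather than hourly.

```python
"""Check how often each entry in a cron file like /etc/cron.d/avira_updater fires."""

# Constructed sample: the two entries created by the installer plus two custom ones,
# one of which uses '*' in the minute field and therefore runs every minute.
SAMPLE_CRONTAB = """\
00 */2 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
15 12 * * Tue root /usr/lib/AntiVir/avupdate --product=Guard
* */1 * * * root /usr/lib/AntiVir/avupdate --product=Scanner
*/15 * * * * root /usr/lib/AntiVir/avupdate --product=Scanner
"""


def field_values(field, limit):
    """Expand a cron field ('*', '*/n', 'a-b', 'a,b', 'n') into the set of matching values."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/")
            step = int(step)
        if part == "*":
            lo, hi = 0, limit - 1
        elif "-" in part:
            lo, hi = map(int, part.split("-"))
        else:
            lo = hi = int(part)
        values.update(range(lo, hi + 1, step))
    return values


def runs_per_day(minute_field, hour_field):
    """Number of times an entry fires on a day on which its day fields match."""
    return len(field_values(minute_field, 60)) * len(field_values(hour_field, 24))


def check_schedule(text, max_runs_per_day=96):
    """Return (command, runs per day) for entries firing more often than every 15 minutes (96/day)."""
    problems = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        minute, hour, _dom, _mon, _dow, _user, *cmd = line.split()
        runs = runs_per_day(minute, hour)
        if runs > max_runs_per_day:
            problems.append((" ".join(cmd), runs))
    return problems
```

To check the installed schedule, call check_schedule(open("/etc/cron.d/avira_updater").read()); an empty result means no entry exceeds the 15-minute interval.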
7.6 Signature Update
Furthermore, you have the option to perform only an engine and VDF update. The Guard product files and the central scanner service (SAVAPI) are not updated in that case.
This can be of interest if you regard program updates as especially sensitive: it gives you the opportunity to audit a new version on a separate test system before rolling it out to the production network.
The command has to be entered as follows:
$ /usr/lib/AntiVir/avupdate --product=Signatures