Eset File Security Installation Manual and User Guide

Download

ESET File Security

Installation Manual and User Guide

Linux, BSD and Solaris

Contents

1. Introduction

2. Terminology and abbreviations

3. Installation

4. Architecture Overview

5. Integration with File System services

6. Important ESET File Security mechanisms

..................................................................3

.........................................................................................3

Mai n functionali ty1.1

.........................................................................................3

Key features of the sys tem1.2

..................................................................5

..................................................................7

..................................................................8

..................................................................10

.........................................................................................10

On-demand scanner5.1

.........................................................................................10

On-access scanner powered by Dazuko5.2

On-access scanner us ing preload LIBC l ibra ry5.3

................................................................................10Opera tion principle5.2.1

................................................................................11Installa tion and configuration5.2.2

................................................................................11Tips5.2.3

.........................................................................................11

................................................................................12Opera tion principle5.3.1

................................................................................12Installa tion and configuration5.3.2

................................................................................12Tips5.3.3

..................................................................13

.........................................................................................13

Handle Object Pol i cy6.1

.........................................................................................13

User Speci fi c Configura tion6.2

.........................................................................................14

Sampl es Submis sion Sys tem6.3

.........................................................................................14

Web Interface6.4

Remote Adminis tration6.5

Logging6.6

................................................................................15Licens e ma nagement6.4.1

................................................................................16On-Access scanner (DAC) configuration example6.4.2

................................................................................16On-Dema nd scanner6.4.3

................................................................................17Statis tics6.4.4

.........................................................................................17

................................................................................18Remote Admini stration usage example6.5.1

.........................................................................................20

ESET File Security

ESET File Security was developed by ESET, spol. s r. o. For more information visit www.es et.com. All rights res erved. No part of this documentation may be reproduced, stored in a retri eva l syste m or transmi tte d in any form or by any mea ns, ele ctronic, mecha nical, photocopyi ng, recording, scanning, or othe rwis e without permission in writing from the author. ESET, spol . s r. o. res erve s the right to cha nge any of the described application software without prior notic e.

Customer Care Worldwide: www.eset.eu/support Customer Care North America: www.e se t.com/support

7. ESET Security system update

8. Let us know

9. Appendix A. PHP License

..................................................................21

.........................................................................................21

ESETS update utility7.1

.........................................................................................21

ESETS update process description7.2

.........................................................................................21

ESETS mirror http daemon7.3

..................................................................22

..................................................................23

REV. 2011-02-08

1. Introduction

Dear user, you have acquired ESET File Security - the premier security sys tem runni ng under the Linux, BSD and Solaris OS. As you will soon find out, ESET's state-of-the-art scanning engine has unsurpassed s ca nni ng s peed and detection rates combined with a very s mal l footprint that makes i t the ideal choi ce for any Linux, BSD and Solaris OS server.

1.1 Main functionality

On-demand scanner

The On-demand sca nner can be invoked by a privileged user (usuall y a system admi ni strator) through either the command line interface or the web interface; or by the operating s ys tem's automatic scheduling tool (e.g., cron). Thus, the term refers to fil e system objects being scanned on user or s ys tem demand.

On-access scanner

The On-access s canner is i nvoked whenever a user a nd/or operating s ys tem attempts to access fil e system objects. This a lso cl arifies the use of the term

O n -a ccess

; becaus e a s can is tri ggered by any attempt to access fil e system objects.

1.2 Key features of the system

Advanced engine algorithms

The ESET antivirus scanni ng engine algori thms provi de the highest detection rate and the fas test scanni ng times.

Multi-processing

ESET File Security is developed to run on s i ngle- as well as multi-process or units.

O n -dem an d

Advanced Heuristics

ESET File Security includes unique adva nced heuristics for Win32 worms, backdoor infections and other forms of malware.

Built-In features

Built-in a rchivers unpack a rchived objects without the need for any external progra ms.

Speed and efficiency

To increase the speed and efficiency of the system, its archi tecture is ba sed on the runni ng da emon (resident program) where al l sca nni ng requests a re sent.

Enhanced security

All executive daemons (except esets_dac) run under non-pri vileged user account to enhance security.

Selective configuration

The system supports selective confi guration ba sed on the user or cl i ent/server.

Multiple logging levels

Multipl e logging levels can be confi gured to get information about system activi ty and infiltrations .

Web interface

Configura tion, admi ni stration a nd l i cense management are offered through an i ntui tive and user-friendly Web interface.

Remote administration

The system supports ESET Remote Administrati on for mana gement in la rge computer networks.

No external libraries

The ESET Fil e Securi ty instal lation does not require external li braries or programs except for LIBC.

User-specified notification

The system can be configured to notify specifi c users in the event of a detected infiltration or other important events.

Low system requirements

To run effici ently, ESET Fil e Security requires j ust 16MB of hard-disk space and 32MB of RAM. It runs smoothly under the 2.2.x,

2.4.x a nd 2.6.x Linux OS kernel vers ions as well as under 5.x, 6.x FreeBSD OS kernel versions.

Performance and scalability

From lower-powered, smal l offi ce servers to enterprise-class ISP servers wi th thousands of users, ESET Fil e Security delivers the performance and s cal ability you expect from a UNIX bas ed solution, in additi on to the unequaled s ecurity of ESET products.

2. Terminology and abbreviations

In this section we will review the terms a nd a bbreviations used i n thi s document. Note that a boldface font is reserved for product component names and als o for newly defined terms and abbreviations. Terms a nd a bbreviations defined i n this chapter are expanded upon later in this document.

ESETS

ES ET Security

operating s ystems. It is a lso the name (or i ts part) of the software package containing the products.

RSR

Abbreviation for ‘RedHat/Novell(SuSE) Ready’. Note that we also support RedHat Ready and Novell(SuSE) Ready varia tions of the product. The RSR package di ffers from the ‘standard’ Linux version in that it meets the FHS (File-system Hierarchy Standard defined as a part of Linux Standa rd Bas e) criteri a required by the RedHat Ready and Novell(SuSE) Ready certifi ca te. This means that the RSR package is installed as an add-on application - the pri mary i nstal l ation directory i s ‘/opt/eset/esets’.

ESETS daemon

The mai n ESETS sys tem control and scanni ng daemon:

ESETS base directory

The directory where ESETS loadabl e modules contai ni ng the virus signature database are stored. The abbreviation

@ BA SE D IR @

lis ted below:

Linux: /var/lib/esets Linux RSR: /var/opt/eset/esets/lib FreeBSD: /var/lib/esets NetBSD: /var/lib/esets Solaris: /var/opt/esets/lib

is a standard acronym for all s ecurity products developed by ESET, spol. s r. o. for Linux, BSD and Sol ari s

esets_d a emo n

wil l be used for future references to this directory. The

@ BA SE D IR @

value for the foll owing Opera ting Systems i s

ESETS configuration directory

The directory where al l files related to the ESET Fil e Security configuration are stored. The abbrevia tion used for future references to this di rectory. The

Linux: /etc/esets Linux RSR: /etc/opt/eset/esets FreeBSD: /usr/local/etc/esets NetBSD: /usr/pkg/etc/esets Solaris: /etc/opt/esets

@ ETCDIR @

value for the foll owing Opera ting Systems i s listed below:

ESETS configuration file

Mai n ESET Fil e Security configura tion file. The abs olute path of the file is as foll ows:

@ETCDIR@/esets.cfg

ESETS binary files directory

The directory where the relevant ESET Fil e Securi ty bi nary fi l es are stored. The abbreviation references to thi s directory. The

Linux: /usr/bin Linux RSR: /opt/eset/esets/bin FreeBSD: /usr/local/bin NetBSD: /usr/pkg/bin Solaris: /opt/esets/bin

@ BIND IR@

value for the foll owing Opera ting Systems i s listed below:

@ BIND IR@

ESETS system binary files directory

The directory where the relevant ESET Fil e Securi ty system binary files are stored. The abbreviation for future references to this directory. The

@ SB IN D IR@

value for the foll owing Opera ting Systems i s listed below:

@ ETCDIR @

wil l be

wil l be used for future

@ SB IN D IR@

wil l be used

Linux: /usr/sbin Linux RSR: /opt/eset/esets/sbin FreeBSD: /usr/local/sbin NetBSD: /usr/pkg/sbin Solaris: /opt/esets/sbin

ESETS object files directory

The directory where the relevant ESET Fil e Securi ty obj ect files and librari es are stored. The abbreviation used for future references to this di rectory. The

Linux: /usr/lib/esets Linux RSR: /opt/eset/esets/lib FreeBSD: /usr/local/lib/esets NetBSD: /usr/pkg/lib/esets Solaris: /opt/esets/lib

@ LIBD IR @

value for the foll owing Opera ting Systems i s listed below:

@ LIBD IR @

wil l be

3. Installation

After purchasing ESET File Security, you wil l receive your a uthoriza tion data (us ername, pass word and li cense key). This data is necessary for both identifyi ng you as our cus tomer and al lowing you to downl oad upda tes for ESET File Security. The username/pass word data is a lso required for downloading the ini tial i nstal lation package from our web si te. ESET Fil e Securi ty is dis tri buted as a bi nary fi l e:

esets.i386.ext.bin

In the binary fi l e shown above,

‘ex t’

is a Linux, BSD and Sol ari s OS di s tri bution dependent suffi x, i.e., ‘deb’ for Debian, ‘rpm’ for RedHat and SuSE, ‘tgz’ for other Linux OS distributions, ‘fbs5.tgz’ for FreeBSD 5.x, ‘fbs6.tgz’ for FreeBSD 6.x, ‘nbs4.tgz’ for NetBSD 4. xx a nd ‘s ol10.pkg.gz‘ for Sola ri s 10.

Note that the Linux RSR binary file format is:

esets-rsr.i386.rpm.bin

To install or upgrade the product, use the following command:

sh ./esets.i386.ext.bin

For the Linux RSR vari ation of the product, use the command:

sh ./esets-rsr.i386.rpm.bin

to displa y the product’s User License Acceptance Agreement. Once you have confirmed the Acceptance Agreement, the installation packa ge is pl aced i nto the current working directory and relevant informati on regardi ng the package’s installati on, un-instal lation or upgrade is displa yed ons creen.

Once the package is installed, you can verify that the main ESETS servi ce is running by using the foll owing command:

Linux OS:

ps -C esets_daemon

BSD OS:

ps -ax | grep esets_daemon

Solaris:

ps -A | grep esets_daemon

After pressing ENTER, you s houl d see the following (or s i mila r) mess age:

PID TTY TIME CMD 2226 ? 00:00:00 esets_daemon 2229 ? 00:00:00 esets_daemon

At least two ESETS daemon process es are running in the background. The first PID represents the process and threads mana ger of the sys tem. The other represents the ESETS sca nni ng process.

4. Architecture Overview

Once ESET Fil e Securi ty i s successfully installed, you should become familia r with its a rchitecture.

Figure 4-1. Structure of ESET File Security.

The structure of ESET File Security is s hown in Figure 4-1. The sys tem is comprised of the following parts:

CORE

The Core of ESET File Security is the ESETS daemon (esets_daemon). The daemon uses ESETS API libra ry li besets.so and ESETS loading modules em00X_xx.dat to provi de base system tasks such as scanning, maintenance of the agent daemon process es, maintenance of the samples submis sion system, logging, notification, etc. Please refer to the details.

AGENTS

The purpos e of ESETS agent modul es i s to integrate ESETS with the Linux, BSD and Solaris Server environment.

UTILITIES

The utility modules provide si mple and effective management of the system. They are responsi bl e for relevant sys tem tas ks such as license management, quarantine mana gement, sys tem setup and update.

CONFIGURATION

Proper confi guration i s the most important aspect of a s mooth-running security system - the remai nder of this chapter i s dedicated to explai ni ng all related components. A thorough understandi ng of the this fi l e contains informati on essential to the confi guration of ESET File Security.

After the product is s uccess ful l y i ns tal l ed, al l its confi gura tion components are stored in the ESETS configuration directory. The directory consis ts of the foll owi ng fi les:

@ETCDIR@/esets.cfg

This i s the most important configuration file, as i t controls al l maj or as pects of the product‘s functional i ty. The esets.cfg file is made up of s everal s ections, each of which contai ns vari ous parameters. The file contai ns one global and s everal “agent“ sections , with al l section names enclosed i n s qua re brackets. Parameters in the global section are used to define confi guration options for the ESETS daemon as well as default va lues for the ESETS scanning engine configuration. Parameters in agent sections are used to define confi guration options of modul es used to i ntercept various data fl ow types i n the computer and/or its neighborhood, and prepare it for scanning. Note that in addition to the various parameters used for system configura tion, there are also rul es governing the organization of the file. For detai l ed information on the most effective way to organi ze this fi l e,

esets.cfg

esets_d a emo n (8 )

file is als o highl y recommended, as

man pa ge for

please refer to the

esets.cfg (5 )

and

esets_d a emo n (8 )

man pa ges, as well as relevant agents‘ man pages.

@ETCDIR@/certs

This di rectory is used to store the certificates used by the ESETS web interface for authentication. Pl ease see the

esets_ww w i(8 )

man pa ge for detai l s.

@ETCDIR@/license

This di rectory is used to store the product(s) li cense key(s) you have acquired from your vendor. Note that the ESETS daemon wil l check onl y this directory for a vali d l i cense key, unless the

‘license_dir’

parameter in the ESETS configuration file i s redefined.

@ETCDIR@/scripts/license_warning_script

If enabled by the ESETS confi guration fi le parameter

‘license_wa rn_ena bled ’

, this script will be executed 30 days (once per da y)

before product license expi ra tion, sending a n emai l notification about the expiration status to the system administrator.

@ETCDIR@/scripts/daemon_notification_script

If enabled by the ESETS confi guration fi le parameter

‘ex ec_scrip t’

, this script is executed in the event of a detected infi l tration

by the antivirus s ystem. It is used to send email notifi cation about the event to the system administrator.

5. Integration with File System services

This chapter describes the On-demand a nd On-access scanner configurati on whi ch wil l provide the most effective protection from vi rus a nd worm fil e system infecti ons . ESET File Securi ty’s s canning power is deri ved from the On-demand scanner command additiona l On-a ccess scanner techni que which uses the preloa ded library module described in the foll owi ng sections.

‘es ets_sca n’

and the On-access s canner command

‘es ets_d a c’

. The Linux version of ESET Fil e Security offers a n

libes ets_ p a c.so

. All of these commands a re

W arnin g !

This resul ts in no threat detection on NSS mounted volumes. If you ha ve such mounted volume, set the

‘ro o t’

Novell Stora ge Services (NSS) break common unix securi ty principles the scanner relies on when limiting privil eges.

‘es ets_u ser’

in ESETS configuration file and restart ESETS daemon.

parameter to

5.1 On-demand scanner

The On-demand sca nner can be invoked by a privileged user (usuall y a system admi ni strator) through the command line interface or web interface, or by the operating sys tem’s automatic scheduling tool (e.g., cron). Thus , the term file system objects whi ch are scanned on user or system demand.

The On-demand sca nner does not requi re speci al confi guration i n order to run. After the ESETS package has been properly installed and a valid license has been moved to the license keys di rectory (@ETCDIR@/li cense), the On-demand s ca nner can be run i mmediately us i ng the command li ne interface or the Scheduler tool. To run the On-demand scanner from the command l i ne, use the following s yntax:

@SBINDIR@/esets_scan [option(s)] FILES

where FILES is a lis t of di rectories and/or files to be scanned.

Multipl e command line options are avai l able usi ng ESETS On-demand s canner. To s ee the full li s t of options, please see the

esets_sca n(8 )

man pa ge.

O n -dem an d

refers to

5.2 On-access scanner powered by Dazuko

The On-access s canner is i nvoked by user(s) access and/or operating s ys tem access to fil e system objects. This a lso explai ns the term

O n -a ccess

; the scanner is triggered on a ny attempt to access a selected fil e system object.

The techni que used by ESETS On-access s canner is powered by the Dazuko (da-tzu-ko) kernel modul e and is bas ed on the interception of kernel call s . The Dazuko project is open s ource, which means that its s ource code is freely distributed. This al l ows users to compile the kernel modul e for their own custom kernels. Note that the Dazuko kernel module is not a part of any ESETS product and must be compil ed and instal led into the kernel pri or to usi ng the On-access command hand the Dazuko techni que makes On-a ccess sca nni ng i ndependent from the fil e system type used. It is a lso suitabl e for scanning of file sys tem objects via Network File System (NFS), Nettalk and Samba.

Import a nt :

that the scanner has been pri marily developed and tested to protect external ly mounted file systems. In ca se of multiple fil e systems that are not externall y mounted, you will need to exclude them from fil e access control i n order to prevent system hang ups. An example of a typical directory to exclude is the

Before we provide detai led information related to On-access scanner confi guration and us e, it s houl d be noted

‘/dev ’

directory and any directori es used by ESETS.

esets_d a c

. On the other

5.2.1 Operation principle

The On-access scanner conti nuous moni tori ng a nd control over the file sys tem. Every file system object is scanned based on cus tomizable fil e access event types. The following event types are supported by the current version:

Open events

To activa te this file access type set the value of the This will enabl e the ON_OPEN bit of the Dazuko access mask.

Close events

To activa te this file access type set the value of the This will enabl e the ON_OPEN bit of the Dazuko access mask. This will enabl e the ON_CLOSE and ON_CLOSE_MODIFIED bits of the Dazuko access mask.

esets_d a c

(ESETS Dazuko-powered file Access Control ler) is a resi dent program which provi des

‘ev en t_m a sk’

parameter to open in the

parameter to close in the

[d a c]

section of the esets.cfg file.

[d a c]

section of the esets.cfg file.

NOTE: Some OS kernel versions do not support the interception of ON_CLOSE events. In these ca ses, close events will not be monitored by

Exec events

To activa te this file access type set the value of the

esets_d a c

‘ev en t_m a sk’

parameter to exec i n the

[d a c]

section of the esets.cfg file. This

wil l enable the ON_EXEC bit of the Dazuko access mask.

The On-access s canner ensures that all opened, closed and executed files are first scanned by the esets_daemon for viruses. Depending on the sca n resul ts, access to specific files i s denied or allowed.

5.2.2 Installation and configuration

The Dazuko kernel module must be compiled and installed within the running kernel before initializi ng on how to compil e and install Dazuko, please see:

http://www.dazuko.org

esets_d a c

. For detai l s

Once Dazuko i s installed, review and edit the proper functioni ng of the On-a ccess scanner i s dependent upon configurati on of the section of this fi le. Additional l y, you mus t define the fil e system objects (i .e. directories and fi les) that are to be monitored by the On-access scanner. This can be accomplished by defini ng the parameters of the located within the read by reloading the ESETS daemon.

[d a c]

section. After making changes to the esets.cfg fil e, you can force the newly created confi guration to be re-

[g loba l]

and

[d a c]

sections of the ESETS configuration file (esets.cfg). Note that

‘a gen t_en ab led ’

‘ctl_in cl’

and

‘ctl_ex cl’

option within the

options, which are al so

[d a c]

5.2.3 Tips

To ensure that the Dazuko modul e loads prior to initial ization of the

Place a copy of the Dazuko module in either of the followi ng di rectories reserved for kernel modul es:

/lib/modules

/modules

Use the kernel utilities ‘depmod’ and ‘modprobe’ (For BSD OS, use ‘kldconfig’ and ‘kl dl oad’) to handle dependenci es and successful initialization of the newly added Dazuko module.

In the esets_daemon ini tial i zation scri pt ‘/etc/ini t.d/esets_daemon’, insert the following l i ne before the daemon initialization statement:

/sbin/modprobe dazuko

For BSD OS’s the line

esets_d a c

daemon, follow these steps:

/sbin/kldconfig dazuko

must be inserted into the ‘/usr/local/etc/rc.d/esets_daemon.sh’ scri pt.

W arnin g !

withi n the kernel modules directory it will not properly loa d, caus ing system hang-ups.

It i s extremely important that these steps are executed in the exact order gi ven. If the kernel module is not loca ted

5.3 On-access scanner using preload LIBC library

In the previous s ections we descri bed the integration of the On-access scanner powered by Dazuko with Linux/BSD fi l e system services. If, however, the use of Dazuko i s not feas ible, for exampl e for s ys tem adminis trators who mai ntain criti ca l systems where:

the source code and/or confi guration fi les related to the runni ng kernel are not avai lable, the kernel is more monoli thic than modular, the Dazuko modul e simpl y does not support the given OS.

In any of these cases, the On-access s canni ng techni que based on the preload LIBC library shoul d be us ed. See the foll owing topics in this s ection for detailed information. Please note that this section is relevant only for Linux OS users and contains information regarding the operation, ins tall ation and configurati on of the On-a ccess scanner us i ng the preload li brary

‘lib esets_p a c.so’

5.3.1 Operation principle

The On-access s canner activa ted at system start-up. This l i brary is used for LIBC cal l s by fi le sys tem servers such a s FTP server, Samba server etc. Every file system object is sca nned based on cus tomiza bl e file access event types. The following event types are supported by the current versi on:

Open events

This fi l e access type is activa ted if the word

Close events

This fi l e access type is activa ted if the word In this case, all file descri ptor and FILE stream close functions of the LIBC are intercepted.

Exec events

This fi l e access type is activa ted if the word this cas e, al l exec functions of the LIBC are intercepted.

All opened, cl osed and executed fil es a re sca nned by the ESETS daemon for vi ruses. Based on the result of s uch scans, access to given fil es i s denied or allowed.

libes ets_ p a c.so

(ESETS Preloa d l ibra ry bas ed file Access Control l er) i s a shared objects library whi ch is

‘o p en ’

is present in the

‘close’

is present in the

‘ex ec’

is present in the

‘ev en t_m a sk’

parameter in the esest.cfg fil e (

parameter in the esets.cfg fil e (

parameter in the esets.cfg (

[p a c]

section).

[p a c]

section).

section). In

5.3.2 Installation and configuration

The

libes ets_ p a c.so

just to define the environment varia bl e please refer to the

library modul e is installed us ing a standard i ns tal l ation mechani s m of the preloaded l ibra ri es. One has

ld .so ( 8 )

‘LD _PRELO A D’

man pa ge.

with the absolute path to the

libes ets_ p a c.so

library. For more information,

NOTE: It is important that the (ftp, Samba, etc.) that will be under control of the On-access scanner. Generall y, preloa di ng LIBC cal l s for al l operating sys tem process es i s not recommended, as this can dramatically sl ow the performance of the sys tem or even cause the sys tem to hang. In this s ense, the ‘/etc/ld.so.preload’ file should not be used, nor should the ‘LD_PRELOAD‘ environment variabl e be exported global l y. Both would override all relevant LIBC cal ls, which could lead to system hang-up duri ng i ni tial i zation.

To ensure that only relevant file access cal ls withi n a given file system are intercepted, executable statements can be overri dden usi ng the following l i ne:

LD_PRELOAD=/usr/lib/libesets_pac.so COMMAND COMMAND-ARGUMENTS

where ‘COMMAND COMMAND-ARGUMENTS’ is the original executable statement.

Review and edit the functi on correctly, you must define the file system objects (i .e. directories a nd fi l es) that are required to be under control of the preload library. This can be achieved by defining the parameters of the ESETS configuration fi l e. After maki ng changes to the esets.cfg file, you can force the newly created confi guration to be re-read by reloading the ESETS daemon.

[g loba l]

‘LD _PRELO A D‘

and

[p a c]

environment varia bl e is defined onl y for the network server daemon processes

sections of the ESETS configuration file (esets.cfg). In order for the On-access s canner to

‘ctl_in cl’

and

‘ctl_ex cl’

options in the

[p a c]

section of the

5.3.3 Tips

In order to activate the On-access s canner immedia tely a fter file system start-up, the be defined within the appropri ate network file server initia l ization s cript.

Ex a mp le:

starting the Samba server. Within the Samba daemon initiali zation scri pt (/etc/init.d/smb), we would replace the statement

daemon /usr/sbin/smbd $SMBDOPTIONS

Let’s assume we want to have the On-a ccess scanner to monitor all file system access events i mmediately after

‘LD _PRELO A D’

environment varia bl e must

with the following li ne:

LD_PRELOAD=/usr/lib/libesets_pac.so daemon /usr/sbin/smbd $SMBDOPTIONS

In this way, selected file system objects controlled by Samba wil l be scanned at system start-up.

6. Important ESET File Security mechanisms

6.1 Handle Object Policy

The Handl e Object Policy (s ee figure 6-1) mechanism provides fi l tering of scanned obj ects bas ed on their status. This functi onality is ba sed on the foll owi ng configuration options:

action_av action_av_infected action_av_notscanned action_av_deleted

For detai l ed information on these options, please refer to the

Figure 6-1. Scheme of Handle Object Policy mechanism.

Every object processed is fi rst handl ed according to the configuration of the (or

‘d efer’, ‘d isca rd ’, ‘reject’

scanned for vi rus infiltra tions, and if the confi gurati on options eval uate handl ing of the object. If an accepted. Otherwise, the object is bl ocked.

) the object i s accepted (or deferred, di scarded, rejected). If the option i s set to

‘a v_clea n_m o d e

‘a ctio n _a v _in f ected

’,

‘a ctio n _a v _n o ts ca nn ed

‘a ccep t’

action has been taken as a result of these three action options , the object is

esets.cfg (5 )

’ option is s et to

’ and

‘a ctio n _a v _d eleted

man pa ge.

‘a ctio n _a v ‘

‘yes

’, the object is also cleaned. In addition, the

option. If thi s option is set to

‘sca n’

the object i s

’ are taken into account to further

‘a ccep t’

6.2 User Specific Configuration

The purpos e of the User Speci fic Configuration mechanism is to provide a hi gher degree of cus tomization and functi onality. It al l ows the sytem administra tor to define ESETS antivi rus s canner parameters ba sed on the user who i s accessing file system objects.

A detai l ed descri ption of this functiona lity can be found i n the short example of a user-specific configuration.

In this example, the goal is to use the disc mounted under the /home directory. The modul e can be confi gured in the below:

[dac] agent_enabled = yes event_mask = "open" ctl_incl = "/home" action_av = "scan"

To specify scan settings for an individual user, the where the individual s canning rules wi ll be stored. In the example shown here, the speci al configurati on fi l e is call ed

‘es ets_d a c_s p ec.cfg ’

Please see Terminology and abbreviati ons page).

and is l ocated withi n the ESETS configuration directory (This di rectory is bas ed on your opera ting system.

esets_d a c

module to control the ON_OPEN and ON_EXEC access events for an external

‘u ser_co n fig ’

esets.cfg (5 )

parameter must specify the speci al confi guration fi l ename

man pa ge; in thi s section we will provide only a

[d a c]

section of the ESETS configura tion file. See

[dac] agent_enabled = yes event_mask = "open" ctl_incl = "/home" action_av = "scan" user_config = "esets_dac_spec.cfg"

Once the

‘u ser_co n fig ’

file para meter is specifi ed within the

[d a c]

section, the

‘es ets_d a c_s p ec.cfg ’

file must be created in the

ESETS configuration directory. Finally, add the desi red scanning rules.

[username] action_av = "reject"

At the top of the special section, enter the username to which the individual rules will be appl ied. This configuration wil l al l ow all other users attempting to access the fil e-system to be process ed normally. i.e., all file system objects accessed by other users wi ll be scanned for i nfi ltrations, except for the user

‘u sern am e’

, whose access wil l be rejected (blocked).

6.3 Samples Submission System

The Samples submiss i on s ys tem is an i ntelli gent detected by advanced heuristics and deli vers them to the samples submis s ion system server. All virus sampl es collected by the sample submission system will be processed by the ESET virus laboratory and if necessa ry, a dded to the ESET virus signature database.

NOTE: According to our license agreement, by enabli ng s ample submissi on s ys tem you are agreeing to allow the computer and/or pl atform on which the esets_daemon is instal led to collect data (which may incl ude personal information a bout you and/or the user of the computer) and sa mples of newly detected viruses or other threats and send them to our vi rus la b. This feature is turned off by default. All i nformation collected wil l be used only to anal yze new threats a nd wi ll not be used for any other purpose.

In order to activate the Samples Submissi on System, the samples submiss i on s ys tem cache must be ini tial i zed. This ca n be achieved by enabl ing the

‘sa m ples_en a bled ’

option in the deli very of sa mples to the ESET virus laboratory servers, the para meter section.

Th rea tSen se.Net

[g loba l]

section of the ESETS configura tion file. To al l ow for the actual

technology that collects infected objects which have been

‘sa m ples_s end_p erio d ’

must also be speci fi ed in the same

In addi tion, users can choose to provide the ESET virus l abora tory team with supplementary i nformation us ing the

‘sa m ples_p rov id er_m a il’

and/or

‘sa m ples_p rov id er_co un try’

configurati on options . The informati on collected using these options

wil l assi st in providing the ESET team with an overvi ew about a given infiltration which may be spreadi ng over the Internet.

For more information on the Sampl es Submis sion Sys tem, refer to the

esets_d a emo n (8 )

man pa ge.

6.4 Web Interface

The Web Interface al l ows user-friendly configuration, adminis tra tion and license mana gement of ESET Security s ystems. This module is a separate agent and must be expli citly enabled. To qui ckly confi gure the the ESETS configura tion file and restart the ESETS daemon:

[wwwi] agent_enabled = yes listen_addr = address listen_port = port username = name password = pass

Replace the text in italics with your own val ues and direct your browser to

‘u sern am e/p a ss w o rd ’

found on the

esets_ww w i(1 )

. Basic us age ins tructions can be found on the help page and techni ca l details about

man pa ge.

The web interface all ows you to remotely access the ESETS daemon and deploy it easily. Thi s powerful utility makes it easy to read and write configurati on va lues.

W eb In terfa ce

‘h ttps:// a ddres s:po rt’

, set the foll owing options in

(note the https). Login with

esets_ww w i

can be

Figure 6-1. ESET Security for Linux - Home screen.

The web interface window of ESET Fil e Securi ty is divided into two mai n s ections. The primary window, that serves to dis pl ay the contents of the selected menu option and the main menu. This horizontal bar on the top lets you na vi gate between the following main options:

Home

- provides basic system and ESET product information

L icen ses

Con fig ur a tion

Con t r o l

Help

L o g ou t

- is a l i cense management utility, see the following chapter for mode details

- you can change the ESET File Security system confi guration here

- all ows you to run simple tas ks and view globa l statistics about obj ects processed by esets_daemon

- provides detai led usage instructions for the ESET File Securi ty web interface

- use to end your current session

6.4.1 License management

You can upl oad a new li cense using the Web interface, as shown in Figure 6-2.

If you want to di splay li censes in the console, use the foll owing command:

/usr/sbin/esets_lic --list

If you want to import new li cense files, use the following command:

/usr/sbin/esets_lic --import *.lic

Figure 6-2. ESET Licenses.

You can enable the li cense notification option in the days prior to your license expiration.

Glo b a l

section options. If enabl ed, this functionali ty will notify you 30

6.4.2 On-Access scanner (DAC) configuration example

There are two ways you can to confi gure ESETS. In our example we wil l demonstrate how to use either of them to setup the DAC module, descri bed i n section 5.2. You can choos e the option that best suits you.

Usi ng the ESETS configurati on fi l e:

[dac] agent_enabled = yes event_mask = "open" ctl_incl = "/home" action_av_deleted = "reject" action_av = "scan" action_av_infected = "reject"

Usi ng the web interface:

Figure 6-3. ESETS - Configuration > On-Access scanner.

When changi ng s ettings in the web interface, always remember to save your confi guration by the cl i ck your new changes cl ick the

A p p ly ch a ng es

button in the

Con fig ur a tion

sections pa nel.

6.4.3 On-Demand scanner

This s ection comprises an example on how to run the On-Demand scanner to scan for vi ruses:

Navi gate to Enter the path to the directory you want to scan Execute the Command-l ine scanner by cli cking the

Con t r o l > O n-Dem a nd Sca n

Sca n

button

Sa ve ch a ng es

. To appl y

Figure 6-4. ESETS - Control > On-Demand scanner.

ESET Command-l i ne scanner will a utomatically run in the background. To see the scanni ng progress, click the browser window wil l open.

6.4.4 Statistics

You can vi ew statistics for all of active ESETS agents here.

Figure 6-5. ESETS - Control > Statistics.

Sta t ist ics

summary refreshes every 10 seconds .

V iew

link. A new

6.5 Remote Administration

ESETS supports ESET Remote Admini stration for file security management in l arge computer networks. The ESETS Remote Admini strati on Cl i ent is pa rt of the mai n ESETS daemon and performs the following functions:

Communicates with ERA Server and provi des you with system information, configuration, protection statuses and several other features All ows cl ient configura tions to be viewed/modifi ed using the ESET Configuration Editor and impl emented with the help of confi gurati on tasks Can perform Performs On-demand scans as requested, and submits the resul ting back to ERA Server Adds l ogs of notable scans performed by the ESETS daemon to Sends al l non-debug mess ages to

These functi onalities are not supported:

Firewall Log Remote Instal l

Upd a te No w

tasks

Sca n L o g

Th r ea t Log

Ev ent L og

Figure 6-6. ERA Console tabs.

For more information, please read the ESET Remote Adminis tra tor manual. This manua l is located on our web si te at the following l i nk:

http://www.eset.com/documentation

6.5.1 Remote Administration usage example

Before commenci ng a ny remote administration process ensure your system fulfil l s the three following prerequisites:

Runni ng ERA Server Runni ng ERA Console Enabl e RA Cli ent in the ESETS daemon. Ensure that firewall settings do not block traffic to ERA Server or vi ce versa.

To setup the bas i cs , specify the address of your ERA Server i n the to access the ERA Consol e pass word, you must edit the value of the

‘ra cl_server_a dd r’

‘ra cl_pa s swo rd ’

parameter first. If you are using a pas sword

parameter accordingly. Change the val ue of

the ‘racl_interval ’ parameter to adjus t the frequency of connections to ERA Server (in minutes).

You can either us e the web interface (see also previous chapter) to apply the new configuration, or you can a djust these parameters i n the

racl_server_addr = "yourServerAddress" racl_server_port = 2222 racl_password = "yourPassword" racl_interval = 1

NOTE: All a ppl i ca bl e ESET Remote Adminis tra tion Client vari ables are listed on the

[g loba l]

section of the ESETS configura tion file as follows:

esets_d a emo n (8 )

man pa ge.

The ESETS daemon configurati on will be reloa ded and RACL will connect to ERA Server. You will be able to see a newly connected cl i ent in your ERA Console. Press the F5 button (or

M enu > V iew > Refr esh

) to manua lly refresh the li st of connected

cl ients.

Figure 6-7. ERA Console.

By using ERA Console you ca n create a configura tion tas k to ESETS daemon from ERA Consol e:

Right click the connected Navi gate to Expand

N ew Ta sk > C o n fig ur a tion T a sk > Cr ea te...

Unix ESET S ecurit y tree

Client N a me

For a n example of a configuration task by the DAC agent, see below:

Figure 6-8. ERA Configuration Editor.

The

N ew Ta sk

context menu contains On-demand s ca nni ng options (enabled/dis abled cleani ng).

You can select the desi red product, that you wis h to set the task for, i n the

Con fig ur a tion S ectio n

drop-down menu. Make sure that you select the

(i.e. the product that is i ns tal l ed on your target works tation).

Figure 6-9. ERA On-demand scan.

O n -Dem a nd Sca n

pop-up window in the

O n -d em a nd Sca n ta sk fo r Unix E SET S ecu r it y P r od u ct

option

6.6 Logging

ESETS provides system daemon logging via s ys log.

Syslog

is a standard for l oggi ng program mess ages and can be used to log

system events s uch as network and securi ty events.

Messages refer to a fa cil i ty:

auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7

Messages are assigned a priority/level by the sender of the message:

Error, Warning, Summall, Summ, Partall, Part, Info, Debug

This s ection descri bes how to confi gure and read the logging output of sysl og. The

‘d a em o n ’

interface. Modify the val ue of the

) defines the sys l og faci l ity used for logging. To modify s ys log settings edit the ESETS configura tion file or use the web

‘syslog _cla ss’

parameter to change the logging clas s. We recommend you modify these settings

‘syslog _fa cility’

option (default value

only if you a re famil i ar with sys l og. For an example of sys l og configuration see below:

syslog_facility = "daemon" syslog_class = "error:warning:summall"

The name and l ocati on of the log file depend on your syslog installa tion and configuration (e.g. rsyslog, syslog-ng, etc.). Standa rd filenames for s ys l og output fi les are for example

‘syslog ’, 'd a em o n.lo g '

, etc. To follow sysl og activity, run one of the

following commands from the cons ol e:

tail -f /var/log/syslog tail -100 /var/log/syslog | less cat /var/log/syslog | grep esets | less

If you enabl e ESET Remote Administration, ERA log entries ol der than given days by the option

‘ra cl_lo g s_lifetime’

wil l be

automatical l y deleted.

7. ESET Security system update

7.1 ESETS update utility

To maintai n the effectiveness of ESET File Security, the virus signature databa se must be kept up to date. The esets_update util i ty has been developed for this purpose. See the options In the event that your server accesses the Internet via HTTP proxy, the addi tional confi gura tion options must be defined. If access to the HTTP proxy requires a us erna me and pa ssword, the options must also be defined in this s ection. To initiate an update, enter the foll owing command:

the world - new patterns a re added to the virus si gnature database in very s hort intervals. For this reason, we recommend that updates be initiated on a regular ba sis. To speci fy the update frequency, the

[g loba l]

virus signature databas e.

‘a v_up d a te_usern a me’

@SBINDIR@/esets_update

To provi de the highest possible securi ty for the end us er, the ESET team continuously collects vi rus defini tions from all over

section of the ESETS configura tion file. The ESETS daemon must be up and runni ng i n order to successfully update the

and

‘a v_up d a te_pa ssw ord ’

7.2 ESETS update process description

The update process consi s ts of two stages: First, the precompiled update modules are downloaded from the ESET server. If the option

‘a v_mirror_en a bled ’

modules are created in the fol lowing directory:

is s et to ‘yes’ in the

esets_u p d a te( 8 )

[g loba l]

section of the ESETS configura tion file, copies (or mirror) of these update

man pa ge for detai l s. To la unch an update, the confi gura tion

must be defined in the

‘a v_up d a te_perio d ’

[g loba l]

section of the ESETS configura tion file.

‘p ro x y_usern a me’

‘p ro x y_a d dr’, ‘p ro x y_po rt’

and

‘p ro x y_pa ssw ord ’

option must be defined in the

@BASEDIR@/mirror

If desired, the Mirror directory pa th ca n be redefined usi ng the confi gurati on fi l e. The newly created Mirror ca n then serve as a fully functi onal update server and can be used to create lower (chi l d) Mi rror s ervers . See section 7.3 for detai ls.

The option security products. These modul es can be mirrored from the ESET server.

NOTE: Once you set your username, pas sword a nd l i cense for ESET Fil e Security to downl oad PCU's for ESET NOD32 Antivirus / ESET Smart Security, please contact our Technical Support and request a change, that wil l enabl e your ESET File Security to download PCU's for our Wi ndows-based products.

The second stage of the update process is the compilati on of modules loadabl e by the ESET File Security scanner from those stored in the local mirror. Typicall y, the following ESETS loadi ng modul es are created: loader modul e (em000.dat), scanner module (em001.dat), virus signature database module (em002.dat), archi ves support module (em003.dat), advanced heuri stics module (em004.dat), etc. The modules are created in the following directory:

@BASEDIR@

This i s the directory where the ESETS daemon loads modules from and thus can be redefined usi ng the

[g loba l]

‘a v_mirror_p cu’

section of the ESETS configura tion file.

al l ows you to downl oad Program Component Update (PCU) modul es for Wi ndows-ba sed ESET

‘a v_mirror_d ir’

option in the

[g loba l]

section of the ESETS

‘b a se_d ir’

option in the

7.3 ESETS mirror http daemon

ESETS mirror http daemon is installed automatically with ESET Fil e Securi ty. The http mirror daemon starts i f the option

‘a v_mirror_h ttpd _en a bled’

in the

[g loba l]

section of the ESETS configura tion file is set to

‘yes ’

and the Mirror i s enabled.

Options address es) where the http server l i stens.

The option

‘a v_mirror_h ttpd _usern a me’

access the Mirror.

‘a v_mirror_h ttpd _port’

‘a v_mirror_h ttpd _a u th_m od e’

and

‘a v_mirror_h ttpd _pa s swo rd ’

‘a v_mirror_h ttpd _a d d r’

define the port (default 2221) and address (default: all l ocal tcp

al l ows access authentication (default: none) to be changed to basic. The options

al l ow an admini s trator to define the login and pas sword used to

8. Let us know

Dear user, we hope this Gui de has provi ded you wi th a thorough understandi ng of the requi rements for ESET File Security installation, configuration a nd maintenance. However, our goal i s to continua lly improve the qual i ty and effectiveness of our documentation. If you feel that any s ections in this Gui de are uncl ear or incomplete, please let us know by contacting Customer Care:

http://www.eset.com/support

or us e directly the support form:

http://www.eset.eu/support/form

We are dedicated to provi de the highest level of support and l ook forward to helping you shoul d you experience any probl ems concerning this product.

9. Appendix A. PHP License

Redis tri bution and us e in source and bi na ry forms, with or without modification, is permitted provided that the foll owing conditi ons are met:

1. Redis tri butions of source code must retain the above copyri ght notice, this list of condi tions and the foll owing di scl aimer.

2. Redis tri butions in bi nary form must reproduce the above copyri ght notice, this l i st of conditi ons and the following di s cl aimer

in the documentation and/or other materi als provi ded with the distribution.

3. The name “PHP” must not be used to endorse or promote products derived from this s oftware without pri or written

permis s ion. For written permis sion, please contact group@php.net.

4. Products derived from this s oftware may not be called “PHP”, nor may “PHP” appear i n their name, without prior wri tten

permis s ion from group@php.net. You may i ndi cate that your software works in conjunction with PHP by s aying “Foo for PHP” instead of calling it “PHP Foo” or “phpfoo”

5. The PHP Group may publ i sh revised and/or new versi ons of the license from time to time. Each version will be given a

distingui shing version number. Once covered code has been published under a particular version of the li cense, you may al ways continue to use it under the terms of that versi on. You may al s o choose to use such covered code under the terms of any subsequent version of the li cense publ i shed by the PHP Group. No one other than the PHP Group ha s the right to modify the terms appl ica bl e to covered code created under thi s License.

6. Redis tri butions of any form whatsoever must retain the foll owi ng acknowledgment: “This product includes PHP software,

freely a vailabl e from <http://www.php.net/software/>”.

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMI TED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISI NG IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSI BILITY OF SUCH DAMAGE.

Eset File Security Installation Manual and User Guide

Specifications and Main Features

Frequently Asked Questions

User Manual

W eb In terfa ce

Sta t ist ics