"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure
product names and symbols/logos are either trademarks or registered trademarks of F-Secure
Corporation. All product names referenced herein are trademarks or registered trademarks of their
respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of
others. Although F-Secure Corporation makes every effort to ensure that this information is accurate,
F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure
Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of
this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of F-Secure Corporation.
This product may be covered by one or more F-Secure patents, including the following:
How the Product Works................................................................ 6
Key Features and Benefits........................................................... 9
F-Secure Anti-Virus Server and Gateway Products................... 11
1.1 Welcome
Welcome to F-Secure Anti-Virus Linux Server Security.
Computer viruses are one of the most harmful threats to the security of
data on computers. Viruses have increased in number from just a handful
a few years ago to many thousands today. While some viruses are
harmless pranks, other viruses can destroy data and pose a real threat.
The product provides an integrated, out-of-the-box ready security solution
with strong real-time antivirus protection and host intrusion prevention
(HIPS) functionality that protects against unauthorized connection
attempts from the network, unauthorized system modifications, and
userspace and kernel rootkits. The solution can be easily deployed and
managed either using the local graphical user interface or F-Secure
Policy Manager.
F-Secure Policy Manager provides a tightly integrated infrastructure for
defining and distributing security policies and monitoring the security of
different applications from one central location.
1.2 How the Product Works
The product detects and prevents intrusions and protects against
malware. With the default settings, workstations and servers are
protected right after the installation without any time spent configuring the
product.
Protection Against Malware
The product protects the system against viruses and potentially malicious
files.
When a user downloads a file from the Internet, for example by clicking a
link in an e-mail message, the file is scanned when the user tries to open
it. If the file is infected, the product protects the system against the
malware.
Real-time Scanning
Real-time scanning gives you continuous protection against viruses as
files are opened, copied, and downloaded from the Web. Real-time
scanning functions transparently in the background, looking for viruses
whenever you access files on the hard disk, diskettes, or network drives.
If you try to access an infected file, the real-time protection automatically
stops the virus from executing.
Manual Scanning And Scheduled Scanning
When real-time scanning has been configured to scan a limited set of
files, you can use manual scanning to scan the full system, or use
scheduled scanning to scan the full system at regular intervals.
Automatic Updates
Automatic Updates keep the virus definitions always up-to-date. The virus
definition databases are updated automatically after the product has been
installed. The virus definition updates are signed by the F-Secure
Anti-Virus Research Team.
CHAPTER 1 Introduction
Host Intrusion Prevention System
The Host Intrusion Prevention System (HIPS) detects any malicious
activity on the host, protecting the system on many levels.
Integrity Checking
Integrity Checking protects the system against unauthorized
modifications. It is based on the concept of a known good configuration the product should be installed before the server or workstation is
connected to the network to guarantee that the system is in a known g ood
configuration.
You can create a baseline of the system files you want to protect and
block modification attempts of protected files for all users.
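The following shell script is an added illustration of the baseline idea described above; it is not the product's own baseline code, file format or tooling. It keys each file's HMAC-SHA256 with a passphrase, in the same spirit as the installer's "passphrase for HMAC creation" step, and then re-checks the files, also reporting files that have disappeared. It assumes openssl is installed; the file names and contents in the demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the product's own baseline code or file format.
# A keyed (HMAC) baseline: recomputing a value needs the passphrase,
# so an intruder who replaces a protected file cannot simply recompute
# a plain hash to make the change look legitimate.
# Assumes: openssl(1) is installed.

# hmac_file PASSPHRASE FILE -> prints the hex HMAC-SHA256 of FILE
hmac_file() {
    # openssl prints "HMAC-SHA256(path)= <hex>" (OpenSSL 3 prints
    # "HMAC-SHA2-256"); the last field is the hex value in both cases.
    openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'
}

# make_baseline PASSPHRASE BASELINE_FILE FILE... -> writes "hex  path" lines
make_baseline() {
    pass=$1; out=$2; shift 2
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hmac_file "$pass" "$f")" "$f" >> "$out"
    done
}

# verify_baseline PASSPHRASE BASELINE_FILE
# prints "MODIFIED path" or "MISSING path" for each problem and returns
# 0 when every listed file still matches, 1 otherwise
verify_baseline() {
    pass=$1; base=$2; status=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        actual=$(hmac_file "$pass" "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$base"
    return $status
}

# demo: constructed sample files in a temp directory, not real system files
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/passwd"
    printf 'echo hello\n' > "$dir/tool"
    make_baseline 'example-passphrase' "$dir/baseline" "$dir/passwd" "$dir/tool"
    verify_baseline 'example-passphrase' "$dir/baseline" || return 1   # clean
    printf 'intruder:x:0:0::/:/bin/sh\n' >> "$dir/passwd"              # tamper
    verify_baseline 'example-passphrase' "$dir/baseline" && return 1   # must fail
    rm -rf "$dir"
    return 0
}
```

The baseline file itself must be stored where the attacker cannot rewrite it, and the passphrase must not be on the host in clear text; otherwise the keyed check degrades to a plain hash list.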
Firewall
The firewall component is a stateful packet filtering firewall which is based
on Netfilter and Iptables. It protects computers against unauthorized
connection attempts. You can use predefined security profiles which are
tailored for common use cases to select the traffic you want to allow and
deny.
Protection Against Unauthorized System Modifications
If an attacker gains shell access to the system and tries to add a user
account to log in to the system later, Host Intrusion Prevention System
(HIPS) detects modified system files and alerts the administrator.
Protection Against Userspace Rootkits
If an attacker has gained access to the system and tries to install a
userspace rootkit by replacing various system utilities, HIPS detects
modified system files and alerts the administrator.
Protection Against Kernel Rootkits
If an attacker has gained access to the system and tries to install a
kernel rootkit by loading a kernel module, for example through
/sbin/insmod or /sbin/modprobe, HIPS detects the attempt, prevents the
unknown kernel module from loading and alerts the administrator.
If an attacker has gained access to the system and tries to install a
kernel rootkit by modifying the running kernel directly via /dev/kmem,
HIPS detects the attempt, prevents write attempts and alerts the
administrator.
1.3 Key Features and Benefits
Superior Protection against Viruses and Worms
›The product scans files on any Linux-supported file system. This
is the optimum solution for computers that run several different
operating systems with a multi-boot utility.
›Superior detection rate with multiple scanning engines.
›A heuristic scanning engine can detect suspicious, potentially
malicious files.
›The product can be configured so that the users cannot bypass
the protection.
›Files are scanned for viruses when they are opened and before
they are executed.
›You can specify what files to scan, how to scan them, what action
to take when malicious content is found and how to alert about
the infections.
›Recursive scanning of archive files.
›Virus definition database updates are signed for security.
›Integrated firewall component with predefined security levels.
Each security level comprises a set of rules that allow or deny
network traffic based on the protocols used.
Transparent to End-users
›The product has an easy-to-use user interface.
›The product works totally transparently to the end users.
›Virus definition databases are updated automatically without any
need for end-user intervention.
Protection of Critical System Files
›Critical information of system files is stored and automatically
checked before access is allowed.
›The administrator can protect files against changes so that it is
not possible to install, for example, a trojan version.
›The administrator can define that all Linux kernel modules are
verified before the modules are allowed to be loaded.
›An alert is sent to the administrator when a modified system file is
found.
Easy to Deploy and Administer
›The default settings apply in most systems and the product can
be taken into use without any additional configuration.
›Security policies can be configured and distributed from one
central location.
Extensive Alerting Options
›The product has extensive monitoring and alerting functions that
can be used to notify any administrator in the company network
about any infected content that has been found.
›Alerts can be forwarded to F-Secure Policy Manager Console,
e-mail and syslog.
1.4 F-Secure Anti-Virus Server and Gateway Products
The F-Secure Anti-Virus product line consists of workstation, file server,
mail server and gateway products.
›F-Secure Messaging Security Gateway delivers the industry's
most complete and effective security for e-mail. It combines a
robust, enterprise-class messaging platform with perimeter
security, antispam, antivirus, secure messaging and outbound
content security capabilities in an easy-to-deploy, hardened
appliance.
›F-Secure Internet Gatekeeper for Linux is a high performance,
totally automated web (HTTP and FTP) and e-mail (SMTP and
POP) virus scanning solution for the gateway level. F-Secure
Internet Gatekeeper works independently of firewall and e-mail
server solutions, and does not affect their performance.
›F-Secure Internet Gatekeeper (for Windows) is a high
performance, totally automated web (HTTP and FTP-over-HTTP)
and e-mail (SMTP) virus scanning solution for the gateway level.
F-Secure Internet Gatekeeper works independently of firewall
and e-mail server solutions, and does not affect their
performance.
›F-Secure Anti-Virus for Microsoft Exchange protects your
Microsoft Exchange users from malicious code contained within
files they receive in mail messages and documents they open
from shared databases. Malicious code is also stopped in
outbound messages and in notes being posted on Public Folders.
The product operates transparently and scans files in the
Exchange Server Information Store in real-time. Manual and
scheduled scanning of user mailboxes and Public Folders is also
supported.
›F-Secure Anti-Virus for MIMEsweeper provides a powerful
anti-virus scanning solution that tightly integrates with Clearswift
MAILsweeper and WEBsweeper products. F-Secure provides
top-class anti-virus software with fast and simple integration to
Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web,
giving the corporation the powerful combination of complete
content security.
›F-Secure Anti-Virus for Citrix Servers ensures business
continuity without disruptions caused by viruses and other
malicious content. Citrix solutions enable businesses to improve
their productivity by providing easy access to information and
applications regardless of time, place and access device.
2
DEPLOYMENT
Deployment on Multiple Stand-alone Linux Workstations.......... 14
Deployment on Multiple Centrally Managed Linux Workstations 14
Central Deployment Using Image Files...................................... 15
2.1 Deployment on Multiple Stand-alone Linux Workstations
When the company has multiple Linux workstations deployed, but they
are not managed centrally, the workstation users can install the software
themselves.
›In organizations with few Linux machines, the graphical user
interface can be used to manage Linux workstations instead of
F-Secure Policy Manager. For more information on stand-alone
installation without F-Secure Policy Manager, see “Stand-alone
Installation”, 19.
›Centrally Managed installation with F-Secure Policy Manager
installed on a separate computer is recommended. In this mode,
F-Secure Policy Manager is used to manage Linux workstations.
For more information on Centrally Managed installation, see
“Centrally Managed Installation”, 21.
The recommended deployment method is to delegate the
installation responsibility to each workstation user and then
monitor the installation progress via F-Secure Policy Manager
Console. After the installation on a host has completed, the host
sends an autoregistration request to F-Secure Policy Manager.
You can monitor with F-Secure Policy Manager Console which of
the hosts have sent an autoregistration request.
2.2 Deployment on Multiple Centrally Managed Linux Workstations
When the company has multiple Linux workstations deployed and they
are managed through Red Hat Network, Ximian Red Carpet, or a similar
tool, the software can be pushed to the workstations using the existing
management framework.
2.3 Central Deployment Using Image Files
When the company has a centralized IT department that installs and
maintains computers, the software can be installed centrally on all
workstations.
The recommended way to deploy the products is to create an image of a
Linux workstation with the product preinstalled. For instructions on how to
do this, see “Replicating Software Using Image Files”, 26.
3
INSTALLATION
System Requirements................................................................ 17
›Novell Linux Desktop 9
›SUSE Linux 9.0, 9.1, 9.2, 9.3, 10, 10.1, 10.2
›Ubuntu 5.10 (Breezy), 6.06 (Dapper Drake)
›SUSE Linux Enterprise Server 8, 9, 10
›SUSE Linux Enterprise Desktop 10
›Red Hat Enterprise Linux 4, 3, 2.1 AS
›Miracle Linux 2.1
›Miracle Linux 3.0
›Asianux 2.0
›Turbolinux 10
›Debian 3.1
The following 64-bit (AMD64/EM64T)
distributions are supported with 32-bit
compatibility packages:
›SUSE Linux Enterprise Server 9, 10
›SUSE Linux Enterprise Desktop 10
›Red Hat Enterprise Linux 4
›Asianux 2.0
›Turbolinux 10
Kernel version: Linux kernel 2.4 or later (for 64-bit support, Linux
kernel 2.6 or later)
Glibc version: Glibc 2.2.4 or later
Processor: Intel x86
Memory: 256 MB RAM or more
Disk space: 200 MB
Konqueror is not a supported browser with the local user interface.
It is recommended to use Mozilla or Firefox browsers.
Note About Dazuko Version
The product needs the Dazuko kernel module for the real-time virus
protection, integrity checking and rootkit protection. Dazuko is an
open-source kernel module that provides an interface for the file access
control. More information is at http://www.dazuko.org
The product installs the Dazuko driver during the product installation.
The product has been tested extensively with the Dazuko version that is
included with the product. Operation with other Dazuko versions or Linux
distribution provided Dazuko versions is not supported or recommended.
3.2 Installation Instructions
The following installation modes are available:
›Stand-alone installation.
This installation mode is meant for evaluation use and for
environments with few Linux workstations or servers where
central administration with F-Secure Policy Manager is not
necessary.
When you install the product in stand-alone mode you configure
and manage the product with the web user interface that can be
opened from the system tray, or with the http://localhost:28080/
(local) or https://<host.domain>:28082/ (remote) address.
In addition to the user interface, the stand-alone installation
creates the F-Icon and a program entry under the applications
menu, and enables you to use the “right-mouse click” function.
For installation instructions, see “Stand-alone Installation”, 19.
›Centrally Managed installation.
The product is installed locally, and it is managed with F-Secure
Policy Manager that is installed on a separate computer.
Centrally managed installation is the recommended installation
mode when taking the product into use in a large network
environment.
For installation instructions, see “Centrally Managed Installation”,
21.
›For information on how to install the product on multiple
computers, see “Replicating Software Using Image Files”, 26.
›For information on how to install the product in the unattended
mode, which does not ask any questions during the installation,
see “Unattended Installation”, 27.
IMPORTANT: If you have some other vendor’s antivirus software
installed on the computer, you must uninstall it before installing the
product.
3.2.1 Stand-alone Installation
During the installation, you must have a compiler and the kernel source
installed. Read the documentation of your distribution on how to check
that the required tools are installed. For some common
distribution-specific instructions on how to install the required tools,
see “Installation Prerequisites”, 77.
It is recommended to use the default settings during the installation. To
select the default value, press ENTER during the installation.
Follow these instructions to install the product in stand-alone mode. You
will need to install the product using an account with root privileges.
1. Copy the installation file to your hard disk. Use the following
command to extract the installation file:
tar zxvf f-secure-linux-client-security-<version>.<build>.tgz
2. Make sure that the installation file is executable:
4. Select the language you want to use in the web user interface during
the installation.
Select language to use in Web User Interface
[1] English (default)
[2] Japanese
[3] German
5. The installation displays the license agreement. If you accept the
agreement, answer yes and press ENTER to continue.
6. Enter the keycode to install the full, licensed version of the product.
Enter the keycode in the format you received it, including the hyphens
that separate sequences of letters and digits:
If you are installing the evaluation version and do not have a keycode,
press ENTER.
7. Select the Standalone installation.
8. Select whether you want to allow the remote access to the web user
interface.
Allow remote access to the web user interface? [no]
9. Select whether the web user interface can be opened from the
localhost without a login.
Allow connections from localhost to the web user interface
without login? [yes]
10. Enter the user name who is allowed to access the web user interface.
Please enter the user name who is allowed to use the web user
interface.
The user name is a local Linux account. You have to create the
account if it does not exist yet. Do not use the root account for
this purpose.
11. Select whether you want to add the currently installed kernel modules
to the Integrity Checker known files list and generate the baseline. For
more information, see “Generate Baseline”, 61.
Would you like to enable Linux kernel module verification
[yes]?
12. Enter the baseline passphrase. For more information, see
“Passphrase”, 62.
Please insert passphrase for HMAC creation (max 80
characters)
13. The installation is complete.
After the installation is complete, you can start the F-icon systray applet
with the fsui command.
For information on how to access the web user interface and to see that
the virus protection is working, see “Getting Started”, 31.
3.2.2 Centrally Managed Installation
During the installation, you must have a compiler and the kernel source
installed. Read the documentation of your distribution on how to check
that the required tools are installed. For some common
distribution-specific instructions on how to install the required tools,
see “Installation Prerequisites”, 77.
When you install the product in centrally managed mode, you must first
have F-Secure Policy Manager installed on a separate computer. For
F-Secure Policy Manager Console installation instructions, see the
F-Secure Policy Manager Administrator’s Guide.
IMPORTANT: Before you start the installation, you have to copy
the admin.pub key from F-Secure Policy Manager to the computer
where you will install the product. You can do this by using, for
example, scp, sftp or any removable media. By default the
installation script assumes that the admin.pub key is located in the
/root directory.
Follow the instructions below to install the product in centrally managed
mode. You will need to install the product using an account with root
privileges.
1. Copy the installation file to your hard disk. Use the following
command to extract the installation file:
tar zxvf f-secure-linux-client-security-<version>.<build>.tgz
2. Make sure that the installation file is executable:
The setup script will display some questions. The default value is
shown in brackets after the question. Press ENTER to select the
default value.
4. Select the language you want to use in the web user interface during
the installation.
Select language to use in Web User Interface
[1] English (default)
[2] Japanese
[3] German
5. The installation displays the license agreement. If you accept the
agreement, answer yes and press ENTER to continue.
6. Enter the keycode to install the full, licensed version of the product.
Enter the keycode in the format you received it, including the hyphens
that separate sequences of letters and digits:
If you are installing the evaluation version and do not have a keycode,
press ENTER.
7. Type C to select the centrally managed installation.
8. Enter the address of the F-Secure Policy Manager Server.
Address of F-Secure Policy Manager Server:
[http://localhost/]:
9. Enter the location of the admin.pub key. This is the key that you
created during F-Secure Policy Manager Console Installation.
Give the admin.pub file location [/root/admin.pub]:
You can use the TAB key to complete directory and file names
when you enter the file name.
10. Select whether you want to allow remote accesses to the web user
interface.
Allow remote access to the web user interface? [no]
11. Select whether the web user interface can be opened from the
localhost without a login.
Allow connections from localhost to the web user interface
without login? [yes]
12. Enter the user name who is allowed to use the web user interface.
Please enter the user name who is allowed to use the web user
interface.
The user name is a local Linux account. You have to create the
account if it does not exist yet. Do not use the root account for
this purpose.
13. Select whether you want to add the currently installed kernel modules
to the Integrity Checker known files list and generate the baseline. For
more information, see “Generate Baseline”, 61.
Would you like to enable Linux kernel module verification
[yes]?
14. Enter the baseline passphrase. For more information, see
“Passphrase”, 62.
Please insert passphrase for HMAC creation (max 80
characters)
15. The installation is complete.
16. Install the included upgrade for F-Secure Policy Manager Console.
a. Select Installation Packages in the Tools menu.
b. Select to import the fsav_linux_*_mib.jar file.
17. The product receives the policy file from the F-Secure Policy
Manager within 10 minutes after the installation. If you do not want to
wait for the policy file, run the following command:
/etc/init.d/fsma fetch
After the installation is complete, you can start the F-icon systray applet
with the fsui command.
For information on how to access the web user interface and to see that
the virus protection is working, see “Getting Started”, 31.
3.3 Upgrading from a Previous Product Version
If you are running version 5.20 or later, you can install the new version
without uninstalling the previous version.
If you have an earlier version, upgrade it to 5.20 first, or uninstall it before
you install the latest version. The uninstallation preserves all settings and
the host identity, so you do not need to import the host to the F-Secure
Policy Manager again. For more information, see “Uninstalling Earlier
Version”, 25.
The product upgrade asks for the keycode you have received with the
new version. If you are running an earlier version in the evaluation mode,
you have to provide a valid keycode for the new version during the
upgrade.
If you are running an earlier version in the evaluation mode and you want
to evaluate the latest version, you have to uninstall the earlier version
first. You can install the latest in the evaluation mode during the clean
install.
If you do not have a valid keycode during the upgrade, press CTRL-C
to abort the upgrade. The installer uninstalls the product and you
can make a clean install.
Manual scanning, scheduled scanning and database update settings
have changed in version 5.30 and later. If you have modified these
settings before the upgrade, you have to make the same modifications
again after the upgrade.
Note that the upgrade deletes all alerts generated with the earlier version.
Upgrading from F-Secure Anti-Virus 4.65
You can upgrade version 4.65 to a command line only installation of
version 5.52 by running the installer normally. Your old configuration file
will be stored as /opt/f-secure/fsav/migration/fsav4.conf. For more
information, see “Installation Instructions”, 18.
If you want to upgrade version 4.65 to the full 5.52 version, uninstall the
old version first and run 5.52 installer normally. For more information, see
“Uninstalling Earlier Version”, 25.
Uninstalling Earlier Version
If you have version 5.x, run the following command from the command
line to uninstall it:
/opt/f-secure/fsav/bin/uninstall-fsav
If you have version 4.x, remove the following directories and files to
uninstall it:
If you want to upgrade the evaluation version to the full, licensed version
of the product, run the installation as normal. The upgrade script will
notice the trial version and upgrades the packages.
Enter the keycode to upgrade to the licensed version of the product. Enter
the keycode in the format you received it, including the hyphens that
separate sequences of letters and digits.
If the evaluation period has expired, uninstall the current
installation first. For more information, see “Uninstallation”, 30.
3.5 Replicating Software Using Image Files
If you are going to install the product on several computers, you can
create a disk image file that includes the product and use this image to
replicate the software on the computers. Make sure that each computer
on which the software is installed will create a new unique identification
code.
Follow these steps to make sure that each computer uses a personalized
Unique ID when a disk imaging software is used:
1. Install the system and all the software that should be in the image file,
including the product.
2. Configure the product to use the correct F-Secure Policy Manager
Server. However, do not import the host to F-Secure Policy Manager
Console if the host has sent an autoregistration request to the
F-Secure Policy Manager Server. Only hosts on which the image file
will be installed should be imported.
3. Run the following command:
/etc/init.d/fsma clearuid
The utility program resets the Unique ID in the product installation.
4. Shut down the computer and do not restart the computer before the
image file has been created.
5. Create the disk image file.
A new Unique ID is created automatically when the system is restarted.
This will happen individually on each machine where the image file is
installed. These machines will send autoregistration requests to F-Secure
Policy Manager and the request can be processed normally.
3.6 Preparing for Custom Installation
The product installation package is a self extracting package, which
contains the software as RPMs. If there is a need to create a custom
installation package, the RPMs can be extracted from the package as
follows:
MODE is standalone for the standalone installation or managed for the
If MODE is managed, you have to provide the URL to F-Secure Policy
Manager Server and the location of the administrator public key, for
example: fspms=http://fspms.company.com/ adminkey=/root/admin.pub
Use the following options in the command line:
lang               Select the language for the web user interface.
remotewui          Allow remote access to the web user interface.
noremotewui        Do not allow remote access to the web user interface.
nolocallogin       Allow local access to the web user interface without login.
locallogin         Require login for the local access to the web user interface.
user=USER          Specify the local account to use for the web user interface login.
kernelverify       Turn on the kernel module verification.
nokernelverify     Turn off the kernel module verification.
pass=PASS          Specify the passphrase for the baseline generation.
keycode=KEYCODE    Specify the keycode for license checks. If no keycode is
                   provided, the product is installed in the evaluation mode.
For example, to install the product in standalone mode with an English web
user interface, no remote access to the user interface, no login required
for local user interface access and no kernel module verification:
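As an added example (not the product's installer or its documentation), the following shell function assembles the option words listed above for an unattended installation and rejects answers that violate constraints stated in this chapter: the web user interface account must not be root, the passphrase is limited to 80 characters, and managed mode needs both fspms= and adminkey= with a readable key file. It assumes that the mode word is passed first and that lang takes its value in the same key=value form as user=USER; the installer file name is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the product or its installer.
# Builds and sanity-checks the option words for an unattended install.
# ASSUMPTIONS (not confirmed by the manual): the mode word comes first,
# every other option is a separate command-line word spelled as in the
# option table, and lang takes a value as lang=LANG.
INSTALLER='./f-secure-linux-server-security-<version>.<build>'  # placeholder

# build_install_opts MODE LANG WUI_USER PASSPHRASE [FSPMS_URL ADMINKEY_PATH]
# Prints the option words on success; prints an error and returns 1 when
# the answers violate a constraint stated in the installation chapter.
build_install_opts() {
    mode=$1 lang=$2 wui_user=$3 pass=$4 fspms=$5 adminkey=$6
    case $mode in
        standalone|managed) ;;
        *) echo "error: MODE must be standalone or managed" >&2; return 1 ;;
    esac
    # the web UI account must be a local account and must not be root
    if [ -z "$wui_user" ] || [ "$wui_user" = root ]; then
        echo "error: web UI user must be a non-root local account" >&2; return 1
    fi
    # the baseline passphrase is limited to 80 characters
    if [ ${#pass} -eq 0 ] || [ ${#pass} -gt 80 ]; then
        echo "error: passphrase must be 1-80 characters" >&2; return 1
    fi
    # hardened choices: no remote web UI, login required locally, kernel
    # module verification on
    opts="$mode lang=$lang noremotewui locallogin kernelverify user=$wui_user pass=$pass"
    if [ "$mode" = managed ]; then
        # managed mode needs the Policy Manager Server URL and the admin.pub key
        if [ -z "$fspms" ] || [ -z "$adminkey" ]; then
            echo "error: managed mode requires fspms= and adminkey=" >&2; return 1
        fi
        case $fspms in
            http://*|https://*) ;;
            *) echo "error: fspms must be an http(s) URL" >&2; return 1 ;;
        esac
        if [ ! -r "$adminkey" ]; then
            echo "error: admin.pub not readable at $adminkey" >&2; return 1
        fi
        opts="$opts fspms=$fspms adminkey=$adminkey"
    fi
    echo "$opts"
}

# install_command ... -> prints the full (placeholder) installer invocation
install_command() {
    opts=$(build_install_opts "$@") || return 1
    echo "$INSTALLER $opts"
}
```

The built-in choices match the installer's defaults except that local web user interface access also requires a login; substitute nolocallogin where unattended local access is wanted. Because pass= and keycode= travel on the command line, they are visible in the process list and shell history while the installer runs, so invoke it from a script that is not world-readable rather than from an interactive shell.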
The command line only installation installs only the command line
scanner and the automatic update agent. The installation mode is
designed for users migrating from F-Secure Anti-Virus for Linux 4.6x
series and for users who do not need the real-time protection, integrity
checking, web user interface or central management, for example users
running AMaViS mail virus scanner.
Use the following command line when running the installer to install the
command line scanner only version of the product:
If you are running an earlier version and you want to upgrade to the latest
version, but you want to install the command line scanner only, you have
to uninstall the earlier version first.
Use the /etc/opt/f-secure/fssp/fssp.conf configuration file to configure the
command line scanner only installation. See the file for detailed
descriptions of the available settings.
3.9 Creating a Backup
To backup all relevant data, run the following commands:
Make sure that the fsma and fsaua users and the fsc group exist after the
backup has been restored, for example by also backing up the /etc/passwd,
/etc/shadow and /etc/group files.
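The following shell function is an added post-restore check, not part of the product: it verifies that the fsma and fsaua users and the fsc group named above exist, reading either the live /etc/passwd and /etc/group or restored copies given as arguments. The entries in the demo are constructed and do not reflect the product's real uids or home directories.

```shell
#!/bin/sh
# Added example, not part of the product. Confirms after a restore that
# the accounts the product runs under are present before starting it.

# check_fsecure_accounts [PASSWD_FILE] [GROUP_FILE]
# prints "missing user NAME" / "missing group NAME" for each absent entry;
# returns 0 when users fsma and fsaua and group fsc all exist, 1 otherwise
check_fsecure_accounts() {
    passwd_file=${1:-/etc/passwd}
    group_file=${2:-/etc/group}
    status=0
    for u in fsma fsaua; do
        # an account line starts with "name:"; anchoring avoids matching
        # a name that merely contains the string elsewhere in the line
        if ! grep -q "^$u:" "$passwd_file"; then
            echo "missing user $u"; status=1
        fi
    done
    if ! grep -q "^fsc:" "$group_file"; then
        echo "missing group fsc"; status=1
    fi
    return $status
}

# demo: constructed passwd/group copies, as restored from a backup, with
# the fsaua user absent; returns 0 when the check correctly reports that
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/sh\nfsma:x:501:501::/var/opt/f-secure:/bin/false\n' > "$d/passwd"
    printf 'root:x:0:\nfsc:x:501:\n' > "$d/group"
    check_fsecure_accounts "$d/passwd" "$d/group" && return 1
    rm -rf "$d"
    return 0
}
```

Run it with no arguments on the restored host, or point it at the restored copies of the files before they are put in place.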
3.10 Uninstallation
Run the script /opt/f-secure/fsav/bin/uninstall-fsav as root to
uninstall the product.
The uninstall script does not remove configuration files. If you are sure
that you do not need them any more, remove all files in the /etc/opt/f-secure/fsma path.
4
GETTING STARTED
Accessing the Web User Interface............................................. 32
Basics of Using F-Secure Policy Manager................................. 32
Testing the Antivirus Protection.................................................. 33
4.1 Accessing the Web User Interface
In small deployments where F-Secure Policy Manager is not available,
the web user interface can be used to configure the product. You can
access the web user interface from the system tray, or with the
http://localhost:28080/ address.
If you allow the remote access to the web user interface, you can access
it with the following HTTPS address:
https://<host.domain>:28082/.
It is possible to use both F-Secure Policy Manager and the web user
interface at the same time. Note that the user can locally override the
settings created with F-Secure Policy Manager unless the administrator
has prevented this by selecting the Final checkbox in the F-Secure Policy
Manager settings.
4.2 Basics of Using F-Secure Policy Manager
If your corporate network utilizes F-Secure Policy Manager to configure
and manage F-Secure products, you can add the product to the existing
F-Secure Policy Manager environment. In the centralized administration
mode, F-Secure Policy Manager Console is used to change settings and
view statistics of the F-Secure products.
Use the variables under the F-Secure Anti-Virus Linux Server Security /
Settings branch or the F-Secure Anti-Virus Linux Client Security / Settings
branch, depending on the installed product, to define settings for the
product.
For more information about F-Secure Policy Manager, see F-Secure
Policy Manager Administrator’s Guide.
4.3 Testing the Antivirus Protection
To test whether the product operates correctly, you can use a special test
file that is detected as a virus. This file, known as the EICAR Standard
Anti-Virus Test File, is also detected by several other anti-virus programs.
You can use the EICAR test file also to test your E-mail Scanning. EICAR
is the European Institute of Computer Anti-virus Research. The Eicar info
page can be found at
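As an added example (not from the product and not EICAR's own material), the following shell script writes the EICAR test file and then checks that what was written is byte-exact by comparing its length and SHA-256 against the published values. That check is worth running before concluding that a missed detection is a product problem, since a trailing newline or an editor transformation is the usual reason a test file is not recognised. It assumes sha256sum or shasum is available.

```shell
#!/bin/sh
# Added example, not part of the product. Creates the EICAR Standard
# Anti-Virus Test File and verifies it is the genuine 68-byte string.

# The 68-character EICAR string, single-quoted so the shell does not
# expand "$EICAR" and "$H". It is a harmless test pattern, not a program.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the 68-byte file (no trailing newline).
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

# write_eicar PATH -> creates the test file without a trailing newline
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# file_sha256 PATH -> prints the hex SHA-256 of the file
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_eicar PATH -> returns 0 only if the file is a byte-exact test file
verify_eicar() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
    [ "$(file_sha256 "$1")" = "$EICAR_SHA256" ]
}

# demo: writes the test file into a temp directory and verifies it; with
# real-time scanning enabled, opening the file afterwards is expected to
# be blocked and an alert raised (see "Real-time Scanning" above)
demo() {
    dir=$(mktemp -d)
    write_eicar "$dir/eicar.com"
    if verify_eicar "$dir/eicar.com"; then
        echo "test file written to $dir/eicar.com (SHA-256 verified)"
    else
        echo "test file is not byte-exact, do not use it for the test"
        return 1
    fi
}
```

Remove the test file once the check is done so that later manual or scheduled scans do not keep reporting it.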
Common Tasks........................................................................... 36
5.1 Summary
The summary page displays the product status and the latest reports. The
product status displays the protection status and any possible errors or
malfunctions.
CHAPTER 5 User Interface - Basic Mode
Status
Virus Protection: Shows the current Virus Protection level. Virus
Protection levels allow you to change the level of protection according
to your needs. If Virus Protection is disabled, your computer is
vulnerable to virus attacks.
Firewall Protection: Shows the current firewall protection level. The
firewall protection levels allow you to instantly change your firewall
rule set. For more information, see “Firewall Rules”, 52. If Firewall
Protection is disabled, your computer is vulnerable to hacking attacks.
Integrity Protection: Shows the current integrity protection level. For
more information, see “Integrity Checking”, 57. If Integrity Protection
is disabled, your computer is vulnerable to rootkits.
Click Details... for more information about the current protection status.
Reports
Virus Definitions
Updated
AlertsShows the number of unread security alerts.
Shows the time and status of the latest update.
Click View to view a list of ale rts. For more
information, see“Alerts”, 38.
5.2 Common Tasks
You can configure the manual scan and firewall settings and check the
latest virus definition database updates from the common tasks page.
Choose one of the following actions:
Scan the computer for malware - Opens a scanning wizard that can scan the
computer for any type of malware, including viruses, worms and trojans.
Follow the on-screen instructions for more details. For more information,
see “Manual Scanning”, 44.
Create a firewall rule - Create a new firewall rule. You can control which
type of network traffic is allowed and denied with firewall rules. For more
information, see “Add And Edit Rules”, 53.
Check the integrity of the file system - Check that important system files
have not been modified without permission. For more information, see
“Integrity Checking”, 57.
Update virus definitions - Retrieve the latest virus definition database
updates from the Internet. For more information, see “Automatic Updates”,
66.
Install software - Install new software while maintaining the system
integrity. The integrity checker checks the full system integrity and
reports results, after which you can proceed installing software. Follow
the on-screen instructions for more details. For more information, see
“Software Installation Mode”, 60.
Click Modify advanced settings... to view and configure advanced
settings.
CHAPTER 6 User Interface - Advanced Mode
6.1 Alerts
On the Alerts page, you can read and delete alert messages. To find the
alert message you want to view, follow these instructions:
1. Select the Status of security alerts you want to view.
Select All to view All alerts.
Select Unread to view new alerts.
Select Read to view alerts you have already viewed.
2. Select the Severity of security alerts you want to view. For more
information, see “Alert Severity Levels”, 38.
Click alerts to highlight them and click Mark highlighted as read to flag
them as read messages. Click Delete highlighted to delete all
highlighted alerts.
Alert Database Maintenance
Y ou can dele te or mark multiple messages as read simul taneously. Select
how old and which alert severity messages you want to edit and click
Perform action to delete or mark selected messages as read.
Alert Severity Levels
Alerts are divided into the following severity levels:
Security Level - Description
Informational - Normal operating information from the host. For example,
starting to update virus databases.
Warning - A warning from the host. For example, an error when trying to
read a file.
Error - Recoverable error on the host. For example, the virus definition
database update is older than the previously accepted version.
Fatal Error - Unrecoverable error on the host that requires attention from
the administrator. For example, a process fails to start or loading a
kernel module fails.
Security alert - For example, a virus alert. The alert includes information
of the infection and the performed operation.
6.2 Virus Protection
Real-Time Scanning
Real-time scanning is completely transparent. By default, all files
are scanned automatically when they are opened and executed.
Scheduled Scanning
If you want to scan the computer for viruses regularly, for
example once a week, you can create a scheduled scanning
task. Scheduled scanning uses the settings you have defined for
manual scanning.
Manual Scanning
You can launch a manual scan any time you want if you suspect
that there might be a virus on a computer. You can specify the
manual scanning settings, for example the directories to scan
and the action to take, independently of the real-time scanning
settings.
6.2.1 Real-Time Scanning
On the Real-Time Scanning page, you can select what to scan
automatically in real-time and what to do when a virus or other malware is
found.
In most cases you do not need to change the Real-Time Scanning default
settings before you take the system into use.
When the real-time scanning is enabled, any file you open is
automatically scanned for viruses.
Action on infection
Select the primary and secondary actions to take when a virus is found.
The secondary action takes place if the primary action cannot be
performed.
By default, the primary action for infections is Disinfect and secondary
action Rename. Choose one of the following actions:
Report and deny access - Displays and alerts about the found virus and
blocks access to it. No other action is taken against the infected file.
View Alerts to check security alerts. For more information, see “Alerts”,
38.
Disinfect - Disinfects viruses. Note that some viruses cannot be
disinfected. If the virus cannot be disinfected, the access to the infected
file is still blocked.
Rename - Renames the infected file and removes its execute permissions.
Renamed infected file stays on the computer, but it cannot cause any
damage. The renamed file has .virus extension.
Delete - Deletes the infected file.
Deny access - Blocks the access to the infected file, but does not send any
alerts or reports.
Suspected files
Select the primary and secondary actions to take when the heuristics
scanning engine finds a suspected file. The secondary action takes place if
the primary action cannot be performed.
By default, the primary action for suspected files is Report only and
secondary action Deny access. Choose one of the following actions:
Report and deny access - Displays and alerts about the suspected file and
blocks access to it. No other action is taken. View Alerts to check
security alerts. For more information, see “Alerts”, 38.
Rename - Renames the suspected file and removes its execute permissions.
Renamed suspected file stays on the computer, but it cannot cause any
damage. The renamed file has .suspected extension.
Delete - Deletes the suspected file.
Deny access - Blocks the access to the suspected file, but does not send
any alerts or reports.
What to scan
Directories excluded from the scan - Define directories which are excluded
from the virus scan. Type each directory on a new line, only one directory
per line. If scanning a certain directory takes a long time and you know
that no user can create or copy an infected file in it, or you get false
alarms during the scan, you can exclude the directory from the virus scan.
The list can also contain files if you want to exclude specific files from
the scan.
Scan only executables - Select whether only executables in scanned
directories are scanned for viruses. Clear the check box to scan all files
for viruses.
Whitelisted executables - Define executables which may access any files.
The real-time virus scan does not block any file accesses from whitelisted
executables.
Whitelisted executables must match baseline - Select whether whitelisted
executables must be unmodified in the known files list. If this setting is
enabled and the executable cannot be found in the integrity checking
baseline, it is not whitelisted.
Scan when opening a file - Select whether files are scanned every time they
are opened.
Scan when closing a file - Select whether files are scanned every time they
are closed.
Scan when running an executable - Select whether files are scanned every
time they are run.
If Scan on open and Scan on execute are disabled, nothing is scanned even
if Scan only executables is enabled.
Scanning archives with the real-time scanning can degrade the overall
system performance. When the archive scanning is enabled, some e-mail
clients may stop processing further e-mails when an infected e-mail is
opened.
Maximum number of nested archives - Set the number of levels in nested
archives the product should scan. Nested archives are archives inside other
archives.
Treat password protected archives as safe - Password protected archives
cannot be scanned for viruses. Select whether password protected archives
are treated as safe and the access to them is allowed or if they are
treated as unsafe and the user cannot access the archive. The user who
opens the password protected archive should have an up-to-date virus
protection on the workstation if password protected archives are treated
as safe.
Stop on first infection inside an archive - Select whether the whole
archive should be scanned even after an infection is found inside the
archive.
6.2.2 Scheduled Scanning
You can use the scheduled scanning to scan files for viruses regularly at
predefined times.
To set the scanning schedule, follow these instructions:
1. Click Add a new task.
2. Set the date and time when the scheduled scan should start. For
example:
a. To perform the task each Sunday at 4 am:
Minute: 0, Hour: 4, Day of the Month: *, Month: *, Day of the Week: sun
b. To perform the task every day at 5:30 am:
Minute: 30, Hour: 5, Day of the Month: *, Month: *, Day of the Week: *
3. Select directories that should be scanned at the scheduled time.
4. Click Save task to add the scheduled scanning task into the
schedule.
The scheduled scanning tasks use the Manual Scanning settings. For
more information, see “Manual Scanning”, 44.
A scheduled scan can take several hours, so it is a good idea to
run it when the system is idle, for example during the night. Another
alternative is to configure several scheduled scan tasks, and to
scan only some directories at one time.
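The five schedule fields above are cron-style. The following added example (not product code) parses them as typed into the task form, checks whether a given minute matches, and finds the next start time; the parsing rules, the function names and the Monday-based numbering of day-of-week values are its own assumptions.

```python
"""Matcher for the scheduled-scan time fields shown above: Minute, Hour,
Day of the Month, Month and Day of the Week. This is an added example, not
product code; the parsing rules and function names are its own assumptions."""
from datetime import datetime, timedelta

# Symbolic names accepted in the Day of the Week and Month fields. Python's
# weekday() numbers Monday as 0 and Sunday as 6, so the day list starts on
# Monday (assumed convention for numeric day-of-week values in this example).
_DAY_NAMES = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
_MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
                "jul", "aug", "sep", "oct", "nov", "dec"]

# field key, lowest value, highest value, symbolic names (or None)
_FIELDS = (
    ("minute", 0, 59, None),
    ("hour", 0, 23, None),
    ("day_of_month", 1, 31, None),
    ("month", 1, 12, _MONTH_NAMES),
    ("day_of_week", 0, 6, _DAY_NAMES),
)


def _atom(token, low, high, names):
    """Turn one token ('4', 'sun', 'jan') into an integer inside [low, high]."""
    token = token.strip().lower()
    if names and token in names:
        value = names.index(token) + low
    else:
        value = int(token)
    if not low <= value <= high:
        raise ValueError(f"value {token!r} is outside {low}..{high}")
    return value


def _parse_field(text, low, high, names):
    """Expand '*', a value, a range (1-5) or a list (0,30) into a set of ints."""
    text = text.strip()
    if text == "*":
        return set(range(low, high + 1))
    values = set()
    for part in text.split(","):
        start, _, end = part.partition("-")
        first = _atom(start, low, high, names)
        last = _atom(end, low, high, names) if end else first
        if first > last:
            raise ValueError(f"range {part!r} runs backwards")
        values.update(range(first, last + 1))
    return values


def parse_schedule(spec):
    """spec maps the five field keys to the text typed into the task form."""
    return {key: _parse_field(spec[key], low, high, names)
            for key, low, high, names in _FIELDS}


def schedule_is_valid(spec):
    """True if every field parses; use it to reject a task before saving it."""
    try:
        parse_schedule(spec)
        return True
    except (KeyError, ValueError):
        return False


def schedule_matches(parsed, when):
    """True if the scheduled task should start at the minute `when`."""
    return (when.minute in parsed["minute"]
            and when.hour in parsed["hour"]
            and when.day in parsed["day_of_month"]
            and when.month in parsed["month"]
            and when.weekday() in parsed["day_of_week"])


def next_run(parsed, after, horizon_days=366):
    """First start time strictly after `after`, or None within the horizon."""
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=horizon_days)
    while t <= end:
        if (t.month not in parsed["month"] or t.day not in parsed["day_of_month"]
                or t.weekday() not in parsed["day_of_week"]):
            # Wrong day: jump to midnight of the next day.
            t = (t + timedelta(days=1)).replace(hour=0, minute=0)
        elif t.hour not in parsed["hour"]:
            # Wrong hour: jump to the start of the next hour.
            t = (t + timedelta(hours=1)).replace(minute=0)
        elif t.minute in parsed["minute"]:
            return t
        else:
            t += timedelta(minutes=1)
    return None


# The two examples from the instructions above, as the form fields would hold them.
WEEKLY_SUNDAY_4AM = {"minute": "0", "hour": "4", "day_of_month": "*",
                     "month": "*", "day_of_week": "sun"}
DAILY_0530 = {"minute": "30", "hour": "5", "day_of_month": "*",
              "month": "*", "day_of_week": "*"}

if __name__ == "__main__":
    weekly = parse_schedule(WEEKLY_SUNDAY_4AM)
    print(next_run(weekly, datetime(2024, 1, 1, 12, 0)))  # 2024-01-07 04:00:00
```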
6.2.3 Manual Scanning
The manual scanning settings are used when you want to scan files or
directories for viruses manually and during the scheduled scanning.
If you have received a suspicious file, for example an executable or an
archive file via e-mail, it is always a good idea to scan it for viruses
manually.
By default, the archive scanning is disabled during the real-time
scan. The real-time scan scans the archive when it is extracted, but
if you copy or forward the archive without extracting it first, you
should manually scan the archive to make sure that it does not
contain any viruses.
To start the manual scan, select I want to... > Scan the computer for
malware in the basic mode. For more information, see “Common Tasks”,
36.
Action on infection
Select the primary and secondary actions to take when a virus is found.
The secondary action takes place if the primary action cannot be
performed.
By default, the primary action for infections is Disinfect and secondary
action Rename. Choose one of the following actions:
Report and deny access - Displays and alerts about the found virus. No
other action is taken against the virus. View Alerts to check security
alerts. For more information, see “Alerts”, 38.
Disinfect - Disinfects viruses. Note that some viruses cannot be
disinfected.
Rename - Renames the infected file and removes its execute permissions
when a virus is found. Renamed infected file stays on the computer, but it
cannot cause any damage. The renamed file has .virus extension.
Delete - Deletes the infected file when a virus is found.
Custom - Performs the action you define. To define the custom action, enter
the command to the Primary or Secondary custom action field.
Deny access - Blocks the access to the infected file, but does not send any
alerts or reports.
Abort Scan - Stops the scan.
Suspected files
Select the primary and secondary actions to take when the heuristics
scanning engine finds a suspected file. The secondary action takes place if
the primary action cannot be performed.
By default, the primary action for suspected files is Report only and
secondary action Deny access. Choose one of the following actions:
Report and deny access - Displays and alerts about the suspected file and
blocks access to it. No other action is taken. View Alerts to check
security alerts. For more information, see “Alerts”, 38.
Rename - Renames the suspected file and removes its execute permissions.
Renamed suspected file stays on the computer, but it cannot cause any
damage. The renamed file has .suspected extension.
Delete - Deletes the suspected file.
Deny access - Blocks the access to the suspected file, but does not send
any alerts or reports.
What to scan
Scan files - Define files that are scanned during the manual scan.
All files - Scans all files in the system.
Only files with specified extensions - Scans only files with the extensions
specified in the Included extensions field. The Included extensions field
appears after you have selected Only files with specified extensions.
Enable exclusions - Files with the extensions specified in the Directories
excluded from scanning field are not scanned. The Directories excluded from
scanning field appears after you have enabled exclusions.
Directories excluded from scanning - Define directories which are excluded
from the virus scan if the Enable exclusions setting is selected. Type each
directory on a new line, only one directory per line.
Scan any executable files in addition to all other specified files during
the manual scan.
RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives.
Maximum number of nested archives - Set the number of levels in nested
archives the product should scan. Nested archives are archives inside other
archives.
Treat password protected archives as safe - Password protected archives
cannot be scanned for viruses. Select whether password protected archives
are treated as safe. The user who opens the password protected archive
should have an up-to-date virus protection on the workstation if password
protected archives are treated as safe.
Stop on first infection inside an archive - Select whether the whole
archive should be scanned even after an infection is found inside the
archive.
Scanning a File Manually on a Workstation
When the product scans files, it must have at least read access to them. If
you want the product to disinfect infected files, it must have write access
to the files.
You can scan files manually from the KDE file manager. Right-click on any
file you want to scan and select Scan to scan the file for viruses.
Command Line
For information how to scan files from the shell, see “fsav”, 71.
6.3 Firewall Protection
The firewall protects the computers against unauthorized access from the
Internet as well as against attacks originating from inside the local-area
network. It provides protection against information theft as unauthorized
access attempts can be prohibited and detected.
Security Profiles
The firewall contains predefined security profiles which have a set
of pre-configured firewall rules. Different security profiles can be
assigned to different users; for example based on the company
security policy, user mobility, location and user experience.
Firewall Rules
You can configure the firewall by creating and editing firewall
rules. Firewall rules are a set of firewall services - Internet traffic
parameters that control which type of traffic is allowed and
denied. One rule can contain multiple services.
Network Services
Network services are described by what protocol and port they
use, for example web browsing uses TCP protocol and the port
number 80.
Security Profiles
You can change the current security profile from the Summary page. For
more information, see “Summary”, 35.
The following table contains a list of the security profiles available in the
product and the type of traffic each of them allows or denies.
Security profiles - Description
Block All - Blocks all network traffic (excluding loopback).
Server - Allows only IP configuration via DHCP, DNS lookups and ssh
protocol out and in. The server profile has to be customized before it can
be taken into use.
Mobile - Allows normal web browsing and file retrievals (HTTP, HTTPS,
FTP), as well as e-mail and Usenet news traffic. Encryption programs, such
as VPN and SSH are also allowed. Everything else is denied. Local rules
can be added after the malware probes detection.
Home - Allows all outbound TCP traffic and FTP file retrievals. Everything
else is denied. Local rules can be added to enable new network
functionality.
Office - Allows all outbound TCP traffic and FTP file retrievals.
Everything else is denied by default. With this profile, a firewall should
exist between 0.0.0.0/0 and the host.
Strict - Allows outbound web browsing, e-mail and News traffic, encrypted
communication, FTP file transfers and remote updates. Everything else is
denied.
Normal - Allows all outbound traffic, and denies some specific inbound
services.
Disabled - Allows all inbound and outbound network traffic.
6.3.1 General Settings
On the General Settings page, you can select network packet logging
settings and configure trusted network interfaces.
Enable firewall - Select the Enable firewall check box to enable the
firewall protection. Clear the check box to disable the firewall.
Log all unhandled network packets - Select to log all network packets that
do not match any firewall rules. You can log unhandled network packets in
problem solving situations. By default, leave the check box deselected.
Trusted network interfaces - Firewall rules are applied to the first
network interface on the host and all other interfaces are blocked. If
other interfaces are connected to trusted networks, add those interfaces to
the list and separate each entry with a comma. All traffic to trusted
network interfaces is allowed.
6.3.2 Firewall Rules
Each security profile has a set of pre-configured Firewall Rules.
Profile to edit - Select the firewall profile you want to edit. For more
information, see “Security Profiles”, 50. The current security profile is
displayed on the top of the Firewall Rules page. You can change the current
security profile from the Summary page. For more information, see
“Summary”, 35.
List of rules - The list of rules displays the currently used ruleset.
Clear the Enabled checkbox to disable the rule temporarily.
Use up and down arrows to change the order of rules in the ruleset. The
order of the rules is important. The rules are read from top to bottom, and
the first rule that applies to a connection attempt is enforced.
For example: You have a rule that allows IRC (Internet Relay Chat)
connections to a specific host above a rule that denies all IRC traffic.
You are still allowed to make the connection to that one host. However, if
the rule that denies all IRC traffic comes first, any other IRC rules below
that rule are ignored and no IRC connections can be made.
Click X to delete the rule permanently.
To edit a rule, select it from the list of rules. The selected rule is
displayed in the Edit Rule pane. The Edit Rule pane appears below the list
of rules.
If the profile contains more than 10 rules, use <<, <, > and >> arrows to
browse rules.
Changing the order of the rules may affect all the other rules you
have created.
Add And Edit Rules
You can add a new firewall rule, for example, to allow access to a new
service in the network.
To add a new rule, click Add new rule below the list of rules.
When you edit the firewall rules, you should allow only the needed
services and deny all the rest to minimize the security risk.
Type - Choose whether the rule allows or denies the service.
Remote host - Enter details about target addresses. Enter the IP address
and the subnet in bit net mask format. For example: 192.168.88.0/29.
You can use the following aliases as the target address:
[myNetwork] - The local-area network.
[myDNS] - All configured DNS servers.
Description - Enter a short description for the rule.
Services connected to this rule
Service - Select services for which you want the rule to apply. You can add
multiple services to each rule. Click Add Service to this rule after each
service you want to add. Each rule must have at least one service.
If the rule contains a new service, make sure you have saved the service
list in the Network Services page. For more information, see “Network
Services”, 54.
Direction - For every service you selected, choose the direction in which
the rule applies.
in = all incoming traffic that comes to your computer from the internet.
out = all outgoing traffic that originates from your computer.
Click Add to firewall rules to add the rule to the end of the list of rules.
Click Save after you have added or edited a rule to activate all changes.
Click Cancel to discard all changes made after the previous save.
6.3.3 Network Services
The Network Services page displays the network services that currently
exist in the system. When you want to enable or disable the use of a
certain service, you have to make sure that the service exists in the
Network Services table. After that you can create a firewall rule that
allows or denies the use of that service.
To add a new service, click Add new service below the list of services.
To edit a service, select it from the list of services.
Add And Edit Services
Service name - Enter a name for the service.
Protocol - Select the protocol (ICMP, TCP, UDP) or define the protocol
number for the service you want to specify.
Initiator ports - Enter initiator ports.
Responder ports - Enter responder ports.
Description - Enter a short description of the service.
Click Save after you have added or edited a service to activate all
changes. Click Cancel to discard all changes made after the previous
save.
Creating Firewall Services and Rules
To enable the use of a new service, do the following:
1. Select the Network Services in the Advanced mode menu.
2. Define a unique name for the service in the Service Name field. You
can also enter a descriptive comment in the Description field to
distinguish this service from other services.
3. Select a protocol number for the service from the Protocol
drop-down list. If your service does not use ICMP, TCP or UDP
protocol, select Numeric and type the protocol number in the field
reserved for it.
4. If your service uses the TCP or UDP protocol, you need to define
Initiator Ports the service covers.
5. If your service uses TCP or UDP protocols, you need to define
Responder Ports the service covers.
6. Click Add as a new service to add the service to the Network
services list.
7. Click Save to save the new service list.
8. The next step is to create a Firewall Rule that allows use of the
service you just defined. Select Firewall Rules in the Advanced mode
menu.
9. Select the profile where you want to add a new rule and click Add
new rule to create a new rule.
10. Select Accept or Deny as a rule Type. Enter a descriptive comment in
the Description field to distinguish this rule.
11. Define Remote Host to which the rule applies. Enter the IP address
of the host in the field.
12. Select the new service you have created in the Service field and the
direction when the rule is applied.
13. Click Add Service to This Rule. If you do not want to add other
services to the same rule, click Add to Firewall Rules to add the rule
to the active set of rules on the Firewall Rules table.
14. Click Save to save the new rule list.
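To see the first-match ordering from the Firewall Rules page and the service, direction and remote-host matching from the steps above in action, here is an added example (not the product's code) that evaluates a connection against a rule list. The Rule, Service and Connection types, the port syntax, the alias mapping and the default-deny fallback are its own assumptions, and the IRC and DNS sample data is constructed.

```python
"""First-match evaluation of firewall rules built from network services, as the
Firewall Rules and Network Services pages above describe. This is an added
example, not product code: the rule and service fields follow the pages, while
the port syntax, alias resolution and the default-deny fallback are its own
assumptions."""
import ipaddress
from dataclasses import dataclass


def port_in(spec, port):
    """Port list syntax assumed here: '*', '80', '6660-6669' or '80,443'."""
    if spec.strip() == "*":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


@dataclass
class Service:
    name: str
    protocol: str                 # "tcp", "udp", "icmp" or a protocol number as text
    initiator_ports: str = "*"
    responder_ports: str = "*"


@dataclass
class Rule:
    type: str                     # "accept" or "deny"
    remote_host: str              # CIDR such as 192.168.88.0/29, or [myNetwork] / [myDNS]
    services: list                # (Service, direction) pairs, direction "in" or "out"
    description: str = ""
    enabled: bool = True          # cleared Enabled checkbox = rule skipped


@dataclass
class Connection:
    direction: str                # "in": remote host initiated; "out": this host did
    protocol: str
    remote_ip: str
    local_port: int
    remote_port: int


def host_matches(rule_host, remote_ip, aliases):
    """aliases maps '[myNetwork]' / '[myDNS]' to lists of networks (assumed format)."""
    networks = aliases.get(rule_host, []) if rule_host.startswith("[") else [rule_host]
    address = ipaddress.ip_address(remote_ip)
    return any(address in ipaddress.ip_network(n, strict=False) for n in networks)


def service_matches(service, direction, conn):
    if direction != conn.direction or service.protocol.lower() != conn.protocol.lower():
        return False
    # The initiator is whoever opened the connection: the remote host for "in",
    # this host for "out". Map the two port fields accordingly.
    if conn.direction == "in":
        initiator, responder = conn.remote_port, conn.local_port
    else:
        initiator, responder = conn.local_port, conn.remote_port
    return (port_in(service.initiator_ports, initiator)
            and port_in(service.responder_ports, responder))


def evaluate(rules, conn, aliases=None):
    """Return (verdict, rule) from the first enabled rule that applies, reading
    top to bottom. No matching rule falls back to deny (an assumption here)."""
    aliases = aliases or {}
    for rule in rules:
        if not rule.enabled or not host_matches(rule.remote_host, conn.remote_ip, aliases):
            continue
        if any(service_matches(svc, d, conn) for svc, d in rule.services):
            return rule.type, rule
    return "deny", None


# Constructed sample data for the IRC ordering example on the Firewall Rules page.
IRC = Service("IRC", "tcp", initiator_ports="1024-65535", responder_ports="6667")
DNS = Service("DNS", "udp", initiator_ports="1024-65535", responder_ports="53")
ALLOW_ONE_HOST = Rule("accept", "192.168.88.5/32", [(IRC, "out")], "IRC to one host")
DENY_ALL_IRC = Rule("deny", "0.0.0.0/0", [(IRC, "out")], "deny all IRC")
ALLOW_DNS = Rule("accept", "[myDNS]", [(DNS, "out")], "DNS lookups")
ALIASES = {"[myDNS]": ["192.168.88.53/32"], "[myNetwork]": ["192.168.88.0/24"]}


def irc_verdicts(rules):
    """Verdicts for outbound IRC to the permitted host and to some other host."""
    to_allowed = Connection("out", "tcp", "192.168.88.5", 40000, 6667)
    to_other = Connection("out", "tcp", "10.0.0.9", 40000, 6667)
    return evaluate(rules, to_allowed)[0], evaluate(rules, to_other)[0]


if __name__ == "__main__":
    print(irc_verdicts([ALLOW_ONE_HOST, DENY_ALL_IRC]))  # ('accept', 'deny')
    print(irc_verdicts([DENY_ALL_IRC, ALLOW_ONE_HOST]))  # ('deny', 'deny')
```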
6.4 Integrity Checking
Integrity Checking protects important system files against unauthorized
modifications. Integrity Checking can block any modification attempts of
protected files, regardless of file system permissions.
Integrity Checking compares files on the disk to the baseline, which is a
cryptographically signed list of file properties.
Integrity Checking can be configured to send alerts to the administrator
about modification attempts of the monitored files. For more information,
see “Communications”, 64.
Known Files
The Known Files lists files that the product monitors and protects.
Verify Baseline
Verify the system integrity manually.
Generate Baseline
Generate a new baseline for all known files.
Rootkit Prevention
Adjust rootkit prevention settings.
6.4.1 Known Files
The Known Files lists files that the product monitors and protects. The
baseline is created from the Known Files list by reading the properties of
the files in the list and cryptographically signing the result. Integrity
Checking compares this result to real-time file accesses.
Use the search filters to select files you want to view in the list.
Using The Search
Status - Select files you want to view in the known files list.
Modified and new - Displays all files that have been modified or added to
the baseline.
Modified - Displays all files that have been modified.
New - Displays all files that have been added to the baseline.
Unmodified - Displays all baselined files that have not been modified.
All - Displays all files in the known files list.
Filename - Enter any part of the filename of the monitored file you want to
view in the known files list.
Integrity Checking does not protect new or modified files before
you regenerate the baseline. If you add files to the Known Files list
or files have been modified, regenerate the baseline to protect
those files.
Click Search to view the search results.
Filename - Displays the name of the file.
Detection time - Displays the time when a modification was detected.
Detected modifier - Displays the filename of the process that modified the
file.
Action - Displays whether the product allows or denies modifications to the
file.
Alert - Displays whether the product sends an alert when the file is
modified.
Protection - Displays whether the file is monitored or protected. Protected
files cannot be modified while monitored files are only monitored and can
be modified.
To regenerate the baseline, select the new and modified files you want to
baseline and click Regenerate baseline for highlighted files. For more
information, see “Generate Baseline”, 61.
If you want to remove files from the baseline, click files to select them and
click Remove highlighted files to stop monitoring the selected files.
Adding Files To The Known Files List
To add a file to the known files list, enter the filename and select the
protection method you want to use.
Filename - Enter the filename of the file you want to monitor. If you want
to add more than one file, separate each filename with a space.
Protection - Select the protection method:
Monitor - Monitors the file but does not prevent any modifications to it.
Protect - Does not allow any modifications to the file. The protected file
can be opened but it cannot be changed.
Action - The product can prevent the access to modified files.
Allow - The access to the modified file is allowed when it is executed or
opened.
Deny - The access to the modified file is denied. Modified files cannot be
opened or executed.
Click Add to known files to add the entry to the Known Files List.
Integrity Checking does not protect new or modified files before you
regenerate the baseline. Regenerate the baseline to protect files you
have added. For more information, see “Generate Baseline”, 61.
You can add a single file or multiple files to the baseline at the
same time.
Software Installation Mode
Integrity Checking prevents unauthorized and unwanted modifications of
system files and programs. When you update your operating system,
apply a security update or install new versions of software, you need to
modify files that Integrity Checking monitors.
Use the Software Installation Mode when you want to modify system files
and programs. To access the Software Installation Mode, open the user
interface, select I want to... and click Install software.
The Software Installation Mode wizard guides you through the software
installation and updates the baseline with new software that you install on
your system.
When the Software Installation Mode is enabled, any process can load
any kernel modules regardless whether they are in the baseline or not
and any process can change any files in the baseline, whether those files
are protected or not. The real-time scanning is still enabled and it alerts of
any malware found during the installation.
Command Line
For information how to use the Software Installation Mode from the shell,
see “fsims”, 74.
6.4.2 Verify Baseline
Enter your passphrase to verify the baseline. For more information about
the passphrase, see “Passphrase”, 62.
IMPORTANT: If you install software without the Software
Installation Mode when Integrity Checking monitors updated files,
you may be unable to install or use the new software. For example,
Integrity Checking may prevent a kernel update from booting
properly as new drivers are not in the baseline.
Do not start any other integrity checking processes while the product
verifies the baseline.
You can verify the baseline manually to make sure that your system is
safe and all baselined files are unmodified. If an attacker has managed to
gain a root access to the system and regenerated the baseline, the
regenerated baseline does not match against your passphrase when you
verify the baseline.
6.4.3 Generate Baseline
Integrity Checking is set up by creating a baseline of the system files that
you want to protect.
A default set of system files is added to the Known Files list during the
installation. By default, Kernel Module Verification is enabled during the
installation and the baseline is generated from the Known Files list. If you
do not enable the Kernel Module Verification during the installation, you
have to generate the baseline manually before Integrity Checking is
enabled.
All files that are added to the baseline during the installation are set to
Allow and Alert protection mode.
Passphrase
The generated baseline has to be signed to prevent anyone from
modifying the protected files.
The product verifies the baseline and the system integrity
cryptographically. A cryptographic algorithm is applied to the baseline
contents and the passphrase to generate a signature (an HMAC signature)
of the baselined information.
IMPORTANT: You must take great care not to forget the
passphrase used as it cannot be recovered and the baseline
cannot be verified against tampering without using the same
passphrase.
You should not share the passphrase with other administrators without
fully understanding the consequences. Other administrators could tamper
with the baseline and regenerate it using the same passphrase, and the
subsequent check would appear to be all right.
Command Line
For information how to create and check the system integrity from the
shell, see “fsic”, 73.
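The signed baseline described under Passphrase and Verify Baseline, as an added example that is not the product's code: file properties are collected into a list, signed with an HMAC keyed from the passphrase, and the signature is verified before files are compared, so a baseline regenerated under someone else's passphrase or edited by hand fails the check. The property set, the serialization, the PBKDF2 key derivation and the in-memory sample files are assumptions constructed here.

```python
"""Baseline generation and verification in the shape the Integrity Checking
pages describe: a list of file properties signed with an HMAC derived from the
administrator's passphrase. This is an added example, not the product's code;
the property set, serialization and key derivation are its own assumptions."""
import hashlib
import hmac
import json


def file_properties(path, mode, content):
    """Properties recorded for one known file (assumed set: path, mode, size, SHA-256)."""
    return {"path": path, "mode": mode, "size": len(content),
            "sha256": hashlib.sha256(content).hexdigest()}


def _canonical(entries):
    # Sorted, whitespace-free JSON so the same file set always signs identically.
    return json.dumps(sorted(entries, key=lambda e: e["path"]), sort_keys=True,
                      separators=(",", ":")).encode()


def _signing_key(passphrase):
    # Assumed derivation: PBKDF2-SHA256 with a fixed salt so the demo is deterministic.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), b"baseline-demo-salt", 50_000)


def generate_baseline(files, passphrase):
    """files: {path: (mode, content_bytes)}. Returns the signed baseline."""
    entries = [file_properties(p, m, c) for p, (m, c) in files.items()]
    tag = hmac.new(_signing_key(passphrase), _canonical(entries), "sha256").hexdigest()
    return {"entries": entries, "signature": tag}


def verify_signature(baseline, passphrase):
    """True only if the baseline was signed with this passphrase and is unaltered."""
    expected = hmac.new(_signing_key(passphrase), _canonical(baseline["entries"]),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, baseline["signature"])


def check_integrity(baseline, files, passphrase):
    """Verify the signature, then compare the files on 'disk' with the baseline.
    Returns (signature_ok, report); report buckets paths as unmodified, modified,
    not_baselined (on disk but unknown) or missing (known, now gone)."""
    ok = verify_signature(baseline, passphrase)
    known = {e["path"]: e for e in baseline["entries"]}
    report = {"unmodified": [], "modified": [], "not_baselined": [], "missing": []}
    for path, (mode, content) in sorted(files.items()):
        if path not in known:
            report["not_baselined"].append(path)
        elif file_properties(path, mode, content) == known[path]:
            report["unmodified"].append(path)
        else:
            report["modified"].append(path)
    report["missing"] = sorted(set(known) - set(files))
    return ok, report


# Constructed in-memory "file system": path -> (mode, content).
SYSTEM = {
    "/bin/ls": (0o755, b"\x7fELF...constructed ls binary..."),
    "/etc/passwd": (0o644, b"root:x:0:0:root:/root:/bin/bash\n"),
    "/lib/modules/demo.ko": (0o644, b"\x7fELF...constructed kernel module..."),
}
ADMIN_PASSPHRASE = "example-passphrase"      # constructed, not a real secret


def tamper_scenarios():
    """Three checks an administrator relies on, returned as a dict of results."""
    baseline = generate_baseline(SYSTEM, ADMIN_PASSPHRASE)

    # 1. A protected file changes on disk: the signature still holds, the file is flagged.
    changed = dict(SYSTEM)
    changed["/bin/ls"] = (0o755, b"\x7fELF...replaced by something else...")
    sig_ok, report = check_integrity(baseline, changed, ADMIN_PASSPHRASE)

    # 2. Someone with root regenerates the baseline under their own passphrase:
    #    it verifies with theirs but not with the administrator's, which is the
    #    case the Verify Baseline page describes.
    regenerated = generate_baseline(changed, "someone-elses-passphrase")

    # 3. An entry in the stored baseline is edited directly: the HMAC no longer matches.
    edited = json.loads(json.dumps(baseline))
    edited["entries"][0]["sha256"] = "0" * 64

    return {
        "modified_after_change": report["modified"],
        "signature_ok_after_change": sig_ok,
        "regenerated_verifies_with_admin_passphrase": verify_signature(regenerated, ADMIN_PASSPHRASE),
        "regenerated_verifies_with_own_passphrase": verify_signature(regenerated, "someone-elses-passphrase"),
        "edited_baseline_verifies": verify_signature(edited, ADMIN_PASSPHRASE),
    }


if __name__ == "__main__":
    for name, value in tamper_scenarios().items():
        print(f"{name}: {value}")
```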
6.4.4 Rootkit Prevention
When the Integrity Checking is enabled, the product can prevent rootkits.
Hackers can use rootkits to gain access to the system and obtain
administrator-level access to the computer and the network.
Kernel module verification - Protects the system against rootkits by
preventing unknown kernel modules from loading. When the kernel module
verification is on, only those kernel modules that are listed in the known
files list and which have not been modified can be loaded. If the kernel
module verification is set to Report only, the product sends an alert when
an unknown or modified kernel module is loaded but does not prevent it from
loading.
Write protect kernel memory - Protects the /dev/kmem file against write
attempts. A running kernel cannot be directly modified through the device.
If the write protection is set to Report only, the product sends an alert
when it detects a write attempt to /dev/kmem file, but it does not prevent
the write operation.
Allowed kernel module loaders - Specify programs that are allowed to load
kernel modules when the kernel module verification is enabled. By default,
the list contains the most common module loaders. If the Linux system you
use uses some other module loaders, add them to the list. Type each entry
on a new line, only one entry per line.
Change Communications settings to configure where alerts are sent.
Management Server
Server Address: Define the URL of the F-Secure Policy Manager Server.
This setting is only available in the centrally managed installation mode.
Alert Forwarding
Alert Level: Specify where an alert is sent according to its severity
level. You can send an alert to any of the following:
E-mail to - Enter the e-mail address where the alert is sent as an e-mail.
Local - Alert is displayed in the Web User Interface.
Syslog - Alert is written to the system log. The syslog facility is
LOG_DAEMON and the alert priority varies.
FSPMC - Alert is sent to F-Secure Policy Manager Console.
E-mail Settings
The e-mail settings are used for all alert messages that have been
configured to send e-mail alerts.
Server: Enter the address of the SMTP server in the Server Address field.
You can use either the DNS name or the IP address of the SMTP server.
If the mail server is not running or the network is down, it is possible
that some e-mail alerts are lost. To prevent this, configure a local mail
server on port 25 and use it for relaying e-mail alerts.
From: Enter the full e-mail address (sender@example.com) you want to use
as the sender of the alert in the e-mail message.
Subject: Enter the e-mail alert message subject. Use %DESCRIPTION% as the
subject to display a short description of the alert in the subject line.
Alert Message Variables
The following table lists all variables that are available for the e-mail
alert message subject.
Variable: Description
%SEVERITY%: The severity of the alert: informational, warning, error,
fatal error or security alert.
%HOST_DNS%: The DNS address of the host that sent the alert.
%HOST_IP%: The IP address of the host that sent the alert.
%USER%: The active user login name.
%PRODUCT_NAME%: The name of the product that generated the alert.
%PRODUCT_OID%: The OID of the product that generated the alert.
%DESCRIPTION%: The alert description.
%DATE%: The date when the alert was sent, in the format YYYY-MM-DD.
%TIME%: The time when the alert was sent, in the format HH:MM:SS+GMT.
%ALERT_NUMBER%: The alert number during the session.
6.5.2 Automatic Updates
It is of the utmost importance that the virus definition databases are
up-to-date. The product updates them automatically.
Information about the latest virus definition database update can be found
at: http://www.F-Secure.com/download-purchase/updates.shtml
Updates enabled: Enable and disable the automatic virus definition
updates. By default they are enabled.
Policy Manager Proxies
Displays a list of virus definition database update sources and F-Secure
Policy Manager proxies.
If no update servers are configured, the product retrieves the latest virus
definition updates from F-Secure Update Server automatically.
PM Proxy address: Displays the URL of the update source.
Priority: Displays the priority level of the update source. The priority
numbers define the order in which the host tries to connect to the servers.
Virus definition updates are downloaded from the primary sources first;
secondary update sources can be used as a backup.
The product connects to the source with the smallest priority number
first (1). If the connection to that source fails, it tries the source
with the next smallest number (2), and so on until a connection succeeds.
To add a new address to the list, enter the URL in the Address field and
define the priority level of the new address. Click Add PM Proxy to add
the new entry to the list.
HTTP Proxy
Use HTTP Proxy: Use an HTTP proxy server to download database updates.
HTTP Proxy Address: Enter the HTTP proxy server address.
Periodic updates
Automatic updates interval: Define (in minutes) how often the product
checks the virus definition database update sources for new updates.
Intermediate server failover time: Define (in minutes) the failover time
for connecting to the specified update servers. If the product cannot
connect to the update servers within the specified time, it retrieves the
latest virus definition updates from F-Secure Update Server if Allow
fetching updates from F-Secure Update Server is enabled.
Allow fetching updates from F-Secure Update Server: Enable the product to
download virus definition updates from F-Secure Update Server when it
cannot connect to the specified update servers.
Launch scan after updates: Select whether a virus scan should be launched
automatically after the virus definitions have been updated. The virus
scan scans all local files and directories and it can take a long time.
The scan uses the manual scanning settings. By default, the scan is not
launched automatically.
Reminders
Send reminders: If the virus definition databases have not been updated
in a while, the product can be set to send a reminder. To enable
reminders, check the Send reminders check box and set the database age
in days when reminders are sent.
Database age in days before reminders are sent: Specify the age of the
virus definition databases when they are considered old (3-30 days, the
default value is 7 days). An alert is sent as a reminder when the
database is older than the specified age.
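The update-source order described in the Policy Manager Proxies and Periodic updates settings above (lowest priority number first, next source on failure, F-Secure Update Server only as a last resort once the failover time has run out and that fallback is enabled), as an added model written for this page. It is not the product's updater. The proxy host names are placeholders, the FALLBACK string stands in for the built-in fallback source, and the exact way the product applies the failover window (here: stop trying configured sources once the window has elapsed) is an assumption about the text.

```python
import time

# Added illustration of the update-source order in the Automatic Updates
# settings. Models the manual's description; not the product's updater.
# Host names and the FALLBACK sentinel are constructed placeholders.

FALLBACK = "F-Secure Update Server"   # stands in for the built-in fallback source


def choose_update_source(sources, fetch, failover_minutes, allow_fallback,
                         clock=time.monotonic):
    """Try configured sources in priority order; return (source, attempts).

    sources: iterable of (priority, url); the lower number is tried first.
    fetch(url): callable returning True when the update was downloaded.
    clock: seconds counter, injectable so the failover window can be tested.
    Assumption: once the failover window has elapsed, remaining configured
    sources are skipped and only the fallback (if allowed) is tried.
    """
    attempts = []
    deadline = clock() + failover_minutes * 60
    for _, url in sorted(sources, key=lambda s: s[0]):
        if clock() >= deadline:
            attempts.append((url, "skipped: failover time elapsed"))
            continue
        ok = fetch(url)
        attempts.append((url, "ok" if ok else "failed"))
        if ok:
            return url, attempts
    if allow_fallback:
        ok = fetch(FALLBACK)
        attempts.append((FALLBACK, "ok" if ok else "failed"))
        if ok:
            return FALLBACK, attempts
    return None, attempts


class FakeClock:
    """A clock the demo advances by hand to simulate slow fetch attempts."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


# Constructed sources, deliberately listed out of priority order.
SOURCES = [(2, "http://pmproxy-b.example/"), (1, "http://pmproxy-a.example/")]


def demo():
    reach_b_only = lambda url: url.endswith("pmproxy-b.example/")
    nothing = lambda url: False
    fallback_only = lambda url: url == FALLBACK

    # 1: priority 1 (a) fails, priority 2 (b) succeeds.
    src1, att1 = choose_update_source(SOURCES, reach_b_only, 60, True, FakeClock())
    # 2: all proxies down, fallback allowed.
    src2, _ = choose_update_source(SOURCES, fallback_only, 60, True, FakeClock())
    # 3: all proxies down, fallback disabled: no update at all.
    src3, _ = choose_update_source(SOURCES, nothing, 60, False, FakeClock())
    # 4: each attempt burns 10 minutes against a 5-minute failover time, so
    #    only the first proxy is tried before falling back.
    clock = FakeClock()

    def slow_fetch(url):
        clock.advance(600)
        return url == FALLBACK

    src4, att4 = choose_update_source(SOURCES, slow_fetch, 5, True, clock)
    return src1, [u for u, _ in att1], src2, src3, src4, att4[1][1]
```

Scenario 3 is the operationally interesting one: with the fallback disabled and every proxy unreachable, the host silently stays on old definitions, which is exactly the situation the Reminders setting above exists to surface.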
Using F-Secure Anti-Virus Proxies
F-Secure Anti-Virus Proxy offers a solution to bandwidth problems in
distributed installations of F-Secure Anti-Virus Linux Server Security by
significantly reducing load on networks with slow connections. When you
use F-Secure Anti-Virus Proxy as an updates source, F-Secure products
can be configured to retrieve virus definition database updates from a
local update repository rather than from the central F-Secure Policy
Manager Server.
For information about how to install and configure F-Secure
Anti-Virus Proxy, see the chapter F-Secure Anti-Virus Proxy in the
F-Secure Policy Manager Administrator's Guide.
6.5.3 About
The About page displays the license terms, the product version number
and the database version.
If you are using the evaluation version of the product, you can enter the
keycode in the About page to upgrade the product to the fully licensed
version.
7.1 Overview
For more information on command line options, see “Man Pages”, 96.
7.2 Virus Protection
You can use the fsav command line tool to scan files and the dbupdate
command line tool to update virus definition databases from the shell.
7.2.1 fsav
Follow these instructions to scan files from the shell:
›To scan all default file types on all local disks, type:
fsav /
›To scan all files in a directory and its subdirectories, enter the
directory name. For example:
fsav mydirectory
›To scan a single file, enter the file name (without wildcards). For
example:
fsav myfile.exe
Note that the recursive scan detects mounted network file system
subdirectories and does not scan network file systems. Scanning a
network file system from the client workstation would create unnecessary
load on the network and it is much slower than scanning the local file
system.
If you want to scan the network file system, run fsav / on the server.
If you cannot run fsav on the server, you can scan the network file
system from the client workstation by explicitly specifying mounted
network file system directories on the fsav command line.
For example, if an NFS file system is mounted in /mnt/server1, scan it
with the following command:
fsav /mnt/server1
For more information on command line options, see the fsav man pages
or type fsav --help.
7.2.2 dbupdate
Before you can update virus definition databases manually, you have to
disable the periodic database update. To disable periodic database
updates, edit the crontab of root:
1. Run the following command:
crontab -e
2. Add # to the beginning of the following line to comment it out:
For more information about security profiles, see “Security Profiles”, 50.
7.4 Integrity Checking
You can use the fsic command line tool to check the system integrity
and fsims to use the Software Installation Mode from the shell.
7.4.1 fsic
You can create the baseline, add files to the baseline and verify the
baseline with the fsic command line tool.
Creating the Baseline
Follow these instructions to create the baseline from the command line:
1. Run the fsic tool with the --baseline option:
fsic --baseline
2. Select the files to add to the baseline. If you want to add all files in the
directory in the Known Files List in the baseline, type A in the prompt.
3. Enter a passphrase to create the signature.
Adding Files to the Baseline
Follow these instructions to add files to the baseline from the command
line. In this example, the product is also configured to send an alert about
unauthorized modification attempts of the protected files.
1. Run the fsic tool with the --add, --alert and --protect options:
/opt/f-secure/fsav/bin/fsic --add --alert=yes --protect=yes /etc/passwd /etc/shadow
2. Recalculate the baseline. The baseline update progress is displayed
during the process, and you are prompted to select whether to
include the new files in the baseline:
/opt/f-secure/fsav/bin/fsic --baseline
3. Enter a passphrase to create the signature.
Verifying the Baseline
Follow these instructions to verify the baseline from the command line:
1. Run the command:
/opt/f-secure/fsav/bin/fsic
2. Enter the passphrase that you used when you created the baseline.
3. The product validates the files and displays whether they are intact.
7.4.2 fsims
Use the following command to enable Software Installation Mode:
/opt/f-secure/fsav/bin/fsims on
After you have installed the new software, disable the Software
Installation Mode to restore the normal protection level:
/opt/f-secure/fsav/bin/fsims off
For more information about the Software Installation Mode, see “Software
Installation Mode”, 60.
7.5 General Command Line Tools
You can use the fssetlanguage command line tool to set the language
used in the web user interface.
7.5.1 fssetlanguage
Use the following command to set the language:
/opt/f-secure/fsav/bin/fssetlanguage <language>
Where <language> is one of:
en - English
ja - Japanese
de - German
7.5.2 fsma
Use the following command to check the status of the product modules:
/etc/init.d/fsma status
The following table lists all product modules:
F-Secure Alert Database Handler Daemon
  Process: /opt/f-secure/fsav/sbin/fsadhd
  Description: Stores alerts to a local database. Alerts can be viewed
  with the web user interface.
F-Secure FSAV Policy Manager Daemon
  Process: /opt/f-secure/fsav/bin/fsavpmd
  Description: Handles all F-Secure Policy Manager Console operations
  (for example, Scan all hard disks now, Update database now, Reset
  statistics).
F-Secure Firewall Daemon
  Process: /opt/f-secure/fsav/bin/fsfwd.run
  Description: The interface between F-Secure Management Agent and the
  iptables/netfilter firewall.
F-Secure FSAV License Alerter
  Process: /opt/f-secure/fsav/libexec/fslmalerter
  Description: Checks and informs how many days are left in the
  evaluation period when the product is installed in the evaluation mode.
F-Secure FSAV On-Access Scanner Daemon
  Process: /opt/f-secure/fsav/sbin/fsoasd
  Description: Provides all real-time protection features: real-time
  virus scanning, real-time integrity checking and rootkit protection.
F-Secure FSAV Status Daemon
  Process: /opt/f-secure/fsav/bin/fstatusd
  Description: Checks the current status of every component and keeps
  desktop panel applications and the web user interface up-to-date.
F-Secure FSAV Web UI
  Process: /opt/f-secure/fsav/tomcat/bin/catalina.sh start
  Description: Handles the web user interface.
F-Secure FSAV PostgreSQL daemon
  Process: /opt/f-secure/common/postgresql/bin/startup.sh
  Description: Stores alerts that can be viewed with the web user
  interface.
7.5.3 fsav-config
If you install the product using RPM packages, you have to run the
fsav-config command line tool to create the initial product
configuration:
/opt/f-secure/fsav/fsav-config
A Installation Prerequisites
A.1 All 64-bit Distributions
Some 64-bit distributions do not install 32-bit compatibility libraries by
default. Make sure that these libraries are installed. The name of the
compatibility library package may vary; see the documentation of the
distribution you use for the package name of the 32-bit compatibility
libraries. On 64-bit Ubuntu, install ia32-libs.
A.2 Red Hat Enterprise Linux 4
Follow these instructions to install the product on a server running Red
Hat Enterprise Linux 4 AS:
1. Install the following RPM packages from the RHEL4 CDs. Either:
›Use the command rpm -ivh <rpm files>,
›Use Applications > System Settings > Add/Remove Applications, or
›Use up2date.
Make sure you have all the following RPM packages installed:
A.3 Debian 3.1 and Ubuntu 5.04, 5.10, 6.06
2. If you are using Ubuntu 5.10, make sure that the gcc-3.4 package is
installed.
3. If you want to use the system tray applet, run the following
commands:
Debian:
sudo apt-get install kde-core
Ubuntu:
sudo apt-get install kdelibs libstdc++5
4. If you want to enable logins to the Web User Interface, comment out
(add a hash sign (#) at the beginning of) the following line in
/etc/pam.d/login:
auth requisite pam_securetty.so
Note that pam_securetty is what restricts root logins to the terminals
listed in /etc/securetty; commenting it out relaxes that restriction for
every login that goes through the login PAM service, not only for the
Web User Interface.
5. Install the product normally.
A.4 SuSE
To install the product on a server running SuSE version 9.1, 9.2, 9.3 or
10.0:
1. Before you install the product, make sure that the kernel-source, make
and gcc packages are installed. Use YaST or another setup tool.
2. Install the product normally.
A.5 Turbolinux 10
Turbolinux kernel sources may not be configured and so they cannot be
used to compile kernel drivers. To fix this, run the following command in
the kernel source tree:
B Installing Required Kernel Modules Manually
This section describes how to install required kernel modules manually.
You may need to do this in the following cases:
›You forgot to use Software Installation Mode and the system is
not working properly.
›In large installations some hosts may not include development
tools or kernel source.
B.2 Before Installing Required Kernel Modules
Before installing required kernel modules, you must do the following:
›Make sure that the running kernel version is the same as the
version of the kernel sources installed. The kernel configuration
must also be the same.
›On some distributions, such as older SUSE distributions, you
may need to go to /usr/src/linux and run the commands
make cloneconfig and make modules_prepare before the
kernel sources match the installed kernel.
B.3 Installation Instructions
Follow the instructions below to install required kernel modules:
1. Run the following command as the root user:
/opt/f-secure/fsav/bin/fsav-compile-drivers
2. If the summary page in the user interface does not show any errors,
the product is working correctly.
fsav-compile-drivers is a shell script that configures and compiles
the Dazuko driver automatically for your system and for the product. For
more information on the Dazuko driver, visit www.dazuko.org.
You can download the Dazuko driver from www.dazuko.org and
use it with the product, but it is not recommended. The product has
been extensively tested only with the Dazuko version that ships
with the product, which is installed in /opt/f-secure/fsav/dazuko.tar.gz.
If your Linux distribution has a preinstalled Dazuko, it cannot be used, as
the product depends on the included patches and configuration options,
which are likely different in the preinstalled Dazuko. Uninstall the
preinstalled Dazuko or make sure that it is not run during the system
startup, and follow the installation instructions above to install Dazuko
with all required patches and configuration options.
When running, the product reserves the following IP ports:
Interface  Protocol  Port   Comment
lo         tcp       28005  Web User Interface internal communication port
lo         tcp       28078  PostgreSQL alert database
lo         tcp       28080  Local Web User Interface access
any        tcp       28082  Remote SSL Web User Interface access (if enabled)
Only port 28082 is bound on all interfaces, and only when remote access
is enabled; the three ports on lo are reachable from local processes only.
C.4 Memory
The Web User Interface reserves over 200 MB of memory, but since the
WebUI is not used all the time, the memory is usually swapped out. The
other product components sum up to about 50 MB of memory, and the
on-access scanner uses the majority of it.
The memory consumption depends on the amount of file accesses on the
system. If several users are logged in to the system and all of them
access lots of files, the memory consumption grows.
C.5 CPU
The load on the processor depends on the amount of file accesses on the
system, as the on-access scanner scans every file that is opened and
closed.
The CPU usage grows when many users are logged in to the system at
the same time.
Some software products are designed to access many files, and the
on-access scanning can slow down these products noticeably.
D Troubleshooting
Q. Symlinks are not working for Integrity Checking or Rootkit
Protection, what can I do?
A. Loading a kernel module may be denied if the file containing the
kernel module is a symlink and the real file the symlink points to is
not in the Integrity Checking baseline. The same applies if the
modprobe or insmod utilities (the module loaders) use files or libraries
which are symlinks and the file the symlink points to is not in
the baseline.
For example, modprobe uses /lib/libz.so.1, which is really a symlink to
the real file /lib/libz.so.1.2.2. If the symlink is in the baseline but the
real file is not, modprobe is not allowed to run, because it tried to
open a file that is not in the baseline.
You should never add only symlinks to the baseline; always add both
the symlink and the real file the symlink points to.
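The module-load decision described in the Rootkit Prevention settings (loader allowlist, module in the known files list and unmodified, Report only versus enforcing) together with the symlink rule in the answer above, as an added model written for this page. It is not the product's code; the real checks run inside its kernel driver. The module file, the symlink to it and the unlisted loader name are constructed for the example, and the way report-only mode is modelled (alert on every violation but let the load proceed) is an assumption about the text.

```python
import hashlib
import os
import tempfile

# Added illustration of the kernel module verification decision: models the
# manual's rules, not the product's driver. Names below are constructed.

ENFORCE, REPORT_ONLY = "enforce", "report-only"


def record(path):
    """Baseline record for a path: the link target for a symlink, else a digest."""
    if os.path.islink(path):
        return "link:" + os.readlink(path)
    with open(path, "rb") as f:
        return "sha256:" + hashlib.sha256(f.read()).hexdigest()


def link_chain(path):
    """The path itself plus every symlink hop down to the real file."""
    chain = [path]
    while os.path.islink(chain[-1]):
        target = os.readlink(chain[-1])
        nxt = os.path.normpath(os.path.join(os.path.dirname(chain[-1]), target))
        if nxt in chain:            # symlink loop; stop rather than spin
            break
        chain.append(nxt)
    return chain


def decide_module_load(loader, module_path, known_files, allowed_loaders, mode=ENFORCE):
    """Return (allowed, alerts) for one module-load attempt.

    known_files maps absolute path -> record(path) captured at baseline time.
    Every hop of the symlink chain must be in the baseline and unmodified;
    in report-only mode violations are alerted but the load still goes ahead.
    """
    alerts = []
    if loader not in allowed_loaders:
        alerts.append(f"{loader} is not an allowed kernel module loader")
    for p in link_chain(module_path):
        if p not in known_files:
            alerts.append(f"{p} is not in the known files list")
        elif known_files[p] != record(p):
            alerts.append(f"{p} was modified after the baseline was created")
    allowed = not alerts or mode == REPORT_ONLY
    return allowed, alerts


def demo():
    tmp = tempfile.mkdtemp()
    real = os.path.join(tmp, "example.ko.real")     # constructed module file
    link = os.path.join(tmp, "example.ko")          # symlink the loader opens
    with open(real, "wb") as f:
        f.write(b"\x7fELF constructed module bytes")
    os.symlink(real, link)
    loaders = {"/sbin/modprobe", "/sbin/insmod"}

    both = {p: record(p) for p in (link, real)}     # symlink AND real file
    link_only = {link: record(link)}                # the mistake the FAQ describes

    ok_both, _ = decide_module_load("/sbin/modprobe", link, both, loaders)
    ok_link_only, al = decide_module_load("/sbin/modprobe", link, link_only, loaders)
    ok_report, al_report = decide_module_load("/sbin/modprobe", link, link_only,
                                              loaders, mode=REPORT_ONLY)
    ok_loader, _ = decide_module_load("/usr/local/bin/myloader", link, both, loaders)

    with open(real, "ab") as f:                     # tamper with the real file
        f.write(b" patched")
    ok_modified, _ = decide_module_load("/sbin/modprobe", link, both, loaders)

    return ok_both, ok_link_only, len(al), ok_report, len(al_report), ok_loader, ok_modified
```

The second and third cases are the ones to note: a baseline holding only the symlink denies the load in enforcing mode, and in Report only mode the same load is allowed through with exactly one alert, which is why Report only is a diagnostic setting rather than a protection.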
Q. I forgot to use Software Installation Mode and my system is not
working properly. What can I do?
A. Create a new baseline. Execute the following commands:
b. Restart the product to take the new settings into use:
/etc/init.d/fsma restart
Q. Do I have to use the same passphrase every time I generate the
baseline?
A. No. You have to verify the baseline using the same passphrase that
was used when the baseline was generated, but you do not have to
use the same passphrase again when you generate the baseline
again.
D.4 Firewall
Q. After installing the product, users cannot access Samba shares
on my computer, how can I fix this?
A. The Office firewall profile contains a rule that allows Windows
Networking, but that rule is disabled by default. Enable the rule to
allow access to Samba shares.
Q. After installing the product, I cannot browse local area network
domains and workgroups (SMB). How can I fix this?
A. You need to add a rule to the firewall that allows browsing Windows
shares on your local area network. Follow these instructions:
a. Go to the Firewall > Network Services page in the Web User
Interface advanced mode.
b. Click Add new service.
c. Create the following service:
Service Name: Windows Networking Local Browsing
Protocol: UDP
Initiator ports: 137-138
Responder: >1023
Description: SMB LAN browsing
d. Click Add as a new service and Save.
e. Go to the firewall menu and click Firewall Rules.
f. Click Add new rule.
g. Create the following rule:
Type: ACCEPT
Remote Host: [myNetwork]
Description: Windows Networking Local Browsing
Service (select box): Windows Networking Local Browsing
Direction: in
h. Click Add Service to this Rule and Add to Firewall Rules. The
new rule should be visible at the bottom of the firewall rule list. If
you cannot see the rule, click >> to move to the end of the list.
i. Click on the up arrow next to the new rule to move the rule above
any "Deny rest" rule.
j. Click Save to save your new rule set and apply the new firewall rules.
Keep the Remote Host restricted to [myNetwork]; there is no reason to
accept NetBIOS datagrams from outside the local network.
Your SMB LAN browsing should work now.
Q. How can I set up firewall rules to access NFS servers?
A. You need to allow the following network traffic through the firewall:
›portmapper (tcp and udp port 111)
›nfsd (tcp and udp port 2049)
›mountd (variable port assigned through portmapper)
Mountd is needed only when the NFS share is mounted. After the
mount is completed, all traffic goes to nfsd. If clients use file locking,
lockd and statd also register dynamic ports with portmapper and need the
same treatment as mountd.
As the mountd port is not always the same, follow these instructions
to mount NFS shares:
›Either turn off the firewall, mount (or umount) the NFS share and
turn on the firewall again, or
›on the NFS server, start mountd with the --port PORT option,
which forces mountd to use a fixed port number instead of a
random port. Then, create a firewall rule that allows udp and tcp
traffic to that port number.
D.5 Virus Protection
Q. How do I enable the debug log for the real-time virus scanner?
A. In Policy Manager Console, go to Product/Settings/Advanced/ and
set the fsoasd log level to Debug.
In a standalone installation, run the following command:
/opt/f-secure/fsma/bin/chtest s 44.1.100.11 9
The above command works for the Client Security product. If you are
using Server Security, replace 44 with 45.
The log file is /var/opt/f-secure/fsav/fsoasd.log
Q. How can I use an HTTP proxy server to download database
updates?
A. In Policy Manager Console, go to F-Secure Automatic Update Agent /
Settings / Communications / HTTP Settings / User-defined proxy
settings and set Address to:
http://[[user][:pass]@]proxyhost[:port]
In the Web User Interface, use the setting in the Automatic Updates page
in the advanced mode.
Q. Does the real-time scan work on an NFS server?
A. If the product is installed on an NFS server, the real-time scan does
not scan files automatically when a client accesses a file on the server.
D.6 Generic Issues
Q. How can I clean an interrupted installation?
A. If the product installation is interrupted, you may have to remove the
product components manually.
a. List all installed rpm packages:
rpm -qa | grep f-secure
rpm -qa | grep fsav
b. Remove the installed packages. Run the following command for each
installed package:
rpm -e --noscripts <package_name>
c. Remove all of the product installation directories:
NAME
fsav - command line interface for F-Secure Anti-Virus
SYNOPSIS
fsav [options] target ...
Description
fsav is a program that scans files for viruses and other malicious
code. fsav scans the specified targets (files or directories) and
reports any malicious code it detects. Optionally, fsav disinfects,
renames or deletes infected files.
The types of viruses F-Secure Anti-Virus detects and disinfects include
but are not limited to: Linux viruses, macro viruses infecting Microsoft
Office files, Windows viruses and DOS file viruses. F-Secure Anti-Virus
can also detect spyware, adware and other riskware (in selected products).
fsav can scan files inside ZIP, ARJ, LHA, RAR, GZIP, TAR, CAB and BZ2
archives and MIME messages. F-Secure Anti-Virus utilizes three scanners
to scan files: the F-Secure Corporation Orion and Libra scan engines and
the Kaspersky Lab AVP scan engine.
fsav requires the fsavd scanner daemon to scan files. fsav uses UNIX
domain sockets to communicate with the daemon. If fsavd is not running,
fsav launches fsavd before the scan.
--action1-exec=PROGRAM  F-Secure Anti-Virus runs PROGRAM if the primary
action is set to custom/exec.
--action2-exec=PROGRAM  F-Secure Anti-Virus runs PROGRAM if the secondary
action is set to custom/exec.
--action-timeout={e,c}  What to do when the scan times out: treat the
timeout as error (e) or clean (c).
--archive[={on,off,yes,no,1,0}]  Scan files inside archives (default).
Archives are still scanned as normal files with or without this option.
See the NOTES section below about nested archives.
--auto[={on,off,yes,no,1,0}]  Disable action confirmation. Assumes 'Yes'
to all enabled actions.
--avp[={on,off,yes,no,1,0}]  Enable/disable the AVP scanning engine for
the scan and the disinfection. If any engine is enabled, all other
engines are disabled (unless