F-secure ANTI-VIRUS LINUX CLIENT SECURITY ADMINISTRATOR GUIDE

F-Secure Anti-Virus
Linux Client Security
Administrator’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
Companies, names and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of F-Secure Corporation.
This product may be covered by one or more F-Secure patents, including the following:
GB2353372 GB2366691 GB2366692 GB2366693 GB2367933 GB2368233 GB2374260
Copyright © 2007 F-Secure Corporation. All rights reserved. 12000074-07B27
Contents
Chapter 1  Introduction  5
1.1  Welcome  6
1.2  How the Product Works  6
1.3  Key Features and Benefits  9
1.4  F-Secure Anti-Virus Server and Gateway Products  11
Chapter 2  Deployment  13
2.1  Deployment on Multiple Stand-alone Linux Workstations  14
2.2  Deployment on Multiple Centrally Managed Linux Workstations  14
2.3  Central Deployment Using Image Files  15
Chapter 3  Installation  16
3.1  System Requirements  17
3.2  Installation Instructions  18
3.2.1  Stand-alone Installation  19
3.2.2  Centrally Managed Installation  21
3.3  Upgrading from a Previous Product Version  24
3.4  Upgrading the Evaluation Version  25
3.5  Replicating Software Using Image Files  26
3.6  Preparing for Custom Installation  26
3.7  Unattended Installation  27
3.8  Installing Command Line Scanner Only  28
3.9  Creating a Backup  29
3.10  Uninstallation  30
Chapter 4  Getting Started  31
4.1  Accessing the Web User Interface  32
4.2  Basics of Using F-Secure Policy Manager  32
4.3  Testing the Antivirus Protection  33
Chapter 5  User Interface - Basic Mode  34
5.1  Summary  35
5.2  Common Tasks  36
Chapter 6  User Interface - Advanced Mode  37
6.1  Alerts  38
6.2  Virus Protection  40
6.2.1  Real-Time Scanning  40
6.2.2  Scheduled Scanning  44
6.2.3  Manual Scanning  44
6.3  Firewall Protection  49
6.3.1  General Settings  51
6.3.2  Firewall Rules  52
6.3.3  Network Services  54
6.4  Integrity Checking  57
6.4.1  Known Files  57
6.4.2  Verify Baseline  61
6.4.3  Generate Baseline  61
6.4.4  Rootkit Prevention  63
6.5  General Settings  64
6.5.1  Communications  64
6.5.2  Automatic Updates  66
6.5.3  About  69
Chapter 7  Command Line Tools  70
7.1  Overview  71
7.2  Virus Protection  71
7.2.1  fsav  71
7.2.2  dbupdate  72
7.3  Firewall Protection  72
7.3.1  fsfwc  73
7.4  Integrity Checking  73
7.4.1  fsic  73
7.4.2  fsims  74
7.5  General Command Line Tools  74
7.5.1  fssetlanguage  74
7.5.2  fsma  75
7.5.3  fsav-config  76
Appendix A  Installation Prerequisites  77
A.1  All 64-bit Distributions  78
A.2  Red Hat Enterprise Linux 4  78
A.3  Debian 3.1 and Ubuntu 5.04, 5.10, 6.06  79
A.4  SuSE  80
A.5  Turbolinux 10  80
Appendix B  Installing Required Kernel Modules Manually  81
B.1  Introduction  82
B.2  Before Installing Required Kernel Modules  82
B.3  Installation Instructions  82
Appendix C  List of Used System Resources  84
C.1  Overview  85
C.2  Installed Files  85
C.3  Network Resources  85
C.4  Memory  86
C.5  CPU  86
Appendix D  Troubleshooting  87
D.1  User Interface  88
D.2  F-Secure Policy Manager  89
D.3  Integrity Checking  89
D.4  Firewall  91
D.5  Virus Protection  93
D.6  Generic Issues  93
Appendix E  Man Pages  96
Technical Support  165
Introduction  166
F-Secure Online Support Resources  166
Web Club  167
Virus Descriptions on the Web  167
1

INTRODUCTION

Welcome  6
How the Product Works  6
Key Features and Benefits  9
F-Secure Anti-Virus Server and Gateway Products  11

1.1 Welcome

Welcome to F-Secure Anti-Virus Linux Server Security. Computer viruses are one of the most harmful threats to the security of data on computers. Viruses have increased in number from just a handful a few years ago to many thousands today. While some viruses are harmless pranks, other viruses can destroy data and pose a real threat.
The product provides an integrated, out-of-the-box ready security solution with strong real-time antivirus protection and host intrusion prevention (HIPS) functionality that protects against unauthorized connection attempts from the network, unauthorized system modifications, and userspace and kernel rootkits. The solution can be easily deployed and managed either using the local graphical user interface or F-Secure Policy Manager.
F-Secure Policy Manager provides a tightly integrated infrastructure for defining and distributing security policies and monitoring the security of different applications from one central location.

1.2 How the Product Works

The product detects and prevents intrusions and protects against malware. With the default settings, workstations and servers are protected right after the installation without any time spent configuring the product.
Protection Against Malware
The product protects the system against viruses and potentially malicious files.
When a user downloads a file from the Internet, for example by clicking a link in an e-mail message, the file is scanned when the user tries to open it. If the file is infected, the product protects the system against the malware.
Real-time Scanning
Real-time scanning gives you continuous protection against viruses as files are opened, copied, and downloaded from the Web. Real-time scanning functions transparently in the background, looking for viruses whenever you access files on the hard disk, diskettes, or network drives. If you try to access an infected file, the real-time protection automatically stops the virus from executing.
Manual Scanning And Scheduled Scanning
When the real-time scanning has been configured to scan a limited set of files, manual scanning can be used to scan the full system, or you can use scheduled scanning to scan the full system at regular intervals.
Automatic Updates
Automatic Updates keep the virus definitions always up-to-date. The virus definition databases are updated automatically after the product has been installed. The virus definition updates are signed by the F-Secure Anti-Virus Research Team.
Host Intrusion Prevention System
The Host Intrusion Prevention System (HIPS) detects any malicious activity on the host, protecting the system on many levels.
Integrity Checking
Integrity Checking protects the system against unauthorized modifications. It is based on the concept of a known good configuration: the product should be installed before the server or workstation is connected to the network to guarantee that the system is in a known good configuration.
You can create a baseline of the system files you want to protect and block modification attempts of protected files for all users.
Firewall
The firewall component is a stateful packet filtering firewall which is based on Netfilter and Iptables. It protects computers against unauthorized connection attempts. You can use predefined security profiles which are tailored for common use cases to select the traffic you want to allow and deny.
Protection Against Unauthorized System Modifications
If an attacker gains shell access to the system and tries to add a user account in order to log in to the system later, the Host Intrusion Prevention System (HIPS) detects the modified system files and alerts the administrator.
Protection Against Userspace Rootkits
If an attacker has gained access to the system and tries to install a userspace rootkit by replacing various system utilities, HIPS detects the modified system files and alerts the administrator.
Protection Against Kernel Rootkits
If an attacker has gained access to the system and tries to install a kernel rootkit by loading a kernel module, for example through /sbin/insmod or /sbin/modprobe, HIPS detects the attempt, prevents the unknown kernel module from loading and alerts the administrator.
If an attacker has gained access to the system and tries to install a kernel rootkit by modifying the running kernel directly via /dev/kmem, HIPS detects the attempt, prevents the write attempts and alerts the administrator.
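The Integrity Checking and modified-system-file detection described above rest on a baseline of known files keyed with a passphrase (the installer asks for this "passphrase for HMAC creation" in the installation steps later in this guide). The following Python sketch is an added illustration and not F-Secure's code: it builds such a baseline, verifies it, and reports the two kinds of change described above, a protected file altered on disk and a baseline record edited by someone who does not know the passphrase. The file names, contents and passphrase are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_mac(passphrase, path, digest, mode):
    """Keyed MAC over one baseline record. Without the passphrase an attacker
    who edits a protected file cannot also forge a matching baseline entry."""
    msg = "{}\0{}\0{:o}".format(path, digest, mode).encode()
    return hmac.new(passphrase.encode(), msg, hashlib.sha256).hexdigest()


def generate_baseline(passphrase, paths):
    """Record the content digest and permission bits of each known file."""
    baseline = {}
    for p in paths:
        mode = os.stat(p).st_mode & 0o7777
        digest = file_digest(p)
        baseline[p] = {"sha256": digest, "mode": mode,
                       "mac": entry_mac(passphrase, p, digest, mode)}
    return baseline


def verify_baseline(passphrase, baseline):
    """Return (path, finding) pairs; an empty list means the system matches."""
    findings = []
    for p, rec in baseline.items():
        expected = entry_mac(passphrase, p, rec["sha256"], rec["mode"])
        # Check the record itself first: a forged digest fails here.
        if not hmac.compare_digest(expected, rec["mac"]):
            findings.append((p, "baseline record tampered or wrong passphrase"))
            continue
        if not os.path.exists(p):
            findings.append((p, "file missing"))
            continue
        if os.stat(p).st_mode & 0o7777 != rec["mode"]:
            findings.append((p, "permissions changed"))
        if file_digest(p) != rec["sha256"]:
            findings.append((p, "content modified"))
    return findings


def demo():
    """Constructed scenario from the text above: an account is appended to the
    password file and a system utility is swapped; the stored digest of the
    swapped binary is then edited without knowledge of the passphrase."""
    root = tempfile.mkdtemp()
    passwd = os.path.join(root, "passwd")   # stands in for /etc/passwd
    login = os.path.join(root, "login")     # stands in for a system utility
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    with open(login, "wb") as f:
        f.write(b"\x7fELF original login binary (constructed)")
    os.chmod(login, 0o755)
    passphrase = "demo-passphrase"          # constructed value for the demo
    baseline = generate_baseline(passphrase, [passwd, login])
    clean = verify_baseline(passphrase, baseline)      # expected: []

    with open(passwd, "a") as f:            # extra account added for later login
        f.write("backdoor:x:0:0::/:/bin/sh\n")
    with open(login, "wb") as f:            # userspace rootkit replaces utility
        f.write(b"\x7fELF trojaned login (constructed)")
    baseline[login]["sha256"] = file_digest(login)   # forged digest, no passphrase
    return clean, verify_baseline(passphrase, baseline)


if __name__ == "__main__":
    clean, after = demo()
    print("clean system:", clean)
    for path, finding in after:
        print("ALERT:", finding, "-", path)
```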

1.3 Key Features and Benefits

Superior Protection against Viruses and Worms
The product scans files on any Linux-supported file system. This is the optimum solution for computers that run several different operating systems with a multi-boot utility.
Superior detection rate with multiple scanning engines. A heuristic scanning engine can detect suspicious, potentially malicious files.
The product can be configured so that the users cannot bypass the protection.
Files are scanned for viruses when they are opened and before they are executed.
You can specify what files to scan, how to scan them, what action to take when malicious content is found and how to alert about the infections.
Recursive scanning of archive files.
Virus definition database updates are signed for security.
Integrated firewall component with predefined security levels. Each security level comprises a set of rules that allow or deny network traffic based on the protocols used.
Transparent to End-users
The product has an easy-to-use user interface.
The product works totally transparently to the end users.
Virus definition databases are updated automatically without any need for end-user intervention.
Protection of Critical System Files
Critical information of system files is stored and automatically checked before access is allowed.
The administrator can protect files against changes so that it is not possible to install, for example, a trojan version.
The administrator can define that all Linux kernel modules are verified before the modules are allowed to be loaded.
An alert is sent to the administrator when a modified system file is found.
Easy to Deploy and Administer
The default settings apply in most systems and the product can be taken into use without any additional configuration.
Security policies can be configured and distributed from one central location.
Extensive Alerting Options
The product has extensive monitoring and alerting functions that can be used to notify any administrator in the company network about any infected content that has been found.
Alerts can be forwarded to F-Secure Policy Manager Console, e-mail and syslog.

1.4 F-Secure Anti-Virus Server and Gateway Products

The F-Secure Anti-Virus product line consists of workstation, file server, mail server and gateway products.
F-Secure Messaging Security Gateway delivers the industry's most complete and effective security for e-mail. It combines a robust, enterprise-class messaging platform with perimeter security, antispam, antivirus, secure messaging and outbound content security capabilities in an easy-to-deploy, hardened appliance.
F-Secure Internet Gatekeeper for Linux is a high performance, totally automated web (HTTP and FTP) and e-mail (SMTP and POP) virus scanning solution for the gateway level. F-Secure Internet Gatekeeper works independently of firewall and e-mail server solutions, and does not affect their performance.
F-Secure Internet Gatekeeper (for Windows) is a high performance, totally automated web (HTTP and FTP-over-HTTP) and e-mail (SMTP) virus scanning solution for the gateway level. F-Secure Internet Gatekeeper works independently of firewall and e-mail server solutions, and does not affect their performance.
F-Secure Anti-Virus for Microsoft Exchange protects your Microsoft Exchange users from malicious code contained within files they receive in mail messages and documents they open from shared databases. Malicious code is also stopped in outbound messages and in notes being posted on Public Folders. The product operates transparently and scans files in the Exchange Server Information Store in real-time. Manual and scheduled scanning of user mailboxes and Public Folders is also supported.
F-Secure Anti-Virus for MIMEsweeper provides a powerful anti-virus scanning solution that tightly integrates with Clearswift MAILsweeper and WEBsweeper products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web, giving the corporation the powerful combination of complete content security.
F-Secure Anti-Virus for Citrix Servers ensures business continuity without disruptions caused by viruses and other malicious content. Citrix solutions enable businesses to improve their productivity by providing easy access to information and applications regardless of time, place and access device.
2

DEPLOYMENT

Deployment on Multiple Stand-alone Linux Workstations  14
Deployment on Multiple Centrally Managed Linux Workstations  14
Central Deployment Using Image Files  15

2.1 Deployment on Multiple Stand-alone Linux Workstations

When the company has multiple Linux workstations deployed, but they are not managed centrally, the workstation users can install the software themselves.
In organizations with few Linux machines, the graphical user interface can be used to manage Linux workstations instead of F-Secure Policy Manager. For more information on stand-alone installation without F-Secure Policy Manager, see “Stand-alone Installation”, 19.
Centrally Managed installation with F-Secure Policy Manager installed on a separate computer is recommended. In this mode, F-Secure Policy Manager is used to manage Linux workstations. For more information on Centrally Managed installation, see “Centrally Managed Installation”, 21.
The recommended deployment method is to delegate the installation responsibility to each workstation user and then monitor the installation progress via F-Secure Policy Manager Console. After the installation on a host has completed, the host sends an autoregistration request to F-Secure Policy Manager. You can monitor with F-Secure Policy Manager Console which of the hosts have sent an autoregistration request.

2.2 Deployment on Multiple Centrally Managed Linux Workstations

When the company has multiple Linux workstations deployed and they are managed through Red Hat Network, Ximian Red Carpet, or a similar framework, the software can be pushed to the workstations using the existing management framework.

2.3 Central Deployment Using Image Files

When the company has a centralized IT department that installs and maintains computers, the software can be installed centrally on all workstations.
The recommended way to deploy the product is to create an image of a Linux workstation with the product preinstalled. For instructions on how to do this, see “Replicating Software Using Image Files”, 26.
3

INSTALLATION

System Requirements  17
Installation Instructions  18
Upgrading from a Previous Product Version  24
Upgrading the Evaluation Version  25
Replicating Software Using Image Files  26
Preparing for Custom Installation  26
Creating a Backup  29
Uninstallation  30

3.1 System Requirements

Operating system:
Novell Linux Desktop 9
SUSE Linux 9.0, 9.1, 9.2, 9.3, 10, 10.1, 10.2
Ubuntu 5.10 (Breezy), 6.06 (Dapper Drake)
SUSE Linux Enterprise Server 8, 9, 10
SUSE Linux Enterprise Desktop 10
Red Hat Enterprise Linux 4, 3, 2.1 AS
Miracle Linux 2.1
Miracle Linux 3.0
Asianux 2.0
Turbolinux 10
Debian 3.1
The following 64-bit (AMD64/EM64T) distributions are supported with 32-bit compatibility packages:
SUSE Linux Enterprise Server 9, 10
SUSE Linux Enterprise Desktop 10
Red Hat Enterprise Linux 4
Asianux 2.0
Turbolinux 10
Kernel version: Linux kernel 2.4 or later (for 64-bit support, Linux kernel 2.6 or later)
Glibc version: Glibc 2.2.4 or later
Processor: Intel x86
Memory: 256 MB RAM or more
Disk space: 200 MB
Konqueror is not a supported browser with the local user interface. It is recommended to use the Mozilla or Firefox browsers.
Note About Dazuko Version
The product needs the Dazuko kernel module for the real-time virus protection, integrity checking and rootkit protection. Dazuko is an open-source kernel module that provides an interface for the file access control. More information is at http://www.dazuko.org
The product installs the Dazuko driver during the product installation. The product has been tested extensively with the Dazuko version that is included with the product. Operation with other Dazuko versions or Linux distribution provided Dazuko versions is not supported or recommended.

3.2 Installation Instructions

The following installation modes are available:
Stand-alone installation.
This installation mode is meant for evaluation use and for environments with few Linux workstations or servers where central administration with F-Secure Policy Manager is not necessary.
When you install the product in stand-alone mode, you configure and manage the product with the web user interface, which can be opened from the system tray or with the http://localhost:28080/ (local) or https://<host.domain>:28082/ (remote) address.
In addition to the user interface, the stand-alone installation creates the F-Icon and a program entry under the applications menu, and enables you to use the “right-mouse click” function.
For installation instructions, see “Stand-alone Installation”, 19.
Centrally Managed installation.
The product is installed locally, and it is managed with F-Secure Policy Manager that is installed on a separate computer.
Centrally managed installation is the recommended installation mode when taking the product into use in a large network environment.
For installation instructions, see “Centrally Managed Installation”, 21.
For information on how to install the product on multiple computers, see “Replicating Software Using Image Files”, 26.
For information on how to install the product in the unattended mode, which does not ask any questions during the installation, see “Unattended Installation”, 27.
IMPORTANT: If you have some other vendor’s antivirus software installed on the computer, you must uninstall it before installing the product.

3.2.1 Stand-alone Installation

During the installation, you must have a compiler and the kernel source installed. Read the documentation of your distribution on how to check that the required tools are installed. For some common distribution-specific instructions on how to install the required tools on the computer, see “Installation Prerequisites”, 77.
It is recommended to use the default settings during the installation. To select the default value, press ENTER to any question during the installation.
Follow these instructions to install the product in stand-alone mode. You will need to install the product using an account with root privileges.
1. Copy the installation file to your hard disk. Use the following command to extract the installation file:
tar zxvf f-secure-linux-client-security-<version>.<build>.tgz
2. Make sure that the installation file is executable:
chmod a+x f-secure-linux-client-security-<version>.<build>
3. Run the following command to start the installation:
./f-secure-linux-client-security-<version>.<build>
4. Select the language you want to use in the web user interface during the installation.
Select language to use in Web User Interface [1] English (default) [2] Japanese [3] German
5. The installation displays the license agreement. If you accept the agreement, answer yes and press ENTER to continue.
6. Enter the keycode to install the full, licensed version of the product. Enter the keycode in the format you received it, including the hyphens that separate sequences of letters and digits:
If you are installing the evaluation version and do not have a keycode, press ENTER.
7. Select the Standalone installation.
8. Select whether you want to allow remote access to the web user interface.
Allow remote access to the web user interface? [no]
9. Select whether the web user interface can be opened from the localhost without a login.
Allow connections from localhost to the web user interface without login? [yes]
10. Enter the user name who is allowed to access the web user interface.
Please enter the user name who is allowed to use the web user interface.
The user name is a local Linux account. You have to create the account if it does not exist yet. Do not use the root account for this purpose.
11. Select whether you want to add the currently installed kernel modules to the Integrity Checker known files list and generate the baseline. For more information, see “Generate Baseline”, 61.
Would you like to enable Linux kernel module verification [yes]?
12. Enter the baseline passphrase. For more information, see “Passphrase”, 62.
Please insert passphrase for HMAC creation (max 80 characters)
13. The installation is complete.
After the installation is complete, you can start the F-icon systray applet with the fsui command.
For information on how to access the web user interface and to see that the virus protection is working, see “Getting Started”, 31.

3.2.2 Centrally Managed Installation

During the installation, you must have a compiler and the kernel source installed. Read the documentation of your distribution on how to check that the required tools are installed. For some common distribution-specific instructions on how to install the required tools on the computer, see “Installation Prerequisites”, 77.
When you install the product in centrally managed mode, you must first have F-Secure Policy Manager installed on a separate computer. For F-Secure Policy Manager Console installation instructions, see the F-Secure Policy Manager Administrator’s Guide.
IMPORTANT: Before you start the installation, you have to copy the admin.pub key from F-Secure Policy Manager to the computer where you will install the product. You can do this by using, for example, scp, sftp or any removable media. By default the installation script assumes that the admin.pub key is located in the /root directory.
Follow the instructions below to install the product in centrally managed mode. You will need to install the product using an account with root privileges.
1. Copy the installation file to your hard disk. Use the following command to extract the installation file:
tar zxvf f-secure-linux-client-security-<version>.<build>.tgz
2. Make sure that the installation file is executable:
chmod a+x f-secure-linux-client-security-<version>.<build>
3. Run the following command to start the installation:
./f-secure-linux-client-security-<version>.<build>
The setup script will display some questions. The default value is shown in brackets after the question. Press ENTER to select the default value.
4. Select the language you want to use in the web user interface during the installation.
Select language to use in Web User Interface [1] English (default) [2] Japanese [3] German
5. The installation displays the license agreement. If you accept the agreement, answer
yes and press ENTER to continue.
6. Enter the keycode to install the full, licensed version of the product. Enter the keycode in the format you received it, including the hyphens that separate sequences of letters and digits:
If you are installing the evaluation version and do not have a keycode, press
ENTER.
7. Type C to select the centrally managed installation.
8. Enter the address of the F-Secure Policy Manager Server.
Address of F-Secure Policy Manager Server: [http://localhost/]:
9. Enter the location of the admin.pub key. This is the key that you created during F-Secure Policy Manager Console Installation.
Give the admin.pub file location [/root/admin.pub]:
You can use the TAB key to complete directory and file names when you enter the file name.
10. Select whether you want to allow remote accesses to the web user interface.
Allow remote access to the web user interface? [no]
11. Select whether the web user interface can be opened from the localhost without a login.
Allow connections from localhost to the web user interface without login? [yes]
12. Enter the user name who is allowed to use the web user interface.
Please enter the user name who is allowed to use the web user interface.
The user name is a local Linux account. You have to create the account if it does not exist yet. Do not use the root account for this purpose.
13. Select whether you want to add the currently installed kernel modules to the Integrity Checker known files list and generate the baseline. For more information, see “Generate Baseline”, 61.
Would you like to enable Linux kernel module verification [yes]?
14. Enter the baseline passphrase. For more information, see “Passphrase”, 62.
Please insert passphrase for HMAC creation (max 80 characters)
15. The installation is complete.
16. Install the included upgrade for F-Secure Policy Manager Console.
a. Select Installation Packages in the Tools menu.
b. Select to import the fsav_linux_*_mib.jar file.
17. The product receives the policy file from the F-Secure Policy Manager within 10 minutes after the installation. If you do not want to wait for the policy file, run the following command:
/etc/init.d/fsma fetch
After the installation is complete, you can start the F-icon systray applet with the fsui command.
For information on how to access the web user interface and how to check that the virus protection is working, see “Getting Started”, 31.

3.3 Upgrading from a Previous Product Version

If you are running version 5.20 or later, you can install the new version without uninstalling the previous version.
If you have an earlier version, upgrade it to 5.20 first, or uninstall it before you install the latest version. The uninstallation preserves all settings and the host identity, so you do not need to import the host to the F-Secure Policy Manager again. For more information, see “Uninstalling Earlier Version”, 25.
The product upgrade asks for the keycode you have received with the new version. If you are running an earlier version in the evaluation mode, you have to provide a valid keycode for the new version during the upgrade.
If you are running an earlier version in the evaluation mode and you want to evaluate the latest version, you have to uninstall the earlier version first. You can install the latest in the evaluation mode during the clean install.
If you do not have a valid keycode during the upgrade, press CTRL-C to abort the upgrade. The installer uninstalls the product and you can make a clean install.
Manual scanning, scheduled scanning and database update settings have changed in version 5.30 and later. If you have modified these settings before the upgrade, you have to make the same modifications again after the upgrade.
Note that the upgrade deletes all alerts generated with the earlier version.
Upgrading from F-Secure Anti-Virus 4.65
You can upgrade version 4.65 to a command line only installation of version 5.52 by running the installer normally. Your old configuration file will be stored as /opt/f-secure/fsav/migration/fsav4.conf. For more information, see “Installation Instructions”, 18.
If you want to upgrade version 4.65 to the full 5.52 version, uninstall the old version first and run the 5.52 installer normally. For more information, see “Uninstalling Earlier Version”, 25.
Uninstalling Earlier Version
If you have version 5.x, run the following command from the command line to uninstall it:
/opt/f-secure/fsav/bin/uninstall-fsav
If you have version 4.x, remove the following directories and files to uninstall it:
/opt/f-secure/fsav/
/var/opt/f-secure/fsav/
/etc/opt/f-secure/fsav/
/usr/bin/fsav
/usr/share/man/man1/fsav.1
/usr/share/man/man5/fsav.conf.5
/usr/share/man/man5/fsavd.conf.5
/usr/share/man/man8/dbupdate.8
/usr/share/man/man8/fsavd.8
/usr/share/man/man8/fsavschedule.8

3.4 Upgrading the Evaluation Version

If you want to upgrade the evaluation version to the full, licensed version of the product, run the installation as normal. The upgrade script notices the trial version and upgrades the packages.
Enter the keycode to upgrade to the licensed version of the product. Enter the keycode in the format you received it, including the hyphens that separate sequences of letters and digits.
If the evaluation period has expired, uninstall the current installation first. For more information, see “Uninstallation”, 30.

3.5 Replicating Software Using Image Files

If you are going to install the product on several computers, you can create a disk image file that includes the product and use this image to replicate the software on the computers. Make sure that each computer on which the software is installed will create a new unique identification code.
Follow these steps to make sure that each computer uses a personalized Unique ID when a disk imaging software is used:
1. Install the system and all the software that should be in the image file, including the product.
2. Configure the product to use the correct F-Secure Policy Manager Server. However, do not import the host to F-Secure Policy Manager Console if the host has sent an autoregistration request to the F-Secure Policy Manager Server. Only hosts on which the image file will be installed should be imported.
3. Run the following command:
/etc/init.d/fsma clearuid
The utility program resets the Unique ID in the product installation.
4. Shut down the computer and do not restart the computer before the image file has been created.
5. Create the disk image file.
A new Unique ID is created automatically when the system is restarted. This will happen individually on each machine where the image file is installed. These machines will send autoregistration requests to F-Secure Policy Manager and the request can be processed normally.

3.6 Preparing for Custom Installation

The product installation package is a self-extracting package, which contains the software as RPMs. If there is a need to create a custom installation package, the RPMs can be extracted from the package as follows:
1. Type the following command:
./f-secure-linux-client-security-<version>.<build> rpm
2. Install RPM packages.
IMPORTANT: The /opt/f-secure/fsav/fsav-config script must be executed after the RPMs have been installed, otherwise the product will not operate.

3.7 Unattended Installation

You can install the product in the unattended mode. In unattended mode, you provide all the information on the installer command line (or fsav-config command line, if you install from RPM packages). The unattended installation mode asks no questions during the installation. Use the following command line switch during the installation:
--auto MODE [fspms=FSPMSURL adminkey=/PATH/TO/ADMIN.PUB] lang=en|de|ja [no]remotewui [no]locallogin user=USER kernelverify|nokernelverify pass=PASSPHRASE keycode=KEYCODE
Where MODE is standalone for the standalone installation or managed for the centrally managed installation.
If MODE is managed, you have to provide the URL to F-Secure Policy Manager Server and the location of the administrator public key, for example: fspms=http://fspms.company.com/ adminkey=/root/admin.pub
Use the following options in the command line:
lang: Select the language for the web user interface.
remotewui: Allow remote access to the web user interface.
noremotewui: Do not allow remote access to the web user interface.
nolocallogin: Allow local access to the web user interface without login.
locallogin: Require login for the local access to the web user interface.
user=USER: Specify the local account to use for the web user interface login.
kernelverify: Turn on the kernel module verification.
nokernelverify: Turn off the kernel module verification.
pass=PASS: Specify the passphrase for the baseline generation.
keycode=KEYCODE: Specify the keycode for license checks. If no keycode is provided, the product is installed in the evaluation mode.
For example, to install the product in standalone mode with the English web user interface, no remote access to the web user interface, no login required for local web user interface access and no kernel module verification:
./f-secure-linux-client-security-<version>.<build> --auto standalone lang=en noremotewui nolocallogin nokernelverify
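An added example, not part of the F-Secure guide: a small shell wrapper that assembles the --auto argument list described above for a mass rollout and checks the inputs that are easy to get wrong (admin.pub missing, root chosen as the web UI account, an over-long passphrase, managed mode without fspms= and adminkey=). The helper names build_auto_args, check_admin_key and check_wui_user and the sample values are hypothetical; the option names are the ones the guide lists.

```shell
#!/bin/sh
# Added example, not part of the F-Secure guide: assemble and sanity-check the
# --auto argument list for an unattended install before calling the installer.
# The helper names (build_auto_args, check_admin_key, check_wui_user) are hypothetical.

# Verify that the admin.pub key copied from F-Secure Policy Manager is readable.
check_admin_key() {  # check_admin_key /path/to/admin.pub
    [ -r "$1" ] && [ -s "$1" ]
}

# The web user interface account must be an existing local account, not root.
# PASSWD_FILE defaults to /etc/passwd; it is a parameter so the check is testable.
check_wui_user() {  # check_wui_user USER [PASSWD_FILE]
    user=$1; passwd=${2:-/etc/passwd}
    if [ "$user" = root ]; then
        echo "refusing to use root for the web user interface" >&2
        return 1
    fi
    grep -q "^$user:" "$passwd" || { echo "no local account named $user" >&2; return 1; }
}

# Print the argument string for the installer.
# build_auto_args MODE FSPMS_URL ADMIN_KEY LANG WUI_USER PASSPHRASE [KEYCODE]
# (pass an empty FSPMS_URL and ADMIN_KEY for standalone mode).
build_auto_args() {
    mode=$1; fspms=$2; adminkey=$3; lang=$4; wuiuser=$5; pass=$6; keycode=$7
    case "$mode" in
        standalone|managed) ;;
        *) echo "MODE must be standalone or managed" >&2; return 1 ;;
    esac
    case "$lang" in
        en|de|ja) ;;
        *) echo "lang must be en, de or ja" >&2; return 1 ;;
    esac
    # The guide caps the baseline passphrase at 80 characters.
    if [ ${#pass} -eq 0 ] || [ ${#pass} -gt 80 ]; then
        echo "passphrase must be 1 to 80 characters" >&2
        return 1
    fi
    args="--auto $mode"
    if [ "$mode" = managed ]; then
        # Managed mode needs both the Policy Manager Server URL and the admin.pub path.
        if [ -z "$fspms" ] || [ -z "$adminkey" ]; then
            echo "managed mode needs fspms= and adminkey=" >&2
            return 1
        fi
        args="$args fspms=$fspms adminkey=$adminkey"
    fi
    # Conservative choices: no remote web UI, login required locally, kernel
    # module verification on. The passphrase ends up on the installer's command
    # line, so run this from a root-only script rather than a shared shell.
    args="$args lang=$lang noremotewui locallogin user=$wuiuser kernelverify pass=$pass"
    # Without keycode= the product installs in evaluation mode.
    if [ -n "$keycode" ]; then
        args="$args keycode=$keycode"
    fi
    printf '%s\n' "$args"
}

# Typical use (installer name from the guide, values hypothetical):
#   ./f-secure-linux-client-security-<version>.<build> \
#       $(build_auto_args managed http://fspms.example.com/ /root/admin.pub en fsadmin S3cretPhrase)
```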

3.8 Installing Command Line Scanner Only

The command line only installation installs only the command line scanner and the automatic update agent. The installation mode is designed for users migrating from the F-Secure Anti-Virus for Linux 4.6x series and for users who do not need the real-time protection, integrity checking, web user interface or central management, for example users running the AMaViS mail virus scanner.
Use the following command line when running the installer to install the command line scanner only version of the product:
./f-secure-linux-server-security-<version>.<build> --command-line-only
If you are running an earlier version and you want to upgrade to the latest version, but you want to install the command line scanner only, you have to uninstall the earlier version first.
Use the /etc/opt/f-secure/fssp/fssp.conf configuration file to configure the command line scanner only installation. See the file for detailed descriptions of the available settings.

3.9 Creating a Backup

To backup all relevant data, run the following commands:
# /etc/init.d/fsma stop
# /etc/init.d/fsaua stop
# tar cpsf <backup-filename>.tar /etc/init.d/fsma /etc/init.d/fsaua /etc/opt/f-secure /var/opt/f-secure /opt/f-secure
# /etc/init.d/fsaua start
# /etc/init.d/fsma start
To restore data from backup file, run the following commands:
# /etc/init.d/fsma stop
# /etc/init.d/fsaua stop
# cd /
# rm -rf /var/opt/f-secure
# tar xpsf <backup-filename>.tar
# /etc/init.d/fsaua start
# /etc/init.d/fsma start
Make sure that the fsma and fsaua users and the fsc group exist after the backup has been restored, for example by also backing up the /etc/passwd, /etc/shadow and /etc/group files.
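An added example, not part of the F-Secure guide: the backup and restore sequences above as shell functions, plus the account check the note calls for. The function names are hypothetical, and ROOT is an assumed prefix (default /) so the functions can be exercised against a scratch directory tree instead of a live system.

```shell
#!/bin/sh
# Added example, not part of the F-Secure guide: backup and restore helpers that
# follow the stop / tar / start sequence above and check the service accounts
# afterwards. Function names are hypothetical. ROOT (default /) is a prefix so
# the helpers can be exercised against a scratch directory tree.

# The paths the guide lists for backup, relative to ROOT.
FSAV_PATHS="etc/init.d/fsma etc/init.d/fsaua etc/opt/f-secure var/opt/f-secure opt/f-secure"

# Print ROOT without its trailing slash ("" for the real root).
fsav_root() {
    r=${ROOT:-/}
    printf '%s' "${r%/}"
}

# Run an init script action only when the script exists under ROOT.
fsav_service() {  # fsav_service NAME ACTION
    script="$(fsav_root)/etc/init.d/$1"
    if [ -x "$script" ]; then
        "$script" "$2"
    fi
}

# fsav_backup ARCHIVE: stop the services, archive the product paths, restart.
fsav_backup() {
    archive=$1; root=$(fsav_root)
    fsav_service fsma stop
    fsav_service fsaua stop
    present=""
    for p in $FSAV_PATHS; do
        if [ -e "$root/$p" ]; then present="$present $p"; fi
    done
    # -C stores the same relative paths as the guide's command; -p keeps the
    # permissions so the files come back exactly as they were.
    status=0
    tar cpf "$archive" -C "$root/" $present || status=$?
    fsav_service fsaua start
    fsav_service fsma start
    return $status
}

# fsav_restore ARCHIVE: the guide removes var/opt/f-secure first so stale
# runtime state does not survive the restore.
fsav_restore() {
    archive=$1; root=$(fsav_root)
    fsav_service fsma stop
    fsav_service fsaua stop
    rm -rf "$root/var/opt/f-secure"
    status=0
    tar xpf "$archive" -C "$root/" || status=$?
    fsav_service fsaua start
    fsav_service fsma start
    return $status
}

# The guide requires the fsma and fsaua users and the fsc group to exist after
# a restore; report whichever is missing (file paths are parameters for testing).
fsav_check_accounts() {  # fsav_check_accounts [PASSWD_FILE] [GROUP_FILE]
    passwd=${1:-/etc/passwd}; group=${2:-/etc/group}
    ok=0
    for u in fsma fsaua; do
        grep -q "^$u:" "$passwd" || { echo "missing user: $u" >&2; ok=1; }
    done
    grep -q "^fsc:" "$group" || { echo "missing group: fsc" >&2; ok=1; }
    return $ok
}
```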

3.10 Uninstallation

Run the script /opt/f-secure/fsav/bin/uninstall-fsav as root to uninstall the product.
The uninstall script does not remove configuration files. If you are sure that you do not need them any more, remove all files in the /etc/opt/f-secure/fsma path.
4 GETTING STARTED

Accessing the Web User Interface............................................. 32
Basics of Using F-Secure Policy Manager................................. 32
Testing the Antivirus Protection.................................................. 33

4.1 Accessing the Web User Interface

In small deployments where F-Secure Policy Manager is not available, the web user interface can be used to configure the product. You can access the web user interface from the system tray, or with the http://localhost:28080/ address.
If you allow the remote access to the web user interface, you can access it with the following HTTPS address: https://<host.domain>:28082/.
It is possible to use both F-Secure Policy Manager and the web user interface at the same time. Note that the user can locally override the settings created with F-Secure Policy Manager unless the administrator has prevented this by selecting the Final checkbox in the F-Secure Policy Manager settings.

4.2 Basics of Using F-Secure Policy Manager

If your corporate network utilizes F-Secure Policy Manager to configure and manage F-Secure products, you can add the product to the existing F-Secure Policy Manager environment. In the centralized administration mode, F-Secure Policy Manager Console is used to change settings and view statistics of the F-Secure products.
Use the variables under the F-Secure Anti-Virus Linux Server Security / Settings branch or the F-Secure Anti-Virus Linux Client Security / Settings branch, depending on the installed product, to define settings for the product.
For more information about F-Secure Policy Manager, see F-Secure Policy Manager Administrator’s Guide.

4.3 Testing the Antivirus Protection

To test whether the product operates correctly, you can use a special test file that is detected as a virus. This file, known as the EICAR Standard Anti-Virus Test File, is also detected by several other anti-virus programs. You can use the EICAR test file also to test your E-mail Scanning. EICAR is the European Institute of Computer Anti-virus Research. The EICAR info page can be found at http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml
You can test your antivirus protection as follows:
1. You can download the EICAR test file from http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml
Alternatively, use any text editor to create the eicar.com file with the following single line in it:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
2. Run the following command: fsav eicar.com
3. The product should detect the file as a virus. Naturally, the file is not a virus.
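An added example, not part of the F-Secure guide: the test above scripted so that the shell cannot silently corrupt the test string (the $EICAR and $H parts expand to nothing inside double quotes, and echo adds a newline), which would leave you scanning a harmless file and learning nothing. The helper names write_eicar, verify_eicar and run_eicar_test are hypothetical; fsav is the scanner the guide names.

```shell
#!/bin/sh
# Added example, not part of the F-Secure guide: create the EICAR test file so
# that the shell does not alter it, check it, and only then hand it to fsav.
# The helper names (write_eicar, verify_eicar, run_eicar_test) are hypothetical.

# Single quotes keep $EICAR and $H from being expanded as shell variables and
# leave the backslash alone; the string is exactly 68 bytes long.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar PATH: printf '%s' writes the bytes as-is, with no trailing newline.
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# verify_eicar PATH: succeed only if the file starts with the exact test string.
# A mistyped or variable-expanded copy is just harmless text, and a scanner that
# ignores it tells you nothing about the protection.
verify_eicar() {
    [ -f "$1" ] && [ "$(head -c 68 "$1")" = "$EICAR_STRING" ]
}

# run_eicar_test PATH: write, verify and scan. Returns 2 for a corrupt test file,
# 3 when fsav is not installed, otherwise fsav's own exit status.
run_eicar_test() {
    write_eicar "$1"
    if [ ! -e "$1" ]; then
        # With real-time scanning active and scanning on file close enabled,
        # the product may already have acted on the file (default actions are
        # Disinfect, then Rename). That is itself a sign the protection works.
        echo "$1 disappeared right after creation; check the Alerts page" >&2
        return 0
    fi
    verify_eicar "$1" || { echo "$1 is not a valid EICAR file, not scanning" >&2; return 2; }
    if ! command -v fsav >/dev/null 2>&1; then
        echo "fsav not found; test file left at $1" >&2
        return 3
    fi
    # The product should report the file as infected; it is not a real virus.
    fsav "$1"
}
```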
5 USER INTERFACE - BASIC MODE
Summary.................................................................................... 35
Common Tasks........................................................................... 36

5.1 Summary

The summary page displays the product status and the latest reports. The product status displays the protection status and any possible errors or malfunctions.
Status
Virus Protection: Shows the current Virus Protection level. Virus Protection levels allow you to change the level of protection according to your needs. If Virus Protection is disabled, your computer is vulnerable to virus attacks.
Firewall Protection: Shows the current firewall protection level. The firewall protection levels allow you to instantly change your firewall rule set. For more information, see “Firewall Rules”, 52. If Firewall Protection is disabled, your computer is vulnerable to hacking attacks.
Integrity Protection: Shows the current integrity protection level. For more information, see “Integrity Checking”, 57. If Integrity Protection is disabled, your computer is vulnerable to rootkits.
Click Details... for more information about the current protection status.
Reports
Virus Definitions Updated: Shows the time and status of the latest update.
Alerts: Shows the number of unread security alerts. Click View to view a list of alerts. For more information, see “Alerts”, 38.

5.2 Common Tasks

You can configure the manual scan and firewall settings and check the latest virus definition database updates from the common tasks page.
Choose one of the following actions:
Scan the computer for malware: Opens a scanning wizard that can scan the computer for any type of malware, including viruses, worms and trojans. Follow the on-screen instructions for more details. For more information, see “Manual Scanning”, 44.
Create a firewall rule: Create a new firewall rule. You can control which type of network traffic is allowed and denied with firewall rules. For more information, see “Add And Edit Rules”, 53.
Check the integrity of the file system: Check that important system files have not been modified without permission. For more information, see “Integrity Checking”, 57.
Update virus definitions: Retrieve the latest virus definition database updates from the Internet. For more information, see “Automatic Updates”, 66.
Install software: Install new software while maintaining the system integrity. The integrity checker checks the full system integrity and reports results, after which you can proceed installing software. Follow the on-screen instructions for more details. For more information, see “Software Installation Mode”, 60.
Click Modify advanced settings... to view and configure advanced settings.
6 USER INTERFACE - ADVANCED MODE
Alerts.......................................................................................... 38
Virus Protection.......................................................................... 40
Firewall Protection...................................................................... 49
Integrity Checking....................................................................... 57
General Settings......................................................................... 64

6.1 Alerts

On the Alerts page, you can read and delete alert messages. To find the alert message you want to view, follow these instructions:
1. Select the Status of security alerts you want to view.
Select All to view all alerts. Select Unread to view new alerts. Select Read to view alerts you have already viewed.
2. Select the Severity of security alerts you want to view. For more information, see “Alert Severity Levels”, 38.
Click alerts to highlight them and click Mark highlighted as read to flag them as read messages. Click Delete highlighted to delete all highlighted alerts.
Alert Database Maintenance
You can delete or mark multiple messages as read simultaneously. Select how old and which alert severity messages you want to edit and click Perform action to delete or mark selected messages as read.
Alert Severity Levels
Alerts are divided into the following severity levels:
Security Level: Description
Informational: Normal operating information from the host. For example, starting to update virus databases.
Warning: A warning from the host. For example, the virus definition database update is older than the previously accepted version.
Error: Recoverable error on the host. For example, an error when trying to read a file.
Fatal Error: Unrecoverable error on the host that requires attention from the administrator. For example, a process fails to start or loading a kernel module fails.
Security alert: For example, a virus alert. The alert includes information of the infection and the performed operation.

6.2 Virus Protection

Real-Time Scanning
Real-time scanning is completely transparent. By default, all files are scanned automatically when they are opened and executed.
Scheduled Scanning
If you want to scan the computer for viruses regularly, for example once a week, you can create a scheduled scanning task. Scheduled scanning uses the settings you have defined for manual scanning.
Manual Scanning
You can launch a manual scan any time you want if you suspect that there might be a virus on a computer. You can specify the manual scanning settings, for example the directories to scan and the action to take, independently of the real-time scanning settings.

6.2.1 Real-Time Scanning

On the Real-Time Scanning page, you can select what to scan automatically in real-time and what to do when a virus or other malware is found.
In most cases you do not need to change the Real-Time Scanning default settings before you take the system into use.
When the real-time scanning is enabled, any file you open is automatically scanned for viruses.
Action on infection
Select the primary and secondary actions to take when a virus is found. The secondary action takes place if the primary action cannot be performed.
By default, the primary action for infections is Disinfect and secondary action Rename. Choose one of the following actions:
Report and deny access: Displays and alerts about the found virus and blocks access to it. No other action is taken against the infected file. View Alerts to check security alerts. For more information, see “Alerts”, 38.
Disinfect: Disinfects viruses. Note that some viruses cannot be disinfected. If the virus cannot be disinfected, the access to the infected file is still blocked.
Rename: Renames the infected file and removes its execute permissions. The renamed infected file stays on the computer, but it cannot cause any damage. The renamed file has the .virus extension.
Delete: Deletes the infected file.
Deny access: Blocks the access to the infected file, but does not send any alerts or reports.
Suspected files
Select the primary and secondary actions to take when the heuristic scanning engine finds a suspected file. The secondary action takes place if the primary action cannot be performed.
By default, the primary action for suspected files is Report only and the secondary action Deny access. Choose one of the following actions:
Report and deny access: Displays and alerts about the suspected file and blocks access to it. No other action is taken. View Alerts to check security alerts. For more information, see “Alerts”, 38.
Rename: Renames the suspected file and removes its execute permissions. The renamed suspected file stays on the computer, but it cannot cause any damage. The renamed file has the .suspected extension.
Delete: Deletes the suspected file.
Deny access: Blocks the access to the suspected file, but does not send any alerts or reports.
What to scan
Directories excluded from the scan: Define directories which are excluded from the virus scan. Type each directory on a new line, only one directory per line. If scanning a certain directory takes a long time and you know that no user can create or copy an infected file in it, or you get false alarms during the scan, you can exclude the directory from the virus scan. The list can also contain files if you want to exclude specific files from the scan.
Scan only executables: Select whether only executables in scanned directories are scanned for viruses. Clear the check box to scan all files for viruses.
Whitelisted executables: Define executables which may access any files. The real-time virus scan does not block any file accesses from whitelisted executables.
Whitelisted executables must match baseline: Select whether whitelisted executables must be unmodified in the known files list. If this setting is enabled and the executable cannot be found in the integrity checking baseline, it is not whitelisted.
Scan when opening a file: Select whether files are scanned every time they are opened.
Scan when closing a file: Select whether files are scanned every time they are closed.
Scan when running an executable: Select whether files are scanned every time they are run.
If Scan on open and Scan on execute are disabled, nothing is scanned even if Scan only executables is enabled.
Archive scanning
Scan inside archives: Scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives. Scanning archives with the real-time scanning can degrade the overall system performance. When the archive scanning is enabled, some e-mail clients may stop processing further e-mails when an infected e-mail is opened.
Maximum number of nested archives: Set the number of levels in nested archives the product should scan. Nested archives are archives inside other archives.
Treat password protected archives as safe: Password protected archives cannot be scanned for viruses. Select whether password protected archives are treated as safe and the access to them is allowed, or if they are treated as unsafe and the user cannot access the archive. The user who opens the password protected archive should have up-to-date virus protection on the workstation if password protected archives are treated as safe.
Stop on first infection inside an archive: Select whether the whole archive should be scanned even after an infection is found inside the archive.

6.2.2 Scheduled Scanning

You can use the scheduled scanning to scan files for viruses regularly at predefined times.
To set the scanning schedule, follow these instructions:
1. Click Add a new task.
2. Set the date and time when the scheduled scan should start. For example:
a. To perform the task each Sunday at 4 am:
Minute: 0, Hour: 4, Day of the Month: *, Month: *, Day of the Week: sun
b. To perform the task every day at 5:30 am:
Minute: 30, Hour: 5, Day of the Month: *, Month: *, Day of the Week: *
3. Select directories that should be scanned at the scheduled time.
4. Click Save task to add the scheduled scanning task into the schedule.
The scheduled scanning tasks use the Manual Scanning settings. For more information, see “Manual Scanning”, 44.
A scheduled scan can take several hours, so it is a good idea to run it when the system is idle, for example during the night. Another alternative is to configure several scheduled scan tasks, and to scan only some directories at one time.

6.2.3 Manual Scanning

The manual scanning settings are used when you want to scan files or directories for viruses manually and during the scheduled scanning.
If you have received a suspicious file, for example an executable or an archive file via e-mail, it is always a good idea to scan it for viruses manually.
By default, the archive scanning is disabled during the real-time scan. The real-time scan scans the archive when it is extracted, but if you copy or forward the archive without extracting it first, you should manually scan the archive to make sure that it does not contain any viruses.
To start the manual scan, select I want to... > Scan the computer for malware in the basic mode. For more information, see “Common Tasks”, 36.
Action on infection
Select the primary and secondary actions to take when a virus is found. The secondary action takes place if the primary action cannot be performed.
By default, the primary action for infections is Disinfect and secondary action Rename. Choose one of the following actions:
Report and deny access: Displays and alerts about the found virus. No other action is taken against the virus. View Alerts to check security alerts. For more information, see “Alerts”, 38.
Disinfect: Disinfects viruses. Note that some viruses cannot be disinfected.
Rename: Renames the infected file and removes its execute permissions when a virus is found. The renamed infected file stays on the computer, but it cannot cause any damage. The renamed file has the .virus extension.
Delete: Deletes the infected file when a virus is found.
Custom: Performs the action you define. To define the custom action, enter the command in the Primary or Secondary custom action field.
Deny access: Blocks the access to the infected file, but does not send any alerts or reports.
Abort Scan: Stops the scan.
Suspected files
Select the primary and secondary actions to take when the heuristic scanning engine finds a suspected file. The secondary action takes place if the primary action cannot be performed.
By default, the primary action for suspected files is Report only and the secondary action Deny access. Choose one of the following actions:
Report and deny access: Displays and alerts about the suspected file and blocks access to it. No other action is taken. View Alerts to check security alerts. For more information, see “Alerts”, 38.
Rename: Renames the suspected file and removes its execute permissions. The renamed suspected file stays on the computer, but it cannot cause any damage. The renamed file has the .suspected extension.
Delete: Deletes the suspected file.
Deny access: Blocks the access to the suspected file, but does not send any alerts or reports.
What to scan
Scan files: Define files that are scanned during the manual scan.
All files - Scans all files in the system.
Only files with specified extensions - Scans only files with the extensions specified in the Included extensions field. The Included extensions field appears after you have selected Only files with specified extensions.
Enable exclusions: Files with the extensions specified in the Directories excluded from scanning field are not scanned. The Directories excluded from scanning field appears after you have enabled exclusions.
Directories excluded from scanning: Define directories which are excluded from the virus scan if the Enable exclusions setting is selected. Type each directory on a new line, only one directory per line.
Scan also executables: Scan any executable files in addition to all other specified files during the manual scan.
Archive scanning
Scan inside archives: Scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives.
Maximum number of nested archives: Set the number of levels in nested archives the product should scan. Nested archives are archives inside other archives.
Treat password protected archives as safe: Password protected archives cannot be scanned for viruses. Select whether password protected archives are treated as safe. The user who opens the password protected archive should have up-to-date virus protection on the workstation if password protected archives are treated as safe.
Stop on first infection inside an archive: Select whether the whole archive should be scanned even after an infection is found inside the archive.
Scanning a File Manually on a Workstation
When the product scans files, it must have at least read access to them. If you want the product to disinfect infected files, it must have write access to the files.
You can scan files manually from the KDE file manager. Right-click on any file you want to scan and select Scan to scan the file for viruses.
Command Line
For information on how to scan files from the shell, see “fsav”, 71.

6.3 Firewall Protection

The firewall protects the computers against unauthorized access from the Internet as well as against attacks originating from inside the local-area network. It provides protection against information theft as unauthorized access attempts can be prohibited and detected.
Security Profiles
The firewall contains predefined security profiles which have a set of pre-configured firewall rules. Different security profiles can be assigned to different users; for example based on the company security policy, user mobility, location and user experience.
Firewall Rules
You can configure the firewall by creating and editing firewall rules. Firewall rules are a set of firewall services - Internet traffic parameters that control which type of traffic is allowed and denied. One rule can contain multiple services.
Network Services
Network services are described by what protocol and port they use, for example web browsing uses TCP protocol and the port number 80.
Security Profiles
You can change the current security profile from the Summary page. For more information, see “Summary”, 35.
The following table lists the security profiles available in the product and the type of traffic each of them allows or denies.
Security profile: Description
Block All: Blocks all network traffic (excluding loopback).
Server: Allows only IP configuration via DHCP, DNS lookups and ssh protocol out and in. The server profile has to be customized before it can be taken into use.
Mobile: Allows normal web browsing and file retrievals (HTTP, HTTPS, FTP), as well as e-mail and Usenet news traffic. Encryption programs, such as VPN and SSH, are also allowed. Everything else is denied. Local rules can be added after the malware probes detection.
Home: Allows all outbound TCP traffic and FTP file retrievals. Everything else is denied. Local rules can be added to enable new network functionality.
Office: Allows all outbound TCP traffic and FTP file retrievals. Everything else is denied by default. With this profile, a firewall should exist between 0.0.0.0/0 and the host.
Strict: Allows outbound web browsing, e-mail and News traffic, encrypted communication, FTP file transfers and remote updates. Everything else is denied.
Normal: Allows all outbound traffic, and denies some specific inbound services.
Disabled: Allows all inbound and outbound network traffic.

6.3.1 General Settings

On the General Settings page, you can select network packet logging settings and configure trusted network interfaces.
Enable firewall: Select the Enable firewall check box to enable the firewall protection. Clear the check box to disable the firewall.
Log all unhandled network packets: Select to log all network packets that do not match any firewall rules. You can log unhandled network packets in problem solving situations. By default, leave the check box deselected.
Trusted network interfaces: Firewall rules are applied to the first network interface on the host and all other interfaces are blocked. If other interfaces are connected to trusted networks, add those interfaces to the list and separate each entry with a comma. All traffic to trusted network interfaces is allowed.

6.3.2 Firewall Rules

Each security profile has a set of pre-configured Firewall Rules.
Profile to edit - Select the firewall profile you want to edit. For more information, see “Security Profiles”, 50. The current security profile is displayed on the top of the Firewall Rules page. You can change the current security profile from the Summary page. For more information, see “Summary”, 35.
List of rules - The list of rules displays the currently used ruleset. Clear the Enabled checkbox to disable the rule temporarily. Use the up and down arrows to change the order of rules in the ruleset. The order of the rules is important. The rules are read from top to bottom, and the first rule that applies to a connection attempt is enforced.
For example: You have a rule that allows IRC (Internet Relay Chat) connections to a specific host above a rule that denies all IRC traffic. You are still allowed to make the connection to that one host. However, if the rule that denies all IRC traffic comes first, any other IRC rules below that rule are ignored and no IRC connections can be made.
Click X to delete the rule permanently. To edit a rule, select it from the list of rules. The selected rule is displayed in the Edit Rule pane. The Edit Rule pane appears below the list of rules.
If the profile contains more than 10 rules, use the <<, <, > and >> arrows to browse rules.
Changing the order of the rules may affect all the other rules you have created.
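The first-match behaviour described above, as an added Python illustration that is not part of the product or of fsfwc (the IRC service on TCP port 6667, the alias networks and the rule engine itself are constructed for the example):

```python
"""First-match firewall rule evaluation, modelled on the Firewall Rules page.

Constructed illustration, not the product's own engine. Rules are read from top
to bottom; the first enabled rule whose remote host, service and direction match
a connection attempt is enforced. A connection matching no rule is "unhandled"
(the traffic the "Log all unhandled network packets" setting would log).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    """A Network Service: protocol plus inclusive initiator/responder port ranges."""
    name: str
    protocol: str                              # "tcp", "udp", "icmp" or a protocol number
    initiator_ports: Tuple[int, int] = (0, 65535)
    responder_ports: Tuple[int, int] = (0, 65535)


@dataclass
class Rule:
    """One firewall rule: Type, Remote host, Services with Direction, Enabled."""
    rule_type: str                             # "allow" or "deny"
    remote_host: str                           # CIDR, e.g. "192.168.88.0/29", or an alias
    services: List[Tuple[Service, str]]        # (service, "in" | "out")
    description: str = ""
    enabled: bool = True                       # the Enabled checkbox on the rule list


@dataclass(frozen=True)
class Connection:
    """A connection attempt as the rule engine sees it."""
    protocol: str
    remote_ip: str
    initiator_port: int
    responder_port: int
    direction: str                             # "in": remote initiated, "out": this host initiated


# Aliases accepted in the Remote host field; the networks are constructed for the example.
ALIASES = {
    "[myNetwork]": ["192.168.88.0/24"],
    "[myDNS]": ["192.168.88.1/32", "192.168.88.2/32"],
}


def host_matches(remote_host: str, ip: str) -> bool:
    """True if ip falls inside the rule's remote host network (or alias networks)."""
    nets = ALIASES.get(remote_host, [remote_host])
    addr = ip_address(ip)
    return any(addr in ip_network(n, strict=False) for n in nets)


def service_matches(svc: Service, conn: Connection) -> bool:
    return (svc.protocol == conn.protocol
            and svc.initiator_ports[0] <= conn.initiator_port <= svc.initiator_ports[1]
            and svc.responder_ports[0] <= conn.responder_port <= svc.responder_ports[1])


def evaluate(rules: List[Rule], conn: Connection) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, matching rule); verdict is "allow", "deny" or "unhandled"."""
    for rule in rules:
        if not rule.enabled or not host_matches(rule.remote_host, conn.remote_ip):
            continue
        for svc, direction in rule.services:
            if direction == conn.direction and service_matches(svc, conn):
                return rule.rule_type, rule
    return "unhandled", None


# Constructed services and rules reproducing the guide's IRC example.
IRC = Service("IRC", "tcp", responder_ports=(6667, 6667))
ALLOW_ONE_HOST = Rule("allow", "192.168.88.5/32", [(IRC, "out")], "IRC to one host")
DENY_ALL_IRC = Rule("deny", "0.0.0.0/0", [(IRC, "out")], "Deny all IRC")


def irc_verdict(rules: List[Rule], remote_ip: str) -> str:
    """Verdict for an outbound IRC connection attempt from this host to remote_ip."""
    return evaluate(rules, Connection("tcp", remote_ip, 51000, 6667, "out"))[0]


if __name__ == "__main__":
    # Allow-one-host above deny-all: the one host is reachable, others are not.
    print(irc_verdict([ALLOW_ONE_HOST, DENY_ALL_IRC], "192.168.88.5"))  # allow
    print(irc_verdict([ALLOW_ONE_HOST, DENY_ALL_IRC], "10.0.0.7"))      # deny
    # Deny-all first: the allow rule below it is never reached.
    print(irc_verdict([DENY_ALL_IRC, ALLOW_ONE_HOST], "192.168.88.5"))  # deny
```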
Add And Edit Rules
You can add a new firewall rule, for example, to allow access to a new service in the network.
To add a new rule, click Add new rule below the list of rules.
When you edit the firewall rules, you should allow only the needed services and deny all the rest to minimize the security risk.
Type - Choose whether the rule allows or denies the service.
Remote host - Enter details about target addresses. Enter the IP address and the subnet in bit net mask format. For example: 192.168.88.0/29.
You can use the following aliases as the target address:
[myNetwork] - The local-area network.
[myDNS] - All configured DNS servers.
Description - Enter a short description for the rule.
Services connected to this rule
Service - Select services for which you want the rule to apply. You can add multiple services to each rule. Click Add Service to this rule after each service you want to add. Each rule must have at least one service.
If the rule contains a new service, make sure you have saved the service list in the Network Services page. For more information, see “Network Services”, 54.
Direction - For every service you selected, choose the direction in which the rule applies.
in = all incoming traffic that comes to your computer from the internet.
out = all outgoing traffic that originates from your computer.
Click Add to firewall rules to add the rule to the end of the list of rules. Click Save after you have added or edited a rule to activate all changes.
Click Cancel to discard all changes made after the previous save.

6.3.3 Network Services

The Network Services page displays the network services that currently exist in the system. When you want to enable or disable the use of a certain service, you have to make sure that the service exists in the Network Services table. After that you can create a firewall rule that allows or denies the use of that service.
To add a new service, click Add new service below the list of services. To edit a service, select it from the list of services.
Add And Edit Services
Service name - Enter a name for the service.
Protocol - Select the protocol (ICMP, TCP, UDP) or define the protocol number for the service you want to specify.
Initiator ports - Enter initiator ports.
Responder ports - Enter responder ports.
Description - Enter a short description of the service.
Click Save after you have added or edited a service to activate all changes. Click Cancel to discard all changes made after the previous save.
Creating Firewall Services and Rules
To enable the use of a new service, do the following:
1. Select the Network Services in the Advanced mode menu.
2. Define a unique name for the service in the Service Name field. You can also enter a descriptive comment in the Description field to distinguish this service from other services.
3. Select a protocol number for the service from the Protocol drop-down list. If your service does not use ICMP, TCP or UDP protocol, select Numeric and type the protocol number in the field reserved for it.
4. If your service uses the TCP or UDP protocol, you need to define the Initiator Ports the service covers.
5. If your service uses the TCP or UDP protocol, you need to define the Responder Ports the service covers.
6. Click Add as a new service to add the service to the Network services list.
7. Click Save to save the new service list.
8. The next step is to create a Firewall Rule that allows use of the service you just defined. Select Firewall Rules in the Advanced mode menu.
9. Select the profile where you want to add a new rule and click Add new rule to create a new rule.
10. Select Accept or Deny as a rule Type. Enter a descriptive comment in the Description field to distinguish this rule.
11. Define Remote Host to which the rule applies. Enter the IP address of the host in the field.
12. Select the new service you have created in the Service field and the direction when the rule is applied.
13. Click Add Service to This Rule. If you do not want to add other services to the same rule, click Add to Firewall Rules to add the rule to the active set of rules on the Firewall Rules table.
14. Click Save to save the new rule list.

6.4 Integrity Checking

Integrity Checking protects important system files against unauthorized modifications. Integrity Checking can block any modification attempts of protected files, regardless of file system permissions.
Integrity Checking compares files on the disk to the baseline, which is a cryptographically signed list of file properties.
Integrity Checking can be configured to send alerts to the administrator about modification attempts of the monitored files. For more information, see “Communications”, 64.
Known Files
The Known Files lists files that the product monitors and protects.
Verify Baseline
Verify the system integrity manually.
Generate Baseline
Generate a new baseline for all known files.
Rootkit Prevention
Adjust rootkit prevention settings.

6.4.1 Known Files

The Known Files lists files that the product monitors and protects. The baseline is created from the Known Files list by reading the properties of the files in the list and cryptographically signing the result. Integrity Checking compares this result to real-time file accesses.
Use the search filters to select files you want to view in the list.
Using The Search
Status - Select files you want to view in the known files list.
Modified and new - Displays all files that have been modified or added to the baseline.
Modified - Displays all files that have been modified.
New - Displays all files that have been added to the baseline.
Unmodified - Displays all baselined files that have not been modified.
All - Displays all files in the known files list.
Filename - Enter any part of the filename of the monitored file you want to view in the known files list.
Integrity Checking does not protect new or modified files before you regenerate the baseline. If you add files to the Known Files list or files have been modified, regenerate the baseline to protect those files.
Click Search to view the search results.
Filename - Displays the name of the file.
Detection time - Displays the time when a modification was detected.
Detected modifier - Displays the filename of the process that modified the file.
Action - Displays whether the product allows or denies modifications to the file.
Alert - Displays whether the product sends an alert when the file is modified.
Protection - Displays whether the file is monitored or protected. Protected files cannot be modified, while monitored files are only monitored and can be modified.
To regenerate the baseline, select the new and modified files you want to baseline and click Regenerate baseline for highlighted files. For more information, see “Generate Baseline”, 61.
If you want to remove files from the baseline, click files to select them and click Remove highlighted files to stop monitoring the selected files.
Adding Files To The Known Files List
To add a file to the known files list, enter the filename and select the protection method you want to use.
Filename - Enter the filename of the file you want to monitor. If you want to add more than one file, separate each filename with a space.
Protection - Select the protection method:
Monitor - Monitors the file but does not prevent any modifications to it.
Protect - Does not allow any modifications to the file. The protected file can be opened but it cannot be changed.
Action - The product can prevent the access to modified files.
Allow - The access to the modified file is allowed when it is executed or opened.
Deny - The access to the modified file is denied. Modified files cannot be opened or executed.
Click Add to known files to add the entry to the Known Files List. Integrity Checking does not protect new or modified files before you regenerate the baseline. Regenerate the baseline to protect files you have added. For more information, see “Generate Baseline”, 61.
You can add a single file or multiple files to the baseline at the same time.
Software Installation Mode
Integrity Checking prevents unauthorized and unwanted modifications of system files and programs. When you update your operating system, apply a security update or install new versions of software, you need to modify files that Integrity Checking monitors.
Use the Software Installation Mode when you want to modify system files and programs. To access the Software Installation Mode, open the user interface, select I want to... and click Install software.
The Software Installation Mode wizard guides you through the software installation and updates the baseline with new software that you install on your system.
When the Software Installation Mode is enabled, any process can load any kernel modules regardless of whether they are in the baseline or not, and any process can change any files in the baseline, whether those files are protected or not. The real-time scanning is still enabled and it alerts of any malware found during the installation.
IMPORTANT: If you install software without the Software Installation Mode when Integrity Checking monitors updated files, you may be unable to install or use the new software. For example, Integrity Checking may prevent a kernel update from booting properly as new drivers are not in the baseline.
Command Line
For information on how to use the Software Installation Mode from the shell, see “fsims”, 74.

6.4.2 Verify Baseline

Enter your passphrase to verify the baseline. For more information about the passphrase, see “Passphrase”, 62.
Do not start any other integrity checking processes while the product verifies the baseline.
You can verify the baseline manually to make sure that your system is safe and all baselined files are unmodified. If an attacker has managed to gain root access to the system and regenerated the baseline, the regenerated baseline does not match your passphrase when you verify the baseline.

6.4.3 Generate Baseline

Integrity Checking is set up by creating a baseline of the system files that you want to protect.
A default set of system files is added to the Known Files list during the installation. By default, Kernel Module Verification is enabled during the installation and the baseline is generated from the Known Files list. If you do not enable the Kernel Module Verification during the installation, you have to generate the baseline manually before Integrity Checking is enabled.
All files that are added to the baseline during the installation are set to Allow and Alert protection mode.
Passphrase
The generated baseline has to be signed to prevent anyone from modifying the protected files.
The product verifies the baseline and the system integrity cryptographically. A cryptographic algorithm is applied to the baseline contents and the passphrase to generate a signature (an HMAC signature) of the baselined information.
IMPORTANT: You must take great care not to forget the passphrase used, as it cannot be recovered and the baseline cannot be verified against tampering without using the same passphrase.
You should not share the passphrase with other administrators without fully understanding the consequences. Other administrators could tamper with the baseline and regenerate it using the same passphrase, and the subsequent check would appear to be all right.
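The passphrase check described here and in “Verify Baseline” above, as an added Python illustration that is not the product's own code (constructed: the baseline layout, the SHA-256 key derivation and HMAC-SHA256 are assumptions, not fsic's actual format):

```python
"""Signed baseline generation and verification, illustrating the Integrity
Checking passphrase. Constructed example: the baseline layout, the key
derivation and the HMAC algorithm are assumptions, not fsic's format.

The baseline is a list of file properties. Its signature is an HMAC over the
serialized list keyed with the passphrase, so a baseline regenerated by someone
who does not know the passphrase is internally consistent yet fails verification
against the administrator's passphrase.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, List, Tuple


def file_properties(path: str) -> Dict:
    """Properties recorded for one known file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"path": path, "size": st.st_size, "mode": st.st_mode & 0o7777, "sha256": digest}


def _sign(entries: List[Dict], passphrase: str) -> str:
    """HMAC-SHA256 over the canonical baseline, keyed from the passphrase (assumed scheme)."""
    key = hashlib.sha256(passphrase.encode("utf-8")).digest()
    data = json.dumps(sorted(entries, key=lambda e: e["path"]), sort_keys=True).encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def generate_baseline(paths: List[str], passphrase: str) -> Dict:
    """Generate Baseline: read the properties of every known file and sign the result."""
    entries = [file_properties(p) for p in paths]
    return {"entries": entries, "signature": _sign(entries, passphrase)}


def verify_baseline(baseline: Dict, passphrase: str) -> Tuple[bool, List[str]]:
    """Verify Baseline: (signature matches passphrase, paths whose properties changed)."""
    signature_ok = hmac.compare_digest(_sign(baseline["entries"], passphrase), baseline["signature"])
    modified = [e["path"] for e in baseline["entries"]
                if not os.path.exists(e["path"]) or file_properties(e["path"]) != e]
    return signature_ok, modified


def demo() -> Tuple[Tuple[bool, List[str]], ...]:
    """Run the guide's scenarios against a constructed file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "known_file.conf")
        with open(target, "w") as fh:
            fh.write("setting = original\n")
        admin_passphrase = "constructed passphrase"
        baseline = generate_baseline([target], admin_passphrase)

        intact = verify_baseline(baseline, admin_passphrase)          # (True, [])
        wrong_passphrase = verify_baseline(baseline, "other")          # (False, [])

        with open(target, "a") as fh:                                   # modified after baselining
            fh.write("setting = changed\n")
        file_modified = verify_baseline(baseline, admin_passphrase)    # (True, [target])

        # Baseline regenerated without the administrator's passphrase: the changed
        # file now looks intact, but the signature does not verify.
        regenerated = generate_baseline([target], "some other passphrase")
        regenerated_check = verify_baseline(regenerated, admin_passphrase)  # (False, [])
    return intact, wrong_passphrase, file_modified, regenerated_check


if __name__ == "__main__":
    for label, result in zip(("intact", "wrong passphrase", "file modified", "regenerated"), demo()):
        print(f"{label}: signature ok={result[0]}, modified={result[1]}")
```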
Command Line
For information on how to create and check the system integrity from the shell, see “fsic”, 73.

6.4.4 Rootkit Prevention

When the Integrity Checking is enabled, the product can prevent rootkits. Hackers can use rootkits to gain access to the system and obtain administrator-level access to the computer and the network.
Kernel module verification - Protects the system against rootkits by preventing unknown kernel modules from loading. When the kernel module verification is on, only those kernel modules that are listed in the known files list and which have not been modified can be loaded. If the kernel module verification is set to Report only, the product sends an alert when an unknown or modified kernel module is loaded but does not prevent it from loading.
Write protect kernel memory - Protects the /dev/kmem file against write attempts. A running kernel cannot be directly modified through the device. If the write protection is set to Report only, the product sends an alert when it detects a write attempt to the /dev/kmem file, but it does not prevent the write operation.
Allowed kernel module loaders - Specify programs that are allowed to load kernel modules when the kernel module verification is enabled. By default, the list contains the most common module loaders. If the Linux system you use uses some other module loaders, add them to the list. Type each entry on a new line, only one entry per line.

6.5 General Settings

Communications
Configure alerting.
Automatic Updates
Configure automatic virus definition database updates.
About
View the product and version information.

6.5.1 Communications

Change Communications settings to configure where alerts are sent.
Management Server
Server Address - Define the URL of the F-Secure Policy Manager Server address. This setting is only available in the centrally managed installation mode.
Alert Forwarding
Alert Level - Specify where an alert is sent according to its severity level. You can send an alert to any of the following:
E-mail to - Enter the e-mail address where the alert is sent as an e-mail.
Local - Alert is displayed in the Web User Interface.
Syslog - Alert is written to the system log. The syslog facility is LOG_DAEMON and alert priority varies.
FSPMC - Alert is sent to F-Secure Policy Manager Console.
E-mail Settings
The e-mail settings are used for all alert messages that have been configured to send e-mail alerts.
Server - Enter the address of the SMTP server in the Server Address field. You can use either the DNS name or the IP address of the SMTP server.
If the mail server is not running or the network is down, it is possible that some e-mail alerts are lost. To prevent this, configure a local mail server on port 25 and use it for relaying e-mail alerts.
From - Enter the full e-mail address (sender@example.com) you want to use as the sender of the alert in the e-mail message.
Subject - Enter the e-mail alert message subject. Use %DESCRIPTION% as the subject to display a short description of the alert in the subject line.
Alert Message Variables
The following table lists all variables that are available for the e-mail alert message subject.
Variable - Description
%SEVERITY% - The severity of the alert: informational, warning, error, fatal error or security alert.
%HOST_DNS% - The DNS address of the host that sent the alert.
%HOST_IP% - The IP address of the host that sent the alert.
%USER% - The active user login name.
%PRODUCT_NAME% - The name of the product that generated the alert.
%PRODUCT_OID% - The OID of the product that generated the alert.
%DESCRIPTION% - The alert description.
%DATE% - The date when the alert was sent, in the format YYYY-MM-DD.
%TIME% - The time when the alert was sent, in the format HH:MM:SS+GMT.
%ALERT_NUMBER% - The alert number during the session.

6.5.2 Automatic Updates

It is of the utmost importance that the virus definition databases are up-to-date. The product updates them automatically.
Information about the latest virus definition database update can be found at: http://www.F-Secure.com/download-purchase/updates.shtml
Updates enabled - Enable and disable the automatic virus definition updates. By default they are enabled.
Policy Manager Proxies
Displays a list of virus definition database update sources and F-Secure Policy Manager proxies.
If no update servers are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
PM Proxy address - Displays the URL of the update source.
Priority - Displays the priority level of the update source. The priority numbers are used to define the order in which the host tries to connect to servers. Virus definition updates are downloaded from the primary sources first; secondary update sources can be used as a backup.
The product connects to the source with the smallest priority number first (1). If the connection to that source fails, it tries to connect to the source with the next smallest number (2), and so on until the connection succeeds.
To add a new address to the list, enter the URL in the Address field and define the priority level of the new address. Click Add PM Proxy to add the new entry to the list.
HTTP Proxy
Use HTTP Proxy - Use an HTTP proxy server to download database updates.
HTTP Proxy Address - Enter the HTTP proxy server address.
Periodic updates
Automatic updates interval - Define (in minutes) how often the product checks the virus definition database update sources for new updates.
Intermediate server failover time - Define (in minutes) the failover time to connect to specified update servers. If the product cannot connect to update servers during the specified time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
Allow fetching updates from F-Secure Update Server - Enable the product to download virus definition updates from F-Secure Update Server when it cannot connect to specified update servers.
Launch scan after updates - Select whether a virus scan should be launched automatically after the virus definitions have been updated. The virus scan scans all local files and directories and it can take a long time. The scan uses the manual scanning settings. By default, the scan is not launched automatically.
Reminders
Send reminders - If the virus definition databases have not been updated in a while, the product can be set to send a reminder. To enable reminders, check the Send reminders check box and set the database age in days when reminders are sent.
Database age in days before reminders are sent - Specify the age of the virus definition databases when they are considered old (3-30 days, the default value is 7 days). An alert is sent as a reminder when the database is older than the specified age.
Using F-Secure Anti-Virus Proxies
F-Secure Anti-Virus Proxy offers a solution to bandwidth problems in distributed installations of F-Secure Anti-Virus Linux Server Security by significantly reducing load on networks with slow connections. When you use F-Secure Anti-Virus Proxy as an updates source, F-Secure products can be configured to retrieve virus definition database updates from a local update repository rather than from the central F-Secure Policy Manager Server.
For information about how to install and configure F-Secure Anti-Virus Proxy, see the chapter F-Secure Anti-Virus Proxy in the F-Secure Policy Manager Administrator’s Guide.

6.5.3 About

The About page displays the license terms, the product version number and the database version.
If you are using the evaluation version of the product, you can enter the keycode in the About page to upgrade the product to the fully licensed version.
7 Command Line Tools

Overview..................................................................................... 71
Virus Protection.......................................................................... 71
Firewall Protection...................................................................... 72
Integrity Checking....................................................................... 73
General Command Line Tools.................................................... 74

7.1 Overview

For more information on command line options, see “Man Pages”, 96.

7.2 Virus Protection

You can use the fsav command line tool to scan files and the dbupdate command line tool to update virus definition databases from the shell.

7.2.1 fsav

Follow these instructions to scan files from the shell:
To scan all default file types on all local disks, type:
fsav /
To scan all files in a directory and its subdirectories, enter the directory name. For example:
fsav mydirectory
To scan a single file, enter the file name (without wildcards). For example:
fsav myfile.exe
Note that the recursive scan detects mounted network file system subdirectories and does not scan network file systems. Scanning a network file system from the client workstation would create unnecessary load on the network and it is much slower than scanning the local file system.
If you want to scan the network file system, run fsav / on the server. If you cannot run fsav on the server, you can scan the network file system from the client workstation by explicitly specifying mounted network file system directories on the fsav command line.
For example, if an NFS file system is mounted in /mnt/server1, scan it with the following command:
fsav /mnt/server1
For more information on command line options, see the fsav man pages or type fsav --help.

7.2.2 dbupdate

Before you can update virus definition databases manually, you have to disable the periodic database update. To disable periodic database updates, edit the crontab of root:
1. Run the following command:
crontab -e
2. Add # to the beginning of the following line to comment it out:
*/1 * * * * /opt/f-secure/fsav/bin/fsavpmd --dbupdate-only >/dev/null 2>&1
Follow these instructions to update virus definition databases manually from the command line:
1. Download the fsdbupdate.run file from:
http://download.f-secure.com/latest/fsdbupdate.run
fsdbupdate.run is a self-extracting file that stops the automatic update agent daemon, updates the databases and restarts the automatic update agent.
2. Run fsdbupdate.run as root user.
3. Run dbupdate as root user.

7.3 Firewall Protection

You can use the fsfwc command line tool to view and change the current security profile.

7.3.1 fsfwc

Use the following command to change the current security profile:
/opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass}
For more information about security profiles, see “Security Profiles”, 50.

7.4 Integrity Checking

You can use the fsic command line tool to check the system integrity and fsims to use the Software Installation Mode from the shell.

7.4.1 fsic

You can create the baseline, add files to the baseline and verify the baseline with the fsic command line tool.
Creating the Baseline
Follow these instructions to create the baseline from the command line:
1. Run the fsic tool with the --baseline option:
fsic --baseline
2. Select the files to add to the baseline. If you want to add all files in the directory in the Known Files List to the baseline, type A at the prompt.
3. Enter a passphrase to create the signature.
Adding Files to the Baseline
Follow these instructions to add files to the baseline from the command line. In this example, the product is also configured to send an alert about unauthorized modification attempts of the protected files.
1. Run the fsic tool with the --add, --alert and --protect options:
/opt/f-secure/fsav/bin/fsic --add --alert=yes --protect=yes /etc/passwd /etc/shadow
2. Recalculate the baseline. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline:
/opt/f-secure/fsav/bin/fsic --baseline
3. Enter a passphrase to create the signature.
Verifying the Baseline
Follow these instructions to verify the baseline from the command line:
1. Run the command:
/opt/f-secure/fsav/bin/fsic
2. Enter the passphrase that you used when you created the baseline.
3. The product validates the files and displays whether they are intact.

7.4.2 fsims

Use the following command to enable Software Installation Mode:
/opt/f-secure/fsav/bin/fsims on
After you have installed the new software, disable the Software Installation Mode to restore the normal protection level:
/opt/f-secure/fsav/bin/fsims off
For more information about the Software Installation Mode, see “Software Installation Mode”, 60.

7.5 General Command Line Tools

You can use the fssetlanguage command line tool to set the language used in the web user interface.

7.5.1 fssetlanguage

Use the following command to set the language:
/opt/f-secure/fsav/bin/fssetlanguage <language>
Where language is:
en - English
ja - Japanese
de - German

7.5.2 fsma

Use the following command to check the status of the product modules:
/etc/init.d/fsma status
The following table lists all product modules:
Module - Process - Description
F-Secure Alert Database Handler Daemon - /opt/f-secure/fsav/sbin/fsadhd - Stores alerts to a local database. Alerts can be viewed with the web user interface.
F-Secure FSAV Policy Manager Daemon - /opt/f-secure/fsav/bin/fsavpmd - Handles all F-Secure Policy Manager Console operations (for example, Scan all hard disks now, Update database now, Reset statistics).
F-Secure Firewall Daemon - /opt/f-secure/fsav/bin/fsfwd.run - The interface between F-Secure Management Agent and the iptables/netfilter firewall.
F-Secure FSAV License Alerter - /opt/f-secure/fsav/libexec/fslmalerter - Checks and informs how many days are left in the evaluation period when the product is installed in the evaluation mode.
F-Secure FSAV On-Access Scanner Daemon - /opt/f-secure/fsav/sbin/fsoasd - Provides all real-time protection features: real-time virus scanning, real-time integrity checking and rootkit protection.
F-Secure FSAV Status Daemon - /opt/f-secure/fsav/bin/fstatusd - Checks the current status of every component and keeps desktop panel applications and the web user interface up-to-date.
F-Secure FSAV Web UI - /opt/f-secure/fsav/tomcat/bin/catalina.sh start - Handles the web user interface.
F-Secure FSAV PostgreSQL daemon - /opt/f-secure/common/postgresql/bin/startup.sh - Stores alerts that can be viewed with the web user interface.

7.5.3 fsav-config

If you install the product using RPM packages, you have to use the fsav-config command line tool to create the initial product configuration:
/opt/f-secure/fsav/fsav-config
A Installation Prerequisites
All 64-bit Distributions................................................................. 78
Red Hat Enterprise Linux 4 ........................................................ 78
Debian 3.1 and Ubuntu 5.04, 5.10, 6.06..................................... 79
SuSE.......................................................................................... 80
Turbolinux 10.............................................................................. 80

A.1 All 64-bit Distributions

Some 64-bit distributions do not install 32-bit compatibility libraries by default. Make sure that these libraries are installed. The name of the compatibility library package may vary; see the documentation of the distribution you use for the package name of the 32-bit compatibility libraries.
On 64-bit Ubuntu, install ia32-libs.

A.2 Red Hat Enterprise Linux 4

Follow these instructions to install the product on a server running Red Hat Enterprise Linux 4 AS:
1. Install the following RPM packages from the RHEL4 CDs. Use the command rpm -ivh <rpm files>, use Applications > System Settings > Add/Remove Applications, or use up2date.
Make sure you have all the following RPM packages installed:
gcc glibc-devel glibc-headers glibc-kernheaders
Make sure you have at least one of the following RPM packages installed:
kernel-devel kernel-hugemem-devel kernel-smp-devel
Use the uname -r command to see the current kernel version information.
The system tray applet requires the following RPM packages:
kdelibs compat-libstdc++
2. Install the product normally.

A.3 Debian 3.1 and Ubuntu 5.04, 5.10, 6.06

To install the product on a server running either Debian 3.1 or Ubuntu 5.04, 5.10 or 6.06:
1. Install a compiler, kernel headers and RPM before you install the product.
Debian:
sudo apt-get install gcc rpm make libc6-dev
sudo apt-get install kernel-headers-`uname -r | cut -d- -f 1-`
Ubuntu:
sudo apt-get install gcc rpm make libc6-dev
sudo apt-get install linux-headers-`uname -r`
2. If you are using Ubuntu 5.10, make sure that the gcc-3.4 package is installed.
3. If you want to use the system tray applet, run the following commands:
Debian:
sudo apt-get install kde-core
Ubuntu:
sudo apt-get install kdelibs libstdc++5
4. If you want to enable logins to the Web User Interface, comment out (add a hash sign (#) at the beginning of the line) the following line in /etc/pam.d/login:
auth requisite pam_securetty.so
5. Install the product normally.

A.4 SuSE

To install the product on a server running SuSE version 9.1, 9.2, 9.3 or 10.0:
1. Before you install the product, make sure that the kernel-source, make and gcc packages are installed. Use YaST or another setup tool.
2. Install the product normally.

A.5 Turbolinux 10

Turbolinux kernel sources may not be configured and so they cannot be used to compile kernel drivers. To fix this, run the following command in the kernel source tree:
make oldconfig
B Installing Required Kernel Modules Manually
Introduction................................................................................. 82
Before Installing Required Kernel Modules................................ 82
Installation Instructions............................................................... 82

B.1 Introduction

This section describes how to install required kernel modules manually. You may need to do this in the following cases:
You forgot to use Software Installation Mode and the system is not working properly.
In large installations some hosts may not include development tools or kernel source.

B.2 Before Installing Required Kernel Modules

Before installing the required kernel modules, you must do the following:
- Make sure that the running kernel version is the same as the version of the kernel sources installed. The kernel configuration must also be the same.
- On some distributions, such as older SuSE distributions, you may need to go to /usr/src/linux and run the commands make cloneconfig and make modules_prepare before the kernel sources match the installed kernel.

B.3 Installation Instructions

Follow the instructions below to install required kernel modules:
1. Run the following command as the root user:
/opt/f-secure/fsav/bin/fsav-compile-drivers
2. If the summary page in the user interface does not show any errors,
the product is working correctly.
fsav-compile-drivers is a shell script that configures and compiles the Dazuko driver automatically for your system and for the product. For more information on the Dazuko driver, visit www.dazuko.org
You can download the Dazuko driver from www.dazuko.org and use it with the product, but this is not recommended. The product has been extensively tested only with the Dazuko version that ships with the product, which is installed as /opt/f-secure/fsav/dazuko.tar.gz.
If your Linux distribution has a preinstalled Dazuko, it cannot be used, as the product depends on the patches and configuration options included in its own Dazuko version, which are likely different in the preinstalled Dazuko. Uninstall the preinstalled Dazuko or make sure that it is not run during system startup, and follow the installation instructions above to install Dazuko with all the required patches and configuration options.
C List of Used System Resources

Overview..................................................................................... 85
Installed Files.............................................................................. 85
Network Resources.................................................................... 85
Memory....................................................................................... 86
CPU............................................................................................ 86

C.1 Overview

This appendix summarizes the system resources used by the product.

C.2 Installed Files

All files installed by the product are in the following directories:
/opt/f-secure
/etc/opt/f-secure
/var/opt/f-secure
In addition, the installation creates the following symlinks:
/usr/bin/fsav -> /opt/f-secure/fssp/bin/fsav
/usr/bin/fsic -> /opt/f-secure/fsav/bin/fsic
/usr/bin/fsui -> /opt/f-secure/fsav/bin/fsui
/usr/share/man/man1/fsav.1 -> /opt/f-secure/fssp/man/fsav.1
/usr/share/man/man8/fsavd.8 -> /opt/f-secure/fssp/man/fsavd.8

C.3 Network Resources

When running, the product reserves the following IP ports:
Interface  Protocol  Port   Comment
lo         tcp       28005  Web User Interface internal communication port
lo         tcp       28078  PostgreSQL alert database
lo         tcp       28080  Local Web User Interface access
any        tcp       28082  Remote SSL Web User Interface access (if enabled)
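The table above is also a statement of what a hardened host should look like: the three internal ports must never be reachable from the network, and only 28082 may be bound to a non-loopback address, and only when remote access is enabled. The following script is an added example (not part of the guide or the product) that checks "ss -ltn" or "netstat -ltn" style output against that expectation. It reads the listing from stdin so that the constructed samples below can be checked offline; on a live host pipe the real listing in.

```shell
#!/bin/sh
# Added example, not from the guide: verify that the product's internal ports
# (28005, 28078, 28080 in the table above) listen on loopback only. Only 28082
# is expected on a non-loopback address, and only if remote access is enabled.
# check_listeners reads "ss -ltn" / "netstat -ltn" style lines from stdin; on a
# live host use:  ss -ltn | check_listeners   (or: netstat -ltn | check_listeners)

check_listeners() {
    awk '
        NF < 4 || /^(State|Active|Proto)/ { next }   # skip headers and blank lines
        {
            # Field 4 is the local address:port in both ss and netstat output;
            # the port is everything after the last colon, which also copes
            # with IPv6 forms such as [::1]:28080.
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            internal = (port == "28005" || port == "28078" || port == "28080")
            loopback = (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]")
            if (internal && !loopback) {
                printf "internal port %s exposed on %s\n", port, addr
                bad = 1
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample (not a real capture): 28080 wrongly bound to all IPv4 addresses.
sample_bad() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:28005     *:*
LISTEN 0      128    127.0.0.1:28078     *:*
LISTEN 0      128    0.0.0.0:28080       *:*
LISTEN 0      128    *:28082             *:*
EOF
}

# Constructed sample matching the table: internal ports on lo, 28082 on any.
sample_ok() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:28005     *:*
LISTEN 0      128    127.0.0.1:28078     *:*
LISTEN 0      128    [::1]:28080         *:*
LISTEN 0      128    *:28082             *:*
EOF
}
```

check_listeners exits non-zero when an internal port is exposed, so it can run unattended after installation or from a periodic job; add 28082 to the internal set on hosts where remote Web User Interface access is supposed to be disabled.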

C.4 Memory

The Web User Interface reserves over 200 MB of memory, but since the WebUI is not used all the time, that memory is usually swapped out. The other product components add up to about 50 MB of memory, most of it used by the on-access scanner.
The memory consumption depends on the number of file accesses on the system. If several users are logged in to the system and all of them access lots of files, the memory consumption grows.

C.5 CPU

The load on the processor depends on the number of file accesses on the system, as the on-access scanner scans every file that is opened and closed.
The CPU usage grows when many users are logged in to the system at the same time.
Some software products are designed to access many files, and on-access scanning can slow down these products noticeably.
D Troubleshooting

User Interface............................................................................. 88
F-Secure Policy Manager........................................................... 89
Integrity Checking....................................................................... 89
Firewall....................................................................................... 91
Virus Protection.......................................................................... 93
Generic Issues............................................................................ 93


D.1 User Interface

Q. I cannot log in to the Web User Interface. What can I do?
A. On some distributions, you have to comment out (add a hash sign (#) at the beginning of the line) the following line in /etc/pam.d/login, so that it reads:
# auth requisite pam_securetty.so
Q. The F-icon in the system tray has a red cross over it, what does
it mean?
A. When the F-icon has a red cross over it, the product has encountered an error. Open the Web User Interface to see a detailed report about the issue.
To fix the problem, try to restart the product. Run the following command:
/etc/init.d/fsma restart
Q. How can I get the F-icon visible in the system tray?
A. You may need to log out and log in again to get the F-icon in your system tray. If you are using the Gnome Desktop, make sure you have a notification area in your Gnome Panel.
Q. How do I enable the debug log for the web user interface?
A. In /opt/f-secure/fsav/tomcat/bin/catalina.sh, change:
#CATALINA_OUT="$LOGS_BASE"/catalina.out
CATALINA_OUT=/dev/null
to:
CATALINA_OUT="$LOGS_BASE"/catalina.out
#CATALINA_OUT=/dev/null
The log file is in /var/opt/f-secure/fsav/tomcat/catalina.out.

D.2 F-Secure Policy Manager

Q. How can I use F-Secure Linux Server Security with F-Secure Policy Manager 6.0x for Linux?
A. F-Secure Policy Manager Server has to be configured to retrieve new riskware and spyware databases for the product. Note that these instructions apply to F-Secure Policy Manager Server 6.0x for Linux only; the product is not compatible with other Linux or Windows F-Secure Policy Manager Server versions.
Add a line to the /etc/opt/f-secure/fspms/fspms-fsauasc.conf file by running this command:
echo "avpe=republish" >> /etc/opt/f-secure/fspms/fspms-fsauasc.conf

D.3 Integrity Checking

Q. Symlinks are not working for Integrity Checking or Rootkit
Protection, what can I do?
A. Loading a kernel module may be denied if the file containing the kernel module is a symlink and the real file the symlink points to is not in the Integrity Checking baseline. The same applies if the modprobe or insmod utilities (the module loaders) use files or libraries that are symlinks and the file the symlink points to is not in the baseline.
For example, modprobe uses /lib/libz.so.1, which is really a symlink to the real file /lib/libz.so.1.2.2. If the symlink is in the baseline but the real file is not, modprobe is not allowed to run, because it tried to open a file that is not in the baseline.
Never add only symlinks to the baseline: always add both the symlink and the real file the symlink points to.
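A baseline built from a plain file list repeats the mistake described above whenever the list contains a symlink but not its target. The following function is an added example (not part of the product's tooling) that expands each path read from stdin into the path plus every target along its symlink chain, so that both the link and the real file end up in what is fed to fsic --add. It assumes a coreutils-style readlink(1); the depth cap of 40 hops is a choice made for this example to survive link loops.

```shell
#!/bin/sh
# Added example, not the product's own tooling: expand each path read from
# stdin into the path plus every target along its symlink chain, so the
# Integrity Checking baseline receives both the link and the real file.
# Relative link targets are resolved against the link's own directory.
# Assumes coreutils-style readlink(1) is available.

expand_symlink_chain() {
    while IFS= read -r p; do
        printf '%s\n' "$p"
        cur="$p"
        hops=0
        # Follow the chain one hop at a time; cap the depth to survive link loops.
        while [ -L "$cur" ] && [ "$hops" -lt 40 ]; do
            tgt=$(readlink "$cur") || break
            case "$tgt" in
                /*) cur="$tgt" ;;
                *)  cur="$(dirname "$cur")/$tgt" ;;
            esac
            printf '%s\n' "$cur"
            hops=$((hops + 1))
        done
    done | awk '!seen[$0]++'   # emit each path once, preserving order
}

# Usage with the product's own tools (as root):
#   /opt/f-secure/fsav/bin/fslistfiles | expand_symlink_chain | fsic --add
#   fsic --baseline
```

Intermediate links in a chain (for example libz.so.1 -> libz.so.1.2 -> libz.so.1.2.2) are emitted as well, since each one is a file the loader opens on its way to the real library.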
Q. I forgot to use Software Installation Mode and my system is not
working properly. What can I do?
A. Create a new baseline. Execute the following commands:
/opt/f-secure/fsav/bin/fslistfiles | fsic --add
fsic --baseline
Q. Can I update the Linux kernel when I use Integrity Checking?
A. Use the Software Installation Mode. After you have updated the
kernel, disable the Software Installation Mode to restore the normal protection level. For more information, see “Software Installation
Mode”, 60.
Q. There are too many modified files to update with the user
interface.
A. Create a new baseline. Execute the following commands:
/opt/f-secure/fsav/bin/fslistfiles | fsic --add
fsic --baseline
Q. The Integrity Checking page in the user interface does not
display all entries. How can I fix this?
A. If you have many (over 10000) files in the baseline, you may have to adjust the memory settings of the Java Virtual Machine to view all entries in the baseline.
a. Edit the /opt/f-secure/fsav/tomcat/bin/catalina.sh file. Replace
JAVA_OPTS=-Djava.library.path=/opt/f-secure/fsav/tomcat/shaj
with
JAVA_OPTS="-Djava.library.path=/opt/f-secure/fsav/tomcat/shaj -Xmx256M"
b. Restart the product to take the new setting into use:
/etc/init.d/fsma restart

Q. Do I have to use the same passphrase every time I generate the baseline?
A. No. You have to verify the baseline using the same passphrase that was used when the baseline was generated, but you do not have to use the same passphrase again when you generate the baseline again.

D.4 Firewall

Q. After installing the product, users cannot access Samba shares on my computer. How can I fix this?
A. The Office firewall profile contains a rule that allows Windows Networking, but that rule is disabled by default. Enable the rule to allow access to Samba shares.
Q. After installing the product, I cannot browse local area network domains and workgroups (SMB). How can I fix this?
A. You need to add a rule to the firewall that allows browsing Windows shares on your local area network. Follow these instructions:
a. Go to the Firewall > Network Services page in the Web User Interface advanced mode.
b. Click Add new service.
c. Create the following service:
Service Name: Windows Networking Local Browsing
Protocol: UDP
Initiator ports: 137-138
Responder: >1023
Description: SMB LAN browsing
d. Click Add as a new service and Save.
e. Go to the firewall menu and click Firewall Rules.
f. Click Add new rule.
g. Create the following rule:
Type: ACCEPT
Remote Host: [myNetwork]
Description: Windows Networking Local Browsing
Service (select box): Windows Networking Local Browsing
Direction: in
h. Click Add Service to this Rule and Add to Firewall Rules. The new rule should be visible at the bottom of the firewall rule list. If you cannot see the rule, click >> to move to the end of the list.
i. Click the up arrow next to the new rule to move the rule above any "Deny rest" rule.
j. Click Save to save your new rule set and apply the new firewall rules.
Your SMB LAN browsing should work now.
Q. How can I set up firewall rules to access NFS servers?
A. You need to allow the following network traffic through the firewall:
portmapper (tcp and udp port 111)
nfsd (tcp and udp port 2049)
mountd (variable port, assigned through portmapper)
Mountd is needed only while the NFS share is being mounted (or unmounted). After the mount is completed, all traffic goes to nfsd.
As the mountd port is not always the same, do one of the following to mount NFS shares:
Either turn off the firewall, mount (or umount) the NFS share and turn on the firewall again, or
on the NFS server, start mountd with the --port PORT option, which forces mountd to use a fixed port number instead of a random port. Then create a firewall rule that allows udp and tcp traffic to that port number.

D.5 Virus Protection

Q. How do I enable the debug log for the real-time virus scanner?
A. In Policy Manager Console, go to Product/Settings/Advanced/ and set the fsoasd log level to Debug. In a standalone installation, run the following command:
/opt/f-secure/fsma/bin/chtest s 44.1.100.11 9
The above command works for the Client Security product. If you are using Server Security, replace 44 with 45.
The log file is in /var/opt/f-secure/fsav/fsoasd.log
Q. How can I use an HTTP proxy server to download database updates?
A. In Policy Manager Console, go to F-Secure Automatic Update Agent / Settings / Communications / HTTP Settings / User-defined proxy settings and set Address to:
http://[[user][:pass]@]proxyhost[:port]
In the Web User Interface, use the setting on the Automatic Updates page in the advanced mode.
Q. Does the real-time scan work on an NFS server?
A. If the product is installed on an NFS server, the real-time scan does not scan files automatically when a client accesses a file on the server.

D.6 Generic Issues

Q. How can I clean an interrupted installation?
A. If the product installation is interrupted, you may have to remove the product components manually.
a. List all installed rpm packages:
rpm -qa | grep f-secure
rpm -qa | grep fsav
b. Remove the installed packages. Run the following command for each installed package:
rpm -e --noscripts <package_name>
c. Remove all of the product installation directories:
rm -rf /var/opt/f-secure/fsav
rm -rf /var/opt/f-secure/fsma
rm -rf /etc/opt/f-secure/fsav
rm -rf /etc/opt/f-secure/fsma
rm -rf /opt/f-secure/fsav
rm -rf /opt/f-secure/fsma
Q. The system is very slow. What is causing this?
A. The real-time virus scan and Integrity Checking can slow down the system.
Use the basic Linux tools (top and vmstat) to check what is slowing down the system.
Make sure that you are using the Dazuko version that is shipped with the product.
If a file that is accessed often is time-consuming to scan, consider adding it to the excluded list. For more information, see “Real-Time Scanning”, 40.
If you are using the centralized administration mode, make sure that DNS queries return addresses quickly, or use IP addresses with F-Secure Policy Manager.
Q. The product is unable to contact the database, how can I fix
this?
A. Sometimes, after a hard reset for example, the product may be
unable to contact the database. Follow these instructions to resolve the issue:
a. As root, remove the database PID file:
rm /var/opt/f-secure/fsav/pgsql/data/postmaster.pid
b. As root, restart the product:
/etc/init.d/fsma restart
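Removing postmaster.pid unconditionally is risky: if the database is in fact still running, the next start attempt can bring up a second postmaster on the same data directory. The following script is an added example (not part of the guide or the product) that removes the PID file only when the process it names is gone, and otherwise leaves it alone and reports the live PID. It assumes the first line of the file holds the PID, as PostgreSQL writes it; the path is the one given in the answer above.

```shell
#!/bin/sh
# Added example, not from the guide: remove the PostgreSQL PID file only when
# the process it names is gone. Deleting it while the database is still running
# would let a second postmaster start on the same data directory.
# Assumes the first line of the file holds the PID, as PostgreSQL writes it.

PGPID_FILE=/var/opt/f-secure/fsav/pgsql/data/postmaster.pid

# True if a process with this PID exists. /proc is consulted when available so
# that a permission error from kill -0 is not mistaken for a dead process.
pid_is_alive() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ -d /proc/self ]; then
        [ -d "/proc/$1" ]
    else
        kill -0 "$1" 2>/dev/null
    fi
}

# Returns 0 if a stale file was removed, 1 if a live process still owns it,
# 2 if there was no file. Run /etc/init.d/fsma restart afterwards.
remove_stale_pidfile() {
    f="${1:-$PGPID_FILE}"
    [ -f "$f" ] || return 2
    pid=$(head -n 1 "$f")
    if pid_is_alive "$pid"; then
        echo "postmaster pid $pid is still running; not removing $f" >&2
        return 1
    fi
    rm -f "$f"
}

# Usage (as root):  remove_stale_pidfile && /etc/init.d/fsma restart
```

If the function reports a live PID, check with ps what that process is before going any further; after a hard reset the PID may have been reused by an unrelated process, in which case the file is stale after all and can be removed by hand.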
Q. I get reports that "F-Secure Status Daemon is not running", how
can I start it?
A. Sometimes, after a hard reset for example, F-Secure Status Daemon may fail to start. Restart the product to solve the issue:
/etc/init.d/fsma restart
Alternatively, you may start F-Secure Status Daemon manually:
/opt/f-secure/fsav/bin/fstatusd
Q. I need to compile kernel drivers manually, how do I do that?
A. You may need to compile the kernel drivers that the product needs manually if
you did not have compilers and other required tools installed during the installation,
you did not have kernel headers or sources installed during the installation, or
you have upgraded the kernel and need to compile drivers for the new kernel.
To compile and install the drivers, run the following command:
/opt/f-secure/fsav/bin/fsav-compile-drivers
E Man Pages

fsav............................................................................................. 97
fsavd......................................................................................... 131
dbupdate................................................................................... 149
fsfwc......................................................................................... 153
fsic............................................................................................ 156
fsav (1)

Name
fsav - command line interface for F-Secure Anti-Virus

Synopsis
fsav options target ...

Description
fsav is a program that scans files for viruses and other malicious code. fsav scans the specified targets (files or directories) and reports any malicious code it detects. Optionally, fsav disinfects, renames or deletes infected files.
The types of viruses F-Secure Anti-Virus detects and disinfects include but are not limited to: Linux viruses, macro viruses infecting Microsoft Office files, Windows viruses and DOS file viruses. F-Secure Anti-Virus can also detect spyware, adware and other riskware (in selected products). fsav can scan files inside ZIP, ARJ, LHA, RAR, GZIP, TAR, CAB and BZ2 archives and MIME messages. F-Secure Anti-Virus utilizes three scanners to scan files: the F-Secure Corporation Orion and Libra scan engines and the Kaspersky Lab AVP scan engine.
fsav requires the fsavd scanner daemon to scan files. fsav uses UNIX domain sockets to communicate with the daemon. If fsavd is not running, fsav launches fsavd before the scan.

Options
--action1={none|report,disinf|clean,rename,delete|remove,abort,custom|exec}
    Synonym for --virus-action1, deprecated.
--action2={none|report,disinf|clean,rename,delete|remove,abort,custom|exec}
    Synonym for --virus-action2, deprecated.
--action1-exec=PROGRAM
    F-Secure Anti-Virus runs PROGRAM if the primary action is set to custom/exec.
--action2-exec=PROGRAM
    F-Secure Anti-Virus runs PROGRAM if the secondary action is set to custom/exec.
--action-timeout={e,c}
    What to do when the scan times out: treat the timeout as an error (e) or as clean (c).
--archive[={on,off,yes,no,1,0}]
    Scan files inside archives (default). Archives themselves are still scanned as normal files with or without this option. See the NOTES section below about nested archives.
--auto[={on,off,yes,no,1,0}]
    Disable action confirmation. Assumes 'Yes' to all enabled actions.
--avp[={on,off,yes,no,1,0}]
    Enable/disable the AVP scanning engine for the scan and the disinfection. If any engine is enabled, all other engines are disabled (unless