KASPERSKY LAB
Kaspersky Anti-Virus for FreeBSD, OpenBSD and BSDi File Server
User Guide
Kaspersky Lab Ltd.
http://www.kaspersky.com
Revision date: June 2002
Contents
1. KASPERSKY™ ANTI-VIRUS FOR FREEBSD, OPENBSD AND BSDI FILE SERVER ..... 8
1.1. Introduction ..... 8
1.2. Distribution kit ..... 10
1.2.1. What is in the distribution kit ..... 10
1.2.2. License agreement ..... 11
1.2.3. Registration card ..... 11
1.3. Help desk for registered users ..... 11
1.4. Information in the book ..... 12
1.5. Conventions ..... 12
2. INSTALLING KASPERSKY ANTI-VIRUS FOR XBSD FILE SERVER ..... 14
2.1. Software and hardware requirements ..... 14
2.2. Backing up your installation diskettes ..... 15
2.3. Step-By-Step Installation ..... 15
2.3.1. … of Kaspersky Anti-Virus for FreeBSD ..... 15
2.3.2. … of Kaspersky Anti-Virus for OpenBSD and BSDi ..... 17
2.4. Preparing to run ..... 18
2.4.1. Editing the .ini file ..... 18
2.4.2. Editing the path to temporary files ..... 19
2.4.3. Customizing software for several users ..... 19
3. RUNNING KASPERSKY ANTI-VIRUS FOR XBSD FILE SERVER ..... 21
3.1. Changing scanning settings ..... 21
3.2. Starting to check ..... 22
3.3. Starting to update virus-definition databases ..... 23
4. ANTI-VIRUS SCANNER: SCANNING AND DISINFECTING ..... 25
4.1. Starting Scanner ..... 25
4.2. Searching for viruses and deleting them ..... 27
4.2.1. Loading anti-virus scanner ..... 27
4.2.2. Handling infected objects ..... 28
4.2.3. Handling corrupted objects ..... 30
4.2.4. Handling suspicious objects ..... 31
4.3. Reviewing performance statistics ..... 32
5. ANTI-VIRUS SCANNER AND DAEMON PROCESS: USING SWITCHES AND PROFILES ..... 34
5.1. Scanning settings ..... 34
5.2. How to change settings ..... 35
5.3. Settings for a separate location to be checked ..... 36
5.3.1. Defining the location(s) to be checked ..... 36
5.3.2. Defining objects to be checked ..... 38
5.3.2.1. Object types ..... 38
5.3.2.2. Sectors ..... 38
5.3.2.3. Files ..... 39
5.3.2.4. Packed executables ..... 41
5.3.2.5. Archives ..... 42
5.3.2.6. Mail databases and plain mail files ..... 43
5.3.2.7. Embedded OLE objects ..... 44
5.3.3. Defining anti-virus actions ..... 44
5.3.4. Defining the advanced scanning tools to be used ..... 46
5.4. Settings for the cumulative location to be checked ..... 49
5.4.1. Cumulative settings ..... 49
5.4.2. Defining scanning and performance settings: Scanner and Daemon ..... 50
5.4.3. Defining actions on infected and suspicious objects ..... 54
5.4.4. Defining the reporting parameters ..... 56
6. DAEMON PROCESS: INTEGRATING ANTI-VIRUS PROTECTION IN CLIENTS ..... 59
6.1. Features of the Daemon program ..... 59
6.2. Launching the daemon process ..... 60
6.3. Calling up the process from a client program ..... 63
7. ANTI-VIRUS MONITOR: MONITORING THE SYSTEM FOR VIRUSES ..... 65
7.1. Features and functions ..... 65
7.2. Assembling and Configuring ..... 66
7.2.1. Assembling Monitor ..... 66
7.2.2. Configuring Monitor ..... 68
7.3. Launching Monitor ..... 71
7.4. Reviewing the performance results ..... 72
7.5. Troubleshooting ..... 72
8. SLOGAN: PROCESSING AND SUMMARIZING THE PERFORMANCE REPORTS ..... 75
8.1. Features and functions ..... 75
8.2. Launching Slogan ..... 76
8.3. Slogan in the real-time monitoring mode ..... 78
9. TUNER: CUSTOMIZING SCANNER AND DAEMON ..... 80
9.1. Features and functions ..... 80
9.2. Launching Tuner ..... 81
9.3. Interface ..... 82
9.4. Creating, editing and saving a profile ..... 83
9.5. The Location page ..... 85
9.5.1. Defining the location to be scanned for viruses ..... 85
9.5.2. Defining scanning settings for a separate directory ..... 87
9.5.2.1. The directory Property window: Selecting the required directory ..... 87
9.5.2.2. The directory Property window: Objects to be checked ..... 88
9.5.2.3. The directory Property window: Defining anti-virus actions ..... 90
9.5.2.4. The directory Property window: Defining the advanced scanning tools used. The Options page ..... 92
9.6. The Options page ..... 93
9.7. The Report page ..... 95
9.8. The ActionWith page ..... 98
9.9. The Customize page ..... 100
10. WEBTUNER: REMOTE ADMINISTRATION PROGRAM ..... 102
10.1. Functions and features ..... 102
10.2. General concept of the program performance ..... 103
10.3. Installing WebTuner. Access rights ..... 105
10.3.1. The WebTuner components ..... 105
10.3.2. Setting up the web server and WebTuner ..... 106
10.3.3. Rights on the web server ..... 109
10.3.3.1. Rights to run the web server ..... 109
10.3.3.2. Rights to run the WebTuner copy ..... 110
10.4. Launching WebTuner ..... 111
10.5. Interface ..... 112
10.6. Defining the Configuration of WebTuner ..... 114
10.6.1. WebTuner settings ..... 114
10.6.2. The main page: WebTuner performance settings ..... 116
10.6.3. The modules page: remote administration settings ..... 117
10.7. WebTuner: Administering Daemon ..... 121
10.7.1. Daemon settings ..... 121
10.7.2. Remote configuration of the Daemon program ..... 123
10.7.2.1. The Profile tuning window ..... 123
10.7.2.2. The objects page: location to be scanned ..... 124
10.7.2.3. The options page: scanning settings ..... 126
10.7.2.4. The actions page: object-handling settings ..... 126
10.7.2.5. The report page: reporting settings ..... 127
10.7.2.6. The customs page: advanced scanning settings ..... 128
10.7.3. Launching Daemon from a remote location ..... 128
10.7.4. Reviewing the log file ..... 132
10.8. WebTuner: administering Scanner ..... 135
10.8.1. Scanner settings ..... 135
10.8.2. Remote configuration of the Scanner program ..... 137
10.8.3. Launching Scanner from a Remote Location ..... 137
10.8.4. Reviewing the log file ..... 139
10.9. WebTuner: administering Updater ..... 139
11. UPDATER: UPDATING VIRUS-DEFINITION DATABASES ..... 143
11.1. Function and features ..... 143
11.2. Starting the Updater ..... 143
11.3. How to update virus-definition databases ..... 145
11.3.1. Updating via the Internet ..... 145
11.3.2. Updating from a network directory ..... 146
11.3.3. Updating from an archive ..... 146
11.4. Saving the report to a file ..... 147
12. INSPECTOR: MONITORING FILESYSTEM INTEGRITY ..... 148
12.1. Function and Features ..... 148
12.2. Running Inspector ..... 149
12.2.1. The Program Command Line ..... 149
12.2.2. Defining the location to be checked ..... 150
12.2.3. Handling modified and new files ..... 152
12.2.4. Saving the performance report ..... 154
13. CONTROL CENTRE: SCHEDULING THE KASPERSKY ANTI-VIRUS FOR XBSD FILE SERVER PERFORMANCE ..... 155
13.1. Function and Features ..... 155
13.2. Running Control Centre ..... 155
13.3. Scheduling performance of package component-based tasks ..... 156
13.4. Saving the performance report ..... 160
14. APPENDIX A. PRINCIPAL FILES ..... 162
15. APPENDIX B. SUPPLEMENTARY DETAILS OF KASPERSKY ANTI-VIRUS FOR XBSD FILE SERVER ..... 163
15.1. Files with the program settings ..... 163
15.2. Scanner and Daemon: The initialization file (AvpUnix.ini) ..... 163
15.3. Scanner and Daemon: the profile (defUnix.prf) ..... 165
15.4. Scanner and Daemon: command line switches ..... 176
15.5. Scanner and Daemon: report messages ..... 181
15.6. Scanner and Daemon: exit codes ..... 183
15.7. Slogan: report templates ..... 184
15.8. Inspector: command line switches ..... 187
15.9. Control Centre: command line switches ..... 190
15.10. Monitor: configuration file (monitor.conf) ..... 194
15.11. Updater: command line switches ..... 196
15.12. Installer: command line switches ..... 199
15.13. WebTuner: the configuration file (loader.cfg) ..... 200
16. APPENDIX C. CLASSIFYING COMPUTER VIRUSES ..... 204
17. APPENDIX D. KASPERSKY LAB LTD. ..... 207
17.1. About Kaspersky Lab ..... 207
17.2. Other Kaspersky Lab AntiViral Products ..... 208
17.3. Kaspersky Lab Contact Information ..... 210
18. INDEX ..... 212
Attention! New viruses arise every day, and if you want to keep your anti-virus fresh and capable, we strongly recommend that you update the anti-virus databases at least every day (for more details see below). Moreover, make sure to update them right after you install the product on your computer!

1. Kaspersky™ Anti-Virus for FreeBSD, OpenBSD and BSDi File Server

1.1. Introduction
What is Kaspersky Anti-Virus for FreeBSD, OpenBSD and BSDi File Server?
Kaspersky™ Anti-Virus for FreeBSD, OpenBSD and BSDi File Server (Kaspersky Anti-Virus for xBSD File Server) is a software product that is designed to search for and delete viruses (1) from xBSD and to remotely manage Kaspersky Anti-Virus for xBSD File Server. It allows detection and deletion of all currently known types of viruses and malware code, including:
polymorphic or self-encoding viruses;
stealth or invisible viruses;
viruses for Windows 9x, Windows NT, UNIX, OS/2;
new viruses for Java applets;
macroviruses infecting Word documents, Excel spreadsheets, PowerPoint presentations, Help files etc.;
network worms;
Trojans.
(1) A computer virus is a computer program (that is, executable code and/or a collection of instructions) that can replicate itself (though the copy may not necessarily exactly match the original), penetrate files and other resources of computer systems and networks, and make them perform tasks the virus dictates without the user's permission. Copies of the program are also capable of self-replicating.
Note: For classification of viruses that can be detected and deleted using Kaspersky Anti-Virus for xBSD File Server refer to Appendix C.
The package contains a set of anti-virus applications and utilities. The kavscanner program (Scanner) enables you to check for viruses in your operating system on demand (2).
The kavdaemon anti-virus process (Daemon) allows integration of the virus check process into your programs, and kavmonitor, the anti-virus file monitor (Monitor), continuously keeps checking for viruses in files of your FreeBSD filesystem that are started or opened.
The slogan program (Slogan) was developed to process and summarize data within the performance reports of the Scanner and the Daemon programs.
Kavupdater (Updater) enables you to update the virus-definition databases that are used by other components when checking for viruses.
Note: When checking for viruses, Kaspersky Anti-Virus for xBSD File Server uses virus-definition databases that contain information allowing detection and deletion of many viruses. Kaspersky Lab releases virus-definition database updates containing information about new viruses on a daily basis.
(2) If there are other computer drives mounted under your filesystem, files on these drives will also be virus-checked. Hereinafter, when describing the virus-checking process on your computer, we mean your computer filesystem and all the files mounted under it.
The package also contains the special configuration program kavtuner (Tuner), which allows you to define the virus-scanning settings of the Scanner and Daemon programs.
By using the kavinspector program (Inspector) you can check the filesystem. This will allow you to monitor changes in the file structure and to check for viruses in files with respect to the methods used to penetrate these files.
The package component WebTuner allows you to remotely manage Kaspersky Anti-Virus for xBSD File Server.
Performance of all the Kaspersky Anti-Virus for xBSD File Server components can be coordinated by means of the kavucc program (Control Centre), allowing a user to schedule automatic starts of the components and display information about the licensed traffic and the Kaspersky Anti-Virus for xBSD File Server users.
1.2. Distribution kit
What is in the distribution kit. License agreement. Registration card.
1.2.1. What is in the distribution kit
The distribution kit includes:
a sealed envelope with installation CD (or diskettes) with files of the software product;
User Guide;
key diskette;
registration card (with serial number of the product);
license agreement.
Note: Before you unseal the envelope with CD (or diskettes), be sure to thoroughly review the license agreement.
1.2.2. License agreement
The License Agreement (LA) is a legal agreement between you (either an individual or a single entity) and the manufacturer (Kaspersky Lab Ltd.) describing the terms on which you may employ the anti-virus product, which you have purchased.
Attention! Make sure to read the terms of the LA!
If you do not agree to the terms of this LA, Kaspersky Lab is not willing to license the software product to you and you should return the unused product to your Kaspersky Anti-Virus dealer for a full refund, making sure the envelope with CD (or diskettes) is sealed.
If you unsealed the envelope, you have agreed to all the terms of the LA.
1.2.3. Registration card
To register please fill the detachable coupon of your registration card (your full name, phone, e-mail address) and mail it to the dealer that sold this kit to you.
If your mail/e-mail address or telephone number changes, please notify the entity you mailed the register coupon to.
On registration you obtain the status of registered user of Kaspersky Anti-Virus for xBSD File Server and will be provided with product support and virus-definition database updates for the period of your subscription. Furthermore, Kaspersky Lab provides Kaspersky Anti-Virus registered users with information on the company's new products.
1.3. Help desk for registered users
Services that we provide to registered users.
Kaspersky Lab offers a large service package enabling legal users to efficiently employ Kaspersky Anti-Virus.
If you register and purchase a subscription you will be provided with the following services for the period of your subscription:
daily virus-definition database updates via e-mail;
product upgrades;
phone and e-mail advice on matters related to your software
installation, configuration and performance;
information about new Kaspersky Lab products and new computer viruses (for those who subscribe to our newsletter at http://www.kaspersky.com/subscribeNow.asp).
Attention! Kaspersky Lab does not give advice on the performance and use of your operating system or various other technologies.
1.4. Information in the book
What is in this documentation and what is not.
This book contains information on how to install, customize and manage the software product. It explains the basic concepts and the way they can be applied, and recommends ways to manage and change settings.
This book does not describe xBSD and software products that can be integrated with Kaspersky Anti-Virus for xBSD File Server.
1.5. Conventions
Conventions that are used in this book.
In this book we use various conventions to emphasize different meaningful parts of the documentation.
Convention | Meaning
Bold font | Menu titles, commands, window titles, dialog elements, etc.
Note. | Additional information, notes
Attention! | Very important information
To do this: … 1. Step 1. 2. … | Actions that must be taken
Function of the control—function of the control. | Description of the settings tree
[switch]—function of the switch. | Command line switches
Strings in the command line | Text to be entered in the command line by the user
Info message text | Text of the configuration files and information messages of the program.
2. Installing Kaspersky Anti-Virus for xBSD File Server
2.1. Software and hardware requirements
What hardware and software do you need to run Kaspersky Anti-Virus for xBSD File Server?
In order to run Kaspersky Anti-Virus for xBSD File Server you need a system that meets the following requirements:
a PC-compatible computer with 486 CPU or better and at least 64 Mb of RAM;
running the xBSD (FreeBSD, OpenBSD or BSDi) operating system;
at least 30 MB of disk space;
with a kernel (version 3.x or 4.x).
Note: Kernels of versions 2.0.x and earlier are not supported!
2.2. Backing up your installation diskettes
If you purchased the Kaspersky Anti-Virus for xBSD File Server package on installation diskettes (but not the CD) before installing the program on your computer, it is recommended that you back up those diskettes. Then, if during the installation you accidentally damage your installation diskettes, you will be able to restore them from copies.
2.3. Step-By-Step Installation
Descriptions of each step to be taken when installing Kaspersky Anti-Virus for xBSD File Server on a computer.
2.3.1. … of Kaspersky Anti-Virus for FreeBSD
To install the Kaspersky Anti-Virus for FreeBSD software package on a computer, follow these steps:
1. Copy the archive from the installation CD (installation diskette) to a filesystem directory on your computer.
2. Extract the archive by using the string tar zxvf archive_name. Several elements will be extracted from the software package archive. These elements are also archives containing the software product’s files.
3. Run installation of the Kaspersky Anti-Virus Workstation package by using the string pkg_add archive_name in the command line. For example, your command line may look like the following:
pkg_add kav-WorkstationSuit-4.0.0.0-FreeBSD-4.x.tgz
4. Copy the .key file from the installation CD (installation diskette) to the directory defined in the KeysPath line of the file AvpUnix.ini. The default .key file directory is /etc.
5. Run the Updater program to download virus-definition databases that are used in searches for viruses and disinfection (for details on how to launch Updater refer to subchapter 11.2).
Note: If required, before launching your Updater copy, edit the BasePath value in the file AvpUnix.ini. The BasePath parameter defines the path to the virus-definition database directory.
Attention! For addresses of the servers from which you may download new virus-definition databases refer to subchapter 17.3 of Appendix B.
6. Run installation of the Monitor program by using the string pkg_add archive_name in the command line.
7. Run installation of the WebTuner program by using the string pkg_add archive_name in the command line. A script file allowing creation of the server SSL certificate will be started. You must answer all the questions that appear on your screen.
8. Move to the directory /etc/AVP and edit the following files as required: AvpUnix.ini, defUnix.prf and monitor.conf.
9. Move to the directory /usr/local/etc/rc.d and edit as required the following auto-start parameters for the Kaspersky Anti-Virus for FreeBSD components in the file kavd.sh:
RUN_DAEMON="Y" – launches the Daemon program.
RUN_MONITOR="Y" – launches the Monitor program.
RUN_KAVUCC="Y" – launches the Control Centre program.
RUN_HTTPD="Y" – launches the WebTuner program.
Note: By default, auto-start for all the above-listed components is enabled, i.e. the parameters' value is "Y". To disable auto-start for a component, substitute "N" for the appropriate parameter value.
The Kaspersky Anti-Virus for FreeBSD program will be started automatically right after you restart your computer, or you may start it manually by entering the string ./kavd.sh start in the command line.
Attention! If any component of the Kaspersky Anti-Virus for FreeBSD software package failed to start, apply the launching procedure described in the corresponding chapter of this book.
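The auto-start parameters of step 9 are plain shell assignments, so they can be inspected and switched from a script as well as in an editor. The following is an added example, not code from the manual or from Kaspersky Lab: it works on a constructed copy of kavd.sh that contains only the four RUN_* lines the manual lists (a real kavd.sh has more in it), reports which components the file would start at boot, and flips one parameter while refusing values other than "Y" and "N" and parameter names the file does not already define.

```shell
#!/bin/sh
# Added example; not part of the manual and not Kaspersky Lab's code.
# Reads and toggles the RUN_* auto-start parameters of step 9 on a COPY
# of kavd.sh. The sample file below is constructed: it contains only the
# four parameter lines the manual lists, not the rest of a real kavd.sh.

# Write a constructed kavd.sh fragment to $1 with every component enabled
# (the manual's default).
make_sample_kavd() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample: only the auto-start parameters from the manual
RUN_DAEMON="Y"
RUN_MONITOR="Y"
RUN_KAVUCC="Y"
RUN_HTTPD="Y"
EOF
}

# Print Y or N for parameter $2 (e.g. RUN_MONITOR) in file $1.
# Fails, printing nothing, if the parameter is missing or malformed.
kavd_get() {
    sed -n "s/^$2=\"\([YN]\)\".*/\1/p" "$1" | head -n 1 | grep .
}

# Set parameter $2 in file $1 to Y or N ($3). Refuses any other value and
# any parameter the file does not already define, so a typo in a script
# cannot silently create a setting that kavd.sh never reads.
kavd_set() {
    case "$3" in Y|N) ;; *) echo "value must be Y or N, got '$3'" >&2; return 1 ;; esac
    kavd_get "$1" "$2" >/dev/null || { echo "parameter $2 not found in $1" >&2; return 1; }
    sed "s/^$2=\"[YN]\"/$2=\"$3\"/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print, one per line and in the manual's order, the components kavd.sh
# will start at boot; a parameter that is missing or not exactly "Y" is
# treated as disabled, which is what a boot-time check should flag.
kavd_enabled() {
    for p in RUN_DAEMON RUN_MONITOR RUN_KAVUCC RUN_HTTPD; do
        [ "$(kavd_get "$1" "$p")" = "Y" ] && echo "$p"
    done
    return 0
}

# Demonstration on a temporary file; /usr/local/etc/rc.d is never touched.
demo_kavd() {
    f=$(mktemp) || return 1
    make_sample_kavd "$f"
    kavd_set "$f" RUN_HTTPD N        # e.g. WebTuner is not wanted on this host
    kavd_enabled "$f"                # prints RUN_DAEMON, RUN_MONITOR, RUN_KAVUCC
    rm -f "$f"
}
```

To use it against the real file, point kavd_set and kavd_enabled at /usr/local/etc/rc.d/kavd.sh (as root) instead of the constructed sample; kavd_enabled is the cheap check to run after an edit, since a parameter whose value is not exactly "Y" will not start anything.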
2.3.2. … of Kaspersky Anti-Virus for OpenBSD and BSDi
To install the Kaspersky Anti-Virus for OpenBSD and BSDi software package on a computer, follow these steps:
1. Copy the archive from the installation CD (installation diskette) to a filesystem directory on your computer.
2. Extract the archive by using the string tar zxvf archive_name. Several elements will be extracted from the software package archive. These elements are also archives containing files of the software product.
3. Extract and install every component of the Kaspersky Anti-Virus for OpenBSD and BSDi software package one by one.
4. Copy the .key file from the installation CD (installation diskette) to the directory defined in the KeysPath line of the file AvpUnix.ini. The default .key file directory is /etc.
5. Edit the BasePath value defining the path to the virus-definition databases in the file AvpUnix.ini and, if required, the file defUnix.prf.
Note: If you want to be able to start the installed executable files from any directory, create appropriate links in the directory /usr/bin or /usr/local/bin.
Note: For a list of files that are critical for the program's performance refer to Appendix A.
2.4. Preparing to run
How to edit the .ini file and the path to the directory for temporary files. Customizing the software for various needs.
2.4.1. Editing the .ini file
The initialization file AvpUnix.ini contains information that is essential for your program’s correct performance and may be found in one of the following directories:
1. ~/.AVP (a user directory. For example, /root/.AVP or /home/user1/.AVP)
2. /usr/local/share/AVP/etc
3. /etc/AVP
Attention! When started, the program searches for the file AvpUnix.ini in the directories listed above one after another. If the file is not detected there, the program begins to look for it in the current directory!
If required, you may edit the file (for details of the INI file see Appendix B). The initialization file must be edited in one of the following cases:
If you copied your virus-definition databases to a separate directory, you must specify a new path to these files in the BasePath line of your AvpUnix.ini. Otherwise, when started your Scanner will not find those databases and will not be able to detect a virus, even if you have any!
If you changed the name of your .set file (i.e. settings file of your virus-definition databases), you must specify its new name in the SetFile line of your AvpUnix.ini. Otherwise when started the Scanner and the Daemon will not load its virus-definition databases and will not be able to detect a virus, even if you have any!
Attention! When editing the SetFile parameter, be sure to specify only the name of your .set file. You do not need to define the full path to it!
If you copied the key files to a separate directory, you must specify a new path to these files in the KeysPath line of your AvpUnix.ini. Otherwise, all the programs will operate as demo versions, i.e. they will be disabled to delete the viruses detected and to scan for viruses in archives and mail databases.
Note: It is advisable that you specify an absolute path to the virus-definition databases and key files in your AvpUnix.ini file.
2.4.2. Editing the path to temporary files
If you want your anti-virus scanner and the daemon process to place temporary files, while checking for viruses, in a directory that is different from /tmp (the default directory for temporary files), define the desired directory by following these steps:
1. Create a directory for temporary files, e.g. /TEMP.
2. Add the directory to your environment variable TEMP or TMP.
Attention! For other programs the directory for temporary files must be defined by editing the corresponding settings in the settings files of these programs.
2.4.3. Customizing software for several users
If you want to enable two or more different users to start the Scanner and the Daemon with individual settings, follow these steps:
1. Create the subdirectory .AVP (e.g. /root/.AVP) in the home directories of those users.
2. Copy AvpUnix.ini and defUnix.prf to those subdirectories.
3. If necessary, edit the profile (see Appendix B).
If you specify the -ua=name switch (where name is the user name) in the Tuner or the Installer command line, the programs will automatically perform the steps described above.
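Subchapter 2.4.1 describes the search order for AvpUnix.ini and the three settings that must be right (BasePath, SetFile, KeysPath), and subchapter 2.4.3 the per-user copies of the settings files. The following added example, which is not code from the manual or from Kaspersky Lab, puts both into a script: it resolves which AvpUnix.ini would be used, checks the settings the manual warns about (a relative path, a missing database directory or .set file, no .key file in KeysPath, which leaves the programs running as demo versions that cannot disinfect), and creates a user's own .AVP directory. It runs entirely under a temporary root held in $AVP_ROOT, so it does not read or write the real /etc/AVP; the ini contents, the [AVP32] section name and every path below are constructed sample values, and only the key names DefaultProfile, BasePath, KeysPath and SetFile come from the manual.

```shell
#!/bin/sh
# Added example; not part of the manual and not Kaspersky Lab's code.
# Resolves which AvpUnix.ini the programs would pick up (search order of
# subchapter 2.4.1), checks the three settings the manual says must be
# right, and creates the per-user copies of subchapter 2.4.3. Everything
# happens under a temporary root, $AVP_ROOT, so no real system directory
# is read or written. The ini contents, the [AVP32] section name and all
# paths below are constructed sample values; only the key names
# (DefaultProfile, BasePath, KeysPath, SetFile) come from the manual.

AVP_ROOT=${AVP_ROOT:-$(mktemp -d)}

# Print the first AvpUnix.ini found in the manual's order: the user's
# ~/.AVP, then the two system directories, then the current directory.
find_avpunix_ini() {
    for d in "$HOME/.AVP" "$AVP_ROOT/usr/local/share/AVP/etc" "$AVP_ROOT/etc/AVP" "."; do
        if [ -f "$d/AvpUnix.ini" ]; then echo "$d/AvpUnix.ini"; return 0; fi
    done
    echo "AvpUnix.ini not found in any search directory" >&2
    return 1
}

# Print the value of key $2 in ini file $1 (first match, surrounding
# whitespace removed); empty if the key is absent.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Check ini file $1 for the mistakes the manual warns about. Prints one
# line per problem and returns the number of problems (0 = all good), so
# a cron job can fail loudly instead of scanning with no databases or
# running in demo mode with disinfection disabled.
check_avpunix_ini() {
    ini=$1; n=0
    base=$(ini_get "$ini" BasePath); keys=$(ini_get "$ini" KeysPath); setf=$(ini_get "$ini" SetFile)
    for v in "$base" "$keys"; do
        case "$v" in /*) ;; *) echo "not an absolute path: '$v'"; n=$((n+1)) ;; esac
    done
    if [ ! -d "$base" ]; then
        echo "BasePath '$base' is not a directory: Scanner will find no databases"; n=$((n+1))
    elif [ -n "$setf" ] && [ ! -f "$base/$setf" ]; then
        echo "set file '$base/$setf' is missing: databases will not load"; n=$((n+1))
    fi
    case "$setf" in */*) echo "SetFile must be a bare file name, not '$setf'"; n=$((n+1)) ;; esac
    if [ -z "$keys" ] || [ -z "$(ls "$keys"/*.key 2>/dev/null)" ]; then
        echo "no .key file in KeysPath '$keys': programs will run as demo versions"; n=$((n+1))
    fi
    return $n
}

# Give the user whose home directory is $1 individual settings: create
# $1/.AVP and copy the system AvpUnix.ini and defUnix.prf into it (what
# the manual attributes to the -ua=name switch of Tuner and Installer).
setup_user_avp() {
    src=$AVP_ROOT/etc/AVP
    mkdir -p "$1/.AVP" || return 1
    for f in AvpUnix.ini defUnix.prf; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
        cp "$src/$f" "$1/.AVP/$f" || return 1
    done
}

# Constructed system-wide configuration under $AVP_ROOT with placeholder
# database, set and key files, so the checks above have something to find.
make_sample_system_config() {
    mkdir -p "$AVP_ROOT/etc/AVP" "$AVP_ROOT/usr/local/share/AVP"
    cat > "$AVP_ROOT/etc/AVP/AvpUnix.ini" <<EOF
[AVP32]
DefaultProfile=defUnix.prf
BasePath=$AVP_ROOT/usr/local/share/AVP
KeysPath=$AVP_ROOT/etc
SetFile=avp.set
EOF
    echo "; constructed minimal profile" > "$AVP_ROOT/etc/AVP/defUnix.prf"
    : > "$AVP_ROOT/usr/local/share/AVP/avp.set"   # placeholder set file
    : > "$AVP_ROOT/etc/sample.key"                 # placeholder key file
}
```

On a real host you would drop the $AVP_ROOT prefix from the three search directories and run check_avpunix_ini on the file find_avpunix_ini reports; note that the per-user copy wins over /etc/AVP, so after setup_user_avp a user's own BasePath and KeysPath are the ones to verify.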
3. Running Kaspersky Anti-Virus for xBSD File Server
3.1. Changing scanning settings
How to change scanning settings. Using command line switches and profiles.
To use various features of Kaspersky Anti-Virus for xBSD File Server, you must define:
objects to be checked;
how to handle those objects;
advanced scanning tools to be used etc.
The program loads scanning settings from a profile (a file with the .prf extension) that is defined in the DefaultProfile line of your AvpUnix.ini, or from its command line if you use the required command line switches (see subchapter 4.1). There are two ways to edit a profile:
First, by means of the configuration program called Tuner (see chapter 9) or the remote configuration program called WebTuner (see chapter 10).
Second, by opening and editing a profile in any text editor (see subchapter 5.2).
For various situations, you may define different settings. For example, if you want to perform a regular preventative check you do not need to enable advanced scanning tools. However, if you suspect that your computer is infected, these tools should be used.
For example,
./kavscanner -V -H- /root
This command line enables the anti-virus scanner to check the directory /root by using two advanced scanning tools: a redundant check and a heuristic tool.
To define settings for the same operation in defUnix.prf, open it in a text editor of your choice and specify the following values:
Names=*/root;
RedundantScan=Yes
CodeAnalyser=Yes
3.2. Starting to check
How to start checking for viruses. An example of how to start your anti-virus scanner and the daemon process. Monitoring files. Checking in mail messages.
You may start the check from the command line or from a script file. For example, the Scanner command line may look similar to the following:
./kavscanner
When started, the Scanner automatically loads settings from the file defined by the DefaultProfile parameter in AvpUnix.ini. The default file name is defUnix.prf, a sample of which is supplied with Kaspersky Anti-Virus for xBSD File Server. If your package doesn't contain the file, the scanner will use its own default settings. You may also redefine settings by using the switch -F=profile_name in the command line.
To check for viruses you may also load the Daemon program (see chapter 5). In the beginning, this program can be started from the command line and later it may be called from the client. When you start the daemon process for the first time, your command line may look similar to the following:
./kavdaemon
This command starts the daemon process and loads the virus-definition databases into system memory. To start checking in your home directories, for example, you may use the following command:
./kavdaemon -o{/home}
Daemon inherits all functions of Scanner, but there are some differences in command line switches that are related to features of the process (see chapter 6).
The Monitor is always active and continuously checks filesystem objects that are started or opened (for details on how to start the Monitor see subchapter 7.3).
3.3. Starting to update virus-definition databases
Sources of updates for your virus-definition databases. An example of how to use Updater.
You may acquire updates for your virus-definition databases via the Internet or from Kaspersky Lab dealers.
The main address for updates is http://updates2.kaspersky-labs.com/updates.
You may also refer to the site at www.kaspersky.com for a complete list of Kaspersky Lab dealers that can provide you with updates.
To efficiently protect your computer from new viruses it's advisable to update your virus-definition databases on a regular basis.
Updater that is supplied with Kaspersky Anti-Virus for xBSD File Server allows you to automate the update operation (see subchapter 11.2).
To launch your Updater you may use, for example, the following command:
./kavupdater -ui=http://kasperskylab.com/updates
4. Anti-Virus Scanner: Scanning and Disinfecting
4.1. Starting Scanner
Starting the scanner from the command line or from a script file. Using exit codes.
To periodically check for viruses in your computer you must start Scanner. This program may be started from the command line or from the specially developed script file.
If your Scanner, when started, does not detect the key file, the program will function as a demonstration copy, i.e. it will be disabled from scanning for viruses in archives and mail messages, and from asking you to choose an action for a virus that has been detected.
When starting Scanner from the command line you can define its settings by corresponding switches. The general format of the Scanner command line is:
./kavscanner [switch1] [switch2] [...] [switchN] [path] [filemasks]
where:
[switchN] is an optional switch in the Scanner command line;
[path] is the optional xBSD path that defines the location to be checked;
[filemasks] are the optional xBSD file masks that define the files to be checked for viruses. By default, the program checks for viruses in all executable files.
Before you start scanning you can define the scanner settings, i.e. objects to be checked for viruses, actions to be taken regarding those objects, advanced scanning tools to be used etc. (see subchapter 5.1). When started, the program automatically loads settings from defUnix.prf that is supplied with Kaspersky Anti-Virus for xBSD File Server. However, if you created a new profile and specified its name in the DefaultProfile line of AvpUnix.ini, your Scanner will load settings from this file. If the program finds no profile when started, it will use its default settings. Finally, settings from the profile may be redefined by available command line switches.
If you want to load settings from a profile that is different from that defined in the .ini file, start the program using the command line switch -F=profile_name. For a complete list of available command line switches refer to Appendix B. When starting Scanner from a script file, you can review its exit codes. Refer to Appendix B for a complete list of available exit codes and an example of their analysis within the script file.
You may start Scanner from the installation diskette. It is advisable that you create boot diskettes for xBSD and save Kaspersky Anti-Virus for xBSD File Server together with the virus-definition databases on them (you will need several diskettes). Those diskettes will be useful for restoring your system in the case of a virus attack.
When you create a profile for your Scanner on the boot diskettes, make sure to define Yes for the UseMemoryFiles parameter (for details of this parameter see subchapter 5.4.2).
4.2. Searching for viruses and deleting them
Actions to be taken regarding infected objects. Recommendations. Messages generated by the anti-virus scanner when it detects objects that are suspicious or infected with a virus, and messages about a virus in your anti-virus program.
4.2.1. Loading anti-virus scanner
When started, Scanner loads virus-definition databases. If the operation was successful, you will see the following message at the bottom of your screen:
Antiviral databases were loaded. Records: <NNNN>
where <NNNN> is the number of entries in the databases.
After this, the anti-virus scanner checks for viruses in itself (the kavscanner executable module).
If your anti-virus scanner is infected with a virus, the program will ask whether you want to disinfect the file. In this case, if you have a virus-free installation copy of Scanner, it is advisable that you delete the infected installation and reinstall Scanner on your computer hard disk. If there is no way to do so, select to disInfect the file. After the file is disinfected, your anti-virus scanner will suggest restarting the program and will shut down.
If your anti-virus scanner is not infected, after the self-check it will begin checking for viruses in user-predefined objects by using predefined settings for handling them and by applying predefined advanced scanning tools.
If you started the program with no predefined objects to be checked, the following message will appear on your screen: "Nothing to scan. You should select Files and/or Sectors in the *.prf file."
If you see this message, specify the objects to be checked by your Scanner.
If you started the program with no predefined location to be checked, the following message will appear on your screen: "Nothing to scan. You should select at least one directory to scan."
If you see this message, specify the location to be checked by your Scanner.
4.2.2. Handling infected objects
If the program detected objects infected with a virus, try to disinfect them. Unfortunately, sometimes it is impossible to do (Scanner displays the corresponding message). In this case infected objects must be deleted.
Scanner does not disinfect files corrupted by a virus, files that in fact are Trojans, archived files, mail databases and plain mail files.
Be careful when handling infected and suspicious objects or their copies! If some executable file is infected, do not start it.
If your anti-virus scanner was preset to ask for instructions on how to handle infected objects, after detection of such an object it will display the object's name and the virus name and will ask you to choose the method to handle this object. For example, the inquiry string may look similar to the following:
Actions — Report only (OK/disInfect/Delete/Cancel/Stop)
where:
Report only—do not handle the object but log the event;
disInfect—try to disinfect the object; the virus will be deleted and the object will be restored to its virus-free state, close to the original;
Delete—delete the object;
Cancel—ignore the object and continue with checking;
Stop—abort the check.
The inquiry string will vary depending on the method that was selected for the previous infected object detected. The general format for the dialog is:
Actions <Action_1> (OK/<Action_2>/<Action_3>/Cancel/Stop)
where:
<Action_1> is the default method suggested. It may be one of the following three actions: Report only, disInfect or Delete;
<Action_2>
and <Action_3> are the other two methods of the three listed above. The Cancel and Stop commands are always at the end of the string.
To select the default method you may press the key with its capital letter or the <O> key (that means OK).
To select one of the other methods press the key with its capital letter. For example, to disInfect the object you must press the I key.
If your system sector is infected (Boot, MBR, Partition Table), and you selected to disInfect or Delete it, Scanner will display the following warning:
Treatment of sectors is a risky operation! We recommend you to make a complete backup of your drive. Proceed with treatment now? - Yes/No
To confirm the action type <Y> and press <ENTER>. To cancel it type <N> and press <ENTER>.
The sector check function under your operating system may not be available.
If you confirm the action, Scanner will right away start disinfecting the sectors and will replace them with a standard MS-DOS 6.0 boot sector. If you cancel the action, the scanning will be aborted. In this case you will be able to exit the program and back up your hard disk prior to disinfecting.
After you selected one of the above mentioned methods of object-handling, a query similar to the following will appear on your screen:
Apply to all Infected objects? - Yes/No
If you agree, during the check your anti-virus scanner will automatically handle all infected objects as you specified in the previous dialog. Results of the check will be logged.
4.2.3. Handling corrupted objects
As we mentioned already, infected objects sometimes cannot be disinfected because some viruses change the data irreversibly. Objects that were infected in such a way must be deleted.
If the program is not able to disinfect an object, it will display the following query:
Disinfecting of <OBJECT_NAME> infected by virus <VIRUS_NAME> is impossible. Delete this object - Yes/No
where:
<OBJECT_NAME> is a name of the infected object;
<VIRUS_NAME> is a name of the virus.
To delete the object type <Y> and press <ENTER>. The program will delete the object and display the following new query:
Delete all non disinfected objects? - Yes/No
If you choose to confirm the action, the program will automatically delete all infected objects that it is not able to disinfect. If you cancel the action, next time when the program finds an infected object it is not able to disinfect, it will again ask whether you want to delete this object.
To cancel the deletion type <N> and press <ENTER>. The program will skip the object and display the following new query:
Do not delete all non-disinfected objects? - Yes/No
If you choose to confirm the action, the program will automatically skip all infected objects that it is not able to disinfect. If you cancel the action, next time when the program finds an infected object it is not able to disinfect, it will again ask whether you want to delete this object.
The anti-virus scanner does not disinfect mail databases and plain mail files. The scanner does not disinfect or delete infected objects if they are archived, but you may try the following method to disinfect them: extract the archive and disinfect the extracted files with your anti-virus scanner. Then you may delete the archive and archive the disinfected files.
4.2.4. Handling suspicious objects
If your Scanner reported some suspicious file or sector, it's advisable that you contact our help desk department. Send these objects to Kaspersky Lab, so that they can be studied (for example, you may use the address newvirus@kaspersky.com). You may also deliver these objects to the Kaspersky Lab distributor that sold you your copy of Kaspersky Anti-Virus for xBSD File Server.
It's advisable that you archive suspicious objects and password-protect the archive prior to sending them to Kaspersky Lab or delivering them to the distributor, together with the archive password.
4.3. Reviewing performance statistics
How to review virus check reports. Messages about checked objects. Performance statistics.
While checking for viruses the program displays current results. On the left side of your screen you may see names of the objects that were checked. On the opposite side the program reports their status. For the list of available messages refer to Appendix B.
When the check is finished, the program displays statistics about objects that have been checked and viruses that have been detected and deleted.
The statistics table is divided into two columns:
Its left column displays values for objects that have been checked: sectors, files, directories, packed files and archives. Here you may also see the time that was spent for the check.
The right column displays the following values:
Known viruses — types of viruses detected by Kaspersky Anti-Virus for xBSD File Server;
Virus bodies — the number of files infected by a known virus;
Disinfected — objects from which viruses were deleted;
Deleted — deleted objects;
Warnings — objects containing code that looks like known virus modifications;
Suspicious — suspicious objects, i.e. the heuristic checking tool messages;
Corrupted — corrupted objects;
I/O errors.
Messages about infected objects and general statistics will be logged, if you preset the program to do so.
To process and summarize data within the performance reports and to review details of scanning operations use the Slogan program (for details refer to chapter 8).
5. Anti-Virus Scanner and Daemon Process: Using switches and profiles
5.1. Scanning settings
What to check? Where to check? How to handle infected objects?…
Prior to checking for viruses in your computer you must define:
Location to be checked: system sectors including: Boot Sector, Master Boot Record, Partition Table; files on local, network and external disks (floppy, LS-120, CD).
The sector check function under your operating system may not be available.
Objects to be checked: packed files, archives, mail databases, local mail boxes of the most commonly used messaging systems, files of various types.
Actions to be taken on infected objects: they may be disinfected or deleted, or copied to another directories.
Advanced scanning tools: checking for corrupted and modified viruses; the redundant scanning tool, i.e. a full-scan device that checks not just the entry points into a file that are used by the system when processing it, but the entire contents of examined files; and the heuristic analyzer, allowing detection of viruses that are unknown to the program.
According to tests, our heuristic analyzer enables a user to detect more than 92% of unknown viruses from the Kaspersky Lab virus collection.
Logging reports of the check to a file: the program can log the check report and the performance statistics to a file.
5.2. How to change settings
How to change settings: command line switches, profile, and configuration program. Recommendations on use of various settings.
The Scanner and the Daemon programs load settings from a profile, i.e. the .prf file. In order to edit a profile, you may use one of the following two methods:
First method — by using Tuner (see chapter 9) or WebTuner (see chapter 10).
Second method — by opening and editing a .prf file's contents in any text editor of your choice. Settings from the profile may also be redefined by available command line switches.
When setting your Scanner for different purposes you may use various configuration methods:
Regular check. You may preset Scanner for some regular checks; e.g. for daily preventative checks, for an extremely thorough check of a diskette etc. For these purposes you may create a set of regular profiles with various settings. This way, when you need your Scanner to be set according to some certain profile, define this profile in the program command line.
Irregular check. There may be some irregular situations, when you need an irregular set of settings. For example, you may need to check some directory for viruses in archives or mail databases. In this case it is advisable that you start the anti-virus scanner from the command line with appropriate switches.
5.3. Settings for a separate location to be checked
Location to be checked. Objects to be checked. Individual settings for locations to be checked.
5.3.1. Defining the location(s) to be checked
Before changing other settings you must define the location where your program will search for viruses and delete them.
If you started the program with no predefined location to be checked, the following message will appear on your screen: "Nothing to scan. You should select at least one directory to scan."
The location to be checked must be defined in the Names line of the [Object] section of a profile.
A PROFILE MAY HAVE MORE THAN ONE [Object] SECTION for several different locations to be checked. In addition, for every location you can define different check settings.
To define the location to be checked, in the Names line of the [Object] section, enter the filesystem directories to be checked for viruses. If you define more than one directory, they must be separated by semicolons. There is one more important thing: if you specify a directory in this line and want the program to check it for viruses, make sure to prefix it with the character "*". For example, if the line looks similar to Names =*/root/vir; .home/samba; */root/tst;, its meaning is: the program when started will check for viruses only in files of the /root/vir and /root/tst directories. To exclude a directory from the location to be checked prefix it with the character ".". This feature is very useful since you do not have to type or delete directories each time you include or exclude them from the check; you simply prefix them with "." or "*". You may also specify the location by command line switches (for details see subchapter 4.1).
If you do not have rights to access some of the predefined directories or files to be checked, they will be skipped during the check.
To check for viruses in subdirectories of the directories predefined in the Names line, type Yes in the SubDirectories line of the [Object] section. Otherwise, type No.
The SubDirectories parameter corresponds to the command line switch -R[-]. The switch -R disables, and the switch -R- enables your anti-virus scanner to search for viruses in files located in the subdirectories of the directories defined in the Names line.
For the program to cross filesystem borders, type Yes in the CrossFs line of the [Object] section. Otherwise, type No.
The CrossFs parameter corresponds to the command line switch -C[-]. The switch -C disables and the switch -C- enables your anti-virus scanner to cross filesystem borders.
5.3.2. Defining objects to be checked
5.3.2.1. Object types
Now that you have defined the location to be checked (see subchapter 5.3.1), you must define the objects that will be checked for viruses. The program can check for viruses in objects of the following types:
sectors (see subchapter 5.3.2.2);
The sector check function under your operating system may not be available.
files (see subchapter 5.3.2.3), including:
packed executables (see subchapter 5.3.2.4);
archives, including self-extracting (see subchapter 5.3.2.5);
mail databases and plain mail files (see subchapter 5.3.2.6);
OLE objects embedded in the examined files (see subchapter 5.3.2.7).
If you started the program with no predefined objects to be checked, the following message will appear on your screen: "Nothing to scan. You should select Files and/or Sectors in the *.prf file."
Objects to be checked must be defined in the appropriate lines of the [Object] section of a profile.
5.3.2.2. Sectors
The sector check function under your operating system may not be available.
To scan (ignore) sectors within the selected location, type Yes (No) for the Sectors parameter of the profile.
This parameter corresponds to the command line switches -P[-] and -B[-]. The switch -P disables, and the switch -P- enables the scanner to check the MBR. The switch -B disables and the switch -B- enables the scanner to check Boot Sectors of disks defined in the Names line.
5.3.2.3. Files
To scan files within the selected location:
1. Type Yes in the Files line of the profile.
2. To be more specific type one of the following values for the FileMask parameter:
0 — scans programs, i.e. all the files with extensions: .bat, .com, .exe, .ov*, .sys, .bin, .prg, .class, .ini, .vbs, .js, .htm, .dpl, .htt, .hta, .hlp, .pif; and also files whose inner format corresponds to DOS executable files (*.com, *.exe and .sys), Windows and OS/2 (.exe, *.dll), Linux (in the format .elf); files with the format of Microsoft Office documents and spreadsheets (OLE2 and Access) and Java applets. Thereby, this value scans all the files that are capable of containing a virus-code.
1 — scans all the files with extensions: bat, .bin, .cla, .cmd, .com, .cpl, .dll, .doc, .dot, .dpl, .drv, .dwg, .eml, .exe, .fpm, .hlp, .hta,.htm, .htt, .ini, .js, .jse, .lnk, .mbx, .md*, .msg, .msi, .ocx, .otm, .ov*, .php, .pht, .pif, .plg, .pp*, .prg, .rtf, .scr, .shs, .sys, .tsp, .vbe, .vbs, .vxd, .xl*.
2 — scans every file of every type (this value is equal to the mask *.*).
The value 2 for the FileMask parameter corresponds to the command line switch -* or -I2.
3 — scans file types defined by the user for the UserMask parameter. If you define more than one file type, they must be separated by commas.
Besides this, you may specify files to be checked by the command line switch -@!=filename. In this case Scanner checks only those files listed in the text file filename (ASCII). Every line in this file contains only one name of a file (with the full path to it). If the optional character ! is specified in the switch (i.e. -@!=filename), upon completion of the task the filename file will be deleted. If this character is not in the switch (i.e. -@=filename), this file will be kept.
To exclude some files from the check:
1. Enter one of the following values in the ExcludeFiles line of the profile:
1 — excludes file types defined by the ExcludeMask parameter (see below);
2 — excludes files located in directories defined by the ExcludeDir parameter (see below);
3 — excludes both the ExcludeMask files and the ExcludeDir directories.
To exclude no files from the check type 0 in the ExcludeFiles line of the profile.
2. In the ExcludeMask line, define file masks to be excluded from the check and separate them by commas or spaces.
This parameter corresponds to the command line switch -XF=filemasks, where filemasks must be substituted with the file masks to be excluded from the check.
3. In the ExcludeDir line define directories to be excluded from the check and separate them by commas or spaces.
This parameter corresponds to the command line switch -XD=directories, where directories must be substituted with the directories to be excluded from the check. The directories defined in the InfectedFolder, SuspiciousFolder and CorruptedFolder lines of the profile (see subchapter 5.4.3) are automatically ignored during the check.
If you suspect that your computer is infected it's advisable to type Yes for all the objects-to-be-scanned parameters, and 2 in the FileMask line. For daily preventative checks type Yes in the Sectors and Files lines and 0 in the FileMask line, and disable the archives and packed executables scanning tools.
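The Names prefixes of subchapter 5.3.1 and the FileMask and ExcludeFiles values above combine into one decision per file. The following Python is an added example, not code from the product or this manual: it reads a constructed [Object] fragment with those keys and reports whether a given path would be selected for scanning. Assumptions: UserMask holds glob patterns such as *.exe, a Names entry with neither prefix is skipped, and FileMask=0 is modelled by its extension list only (the content-based detection it also performs is not reproduced).

```python
"""Added example (not the product's code): decide which files an [Object]
section of a Kaspersky Anti-Virus for xBSD File Server profile would hand
to the scanner.  Models Names ("*" scan / "." skip prefixes), SubDirectories,
Files, FileMask, UserMask, ExcludeFiles, ExcludeMask and ExcludeDir."""
import fnmatch
import posixpath

# Extension lists quoted in subchapter 5.3.2.3 for FileMask=0 and FileMask=1.
MASK0_EXTENSIONS = ("bat", "com", "exe", "ov*", "sys", "bin", "prg", "class",
                    "ini", "vbs", "js", "htm", "dpl", "htt", "hta", "hlp", "pif")
MASK1_EXTENSIONS = ("bat", "bin", "cla", "cmd", "com", "cpl", "dll", "doc", "dot",
                    "dpl", "drv", "dwg", "eml", "exe", "fpm", "hlp", "hta", "htm",
                    "htt", "ini", "js", "jse", "lnk", "mbx", "md*", "msg", "msi",
                    "ocx", "otm", "ov*", "php", "pht", "pif", "plg", "pp*", "prg",
                    "rtf", "scr", "shs", "sys", "tsp", "vbe", "vbs", "vxd", "xl*")

# Constructed sample profile fragment; a real defUnix.prf carries more keys.
SAMPLE_PROFILE = """\
[Object]
Names=*/root/vir; ./root/vir/samba; */root/tst;
SubDirectories=Yes
CrossFs=No
Files=Yes
FileMask=3
UserMask=*.exe,*.com
ExcludeFiles=3
ExcludeMask=setup.* *.tmp
ExcludeDir=/root/tst/old
"""


def parse_profile(text):
    """Return [(section_name, {key: value}), ...] in file order."""
    # Hand-written because a profile may hold several [Object] sections and
    # a stock INI reader would merge or reject the duplicated names.
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections


def parse_names(value):
    """Split a ";"-separated Names line into (scanned, skipped) directories.

    "*" marks a directory to scan, "." one to leave out; an entry with neither
    prefix is treated as skipped (assumption, see the lead-in)."""
    scanned, skipped = [], []
    for entry in (e.strip() for e in value.split(";")):
        if entry.startswith("*"):
            scanned.append(posixpath.normpath(entry[1:]))
        elif entry:
            skipped.append(posixpath.normpath(entry[1:] if entry.startswith(".") else entry))
    return scanned, skipped


def _yes(section, key):
    return section.get(key, "No").strip().lower() == "yes"

def _list(value):
    # UserMask, ExcludeMask and ExcludeDir accept commas or spaces as separators.
    return value.replace(",", " ").split()

def _in_dir(path, directory, recurse):
    parent = posixpath.dirname(path)
    return parent == directory or (recurse and parent.startswith(directory.rstrip("/") + "/"))

def _matches_any(name, patterns):
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def file_selected(section, path):
    """True if this [Object] section would submit `path` to the scanner."""
    if not _yes(section, "Files"):
        return False
    scanned, skipped = parse_names(section.get("Names", ""))
    recurse = _yes(section, "SubDirectories")
    if not any(_in_dir(path, d, recurse) for d in scanned):
        return False
    if any(_in_dir(path, d, True) for d in skipped):
        return False  # "."-prefixed directories stay out even when nested in a scanned one
    name = posixpath.basename(path)
    mask = section.get("FileMask", "0")
    if mask == "0" and not _matches_any(name, ["*." + e for e in MASK0_EXTENSIONS]):
        return False
    if mask == "1" and not _matches_any(name, ["*." + e for e in MASK1_EXTENSIONS]):
        return False
    if mask == "3" and not _matches_any(name, _list(section.get("UserMask", ""))):
        return False  # assumption: UserMask holds glob patterns such as *.exe
    # FileMask=2 (or any other value) means every file, the same as the mask *.*
    excl = section.get("ExcludeFiles", "0")
    if excl in ("1", "3") and _matches_any(name, _list(section.get("ExcludeMask", ""))):
        return False
    if excl in ("2", "3"):
        for d in _list(section.get("ExcludeDir", "")):
            if _in_dir(path, posixpath.normpath(d), True):
                return False
    return True
```

Running file_selected over the sample section shows /root/vir/a.exe selected, /root/vir/setup.exe dropped by ExcludeMask, /root/tst/old/c.exe dropped by ExcludeDir, and /root/vir/samba/d.exe dropped by the "." prefix even though it lies under a scanned directory.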
5.3.2.4. Packed executables
Scanner can check for viruses in packed executable files that are unpacked by the special engine.
Packed executable files contain special unpacking modules. When such a file is started, the module unpacks the program to RAM and then runs it. Packing utilities can pack infected files along with clean ones. If these are scanned by a conventional anti-virus scanner, the infected file would be passed as virus-free, because the virus body was packed together with the program code.
To enable the unpacking engine, type Yes in the Packed line of the profile. After this, your Scanner will be able to check and delete viruses from packed executable files.
This parameter corresponds to the command line switch -U[-]. The switch -U disables and the switch -U- enables the unpacking engine.
The unpacking engine unpacks files that have been packed by various versions of the most popular utilities: DIET, PKLITE, LZEXE, EXEPACK etc., to temporary files so the anti-virus scanner can check them. When the check is completed the temporary files are deleted.
The unpacking engine generates temporary files in the directory defined by the TempPath parameter in the [TempFiles] section of a profile (see subchapter 5.4.2).
If a virus known to Kaspersky Anti-Virus for xBSD File Server was detected in some packed file, it can be deleted (if your Scanner was preset to disinfect files — see subchapter 5.3.3). In this case the infected file will be replaced by the unpacked and disinfected one. If the unpacking engine is disabled, packed executable modules will be scanned as unpacked and your Scanner will only be able to detect viruses that infected the files when they were already packed.
The unpacking device is able to correctly unpack files that have been compressed multiple times. It can also deal with some versions of immunizers, programs protecting executable files from viruses by attaching checking code blocks (like CPAV and F-XLOCK) and enciphering programs (like CryptCOM) to them.
If the unpacking and extracting (see subchapter 5.3.2.5) engines are enabled, Kaspersky Anti-Virus for xBSD File Server is able to detect an infected file even though it was enciphered by the CryptCOM utility, then packed by PKLITE and, finally, added to the PKZIP archive.
5.3.2.5. Archives
You can enable your Scanner to check for viruses in archived files (including self-extracting archives) that are extracted by the special engine.
The extracting engine is designed to check for viruses in files archived with various versions of the following archivers: ZIP, ARJ, LHA, RAR, CAB etc.
The ability to check for viruses in archives is very important, as an infected file can stay in your archive for months or years, and the virus will be inactive and therefore invisible to you, but some day the virus may break loose and ruin your system.
To enable the extracting engine:
1. Type Yes in the Archives line of the profile. Otherwise, type No.
2. Type Yes in the SelfExtArchives line of the profile (for checking in self-extracting archives). Otherwise, type No.
The Archives parameter corresponds to the command line switch -A[-]. The switch -A disables and the switch -A- enables the extracting engine.
Scanner does not extract password-protected archives. Scanner does not delete viruses from archives, it only detects them.
The unpacking engine generates temporary files in the directory defined by the TempPath parameter in the [TempFiles] section of a profile (see subchapter 5.4.2).
The extracting engine noticeably slows down the Scanner scanning rate. Therefore, we recommend enabling this engine only if the probability that your archived files are infected is high.
5.3.2.6. Mail databases and plain mail files
You can enable your Scanner to check for viruses in mail databases and plain mail files.
The mail databases and especially plain mail files scanning modes noticeably slow down the Scanner scanning rate. Therefore we do not recommend their use in a regular check for viruses.
Scanner checks mail databases and plain mail files but does not delete viruses from them.
Kaspersky Anti-Virus for xBSD File Server checks mail databases of the following formats:
Microsoft Outlook, Microsoft Outlook Express (*.pst and *.pab files, a type of MS Mail archive);
Microsoft Internet Mail (*.mbx files, a type of MS Internet Mail archive);
Eudora Pro & Lite;
Pegasus Mail;
Netscape Navigator Mail;
JSMail SMTP/POP3 server (user database).
To check for viruses in mail databases, type Yes in the MailBases line of the profile. Otherwise, type No.
This parameter corresponds to the command line switch -MD[-]. The switch -MD enables, and the switch -MD- disables your anti-virus scanner to check for viruses in mail databases.
While scanning mail databases Kaspersky Anti-Virus for xBSD File Server checks every entry and scans attached files. The following formats are supported: UUEncode; XXEncode; btoa (up to 5.0); btoa 5.*; BinHex 4.0; ship; NETRUN 3.10; NETSEND 1.0 (not packed); NETSEND 1.0C (packed); MIME base64.
To check for viruses in plain mail files, type Yes in the MailPlain line of the profile. Otherwise, type No.
This parameter corresponds to the command line switch -MP[-]. The switch -MP enables and the switch -MP- disables your anti-virus scanner to check for viruses in plain mail files.
While scanning plain mail files Kaspersky Anti-Virus for xBSD File Server searches in every file for the message header, and then checks for viruses in the attached data (UUEncode, XXEncode etc.).
5.3.2.7. Embedded OLE objects
To check for viruses in OLE objects embedded in the examined files, type Yes in the Embedded line of the profile. Otherwise, type No.
5.3.3. Defining anti-virus actions
In the appropriate lines of the [Object] section of a profile you can define actions that should be taken on infected, suspicious and corrupted objects if these are detected.
If Kaspersky Anti-Virus for xBSD File Server reported some suspicious file or sector, it's advisable that you contact our help desk department. Send these objects to Kaspersky Lab, so that they can be studied (for example, you may use the address newvirus@kaspersky.com). It's advisable that you archive suspicious objects and password-protect the archive prior to sending them to Kaspersky Lab or delivering them to the distributor, together with the archive password.
To define actions to be taken on infected, suspicious and corrupted objects, enter one of the following values for the InfectedAction parameter of the profile:
0 — reports infected, suspicious and corrupted objects. Messages will be displayed and, if preset, logged into the log file (see subchapter 5.4.4). The program will not disinfect or delete infected objects.
0 in the InfectedAction line of the profile corresponds to the command line switch -I0.
1 — displays an inquiry about how to handle the infected object (see subchapter 4.2.2).
This value is advisable for the Scanner program since, when an infected object is detected, the program first asks the user how the object should be handled. 1 in the InfectedAction line of the profile corresponds to the command line switch -I1.
2 — disinfects all infected objects without asking first. If an object cannot be disinfected, the program asks whether you want it to be deleted (see subchapter 4.2.3).
You can preset the anti-virus scanner to automatically disinfect infected objects with the command line switch -I2. Two more command line switches are available for this action: the switch -I2S automatically disinfects infected objects and skips objects that cannot be disinfected, and the switch -I2D automatically disinfects infected objects and deletes objects that cannot be disinfected.
3 — deletes the infected object without asking first.
3 in the InfectedAction line of the profile corresponds to the command line switch -E or -I3.
While scanning for viruses the program may detect an infected object that cannot be disinfected. In this case the only way to protect your computer is to delete such objects.
To define actions to be taken on unrecoverable objects, enter one of the following values for the IfDisinfImpossible parameter of the profile:
0 — reports unrecoverable objects (see subchapter 4.2.3). Messages will be displayed and, if preset, logged into the log file (see subchapter 5.4.4). The program will not delete these objects.
0 in the IfDisinfImpossible line corresponds to the command line switch -I2S.
1 — deletes unrecoverable objects.
1 in the IfDisinfImpossible line corresponds to the command line switch -I2D.
You can preset the program to copy infected and suspicious objects to separate directories. In some cases these copies may be very useful. For example, if you preset your anti-virus scanner to delete infected objects (3 in the InfectedAction line), later you may use their copies to restore them.
To copy infected files to a separate directory, type Yes in the Backupinfected line of the profile.
The directory for copies of the infected files must be defined in the appropriate line of the [ActionWithInfected] section of a profile (see subchapter 5.4.3).
5.3.4. Defining the advanced scanning tools to be used
In the appropriate lines of the [Object] section of a profile you can enable/disable the following advanced scanning tools:
Advanced checking tool
searches for corrupted and modified viruses. If a file or sector contains a corrupted or modified virus or suspicious code, the program displays a corresponding warning.
The sector check function may not be available under your operating system.
Code Analyzer (the heuristic detecting tool)
checks file and sector code along the various algorithmic branches of Kaspersky Anti-Virus for xBSD File Server, searching for virus-like instructions.
Redundant scanning tool
checks not just the entry points of a file that the system uses when processing it, but the entire contents of the examined files. In most cases a virus registers itself in the entry point of a file with a reference to its body, which is usually appended to the file contents. To delete such a virus you just need to run an ordinary scanning operation, which removes the virus code located at the file entry point and the virus body pointed to by the initial address. However, sometimes the virus divides its body into several parts and places them into clear areas of the file. In this case an ordinary scanning operation will neutralize the virus (i.e. the virus code in the entry point and the main part of the virus body will be deleted) but some of its parts will remain in the file. This is when you need to run the redundant scan operation, which checks not only the file entry points but also the entire contents of your file.
To enable the advanced checking tool searching for corrupted or modified viruses, type Yes in the Warnings line of the profile.
To enable the heuristic detecting tool searching for unknown viruses, type Yes in the CodeAnalyser line of the profile.
This parameter corresponds to the command line switch -H[-]. The switch -H disables and the switch -H- enables the heuristic detecting tool.
By default the anti-virus scanner always uses Code Analyzer to check files for unknown viruses. Disabling the heuristic detecting tool is not recommended!
If the heuristic tool detects certain instructions (such as instructions to open a file, write into it, intercept the interrupt vectors etc.), the file is considered suspicious and the program generates the appropriate message:
Suspicion: <TYPE>
where <TYPE> is replaced by one of the following strings:
Com — the file seems to be infected by a virus that infects .COM files;
Exe — the file seems to be infected by a virus that infects .EXE files;
ComExe — the file seems to be infected by a virus that infects both .COM and .EXE files;
ComTSR, ExeTSR, SysTSR, ComExeTSR — the file seems to be infected by a virus that infects .COM, .EXE and .SYS files;
Boot — the file/sector seems to be infected by a boot virus or a boot virus installer;
The sector check function may not be available under your operating system.
Trojan — the file looks like a Trojan;
Trivial — the file seems to be infected by an unknown virus that replaces executable files in the current directory with its own code (usually the virus size does not exceed 300 bytes);
Win32 — the file seems to be infected by an unknown Windows virus;
Formula — the Excel file contains suspicious instructions.
Of course, like any other algorithm of this type, the heuristic algorithm may occasionally produce false alarms; however, Code Analyzer has been tested many times on a large number of files and has not so far been actually deceived. If you do encounter a false alarm while checking files using Code Analyzer, please let us know and send us copies of the virus-free files that were identified as infected so that we can study them at Kaspersky Lab.
When scanning code the heuristic detecting tool examines the structure of a program down to several sublevels, slowing down the general scanning rate of Kaspersky Anti-Virus for xBSD File Server by approximately 20%. The tool detects 92% of the viruses (including many encrypted ones) in Kaspersky Lab's database, and we believe that newly found viruses that are not yet in the database will be detected with the same degree of probability.
To enable the redundant scanning tool, type Yes in the RedundantScan line of the profile.
This parameter corresponds to the command line switch -V[-]. The switch -V enables and the switch -V- disables the redundant scanning tool.
The redundant scanning tool is recommended if no virus was detected in a normal scan but the system is still behaving strangely (for example, the computer frequently restarts by itself, applications slow down unnaturally etc.). Otherwise, we do not recommend enabling the redundant scanning tool, as it noticeably slows down the scanning rate and increases the probability of "false alarms".
5.4. Settings for the cumulative location to be checked
5.4.1. Cumulative settings
Unlike the settings for a separate location to be checked, which define the scanning operation for the location defined in a certain [Object] section of the profile (see subchapter 5.3), the settings for the cumulative location to be checked (the cumulative settings) define other scanning and performance parameters for all the [Object] sections of the profile.
General settings are consolidated in several sections of defUnix.prf (for details refer to Appendix B).
You can define the following general settings:
General parameters of scanning and performance of the anti-virus scanner (see subchapter 5.4.2).
Methods to handle infected, suspicious and corrupted objects (see subchapter 5.4.3).
Generation of the check report and the performance statistics (see subchapter 5.4.4).
5.4.2. Defining scanning and performance settings: Scanner and Daemon
General parameters for the program performance are located in the [Customize] section of a profile. This section allows you to define how often you are reminded to update the Kaspersky Anti-Virus for xBSD File Server virus-definition databases and the action to be taken in case the databases are corrupted. The performance settings in this section also allow you to define the messages that will be displayed by the program.
General parameters for the scanning operations are located in the [Options] and [Tempfiles] sections of a profile. These parameters allow you to define the scanning of directories located on removable disks, the handling of symbolic links and subdirectories, and the generation of temporary files.
Defining general settings for the program performance
New viruses arise every day. If you want to keep your anti-virus program at peak efficiency, we strongly recommend that you update the virus-definition databases regularly.
To define the interval between two reminders about the need to update the virus-definition databases:
1. Type Yes in the updatesCheck line of the [Customize] section of a profile.
2. Decide how often you want to see a message reminding you to update your virus-definition databases. Type the interval (in days) between two displays of the message in the updatesInterval line of the section.
To enable error reporting at the program start, type Yes in the Othermessages line of the [Customize] section of a profile. Otherwise, type No.
To be asked for confirmation when enabling the redundant scanning tool, type Yes in the Redundantmessage line of the [Customize] section of a profile. Otherwise, the program will enable the redundant scanning tool without confirmation.
This setting applies only to a location to be checked that has a positive value (Yes) in the RedundantScan line of its [Object] section.
To be asked for confirmation when deleting an infected object, type Yes in the Deleteallmessage line of the [Customize] section of a profile. If you type No, the program will delete the objects without confirmation.
This setting applies only to a location to be checked that has the value 3 in the InfectedAction line of its [Object] section.
To shut down the program when corrupted virus-definition databases are detected, type Yes in the ExitOnBadBases line of the [Customize] section of a profile. Otherwise, type No.
To have the performance results reported using the extended exit codes, type Yes in the Useextendedexitcode line of the [Customize] section of a profile. Otherwise, type No.
Defining general settings for the scanning operations
To skip data on removable disks while checking for viruses in the entire filesystem (by default this type of data media is also checked), type No in the ScanRemovable line of the [Options] section of a profile. Otherwise, type Yes.
To scan subdirectories last (after all the other objects have been scanned), type Yes in the ScanSubDirAtEnd line of the [Options] section of a profile. Otherwise, type No.
This setting applies only to a location to be checked that has a positive value (Yes) in the SubDirectories line of its [Object] section (for details refer to subchapter 5.3.1).
To define whether and how the program must check symlinks, type one of the following values in the Symlinks line of the [Options] section:
0 — do not check files and directories available via symbolic links.
0 in the Symlinks line corresponds to the command line switch -LP.
1 — check only files and directories available via the symbolic links defined in the command line and ignore other links. This is the default mode.
1 in the Symlinks line corresponds to the command line switch -LH.
2 — check all files and directories available via symbolic links.
2 in the Symlinks line corresponds to the command line switch -LL.
The four [Options] section parameters below are for the Scanner program only. These parameters are not operational without the key file and are not present in the Kaspersky Anti-Virus version for Rescue Disk.
To scan several files for viruses simultaneously:
1. Type Yes in the ParallelScan line. Otherwise, type No.
2. Define the maximum number of simultaneously scanned files in the LimitForProcesses line.
To implement loop scanning for viruses:
1. Type Yes in the EndlesslyScan line. Otherwise, type No.
2. Define the interval between two loops (in seconds) in the ScanDelay line. For an interval equal to zero, type -1.
For the program to create temporary files in memory (rather than on your hard disk):
1. Type Yes in the UseMemoryFiles line of the [Tempfiles] section of a profile. Otherwise, type No; in this case temporary files will be created on the hard disk.
2. To limit the size of the temporary files created in memory, define the maximum size (in Kb) in the LimitForMemFiles line. Temporary files exceeding this size will be created on the hard drive.
This setting is used only if you entered a positive value (Yes) in the UseMemoryFiles line of the [Tempfiles] section.
3. To limit the size of files to be extracted in memory (see subchapter 5.3.2.5), define the maximum size (in Kb) for this type of temporary file in the MemFilesMaxSize line. If a file being extracted from its archive exceeds this value, the program stops extracting it into memory and starts generating this temporary file on the hard disk.
This setting is used only if you entered a positive value (Yes) in the UseMemoryFiles line of the [Tempfiles] section.
Values in the LimitForMemFiles and MemFilesMaxSize lines must not exceed the RAM on your computer.
To define the directory for temporary files, type the path in the TempPath line. For example, TempPath=/tmp
5.4.3. Defining actions on infected and suspicious objects
The following three sections allow you to define actions to be taken by the program when it detects infected, suspicious or corrupted objects:
[ActionWithInfected] section parameters define how to handle the infected objects.
[ActionWithSuspicion] section parameters define how to handle the suspicious objects.
[ActionWithCorrupted] section parameters define how to handle the corrupted objects.
To copy infected files to a separate folder, in the [ActionWithInfected] section of a profile:
Type Yes in the InfectedCopy line.
Define the path to the folder for infected files in the InfectedFolder line. The default folder is /infected.
To copy suspicious files to a separate folder, in the [ActionWithSuspicion] section of a profile:
Type Yes in the SuspiciousCopy line.
Define the path to the folder for suspicious files in the SuspiciousFolder line. The default folder is /suspicious.
To copy corrupted files to a separate folder, in the [ActionWithCorrupted] section of a profile:
Type Yes in the CorruptedCopy line.
Define the path to the folder for corrupted files in the CorruptedFolder line. The default folder is /corrupted.
To copy infected, suspicious and corrupted objects together with their paths, type Yes in the CopyWithPaths lines of the above sections. Otherwise, type No.
It is recommended to enable the above option, since you may have files with the same name in different directories on your computer.
To change the extensions of infected, suspicious and corrupted files, in the sections listed above:
Type Yes in the ChangeExt lines.
Define the target extension for the files in the NewExtension line. For example, you may type vir for infected files, susp for suspicious files and corr for corrupted files.
To change the owner of infected, suspicious and corrupted files that the program failed to disinfect, define the target owner name in the ChownTo lines of the above sections. If you do not want to make the changes, type None.
To change the access attributes of infected, suspicious and corrupted files that the program failed to disinfect, define the target attribute mask in the ChModTo lines of the above sections. For example, the value 640 assigns the following attributes to the file: read by owner, write by owner and read by group. If you do not want to make the changes, type No.
Be careful when handling infected and suspicious objects or their copies! If an executable file is infected, do not start it.
5.4.4. Defining the reporting parameters
To review results of the check performed by the program you must define its reporting parameters located in the [Report] section of a profile. This section also allows you to enable/disable additional information in the log.
To create a log file for the program reports:
1. Type Yes in the Report line.
2. Define the name of your log file in the ReportFileName line. The default value is report.txt.
If you prefix the file name with the character "~", the file will be created in your home directory.
To limit the size of your log file:
Type Yes in the ReportFileLimit line.
Define the maximum size (in Kb) in the ReportFileSize line.
To append new reports to the contents of the log file, type Yes in the Append line. Type No to overwrite the old report with the new one.
To be reported on every examined object, type Yes in the RepForEachDisk line.
To define the log file attributes mask, type the desired mask number in the RepCreateFlag line. For example, RepCreateFlag=600
To use both the carriage return and the linefeed characters to separate records in a log file, type Yes in the UseCR line. Otherwise, type No. By default, records in a log file are separated with the linefeed character only. Therefore, in some text editors it will be difficult to review these files, since the editor shows everything written on a single line. If this happens with your text editor, type Yes for the above parameter and the program will use both separators (carriage return and linefeed) in your log file.
To define the file for storing check reports, you may use the command line switch -W[T][A][+][=filename], where filename is the name of the log file (the default name is report.txt). The character A in the switch appends the report to the file contents, while the character T overwrites the old report with the new one. The character + in the switch adds more details to the report heading.
The program may be enabled to log check-reports to the system or the user log.
To add check results to the system log, type Yes in the UseSysLog line. Type No to add check results to the user-defined file.
A positive value (Yes) in the UseSysLog line automatically suppresses the following parameters: ReportFileName, Append, ReportFileLimit, ReportFileSize and RepCreateFlag.
The following two parameters are used only for the Daemon program, and only if you call up the daemon process from a script file and want to display the performance report.
To add the current check results to a user-defined log file:
1. Type Yes in the UserReport line.
2. Define the file name in the UserReportName line.
If you prefix the name with the character "~", the file will be created in your home directory.
To add more details to the report, type Yes in the ExtReport line.
Use the parameters below to define optional information that will be added to the report:
WriteTime — reports the date and time when the program messages were displayed. Type Yes to enable these messages in the report, or No to disable them.
WriteTimeInfo — reports the time of last modification and the size of every infected object. Type Yes to enable these messages in the report, or No to disable them.
ShowOK — reports virus-free objects. Type Yes to enable these messages in the report, or No to disable them.
This parameter corresponds to the command line switch -O[-]. The switch -O enables, and the switch -O- disables, the messages.
ShowPack — reports packed and archived objects. Type Yes to enable these messages, or No to disable them.
This parameter corresponds to the command line switch -K[-]. The switch -K enables, and the switch -K- disables, the messages.
Showpassworded — reports password-protected archives. Type Yes to enable these messages, or No to disable them.
ShowSuspicion — reports suspicious objects. Type Yes to enable these messages, or No to disable them.
Showwarning — reports objects suspected to be infected with a modification of a known virus. Type Yes to enable these messages, or No to disable them.
Showcorrupted — reports corrupted objects. Type Yes to enable these messages, or No to disable them.
Showunknown — reports unknown viruses detected. Type Yes to enable these messages, or No to disable them.
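The following checker, added here as an example and not part of the product or of this guide, re-reads a profile fragment built from the parameters of subchapters 5.3.3 to 5.4.4 and flags the combinations the text calls ineffective or not recommended (a Redundantmessage without any RedundantScan=Yes, copies without CopyWithPaths, a size limit without ReportFileSize, and so on). The sample profile is constructed; its [Object] location lines are left out.

```python
"""Consistency checker for a Kaspersky Anti-Virus for xBSD File Server profile.

Added example, not part of the product or of this guide: it re-reads an
INI-style profile such as defUnix.prf and reports settings that, according to
subchapters 5.3 and 5.4, have no effect or are not recommended. SAMPLE_PROFILE
is constructed; the [Object] location lines (subchapter 5.3.1) are left out.
"""

SAMPLE_PROFILE = """\
[Object]
SubDirectories=Yes
InfectedAction=3
RedundantScan=No
CodeAnalyser=No
Backupinfected=Yes
[Customize]
Redundantmessage=Yes
Deleteallmessage=Yes
[Options]
ScanSubDirAtEnd=Yes
[ActionWithInfected]
InfectedCopy=Yes
InfectedFolder=/infected
CopyWithPaths=No
ChModTo=640
[Report]
ReportFileLimit=Yes
UseSysLog=No
"""

ACTION_SECTIONS = (("actionwithinfected", "infectedcopy"),
                   ("actionwithsuspicion", "suspiciouscopy"),
                   ("actionwithcorrupted", "corruptedcopy"))


def parse_profile(text):
    """Parse '[Section]' / 'Key=Value' lines into (sections dict, [Object] list)."""
    sections, objects, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in ";#":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current, name = {}, line[1:-1].strip().lower()
            if name == "object":  # a profile may hold several [Object] sections
                objects.append(current)
            else:
                sections[name] = current
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections, objects


def is_yes(section, key, default="No"):
    return section.get(key, default).lower() == "yes"


def is_octal_mask(value):
    return len(value) == 3 and all(c in "01234567" for c in value)


def check_profile(text):
    """Return a list of findings (strings); an empty list means nothing was found."""
    out = []
    sections, objects = parse_profile(text)
    cust, opts = sections.get("customize", {}), sections.get("options", {})
    rep, infected = sections.get("report", {}), sections.get("actionwithinfected", {})
    for i, obj in enumerate(objects):
        if not is_yes(obj, "codeanalyser", default="Yes"):  # Code Analyzer is on by default
            out.append(f"[Object] #{i}: CodeAnalyser=No disables the heuristic tool (not recommended)")
        if is_yes(obj, "backupinfected") and not infected.get("infectedfolder"):
            out.append(f"[Object] #{i}: Backupinfected=Yes but [ActionWithInfected] InfectedFolder is not set")

    # [Customize] / [Options] settings that act only on matching [Object] sections
    if is_yes(cust, "redundantmessage") and not any(is_yes(o, "redundantscan") for o in objects):
        out.append("[Customize] Redundantmessage=Yes has no effect: no [Object] has RedundantScan=Yes")
    if is_yes(cust, "deleteallmessage") and not any(o.get("infectedaction") == "3" for o in objects):
        out.append("[Customize] Deleteallmessage=Yes has no effect: no [Object] has InfectedAction=3")
    if is_yes(opts, "scansubdiratend") and not any(is_yes(o, "subdirectories") for o in objects):
        out.append("[Options] ScanSubDirAtEnd=Yes has no effect: no [Object] has SubDirectories=Yes")

    # [ActionWith*]: copies should keep their paths; ChModTo is an octal mask or No
    for name, copy_key in ACTION_SECTIONS:
        act = sections.get(name, {})
        if is_yes(act, copy_key) and not is_yes(act, "copywithpaths"):
            out.append(f"[{name}] {copy_key}=Yes without CopyWithPaths=Yes: same-named files would collide")
        mode = act.get("chmodto", "No")
        if mode.lower() != "no" and not is_octal_mask(mode):
            out.append(f"[{name}] ChModTo={mode} is not a three-digit octal mask (e.g. 640)")

    # [Report]: UseSysLog=Yes suppresses the file settings; a size limit needs a size
    if is_yes(rep, "usesyslog"):
        for key in ("reportfilename", "append", "reportfilelimit", "reportfilesize", "repcreateflag"):
            if key in rep:
                out.append(f"[Report] {key} is suppressed because UseSysLog=Yes")
    elif is_yes(rep, "reportfilelimit") and "reportfilesize" not in rep:
        out.append("[Report] ReportFileLimit=Yes but ReportFileSize is not set")
    return out
```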
6. Daemon Process: Integrating Anti-Virus Protection in Clients
6.1. Features of the Daemon program
Describing functions and features of the program.
The Daemon anti-virus process, kavdaemon, is designed to integrate anti-virus protection (search and deletion of viruses) into client software (e.g. Monitor) on a computer running xBSD. Daemon operates as a system process and inherits all the functions of Scanner; therefore our description of the Scanner capabilities applies to Daemon as well.
Unlike the anti-virus scanner, Daemon loads the virus-definition databases into memory just once, when it is started for the first time. This significantly decreases the time required to perform a virus check. This feature determines the scope of application of the Daemon program, namely WEB servers and mail systems under xBSD: all objects incoming to these systems must be promptly checked for viruses, and this is the task that the daemon process can accomplish.
Daemon has all the features of anti-virus programs designed for other platforms, and allows checking for viruses in all file types (including archives, packed and plain mail files), application of the heuristic detection and redundant checking tools. The process can perform functions of the server or the client.
Installation, setup, customization and updating of the Daemon virus-definition databases are similar to those described for the anti-virus scanner. The difference is in the command line and the available switches, which is related to the specific operation mode of the process (see subchapter 6.2).
6.2. Launching the daemon process
The Daemon command line. Command line switches specific to the daemon process. The Daemon profile as compared with the anti-virus scanner.
Daemon can be launched from the command line, from script files and from user programs. The way the daemon process is used to search for and delete viruses is independent of its status (whether it is already running or not) and of whether it is called from the command line or from a user program.
If, when started, your Daemon does not detect the key file, the program will function as a demonstration copy, i.e. it will not scan for viruses in archives and mail messages and will not ask you to choose an action for a virus that has been detected.
The general format of the Daemon command line is:
./kavdaemon [switch1] [switch2] [...] [switchN] [path]
where
[switch…] is an optional command line switch of the Daemon program;
[path] is the optional xBSD path that defines the location to be checked.
The meaning of path in the Daemon command line differs from that of the Scanner program. For the scanner this setting defines the location to be checked for viruses, but for Daemon it assigns the path value to the list of locations enabled to be checked (i.e. to the Object parameter of the profile). The objects to be checked are defined by the switch -o in the command line (see below).
The list of available switches includes those described for Scanner (see Appendix B), except for the switches -D and -@!. Besides, there are several command line switches that are specific to the daemon process:
-q
terminates the program right after the check and disinfection are completed, without starting the daemon process. This switch is used only if the daemon process has not been started yet.
-k
kills the parent daemon process. This switch is not recommended.
-ka
kills all running daemon processes (the parent process as well as the child processes).
-v
displays the version number.
-o{the list of files, directories or symbolic links separated by colons}
checks the defined files, directories and links. If the objects are not located in the check-permitted area, they will be ignored.
-f=directoryname
creates and stores the files AvpCtl and AvpPid in the defined directory. If you do not start Daemon as the root user, the program may be prohibited from accessing the default directory for these files. In this case, every time you start Daemon, make sure to use the switch -f.
-WU[=temporaryfilename]
defines the temporary file in which the daemon process logs check results.
In this version when you launch the daemon process, it automatically initiates the following two processes: the primary process handles calls from the client programs, the secondary process reports performance of the first. It is possible to disable the second process.
-dl — disables start of the secondary daemon process.
The Daemon command line may look similar to the following:
./kavdaemon /home -o{/home/my_mail} -A -K
When started, the Daemon program first checks whether a daemon process is already running.
If none is detected, Daemon acts like the anti-virus scanner (see subchapter 4.2) and then starts the daemon process. This happens only if you did not use the command line switch -q; if that switch is in the command line, the daemon process will not be started.
If the process has already been started, the Daemon program establishes a data link with it and uses this link to transfer the command string with the scanning settings. The daemon process then checks for and deletes viruses and uses the same link to return the check results. When the check is finished, the program breaks the link.
For the Daemon program to start correctly the initialization file, AvpUnix.ini (see Appendix B), must be located in the same directory as the Daemon module. If you decide to move the executable file, kavdaemon, to some other directory, AvpUnix.ini must be copied there as well and then edited appropriately (e.g. the path to the virus-definition databases).
To optimize process loading you may change the priorities of the parent and child processes. To do this, change the values of the Father and Child parameters in the [Priority] section of the profile.
6.3. Calling up the process from a client program
How to call up the process from a client program. The example.
To call up the existing daemon process from a client program, follow these steps:
1. Create a socket.
2. Link the socket to the Daemon program.
3. Write the corresponding command string into the socket. The general format of the string is:
<flags>date_and_time:command param
The <flags> substring must be substituted with one of the following values:
0 — the command param substring transfers the file name and the parameters of the command line. In the simplest case, just the file name is transferred; the string then looks similar to the following: <0>27 Mar 13:40:11:/tmp/test.tgz. In the more complicated case, the file name and the parameters of the command line are transferred, and the general format of the string is:
<flags>date_and_time: 0xfeparameter1[|parameter2[|parameter3[…]]] 0xfepath1[;path2[;path3[…]]]
where:
° 0xfe defines the beginning of a section;
° parameterN defines the corresponding command line parameter (without the leading character "-");
° pathN defines the corresponding path to the location to be checked.
The number of paths and parameters is unlimited.
3 — the command param substring transfers the parameters of the shared memory where the examined object was placed beforehand. This mode is used if objects are checked without being saved to disk first. In this case the general format of the string is:
<flags>date_and_time:<switch|length|>
where:
° | is the character separating sections;
° switch is the value acquired using the ftok() function;
° length is the size of the shared memory.
The value 3 is used only in the server version of the Daemon program. The value 4 displays the version number.
4. Read the check results from the socket. The results are read as 2 bytes. The low byte contains a standard exit code or the value 0x3f (in this case the client program must return the operation to be applied by the daemon process to the object). The high byte contains flags defining further operations. The value 0x2 in the high byte means that 4 bytes containing the size of the shared memory with the disinfected object should be read. This value may be present only if the flag was set to the value 3 (or 1) during the transfer and the exit code is 5. In this case you must open the shared memory and rewrite the examined object from it. The value 0x1 in the high byte means that 4 bytes (containing the size of the report buffer) and then the buffer itself should be read.
5. Delete the socket.
The distribution kit includes the protocol implementation samples. In addition to the Daemon program the package also contains Monitor, the client program (see chapter 7).
The examples and the client programs are supplied as source code that includes a description of the methods used to call up the Daemon program from the client software.
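The exchange of steps 3 and 4 in Python, as an added example that is not one of the samples in the distribution kit: it builds the three command string forms and decodes the two-byte result with its optional shared-memory size and report buffer. The byte order, the Latin-1 encoding, the literal spaces in the extended format, the order of the two payloads and the UNIX-domain socket used as the link are assumptions the manual does not state.

```python
"""Client-side helpers for the kavdaemon socket protocol of subchapter 6.3.

Added example, not one of the samples shipped in the distribution kit. It
builds the command strings the text describes and decodes the two-byte result
word with its optional length-prefixed payloads. Assumptions the manual does
not state, all marked below: little-endian byte order for the result word and
the 4-byte sizes, Latin-1 text, the literal spaces printed in the extended
command format, shared-memory size before report, and a UNIX-domain socket as
the link to the daemon.
"""
import io
import socket
import struct

SECTION = b"\xfe"    # marks the beginning of the parameter section and of the path section
ASK_CLIENT = 0x3f    # low byte: the daemon wants the client to choose the action
FLAG_REPORT = 0x1    # high byte: a 4-byte report size and then the report follow
FLAG_SHMEM = 0x2     # high byte: a 4-byte shared-memory size follows (exit code 5)


def build_simple_command(timestamp, path):
    """<0>date_and_time:path, e.g. b'<0>27 Mar 13:40:11:/tmp/test.tgz'."""
    return b"<0>%s:%s" % (timestamp.encode("latin-1"), path.encode("latin-1"))


def build_command(timestamp, switches, paths):
    """<0>date_and_time: 0xfe p1|p2 0xfe path1;path2 (switches lose their leading '-')."""
    params = b"|".join(s.lstrip("-").encode("latin-1") for s in switches)
    locs = b";".join(p.encode("latin-1") for p in paths)
    return b"<0>%s: %s%s %s%s" % (timestamp.encode("latin-1"), SECTION, params, SECTION, locs)


def build_shmem_command(timestamp, key, length):
    """<3>date_and_time:<key|length|> for an object preplaced in shared memory.

    key is the value obtained with ftok(); server version of Daemon only.
    """
    return b"<3>%s:<%d|%d|>" % (timestamp.encode("latin-1"), key, length)


def read_exact(read, n):
    """Call read() until n bytes have arrived; a short read means the link was lost."""
    buf = b""
    while len(buf) < n:
        chunk = read(n - len(buf))
        if not chunk:
            raise ValueError(f"link closed after {len(buf)} of {n} bytes")
        buf += chunk
    return buf


def decode_result(read):
    """Decode the daemon's answer using read(n) to pull bytes from the link.

    Returns a dict: exit_code (None when the daemon asks the client to decide),
    ask_client, flags, shmem_size (bytes to copy back from shared memory, or
    None) and report (bytes, or None).
    """
    low, high = read_exact(read, 2)            # low byte first: byte-order assumption
    result = {"exit_code": None if low == ASK_CLIENT else low,
              "ask_client": low == ASK_CLIENT, "flags": high,
              "shmem_size": None, "report": None}
    if high & FLAG_SHMEM:                      # disinfected object waits in shared memory
        result["shmem_size"] = struct.unpack("<I", read_exact(read, 4))[0]
    if high & FLAG_REPORT:                     # size-prefixed report buffer
        size = struct.unpack("<I", read_exact(read, 4))[0]
        result["report"] = read_exact(read, size)
    return result


def decode_bytes(data):
    """Decode a complete answer captured in memory (used for offline checks)."""
    return decode_result(io.BytesIO(data).read)


def scan_with_daemon(socket_path, command):
    """Send one command to a running kavdaemon and decode its answer.

    socket_path is an assumption: the manual only says "link the socket to the
    Daemon program" and names the AvpCtl file created by the -f switch.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as link:
        link.connect(socket_path)
        link.sendall(command)
        return decode_result(link.recv)


if __name__ == "__main__":
    # Constructed answers: a clean file, a disinfected object of 4096 bytes in
    # shared memory, and a "you decide" answer carrying a 5-byte report.
    for answer in (b"\x00\x00", b"\x05\x02\x00\x10\x00\x00", b"\x3f\x01\x05\x00\x00\x00hello"):
        print(decode_bytes(answer))
```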
7. Anti-Virus Monitor: Monitoring the system for viruses
7.1. Features and functions
Function and features of the program.
Monitor is used under the FreeBSD operating system only!
Monitor has been developed to check for viruses in files every time they are opened, saved or executed. The program handles files of FreeBSD OS, FTP, HTTP, HTTP Proxies, POP3, Samba and other network servers whose filesystems are located on the local computer.
When the program is installed (see subchapter 7.2.1), customized (see subchapter 7.2.2) and launched (see subchapter 7.3), it can perform the following functions:
Prevent infected files from being opened, executed or saved on all local and mounted filesystems on the local computer.
Log the performance results to a log file.
Monitor is a client program of the Daemon process. Therefore, in order to run Monitor you must also install and customize Daemon.
7.2. Assembling and Configuring
Assembling the FreeBSD kernel anti-virus module and the anti-virus monitor. Editing the Monitor configuration file.
7.2.1. Assembling Monitor
The FreeBSD kernel is constructed in such a way that to enable the monitoring of files to be opened, saved or executed you must first install and assemble the kernel anti-virus module. The module is supplied together with the Monitor program and is called klmon.
The main feature of the module construction is that the module allows you to launch and shut down the anti-virus monitor without restarting the FreeBSD operating system.
Attention: The Monitor program performs its functions only in combination with the klmon anti-virus kernel module and the Daemon program.
Figure 9 illustrates the process of anti-virus monitoring within the FreeBSD filesystem.
Figure 1. The monitoring flowchart
Right before a file within the FreeBSD filesystem is opened, saved or executed, it is intercepted by the anti-virus module and transferred to Monitor. The monitor processes the file and transfers its name to the daemon process, which checks the file for viruses. If the file is not infected, the Daemon returns the appropriate code to the Monitor, which informs the anti-virus module that permission to work with this file is granted. If the file is infected, the daemon process returns an error code and the Monitor informs the anti-virus module that work with the file is not permitted. The file is then handled by the daemon process according to the predefined settings. As you can see, this is a chain of interconnected programs, none of which can perform its functions without the others.
The klmon anti-virus module and Monitor are supplied as source code and therefore must be assembled before you are able to launch them.
After installation (see chapter 2) the Monitor source code and the /module.freebsd subdirectory with the anti-virus module source code are located in the /kavmonitor directory.
Attention: Only the administrator (the root user) is authorized to assemble and install the anti-virus module.
To assemble the anti-virus module and install the Monitor program, follow these steps:
1. Go to the directory with the anti-virus module source code using the command cd. For example, cd /usr/local/share/AVP/monitor/module.freebsd
2. Assemble the module using the command make. The assembly process will be displayed on your screen.
Attention: The kernel module must be assembled on the FreeBSD system where it is supposed to run.
Note: The anti-virus module version must correspond to the kernel version, since using an inappropriate module may damage the system. To display the version number of your FreeBSD kernel, type uname -a in the command line. If you update the kernel of your FreeBSD operating system, you must also reassemble the anti-virus module.
3. For the operating system to automatically launch the module, add a file containing the string insmod <file_name> (where <file_name> is the full path to the module executable file) to the required start level. For example: insmod monitor-2.2.18.o
4. Go to the directory with the monitor source codes using the command cd. For example, cd /usr/local/share/AVP/monitor
5. Assemble Monitor using the command make.
7.2.2. Configuring Monitor
You may configure the Monitor program by changing its settings within the configuration file monitor.conf. By editing the configuration file you can:
Define the program performance parameters.
Define the program reporting mode and the path to a log file with the program performance results.
The program configuration file contains two sections: the Report file section allowing you to define the program reporting mode and Options section with parameters defining the program performance.
When a file is processed and saved to the hard disk, Monitor returns the appropriate exit code. However, many programs do not check the exit code of the file closing function and will therefore continue to handle the infected file. To avoid this kind of situation, it is advisable to let the Monitor program itself handle infected objects.
To define how the monitor must handle infected files, type one of the following strings in the WriteInfedtedAction line of the Options section:
remove—delete the file;
rename—rename the infected file by adding the string .infected to its extension;
none—ignore the file. This is the default value. For example, the section line may look similar to the following:
WriteInfedtedAction none
The system also creates, saves and executes files that certainly do not carry viruses (for example, log files and files in the bin directory), and checking them only slows down the system performance. Therefore, it is advisable to exclude these files from the monitoring.
To exclude some files from the objects to be checked when they are opened, saved or executed, define values for the following lines in the Options section of the configuration file:
OpenExcludeMask—the full path to the directory with files to be ignored when opened. You can enter more than one path in this line, but make sure to separate them by colons. For example:
OpenExcludeMask /etc:/var/log:/usr/include:/lib:/usr/lib
WriteExcludeMask—the full path to the directory with files to be ignored when saved. You can enter more than one path in this line, but make sure to separate them by colons. For example:
WriteExcludeMask /etc:/var/log
ExecExcludeMask—the full path to the directory with files to be ignored when executed. You can enter more than one path in this line, but make sure to separate them by colons. For example:
ExecExcludeMask /usr/bin:/bin:/sbin
Attention: The settings described above also apply to subdirectories of the defined directories. For example, by entering the path /etc, you also exclude from the check the files located in its subdirectories, for example /etc/lib and /etc/passwd/my.
Some files on a computer are opened quite often, and every time they are opened they are checked for viruses by the Monitor program. This may noticeably decrease performance for the user. To avoid the problem, a cache was developed that stores these files' names and the time when they were last checked. This way, before checking a file for viruses, Monitor searches the cache for the file details. This accelerates the check procedure, but remember that too many files in the cache may also slow down the program, since searching the cache for the details can take as long as the check itself.
To define the quantity of files to be scanned for viruses only once, when they are opened the first time, enter the required number in the CacheSize line of the Options section. For example:
CacheSize 2500
Note: This value depends on the computer capacity and its function within the network (i.e. a workstation or a server); the recommended value lies within the range 500 through 5000.
You can reduce the check time by increasing the number of files to be processed simultaneously. However, this may slow down your operating system, so it is advisable to scan no more than 5 to 15 files at once.
To define the maximum quantity of simultaneously scanned files, enter the required number in the MaxConcurrentChecks line. For example:
MaxConcurrentChecks 10
To enable the program to report errors, type OK in the Warnings line of the Options section.
To define the program performance reporting mode, define values for the following lines in the Report file section of the configuration file:
LogFile—the full path to the log file. For example:
LogFile /tmp/KasperskyMonitor.log
Note: For the program to log its performance results, make sure to define the full path to the log file; otherwise Monitor will not create it at all.
Append—type Yes to append a new report to the contents of the log file. To overwrite the report with the new one, type No.
Note: For an example of a Monitor configuration file, see Appendix B.
Note: Monitor is a client program of the Daemon process. Therefore, while checking for viruses and deleting them, the program applies the Daemon settings. For example, if a directory is not included in the location to be checked by the Daemon program, it will be ignored even though it may not be excluded from the location to be checked by Monitor.
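A check over the monitor.conf settings described in this subchapter, as an added example that is not part of the product. It assumes the sections are written as [Report file] and [Options] (the page names them but not their syntax) and that each setting is one "Key value" line; the list of user-writable directories and both sample configurations are constructed, not the Appendix B example.

```c
/* Added example (not part of the product): lint monitor.conf for the settings
 * subchapter 7.2.2 warns about. Assumes "[Report file]" / "[Options]" section
 * headers (the page names the sections but not their syntax), one "Key value"
 * per line, and a constructed list of user-writable directories. */
#include <stdlib.h>
#include <string.h>

enum {
    LINT_WRITE_ACTION_NONE  = 1 << 0, /* infected files written to disk are kept    */
    LINT_NO_LOGFILE         = 1 << 1, /* no full LogFile path: no log is created    */
    LINT_EXCLUDE_ROOT       = 1 << 2, /* an exclude entry is "/", i.e. everything   */
    LINT_EXCLUDE_RELATIVE   = 1 << 3, /* an exclude entry is not a full path        */
    LINT_EXEC_USER_WRITABLE = 1 << 4, /* ExecExcludeMask covers a user-writable dir */
    LINT_CACHE_RANGE        = 1 << 5, /* CacheSize outside the recommended 500-5000 */
    LINT_CONCURRENT_RANGE   = 1 << 6  /* MaxConcurrentChecks outside 5-15           */
};

/* Constructed policy: directories where unprivileged users can create files. */
static const char *kav_user_writable[] = { "/tmp", "/var/tmp", "/home", NULL };

/* Exclusions apply to subdirectories too, so "/var" also covers "/var/tmp". */
static int kav_covers(const char *mask, const char *dir)
{
    size_t n = strlen(mask);
    return strcmp(mask, "/") == 0 ||
           (strncmp(mask, dir, n) == 0 && (dir[n] == '\0' || dir[n] == '/'));
}

/* Check one colon-separated *ExcludeMask value (the list is split in place). */
static int kav_check_masks(char *list, int is_exec)
{
    int f = 0;
    for (char *e = list, *next; e; e = next) {
        next = strchr(e, ':');
        if (next) *next++ = '\0';
        if (*e == '\0') continue;
        if (strcmp(e, "/") == 0) f |= LINT_EXCLUDE_ROOT;
        else if (*e != '/') f |= LINT_EXCLUDE_RELATIVE;
        if (is_exec)
            for (const char **d = kav_user_writable; *d; d++)
                if (kav_covers(e, *d)) f |= LINT_EXEC_USER_WRITABLE;
    }
    return f;
}

/* Returns a bitmask of LINT_* findings for the configuration text. */
int kav_lint_monitor_conf(const char *text)
{
    int f = 0, have_log = 0, action_seen = 0, in_options = 0, in_report = 0;
    char buf[2048];
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *key = strtok(buf, "\n"); key; key = strtok(NULL, "\n")) {
        key += strspn(key, " \t");
        if (*key == '\0' || *key == '#' || *key == ';') continue;   /* blank/comment */
        if (*key == '[') {                                          /* section header */
            in_options = strncmp(key, "[Options]", 9) == 0;
            in_report = strncmp(key, "[Report file]", 13) == 0;
            continue;
        }
        char *val = key + strcspn(key, " \t");                      /* split "Key value" */
        if (*val) *val++ = '\0';
        val += strspn(val, " \t");
        val[strcspn(val, " \t\r")] = '\0';                          /* value = one token */
        long v = strtol(val, NULL, 10);
        if (in_options && strcmp(key, "WriteInfedtedAction") == 0) {
            action_seen = 1;
            if (strcmp(val, "none") == 0) f |= LINT_WRITE_ACTION_NONE;
        } else if (in_options && (strcmp(key, "OpenExcludeMask") == 0 ||
                                  strcmp(key, "WriteExcludeMask") == 0)) {
            f |= kav_check_masks(val, 0);
        } else if (in_options && strcmp(key, "ExecExcludeMask") == 0) {
            f |= kav_check_masks(val, 1);
        } else if (in_options && strcmp(key, "CacheSize") == 0 && (v < 500 || v > 5000)) {
            f |= LINT_CACHE_RANGE;
        } else if (in_options && strcmp(key, "MaxConcurrentChecks") == 0 && (v < 5 || v > 15)) {
            f |= LINT_CONCURRENT_RANGE;
        } else if (in_report && strcmp(key, "LogFile") == 0 && val[0] == '/') {
            have_log = 1;
        }
    }
    if (!action_seen) f |= LINT_WRITE_ACTION_NONE;   /* "none" is the default */
    if (!have_log) f |= LINT_NO_LOGFILE;
    return f;
}

/* Constructed sample configurations, weak and hardened (not the Appendix B one). */
const char kav_conf_weak[] =
    "[Report file]\nAppend Yes\n"                    /* no LogFile: nothing is logged */
    "[Options]\nWriteInfedtedAction none\n"
    "ExecExcludeMask /usr/bin:/bin:/sbin:/var\n"     /* /var also covers /var/tmp */
    "CacheSize 20000\nMaxConcurrentChecks 40\n";
const char kav_conf_hardened[] =
    "[Report file]\nLogFile /var/log/KasperskyMonitor.log\nAppend Yes\n"
    "[Options]\nWriteInfedtedAction rename\n"
    "OpenExcludeMask /etc:/var/log:/usr/include:/lib:/usr/lib\n"
    "WriteExcludeMask /etc:/var/log\nExecExcludeMask /usr/bin:/bin:/sbin\n"
    "CacheSize 2500\nMaxConcurrentChecks 10\nWarnings OK\n";
```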
7.3. Launching Monitor
How to launch the program.
To launch Monitor, follow these steps:
1. Start Daemon, for example, by entering the string ./kavdaemon.
Attention: Monitor cannot be launched until you start the daemon process and load the kernel anti-virus module.
2. Launch the klmon anti-virus module, if it was not automatically started by your operating system. For example, enter the string: insmod monitor-2.2.18.o
3. Edit as required the Monitor configuration file monitor.conf (for details refer to subchapter 7.2.2), if it was not done before.
4. Launch the Monitor program with a path to the program configuration file in the command line. For example, enter: ./kavmonitor monitor.conf
Attention: If an error occurs while the program is starting, the error is reported and the program shuts down. For details about possible problems see subchapter 7.5.
7.4. Reviewing the performance results
How to review the performance results.
While checking for viruses in the files to be opened, saved or executed the Monitor program (if preset) logs its performance results into the log file.
The log file name and the reporting mode are defined in the Report file section of the configuration file monitor.conf.
The log file can be reviewed in any text editor.
7.5. Troubleshooting
The most frequent problems and their solution.
While running Monitor you may face some problems. The most frequent problems and the ways to solve them are described below.
If you cannot load the klmon kernel anti-virus module and see a message similar to the following on your screen: unresolved symbol…, check the module version number. The module version must correspond to the version of your FreeBSD kernel; otherwise you will not be able to start the anti-virus module.
If when launching the Monitor you see the following message on your screen: ERROR: Could not open kavmonitor peer file: No such file or directory, check whether the kernel anti-virus module is correctly installed. Enter the command lsmod in the command line to display the list of loadable modules and check whether the klmon kernel module is in the list.
If when launching the Monitor you see the following message on your screen: ERROR: Could not open kavmonitor peer file: permission denied, this means that you are not authorized to launch Monitor. Only the root user has the rights to launch the Monitor program.
If all files in the Monitor performance report are marked as UNKNOWN, check whether the Daemon program is correctly installed and running. Enter the command ps ax in the command line to display the list of running processes and check whether the daemon process is in the list.
If when launching the Monitor you see the following message on your screen: "Error opening daemon socket: no such file or directory", this means that the daemon process is not running or is set to use the wrong socket. In the Daemon program configuration file, define the path to the socket file that you want to use.
If your Monitor does not detect viruses in files that are certainly infected, this means that these files are not included in the location to be scanned by the Daemon program. Set Daemon to check for viruses in all directories to be protected.
Attention: Monitor is not able to detect viruses in files that are saved within an NFS filesystem whose server is running on the local computer. This is because of the non-standard procedure applied by NFS servers within the FreeBSD kernel while saving files!
If there is a problem, try to identify its source by following these steps:
1. Enter the command ps ax in the command line to check whether the daemon process is running.
2. Enter the command lsmod in the command line to check whether the kernel anti-virus module is loaded.
3. Try to launch the Monitor program with a path to the configuration file in the command line.
8. Slogan: Processing and summarizing the performance reports
8.1. Features and functions
Functions and features of the program.
The Slogan program is developed to process and summarize data within the performance reports of the Scanner and the Daemon programs.
Slogan performs the following functions:
summarizes the scanning results of the programs mentioned above for a user-defined period of time;
monitors current changes of data within the log files.
8.2. Launching Slogan
Starting the program from the command line.
To launch Slogan, the log processing and summarizing program, enter its name and the required switches in the command line:
./slogan [switch1] [switch2] […] [switchN]
where [switchN] is the Slogan optional command line switch.
Attention: Make sure to define the log files to be processed. The file or the list of files must be defined using the command line switch -s (for details see below). If you start the program with no switches in the command line, the list of available switches will appear on your screen. You can also display this list by using the command line switch -h.
When starting Slogan you can use the following command line switches:
-s file1 file2 … fileN or -s filemask, where:
file1 file2 … fileN is the list of log files to be parsed by Slogan; filemask is the mask of log files to be parsed by Slogan.
Note: The summary produced by Slogan contains cumulative information about all the predefined files!
-h
Displays the Help file with the list of available command line switches.
-t filename
The optional file-template to be used for the summary report produced by Slogan.
The program includes several templates *.tm, to be used by Slogan when summarizing logs data (for details of the templates see subchapter 15.7 Appendix B). By default the program generates the summary report using template.tm (see Figure 2) and this report is similar to the one described in subchapter 10.7.4.
Figure 2. The example of a summary report produced by Slogan
-ds dd.mm.yyyy
The program will summarize the reports generated starting from the date defined by this switch.
-de dd.mm.yyyy
The program will summarize the reports generated before and on the date defined by this switch.
-e
This switch allows use of the English language in the summary reports. By default, the Slogan report language is defined by the appropriate settings of your operating system.
-tt filename
This switch enables the program monitoring/real time mode (for details refer to subchapter 8.3).
8.3. Slogan in the real-time monitoring mode
Performance of the program in the monitoring mode.
The real time monitoring mode allows you to track changes in the predefined log file and study them. The general format of the command line for Slogan in the monitoring mode is:
./slogan -s [file1] […] [fileN] -tt [switch1] […] [switchN]
where:
-tt — the switch enabling the Slogan monitoring mode.
[fileN] — the optional log file to be monitored in real time.
[switchN] — the optional command line switch defining settings of Slogan in the monitoring mode.
When starting the program in the real-time monitoring mode you can use the following command line switches:
-R sec
The required refresh rate of the Slogan real-time statistics screen. For example, for the screen to be updated every thirty seconds you must enter the command line switch -R 30. By default the screen is updated every second.
-fast
This switch allows you to display only the end of the monitored log file. If this switch is not used the screen will show real-time changes of the log file contents with auto-scrolling to the point of change.
Attention: Since the total amount of changes within a log file can be quite large, it is advisable to use this switch.
-prev
This switch enables the program to study all the data presented in the log file.
-r
This switch redisplays the log file, if it became unavailable at some point of time.
The screen (see Figure 3) displayed by Slogan in the real-time monitoring mode is divided into the following two panes:
General statistics displays the following total amounts:
Request—objects checked.
Archives—archives checked.
Packed—packed executable files checked.
Corrupted—corrupted objects detected.
OK—files checked.
I/O Errors—input/output errors occurred.
Infected—infected objects detected.
Disinfected—objects disinfected.
Suspicion—suspicious objects detected.
Disinfections failed—unrecoverable objects detected.
Deleted—objects deleted.
Warnings—modified and corrupted viruses detected.
The end of the monitored log file.
The key combination <CTRL+C> allows you to exit the real-time monitoring mode.
Figure 3. Slogan in the real time monitoring mode
9. Tuner: Customizing Scanner and Daemon
9.1. Features and functions
Functions and features of the program.
Tuner, the customization program, allows you to create and edit profiles, i.e. files containing a certain set of predefined settings of the anti-virus scanner and the daemon process:
the list of objects to be checked for viruses;
the way infected objects must be processed;
advanced scanning tools to be used etc.
The customization program allows you to change all the main settings within a profile.
9.2. Launching Tuner
Starting the program from the command line. Available command line switches.
The general format of the Tuner command line is:
./kavtuner [switch1] […] [switchN],
where [switch1] is the optional command line switch (see below).
When starting Tuner you can use the following command line switches:
-g
This switch enables defUnix.prf located in the directory /usr/local/share/AVP/ to be used as a profile.
-ps
This switch enables Tuner to manage only the Scanner settings.
-pd
This switch enables Tuner to manage only the Daemon settings.
-ua=user_name
This switch enables (if not created) defUnix.prf to be used as the default profile for the defined user.
-ud=user_name
This switch disables the use of defUnix.prf as the default profile for the defined user.
-v
This switch displays the program version number.
-e
This switch enables the program to generate reports, text messages etc. in English.
9.3. Interface
Discussing the interface. The page functions.
When you start the program its main window appears on your screen. The main window is divided into the following two panes: menu bar and working area.
At the top of the window you may see the menu bar containing three menus: File, Settings, Help.
To select a menu, press the <ALT> key and the key with the letter that is highlighted in the name of the menu.
Attention: If you started Tuner via telnet, to use a hotkey you must first press the <ESC> key twice and then the required hotkey. The key combination <ALT+the required key> will not function here!
To move along the menu, use the arrow keys or the appropriate key combinations.
Under the menu bar you may see the main window working area. It contains six tabs with various titles (Location, Options, Report, ActionsWith, Customize and Mail). When you start the program the main window shows the Location page.
To switch to another page, select its name in the Settings menu or press the <ALT> key and the key with the letter that is highlighted in the name of the page.
To switch to the next page, select Next Page in the Settings menu.
To switch to the previous page, select Previous Page in the Settings menu.
Use the following keys when selecting options within a page:
<HO­ME>—move the cursor to the beginning of the text field;
<END>—move the cursor to the end of the text field;
<SPACE>—check/uncheck the check-box or select/deselect the option;
<TAB>—go to the next item;
<F10>—go to the menu bar (File, Settings, Help).
To exit the customization program, select Exit in the File menu or use the key combination <ALT+X>.
9.4. Creating, editing and saving a profile
Creating, editing and saving a profile using the customization program.
For your anti-virus scanner to use values that you defined in the working area of the customization program, you must save them to a profile.
To create a new profile, follow these steps:
1. Start your Tuner. The main window will appear on your screen.
2. Change settings as you wish (for details see subchapters 9.5—9.9).
3. Select Save Profile As… in the File menu. The Save Profile… dialog will appear on your screen.
4. Select a directory from the Files list.
5. Enter the profile name in the Profile name text field.
6. Press the Save button.
Now the settings are saved to the defined .prf file.
Note: To cancel saving the settings, press the Cancel button.
To edit a profile, follow these steps:
1. Start your Tuner. The main window will appear on your screen.
Note: When started, the program loads the default profile (its name is specified in the .ini file) or the file defined in the command line (see subchapter 9.2).
2. Select Load Profile... in the File menu. The Load Profile... dialog will appear on your screen.
3. In the Files list select the directory with the profile you want to edit.
4. Select the profile.
5. Press the Open button. Settings from this profile will be loaded into the main window.
Note: To cancel loading the profile settings, press the Cancel button.
6. Change the required settings.
7. Save settings (as described above).
8. When the confirmation dialog appears on your screen, press the Yes button.
Now the changes are saved to the defined .prf file.
To save settings to the default profile, whose name is defined in the DefaultProfile line in AvpUnix.ini, select Save Profile as default in the File menu.
9.5. The Location page
Defining the location to be checked. The settings defined for a separate directory to be checked for viruses.
9.5.1. Defining the location to be scanned for viruses
In the Location page (see Figure 4) you can define the list of directories to be scanned for viruses.
Figure 4. The Location page
Note: The Location page corresponds to the [Object] section of a profile.
Note: If you started the program with no predefined location to be checked, the following message will appear on your screen: "Nothing to scan. You should select at least one directory to scan".
To define the location to be checked, create the list of directories to be checked for viruses.
Note: This is a general list of directories to be checked. The directories that should be checked are prefixed with "+", and the directories that should be skipped are prefixed with "-".
To edit an item within the list, press the <SPACE> key or double-click it with your mouse. You may select one of the following options for the item:
item must be checked for viruses (prefixed with "+");
item must be skipped during the check (prefixed with "-");
item must be neutral (no prefix).
To add a directory to the list:
1. Press the Add folder button. The Add folder dialog window with the Directory Name field, the corresponding drop down list, the directory tree and the buttons — OK, Cancel and Revert — will appear on your screen.
2. Select the required directory. To do this, you may enter the full path to the directory in the Directory name text field, or select this directory from the drop down list, or find the directory in the Directory tree list.
3. Press the OK button. The directory will be added to the list and prefixed with "+".
To remove a directory from the list, select it using the cursor control keys and press the <DEL> key.
You do not have to remove a directory from the list. Just use the <SPACE> key to clear its prefix ("+" or "-"). This is very useful if you have saved your settings to a profile (see subchapter 9.4). In this case you do not need to remove directories from the list and add them again. Just remove them from the location to be checked.
9.5.2. Defining scanning settings for a separate directory
9.5.2.1. The directory Property window: Selecting the required directory
The Tuner program allows you to define scanning settings for a separate directory. To do this, follow these steps:
1. Select the required directory with the arrow keys or with your mouse.
Note: By default the program selects the first directory in the list.
2. Press the Property button. The Property for… window will appear on your screen. This window contains the tabs Objects, Actions, and Options, and the buttons Accept, Accept to all, Save as… and Cancel. Options on these tabs allow you to define the following settings for the selected directory:
the objects and the file types to be checked for viruses (for details see subchapter 9.5.2.2);
the way infected objects must be processed (for details see subchapter 9.5.2.3);
the advanced scanning tools to be used (for details see subchapter 9.5.2.4).
3. Buttons at the bottom of the Property for… window allow you to do the following:
Accept — applies the defined settings to the directory selected on the Location page.
Accept to all — applies the defined settings to the location to be checked (the entire list of directories defined on the Location page).
Save as… — allows you to apply the defined settings to a new directory to be added to the location to be checked. When you press the button the Add folder window will appear on your screen. Use the window to add the required directory to the list of directories on the Location page (for instructions about how to add a directory to the location to be checked see subchapter 9.5.1). The directory will be added to the list and prefixed with "+".
Cancel — allows you to exit the Property for… window without saving the changes you made.
9.5.2.2. The directory Property window: Objects to be checked
Options on the Property window Objects page (see Figure 5) allow you to define the following settings:
object types to be scanned for viruses;
objects and directories to be ignored;
file types to be checked for viruses.
Figure 5. The Objects page
Define the objects to be scanned within the selected directory:
Sectors — check this box to scan for viruses in disk sectors.
Attention: The sector check function may not be available under your operating system.
Files — check this box to scan for viruses in files. If you checked this box, you must select the file types to be checked. For details of how to do this see below.
Packed files — check this box to scan for viruses in packed executable modules (for details see subchapter 5.3.2.4).
Archives — check this box to scan for viruses in archived files (for details see subchapter 5.3.2.5).
Note: The extracting and unpacking engines noticeably slow down the Kaspersky Anti-Virus for xBSD File Server scanning rate. Therefore we recommend enabling these engines only if the probability that your archived and packed files are infected is high.
Mail Databases — check this box to check for viruses in mail databases (for details see subchapter 5.3.2.6).
Plain Mail formats — check this box to check for viruses in plain mail files (for details see subchapter 5.3.2.6).
Note: The mail databases and especially plain mail files scanning modes noticeably slow down the Kaspersky Anti-Virus for xBSD File Server scanning rate. Therefore, we do not recommend their use in a regular check for viruses.
Attention: Kaspersky Anti-Virus for xBSD File Server does not delete viruses from archives, mail databases and plain mail files.
Embedded — check this box to check for viruses in OLE objects embedded in the examined files.
Select one of the following options to define the file types to be checked:
Smart — scans programs, i.e. all the files with extensions .bat, .com, .exe, .ov*, .sys, .bin, .prg, .class, .ini, .vbs, .js, .htm, .dpl, .htt, .hta, .hlp, .pif; and also files whose inner format corresponds to DOS executable files (*.com, *.exe and .sys), Windows and OS/2 (.exe, *.dll), Linux (in the format .elf); files with the format of Microsoft Office documents and spreadsheets (OLE2 and Access) and Java applets. Thereby, this value scans all the files that are capable of containing virus code.
Programs — scans all the files with extensions: .bat, .bin, .cla, .cmd, .com, .cpl, .dll, .doc, .dot, .dpl, .drv, .dwg, .eml, .exe, .fpm, .hlp, .hta, .htm, .htt, .ini, .js, .jse, .lnk, .mbx, .md*, .msg, .msi, .ocx, .otm, .ov*, .php, .pht, .pif, .plg, .pp*, .prg, .rtf, .scr, .shs, .sys, .tsp, .vbe, .vbs, .vxd, .xl*.
All files — scans every file of every type (this value is equal to the mask *.*).
User defined — scans the file types defined by the user in the text field below. If you define more than one file type, they must be separated by commas.
Define the files and/or directories to be ignored:
Exclude files — check this box to enable the program to ignore the files defined in the text field below. Enter the corresponding filenames or masks in the text field below. You can also use the Add button to select these files from the directory tree in the Add folder box (for details see subchapter 9.5.1).
Note: To make sure there is no virus in the location to be checked, it is advisable to scan all the files (the All files option).
Exclude directories — check this box to enable the program to ignore the files in the directories defined in the text field below. Enter the corresponding directories in the text field below. You can also use the Add button to select these directories from the directory tree in the Add folder box (for details see subchapter 9.5.1).
9.5.2.3. The directory Property window: Defining anti-virus actions
Options on the Property window Actions page (see Figure 6) allow you to define actions that should be taken on infected and suspicious objects.
Select one of the following options to define how to handle infected and suspicious objects:
Report only — reports infected and suspicious objects. Messages will be displayed and, if preset, logged into the file. The program will not disinfect or delete infected objects.
Display Disinfect Dialog — displays an inquiry about how to handle the infected object. The program will suggest disinfecting the object (for recoverable objects) or deleting it (for unrecoverable objects).
Disinfect automatically — disinfects infected objects without asking first. For unrecoverable objects the program will suggest deleting the object.
Delete object automatically — deletes infected objects without asking first.
Figure 6. The Actions page
Select one of the following options to define how to handle unrecoverable objects:
Report only — reports unrecoverable objects. Messages will be displayed and, if preset, logged into the file. The program will not delete unrecoverable objects.
Delete object automatically — deletes unrecoverable objects.
Enable the program to back up infected files before they are deleted or disinfected:
Backup infected — check this box to copy infected files to the directory defined in the Copy to infected folder text field (see subchapter 9.8).
9.5.2.4. The directory Property window: Defining the advanced scanning tools used. The Options page
Options on the Property window Options page (see Figure 7) allow you to enable/disable the following advanced scanning tools.
$"
You can use the following advanced scanning tools:
Warnings — check this box to enable the advanced checking
tool searching for corrupted or modified viruses.
Code Analyzer — check this box to enable the heuristic
detecting tool searching for unknown viruses.
Figure 7. The Options page
Note: Sometimes a file is infected in the so-called "incorrect" way and turns out to be "under-treated", which means that it is recovered but the virus is not cut off. In this case, to detect the virus, the thorough check (the redundant scanning tool) must be used.
Redundant scan — check this box to enable the redundant scanning tool.
Scan subdirectories — check this box to check for viruses in subdirectories of the selected directory.
Cross filesystems — check this box to enable the program to cross filesystem borders. This check box is useful if other filesystems are mounted under the directories you scan, and you want to scan files in all the available filesystems.
9.6. The Options page
Options located on the Options page.
Options on the Options page of the Tuner main window (see Figure 8) allow you to define the scanning settings applied to the entire list of directories to be checked (the cumulative location to be checked).
Note: The Options page corresponds to the [Options] section of a profile.
Figure 8. The Options page
To define whether and how the program must check symbolic links, select one of the following options:
On the command line — scan only the symbolic links defined in the command line.
All symbolic links — check all symbolic links.
Skip symbolic links — do not check symbolic links.
Define the following settings:
Scan subdir at end — check this box to scan subdirectories last (after all the other predefined objects have been scanned).
Scan removable — check this box to scan for viruses on removable disks.
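A directory walker that implements the traversal settings described above (Scan subdirectories, Cross filesystems, Scan subdir at end and the three symbolic-link policies) is given here as an added example written for this guide; it is not Kaspersky's code. The function names, the policy constants and the sample tree it builds under a temporary directory are all constructed for the example. It goes slightly beyond the text in one respect: it records every directory it has entered by device and inode number, so a symbolic link that points back up the tree cannot make the scan loop forever.

```python
import os
import shutil
import stat
import tempfile

# Symbolic-link policies of the Tuner Options page (section 9.6); names assumed.
SYMLINKS_COMMAND_LINE = "command_line"  # "On the command line"
SYMLINKS_ALL = "all"                    # "All symbolic links"
SYMLINKS_SKIP = "skip"                  # "Skip symbolic links"


def walk_scan_targets(roots, *, scan_subdirs=True, subdirs_at_end=False,
                      cross_filesystems=False, symlinks=SYMLINKS_COMMAND_LINE):
    """Return the regular files a scan of `roots` would visit, in visiting order."""
    visited = set()   # (st_dev, st_ino) of every directory already entered
    found = []
    for root in roots:
        if os.path.islink(root) and symlinks == SYMLINKS_SKIP:
            continue                      # "Skip symbolic links"
        try:
            st = os.stat(root)            # follows a link given on the command line
        except OSError:
            continue                      # dangling link or unreadable object
        if stat.S_ISDIR(st.st_mode):
            _walk_dir(root, st.st_dev, visited, found, scan_subdirs,
                      subdirs_at_end, cross_filesystems,
                      follow_inner_links=(symlinks == SYMLINKS_ALL))
        elif stat.S_ISREG(st.st_mode):
            found.append(root)
    return found


def _walk_dir(path, home_dev, visited, found, scan_subdirs, subdirs_at_end,
              cross_filesystems, follow_inner_links):
    st = os.stat(path)
    key = (st.st_dev, st.st_ino)
    if key in visited:                    # loop guard: each directory is entered once
        return
    visited.add(key)
    items = []                            # (path, is_dir) in directory-listing order
    with os.scandir(path) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        if entry.is_symlink():
            if not follow_inner_links:    # only "All symbolic links" follows these
                continue
            try:
                est = os.stat(entry.path)
            except OSError:
                continue
        else:
            est = entry.stat(follow_symlinks=False)
        if stat.S_ISDIR(est.st_mode):
            if not scan_subdirs:
                continue                  # "Scan subdirectories" unchecked
            if not cross_filesystems and est.st_dev != home_dev:
                continue                  # another mounted filesystem: border not crossed
            items.append((entry.path, True))
        elif stat.S_ISREG(est.st_mode):
            items.append((entry.path, False))
    if subdirs_at_end:                    # "Scan subdir at end": files first, then descend
        items.sort(key=lambda item: item[1])
    for item_path, is_dir in items:
        if is_dir:
            _walk_dir(item_path, home_dev, visited, found, scan_subdirs,
                      subdirs_at_end, cross_filesystems, follow_inner_links)
        else:
            found.append(item_path)


def run_demo():
    """Build a constructed sample tree in a temp directory and walk it each way."""
    base = tempfile.mkdtemp(prefix="kav-walk-demo-")
    data = os.path.join(base, "data")
    os.makedirs(os.path.join(data, "sub"))
    for rel_name in ("a.txt", "z.txt", os.path.join("sub", "b.txt")):
        with open(os.path.join(data, rel_name), "w") as fh:
            fh.write("sample text\n")
    os.symlink(os.path.join(data, "sub"), os.path.join(data, "linked"))  # link to a subdir
    os.symlink(data, os.path.join(data, "loop"))                        # link back to the root

    def rel(paths):
        return [os.path.relpath(p, base) for p in paths]

    try:
        return {
            "default": rel(walk_scan_targets([data])),
            "subdirs_at_end": rel(walk_scan_targets([data], subdirs_at_end=True)),
            "no_subdirs": rel(walk_scan_targets([data], scan_subdirs=False)),
            "all_links": rel(walk_scan_targets([data], symlinks=SYMLINKS_ALL)),
            "link_root": rel(walk_scan_targets([os.path.join(data, "linked")])),
            "link_root_skipped": rel(walk_scan_targets(
                [os.path.join(data, "linked")], symlinks=SYMLINKS_SKIP)),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for mode, files in run_demo().items():
        print(f"{mode}: {files}")
```

The filesystem border is detected by comparing each directory's st_dev with that of the root given on the command line, which is also how a scanner avoids wandering into pseudo-filesystems such as /proc when Cross filesystems is left unchecked. With All symbolic links, the loop guard means data/sub is reached through whichever name lists first (here the link "linked"), and the link "loop" pointing back at the root is simply not entered again.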
Attention: The following option is not displayed when you use Tuner to redefine settings of the Daemon program (i.e. when Tuner is started with the command line switch -pd)!
Scan … files in parallel – check this box to scan simultaneously the number of objects defined in the text field that follows the word Scan.
Use memory files — check this box to enable the program to create temporary files in memory (not on your hard disk).
If the box is checked, you must define the following settings:
Limit for mem. files — to limit the size of a temporary file created in memory, define the maximum size (in Kb) in this text field. The default value is 3000 Kb, which means that temporary files exceeding this size will be created on the hard disk.
Mem. files max size — to limit the size of files to be extracted from archives, define the maximum size (in Kb) for this type of temporary file in this text field. By default the value is 20000 Kb, which means that if a file being extracted from its archive exceeds this size, the program will stop extracting it into memory and start generating this temporary file on the hard disk.
Temp path — enter the path to the directory for temporary files in this text field. By default the temporary files' directory is /tmp.
Attention: The following option is not displayed when you use Tuner to redefine settings of the Daemon program (i.e. when Tuner is started with the command line switch -pd)!
Endlessly scan – check this box to scan for viruses in a loop.
Scan delay – enter the interval between two loops (in seconds). This parameter is used only if you checked the Endlessly scan check box.
Attention: If the Scan delay value is equal to 0, there will be no interval between the loops!
9.7. The Report page
Options located on the Report page.
Options on the Report page of the Tuner main window (see Figure 9) allow you to define the format and the contents of the program reports.
Note: The Report page corresponds to the [Report] section of a profile.
Figure 9. The Report page
On this page you can define the following reporting settings:
Report file — check this box to enable the program to add check results to a file. In the text field below, define the file name. By default the log file name is report.txt.
Use syslog — check this box to log the performance reports in the system log.
Note: Checking the Use syslog box automatically suppresses the following parameters: ReportFileName, Append, ReportFileLimit, ReportFileSize and RepCreateFlag.
Append — check this box to append new reports to the contents of the log file.
Extended report — check this box to add more details to the report.
Limit sizes of report file, Kb — check this box to limit the size of your log file. In the text field below, define the maximum size in Kb. By default this value is 500 Kb.
Use CR — check this box to use both the carriage return and the linefeed characters to separate records in the log file. By default records in a log file are separated with the linefeed character only. Therefore, in some text editors it will be difficult to review these files, since the editor shows everything written on a single line. If this happens with your text editor, check this box and the program will use both separators (carriage return and linefeed) in your log file.
Report for each object — check this box to be reported on every examined object.
Use long strings — check this box not to break the lines in your report when displaying it.
Attention: The following option is not displayed when you use Tuner to redefine settings of the Scanner program (i.e. when Tuner is started with the command line switch -ps)!
User report — check this box to log the performance reports in the user log. In the text field below, define the full name of the log file. By default the value is userreport.log.
To define the access attributes of the log file to be created, use the Report create flag text field: define the target attribute mask in this field. For example, the value 600 assigns the following attributes to the file: Read by owner and Write by owner.
The Showing button on the Report page allows you to define optional information that must be added to the report.
Click the Showing button to display the corresponding dialog window (see Figure 10), which is divided into the following two parts:
The working area with the list of check boxes defining optional messages to be included in the performance report. By default all the check boxes are checked.
The set of buttons:
Accept — save the changes made.
Cancel — exit the window without saving the changes made.
Use the check boxes below to define optional information that will be included in the report:
Show clean object in the log — check this box to be reported about the examined virus-free objects.
Figure 10. The list of check boxes in the Showing box
Show pack info in the log — check this box to be reported about the examined packed executable files.
Show passworded in the log — check this box to be reported about the examined password-protected archives.
Show suspicion in the log — check this box to be reported about the examined suspicious objects.
Show warning in the log — check this box to be reported about the objects suspected of being infected with a modification of a known virus.
Show corrupted in the log — check this box to be reported about the examined corrupted objects.
Show unknown in the log — check this box to be reported about the detected unknown viruses.
9.8. The ActionWith page
Options located on the ActionWith page.
Options on the ActionWith page of the Tuner main window (see Figure 11) allow you to define how to handle infected and suspicious files detected within the cumulative location to be checked.
Note: The ActionWith page corresponds to the [ActionWithInfected] and [ActionWithSuspicion] sections of a profile.
Attention: This page contains two similar sets of options, one for infected files and one for suspicious files. We therefore describe the options for infected files only; apply the same guidelines to suspicious files.
Use the check boxes below to define how the program must handle infected files:
Copy to infected folder — check this box to copy infected files to a separate folder. In the text field below, define the path to the folder for infected files. The default folder is infected (it is located in the same directory as Kaspersky Anti-Virus for xBSD File Server).
Figure 11. The ActionWith page
Note: We recommend that you enter absolute paths to the suspicious and infected folders, not relative ones.
Attention: Be careful when handling infected and suspicious objects or their copies! If an executable file is infected, do not start it.
Copy with path — check this box to copy infected objects together with their paths.
Change extension to — check this box to change the extensions of infected files. In the text field on the right, define the target extension.
Use the text fields below to define the access attributes of infected files:
1. Chown to — to change the owner of infected files that the program failed to disinfect, enter the target owner name in this text field. The default value is None, meaning that the program does not change the owner.
2. Chmod to — to change the access attributes of infected files that the program failed to disinfect, define the target attribute mask in this text field. For example, the value 640 assigns the following attributes to the file: Read by owner, Write by owner and Read by group. By default the value is No, meaning that the program does not change the access attributes.
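The attribute masks of sections 9.7 (Report create flag) and 9.8 (Chmod to, together with the infected folder path) are the settings where a careless value exposes scan results or quarantined copies to other accounts on the file server. The profile checker below is an added example written for this guide, not Kaspersky's code: it expands an octal mask into the wording the guide uses and flags a report file readable by other users, a relative quarantine folder, and execute bits left on quarantined copies. The section names and the [Report] keys are those the guide names; the Folder, ChMod and ChOwn key names and the paths in the two constructed sample profiles are assumed placeholders, not documented names.

```python
import configparser
import os
import stat

# Constructed sample profile with weak settings (not from the manual). Section
# names and the [Report] keys ReportFileName, Append, ReportFileLimit,
# ReportFileSize and RepCreateFlag are the ones section 9.7 names; the Folder,
# ChMod and ChOwn keys are assumed placeholder names for the "Copy to infected
# folder", "Chmod to" and "Chown to" fields.
WEAK_PROFILE = """
[Report]
ReportFileName=report.txt
Append=Yes
ReportFileLimit=Yes
ReportFileSize=500
RepCreateFlag=644

[ActionWithInfected]
Folder=infected
ChMod=640
ChOwn=None

[ActionWithSuspicion]
Folder=/var/kav-placeholder/suspicion
ChMod=750
ChOwn=None
"""

# The same profile with the three findings fixed (all paths are placeholders).
HARDENED_PROFILE = """
[Report]
ReportFileName=/var/log/kav-placeholder/report.txt
Append=Yes
ReportFileLimit=Yes
ReportFileSize=500
RepCreateFlag=600

[ActionWithInfected]
Folder=/var/kav-placeholder/infected
ChMod=640
ChOwn=None

[ActionWithSuspicion]
Folder=/var/kav-placeholder/suspicion
ChMod=640
ChOwn=None
"""

# Permission bits in the wording the manual uses ("Read by owner", ...).
_PERM_WORDS = (
    ("Read", "owner", stat.S_IRUSR), ("Write", "owner", stat.S_IWUSR),
    ("Execute", "owner", stat.S_IXUSR),
    ("Read", "group", stat.S_IRGRP), ("Write", "group", stat.S_IWGRP),
    ("Execute", "group", stat.S_IXGRP),
    ("Read", "others", stat.S_IROTH), ("Write", "others", stat.S_IWOTH),
    ("Execute", "others", stat.S_IXOTH),
)


def parse_mask(value):
    """Return an octal attribute mask as an int, or None for No/None/empty."""
    if value is None or value.strip().lower() in ("", "no", "none"):
        return None
    return int(value.strip(), 8)


def describe_mode(mask):
    """Expand "640" to "Read by owner, Write by owner, Read by group"."""
    mode = parse_mask(mask)
    if mode is None:
        return "attributes unchanged"
    return ", ".join(f"{verb} by {who}" for verb, who, bit in _PERM_WORDS if mode & bit)


def check_profile(text):
    """Return findings for the [Report], [ActionWithInfected] and [ActionWithSuspicion] sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep the CamelCase key names as written
    cp.read_string(text)
    findings = []

    if cp.has_section("Report"):
        raw = cp["Report"].get("RepCreateFlag")
        mode = parse_mask(raw)
        if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                f"[Report] RepCreateFlag={raw} lets other accounts read the scan "
                f"log ({describe_mode(raw)}); 600 restricts it to the owner")

    for section in ("ActionWithInfected", "ActionWithSuspicion"):
        if not cp.has_section(section):
            continue
        sec = cp[section]
        folder = sec.get("Folder")
        if folder and not os.path.isabs(folder):
            findings.append(
                f"[{section}] Folder={folder} is a relative path; the manual "
                f"recommends an absolute path for the quarantine folder")
        raw = sec.get("ChMod")
        mode = parse_mask(raw)
        if mode is not None and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            findings.append(
                f"[{section}] ChMod={raw} keeps execute bits on quarantined copies "
                f"({describe_mode(raw)}); an infected executable must not be "
                f"started, so drop them")
    return findings


if __name__ == "__main__":
    for finding in check_profile(WEAK_PROFILE):
        print(finding)
    print("hardened profile findings:", check_profile(HARDENED_PROFILE))
```

The execute-bit check is the example's own addition, derived from the guide's warning not to start an infected executable: Chmod to 640 on quarantined copies removes that possibility, while a mask such as 750 leaves it open. Run the checker against a real profile by passing the file's contents to check_profile().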