Kaspersky ANTI-VIRUS 5.7 User Manual

KASPERSKY LAB

Kaspersky Anti-Virus ® 5.7 for Linux File Server

ADMINISTRATOR'S GUIDE

K A S P E R SK Y A N T I - V I R U S ® 5 . 7 F O R

L I N U X F I L E S E R V E R

Administrator's Guide

 Kaspersky Lab Ltd.

http://www.kaspersky.com/

Revision date: September, 2008

Contents

CHAPTER 1. INTRODUCTION .................................................................................. 6

1.1. Computer viruses and malware ........................................................................ 6

1.2. Purpose and major functionality of Kaspersky Anti-Virus .................................. 7

1.3. What's new in version 5.7? ............................................................................... 8

1.4. Licensing procedure ......................................................................................... 8

1.5. Hardware and software system requirements ................................................... 8

1.6. Distribution kit ................................................................................................. 10

1.6.1. License Agreement .................................................................................. 10

1.6.2. Services for registered users .................................................................... 10

1.7. Conventions used in this document ................................................................ 11

CHAPTER 2. HOW IT WORKS ................................................................................ 12

CHAPTER 3. INSTALLING KASPERSKY ANTI-VIRUS ........................................... 14

3.1. Installing the application on a computer running Linux .................................... 14

3.2. Installation procedure ...................................................................................... 14

3.3. Post-install configuration ................................................................................. 15

3.4. Installing Network Agent ................................................................................. 16

3.5. Configuring Network Agent ............................................................................. 16

3.6. Updating the application to version 5.7 ........................................................... 17

3.7. Locating the application files ........................................................................... 17

3.8. Completing the setup ...................................................................................... 19

CHAPTER 4. USING KASPERSKY ANTI-VIRUS .................................................... 20

4.1. Updating the anti-virus database..................................................................... 20

4.1.1. Automatically updating the anti-virus database ......................................... 21

4.1.2. On-demand updating of the anti-virus database ....................................... 23

4.1.3. Creating a network directory to store the anti-virus database.................... 24

4.2. Anti-virus protection of file systems ................................................................. 25

4.2.1. Scan scope .............................................................................................. 26

4.2.2. Object scan and disinfection mode ........................................................... 27

4.2.3. Actions to be performed on objects .......................................................... 28

4.2.4. On-demand scan of an individual directory ............................................... 29

4.2.5. Scheduled scan ....................................................................................... 29

4 Kaspersky Anti-Virus 5.7 for Linux File Server

4.2.6. Additional capabilities: using script files .................................................... 30

4.2.6.1. Disinfection of infected objects in an archive ...................................... 30

4.2.6.2. Sending notifications to the administrator ........................................... 31

4.3. Real-time anti-virus protection ......................................................................... 32

4.4. Managing license keys ................................................................................... 33

4.4.1. Viewing license key details ....................................................................... 33

4.4.2. Renewing your license ............................................................................. 35

CHAPTER 5. ADDITIONAL SETTINGS ................................................................... 37

5.1. Configuration of product interaction with Webmin ........................................... 37

5.2. Optimization of Kaspersky Anti-Virus operation .............................................. 38

5.3. Moving objects into quarantine ....................................................................... 40

5.4. Backing up infected objects ............................................................................ 41

5.5. Localization of the date and time format .......................................................... 42

5.6. Kaspersky Anti-Virus report generation settings .............................................. 42

CHAPTER 6. ADMINISTERING THE PROGRAM WITH KASPERSKY

ADMINISTRATION KIT ......................................................................................... 45

6.1. Administering the application .......................................................................... 47

6.1.1. Configuring application settings ................................................................ 48

6.1.1.1. Settings tab, Real-time protection: general settings section................ 49

6.1.1.2. Settings tab, Real-time protection: protection scope section............... 50

6.2. Managing tasks .............................................................................................. 50

6.2.1. Creating tasks .......................................................................................... 50

6.2.1.1. Creating local tasks ............................................................................ 52

6.2.1.2. Creating group tasks .......................................................................... 54

6.2.1.3. Creating global tasks ......................................................................... 54

6.2.2. Configuring specific task settings.............................................................. 54

6.2.2.1. On-demand scan task........................................................................ 55

6.2.2.2. Anti-virus database update task ......................................................... 56

6.2.3. Starting and stopping tasks ...................................................................... 56

6.3. Managing policies ........................................................................................... 57

6.3.1. Creating policies ....................................................................................... 57

6.3.2. Viewing and editing policy settings ........................................................... 59

6.3.2.1. Configuring the protection scope........................................................ 60

6.3.2.2. Specifying object types to be protected .............................................. 61

6.3.2.3. Configuring actions applied to objects ................................................ 61

Contents 5

6.3.2.4. Specifying additional parameters ....................................................... 61

CHAPTER 7. UNINSTALLING KASPERSKY ANTI-VIRUS...................................... 62

CHAPTER 8. VERIFYING THE ANTI-VIRUS OPERATION ..................................... 63

APPENDIX A. ADDITIONAL INFORMATION ABOUT THE APPLICATION............. 65

A.1. Kaspersky Anti-Virus configuration file ............................................................ 65

A.2. Command line parameters for component kavscanner .................................. 73

A.3. Return codes of the kavscanner component .................................................. 76

A.4. Command line parameters for component kavmonitor ................................... 77

A.5. Command line parameters for component licensemanager ........................... 78

A.6. Return codes of the licensemanager component............................................ 78

A.7. Command line parameters for component keepup2date ................................ 80

A.8. Return codes of the keepup2date component ................................................ 81

A.9. Command line parameters for component kavmidware.................................. 81

APPENDIX B. FREQUENTLY ASKED QUESTIONS ............................................... 82

APPENDIX C. KASPERSKY LAB ............................................................................ 88

C.1. Other Kaspersky Lab Products ...................................................................... 89

C.2. Contact Us ..................................................................................................... 99

APPENDIX D. LICENSE AGREEMENT ................................................................. 100

CHAPTER 1. INTRODUCTION

The constant growth in both the number of computer users, and the volume of email and internet traffic, increases the threat of virus infections and data corruption or theft by malicious computer programs (malware).

The most dangerous sources of malware are:

Internet

The global information network is the main conduit for all types of malware. As a rule, viruses and other malicious programs are located on popular internet websites, disguised as useful software or freeware. Malware can also be located within scripts that automatically run when a website is loaded in the user‟s browser.

E-mail messages

E-mail messages delivered to the user‟s mailbox and stored in e-mail databases may contain viruses. Malware can be located either in the message body, or as a message attachment. Commonly, infected e-mail messages contain viruses or mail worms. When you open an e-mail message or save an attached file to your hard drive, you may infect data stored in your computer.

Software vulnerabilities

In most cases hackers‟ attacks are attempted using "software holes". Such vulnerabilities allow hackers to obtain remote access to your computer and, therefore, to your data, your LAN resources and other sources of information.

Viruses targeting Unix-based systems are far less common than those aimed at the Windows Operating System, due to the peculiarities of the two platforms. However, the threat to Unix users is not negligible. Provided below is a detailed description of malware types.

1.1. Computer viruses and malware

In order to be aware of potential threats to your computer, it is helpful to know about the types of malicious software (“malware”) and how they work. In general, malicious programs fall into one of three categories:

 Worms – malicious programs which spread themselves using network

resources. These programs are called "worms" due to their ability to tun-

Introduction 7

Henceforth in the text of this Guide the term "virus" will be used to refer to viruses, Trojan Horses and worms. A particular type of malware will be mentioned only when it is required.

nel from one computer to another, using networks, e-mail and other channels. This ability allows worms to proliferate extremely quickly.

Worms propagate by penetrating a computer, determining the IP addresses of other nearby computers, and send copies of themselves to these computers. Apart from network addresses, worms often use data contained in the address books of e-mail client applications installed on the infected machine. Sometimes worms create work files on disks, but they also can function without utilizing any resources of the infected computer other than RAM.

 Viruses – programs that infect other programs by adding their code to the

infected program's code, to gain control when the infected files are run. This simple definition helps determine that the major action of a virus is infecting computer programs. Viruses spread somewhat slower than worms.

 Trojan horses or Trojans – perform unauthorized actions on infected

computers. For instance, depending on the particular conditions, they can erase information on hard drives, "freeze" the system, or steal confidential information. In the strict sense, Trojan Horses are not viruses since they do not infect programs or data; they are unable to sneak independently into computers and are often distributed disguised as some "useful" software. However, Trojans may inflict far greater damages than a regular virus attack.

Recently, worms and Trojans have become the most widespread type of malware in the Unix-based systems.

1.2. Purpose and major functionality

of Kaspersky Anti-Virus

Kaspersky Anti-virus® for Linux File Server (hereinafter referred to as

Kaspersky Anti-Virus, or the application) protects file servers running Linux operating systems.

Kaspersky Anti-Virus for Linux allows the user to:

 Ensure real-time protection of the file system against malicious code: in-

tercept and analyze attempts to access files, and disinfect or delete infected objects.

8 Kaspersky Anti-Virus 5.7 for Linux File Server

 Scan objects on demand: search infected and suspicious files (including

files within specified scan scopes); analyze files, and disinfect or delete infected objects.

 Quarantine suspicious and corrupted objects: save suspicious files in the

quarantine directory.

 Create a copy of the infected object in the backup storage directory be-

fore attempting to disinfect or deleting the object, allowing a future restoration of the object if it contains valuable information.

 Update the anti-virus database; the database is updated from Kaspersky

Lab's updates servers. The user can also configure the application so that the database is updated from a local directory.

 Control and configure Kaspersky Anti-Virus using the application configu-

ration file, the web-based interface of Webmin or the Kaspersky Administration Kit.

1.3. What's new in version 5.7?

The following features are new in Kaspersky Anti-Virus 5.7 for Linux File Server as compared to version 5.5:

 Support for Kaspersky Anti-Virus configuration and management using

Kaspersky Administration Kit has been implemented.

1.4. Licensing procedure

Kaspersky Anti-Virus licensing policy imposes restrictions on the use of the application based on the usage period (as a rule, a one-year period since the date when the application was purchased).

1.5. Hardware and software system

requirements

To run Kaspersky Anti-Virus, the system must comply with the following software and hardware requirements:

 Hardware requirements:

 Processor Intel Pentium® 133 MHz or higher.

 64 MB RAM.

Introduction 9

Please note that Kaspersky Anti-Virus does not support systems running SELinux. Use of SELinux may result in various warnings in the system log file generated by the application.

 100 MB free hard drive space for installation of the application

and storage of temporary files.

 Software requirements:

 One of the following operating systems for 32-bit platforms:

o Red Hat Enterprise Linux 5.2 server;

o Fedora 9;

o SUSE Linux Enterprise Server 10 SP2;

o Novel Open Enterprise Server 2;

o openSUSE Linux 11;

o Debian GNU/Linux 4 R4;

o Mandriva Corporate Server 4;

o Ubuntu 8.04.1 Server Edition;

 One of the following operating systems for 64-bit platforms:

o Red Hat Enterprise Linux 5.2 server;

o Fedora 9;

o SUSE Linux Enterprise Server 10 SP2;

o openSUSE Linux 11.

 Webmin program (www.webmin.com) – for remote administration of Kas-

persky Anti-Virus.

 Perl interpreter - version 5.0 or higher (www.perl.org).

 The which utility must be installed.

 Software compilation packages must be installed (gcc, binutils, glibc-

devel, make, ld) and preinstalled operating system kernel source code for compiling the kavmonitor component.

10 Kaspersky Anti-Virus 5.7 for Linux File Server

Support on issues related to the performance and the use of operating systems or other technologies is not provided.

1.6. Distribution kit

You can purchase Kaspersky Anti-Virus online (for example, visit

http://www.kaspersky.com and follow the E-Store link).

If you buy Kaspersky Anti-Virus online, you will download the application from Kaspersky Lab's website; in this case, the distribution kit will include this Guide along with the application. The license key will be e-mailed to you upon receipt of your payment.

1.6.1. License Agreement

The License Agreement is a legal contract between you and Kaspersky Lab Ltd., which contains the terms and conditions under which you may use the anti-virus product you have purchased.

Read the License Agreement carefully!

If you do not agree with the terms of the License Agreement, you can return Kaspersky Anti-Virus to your dealer for a full refund.

1.6.2. Services for registered users

Kaspersky Lab Ltd. offers all legally registered users an extensive service package that enables them to use Kaspersky Anti-Virus more efficiently.

After purchasing your license, you become a registered user and, during the period of your subscription, you will receive the following services:

 new versions of the purchased software product;

 support on issues related to the installation, configuration and use of the

purchased software product. Services will be provided by phone or via email;

 information about new Kaspersky Lab products and about new viruses

appearing worldwide (this service is provided to users who subscribe to Kaspersky Lab's newsletter).

Introduction 11

Format feature

Meaning/Usage

Bold font

Titles of menus, menu items, windows, dialog boxes and their elements, etc.

Note.

Additional information, notes

Attention!

Information requiring special attention

In order to perform...,

1. Step 1.

2. …

Description of the user's steps and possible actions

Task, example

Statement of a problem, example of the demonstration of the application's capabilities

Solution

Implementation of the task

[modifier] – purpose of the modifier

Command line modifiers

Information messages and command line text

Text of configuration files, information messages and command line

1.7. Conventions used in this

document

Various formatting features and icons are used throughout this document, depending on the purpose and the meaning of the text. The table below lists the conventions used in the text.

The ability to intercept the operations of closing a file is not supported:

 in 32-bit operating systems: from kernel versions

2.6.21 and above;

 in 64-bit operating system: from kernel versions 2.6.18

and above.

CHAPTER 2. HOW IT WORKS

To understand how Kaspersky Anti-Virus works, it is useful to know that it comprises a number of application modules, each with a specific function in providing anti-virus protection for your computer.

Kaspersky Anti-Virus includes:

 On-demand anti-virus scan component kavscanner;

 Real-time anti-virus scan component kavmonitor;

 Anti-virus database update module keepup2date,

 License key management utility licensemanager;

 Remote administration utility for integration with Kaspersky Administration

Kit kavmidware,

 Remote administration module used with Webmin application.

There follows a detailed discussion of the application‟s algorithm, based on an example of real-time protection (that is, using the kavmonitor component).

The component operates as follows:

1. When any application on your computer attempts to access a file system object, whether to open, run or close the file, the call is intercepted by kavmonitor‟s kernel module, and the file is sent for antivirus scanning.

2. The intercepted file is processed using a daemon application included in the kavmonitor component. The daemon scans the object for viruses and processes, based on settings specified in the configuration file. The treatment includes, but is not limited to, disinfection using the anti-virus database if this option is selected.

3. After the file has been processed, kavmonitor sends to the kernel module the access code (allowed/prohibited) that defines the file status.

How it works 13

4. Based on the object's status, the kavmonitor component either allows or blocks access to the file. If access is blocked, the application requesting access to the file will receive an error code indicating that access has been denied.

The file status assigned during scanning and processing can be one of the following:

 Clean – the object is not infected.

 Infected – the object is infected.

 Cured – infected object has been successfully disinfected.

 CureFailed – the infected object could not be disinfected.

 Warning – object code resembles the code of a known virus.

 Suspicion – the object is suspected of being infected with an unknown vi-

rus.

 Protected – the object cannot be scanned because it is encrypted.

 Corrupted– the object is corrupted.

 Error – a system error occurred during the object scan.

The actions performed on the object in response to each status are defined by the configuration file settings (details see Appendix A on p. 65).

To start the installation of Kaspersky Anti-Virus from a .rpm package, type the following at the command line:

To start the installation of Kaspersky Anti-Virus from a .deb package, type the following at the command line:

CHAPTER 3. INSTALLING

KASPERSKY ANTI-VIRUS

We recommend that you perform this system check before installing Kaspersky Anti-Virus:

 Make sure that your system meets the hardware and software require-

ments for Kaspersky Anti-Virus (see 1.5 on p. 8).

 Configure your internet connection.

 Log in as root.

3.1. Installing the application on a

computer running Linux

Kaspersky Anti-Virus for computers running Linux OS is available in the following format:

 .rpm – for systems that support RPM Package Manager

 .deb – for Debian-based OS distributions.

# rpm –i <distribution_package_filename>

# dpkg –i <distribution_package_filename>

3.2. Installation procedure

The installation consists of two parts. The first part includes the following steps:

1. Creation of the kluser user and klusers group.

2. Unpacking of the files from distribution package to target computer.

Installing Kaspersky Anti-Virus 15

During installation to a computer running Debian the post-install configuration script will be launched automatically.

3. Registration of required services depending upon the host system.

4. Setting up default parameters in configuration files of the product components.

3.3. Post-install configuration

Post-install configuration is the second part of Kaspersky Anti-Virus setup. To initiate product configuration, use the postinstall.pl script located in the /opt/kaspersky/kav4fs/lib/bin/setup directory.

After script start, you will be offered to perform the following steps:

1. Specify the path to your license key file.

2. Configure the parameters of the proxy server used for connection to the Internet in the following format:

http://<IP of the proxy server>:<port>

http://<user_name>:<password>@<IP of the proxy server>

:<port>,

depending upon authorization necessity for the proxy. The updating component of the application (keepup2date) uses the value for connection to the servers of Kaspersky Lab and downloading updates to the anti-virus databases.

If you do not use a proxy for connection to the Internet, set the parameter to no.

3. Download the anti-virus databases from the servers of Kaspersky Lab. Enter yes or no depending upon your wish to perform the update immediately.

4. Configure interaction with Webmin.

5. Start compilation of the kavmonitor module. During the stage your computer will compile the libraries required for kavmonitor operation. If the kernel source code is not located in the default directory, enter the following in the command line to compile the kavmonitor component:

# /opt/kaspersky/kav4fs/src/kavmon.pl –b [PATH]

16 Kaspersky Anti-Virus ® 5.7 for Linux File Server

To initiate Network Agent installation from its .rpm package, enter the following in the command line:

To initiate Network Agent installation from its .deb package, enter the following in the command line:

During Network Agent installation to a computer running Debian the post-install configuration script will be launched automatically.

where [PATH] stands for the path to the kernel source code.

3.4. Installing Network Agent

If you plan to manage the application remotely using Kaspersky Administration Kit, the Network Agent has to be installed.

# rpm –i <distribution_package_filename>

# dpkg –i <distribution_package_filename>

3.5. Configuring Network Agent

After installation, the Network Agent has to be configured for its proper interaction with Kaspersky Administration Kit. To start configuration, run the postinstall.pl script located in the /opt/kaspersky/klnagent/lib/bin/setup directory.

After script start, you will be offered to perform the following steps:

1. Specify the DNS name or IP address of your Administration Server.

2. Specify the port number for the Administration Server.

3. Specify the SSL port number of the Administration Server.

4. Define whether the SSL connection should be used for data transfer.

5. Specify the default administration group name.

Installing Kaspersky Anti-Virus 17

The upgrading procedure works correctly for version 5.5-27.

To initiate Kaspersky Anti-Virus upgrade from its .rpm package, enter the following in the command line:

To initiate Kaspersky Anti-Virus upgrade from its .deb package, enter the following in the command line:

The default locations of Kaspersky Anti-Virus files on a server running Linux OS are as follows:

3.6. Updating the application to

version 5.7

The kavmonitor service has to be stopped before upgrading. To do that, enter the following in the command line:

# /etc/init.d/kav4fs stop

# rpm –U <distribution_package_filename>

# dpkg –i <distribution_package_filename>

Upon completion of the upgrade procedure, the configuration file of product version 5.5 will be replaced with its counterpart for version 5.7. Add necessary modifications to the configuration file manually.

3.7. Locating the application files

/etc/opt/kaspersky/ – directory containing the Kaspersky Anti-Virus configuration

file:

kav4fs.conf – configuration file.

/opt/kaspersky/kav4fs/ – main directory of Kaspersky Anti-Virus, containing:

/bin/ – a directory that contains executable files of all Kaspersky Anti-Virus

components: kav4fs-kavscanner – executable file of the anti-virus protection compo-

nent;

kav4fs-keepup2date – executable file of the anti-virus database update

component;

18 Kaspersky Anti-Virus ® 5.7 for Linux File Server

To connect the help system of Kaspersky Anti-Virus (manual pages), assign the value /opt/kaspersky/kav4fs/share/man to the MANPATH environment variable.

On a server running Linux OS, the default locations of Network Agent files after Kaspersky Anti-Virus installation are as follows:

kav4fs-licensemanager – executable file of the license keys manage-

ment component.

/lib/ – directory containing auxiliary files of Kaspersky Anti-Virus.

/setup/ – directory containing the scripts required for application configu- ration:

postinstall.pl – script for post-install product configuration.

uninstall.pl – application removal script.

setup.pl – application configuration script.

/sbin/ – directory containing auxiliary services of Kaspersky Anti-Virus:

kav4fs-kavmonitor – executable file of the anti-virus protection compo-

nent.

kav4fs-kavmidware – executable file of the remote administration com-

ponent kavmidware.

/src/ – directory containing the application's anti-virus kernel module.

/opt/kaspersky/kav4fs/share/contrib/kav4fs.wbm – plug-in to Webmin application.

/opt/kaspersky/kav4fs/share/contrib/vox.sh – script used for disinfecting arc-

hives.

/opt/kaspersky/kav4fs/share/doc/LICENSE – license agreement.

/opt/kaspersky/kav4fs/share/man/ – directory containing manual files.

/var/opt/kaspersky/kav4fs/bases/ – directory containing the anti-virus database. /var/opt/kaspersky/kav4fs/bases.backup/ – directory containing the anti-virus

database that was up-to-date before the last update.

/var/opt/kaspersky/kav4fs/licenses – directory containing license information.

/opt/kaspersky/klnagent/ – main Network Agent directory containing:

/bin/ – directory where the executable files of Network Agent utility programs

are stored, including:

klmover – this utility manually connects the client computer to the Ad-

ministration Server (see the Kaspersky Administration Kit Refer-

ence Book for more information on using this utility).

Installing Kaspersky Anti-Virus 19

klnagchk – this utility checks the manual connection to the Administra-

tion Server (see the Kaspersky Administration Kit Reference Book

for more information on using this utility).

/lib/ – directory containing auxiliary files of the Network Agent.

/bin/setup – directory containing configuration scripts for Network Agent. /share/man/ – directory containing manual files. /sbin/ – directory containing the executable file of the Network Agent service.

3.8. Completing the setup

If the installation process completed correctly, a confirmation message will be displayed on the screen. The configuration file included in the application distribution kit contains all settings necessary to start using the application.

CHAPTER 4. USING KASPERSKY

ANTI-VIRUS

Kaspersky Anti-Virus allows you to specify the anti-virus protection system of your computer, at the level either of individual files or of the entire file system.

The application‟s functionality can be packaged into tasks that the administrator can perform using the application. Tasks implemented using Kaspersky AntiVirus can be divided into the following groups:

 Updating the anti-virus database, which is used for detecting viruses and

disinfecting infected objects (see 4.1 on p. 20).

 Anti-virus protection of the computer‟s file system, using scheduled and/or

on-demand scans (see 4.2 on p. 25).

 Real-time anti-virus protection (see 4.3 on p. 31).

This chapter describes these typical tasks. Within the context of a specific company‟s network, the administrator may combine these tasks and make them more appropriate to business needs.

4.1. Updating the anti-virus database

Updating the anti-virus database is performed by the keepup2date component, and is an integral factor in full-fledged anti-virus protection. The default source used for updating the anti-virus database is Kaspersky Lab‟s updates servers. The list of these servers includes:

http://downloads1.kaspersky-labs.com/

http://downloads2.kaspersky-labs.com/

ftp://downloads1.kaspersky-labs.com/, etc.

The list of URL‟s from which you can download the updates is contained in the updcfg.xml file, included in the application‟s distribution kit. To view the list of update servers, enter the following in the command line:

# /opt/kaspersky/kav4fs/bin/kav4fs-keepup2date -s

During the update process, the keepup2date component selects the first address from this list and attempts to download the anti-virus database from the server. The current computer location (as the two-lettered code of the country according to the ISO 3166-1 standard) can be specified via the RegionSettings parameter

Using Kaspersky Anti-Virus 21

Updates to the anti-virus database are uploaded to Kaspersky Lab's updates servers on an hourly basis.

You can use a server that does not belong to Kaspersky Lab as an update source. Databases of Kaspersky Anti-Virus on the server can be released earlier than the ones installed on your computer. In case of an update from such server, the outdated databases will replace more current records.

All settings of the keepup2date component are grouped in the [upda- ter.*] section of the configuration file.

We strongly recommend that you configure the anti-virus database updates to be performed every hour!

in the [updater.options] section of the application configuration file. In this case the keepup2date component starts choosing the update servers, marked as belonging to the specified region. If the update cannot be performed from the address selected, the component switches to the next URL and makes another attempt.

After a successful update, a command, specified by the PostUpdateCmd parameter of the configuration file‟s [updater.options] section, is executed. By default this command automatically reloads the anti-virus database. If an invalid change is made to this setting, the application may fail to use the updated database or will function improperly.

If the structure of your local area network is complex, you are advised to download updates to the anti-virus database from the updates servers every hour, place them in a network directory, and configure local computers throughout the network to use this directory as their update source. For details on the creation of a network directory, see 4.1.3 on p. 24.

The update may be scheduled using the cron utility (see 4.1.1 on p. 21) or it may be performed on-demand by the administrator who can run this task manually from the command line (see 4.1.2 on p. 23).

4.1.1. Automatically updating the anti-virus

database

You can schedule regular automatic updates of the anti-virus database by modifying the configuration file.

22 Kaspersky Anti-Virus ® 5.7 for Linux File Server

Task: configure automatic anti-virus database updates to be performed every hour. Only record application errors in the system log. Maintain the general log for all tasks started, and do not print any information to the screen.

Solution: to perform this task, do the following:

Task: configure the downloading of anti-virus database updates from Kaspersky Lab's updates servers to automatically select the URL of the updates server from the list included in the keepup2date component.

Solution: to perform this task, do the following:

Task: configure the component to download updates to the anti-virus database from the URL specified by the administrator. If the download cannot be performed from this URL, abort the downloading process.

Solution: to perform this task, do the following:

1. Specify these values in the application's configuration file, for example:

[updater.options]

KeepSilent=yes

[updater.report]

Append=yes

ReportLevel=1

2. Edit the configuration file for the cron (crontab -e) process by entering the following line:

0 0-23/1 * * * /opt/kaspersky/bin/kav4fs-keepup2date

Assign the value No to the UseUpdateServerUrl setting in the [upda- ter.options] section of the application‟s configuration file.

Assign the value Yes to both the UseUpdateServerUrl and UseUpda- teServerUrlOnly settings of the [updater.options] value. Additionally,

the UpdateServerUrl setting must contain the URL of the updates serv- er.

Using Kaspersky Anti-Virus 23

Task: configure the component to download updates to the anti-virus database from a specified URL. If the download cannot be performed from this URL, update the database from the URLs specified in the list included in the keepup2date component.

Solution: to perform this task, do the following:

Task: start the update of the anti-virus database and record the results in the file /tmp/updatesreport.log.

Solution: to implement this task enter at the command line:

Task: arrange updating of the anti-virus database from the network directory /home/bases and only if this directory is not accessible or emp- ty, update the database from Kaspersky Lab's updates servers. Print the results in the report.txt report file.

Solution: to perform this task, do the following:

Assign the value Yes to the UseUpdateServerUrl setting of the [upda- ter.options] section, and the value No to the UseUpdateServerUrlOnly setting. Additionally, the UpdateServerUrl setting must contain the URL of the updates server.

4.1.2. On-demand updating of the anti-virus

database

You can start the update of the anti-virus database from the command line at any time. To do that, type the following command:

# /opt/kaspersky/kav4fs/bin/kav4fs-keepup2date

# /opt/kaspersky/kav4fs/bin/kav4fs-keepup2date –l /tmp/updatesreport.log

The most convenient way to update the anti-virus database on several computers is to download the updates once from the updates servers, place the updates in a network directory and then direct the computers to treat this directory as their update source.

24 Kaspersky Anti-Virus ® 5.7 for Linux File Server

Task: create a network directory from which anti-virus database updates can be copied to local computers within the network.

Solution: to perform this task, do the following:

Task: configure the anti-virus database update to be performed via a proxy server.

Solution: to perform this task, do the following:

1. Specify the corresponding values for the settings in the application's configuration file:

[updater.options]

UpdateServerUrl=/home/bases

UseUpdateServerUrl=yes

UseUpdateServerUrlOnly=no

2. Enter at the command line:

# /opt/kaspersky/kav4fs/bin/kav4fs-keepup2date –l /tmp/report.txt

4.1.3. Creating a network directory to store

the anti-virus database

To ensure that the anti-virus database is correctly updated from the network directory, the directory must contain the same file structure as Kaspersky Lab's updates servers. Provided below is a detailed discussion of this task.

1. Create a local directory.

2. Start the keepup2date component as follows:

# /opt/kaspersky/kav4fs/bin/kav4fs-keepup2date –u <dir>

where <dir> is the full path to the local directory.

3. Grant local computers read-only network access to this catalog.

1. Assign the value Yes to the UseProxy setting of the

[updater.options] section.

Using Kaspersky Anti-Virus 25

All settings of the kavscanner component are grouped in the [scanner.*] options of the application's configuration file.

By default, only the root user can launch an on-demand scan.

2. Make sure that the ProxyAddress setting in the [updater.options]

section of the configuration file contains the URL of the proxy server. The address must be specified in the format

http://username:password@ip_address:port. The values ip address and port are mandatory, while username and password

are necessary only if the proxy server requires authorization.

or:

1. Assign value Yes to the UseProxy setting of the [updater.options]

section.

2. Specify the environment variable http_proxy using format http://username:password@ip_address:port. Note that the environment variable will be considered only if the UseProxy setting of the [updater.options] section is missing or is assigned value Yes.

4.2. Anti-virus protection of file

systems

The kavscanner component provides anti-virus protection of the computer's file systems, by scanning files and processing infected and suspicious objects according to its settings.

You can scan the entire file system, an individual directory or a single file. All protection settings may be divided into groups that define:

 Scan scope (see 4.2.1 on p. 26).

 How objects are to be scanned and disinfected (see 4.2.2 on p. 27).

 Actions to be performed on objects (see 4.2.3 on p. 28).

 Settings used to generate the report on the operation‟s outcome (see 5.6

on p. 42).

The scan of your computer's file systems may be started:

26 Kaspersky Anti-Virus ® 5.7 for Linux File Server

An anti-virus scan of the entire computer is a process that requires considerable resources. It should be noted that when you start this task, your computer's efficiency will be reduced: therefore we recommend that no other heavy application should run at the same time. To avoid such problems, we recommend that you scan individual selected catalogs.

To scan all file systems of the computer, you have to switch to the root directory, or specify the scan scope at the command line as “/”.

If you specified at the command line both scan paths and a text file containing a list of the scan objects, only the paths indicated in the file will be scanned. The paths entered at the command line will be ignored.

 As a one-time task - from the command line (see 4.2.4 on p. 29).

 According to the schedule using the cron application (see 4.2.5 on p. 29).

4.2.1. Scan scope

The scan scope can be roughly divided into two parts:

 scan path – the list of directories and objects to be searched for viruses;

 scan objects – types of objects to be scanned for viruses (archives, etc.)

By default all objects of all available file systems are scanned, starting with the current directory.

You can redefine the scan path by the following methods:

 Listing at the command line (using a space as a separator) all directories

and files to be scanned, using absolute or relative (relative to the current directory) paths.

 List the scan paths in a text file, and specify this file to be used by using

the parameter -@<filename> in the command line. Each object in this file should be entered on a new line, using its absolute path only.

 Restrict paths which are accepted by default (all, starting with the current

directory) or listed in the command line, by entering in the kav4fs.conf configuration file masks of files and directories that will be excluded from the scan scope ([scanner.options] section, settings ExcludeMask and ExcludeDirs).

Using Kaspersky Anti-Virus 27

 Turn off the recursive scan of the catalogs ([scanner.options] section,

the Recursion setting or command line parameter -r).

 Create an alternative configuration file and specify this file to be used us-

ing the command line parameter -c <filename> at component startup.

The default scan objects are specified in the kav4fs.conf configuration file ([scanner.options] section) and they can be redefined.

 directly in this file;

 using command line parameters at component startup;

 by using an alternative configuration file.

4.2.2. Object scan and disinfection mode

The settings of this mode are very important, because they determine whether the application will cure infected files when they are detected.

By default disinfection is turned off: the default behaviour is to scan objects and to notify about detected viruses and other suspicious or corrupted files by printing messages to the screen and in the report (see 5.6 on p. 42).

As a result of an anti-virus scan, each object will be assigned a status from those listed below:

 Clean – no viruses detected (the object is not infected).

 Infected – the object is infected.

 Warning – object code resembles the code of a known virus.

 Suspicious – the object is suspected of being infected with an unknown

virus.

 Corrupted– the object is corrupted.

 Protected – the object cannot be scanned because it is encrypted (pass-

word-protected).

 Error – an error has occurred while scanning the object.

With the disinfection mode turn on (section [scanner.options], setting Cure = yes) only objects with the Infected status will be sent for anti-virus processing. As a result of the disinfection, the object will be assigned a status from those listed below:

 Cured – the object has been successfully disinfected.

28 Kaspersky Anti-Virus ® 5.7 for Linux File Server

Actions performed with self-extracting archives can be differentiated: if the archive itself is infected, it will be viewed as a simple object, while if objects within the archive are infected, the archive will be viewed as a container. Therefore actions to be performed on archives, depending on the case, will be determined by the settings specified in different sections of the configuration file.

 CureFailed – the object could not be disinfected. Files with this status will

be processed according to rules specified for infected objects.

 Error – error occurred during the object scan.

4.2.3. Actions to be performed on objects

The actions to be performed on an object depend on the object's status (see Chapter 2, on p. 12). The default action is only to provide notification about the detection of infected or suspicious objects. However, for objects with Infected, Suspicious, Warning, Error, Protected and Corrupted status you can configure further responses, including:

 moving to a directory – moving objects with the given status to a directory;

simple and recursive moving is available.

 deleting object from the file system;

 performing a command – processing of files using standard Unix script

files, or similar.

Please note that Kaspersky Anti-Virus discriminates between simple objects (files) and container objects (consisting of several objects, for example, an archive). Actions performed with such objects are also discriminated; in the configuration files these actions are located in different sections, with section [scanner.object] for simple objects, and section [scanner.container] for container objects.

You can select actions to be performed on an object using several methods as follows:

 You can specify them in the kav4fs.conf configuration file if you plan to

use these actions as default actions (sections [scanner.object] and [scanner.container]).

 Specify actions in the alternative configuration file and use this file at

component startup.

Using Kaspersky Anti-Virus 29

If no configuration file is specified in the command line at the component startup, the operating settings will be taken from the kav4fs.conf file. The use of this file at startup does not have to be specified!

Task: start an anti-virus scan of the /tmp directory with automatic disinfection of all infected objects detected. Delete all objects that cannot be disinfected.

Create the files infected.lst, suspicion.lst, corrupted.lst and warning.lst to record the filenames of all infected, suspicious and corrupted objects detected during the scan.

The results of the component operation (starting date, information about all files, except clean files) will be printed in the report file kav4fs- kavscanner-current_date-pid.log that will be created in the current directory.

Solution: to implement this task, enter at the command line:

 You can specify them for the current work session using command line

parameters when starting the kavscanner component.

Actions for both simple and container objects use the same syntax (sections [scanner.object] and [scanner.container]).

4.2.4. On-demand scan of an individual