KASPERSKY Anti-Virus Linux Mail Servers 5.6 User Manual
KASPERSKY LAB
Kaspersky Anti-Virus 5.6 for Linux
Mail Server
ADMINISTRATOR'S
GUIDE
KASPERSKY A N TI-VI R U S 5. 6 FOR L I N UX MA I L SERV E R
Administrator's Guide
Kaspersky Lab
http://www.kaspersky.com
Revision date: November, 2008
Contents
CHAPTER 1. INTRODUCTION ...................................................................................... 7
1.1. What‟s new ............................................................................................................ 8
1.2. Product requirements ............................................................................................ 9
1.3. Service for registered users ................................................................................ 10
CHAPTER 2. THE STRUCTURE AND OPERATING ALGORITHM OF THE
APPLICATION ............................................................................................................... 11
CHAPTER 3. INSTALLING AND UNINSTALLING THE APPLICATION ................... 14
3.1. Installing the application on a server running Linux ........................................... 14
3.2. Installing the application on a server running FreeBSD ..................................... 15
3.3. Location of application files ................................................................................. 16
3.3.1. Location of files on a server running Linux .................................................. 16
3.3.2. Location of files on a server running FreeBSD ............................................ 18
3.4. Post-installation setup ......................................................................................... 19
3.5. Configuration of permission rules in SELinux and AppArmor systems ............. 22
3.6. Installing the Webmin module to manage Kaspersky Anti-Virus ....................... 24
3.7. Application removal ............................................................................................. 26
CHAPTER 4. INTEGRATION WITH MTA .................................................................... 28
4.1. Integration with Exim ........................................................................................... 29
4.1.1. Post-queue integration using modification of routers .................................. 29
4.1.2. Pre-queue integration using dynamically loaded library .............................. 32
4.2. Integration with Postfix ........................................................................................ 34
4.2.1. Post-queue integration ................................................................................. 35
4.2.2. Pre-queue integration ................................................................................... 37
4.2.3. Integration with Milter .................................................................................... 39
4.3. Integration with qmail ........................................................................................... 41
4.4. Integration with Sendmail .................................................................................... 42
4.4.1. Integration with Sendmail using .cf file ......................................................... 43
4.4.2. Integration with Sendmail using .mc file ....................................................... 44
4 Kaspersky Anti-Virus 5.6 for Linux Mail Server
CHAPTER 5. ANTI-VIRUS PROTECTION OF E-MAIL .............................................. 46
5.1. Setting up groups ................................................................................................ 46
5.2. Definition of e-mail analysis policy ...................................................................... 48
5.3. E-mail scanning mode ......................................................................................... 48
5.3.1. Anti-virus scanning ....................................................................................... 49
5.3.2. Content filtering ............................................................................................. 50
5.4. Actions over objects ............................................................................................ 52
5.5. Predefined security profiles ................................................................................. 53
5.5.1. Recommended profile .................................................................................. 54
5.5.2. Maximum protection profile .......................................................................... 54
5.5.3. Maximum performance profile ..................................................................... 55
5.6. Backup ................................................................................................................. 56
5.7. Notifications ......................................................................................................... 57
5.7.1. Setting up notifications .................................................................................. 57
5.7.2. Notification templates ................................................................................... 59
5.7.3. Customizing notification templates............................................................... 62
CHAPTER 6. ANTI-VIRUS PROTECTION OF FILE SYSTEMS ................................ 70
6.1. Scan scope .......................................................................................................... 71
6.2. Object scan and disinfection mode ..................................................................... 72
6.3. Actions to be performed on objects .................................................................... 72
6.4. On-demand scan of an individual directory ........................................................ 74
6.5. Scheduled scan ................................................................................................... 74
6.6. Sending notifications to the administrator ........................................................... 75
CHAPTER 7. UPDATING THE ANTI-VIRUS DATABASES ....................................... 76
7.1. Automatically updating the anti-virus database .................................................. 77
7.2. On-demand updating of the anti-virus database ................................................ 78
7.3. Creating a network directory to store the updates.............................................. 79
CHAPTER 8. KEY MANAGEMENT ............................................................................. 81
8.1. Viewing key details .............................................................................................. 82
8.2. Renewing your key .............................................................................................. 84
CHAPTER 9. REPORTING AND STATISTICS ........................................................... 85
9.1. Application logging .............................................................................................. 85
9.2. Application statistics ............................................................................................ 87
Contents 5
CHAPTER 10. ADVANCED SETTINGS ...................................................................... 91
10.1. Monitoring of protection status via SNMP ........................................................ 91
10.2. Using the application‟s setup script ................................................................... 95
10.3. Managing the application from the command line ........................................... 97
10.4. Additional informational fields in messages...................................................... 99
10.5. Localization of displayed date and time format .............................................. 100
CHAPTER 11. TESTING THE APPLICATION .......................................................... 101
APPENDIX A. ADDITIONAL INFORMATION ............................................................ 103
A.1. Application configuration file kav4lms.conf....................................................... 103
A.1.1. Section [kav4lms:server.settings] .............................................................. 103
A.1.2. Section [kav4lms:server.log] ...................................................................... 106
A.1.3. Section [kav4lms:server.statistics] ............................................................. 107
A.1.4. Section [kav4lms:server.snmp] .................................................................. 108
A.1.5. Section [kav4lms:server.notifications] ....................................................... 110
A.1.6. Section [kav4lms:filter.settings] .................................................................. 111
A.1.7. Section [kav4lms:filter.log] ......................................................................... 114
A.1.8. Section [kav4lms:groups] ........................................................................... 115
A.1.9. Section [path] .............................................................................................. 115
A.1.10. Section [locale] ......................................................................................... 116
A.1.11. Section [options] ....................................................................................... 117
A.1.12. Section [updater.path] .............................................................................. 117
A.1.13. Section [updater.options] ......................................................................... 117
A.1.14. Section [updater.report]............................................................................ 119
A.1.15. Section [updater.actions] ......................................................................... 119
A.1.16. Section [scanner.display] ......................................................................... 121
A.1.17. Section [scanner.options] ......................................................................... 121
A.1.18. Section [scanner.report] ........................................................................... 124
A.1.19. Section [scanner.container] ..................................................................... 125
A.1.20. Section [scanner.object] ........................................................................... 126
A.1.21. Section [scanner.path] ............................................................................. 127
A.2. Group configuration file ..................................................................................... 127
A.2.1. Section [kav4lms:groups.<group_name>.definition] ................................. 128
A.2.2. Section [kav4lms:groups.<group_name>.settings] ................................... 129
A.2.3. Section [kav4lms:groups.<group_name>.actions] .................................... 131
A.2.4. Section [kav4lms:groups.<group_name>.contentfiltering] ....................... 132
6 Kaspersky Anti-Virus 5.6 for Linux Mail Server
A.2.5. Section [kav4lms:groups.<group_name>.notifications] ............................ 136
A.2.6. Section [kav4lms:groups.<group_name>.backup] ................................... 138
A.3. Command line parameters for component kav4lms-licensemanager ............ 138
A.4. Return codes of the kav4lms-licensemanager component ............................. 139
A.5. Command line parameters for component kav4lms-keepup2date ................. 140
A.6. Return codes of the kav4lms-keepup2date component .................................. 141
APPENDIX B. KASPERSKY LAB ............................................................................... 142
B.1. Other Kaspersky Lab Products ........................................................................ 143
B.2. Contact Us ......................................................................................................... 153
APPENDIX C. THIRD-PARTY SOFTWARE .............................................................. 154
C.1. Pcre library ........................................................................................................ 154
C.2. Expat library ...................................................................................................... 155
C.3. AgentX++v1.4.16 library ................................................................................... 155
C.4. Agent++v3.5.28a library ................................................................................... 162
C.5. Boost v 1.0 library ............................................................................................. 163
C.6. Milter library ....................................................................................................... 164
C.7. Libkavexim.so library ........................................................................................ 166
CHAPTER 1. INTRODUCTION
Kaspersky Anti-Virus® 5.6 for Linux Mail Server (hereinafter referred to as
Kaspersky Anti-Virus or the application) provides anti-virus processing of mail
traffic and file systems of servers running the Linux or FreeBSD operating systems, and using the Sendmail, Postfix, qmail, or Exim MTA.
This application allows the user to:
Check for the presence of threats all server file systems as well as in-
coming and outgoing mail messages.
Detect infected, suspicious, corrupted, and password-protected objects
as well as objects that cannot be scanned.
Neutralize threats detected in files and mail messages. Disinfect in-
fected objects.
Back up e-mail messages prior to their anti-virus processing and filtra-
tion.
Process mail traffic according to rules preset for groups of senders and
recipients.
Provide content filtering of mail traffic by name, type and size of at-
tached files, and use individual processing rules for the filtered objects.
Notify the sender, recipients, and administrator about detection of mail
messages that contain infected, suspicious, password protected objects
or objects that cannot be scanned.
Generate statistics and reports on application performance.
Update the anti-virus databases, either using a schedule or on demand,
by downloading update files from Kaspersky Lab‟s update servers.
The anti-virus database is used to search for and attempt to cure in-
fected objects. During the scan each file is analyzed for the presence of
threats by comparing the file‟s code with code typical of various threats.
Configure and manage Kaspersky Anti-Virus both locally (using stan-
dard OS means including command line options, signals and modification of the application configuration file) and remotely via the web-based
interface provided by the Webmin program.
Obtain information about product configuration and activity statistics via
SNMP and configure the application to generate SNMP traps when
specified events occur.
8 Kaspersky Anti-Virus 5.6 for Linux Mail Server
1.1. What’s new
Version 5.6 of Kaspersky Anti-Virus for Linux Mail Server merges the features
of Kaspersky Anti-Virus 5.5 for Linux and FreeBSD Mail Server and Kaspersky
Anti-Virus 5.6 for Sendmail with Milter API and adds the following improvements:
Both pre-queue and post-queue integration is supported for Exim. In case
of pre-queue integration, e-mail is transferred for scanning before its addition to the mail system queue while post-queue integration means that
messages are scanned after addition to the queue. Automatic integration
using the application configuration script is now available. See Chapter 4
on p. 28 for details on the integration procedure.
Opportunities for configuration of mail scanning functionality have been
enhanced: two scanning methods are now available. A message can be
scanned as a single object or using combined approach – first as a single
object and then as a collection of its parts. These methods differ in terms
of the provided protection level. See 5.2 on p. 48 for details.
The application‟s configuration has changed. Individual configuration of
separate groups of senders and recipients is now supported. See 5.1 on
p.46 for details of configuring groups.
The list of actions performed over messages has been extended. New ac-
tion type depending upon the detected malware has been added. See 5.4
on p. 52 for details.
Content filtering capabilities have been extended by adding filtering by at-
tachment size criterion. See 5.3.2 on p. 50 for details.
The library of notification templates has been supplemented with added
administrator templates. Templates are now stored in a separate directory.
The opportunity to place infected objects in Backup is no longer sup-
ported.
Backup functionality has been extended – information files can be created
for each backup entry. See 5.6 on p.56 for details.
Reporting has been improved by increasing the logging setup thorough-
ness. See 9.1 on p.85 for details.
Statistics functionality has been extended by adding per-message statis-
tics. See 9.2 on p.87 for details.
SNMP-queries for configuration, statistics, application status are now
supported. SNMP-traps are also supported. See 10.1 on p. 91 for details.
Introduction 9
Command line administration tool is added to the application‟s package. It
is capable of managing various aspects of the application‟s functionality.
See 10.3 on p. 97 for details.
1.2. Product requirements
The system requirements for Kaspersky Anti-Virus are:
Hardware requirements for a mail server with about 200 MB of traffic
per day:
Intel Pentium IV, 3 GHz processor or higher;
1 GB RAM;
200 MB available space on your hard drive (this amount does not
include space necessary for storing backup message copies).
Software requirements:
One of the following 32-bit operating systems:
o Red Hat Enterprise Linux Server 5.2;
o Fedora 9;
o SUSE Linux Enterprise Server 10 SP2;
o openSUSE 11.0;
o Debian GNU/Linux 4.0 r4;
o Mandriva Corporate Server 4.0;
o Ubuntu 8.04.1 Server Edition;
o FreeBSD 6.3, 7.0.
One of the following 64-bit operating systems:
o Red Hat Enterprise Linux Server 5.2;
o Fedora 9;
o SUSE Linux Enterprise Server 10 SP2;
o openSUSE Linux 11.0.
One of the following mail systems: Sendmail 8.12.x or higher, qmail
1.03, Postfix 2.x, Exim 4.x;
Optional - the Webmin program (www.webmin.com) for remote
administration of Kaspersky Anti-Virus;
Perl version 5.0 or higher (www.perl.org).
10 Kaspersky Anti-Virus 5.6 for Linux Mail Server
Note:
Kaspersky Lab does not give advice on the performance and use of your operating system, third party software or various other technologies.
1.3. Service for registered users
Kaspersky Lab offers its legal users a broad range of services maximizing the
efficiency of Kaspersky Anti-Virus software.
By purchasing a subscription you become a registered software user entitled to
the following services throughout the license period:
software upgrades for this software application;
consultations regarding issues pertaining to installation, configuration
and use of this software, available over the telephone or via e-mail;
notifications about new software products from Kaspersky Lab, and
about new virus outbreaks. This service is provided to users who have
subscribed to the Kaspersky Lab e-mail newsletter service.
CHAPTER 2. THE STRUCTURE
AND OPERATING
ALGORITHM OF THE
APPLICATION
Kaspersky Anti-Virus consists of the following components:
Filter – the service for connection to the mail system, a separate pro-
gram providing for interaction between Kaspersky Anti-Virus and a specific MTA. The product distribution package includes modules for each
supported mail systems:
kav4lms-milter – Milter service for connection with Sendmail and
Postfix via Milter API.
kav4lms-filter – SMTP service for connection with Postfix and Exim.
kav4lms-qmail – mail queue handler for qmail.
kavmd - central service of the application, listening to the filter requests
and implementing the anti-virus functionality of the application protecting e-mail traffic.
kav4lms-kavscanner – provides for anti-virus protection of server file
systems.
kav4lms-keepup2date – provides for updating of the anti-virus database
downloading new data from update servers of Kaspersky Lab or a local
directory.
kav4lms-licensemanager – component for operations with product keys:
installation, removal, viewing statistical information.
kav4lms.wbm – Webmin plug-in module for remote management of the
application via web-based interface (optional), which allows configuration and launch of updates for the anti-virus database, viewing of statistical information, definition of actions over objects depending upon their
status, and monitoring of application activity results.
kav4lms-cmd – utility for Anti-Virus management via the command line.
12 Kaspersky Anti-Virus 5.6 for Linux Mail Server
The application uses the following algorithm to check e-mail:
1. The filter receives a message from MTA. If the filter and the central service are running on the same computer, then names of message files
are passed instead of the actual messages for analysis.
2. The filter determines the groups that the message belongs to, selects
the group with the highest priority (see 5.1 on p. 46) and transfers the
letter for analysis to the central service of the application. If there is no
such group, then the application will process that message using the
rules for the Default group included into its distribution package.
The central service scans the message using the parameters specified
in the configuration file of the group. Depending upon the method defined in the policy, the application can scan the message as a single
solid object or use combined approach scanning it first as a whole and
then checking its individual parts (see 5.2 on p. 48).
Combined analysis is more thorough and provides for higher protection
level although its performance is somewhat lower assumes checking
the message as a whole or as a whole and then part-by-part (combined
policy).
3. If anti-virus mail scanning is enabled (see 5.3 on p. 48), the central service checks a message as a single object. In accordance with the status
assigned after that check (see 5.3.1 on p. 49) the central service: blocks
delivery, rejects or allows the message, replaces it with a warning,
modifies its headers (see 5.4 on p. 52). If special processing is defined
for individual malware types (the VirusNameList option), the specified
actions will be performed if they are detected (VirusNameAction option). Message processing order is specified in the configuration file of
the group.
The application creates a backup copy of the original message before
its processing if that step is enabled in the group settings.
4. After anti-virus message scan the application performs its filtering if it is
enabled in the group settings.
Filtration can be performed by attachment name, type and size (see
5.3.2 on p. 50). The check results in the actions defined by the filtration
settings in the configuration file of the group. Processed objects matching the filtration criteria are passed over for further analysis part by part,
if combined processing method is enabled in the group settings.
5. During e-mail inspection part by part the application parses its MIME
structure and processes message components.
The structure and operating algorithm of the application 13
Message objects are treated in accordance with the status assigned to
each individual object irrespectively of the status assigned to the message as a whole.
If a message is recognized as infected after its processing as a single
object while no threat is found after examination of its parts, the application will handle the whole message using the action defined for infected
mail (InfectedAction option). If the nesting level of an object attached
to a clean message exceeds the limit specified in group settings (Max-
ScanDepth option), the application will handle the whole message using the action defined for letters causing errors during scan (ErrorAc-
tion option).
While processing message objects, the central service renames, deletes or replaces an object with a warning, adds informational headers
or allows a message to pass (see 5.4 on p. 52). Infected messages get
disinfected. The application creates a backup copy of the whole original
message prior to processing of its object (unless it has been made earlier) if that step is enabled in the group settings.
6. After scanning and processing, the central service returns the message
to filter. The processed message together with the notifications about
results of scanning and disinfection is conveyed to the MTA, which delivers the e-mail message to local users or relays it to other mail servers.
Warning!
We advise that you install the application in off hours or when the mail traffic has
the lowest intensity!
CHAPTER 3. INSTALLING AND
UNINSTALLING THE
APPLICATION
Before installing Kaspersky Anti-Virus, you are advised to make the following
preparations for your system:
Make sure your system meets the hardware and software requirements
listed in section 1.2 on page 9.
Make backup copies of configuration files of the mail system installed on
your server.
Set up an Internet connection.
Log in to the system with root access rights or any other account with
superuser privileges.
3.1. Installing the application on a
server running Linux
For servers running the Linux operating system, Kaspersky Anti-Virus is distributed in two different installation packages, depending on the type of your Linux
distribution.
To install the application under Red Hat Enterprise Linux, Fedora, SUSE Linux
Enterprise Server, openSUSE and Mandriva Linux, use the rpm package.
To initiate installation of Kaspersky Anti-Virus from the .rpm package, enter the
following on the command line:
# rpm -i <package_name>
Installing and uninstalling the application 15
Warning!
After installing the application from the rpm package, you must run the postinstall.pl script to perform post-installation configuration. The default location of the
postinstall.pl script is in the /opt/kaspersky/kav4lms/lib/bin/setup/ directory (in
Linux) and in the
/usr/local/libexec/kaspersky/kav4lms/setup/ directory (in FreeBSD)!
Warning!
The procedure of application setup under Mandriva distributions has some peculiarities.
To allow correct launch of Kaspersky Anti-Virus after installation, you will have to
make sure that the /root/tmp/ directory is used for storage of temporary files in
the operating system and the account used to run the application (by default,
kluser) has the right to write to the directory.
You might have to change the access rights for the directory, or redefine or delete the TMP, TEMP environment variables to make the system use another directory (e.g., /tmp/) with the rights required for application functioning.
In Debian GNU/Linux and Ubuntu, the installation is performed from a deb package.
To initiate installation of Kaspersky Anti-Virus from the .deb package, enter the
following on the command line:
# dpkg -i <package_name>
After you enter the command, the application will be installed automatically.
Once the installation completes, information about post-install configuration will
be displayed (see 3.4 on p. 19).
3.2. Installing the application on a
server running FreeBSD
The distribution file for installing Kaspersky Anti-Virus on servers running
FreeBSD OS is supplied as a pkg package.
To initiate installation of Kaspersky Anti-Virus from a pkg package, enter one of
the following at the command line:
# pkg_add <package_name>
After you enter the command, the application will be installed automatically.
Once the installation completes, information about post-install configuration will
be displayed (see 3.4 on p. 19).
16 Kaspersky Anti-Virus 5.6 for Linux Mail Server
Attention!
To make the man pages for the application available upon the man
<man_page_name> command, the following steps are necessary:
for Debian Linux, Ubuntu Linux, SUSE Linux distributions, add the line
below to the /etc/manpath.config file:
MANDATORY_MANPATH /opt/kaspersky/kav4lms/share/man
for Red Hat Linux and Mandriva Linux distributions, add the line below
to the /etc/man.config file:
MANPATH /opt/kaspersky/kav4lms/share/man
for FreeBSD distributions, add the line below to the /etc/manpath.config
file:
MANDATORY_MANPATH /usr/local/man
If your system uses the MANPATH variable, add to the list of its values the path
to the directory containing man pages of the application by running the following
command:
# export MANPATH=$MANPATH:<path to the man pages directory>
3.3. Location of application files
During Kaspersky Anti-Virus setup the product installer copies application files to
program directories on server.
3.3.1. Location of files on a server running
Linux
The default locations of Kaspersky Anti-Virus files on a server running Linux OS
are as follows:
/etc/opt/kaspersky/kav4lms.conf – main configuration file of application;
/etc/opt/kaspersky/kav4lms/ – directory containing the Kaspersky Anti-Virus con-
figuration files:
groups.d/ - directory containing the groups‟ configuration files;
default.conf – configuration file, containing the default group‟s settings;
locale.d/strings.en – file, containing strings, used by the application;
profiles/ – directory containing predefined configuration profiles:
default_recommended/ – directory containing the default configuration
files;
Installing and uninstalling the application 17
high_overall_security/ – directory containing the configuration files for
high security profile;
high_scan_speed/ – directory containing the configuration files for high
scan speed profile;
templates/ – directory containing notification templates;
templates-admin/ – directory containing administrator‟s notifications tem-
plates;
kav4lms.conf – the application‟s main configuration file;
/opt/kaspersky/kav4lms/ – main directory of Kaspersky Anti-Virus, containing:
bin/ – a directory that contains executable files of all Kaspersky Anti-Virus
components:
kav4lms-cmd – executable file of the command line tool;
kav4lms-setup.sh – the application‟s setup script;
kav4lms-kavscanner – executable file of the file system scan compo-
nent;
kav4lms-licensemanager – executable file of the keys management
component;
kav4lms-keepup2date – executable file of the updater component;
sbin/ – a directory that contains executable files of application‟s services;
lib/ - directory containing Kaspersky Anti-Virus library files;
bin/avbasestest – utility validating downloaded updates to the anti-virus
databases used by the kav4lms-keepup2date component;
share/doc/ – directory containing license agreement and deployment docu-
mentation;
share/man/ – directory containing manual files;
share/scripts/ – directory containing the application‟s scripts;
share/snmp-mibs/ – directory containing the Kaspersky Anti-Virus MIB;
share/webmin/ – directory containing plug-in to Webmin application;
/etc/init.d/ – directory containing control scripts for application services:
kav4lms – control script for the central service of the application;
kav4lms-filters – control script for Kaspersky Anti-Virus filter;
/var/opt/kaspersky/kav4lms/ - directory containing variable data of Kaspersky
Anti-Virus:
backup/ – directory containing messages‟ backup copies and information
files;
bases/ – directory containing anti-virus databases;
bases.backup/ – directory containing backup copy of the anti-virus data-
bases;
18 Kaspersky Anti-Virus 5.6 for Linux Mail Server
Warning!
Linux-related paths are used further in this document.
licenses/ – directory containing key files;
nqueue/ – directory containing the mail queue files;
patches/ – directory containing application modules‟ updates;
stats/ – directory containing statistics files;
updater/ – directory containing information file about the last update.
3.3.2. Location of files on a server running
FreeBSD
The default locations of Kaspersky Anti-Virus files on a server running FreeBSD
OS are as follows:
/usr/local/etc/kaspersky/kav4lms.conf – main configuration file of application;
/usr/local/etc/kaspersky/kav4lms/– directory containing the Kaspersky Anti-Virus
configuration files:
groups.d/ - directory containing the groups‟ configuration files;
default.conf – configuration file, containing the default group‟s settings;
locale.d/strings.en – file containing strings used by the application;
profiles/ – directory containing predefined configuration profiles:
default_recommended/ – directory containing the default configuration
files;
high_overall_security/ – directory containing the configuration files of
the high security profile;
high_scan_speed/ – directory containing the configuration files of the
high speed profile;
templates/ – directory containing notification templates;
templates-admin/ – directory containing administrator‟s notifications tem-
plates;
kav4lms.conf – the application‟s main configuration file.
/usr/local/bin/ – a directory that contains executable files of all Kaspersky Anti-
Virus components:
kav4lms-cmd – executable file of the command line tool;
kav4lms-setup.sh – the application‟s setup script;
kav4lms-kavscanner – executable file of the file system scan component;
Installing and uninstalling the application 19
kav4lms-licensemanager – executable file of the keys management compo-
nent;
kav4lms-keepup2date – executable file of the updater component;
/usr/local/sbin/ – a directory that contains executable files of application‟s ser-
vices;
/usr/local/etc/rc.d/ – directory containing control scripts for application services:
kav4lms.sh – control script for the central service of the application;
kav4lms-filters.sh – control script for Kaspersky Anti-Virus filter;
/usr/local/lib/kaspersky/kav4lms/ - directory containing Kaspersky Anti-Virus li-
brary files;
/usr/local/libexec/kaspersky/kav4lms/avbasestest – utility validating downloaded
updates to the anti-virus databases used by the kav4lms-keepup2date component;
/usr/local/share/doc/kav4lms/ – directory containing license agreement and de-
ployment documentation;
/usr/local/man/ – directory containing manual files;
/usr/local/share/kav4lms/scripts/ – directory containing the application‟s scripts;
/usr/local/share/kav4lms/snmp-mibs/ – directory containing the Kaspersky Anti-
Virus MIB;
/usr/local/share/kav4lms/webmin/ – directory containing plug-in to Webmin appli-
cation;
/var/db/kaspersky/kav4lms/ - directory containing variable data of Kaspersky
Anti-Virus:
backup/ – directory containing messages‟ backup copies and information
files;
bases/ – directory containing anti-virus databases;
bases.backup/ – directory containing backup copy of the anti-virus data-
bases;
licenses/ – directory containing key files;
nqueue/ – directory containing the mail queue files;
patches/ – directory containing the application modules‟ updates;
stats/ – directory containing statistics files;
updater/ – directory containing information file about the last update.
3.4. Post-installation setup
Immediately after the application files have been copied to your server, the system configuration process will start. The configuration procedure will either be
20 Kaspersky Anti-Virus 5.6 for Linux Mail Server
started automatically or, if the package manager (such as rpm) does not allow
the use of interactive scripts, you will have to initiate it manually.
To start product configuration manually, enter the following in the command line:
In Linux:
# /opt/kaspersky/kav4lms/lib/bin/setup/postinstall.pl
In FreeBSD:
# /usr/local/libexec/kaspersky/kav4lms/setup/postinstall.pl
You will see an offer to perform the following operations:
1. If the application finds on the computer configuration files of Kaspersky
Anti-Virus 5.5 for Linux Mail Server or Kaspersky Anti-Virus 5.6 for
Sendmail with Milter API, it will offer during this step to choose the file
for conversion and saving in the format of the current product version. If
you select one of the files, you will be offered to replace the default configuration file included into the distribution package with this restored
and converted file.
To replace the configuration file from the distribution package with the
restored file, enter yes as your response. To cancel the replacement,
enter no.
By default converted configuration files are saved in the following directories:
kav4mailservers /etc/opt/kaspersky/kav4lms/profiles/kav4mailservers5.
5-converted
kavmilter /etc/opt/kaspersky/kav4lms/profiles/kavmilter5.6converted
2. Specify the path to the key file.
Please note, that if the product key is not installed, the anti-virus will not
update its databases and create the protected domains list during installation. In that case you will have to perform those steps manually after
key installation.
3. Specify the parameters of the proxy server used for connection to the
Internet in the following format:
http://<IP-proxy_server_address>:<port>
or
Installing and uninstalling the application 21
Note:
The anti-virus databases can only be updated with the installed product key.
Warning!
In case of product integration with qmail automatic updates should be
configured as follows:
# /opt/kaspersky/kav4lms/bin/kav4lms-setup.sh \
--install-cron=updater --user=root
http://<user_name>:<password>@<proxy_server_IP_addres
s>:<port>
if the proxy server requires authentication.
If no proxy server is used to connect to the Internet, enter no as your
response.
The kav4lms-keepup2date update component will use the value to con-
nect to the source of updates.
4. Update the anti-virus databases. To do that, enter yes as your re-
sponse. If you wish to skip updates during this step, enter no. You will
be able to run the update procedure later using the kav4lms-
keepup2date component (see 7.2 on p. 78 for details).
5. Configure automatic updates of the anti-virus databases. To do that, en-
ter yes as your response. To skip configuration of automatic updates
during this step, enter no. You will be able to configure updates later using the kav4lms-setup component (see 7.1 on p. 77) or manually (see
10.2 on p. 95 for details).
6. Install the webmin module for management of Kaspersky Anti-Virus
within the web-based interface of Webmin.
The remote management plug-in will only be installed provided that
Webmin is installed in the default directory. After plug-in installation you
will see appropriate guidelines for configuration of its interaction with the
application.
Enter yes to install the Webmin module or no to cancel its installation.
7. Determine the list of domains whose e-mail traffic will be protected
against viruses. The default value is localhost, localhost.localdomain.
To use it, press Enter.
To specify the list of domains manually, enter them in the command
line. You can define several comma-delimited values; masks and regu-
22 Kaspersky Anti-Virus 5.6 for Linux Mail Server
Warning!
During automatic integration with Sendmail the script always tries to
modify the .mc file because any subsequent update will preserve the
entered changes. If the .mc file contains include directions referring to
.mc files that do not exist, then such file cannot be used for integration
of Kaspersky Anti-Virus. In such case install the sendmail-cf package
for integration using .cf file.
If the .mc file cannot be used for integration of the application, then .cf
file will be used for that purpose.
lar expressions are supported. Dots should be escaped by slash symbol.
E.g.:
re:.*\.example\.com
8. Integrate Kaspersky Anti-Virus with MTA. You can agree to the default
suggested method of integration with the MTA found on the computer or
cancel integration and perform it manually. Please see Chapter 4 on p.
28 for a detailed description of integration with MTA.
By default, the post-queue integration is used for Exim and Postfix mail
systems (see 4.1.1 on p. 29 and 4.2.1 on p. 35).
3.5. Configuration of permission
rules in SELinux and AppArmor
systems
To create a SELinux module with the rules necessary for Kaspersky Anti-Virus
operation, perform the following steps after application setup and its integration
with the e-mail system:
1. Switch SELinux into permissive mode:
# setenforce Permissive
2. Send one or more test messages and make sure that they have passed
anti-virus scanning and have been delivered to recipients.
3. Create a rules module based on the blocking records:
For Fedora:
# audit2allow -l –M kav4lms -i /var/log/messages
Installing and uninstalling the application 23
For RHEL:
# audit2allow -l -M kav4lms –i\
/var/log/audit/audit.log
4. Load the resulting rules module:
# semodule -i kav4lms.pp
5. Switch SELinux into enforcement mode:
# setenforce Enforcing
If new audit messages pertaining to Kaspersky Anti-Virus appear, the rules module file should be updated:
For Fedora:
# audit2allow -l –M kav4lms -i /var/log/messages
# semodule -u kav4lms.pp
For RHEL:
# audit2allow -l -M kav4lms -i /var/log/audit/audit.log
# semodule -u kav4lms.pp
For additional information please refer to:
RedHat Enterprise Linux: «Red Hat Enterprise Linux Deployment
Guide», chapter «44. Security and SELinux».
Fedora: Fedora SELinux Project Pages.
Debian GNU/Linux: «Configuring the SELinux Policy» manual from the
«Documentation for Security-Enhanced Linux» selinux-doc package.
To update AppArmor profiles necessary for operation of Kaspersky Anti-Virus,
perform the following steps after application setup and its integration with the email system:
1. Switch all application rules into complain mode:
# aa-complain /etc/apparmor.d/*
# /etc/init.d/apparmor reload
2. Restart the e-mail system:
# /etc/init.d/postfix restart
3. Restart kav4lms and kav4lms-filters:
# /etc/init.d/kav4lms restart
# /etc/init.d/kav4lms-filters restart
24 Kaspersky Anti-Virus 5.6 for Linux Mail Server
4. Send one or more test messages and make sure that they have passed
anti-virus scanning and have been delivered to recipients.
5. Launch the profiles updating utility:
# aa-logprof
6. Reload AppArmor rules:
# /etc/init.d/apparmor reload
7. Switch all application rules into enforcement mode:
# aa-enforce /etc/apparmor.d/*
# /etc/init.d/apparmor reload
If new audit messages pertaining to Kaspersky Anti-Virus appear, the steps 5
and 6 should be repeated.
For additional information please refer to:
openSUSE and SUSE Linux Enterprise Server: «Novell AppArmor
Quick Start», «Novell AppArmor Administration Guide».
Ubuntu: «Ubuntu Server Guide», chapter «8. Security».
3.6. Installing the Webmin module to
manage Kaspersky Anti-Virus
The activity of Kaspersky Anti-Virus can be controlled remotely via a web
browser using Webmin.
Webmin is a program which simplifies the administration of Linux/Unix systems.
The software has a modular structure, and supports connection of new or customized modules. Additional information about Webmin can be obtained, and its
distribution package downloaded, from the official program web site at:
www.webmin.com.
The distribution package of Kaspersky Anti-Virus contains a Webmin module that
can either be connected during the application‟s post-installation configuration
(see 3.4 on p. 19) if the system already has Webmin installed, or at any time later
after Webmin is installed.
The following part of this manual contains a detailed description of the procedure
necessary to connect the Webmin module for administration of Kaspersky AntiVirus.
Installing and uninstalling the application 25
Note:
The Webmin module is the file mailgw.wbm, which is installed by default in the
/opt/kaspersky/kav4lms/share/webmin/ directory (for Linux distributions), or the
/usr/local/share/kav4lms/webmin/ directory (for FreeBSD distributions).
If default settings were selected during Webmin installation, then you can access
the program after setup in a web browser connecting to port 10000 via
HTTP/HTTPS.
To install the Webmin module for Kaspersky Anti-Virus management:
1. Use your web browser to access Webmin with administrator privileges.
2. Select the Webmin Configuration tab in the program menu, and then
proceed to the Webmin Modules section.
3. Select the From Local File option in the Install Module section and
click (see Figure 1).
Figure 1. Install Module section
4. Select the path to the Webmin module of the product and click OK.
A message on the display will confirm the successful installation of the Webmin
module.
You can access the settings of Kaspersky Anti-Virus by clicking its icon within the
Others tab (see Figure 2).
26 Kaspersky Anti-Virus 5.6 for Linux Mail Server
Warning!
The removal procedure will stop the application without additional user participation!
Figure 2. The icon of Kaspersky Anti-Virus in the Others tab
3.7. Application removal
Removal of Kaspersky Anti-Virus from server requires superuser (root) privileges. If you have no such privileges when you start the removal procedure, you
will have to log on as root first.
During removal the application will be stopped, its files and directories created at
product installation will be deleted. However, files and directories created or
modified by the administrator (configuration file of the application, configuration
files of groups, template notification files, backup directories, key file), will be
preserved.
The application removal procedure can be initiated using different methods depending upon the system package manager. Let us examine those methods
closely.
In order to remove Kaspersky Anti-Virus installed from a rpm package, enter the
following text in the command line:
# rpm -e <package_name>
Installing and uninstalling the application 27
In order to remove Kaspersky Anti-Virus installed from a deb package, enter the
following in the command line:
# dpkg -P <package_name>
if you wish to remove the application together with its configuration files, or:
# dpkg -r <package_name>
if you wish to uninstall the application but keep its configuration files.
In order to remove Kaspersky Anti-Virus installed from a pkg package, enter the
following in the command line:
# pkg_delete <package_name>
A message on the display will confirm the successful removal of the application.
If a plug-in for remote management of the application (Webmin module) was
installed, it must be removed manually using standard Webmin tools.
Note:
MTA does not allow mail rejection if post-queue integration is used. However, if
reject is selected as the action over objects in Kaspersky Anti-Virus settings, the
sender will receive a notification about message rejection. Notification text is
defined by the RejectReply option in the [kav4lms: groups.
<group_name>.settings] section of the group configuration file.
Warning!
Two rules must be observed while using a socket:
The port number, which is a part of network socket definition, must be
greater than 1024.
Both filter and central services must have sufficient privileges to access
the local socket used.
CHAPTER 4. INTEGRATION
WITH MTA
After installation the Anti-Virus must be integrated with the host e-mail system.
To do that, the parameters in the configuration files of the application and MTA
have to be modified. You can perform integration using the product configuration
script included into the distribution package (see 3.4 on p. 19 and 10.2 on p. 95),
or modify the configuration files of Kaspersky Anti-Virus and MTA manually.
For Exim and Postfix the Anti-Virus supports both pre-queue and post-queue
integration. In case of pre-queue integration messages are transferred for analysis before their addition to MTA queue, post-queue integration means that they
are checked after addition to the mail queue.
The sockets used for data exchange between MTA, filter and the central service
of Kaspersky Anti-Virus are assigned using the following rules:
inet:<port>@<ip_address> – for a network socket
local:<socket_path> – for a local socket.
Integration with MTA 29
Warning!
In case of post-queue integration with Exim the FilterSocket, Ser-
viceSocket and ForwardSocket options must point to the network
socket.
4.1. Integration with Exim
The Anti-Virus can use two methods for integration with Exim:
post-queue integration using modification of routers: all e-mail traf-
fic passing the protected server will be transferred for scanning after its
addition to the MTA queue (post-queue filtering).
pre-queue integration using dynamically loaded library: messages
will be transferred for scanning before their addition to the MTA queue
(pre-queue filtering).
4.1.1. Post-queue integration using
modification of routers
Integration using modification of routers implies that messages will be sent for
scanning from all e-mail transfers. To accomplish that, kav4lms_filter must be
specified as the value of the pass_router option for each Exim router.
In case of post-queue integration correct e-mail transfer to the Anti-Virus and its
return to MTA requires observance of the following conditions:
1. The filter must be configured to intercept messages from MTA. The
endpoint of the «filter - MTA» connection is the socked defined by the
FilterSocket option in the [kav4lms:filter.settings] section of the main
application configuration file.
2. The filter must pass messages over for scanning to the central
application service. The endpoint of the «filter – central service»
connection is the socket defined by the ServiceSocket option in the
[kav4lms:server.settings] section of the main application configuration
file.
3. The filter must return messages to the MTA. The endpoint of the «appli-
cation – MTA» connection is the socket defined by the ForwardSocket
option in the [kav4lms:filter.settings] section of the main application
configuration file.
30 Kaspersky Anti-Virus 5.6 for Linux Mail Server
To integrate Kaspersky Anti-Virus with Exim using the application configuration
script:
run the following command:
in Linux:
# /opt/kaspersky/kav4lms/bin/kav4lms-setup.sh \
--install-filter=exim
in FreeBSD:
# /usr/local/bin/kav4lms-setup.sh \
--install-filter=exim
To integrate the application with Exim manually:
1. Make a backup copy of Exim configuration files.
2. Add the following lines in the main configuration settings section of
the Exim configuration file:
#kav4lms-filter-begin-1
local_interfaces=0.0.0.0.25:<forward_socket_ip>.\
<forward_socket_port_number>
#kav4lms-filter-end-1
where <forward_socket_ip>.<forward_socket_port_number>
is the IP-address and port of the socket, to which mail is routed by application after checking.
3. Add the following lines to the routers section of the Exim configuration
file:
#kav4lms-filter-begin-2
kav4lms_dnslookup:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
verify_only
pass_router = kav4lms_filter
no_more
kav4lms_system_aliases:
driver = redirect
allow_fail
allow_defer
Loading...