Nod32 ESET GATEWAY SECURITY User Manual FOR LINUX/BSD/SOLARIS

ESET Gateway Security
Installation Manual and User Guide
Linux, BSD and Solaris
Contents
1. Introduction
1.1 Main functionality
1.2 Key features of the system
2. Terminology and abbreviations
3. Installation
4. Architecture Overview
5. Integration with Internet Gateway services
5.1 Transparent HTTP/FTP proxy configuration
5.2 Manual HTTP/FTP proxy configuration
5.2.1 Manual proxy configuration of Mozilla Firefox
5.2.2 Manual proxy configuration of Squid Web Proxy Cache
5.3 Internet Content Adaptation configuration
5.4 Large HTTP Objects Handling
5.5 ESETS plug-in filter for SafeSquid Proxy Cache
5.5.1 Operation principle
5.5.2 Installation and configuration
6. Important ESET Gateway Security mechanisms
6.1 Handle Object Policy
6.2 User Specific Configuration
6.3 Blacklist and Whitelist
6.3.1 URL Whitelist
6.4 Samples Submission System
6.5 Web Interface
6.5.1 License management
6.5.2 Agent HTTP configuration example
6.5.2.1 HTTP Agent testing with the Mozilla Firefox
6.5.3 Statistics
6.6 Remote Administration
6.6.1 Remote Administration usage example
6.7 Logging
7. ESET Security system update
7.1 ESETS update utility
7.2 ESETS update process description
7.3 ESETS mirror http daemon
8. Let us know
9. Appendix A. ESETS setup and configuration
9.1 Setting ESETS for scanning of HTTP communication - transparent mode
9.2 Setting ESETS for scanning of FTP communication - transparent mode
9.3 Setting ESETS for scanning of ICAP encapsulated HTTP messages
10. Appendix B. PHP License

ESET Gateway Security
Copyright ©2011 by ESET, spol. s r. o.
ESET Gateway Security was developed by ESET, spol. s r. o. For more information visit www.eset.com. All rights reserved. No part of this documentation may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise without permission in writing from the author. ESET, spol. s r. o. reserves the right to change any of the described application software without prior notice.
Customer Care Worldwide: www.eset.eu/support
Customer Care North America: www.eset.com/support
REV. 2011-02-08
1. Introduction
Dear user, you have acquired ESET Gateway Security - the premier security system running under the Linux, BSD and Solaris OS. As you will soon find out, ESET's state-of-the-art scanning engine has unsurpassed scanning speed and detection rates combined with a very small footprint that makes it the ideal choice for any Linux, BSD and Solaris OS server.
1.1 Main functionality
Hypertext Transfer Protocol filter (HTTP)
The HTTP filter module is an HTTP 1.1 compliant special proxy server used to scan communication between HTTP clients and HTTP servers for viruses. The module receives HTTP messages from an HTTP client (a web browser application or other proxy cache) and forwards them to the HTTP server (a web server application) and vice versa. The body of the message (if available) will be scanned for viruses by the ESETS daemon. The esets_http module is able to act as both a transparent and a non-transparent proxy server depending on the integration of the esets_http module into the environment.
File Transfer Protocol filter (FTP)
The FTP filter module is a special transparent proxy server that scans communication between an ftp client and an ftp server for viruses. The FTP gateway module is used to scan both incoming and outgoing data transfers. Depending on the scanning results a transferred object will be cleaned, deleted or blocked.
SafeSquid filter
The SSFI module is a plugin accessing all objects processed by the SafeSquid Proxy cache. Once an object is accessed by the plugin, it will be scanned for infiltrations by the ESETS daemon. In case of positive detection SSFI blocks the appropriate source and sends a predefined template page instead. The esets_ssfi.so module is supported by SafeSquid Advanced version 4.0.4.2 and higher.
Internet Content Adaptation Protocol filter (ICAP)
The ICAP filter module is an ICAP 1.0 compliant special server that scans ICAP encapsulated HTTP messages from ICAP clients for viruses.
1.2 Key features of the system
Advanced engine algorithms
The ESET antivirus scanning engine algorithms provide the highest detection rate and the fastest scanning times.
Multi-processing
ESET Gateway Security is developed to run on single- as well as multi-processor units.
Advanced Heuristics
ESET Gateway Security includes unique advanced heuristics for Win32 worms, backdoor infections and other forms of malware.
Built-In features
Built-in archivers unpack archived objects without the need for any external programs.
Speed and efficiency
To increase the speed and efficiency of the system, its architecture is based on the running daemon (resident program) where all scanning requests are sent.
Enhanced security
All executive daemons (except esets_dac) run under a non-privileged user account to enhance security.
Selective configuration
The system supports selective configuration based on the user or client/server.
Multiple logging levels
Multiple logging levels can be configured to get information about system activity and infiltrations.
Web interface
Configuration, administration and license management are offered through an intuitive and user-friendly Web interface.
Remote administration
The system supports ESET Remote Administration for management in large computer networks.
No external libraries
The ESET Gateway Security installation does not require external libraries or programs except for LIBC.
User-specified notification
The system can be configured to notify specific users in the event of a detected infiltration or other important events.
Low system requirements
To run efficiently, ESET Gateway Security requires just 16MB of hard-disk space and 32MB of RAM. It runs smoothly under the 2.2.x, 2.4.x and 2.6.x Linux OS kernel versions as well as under 5.x, 6.x FreeBSD OS kernel versions.
Performance and scalability
From lower-powered, small office servers to enterprise-class ISP servers with thousands of users, ESET Gateway Security delivers the performance and scalability you expect from a UNIX based solution, in addition to the unequaled security of ESET products.
2. Terminology and abbreviations
In this section we will review the terms and abbreviations used in this document. Note that a boldface font is reserved for product component names and also for newly defined terms and abbreviations. Terms and abbreviations defined in this chapter are expanded upon later in this document.
ESETS
ESET Security is a standard acronym for all security products developed by ESET, spol. s r. o. for Linux, BSD and Solaris operating systems. It is also the name (or its part) of the software package containing the products.
RSR
Abbreviation for ‘RedHat/Novell (SuSE) Ready’. Note that we also support RedHat Ready and Novell (SuSE) Ready variations of the product. The RSR package differs from the ‘standard’ Linux version in that it meets the FHS (File-system Hierarchy Standard defined as a part of Linux Standard Base) criteria required by the RedHat Ready and Novell (SuSE) Ready certificate. This means that the RSR package is installed as an add-on application - the primary installation directory is ‘/opt/eset/esets’.
ESETS daemon
The main ESETS system control and scanning daemon: esets_daemon.
ESETS base directory
The directory where ESETS loadable modules containing the virus signature database are stored. The abbreviation @BASEDIR@ will be used for future references to this directory. The @BASEDIR@ value for the following Operating Systems is listed below:
Linux: /var/lib/esets
Linux RSR: /var/opt/eset/esets/lib
FreeBSD: /var/lib/esets
NetBSD: /var/lib/esets
Solaris: /var/opt/esets/lib
ESETS configuration directory
The directory where all files related to the ESET Gateway Security configuration are stored. The abbreviation @ETCDIR@ will be used for future references to this directory. The @ETCDIR@ value for the following Operating Systems is listed below:
Linux: /etc/esets
Linux RSR: /etc/opt/eset/esets
FreeBSD: /usr/local/etc/esets
NetBSD: /usr/pkg/etc/esets
Solaris: /etc/opt/esets
ESETS configuration file
Main ESET Gateway Security configuration file. The absolute path of the file is as follows:
@ETCDIR@/esets.cfg
ESETS binary files directory
The directory where the relevant ESET Gateway Security binary files are stored. The abbreviation @BINDIR@ will be used for future references to this directory. The @BINDIR@ value for the following Operating Systems is listed below:
Linux: /usr/bin
Linux RSR: /opt/eset/esets/bin
FreeBSD: /usr/local/bin
NetBSD: /usr/pkg/bin
Solaris: /opt/esets/bin
ESETS system binary files directory
The directory where the relevant ESET Gateway Security system binary files are stored. The abbreviation @SBINDIR@ will be used for future references to this directory. The @SBINDIR@ value for the following Operating Systems is listed below:
Linux: /usr/sbin
Linux RSR: /opt/eset/esets/sbin
FreeBSD: /usr/local/sbin
NetBSD: /usr/pkg/sbin
Solaris: /opt/esets/sbin
ESETS object files directory
The directory where the relevant ESET Gateway Security object files and libraries are stored. The abbreviation @LIBDIR@ will be used for future references to this directory. The @LIBDIR@ value for the following Operating Systems is listed below:
Linux: /usr/lib/esets
Linux RSR: /opt/eset/esets/lib
FreeBSD: /usr/local/lib/esets
NetBSD: /usr/pkg/lib/esets
Solaris: /opt/esets/lib
3. Installation
After purchasing ESET Gateway Security, you will receive your authorization data (username, password and license key). This data is necessary for both identifying you as our customer and allowing you to download updates for ESET Gateway Security. The username/password data is also required for downloading the initial installation package from our web site. ESET Gateway Security is distributed as a binary file:
esets.i386.ext.bin
In the binary file shown above, ‘ext’ is a Linux, BSD and Solaris OS distribution dependent suffix, i.e., ‘deb’ for Debian, ‘rpm’ for RedHat and SuSE, ‘tgz’ for other Linux OS distributions, ‘fbs5.tgz’ for FreeBSD 5.x, ‘fbs6.tgz’ for FreeBSD 6.x, ‘nbs4.tgz’ for NetBSD 4.xx and ‘sol10.pkg.gz’ for Solaris 10.
Note that the Linux RSR binary file format is:
esets-rsr.i386.rpm.bin
To install or upgrade the product, use the following command:
sh ./esets.i386.ext.bin
For the Linux RSR variation of the product, use the command:
sh ./esets-rsr.i386.rpm.bin
to display the product’s User License Acceptance Agreement. Once you have confirmed the Acceptance Agreement, the installation package is placed into the current working directory and relevant information regarding the package’s installation, un-installation or upgrade is displayed onscreen.
Once the package is installed, you can verify that the main ESETS service is running by using the following command:
Linux OS:
ps -C esets_daemon
BSD OS:
ps -ax | grep esets_daemon
Solaris:
ps -A | grep esets_daemon
After pressing ENTER, you should see the following (or similar) message:
PID TTY TIME CMD
2226 ? 00:00:00 esets_daemon
2229 ? 00:00:00 esets_daemon
At least two ESETS daemon processes are running in the background. The first PID represents the process and threads manager of the system. The other represents the ESETS scanning process.
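The verification above, as an added example in Python (not the manual's own commands): it parses ps output in the format the manual shows (a constructed sample) and reports whether both the manager and the scanner process are present. The `ps -A -o pid=,comm=` form used for BSD and Solaris is this example's choice, not the manual's.

```python
"""Check that the ESETS daemon pair (manager + scanner) is running."""
import platform
import subprocess

# Constructed sample in the format the manual shows for a healthy install;
# the PIDs are made up.
HEALTHY_PS = """  PID TTY          TIME CMD
 2226 ?        00:00:00 esets_daemon
 2229 ?        00:00:00 esets_daemon
"""

# Constructed sample with only one esets_daemon process left.
DEGRADED_PS = """  PID TTY          TIME CMD
 2226 ?        00:00:00 esets_daemon
"""


def daemon_pids(ps_output):
    """PIDs of rows whose command name is esets_daemon.

    A row counts when its first column is numeric (this skips the header) and
    the basename of its last column is exactly esets_daemon, so the output must
    come from a ps form whose last column is the bare command name.
    """
    pids = []
    for line in ps_output.splitlines():
        cols = line.split()
        if len(cols) < 2 or not cols[0].isdigit():
            continue
        if cols[-1].rsplit("/", 1)[-1] == "esets_daemon":
            pids.append(int(cols[0]))
    return pids


def daemon_state(ps_output):
    """'ok' with manager and scanner present (two or more processes),
    'degraded' with exactly one, 'down' with none."""
    count = len(daemon_pids(ps_output))
    if count >= 2:
        return "ok"
    return "degraded" if count == 1 else "down"


def live_state():
    """Run ps for the current OS and classify the result. Linux uses the
    manual's `ps -C esets_daemon`; BSD and Solaris use the POSIX
    `ps -A -o pid=,comm=` so the command name is the last column and the
    filtering happens here instead of in a grep pipeline."""
    if platform.system() == "Linux":
        cmd = ["ps", "-C", "esets_daemon"]
    else:
        cmd = ["ps", "-A", "-o", "pid=,comm="]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return daemon_state(out)


if __name__ == "__main__":
    print("sample:", daemon_state(HEALTHY_PS))
    print("this host:", live_state())
```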
4. Architecture Overview
Once ESET Gateway Security is successfully installed, you should become familiar with its architecture. The system is comprised of the following parts:
CORE
The Core of ESET Gateway Security is the ESETS daemon (esets_daemon). The daemon uses ESETS API library libesets.so and ESETS loading modules em00X_xx.dat to provide base system tasks such as scanning, maintenance of the agent daemon processes, maintenance of the samples submission system, logging, notification, etc. Please refer to the esets_daemon(8) man page for details.
AGENTS
The purpose of ESETS agent modules is to integrate ESETS with the Linux, BSD and Solaris Server environment.
UTILITIES
The utility modules provide simple and effective management of the system. They are responsible for relevant system tasks such as license management, quarantine management, system setup and update.
CONFIGURATION
Proper configuration is the most important aspect of a smooth-running security system - the remainder of this chapter is dedicated to explaining all related components. A thorough understanding of the esets.cfg file is also highly recommended, as this file contains information essential to the configuration of ESET Gateway Security.
After the product is successfully installed, all its configuration components are stored in the ESETS configuration directory. The directory consists of the following files:
@ETCDIR@/esets.cfg
This is the most important configuration file, as it controls all major aspects of the product‘s functionality. The esets.cfg file is made up of several sections, each of which contains various parameters. The file contains one global and several “agent“ sections, with all section names enclosed in square brackets. Parameters in the global section are used to define configuration options for the ESETS daemon as well as default values for the ESETS scanning engine configuration. Parameters in agent sections are used to define configuration options of modules used to intercept various data flow types in the computer and/or its neighborhood, and prepare it for scanning. Note that in addition to the various parameters used for system configuration, there are also rules governing the organization of the file. For detailed information on the most effective way to organize this file, please refer to the esets.cfg(5) and esets_daemon(8) man pages, as well as relevant agents‘ man pages.
@ETCDIR@/certs
This directory is used to store the certificates used by the ESETS web interface for authentication. Please see the esets_wwwi(8) man page for details.
@ETCDIR@/license
This directory is used to store the product(s) license key(s) you have acquired from your vendor. Note that the ESETS daemon will check only this directory for a valid license key, unless the ‘license_dir’ parameter in the ESETS configuration file is redefined.
@ETCDIR@/scripts/license_warning_script
If enabled by the ESETS configuration file parameter ‘license_warn_enabled’, this script will be executed 30 days (once per day) before product license expiration, sending an email notification about the expiration status to the system administrator.
@ETCDIR@/scripts/daemon_notification_script
If enabled by the ESETS configuration file parameter ‘exec_script’, this script is executed in the event of a detected infiltration by the antivirus system. It is used to send email notification about the event to the system administrator.
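As an added example (not from the manual or the product), the following Python reads a constructed esets.cfg-style fragment and resolves an agent's effective settings by overlaying its section on the global defaults, the relationship the esets.cfg description above lays out; it also applies the license directory rule from the @ETCDIR@/license entry. The section names [http] and [ftp], the '#' comment syntax, the key = "value" form and all values are assumptions; license_dir, license_warn_enabled and exec_script are parameter names the manual mentions.

```python
"""Resolve effective ESETS agent settings from an esets.cfg-style file."""

ETCDIR = "/etc/esets"  # @ETCDIR@ for plain Linux, per the manual's table

# Constructed fragment for this example. [global] is the one global section the
# manual describes; the agent section names [http] and [ftp], the '#' comment
# syntax, the key = "value" form and every value are assumptions. The parameter
# names license_dir, license_warn_enabled and exec_script appear in the manual.
SAMPLE_CFG = """
# global section: daemon options and scanner defaults
[global]
license_dir = "@ETCDIR@/license"
license_warn_enabled = yes
exec_script = "@ETCDIR@/scripts/daemon_notification_script"

[http]
exec_script = "/usr/local/bin/http_alert"   # assumed per-agent override

[ftp]
"""


def parse_cfg(text):
    """Return {section_name: {key: value}} for an INI-like ESETS config.

    Section names are case-folded, comments start at '#', quotes around values
    are stripped and the @ETCDIR@ placeholder is expanded. A parameter before
    any section header or a file without [global] is an error.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"parameter outside any section: {raw!r}")
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip().strip('"').replace("@ETCDIR@", ETCDIR)
        sections[current][key.strip()] = value
    if "global" not in sections:
        raise ValueError("esets.cfg has no [global] section")
    return sections


def effective_settings(sections, agent):
    """Global defaults overlaid with the agent section's own parameters."""
    merged = dict(sections["global"])
    merged.update(sections.get(agent, {}))
    return merged


def license_dir(sections):
    """Directory the daemon checks for license keys: @ETCDIR@/license unless
    license_dir is redefined in [global], as the manual states."""
    return sections["global"].get("license_dir", f"{ETCDIR}/license")


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for agent in ("http", "ftp"):
        print(agent, effective_settings(cfg, agent)["exec_script"])
    print("license dir:", license_dir(cfg))
```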
5. Integration with Internet Gateway services
ESET Gateway Security protects the organization’s HTTP and FTP services against viruses, worms, trojans, spyware, phishing and other internet threats. The term Gateway Server refers to layer 3, or ‘router’ level of the ISO/OSI model. In this chapter we review the process of ESET Gateway Security integration with various services.
5.1 Transparent HTTP/FTP proxy configuration
The configuration for transparent proxying is based on a standard routing mechanism as shown in Figure 5-1 below:
Figure 5-1. Scheme of ESET Gateway Security as a transparent proxy
The configuration is created naturally as kernel IP routing tables are defined on each local network client. These routing tables are used to establish static routes to the default network gateway server (router). On a DHCP network, this is done automatically. All HTTP (or FTP) communication with outbound servers is then routed via the network gateway server, where ESET Gateway Security must be installed in order to scan the communication for infiltrations. For this purpose, a generic ESETS HTTP (or FTP) filter has been developed, called esets_http (or esets_ftp).
To configure ESET Gateway Security to scan HTTP (or FTP) messages routed through the network gateway server, enter the command:
/usr/sbin/esets_setup
Follow the instructions provided by the script. When the ‘Available installations/un-installations’ offer appears, choose the ‘HTTP’ (or FTP) option to display the ‘install/uninstall’ options, then choose ‘install’. This will automatically configure the module to listen on a predefined port. It also redirects IP packets originating from the selected network and with HTTP (or FTP) destination port to the port where esets_http (or esets_ftp) listens. This means that only requests originally sent to HTTP (or FTP) destination ports will be scanned. If you also wish to monitor other ports, equivalent redirection rules must be assigned.
In default mode, the installer shows all steps which will be performed and also creates a backup of the configuration, which can be restored at any time. The detailed installer utility steps for all possible scenarios are also described in appendix A of this document.