Dr.Web for UNIX file servers (OS Linux)


Doctor Web

Dr.Web®

for UNIX file servers

(OS Linux)

Administrator Manual


© 2003-2009 Doctor Web. All rights reserved.

This document is a property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any other purpose than the purchaser’s personal use without proper attribution.

TRADEMARKS

Dr.Web is a registered trademark of Doctor Web.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries. UNIX® is a registered trademark of The Open Group.

Other trademarks, registered trademarks and company names used in this document are property of their respective owners.

DISCLAIMER

In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document, the use of or inability to use information contained in this document.

Dr.Web for UNIX file servers (OS Linux) Version 5.0.0

Administrator Manual Release date: 22.04.09

Doctor Web Head Office 2-12A, 3rd str. Yamskogo polya Moscow, Russia

125124

Web site: http://www.drweb.com
Phone: +7 (495) 789-45-87


Contents

1. Introduction...4

1.1. What is this Manual about...4

1.2. Terms and abbreviations...4

1.3. System requirements...5

1.4. Package files location...5

1.5. Configuration files...5

2. Installation and deinstallation...8

2.1. Installation from distribution package for Linux...8

2.2. Installation of Dr.Web Samba SpIDer from source codes...9

2.3. Removal of distribution package for Linux...10

2.4. Upgrade of distribution package for Linux...11

2.5. User interface of graphical installer...12

2.6. User interface of graphical uninstaller...15

3. «Dr.Web for UNIX file servers» solution startup...17

3.1. Software registration. License key file...17

3.2. Updating components and virus databases...18

4. Updating module Dr.Web Updater...20

4.1. Command line parameters...20

4.2. Configuration...20

4.3. Start...22

5. Console Scanner Dr.Web Scanner...24

5.1. Command Line Parameters...24

5.2. Configuration...26

5.3. Start...32

6. Antivirus Module Dr.Web Daemon...34

6.1. Command Line Parameters...34

6.2. Configuration...34

6.3. Start...42

6.4. Signal Processing...43

6.5. Verifying Availability of Dr.Web Daemon...43

6.6. Scanning Modes...46

7. Integrating Daemon with Samba File Server...47

7.1. Requirements...47

7.2. Plug-in of Dr.Web Samba SpIDer Module...47

7.3. Start...47

7.4. Configuration...48

8. «Dr.Web console for UNIX file servers»...54

8.1. Installation...54

8.2. Basic configuration...57

8.3. User interface...58

8.3.1. «Configuration»...59

8.3.1.1. «General settings» tab...60

8.3.2. «Quarantine»...61

9. Contact information...62

Appendix 1. The License Policy...63


1. Introduction

1.1. What is this Manual about

This Manual describes the Dr.Web solution for file servers in UNIX based systems.

The Manual is intended for the person responsible for antivirus protection and security (hereinafter «Administrator»). Protection of file servers in UNIX based operating systems (hereinafter «UNIX systems») consists of checking the content of shared directories for viruses, to prevent viruses from spreading and contaminating the whole network. Viruses are not necessarily designed for UNIX systems (in most cases they are not): ordinary Windows viruses, including macro viruses for Word, Excel and other office applications, are distributed through local networks, so a UNIX file server that stores them unchecked relays them to every Windows client that reads the share.

The «Dr.Web for UNIX file servers» solution consists of three major components:

● the scanning package Dr.Web Scanner detects and cures viruses on the local system;
● the antivirus package Dr.Web Daemon can be used in almost any data processing scheme as an external antivirus filter plug-in;
● Dr.Web Samba VFS SpIDer monitors file operations on Samba file servers. It is implemented as a plug-in for the Samba VFS (Virtual File System) interface and at the same time works as a client of Dr.Web Daemon. The Dr.Web Samba VFS SpIDer package allows the other packages to be integrated with Samba file servers.

This Manual discusses the basic setup, adjustment and startup procedures of the «Dr.Web for UNIX file servers» solution:

● general information (chapter 1);
● installation of the Dr.Web solution for file servers in UNIX systems (chapter 2);
● startup of the Dr.Web solution for file servers in UNIX systems (chapter 3);
● usage of the updating package Dr.Web Updater (chapter 4);
● usage of the console scanner Dr.Web Scanner (chapter 5);
● usage of the antivirus package Dr.Web Daemon (chapter 6);
● usage of Dr.Web Samba VFS SpIDer (chapter 7).

At the end of this Manual you will find contact information for the technical support service.

Dr.Web products are constantly developed. Add-ons to the virus databases are released daily or even several times a day. New program versions appear. Diagnostic techniques and methods of antivirus protection, as well as integration with other applications of UNIX systems, are improved regularly. Besides that, the list of applications compatible with Dr.Web is constantly expanding, therefore some settings and functions described in this Manual may differ slightly from the current program version. For up-to-date program information please refer to the documentation files included in the delivery package.

1.2. Terms and abbreviations

The following terms and abbreviations are used in this Manual (table 1).

Table 1. Legend.

Legend          Interpretation
Please note...  Important remark or instruction
Scanner         Term used as a definition or a reference to a definition
/var/drweb/     File and directory names, excerpts from configuration files, parameter definition examples, system library and file names

1.3. System requirements

The «Dr.Web for UNIX file servers» solution is compatible with Linux distributions with kernel version 2.4.x and higher. An installed Samba v.3.0.x to v.3.3.x is also required.

Dr.Web hardware requirements are similar to the hardware requirements of the command line interface (CLI) of the corresponding OS. Approximately 20 MB of disk space is required to install the «Dr.Web for UNIX file servers» solution.

1.4. Package files location

The «Dr.Web for UNIX file servers» solution is installed by default to the /opt/drweb/, /etc/drweb/ and /var/drweb/ directories. An OS-independent directory tree is created in these directories:

● /opt/drweb/ ― executable modules of the Dr.Web solution and the updating package Dr.Web Updater (perl script update.pl);
● /opt/drweb/lib/ ― antivirus engine as a loadable library (drweb32.dll). Various service libraries for packages of the «Dr.Web for UNIX file servers» solution can reside in the same subdirectory;
● /var/drweb/bases/*.vdb ― databases of known viruses;
● /etc/drweb/drweb32.ini ― main configuration file;
● /etc/drweb/smb_spider.conf ― Dr.Web Samba VFS SpIDer configuration file;
● /opt/drweb/lib/ru_scanner.dwl, /opt/drweb/lib/ru_daemon.dwl ― language files for the Dr.Web Scanner and Dr.Web Daemon packages;
● /opt/drweb/doc/samba/ ― documentation for the Dr.Web Samba VFS SpIDer module and the shell script update-links.sh for automatic creation and update of symbolic links;
● /opt/drweb/doc/ ― documentation. All documentation is presented as plain text files in English and Russian (KOI8-R and UTF-8 encodings);
● /var/drweb/infected/ ― quarantine directory to which infected or suspicious files are moved if such a reaction is specified in the settings of the Dr.Web software system components.

1.5. Configuration files

Setup of the Dr.Web software system components is performed using configuration files. Configuration files are plain text files (so they can be modified with any text editor) with the following structure:

beginning of file
---
[Section 1 name]
Parameter1 = value1, ..., valueK
...
ParameterM = value1, ..., valueK
...
[Section X name]
Parameter1 = value1, ..., valueK
...

If a line begins with the «;» or «#» symbol, it is considered a comment line. Such lines are skipped when parameters are read from the configuration file.

If a parameter is commented out or not specified, it does not mean that this parameter has no value: the hardcoded default value will be used. Only a few parameters are optional or have no default value. Every such case is described separately.

When a parameter is set incorrectly, the Dr.Web software system outputs an error message and terminates.

When an unknown parameter is found in a configuration file, the packages of the Dr.Web software system continue execution and output a warning to the log file.

Parameter values can be enclosed in quotation marks (and must be enclosed in quotation marks when they contain white space). Some parameters can have several values. These values can be delimited by commas, or each value can be set on a separate line of the configuration file. The possibility of having multiple values is clearly stated in the parameter description.

Examples:

Multiple values delimited by commas:

Names = XXXXX, YYYYY

Multiple values set in several strings:

Names = XXXXX

Names = YYYYY

All parameters in this Manual are described in the following way:

ParameterName = {parameter type | possible values}
Parameter description.
{possibility to have multiple values}. Default value:
ParameterName = {value | empty}

Parameters are described in the order they appear in the corresponding configuration file.

Parameter type can be:

● Numerical value ― the parameter value is a positive integer;
● Time ― the parameter value is set in time units. The value is a positive number followed by a time unit (s ― seconds, m ― minutes, h ― hours; case insensitive). If the unit is omitted, the value is considered to be in seconds. Examples: 30s, 15m;
● Capacity ― the parameter value is set in capacity units (either disk space or memory). The value is an integer followed by a capacity unit (b ― bytes, k ― kilobytes, m ― megabytes, g ― gigabytes; case insensitive). If the unit is omitted, the value is considered to be in bytes. Examples: 20b, 15k;
● Path to file | directory ― the parameter sets a file or directory location within the file system;
● Actions ― actions to be performed on objects that triggered a reaction of the «Dr.Web for UNIX file servers» solution components. The set of acceptable actions may vary between parameters, and in this case it is clearly specified in the description of each parameter separately. All possible actions:
  ● Truncate ― cut the file to zero length;
  ● Delete ― delete the infected file;
  ● Rename ― rename the infected file;
  ● Ignore ― skip the file;
  ● Pass ― output information about the file to the log only (for the Dr.Web Scanner package);
  ● Report ― output information about the file to the log only.

● Address ― socket addresses of Dr.Web software system components and external packages. These parameters are specified in type:address format. The following address types are acceptable:
  ● inet ― TCP sockets are used; the address is specified in port@hostname format, where hostname can be either an IP address or a host domain name. Example: Address = inet:3003@localhost;
  ● local ― local UNIX sockets are used; the address is the path to the socket file. Example: Address = local:/var/drweb/run/.drwebd;
  ● pid ― the real address of the process must be read from its pid-file. This address type is acceptable only in some cases, and in such a case it is explicitly indicated in the parameter description.
● Text ― the parameter value is a text string, which can be enclosed in quotation marks (and must be enclosed in quotation marks when it contains white space);
● Strings and files ― sets of text values delimited by commas. If the parameter value is set in file:/path_to_file format, then the text values are taken from the file path_to_file, in which each text value must be specified on a separate line. If it is impossible to read values from the file path_to_file, the components of the «Dr.Web for UNIX file servers» solution continue execution and output a warning to the log file;
● Other values ― some parameters may have parameter types not described in this list.
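The configuration format described in this section, together with the Time, Capacity and Address types above, is simple enough to parse in a few dozen lines, and doing so lets you audit drweb32.ini before the Daemon is started. The following is an added example written for this page, not Doctor Web's own code and not a claim about how the product parses its files: it reads sections, «;»/«#» comments, quoted values and comma- or line-separated multiple values, converts Time and Capacity values to seconds and bytes, parses type:address socket addresses, and lists every Address that is an inet socket bound to something other than a loopback host, since a TCP socket on a non-loopback address accepts scan requests from the whole network. The sample text is constructed: the [Example] section and the ExampleTimeout and ExampleMaxSize names are invented for illustration, and placing Key in the [Daemon] section is an assumption; Address, Key and Names themselves are parameter names the manual shows.

```python
"""Parser and audit helper for the configuration format described above.

Added example for this page, not Doctor Web's code. The [Example] section
and the ExampleTimeout/ExampleMaxSize names in SAMPLE are invented;
Address, Key and Names are parameter names the manual shows.
"""
import ipaddress
import re

# value list: quoted strings keep their spaces, bare values split on commas
_VALUE_RE = re.compile(r'\s*(?:"([^"]*)"|([^,"]+))\s*(?:,|$)')
_TIME_UNITS = {"s": 1, "m": 60, "h": 3600}                        # default: s
_CAP_UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}  # default: b
_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def _split_values(rest):
    return [q if q else u.strip() for q, u in _VALUE_RE.findall(rest)]


def parse_config(text):
    """Return {section: {parameter: [value, ...]}}.

    ';' and '#' lines are comments. A parameter repeated in one section
    accumulates its values, which is the manual's second multi-value form.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        name, eq, rest = line.partition("=")
        if current is None or not eq:
            raise ValueError("malformed line: %r" % raw)
        sections[current].setdefault(name.strip(), []).extend(_split_values(rest))
    return sections


def parse_time(value):
    """'30s', '15m', '2H' or a bare number (seconds) -> seconds."""
    m = re.fullmatch(r"(\d+)\s*([smh]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _TIME_UNITS[(m.group(2) or "s").lower()]


def parse_capacity(value):
    """'20b', '15k', '1G' or a bare number (bytes) -> bytes."""
    m = re.fullmatch(r"(\d+)\s*([bkmg]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("bad capacity value: %r" % value)
    return int(m.group(1)) * _CAP_UNITS[(m.group(2) or "b").lower()]


def parse_address(value):
    """'inet:3003@localhost', 'local:/path' or 'pid:/path' -> dict."""
    kind, sep, rest = value.strip().partition(":")
    kind = kind.lower()
    if not sep or kind not in ("inet", "local", "pid"):
        raise ValueError("bad address: %r" % value)
    if kind == "inet":
        port, at, host = rest.partition("@")
        if not at or not port.isdigit():
            raise ValueError("inet address must be port@hostname: %r" % value)
        return {"type": "inet", "port": int(port), "host": host}
    return {"type": kind, "path": rest}


def reachable_from_network(address):
    """True if the socket could accept connections from other hosts.

    local: sockets are reachable only through the file system. An inet:
    socket is private only on a loopback name or address; 0.0.0.0, a LAN
    IP or an unresolved name is treated as exposed (warn, do not guess).
    """
    if address["type"] != "inet":
        return False
    host = address["host"]
    if host.lower() in _LOOPBACK_NAMES:
        return False
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True


def audit_addresses(config):
    """'[Section] value' for every Address reachable from the network."""
    return ["[%s] %s" % (section, value)
            for section, params in config.items()
            for value in params.get("Address", [])
            if reachable_from_network(parse_address(value))]


# Constructed sample; [Example] and its parameter names are invented.
SAMPLE = """
; comment line
[Daemon]
Address = inet:3003@localhost
Address = local:/var/drweb/run/.drwebd
Key = "/opt/drweb/drweb32.key"

[Example]
Names = XXXXX, YYYYY
ExampleTimeout = 15m
ExampleMaxSize = 15k
Address = inet:3003@0.0.0.0
"""
```

Run `audit_addresses(parse_config(open("/etc/drweb/drweb32.ini").read()))` on a real host to get the list of exposed sockets; on the constructed sample it reports only the [Example] address bound to 0.0.0.0, while the Daemon's loopback and UNIX-socket addresses pass. The audit deliberately treats an unresolvable hostname as exposed rather than resolving it, so the check gives the same answer on every host.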

Logging for Dr.Web software system components may be exceptionally detailed (when the Debug value is specified, the logged information is intended for debugging) or may be disabled (when the Quiet value is specified, nothing is logged at all). For all parameters responsible for logging, values are taken from the following list: Quiet, Error, Info,


2. Installation and deinstallation

Below you can find a detailed description of the «Dr.Web for UNIX file servers» solution installation and deinstallation procedures for Linux. Administrator (root) rights are necessary to perform all these operations.

You must carefully uninstall all packages of earlier product versions (delivered in rpm or deb format) left over from previous installations.

The «Dr.Web for UNIX file servers» solution distribution package for Linux is delivered in EPM format (a script-based distribution package with installation and removal scripts and standard install/uninstall GUIs) designed for use with the ESP Package Manager (EPM). Please note that all these scripts belong only to the EPM package itself, not to any of the components of the Dr.Web software system.

Installation, deinstallation and upgrade procedures for the «Dr.Web for UNIX file servers» solution can be carried out in the following ways:

● via the install/uninstall GUIs;
● via the install/uninstall console scripts.

Dependencies are supported during setup. For the installation of some components, other components must be installed first (for example, drweb-daemon requires the drweb-common and drweb-bases components to be already installed). Thanks to dependencies, such step-by-step installation is performed automatically.

During deinstallation dependencies are supported only by the graphical uninstaller. When deinstallation is performed with the uninstall console scripts, only the explicitly specified component is removed.

Please note that if you install the «Dr.Web for UNIX file servers» solution on a computer where other Dr.Web products have previously been installed from EPM packages, then at every attempt to remove some modules via the uninstall GUI you will be prompted to remove absolutely all Dr.Web modules, including those from other products. Please pay special attention to the actions you perform and the selections you make during deinstallation to avoid accidental removal of useful components.

Also please note that during the initial installation only the software itself is installed. None of the components are started after setup or after reboot.

2.1. Installation from distribution package for Linux

The «Dr.Web for UNIX file servers» solution is distributed as a self-extracting package (drweb-file-servers-5.0.0-linux.run). The following components are included in this distribution:

● drweb-common: contains the main configuration file drweb32.ini, libraries, documentation and the directory structure. During installation of this component the drweb user and drweb group are created;
● drweb-bases: contains the antivirus search engine (Engine) and virus databases. It requires the drweb-common package to be installed first;
● drweb-updater: contains the update utility (Updater) for the Engine, virus databases and content-specific black lists. It requires the drweb-common package to be installed first;
● drweb-daemon: contains the Dr.Web Daemon executable files and its documentation. It requires the drweb-bases package to be installed first;
● drweb-scanner: contains the Dr.Web Scanner executable files and its documentation. It requires the drweb-bases package to be installed first;
● drweb-smbspider: contains compiled libraries for different versions of Samba servers. It requires the drweb-common package to be installed first;
● drweb-smbspider-src: contains the source codes that allow the user to compile the libraries for his own version of Samba server or system architecture.


To install all the components of the «Dr.Web for UNIX file servers» solution automatically you may use either the console (CLI) or the default file manager of your GUI-based shell. In the first case, allow execution of the self-extracting package with the following command:

# chmod +x drweb-file-servers-5.0.0-linux.run

and then run it:

# ./drweb-file-servers-5.0.0-linux.run

As a result the drweb-file-servers-5.0.0-linux directory is created and the install GUI is started (for a detailed description of the graphical user interface refer to the subsequent chapters of this Manual). If the package was started without root rights, the install GUI tries to gain the appropriate rights by itself.

If you only want to extract the content of the package without starting the install GUI, use the --noexec command line parameter:

# ./drweb-file-servers-5.0.0-linux.run --noexec

After you extract the content, you may start the install GUI and continue setup with the following command:

# drweb-file-servers-5.0.0-linux/install.sh

If it is impossible or unacceptable to use the install GUI, you may use the corresponding install scripts. Run the executable *.install files in the console with the following command:

# drweb-file-servers-5.0.0-linux/[component_name].install

If you want to perform the installation without any additional interaction (e.g. confirmations at various setup stages), you may use the now command line parameter. Please note that if you choose to use this parameter, you automatically confirm and accept the Software License Agreement. (Text files with the Software License Agreement in Russian and English, LICENSE and LICENSE.ru, are included in the distribution package.)

During the installation the following processes take place:

● the original configuration files are recorded to the /etc/drweb/software/conf/ directory under the names [configuration_file_name].N;
● operational copies of the configuration files are placed in the corresponding directories of the software being installed;
● other files are installed. If a file with the same name already exists in the corresponding directory (e.g. after inaccurate removal of previous versions of the packages), it is overwritten with the new file, and a copy of the old one is saved as [file_name].O;
● the update-links.sh script is executed. It checks the version of the Samba server and then creates a symbolic link in the /usr/lib/samba/vfs/ directory to the library in the /opt/drweb/lib/ directory for that specific Samba version. Please note that if two different versions of Samba are installed in one directory, the symbolic link is created for only one of them. If different versions of Samba are installed in separate directories, an individual symbolic link is created for each Samba. The following lines are output to the log for each Samba installation:

--- cut ---
Update links for /usr/sbin/smbd
create symlink /opt/drweb/lib/libsmb_spider.so.3.X.X --> /usr/lib/samba/vfs/smb_spider.so
Please, update your config /etc/samba/smb.conf
--- cut ---
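The log lines above are the only confirmation the installer gives that the VFS module was linked in. A link that later goes stale (Samba upgraded, library removed) or a share whose configuration never loaded the module leaves files unscanned without any error, so it is worth checking both after installation and after every Samba update. The following added example, written for this page and not part of Doctor Web's or Samba's software, does that. It assumes the layout shown in the log (the link /usr/lib/samba/vfs/smb_spider.so must resolve to a file under /opt/drweb/lib/) and that a share is protected only when its Samba vfs objects list names smb_spider; the exact smb.conf change belongs to chapter 7 and is not quoted here, so treat that parameter as an assumption. The smb.conf text and the directory tree built by demo() are constructed and live in a temporary directory, so the example runs without touching the real system.

```python
"""Post-install check for the Samba integration: verify the smb_spider.so
link created by update-links.sh and list shares that do not load the module.

Added example for this page, not Doctor Web's or Samba's code. Assumes the
layout in the install log (/usr/lib/samba/vfs/smb_spider.so -> a file under
/opt/drweb/lib/) and that a share is protected only when its 'vfs objects'
names smb_spider. demo() works in a throwaway temporary tree.
"""
import os
import tempfile

VFS_DIR = "/usr/lib/samba/vfs"   # where update-links.sh puts the link
LIB_DIR = "/opt/drweb/lib"       # where the versioned library lives


def check_spider_link(vfs_dir=VFS_DIR, lib_dir=LIB_DIR, name="smb_spider.so"):
    """Return (ok, detail). ok only when vfs_dir/name is a symlink to an
    existing regular file inside lib_dir: a dangling link (library removed,
    Samba upgraded) or a link pointing elsewhere both fail."""
    link = os.path.join(vfs_dir, name)
    if not os.path.lexists(link):
        return False, "missing: " + link
    if not os.path.islink(link):
        return False, "not a symlink: " + link
    target = os.path.realpath(link)
    if not os.path.isfile(target):
        return False, "dangling: " + link
    lib_real = os.path.realpath(lib_dir)
    if os.path.commonpath([target, lib_real]) != lib_real:
        return False, "points outside %s: %s" % (lib_dir, target)
    return True, target


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}. Samba ignores
    case and whitespace in parameter names, so keys are normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
            continue
        key, eq, value = line.partition("=")
        if eq and current is not None:
            sections[current][key.replace(" ", "").lower()] = value.strip()
    return sections


def unprotected_shares(smb_conf_text, module="smb_spider"):
    """Names of shares whose effective 'vfs objects' does not list module.
    A per-share 'vfs objects' replaces the [global] one, it does not extend it."""
    conf = parse_smb_conf(smb_conf_text)
    global_vfs = conf.get("global", {}).get("vfsobjects", "")
    return [share for share, params in conf.items()
            if share.lower() != "global"
            and module not in params.get("vfsobjects", global_vfs).split()]


# Constructed sample smb.conf, not a real configuration.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
[public]
   path = /srv/public
   vfs objects = smb_spider
[scratch]
   path = /srv/scratch
[recycle]
   path = /srv/recycle
   vfs objects = recycle
"""


def demo():
    """Mirror the real layout in a temporary tree and run the link check in
    the installed, dangling and foreign-target cases."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "opt/drweb/lib")
    vfs = os.path.join(root, "usr/lib/samba/vfs")
    os.makedirs(lib)
    os.makedirs(vfs)
    library = os.path.join(lib, "libsmb_spider.so.3.0.0")   # version illustrative
    open(library, "w").close()
    link = os.path.join(vfs, "smb_spider.so")
    os.symlink(library, link)
    results = {"installed": check_spider_link(vfs, lib)[0]}
    os.remove(library)                        # library gone: link dangles
    results["dangling"] = check_spider_link(vfs, lib)[0]
    foreign = os.path.join(root, "other.so")  # link retargeted outside LIB_DIR
    open(foreign, "w").close()
    os.remove(link)
    os.symlink(foreign, link)
    results["foreign"] = check_spider_link(vfs, lib)[0]
    results["unprotected"] = unprotected_shares(SAMPLE_SMB_CONF)
    return results
```

On a real server call `check_spider_link()` with the defaults and `unprotected_shares(open("/etc/samba/smb.conf").read())`; in the constructed sample the «scratch» share (no vfs objects at all) and the «recycle» share (a per-share list that omits the module) are both reported, which is the case that silently bypasses scanning because the per-share setting replaces rather than extends the global one.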

2.2. Installation of Dr.Web Samba SpIDer from source codes


You need the source codes of your Samba (the corresponding packages can be downloaded from the Samba.org web site at http://us1.samba.org/samba/ftp/old-versions/). Use the source of exactly the Samba version that is installed: the VFS module is built against Samba's internal interfaces, which change between releases.

To compile Dr.Web Samba SpIDer from source codes, perform the following actions:

● Install the drweb-smbspider-src package:

# drweb-file-servers-5.0.0-linux/drweb-smbspider-src.install

If you want to perform the installation without any additional interaction (e.g. confirmations at various setup stages), you may use the now command line parameter. Please note that if you choose to use this parameter, you automatically confirm and accept the Software License Agreement. (Text files with the Software License Agreement in Russian and English, LICENSE and LICENSE.ru, are included in the distribution package.) After the installation the drweb-smbspider-5.0.0.src.tar.gz tarball appears in the /usr/src/ directory.

● Change to the /usr/src/ directory and extract the content of the archive:

# tar -xzvf drweb-smbspider-5.0.0.src.tar.gz

● Change to the /usr/src/drweb-smbspider-5.0.0.src directory and execute the following command:

# ./configure --with-samba-source=/directory/with/source/codes/of/Samba

Please note that for successful execution of this command the m4 macro processor, the GCC compiler system and the make utility must be installed on your system.

● Complete the compilation of Dr.Web Samba SpIDer and install it with the following commands:

# make
# make install

2.3. Removal of distribution package for Linux

To remove all the components of the «Dr.Web for UNIX file servers» solution via the uninstall GUI, start it with the following command:

# drweb-file-servers-5.0.0-linux/remove.sh

For a detailed description of the graphical user interface refer to the subsequent chapters of this Manual.

If it is impossible or unacceptable to use the uninstall GUI, you may use the corresponding uninstall scripts. Run the executable *.remove files in the console with the following command:

# drweb-file-servers-5.0.0-linux/[component_name].remove

If you want to perform the deinstallation without any additional interaction (e.g. confirmations at various uninstall stages), you may use the now command line parameter.

After deinstallation you can also remove the drweb user and drweb group from your system. During the deinstallation the following processes take place:

● the original configuration files are removed from the /etc/drweb/software/conf/ directory;
● if the operational copies of the configuration files were not modified by the user, they are also removed. If the user has made any changes to them, they are preserved;
● other files are removed. If a [file_name].O copy of some old file was created during the installation, that file is restored under the name it had before the installation.

Please note that when the contents of the /var/drweb/bases/, /var/drweb/drl/ and /var/drweb/dws/ directories are removed, the *.vdb, *.drl and *.dws masks are used to delete the corresponding files. Any user-created files whose names match these masks are removed as well, so move anything of your own out of these directories before uninstalling.


● the update-links.sh script is executed with the --remove parameter. It removes the symbolic link /usr/lib/samba/vfs/smb_spider.so. Please note that if there were several symbolic links for different versions of Samba, all of them are removed. The following lines are output to the log:

--- cut ---
Remove link /usr/lib/samba/vfs/smb_spider.so
Please, update your config /etc/samba/smb.conf
--- cut ---

2.4. Upgrade of distribution package for Linux

Upgrade process combines install and uninstall procedures. If you want to upgrade «Dr.Web for UNIX file servers» solution you must download the latest version of corresponding software, remove the previous version (refer to p. 2.3 of this Manual for the detailed description of deinstallation) and install the new one (refer to p. 2.1 of this Manual for the detailed description of setup).

When you upgrade «Dr.Web for UNIX file servers» solution, its license key files, log files and configuration files that have been modified by the user are preserved in corresponding directories.


2.5. User interface of graphical installer

When you run the install GUI with the following command:

# drweb-file-servers-5.0.0-linux/install.sh

the setup program window appears.

Figure 1. «Welcome» screen

Navigation is performed with the «Back» and «Next» buttons. Setup can be aborted at any moment by clicking the «Cancel» button. On the «Install Type» screen you can choose the preferred installation type: the typical configuration of «DrWeb for file servers» with all the components selected by default, or a custom configuration.

Figure 2. «Install Type» screen

If you choose «Custom Configuration», you will be offered to select the necessary components for the subsequent installation from the list on the «Select Software» screen.


Figure 3. «Select Software» screen

Please note that if the installation of a component requires other components to be installed first, all corresponding dependencies are selected for installation automatically. For example, if you select the «DrWeb Antivirus Daemon» checkbox, the «DrWeb Bases» and «DrWeb Common Files» checkboxes are selected as well.

If you click the «Install All» button, all components are selected. If you click the «Install None» button, all selection marks are removed.

When you have selected everything you consider necessary (or if you selected the typical configuration at the previous stage), you will be offered to review and confirm all the choices made on the «Confirm» screen.

Figure 4. «Confirm» screen

On the next screen you will be offered to read the Software License Agreement and accept it to continue the installation. Text files with the Software License Agreement in Russian and English, LICENSE and LICENSE.ru, are included in the distribution package.


Figure 5. «License» screen

On the last, «Installing», screen the log of the installation process is output in real time.

Figure 6. «Installing» screen


2.6. User interface of graphical uninstaller

When you run the uninstall GUI with the following command:

# drweb-file-servers-5.0.0-linux/remove.sh

the deinstallation program window appears.

Figure 7. «Welcome» screen

Navigation is performed with the «Back» and «Next» buttons. You can quit the program at any moment by clicking the «Cancel» button. On the next, «Select Software», screen you will be offered to select components for removal from the list. All corresponding dependencies are selected for deinstallation automatically.

Please note that if you installed the «Dr.Web for UNIX file servers» solution on a computer where other Dr.Web products have previously been installed from EPM packages, then absolutely all Dr.Web modules are included in the list of components available for removal, including those from other products. Please pay special attention to the actions you perform and the selections you make during deinstallation to avoid accidental removal of useful components.


If you click the «Remove All» button, all components are selected. If you click the «Remove None» button, all selection marks are removed.

When you have selected everything you consider necessary, you will be offered to review and confirm all the choices made on the «Confirm» screen.

Figure 9. «Confirm» screen

On the last, «Removing», screen the log of the deinstallation process is output in real time.

Figure 10. «Removing» screen


3. «Dr.Web for UNIX file servers» solution startup

To run the «Dr.Web for UNIX file servers» solution you must do the following:

● register the software. Place the key file drweb32.key in the directory for Dr.Web executable files (the default directory for Linux is /opt/drweb/). Please note that if you want to use a key file from a different location, you must specify the full path to it as the value of the Key parameter of the main configuration file drweb32.ini;
● configure the software by making the necessary changes to the configuration files. Please refer to the corresponding chapters of this Manual for detailed information on configuration;
● edit the /etc/drweb/daemons.run file. Set 1 as the value of the RUN_DRWEBD (Dr.Web Daemon startup) variable. If it is not required to run Dr.Web Daemon (a properly configured and working Daemon on some other computer in the network is used), the RUN_DRWEBD value must be set to 0 (which is also the default value of this variable).

3.1. Software registration. License key file

User rights for using the «Dr.Web for UNIX file servers» solution are controlled by a special file called the license key file. The license key file contains the following information:

● the list of Dr.Web components licensed to the user;
● the license expiration date;
● other restrictions (for example, the number of protected PCs).

The license key file has the *.key extension and by default must be placed in the directory for Dr.Web executable files.

The license key file is digitally signed to prevent its editing. An edited license key file becomes invalid. It is not recommended to open your license key file in text editors, to avoid its accidental corruption.

Users who have purchased the «Dr.Web for UNIX file servers» solution from Dr.Web certified partners obtain the license key file. The parameters of the key file are specified according to the license the user has paid for. The license key file contains the name of the user (or a company name) and the name of the selling company.

For evaluation purposes users may also obtain a demo key file. It allows the user to enjoy the full functionality of the «Dr.Web for UNIX file servers» solution, but has a limited term of use, and no technical support is provided.

The license key file may be supplied as a file with the *.key extension, or as a zip archive containing the license key file. The license key file may be received in one of the following ways:

● sent by e-mail as a zip archive containing the license key file with the *.key extension (usually after registration on the web site). Extract the license key file using the appropriate archiving utility and place it in the directory for Dr.Web executable files (the default directory for Linux is /opt/drweb/);
● included in the distribution package;
● supplied on separate media as a file with the *.key extension. In this case the user must copy it manually to the /opt/drweb/ directory.

The license key file is usually sent to the user via e-mail after registration on the web site (the web site location is specified in the registration card accompanying the product). Visit the site, fill in the web form with your customer data and submit your registration serial number (printed on the registration card). As a result of this procedure the license is activated, and a license key file is created for the serial number provided. Then it is sent to the user at the e-mail address specified.

It is recommended to keep the license key file until it expires, and to use it when reinstalling or repairing the «Dr.Web for UNIX file servers» solution installation. If the license key file is damaged or lost, it can be recovered by the same procedure as during license activation. In this case you must use the same product serial number and customer data you entered during registration; only the e-mail address can be changed (in this case the license key file is sent to the new e-mail address). If the serial number matches an entry in the Dr.Web database, the corresponding key file is dispatched to the user by the automatic system using the e-mail address provided.


Registration with the same product serial number can be performed up to 25 times. If you need to recover lost license key file after 25th registration, you must make a request for license key file recovery on

http://support.drweb.com/request/, and also specify all data used during registration, valid e-mail address and detailed description of the situation. Request will be considered by Dr.Web technical support service engineers, and after approval license key file will be provided to user via automatic support system or dispatched via e-mail.

Please note, that according to the Software License Agreement Licenser may restore and submit to user his lost key, but it reserves the right to consider commercial efficiency of such action.

The path to the license key file of a certain component must be specified as the Key parameter value in the corresponding configuration file (drweb32.ini). For example:

Key = /opt/drweb/drweb32.key

If the license key file specified as the Key parameter value cannot be read (wrong path, permission denied), or is expired, blocked or invalid, the corresponding component terminates.

When less than two weeks are left until license expiration, Dr.Web Scanner outputs a warning message at start and Dr.Web Daemon notifies the user via e-mail. Messages are sent at every startup, restart or reload of the Daemon for every license key file installed. To enable this option you must set up the MailCommand parameter in the [Daemon] section of the drweb32.ini configuration file.

3.2. Updating components and virus databases

Components of the «Dr.Web for UNIX file servers» solution require regular updating. For successful operation of the antivirus and traffic filtering modules, the virus databases of known viruses and the content-specific black and white lists must be updated regularly.

The Dr.Web virus database consists of several *.vdb files, each representing a separate part of it. On the update servers these files are also stored in lzma-archives. When new viruses appear, small files (only several Kbytes in size) with database segments describing these viruses are released as add-ons.

Add-ons are the same for all supported platforms. There are two types of them: daily «hot» add-ons (drwtoday.vdb) and regular weekly updates (drwXXXYY.vdb), where XXX is the antivirus version number and YY is a sequential number beginning from 00 (for example, the first regular update for version 5.0.0 will be named drw50000.vdb). «Hot» add-ons may be issued daily or even several times a day to provide effective protection against new viruses. This type of add-on must be installed over the old one, i.e. the previous drwtoday.vdb file is overwritten. When a new regular add-on is released, all records from drwtoday.vdb are copied to drwXXXYY.vdb, and a new empty drwtoday.vdb file is issued.

If you want to update the virus databases manually, you must install all missing regular add-ons first, and then overwrite the drwtoday.vdb file.

To add an add-on to the main virus databases, place the corresponding file in the directory for «Dr.Web for UNIX file servers» solution executable files (/var/drweb/bases/ by default) or in any other directory specified in the configuration file.

Signatures for virus-like malicious programs (adware, dialers, hacktools, etc.) are supplied in two additional files, drwrisky.vdb and drwnasty.vdb, with a structure similar to the virus databases. These files are also updated regularly: dwrXXYYY.vdb and dwnXXYYY.vdb are regular updates, and dwrtoday.vdb and dwntoday.vdb are «hot» updates.

From time to time (as brand new viruses and antivirus techniques appear), new versions of the antivirus package are released, containing updated algorithms implemented in the antivirus Engine. At the same time, all released add-ons are brought together, and the new package version is completed with updated main virus databases describing all known viruses. Usually, when upgrading the package to a new version, portability of the databases is assured, i.e. new databases can be linked to the old Engine. Please note that this does not guarantee detection or curing of new viruses, as that requires upgrading the algorithms in the antivirus Engine.

The virus database files are thus the following:
● drwebase.vdb ― general virus database, received with the new version of the package;
● drwXXXYY.vdb ― regular weekly add-ons;
● drwtoday.vdb ― «hot» add-ons issued daily or several times a day;
● drwnasty.vdb ― general database of malware, received with the new version of the package;
● dwnXXXYY.vdb ― regular weekly add-ons;
● dwntoday.vdb ― «hot» add-ons issued daily or several times a day;
● drwrisky.vdb ― general database of riskware, received with the new version of the package;
● dwrXXXYY.vdb ― regular weekly add-ons;
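The manual add-on procedure described above, worked through as an added shell example (not a script from the Dr.Web package): it installs every missing regular add-on first and only then overwrites the «hot» file, refusing the hot file when the weekly sequence has a hole. It assumes the naming from the list above (prefix drw, dwn or dwr, XXX = 500 for version 5.0.0, a two-digit YY starting at 00) and builds its sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web package: apply downloaded virus
# database add-ons in the order the manual requires, i.e. every missing
# regular add-on first and the daily "hot" file (<prefix>today.vdb) last.
# Assumed naming: <prefix><XXX><YY>.vdb, XXX = version (500 for 5.0.0),
# YY = two-digit sequence number from 00; prefixes drw, dwn, dwr.

# Highest YY present for one prefix/version in the given directories
# (-1 when none). Usage: highest_seq PREFIX XXX DIR...
highest_seq() {
    prefix=$1; ver=$2; shift 2
    highest=-1
    for dir in "$@"; do
        for f in "$dir"/"$prefix$ver"[0-9][0-9].vdb; do
            [ -e "$f" ] || continue
            n=${f##*/}; n=${n#"$prefix$ver"}; n=${n%.vdb}; n=${n#0}
            [ "$n" -gt "$highest" ] && highest=$n
        done
    done
    echo "$highest"
}

# Copy regular add-ons 00..highest from SRC into BASES unless already there.
# Status 1 if a number exists in neither place: the weekly chain would have
# a hole, and the hot file (whose old records were folded into the missing
# weekly file) must not be applied on top of it.
install_regular() {
    src=$1; bases=$2; prefix=$3; ver=$4
    top=$(highest_seq "$prefix" "$ver" "$src" "$bases")
    i=0; status=0
    while [ "$i" -le "$top" ]; do
        name=$(printf '%s%s%02d.vdb' "$prefix" "$ver" "$i")
        if [ -e "$bases/$name" ]; then
            :   # already installed
        elif [ -e "$src/$name" ]; then
            cp "$src/$name" "$bases/$name" && echo "installed $name" || status=1
        else
            echo "missing $name" >&2; status=1
        fi
        i=$((i + 1))
    done
    return "$status"
}

# Overwrite the daily add-on, as the manual says the previous one is superseded.
install_hot() {
    src=$1; bases=$2; prefix=$3
    [ -e "$src/${prefix}today.vdb" ] || return 0
    cp "$src/${prefix}today.vdb" "$bases/${prefix}today.vdb" && echo "installed ${prefix}today.vdb"
}

# Full procedure for all three families; hot files only when no family has a gap.
update_bases() {
    src=$1; bases=$2; ver=$3
    ok=0
    for p in drw dwn dwr; do
        install_regular "$src" "$bases" "$p" "$ver" || ok=1
    done
    [ "$ok" -eq 0 ] || { echo "regular add-ons incomplete, hot files skipped" >&2; return 1; }
    for p in drw dwn dwr; do
        install_hot "$src" "$bases" "$p"
    done
}

# Demonstration on a constructed layout: bases holds 00 and an old hot file,
# the download directory holds 01, 02 and a new hot file.
demo() {
    tmp=$(mktemp -d); src=$tmp/dl; bases=$tmp/bases
    mkdir -p "$src" "$bases"
    echo old > "$bases/drw50000.vdb"; echo old > "$bases/drwtoday.vdb"
    echo new > "$src/drw50001.vdb"; echo new > "$src/drw50002.vdb"
    echo new > "$src/drwtoday.vdb"
    update_bases "$src" "$bases" 500
    ls "$bases"
    rm -rf "$tmp"
}

case ${1:-} in --demo) demo ;; esac
```

Run with --demo to see the constructed walk-through; for real use point update_bases at the download directory and /var/drweb/bases/.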


4. Updating module Dr.Web Updater

For automatic receipt and installation of the anti-virus add-ons and content-specific black and white lists you must use the special updating module Dr.Web Updater.

The updating module is the script update.pl written in Perl. It can be found in the directory containing the executable files of the «Dr.Web for UNIX file servers» solution.

Dr.Web Updater settings are stored in the [Updater] section of the main configuration file (drweb32.ini by default) in the /etc/drweb/ directory. If you want to use an alternative configuration file, specify the full path to it by a command line parameter at start.

To run the script use the following command:

$ /opt/drweb/update.pl [parameters]

The --not-need-restart parameter can be specified as a command line parameter. It can be used in several ways:
● If this parameter is not specified, all daemons (Dr.Web Daemon in the «Dr.Web for UNIX file servers» solution) will be restarted after the update.pl script finishes its work. (Note: daemons will be restarted only if any of their components has been updated, removed or added during script operation.)
● If the --not-need-restart parameter is specified but no value is set for it, none of the daemons will be restarted after the update.pl script finishes its work, even if any of their components has been updated, removed or added during script operation.
● Daemon names can be used as values for the --not-need-restart parameter. Several names can be specified in one string, without white space and with a comma used as delimiter. Values are case insensitive. Daemons whose names are specified as parameter values will not be restarted.

Example:

$ /opt/drweb/update.pl --not-need-restart=drwebd

You can also specify the name of the module (Daemon or Scanner) to update as a command line parameter. If it is not specified, information from the configuration file is used.

4.1. Command line parameters

At this stage, two formats of command line parameters for Dr.Web Updater are supported. Using the first format, you can specify only one parameter: the full name of the configuration file to use. With the second format the following parameters can be specified in any order:

--ini=path_to_configuration_file

--what=component_to_be_updated

Instead of the component_to_be_updated value, the values scanner or daemon must be used.

4.2. Configuration

A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are described in the order they are presented in the main configuration file.

[Updater] section.

UpdatePluginsOnly = {Yes | No}

With the Yes value specified, Dr.Web Updater will not update Daemon and Scanner; it will update only plug-ins. Default value:

UpdatePluginsOnly = No

Section = {Daemon | Scanner}

Specifies from which section Updater takes settings to determine the program version, paths to virus databases, etc. The value of this parameter can be overridden by the --what= command line parameter at start. Default value:

Section = Daemon

ProgramPath = {path to file}

Path to the Daemon/Scanner. It is used by Dr.Web Updater to get the product version and API information of the installed executable file. Default value:

ProgramPath = /opt/drweb/drwebd

SignedReader = {path to file}

This program is used by Dr.Web Updater to read signed files. Default value:

SignedReader = /opt/drweb/read_signed

LzmaDecoderPath = {path to file}

Path to the program used for unpacking lzma-archives. Default value:

LzmaDecoderPath =

LockFile = {path to file}

Path to the lock file used to prevent sharing of certain files while they are processed by Dr.Web Updater. Default value:

LockFile = /var/drweb/run/update.lock

CronSummary = {Yes | No}

If the Yes value is specified, Dr.Web Updater will output statistics on each session to stdout. This mode can be used to send administrator notifications by e-mail if Updater is run by the cron daemon. Default value:

CronSummary = Yes

DrlFile = {path to file}

Path to the file containing the list of accessible Dr.Web update servers. Dr.Web Updater selects a server from this list at random. This file is signed by Doctor Web and must not be modified by the user. It is updated automatically. Default value:

DrlFile = /var/drweb/bases/update.drl

DrlDir = {path to directory}

Path to the directory where signed *.drl files with lists of update servers for every plug-in are stored. Default value:

DrlDir = /var/drweb/drl/

Timeout = {numerical value in seconds}

Maximum time for download of updates. Default value:

Tries = {numerical value}

Number of attempts to be made by Dr.Web Updater to establish a connection with an update server. Default value:

Tries = 3

ProxyServer = {proxy server name or IP}

Name or IP address of the proxy server used. Default value:

ProxyServer =

ProxyLogin = {proxy server user login}

User login for the proxy server. Default value:

ProxyLogin =

ProxyPassword = {proxy server user password}

User password for the proxy server. Default value:

ProxyPassword =

Log settings for Dr.Web Updater are specified below:

LogFileName = {path to file}

Log file name. You can specify syslog as the log file name, and logging will then be carried out by the syslogd system service. In this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several files for logging various events of different importance, these two parameters and the syslogd configuration file (usually /etc/syslogd.conf) determine the location where information is logged. Default value:

LogFileName = syslog

SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}

Log type when the syslogd system service is used for activity logging (please refer to the syslog documentation for further details). Default value:

SyslogFacility = Daemon

LogLevel = {Debug | Verbose | Info | Warning | Error | Quiet}

Log verbosity level. Default value:

LogLevel = Verbose

4.3. Start

The updating process includes the following stages:
● Dr.Web Updater reads the configuration file.
● The parameters to be used are located in the [Updater] section of the main configuration file, except for the following: EnginePath (serves both to determine the Daemon version and to specify the directory where updated databases are downloaded), UpdatePath (specifies the directory where all other updated files are downloaded) and PidFile (specifies the path to the file from which the drwebd process identifier used for restarting the Daemon is read).
● Dr.Web Updater requests the list of updates from the server, then tries to download lzma-archives of the corresponding bases. If no lzma-archives are found, it downloads the necessary bases in *.vdb and *.dws formats. To extract files from lzma-archives a special lzma utility is used, the path to which is specified by the LzmaDecoderPath parameter value in the [Updater] section of the main configuration file.

5. Console Scanner Dr.Web Scanner

5.1. Command Line Parameters

Dr.Web Scanner is a command line interface (CLI) program operating in command line mode (or in an X Window terminal emulator). To run Dr.Web Scanner you can use the following command:

$ ./drweb -path <path> [command line parameters]

where <path> is the path to the scanned directory or the mask for checked files.

When Scanner is started only with the <path> argument and no parameters specified, it scans the specified directory using the default set of parameters. In the following example the user home directory is checked:

$ ./drweb -path ~

When the scan is finished, Scanner outputs information about all detected infected and suspicious files in the following manner:

/path/file infected [virus] VIRUS_NAME

After presenting information about infected or suspicious files, Scanner outputs a summary report in the following manner:

Report for "/opt/drweb/tmp":
Scanned : 34/32 Cured : 0
Infected : 5/5 Removed : 0
Modifications : 0/0 Renamed : 0
Suspicious : 0/0 Moved : 0
Scanning time : 00:00:02 Speed : 5233 KB/s

Numbers divided by a slash «/» mean: the first one is the total number of files, the second one the number of files in archives. Please note that the Dr.Web distribution package contains the special text file readme.eicar.rus. With a text editor you can easily create the eicar.com program (refer to the instructions inside the readme.eicar.rus file for more details), which is used to test antiviruses and therefore is included in all virus databases.

The following report will be output:

/opt/drweb/doc/eicar.com infected by Eicar Test File (Not a Virus!)

Like any other UNIX program, Dr.Web Scanner supports numerous command line parameters. They are separated from the specified path by white space and are prefixed by a hyphen «-». To get the complete list of parameters, start Scanner with the -?, -h or -help parameter.

Main program parameters can be classified in the following way:
● scan area parameters;
● diagnostics parameters;
● actions parameters;
● interface parameters.

Scan area parameters determine where the virus check must be performed. They include:
● path — specify the path for scan. Several paths can be specified in one parameter;
● @[+]<file> ― check objects listed in <file>. Plus «+» instructs Scanner not to delete files from the list of objects after the scan is completed. The list file may contain paths to directories that must be scanned regularly, or a list of files to be checked only once;
● fl ― follow links, both to files and directories; links causing loops are ignored;
● mask — ignore masks for file names.

Diagnostics parameters determine what types of objects must be scanned for viruses:
● al ― scan all files on the specified drive or in the specified directory;
● ar[d|m|r][n] ― scan files in archives (ARJ, CAB, GZIP, RAR, TAR, ZIP, etc.). d - delete, m - move, r - rename archives containing infected objects, n - archiver name output disabled. Archives can be in simple (*.tar) or compressed forms (*.tar.bz2, *.tbz);
● cn[d|m|r][n] ― scan files in containers (HTML, RTF, PowerPoint, ...). d - delete, m - move, r - rename containers containing infected objects, n - container type output disabled;
● ml[d|m|r][n] ― scan files in mailboxes. d - delete, m - move, r - rename mailboxes containing infected objects, n - mailbox type output disabled;
● upn ― scan executable files packed with LZEXE, DIET, PKLITE, EXEPACK with compression type output disabled;
● ex ― diagnostics using file masks (see the FilesTypes parameter in the configuration file);
● ha ― heuristic analysis (search for unknown viruses).

Actions parameters determine what actions must be performed if infected or suspicious files are detected. They include:
● cu[d|m|r] ― cure infected files: d - delete, m - move, r - rename infected files;
● ic[d|m|r] ― actions for incurable files: d - delete, m - move, r - rename incurable files;
● sp[d|m|r] ― actions for suspicious files: d - delete, m - move, r - rename suspicious files;
● adw[d|m|r|i] ― actions for files containing adware: d - delete, m - move, r - rename, i - ignore;
● dls[d|m|r|i] ― actions for dialers: d - delete, m - move, r - rename, i - ignore;
● jok[d|m|r|i] ― actions for joke programs: d - delete, m - move, r - rename, i - ignore;
● rsk[d|m|r|i] ― actions for potentially dangerous programs: d - delete, m - move, r - rename, i - ignore;
● hck[d|m|r|i] ― actions for hacktools: d - delete, m - move, r - rename, i - ignore.

Interface parameters configure Scanner report output and include:
● v, version – output information about product and Engine versions;
● ki – output information about the key file and its owner (in UTF8 encoding only);
● foreground[yes|no] – run Scanner in the foreground or in the background;
● ot ― output information to standard output (stdout);
● oq ― disable information output;
● ok ― display «Ok» for not infected files;
● log=<file> ― logging to the specified file;
● ini=<file> ― use an alternative configuration file;
● lng=<file> ― use an alternative language file. If the English interface was chosen during installation, you may specify the ru_scanner.dwl file to display reports in Russian.

You can use the hyphen «-» postfix to disable the following parameters: -ar, -cu, -ha, -ic, -fl, -ml, -ok, -sd, -sp. For example, with the command

$ drweb -path <path> -ha-

heuristic analysis (enabled by default) will be disabled.

By default (if the Scanner configuration was not customized and no parameters were specified) Scanner starts with the following parameters:

-ar -ha -fl- -ml -sd

The default Scanner parameters (including scan of archives, packed files and mailboxes, recursive search, heuristic analysis, etc.) are sufficient for everyday diagnostics and can be used in typical cases. You can also use the hyphen «-» postfix to disable some parameters, as explained above.

Disabling the scan of archives and packed files will significantly decrease the antivirus protection level, because viruses are distributed in archives (especially self-extracting ones) enclosed in e-mail attachments. Office documents potentially susceptible to infection with macro viruses (Word, Excel) are also dispatched via e-mail in archives and containers. When you run Scanner with default parameters, no cure actions and no actions for incurable and suspicious files are taken. For these actions to be performed, you must specify the corresponding command line parameters explicitly. The set of actions parameters may vary in particular cases. We recommend the following:
● cu ― cure infected files and system areas without deletion, moving or renaming of infected files;
● icd ― delete incurable files;
● spm ― move suspicious files;
● spr ― rename suspicious files.

When Scanner is started with the Cure action specified, it will try to restore the previous state of the infected object. This is possible only if the detected virus is a known virus and cure instructions for it are available in the virus database, though even in this case the cure attempt may fail if the infected file is seriously damaged by the virus.

If infected files are found inside archives, they will not be cured, deleted, moved or renamed. To cure such files you must manually unpack the archives to a separate directory and instruct Scanner to check it.

When Scanner is started with the Delete action specified, it will delete all infected files from disk. This option is suitable for incurable (irreversibly damaged by virus) files.

The Rename action makes Scanner replace the file extension with a certain specified extension (*.#?? by default, i.e. the first extension symbol is replaced with the «#» symbol). Enable this parameter for files of other OS (e.g. DOS/Windows) detected heuristically as suspicious. Renaming helps to avoid accidental startup of executable files in these OS and therefore prevents infection by a possible virus and its further expansion.

With the Move action enabled, Scanner will move infected or suspicious files to the quarantine directory (/var/drweb/infected/ by default). This parameter actually has little value, because infected and suspicious files for other OS cannot bring any damage to a UNIX system, while moving suspicious files of the UNIX system itself can cause system malfunction and failure.

The recommended Scanner command line for everyday use looks as follows:

$ drweb -path <path> -cu -icd -spm -ar -ha -fl- -ml -sd

Such a command line can be saved as a text file and converted into a simple shell script by the following command:

# chmod a+x [file name]

However, default parameters can be changed in the Scanner configuration file, which is described in the next section.
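The recommended everyday command line as a shell script, together with a check of the Scanner report in the format shown at the start of this section, added here as an example rather than taken from the Dr.Web package. The sample report and the virus name Win32.HLLW.Demo in it are constructed; /opt/drweb/drweb is this manual's default path, and the exit codes of the wrapper are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web package: run the everyday scan with
# the parameters the manual recommends and assess the Scanner report.
# Only the report layout shown in section 5.1 is relied upon.

# One number from a summary row "Name : total/in-archives". FIELD 1 is the
# total, FIELD 2 the part found inside archives (0 when the row has no
# slash, e.g. "Cured : 0"). Two rows share a line, so the key is searched
# word by word instead of by column.
summary_field() {
    awk -v key="$1" -v field="$2" '
        { for (i = 1; i < NF; i++)
              if ($i == key && $(i + 1) == ":") {
                  n = split($(i + 2), part, "/")
                  v = (field <= n) ? part[field] : 0
                  print v
                  exit
              } }'
}

# Detection lines precede the report; both "infected [virus] NAME" and
# "infected by NAME" forms are covered, as well as suspicious files.
detected_objects() {
    awk '/ infected / || / suspicious /'
}

# Read a report on stdin, print a one-line verdict plus the objects.
# Exit status (example's own convention): 0 clean, 1 detections,
# 2 detections inside archives. The last case needs manual work, because
# Scanner does not cure, delete, move or rename files inside archives;
# they have to be unpacked to a separate directory and rescanned.
assess_report() {
    report=$(cat)
    infected=$(printf '%s\n' "$report" | summary_field Infected 1)
    suspicious=$(printf '%s\n' "$report" | summary_field Suspicious 1)
    ia=$(printf '%s\n' "$report" | summary_field Infected 2)
    sa=$(printf '%s\n' "$report" | summary_field Suspicious 2)
    infected=${infected:-0}; suspicious=${suspicious:-0}
    in_arch=$(( ${ia:-0} + ${sa:-0} ))
    echo "infected=$infected suspicious=$suspicious in_archives=$in_arch"
    printf '%s\n' "$report" | detected_objects
    if [ "$infected" -eq 0 ] && [ "$suspicious" -eq 0 ]; then
        return 0
    elif [ "$in_arch" -gt 0 ]; then
        return 2
    fi
    return 1
}

# The manual's recommended command line, logged and then assessed.
# Save this file, "chmod a+x" it and run it from cron for a daily scan.
run_scan() {
    target=$1
    log=${2:-/var/drweb/scan-$(date +%Y%m%d).log}
    /opt/drweb/drweb -path "$target" -cu -icd -spm -ar -ha -fl- -ml -sd > "$log" 2>&1
    assess_report < "$log"
}

# Constructed sample report: the eicar line is the one the manual shows;
# the zip path and the name Win32.HLLW.Demo are made up for the example.
SAMPLE_REPORT='/opt/drweb/tmp/attach.zip/readme.exe infected [virus] Win32.HLLW.Demo
/opt/drweb/tmp/eicar.com infected by Eicar Test File (Not a Virus!)
Report for "/opt/drweb/tmp":
Scanned : 34/32 Cured : 0
Infected : 2/1 Removed : 0
Modifications : 0/0 Renamed : 0
Suspicious : 0/0 Moved : 0
Scanning time : 00:00:02 Speed : 5233 KB/s'

case ${1:-} in
    --demo) printf '%s\n' "$SAMPLE_REPORT" | assess_report ;;
    '') ;;
    *) run_scan "$1" "${2:-}" ;;
esac
```

Run with --demo to assess the constructed report (exit status 2, since one of the two infected objects sits inside an archive), or with a path to scan it for real.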

5.2. Configuration

Scanner can be used with default settings, but it is much more convenient to set it up according to your specific requirements and situations. Scanner settings are stored in the configuration file (drweb32.ini by default), which is located in the /etc/drweb/ directory. To use another configuration file, specify the full path to it with a command line parameter, e.g.:

$ /opt/drweb/drweb -ini=/opt/drweb/etc/drweb.ini

A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are described in the order they are presented in the main configuration file.

[Scanner] section.

EnginePath = {path to file, usual extension is *.dll}

Location of the drweb32.dll module (Engine). This parameter is also used by the update utility. Default value:

EnginePath = /opt/drweb/lib/drweb32.dll

VirusBase = {list of paths (masks) to files, usual extension is *.vdb}

Masks for loading virus databases. This parameter is also used by the update utility. Multiple values are allowed. Default value:

VirusBase = /var/drweb/bases/*.vdb,/var/drweb/bases/*.VDB

UpdatePath = {path to directory}

This parameter is used by the update utility (update.pl) and is mandatory. Default value:

UpdatePath = /var/drweb/updates/

TempPath = {path to directory}

Directory in which the Engine creates temporary files. Usually it is not used, but sometimes it becomes necessary for unpacking archives or when the system is short of memory. Default value:

TempPath = /tmp/

LngFileName = {path to the language file, usual extension is *.dwl}

Language file location. Default value:

LngFileName = /opt/drweb/lib/ru_scanner.dwl

Key = {path to license key file, usual extension is *.key}

Key file location (license or demo). Default value:

Key = /opt/drweb/drweb32.key

OutputMode = {Terminal | Quiet}

Information output mode at start: Terminal outputs to the console, Quiet disables output. Default value:

OutputMode = Terminal

HeuristicAnalysis = {Yes | No}

Enable/disable heuristic detection of unknown viruses. Enabling heuristic analysis allows detection of unknown viruses using knowledge about the specific architecture of viral code. The approximate nature of this type of detection is why we speak of «suspicious», not «infected», objects. With this option disabled only known viruses will be detected by Dr.Web. The heuristic analyzer may name some programs «suspicious» by mistake because their code resembles virus structure. Besides, this mode may slightly increase virus scan time. These considerations may lead you to disable heuristic analysis. At the same time, heuristic analysis improves the reliability of antivirus protection. We recommend that you send all files detected by the heuristic analyzer to the developers using http://vms.drweb.com/sendvirus/ (preferably) or via e-mail to newvirus@drweb.com. Follow this procedure to upload files: make a password-protected archive, include the password in the message body and attach the Scanner report. Default value:

HeuristicAnalysis = Yes

ScanPriority = {value}

Scanner process priority. The value must be within the range from –20 (highest priority) to 20 (lowest priority). Default value:

ScanPriority = 0

FilesTypes = {list of extensions}

File types to be checked «by type», i.e. when the ScanFiles parameter (explained below) has the ByType value. The «*» and «?» symbols are allowed. This parameter can be multi-string (the specified lists are summed up). Default value:

FilesTypes = EXE, COM, SYS, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD,
VXD, 386, DLL, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, AR?, ZIP, R??,
PP?, OBJ, LIB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SHS, SHB, PIF, SO, CHM,
REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, BMP, MPP, OCX, DVB, CPY, MSG,
EML

FilesTypesWarnings = {Yes | No}

Notify about files of unknown types. Default value:

FilesTypesWarnings = Yes

ScanFiles = {All | ByType}

Additional restriction for files to be checked. With the ByType value set, only the file extensions specified either by default or in the FilesTypes parameter (or parameters) are considered. Mode All is always enabled for files in mailboxes. The ByType value can be used only in local scan mode. Default value:

ScanFiles = All

ScanSubDirectories = {Yes | No}

Enable/disable scanning of subdirectory contents. Default value:

ScanSubDirectories = Yes

CheckArchives = {Yes | No}

Enable/disable extracting files archived with ZIP (WinZip, InfoZIP, etc.), RAR, ARJ, TAR, GZIP, CAB and other archivers. Default value:

CheckArchives = Yes

CheckEMailFiles = {Yes | No}

Enable/disable checking files in mailboxes. Default value:

ExcludePaths = {list of paths (masks) to be excluded from scan}

Masks for files which should not be checked. Default value:

ExcludePaths = /proc,/sys,/dev

FollowLinks = {Yes | No}

Enable/disable following symbolic links. Default value:

FollowLinks = No

RenameFilesTo = {rename mask}

Mask for renaming infected or suspicious files if the Rename action is specified. For example, when the rename mask looks like #??, the first character of the file extension will be replaced by the «#» symbol, and all other subsequent characters will be preserved. If the file has no extension, the extension will consist only of the «#» symbol. Default value:

RenameFilesTo = #??
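The rename mask rule above implemented in shell, as an added example that is not part of Dr.Web: «?» keeps the extension character at that position, any other mask character is written literally, and (an assumption beyond the text) extension characters past the end of the mask are kept. The file names it renames are constructed.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web package: apply a RenameFilesTo mask
# to a file name as the parameter description explains it. A "?" in the mask
# keeps the extension character at that position; any other mask character
# is written literally; an extension longer than the mask keeps its tail
# (assumption: the text only says later characters are preserved).
apply_rename_mask() {
    name=$1; mask=${2:-"#??"}
    dir=${name%/*}; file=${name##*/}
    if [ "$dir" = "$name" ]; then dir=""; else dir="$dir/"; fi
    case $file in
        *.*) stem=${file%.*}; ext=${file##*.} ;;
        *)   stem=$file; ext="" ;;            # no extension: "#??" yields ".#"
    esac
    newext=""; i=1; n=${#mask}
    while [ "$i" -le "$n" ]; do
        m=$(printf '%s' "$mask" | cut -c"$i")
        if [ "$m" = "?" ]; then
            newext="$newext$(printf '%s' "$ext" | cut -c"$i")"
        else
            newext="$newext$m"
        fi
        i=$((i + 1))
    done
    # characters of an extension longer than the mask are kept unchanged
    newext="$newext$(printf '%s' "$ext" | cut -c"$((n + 1))-")"
    printf '%s\n' "$dir$stem.$newext"
}

# Constructed names, renamed the way the default mask would rename them.
for sample in /var/tmp/attach.exe report.doc archive.tar.gz noext; do
    printf '%s -> %s\n' "$sample" "$(apply_rename_mask "$sample")"
done
```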

MoveFilesTo = {path to directory}

Path to the quarantine directory. Default value:

MoveFilesTo = /var/drweb/infected/

EnableDeleteArchiveAction = {Yes | No}

Enable/disable the Delete action for compound objects (archives, mailboxes, HTML pages) if they contain infected files. Please note: with this option enabled, the whole compound object will be deleted (archive, mailbox, etc.), not only the infected file or message. Use this option carefully! Default value:

EnableDeleteArchiveAction = No

InfectedFiles = {Report | Cure | Delete | Move | Rename | Ignore}

Sets the program reaction when a file infected with a known virus is detected. Allowable parameter values include:
● Report ― output information to the log file;
● Cure ― try to cure the object (only for the InfectedFiles parameter);
● Delete ― delete the infected file;
● Move ― move the file to the directory specified by the MoveFilesTo parameter;
● Rename ― rename the file using the mask specified by the RenameFilesTo parameter;
● Ignore – skip the file.

Default value:

InfectedFiles = Report

The Delete, Move and Rename actions, when specified for archives, containers and mailboxes containing infected files, are applied to the whole archive, container or mailbox!

Similar values are also used for the following parameters:

● ActionAdware — file contains a program for displaying advertisements (adware);
● ActionDialers — file contains a dialer program;
● ActionJokes — file contains a joke program, which can frighten or irritate the user;
● ActionRiskware — file contains a dangerous program, which can be used not only by its legitimate user but also by an intruder;
● ActionHacktools — file contains a hacking tool;
● ActionInfectedMail ― mailbox contains an infected file;
● ActionInfectedArchive ― archive (ZIP, TAR, RAR, etc.) contains an infected file;
● ActionInfectedContainer ― container (OLE, HTML, PowerPoint, etc.) contains an infected file.

For all these parameters the same values as for the InfectedFiles parameter (except for the Cure action) can be specified. Default value for each parameter:

SuspiciousFiles = Report
IncurableFiles = Report
ActionAdware = Report
ActionDialers = Report
ActionJokes = Report
ActionRiskware = Report
ActionHacktools = Report
ActionInfectedMail = Report
ActionInfectedArchive = Report
ActionInfectedContainer = Report

LogFileName = {path to log file}

Log file name. You can specify syslog as the log file name, and logging will then be carried out by the syslogd system service. In this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several files for logging various events of different importance, these two parameters and the syslogd configuration file (usually /etc/syslogd.conf) determine the location where information is logged. Default value:

LogFileName = syslog

SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}

Log type when the syslogd system service is used for activity logging (please refer to the syslog documentation for further details). Default value:

SyslogFacility = Daemon

SyslogPriority = {Alert | Warning | Notice | Info | Error}

Log priority when the syslogd system service is used. Default value:

SyslogPriority = Info

LimitLog = {Yes | No}

Enable/disable the limit for the log file size. When LogFileName = syslog, the parameter value is ignored. When Scanner is started, it checks the log file size, and if it exceeds the MaxLogSize parameter value, the log file contents are cleared and the log file is started from scratch. Default value:

LimitLog = No

MaxLogSize = {value in Kbytes}

Maximum log file size. Can be used with LimitLog = Yes only. Default value:

MaxLogSize = 512

LogScanned = {Yes | No}

Enable/disable logging of information about all scanned objects, not only about infected and suspicious ones. Default value:

LogScanned = Yes

LogPacked = {Yes | No}

Enable/disable logging of additional information about files packed with DIET, PKLITE and other utilities. Default value:

LogPacked = Yes

LogArchived = {Yes | No}

Enable/disable logging of additional information about files archived with various archiving utilities. Default value:

LogArchived = Yes

LogTime = {Yes | No}

Enable/disable logging of the time for each record. The parameter is not used if LogFileName = syslog. Default value:

LogTime = Yes

LogStatistics = {Yes | No}

Enable/disable logging of total scan statistics. Default value:

LogStatistics = Yes

RecodeNonprintable = {Yes | No}

Nonprintable characters output mode for the given terminal. Default value:

RecodeNonprintable = Yes

RecodeMode = {Replace | QuotedPrintable}

Decoding mode for nonprintable characters if RecodeNonprintable = Yes. When RecodeMode = Replace, all nonprintable characters are substituted with the RecodeChar parameter value (see below). When RecodeMode = QuotedPrintable, all nonprintable characters are converted to Quoted Printable format. Default value:
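Both RecodeMode settings applied to an object name before it is written to a log record, as an added shell example not taken from Dr.Web. It assumes bytes outside 0x20..0x7E are nonprintable, that RecodeChar defaults to «?», and that QuotedPrintable also escapes «=» itself, as the Quoted Printable format requires; the file names it processes are constructed.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web package: reproduce what the
# RecodeNonprintable / RecodeMode settings do to an object name before it
# is logged. Assumptions: a byte is printable when it lies in 0x20..0x7E;
# Replace substitutes RecodeChar (assumed default "?") for every other
# byte; QuotedPrintable writes it as =XX and also escapes "=" itself.
# Either mode keeps control characters in attacker-chosen file names out
# of the log, where a raw newline could forge a second, fake record.
recode_name() {
    name=$1; mode=${2:-Replace}; rchar=${3:-"?"}
    out=""
    # od yields one decimal value per byte, so multibyte names are handled
    # byte by byte (and therefore escaped) rather than mangled.
    for b in $(printf '%s' "$name" | od -An -tu1 -v); do
        if [ "$b" -ge 32 ] && [ "$b" -le 126 ] &&
           { [ "$mode" != QuotedPrintable ] || [ "$b" -ne 61 ]; }; then
            out="$out$(printf "\\$(printf '%03o' "$b")")"   # printable, as-is
        elif [ "$mode" = QuotedPrintable ]; then
            out="$out$(printf '=%02X' "$b")"                 # =09, =3D, =C3 ...
        else
            out="$out$rchar"
        fi
    done
    printf '%s\n' "$out"
}

# One Scanner-style log record with the name sanitised first.
# Usage: log_record NAME VERDICT [MODE]
log_record() {
    printf '%s %s\n' "$(recode_name "$1" "${3:-Replace}")" "$2"
}

# Constructed names: a tab, an embedded newline and an "=" sign.
for mode in Replace QuotedPrintable; do
    log_record "$(printf 'report\tQ1.doc')" 'infected [virus] X' "$mode"
    log_record "$(printf 'evil\n/etc/hosts infected [virus] Fake')" 'suspicious' "$mode"
    log_record 'a=b.exe' 'infected [virus] Y' "$mode"
done
```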
