Avira AntiVir Server | Unix Avira AntiVir Professional | Unix User Manual
Contents
1 About this Manual
1.1 Introduction
1.2 The Structure of the Manual
1.3 Signs and Symbols
1 About this Manual
In this chapter you can find an overview of the structure and contents of this manual. After a short introduction, you can read information about the following issues:
• The Structure of the Manual – Page 3
• Signs and Symbols – Page 4
1.1 Introduction
We have included in this manual all the information you need about Avira AntiVir Server/ Professional, and it will guide you step by step through installation, configuration and operation of the software.
1.3 Signs and Symbols
The manual uses the following signs and symbols:
Symbol Meaning
... shown before a condition that must be met prior to performing an action.
... shown before a step you have to perform.
... shown before the result that directly follows the preceding action.
... shown before a warning if there is a danger of critical data loss or hardware damage.
... shown before a note containing particularly important information, e.g. on the steps to be followed.
2 Product Information You are responsible for numerous workstations and servers in your network but you are only human. The servers are the heart of the network. So if viruses can freely penetrate and spread on your servers, your network is only a step away from breakdown. This is where AntiVir products for servers come in. UNIX computers are more often used as file servers or email gateway servers. Thus they transfer and store files that have no connection to UNIX, e.g.
2.1 Features AntiVir Server/ Professional offers you extensive configuration possibilities to keep control of your network. The current features of AntiVir Server/ Professional are: • Easy installation, using the installation script. • Command Line Scanner (on demand): Configurable on-demand search for all known malware types (viruses, Trojans, backdoor programs, hoaxes, worms etc.
Self-Integrity Check
Each AntiVir executable binary is signed and performs a self-integrity check during startup. This check cannot protect against forgery (e.g. it cannot tell whether the complete package has been faked) or against crafted attacks (e.g. one that bypasses the function call performing the self-integrity check). Such verification has to be performed from outside the package.
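Verification "from outside the package" means checking the archive with a tool that is not part of the archive, before it is unpacked or installed. The following script is an added example and not Avira's code or part of this manual: it compares the SHA-256 digest of a downloaded archive with a digest obtained over a separate trusted channel. The page does not say how Avira publishes such reference values; the archive path and the expected digest in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Avira manual): verify a downloaded AntiVir
# archive from outside the package by comparing its SHA-256 digest with a
# value obtained separately (e.g. read from the vendor's website over HTTPS).
# Assumptions: a reference digest is available; the paths below are placeholders.

# sha256_of FILE: print the SHA-256 digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_package FILE EXPECTED_SHA256
# Returns 0 when the digest matches, 1 on mismatch, 2 if the file is missing.
# The comparison happens before anything inside the archive is executed, so a
# tampered archive cannot influence the outcome of its own check.
verify_package() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual, expected $expected)" >&2
    return 1
}

# Usage (archive name and digest are placeholders, not values from the manual):
#   verify_package /tmp/antivir-server-prof.tgz <digest-from-trusted-channel> && tar xzf /tmp/antivir-server-prof.tgz
```

Only unpack and run `./install` after `verify_package` returns 0; the digest has to come from somewhere other than the download itself, otherwise the check proves nothing.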
- Red Hat Enterprise Linux 5 Server
- Red Hat Enterprise Linux 4 Server
- Novell SUSE Linux Enterprise Server 10 - 10.
3 Installation You can find the current version of Avira AntiVir Server/ Professional on our website www.avira.com. AntiVir is supplied as a packed archive. It contains AntiVir Engine, Guard, Command Line Scanner and the Avira Updater. You will be guided step by step throughout the installation procedure.
You can easily acquire Avira AntiVir Server/ Professional using our Online Shop (for details, visit http://www.avira.com).
Copying the License File
Copy the license file hbedv.key to the installation directory on your system, /tmp/antivir-server-prof- or /tmp/antivir-workstation-prof-. You can also perform the installation without having a license key from the beginning. You can copy the license file at any time to the AntiVir program directory /usr/lib/AntiVir/guard.
Please note the dot and slash in the command syntax. Typing the command without this path specification leads to a different command that has nothing to do with the AntiVir installation, which would result in error messages and unwanted actions. Press q to close the license text view. The installation script starts. After you agree with the license terms, it will copy the program files. The installer can read an existing license key:
Do you agree to the license terms? [n] y
creating /usr/lib/AntiVir/guard .
If you selected daily updates, you can specify the time of day when the updates should start:
The AntiVir Updater can be set to always check for updates at a particular time of day. This is specified in a HH:MM format (where HH is the hour and MM is the minutes). If you do not have a permanent connection, you may set it to a time when you are usually online.
available option: HH:MM
What time should updates be done [00:15]?
Press Enter or set another time first.
The installer then reads /etc/fstab, to check the directories to be mounted as dazukofs. If no entry is found, it asks you to enter one directory to be scanned by the Guard: Guard will automatically protect all directories which are mounted upon dazukofs filesystem.
The automatic system start is configured:
setting up boot script ... done
installation of AVIRA Guard complete
Then the script can install the optional plug-in for Avira Security Management Center:
4) activate SMC support
The AntiVir Security Management Center (SMC) requires this feature.
Would you like to activate the SMC support? [y]
If you are using Avira SMC, type y or confirm with Enter. The plug-in is installed and the installation process is complete.
or, for AntiVir Professional:
cd /tmp/antivir-workstation-prof-
Type:
./install
The installation script proceeds as described in Installing AntiVir – Page 10. Make the changes you need during the installation procedure. AntiVir is installed with the required features.
Uninstalling AntiVir
You can use the uninstall script, located in the temporary AntiVir directory, to remove Avira AntiVir Server/ Professional.
3.5 Integration in AMaViS "A Mail Virus Scanner (AMaViS)" project (http://www.amavis.org/) is already prepared for integration with the AntiVir Scanner. You can either install AMaViS after installing AntiVir, for automatic detection, or explicitly activate AntiVir support during AMaViS installation using the option --enable-all or --enable-hbedv for the command ./configure. Please note that AMaViS uses the Command Line Scanner and runs it as a separate process for every message.
4 Configuration You can adjust AntiVir Server/ Professional for optimum performance. You can make the main adjustments immediately after installation. The most common settings are suggested. You can modify these settings anytime, to adjust the product to your requirements. After a short overview, you will be guided step by step through the configuration process: • Description of the configuration files: - Configuration of AntiVir Guard in avguard.
When set to auto, Guard determines at startup whether the system has dazuko/dazukofs support and, if so, uses it to provide on-access protection automatically. If you set it to no, or the system has no dazuko/dazukofs support, Guard will not provide any on-access protection; in this case only the on-demand scanner (avscan) can be used. All on-access options are inactive if you disable the Guard. For on-demand scanner options, check the avscan.conf file.
Alert Conditions
Alert Actions Based on Configurable Conditions: You can set actions based on the reported alert condition (e.g. for encrypted files or archives that are tagged as suspicious). Specific alert actions are only available for scan result flags that are supported by Savapi. If multiple alert flags trigger simultaneously, the action with the highest escalation level takes precedence. Depending on the configured action, the alert is treated as follows:
• ignore - the alert is ignored.
You can specify only one folder per IncludePath entry. You can enter more folders by repeating the entry for each one. Example:
IncludePath /var/tmp
IncludePath /tmp
If no folder is specified, AntiVir Guard will not start! Dazuko3 ignores this option. It is therefore not advisable to use it in conjunction with Dazuko3. AntiVir Guard will otherwise fail to start.
ExcludeExt
Excluded file extensions: This option allows you to specify file extensions that should be excluded from on-access scanning.
ExcludeExt [spec]
where [spec] is a colon-separated list of file extensions, e.g. exe:bat:com.
Default: ExcludeExt NONE
TemporaryDirectory
Temporary location of Guard files: Temporary files of the Guard are written to this directory. Example:
TemporaryDirectory /tmp
Note: Please make sure that there is sufficient disk space, i.e.
amount of memory when decompressed. A value of zero means all archives are completely decompressed, regardless of their compression rate.
Default: ArchiveMaxRatio 150
ArchiveMaxCount
Number of files in an archive: Archive scanning is limited to a given number of files within a recursion level. A value of zero means no limit is set.
External Program
Please use this feature with extreme caution! Check your external programs for correctness and keep in mind that an attacker might use crafted file names (containing spaces, commands, etc.) to inject arguments into your external program.
Starting External Programs When Suspicious Files Are Found: AntiVir Guard can start an external program when a virus or an unwanted program is found. This can send a notification or perform an action using AntiVir Guard options.
There are no status reports on the invocation of external programs.
EmailTo
Email messages: AntiVir Guard can send emails when it detects viruses or unwanted programs. There is no default setting. You must set up your mail daemon and specify a recipient in order to send emails:
EmailTo root@localhost
Suppress Notification Below
Filtering email notifications as required: This option can exclude certain messages, when notifications are sent, according to their priority level.
• hiddenext - a file with an executable extension, hidden behind a harmless one.
• joke - a harmless joke program, present as a file.
• pck - a file compressed with an unusual runtime compression tool.
• phish - faked emails that are supposed to prompt the victim to reveal confidential information such as user accounts, passwords or online-banking data on certain websites.
AlertAction
Action when detecting viruses or unwanted programs: If RepairConcerningFiles is not set or repair is not possible, access to the file is blocked and the action is logged. The following options define the actions of the CLS (check the user permissions!):
• none or ignore: no further action
• rename or ren: rename the file by adding the .XXX extension.
• delete or del: delete the concerning file.
TemporaryDirectory
Temporary location of CLS files: Temporary files of the CLS are written to this directory. Example:
TemporaryDirectory /tmp
FollowSymlink
Setting the on-demand scanner behavior for symlinks: Symbolic links are followed by default. You can use this option to change the behavior.
FollowSymlink yes
ScanMode
Configuring files to be scanned: This entry sets the procedure to determine whether a file is to be scanned or not.
ArchiveMaxCount
Number of files in an archive: Archive scanning is limited to a given number of files within a recursion level. A value of zero means no limit is set.
Default: ArchiveMaxCount 0
You can speed up the archive scanning process by adjusting the settings manually:
ARCHIVE_MAX_RECURSION 1
ARCHIVE_MAX_COUNT 10
ARCHIVE_MAX_SIZE 1000KB
The reliability of the scan will not be affected.
You can use macros (preceded by %) to pass the results as arguments to the external program. Thus the data can be treated differently and adjusted to the local conditions.
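The warning under External Program and the macro mechanism just described are two sides of the same risk: whatever Guard substitutes into the command line (a file path, a detection name) is attacker-influenced data, because the attacker chose the file name. The script below is an added example, not part of the Avira manual or of the product: a notification hook written so that its arguments can never be interpreted as commands. It assumes Guard is configured to pass the file path as the first argument and the detection name as the second; the avguard.conf key and the macro names are not shown on this page and must be taken from the real configuration file, and the log path is made up.

```shell
#!/bin/sh
# Added example, not part of the Avira manual: a hook that Guard could be
# configured to start when it finds a file. Assumptions: the file path arrives
# as $1 and the detection name as $2 (via Guard's % macros); the log path is
# invented. Both values are treated purely as data throughout.

# sanitize STRING: replace every non-printable byte (newline, tab, escape
# sequences) with '?', so a crafted file name cannot forge extra log lines.
sanitize() {
    printf '%s' "$1" | tr -c '[:print:]' '?'
}

# log_detection FILE DETECTION
# Each argument is only ever expanded inside double quotes and handed to
# printf as a %s operand. Nothing here calls eval, sh -c, or an unquoted $var,
# so spaces, quotes, semicolons or $(...) in the file name stay literal text.
log_detection() {
    [ "$#" -eq 2 ] || { echo "usage: log_detection FILE DETECTION" >&2; return 2; }
    logfile=${AV_HOOK_LOG:-/var/log/avira-hook.log}    # assumed path
    printf '%s detection=%s file=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(sanitize "$2")" \
        "$(sanitize "$1")" >> "$logfile"
}

# Entry point when Guard runs this file as the external program.
if [ "$#" -eq 2 ]; then
    log_detection "$1" "$2"
fi
```

If the hook has to pass the file name on to another tool, keep the same discipline: pass it as a separate quoted argument after `--`, never by building a command string.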
DetectPrefixes
Detection of other types of unwanted programs: Besides viruses, there are other types of harmful or unwanted software. You can activate their detection using the following options. Virus detection is not optional and cannot be deactivated. The available categories are:
• adspy - software that displays advertising pop-ups, or software that very often sends user-specific data to third parties without the user's consent and might therefore be unwanted.
backend. Usually, you don't have to change the options in this file, but there might be a few exceptions.
SyslogFacility
Facility used when logging.
SyslogFacility user
ReportLevel
The scanner can be set to log on different levels:
• 0 - Log errors
• 1 - Log errors and alerts
• 2 - Log errors, alerts and warnings
• 3 - Log errors, alerts, warnings and debug messages
"alerts" means information about potential malicious code.
Default: ReportLevel 0
LogFileName
Path to the scanner logfile.
AlertURL
install-dir=/usr/lib/AntiVir/guard
temp-dir
Temporary directory for downloading update files.
temp-dir=/tmp/avira_update/guard
HTTP proxy settings
proxy...
If you use an HTTP proxy server for Internet updates, you have to provide the following data:
proxy-host=
proxy-port=
proxy-username=
proxy-password=
Setting update email reports
All reports on AntiVir updates are sent to the email address given in avupdate-guard.conf:
smtp...
Authentication for the SMTP connection.
4.2 Testing AntiVir Server/ Professional
After completing the installation and configuration, you can test the functionality of Avira AntiVir Server/ Professional using a test virus. This will not cause any damage, but it will force the security program to react when the computer is scanned.
Testing AntiVir Guard with a Test-Virus
Go to http://www.eicar.org. Read the information about the test virus eicar.com. Download the test virus to your computer (for example, into a directory named /TEST).
5 Operation
After concluding installation and configuration, AntiVir Guard guarantees continuous scanning on your system. During operation, there may be the need for occasional changes in Configuration – Page 17. In addition, a manual scan for viruses or unwanted programs might be needed. This is where you can use AntiVir Command Line Scanner. This program enables scanning of many specific targets. AntiVir Command Line Scanner can be integrated into scripts and also regularly activated by cron jobs.
--archive-max-count-action=
Alert action for the above condition. It can be set to ignore, warn, block or alert. See “Alert Conditions” on page 19.
--archive-max-ratio=
Limits the archive or mailbox ratio. The Guard does not scan beyond the configured limits.
--archive-max-ratio-action=
Alert action for the above condition. It can be set to ignore, warn, block or alert. See “Alert Conditions” on page 19.
--archive-max-recursion=
Limits the archive or mailbox recursion.
-C
Use a specific configuration file instead of the default one.
--detect-prefixes=
Specifies which kinds of malware or unwanted software should be detected. (Virus detection is always active.) Accepts a whitespace- or colon-separated list of "[=]".
--detect-prefixes='adspy=yes:joke=no:spr: bdc'
To scan for all types of malware: --detect-prefixes=alltypes
See the list of accepted types at DetectPrefixes – Page 24.
--scan-in-mbox[=]
Enables or disables recursion into archive mailbox. By default on.
--scan-incomplete-action=
Alert action in case of incomplete scan. It can be set to ignore, warn, block or alert. See “Alert Conditions” on page 19.
--scan-mode=
Instructs the scanner how a sample should be scanned. ScanMode {all|smart|ext}
--send-snmp-traps=yes|no
Enables or disables SNMP traps. Default: no.
--archive-max-count=
Sets a limit to the number of files in an archive or mailbox that will be scanned by the Guard. Guard will stop scanning at the set number of files.
--archive-max-ratio=
Limits the archive or mailbox ratio. The CLS does not scan beyond the configured limits.
--archive-max-recursion=
Limits the archive or mailbox recursion. The CLS does not scan beyond the configured limits.
--archive-max-size=
Limits the archive or mailbox size.
--exclude-pattern=
Specifies what to exclude from scanning (a comma-separated list of PCRE (Perl-compatible) regular expressions, using absolute paths). Example:
--exclude-pattern="^/tmp/TEST/"
Warning: Please take into account that filenames are normalized before the pattern match is applied. Therefore, parts of the pathname may also trigger an unwanted match if the expression is not written carefully.
Note: When scanning symbolic links, the files they point to are matched.
--query-statistics
In scheduler mode avscan queries the database and shows statistics about the last scheduled scan and overall scheduled scan results. Note: This option must not be invoked at the same time as --scan-scheduled-files.
--quarantine-dir=
Specifies the quarantine directory for infected files.
-s
This option enables recursive scanning of all subdirectories within a specified path.
--scan-continue-file=
In scheduler mode, avscan resumes an aborted scheduled scan.
-v --verbose
Set verbose mode on. This option should be used in exceptional cases only, for example after a virus detection/removal.
--version
Prints version information.
Exit Codes
AntiVir Command Line Scanner issues exit codes after operation. UNIX users can include them in scripts.
Exit Code Meaning
0 Normal program termination, nothing found, no error.
1 Found concerning file.
3 Suspicious file found.
4 Warnings were issued.
249 Scan process not completed.
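The exit code table is what makes the Command Line Scanner usable from scripts and cron jobs, as the Operation chapter says. The wrapper below is an added example and not part of the Avira manual or product: it maps each documented exit code to a message, logs it, and returns non-zero only when an operator should look at the result, so a cron job built on it sends mail only for findings, warnings and aborted scans rather than after every clean run. The avscan command line in the comment is the manual's own example; the syslog tag and the script path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Avira manual: run the Command Line Scanner
# from cron and act on its exit code. Assumptions: the syslog tag and the
# script path are invented; the exit codes are the ones documented above.

# describe_exit CODE: prints the meaning of an avscan exit code.
describe_exit() {
    case $1 in
        0)   echo "normal termination, nothing found, no error" ;;
        1)   echo "concerning file found" ;;
        3)   echo "suspicious file found" ;;
        4)   echo "warnings were issued" ;;
        249) echo "scan process not completed" ;;
        *)   echo "undocumented exit code $1" ;;
    esac
}

# needs_attention CODE: true (0) for every code except a clean run. An
# aborted scan (249) counts, because it means part of the tree was not checked.
needs_attention() {
    [ "$1" -ne 0 ]
}

# run_scan SCANNER [ARGS...]: run the scanner, record the outcome via syslog
# (falling back to stderr), and return 1 when the result needs attention.
# The if/else captures a non-zero scanner status without tripping set -e.
run_scan() {
    scanner=$1
    shift
    if "$scanner" "$@"; then rc=0; else rc=$?; fi
    msg="avscan exit $rc: $(describe_exit "$rc")"
    logger -t avscan-cron "$msg" 2>/dev/null || echo "$msg" >&2
    if needs_attention "$rc"; then
        echo "$msg"
        return 1
    fi
    return 0
}

# Example crontab entry (script path assumed), scanning the manual's example
# targets nightly; cron mails the output only when run_scan prints something:
#   30 2 * * * root /usr/local/sbin/avscan-cron.sh
# where the script's last line would be:
#   run_scan avscan --scan-mode=all -s --scan-in-archive /var /mnt
```

Treating every non-zero code, including 249, as "needs attention" is the conservative choice: a scan that stopped early is not a clean scan, and silently accepting it would hide exactly the runs an administrator should know about.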
--scan-mode=all Scans all files.
-s Scans all subfolders.
--scan-in-archive Scans packed files, too.
If your DOS partitions are in /mnt and the incoming and outgoing files are in /var, use the command:
avscan --scan-mode=all -s --scan-in-archive /var /mnt
Example: Deleting Infected Files
Avira AntiVir Server/ Professional can delete files which contain viruses or unwanted programs. Optionally, AntiVir can first try to repair these files. Otherwise, the program will delete them completely; i.e.
Submit Infected Files to Avira GmbH
Please send us the viruses, unwanted programs and suspicious files that our product does not yet recognize or detect. Send us the virus or unwanted program packed in a password-protected archive (PGP, gzip, WinZIP, PKZip, Arj) attached to an email message to virus@avira.com. When packing, use the password virus. This way the file will not be deleted by virus scanners on the email gateway.
6 Updates With Avira Updater you can update Avira software on your computers, using Avira update servers. The program can be configured either by editing the configuration file (see 4.1.4 Configuration of Avira Updater in avupdate-guard.conf), or by using parameters in the command line. It is recommended to run the Updater as root. If the Updater does not run as root, it does not have the necessary rights to restart AntiVir daemons, so the restart has to be made manually, as root.
If successful, a report will appear in the logfile /var/log/avupdate.
7 The Dazuko Kernel Module Dazuko kernel module is required by all platforms, for allowing the on-access scanner AntiVir Guard to run. AntiVir Server/ Professional can be installed even without dazuko, but in this case it will run without AntiVir Guard. For using AntiVir Server/ Professional (Unix) v.3 with AntiVir Guard, we recommend and support dazuko3/dazukofs.
cd /tmp/antivir-server-prof-/contrib/dazuko/dazuko-
Check the configuration of your computer with the configure script. This information will provide appropriate guidance for further installation of the software:
./configure
Compile Dazuko:
make
Optionally, verify that the newly built module works with the computer's running kernel:
make test
Depending on your operating system, you will receive the file dazuko.o or dazuko.ko in the temporary directory.
This will prevent apache from using the sendfile() system call. Dazukofs also currently does not support writing via the mmap() system call. This may lead to problems (data loss at worst) if applications rely on memory mapped writing.
8 Service 8.1 Support Support Service Our website http://www.avira.com contains all the necessary information on our extensive support service. The expertise and experience of our developers is available to you. The experts of Avira answer your questions and help you with difficult technical problems. During the first 30 days after you have purchased a license, you can use our AntiVir Installation Support by phone, email or by online form.
8.2 Online Shop
Would you like to buy our products with a mouse-click? You can visit Avira Online Shop at http://www.avira.com and buy, upgrade or extend AntiVir licenses quickly and safely. The Online Shop guides you step by step through the order menu. A multi-lingual Customer Care Center explains the order process, payment transactions and delivery. Resellers can order by invoice and use a reseller panel.
9 Appendix
9.1 Glossary
Item Meaning
Backdoor (BDC) A backdoor is a program infiltrated in order to steal data or to control the computer without the user's knowledge. This program is manipulated by third parties using a backdoor client via the Internet or local network.
cron (daemon) A daemon which starts other programs at specified times.
Daemon A background process for administration on UNIX systems. On average, there are about a dozen daemons running on a computer.
SMTP Simple Mail Transfer Protocol: protocol for email transmission on the Internet.
SNMP Simple Network Management Protocol: SNMP is used by network management systems to monitor network-attached devices for events that require administrative attention.
syslog daemon A daemon used by programs for logging various information. These reports are written to different logfiles. The syslog daemon configuration is in /etc/syslog.conf.
9.3 Golden Rules for Protection Against Viruses Always keep boot floppy-disks for your network server and for your workstations. Always remove floppy disks from the drive after finishing the work. Even if they have no executable programs, disks can contain program code in the boot sector and these can serve to carry boot sector viruses. Regularly back up your files. Limit program exchange: particularly with other networks, mailboxes, Internet and acquaintances.
Avira AntiVir Server | Unix Avira AntiVir Professional | Unix www.avira.com Avira GmbH Lindauer Str. 21 88069 Tettnang Germany Telephone: +49 (0) 7542-500 0 Fax: +49 (0) 7542-525 10 Internet: http://www.avira.com AntiVir® is a registered trademark of the Avira GmbH. All other brand and product names are trademarks or registered trademarks of their respective owners. Protected trademarks are not marked as such in this manual. However, this does not mean that they may be used freely. © Avira GmbH.