F-SECURE ANTI-VIRUS LINUX SERVER SECURITY Administrator's Manual

F-Secure Anti-Virus
Linux Server Security
Administrator's Guide

Summary of Contents for F-SECURE ANTI-VIRUS LINUX SERVER SECURITY

  • Page 1 F-Secure Anti-Virus Linux Server Security Administrator’s Guide...
  • Page 2 Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. F-Secure Corporation reserves the right to modify specifications cited in this document without prior notice.
  • Page 3: Table Of Contents

    Introduction Welcome ........................6 How the Product Works ....................6 Key Features and Benefits................... 9 F-Secure Anti-Virus Server and Gateway Products........... 11 Chapter 2 Deployment Deployment on Multiple Stand-alone Linux Workstations.......... 14 Deployment on Multiple Centrally Managed Linux Workstations ....... 14 Central Deployment Using Image Files..............
  • Page 4 3.10 Uninstallation......................30 Chapter 4 Getting Started Accessing the Web User Interface................32 Basics of Using F-Secure Policy Manager..............32 Testing the Antivirus Protection ................. 33 Chapter 5 User Interface - Basic Mode Summary ........................35 Common Tasks ......................36 Chapter 6 User Interface - Advanced Mode Alerts ..........................
  • Page 5 7.2.2 dbupdate......................74 Firewall Protection...................... 74 7.3.1 fsfwc ....................... 75 Integrity Checking ...................... 75 7.4.1 fsic ........................75 7.4.2 fsims ....................... 76 General Command Line Tools ................... 76 7.5.1 fssetlanguage ....................76 7.5.2 fsma........................ 77 7.5.3 fsav-config ...................... 78 Appendix A Installation Prerequisites A.1 All 64-bit Distributions ....................
  • Page 6 Appendix E Troubleshooting E.1 User Interface......................94 E.2 F-Secure Policy Manager................... 95 E.3 Integrity Checking ...................... 95 E.4 Firewall........................97 E.5 Virus Protection......................99 E.6 Generic Issues ......................99 Appendix F Man Pages Appendix G Config Files G.1 fsaua_config......................172 G.2 fssp.conf........................177 Technical Support Introduction ........................
  • Page 7: Introduction

    INTRODUCTION Welcome..................6 How the Product Works..............6 Key Features and Benefits ............9 F-Secure Anti-Virus Server and Gateway Products ....11...
  • Page 8: Welcome

    The solution can be easily deployed and managed either using the local graphical user interface or F-Secure Policy Manager. F-Secure Policy Manager provides a tightly integrated infrastructure for defining and distributing security policies and monitoring the security of different applications from one central location.
  • Page 9 Automatic Updates Automatic Updates keep the virus definitions always up-to-date. The virus definition databases are updated automatically after the product has been installed. The virus definitions updates are signed by the F-Secure Anti-Virus Research Team. Host Intrusion Prevention System The Host Intrusion Prevention System (HIPS) detects any malicious activity on the host, protecting the system on many levels.
  • Page 10 Firewall The firewall component is a stateful packet filtering firewall which is based on Netfilter and Iptables. It protects computers against unauthorized connection attempts. You can use predefined security profiles which are tailored for common use cases to select the traffic you want to allow and deny.
  • Page 11: Key Features And Benefits

    CHAPTER 1 Introduction Key Features and Benefits › Superior Protection against Viruses and Worms: The product scans files on any Linux-supported file system. This is the optimum solution for computers that run several different operating systems with a multi-boot utility. ›...
  • Page 12 The product has extensive monitoring and alerting functions that Options can be used to notify any administrator in the company network about any infected content that has been found. › Alerts can be forwarded to F-Secure Policy Manager Console, e-mail and syslog.
  • Page 13: F-Secure Anti-Virus Server And Gateway Products

    CHAPTER 1 Introduction F-Secure Anti-Virus Server and Gateway Products The F-Secure Anti-Virus product line consists of workstation, file server, mail server and gateway products. › F-Secure Messaging Security Gateway delivers the industry's most complete and effective security for e-mail. It combines a...
  • Page 14 › F-Secure Anti-Virus for MIMEsweeper provides a powerful anti-virus scanning solution that tightly integrates with Clearswift MAILsweeper and WEBsweeper products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web, giving the corporation the powerful combination of complete content security.
  • Page 15: Chapter 2 Deployment

    DEPLOYMENT Deployment on Multiple Stand-alone Linux Workstations ..14 Deployment on Multiple Centrally Managed Linux Workstations 14 Central Deployment Using Image Files........15...
  • Page 16: Deployment On Multiple Stand-Alone Linux Workstations

    Console. After the installation on a host has completed, the host sends an autoregistration request to F-Secure Policy Manager. You can monitor with F-Secure Policy Manager Console which of the hosts have sent an autoregistration request. Deployment on Multiple Centrally Managed Linux...
  • Page 17: Central Deployment Using Image Files

    CHAPTER 2 Deployment Central Deployment Using Image Files When the company has a centralized IT department that installs and maintains computers, the software can be installed centrally on all workstations. The recommended way to deploy the product is to create an image of a Linux workstation with the product preinstalled.
  • Page 18: Installation

    INSTALLATION System Requirements ..............17 Installation Instructions............... 18 Upgrading from a Previous Product Version ......24 Upgrading the Evaluation Version ..........25 Replicating Software Using Image Files........26 Preparing for Custom Installation ..........26 Creating a Backup..............29 Uninstallation................30...
  • Page 19: System Requirements

    CHAPTER 3 Installation System Requirements Operating system: › Novell Linux Desktop 9 › SUSE Linux 9.0, 9.1, 9.2, 9.3, 10, 10.1, 10.2 › Ubuntu 5.10 (Breezy), 6.06 (Dapper Drake) › SUSE Linux Enterprise Server 8, 9, 10 › SUSE Linux Enterprise Desktop 10 ›...
  • Page 20: Installation Instructions

    “right-mouse click” function. For installation instructions, see “Stand-alone Installation”, 19. › Centrally Managed installation. The product is installed locally, and it is managed with F-Secure Policy Manager that is installed on a separate computer.
  • Page 21: Stand-Alone Installation

    1. Copy the installation file to your hard disk. Use the following command to extract the installation file: tar zxvf f-secure-linux-server-security-<version>.<build>.tgz 2. Make sure that the installation file is executable: chmod a+x f-secure-linux-server-security-<version>.<build>...
  • Page 22 4. Select the language you want to use in the web user interface during the installation. Select language to use in Web User Interface [1] English (default) [2] Japanese [3] German 5. The installation displays the license agreement. If you accept the agreement, answer press to continue.
  • Page 23: Centrally Managed Installation

    “Installation Prerequisites”, 79. When you install the product in centrally managed mode, you must first have F-Secure Policy Manager installed on a separate computer. For F-Secure Policy Manager Console installation instructions, see the F-Secure Policy Manager Administrator’s Guide. IMPORTANT: Before you start the installation, you have to copy the admin.pub key from F-Secure Policy Manager to the computer...
  • Page 24 ENTER 7. Type to select the centrally managed installation. 8. Enter the address of the F-Secure Policy Manager Server. Address of F-Secure Policy Manager Server: [http://localhost/]: 9. Enter the location of the admin.pub key. This is the key that you created during F-Secure Policy Manager Console Installation.
  • Page 25 Select Installation Packages in the Tools menu. b. Select to import the fsav_linux_*_mib.jar file. 17. The product receives the policy file from the F-Secure Policy Manager within 10 minutes after the installation. If you do not want to wait for the policy file, run the following command: /etc/init.d/fsma fetch...
  • Page 26: Upgrading From A Previous Product Version

    If you have an earlier version, upgrade it to 5.20 first, or uninstall it before you install the latest version. The uninstallation preserves all settings and the host identity, so you do not need to import the host to the F-Secure Policy Manager again. For more information, see “Uninstalling Earlier...
  • Page 27: Upgrading The Evaluation Version

    CHAPTER 3 Installation Uninstalling Earlier Version If you have version 5.x, run the following command from the command line to uninstall it: /opt/f-secure/fsav/bin/uninstall-fsav. If you have version 4.x, remove the following directories and files to uninstall it: /opt/f-secure/fsav/ /var/opt/f-secure/fsav/ /etc/opt/f-secure/fsav/ /usr/bin/fsav /usr/share/man/man1/fsav.1...
  • Page 28: Replicating Software Using Image Files

    1. Install the system and all the software that should be in the image file, including the product. 2. Configure the product to use the correct F-Secure Policy Manager Server. However, do not import the host to F-Secure Policy Manager Console if the host has sent an autoregistration request to the F-Secure Policy Manager Server.
  • Page 29: Unattended Installation

    MODE selects a standalone or a centrally managed installation (MODE standalone or MODE managed). For a centrally managed installation, you have to provide the URL to F-Secure Policy Manager Server and the location of the administrator public key, for example: fspms=http://fspms.company.com/ adminkey=/root/admin.pub Use the following options in the command line: lang Select the language for the web user interface.
  • Page 30: Installing Command Line Scanner Only

    The command line only installation installs only the command line scanner and the automatic update agent. The installation mode is designed for users migrating from F-Secure Anti-Virus for Linux 4.6x series and for users who do not need the real-time protection, integrity checking, web user interface or central management, for example users running AMaViS mail virus scanner.
  • Page 31: Creating A Backup

    Use the /etc/opt/f-secure/fssp/fssp.conf configuration file to configure the command line scanner only installation. See the file for detailed descriptions of the available settings.
  • Page 32: Uninstallation

    3.10 Uninstallation Run the script /opt/f-secure/fsav/bin/uninstall-fsav as root to uninstall the product. The uninstall script does not remove configuration files. If you are sure that you do not need them any more, remove all files in the /etc/opt/f-secure/fsma path.
  • Page 33: Getting Started

    GETTING STARTED Accessing the Web User Interface ..........32 Basics of Using F-Secure Policy Manager ......... 32 Testing the Antivirus Protection ..........33...
  • Page 34: Accessing The Web User Interface

    HTTPS address: https://<host.domain>:28082/ It is possible to use both F-Secure Policy Manager and the web user interface at the same time. Note that the user can locally override the settings created with F-Secure Policy Manager unless the administrator has prevented this by selecting the Final checkbox in the F-Secure Policy Manager settings.
  • Page 35: Testing The Antivirus Protection

    You can use the EICAR test file also to test your E-mail Scanning. EICAR is the European Institute of Computer Anti-virus Research. The Eicar info page can be found at http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml You can test your antivirus protection as follows: 1. You can download the EICAR test file from http://www.europe.f-secure.com/virus-info/...
  • Page 36: User Interface Basic Mode

    USER INTERFACE - BASIC MODE Summary ..................35 Common Tasks................36...
  • Page 37 CHAPTER 5 User Interface - Basic Mode Summary The summary page displays the product status and the latest reports. The product status displays the protection status and any possible errors or malfunctions. Status Virus Protection Shows the current Virus Protection level. Virus Protection levels allow you to change the level of protection according to your needs.
  • Page 38: Common Tasks

    Common Tasks You can configure the manual scan and firewall settings and check the latest virus definition database updates from the common tasks page. Choose one of the following actions: Scan the computer for malware and riskware: Opens a scanning wizard that can scan the computer for any type of malware and riskware...
  • Page 39: User Interface Advanced Mode

    USER INTERFACE - ADVANCED MODE Alerts ..................38 Virus Protection ................40 Firewall Protection..............51 Integrity Checking............... 59 General Settings................. 66...
  • Page 40: Alerts

    Alerts On the Alerts page, you can read and delete alert messages. To find the alert message you want to view, follow these instructions: 1. Select the Status of security alerts you want to view. Select All to view All alerts. Select Unread to view new alerts.
  • Page 41 CHAPTER 6 User Interface - Advanced Mode Security Level Description For example, the virus definition database update is older than the previously accepted version. Fatal Error Unrecoverable error on the host that requires attention from the administrator. For example, a process fails to start or loading a kernel module fails.
  • Page 42: Virus Protection

    Virus Protection Real-Time Scanning Real-time scanning is completely transparent. By default, all files are scanned automatically when they are opened and executed. Scheduled Scanning If you want to scan the computer for viruses regularly, for example once a week, you can create a scheduled scanning task.
  • Page 43 CHAPTER 6 Report and deny Displays and alerts about the found virus and access blocks access to it. No other action is taken against the infected file. View Alerts to check security alerts. For more information, see “Alerts”, 38. Disinfect Disinfects viruses.
  • Page 44 The renamed file has .suspected extension. Delete Deletes the suspected file. Deny access Blocks the access to the suspected file, but does not send any alerts or reports. What to scan Directories excluded Define directories which are excluded from the from the scan virus scan.
  • Page 45 CHAPTER 6 Scan when running Select whether files are scanned every time they an executable are run. If Scan on open and Scan on execute are disabled, nothing is scanned even if Scan only executables is enabled. Archive scanning Scan inside archives Scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives.
  • Page 46 Riskware scanning Scan for riskware Select whether files should be scanned for riskware during the real-time scanning. The riskware scan detects suspicious applications when they are installed or run on the system. Select the primary and secondary actions to take when a riskware is found.
  • Page 47: Scheduled Scanning

    CHAPTER 6 Category.Platform.Family where category, platform or family can be * wildcard. For example, Client-IRC.*.* excludes all riskware entries in the Client-IRC category. If the product is installed on NFS server, the real-time scan does not scan files automatically when a client accesses a file on the server.
  • Page 48: Manual Scanning

    6.2.3 Manual Scanning The manual scanning settings are used when you want to scan files or directories for viruses manually and during the scheduled scanning. If you have received a suspicious file, for example an executable or an archive file via e-mail, it is always a good idea to scan it for viruses manually.
  • Page 49 CHAPTER 6 Delete Deletes the infected file when a virus is found. Custom Performs the action you define. To define the custom action, enter the command to the Primary or Secondary custom action field. Deny access Blocks the access to the infected file, but does not send any alerts or reports.
  • Page 50 Only files with specified extensions - Scans only files with the extensions specified in the Included extensions field. The Included extensions field appears after you have selected Only files with specified extensions, Enable exclusions Files with the extensions specified in the Directories excluded from scanning field are not scanned.
  • Page 51 CHAPTER 6 Stop on first infection Select whether the whole archive should be inside an archive scanned even after an infection is found inside the archive. Riskware scanning Scan for riskware Select whether files should be scanned for riskware during the real-time scanning. The riskware scan detects suspicious applications when they are installed or run on the system.
  • Page 52 Category.Platform.Family where category, platform or family can be * wildcard. For example, Client-IRC.*.* excludes all riskware entries in the Client-IRC category. For more information, see “Riskware Types”, 86. Scanning a File Manually on a Workstation When the product scans files, it must have at least read access to them. If you want the product to disinfect infected files, it must have write access to the files.
  • Page 53: Firewall Protection

    CHAPTER 6 Firewall Protection The firewall protects the computers against unauthorized access from the Internet as well as against attacks originating from inside the local-area network. It provides protection against information theft as unauthorized access attempts can be prohibited and detected. Security Profiles The firewall contains predefined security profiles which have a set of pre-configured firewall rules.
  • Page 54: Security Profiles

    Security Profiles You can change the current security profile from the Summary page. For more information, see “Summary”, 35. The following table lists the security profiles available in the product and the type of traffic each of them allows or denies. Security profiles Description Block All...
  • Page 55: General Settings

    CHAPTER 6 Security profiles Description Strict Allows outbound web browsing, e-mail and News traffic, encrypted communication, FTP file transfers and remote updates. Everything else is denied. Normal Allows all outbound traffic, and denies some specific inbound services. Disabled Allows all inbound and outbound network traffic.
  • Page 56: Firewall Rules

    6.3.2 Firewall Rules Each security profile has a set of pre-configured Firewall Rules. Profile to edit Select the firewall profile you want to edit. For more information, see “Security Profiles”, 52. The current security profile is displayed on the top of the Firewall Rules page. You can change the current security profile from the Summary page.
  • Page 57 CHAPTER 6 If the profile contains more than 10 rules, use <<, <, > >> arrows to browse rules. Changing the order of the rules may affect all the other rules you have created. Add And Edit Rules You can add a new firewall rule, for example, to allow access to a new service in the network.
  • Page 58: Network Services

    Direction For every service you selected, choose the direction in which the rule applies. in = all incoming traffic that comes to your computer from the internet. out = all outgoing traffic that originates from your computer. Click Add to firewall rules to add the rule to the end of the list of rules.
  • Page 59 CHAPTER 6 Add And Edit Services Service name Enter a name for the service. Protocol Select the protocol (ICMP, TCP, UDP) or define the protocol number for the service you want to specify. Initiator ports Enter initiator ports. Responder ports Enter responder ports.
  • Page 60 8. The next step is to create a Firewall Rule that allows use of the service you just defined. Select Firewall Rules in the Advanced mode menu. 9. Select the profile where you want to add a new rule and click new rule to create a new rule.
  • Page 61: Integrity Checking

    CHAPTER 6 Integrity Checking Integrity Checking protects important system files against unauthorized modifications. Integrity Checking can block any modification attempts of protected files, regardless of file system permissions. Integrity Checking compares files on the disk to the baseline, which is a cryptographically signed list of file properties.
  • Page 62 Using The Search Status Select files you want to view in the known files list. Modified and new - Displays all files that have been modified or added to the baseline. Modified - Displays all files that have been modified. New - Displays all files that have been added to the baseline.
  • Page 63 CHAPTER 6 Action Displays whether the product allows or denies modifications to the file. Alert Displays whether the product sends an alert when the file is modified. Protection Displays whether the file is monitored or protected. Protected files cannot be modified while monitored files are only monitored and can be modified.
  • Page 64 Action The product can prevent the access to modified files. Allow - The access to the modified file is allowed when it is executed or opened. Deny - The access to the modified file is denied. Modified files cannot be opened or executed. Click Add to known files to add the entry to the Known Files List.
  • Page 65: Verify Baseline

    CHAPTER 6 When the Software Installation Mode is enabled, any process can load any kernel modules regardless whether they are in the baseline or not and any process can change any files in the baseline, whether those files are protected or not. The real-time scanning is still enabled and it alerts of any malware found during the installation.
  • Page 66 do not enable the Kernel Module Verification during the installation, you have to generate the baseline manually before Integrity Checking is enabled. All files that are added to the baseline during the installation are set to Allow and Alert protection mode. Passphrase The generated baseline has to be signed to prevent anyone from modifying the protected files.
  • Page 67: Rootkit Prevention

    CHAPTER 6 6.4.4 Rootkit Prevention When the Integrity Checking is enabled, the product can prevent rootkits. Hackers can use rootkits to gain access to the system and obtain administrator-level access to the computer and the network. Kernel module verification: Protects the system against rootkits by preventing unknown kernel modules from loading.
  • Page 68: General Settings

    6.5.1 Communications Change Communications settings to configure where alerts are sent. Management Server Server Address: Define the URL of the F-Secure Policy Manager Server. This setting is only available in the centrally managed installation mode. Alert Forwarding Alert Level: Specify where an alert is sent according to its severity level.
  • Page 69 CHAPTER 6 E-mail Settings The e-mail settings are used for all alert messages that have been configured to send e-mail alerts. Server Enter the address of the SMTP server in the Server Address field. You can use either the DNS-name or IP-address of the SMTP server. If the mail server is not running or the network is down, it is possible that some e-mail alerts are lost.
  • Page 70: Automatic Updates

    Enable and disable the automatic virus definition updates. By default they are enabled. Policy Manager Proxies Displays a list of virus definition database update sources and F-Secure Policy Manager proxies. If no update servers are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
  • Page 71 Define (in minutes) the failover time to connect failover time to specified update servers. If the product cannot connect to update servers during the specified time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.
  • Page 72 Using F-Secure Anti-Virus Proxies F-Secure Anti-Virus Proxy offers a solution to bandwidth problems in distributed installations of F-Secure Anti-Virus Linux Server Security by significantly reducing load on networks with slow connections. When you...
  • Page 73: About

    CHAPTER 6 6.5.3 About The About page displays the license terms, the product version number and the database version. If you are using the evaluation version of the product, you can enter the keycode in the About page to upgrade the product to the fully licensed version.
  • Page 74: Command Line Tools

    Command Line Tools Overview..................73 Virus Protection ................73 Firewall Protection..............74 Integrity Checking............... 75 General Command Line Tools............ 76...
  • Page 75: Overview

    CHAPTER 7 Command Line Tools Overview For more information on command line options, see “Man Pages”, 102. Virus Protection You can use the fsav command line tool to scan files and the dbupdate command line tool to update virus definition databases from the shell. 7.2.1 fsav Follow these instructions to scan files from the shell:...
  • Page 76: Dbupdate

    1. Run the following command: crontab -e 2. Add # to the beginning of the following line to comment it out: */1 * * * * /opt/f-secure/fsav/bin/fsavpmd --dbupdate-only >/dev/null 2>&1 Follow these instructions to update virus definition databases manually from the command line: 1.
  • Page 77: Fsfwc

    CHAPTER 7 Command Line Tools 7.3.1 fsfwc Use the following command to change the current security profile: /opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass} For more information about security profiles, see “Security Profiles”, 52. Integrity Checking You can use the fsic command line tool to check the system integrity and fsims to use the Software Installation Mode from the shell.
  • Page 78: Fsims

    2. Recalculate the baseline. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline: /opt/f-secure/fsav/bin/fsic --baseline 3. Enter a passphrase to create the signature. Verifying the Baseline Follow these instructions to verify the baseline from the command line: 1.
  • Page 79: Fsma

    The following table lists all product modules (Module / Process / Description): F-Secure Alert Database Handler Daemon / /opt/f-secure/fsav/sbin/fsadhd / Stores alerts to a local database. Alerts can be viewed with the web user interface. F-Secure FSAV ... / /opt/f-secure/fsav/bin/fsavpmd / Handles all F-Secure Policy Manager Console...
  • Page 80: Fsav-Config

    (Module / Process / Description) F-Secure FSAV Status Daemon / /opt/f-secure/fsav/bin/fstatusd / Checks the current status of every component and keeps desktop panel applications and the web user interface up-to-date. F-Secure FSAV Web / /opt/f-secure/fsav/tomcat/bin/catalina.sh start / Handles the web user interface. F-Secure FSAV PostgreSQL daemon / /opt/f-secure/common/postgresql/bin/startup.sh / Stores alerts that can be viewed with the web...
  • Page 81: Appendix A Installation Prerequisites

    Installation Prerequisites All 64-bit Distributions..............80 Red Hat Enterprise Linux 4 ............80 Debian 3.1 and Ubuntu 5.04, 5.10, 6.06........81 SuSE ..................82 Turbolinux 10................82...
  • Page 82: All 64-Bit Distributions

    All 64-bit Distributions Some 64-bit distributions do not install 32-bit compatibility libraries by default. Make sure that these libraries are installed. The name of the compatibility library package may vary; see the documentation of the distribution you use for the package name for 32-bit compatibility libraries. On 64-bit Ubuntu, install ia32-libs.
  • Page 83: Debian 3.1 And Ubuntu 5.04, 5.10, 6.06

    CHAPTER A Installation Prerequisites The system tray applet requires the following RPM packages: › kdelibs › compat-libstdc++ Install the product normally. Debian 3.1 and Ubuntu 5.04, 5.10, 6.06 To install the product on a server running either Debian 3.1 or Ubuntu 5.04, 5.10 or 6.06: Install a compiler, kernel headers and RPM before you install the product.
  • Page 84: Suse

    SuSE To install the product on a server running SuSE version 9.1, 9.2, 9.3 or 10.0: Before you install the product, make sure that kernel-source, make and gcc packages are installed. Use YaST or another setup tool. Install the product normally. Turbolinux 10 Turbolinux kernel sources may not be configured and so they cannot be used to compile kernel drivers.
  • Page 85: Appendix B Installing Required Kernel Modules Manually

    Installing Required Kernel Modules Manually Introduction................. 84 Before Installing Required Kernel Modules ........ 84 Installation Instructions............... 84...
  • Page 86: Introduction

    Installation Instructions Follow the instructions below to install required kernel modules: Run the following command as the root user: /opt/f-secure/fsav/bin/fsav-compile-drivers If the summary page in the user interface does not show any errors, the product is working correctly.
  • Page 87 The product has been extensively tested only with the Dazuko version that ships with the product, which is installed in /opt/f-secure/fsav/ dazuko.tar.gz. If your Linux distribution has a preinstalled Dazuko, it cannot be used as Dazuko depends on the included patches and configuration options, which are likely different in the preinstalled Dazuko.
  • Page 88: Appendix C Riskware Types

    Riskware Types Riskware Categories and Platforms ........... 87...
  • Page 89: Riskware Categories And Platforms

    CHAPTER C Riskware Types Riskware Categories and Platforms Use the following list of riskware categories and platforms to exclude specific riskware from the riskware scan. Category: › Adware › AVTool › Client-IRC › Client-SMTP ... Platform: › Apropos › Casino › ClearSearch ›...
  • Page 90 Category: Platform: › › Server-FTP Perl › › Server-Proxy › › Server-Telnet Searcher › › Server-Web Solomon › › Tool Symantec › TrendMicro › UNIX › › › Win16 › Win32 › Wintol › ZenoSearch...
  • Page 91 CHAPTER C Riskware Types...
  • Page 92: Appendix D List Of Used System Resources

    List of Used System Resources Overview..................91 Installed Files................91 Network Resources ..............91 Memory..................92 CPU.................... 92...
  • Page 93: Overview

    Installed Files All files installed by the product are in the following directories: /opt/f-secure /etc/opt/f-secure /var/opt/f-secure In addition, the installation creates the following symlinks: /usr/bin/fsav -> /opt/f-secure/fssp/bin/fsav; /usr/bin/fsic -> /opt/f-secure/fsav/bin/fsic; /usr/bin/fsui -> /opt/f-secure/fsav/bin/fsui; /usr/share/man/man1/fsav.1 -> /opt/f-secure/fssp/man/fsav.1; /usr/share/man/man8/fsavd.8 -> /opt/f-secure/fssp/man/fsavd.8 Network Resources...
  • Page 94: Memory

    Memory The Web User Interface reserves over 200 MB of memory, but since the WebUI is not used all the time, the memory is usually swapped out. The other product components sum up to about 50 MB of memory; the on-access scanner uses most of it.
  • Page 95: Appendix E Troubleshooting

    Troubleshooting User Interface................94 F-Secure Policy Manager............95 Integrity Checking............... 95 Firewall ..................97 Virus Protection ................99 Generic Issues................99...
  • Page 96: User Interface

    If you are using Gnome Desktop, make sure you have a notification area in your Gnome Panel. Q. How do I enable the debug log for the web user interface? A. In /opt/f-secure/fsav/tomcat/bin/catalina.sh, change:
    #CATALINA_OUT="$LOGS_BASE"/catalina.out
    CATALINA_OUT=/dev/null
    to:
    CATALINA_OUT="$LOGS_BASE"/catalina.out
    #CATALINA_OUT=/dev/null
    The logfile is in /var/opt/f-secure/fsav/tomcat/catalina.out.
  • Page 97: F-Secure Policy Manager

    Q. How can I use F-Secure Linux Server Security with F-Secure Policy Manager 6.0x for Linux? A. F-Secure Policy Manager Server has to be configured to retrieve new riskware and spyware databases for the product. Note that these instructions apply to F-Secure Policy Manager Server 6.0x for Linux only, the product is not compatible with other Linux or...
  • Page 98 Q. I forgot to use Software Installation Mode and my system is not working properly. What can I do? A. Create a new baseline. Execute the following commands:
    /opt/f-secure/fsav/bin/fslistfiles | fsic --add -
    fsic --baseline
    Q. Can I update the Linux kernel when I use Integrity Checking? A.
  • Page 99: Firewall

    CHAPTER E Troubleshooting Q. Do I have to use the same passphrase every time I generate the baseline? A. No, you have to verify the baseline using the same passphrase that was used when the baseline was generated, but you do not have to use the same passphrase again when you generate the baseline again.
  • Page 100 Type: ACCEPT
    Remote Host: [myNetwork]
    Description: Windows Networking Local Browsing
    Service (select box): Windows Networking Local Browsing
    Direction: in
    h. Click Add Service to this Rule and then Add to Firewall Rules. The new rule should be visible at the bottom of the firewall rule list. If you cannot see the rule, click >>...
  • Page 101: Virus Protection

    The log file is in /var/opt/f-secure/fsav/fsoasd.log Q. How can I use an HTTP proxy server to download database updates? A. In Policy Manager Console, go to F-Secure Automatic Update Agent / Settings / Communications / HTTP Settings / User-defined proxy settings and set Address to:...
  • Page 102 -qa | grep f-secure
    rpm -qa | grep fsav
    b. Remove installed packages. Run the following command for each installed package:
    rpm -e --noscripts <package_name>
    c. 3. Remove all of the product installation directories:
    rm -rf /var/opt/f-secure/fsav
    rm -rf /var/opt/f-secure/fsma...
  • Page 103 /var/opt/f-secure/fsav/pgsql/data/postmaster.pid b. As root, restart the product: /etc/init.d/fsma restart Q. I get reports that "F-Secure Status Daemon is not running", how can I start it? A. Sometimes, after a hard reset for example, F-Secure Status Daemon may fail to start. Restart the product to solve the issue: /etc/init.d/fsma restart...
  • Page 104: Appendix F Man Pages

    Man Pages fsav................... 103 fsavd..................137 dbupdate................... 155 fsfwc ..................159 fsic .................... 162...
  • Page 105: Fsav

    Linux viruses, macro viruses infecting Microsoft Office files, Windows viruses and DOS file viruses. F-Secure Anti-Virus can also detect spy- ware, adware and other riskware (in selected products). fsav can scan files inside ZIP, ARJ, LHA, RAR, GZIP, TAR, CAB and BZ2 archives and MIME messages.
  • Page 106 Synonym for --virus-action1 (deprecated). --action2={none|report,disinf|clean,rename,delete|remove,abort,custom|exec} Synonym for --virus-action2 (deprecated). --action1-exec=PROGRAM F-Secure Anti-Virus runs PROGRAM if the primary action is set to custom/exec. --action2-exec=PROGRAM F-Secure Anti-Virus runs PROGRAM if the secondary action is set to custom/exec. --action-timeout={e,c} What to do when the scan times out: treat the timeout as an error (e) or as clean (c).
  • Page 107 PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf). fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts. --databasedirectory=path Read virus definition databases from the directory path. The default is ".".
  • Page 108 command-line! This option is intended to be used only with the dbupdate script. --allfiles[={on,off,yes,no,1,0}] Scan files regardless of the extension. By default, the setting is on. (In previous versions, this option was called 'dumb'.) --exclude=path Do not scan the given path. --exclude-from=file Do not scan paths listed in the file.
  • Page 109 CHAPTER F --list[={on,off,yes,no,1,0}] List all files that are scanned. --maxnested=value Should be used together with the --archive option. Sets the maximum number of nested archives (an archive containing another archive). If fsav encounters an archive that contains more nested archives than the specified value, it reports a scan error for the file.
  • Page 110 NOTE: Certain password-protected archives are reported as suspected infections instead of as password-protected archives. --orion[={on,off,yes,no,1,0}] Enable/disable the Orion scanning engine for the scan and the disinfection. If any engine is enabled explicitly, all other engines are disabled unless they are also explicitly enabled. --preserveatime[={on,off,yes,no,1,0}] Preserve the last access time of the file after it is scanned.
  • Page 111 CHAPTER F remove. --riskware-action2={none|report,rename,delete|remove} Secondary action to take if the primary action fails. Parameters are the same as for the primary action. --scanexecutables[={on,off,yes,no,1,0}] Enable executable scanning. If a file has any of the user/group/other executable bits set, it is scanned regardless of the file extension.
  • Page 112 --silent[={on,off,yes,no,1,0}] Do not generate any output (except error messages). --socketname=socket path Use the given socket path to communicate with fsavd. The default socket path is /tmp/.fsav-<UID>, or /tmp/.fsav-<UID>-sa if fsav is started with the --standalone option. --status Show the status of the fsavd scanning daemon and exit.
  • Page 113 --skiplarge[={on,off,yes,no,1,0}] Do not scan files equal to or larger than 2 GB (2,147,483,648 bytes). If this option is not set, an error is reported for large files. --version Show the F-Secure Anti-Virus version, engine versions and dates of the database files, and exit.
  • Page 114 Note Database versions contain date of the databases only. There may be several databases released on same day. If you need more detailed version information, open header.ini in the database directory and search for the following lines: [FSAV_Database_Version] Version=2003-02-27_03 The string after “Version=” is the version of databases.
  • Page 115 CHAPTER F By default, fsav reports the infected and suspected infections to stdout. Scan errors are reported to stderr. An example of an infection in the scan report: /tmp/eicar.com: Infected: EICAR-Test-File [AVP] where the file path is on the left, the name of the infection in the middle and the name of the scan engine that reports the infection in brackets.
  • Page 116 encoding and cannot be scanned. Invalid MIME header found. Explanation: The scanned MIME message uses a non-standard header and cannot be scanned. The --list option shows the clean files in the report. An example of the output: /tmp/test.txt - clean The --archive option scans the archive content and the output is as follows for infected or suspected archive content: [/tmp/eicar.zip] eicar.com: Infected:...
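    The report lines documented above are what most people end up scripting against, so here is an added example, not code from the manual or from F-Secure, of a parser that turns fsav stdout into structured records and strips control characters from file names before they are logged (the behaviour the odsRaw 0 setting gives fsav itself, since a file name is attacker-chosen input). The sample output is constructed; the Suspected: verdict keyword and the Libra engine tag in it are assumptions, as the manual shows only the Infected: form.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example, not from the manual: parse fsav(1) scan reports into
# structured records. Line shapes follow the man page:
#   <path>: Infected: <name> [<engine>]
#   <path> - clean                                     (printed with --list)
#   [<archive>] <member>: Infected: <name> [<engine>]   (printed with --archive)
# The "Suspected:" keyword is an assumption; the manual only says that
# suspected infections are reported, not which word is used.

FINDING_RE = re.compile(
    r"^(?:\[(?P<archive>[^\]]+)\] )?"       # optional archive container
    r"(?P<path>.+?): (?P<verdict>\w+): "    # file name and verdict keyword
    r"(?P<name>.+?) \[(?P<engine>[^\]]+)\]$"
)
CLEAN_RE = re.compile(r"^(?P<path>.+) - clean$")
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


@dataclass
class Finding:
    path: str
    verdict: str                 # "Infected", "Suspected", ... or "clean"
    name: Optional[str] = None
    engine: Optional[str] = None
    archive: Optional[str] = None


def sanitize(name: str) -> str:
    """Replace control/escape characters in an attacker-chosen file name
    before it reaches a terminal or a log (what odsRaw 0 does in fsav)."""
    return CONTROL_RE.sub("?", name)


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(
                path=sanitize(m["path"]),
                verdict=m["verdict"],
                name=m["name"],
                engine=m["engine"],
                archive=sanitize(m["archive"]) if m["archive"] else None,
            ))
            continue
        m = CLEAN_RE.match(line)
        if m:
            findings.append(Finding(path=sanitize(m["path"]), verdict="clean"))
            continue
        # Anything else is not a stdout report line (scan errors go to stderr).
        raise ValueError(f"unrecognised report line: {sanitize(line)!r}")
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per verdict, e.g. {'Infected': 2, 'clean': 1}."""
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


# Constructed sample output (not captured from a real fsav run). The last
# line carries an ANSI escape sequence inside the file name on purpose.
SAMPLE_REPORT = (
    "/tmp/eicar.com: Infected: EICAR-Test-File [AVP]\n"
    "/tmp/test.txt - clean\n"
    "[/tmp/eicar.zip] eicar.com: Infected: EICAR-Test-File [AVP]\n"
    "/tmp/evil\x1b[2Jname.doc: Suspected: Possible-Macro [Libra]\n"
)

if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding)
    print(summarize(parse_report(SAMPLE_REPORT)))
```

    Feed it the stdout of a real run with `fsav --list --archive <dir> | python3 parse_fsav.py` style plumbing (stderr, where scan errors go, stays separate); the sanitize() step is what keeps a crafted file name from clearing or spoofing the operator's terminal.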
  • Page 117 CHAPTER F ary action is rename. fsav must have write access to the file to be disinfected. Disinfection is not always possible and fsav may fail to disinfect a file. In particular, files inside archives cannot be disinfected. Infected files are renamed to <original_filename>.virus and the executable and SUID bits are cleared from the file.
  • Page 118 action that failed, i.e. if the user does not want to take the primary action, the secondary action is tried next. The action confirmation can be disabled with the --auto option. WARNINGS fsav warnings are written to the standard error stream (stderr).
  • Page 119 CHAPTER F Illegal archive scanning value '<user given value>' in configuration file <file path> line <line number> Explanation: The archivescanning field in the configuration file has an incorrect value. Resolution: Edit the configuration file and set the archivescanning field to one of the following: 1 or 0. Restart fsav to take the new values into use.
  • Page 120 <file valid configuration file path> line <line number>. Explanation: The maxnestedarchives field in the configuration file is not a number. Resolution: Edit the configuration file. Maximum nested archives value '<user given value>' is out of range in configuration file <file path>...
  • Page 121 CHAPTER F Scan timeout value '<user given value>' is not valid in configuration file <file path> line <line number> Explanation: The scantimeout field in the configuration file is not a valid number. Resolution: Edit the configuration file. Scan timeout value '<user given value>' is out of range in configuration file <file path>...
  • Page 122 abort, custom or exec. Restart fsav to take the new values into use. Unknown syslog facility '<user given value>' in configuration file <file path> line <line number> Explanation: The syslogfacility field in the configuration file has an incorrect value. Resolution: Edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page.
  • Page 123 CHAPTER F Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters or configu- ration file or remove the file from path and start the fsav again. Invalid socket path '<socket path>': <OS error>. Explanation: The user has given invalid socket path from configuration file or from command-line, either socket does not exist or is not accessible.
  • Page 124 Explanation: The user has given a file path to the --configfile option which either does not exist or is not accessible. Resolution: The user has to correct the command-line options and try again. Scan engine directory '<directory path>' is not valid in configuration file at line <line number>: <OS error message>...
  • Page 125 CHAPTER F from the configuration file. Resolution: The user has to correct the path and start fsav again. Database directory '<directory path>' is not valid: <OS error message> Explanation: The user has entered a database directory path on the command line which either does not exist, is not accessible, or is too long.
  • Page 126 option>'. Explanation: The user has entered an unknown command-line option. Resolution: The user has to correct the command-line options and try again. Illegal scan timeout value '<value>'. Explanation: The user has entered an illegal scan timeout value on the command line. Resolution: The user has to correct the command-line options and try again.
  • Page 127 CHAPTER F Explanation: The user has tried to request the server version with --version but the request processing failed. Resolution: The server is not running. The product may be installed incorrectly. The installdirectory is either missing or wrong in the configuration file. The system may be low on resources, so launching might have failed because of e.g....
  • Page 128 Resolution: The server has died unexpectedly. The user should restart the server and try to scan the file again. If the problem persists, the user should send a bug report and a file sample to F-Secure. Update directory '<file path>' is not valid: <OS error message>...
  • Page 129 CHAPTER F path>' exists. Explanation: The database directory contains an update flag file which is created while a database update is in progress. Resolution: The user has to check whether another database update is in progress. If no other update process exists, the user should delete the flag file and try to update the databases again.
  • Page 130 Resolution: The database update process does not have proper rights to the lock file and fails. The user has to make sure the update process runs with proper rights or that the database directory has proper access rights. Could not release lock for lock file '<file path>'. Explanation: The database update process has failed to release the lock for the lock file in the database directory.
  • Page 131 CHAPTER F Explanation: The database update process has successfully updated databases, but failed to remove the update flag file. Resolution: fsavd is halted. The user should remove the update flag file manually. SCAN ERRORS fsav scan errors are written to the standard error stream (stderr).
  • Page 132 [<scan engine>] Explanation: The scan engine could not open the file for scanning because it does not have read access to the file. Resolution: The user has to make the file readable for fsavd and try to scan the file again. If the user or fsav launches fsavd, fsavd has the same access rights as the user and can only open files the user is authorized to open.
  • Page 133 CHAPTER F Resolution: The user may try scanning the file again with a bigger scan timeout value. <file path>: ERROR: Could not read from file [<scan engine>] Explanation: The scan failed because reading from the file failed. Resolution: The file is probably corrupted and cannot be scanned.
  • Page 134 If the same error message appears every time the file is scanned, either exclude the file from the scan or send a sample file to F-Secure Anti-Virus Research. See the instructions for more information.
  • Page 135 CHAPTER F A boot virus or file virus found. Riskware (potential spyware) found. At least one virus was removed and no infected files left. Out of memory. Suspicious files found; these are not necessarily infected by a virus. Scan error, at least one file scan failed. Program was terminated by pressing CTRL-C, or by a sigterm or suspend event.
  • Page 136 Scan all files in a directory '/mnt/smbshare':
    $ fsav /mnt/smbshare
    Scan all files and archive contents with the scan time limit set to 3 minutes:
    $ fsav --archive --scantimeout=180 --allfiles /mnt/smbshare
    Scan and list files with '.EXE' or '.COM' extension in a directory '/mnt/smbshare':
    $ fsav --list --extensions='exe,com' /mnt/smbshare...
  • Page 137 CHAPTER F host Scan files found by the find(1) command and feed infected/suspected files to the mv(1) command to move them to the /var/quarantine directory. Any errors that occur during the scan are mailed to admin@localhost.
    $ (find /mnt/smbshare -type f | fsav --short --input | \
    xargs -n 1 --replace mv {} /var/quarantine) 2>&1 | \...
  • Page 138 Bugs Please refer to 'Known Problems' -section in release notes. Authors F-Secure Corporation Copyright Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. Portions Copyright (c) 2001-2006 Kaspersky Labs. See Also dbupdate(8), fsavd(8) For more information, see F-Secure home page.
  • Page 139: Fsavd

    F-Secure Anti-Virus daemon fsavd options DESCRIPTION fsavd is the scanning daemon for F-Secure Anti-Virus. At startup it reads the configuration file (the default configuration file or the file specified on the command line) and starts listening for connections on the UNIX domain socket specified in the configuration file.
  • Page 140 PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf). fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts. --databasedirectory=path Read virus definition databases from the directory path. The default is ".".
  • Page 141 CHAPTER F The default is "/tmp/.fsav-<UID>". If the file exists and is a socket, the file is removed and a new socket is created. The file removal shuts down all existing fsavd instances. If the path contains non-existing directories, the directories are created and the directory permissions are set to read/write/exec for the owner and read/exec for group and others.
  • Page 142 --nodaemon Do not fork the program into the background. --help Show command line options and exit. --version Show the F-Secure Anti-Virus version and dates of signature files, and exit. LOGGING fsavd logs scan failures, infected and suspected files to the fsavd log file defined with the logfile setting. fsavd writes errors during start-up to the standard error stream.
  • Page 143 CHAPTER F Failed to scan file <file path>: Time limit exceeded. Explanation: fsavd reports that the file scan failed because the scan time limit is exceeded. Failed to scan file <file path>: Scan aborted. Explanation: fsavd reports that the file scan failed because the scan was aborted.
  • Page 144 Unknown action '<user given value>' in configuration file <file path> line <line number> Explanation: The action in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the action field to one of the following: disinfect, rename or delete.
  • Page 145 CHAPTER F <file path> <line configuration file line number> Explanation: The mimescanning field in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the mimescanning field to one of the following: 1, 0, on, off, yes, or no.
  • Page 146 valid in configuration file <file path> line <line number> Explanation: The scantimeout field in the configuration file is not a valid number. Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd. Scan timeout value '<user given value>' is out of range in configuration file <file path>...
  • Page 147 CHAPTER F Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd. Maximum scan engine instances value '<user given value>' is not valid in configuration file <file path> line <line number> Explanation: The engineinstancemax field in the configuration file is not a number.
  • Page 148 number> Explanation: The syslogfacility field in the configuration file has an incorrect value. Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page. The user has to restart fsavd to take the values into effect.
  • Page 149 CHAPTER F restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically. Database file <file path> is not a valid database. Explanation: The scan engine reports that the database file <file path>...
  • Page 150 If problem still occurs, the user may try to update databases or scan engine to resolve the problem. If the problem persists the user needs to contact F-Secure support. <engine name> scan engine inactive for too long, going for shutdown.
  • Page 151 If the user can recognize the source as a problematic file, the user should make a bug report and send a file sample to F-Secure. Resolution: fsavd shuts down the scan engine process and restarts the scan engine.
  • Page 152 Resolution: fsavd exits with error status. The installation or engine directory in the configuration file may be incorrect, or the --enginedirectory command-line option has an incorrect path. Failed to load required symbol from scan engine library. Explanation: fsavd finds the required scan engine shared library files but fails to load the correct library calls from the library. Resolution: fsavd exits with error status.
  • Page 153 CHAPTER F Explanation: The user has entered a database directory path on the command line which either does not exist, is not accessible or is too long. Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again. Database update directory '<directory path>' not valid in configuration file at line <line...
  • Page 154 long from the command-line. Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again. Could not open configuration file <file path>: <OS error message> Explanation: The configuration file path given on the command line does not exist or is not accessible.
  • Page 155 <install directory>/etc/fsav F-Secure Anti-Virus startup file. <install directory>/databases Directory for Anti-Virus signature database files. <install directory>/lib Directory for Anti-Virus scan engine and F-Secure Anti-Virus shared library files. EXAMPLES Start fsavd as a background daemon process using the default configuration file: $ fsavd...
  • Page 156 Bugs Please refer to 'Known Problems' -section in release notes. AUTHORS F-Secure Corporation Copyright Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. Portions Copyright (c) 2001-2006 Kaspersky Labs. SEE ALSO dbupdate(8), fsav(1), fssp.conf(5) For more information, see F-Secure home page.
  • Page 157: Dbupdate

    DESCRIPTION dbupdate is a shell script for updating F-Secure Anti-Virus Virus Definition Databases. It can update databases downloaded by F-Secure Automatic Update Agent (a fully automatic background process) or databases transferred to the host by other means (such as ftp).
  • Page 158 SCHEDULED UPDATE OVER NETWORK Typically, dbupdate is started from cron(8) frequently with the following command: dbupdate --auto. This takes into use the updates that F-Secure Automatic Update Agent has previously downloaded. OPERATION If new databases are available, the database files are copied to updatedirectory.
  • Page 159 An error has occurred. See program output and /var/opt/f-secure/fssp/dbupdate.log for details. Virus definition databases were successfully updated. BUGS Please refer to 'Known Problems' section in the release notes. AUTHORS F-Secure Corporation Copyright Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved.
  • Page 160 SEE ALSO fsav(1) and fsavd(8) For more information, see F-Secure home page.
  • Page 161: Fsfwc

    CHAPTER F support@F-Secure.com fsfwc (1) fsfwc command line interface for firewall daemon fsfwc options Description With this tool the firewall can be set to different security levels. If invoked without any options, it shows the current security level and the minimum allowed level.
  • Page 162 mobile Profile for road warriors: ssh and VPN protocols allowed. DHCP, HTTP and common email protocols are allowed. All incoming connections blocked. office Profile for office use. It is assumed that some external firewall exists between the Internet and the host. Any outgoing TCP connections allowed.
  • Page 163 bypass Allow everything in and out. RETURN VALUES fsfwc has the following return values. 0 Normal exit; 1 Error occurred. AUTHORS F-Secure Corporation COPYRIGHT Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. SEE ALSO For more information, see F-Secure home page.
  • Page 164: Fsic

    Command line interface for integrity checker fsic options target ... Description F-Secure Integrity Checker will monitor system integrity against tampering and unauthorized modification. If invoked without any options, fsic will verify all files in the known files list and report any anomalies.
  • Page 165 CHAPTER F changed, only baselined inode information is shown. If the file differs from the baselined information, a detailed comparison is shown. --virus-scan={yes=default,no} Scan for viruses when verifying. (default: yes) --ignore={attr,hash} Ignore the specified file properties if they differ from the baseline information.
  • Page 166 been given at all. (default: no) -v, --verifyfile [options] This mode validates only files given on the command line OR stdin. This option has the same sub-options as verify. -B, --baseline [options] Calculate baseline information for all of the files. If a previous baseline already exists, it is overwritten.
  • Page 167 CHAPTER F -b, --baselinefile [options] This mode will add only entries given from command line OR stdin to baseline. This option has same sub-options as baseline. -a, --add [options] target ... Add a target[s] to the known files list. Targets must be real files or links.
  • Page 168 an alert if file differs from baselined information. -d, --delete target ... Remove target[s] from the known files list. A new baseline needs to be generated after all file deletions have been performed. verify action reports If --show-all is specified, then also clean files are reported, as follows.
  • Page 169 CHAPTER F So even if the inode data has changed, the hash may be the same (touch(1) on a file changes the inode data but not the contents). If, however, the hash has changed while the inode data is still the same, the file contents have been modified and the mtime set back to its previous value with utime() (man 2 utime).
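    To make the hash-versus-inode reasoning above concrete, here is an added example (not fsic's code) that baselines three temporary files, then touches one and rewrites another with same-length content before putting its mtime back with utime(), and shows how comparing the content hash and the inode data together tells the two cases apart. Which stat fields count as inode data, the use of SHA-256 and the verdict names are this example's own choices.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, Iterable, Tuple

# Added example, not fsic's own code: record a content hash and inode data for
# each file, then classify changes the way the fsic man page reasons about them.
# Which stat fields count as "inode data", the use of SHA-256 and the verdict
# names are this example's assumptions. ctime is deliberately left out of the
# comparison: utime() cannot set it back, so it is a further signal a tool can use.

Fingerprint = Tuple[str, dict]


def fingerprint(path: str) -> Fingerprint:
    st = os.stat(path)
    inode = {"ino": st.st_ino, "mode": st.st_mode, "size": st.st_size,
             "mtime_ns": st.st_mtime_ns}
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest(), inode


def baseline(paths: Iterable[str]) -> Dict[str, Fingerprint]:
    return {p: fingerprint(p) for p in paths}


def verify(base: Dict[str, Fingerprint]) -> Dict[str, str]:
    """Verdicts: ok, inode-only, content-changed, content-changed-timestomped, missing."""
    verdicts: Dict[str, str] = {}
    for path, (old_hash, old_inode) in base.items():
        if not os.path.exists(path):
            verdicts[path] = "missing"
            continue
        new_hash, new_inode = fingerprint(path)
        if new_hash == old_hash and new_inode == old_inode:
            verdicts[path] = "ok"
        elif new_hash == old_hash:
            verdicts[path] = "inode-only"   # e.g. touch(1): metadata moved, bytes intact
        elif new_inode == old_inode:
            # Bytes differ but size and mtime match the baseline: the contents were
            # rewritten and the timestamp put back with utime(2), the man page's case.
            verdicts[path] = "content-changed-timestomped"
        else:
            verdicts[path] = "content-changed"
    return verdicts


def demo() -> Dict[str, str]:
    """Create three files, baseline them, touch one, timestomp another, verify."""
    workdir = tempfile.mkdtemp()
    try:
        paths = {n: os.path.join(workdir, n) for n in ("untouched", "touched", "stomped")}
        for p in paths.values():
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho hello\n")
        base = baseline(paths.values())

        # touch(1)-style: push mtime forward one second, leave the bytes alone.
        st = os.stat(paths["touched"])
        os.utime(paths["touched"], ns=(st.st_atime_ns, st.st_mtime_ns + 10**9))

        # Attacker-style: overwrite with same-length content, then restore mtime.
        st = os.stat(paths["stomped"])
        with open(paths["stomped"], "r+b") as f:
            f.write(b"#!/bin/sh\necho hullo\n")
        os.utime(paths["stomped"], ns=(st.st_atime_ns, st.st_mtime_ns))

        return {os.path.basename(p): v for p, v in verify(base).items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

    The point of keeping both kinds of evidence is visible in the "stomped" case: size and mtime alone would pass it, and a hash alone could not distinguish it from an ordinary edit; only the combination reveals that someone also reset the timestamp.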
  • Page 170 late hash and inode information for all files known to the integrity checker. The previously generated baseline is overwritten. The user is asked to confirm adding files to the new baseline. For example, /bin/ls: Accept to baseline? (Yes,No,All yes, Disregard new entries) If a file has been modified fsic asks [Note] /bin/ls seems to differ from baselined entry.
  • Page 171 Return value of 3 indicates that one or more of the following happened; * Incorrect passphrase, or * Files do not match baselined information, or * A virus was detected in one of the files FILES None. EXAMPLES None. NOTES None. BUGS None. AUTHORS F-Secure Corporation COPYRIGHT...
  • Page 172 Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. SEE ALSO For more information, see F-Secure home page.
  • Page 173: Appendix G Config Files

    APPENDIX: Config Files fsaua_config ................172 fssp.conf ................... 177...
  • Page 174: Fsaua_Config

    # This directive controls which update server the Automatic Update Agent tries # to fetch the updates from. If this directive is empty, the master server # hosted by F-Secure is used (see Fallback options below). # In centrally managed mode, this defaults to the Policy Management Server.
  • Page 175 APPENDIX G Config Files # The format is as follows: # update_servers=[http://]<address>[:<port>][,[http://]<address>[:<port>]] # Examples: # update_servers=http://pms # update_servers=http://server1,http://backup_server1,http://backup_server2 #update_servers= # Update proxies # This directive controls which Policy Manager Proxies the Automatic Update # Agent tries to use. Note that this is different from HTTP proxies (see below). # The format is the same as for Update Servers.
  • Page 176 # polls the Update Server for updates. # The default is 3600 seconds, which is 1 hour #poll_interval=3600 # Failover to root # Specifies whether Automatic Update Agent is allowed to fall back to update # servers hosted by F-Secure. # The default is yes...
  • Page 177 # Failover timeout # Specifies the time after which Automatic Update Agent is allowed to check # for updates from update servers hosted by F-Secure. This is the time elapsed # (in seconds) since the last successful connection with your main update # servers.
  • Page 178 #log_level=normal # Log Facility # Specify the syslog facility for Automatic Update Agent # Possible values are: daemon, local0 to local7 # The default is daemon #log_facility=daemon os_version_distribution="testingunstable"...
  • Page 179: Fssp.conf

    APPENDIX G Config Files fssp.conf # This is a configuration file for F-Secure Security Platform # Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. # Specify whether the product should scan all files or only the files that # match the extensions specified in the ‘Extensions to Scan’ setting.
  • Page 180 odsIncludedExtensions .,acm,app,arj,asd,asp,avb,ax,bat,bin,boo,bz2,cab,ceo,chm,cmd,cnv,com,cpl,csc,dat,dll,do?,drv,eml,exe,gz,hlp,hta,htm,html,htt,inf,ini,js,jse,lnk,lzh,map,mdb,mht,mif,mp?,msg,mso,nws,obd,obt,ocx,ov?,p?t,pci,pdf,pgm,pif,pot,pp?,prc,pwz,rar,rtf,sbf,scr,shb,shs,sys,tar,td0,tgz,tlb,tsp,tt6,vbe,vbs,vwp,vxd,wb?,wiz,wml,wpc,ws?,xl?,zip,zl?,{* # Specify whether executables should be scanned. If a file has any # user/group/other executable bits set, it is scanned regardless of the file # extension. # Possible values: # 0 - No # 1 - Yes odsScanExecutables 0 # Determines whether some paths (either files or directories) will be excluded # from scanning.
  • Page 181 APPENDIX G Config Files # Determines whether some files can be excluded from scanning. Please note # that the files specified here are excluded from scanning even if they would # be included in scanning according to what is defined in the other scanning # settings # Possible values: # 0 - Disabled...
  • Page 182 # recommended to set this value too high as this will make the product more # vulnerable to DoS (Denial of Service) attacks. If an archive has more nested # levels than the limit, a scan error is generated. odsFileMaximumNestedArchives 5 # Define whether MIME encoded data should be scanned for malicious content.
  • Page 183 APPENDIX G Config Files # Possible values: # 0 - No # 1 - Yes odsFileIgnorePasswordProtected 1 # Defines what happens when the first infection is found inside an archive. If # set to ‘Yes’, scanning will stop on the first infection. Otherwise the whole # archive is scanned.
  • Page 184 # 3 - Rename # 4 - Delete # 5 - Abort scan # 6 - Custom odsFilePrimaryActionOnInfection 2 # If “Custom” is chosen as the primary action, the custom action must be # specified here. Please note that the custom action will be executed as the # super user of the system so consider and check carefully the command you # specify.
  • Page 185 APPENDIX G Config Files # 3 - Rename # 4 - Delete # 5 - Abort scan # 6 - Custom odsFileSecondaryActionOnInfection 3 # If “Custom” is chosen as the secondary action, the custom action must be # specified here. Please note that the custom action will be executed as the # super user of the system so consider and check carefully the command you # specify.
  • Page 186 odsFilePrimaryActionOnSuspected 1 # Specify the secondary action to take when suspected infection is detected # and the primary action has failed. # Possible values: # 0 - Do nothing # 1 - Report only # 3 - Rename # 4 - Delete odsFileSecondaryActionOnSuspected 0 # Set this on to report and handle riskware detections.
  • Page 187 APPENDIX G Config Files # Type of riskware that should not be detected. odsExcludedRiskware ; # Specify the primary action to take when riskware is detected. # Possible values: # 0 - Do nothing # 1 - Report only # 3 - Rename # 4 - Delete odsFilePrimaryActionOnRiskware 1 # Specify the secondary action to take when riskware is detected and the...
  • Page 188 # 1 - Report only # 3 - Rename # 4 - Delete odsFileSecondaryActionOnRiskware 0 # Defines the upper limit for the time used for scanning a file (1 second # resolution). A recommended upper limit would be, for example, 1 minute. odsFileScanTimeout 60 # Specify the action to take after a scan timeout has occurred.
  • Page 189 APPENDIX G Config Files # each action. # Possible values: # 0 - No # 1 - Yes odsAskQuestions 1 # Read files to scan from from standard input. # Possible values: # 0 - No # 1 - Yes odsInput 0 # Print out all the files that are scanned, together with their status.
  • Page 190 odsList 0 # Should infected filenames be printed as they are or should potentially # dangerous control and escape characters be removed. # Possible values: # 0 - No # 1 - Yes odsRaw 0 # In standalone mode a new fsavd daemon is launched for every client. Usually # you do not want this because launching the daemon has considerable overhead.
  • Page 191 APPENDIX G Config Files # If “No”, fsav command line client does not follow symlinks. If “Yes”, # symlinks are followed. This affects e.g. scanning a directory containing # symlinks pointing to files outside of the directory. # Possible values: # 0 - No # 1 - Yes odsFollowSymlinks 0...
  • Page 192 # 0 - No # 1 - Yes odsShort 0 # If this setting is on, file access times are not modified when they are # scanned. If a file is modified due to disinfection, then both access and # modify times will change. # Possible values: # 0 - No # 1 - Yes...
  • Page 193

    odsFileIgnoreMimeDecodeErrors 0
    # Defines how partial MIME messages should be handled. If set to ‘Yes’,
    # partial MIME messages are considered safe and access is allowed. Partial
    # MIME messages cannot reliably be unpacked and scanned.
    # Possible values:
    # 0 - No
    # 1 - Yes
    ...
  • Page 194

    # Do not scan files equal or larger than 2 GB (2,147,483,648 bytes). If this
    # option is not set an error will be reported for large files.
    # Possible values:
    # 0 - No
    # 1 - Yes
    odsFileSkipLarge 0
    # If “On”, the Libra scanning engine is used for scanning files.
  • Page 195

    # If “On”, the AVP scanning engine is used for scanning files. If “Off”, AVP
    # is not used.
    # Possible values:
    # 0 - Off
    # 1 - On
    odsUseAVP 1
    # F-Secure internal. Do not touch.
    daemonAvpFlags 0x08D70002
    ...
  • Page 196

    # Set this on to enable riskware scanning with the AVP scan engine. If you set
    # this off, riskware scanning is not available for clients.
    # Possible values:
    # 0 - Off
    # 1 - On
    odsAVPRiskwareScanning 1
    # Maximum size of MIME message. Files larger than this are not detected as
    # MIME messages.
  • Page 197

    # F-Secure Internal. Do not change. This is the directory where in-use
    # databases are kept.
    daemonDatabaseDirectory /var/opt/f-secure/fssp/databases
    # F-Secure internal. Do not change. This is the directory into which new
    # databases are stored before they are taken into use.
    daemonUpdateDirectory /var/opt/f-secure/fssp/update
    ...
  • Page 198

    # engine libraries are loaded.
    daemonEngineDirectory /opt/f-secure/fssp/lib
    # If “Yes”, fsavd writes a log file. If “No”, no log file is written.
    # Possible values:
    # 0 - No
    # 1 - Yes
    daemonLogfileEnabled 0
    # Log file location:
    #   stderr - write log to standard error stream
    #   syslog - write log to syslog facility
    #   Anything else is interpreted as a filename to write log into.
  • Page 199

    daemonMaxScanProcesses 4
    # FSAV will add the current user-id to the path to make it possible for
    # different users to run independent instances of the server.
    daemonSocketPath /tmp/.fsav
    # Octal number specifying the mode (permissions) of the daemon socket. See
    # chmod(1) and chmod(2) unix manual pages.
  • Page 200

    # Syslog facility to use when logging to syslog.
    # Possible values:
    # auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user,
    # uucp, local0, local1, local2, local3, local4, local5, local6, local7
    daemonSyslogFacility daemon
    ...
  • Page 201

    # 5 - Warning
    # 6 - Notice
    # 7 - Info
    # 8 - Debug
    # 9 - Everything
    debugLogLevel 0
    # Specify the full name of the debug logfile.
    debugLogFile /var/opt/f-secure/fssp/fssp.log
    # The keycode entered during installation.
    licenseNumber unset
    ...
  • Page 202

    /opt/f-secure/fssp
    # Unix time() when installation done.
    installationTimestamp 0
    # F-Secure internal. Do not change. Text to be printed every day during
    # evaluation use.
    naggingText EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.\nTo purchase license, please check http://www.F-Secure.com/purchase/\n
    # F-Secure internal.
  • Page 203: Technical Support

    Technical Support
    Introduction, page 202
    F-Secure Online Support Resources, page 202
    Web Club, page 203
    Virus Descriptions on the Web, page 203
    ...
  • Page 204: Introduction

    If you have questions about F-Secure Anti-Virus Linux Server Security not covered in this manual or on the F-Secure support web pages, you can contact your local F-Secure distributor or F-Secure Corporation directly.
  • Page 205: Web Club

    Logfile from the machines running F-Secure products.

    Web Club

    The F-Secure Web Club provides assistance and updated versions of F-Secure products. To connect to the Web Club directly from within your Web browser, go to: http://www.F-Secure.com/anti-virus/webclub/corporate/

    Virus Descriptions on the Web

    F-Secure Corporation maintains a comprehensive collection of virus-related information on its Web site.