Integration With File System Services; On-Demand Scanner; On-Access Scanner Powered By Dazuko; Operation Principle 5.2.2 - ESET FILE SECURITY - FOR LINUX BSD AND SOLARIS Installation Manual


5. Integration with File System services

This chapter describes the On-demand and On-access scanner configuration which will provide the most effective protection
from virus and worm file system infections. ESET File Security's scanning power is derived from the On-demand scanner
command 'esets_scan' and the On-access scanner command 'esets_dac'. The Linux version of ESET File Security offers an
additional On-access scanner technique which uses the preloaded library module libesets_pac.so. All of these commands are
described in the following sections.
Warning! Novell Storage Services (NSS) break common Unix security principles the scanner relies on when limiting privileges.
This results in no threat detection on NSS mounted volumes. If you have such a mounted volume, set the 'esets_user' parameter to
'root' in the ESETS configuration file and restart the ESETS daemon.

5.1 On-demand scanner

The On-demand scanner can be invoked by a privileged user (usually a system administrator) through the command line
interface or web interface, or by the operating system's automatic scheduling tool (e.g., cron). Thus, the term On-demand refers to
file system objects which are scanned on user or system demand.
The On-demand scanner does not require special configuration in order to run. After the ESETS package has been properly
installed and a valid license has been moved to the license keys directory (@ETCDIR@/license), the On-demand scanner can be
run immediately using the command line interface or the Scheduler tool. To run the On-demand scanner from the command line,
use the following syntax:
@SBINDIR@/esets_scan [option(s)] FILES
where FILES is a list of directories and/or files to be scanned.
Multiple command line options are available for the ESETS On-demand scanner. To see the full list of options, please see the
esets_scan(8) man page.

5.2 On-access scanner powered by Dazuko

The On-access scanner is invoked by user(s) access and/or operating system access to file system objects. This also explains
the term On-access; the scanner is triggered on any attempt to access a selected file system object.
The technique used by the ESETS On-access scanner is powered by the Dazuko (da-tzu-ko) kernel module and is based on the
interception of kernel calls. The Dazuko project is open source, which means that its source code is freely distributed. This
allows users to compile the kernel module for their own custom kernels. Note that the Dazuko kernel module is not a part of any
ESETS product and must be compiled and installed into the kernel prior to using the On-access command esets_dac. On the other
hand, the Dazuko technique makes On-access scanning independent from the file system type used. It is also suitable for
scanning of file system objects via Network File System (NFS), Netatalk and Samba.
Important: Before we provide detailed information related to On-access scanner configuration and use, it should be noted
that the scanner has been primarily developed and tested to protect externally mounted file systems. In the case of multiple file
systems that are not externally mounted, you will need to exclude them from file access control in order to prevent system hang
ups. An example of a typical directory to exclude is the '/dev' directory and any directories used by ESETS.
5.2.1 Operation principle

The On-access scanner esets_dac (ESETS Dazuko-powered file Access Controller) is a resident program which provides
continuous monitoring and control over the file system. Every file system object is scanned based on customizable file access
event types. The following event types are supported by the current version:
Open events
To activate this file access type, set the value of the 'event_mask' parameter to open in the [dac] section of the esets.cfg file.
This will enable the ON_OPEN bit of the Dazuko access mask.
Close events
To activate this file access type, set the value of the 'event_mask' parameter to close in the [dac] section of the esets.cfg file.
This will enable the ON_CLOSE and ON_CLOSE_MODIFIED bits of the Dazuko access mask.
NOTE: Some OS kernel versions do not support the interception of ON_CLOSE events. In these cases, close events will not be
monitored by esets_dac.
Exec events
To activate this file access type, set the value of the 'event_mask' parameter to exec in the [dac] section of the esets.cfg file. This
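The following added example (not code from the manual or from ESET) translates an esets.cfg-style [dac] event_mask setting into the Dazuko access-mask bits the section above describes, and reports the caveats an administrator should check before relying on the configuration. It assumes an INI-like esets.cfg layout with ':'-separated keywords, the bit values from Dazuko's dazukoio.h header, and that exec maps to ON_EXEC (the manual's exec paragraph is cut off on this page).

```python
"""Map the [dac] event_mask of an esets.cfg-style file to Dazuko access-mask bits."""
import configparser

# Dazuko access-mask bit values as found in dazukoio.h (assumed here; confirm
# against the header of the Dazuko version compiled for your kernel).
ON_OPEN = 1
ON_CLOSE = 2
ON_EXEC = 4
ON_CLOSE_MODIFIED = 8

# event_mask keyword -> bits enabled, per section 5.2.1: open -> ON_OPEN,
# close -> ON_CLOSE | ON_CLOSE_MODIFIED; exec -> ON_EXEC is an assumption.
EVENT_BITS = {
    "open": ON_OPEN,
    "close": ON_CLOSE | ON_CLOSE_MODIFIED,
    "exec": ON_EXEC,
}


def dazuko_mask(cfg_text):
    """Return (mask, warnings) for the [dac] event_mask found in cfg_text.

    Keywords may be separated by ':' or whitespace; quotes around the value
    are tolerated. Unknown keywords are reported and ignored.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    raw = cp.get("dac", "event_mask", fallback="").strip().strip('"')
    mask, warnings = 0, []
    for word in raw.replace(":", " ").split():
        bit = EVENT_BITS.get(word.lower())
        if bit is None:
            warnings.append("unknown event_mask keyword '%s' ignored" % word)
            continue
        if word.lower() == "close":
            # Some kernels cannot intercept ON_CLOSE; esets_dac then skips them.
            warnings.append("close events are not interceptable on some kernels")
        mask |= bit
    if mask == 0:
        warnings.append("event_mask enables no Dazuko events; no on-access scanning")
    return mask, warnings


# Constructed sample fragment, not a real esets.cfg.
SAMPLE_CFG = '[dac]\nevent_mask = "open:close"\n'

if __name__ == "__main__":
    mask, warns = dazuko_mask(SAMPLE_CFG)
    print("Dazuko access mask: 0x%02x" % mask)
    for line in warns:
        print("warning:", line)
```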