Operation Principle 5.3.2; Installation And Configuration; Tips - ESET FILE SECURITY - FOR LINUX BSD AND SOLARIS Installation Manual


5.3.1
Operation principle
The On-access scanner libesets_pac.so (ESETS Preload library based file Access Controller) is a shared object library which is
activated at system start-up. This library is used for LIBC calls by file system servers such as FTP server, Samba server, etc. Every
file system object is scanned based on customizable file access event types. The following event types are supported by the
current version:
Open events
This file access type is activated if the word 'open' is present in the 'event_mask' parameter in the esets.cfg file ([pac] section).
Close events
This file access type is activated if the word 'close' is present in the 'event_mask' parameter in the esets.cfg file ([pac] section).
In this case, all file descriptor and FILE stream close functions of the LIBC are intercepted.
Exec events
This file access type is activated if the word 'exec' is present in the 'event_mask' parameter in the esets.cfg file ([pac] section). In
this case, all exec functions of the LIBC are intercepted.
All opened, closed and executed files are scanned by the ESETS daemon for viruses. Based on the result of such scans, access
to given files is denied or allowed.
5.3.2

Installation and configuration

The libesets_pac.so library module is installed using the standard installation mechanism for preloaded libraries. You only
need to define the environment variable 'LD_PRELOAD' with the absolute path to the libesets_pac.so library. For more information,
please refer to the ld.so(8) man page.
NOTE: It is important that the 'LD_PRELOAD' environment variable is defined only for the network server daemon processes
(ftp, Samba, etc.) that will be under control of the On-access scanner. Generally, preloading LIBC calls for all operating system
processes is not recommended, as this can dramatically slow the performance of the system or even cause the system to hang. For
this reason, the '/etc/ld.so.preload' file should not be used, nor should the 'LD_PRELOAD' environment variable be exported
globally. Both would override all relevant LIBC calls, which could lead to system hang-up during initialization.
To ensure that only relevant file access calls within a given file system are intercepted, executable statements can be
overridden using the following line:
LD_PRELOAD=/usr/lib/libesets_pac.so COMMAND COMMAND-ARGUMENTS
where 'COMMAND COMMAND-ARGUMENTS' is the original executable statement.
Review and edit the [global] and [pac] sections of the ESETS configuration file (esets.cfg). In order for the On-access scanner to
function correctly, you must define the file system objects (i.e. directories and files) that are required to be under control of the
preload library. This can be achieved by defining the parameters of the 'ctl_incl' and 'ctl_excl' options in the [pac] section of the
ESETS configuration file. After making changes to the esets.cfg file, you can force the newly created configuration to be re-read by
reloading the ESETS daemon.
5.3.3

Tips

In order to activate the On-access scanner immediately after file system start-up, the 'LD_PRELOAD' environment variable must
be defined within the appropriate network file server initialization script.
Example: Let's assume we want the On-access scanner to monitor all file system access events immediately after
starting the Samba server. Within the Samba daemon initialization script (/etc/init.d/smb), we would replace the statement
daemon /usr/sbin/smbd $SMBDOPTIONS
with the following line:
LD_PRELOAD=/usr/lib/libesets_pac.so daemon /usr/sbin/smbd $SMBDOPTIONS
In this way, selected file system objects controlled by Samba will be scanned at system start-up.
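
A check for the setup described in 5.3.2 and 5.3.3, as an added example that is not part of the ESET manual: it flags a system-wide preload of libesets_pac.so and confirms that the daemon's init script sets LD_PRELOAD on its own start line. The function names, the list of global environment files and the /proc/PID/maps check (Linux only) are assumptions of this example; the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the ESET manual): audit how libesets_pac.so is preloaded.
LIB=/usr/lib/libesets_pac.so   # library path as used in the manual's examples

# 0 if the library is preloaded system-wide, which the manual advises against.
# $1 = filesystem root to inspect ("/" on a live host).
global_preload() {
    root=${1%/}
    # /etc/ld.so.preload applies to every dynamically linked process.
    if grep -qs 'libesets_pac\.so' "$root/etc/ld.so.preload"; then return 0; fi
    # Assumption: these are the usual places a global export would live.
    for f in "$root/etc/environment" "$root/etc/profile" "$root"/etc/profile.d/*.sh; do
        [ -f "$f" ] || continue
        if grep -Eqs '^[[:space:]]*(export[[:space:]]+)?LD_PRELOAD=.*libesets_pac\.so' "$f"
        then return 0; fi
    done
    return 1
}

# 0 if the init script sets LD_PRELOAD on the daemon's own start line.
# $1 = init script, $2 = daemon binary
script_preloads() {
    grep -Eqs "^[[:space:]]*LD_PRELOAD=$LIB[[:space:]].*$2" "$1"
}

# 0 if a running process has the library mapped (Linux /proc only).
# $1 = PID of the daemon
pid_has_lib() {
    grep -qs 'libesets_pac\.so' "/proc/$1/maps"
}

# Build a constructed sample tree under $1 with the per-daemon preload in place.
make_sample_root() {
    mkdir -p "$1/etc/init.d"
    printf '%s\n' "LD_PRELOAD=$LIB daemon /usr/sbin/smbd \$SMBDOPTIONS" > "$1/etc/init.d/smb"
}

# Print a short report for root $1, init script $2, daemon $3.
audit() {
    if global_preload "$1"; then echo "FAIL: global preload"; else echo "ok: no global preload"; fi
    if script_preloads "$2" "$3"; then echo "ok: $3 started with LD_PRELOAD"
    else echo "FAIL: $3 not started with LD_PRELOAD"; fi
}

tmp=$(mktemp -d)
make_sample_root "$tmp"
audit "$tmp" "$tmp/etc/init.d/smb" /usr/sbin/smbd
rm -rf "$tmp"
```

On a live host, run `audit / /etc/init.d/smb /usr/sbin/smbd` and then `pid_has_lib` with the smbd PID to confirm the running daemon has the library mapped.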