On-Access Scanner Using Preload Libc Library; Operation Principle - ESET FILE SECURITY Installation Manual


initialization statement, insert the following line:
/sbin/modprobe dazuko
For BSD OS's the line
/sbin/kldconfig dazuko
must be inserted into the '/usr/local/etc/rc.d/esets_daemon.sh' script.
Warning! It is extremely important that these steps be executed in the exact order given. If the
kernel module is not located within the kernel modules directory, 'modprobe' (resp. 'kldload' on
BSD OS) will not load the module properly, resulting in a system hang-up.

5.3. On-access scanner using preload LIBC library

In previous sections we described the integration of the On-access scanner powered by
Dazuko with Linux/BSD file system services. In this section we would like to point out that the
technique using Dazuko may not be desired by system administrators who maintain critical
systems where:

- The source code and/or configuration files related to the currently running kernel are not
  available
- The kernel is more monolithic than modular
- The Dazuko module simply does not support the given OS

In any of these cases, the On-access scanning technique based on the preload LIBC library
should be used. See section 5.3.1 below for detailed information. Please note that this section is
relevant only for Linux OS users and contains information regarding the operation, installation
and configuration of the On-access scanner using the preload library 'libesets_pac.so'.

5.3.1. Operation principle

The On-access scanner libesets_pac.so (ESETS Preload library-based file Access Controller) is a
preloaded shared-object library which is activated at system start-up. This library is used by
file system servers (such as FTP servers, Samba servers etc.) to intercept their LIBC calls. Every
file system object is scanned based on customizable file access event types. The following event
types are supported by the current version:

open events
This file access type is activated if the word 'open' is present in the 'event_mask' parameter
in the eset.cfg file ([pac] section).

close events
This file access type is activated if the word 'close' is present in the 'event_mask' parameter in
the eset.cfg file ([pac] section). In this case, all file descriptor and FILE stream close functions of
the LIBC are intercepted.

exec events
This file access type is activated if the word 'exec' is present in the 'event_mask' parameter in
the eset.cfg file ([pac] section). In this case, all exec functions of the LIBC are intercepted. All opened,
18
ESET File Security
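The operation principle above, as an added example in C that is not ESET's code (the manual does not show the internals of libesets_pac.so): a preload-style hook that shadows fopen(), reads the 'event_mask' words of a [pac] section, asks a stand-in scanner and refuses an infected object with EACCES, with the same pattern applying to the other open, close and exec functions the section lists. The configuration text, the marker string that stands for an infection, the /tmp paths and the raw-syscall pass-through (used so the hook does not call itself) are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { EV_OPEN = 1, EV_CLOSE = 2, EV_EXEC = 4 };  /* the event types the manual lists */
static const char PAC_CFG[] = "[pac]\nevent_mask = \"open close\"\n";  /* constructed config */
static const char BAD_MARKER[] = "X-CONSTRUCTED-MALWARE";  /* constructed "infected" marker */
static int pac_event_mask = -1;  /* -1: eset.cfg not parsed yet */
/* Turn the words on the event_mask line of the [pac] section into a bit mask. */
int pac_parse_event_mask(const char *cfg) {
    int mask = 0;
    const char *p = strstr(cfg, "event_mask");
    if (!p) return 0;
    for (p += strlen("event_mask"); *p && *p != '\n'; p += strcspn(p, " =\"\t\n")) {
        p += strspn(p, " =\"\t");  /* skip '=', quotes and blanks */
        size_t n = strcspn(p, " =\"\t\n");
        if (n == 4 && !strncmp(p, "open", 4)) mask |= EV_OPEN;
        else if (n == 5 && !strncmp(p, "close", 5)) mask |= EV_CLOSE;
        else if (n == 4 && !strncmp(p, "exec", 4)) mask |= EV_EXEC;
    }
    return mask;
}
/* Scanner stand-in: "infected" = starts with BAD_MARKER; the raw syscall avoids re-entering fopen(). */
static int pac_is_clean(const char *path) {
    char head[32];
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 1;  /* nothing to scan (e.g. the file is only being created) */
    ssize_t n = read(fd, head, sizeof head);
    close(fd);
    return n < (ssize_t)(sizeof BAD_MARKER - 1) || memcmp(head, BAD_MARKER, sizeof BAD_MARKER - 1) != 0;
}
/* Interposed fopen(): in the preloaded .so this definition shadows LIBC's fopen() process-wide. */
FILE *fopen(const char *path, const char *mode) {
    if (pac_event_mask < 0) pac_event_mask = pac_parse_event_mask(PAC_CFG);
    if ((pac_event_mask & EV_OPEN) && !pac_is_clean(path)) { errno = EACCES; return NULL; }
    int flags = mode[0] == 'w' ? O_WRONLY | O_CREAT | O_TRUNC : O_RDONLY;  /* "r"/"w" only here */
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, flags, 0666);  /* the real open */
    return fd < 0 ? NULL : fdopen(fd, mode);
}
/* Demo: returns 1 when a clean file opens and an infected one is refused with EACCES. */
int pac_demo(void) {
    const char *clean = "/tmp/pac_clean.txt", *bad = "/tmp/pac_infected.txt";
    unlink(clean); unlink(bad);  /* start fresh on every run */
    FILE *f = fopen(clean, "w"); if (!f) return 0; fputs("hello\n", f); fclose(f);
    f = fopen(bad, "w"); if (!f) return 0; fputs(BAD_MARKER, f); fclose(f);
    f = fopen(clean, "r"); if (!f) return 0; fclose(f);
    return fopen(bad, "r") == NULL && errno == EACCES;
}
```

Because the word 'close' is in the constructed mask but no close function is hooked here, the example also shows why each event type needs its own set of interposed LIBC functions.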
