This chapter describes the On-demand and On-access scanner configuration which will
provide the most effective protection from virus and worm file system infections. ESET File
Security's scanning power is derived from the On-demand scanner command 'esets_scan' and
the On-access scanner command 'esets_dac'. The Linux version of ESET File Security offers an
additional On-access scanner technique which uses the preloaded library module
libesets_pac.so. All of these commands are described in the following sections.
5.1. On-demand scanner
The On-demand scanner can be invoked by a privileged user (usually a system administrator)
through the command line interface or by the operating system's automatic scheduling tool
(e.g., cron). Thus, the term "On-demand" refers to file system objects which are scanned on user
or system demand.
The On-demand scanner does not require special configuration in order to run. After the
ESETS package has been properly installed and a valid license has been moved to the license
keys directory (@ETCDIR@/license), the On-demand scanner can be run immediately using the
command line interface or scheduler tool. To run the On-demand scanner from the command
line, use the following syntax:
@SBINDIR@/esets_scan [option(s)] FILES
where FILES is a list of directories and/or files to be scanned.
Multiple command line options are available using ESETS On-demand scanner. To see the full
list of options, please see the esets_scan(8) man page.
5.2. On-access scanner powered by Dazuko
The On-access scanner is invoked by user(s) access and/or operating system access to file
system objects. This also explains the term "On-access"; the scanner is triggered on any attempt
to access a selected file system object.
The technique used by ESETS On-access scanner is powered by the Dazuko (da-tzu-ko) kernel
module and is based on the interception of kernel calls. The Dazuko project is open source,
which means that its source code is freely distributed. This allows users to compile the kernel
module for their own custom kernels. Note that the Dazuko kernel module is not a part of any
ESETS product and must be compiled and installed into the kernel prior to using the On-access
command esets_dac. On the other hand, the Dazuko technique makes On-access scanning
independent of the file system type used. It is also suitable for controlling file system objects via
Network File System (NFS), Netatalk and Samba.
IMPORTANT: Before we provide detailed information related to the On-access scanner's
configuration and operation, it should be noted that the scanner has been primarily developed
and tested to protect file systems mounted externally. If there are multiple file systems which are
not externally mounted, they will need to be excluded from file access control in order to prevent
system hang-up. An example of a typical directory to be excluded is the '/dev' directory and any
directories used by ESETS.
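The note above separates externally mounted file systems from local ones. The following added example (not part of the ESET manual or product) classifies entries in /proc/mounts format so that the local mount points can be reviewed as exclusion candidates. The list of network file system types, the sample mount table and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: split a mount table into external (network) and local entries.
# Assumption: file system types treated as "externally mounted".
NET_FS_TYPES="nfs nfs4 cifs smbfs smb3"

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
filer:/export/home /srv/nfs/home nfs4 rw,vers=4.1 0 0
//fs01/share /srv/smb/team\040share cifs rw,vers=3.0 0 0
/dev/sdb1 /var/lib/data xfs rw 0 0'

# classify_mounts: read mount-table lines on stdin and print
# "<external|local> <fstype> <mountpoint>" for each entry.
classify_mounts() {
    awk -v types="$NET_FS_TYPES" '
    BEGIN {
        n = split(types, t, " ")
        for (i = 1; i <= n; i++) net[t[i]] = 1
    }
    NF >= 3 && $1 !~ /^#/ {
        mp = $2
        gsub(/\\040/, " ", mp)   # the mount table encodes a space as \040
        kind = ($3 in net) ? "external" : "local"
        printf "%s %s %s\n", kind, $3, mp
    }'
}

# exclusion_candidates: mount points of file systems that are not externally
# mounted, i.e. the ones the note above says to exclude from access control.
exclusion_candidates() {
    classify_mounts | awk '$1 == "local" { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# protected_mounts: externally mounted file systems that stay under control.
protected_mounts() {
    classify_mounts | awk '$1 == "external" { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# Runs on the sample; on a live host use: exclusion_candidates < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | exclusion_candidates
```

The output is a review list only; how exclusions are entered in the ESETS configuration is not covered by this example.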
5.2.1. Operation principle
The On-access scanner esets_dac (ESETS Dazuko-powered file Access Controller) is a resident