On-Access Scanner Powered By Dazuko; Operation Principle - ESET NOD32 ANTIVIRUS - FOR LINUX-BSD FILE SERVER Installation Manual


of the NOD32LFS/NOD32BFS product and thus it must be compiled and installed into the kernel prior to
initialization of the NOD32 on-access scanner (nod32dac daemon). On the other hand, the Dazuko technique makes
on-access scanning independent of the file system type in use. It is also suitable for controlling file system
objects accessed via Network File System (NFS), Netatalk and Samba.
Installing the additional Dazuko module may be undesirable for Linux system administrators who maintain
critical systems where the source code and/or configuration file for the currently running kernel
is not available, or where the kernel is monolithic rather than modular. In this case the second on-access scanning
technique discussed, based on the preloaded LIBC library, comes in handy.
IMPORTANT: Before giving detailed information on on-access scanner configuration and operation,
we would like to point out that no NOD32 on-access scanner is intended to protect the
whole file system of the host where it is installed. It has been developed and tested primarily to protect file systems
mounted externally. If this is not your case, you will have to exclude multiple directories from file access control
to prevent the system from hanging. Typical directories to exclude in this case are the '/dev' directory and the
directories used by NOD32LFS/NOD32BFS.

4.2.1. On-access scanner powered by Dazuko

This section describes the operation, installation and configuration of the on-access scanner
that uses the Dazuko kernel module.

4.2.1.1. Operation principle

The on-access scanner 'nod32dac' (NOD32 Dazuko powered file Access Controller) is a resident program (daemon)
that provides permanent monitoring and control over the file system. Each file system object is scanned
upon a customizable file access event triggered by the user and/or the operating system. The following file access
types are supported by the current version:
ON_OPEN events
This file access type is controlled when the first bit of the integer parameter 'event_mask' in the main NOD32
configuration file (section [dac]) is 1. In this case the ON_OPEN bit of the Dazuko access mask is set.
ON_CLOSE events
This file access type is controlled when the second bit of the integer parameter 'event_mask' in the main NOD32
configuration file (section [dac]) is 1. In this case the ON_CLOSE bit and the ON_CLOSE_MODIFIED bit of the Dazuko
access mask are set.
Note that some kernel versions do not support interception of ON_CLOSE events. In this case problems
may occur when running the nod32dac module.
ON_EXEC events
This file access type is controlled when the third bit of the integer parameter 'event_mask' in the main NOD32
configuration file (section [dac]) is 1. In this case the ON_EXEC bit of the Dazuko access mask is set.
With this mechanism, all opened, closed and executed regular files are scanned for viruses by the daemon nod32d.
Based on the result of the scan, access to the file is denied or allowed.
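
The following Python code is an added example, not part of the ESET manual or product: it decodes the 'event_mask' parameter from the [dac] section as described above and reports which access events are left uncontrolled. It assumes that "first bit" means the least significant bit and that the value is written as a decimal integer; the sample configuration and the function name audit_event_mask are constructed for illustration.

```python
import configparser

# Mapping taken from the manual text above. Assumption: "first bit" means the
# least significant bit (value 1); the page gives no numeric values.
EVENT_BITS = [
    ("ON_OPEN", ["ON_OPEN"]),
    ("ON_CLOSE", ["ON_CLOSE", "ON_CLOSE_MODIFIED"]),
    ("ON_EXEC", ["ON_EXEC"]),
]

# Constructed sample of the main configuration file, [dac] section only.
SAMPLE_CONFIG = "[dac]\nevent_mask = 5\n"


def audit_event_mask(config_text):
    """Decode [dac] event_mask and report controlled and uncontrolled events."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(config_text)
    if not parser.has_option("dac", "event_mask"):
        raise ValueError("event_mask not found in section [dac]")
    raw = parser.get("dac", "event_mask").strip()
    try:
        mask = int(raw)  # assumption: decimal notation
    except ValueError:
        raise ValueError(f"event_mask is not an integer: {raw!r}") from None
    if mask < 0:
        raise ValueError("event_mask must not be negative")

    report = {"mask": mask, "controlled": [], "dazuko_flags": [],
              "not_controlled": [], "warnings": []}
    for bit, (event, flags) in enumerate(EVENT_BITS):
        if mask >> bit & 1:
            report["controlled"].append(event)
            report["dazuko_flags"].extend(flags)  # Dazuko access mask bits set
        else:
            report["not_controlled"].append(event)

    if mask >> len(EVENT_BITS):
        report["warnings"].append("bits above the third are set; the manual does not describe them")
    if "ON_CLOSE" in report["controlled"]:
        report["warnings"].append("ON_CLOSE is not intercepted by some kernel versions")
    if not report["controlled"]:
        report["warnings"].append("no file access event is controlled")
    return report


if __name__ == "__main__":
    print(audit_event_mask(SAMPLE_CONFIG))
```

With the constructed sample (event_mask = 5), ON_OPEN and ON_EXEC are controlled and ON_CLOSE is not, so a file written to the share is scanned only when it is next opened or executed.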
chapter 4 / Integration with Linux/BSD File System