manualshive.com logo in svg

F-SECURE LINUX SECURITY, Manual, Page: 40 / 219

Share
Download
F-SECURE LINUX SECURITY Manual Download Page 40

Solomon

Symantec

TrendMicro

UNIX

VBA

VBS

Win16

Win32

Wintol

ZenoSearch

Rootkits

Rootkits are programs that make other

malware

difficult to find.

Rootkit programs subvert the control of the operating system from its legitimate functions. Usually,
a rootkit tries to obscure its installation and prevent its removal by concealing running processes,
files or system data from the operating system. In general, rootkits do this to hide malicious
activity on the computer.

Protection Against Userspace Rootkits

If an attacker has gained an access to the system and tries to install a userspace rootkit by
replacing various system utilities,

HIPS

detects modified system files and alerts the administrator.

Protection Against Kernel Rootkits

If an attacker has gained an access to the system and tries to install a kernel rootkit by loading
a kernel module for example through

 /sbin/insmod

or

 /sbin/modprobe

,

HIPS

detects

the attempt, prevents the unknown kernel module from loading and alerts the administrator.

If an attacker has gained an access to the system and tries to install a kernel rootkit by modifying
the running kernel directly via /dev/kmem, HIPS detects the attempt, prevents write attempts
and alerts the administrator.

Stopping Viruses and Other Malware

The product protects the computer from programs that may damage files, steal personal
information or use it for illegal purposes.

By default, the product protects the computer from

malware

in real time in the background. The

computer is protected from

malware

all the time.

40

| F-Secure Linux Security | Using the Product

Summary of Contents for LINUX SECURITY

Page 1: ...F Secure Linux Security...

Page 2: ......

Page 3: ...ter 2 Deployment 11 Deployment on Multiple Stand alone Linux Workstations 12 Deployment on Multiple Centrally Managed Linux Workstations 12 Central Deployment Using Image Files 12 Chapter 3 Installati...

Page 4: ...34 I Want to 34 Scanning for Viruses 37 What are Viruses and Other Malware 37 Stopping Viruses and Other Malware 40 Methods of Protecting the Computer from Malware 42 Firewall Protection 50 What Is a...

Page 5: ...es 74 Appendix A Command Line Tools 77 fsav 78 fsav config 78 dbupdate 80 fsfwc 80 fsic 81 fsims 81 fsma 82 fssetlanguage 83 fschooser 83 Appendix B Before You Install 85 64 bit Distributions 86 Distr...

Page 6: ...Scheduled Scanning 99 Manual Scanning 100 Firewall 105 General Settings 105 Rules 106 Network Services 106 Integrity Checking 107 Known Files 107 Rootkit Prevention 107 General Settings 108 Communicat...

Page 7: ...eal time antivirus and riskware protection and a host intrusion prevention HIPS functionality that provides protection against unauthorized connection attempts from network unauthorized system modific...

Page 8: ...onfigured to scan a limited set of files the manual scanning can be used to scan the full system or you can use the scheduled scanning to scan the full system at regular intervals Automatic Updates ke...

Page 9: ...nts write attempts and alerts the administrator Key Features and Benefits The product offers superior protection against viruses and worms and is transparent to end users Superior Protection against V...

Page 10: ...ot possible to install for example a trojan version of a software The administrator can define that all Linux kernel modules are verified before the modules are allowed to be loaded An alert is sent t...

Page 11: ...Chapter 2 Deployment Topics Deployment on Multiple Stand alone Linux Workstations Deployment on Multiple Centrally Managed Linux Workstations Central Deployment Using Image Files...

Page 12: ...few Linux computers the web user interface can be used to manage Linux workstations instead of F Secure Policy Manager Deployment on Multiple Centrally Managed Linux Workstations If computers are mana...

Page 13: ...nly hosts on which the image file will be installed should be imported 3 Run the following command etc init d fsma clearuid The utility program resets the Unique ID in the product installation 4 Shut...

Page 14: ......

Page 15: ...Chapter 3 Installation Topics System Requirements Stand alone Installation Centrally Managed Installation Upgrading Custom Installations Creating a Backup Uninstallation...

Page 16: ...8 04 LTS Hardy Heron The following 64 bit AMD64 EM64T distributions are supported with 32 bit compatibility packages Asianux 2 0 Asianux Server 3 0 Debian 4 0 Fedora Core 7 Red Hat Enterprise Linux 4...

Page 17: ...Firefox browsers Note About Dazuko Version The product needs the Dazuko kernel module for the real time virus protection integrity checking and rootkit protection Dazuko is an open source kernel modu...

Page 18: ...ks are added to the crontab when they are created Network Resources When running the product reserves the following IP ports Comment Port Protocol Interface Web User Interface internal communication p...

Page 19: ...he following command to extract the installation file tar zxvf f secure linux security version build tgz 2 Make sure that the installation file is executable chmod a x f secure linux security version...

Page 20: ...products Use the Advanced mode You will need to install the product using an account with root privileges 1 Copy the installation file to your hard disk Use the following command to extract the instal...

Page 21: ...all alerts generated with the earlier version Manual scanning scheduled scanning and database update settings have changed in version 5 30 and later If you have modified these settings before the upg...

Page 22: ...he following directories and files to uninstall it opt f secure fsav var opt f secure fsav etc opt f secure fsav usr bin fsav usr share man man1 fsav 1 usr share man man5 fsav conf 5 usr share man man...

Page 23: ...for Custom Installation The RPM files can be extracted from the installation package if you need to create a custom installation package The product installation package is a self extracting package w...

Page 24: ...the local account to use for the web user interface login user USER Turn on the kernel module verification kernelverify Turn off the kernel module verification nokernelverify Specify the passphrase f...

Page 25: ...le for detailed descriptions of the available settings Using The Product With Samba Servers The product can protect the whole Samba server in addition to the data on shared directories All the protect...

Page 26: ...n that you want to administer 2 Select Linux Security 7 00 and open the Firewall tab 3 In the Rules section check that you have the security level you want to edit 4 Click Add Before 5 In the Rule Wiz...

Page 27: ...f secure tar xpsf backup filename tar etc init d fsaua start etc init d fsma start Make sure that fsma and fsaua users and fsc group exist after the backup has been restored for exampe by backing up a...

Page 28: ......

Page 29: ...Chapter 4 Administering the Product Topics Basics of Using F Secure Policy Manager Accessing the Web User Interface Testing the Antivirus Protection...

Page 30: ...for Linux F Secure Management Agent and F Secure Automatic Update Agent branches to change the behavior of the product as well For more information about F Secure Policy Manager see F Secure Policy M...

Page 31: ...ngs Testing the Antivirus Protection To test whether the product operates correctly you can use a special test file that is detected as a virus The EICAR EICAR is the European Institute of Computer An...

Page 32: ......

Page 33: ...ction If you allow the remote access to the web user interface you can access it with the following HTTPS address https host domain 28082 Integrity Checking General Settings Where host domain is eithe...

Page 34: ...ant the product to disinfect infected files the product must have write access to the files Check and edit the manual scanning settings before you start the manual scan 1 To start the full computer sc...

Page 35: ...defined b Select the profile where you want to add a new rule and click Add new rule to create a new rule c Select Accept or Deny as a rule Type to choose whether the rule allows or denies the servic...

Page 36: ...latest updates to your computer when you are connected to the Internet Information about the latest virus definition database update can be found at http www F Secure com download purchase updates sht...

Page 37: ...e added to the baseline during the installation are set to Allow and Alert protection mode Note The default list of known files is generated upon installation and contains the most important system fi...

Page 38: ...not designed specifically to harm the computer but it has security critical functions that may harm the computer if misused These programs perform some useful but potentially dangerous function Exampl...

Page 39: ...dmin RiskTool Server FTP Server Proxy Server Telnet Server Web Tool List of platforms Apropos BAT Casino ClearSearch DOS DrWeb Dudu ESafe HTML Java JS Linux Lop Macro Maxifiles NAI NaviPromo NewDotNet...

Page 40: ...ministrator Protection Against Kernel Rootkits If an attacker has gained an access to the system and tries to install a kernel rootkit by loading a kernel module for example through sbin insmod or sbi...

Page 41: ...the infected file Does Real Time Scanning Affect the System Performance The amount of time and system resources that real time scanning takes depends on the contents location and type of the file File...

Page 42: ...nd Choose one of the following actions Select Report and deny access to display and alert about the found virus and block access to it No other action is taken against the infected file View Alerts to...

Page 43: ...condary action The secondary action takes place if the primary action cannot be performed By default the secondary action is Deny access After configuring the suspected file settings configure how ale...

Page 44: ...les every time they are opened turn on Scan when opening a file 6 If you want to scan files every time they are closed turn on Scan when closing a file 7 If you want to scan files every time when they...

Page 45: ...eport and deny access to display and alert about the found riskware and block access to it No other action is taken against the infected file View Alerts to check security alerts Not available during...

Page 46: ...nnot cause any damage The renamed file has virus extension Select Delete to delete the infected file By default the primary action for infections is Disinfect 2 Select the secondary action The seconda...

Page 47: ...rectory on a new line only one directory per line If scanning a certain directory takes a long time and you know that no user can create or copy an infected file in it or you get false alarms during t...

Page 48: ...archive 4 If you want the archive scan to stop immediately when it finds an infected file turn on Stop on first infection inside an archive to stop scanning the archive If the setting is turned off t...

Page 49: ...e web user interface click Modify advanced settings to view and configure advanced virus scanning settings Note that the scheduled scanning tasks use the Manual Scanning settings To set the scanning s...

Page 50: ...ovides protection against information theft as unauthorized access attempts can be prohibited and detected The firewall keeps the computer protected after the product is installed automatically What I...

Page 51: ...before it can be taken into use Allows normal web browsing and file retrievals HTTP HTTPS FTP as well as e mail and Mobile Usenet news traffic Encryption programs such as VPN and SSH are also allowed...

Page 52: ...you want to use in the Firewall Protection Editing Security Profile Different security profiles can be assigned and edited to suit different users needs Each security profile has a set of pre configur...

Page 53: ...may have to add a new firewall rule if you want to allow traffic that is blocked or if you want to block specific Internet traffic By adding all the services that the program or device needs to the s...

Page 54: ...to allow traffic that is blocked or if you want to block specific net traffic When you create or edit firewall rules you should allow only the needed services and deny all the rest to minimize securit...

Page 55: ...e network interfaces you want the rule to apply to the Flag field The rule is applied to all network interfaces if you leave the Flag field empty For example if eth0 if eth3 h Click Add Service to Thi...

Page 56: ...Settings tab you can select network packet logging settings and configure trusted network interfaces Logging Unhandled Network Packets You can log unhandled network packets in problem solving situati...

Page 57: ...modification attempts of the monitored files Known Files List The Known Files List contains all files that the product monitors and protects The baseline is created from the Known Files List by readin...

Page 58: ...nds an alert when the file is modified Alert Displays whether the file is monitored or protected Protected files cannot be modified Protection while monitored files are only monitored and can be modif...

Page 59: ...anges to file group are ignored Size Changes to file size are ignored Modification time Changes to file modification time are ignored Hash Changes to the content of the file are ignored Note Ignoring...

Page 60: ...Software Installation Mode when you want to update or modify protected files To access the Software Installation Mode follow these instructions 1 Open the Web User Interface 2 Go to I want to page 3 C...

Page 61: ...ing the passphrase should be limited Verify Baseline You can verify the baseline manually to make sure that your system is safe and all baselined files are unmodified 1 Enter your passphrase to verify...

Page 62: ...cts a write attempt to dev kmem file but it does not prevent the write operation 3 Specify Allowed kernel module loaders Specified programs are allowed to load kernel modules when the kernel module ve...

Page 63: ...alert For example a virus alert The alert includes information of the infection and the performed operation Processing Alerts You can search and delete specific alerts from hosts To find the alert me...

Page 64: ...mail Local Alert is displayed in the Web User Interface Syslog Alert is written to the system log The syslog facility is LOG_DAEMON and alert priority varies Policy Manager Alert is sent to F Secure...

Page 65: ...url to the PM Proxy address field b Click Add PM Proxy to add the new entry to the list 3 Configure HTTP Proxy if you need to use proxy to access the Internet a Check the Use HTTP Proxy check box to u...

Page 66: ...anager Proxy offers a solution to bandwidth problems in distributed installations of the product by significantly reducing load on networks with slow connections When you use F Secure Policy Manager P...

Page 67: ...Chapter 6 Troubleshooting Topics Installing Required Kernel Modules Manully User Interface F Secure Policy Manager Integrity Checking Firewall Virus Protection Generic Issues...

Page 68: ...does not show any errors the product is working correctly fsav compile drivers is a shell script that configures and compiles the Dazuko driver automatically for your system and for the product For mo...

Page 69: ...init d fsma restart How can I get the F icon visible in the system tray You may need to logout and login again to get the F icon in your systray If you are using GNOME Desktop make sure you have a no...

Page 70: ...and the file where the symlink points to is not in the baseline For example modprobe uses lib libz so 1 which is really a symlink to a real file lib libz so 1 2 2 The symlink is in the baseline but t...

Page 71: ...mba shares on my computer how can I fix this The Office firewall profile contains a rule that allows Windows Networking but that rule is disabled by default Enable the rule to allow accesses to samba...

Page 72: ...wsing should work now How can I set up firewall rules to access NFS servers You need to allow the following network traffic through the firewall portmapper tcp and udp port 111 nfsd tcp and udp 2049 m...

Page 73: ...se the setting in the Automatic Updates page in the advanced mode Does the real time scan work on NFS server If the product is installed on NFS server the real time scan does not scan files automatica...

Page 74: ...the product How can I clean an interrupted installation If the product installation is interrupted you may have to remove the product components manually 1 List all installed rpm packages rpm qa grep...

Page 75: ...ing to scan consider adding it to the excluded list 4 If you are using the centralized administration mode make sure that the DNS queries return addresses quickly or use IP addresses with F Secure Pol...

Page 76: ...ed to compile kernel drivers manually how do I do that You may need to compile kernel drivers that the product need manually if you did not have compilers and other required tools intalled during the...

Page 77: ...Appendix A Command Line Tools For more information on command line tools and options see man pages Topics fsav fsav config dbupdate fsfwc fsic fsims fsma fssetlanguage fschooser...

Page 78: ...uch slower than scanning the local file system If you want to scan the network file system run fsav on the server If you cannot run fsav on the server you can scan the network file system from the cli...

Page 79: ...trally managed installation enter the address of the F Secure Policy Manager Server Address of F Secure Policy Manager Server http localhost b In the centrally managed installation enter the location...

Page 80: ...ly from the command line 1 Download the fsdbupdate run file from http download f secure com latest fsdbupdate run fsdbupdate run is a self extracting file that stops the automatic update agent daemon...

Page 81: ...n the baseline opt f secure fsav bin fsic baseline c Enter a passphrase to create the signature In this example the product is also configured to send an alert about unauthorized modification attempts...

Page 82: ...n F Secure Management Agent opt f secure fsav bin fsfwd run F Secure Firewall Daemon and the iptables netfilter firewall Checks and informs how many days are left in the opt f secure fsav libexec fslm...

Page 83: ...cure fsav bin fssetlanguage language Where language is en english ja japanese de german fschooser With fschooser you can turn certain product features or or off You can turn off some product component...

Page 84: ...Note Press ctrl C to cancel your changes 84 F Secure Linux Security Command Line Tools...

Page 85: ...eriodically from cron to make linked libraries run faster Run this manually 64 bit Distributions if it is not run automatically before you activate the Integrity Checker Distributions Using Prelink Re...

Page 86: ...tions like Asianux run prelink periodically from cron to reduce the startup time of binaries which use dynamic libraries Prelinking modifies binaries and dynamic libraries on the disk which conflicts...

Page 87: ...that the administrator has to enter Red Hat Enterprise Linux Miracle Linux Asianux The following steps are required to install the product on a computer running Red Hat Enterprise Linux Miracle Linux...

Page 88: ...anux 3 0 Make sure that the following packages are installed For example use the search tab in Applications Add Remove Software or use the rpm command gcc glibc devel glibc headers kernel devel Debian...

Page 89: ...nents during the installation Turbolinux The following steps are required to install the product on a computer running Turbolinux Turbolinux 10 You need to install the Turbolinux package groups Develo...

Page 90: ...on a computer running Ubuntu Linux Ubuntu 6 06 You need to install the compiler kernel headers RPM and possibly additional utilities to be able to install the product To install them use the followin...

Page 91: ...Appendix C Basic Web User Interface Following tables display the settings that appear on the Basic Web User Interface Topics I Want To...

Page 92: ...atic Updates page in Update virus definitions Advanced Mode where you can alter the settings for automatic virus definition updates You should use this wizard to set the product Install software in so...

Page 93: ...ndix D Advanced Web User Interface Following tables display the settings that appear on the Advanced Web User Interface Topics Summary Alerts Virus Protection Firewall Integrity Checking General Setti...

Page 94: ...ccording the currently active security level When enabled Integrity Checking will detect modification of baselined files Firewall Protection Alerts The following user interface controls appear on the...

Page 95: ...ad simultaneously Select how old and which alert severity messages you want to edit and click Perform action to delete or mark selected messages as read Virus Protection Following tables display the v...

Page 96: ...ted file to suspected extension Delete Delete the infected file Deny access Deny access Do not send an alert If the primary action fails the secondary action is applied If also the secondary actions f...

Page 97: ...s List of executables for which all file access is Whitelisted executables Whitelisted executables must match baseline always allowed Enter full paths to executables one per line Executable on the whi...

Page 98: ...d If set to Yes password protected archives are considered to be safe and access is allowed Otherwise access is not allowed Defines what happens when the first infection Stop on first infection inside...

Page 99: ...he infected file Deny access Deny access Do not send an alert If the primary action fails the secondary action is applied If also the secondary actions fails an alert is sent describing the failed act...

Page 100: ...ile Rename Rename the infected file to virus extension Delete Delete the infected file Custom Run a command specified in the custom primary action field Abort scan Abort further scanning If both prima...

Page 101: ...describing the failed actions If Custom is chosen as the secondary action Secondary custom action the custom action must be specified here Please note that the custom action will be executed as the s...

Page 102: ...actions fails an alert is sent describing the failed actions Specify whether the product should scan all Scan files files or only the files that match the extensions specified in the Extensions to Sca...

Page 103: ...n is launched The supported archive formats include for example tar gz zip Defines how many levels deep to scan in Maximum number of nested archives nested archives It is not recommended to set this v...

Page 104: ...n fails the secondary action is applied If also the secondary actions fails an alert is sent describing the failed actions Specify the secondary action to take when Secondary Riskware Action riskware...

Page 105: ...enabled the firewall rules of the currently selected security level are applied to inbound and outbound packets When disabled all traffic is allowed To disable the firewall component completely use th...

Page 106: ...his table contains the firewall rules Firewall Firewall Rules rules filter IP packets based on IP addresses port numbers etc Note that there usually are more than one security level defined and that y...

Page 107: ...evention The following user interface controls appear on the Advanced User Interface Integrity Checking Rootkit Prevention page Description Element When enabled integrity checking will verify Kernel m...

Page 108: ...the general settings Communications The following user interface controls appear on the Advanced User Interface General Communications page Description Element URL of the F Secure Management Server T...

Page 109: ...alert message subject Besides the text Subject the following symbols could be used SEVERITY informational warning error fatal error security alert HOST_DNS DNS address of the host that sent the alert...

Page 110: ...Proxy is used to reduce the load on the server by caching Policy Manager content in the proxy F Secure Automatic Update Agent will first connect to the Policy Manager Update Server through the config...

Page 111: ...the time of how long F Secure Intermediate server failover time min Automatic Update Agent should try to connect to Intermediater server before switching over to F Secure Update server Specifies if t...

Page 112: ...days must have passed Database age in days before reminders are sent since the publishing of currently used virus definitions before the user is reminded of the need to update them 112 F Secure Linux...

Page 113: ...has Security alert 711 been compromised or the passphrase used to verify the baseline is incorrect File failed integrity check Security alert 730 Could not save the baseline entries to policy Error 7...

Page 114: ...riod expired Security alert 170 Evaluation version Informational 171 Virus Alert Security alert 200 Virus Alert Disinfected Security alert 201 Virus Alert File deleted Security alert 202 Virus Alert F...

Page 115: ...or missing F Secure Corporation certificate Warning 518 Bad or missing certificate from virus definition database publisher Warning 519 No certificate from the publisher matches the manifest file cert...

Page 116: ...atabase type Warning 552 DBTool The list of DBTool traps Description Severity Trap Number File was not found Error 4 Cannot open file Error 308 File is encrypted Error 309 Scanning of a file could not...

Page 117: ...urity alert 200 Virus Alert Disinfected Security alert 201 Virus Alert File deleted Security alert 202 Virus Alert File renamed Security alert 203 Virus Alert Action failed Security alert 205 Riskware...

Page 118: ...sed Security alert 730 Integrity checker prevented a modification attempt to a protected file Security alert 731 Kernel module loader tried to open unbaselined file Security alert 733 Kernel module lo...

Page 119: ...created on the current directory The report contains information about F Secure products as well as operating system logs and system settings The collected data is essential for problem solving and tr...

Page 120: ...G 1 G Man Pages fsav 2 fsavd 32 dbupdate 48 fsfwc 52 fsic 55 fschooser 62 fsims 64 fssetlanguage 67...

Page 121: ...s viruses and DOS file viruses F Secure Security Platform can also detect spy ware adware and other riskware in selected products fsav can scan files inside ZIP ARJ LHA RAR GZIP TAR CAB and BZ2 archiv...

Page 122: ...out Treat the timeout as error e or clean c archive on off yes no 1 0 Scan files inside archives default Archives are still scanned as normal files with or without this option See NOTES section below...

Page 123: ...ath The default is This option cannot be used to change the database directory of fsavd that is running The option is effective only when fsav launches fsavd The default value is var opt f secure fsav...

Page 124: ...xtensions ext ext Specify the list of filename extensions to be scanned You can use or as wildcard characters The default list is fse on off yes no 1 0 Enable disable the FS Engine for the scan and th...

Page 125: ...rror for the file See NOTES section below about nested archives If the value is set to 0 the archive is scanned but if it contains another archive fsav reports a scan error for the file The default va...

Page 126: ...ime field raw on off yes no 1 0 Write ESC character 033 as is to output By default ESC char acter is shown in reverse video as string ESC riskware on off yes no 1 0 Report riskware detections Riskware...

Page 127: ...an finishes or a scan error occurs short on off yes no 1 0 Use the short output format Only the path to infected or renamed files is shown shutdown By default fsavd does not immediately exit after com...

Page 128: ...take when a suspected virus infection is found report only to terminal and as an alert rename or delete remove suspected action2 none report rename delete remove Secondary action to take if the primar...

Page 129: ...f yes no 1 0 Do not scan files equal or larger than 2 GB 2 147 483 648 bytes If this option is not set an error will be reported for large files version Show F Secure Security Platform version engine...

Page 130: ...imary action SCAN REPORTS By default fsav reports the infected and suspected infections to stdout Scan errors are reported to stderr An example of an infection in the scan report tmp eicar com Infecte...

Page 131: ...tput tmp test txt clean The archive option scans the archive content and the output is as follows for the infected or suspected archive content tmp eicar zip eicar com Infected EICAR Test File AVP whe...

Page 132: ...the infected suspected riskware file The user running the scan must have write access to the directory in order to delete the file By default actions are confirmed before the execution For example fo...

Page 133: ...figuration file has failed because of the invalid syntax Resolution Edit the configuration file Could not open exclude file file path OS error Explanation A file path to the exclude option does not ex...

Page 134: ...e new values in use Maximum nested archives value user given value is not valid in configura tion file file path line line number Explanation The maxnestedarchives field in the configuration file is n...

Page 135: ...solution Edit the configuration file Scan timeout value user given value is out of range in configuration file file path line line number Explanation The timeout field in the configuration file is les...

Page 136: ...ors are written to the standard error stream stderr In case of fatal error program execution stops immediately with exit code 1 Fatal erros reported by fsav and the descriptions are listed below Error...

Page 137: ...atal error status exit code 1 The user has to correct the command line parameters and start the fsav again Unknown command line option option Explanation The user has given unknown option from the com...

Page 138: ...either does not exist is not accessible or is too long from the configuration file Resolution The user has to correct the path and start fsav again Database directory directory path is not valid OS er...

Page 139: ...planation The user has entered an illegal scan timeout value from the command line Resolution The user has to correct command line options and try again Illegal maximum nested archives value value Exp...

Page 140: ...do anything If fsavd is running but the user does not have rights to access to the socket the user may try to use kill 1 command to shutdown the server Failed to launch fsavd Explanation fsavd is not...

Page 141: ...directory file path Explanation The database update directory given in the configuration file or from the command line is same as in use database directory Resolution The user has to change the datab...

Page 142: ...e lock for lock file file path Explanation The database update process has failed to acquire the lock for lock file in the database directory Resolution The database update process does not have prope...

Page 143: ...tion fsavd is halted The user should remove the update flag file manually SCAN ERRORS fsav scan errors are written to the standard error stream stderr In case of scan error file scanning is immediatel...

Page 144: ...path ERROR Password protected file engine name Explanation The scan engine could not open the file for scanning because the file is password protected i e encrypted Resolution The user may try to decr...

Page 145: ...scan engine Explanation The file scan failed because too many nested archives encountered Resolution Increase maximum nested archives limit and try to scan again Scanning file file path failed connect...

Page 146: ...i Virus Research See the instructions for more information EXIT CODES fsav has following exit codes 0 Normal exit no viruses or suspicious files found 1 Fatal error unrecoverable error Usually a missi...

Page 147: ...des in following priority order 130 7 1 3 4 8 6 9 0 EXAMPLES Scan a file test exe using the default configuration file If fsavd is not running fsavd is launched fsav test exe Scan files in a directory...

Page 148: ...smbshare Scan files found by find 1 command and feed the scan report to the mail 1 com mand find mnt smbshare type f fsav input 2 1 mail s FSAV Report admin localhost Scan files found by the find 1 c...

Page 149: ...containing only other ZIP archives can be nested up to 29 archives The archive scanning consumes memory and scanning big archives takes lot of time during which fsavd process can not process other sca...

Page 150: ...CHAPTERG G 31 For more information see F Secure home page...

Page 151: ...savd is launched by the fsav client fsavd terminates automatically after 30 seconds of idle time when no client has connected to fsavd during that time If you want fsavd to stay loaded in the memory s...

Page 152: ...an engines from the directory path The default is pidfile path Create a file containing the process identifier and remove it on the normal exit Without this option no pid file is created If path is no...

Page 153: ...e also given for the group The setting is affected by the current umask The socket mode can be changed with the socketmode option from policy settings avpriskware on off yes no 1 0 Enable disable risk...

Page 154: ...n to the following activity log entries Failed to scan file file path error message scan engine Explanation The scan engine reports it failed to scan the file The error message contains the reason for...

Page 155: ...figuration file has an incorrect value Resolution fsavd tries to proceed The user has to edit the configuration file and set the action field to one of the following disinfect rename or delete The use...

Page 156: ...avd to take values in effect Illegal scan executables value user given value in configuration file file path line line number Explanation The scanexecutables field in the configuration file has an inc...

Page 157: ...d in configura tion file file path line line number Explanation The maxnestedarchives field in the configuration file is not a number Resolution fsavd tries to proceed The user has to edit the configu...

Page 158: ...onfiguration file contains an unknown option name Resolution fsavd tries to proceed The user has to edit the configuration file and restart fsavd Unknown syslog facility user given value in configurat...

Page 159: ...ls to start fsavd will tries to restart the scan engine The user needs to perform database update and possibly restart fsavd if fsavd fails to start the scan engine automatically Database file file pa...

Page 160: ...o start fsavd tries to restart the scan engine The user needs to perform database update and possibly restart fsavd if fsavd fails to start the scan engine automatically engine name scan engine initia...

Page 161: ...writes logs to default logfile stderr The user may reconfigure the logfile location and restart fsavd Cannot change working directory to file path Explanation fsavd failed change working directory da...

Page 162: ...th which either does not exist is not accessible or is too long from the configuration file Resolution fsavd exits with error status The user has to correct the path and start fsavd again Database dir...

Page 163: ...and line Resolution fsavd exits with error status The user has to correct the path and start the fsavd again Could not open configuration file file path OS error message Explanation The configuration...

Page 164: ...un out of memory Explanation The accept 2 has failed because system ran out of the memory Resolution fsavd exits with error status The user has to free some memory and start fsavd again FILES etc opt...

Page 165: ...fsavd as a background daemon process using fssp test conf as a configuration file fsavd config file fssp test conf Check fsavd scan engine and database versions fsavd version Bugs Please refer to Know...

Page 166: ...CHAPTERG G 47 dbupdate 8 fsav 1 For more information see F Secure home page...

Page 167: ...a shell script for updating F Secure Security Platform Virus Definition Databases It can update databases downloaded by F Secure Automatic Update Agent a fully automatic background process or databas...

Page 168: ...ted using daastool and dbtool After the validation database files are copied to databasedirectory using the fsav dbup date updatedirectory command ERROR CODES If update with F Secure Automatic Update...

Page 169: ...no new updates were available 1 An error has occurred See program output and var opt f secure fssp dbupdate log for details 2 Virus definition databases were succesfully updated BUGS Please refer to...

Page 170: ...CHAPTERG G 51 fsav 1 and fsavd 8 For more information see F Secure home page...

Page 171: ...ut any options it will show current security level and minimum allowed Options mode block server mobile office strict normal bypass Will set firewall to requested security level if allowed by minimum...

Page 172: ...nd the host Any outgoing TCP connec tions are allowed A rule to allow Windows networking inside the same network is included but is not enabled by default strict Very much like the mobile profile exce...

Page 173: ...CHAPTERG G 54 4Invalid arguments AUTHORS F Secure Corporation COPYRIGHT Copyright c 1999 2008 F Secure Corporation All Rights Reserved SEE ALSO For more information see F Secure home page...

Page 174: ...y options fsic will verify all files in the known files list and report any anomalies Options V verify options Default operation if invoked without any options Verify the sys tem and report any deviat...

Page 175: ...isables the auto switch same as if auto would not have been given at all default no force check all Check all attributes of the file even if some of them were marked as ignored when add ing the file v...

Page 176: ...command line OR stdin to baseline This option has same sub options as baseline a add options target Add a target s to the known files list Targets must be real files or links By default all files are...

Page 177: ...st A new baseline needs to be generated after all file deletions have been performed no progress bar Can be used to disable progressbar This is useful for example when verifying with show all verify a...

Page 178: ...h is changed and inode data is still same then file contents has been modified and it s mtime set back to what it was with utime man 2 utime If show details is specified then deviations against baseli...

Page 179: ...adding files to new baseline For example bin ls Accept to baseline Yes No All yes Disregard new entries If file has been modified fsic will ask Note bin ls seems to differ from baselined entry Want t...

Page 180: ...ssphrase or Files do not match baselined information or A virus was detected in one of the files FILES None EXAMPLES None NOTES None BUGS None AUTHORS F Secure Corporation COPYRIGHT Copyright c 1999 2...

Page 181: ...are ready to exit the tool The product will be automatically restarted in order to apply the changes Currently Firewall and Web User Interface are the only components that this tool can be used for I...

Page 182: ...base will still be running so any alerts received will be available in the Web User Interface when it is re enabled BUGS None AUTHORS F Secure Corporation COPYRIGHT Copyright c 2008 F Secure Corporati...

Page 183: ...sion and or new kernel modules If software installation mode is not used when installing a new kernel and or kernel modules F Secure Linux Security might prevent the new kernel from booting up This ha...

Page 184: ...ine is auto matically regenerated and a new passphrase must be entered RETURN VALUES fsims returns the following return values 0Operation performed successfully 1User tried to execute fsims without ro...

Page 185: ...CHAPTERG G 66 Copyright c 2008 F Secure Corporation All Rights Reserved SEE ALSO fsic 1 For more information see F Secure home page...

Page 186: ...er the product is restarted the default language selected with this tool will be activated The tool will try to find a suitable locale on the computer where it is run and gives a warning if one was no...

Page 187: ...uage RETURN VALUES fssetlanguage always returns 0 FILES None EXAMPLES None NOTES None BUGS None AUTHORS F Secure Corporation COPYRIGHT Copyright c 2008 F Secure Corporation All Rights Reserved SEE ALS...

Page 188: ...H 69 H Config Files fsaua_config 70 fssp conf 75...

Page 189: ...ndalone mode This option only has effect if FSMA is installed and configured properly The default is yes which means centrally managed mode enable_fsma yes Update servers This directive controls which...

Page 190: ...Examples update_servers http pms update_servers http server1 http backup_server1 http backup_server2 update_servers Update proxies This directive controls which Policy Manager Proxies the Automatic Up...

Page 191: ...ser passwd address port http user passwd address port Examples http_proxies http proxy1 8080 http backup_proxy 8880 http_proxies Poll interval This directive specifies in seconds how often the Automat...

Page 192: ...ut Specifies the timei after which Automatic Update Agent is allowed to check for updates from update servers hosted by F Secure This is the time elapsed in seconds since the last successful connectio...

Page 193: ...log information on each succesful download and all errors nolog log nothing The default is normal log_level normal Log Facility Specify the syslog facility for Automatic Update Agent Possible values...

Page 194: ...match the extensions specified in the Extensions to Scan setting Possible values 0 All files 1 Only files with specified extensions odsFileScanFiles 0 Specify the list of filename extensions to be sca...

Page 195: ...tar td0 tgz tlb tsp tt6 vbe vbs v wp vxd wb wiz wml wpc ws xl zip zl Specify whether executables should be scanned If a file has any user group other executable bits set it is scanned regardless of t...

Page 196: ...if they would be included in scanning according to what is defined in the other scanning settings Possible values 0 Disabled 1 Enabled odsFileEnableExcludedPaths 1 Specifies whether archives should b...

Page 197: ...than the limit a scan error is generated odsFileMaximumNestedArchives 5 Define whether MIME encoded data should be scanned for malicious content NOTE Current MIME decoding support does not work for m...

Page 198: ...considered to be safe and access is allowed Otherwise access is not allowed Possible values 0 No 1 Yes odsFileIgnorePasswordProtected 1 Defines what happens when the first infection is found inside a...

Page 199: ...ort scan 6 Custom odsFilePrimaryActionOnInfection 2 If Custom is chosen as the primary action the custom action must be specified here Please note that the custom action will be executed as the super...

Page 200: ...e values 0 Do nothing 1 Report only 2 Disinfect 3 Rename 4 Delete 5 Abort scan 6 Custom odsFileSecondaryActionOnInfection 3 If Custom is chosen as the secondary action the custom action must be specif...

Page 201: ...Action Specify the primary action to take when suspected infection is detected Possible values 0 Do nothing 1 Report only 3 Rename 4 Delete odsFilePrimaryActionOnSuspected 1 Specify the secondary acti...

Page 202: ...0 Set this on to report and handle riskware detections Riskware is potential spyware Possible values 0 No 1 Yes odsScanRiskware 1 Type of riskware that should not be detected odsExcludedRiskware Spec...

Page 203: ...ctionOnRiskware 1 Specify the secondary action to take when riskware is detected and the primary action has failed Possible values 0 Do nothing 1 Report only 3 Rename 4 Delete odsFileSecondaryActionOn...

Page 204: ...ut 60 Specify the action to take after a scan timeout has occurred Possible values 0 Report as Scan Error 2 Report as Clean File odsFileScanTimeoutAction 0 Should actions be taken automatically or sho...

Page 205: ...0 No 1 Yes odsInput 0 Print out all the files that are scanned together with their status Possible values 0 No 1 Yes odsList 0 Should infected filenames be printed as they are or should potentially da...

Page 206: ...this because launching the daemon has considerable overhead Possible values 0 No 1 Yes 2 Auto odsStandalone 2 If No fsav command line client does not follow symlinks If Yes symlinks are followed This...

Page 207: ...88 1 Yes odsFollowSymlinks 0 If enabled only infected filenames are reported Possible values 0 No 1 Yes odsSilent 0 If enabled only infected filenames are reported Possible values 0 No 1 Yes odsShort...

Page 208: ...ange Possible values 0 No 1 Yes odsFilePreserveAccessTimes 0 Specifies how MIME messages with broken attachments will be handled If set to Yes files for which MIME decoding fails will be considered sa...

Page 209: ...1 Yes odsFileIgnorePartialMime 0 Defines how MIME messages with broken headers should be handled If set to Yes broken MIME headers will be considered safe and access is allowed If set to No an error...

Page 210: ...le values 0 No 1 Yes odsFileSkipLarge 0 If On the Libra scanning engine is used for scanning files If Off Libra is not used Possible values 0 Off 1 On odsUseLibra 1 If On the Orion scanning engine is...

Page 211: ...scanning files If Off AVP is not used Possible values 0 Off 1 On odsUseAVP 1 F Secure internal Do not touch daemonAvpFlags 0x08D70002 Set this on to enable riskware scanning with the AVP scan engine I...

Page 212: ...larger than this are not detected as MIME messages Increasing this number will increase scan time of large files daemonMaxMimeMessageSize 10485760 MIME recognition frame size specifies how many bytes...

Page 213: ...e in use databases are kept daemonDatabaseDirectory var opt f secure fssp databases F Secure internal Do not change This is the directory into which new databases are stored before they are taken into...

Page 214: ...Possible values 0 No 1 Yes daemonLogfileEnabled 0 Log file location stderr write log to standard error stream syslog write log to syslog facility Anything else is interpreted as a filename to write l...

Page 215: ...ependent instances of the server daemonSocketPath tmp fsav Octal number specifying the mode permissions of the daemon socket See chmod 1 and chmod 2 unix manual pages daemonSocketMode 0600 If fsavd ha...

Page 216: ...al2 local3 local4 local5 local6 local7 auth authpriv cron daemon ftp kern lpr mail news syslog user uucp local0 local1 local2 local3 local4 local5 local6 local7 daemonSyslogFacility daemon Obsolete se...

Page 217: ...rt 3 Critical 4 Error 5 Warning 6 Notice 7 Info 8 Debug 9 Everything debugLogLevel 0 Specify the full name of the debug logfile debugLogFile var opt f secure fssp fssp log The keycode entered during i...

Page 218: ...llation done installationTimestamp 0 F Secure internal Do not change Text to be printed every day during evaluation use naggingText EVALUATION VERSION FULLY FUNCTIONAL FREE TO USE FOR 30 DAYS nTo purc...

Page 219: ...H 100 expiredText EVALUATION PERIOD EXPIRED nTo purchase license please check http www F Secure com purchase n...

Reviews:

No comments