manualshive.com logo in svg

KAPERSKY ANTI-VIRUS 5.0 - FOR SENDMAIL WITH MILTER..., Administrator'S Manual

Share
Download
KAPERSKY ANTI-VIRUS 5.0 - FOR SENDMAIL WITH MILTER... Administrator'S Manual Download Page 86

86 

Kaspersky Anti-Virus

®

 for Sendmail with Milter API 

files and changes their attributes to 

777

. At the same time it creates 

user 

snoopy 

with the rights 777 as well in the main password list of 

the infected workstation. 

Linux.Bliss 

is a group of non-resident viruses that infect Linux executables; 

these viruses are written in GNU C and have ELF format. 

Algorithm of virus activity

: once commenced the virus searches for ex-

ecutable files on a workstation and infects them by shifting file con-
tents lower and writing itself into the space thus freed, appending 
an identification string to the end of file. Virus activity is limited by 
the rights of the user who started it (only accessible files are in-
fected). If a user has system privileges, the virus may spread to the 
whole computer. 

Linux.Diesel

 is a harmless non-resident Linux virus that infects Linux ex-

ecutables. 

Algorithm of virus activity

: once started, the virus reads its code from the 

carrier file, searches for Linux executables in system subdirectories 
and writes itself into the middle of each file, thus increasing the size 
of the last section. 

Linux.Siilov 

is a harmless non-resident Linux virus that infects Linux execu-

tables in ELF format.  

Algorithm of virus activity

: it uses two methods of file infection: resident 

and non-resident. The resident method: the virus remains in system 
memory and infects files in background. Non-resident method: the 
virus searches for executable files on disk and infects them. 

Linux.Winter

 is a harmless non-resident Linux virus. It is very small – just 

341 bytes.  

Algorithm of virus activity

: after start the virus receives control, searches 

for ELF files (Linux executables) in the current directory and infects 
them. 

B.2. Trojan software 

Trojan horse software is a program that performs actions which the user has not 
authorized. Upon commencement, a Trojan horse installs itself in the system and 
then begins monitoring it; the user receives no notifications about actions of the 
Trojan in the system. Such a computer is open for remote control. 

Trojan software spreads through networks.

 

One typical representative of the Trojan software family in Unix is 

TROJ_IRCKILL

 – a Trojan which is actually a collection of software tools for 

user disconnection from IRC channels. The collection integrates four attack 

Summary of Contents for ANTI-VIRUS 5.0 - FOR SENDMAIL WITH MILTER...

Page 1: ...KASPERSKY LAB Kaspersky Anti Virus 5 0 for Sendmail with Milter API ADMINISTRATOR S MANUAL...

Page 2: ...K A S P E R S K Y A N T I V I R U S 5 0 F O R S E N D M A I L W I T H M I L T E R A P I Administrator s manual Kaspersky Lab http www kaspersky com Revision date March 2005...

Page 3: ...UNINSTALLATION OF KASPERSKY ANTI VIRUS 16 3 1 Software installation on a server running Linux 16 3 2 Software installation on a server running FreeBSD or OpenBSD 17 3 3 Installation process 17 3 4 Po...

Page 4: ...jects 42 6 8 Selecting objects to be filtered and assigning actions 43 6 9 Configuring backup options 44 6 10 Configuring database and kernel module updates 45 6 11 Customizing notifications 46 6 11 1...

Page 5: ...RFIFYING PROPER OPERATION OF THE ANTI VIRUS 71 CHAPTER 10 FREQUENTLY ASKED QUESTIONS 73 APPENDIX A ADDITIONAL INFORMATION 77 A 1 Application configuration file 77 A 2 Error return codes 84 APPENDIX B...

Page 6: ...hen restore original messages from these backup copies Handle infected objects of e mail messages detected during the scan Filter e mail messages This version of the product filters messages by MIME t...

Page 7: ...drive this amount does not include space necessary for storing backup message copies Optimal hardware requirements For a mail server with about 800 MB of traffic per day 250 300 mail ac counts address...

Page 8: ...f mail traffic processed by the application during one day This information is provided in the license key Licensing by mail addresses covers the mail addresses of the domains that are listed in the a...

Page 9: ...ab is not willing to license the software product to you and you should return the unused product to your Kaspersky Anti Virus dealer for a full refund making sure the envelope with CD or diskettes is...

Page 10: ...f dialog boxes etc Note Additional information notes Attention Information that should be paid special heed In order to perform the action 1 Step 1 2 Description of procedure for user s steps and poss...

Page 11: ...se They differ only in the method of interaction between Kaspersky Anti Virus and Sendmail To configure Kaspersky Anti Virus consider other Milter filters integrated into your mail system If you have...

Page 12: ...nfigure socket options for Sendmail and Kaspersky Anti Virus during the installation of Kaspersky Anti Virus In this deployment scenario it is recommended that you use the local socket rather than the...

Page 13: ...mail then forwards messages to Kaspersky Anti Virus through a network socket The processed mail thread together with anti virus notifications is sent back to the mail system for further delivery If Ka...

Page 14: ...ed for further processing Therefore another filter located behind Kaspersky Anti Virus will deal with a processed and therefore altered email thread Consider this factor when configuring filters behin...

Page 15: ...irus please see para 1 1 on p 7 Enter the system as superuser root 3 1 Software installation on a server running Linux Kaspersky Anti Virus is distributed as three different installation packages depe...

Page 16: ...kav under which Kaspersky Anti Virus will operate 2 Adding application settings to the var db kav applications setup file that is used to update the anti virus database and program modules 3 Registeri...

Page 17: ...tializes the anti virus filtration of mail traffic 8 Registering a cron task for automatically updating the anti virus database and the anti virus kernel modules The database will be updated for the f...

Page 18: ...A on page 77 This is required to update the database and kernel modules 4 If necessary perform additional configuration of the application see Chapter 6 on page 36 5 Install the Kaspersky Anti Virus...

Page 19: ...rectory that contains report files if the applica tion is configured to save reports to a file rather than the system log The location of Kaspersky Anti Virus files on xBSD differs from those for Linu...

Page 20: ...n a server running FreeBSD or OpenBSD In order to remove Kaspersky Anti Virus if installed from a pkg pack age enter the following text in the command line pkg_delete package_name 3 8 Uninstallation p...

Page 21: ...local file should be edited 6 Rolling back the registration of Kaspersky Anti Virus application with the system the corresponding section is removed from var db kav applications setup 7 Deleting the...

Page 22: ...ration file kavmilter conf is a copy of this file kavmilter high scanspeed conf With this configuration the program scans e mail traffic at its fastest sacrificing functionality for speed see sec tion...

Page 23: ...rd protected objects These objects cannot be scanned for viruses and are potentially hazardous to your computer The program scans e mail messages using a combined scan policy every letter is first sca...

Page 24: ...fications Notifications about the actions applied to a message or its object are sent to the sender and recipient The program does not notify the administrator about this All program messages and even...

Page 25: ...tifications about the actions applied to a message or object are sent only to the recipient The program does not notify the administrator or the sender Critical events information messages and error m...

Page 26: ...ribe task configuration only by editing the con figuration file Remote management options using Webmin are not dis cussed in the documentation Most of the examples below require that be application be...

Page 27: ...5 0 kavmilter templates MessageSubject Anti virus notification message kavmilter log LogFacility syslog LogOption scan all kavmilter statistics TrackStatistics all DataFormat xml DataFile var log kav...

Page 28: ...ndmailPath usr sbin sendmail NotifyAdmin infected AdminAddresses admin localhost UseCustomTemplates on AdminSubject Anti virus notification message Task Reject infected messages from the sender return...

Page 29: ...t turns out to be infected Task Deliver protected messages even if they are infected notify the administrator of such Make the following changes in the application configuration kavmilter global ScanP...

Page 30: ...ates MessageSubject Anti virus notification message You can customize the format of notifications For more detail about this see section 6 9 on page 44 Below we consider several examples of how to con...

Page 31: ...ons ProtectedAction skip kavmilter notifications EnableNotifications on NotifyRecipients protected NotifyAdmin protected AdminAddresses admin localhost MessageDir var db kav 5 0 kavmilter templates Me...

Page 32: ...ering e mail traffic by attachments The application can filter e mail messages by attachment name attachment MIME type and attachment size Task Deliver messages with attachments whose size is below 50...

Page 33: ...lication kernel During the application installation the cron task of updating the database and application kernel is registered on the server Updating is performed every four hours after Kaspersky Ant...

Page 34: ...task make the following configuration changes kavmilter global ScanPolicy combined kavmilter engine ScanArchives yes ScanPacked yes ScanCodeanalyzer yes kavmilter actions DefaultAction cure kavmilter...

Page 35: ...ng command line options add filter Change the Sendmail configuration file del filter Roll back to the previous Sendmail configuration and cancel the latest changes check filter Check the Sendmail conf...

Page 36: ...rollback all changes in the Webmin configuration concerned with kavmilter default domains Specify the domain name and add the domain and all its subdomains to the application configuration file as th...

Page 37: ...above are used only with add filter del filter and check filter options For example to use different configuration file sendmail cf and add into it the modification concerned with using kavmilter fil...

Page 38: ...of the Anti Virus with the Webmin package For example using Webmin you can limit access to the application by setting up user passwords about Webmin settings see the documentation for this product No...

Page 39: ...essage than a combined policy see below If a message is flagged as infected and the preset action for such messages is cure or delete the program will subsequently analyze all message objects combined...

Page 40: ...i virus scanning has a significant impact on the server 6 5 Selecting objects to scan During anti virus scanning of server mail traffic the application searches all attachments for viruses Since scann...

Page 41: ...ssage with a notification that this object contains a virus cure Disinfect the infected object in the message If disinfection fails delete the object and add the corresponding notification to the mess...

Page 42: ...he value of the IncludeMime IncludeName and IncludeSize parameters The type of message objects from the mass of the IncludeMime IncludeName and IncludeSize objects to be excluded from filtering for ex...

Page 43: ...n Messages with the following statuses can be backed up cured Messages to be disinfected deleted Messages containing at least one part to be deleted dropped Messages that are accepted but will not be...

Page 44: ...al or exceeded The warn only and delete oldest options cannot be used concurrently because they are mutually exclusive path Change the location of the backup storage by specifying the full path to the...

Page 45: ...which the utility will run on the server 6 11 Customizing notifications Notification is an e mail message containing a description of the processed message that is sent to the recipient sender and se...

Page 46: ...scan error or is corrupted One of the following actions could be performed warn delete or skip Filtered Give notice about a filtered message that underwent one of the following actions delete skip or...

Page 47: ...can be used to create notifications the templates are stored in a directory defined by the MessageDir parameter of the configuration file Template for notifications about deleted objects Text added t...

Page 48: ...r notifications sent to the recipient sender and administrator Set the UseCustomTemplates parameter to on in order to use these templates The following templates are available message_sender_notify Te...

Page 49: ...e size of each template that cannot exceed 8KB 6 11 2 Customizing notification templates Kaspersky Anti Virus gives users the flexibility to customize the default notification templates that will be s...

Page 50: ...cape symbol see section 6 11 2 5 on page 54 Example FOR _macro_name_parent_ _value_1 end of IC definition and the beginning of iterator body The symbol that is not the end of IC definition must be hid...

Page 51: ...AVFilter2 KAVFilter3 the construct FOR FILTERNAME KAVFilter2 FILTERNAME FOR will produce the text KAVFilter1 KAVFilter3 SimpleFilter the construct FOR FILTERNAME KAV FILTERNAME FOR will produce the te...

Page 52: ...be screened see section 6 11 2 5 on page 54 VNAME variable name in the format 1 nchar nchar the maximum length is 64 bytes VOP assignment operation in the format the length is 1 byte VVALUE variable v...

Page 53: ...2 5 Language syntax Special symbols marks a macro The macro should be between two symbols Example VIRUSNAME opening bracket of a tag Example FOR FILTERNAME KAVFilter1 closing bracket of a tag Example...

Page 54: ...acros CRLF Line feed macro CR LF TAB Tab macro The processing is performed within a global section no statement is needed or within a condition construct FOR KAV_LANGUAGE 5 0 FOR Escape sequences The...

Page 55: ...s to include additional information on the properties of an original message or object or about actions applied to them The administrator can use the following macro in notifications concerning entire...

Page 56: ...caused by application performance but provide important informa tion This information can be the size of the backup storage program errors license policy events etc The administrator can decide what i...

Page 57: ...ayed writing you should enable the rotation of log file LogRotate on In this mode when the report file grows and reaches RotateSize it is copied to kavmilter number log and the initial log truncates t...

Page 58: ...fo Important information messages e g whether the component is running or not the path to the configuration file information regarding the anti virus database license keys and resulting statistics 3 A...

Page 59: ...age etc Virus statistics displays information on the last ten detected viruses and IP addresses from which most viruses were received To determine what type of statistics you want to receive set the T...

Page 60: ...d The return code of 0 means that the applica tion has been stopped restart Stop and start the application again according to the proce dure initiated by the stop and start options reload Restart the...

Page 61: ...ation oper ability display error messages on the console f Run the application and work with the current console do not switch to background mode after startup s socket Define the socket for data tran...

Page 62: ...he kavmilter locale section of the application configuration file You can define the following formats I M S P for time output in twelve hour format TimeFormat parameter y m d and m d y for date outpu...

Page 63: ...alues to generate the report check Automatically check application operation configuration and re lated issues that may cause problems with Anti Virus functionality to email Send requests about encoun...

Page 64: ...tion date information about distributors etc Besides the right to use the product during the period of license validity you are entitled to the following round the clock technical support daily update...

Page 65: ...hat specifies the sender s domain or the recipient s domain 7 1 1 Viewing license key information You can review information about installed license keys in the logs produced by the kavmilter componen...

Page 66: ...ill be output to the server console Kaspersky license manager Version 5 0 0 0 RELEASE Copyright C Kaspersky Lab 1998 2003 Product name Kaspersky Anti Virus 5 Business Optimal 1 month Creation date 23...

Page 67: ...r to install a new key you will need to enter for example the following in the command line licensemanager a 00053E3D key The following information will be output to the server console Kaspersky licen...

Page 68: ...erver console Kaspersky license manager Version 5 0 0 0 RELEASE Copyright C Kaspersky Lab 1998 2003 Active key was successfully removed In order to remove your additional key enter for example the fol...

Page 69: ...ude the Sendmail queue directory from the kavmonitor scan area During installation of Kaspersky Anti Virus for Sendmail with Milter API on the same server that Kaspersky Anti Virus for Unix Linux is o...

Page 70: ...ile htm If you have no Internet access you can create a test virus manually To do so enter the line below in any text editor and save it to a file under the name eicar com X5O P AP 4 PZX54 P 7CC 7 EIC...

Page 71: ...efixes which should be added to the line beginning the standard test virus e g CORR X5O P AP 4 PZX54 P 7CC 7 EICAR STANDARD ANTIVIRUS TEST FILE H H The second column contains the types of objects iden...

Page 72: ...ation of the anti virus vendor viruses from their databases as well as file formats that require complicated analysis e g PDF Kaspersky Lab believes that the purpose of its anti virus is to provide re...

Page 73: ...tacting the company from which you purchased your Kaspersky Anti Virus or writing a e mail to the Technical Support Service support kaspersky com The following steps will facilitate prompt processing...

Page 74: ...e Kaspersky Lab and the databases are dated after the date of license expiry Kaspersky Anti Virus will not use such databases Question are the architecture processors supported PowerPC SPARC Alpha PA...

Page 75: ...n standard location In such cases Kasper sky Lab Technical Support will be unable to help you Question how do I decompress a tgz or tar gz archive Archives belonging to tgz or tar gz types are decompr...

Page 76: ...ns The parameter can be in the follow ing format socket_type parth_to_socket for example inet port ip address listen on specified port local path to socket listen on local Unix socket WatchdogMaxRetri...

Page 77: ...d executables To disable this mode set the parameter to no ScanCodeanalyzer yes Scan using an heuristic code analyzer to detect malicious programs virus modifications and unknown viruses To dis able t...

Page 78: ...ct Reject the message and return an error code to the sender delete Delete the infected object and add the corresponding notifica tion to the original message UsePlaceholderNotice yes Attach a notific...

Page 79: ...dd a corresponding notification warn Replace the message with a notification drop Accept the message but do not deliver it to the recipient reject Reject the message and return an error code to the se...

Page 80: ...messages message objects with this status The status options are the same as for the NotifySender parameter NotifyAdmin none Notify the administrator of discarded messages or special conditions The s...

Page 81: ...orts LogOption all category of messages and events to be recorded in the report Select one of the following values internal System messages application initialization signals and processes scan Anti v...

Page 82: ...mats text text format as category field value xml root element is statistic children elements are category and field and value is body element DataFile var opt kav log statistics data Full path to the...

Page 83: ...egion name ConnectTimeout 30 Number of seconds within which the application can attempt to connect to the update source ProxyAddress IP address of a proxy server if it is used for Internet con nection...

Page 84: ...ter filter 9 failed to initialize the KAV engine 10 failed to start main kavmilter loop 255 unidentified error Engine errors 51 Error initializing the database manager 52 Database load error 54 Failur...

Page 85: ...ding to their functioning algorithm Memory resident TSR virus means a virus which leaves a resident part after infection in the RAM system this residual part subsequently inter cepts system calls to i...

Page 86: ...of each file thus increasing the size of the last section Linux Siilov is a harmless non resident Linux virus that infects Linux execu tables in ELF format Algorithm of virus activity it uses two met...

Page 87: ...channel Root kit is a collection of tools used by hackers in order to receive root access to a remote computer It uses standard Unix programs ps and ls The only ef ficient method of recovery for compu...

Page 88: ...sswords in the mail log file and then sends it to 1i0nsniffer china com e mail address In addition the worm attempts to contact the www 51 net site 51 net domain is registered in China via the Interne...

Page 89: ...it there downloads its main portion and executes it Infection source via networks the worm spreads by sending its copies in fecting remote Linux systems using a hole in Linux protection the so called...

Page 90: ...ection against new types of threats That advantage serves as the basis for the products and services offered by Kaspersky Lab We are always one step ahead of our competitors providing our customers wi...

Page 91: ...Virus Personal supports more than 700 formats of archived and compressed files and ensures that their contents will be automatically scanned as well as removing dangerous code from ZIP archives Kaspe...

Page 92: ...lows fine tuning of the firewall for an individual user and a specific computer Kaspersky Security for PDA Kaspersky Security for PDA provides reliable anti virus protection for the data stored in han...

Page 93: ...rface The software suite ensures that you will establish a security system completely compatible with the system requirements of your network Kaspersky Corporate Suite provides for full scale antiviru...

Page 94: ...The high efficiency of the program is achieved through daily automatic updates of the content filtration database which uses samples provided by the linguistic laboratory experts C 2 Our contact infor...

Page 95: ...FUND YOUR RIGHT TO RETURN AND REFUND EXPIRES 30 DAYS AFTER PURCHASE FROM AN AUTHORISED KASPERSKY LABS DISTRIBUTOR OR RESELLER THE RIGHT TO RETURN AND REFUND EXTENDS ONLY TO THE ORIGINAL PURCHASER All...

Page 96: ...grams will be provided by Kaspersky Lab by request on payment of its reasonable costs and expenses for procuring and supplying such information In the event that Kaspersky Lab notifies you that it doe...

Page 97: ...thorized by the volume licence provided that each such copy contains all of the Document s proprietary notices 2 Duration This Agreement is effective for one 1 year unless and until earlier terminated...

Page 98: ...rsky Lab You shall not disclose provide or otherwise make available such confidential information in any form to any third party without the prior written consent of Kaspersky Lab You shall implement...

Page 99: ...to satisfactory quality fitness for purpose or as to the use of reasonable skill and care 7 Liability i Nothing in this Agreement shall exclude or limit Kaspersky Lab s liability for i the tort of de...

Page 100: ...tween you and Kaspersky Lab whether oral or in writing which have been given or may be implied from anything written or said in negotiations between us or our representatives prior to this Agreement a...

Reviews:

No comments

Brands by name

Popular brands

Load more brands