Avira AntiVir WebGate / Avira WebGate Suite User Manual
1 About this Manual
1.1 Introduction
1.2 The Structure of the Manual
1.3 Signs and Symbols
1.4 Abbreviations
4.10 SNMP Traps
4.11 WebGate Access Control
4.11.1 ACL elements
4.11.2 Access lists
4.12 Proxy Configuration
1 About this Manual
This Chapter contains an overview of the structure and content of this manual. After a short introduction, you can read information about the following issues:
• The Structure of the Manual – Page 5
• Signs and Symbols – Page 5
• Abbreviations – Page 6
1.1 Introduction
We have enclosed in this manual all the information you need about Avira AntiVir WebGate and it will guide you step by step through installation, configuration and operation of the software.
About this Manual be used in the text: 1.4 Emphasis in text Explanation Ctrl+Alt /usr/lib/AntiVir/webgate/avupdatewebgate ls /usr/lib/AntiVir/webgate Choose component Select all Key or key combination Path and filename http://www.avira.
2 Product Information
An Internet connection is an underestimated entry point for malware on your computer. If you transfer unfiltered data from the Internet to your system, you can spread all types of malware throughout the entire network. Avira AntiVir WebGate provides reliable protection for your computer by scanning, filtering and, if necessary, blocking access to all files from the Internet. Furthermore, Avira AntiVir WebGate also scans the entire outgoing traffic.
2.1 Features
Avira AntiVir WebGate supports a variety of configuration settings for controlling Internet data transfer. The essential features are:
• Extended access control, for setting rules to allow tunneling for certain types of requests and responses.
• Newsletter Service (per email)
• Internet Update Service for program files and VDF
After installing an AntiVir product, you can read the information on your current license, using the license tool avlinfo:
Change to /usr/lib/AntiVir/webgate and call
    ./avlinfo
Use avlinfo -h to get information about using this tool.
2.
Product Information • • • CPU: 32-bit or 64-bit UNIX Running AntiVir software on 64-bit UNIX systems, requires the ability to execute 32-bit binaries. For instructions about checking and eventually enabling this behavior, please refer to the documentation of your UNIX system.
3 Installation
You can find the current version of Avira AntiVir WebGate on our Website: http://www.avira.com/en/support-download-avira-antivir-webgate. Avira AntiVir WebGate is supplied as a packed archive. This archive contains the AntiVir Engine and VDF files, the Avira Updater, the WebGate Main Program and the optional SMC plug-in. You are guided through the installation process, step-by-step.
Unpacking Program Files
Go to the temporary directory:
    cd /tmp
Unpack the AntiVir archive:
    tar -xzvf antivir-webgate-prof-tar.gz
The directory antivir-webgate-prof- will then appear in the temporary directory.
3.3 Licensing
You must have a license for AntiVir WebGate, in order to use the program (see Licensing Concept). The license comes in a file named hbedv.key. This license file contains information regarding the range and period of the license.
3.4 Installing Avira AntiVir WebGate
Avira AntiVir WebGate installation is performed automatically using an installation script. This script performs the following tasks:
• Checks integrity of the installation files
• Checks for the required permissions for installation
• Checks for existing installed versions of AntiVir products on the computer
• Copies the program files and overwrites the existing obsolete files
• Copies the configuration files.
After you type the path to the key file, the installer continues with updates configuration:
    Enter the path to your key file: [] /root/Desktop/HBEDV.KEY
    copying /root/Desktop/HBEDV.KEY to /usr/lib/AntiVir/webgate/hbedv.key ... done
    installation of AntiVir Core Components (Engine, Savapi and Avupdate) complete
    2) Configuring updates
    An internet updater is available...
    ...
    Would you like to create a link in /usr/sbin for avupdate-webgate ? [y]
Type Y.
The program is installed. Then you are asked if you want to create a link to avwebgate and if the Updater should be automatically activated at system start:
    Would you like to create a link in /usr/sbin for avwebgate ? [y]
    linking /usr/sbin/avwebgate to /usr/lib/AntiVir/webgate/avwebgate ... done
    Please specify if boot scripts should be set up.
    Set up boot scripts [y]:
Confirm with Enter. You can change these settings later. The automatic system start is configured:
    setting up boot script ...
ensure up-to-date protection. This can be done by running:
    /usr/lib/AntiVir/webgate/avupdate-webgate --product=WebGate
For more details on updating, see Updates – Page 85.
3.5 Reinstalling and uninstalling AntiVir
You can re-launch the installation script anytime. Several situations are possible:
• Installing a new version (upgrade). The installation script checks the previous version and installs the necessary new components.
    ./uninstall --product=Webgate
The script starts uninstalling the product, asking you step by step if you want to keep backups for the license file, for the configuration files and logfiles; it can also remove the cronjobs you made for WebGate and Scanner. Answer the questions with y or n and press Enter. AntiVir WebGate is removed from your system.
Avira Operations GmbH & Co.
Configuration 4 Configuration You can configure Avira AntiVir WebGate for optimum performance. The most common settings are suggested in this Chapter. You can modify these settings anytime, to adjust WebGate to your requirements. You will be guided step by step through the configuration process: 4.1 In Monitoring HTTP Traffic – Page 18 you can read about the different possibilities for WebGate’s network setting.
WebGate directs the Clients’ enquiries to the Internet and scans the answer from the Internet. Access to infected files from a website is blocked and only files that are not infected are forwarded to the Client. From the Client’s point of view, WebGate is functioning as a proxy server. Make the following settings in avwebgate.conf (example):
    HTTPPort 8080
Configure the browser according to the Clients.
directed to the Clients. If WebGate and the proxy server are installed on the same computer: It is usually easier to adapt the settings of the proxy server and to inherit the initial settings of the WebGate. In this way, you do not need to make any changes on the Clients. This example assumes the following proxy server configuration:
    host proxy.mycompany.com
    serverport 3128
So, the proxy server communicates with the Clients over port 3128. Install WebGate on the machine proxy.mycompany.com.
Configuration It is also possible to install WebGate on a computer, other than the proxy server. The settings must be done accordingly. In this network configuration, a Client could also be a proxy server (for example, by installing WebGate between two proxies). WebGate between Proxy Server and Internet (Network Configuration 2) If you already use a proxy server, it is better to install WebGate between the proxy and the Internet. In this way malicious software is intercepted by the proxy server.
Example for a Squid proxy server: In this configuration, you must first start WebGate and then the proxy server. The Squid proxy has to direct all inquiries to WebGate (parent proxy), so you have to configure the Squid configuration file squid.conf as follows:
    cache_peer proxy.mycompany.
Client: Assumption: WebGate runs on a machine with the IP address 192.168.0.1 and receives inquiries from FTP Clients on port 2121. You should establish a connection to a remote FTP server with the IP address 10.0.0.1, the user name "foo" and the password "bar".
    $ ftp 192.168.0.1 2121
    Connected to 192.168.0.1.
    220 AntiVir WebGate FTP proxy. Login with @[:]
    Name (192.168.0.1:user): foo@10.0.0.1
    331 Password required for foo.
    Password: bar
    230 User foo logged in.
integrated with the ICAP interface. WebGate can still scan and block incoming (RESPMOD) and outgoing (REQMOD) files. In avwebgate.conf you must set the port through which WebGate will communicate with the ICAP Client:
    ICAPPort 1344
Scanning Incoming Data Traffic (Response Modification)
The ICAP Client sends an HTTP response for WebGate to scan (ICAP server). If the data is not infected, it is returned to the ICAP Client and from there forwarded to the Client. If the answer is blocked (e.
the server anymore. You can find further details about ICAP server integration in the ICAP Client documentation.
4.4 Configuration Files
This part describes the contents of Avira AntiVir WebGate configuration files:
• /etc/avira/avwebgate.conf - Product configuration
• /etc/avira/avwebgate-scanner.conf - Scanner configuration
• /etc/avira/avupdate-webgate.conf - Updater configuration
The program is provided with default values, which are important for many procedures.
HTTPPort
Port for scanning HTTP connections: This sets the port on which WebGate responds to HTTP requests from Client or proxy computers. Different setups are needed, depending on the configuration (see Monitoring HTTP Traffic – Page 18).
The default is:
    HTTPPort [host_ip_or_name:]8080
We recommend that you do not allow access to WebGate from outside your network. WebGate should therefore be connected only to the internal network interface.
Configuration Connection Settings HTTPProxy Settings for HTTP proxy server: These settings work only for Network Configuration 1.
Default:
    ScannerListenAddress /var/run/avwebgate/scanner
If you modify this parameter, you must also change the value for ListenAddress in /etc/avira/avwebgate-scanner.conf. See Scanner Configuration in avwebgate-scanner.conf – Page 39
Temporary Dir
Temporary directory: You can change the name of the temporary directory. The standard is /tmp. This directory contains, for example, the files during scanning.
LogFile
Path and name of the logfile: All important WebGate operations are logged through a syslog daemon. You can specify an additional logfile by entering the full path.
Example: LogFile /var/log/avwebgate.log
Default: NONE
LogLevel
Level for log notes: This option defines the logging level for WebGate notifications (possible values: 0 to 7). The higher the level, the more information is logged.
Syntax: AllowHTTPSTunnel "YES|NO"
Default: AllowHTTPSTunnel NO
The data transferred through the HTTPS tunnel will not be scanned by WebGate.
AllowedHTTP ConnectPorts
Tunneling SSL-encrypted connections: If you want to allow HTTPS connections to non-standard ports, you can do so by adding the desired ports to this list. Ports are separated by a comma or whitespace.
Configuration AddViaHeader Header analysis: This option adds a Via Header when WebGate is used in ICAP mode. Syntax: AddViaHeader "YES|NO" Default: AddViaHeader NO AddIcapDate Header Header analysis This option adds a Date header when WebGate is used in ICAP mode. By default WebGate does not send a Date header when replying to an ICAP request. To enable sending the Date header with each reply, this option should be set to "YES".
Configuration Redirect Interval Redirect Interval Range: minimum 0, maximum 3600 Example: RedirectInterval 1800 Default: RedirectInterval 0 • The above method does not work for all Clients. When encountering problems, use the KeepaliveInterval option, to make WebGate send messages to the Client at certain intervals. The value must be smaller than the one set in the Client or proxy server.
It is NOT recommended to enable data trickling unless you are experiencing problems using the other timeout prevention methods. Be aware of the risks and limitations before you enable this feature. By enabling the trickle option the data will be sent in small segments to the client. This carries the risk of an infection, even though WebGate scans everything that is sent to the client.
ArchiveMaxRatio
Maximum compression rate for archives: This option limits the scanning to archives which do not exceed a certain compression level. It ensures protection against so-called "Mail bombs", which occupy an unexpectedly large amount of memory when decompressed. The null value means all archives are completely decompressed, regardless of their compression rate.
Default: BlockArchiveBomb YES
This option is not affected by ArchiveMaxSize, ArchiveMaxRecursion and ArchiveMaxRatio.
BlockUnsupportedArchive
Block emails with unsupported archives: Emails with archives which the scanner does not support are blocked.
Syntax: BlockUnsupportedArchive "YES|NO"
Default: BlockUnsupportedArchive YES
Block Extensions
Blocking certain file extensions: WebGate can block files that have certain extensions. This also applies to file names in archives.
Default: NONE
MoveConcerningFilesTo
Quarantine directory: By default, blocked files are deleted. But you can specify a quarantine directory to store them.
Syntax: MoveConcerningFilesTo "path"
For example: MoveConcerningFilesTo /home/quarantine
Default: NONE
Heuristics Level
Win32-Heuristics: Sets the detection level of Win32-Heuristics. Available values are 0 (off), 1 (low), 2 (medium) and 3 (high).
Configuration DetectSPR NO If you want to enable detection for all the categories above, you can uncomment the following parameter. Note that this will enable detection for all the unwanted programs, overwriting their individual values. Syntax: DetectAllTypes "YES|NO" Default: DetectAllTypes YES SMC Settings GUI...
Default: NONE
GuiCertPass
Specifies the password for the certificate file.
Syntax: GuiCertPass "string"
Example: GuiCertPass antivir_default
Default: NONE
Please refer to WebGate’s installation directory for more details about advanced configuration options.
GuiHostname
GUI hostname: The GuiHostname is used by the command avwg_stats as an interface to listen to connections from SMC.
Syntax: GuiHostname host
Default: GuiHostname 127.0.0.
Configuration Default: NONE 4.4.2 Scanner Configuration in avwebgate-scanner.conf A new configuration file has been introduced, starting with WebGate v.3: /etc/avira/avwebgate-scanner.conf. It contains configuration options specific to the new scanner backend. Usually, you don't have to change the options in this file, but there might be a few exceptions. User, Group User, Group: If you change one of these options, you have to make sure that the files avwebgate-scanner.conf and avwebgate.
Configuration ScannerListenAddress): ListenAddress unix:/var/run/avwebgate/scanner ScannerListenAddress /var/run/avwebgate/scanner CreateSocket Dir CreateSocketDir If this option is enabled and the provided socket file path does not exist, SAVAPI Service will create the parent directory of the socket file at startup.
Configuration Default: LogFileName NONE SyslogFacility SyslogFacility: The facility that is used, when logging to syslog. Example: SyslogFacility home Default: SyslogFacility user ReportLevel ReportLevel: The scanner can be set to log on different levels: • 0 - Log errors • 1 - Log errors and alerts • 2 - Log errors, alerts, warnings and info • 3 - Log errors, alerts, warnings, info and debug messages "alerts" means information about potential malicious code.
Specifies the master.idx file.
    master-file=/idx/master.idx
install-dir
Installation directory: Specifies the installation directory for updated product files.
    install-dir=/usr/lib/AntiVir
temp-dir
Temporary Directory: Temporary directory for downloading update files.
    temp-dir=/tmp/avira_update/webgate
Setting update email reports
All reports on AntiVir updates are sent to the email address given in avupdatewebgate.
Example: email-to root@localhost
Default: email-to root@localhost
Connection settings for updates
proxy...
Proxy settings: If the machine uses an HTTP proxy server, proxy configuration settings must be specified in order to make Internet updates.
    proxy-host=
    proxy-port=
    proxy-username=
    proxy-password=
Default: NONE
user-agent
User agent: Specifies the user agent string (--user-agent), which is reported to the http server.
Default: @AUVI@1.
Configuration product-namefile Product-name-file: Specifies the file in which the product name is stored (for example WEBGATE3.3). The file path is relative to the update binary location. The product name is added to the field in the --user-agent string. The file must be readable and it must contain the product name, as ASCII printable string, without whitespaces and with a maximum length of 64 characters. Otherwise, an error message is displayed and the update process stops.
Configuration Example: intranet-svrs=http://iumserver:7080 product-root=/update intranet Setting fallback update servers If you like to set up fallback update servers, for example in case the intranet servers do not work appropriately and you like to update from Internet servers, you can do a setup by adding the option peak-handling-srvs in the configuration file or in the command line. The option has the same syntax as intranet-srvs. Example: peak-handling-srvs=http://profpeak.avira-update.
progress template. These templates are usually created and saved in /usr/lib/AntiVir/webgate/templates. You may also set another directory, using the following entry in /etc/avira/avwebgate.conf:
Syntax: /usr/lib/AntiVir/webgate/avwebgate.bin --dump-config|grep -i Template
Default: TemplateDir templates
Example: TemplateDir /home/templates
You can use different keywords for editing template files. Following is a description of the available templates.
Email Templates
Template | Meaning
alert.mail | Used when an alert is found by AntiVir WebGate.
blocked.mail | Used when AntiVir WebGate has blocked a suspicious file (using various block-settings in avwebgate.conf)
In order for WebGate to be able to send email messages, an MTA must be configured. WebGate can use either mail or sendmail. WebGate searches for /usr/sbin/sendmail, /usr/lib/sendmail or /usr/local/bin/main, /bin/mail, /usr/bin/mail.
Keyword | Description | Availability
DATA_SIZE | Number of total expected bytes of file being downloaded | P
DETERMINED_CLIENT_ADDRESS | Address of originating client | A,B
DETERMINED_SERVER_ADDRESS | Address of destination server | A,B
ENGINE_VERSION | Version of AntiVir engine | A,B,E
ERROR_CODE | HTTP response code used for the response | E
ERROR_DESC | A short description in text form of the error | E
ERROR_REASON | Description of the HTTP status code | E
PRODUCT_NAME | "AntiVir WebGate" | A,B,E,P,
Keyword | Description | Availability
REQUEST_METHOD | "GET", "POST", etc. | A,B,E
RESPONSE_STATUS | HTTP response code from server | A,B,E
MATCHED_CATEGORIES | All the blocked categories that the requested URL matched | W
MATCHED_CATEGORIES_LI | All the blocked categories that the requested URL matched, represented as an HTML list. The template designer must surround it with the list directives | W
SERVER_IP | IP address of server | A,B
VDF_VERSION | Version of AntiVir VDF file | A,B,E
4.
can get the file from WebGate by clicking on the link provided with the last progress message. If the file is blocked, an HTML page with an alert message is generated from the appropriate template and is sent to the client.
4.6.2 Redirect
If the refresh method is not used (because it is disabled or the client is a non-browser) HTTP redirect messages can be sent to the client at the specified interval (RedirectInterval).
Configuration merely terminates the connection to the client. This may result in leaving small incomplete (mostly unusable) files on the client machine that should be deleted by the user. It is not recommended to enable data trickling unless you are experiencing problems using the other timeout prevention methods. Be aware of the risks and limitations before you enable this feature. 4.7 Advanced Options The following options can be used to fine-tune WebGate.
Configuration Number of seconds to wait for a request from the server until a timeout occurs and the session is aborted. OpenMax OpenMax Range: minimum 0, maximum 2147483647 Example: OpenMax 1000 Default: OpenMax 0 Specify the maximum number of opened files for the WebGate process. With the default value 0, WebGate will not change any existing system values.
4.7.2 Database Support
WebGate supports logging statistics to a database. For details on how to set up the database and other requirements, see Database Setup Requirements. The database consists of two tables, called alerts and counter. Alerts contains information about WebGate’s alerts. Depending on the settings of the LogCleanRequests parameter, the alerts table may also contain information about all requests. Counter contains WebGate specific statistics for a quick look-up.
Configuration DBodbcIni DBodbcIni If you have enabled the DBSupport option, the ODBC driver manager uses the specified odbc.ini file. Default setting: the installed ODBC driver manager decides which odbc.ini file to load. Syntax: DBodbcIni "string" Example: DBodbcIni /path/to/odbc.ini DBodbcIni /etc/avira/avwebgate-odbc.ini DBodbcLib DBodbcLib If you have enabled the DBSupport option WebGate loads the library specified here and uses it as the ODBC driver manager.
change the default setting.
Syntax: DBLogCleanRequests "YES|NO"
Example: DBLogCleanRequests YES
Default: DBLogCleanRequests NO
Database Setup Requirements
This is a list of version numbers of MySQL servers, MySQL ODBC drivers and ODBC driver managers which should be compatible:
• MySQL 5.0.70
• MySQL ODBC driver 3.51.11
• iODBC 3.52.4
Setup
Before you enable database support, you have to install an ODBC driver manager and set it up. There are two driver managers available: iODBC - www.iodbc.
running on the specified host):
    # mysql -u -p -h < create-db.sql
Enter password.
2. Install iODBC
You should choose a thread safe library. Please consult the distribution manual to check if your ODBC library was built with thread support.
    # apt-get install libiodbc2
3. Install the corresponding database driver for your database
You should choose a thread safe driver. Please consult the distribution manual to check if your ODBC driver is thread safe.
Please consult the documentation of your database driver for details on the available options.
    [WebGate]
    Driver = /usr/lib/odbc/libmyodbc.so
    Server = hostname.of.my.sql.server
    User = username
    Password = password
    Database = webgate
[WebGate]: The DSN used by WebGate
Driver: This is the path to the driver's library
Server: Database server
User: Username for accessing the database
Password: Username's password
Database: Name of the database to use
6. Enable database support in avwebgate.
    $ /usr/lib/AntiVir/webgate/gui/bin/avwg_stats -S
    Using these settings:
    ODBC ini:
    ODBC library: libodbc.so.1
    ODBC source: WebGate
    Preparing connection ... => OK
    Connecting ... => OK
    Disconnecting ... => OK
    Successfully verified database connectivity!
... and something similar if errors occur (example for MySQL, the error message may vary depending on the error type):
    Using these settings:
    ODBC ini:
    ODBC library: libodbc.so.
table's rows. The results are not sorted.
Example:
Print the "alerts" table:
    # /usr/lib/AntiVir/webgate/gui/bin/avwg_stats -o csv
Print the "counter" table:
    # /usr/lib/AntiVir/webgate/gui/bin/avwg_stats -o csv -t counter
CSV separator: Specify a field separator using one character:
    -o csv:"s"
You must quote the separator for it not to be interpreted by the shell.
Alerts table description
When a mail is blocked, information about the alert(s) is immediately written to the database.
Column | Description
id | This column is an auto-incremented number.
reason | The reason why the request was blocked.
Configuration Column Description filename action The requested URL received by WebGate. The action taken: deleted, quarantined, allowed, blocked, tunneled. The IP of the client that made the request The categories returned by WebProtector, RTPS and UrlCheck, if the option BlockCategories is enabled. An URL with more information about the alert (in case an alert was found). E.g.: for the Eicar test file the URL http://www.avira.com/en/threats?q=Eicar%2DTest%2DSignature is added.
Configuration Column Description id accepted clean alerts acl total_size errors This column is an auto-incremented number. Total count of scanned files. Count of clean files. Count of malware found. Count of blocked files by ACLs. Total size of traffic. Count of requests which caused an error while processing. Count of requests which could not be scanned completely. Count of requests which contained an unsupported compression method. Count of requests with encrypted attachments.
Use this option with caution. WebGate does not check the data transferred over the tunnel connection! Use AllowHTTPSTunnel instead if you want to limit the allowed connections to the ports 443 (HTTPS) and 563 (SNEWS).
ProgressAutoSend
Syntax: ProgressAutoSend "YES|NO"
Default: ProgressAutoSend NO
After showing the download progress (as refreshing HTML pages), send the downloaded file automatically to the client once the download has finished (may not work with every client).
Configuration link provided with the final progress page. This allows a client to retrieve the temporarily cached file multiple times. If no request is received within the specified time, the file is deleted. By default, a file is immediately deleted after it is sent once to the client. For Squid (version < 2.5.STABLE9) this should be set to something greater than 0, since Squid retries a request three times if a 403 response is submitted, but after the first request WebGate deletes the requested page.
Default: RefreshTimeout 30
If there is no refresh or redirect request received within the specified timeout interval in seconds (plus refresh/redirect time), the download is aborted automatically.
CheckHTTPSHandshake
Syntax: CheckHTTPSHandshake "YES|NO"
Default: CheckHTTPSHandshake YES
By default WebGate tries to determine if a CONNECT request is followed by an actual HTTPS handshake. If this is not desired, CheckHTTPSHandshake should be set to NO.
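The following audit script is an added example, not part of the Avira manual or product. It reads an avwebgate.conf and reports the settings that the sections above describe as reducing protection: HTTPPort, AllowHTTPSTunnel, CheckHTTPSHandshake, ArchiveMaxRatio, BlockArchiveBomb, BlockUnsupportedArchive and GuiCertPass. Assumptions: the file holds one "Key value" pair per line, lines starting with # are comments, the "null value" of ArchiveMaxRatio is 0, and an HTTPPort without a host part is not limited to one interface.

```python
"""Audit avwebgate.conf for settings the manual flags as risky (added example)."""

# Constructed sample input, not a shipped configuration.
SAMPLE_CONF = """\
# constructed sample
HTTPPort 8080
AllowHTTPSTunnel YES
CheckHTTPSHandshake NO
ArchiveMaxRatio 0
BlockArchiveBomb NO
GuiCertPass antivir_default
"""

# Defaults exactly as stated in the manual text above.
DEFAULTS = {
    "HTTPPort": "8080",
    "AllowHTTPSTunnel": "NO",
    "CheckHTTPSHandshake": "YES",
    "BlockArchiveBomb": "YES",
    "BlockUnsupportedArchive": "YES",
}


def parse_conf(text):
    """Return the effective settings: manual defaults overridden by the file."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed comment syntax
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        settings[parts[0]] = value
    return settings


def is_yes(value):
    return value.strip().upper() == "YES"


def listen_host(http_port):
    """Split '[host_ip_or_name:]port' and return the host part, or None."""
    host, sep, _port = http_port.rpartition(":")
    return host if sep else None


def audit(settings):
    """Return a list of (option, reason) findings, in a fixed order."""
    findings = []
    if listen_host(settings["HTTPPort"]) in (None, "", "0.0.0.0"):
        findings.append(("HTTPPort",
                         "not bound to the internal interface address"))
    if is_yes(settings["AllowHTTPSTunnel"]):
        findings.append(("AllowHTTPSTunnel",
                         "data sent through the HTTPS tunnel is not scanned"))
    if not is_yes(settings["CheckHTTPSHandshake"]):
        findings.append(("CheckHTTPSHandshake",
                         "CONNECT requests are not checked for a real HTTPS handshake"))
    if settings.get("ArchiveMaxRatio", "").strip() == "0":
        findings.append(("ArchiveMaxRatio",
                         "archives are decompressed regardless of compression rate"))
    for key in ("BlockArchiveBomb", "BlockUnsupportedArchive"):
        if not is_yes(settings[key]):
            findings.append((key, "blocking is switched off (manual default is YES)"))
    if settings.get("GuiCertPass") == "antivir_default":
        findings.append(("GuiCertPass",
                         "uses the example password printed in the manual"))
    return findings


if __name__ == "__main__":
    for option, reason in audit(parse_conf(SAMPLE_CONF)):
        print(f"{option}: {reason}")
```

To audit a real installation, pass the contents of /etc/avira/avwebgate.conf to parse_conf() instead of the constructed sample.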
Configuration avoided. 4.7.4 FTP Connection Settings FTPDefault Server FTPDefaultServer Example: FTPDefaultServer ftp.example.com:21 Default: NONE Specifies an FTP server to which WebGate will connect by default when running as FTP proxy. May be useful to protect a single FTP server "transparently".
Configuration 4.7.6 Timeout Prevention Settings The timeout prevention method is chosen dynamically, based on the type of client and the WebGate configuration settings. All settings specify how often repetitively a method is used.
Configuration Size for the packets WebGate sends to the client when using trickling. By default the size is specified in bytes. An optional quantifier can be used to change this. K, M and G can be used for Kilobytes, Megabytes and Gigabytes. For example 1K will be equivalent to 1024 with no quantifier given. Reserve DataSize ReserveDataSize Example: ReserveDataSize 1 Default: ReserveDataSize 1024 Size of the total data WebGate has to receive before trickling it to the client.
Configuration Control library. For this option to take effect a valid WebGate Suite license must be installed. Normally there is no need to change this. LocalFilter LocalFilter Syntax: LocalFilter "YES|NO" Default: LocalFilter YES Controls the usage of local URL filter implemented by Avira URL Filtering library. This filter is enabled by default with every WebGate or WebGate Suite license. By setting this to NO the filter will be disabled.
SNMPCommunity
Example: SNMPCommunity CompanyName
Default: SNMPCommunity Avira
The community string used when sending SNMP traps. An SNMP host can receive traps from WebGate only if it has the same community string or has no community string set.
4.8 Client Configuration
Once WebGate is running, web browsers will need to set WebGate as HTTP/FTP proxy (Network Configuration 0 and Network Configuration 1).
Configuration The categories WebGate will block are specified as a list of numbers using the BlockCategories in the configuration file.
Configuration Numeric Value Category 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 59 60 61 62 63 66 73 76 77 78 79 Search Engines / Web Catalogs / Portals Software / Hardware / Distributors Communication Services IT Security / IT Information Website Translation Anonymous Proxies Illegal Drugs Alcohol Tobacco Self-Help / Addiction Dating / Relationships Restaurants / Bar Travel Fashion / Cosmetics / Jewelry Sports Building / Residence / Architecture / Furniture Nature / E
Configuration 4.10 SNMP Traps WebGate may be configured so that the administrator is informed about internal errors and malware alerts via SNMP traps. A specification of these traps is available in the MIB files. SNMP itself does not define which information (which variables) a managed system should offer. Rather, SNMP uses an extensible design, where the available information is defined by management information bases (MIBs).
Configuration wgtMatched CategoryBy RTPSFilter wgtMatchedCategoryByRTPSFilter WebGate has matched the request against a configured category with the RTPS filter. Parameters: the category name and the URL of the matched category. This feature is available only with a WebGate RTPS license.
Configuration browser Syntax: acl browser [-i] Enables filtering of connections based on the User-Agent. The [-i] flag generates a case insensitive regexp evaluation. If a regular expression starts with -i followed by space, it has to be escaped by \-i. src Syntax: acl src acl src Enables filtering of connections based on the IP address. You can specify a single IP or a range of IP addresses.
Configuration dstdomain_regexp Syntax: acl dstdomain_regexp [-i] acl dstdomain_regexp -f "/path" Enables filtering of connections based on the destination domain, but for matching regular expressions are used. You can use the -f switch for reading a list of regular expressions from a file. The path towards a file must be marked by quotes. Each line in the file represents a regular expression and must have the format: [-i] .
Configuration Enables searching for in the reply mime type header. You can use this element for detecting file downloads. When using http_access rules this element is invalid. set Syntax: acl set
scanning).
scan: The request is allowed and passed directly to the scanning module. URL filters have no effect.
deny: The request is blocked by WebGate.
tunnel: The data will be forwarded, WebGate will not interfere with this transaction. Because the data will not be scanned, the tunnel-action should be used with caution.
4.
Another way is to tell squid explicitly to forward only HTTP and FTP requests to WebGate and to bypass WebGate for all other types (squid.conf):

    cache_peer parent 0 no-query no-digest default
    acl SCAN_ACL proto HTTP
    acl SCAN_ACL proto FTP
    cache_peer_access allow SCAN_ACL
    cache_peer_access deny !SCAN_ACL
    never_direct allow SCAN_ACL

If WebGate is used as a parent proxy, you need to start WebGate before the proxy is started.

4.12.
5 Operation

Once installation and configuration are complete and Avira AntiVir WebGate is running, WebGate guarantees continuous monitoring of your system. During operation you might have to make occasional changes to the settings, as described in Configuration – Page 18.

This chapter is divided into the following parts:

5.1 Starting and Stopping Avira AntiVir WebGate manually – Page 80, describing the start and stop procedure of WebGate from the console.
--filter-version   Shows version information about the used scanner and filters
--status           Shows if WebGate is running as configured
--dump-config      Shows the currently active configuration values
--help             Shows the list of options with their description

Without a working license key, WebGate will not start. To acquire an evaluation key, please send email to: sales@avira.
Restarting AntiVir WebGate

This is used, for example, after making changes in configuration scripts. Type:

    /usr/lib/AntiVir/webgate/avwebgate restart

The program restarts after showing the following message:

    Stopping AVIRA AntiVir WebGate ...
    Stopping: avwebgate.bin
    Stopping: savapi
    Starting AVIRA AntiVir WebGate ...
    Starting: savapi
    Starting: avwebgate.
Avira AntiVir WebGate will block access to the file and issue a warning in the browser.

Check the logfile for detailed notifications about the detection.

5.3 Procedures when Detecting Viruses or Unwanted Programs

If correctly configured, Avira AntiVir WebGate is set to deal automatically with all the tasks on your computer:

The infected file is repaired or at least deleted.
6 Updates

With Avira Updater you can update Avira software on your computers, using Avira update servers. The program can be configured either by editing the configuration file (Updater Configuration in avupdate-webgate.conf – Page 41), or by using parameters in the command line.

It is recommended to run the Updater as root. If the Updater does not run as root, it does not have the necessary rights to restart the Avira AntiVir WebGate daemons, so the restart has to be done manually, as root.
Example: for an hourly update at *:23, enter the following command:

    23 * * * * root /usr/lib/AntiVir/webgate/avupdate-webgate --product=[product]

As [product], you can use:
• Scanner - (recommended) to update the scanner, engine and vdf files.
• WebGate - complete update (WebGate, scanner, engine and vdf files).

Start the update process to test the settings:

    /usr/lib/AntiVir/webgate/avupdate-webgate --product=[product]

where [product] takes the same values as above.
7 Service

7.1 FAQs

7.1.1 How to watch for SNMP traps on Debian 5

1.) Install the snmpd package:

    $ apt-get install snmpd

2.) Copy the MIB files from the Avira AntiVir WebGate package to a folder:

    $ cp antivir-webgate-prof-/etc/AVIRA-*-MIB.txt /usr/share/snmp/mibs

3.) Configure snmpd in such a way that the WebGate MIB files are read:

    $ echo "+mibs AVIRA-MIB" >> /etc/snmp/snmp.conf
    $ echo "+mibs AVIRA-WEBGATE-V0-MIB" >> /etc/snmp/snmp.conf

4.
    #!/bin/bash
    # Collect the malware name and the request URL from the trap's
    # variable bindings, which arrive on stdin as "OID value" lines.
    name=
    url=
    while read -r oid val
    do
        if [ "$oid" = "AVIRA-WEBGATE-V0-MIB::wgtMalwareName.0" ]
        then
            name=$val
        fi
        if [ "$oid" = "AVIRA-WEBGATE-V0-MIB::wgtRequestURL.0" ]
        then
            url=$val
        fi
    done
    echo "WebGate found $name when accessing $url"

5.) Run the following:

    $ snmptrapd -f -c /etc/snmp/snmptrapd.
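The request URL in a malware trap originates from whatever site the client contacted, so a handler should not write it to a terminal or log unfiltered. The following variant of the handler script above is an added example, not part of the Avira manual; the --handle argument, the function names and the sample trap (including its host names and malware name) are constructed for illustration.

```bash
#!/bin/bash
# Added example, not Avira code: a traphandle script that treats trap values
# as untrusted. Assumption: snmptrapd.conf calls it with the argument --handle.

# Drop quotes around a string value and replace every byte outside printable
# ASCII, so a crafted URL cannot smuggle escape sequences into logs or terminals.
sanitize() {
    local v
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v" | LC_ALL=C tr -c '[:print:]' '?'
}

# Read one trap from stdin (host name, transport address, then one
# "OID value" pair per line) and print a single summary line.
format_trap() {
    local host addr oid val name url
    name=
    url=
    IFS= read -r host || return 1
    IFS= read -r addr || return 1
    while read -r oid val; do
        case $oid in
            AVIRA-WEBGATE-V0-MIB::wgtMalwareName.0) name=$(sanitize "$val") ;;
            AVIRA-WEBGATE-V0-MIB::wgtRequestURL.0)  url=$(sanitize "$val") ;;
        esac
    done
    [ -n "$name" ] || return 1   # no malware name: not an alert to report
    printf 'WebGate on %s found %s when accessing %s\n' \
        "$(sanitize "$host")" "$name" "${url:-unknown}"
}

# Constructed sample trap (not captured output); the URL carries an ESC byte.
sample_trap() {
    printf '%s\n' 'gw1.example.test' 'UDP: [192.0.2.10]:161->[192.0.2.1]:162' \
        'DISMAN-EVENT-MIB::sysUpTimeInstance 0:0:05:12.34' \
        'AVIRA-WEBGATE-V0-MIB::wgtMalwareName.0 "Eicar-Test-Signature"'
    printf 'AVIRA-WEBGATE-V0-MIB::wgtRequestURL.0 "http://files.example.test/a\033[2Jb"\n'
}

case ${1:-} in
    --handle) format_trap | logger -t webgate-trap ;;  # handler mode: to syslog
    *)        sample_trap | format_trap ;;             # demo on the sample
esac
```

Run without arguments, the script formats the constructed sample, and the ESC byte in the URL appears as a question mark in the summary line.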
Message Board

There is also a message board in which you can participate for free: http://forum.avira.com
Please use the Search option; your questions may already have been answered for another user and posted on the board.

Email Support

Support via email can be obtained at http://www.avira.com.

7.3 Online Shop

Would you like to buy our products with a mouse click? You can visit the Avira Online Shop at http://www.avira.com and buy, upgrade or extend AntiVir licenses fast and safely.
7.4 Contact Address

Avira Operations GmbH & Co. KG
Kaplaneiweg 1
D-88069 Tettnang
Germany

Internet

You can find further information about us and our products by visiting http://www.avira.com.

Avira Operations GmbH & Co.
8 Appendix

8.1 Glossary

Backdoor (BDC)
    A backdoor is a program infiltrated in order to steal data from the computer, without the user's knowledge. This program is controlled by third parties using remote backdoor-control software, over the Internet or network. AntiVir detects backdoor-control programs.
cron (daemon)
    A daemon which starts other programs at specified times.
Daemon
    A background process for administration on Unix systems.
Signature
    A combination of bytes used for recognizing a virus or unwanted program.
Script
    A text file containing commands to be executed by the system (similar to batch files in DOS).
SMC
    Avira Security Management Center
SMP (Symmetric Multi Processing)
    Unix SMP: Unix version for computers with parallel processors.
SMTP
    Simple Mail Transfer Protocol: protocol for email transport on the Internet.
syslog daemon
    A daemon used by programs for logging various information.
8.3 Golden Rules for Protection Against Viruses

• Always keep boot floppy disks for your network server and for your workstations.
• Always remove floppy disks from the drive after finishing your work. Even if they have no executable programs, disks can contain program code in the boot sector, and this code can carry boot sector viruses.
• Regularly back up your files.
• Limit program exchange, particularly with other networks, mailboxes, the Internet and acquaintances.
This manual was created with great care. However, errors in design and contents cannot be excluded. The reproduction of this publication or parts thereof in any form is prohibited without previous written consent from Avira Operations GmbH & Co. KG. Issued Q3-2012 Brand and product names are trademarks or registered trademarks of their respective owners. Protected trademarks are not marked as such in this manual. However, this does not mean that they may be used freely. © 2012 Avira Operations GmbH & Co.