F-Secure Anti-Virus Linux Client Security Administrator’s Guide
"F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others.
Contents
Chapter 1 Introduction 5
1.1 Welcome 6
1.2 How the Product Works 6
1.3 Key Features and Benefits 9
1.4 F-Secure Anti-Virus Server and Gateway Products
3.10 Uninstallation 30
Chapter 4 Getting Started 31
4.1 Accessing the Web User Interface 32
4.2 Basics of Using F-Secure Policy Manager 32
4.3 Testing the Antivirus Protection
7.2.2 dbupdate 72
7.3 Firewall Protection 72
7.3.1 fsfwc 73
7.4 Integrity Checking
D.3 Integrity Checking 89
D.4 Firewall 91
D.5 Virus Protection 93
D.6 Generic Issues
1 INTRODUCTION
Welcome 6
How the Product Works 6
Key Features and Benefits 9
F-Secure Anti-Virus Server and Gateway Products
1.1 Welcome
Welcome to F-Secure Anti-Virus Linux Server Security. Computer viruses are one of the most harmful threats to the security of data on computers. Viruses have increased in number from just a handful a few years ago to many thousands today. While some viruses are harmless pranks, others can destroy data and pose a real threat.
Real-time Scanning
Real-time scanning gives you continuous protection against viruses as files are opened, copied, and downloaded from the Web. It runs transparently in the background, looking for viruses whenever you access files on the hard disk, diskettes, or network drives. If you try to access an infected file, the real-time protection automatically stops the virus from executing.
Firewall
The firewall component is a stateful packet filtering firewall based on Netfilter and iptables. It protects computers against unauthorized connection attempts. You can use predefined security profiles, tailored for common use cases, to select the traffic you want to allow and deny.
1.3 Key Features and Benefits
Superior Protection against Viruses and Worms
› The product scans files on any Linux-supported file system. This is the optimum solution for computers that run several different operating systems with a multi-boot utility.
› Superior detection rate with multiple scanning engines.
› A heuristic scanning engine can detect suspicious, potentially malicious files.
Transparent to End-users
Protection of Critical System Files
› Critical information about system files is stored and automatically checked before access is allowed.
› The administrator can protect files against changes so that it is not possible to install, for example, a trojan version.
› The administrator can define that all Linux kernel modules are verified before they are allowed to be loaded.
Easy to Deploy and Administer
Extensive Alerting Options
1.4 F-Secure Anti-Virus Server and Gateway Products
The F-Secure Anti-Virus product line consists of workstation, file server, mail server and gateway products.
› F-Secure Messaging Security Gateway delivers the industry's most complete and effective security for e-mail.
› F-Secure Anti-Virus for MIMEsweeper provides a powerful anti-virus scanning solution that tightly integrates with Clearswift MAILsweeper and WEBsweeper products. F-Secure provides top-class anti-virus software with fast and simple integration to Clearswift MIMEsweeper for SMTP and MIMEsweeper for Web, giving the corporation the powerful combination of complete content security.
2 DEPLOYMENT
Deployment on Multiple Stand-alone Linux Workstations 14
Deployment on Multiple Centrally Managed Linux Workstations 14
Central Deployment Using Image Files
2.1 Deployment on Multiple Stand-alone Linux Workstations
When the company has multiple Linux workstations deployed, but they are not managed centrally, the workstation users can install the software themselves.
› In organizations with few Linux machines, the graphical user interface can be used to manage Linux workstations instead of F-Secure Policy Manager. For more information on stand-alone installation without F-Secure Policy Manager, see “Stand-alone Installation”, 19.
2.3 Central Deployment Using Image Files
When the company has a centralized IT department that installs and maintains computers, the software can be installed centrally on all workstations. The recommended way to deploy the product is to create an image of a Linux workstation with the product preinstalled. For instructions on how to do this, see “Replicating Software Using Image Files”, 26.
3 INSTALLATION
System Requirements 17
Installation Instructions 18
Upgrading from a Previous Product Version 24
Upgrading the Evaluation Version 25
Replicating Software Using Image Files 26
Preparing for Custom Installation
3.1 System Requirements
Operating system:
› Novell Linux Desktop 9
› Ubuntu 5.10 (Breezy), 6.06 (Dapper Drake)
› SUSE Linux Enterprise Server 8, 9, 10
› SUSE Linux 9.0, 9.1, 9.2, 9.3, 10, 10.1, 10.2
› SUSE Linux Enterprise Desktop 10
› Red Hat Enterprise Linux 4, 3, 2.1 AS
› Miracle Linux 2.1
› Miracle Linux 3.0
› Asianux 2.0
› Turbolinux 10
› Debian 3.
Konqueror is not a supported browser for the local user interface. It is recommended to use the Mozilla or Firefox browsers.
Note About Dazuko Version
The product needs the Dazuko kernel module for real-time virus protection, integrity checking and rootkit protection. Dazuko is an open-source kernel module that provides an interface for file access control. More information is available at http://www.dazuko.org. The product installs the Dazuko driver during the product installation.
Centrally managed installation is the recommended installation mode when taking the product into use in a large network environment. For installation instructions, see “Centrally Managed Installation”, 21.
› For information on how to install the product on multiple computers, see “Replicating Software Using Image Files”, 26.
4. Select the language you want to use in the web user interface during the installation.
Select language to use in Web User Interface
[1] English (default)
[2] Japanese
[3] German
5. The installation displays the license agreement. If you accept the agreement, answer yes and press ENTER to continue.
6. Enter the keycode to install the full, licensed version of the product.
12. Enter the baseline passphrase. For more information, see “Passphrase”, 62.
Please insert passphrase for HMAC creation (max 80 characters)
13. The installation is complete. After the installation is complete, you can start the F-icon systray applet with the fsui command. For information on how to access the web user interface and check that the virus protection is working, see “Getting Started”, 31.
3.2.
chmod a+x f-secure-linux-client-security-.
3. Run the following command to start the installation:
./f-secure-linux-client-security-.
The setup script displays some questions. The default value is shown in brackets after the question. Press ENTER to select the default value.
4. Select the language you want to use in the web user interface during the installation.
Select language to use in Web User Interface
[1] English (default)
[2] Japanese
[3] German
5.
11. Select whether the web user interface can be opened from the localhost without a login.
Allow connections from localhost to the web user interface without login? [yes]
12. Enter the user name who is allowed to use the web user interface.
Please enter the user name who is allowed to use the web user interface.
The user name is a local Linux account. You have to create the account if it does not exist yet. Do not use the root account for this purpose.
13.
3.3 Upgrading from a Previous Product Version
If you are running version 5.20 or later, you can install the new version without uninstalling the previous version. If you have an earlier version, upgrade it to 5.20 first, or uninstall it before you install the latest version. The uninstallation preserves all settings and the host identity, so you do not need to import the host into F-Secure Policy Manager again. For more information, see “Uninstalling Earlier Version”, 25.
Uninstalling Earlier Version
If you have version 5.x, run the following command from the command line to uninstall it:
/opt/f-secure/fsav/bin/uninstall-fsav
If you have version 4.x, remove the following directories and files to uninstall it:
/opt/f-secure/fsav/
/var/opt/f-secure/fsav/
/etc/opt/f-secure/fsav/
/usr/bin/fsav
/usr/share/man/man1/fsav.1
/usr/share/man/man5/fsav.conf.5
/usr/share/man/man5/fsavd.conf.5
/usr/share/man/man8/dbupdate.8
/usr/share/man/man8/fsavd.
3.5 Replicating Software Using Image Files
If you are going to install the product on several computers, you can create a disk image file that includes the product and use this image to replicate the software on the computers. Make sure that each computer on which the software is installed creates a new unique identification code. Follow these steps to make sure that each computer uses a personalized Unique ID when disk imaging software is used:
1.
1. Type the following command:
./f-secure-linux-client-security-. rpm
2. Install the RPM packages.
IMPORTANT: The /opt/f-secure/fsav/fsav-config script must be executed after the RPMs have been installed, otherwise the product will not operate.
3.7 Unattended Installation
You can install the product in unattended mode. In unattended mode, you provide all the information on the installer command line (or on the fsav-config command line, if you install from RPM packages).
locallogin - Require login for local access to the web user interface.
user=USER - Specify the local account to use for the web user interface login.
kernelverify - Turn on kernel module verification.
nokernelverify - Turn off kernel module verification.
pass=PASS - Specify the passphrase for the baseline generation.
keycode=KEYCODE - Specify the keycode for license checks. If no keycode is provided, the product is installed in evaluation mode.
If you are running an earlier version and want to upgrade to the latest version, but you want to install the command line scanner only, you have to uninstall the earlier version first. Use the /etc/opt/f-secure/fssp/fssp.conf configuration file to configure the command line scanner only installation. See the file for detailed descriptions of the available settings.
3.9 Creating a Backup
To back up all relevant data, run the following commands:
# /etc/init.d/fsma stop
# /etc/init.
3.10 Uninstallation
Run the script /opt/f-secure/fsav/bin/uninstall-fsav as root to uninstall the product. The uninstall script does not remove configuration files. If you are sure that you do not need them any more, remove all files in the /etc/opt/f-secure/fsma path.
4 GETTING STARTED
Accessing the Web User Interface 32
Basics of Using F-Secure Policy Manager 32
Testing the Antivirus Protection
4.1 Accessing the Web User Interface
In small deployments where F-Secure Policy Manager is not available, the web user interface can be used to configure the product. You can access the web user interface from the system tray, or at the http://localhost:28080/ address. If you allow remote access to the web user interface, you can access it at the following HTTPS address: https://:28082/.
4.3 Testing the Antivirus Protection
To test whether the product operates correctly, you can use a special test file that is detected as a virus. This file, known as the EICAR Standard Anti-Virus Test File, is also detected by several other anti-virus programs. You can also use the EICAR test file to test your e-mail scanning. EICAR is the European Institute for Computer Anti-virus Research. The EICAR info page can be found at http://www.europe.f-secure.
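The test described above, as an added shell script that is not part of the guide: it writes the published 68-byte EICAR test string to a temporary file and runs the fsav command line scanner on it. The assumptions are that fsav is on the PATH and that it exits non-zero when it reports a file; the file name and directory are constructed for the test.

```shell
#!/bin/sh
# Added example (not from the F-Secure guide): create the EICAR test file and
# scan it with fsav. Assumptions: fsav is on PATH and exits non-zero when it
# reports a file; the file name and directory are constructed for this test.

# The 68-byte EICAR test string, published by EICAR for exactly this purpose.
# Single quotes keep the shell from touching the $, \ and ! characters.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar PATH: write the test string (no trailing newline) to PATH.
write_eicar() {
    printf '%s' "$EICAR" > "$1"
}

# file_size PATH: size in bytes, used to confirm the file was written intact.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# scan_with_fsav PATH: run the scanner on PATH and report its exit status.
# Returns 0 if fsav ran, 2 if fsav is not installed on this machine.
scan_with_fsav() {
    if ! command -v fsav >/dev/null 2>&1; then
        echo "fsav not found; install the product before running the test" >&2
        return 2
    fi
    rc=0
    fsav "$1" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "fsav exit status 0: the test file was NOT reported; check the scanning settings"
    else
        echo "fsav exit status $rc: the test file was reported (expected)"
    fi
    return 0
}

# run_eicar_check: write the file into a fresh temporary directory, scan it,
# and clean up afterwards.
run_eicar_check() {
    dir=$(mktemp -d)
    write_eicar "$dir/eicar.com"
    echo "wrote $(file_size "$dir/eicar.com")-byte test file to $dir/eicar.com"
    scan_with_fsav "$dir/eicar.com" || true
    rm -rf "$dir"
}

# Run the check only when invoked as: sh eicar-check.sh run
if [ "${1:-}" = "run" ]; then
    run_eicar_check
fi
```

With real-time scanning enabled, reading the file back (even the size check) may already be denied and an alert raised before fsav runs; that denial is itself the confirmation the section is after, and the alert should appear on the Alerts page.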
5 USER INTERFACE BASIC MODE
Summary 35
Common Tasks
5.1 Summary
The summary page displays the product status and the latest reports. The product status shows the protection status and any errors or malfunctions.
Status
Virus Protection - Shows the current Virus Protection level. Virus Protection levels allow you to change the level of protection according to your needs. If Virus Protection is disabled, your computer is vulnerable to virus attacks.
5.2 Common Tasks
You can configure the manual scan and firewall settings and check the latest virus definition database updates from the common tasks page. Choose one of the following actions:
Scan the computer for malware - Opens a scanning wizard that can scan the computer for any type of malware, including viruses, worms and trojans. Follow the on-screen instructions for more details. For more information, see “Manual Scanning”, 44.
Create a firewall rule - Create a new firewall rule.
6 USER INTERFACE ADVANCED MODE
Alerts 38
Virus Protection 40
Firewall Protection 49
Integrity Checking 57
General Settings
6.1 Alerts
On the Alerts page, you can read and delete alert messages. To find the alert message you want to view, follow these instructions:
1. Select the Status of the security alerts you want to view. Select All to view all alerts, Unread to view new alerts, or Read to view alerts you have already viewed.
2. Select the Severity of the security alerts you want to view. For more information, see “Alert Severity Levels”, 38.
Security Level - Description
For example, the virus definition database update is older than the previously accepted version.
Fatal Error - Unrecoverable error on the host that requires attention from the administrator. For example, a process fails to start or loading a kernel module fails.
Security alert - For example, a virus alert. The alert includes information about the infection and the performed operation.
6.2 Virus Protection
Real-Time Scanning
Real-time scanning is completely transparent. By default, all files are scanned automatically when they are opened and executed.
Scheduled Scanning
If you want to scan the computer for viruses regularly, for example once a week, you can create a scheduled scanning task. Scheduled scanning uses the settings you have defined for manual scanning.
Report and deny access - Displays and alerts about the found virus and blocks access to it. No other action is taken against the infected file. View Alerts to check security alerts. For more information, see “Alerts”, 38.
Disinfect - Disinfects viruses. Note that some viruses cannot be disinfected. If the virus cannot be disinfected, access to the infected file is still blocked.
Rename - Renames the infected file and removes its execute permissions.
The renamed file has the .suspected extension.
Delete - Deletes the suspected file.
Deny access - Blocks access to the suspected file, but does not send any alerts or reports.
What to scan
Directories excluded from the scan - Define directories which are excluded from the virus scan. Type each directory on a new line, only one directory per line.
Scan when running an executable - Select whether files are scanned every time they are run. If both Scan on open and Scan on execute are disabled, nothing is scanned even if Scan only executables is enabled.
Archive scanning
Scan inside archives - Scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives. Scanning archives with real-time scanning can degrade overall system performance.
6.2.2 Scheduled Scanning
You can use scheduled scanning to scan files for viruses regularly at predefined times. To set the scanning schedule, follow these instructions:
1. Click Add a new task.
2. Set the date and time when the scheduled scan should start. For example:
a. To perform the task each Sunday at 4 am: Minute: 0, Hour: 4, Day of the Month: *, Month: *, Day of the Week: sun
b.
If you have received a suspicious file, for example an executable or an archive file via e-mail, it is always a good idea to scan it for viruses manually. By default, archive scanning is disabled during the real-time scan. The real-time scan scans the archive when it is extracted, but if you copy or forward the archive without extracting it first, you should manually scan the archive to make sure that it does not contain any viruses. To start the manual scan, select I want to...
Custom - Performs the action you define. To define the custom action, enter the command in the Primary or Secondary custom action field.
Deny access - Blocks access to the infected file, but does not send any alerts or reports.
Abort Scan - Stops the scan.
Suspected files
Select the primary and secondary actions to take when the heuristic scanning engine finds a suspected file. The secondary action takes place if the primary action cannot be performed.
Only files with specified extensions - Scans only files with the extensions specified in the Included extensions field. The Included extensions field appears after you have selected Only files with specified extensions.
Enable exclusions - Files in the directories specified in the Directories excluded from scanning field are not scanned. The Directories excluded from scanning field appears after you have enabled exclusions.
The user who opens a password protected archive should have up-to-date virus protection on the workstation if password protected archives are treated as safe.
Stop on first infection - Select whether the whole archive should be scanned even after an infection is found inside the archive.
Scanning a File Manually on a Workstation
When the product scans files, it must have at least read access to them.
6.3 Firewall Protection
The firewall protects computers against unauthorized access from the Internet as well as against attacks originating from inside the local-area network. It provides protection against information theft, as unauthorized access attempts can be prohibited and detected.
Security Profiles
The firewall contains predefined security profiles, each of which has a set of pre-configured firewall rules.
Security Profiles
You can change the current security profile from the Summary page. For more information, see “Summary”, 35. The following table lists the security profiles available in the product and the type of traffic each of them allows or denies.
Security profile - Description
Block All - Blocks all network traffic (excluding loopback).
Server - Allows only IP configuration via DHCP, DNS lookups and the ssh protocol out and in.
Strict - Allows outbound web browsing, e-mail and News traffic, encrypted communication, FTP file transfers and remote updates. Everything else is denied.
Normal - Allows all outbound traffic, and denies some specific inbound services.
Disabled - Allows all inbound and outbound network traffic.
General Settings
On the General Settings page, you can select network packet logging settings and configure trusted network interfaces.
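Because the firewall is a stateful Netfilter/iptables filter, a profile such as Server is at bottom a short list of accept rules in front of a default deny. The script below is an added example, not the product's own rule set (the guide does not list the rules a profile generates): it emits an iptables approximation of the Server profile described in the table, allowing loopback, DHCP, DNS and ssh in both directions and dropping everything else, with established connections tracked so replies get through. The helper names and the choice to flush the tables first are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the product's own rule set): an iptables approximation of
# the "Server" profile: loopback, DHCP, DNS and ssh in/out allowed, everything
# else dropped, with stateful tracking of established connections.

# allow_out PROTO PORT: permit new outbound connections to a responder port.
allow_out() {
    echo "iptables -A OUTPUT -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# allow_in PROTO PORT: permit new inbound connections to a local responder port.
allow_in() {
    echo "iptables -A INPUT -p $1 --dport $2 -m state --state NEW -j ACCEPT"
}

# server_profile_rules: print the rule set, one iptables command per line.
server_profile_rules() {
    # start from clean chains
    echo "iptables -F INPUT"
    echo "iptables -F OUTPUT"
    echo "iptables -F FORWARD"
    # loopback stays open; even Block All excludes loopback
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # packets belonging to connections already accepted, in both directions
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # IP configuration via DHCP (client port 68 <-> server port 67);
    # the broadcast reply is not tracked as a reply, so it needs its own rule
    echo "iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -p udp --sport 67 --dport 68 -j ACCEPT"
    # DNS lookups
    allow_out udp 53
    allow_out tcp 53
    # ssh in and out
    allow_in tcp 22
    allow_out tcp 22
    # default deny, set last so the accept rules are in place first
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# count_rules: number of iptables commands the profile emits (policies included).
count_rules() {
    server_profile_rules | wc -l | tr -d ' '
}

# apply_server_profile: execute the rules; requires root and the iptables tool.
apply_server_profile() {
    server_profile_rules | sh -e
}
```

Review the output of `server_profile_rules` before calling `apply_server_profile` over an ssh session: the ESTABLISHED,RELATED rule is what keeps the session you are typing in alive once the policies flip to DROP.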
6.3.2 Firewall Rules
Each security profile has a set of pre-configured Firewall Rules.
Profile to edit - Select the firewall profile you want to edit. For more information, see “Security Profiles”, 50. The current security profile is displayed at the top of the Firewall Rules page. You can change the current security profile from the Summary page. For more information, see “Summary”, 35.
List of rules - The list of rules displays the currently used ruleset.
If the profile contains more than 10 rules, use the <<, <, > and >> arrows to browse the rules. Changing the order of the rules may affect all the other rules you have created.
Add And Edit Rules
You can add a new firewall rule, for example, to allow access to a new service in the network. To add a new rule, click Add new rule below the list of rules. When you edit the firewall rules, allow only the needed services and deny all the rest to minimize the security risk.
Direction - For every service you selected, choose the direction in which the rule applies. in = all incoming traffic that comes to your computer from the Internet. out = all outgoing traffic that originates from your computer.
Click Add to firewall rules to add the rule to the end of the list of rules. Click Save after you have added or edited a rule to activate all changes. Click Cancel to discard all changes made after the previous save.
6.3.
Add And Edit Services
Service name - Enter a name for the service.
Protocol - Select the protocol (ICMP, TCP, UDP) or define the protocol number for the service you want to specify.
Initiator ports - Enter the initiator ports.
Responder ports - Enter the responder ports.
Description - Enter a short description of the service.
Click Save after you have added or edited a service to activate all changes. Click Cancel to discard all changes made after the previous save.
8. The next step is to create a Firewall Rule that allows use of the service you just defined. Select Firewall Rules in the Advanced mode menu.
9. Select the profile where you want to add a new rule and click Add new rule to create a new rule.
10. Select Accept or Deny as the rule Type. Enter a descriptive comment in the Description field to distinguish this rule.
11. Define the Remote Host to which the rule applies. Enter the IP address of the host in the field.
12.
6.4 Integrity Checking
Integrity Checking protects important system files against unauthorized modifications. It can block any modification attempt on protected files, regardless of file system permissions. Integrity Checking compares files on the disk to the baseline, which is a cryptographically signed list of file properties. Integrity Checking can be configured to send alerts to the administrator about modification attempts on the monitored files. See “Communications”, 64.
Using The Search
Status - Select the files you want to view in the known files list.
Modified and new - Displays all files that have been modified or added to the baseline.
Modified - Displays all files that have been modified.
New - Displays all files that have been added to the baseline.
Unmodified - Displays all baselined files that have not been modified.
All - Displays all files in the known files list.
Action - Displays whether the product allows or denies modifications to the file.
Alert - Displays whether the product sends an alert when the file is modified.
Protection - Displays whether the file is monitored or protected. Protected files cannot be modified, while monitored files are only monitored and can be modified.
To regenerate the baseline, select the new and modified files you want to baseline and click Regenerate baseline for highlighted files.
Action - The product can prevent access to modified files.
Allow - Access to the modified file is allowed when it is executed or opened.
Deny - Access to the modified file is denied. Modified files cannot be opened or executed.
Click Add to known files to add the entry to the Known Files List. Integrity Checking does not protect new or modified files before you regenerate the baseline. Regenerate the baseline to protect files you have added. For more information, see “Generate Baseline”, 61.
When the Software Installation Mode is enabled, any process can load any kernel module, whether or not it is in the baseline, and any process can change any file in the baseline, whether or not that file is protected. Real-time scanning is still enabled and alerts about any malware found during the installation.
do not enable the Kernel Module Verification during the installation, you have to generate the baseline manually before Integrity Checking is enabled. All files that are added to the baseline during the installation are set to the Allow and Alert protection mode.
Passphrase
The generated baseline has to be signed to prevent anyone from modifying the protected files. The product verifies the baseline and the system integrity cryptographically.
6.4.4 Rootkit Prevention
When Integrity Checking is enabled, the product can prevent rootkits. Hackers can use rootkits to gain access to the system and obtain administrator-level access to the computer and the network.
Kernel module verification - Protects the system against rootkits by preventing unknown kernel modules from loading. When kernel module verification is on, only those kernel modules that are listed in the known files list and have not been modified can be loaded.
6.5 General Settings
Communications - Configure alerting.
Automatic Updates - Configure automatic virus definition database updates.
About - View the product and version information.
6.5.1 Communications
Change the Communications settings to configure where alerts are sent.
Management Server
Server Address - Define the URL of the F-Secure Policy Manager Server. This setting is only available in the centrally managed installation mode.
E-mail Settings
The e-mail settings are used for all alert messages that have been configured to send e-mail alerts.
Server - Enter the address of the SMTP server in the Server Address field. You can use either the DNS name or the IP address of the SMTP server. If the mail server is not running or the network is down, some e-mail alerts may be lost. To prevent this, configure a local mail server on port 25 and use it for relaying e-mail alerts.
Variable - Description
%PRODUCT_OID% - The OID of the product that generated the alert.
%DESCRIPTION% - The alert description.
%DATE% - The date when the alert was sent, in the format YYYY-MM-DD.
%TIME% - The time when the alert was sent, in the format HH:MM:SS+GMT.
%ALERT_NUMBER% - The alert number during the session.
6.5.2 Automatic Updates
It is of the utmost importance that the virus definition databases are up to date. The product updates them automatically.
Priority - Displays the priority level of the update source. The priority numbers define the order in which the host tries to connect to the servers. Virus definition updates are downloaded from the primary sources first; secondary update sources can be used as a backup. The product connects to the source with the smallest priority number (1) first. If the connection to that source fails, it tries the source with the next smallest number (2), and so on until a connection succeeds.
Allow fetching updates from F-Secure Update Server - Enable the product to download virus definition updates from the F-Secure Update Server when it cannot connect to the specified update servers.
Launch scan after updates - Select whether a virus scan should be launched automatically after the virus definitions have been updated. The virus scan scans all local files and directories and can take a long time. The scan uses the manual scanning settings. By default, the scan is not launched automatically.
6.5.3 About
The About page displays the license terms, the product version number and the database version. If you are using the evaluation version of the product, you can enter the keycode on the About page to upgrade the product to the fully licensed version.
7 Command Line Tools
Overview 71
Virus Protection 71
Firewall Protection 72
Integrity Checking 73
General Command Line Tools
7.1 Overview
For more information on command line options, see “Man Pages”, 96.
7.2 Virus Protection
You can use the fsav command line tool to scan files and the dbupdate command line tool to update virus definition databases from the shell.
7.2.1 fsav
Follow these instructions to scan files from the shell:
› To scan all default file types on all local disks, type: fsav /
› To scan all files in a directory and its subdirectories, enter the directory name.
For more information on command line options, see the fsav man page or type fsav --help.
7.2.2 dbupdate
Before you can update the virus definition databases manually, you have to disable the periodic database update. To disable periodic database updates, edit the crontab of root:
1. Run the following command: crontab -e
2.
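Editing root's crontab by hand with crontab -e is what the section describes; the filters below are an added example, not part of the guide, for doing the same step in a script around a manual update. They assume only that the periodic entry's command contains the word dbupdate (the exact crontab line the installer writes is not shown on the page); the marker prefix and the sample crontab in the usage comment are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): filters that comment out, and later
# restore, the periodic dbupdate entry in root's crontab around a manual update.
# Assumption: the cron entry's command contains "dbupdate"; the marker prefix
# "#manual-update# " is this example's own convention.

MARK='#manual-update# '

# disable_dbupdate_cron: read a crontab on stdin, write it with every active
# dbupdate line commented out behind the marker. Lines that are already
# comments are left alone, so the filter is safe to run twice.
disable_dbupdate_cron() {
    sed -e '/dbupdate/{' -e "/^[[:space:]]*#/!s/^/$MARK/" -e '}'
}

# enable_dbupdate_cron: strip exactly the marker this script added, leaving any
# entry the administrator commented out on purpose untouched.
enable_dbupdate_cron() {
    sed -e "s/^$MARK//"
}

# dbupdate_active: exit 0 if the crontab on stdin still has an active
# (uncommented) dbupdate entry, 1 otherwise.
dbupdate_active() {
    grep -v '^[[:space:]]*#' | grep -q dbupdate
}

# Typical use as root (sketch, not run here; dbupdate path as installed):
#   crontab -l | disable_dbupdate_cron | crontab -
#   dbupdate
#   crontab -l | enable_dbupdate_cron | crontab -
```

Check `crontab -l | dbupdate_active` before the manual update; if it still succeeds, the periodic job was not matched and could run in the middle of your update.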
7.3.1 fsfwc
Use the following command to change the current security profile:
/opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass}
For more information about security profiles, see “Security Profiles”, 50.
7.4 Integrity Checking
You can use the fsic command line tool to check the system integrity and fsims to use the Software Installation Mode from the shell.
7.4.
2. Recalculate the baseline. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline:
/opt/f-secure/fsav/bin/fsic --baseline
3. Enter a passphrase to create the signature.
Verifying the Baseline
Follow these instructions to verify the baseline from the command line:
1. Run the command: /opt/f-secure/fsav/bin/fsic
2. Enter the passphrase that you used when you created the baseline.
3.
Where language is:
en - English
ja - Japanese
de - German
7.5.2 fsma
Use the following command to check the status of the product modules:
/etc/init.d/fsma status
The following table lists all product modules:
Module | Process | Description
F-Secure Alert Database Handler Daemon | /opt/f-secure/fsav/sbin/fsadhd | Stores alerts to a local database. Alerts can be viewed with the web user interface.
F-Secure FSAV Status Daemon | /opt/f-secure/fsav/bin/fstatusd | Checks the current status of every component and keeps the desktop panel applications and the web user interface up to date.
F-Secure FSAV Web UI | /opt/f-secure/fsav/tomcat/bin/catalina.sh start | Handles the web user interface.
F-Secure FSAV PostgreSQL daemon | /opt/f-secure/common/postgresql/bin/startup.sh | Stores alerts that can be viewed with the web user interface.
7.5.
A Installation Prerequisites
All 64-bit Distributions 78
Red Hat Enterprise Linux 4 78
Debian 3.1 and Ubuntu 5.04, 5.10, 6.06 79
SuSE 80
Turbolinux 10
A.1 All 64-bit Distributions
Some 64-bit distributions do not install 32-bit compatibility libraries by default. Make sure that these libraries are installed. The name of the compatibility library package varies; see the documentation of the distribution you use for the package name of the 32-bit compatibility libraries. On 64-bit Ubuntu, install ia32-libs.
A.2 Red Hat Enterprise Linux 4
Follow these instructions to install the product on a server running Red Hat Enterprise Linux 4 AS:
1.
The system tray applet requires the following RPM packages:
› kdelibs
› compat-libstdc++
2. Install the product normally.
A.3 Debian 3.1 and Ubuntu 5.04, 5.10, 6.06
To install the product on a server running either Debian 3.1 or Ubuntu 5.04, 5.10 or 6.06:
1. Install a compiler, kernel headers and RPM before you install the product.
A.4 SuSE
To install the product on a server running SuSE version 9.1, 9.2, 9.3 or 10.0:
1. Before you install the product, make sure that the kernel-source, make and gcc packages are installed. Use YaST or another setup tool.
2. Install the product normally.
A.5 Turbolinux 10
Turbolinux kernel sources may not be configured, so they cannot be used to compile kernel drivers.
B Installing Required Kernel Modules Manually
Introduction 82
Before Installing Required Kernel Modules 82
Installation Instructions
B.1 Introduction
This section describes how to install required kernel modules manually. You may need to do this in the following cases:
› You forgot to use Software Installation Mode and the system is not working properly.
› In large installations some hosts may not include development tools or kernel source.
B.2 Before Installing Required Kernel Modules
Before installing required kernel modules, you must do the following:
› 
› 
B.
fsav-compile-drivers is a shell script that configures and compiles the Dazuko driver automatically for your system and for the product. For more information on the Dazuko driver, visit www.dazuko.org. You can download the Dazuko driver from www.dazuko.org and use it with the product, but this is not recommended.
C List of Used System Resources
Overview 85
Installed Files 85
Network Resources 85
Memory 86
CPU
C.1 Overview
This appendix summarizes the system resources used by the product.
C.2 Installed Files
All files installed by the product are in the following directories:
/opt/f-secure
/etc/opt/f-secure
/var/opt/f-secure
In addition, the installation creates the following symlinks:
/usr/bin/fsav -> /opt/f-secure/fssp/bin/fsav
/usr/bin/fsic -> /opt/f-secure/fsav/bin/fsic
/usr/bin/fsui -> /opt/f-secure/fsav/bin/fsui
/usr/share/man/man1/fsav.
C.4 Memory
The Web User Interface reserves over 200 MB of memory, but since the Web UI is not in use all the time, that memory is usually swapped out. The other product components add up to about 50 MB of memory, most of it used by the on-access scanner. Memory consumption depends on the number of file accesses on the system: if several users are logged in and all of them access many files, memory consumption grows.
C.
D Troubleshooting
User Interface 88
F-Secure Policy Manager 89
Integrity Checking 89
Firewall 91
Virus Protection 93
Generic Issues
D.1 User Interface
Q. I cannot log in to the Web User Interface. What can I do?
A. On some distributions, you have to comment out (add a hash sign (#) at the beginning of the line) the following line in /etc/pam.d/login:
# auth requisite pam_securetty.so
Be aware that pam_securetty is the check that allows root to log in only from the terminals listed in /etc/securetty; commenting it out lifts that restriction for every program that authenticates through the login PAM service, not only for the Web User Interface.
Q. The F-icon in the system tray has a red cross over it, what does it mean?
A. When the F-icon has a red cross over it, the product has encountered an error. Open the Web User Interface to see a detailed report about the issue.
D.2 F-Secure Policy Manager
Q. How can I use F-Secure Linux Server Security with F-Secure Policy Manager 6.0x for Linux?
A. F-Secure Policy Manager Server has to be configured to retrieve new riskware and spyware databases for the product. Note that these instructions apply to F-Secure Policy Manager Server 6.0x for Linux only; the product is not compatible with other Linux or Windows F-Secure Policy Manager Server versions.
Q. I forgot to use Software Installation Mode and my system is not working properly. What can I do?
A. Create a new baseline. Execute the following commands:
/opt/f-secure/fsav/bin/fslistfiles | fsic --add
fsic --baseline
Q. Can I update the Linux kernel when I use Integrity Checking?
A. Use the Software Installation Mode. After you have updated the kernel, disable the Software Installation Mode to restore the normal protection level. For more information, see “Software Installation Mode”, 60.
Q.
Q. Do I have to use the same passphrase every time I generate the baseline?
A. No. You have to verify a baseline with the passphrase that was used when that baseline was generated, but you may choose a different passphrase each time you generate a new baseline.
D.4 Firewall
Q. After installing the product, users cannot access Samba shares on my computer, how can I fix this?
A.
Type: ACCEPT
Remote Host: [myNetwork]
Description: Windows Networking Local Browsing
Service (select box): Windows Networking Local Browsing
Direction: in
h. Click Add Service to this Rule and Add to Firewall Rules. The new rule should be visible at the bottom of the firewall rule list. If you cannot see the rule, click >> to move to the end of the list.
i. Click the up arrow next to the new rule to move the rule above any "Deny rest" rule.
j.
D.5 Virus Protection
Q. How do I enable the debug log for the real-time virus scanner?
A. In Policy Manager Console, go to Product/Settings/Advanced/ and set the fsoasd log level to Debug. In a standalone installation, run the following command:
/opt/f-secure/fsma/bin/chtest s 44.1.100.11 9
The above command works for the Client Security product. If you are using Server Security, replace 44 with 45. The log file is /var/opt/f-secure/fsav/fsoasd.log
Q.
rpm -qa | grep f-secure
rpm -qa | grep fsav
b. Remove the installed packages. Run the following command for each installed package (followed by the package name):
rpm -e --noscripts
c.
3. Remove all of the product installation directories:
rm -rf /var/opt/f-secure/fsav
rm -rf /var/opt/f-secure/fsma
rm -rf /etc/opt/f-secure/fsav
rm -rf /etc/opt/f-secure/fsma
rm -rf /opt/f-secure/fsav
rm -rf /opt/f-secure/fsma
Q. The system is very slow. What is causing this?
A.
Q. The product is unable to contact the database, how can I fix this?
A. Sometimes, after a hard reset for example, the product may be unable to contact the database because a stale PID file was left behind. Follow these instructions to resolve the issue:
a. As root, remove the database PID file:
rm /var/opt/f-secure/fsav/pgsql/data/postmaster.pid
Remove the file only if no postmaster process is actually running against that data directory; deleting the PID file of a live postmaster allows a second one to start on the same data and corrupt it.
b. As root, restart the product:
/etc/init.d/fsma restart
Q. I get reports that "F-Secure Status Daemon is not running", how can I start it?
A.
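The postmaster.pid step above is safe only when the file is really stale. The following shell functions are an added example, not code from the F-Secure guide or product: they read the PID from the file, check whether that process still exists, and delete the file only when it does not. Assumptions: the first line of postmaster.pid holds the postmaster's PID (the PostgreSQL file format), the default path is the one given in the answer above, and the process check uses /proc on Linux with kill -0 as the fallback.

```shell
#!/bin/sh
# Added example (not part of the F-Secure guide): remove a PostgreSQL PID file
# only when the process it names is gone. Deleting postmaster.pid while its
# postmaster is alive lets a second postmaster start on the same data directory.
# Assumption: first line of postmaster.pid is the PID (PostgreSQL format).

FSAV_PG_PIDFILE=${FSAV_PG_PIDFILE:-/var/opt/f-secure/fsav/pgsql/data/postmaster.pid}

# Print the PID recorded on the first line of a PID file.
# Fails (prints nothing) if the file is unreadable or the line is not a number.
pidfile_pid() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -d ' \t\r')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Return 0 if the PID in the file refers to an existing process, 1 otherwise.
# /proc/<pid> is used when available; kill -0 sends no signal, it only checks
# that the process exists and may be signalled (as root, that means "exists").
# A PID recycled by an unrelated process still counts as live, which errs on
# the safe side: the file is then left for manual inspection.
pidfile_is_live() {
    pid=$(pidfile_pid "$1") || return 1
    if [ -d /proc ]; then
        [ -d "/proc/$pid" ]
    else
        kill -0 "$pid" 2>/dev/null
    fi
}

# Remove the PID file only if it is stale. Return codes:
#   0  file removed (stale) or it did not exist
#   2  file names a live process, left untouched
#   3  file unreadable or malformed, left untouched
remove_stale_pidfile() {
    f=${1:-$FSAV_PG_PIDFILE}
    [ -e "$f" ] || return 0
    pidfile_pid "$f" >/dev/null || return 3
    if pidfile_is_live "$f"; then
        return 2
    fi
    rm -f -- "$f"
}
```

Run remove_stale_pidfile as root before the /etc/init.d/fsma restart step; a return code of 2 means the database is still up and the problem lies elsewhere.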
E Man Pages
fsav 97
fsavd 131
dbupdate 149
fsfwc 153
fsic
support@F-Secure.com
fsav (1)
fsav - command line interface for F-Secure Anti-Virus
fsav options target ...
Description
fsav is a program that scans files for viruses and other malicious code. fsav scans the specified targets (files or directories) and reports any malicious code it detects. Optionally, fsav disinfects, renames or deletes infected files.
Synonym to --virus-action1, deprecated.
--action2={none|report,disinf|clean,rename,delete|remove,abort,custom|exec}
Synonym to --virus-action2, deprecated.
--action1-exec=PROGRAM
F-Secure Anti-Virus runs PROGRAM if the primary action is set to custom/exec.
--action2-exec=PROGRAM
F-Secure Anti-Virus runs PROGRAM if the secondary action is set to custom/exec.
--action-timeout={e,c}
What to do when the scan times out: treat the timeout as an error (e) or as clean (c).
explicitly enabled).
--config={file[:PATH]|fsma[:OID]}
file: Use the configuration file based management method, optionally using PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf).
fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts.
--databasedirectory=path
Read virus definition databases from the directory path. The default is ".".
command line! This option is intended to be used only with the dbupdate script.
--allfiles[={on,off,yes,no,1,0}]
Scan all files regardless of the extension. By default, the setting is on. (In previous versions, this option was called 'dumb'.)
--exclude=path
Do not scan the given path.
--exclude-from=file
Do not scan the paths listed in the file. Paths should be absolute paths, each ending with a newline character.
--extensions=ext,ext,...
Specify the list of filename extensions to be scanned.
--list[={on,off,yes,no,1,0}]
List all files that are scanned.
--maxnested=value
Should be used together with the --archive option. Set the maximum number of nested archives (an archive containing another archive). If fsav encounters an archive that contains more nested archives than the specified value, it reports a scan error for the file. See the NOTES section below about nested archives.
NOTE: Certain password-protected archives are reported as suspected infections instead of password-protected archives.
--orion[={on,off,yes,no,1,0}]
Enable/disable the Orion scanning engine for the scan and the disinfection. If any engine is enabled, all other engines are disabled unless explicitly enabled.
--preserveatime[={on,off,yes,no,1,0}]
Preserve the last access time of the file after it is scanned. If the option is enabled, the last access time of the file does not change when it is scanned.
remove.
--riskware-action2={none|report,rename,delete|remove}
Secondary action to take if the primary action fails. Parameters are the same as for the primary action.
--scanexecutables[={on,off,yes,no,1,0}]
Enable executable scanning. If a file has any of the user/group/other executable bits set, it is scanned regardless of the file extension.
--scantimeout=value
Set a time limit in seconds for a single file scan or disinfection task.
--silent[={on,off,yes,no,1,0}]
Do not generate any output (except error messages).
--socketname=socket path
Use the given socket path to communicate with fsavd. The default socket path is /tmp/.fsav-, or /tmp/.fsav--sa if fsav is started with the --standalone option.
--status
Show the status of the fsavd scanning daemon and exit. If the daemon is running, the exit code is zero. Otherwise, the exit code is non-zero.
standalone version to scan files. The option forces the launch of a new fsavd.
--stoponfirst[={on,off,yes,no,1,0}]
Stop after finding the first infection with any scan engine. If a file contains multiple infections, only the first is reported. If several scan engines can detect the infection, only the first one is reported. By default, the option is disabled.
--symlink[={on,off,yes,no,1,0}]
Follow symbolic links. Symbolic links are not followed by default.
Note: Database version strings contain only the date of the databases, and several databases may be released on the same day. If you need more detailed version information, open header.ini in the database directory and search for the following lines:
[FSAV_Database_Version]
Version=2003-02-27_03
The string after "Version=" is the version of the databases.
By default, fsav reports infected files and suspected infections to stdout. Scan errors are reported to stderr. An example of an infection in the scan report:
/tmp/eicar.com: EICAR-Test-File [AVP] Infected:
where the file path is on the left, the name of the infection in the middle and the name of the scan engine that reports the infection in brackets. An example of a suspected infection in the scan report:
/tmp/sample.
encoding and cannot be scanned.
Invalid MIME header found.
Explanation: The scanned MIME message uses a non-standard header and cannot be scanned.
The --list option shows the clean files in the report. An example of the output:
/tmp/test.txt - clean
The --archive option scans the archive content, and the output is as follows for infected or suspected archive content:
[/tmp/eicar.zip] eicar.
ary action is rename. fsav must have write access to the file to be disinfected. Disinfection is not always possible and fsav may fail to disinfect a file; in particular, files inside archives cannot be disinfected. Infected files are renamed with a .virus suffix and their executable and SUID bits are cleared. Suspected files are renamed with a .suspected suffix. Riskware files are renamed with a .riskware suffix.
action that failed, i.e. if the user does not want to take the primary action, the secondary action is tried next. The action confirmation can be disabled with the --auto option.
WARNINGS
fsav warnings are written to the standard error stream (stderr). Warnings do not stop the program: fsav ignores the reason for the warning and execution continues as normal.
Illegal archive scanning value '<value>' in configuration file line <line number>
Explanation: The archivescanning field in the configuration file has an incorrect value.
Resolution: Edit the configuration file and set the archivescanning field to 1 or 0. Restart fsav to take the new values into use.
... is not valid in configuration file <path> line <line number>.
Maximum nested archives value '<value>' is out of range in configuration file line <line number>
Explanation: The maxnestedarchives field in the configuration file is less than zero or more than LONG_MAX.
Resolution: Edit the configuration file.
Scan timeout value '<value>' is not valid in configuration file line <line number>
Explanation: The scantimeout field in the configuration file is not a valid number.
Resolution: Edit the configuration file.
Scan timeout value '<value>' is out of range in configuration file line <line number>
Explanation: The scantimeout field in the configuration file is less than zero or more than LONG_MAX.
Resolution: Edit the configuration file.
... abort, custom or exec. Restart fsav to take the new values into use.
Unknown syslog facility '<value>' in configuration file line <line number>
Explanation: The syslogfacility field in the configuration file has an incorrect value.
Resolution: Edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page. Restart fsav to take the new values into use.
FATAL ERRORS
fsav fatal errors are written to the standard error stream (stderr).
Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters or the configuration file, or remove the file from the path, and start fsav again.
Invalid socket path '<path>': <reason>.
Explanation: The socket path given in the configuration file or on the command line is invalid: either the socket does not exist or it is not accessible.
Resolution: fsav exits with fatal error status (exit code 1).
Explanation: The file path given to the --configfile option either does not exist or is not accessible.
Resolution: The user has to correct the command-line options and try again.
Scan engine directory '<path>' is not valid in configuration file at line <line number>:
Explanation: The scan engine directory path specified in the configuration file either does not exist, is not accessible or is too long.
... from the configuration file.
Resolution: The user has to correct the path and start fsav again.
Database directory '<path>' is not valid.
Explanation: The database directory path given on the command line either does not exist, is not accessible or is too long.
Resolution: The user has to correct the path and start fsav again.
Unknown command-line option '<option>'.
Explanation: An unknown command-line option was given.
Resolution: The user has to correct the command-line options and try again.
Illegal scan timeout value '<value>'.
Explanation: An illegal scan timeout value was given on the command line.
Resolution: The user has to correct the command-line options and try again.
Illegal maximum nested archives value '<value>'.
Explanation: The user has requested the server version with --version but the request processing failed.
Resolution: The server is not running. The product may be installed incorrectly, or the installdirectory is missing or wrong in the configuration file. The system may also be low on resources, so that launching failed because of e.g. insufficient memory.
Shutdown failed.
Explanation: The user has requested server shutdown but the request processing failed.
Explanation: The file scanning failed because the connection to fsavd cannot be established.
Re-scanning file '<path>' failed due to IPC
Explanation: The file re-scanning failed because the connection to the server is broken.
Resolution: The server has died unexpectedly. The user should restart the server and try to scan the file again. If the problem persists, the user should send a bug report and a file sample to F-Secure.
Flag file '<path>' exists.
Explanation: The database directory contains an update flag file, which is created while a database update is in progress.
Resolution: The user has to check whether another database update is in progress. If no other update process exists, the user should delete the flag file and try to update the databases again.
Could not create flag file '<path>'.
Resolution: The database update process does not have proper rights to the lock file and fails. The user has to make sure the update process runs with proper rights or that the database directory has proper access rights.
Could not release lock for lock file '<path>'.
Explanation: The database update process has failed to release the lock on the lock file in the database directory.
Resolution: fsavd is halted.
Explanation: The database update process has successfully updated the databases but failed to remove the update flag file.
Resolution: fsavd is halted. The user should remove the update flag file manually.
SCAN ERRORS
fsav scan errors are written to the standard error stream (stderr). In case of a scan error the scanning of that file is stopped immediately and the scan continues with the next file in the input. If no file is found infected or suspected, the scan error is indicated with exit code 9.
[<engine>]
Explanation: The scan engine could not open the file for scanning because it does not have read access to the file.
Resolution: The user has to make the file readable for fsavd and try to scan the file again. If the user or fsav launches fsavd, fsavd has the same access rights as the user and can only open the files the user is authorized to open.
Resolution: The user may try scanning the file again with a bigger scan timeout value.
<path>: ERROR: Could not read from file [<engine>]
Explanation: The scanning failed because reading from the file failed.
Resolution: The file is probably corrupted and cannot be scanned.
<path>: ERROR: Could not write to file [<engine>]
Explanation: The disinfection failed because writing to the file failed.
Resolution: The file is write-protected, an archive or corrupted, and cannot be disinfected.
Resolution: Increase the maximum nested archives limit and try to scan again.
Scanning file '<path>' failed: connection to fsavd lost due to timeout.
Disinfecting file '<path>' failed: connection to fsavd lost due to timeout.
Explanation: The file scanning failed because the connection to fsavd was lost because of an IPC timeout.
Resolution: The server has died unexpectedly. The user should restart fsavd and try to scan the file again.
3 A boot virus or file virus found.
4 Riskware (potential spyware) found.
6 At least one virus was removed and no infected files are left.
7 Out of memory.
8 Suspicious files found; these are not necessarily infected by a virus.
9 Scan error, at least one file scan failed.
130 Program was terminated by pressing CTRL-C, or by a SIGTERM or suspend event.
fsav reports the exit codes in the following priority order: 130, 7, 1, 3, 4, 8, 6, 9, 0.
EXAMPLES
Scan a file 'test.
Scan all files in the directory '/mnt/smbshare':
$ fsav /mnt/smbshare
Scan all files and archive contents with the scan time limit set to 3 minutes:
$ fsav --archive --scantimeout=180 --allfiles /mnt/smbshare
Scan and list files with '.EXE' or '.
host
Scan files found by the find(1) command and feed infected/suspected files to the mv(1) command, which moves them to the /var/quarantine directory. Any errors that occur during the scan are mailed to admin@localhost.
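The find(1) | fsav | mv(1) pipeline described above depends on parsing the report format documented earlier on this page: the '<path>: <name> [<engine>] Infected:' line, the '<path> - clean' line produced by --list, and the '[<archive>] <member>: ...' form produced by --archive. The following shell functions are an added example, not code from the F-Secure guide or product. They pull the paths of infected and suspected files out of such a report and move them into a quarantine directory. Assumptions: a suspected-infection line has the same shape as the infection line but ends with 'Suspected:' (the guide's own example of it is cut off), an infected archive member is handled by quarantining the whole archive, and the sample report in the comments is constructed rather than real fsav output.

```shell
#!/bin/sh
# Added example (not part of the F-Secure guide): turn an fsav scan report into
# a quarantine action, as the find | fsav | mv pipeline in the man page does.
# Report line shapes handled (from the fsav(1) description; Suspected: assumed):
#   /tmp/eicar.com: EICAR-Test-File [AVP] Infected:       plain file
#   [/tmp/eicar.zip] eicar.com: EICAR-Test-File [AVP] Infected:   archive member
#   /tmp/test.txt - clean                                  --list output, ignored

# Read an fsav report on stdin and print each infected or suspected path once.
# For an archive member the path of the archive itself is printed, because
# members cannot be disinfected or moved individually.
fsav_report_paths() {
    awk '
        / (Infected|Suspected):[ \t]*$/ {
            p = $0
            if (p ~ /^\[/) {                 # "[archive] member: ..." form
                sub(/^\[/, "", p); sub(/\].*$/, "", p)
            } else {                         # "path: name [engine] Infected:" form
                sub(/: .*$/, "", p)
            }
            if (!(p in seen)) { seen[p] = 1; print p }
        }'
}

# Move each path read from stdin into the quarantine directory.
# The full original path is kept in the new file name (slashes become
# underscores) so two files with the same basename cannot overwrite each other.
# Symlinks are not followed, paths that no longer exist (for example because
# fsav's rename action already added a .virus suffix) are skipped, and the
# quarantined copy loses all permission bits, so it cannot be executed.
fsav_quarantine() {
    qdir=$1
    mkdir -p "$qdir" && chmod 700 "$qdir" || return 1
    while IFS= read -r f; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        mv -- "$f" "$dest" && chmod 000 "$dest"
    done
}
```

Typical use is fsav --archive --allfiles /home 2>>scan-errors.log | fsav_report_paths | fsav_quarantine /var/quarantine, with stderr kept separately because scan errors go there and must not be mistaken for findings. The awk regex anchors on the trailing 'Infected:' or 'Suspected:' token, so clean files and error lines never reach the mv step.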
archives is to use the --scantimeout option; if the timeout occurs, the archive is scanned with a separate fsavd instance.
Bugs
Please refer to the 'Known Problems' section in the release notes.
Authors
F-Secure Corporation
Copyright
Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. Portions Copyright (c) 2001-2006 Kaspersky Labs.
See Also
dbupdate(8), fsavd(8)
For more information, see the F-Secure home page.
fsavd (8)
fsavd - F-Secure Anti-Virus daemon
fsavd options
DESCRIPTION
fsavd is the scanning daemon for F-Secure Anti-Virus. At startup it reads the configuration file (the default configuration file or the file specified on the command line) and starts to listen for connections on the UNIX domain socket specified in the configuration file. By default, fsavd forks itself into the background.
overridden from the command line with the following command line options:
--config={file[:PATH]|fsma[:OID]}
file: Use the configuration file based management method, optionally using PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf).
fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts.
--databasedirectory=path
Read virus definition databases from the directory path. The default is ".
The default is "/tmp/.fsav-". If the file exists and is a socket, the file is removed and a new socket is created; removing the file shuts down all existing fsavd instances that use it. If the path contains non-existing directories, they are created with read/write/exec permission for the owner and read/exec permission for group and others, and with the sticky bit set by default.
send an alarm signal to the parent process when the socket is ready to accept connections. When the option is used, fsavd does not fork(2) itself during launch. The option is intended to be used with fsav when fsav launches fsavd automatically; in normal use it can be ignored.
--nodaemon
Do not fork the program into the background.
--help
Show command line options and exit.
--version
Show the F-Secure Anti-Virus version and the dates of the signature files, and exit.
Failed to scan file <path>: Time limit
Explanation: fsavd reports that the file scan failed because the scan time limit was exceeded.
Failed to scan file <path>: Scan aborted.
Explanation: fsavd reports that the file scan failed because the scan was aborted. The scan is aborted if the client disconnects.
File disinfected.
Explanation: fsavd reports that one of the scan engines disinfected the file successfully.
File disinfect failed.
Unknown action '<value>' in configuration file line <line number>
Explanation: The action in the configuration file has an incorrect value.
Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the action field to one of the following: disinfect, rename or delete. The user has to restart fsavd for the values to take effect.
... in configuration file line <line number>
... valid in configuration file line <line number>
Explanation: The scantimeout field in the configuration file is not a valid number.
Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.
Scan timeout value '<value>' is out of range in configuration file line <line number>
Explanation: The scantimeout field in the configuration file is less than zero or more than LONG_MAX.
Resolution: fsavd tries to proceed.
Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.
Maximum scan engine instances value '<value>' is not valid in configuration file line <line number>
Explanation: The engineinstancemax field in the configuration file is not a number.
Resolution: fsavd tries to proceed. The user has to edit the configuration file and try again.
Unknown syslog facility '<value>' in configuration file line <line number>
Explanation: The syslogfacility field in the configuration file has an incorrect value.
Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page. The user has to restart fsavd for the values to take effect.
<engine> scan engine seems to be dead.
Explanation: The scan engine has died.
restart the scan engine. The user needs to perform a database update, and possibly restart fsavd if fsavd fails to start the scan engine automatically.
Database file is not a valid database.
Explanation: The scan engine reports that a database file in the database directory is not a valid database file.
Resolution: The scan engine fails to start. fsavd tries to restart the scan engine.
restart the scan engine. The user needs to perform a database update, and possibly restart fsavd if fsavd fails to start the scan engine automatically.
Database file has wrong database version.
Explanation: The scan engine reports that the database file has an incorrect version.
Resolution: The scan engine fails to start. fsavd tries to restart the scan engine.
Explanation: The scan engine is not responding to keep-alive messages and has reported neither scan nor initialization status for a limited time period (300 seconds). The problem may be in a file which the scan engine is scanning. If the user can recognize the problematic file, the user should make a bug report and send a file sample to F-Secure.
Resolution: fsavd shuts down the scan engine process and restarts the scan engine.
Resolution: fsavd exits with error status. The installation or engine directory in the configuration file may be incorrect, or the --enginedirectory command-line option has an incorrect path.
Failed to load required symbol from scan engine library.
Explanation: fsavd finds the required scan engine shared library files but fails to load the required calls from the library.
Resolution: fsavd exits with error status. The scan engine shared libraries are corrupted; the product needs to be re-installed.
Options parsing failed.
Explanation: The database directory path given on the command line either does not exist, is not accessible or is too long.
Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.
... long from the command line.
Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.
Could not open configuration file <path>:
Explanation: The configuration file path given on the command line does not exist or is not accessible.
Resolution: fsavd tries to proceed and probably encounters some other error later.
accept failed because run out of memory.
Explanation: accept(2) has failed because the system ran out of memory.
Resolution: fsavd exits with error status. The user has to free some memory and start fsavd again.
FILES
/etc/fssp.conf
The default configuration file for F-Secure Anti-Virus. (The --config option description above names /etc/opt/f-secure/fssp/fssp.conf as the default; check which path your installation reads.)
$HOME/.fssp.
ration file:
$ fsavd --nodaemon
Start fsavd as a background daemon process using 'fsav-test.conf' as the configuration file:
$ fsavd --configfile=fsav-test.conf
Check the fsavd, scan engine and database versions:
$ fsavd --version
Bugs
Please refer to the 'Known Problems' section in the release notes.
AUTHORS
F-Secure Corporation
Copyright
Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. Portions Copyright (c) 2001-2006 Kaspersky Labs.
SEE ALSO
dbupdate(8), fsav(1), fssp.
dbupdate (8)
dbupdate - virus definition database update for F-Secure Anti-Virus
dbupdate --help
dbupdate --auto directory
PARAMETERS
--help
Show the short help of command line options and exit.
--auto
Do not download databases synchronously; instead, take into use databases previously downloaded by F-Secure Automatic Update Agent. Used for fully automatic database updates.
ON DEMAND UPDATE OVER NETWORK
Use the dbupdate command (without any parameters) when there is a need to check for new database updates immediately over the network and take the new databases into use.
SCHEDULED UPDATE OVER NETWORK
Typically, dbupdate is started from cron(8) frequently with the following command: dbupdate --auto. This takes into use the updates that F-Secure Automatic Update Agent has previously downloaded.
OPERATION
If new databases are available, the database files are copied to the update directory.
50 Could not copy update. Copying the database update failed, probably because of a lack of free disk space.
51 Could not extract update. Extracting the database update failed, probably because of a lack of free disk space.
EXIT VALUE
0 Nothing was updated, since no new updates were available.
1 An error has occurred. See the program output and /var/opt/f-secure/fssp/dbupdate.log for details.
2 Virus definition databases were successfully updated.
SEE ALSO fsav(1) and fsavd(8) For more information, see F-Secure home page.
fsfwc (1)
fsfwc command line interface for the firewall daemon
fsfwc options
Description With this tool the firewall can be set to different security levels. If invoked without any options, it shows the current security level and the minimum allowed level.
Options
--mode {block,server,mobile,office,strict,normal,bypass} Sets the firewall to the requested security level, if allowed by the minimum security level setting.
mobile Profile for road warriors: ssh and VPN protocols are allowed. DHCP, HTTP, FTP and common email protocols are allowed. All incoming connections are blocked.
office Profile for office use. It is assumed that some external firewall exists between the Internet and the host. Any outgoing TCP connection is allowed. A rule to allow Windows networking inside the same network is included but is not enabled by default.
strict Very much like the mobile profile, except that it does not allow DHCP.
nections are denied.
bypass Allow everything in and out.
RETURN VALUES fsfwc has the following return values. 0 Normal exit; 1 Error occurred.
AUTHORS F-Secure Corporation
COPYRIGHT Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved.
SEE ALSO For more information, see F-Secure home page.
fsic (1)
fsic Command line interface for the integrity checker
fsic options target ...
Description F-Secure Integrity Checker monitors system integrity against tampering and unauthorized modification. If invoked without any options, fsic verifies all files in the known files list and reports any anomalies.
Options
-V, --verify [options] Default operation if invoked without any options. Verifies the system and reports any deviations from the baselined information.
changed, only the baselined inode information is shown. If a file differs from the baselined information, a detailed comparison is shown.
--virus-scan={yes=default,no} Scan for viruses when verifying. (default: yes)
--ignore={attr,hash} Ignore the specified file property if it differs from the baseline information. Only attr or hash can be specified at a time, not both. (default: nothing is ignored) Note that ignoring hash leaves only the inode data as evidence, which a content change followed by utime(2) defeats.
--auto={yes,no=default} Disable action confirmation. Assumes 'Yes' to all enabled actions.
been given at all. (default: no)
-v, --verifyfile [options] This mode validates only the files given on the command line or on stdin. This option has the same sub-options as verify.
-B, --baseline [options] Calculate baseline information for all of the files. If a previous baseline already exists, it will be overwritten.
--virus-scan={yes=default,no} Enable or disable virus scanning of the files during baselining. Viruses are scanned with the options --dumb and --archive.
-b, --baselinefile [options] This mode adds only the entries given on the command line or on stdin to the baseline. This option has the same sub-options as baseline.
-a, --add [options] target ... Add the target(s) to the known files list. Targets must be real files or links. By default all files are added as monitored. A new baseline needs to be generated after all file additions have been performed.
--protect={yes,no=default} Add the file as protected instead of monitored.
an alert if the file differs from the baselined information.
-d, --delete target ... Remove the target(s) from the known files list. A new baseline needs to be generated after all file deletions have been performed.
verify action reports If --show-all is specified, clean files are also reported, as follows.
[ OK ] PRA /bin/ls
[ OK ] P.D /bin/chmod
The characters in the second column tell how the file is handled in integrity checking.
So even if the inode data has changed, the hash may still be the same (touch(1) on a file changes its inode data but not its contents). If, however, the hash has changed while the inode data is still the same, the file contents have been modified and the file's mtime has been set back to its original value with utime() (see utime(2)).
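Both cases in that reasoning can be reproduced on a scratch file. The script below is an added example and is not part of the F-Secure manual or product: it records a file's mtime (GNU stat(1)) and SHA-256 (sha256sum(1)), then shows that touch(1) moves the mtime without changing the hash, while appending to the file and copying the old timestamps back with touch -r (the same effect an attacker gets from utime(2)) changes the hash without moving the mtime. The helper names, the script name and the sample file contents are the example's own.

```shell
#!/bin/sh
# Added example, not F-Secure code: why fsic needs both inode data and a
# content hash. Assumes GNU stat(1) and sha256sum(1) (coreutils) and POSIX
# touch(1); helper names and the sample file are this example's own.

# Print "<mtime-epoch> <sha256>" for FILE, the two signals fsic compares.
fingerprint() {
    printf '%s %s\n' "$(stat -c %Y "$1")" "$(sha256sum "$1" | cut -d' ' -f1)"
}

# Create a constructed sample file whose mtime is set far in the past
# (2000-01-01), so that a later touch(1) visibly moves it. Prints the path.
make_sample() {
    sample=$(mktemp)
    printf 'original content\n' > "$sample"
    touch -t 200001010000 "$sample"
    echo "$sample"
}

# Case 1: plain touch. The inode's mtime changes, the content hash does not.
# Returns 0 when exactly that is observed.
touch_changes_mtime_only() {
    before=$(fingerprint "$1")
    touch "$1"
    after=$(fingerprint "$1")
    [ "${before%% *}" != "${after%% *}" ] && [ "${before#* }" = "${after#* }" ]
}

# Case 2: contents appended, then the old timestamps put back with touch -r,
# which is what an attacker does with utime(2). The mtime looks untouched,
# but the hash differs. Returns 0 when exactly that is observed.
backdated_edit_changes_hash_only() {
    ref=$(mktemp)
    touch -r "$1" "$ref"              # remember the original atime/mtime
    before=$(fingerprint "$1")
    printf 'appended by attacker\n' >> "$1"
    touch -r "$ref" "$1"              # restore the original timestamps
    rm -f "$ref"
    after=$(fingerprint "$1")
    [ "${before%% *}" = "${after%% *}" ] && [ "${before#* }" != "${after#* }" ]
}

# Run both cases when executed directly (assumed file name fsic-demo.sh);
# when sourced, only the functions are defined.
case "${0##*/}" in
    fsic-demo.sh)
        f=$(make_sample)
        touch_changes_mtime_only "$f" && echo "touch: mtime moved, hash unchanged"
        rm -f "$f"
        f=$(make_sample)
        backdated_edit_changes_hash_only "$f" && echo "backdated edit: mtime unchanged, hash moved"
        rm -f "$f"
        ;;
esac
```

touch -r does exactly what utime(2) can do: it sets atime and mtime but not ctime, which the kernel updates on every inode change. A checker that also compared ctime would still notice case 2 on an unmodified system, but an attacker with root can move the system clock before editing, so the content hash remains the authoritative signal.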
late hash and inode information for all files known to the integrity checker. The previously generated baseline will be overwritten. The user will be asked to confirm adding files to the new baseline. For example:
/bin/ls: Accept to baseline? (Yes, No, All yes, Disregard new entries)
If a file has been modified, fsic will ask:
[Note] /bin/ls seems to differ from baselined entry. Want to rebaseline it? [no]
WARNINGS None.
FATAL ERRORS None.
SCAN ERRORS None.
RETURN VALUES fsic has the following return values.
0 Success.
2 No baseline exists yet.
3 System compromised. A return value of 3 indicates that one or more of the following happened:
* Incorrect passphrase, or
* Files do not match the baselined information, or
* A virus was detected in one of the files.
Because all three causes share the value 3, the program output must be read to tell them apart.
FILES None. EXAMPLES None. NOTES None. BUGS None.
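The dbupdate page's SCHEDULED UPDATE OVER NETWORK and EXIT VALUE sections and the fsic RETURN VALUES above describe two jobs an administrator normally chains in cron: take new databases into use, then run the default fsic verify (which virus-scans by default, so it benefits from fresh databases). The script below is an added example and not F-Secure's code: it runs 'dbupdate --auto' followed by 'fsic' and maps the documented exit values to messages, staying silent when everything is healthy so that cron(8) mail only arrives when something needs attention. The script name, the crontab schedule and the DBUPDATE and FSIC override variables are the example's own assumptions; both tools are assumed to be on PATH under the names the manual uses.

```shell
#!/bin/sh
# Added example, not F-Secure code: nightly cron job that runs
# 'dbupdate --auto' and then the default fsic verify, mapping the exit
# values documented in dbupdate(8) and fsic(1) to messages. cron(8) mails
# whatever the job prints, so it is silent when everything is healthy.
# Assumptions: both tools are on PATH under their manual names; DBUPDATE
# and FSIC are this example's own overrides so the job can be pointed at a
# stub; the script name and schedule below are suggestions only:
#   15 3 * * * /usr/local/sbin/fssp-nightly.sh

DBUPDATE="${DBUPDATE:-dbupdate}"
FSIC="${FSIC:-fsic}"
DBUPDATE_LOG=/var/opt/f-secure/fssp/dbupdate.log   # log file named in dbupdate(8)

# dbupdate(8) exit values: 0 nothing new, 1 error, 2 databases updated.
dbupdate_result() {
    case "$1" in
        0) echo "no-new-updates" ;;
        2) echo "updated" ;;
        1) echo "error" ;;
        *) echo "unexpected" ;;
    esac
}

# fsic(1) return values: 0 success, 2 no baseline yet, 3 system compromised
# (wrong passphrase, a file differing from the baseline, or a virus found).
fsic_result() {
    case "$1" in
        0) echo "clean" ;;
        2) echo "no-baseline" ;;
        3) echo "compromised" ;;
        *) echo "error" ;;
    esac
}

# Run both steps. Returns 0 when databases are current and the verify was
# clean; bit 1 is set when dbupdate failed, bit 2 when fsic did not return
# success. fsic runs even if dbupdate failed: a verify with older databases
# still catches tampering.
nightly_job() {
    job_rc=0

    status=0
    "$DBUPDATE" --auto >/dev/null 2>&1 || status=$?
    case "$(dbupdate_result "$status")" in
        updated)        echo "dbupdate: new virus definition databases taken into use" ;;
        no-new-updates) ;;
        *)              echo "dbupdate --auto exited with $status; see $DBUPDATE_LOG" >&2
                        job_rc=$((job_rc | 1)) ;;
    esac

    status=0
    "$FSIC" || status=$?       # fsic's own report goes into the cron mail
    case "$(fsic_result "$status")" in
        clean)       ;;
        no-baseline) echo "fsic: no baseline yet; create one with 'fsic --baseline' on a known-good system" >&2
                     job_rc=$((job_rc | 2)) ;;
        compromised) echo "fsic: return value 3 (changed file, virus, or wrong passphrase); investigate before rebaselining" >&2
                     job_rc=$((job_rc | 2)) ;;
        *)           echo "fsic exited with $status" >&2
                     job_rc=$((job_rc | 2)) ;;
    esac

    return "$job_rc"
}

# Run the job when executed directly (assumed script name fssp-nightly.sh);
# when sourced, only the functions are defined.
case "${0##*/}" in
    fssp-nightly.sh) nightly_job ;;
esac
```

A return value of 3 from fsic is deliberately never answered by an automatic rebaseline: the page lists a wrong passphrase, a changed file and a detected virus as the three causes, and only a person reading fsic's report can tell which one occurred.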
Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved. SEE ALSO For more information, see F-Secure home page.
F Technical Support
Introduction 166
F-Secure Online Support Resources 166
Web Club 167
Virus Descriptions on the Web
Introduction F-Secure Technical Support is available through the F-Secure support web pages, by e-mail and by phone. Support requests can be submitted directly to F-Secure support through a form on the F-Secure support web pages.
F-Secure Online Support Resources The F-Secure support web pages for any F-Secure product can be accessed at http://support.f-secure.com/. All support issues, frequently asked questions and hotfixes can be found under the support pages.
CHAPTER F Technical Support
- A detailed description of the problem, including any error messages displayed by the program, and any other details that could help us replicate the problem.
- Logfiles from the machines running F-Secure products.
Web Club The F-Secure Web Club provides assistance and updated versions of F-Secure products. To connect to the Web Club directly from within your Web browser, go to: http://www.F-Secure.
www.f-secure.