F-Secure Linux Security


Page 1: F-Secure Linux Security


Table of Contents

Chapter 1: Welcome ........ 7
    How the Product Works ........ 8
        Protection Against Malware ........ 8
        Host Intrusion Prevention System ........ 8
    Key Features and Benefits ........ 9
        Superior Protection against Viruses and Worms ........ 9
        Transparent to End-users ........ 10
        Protection of Critical System Files ........ 10
        Easy to Deploy and Administer ........ 10
        Extensive Alerting Options ........ 10

Chapter 2: Deployment ........ 11
    Deployment on Multiple Stand-alone Linux Workstations ........ 12
    Deployment on Multiple Centrally Managed Linux Workstations ........ 12
    Central Deployment Using Image Files ........ 12

Chapter 3: Installation ........ 15
    System Requirements ........ 16
        List of Used System Resources ........ 17
    Stand-alone Installation ........ 19
    Centrally Managed Installation ........ 20
    Upgrading ........ 21
        Upgrading from a Previous Product Version ........ 21
        Upgrading the Evaluation Version ........ 22
    Custom Installations ........ 23
        Preparing for Custom Installation ........ 23
        Unattended Installation ........ 23

F-Secure Linux Security | TOC | 3

        Installing Command Line Scanner Only ........ 24
        Using The Product With Samba Servers ........ 25
    Creating a Backup ........ 27
    Uninstallation ........ 27

Chapter 4: Administering the Product ........ 29
    Basics of Using F-Secure Policy Manager ........ 30
    Accessing the Web User Interface ........ 30
    Testing the Antivirus Protection ........ 31

Chapter 5: Using the Product ........ 33
    Summary ........ 34
        I Want to ........ 34
    Scanning for Viruses ........ 37
        What are Viruses and Other Malware? ........ 37
        Stopping Viruses and Other Malware ........ 40
        Methods of Protecting the Computer from Malware ........ 42
    Firewall Protection ........ 50
        What Is a Firewall? ........ 50
        What Are Security Profiles? ........ 51
        Firewall Rules ........ 53
        Firewall Settings ........ 56
    Integrity Checking ........ 57
        Known Files List ........ 57
        Software Installation Mode ........ 59
        Baseline ........ 60
        Rootkit Prevention ........ 61
    General Settings ........ 62
        Alerts ........ 62
        Automatic Updates ........ 65
        F-Secure Policy Manager Proxies ........ 66
        About ........ 66

Chapter 6: Troubleshooting ........ 67
    Installing Required Kernel Modules Manually ........ 68
    User Interface ........ 68
    F-Secure Policy Manager ........ 69
    Integrity Checking ........ 70
    Firewall ........ 71
    Virus Protection ........ 72
    Generic Issues ........ 74

Appendix A: Command Line Tools ........ 77
    fsav ........ 78
    fsav-config ........ 78
    dbupdate ........ 80
    fsfwc ........ 80
    fsic ........ 81
    fsims ........ 81
    fsma ........ 82
    fssetlanguage ........ 83
    fschooser ........ 83

Appendix B: Before You Install ........ 85
    64-bit Distributions ........ 86
    Distributions Using Prelink ........ 86
    Red Hat Enterprise Linux, Miracle Linux, Asianux ........ 87
    Debian ........ 88
    SUSE ........ 89
    Turbolinux ........ 89
    Ubuntu ........ 90

Appendix C: Basic Web User Interface ........ 91
    "I Want To" ........ 92

Appendix D: Advanced Web User Interface ........ 93
    Summary ........ 94
    Alerts ........ 94
    Virus Protection ........ 95
        Realtime Scanning ........ 95
        Scheduled Scanning ........ 99
        Manual Scanning ........ 100
    Firewall ........ 105
        General Settings ........ 105
        Rules ........ 106
        Network Services ........ 106
    Integrity Checking ........ 107
        Known Files ........ 107
        Rootkit Prevention ........ 107
    General Settings ........ 108
        Communications ........ 108
        Automatic Updates ........ 110

Appendix E: List of Traps ........ 113

Appendix F: Get More Help ........ 119

Chapter 1: Welcome

Computer viruses are one of the most harmful threats to the security of data on computers. While some viruses are harmless pranks, other viruses can destroy data and pose a real threat.

Topics:

• How the Product Works
• Key Features and Benefits

The product provides an integrated, out-of-the-box ready security solution with strong real-time antivirus and riskware protection and a host intrusion prevention (HIPS) functionality that provides protection against unauthorized connection attempts from the network, unauthorized system modifications, and userspace and kernel rootkits. The solution can be easily deployed and managed either using the web user interface or F-Secure Policy Manager.

F-Secure Policy Manager provides a tightly integrated infrastructure for defining and distributing security policies and monitoring the security of different applications from one central location.

How the Product Works

The product detects and prevents intrusions and protects against malware.

With the default settings, computers are protected right after the installation without any time spent configuring the product.

Protection Against Malware

The product protects the system against viruses and potentially malicious files.

When a user downloads a file from the Internet, for example by clicking a link in an e-mail message, the file is scanned when the user tries to open it. If the file is infected, the product protects the system against the malware.

• Real-time scanning gives you continuous protection against viruses and riskware items as files are opened, copied, and downloaded from the Web. Real-time scanning functions transparently in the background, looking for viruses whenever you access files on the hard disk, diskettes, or network drives. If you try to access an infected file, the real-time protection automatically stops the virus from executing.

• When real-time scanning has been configured to scan only a limited set of files, you can use manual scanning to scan the full system, or scheduled scanning to scan the full system at regular intervals.

• Automatic Updates keep the virus definitions always up-to-date. The virus definition databases are updated automatically after the product has been installed. The virus definition updates are signed by the F-Secure Anti-Virus Research Team.

Host Intrusion Prevention System

The Host Intrusion Prevention System (HIPS) detects any malicious activity on the host, protecting the system on many levels.

• Integrity Checking protects the system against unauthorized modifications. It is based on the concept of a known good configuration - the product should be installed before the computer is connected to the network to guarantee that the system is in a known good configuration.

  You can create a baseline of the system files you want to protect and block modification attempts of protected files for all users.

• The firewall component is a stateful packet filtering firewall which is based on Netfilter and iptables. It protects computers against unauthorized connection attempts. You can use predefined security profiles which are tailored for common use cases to select the traffic you want to allow and deny.

• If an attacker gains shell access to the system and tries to add a user account to log in to the system later, the Host Intrusion Prevention System (HIPS) detects modified system files and alerts the administrator.

• If an attacker has gained access to the system and tries to install a userspace rootkit by replacing various system utilities, HIPS detects modified system files and alerts the administrator.

• If an attacker has gained access to the system and tries to install a kernel rootkit by loading a kernel module, for example through /sbin/insmod or /sbin/modprobe, HIPS detects the attempt, prevents the unknown kernel module from loading and alerts the administrator.

• If an attacker has gained access to the system and tries to install a kernel rootkit by modifying the running kernel directly via /dev/kmem, HIPS detects the attempt, prevents write attempts and alerts the administrator.
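
The Integrity Checking and rootkit scenarios above all come down to one mechanism: a baseline of known-good file hashes that is compared with the live system. The script below is an added illustration of that mechanism written for this page; it is not the product's fsic and the function names ic_baseline and ic_verify are ours. It records a SHA-256 for every file under a directory and later reports files that were modified, removed or added, which is exactly the footprint that a replaced system utility or an added account tool leaves behind. Unlike the product, it can only detect after the fact, so a baseline file kept where the attacker can reach it is worthless; keep it off-host or on read-only media.

```shell
#!/bin/sh
# Added example: a minimal "known files" integrity check built from sha256sum.
# It illustrates the baseline-and-verify idea behind the product's Integrity
# Checking; it is not the product's fsic and cannot block writes, only report them.

# ic_baseline DIR BASELINE: record "<sha256>  <path>" for every regular file under DIR
ic_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 > "$2"
}

# ic_verify DIR BASELINE: print one line per MODIFIED, MISSING or NEW file under DIR
# compared with BASELINE; return 0 if the tree is unchanged, 1 otherwise
ic_verify() {
    dir=$1; base=$2; rc=0
    # every baselined file must still exist and hash to the recorded value
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    # a file that is absent from the baseline was added after it was taken
    # (a sha256sum line is 64 hex digits, two spaces, then the path from column 67)
    find "$dir" -type f | LC_ALL=C sort | while read -r f; do
        cut -c67- "$base" | grep -q -x -F -- "$f" || echo "NEW      $f"
    done | grep . && rc=1
    return $rc
}

# Stand-alone demo: "sh ic.sh --demo" baselines a scratch directory, tampers with it
# and prints what ic_verify reports (all files here are constructed on the fly)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); mkdir "$d/bin"
    echo "ls binary" > "$d/bin/ls"
    echo "ps binary" > "$d/bin/ps"
    ic_baseline "$d/bin" "$d/baseline"
    echo "replaced ps" > "$d/bin/ps"; rm "$d/bin/ls"; echo "dropped" > "$d/bin/newtool"
    ic_verify "$d/bin" "$d/baseline"
    rm -rf "$d"
fi
```

On a real host the same two functions would be pointed at /bin, /sbin and /usr/bin and the baseline taken before the machine is connected to the network, as the section above recommends; the product's own Known Files List additionally blocks the write instead of only reporting it.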

Key Features and Benefits

The product offers superior protection against viruses and worms and is transparent to end-users.

Superior Protection against Viruses and Worms

The product scans files on any Linux-supported file system. This is the optimum solution for computers that run several different operating systems with a multi-boot utility.

• Scans files on any Linux-supported file system.

  Note: The real-time scanning is not supported when using an NFS server, but other scan methods work.

• Superior detection rate with multiple scanning engines.
• A heuristic scanning engine can detect suspicious, potentially malicious files.
• The product can detect and categorize riskware items.
• The product can be configured so that the users cannot bypass the protection.
• Files are scanned for viruses when they are opened or closed and before they are executed.
• You can specify what files to scan, how to scan them, what action to take when malicious content is found and how to alert about the infections.
• Recursive scanning of archive files.
• Virus definition database updates are signed for security.
• Integrated firewall component with predefined security levels. Each security level comprises a set of rules that allow or deny network traffic based on the protocols used.

Transparent to End-users

The product works totally transparently to the end users.

• The product has an easy-to-use user interface.
• Virus definition databases are updated automatically without any need for end-user intervention.

Protection of Critical System Files

Critical information of system files is stored and automatically checked before access is allowed.

• The administrator can protect files against changes so that it is not possible to install, for example, a trojan version of software.
• The administrator can define that all Linux kernel modules are verified before the modules are allowed to be loaded.
• An alert is sent to the administrator when a modified system file is found.

Easy to Deploy and Administer

The default settings apply in most systems and the product can be taken into use without any additional configuration.

• Security policies can be configured and distributed from one central location.

Extensive Alerting Options

The product has extensive monitoring and alerting functions that can be used to notify any administrator in the company network about any infected content that has been found.

• Alerts can be forwarded to F-Secure Policy Manager Console, e-mail and syslog.

Chapter 2: Deployment

Topics:

• Deployment on Multiple Stand-alone Linux Workstations
• Deployment on Multiple Centrally Managed Linux Workstations
• Central Deployment Using Image Files

Deployment on Multiple Stand-alone Linux Workstations

Centrally managed installation with F-Secure Policy Manager installed on a separate computer is recommended.

In centrally managed installation mode, F-Secure Policy Manager is used to manage Linux computers. The recommended deployment method is to delegate the installation responsibility to each user and then monitor the installation progress via F-Secure Policy Manager Console. After the installation on a host has completed, the host sends an autoregistration request to F-Secure Policy Manager. You can monitor with F-Secure Policy Manager Console which of the hosts have sent an autoregistration request.

When the company has multiple Linux computers deployed, but they are not managed centrally, users can install the software themselves.

In organizations with few Linux computers, the web user interface can be used to manage Linux workstations instead of F-Secure Policy Manager.

Deployment on Multiple Centrally Managed Linux Workstations

If computers are managed through an existing management framework, it can be used to push the product to computers.

When the company has multiple Linux computers deployed and they are managed through Red Hat Network, Ximian Red Carpet, or similar, the software can be pushed to workstations using the existing management framework.

Central Deployment Using Image Files

When the company has a centralized IT department that installs and maintains computers, the software can be installed centrally to all computers.

If you are going to install the product on several computers, you can create a disk image file that includes the product and use this image to replicate the software on the computers. Make sure that each computer on which the software is installed will create a new unique identification code.

Follow these steps to make sure that each computer uses a personalized Unique ID when disk imaging software is used.

1. Install the system and all the software that should be in the image file, including the product.
2. Configure the product to use the correct F-Secure Policy Manager Server. However, do not import the host to F-Secure Policy Manager Console if the host has sent an autoregistration request to the F-Secure Policy Manager Server. Only hosts on which the image file will be installed should be imported.
3. Run the following command: /etc/init.d/fsma clearuid
   The utility program resets the Unique ID in the product installation.
4. Shut down the computer and do not restart the computer before the image file has been created.
5. Create the disk image file.

A new Unique ID is created automatically when the system is restarted. This will happen individually on each computer where the image file is installed.

Computers will send autoregistration requests to F-Secure Policy Manager when they are restarted. These requests can be processed as usual.

Chapter 3: Installation

Topics:

• System Requirements
• Stand-alone Installation
• Centrally Managed Installation
• Upgrading
• Custom Installations
• Creating a Backup
• Uninstallation

System Requirements

A list of system requirements.

Operating system:
• Asianux 2.0, 3.0
• Debian 4.0
• Miracle Linux 3.0
• Red Hat Enterprise Linux 3, 4, 5
• SUSE Linux 9.0, 9.3, 10, 10.1
• openSUSE 10.2, 10.3
• SUSE Linux Enterprise Desktop 10
• SUSE Linux Enterprise Server 9, 10
• Turbolinux 10, 11
• Ubuntu 6.06 LTS (Dapper Drake), 7.10 (Gutsy Gibbon), 8.04 LTS (Hardy Heron)

The following 64-bit (AMD64/EM64T) distributions are supported with 32-bit compatibility packages:

• Asianux 2.0
• Asianux Server 3.0
• Debian 4.0
• Fedora Core 7
• Red Hat Enterprise Linux 4, 5
• SUSE Linux Enterprise Desktop 10
• SUSE Linux Enterprise Server 9, 10
• openSUSE 10.3
• SUSE Linux 10.1
• Turbolinux 10, 11
• Ubuntu 7.10 (Gutsy Gibbon), 8.04 LTS (Hardy Heron)

Note: F-Secure has tested the product extensively on the listed distributions. The command line installation mode should work on any Linux distribution that has glibc 2.3.2 or later and Linux kernel 2.4 or 2.6, but any product upgrades may not work on unsupported platforms.

You should report any issues that you may encounter with other distributions, but we cannot guarantee that they will be fixed.

Kernel version: Linux kernel 2.4 or later (for 64-bit support, Linux kernel 2.6 or later)

Glibc version: Glibc 2.3.2 or later

Processor: Intel x86, x86-64

Memory: 512 MB RAM or more (256 MB RAM for command-line only)

Disk space: 200 MB

Note: Konqueror is not a supported browser with the local user interface. It is recommended to use Mozilla or Firefox browsers.

Note About Dazuko Version

The product needs the Dazuko kernel module for the real-time virus protection, integrity checking and rootkit protection. Dazuko is an open-source kernel module that provides an interface for the file access control. More information is at http://www.dazuko.org.

The product installs the Dazuko driver during the product installation.

The product has been tested extensively with the Dazuko version that is included with the product. Operation with other Dazuko versions or Linux distribution provided Dazuko versions is not supported or recommended.

List of Used System Resources

A summary of the system resources that the product uses.

Installed Files

All files installed by the product are in the following directories:

• /opt/f-secure
• /etc/opt/f-secure
• /var/opt/f-secure

In addition, the installation creates the following symlinks:

• /usr/bin/fsav -> /opt/f-secure/fssp/bin/fsav
• /usr/bin/fsic -> /opt/f-secure/fsav/bin/fsic
• /usr/bin/fsui -> /opt/f-secure/fsav/bin/fsui
• /usr/share/man/man1/fsav.1 -> /opt/f-secure/fssp/man/fsav.1
• /usr/share/man/man8/fsavd.8 -> /opt/f-secure/fssp/man/fsavd.8

Changed System Files

• /etc/passwd: Two new user accounts (fsma and fsaua) are created during the installation
• /etc/group: A new group (fsc) is created during the installation
• crontab of the root user: The virus definition database update command is added to the root crontab during the installation. Scheduled scanning tasks are added to the crontab when they are created.

Network Resources

When running, the product reserves the following IP ports:

Interface  Protocol  Port   Comment
lo         tcp       28005  Web User Interface internal communication port
lo         tcp       28078  PostgreSQL alert database
lo         tcp       28080  Local Web User Interface access
any        tcp       28082  Remote SSL Web User Interface access (if enabled)
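
The two lists above (the accounts and group written to /etc/passwd and /etc/group, and the port table) describe the footprint a correctly installed host should show; three of the four ports must be reachable on the loopback interface only. The script below is an added example written for this page, not part of the product, that checks a host against that footprint. The function names check_accounts and check_ports are ours, and the input format assumed for the socket listing is the output of ss -ltn with the columns State, Recv-Q, Send-Q, Local Address:Port and Peer Address:Port. Both functions take file paths so they can be run against copies taken from a host; the sample data in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: verify the footprint the manual documents for an installed host.
# Not part of the product. The checks read files so they can be run against copies;
# on a live host pass /etc/passwd, /etc/group and a saved "ss -ltn" listing.

# check_accounts PASSWD GROUP: the installer creates users fsma and fsaua and group fsc
check_accounts() {
    rc=0
    for u in fsma fsaua; do
        grep -q "^$u:" "$1" || { echo "MISSING user $u"; rc=1; }
    done
    grep -q "^fsc:" "$2" || { echo "MISSING group fsc"; rc=1; }
    return $rc
}

# check_ports SS_LISTING: ports 28005, 28078 and 28080 must be bound to the loopback
# address only; 28082 (remote SSL web UI) may legitimately listen on any interface.
# Assumed column layout: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
check_ports() {
    awk '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            seen[port] = 1
            if ((port == "28005" || port == "28078" || port == "28080") &&
                addr != "127.0.0.1" && addr != "[::1]") {
                print "EXPOSED " $4; bad = 1
            }
        }
        END {
            split("28005 28078 28080", want, " ")
            for (i in want) if (!(want[i] in seen)) { print "NOT LISTENING " want[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$1"
}

# Usage on a live host (as root); a constructed bad line would be e.g.
#   LISTEN 0 128 0.0.0.0:28080 0.0.0.0:*   -> reported as "EXPOSED 0.0.0.0:28080"
#   ss -ltn > /tmp/ss.txt && check_accounts /etc/passwd /etc/group && check_ports /tmp/ss.txt
```

A loopback-only port showing up on 0.0.0.0 or [::] means either a changed product configuration or another process that has taken the port; either way it is worth investigating before exposing the host, since the local web UI on 28080 is not the SSL-protected remote interface.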

Memory

The Web User Interface reserves over 200 MB of memory, but since the WebUI is not used all the time, the memory is usually swapped out. The other product components sum up to about 128 MB of memory, and the on-access scanner uses the majority of it.

The memory consumption depends on the amount of file accesses on the system. If several users are logged in to the system and all of them access lots of files, the memory consumption grows.


CPU

The load on the processor depends on the amount of file accesses on the system, as the on-access scanner scans every file that is opened, closed and executed. The CPU usage grows when many users are logged in to the system at the same time.

Some software products are designed to access many files and the on-access scanning can slow down these products noticeably.

Stand-alone Installation

The stand-alone installation mode is meant for evaluation use and for environments with few Linux computers where central administration with F-Secure Policy Manager is not necessary.

You must have a compiler and the kernel source installed. Read the distribution-specific instructions in Appendix B on how to check that the required tools are installed.

You will need to install the product using an account with root privileges.

1. Copy the installation file to your hard disk. Use the following command to extract the installation file: tar zxvf f-secure-linux-security-<version>.<build>.tgz

2. Make sure that the installation file is executable: chmod a+x f-secure-linux-security-<version>.<build>

3. Run the following command to start the installation: ./f-secure-linux-security-<version>.<build>

4. The installation displays the license agreement. If you accept the agreement, answer yes and press Enter to continue.

The installation is complete.

After the installation, you can configure the product settings using the web browser. Open the following web page: http://localhost:28080/fsecure/webui/

If you need remote access to the web user interface, run the fsav-config command-line utility to enable it. After you have enabled the remote access, open the following web page: https://host.domain:28082/fsecure/webui/

where host.domain is either the hostname or the IP address of the computer where the product is running.

For more information about the fsav-config utility and the settings you can configure with it, see the man page for fsav-config.

Note: If you want to disable some features of the product completely, run the fschooser command-line utility.

Centrally Managed Installation

In centrally managed mode, the product is installed locally, and it is managed with F-Secure Policy Manager that is installed on a separate computer. Centrally managed installation is the recommended installation mode when taking the product into use in a large network environment.

You must have a compiler and the kernel source installed. Read the distribution-specific instructions in Appendix B on how to check that the required tools are installed.

You must have F-Secure Policy Manager installed on a separate computer before you install the product. For F-Secure Policy Manager Console installation instructions, see the F-Secure Policy Manager Administrator's Guide.

Note: You cannot use the Anti-Virus mode of F-Secure Policy Manager Console to administer Linux products. Use the Advanced mode.

You will need to install the product using an account with root privileges.

1. Copy the installation file to your hard disk. Use the following command to extract the installation file: tar zxvf f-secure-linux-security-<version>.<build>.tgz

2. Make sure that the installation file is executable: chmod a+x f-secure-linux-security-<version>.<build>

3. Run the following command to start the installation: ./f-secure-linux-security-<version>.<build>

4. The installation displays the license agreement. If you accept the agreement, answer yes and press Enter to continue.

The installation is complete.
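
Steps 1 to 3 are identical for the stand-alone and the centrally managed installation above. The helper below is an added example written for this page, not part of the product, that performs those three steps from one function and refuses to continue if the archive does not contain the installer it is named after (a mismatch usually means a renamed or corrupted download). It assumes the manual's naming scheme f-secure-linux-security-<version>.<build>.tgz; the function name install_fsls is ours, and the installer itself still shows the license agreement and has to be run as root.

```shell
#!/bin/sh
# Added example: unpack and start the product installer the way steps 1-3 of the
# installation procedure describe. Not part of the product; the installer itself still
# presents the license agreement and has to be run as root.

# install_fsls ARCHIVE [WORKDIR]: extract ARCHIVE into WORKDIR (default: current
# directory), make the installer executable and run it. Returns 1 without running
# anything if ARCHIVE is not a .tgz or does not contain the installer named after it
# (f-secure-linux-security-<version>.<build>).
install_fsls() {
    archive=$1; work=${2:-$(pwd)}
    case $archive in
        *.tgz) ;;
        *) echo "expected f-secure-linux-security-<version>.<build>.tgz, got $archive" >&2; return 1 ;;
    esac
    installer=$(basename "$archive" .tgz)
    tar xzf "$archive" -C "$work" || return 1
    if [ ! -f "$work/$installer" ]; then
        echo "$archive did not contain $installer; refusing to run anything else" >&2
        return 1
    fi
    chmod a+x "$work/$installer"
    "$work/$installer"
}

# Usage (as root): install_fsls /path/to/f-secure-linux-security-<version>.<build>.tgz /tmp/fsls
[ $# -eq 0 ] || install_fsls "$@"
```

Running the installer through the helper changes nothing about the product installation itself; the value is that the archive name and its content are cross-checked before anything is executed, and that the same invocation can be reused from a management framework when the product is pushed to many hosts.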

After the installation, you can configure the product settings using the web browser. Open the following web page: http://localhost:28080/fsecure/webui/

If you need remote access to the web user interface, run the fsav-config command-line utility to enable it. After you have enabled the remote access, open the following web page: https://host.domain:28082/fsecure/webui/

where host.domain is either the hostname or the IP address of the computer where the product is running.

20 | F-Secure Linux Security | Installation

Page 21: F-Secure Linux Security

For more information about the fsav-config utility and the settings you can configure withit, see the man page for fsav-config.

Note: If you want to disable some features of the product completely, run the fschoosercommand-line utility.

UpgradingYou can upgrade the evaluation version or a previous product version without uninstalling theproduct.

Upgrading from a Previous Product VersionIf you are running version F-Secure Linux Server Security 5.20 or later, you can install the productwithout uninstalling the previous version. If you have an earlier version, uninstall it before youinstall the latest version.

The uninstallation preserves all settings and the host identity, so you do not need to import the host to the F-Secure Policy Manager again. Note that the upgrade deletes all alerts generated with the earlier version.

Manual scanning, scheduled scanning and database update settings have changed in version 5.30 and later. If you have modified these settings before the upgrade, you have to make the same modifications again after the upgrade.

F-Secure Linux Client Security

You cannot upgrade any version of F-Secure Linux Client Security.

Uninstall the previous Client Security product before you install F-Secure Linux Security 7.

F-Secure Linux Server Security 5.5x and F-Secure Anti-Virus for Linux 4-series

Run the installation as usual to upgrade the product.

After the upgrade, you have to reboot the computer. The previous version of the kernel driver is incompatible with new real-time protection features and it is not running after the upgrade. The upgraded driver is loaded after the reboot.

Important: In centrally managed installations, remember to upgrade the MIB in your F-Secure Policy Manager installation.

Note: When you upgrade from F-Secure Linux Server Security 5.xx or earlier, the upgrade removes your previous keycode and the product runs as the evaluation version. Upgrade the evaluation version to the full product version before using the product.

Uninstalling Earlier Version

The earlier version of the product can be uninstalled with the uninstallation command or by deleting program files and directories.

1. If you have version 5.x, run the following command from the command line to uninstall it: /opt/f-secure/fsav/bin/uninstall-fsav

2. If you have version 4.x, remove the following directories and files to uninstall it:

/opt/f-secure/fsav/

/var/opt/f-secure/fsav/

/etc/opt/f-secure/fsav/

/usr/bin/fsav

/usr/share/man/man1/fsav.1

/usr/share/man/man5/fsav.conf.5

/usr/share/man/man5/fsavd.conf.5

/usr/share/man/man8/dbupdate.8

/usr/share/man/man8/fsavd.8

/usr/share/man/man8/fsavschedule.8

Upgrading the Evaluation Version

The evaluation version of the product can be upgraded to the full, licensed version of the product.

If you evaluated a previous version of the product and the evaluation period has expired, uninstall the previous version first.

Follow these instructions if you want to upgrade the evaluation version to the full, licensed version of the product.

1. Open the Web User Interface.
2. Open the About page.
3. Enter the keycode to upgrade to the licensed version of the product. Enter the keycode in the format you received it, including the hyphens that separate sequences of letters and digits.

After you have entered the keycode, the evaluation version is upgraded to the full version.

To upgrade the evaluation version from the command line, run the following command: /opt/f-secure/fsav/sbin/convert_to_full_installation.sh

Note: If the evaluation period of the current version of the product has expired before you upgrade to the full version, you have to restart the product after entering the keycode.

Custom Installations

If you do not want to install the stand-alone or centrally managed product with the default options, you can do a custom install.

Preparing for Custom Installation

The RPM files can be extracted from the installation package if you need to create a custom installation package.

The product installation package is a self-extracting package, which contains the software as RPMs. The RPM files can be extracted from the package as follows:

1. Type the following command: ./f-secure-linux-security-<version>.<build> rpm

2. Install the RPM packages.
3. Run the following script: /opt/f-secure/fsav/fsav-config

Unattended Installation

In unattended installation mode, you can provide a set of default settings on the installer command line. This way, you can force the Integrity Checking baseline to be generated as a part of the installation process.

Use the following command line switch during the installation:

--auto MODE [fspms=FSPMSURL adminkey=/PATH/TO/ADMIN.PUB] lang=en|de|ja [no]remotewui [no]locallogin user=USER kernelverify|nokernelverify pass=PASSPHRASE keycode=KEYCODE

Where MODE is standalone for the standalone installation or managed for the centrally managed installation.

If MODE is managed, you have to provide the URL to F-Secure Policy Manager Server and the location of the administrator public key, for example:

fspms=http://fspms.company.com/ adminkey=/root/admin.pub

Use the following options in the command line:

• lang: Select the language for the web user interface.
• remotewui: Allow remote access to the web user interface.
• noremotewui: Do not allow remote access to the web user interface.
• nolocallogin: Allow local access to the web user interface without login.
• locallogin: Require login for the local access to the web user interface.
• user=USER: Specify the local account to use for the web user interface login.
• kernelverify: Turn on the kernel module verification.
• nokernelverify: Turn off the kernel module verification.
• pass=PASS: Specify the passphrase for the baseline generation.
• keycode=KEYCODE: Specify the keycode for license checks. If no keycode is provided, the product is installed in the evaluation mode.

For example, to install the product in standalone mode with English web user interface, with no remote access to the user interface, not requiring login for local user interface access and not using kernel module verification:

./f-secure-linux-security-<version>.<build> --auto standalone lang=en noremotewui nolocallogin nokernelverify
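When the unattended switches are driven from a kickstart or configuration-management run, it pays to validate them before the installer starts, so that a typo or a managed-mode install without its key fails early rather than leaving a half-configured host. The following script is an added example and is not part of the F-Secure manual or the product: it accepts only the switches and values from the option table above, enforces the rule that managed mode needs fspms= and adminkey=, and checks that the admin key file is readable. The function names (fs_auto_install_args, fs_auto_install) and the example.com URL used in comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: validate unattended
# installation options before the installer runs. Only the switches and
# values listed in the manual's option table are accepted. The installer
# itself is run only by fs_auto_install; fs_auto_install_args prints the
# argument string that would follow the installer name on the command line.

# fs_auto_install_args <standalone|managed> [option ...]
# Prints "--auto MODE option..." on success; returns 2 on a bad option.
fs_auto_install_args() {
    mode=$1
    shift
    case "$mode" in
        standalone|managed) ;;
        *) echo "MODE must be standalone or managed, got '$mode'" >&2; return 2 ;;
    esac
    args="--auto $mode"
    fspms=""
    adminkey=""
    for opt in "$@"; do
        case "$opt" in
            fspms=?*)    fspms=${opt#fspms=} ;;
            adminkey=?*) adminkey=${opt#adminkey=} ;;
            lang=en|lang=de|lang=ja) ;;
            remotewui|noremotewui|locallogin|nolocallogin) ;;
            kernelverify|nokernelverify) ;;
            user=?*|keycode=?*) ;;
            # pass=PASSPHRASE is accepted by the installer, but a passphrase
            # given on the command line is visible in the process list and
            # in shell history while the installer runs.
            pass=?*) ;;
            *) echo "unsupported installer option '$opt'" >&2; return 2 ;;
        esac
        args="$args $opt"
    done
    if [ "$mode" = managed ]; then
        # The manual requires both the Policy Manager Server URL and the
        # administrator public key for a centrally managed installation.
        if [ -z "$fspms" ] || [ -z "$adminkey" ]; then
            echo "managed mode needs fspms=URL and adminkey=/path/to/admin.pub" >&2
            return 2
        fi
        if [ ! -r "$adminkey" ]; then
            echo "administrator public key is not readable: $adminkey" >&2
            return 2
        fi
    fi
    printf '%s\n' "$args"
}

# fs_auto_install <installer> <standalone|managed> [option ...]
# Runs the installer with validated options, for example:
#   fs_auto_install ./f-secure-linux-security-<version>.<build> standalone lang=en noremotewui
#   fs_auto_install ./f-secure-linux-security-<version>.<build> managed \
#       fspms=http://fspms.example.com/ adminkey=/root/admin.pub lang=en
fs_auto_install() {
    installer=$1
    shift
    [ -x "$installer" ] || { echo "installer is not executable: $installer" >&2; return 2; }
    args=$(fs_auto_install_args "$@") || return $?
    # Word splitting of $args is intended: each option is one argument.
    # shellcheck disable=SC2086
    "$installer" $args
}
```

The validation is deliberately strict: anything that is not on the documented option list is rejected instead of being passed through, which keeps a mistyped switch from silently turning into an evaluation-mode or remote-UI-enabled install.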

Installing Command Line Scanner Only

The command line only installation installs only the command line scanner and the automatic update agent.

This installation mode is designed for users migrating from the F-Secure Anti-Virus for Linux 4.6x series and for users who do not need the real-time protection, integrity checking, web user interface or central management, for example users running the AMaViS mail virus scanner.

Use the following command line when running the installer to install the command line scanner only version of the product:

./f-secure-linux-security-<version>.<build> --command-line-only

You need the following files during the installation:

• f-secure-automatic-update-agent.<version>.rpm
• f-secure-security-platform.<version>.rpm
• fssp-common
• f-secure-linux-security-<version>.<build>

If you are running an earlier version and you want to upgrade to the latest version, but you want to install the command line scanner only, you have to uninstall the earlier version first.

Use the /etc/opt/f-secure/fssp/fssp.conf configuration file to configure the command line scanner only installation. See the file for detailed descriptions of the available settings.

Using The Product With Samba Servers

The product can protect the whole Samba server in addition to the data on shared directories.

All the protection features of the product are in use for Samba servers.

1. If you have F-Secure Anti-Virus for Samba Server installed, uninstall it before installing the product. Use the following command: /opt/f-secure/fsav/bin/uninstall-fsav

2. Follow the normal installation instructions. The product protects Samba shares after the installation; no additional setup is needed. After the installation, the firewall blocks incoming Windows Network share (Samba) access, so you have to change the firewall rules.

3. Change firewall rules to allow Samba traffic.

• Use the Firewall Rule Wizard in the Web User interface.

1. Open the I want to page and click Create a firewall rule.
2. Select Allow access to a service running on this machine.
3. Select Windows networking (1).
4. Finish the wizard.
5. Run the wizard again and add another rule for the Windows networking (2) service.

• Use the Firewall Rule Editor in the Advanced Mode of the Web User interface.

1. In the Web User Interface, go to Advanced Mode.
2. Select Firewall.
3. On the Firewall page, select the profile you want to use in the Profile to edit field.
4. Click Add rule.
5. Enter, for example, [myNetwork] in the Remote Host field and add a short description for the rule.
6. Select Windows networking (1) from the drop-down menu and click Add service to this rule to add it as a service.
7. Select Windows networking (2) from the drop-down menu and click Add service to this rule to add it as a service.
8. Use the arrows on the right side of the table to move the rule above the deny rules in the firewall rules list.
9. Click Save to take the new rules into use.

• Use the Firewall Rule Editor in F-Secure Policy Manager Console.

1. In the advanced mode of F-Secure Policy Manager Console, select the host or policy domain that you want to administer.
2. Select Linux Security 7.00 and open the Firewall tab.
3. In the Rules section, check that you have the security level you want to edit.
4. Click Add Before.
5. In the Rule Wizard, allow inbound traffic for Windows networking (1).
6. Run the Rule Wizard again to add Windows networking (2).
7. Distribute the policy.

Note: If the firewall rules have been edited locally, configure the setting as Final before you distribute the policy.

When you want to add new rules, you have to disable the firewall temporarily:

1. Change Firewall protection to Disabled or run the following command: /opt/f-secure/fsav/bin/fsfwc --mode bypass

2. Select the Security Level you want to edit and edit the firewall rules as described.
3. Enable the firewall after you have finished, in the Web User Interface or by running the following command: /opt/f-secure/fsav/bin/fsfwc --mode your_profile, where your_profile is the profile you edited (block, mobile, home, office, strict or normal).
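The sequence above has one failure mode worth guarding against: if the edit in step 2 fails or the session is interrupted, step 3 never runs and the host is left with its firewall in bypass mode. The wrapper below is an added example, not a tool shipped with the product: it puts the firewall in bypass with the documented fsfwc --mode switch, runs the edit command you give it, and restores the named profile through an exit trap so that the restore happens even when the edit fails. The FSFWC variable, the fs_ function names and the idea of passing the edit as a command are assumptions of this example; only --mode and the six profile names come from the manual.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: run a firewall-rule edit
# with the firewall temporarily in bypass mode and guarantee that the
# chosen profile is re-enabled afterwards, even if the edit fails or the
# script is interrupted. Only the "fsfwc --mode" switch from the manual is
# used; FSFWC can be overridden (for example to point at a stub in tests).

FSFWC="${FSFWC:-/opt/f-secure/fsav/bin/fsfwc}"
# Profile names listed in the manual.
FS_PROFILES="block mobile home office strict normal"

# Returns 0 if the argument is one of the documented profile names.
fs_valid_profile() {
    for p in $FS_PROFILES; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# fs_with_firewall_bypassed <profile> <command> [args...]
# Switches the firewall to bypass, runs the command, then restores
# <profile>. The exit status is that of the command; 2 means bad usage.
fs_with_firewall_bypassed() {
    profile=$1
    shift
    if ! fs_valid_profile "$profile"; then
        echo "unknown profile '$profile' (expected one of: $FS_PROFILES)" >&2
        return 2
    fi
    [ $# -gt 0 ] || { echo "no edit command given" >&2; return 2; }

    "$FSFWC" --mode bypass || return $?
    # If the edit is interrupted, the trap still restores the profile so the
    # host is never left with the firewall bypassed.
    trap '"$FSFWC" --mode "$profile"' EXIT INT TERM
    if "$@"; then rc=0; else rc=$?; fi
    "$FSFWC" --mode "$profile"
    trap - EXIT INT TERM
    return $rc
}

# Usage example (edit_rules.sh is a placeholder for your own edit step):
#   fs_with_firewall_bypassed office ./edit_rules.sh
```

Because the restore call is the trap body as well as an explicit step, the firewall comes back in the expected profile whether the edit returns an error, is killed, or finishes normally.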

Creating a Backup

You can back up and restore all product data.

To back up all relevant data, run the following commands:

# /etc/init.d/fsma stop

# /etc/init.d/fsaua stop

# tar cpsf <backup-filename>.tar /etc/init.d/fsma /etc/init.d/fsaua /etc/opt/f-secure /var/opt/f-secure /opt/f-secure

# /etc/init.d/fsaua start

# /etc/init.d/fsma start

To restore data from the backup file, run the following commands:

# /etc/init.d/fsma stop

# /etc/init.d/fsaua stop

# cd /

# rm -rf /var/opt/f-secure

# tar xpsf <backup-filename>.tar

# /etc/init.d/fsaua start

# /etc/init.d/fsma start

Make sure that the fsma and fsaua users and the fsc group exist after the backup has been restored, for example by also backing up the /etc/passwd, /etc/shadow and /etc/group files.
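The commands above are easy to get wrong by hand (forgetting to stop a service, or restoring without clearing /var/opt/f-secure first), and the closing note about the fsma, fsaua and fsc accounts is the kind of check that is skipped under time pressure. The script below is an added example and is not part of the product or the manual: it wraps the documented backup and restore sequences in functions that stop and restart the services around the archive operation and adds a post-restore check for the required accounts. The FS_ROOT variable (default "/"), which lets the archive functions work against a scratch tree, the fs_ function names and the file-based account check are assumptions of this example; the paths and init scripts are the ones the manual lists.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: wrap the documented backup
# and restore commands and verify the required accounts after a restore.
#
# FS_ROOT is "/" on a real host. Setting it to another directory makes the
# functions operate on a copy of the tree, which is how they can be tested
# without the product installed.

FS_ROOT="${FS_ROOT:-/}"
# Paths the manual lists for the backup archive, relative to FS_ROOT.
FS_BACKUP_PATHS="etc/init.d/fsma etc/init.d/fsaua etc/opt/f-secure var/opt/f-secure opt/f-secure"

# fs_service <fsma|fsaua> <stop|start>
# Runs the init script if it exists; skipped otherwise, so the functions can
# be exercised on a host where the product is not installed.
fs_service() {
    script="${FS_ROOT%/}/etc/init.d/$1"
    if [ -x "$script" ]; then "$script" "$2"; fi
}

# fs_backup <archive.tar>
# Stops the services, archives the product paths, restarts the services.
fs_backup() {
    archive=$1
    fs_service fsma stop
    fs_service fsaua stop
    # -C stores the members relative to FS_ROOT, so the archive unpacks with
    # "cd /; tar x..." exactly as the manual's restore sequence expects.
    # shellcheck disable=SC2086
    if tar cpf "$archive" -C "$FS_ROOT" $FS_BACKUP_PATHS; then rc=0; else rc=$?; fi
    fs_service fsaua start
    fs_service fsma start
    return $rc
}

# fs_restore <archive.tar>
# Stops the services, clears the runtime data directory as the manual does,
# unpacks the archive under FS_ROOT and restarts the services.
fs_restore() {
    archive=$1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    fs_service fsma stop
    fs_service fsaua stop
    rm -rf "${FS_ROOT%/}/var/opt/f-secure"
    if tar xpf "$archive" -C "$FS_ROOT"; then rc=0; else rc=$?; fi
    fs_service fsaua start
    fs_service fsma start
    return $rc
}

# fs_check_accounts [passwd-file] [group-file]
# The manual notes that the fsma and fsaua users and the fsc group must
# exist after a restore. Checks the given files (default: the system files)
# and reports whatever is missing. On hosts whose accounts come from a
# directory service, check with getent instead of reading the files.
fs_check_accounts() {
    passwd=${1:-/etc/passwd}
    group=${2:-/etc/group}
    missing=""
    for u in fsma fsaua; do
        grep -q "^$u:" "$passwd" || missing="$missing user:$u"
    done
    grep -q "^fsc:" "$group" || missing="$missing group:fsc"
    if [ -n "$missing" ]; then
        echo "missing accounts after restore:$missing" >&2
        return 1
    fi
    return 0
}

# Usage on a real host (run as root):
#   fs_backup /root/fsls-backup.tar
#   fs_restore /root/fsls-backup.tar && fs_check_accounts
```

The restore deliberately keeps the manual's rm -rf of /var/opt/f-secure before unpacking, so runtime data that post-dates the backup does not linger next to the restored files.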

Uninstallation

You can uninstall the product with the uninstall-fsav command-line utility.

Run the following script as the root user to uninstall the product: /opt/f-secure/fsav/bin/uninstall-fsav

The uninstall script does not remove configuration files. If you are sure that you do not need them any more, remove all files in the /etc/opt/f-secure/fsma path.

Chapter 4: Administering the Product

Topics:

• Basics of Using F-Secure Policy Manager
• Accessing the Web User Interface
• Testing the Antivirus Protection

Basics of Using F-Secure Policy Manager

In the centralized administration mode, F-Secure Policy Manager Console is used to change settings and view statistics of the F-Secure products.

If your corporate network utilizes F-Secure Policy Manager to configure and manage F-Secure products, you can add the product to the existing F-Secure Policy Manager environment.

Note: You cannot use the Anti-Virus mode of F-Secure Policy Manager Console to administer Linux products. Use the Advanced mode.

Use the settings in the F-Secure Linux Security ➤ Settings tabs to configure the product.

Note: You can edit the settings under the F-Secure Security Platform for Linux, F-Secure Management Agent and F-Secure Automatic Update Agent branches to change the behavior of the product as well.

For more information about F-Secure Policy Manager, see the F-Secure Policy Manager Administrator’s Guide.

Accessing the Web User Interface

You can access the Web User Interface from the system tray, or with a web address.

The Web User Interface is available locally at the following address:

http://localhost:28080/fsecure/webui/

If you allow remote access to the web user interface, you can access it with the following HTTPS address:

https://<host.domain>:28082/

Follow these instructions to add the product icon to the system tray.

1. Install the product icon.

• If you are using GNOME, follow these instructions:

1. Right-click on the GNOME panel.
2. Choose Add Panel applet.
3. Select F-Secure Panel Applet from the list of installed GNOME panel applets.

• If you are not using GNOME, run the fsui command from the command line.

2. Double-click the product icon in the system tray to open the Web User Interface.

After the product icon is installed to the system tray, you can access the Web User Interface with it.

It is possible to have both F-Secure Policy Manager and the Web User Interface in use at the same time.

Note: The user can locally override the settings created with F-Secure Policy Manager unless the administrator has prevented this by selecting the Final checkbox in the F-Secure Policy Manager settings.

Testing the Antivirus Protection

To test whether the product operates correctly, you can use a special test file that is detected as a virus.

The EICAR (EICAR is the European Institute of Computer Anti-virus Research) standard antivirus test file is detected by several antivirus programs. The Eicar info page can be found at http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml.

1. Download or create the EICAR test file.

• Download the EICAR test file from http://www.europe.f-secure.com/virus-info/eicar_test_file.shtml, or

• Use any text editor to create the eicar.com file with the following single line in it: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

2. Run the following command: fsav eicar.com

The product should detect the EICAR test file as a virus.
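Creating the test file from a shell is a common place for this check to go wrong: in a double-quoted string the shell expands $EICAR-STANDARD... as a variable, an interactive bash may treat the ! characters as history expansion, and an editor usually appends a newline. The script below is an added example, not part of the manual or the product: it writes the 68-byte file with single quotes and printf so the content is exact, verifies the result before scanning, and runs fsav eicar.com only if the scanner is installed. The function names are assumptions of this example; the test string and the fsav command are the ones the manual gives.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: create the EICAR test file
# exactly and, if the fsav scanner is installed, scan it as the manual
# describes. Single quotes keep "$", "!" and "\" literal; printf '%s' writes
# the string without a trailing newline.

EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# eicar_write <path>
# Writes the test file. It is created with the default umask, so it is not
# executable; the harmless content is what the scanner reacts to, not the mode.
eicar_write() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# eicar_verify <path>
# Returns 0 only if the file is exactly the 68-byte EICAR string, which is
# what guarantees that a missed detection is the scanner's doing and not a
# mangled test file.
eicar_verify() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
    [ "$(cat "$1")" = "$EICAR_STRING" ]
}

# eicar_scan <path>
# Runs the manual's check ("fsav eicar.com") when the scanner is available.
# Returns 2 if fsav is not on the PATH; otherwise returns fsav's own status
# and leaves its report on stdout for the operator to read.
eicar_scan() {
    if ! command -v fsav >/dev/null 2>&1; then
        echo "fsav not found on PATH; install the product first" >&2
        return 2
    fi
    eicar_verify "$1" || { echo "$1 is not a valid EICAR test file" >&2; return 1; }
    fsav "$1"
}

# Usage on a host with the product installed:
#   eicar_write /tmp/eicar.com && eicar_scan /tmp/eicar.com
```

Keep the file in a scratch directory and delete it after the check; with real-time scanning enabled, the product is expected to react to it as soon as it is accessed.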

Chapter 5: Using the Product

Topics:

• Summary
• Scanning for Viruses
• Firewall Protection
• Integrity Checking
• General Settings

The Web User Interface is available locally at the following address:

http://localhost:28080/fsecure/webui/

If you allow remote access to the web user interface, you can access it with the following HTTPS address:

https://<host.domain>:28082/

Where host.domain is either the hostname or IP address of the computer where the product is installed. Refer to the fsav-config manual page for instructions on how to enable remote access to the Web User Interface.

Summary

The summary page displays the product status and the latest reports.

The product status displays the protection status and any possible errors or malfunctions.

You can turn virus protection and integrity protection on and off and change the firewall protectionlevel on the summary screen.

The report section offers guidance for any issues that may need your immediate attention.

I Want to...

You can configure the manual scan and firewall settings and check the latest virus definition database updates from the I want to... page.

Note: Click Modify advanced settings... to view and configure advanced settings.

Scanning The Computer Manually

You can scan the whole computer for malware manually with the Web User Interface.

When the product scans files, it must have at least read access to them. If you want the product to disinfect infected files, the product must have write access to the files.

Check and edit the manual scanning settings before you start the manual scan.

1. To start the full computer scan, select I want to... in the basic user interface mode.
2. Click Scan the computer for malware.

Note: If you have the nautilus-actions package installed, scan actions are integrated into the right-click menu in the GNOME file manager.

Creating Firewall Services and Rules

You can create new firewall services and rules if you want to allow traffic that is blocked or if you want to block specific network traffic. When you create or edit firewall rules, you should allow only the needed services and deny all the rest to minimize security risks.

To use the Firewall Wizard, go to I want to... and click Create a firewall rule, follow the on-screen instructions and finish the wizard.

Follow these instructions to create a new service and rule in the advanced user interface:

1. Create a new service.
a) Select Network Services in the Advanced mode menu.
b) Define a unique name for the service in the Service Name field.
c) Enter a descriptive comment in the Description field to distinguish this service from other services.
d) Select a protocol number for the service from the Protocol drop-down list. If your service does not use the ICMP, TCP or UDP protocol, select Numeric and type the protocol number in the field reserved for it.
e) If your service uses the TCP or UDP protocol, define the Initiator Ports the service covers.
f) If your service uses the TCP or UDP protocol, define the Responder Ports the service covers.
g) Click Add as a new service to add the service to the Network services list.
h) Click Save.

The new service is saved to the service list.

2. Create a new rule for the service.
a) Select Firewall Rules in the Advanced mode menu to create a firewall rule that uses the service you have defined.
b) Select the profile where you want to add a new rule and click Add new rule to create a new rule.
c) Select Accept or Deny as the rule Type to choose whether the rule allows or denies the service.
d) Enter details about the target addresses in the Remote host field. Enter the IP address and the subnet in bit net mask format, for example: 192.168.88.0/29. You can use the following aliases as the target address:

• [myNetwork] - The local-area network with the same subnet on all interfaces.
• [myDNS] - All configured DNS servers.

e) Enter a descriptive comment in the Description field to distinguish this rule.
f) Select the new service you have created in the Service field and the direction in which the rule applies.

• in = all incoming traffic that comes to your computer from the Internet.
• out = all outgoing traffic that originates from your computer.

g) Choose the network interfaces to which the rule applies. Type the network interfaces you want the rule to apply to in the Flag field. The rule is applied to all network interfaces if you leave the Flag field empty. For example, [if:eth0], [if:eth3].

h) Click Add Service to This Rule. The service is added to the new rule.

i) If you do not want to add other services to the same rule, click Add to Firewall Rules. Each rule must have at least one service. If the rule contains a new service, make sure you have saved the service list in the Network Services page. The rule is added to the active set of rules on the Firewall Rules table.

j) Click Save to save the new rule list.

Verify Baseline

You can verify the baseline manually to make sure that your system is safe and all baselined files are unmodified.

1. Enter your passphrase to verify the baseline.
2. Do not start any other integrity checking processes while the product verifies the baseline.

If an attacker has managed to gain root access to the system and regenerated the baseline, the regenerated baseline does not match your passphrase when you verify the baseline.

Automatic Updates

F-Secure Automatic Update Agent keeps the protection on your computer updated.

F-Secure Automatic Update Agent retrieves the latest updates to your computer when you are connected to the Internet.

Information about the latest virus definition database update can be found at: http://www.F-Secure.com/download-purchase/updates.shtml

Software Installation Mode

Use the Software Installation Mode when you want to modify system files and programs.

Integrity Checking prevents unauthorized and unwanted modifications of system files and programs. When you update your operating system, apply a security update or install new versions of software, you need to modify files that Integrity Checking monitors.

When the Software Installation Mode is enabled, any process can load any kernel module regardless of whether it is in the baseline or not, and any process can change any file in the baseline, whether that file is protected or not. Real-time scanning is still enabled and it alerts about any malware found during the installation.

When leaving the Software Installation Mode, the product updates the known files list with the new files and generates the new baseline. If the integrity checking and the rootkit protection features have been enabled, they are turned back on after the new baseline is generated.

Important: If you install software without the Software Installation Mode when Integrity Checking monitors updated files, you may be unable to install or use the new software. For example, Integrity Checking may prevent a kernel update from booting properly as new drivers are not in the baseline.

Baseline

Integrity Checking is set up by creating a baseline of the system files that you want to protect.

A default set of system files is added to the Known Files List during the installation. By default, Kernel Module Verification is enabled during the installation and the baseline is generated from the Known Files List. If you do not enable the Kernel Module Verification during the installation, you have to generate the baseline manually before Integrity Checking is enabled.

All files that are added to the baseline during the installation are set to the Allow and Alert protection mode.

Note: The default list of known files is generated upon installation, and contains the most important system files. The list of files differs between distributions. Run /opt/f-secure/fsav/bin/fslistfiles to retrieve the exact list of files.

Scanning for Viruses

The product stops viruses and other malware.

What are Viruses and Other Malware?

Malware is software specifically designed to damage the computer, use the computer for illegal purposes without the user's knowledge or steal information from the computer.

Malware can:

• take control over the web browser,
• redirect web search attempts,
• show unwanted advertising,
• keep track of the visited web sites,
• steal personal information such as your banking information,
• use the computer to send spam, and
• use the computer to attack other computers.

Malware programs can also cause the computer to become slow and unstable.

Viruses

A virus is usually a program that can attach itself to files and replicate itself repeatedly; it can alter and replace the contents of other files in a way that may damage the computer.

A virus is a program that is normally installed on the computer without the user's knowledge. Once there, the virus tries to replicate itself. The virus:

• uses some of the system resources
• may alter or damage files on the computer
• tries to use the computer to infect other computers
• may allow the computer to be used for illegal purposes.

Riskware

Riskware is not malware; it is not designed specifically to harm the computer, but it has security-critical functions that may harm the computer if misused.

These programs perform some useful but potentially dangerous function. Examples of such programs are:

• programs for instant messaging (like IRC, Internet Relay Chat),
• programs for transferring files over the Internet from one computer to another, or
• Internet phone programs (VoIP, Voice over Internet Protocol).

If the program is identified as riskware but it is explicitly installed and correctly set up, it is less likely to be harmful.

Riskware Types

Riskware categories and platforms.

List of categories

• Adware
• AVTool
• Client-IRC
• Client-SMTP
• CrackTool
• Dialer
• Downloader
• Effect
• FalseAlarm
• Joke
• Monitor
• NetTool
• Porn-Dialer
• Porn-Downloader
• Porn-Tool
• Proxy
• PSWTool
• RemoteAdmin
• RiskTool
• Server-FTP
• Server-Proxy
• Server-Telnet
• Server-Web
• Tool

List of platforms

• Apropos
• BAT
• Casino
• ClearSearch
• DOS
• DrWeb
• Dudu
• ESafe
• HTML
• Java
• JS
• Linux
• Lop
• Macro
• Maxifiles
• NAI
• NaviPromo
• NewDotNet
• Palm
• Perl
• PHP
• Searcher
• Solomon
• Symantec
• TrendMicro
• UNIX
• VBA
• VBS
• Win16
• Win32
• Wintol
• ZenoSearch

Rootkits

Rootkits are programs that make other malware difficult to find.

Rootkit programs subvert the control of the operating system from its legitimate functions. Usually, a rootkit tries to obscure its installation and prevent its removal by concealing running processes, files or system data from the operating system. In general, rootkits do this to hide malicious activity on the computer.

Protection Against Userspace Rootkits

If an attacker has gained access to the system and tries to install a userspace rootkit by replacing various system utilities, HIPS detects the modified system files and alerts the administrator.

Protection Against Kernel Rootkits

If an attacker has gained access to the system and tries to install a kernel rootkit by loading a kernel module, for example through /sbin/insmod or /sbin/modprobe, HIPS detects the attempt, prevents the unknown kernel module from loading and alerts the administrator.

If an attacker has gained access to the system and tries to install a kernel rootkit by modifying the running kernel directly via /dev/kmem, HIPS detects the attempt, prevents the write attempts and alerts the administrator.

Stopping Viruses and Other Malware

The product protects the computer from programs that may damage files, steal personal information or use it for illegal purposes.

By default, the product protects the computer from malware in real time in the background. The computer is protected from malware all the time.

The product can scan specified files and directories, any removable media (such as portable drives) and downloaded content automatically. The product guards the computer against any changes that may indicate malware.

How Does Real-time Scanning Protect Your Computer?

Real-time scanning protects the computer by scanning files when they are accessed and blocking access to files that contain malware.

Real-time scanning works as follows:

1. The computer tries to access a file.
2. The file is immediately scanned for malware before the computer is allowed access to the file.
3. If malware is found in the file, real-time scanning blocks access to the file so the malware cannot harm the computer.
4. Based on the real-time scanning settings, real-time scanning either renames, deletes or tries to disinfect the infected file.

Does Real-Time Scanning Affect the System Performance?

The amount of time and system resources that real-time scanning takes depends on the contents, location and type of the file.

Files that take a longer time to scan:

• Compressed files, such as .zip archives. Note that these files are not scanned by default.
• Files on network file systems.
• Large files.

Real-time scanning may slow down your computer when a lot of files are accessed at the same time.

Scanning The Computer Manually

You can scan the whole computer for malware manually with the Web User Interface.

When the product scans files, it must have at least read access to them. If you want the product to disinfect infected files, the product must have write access to the files.

Check and edit the manual scanning settings before you start the manual scan.

1. To start the full computer scan, select I want to... in the basic user interface mode.
2. Click Scan the computer for malware.

Note: If you have the nautilus-actions package installed, scan actions are integrated into the right-click menu in the GNOME file manager.

Methods of Protecting the Computer from Malware

There are multiple methods of protecting the computer from malware; deciding which method to use depends on how powerful the computer is and how high a level of protection is needed.

Turning on all the virus protection features can have a noticeable effect on the speed of the computer.

Scanning the Computer in Real Time

Real-time scanning scans for malware in real time so that the computer is always protected.

Action on Virus Infection

Select the primary and secondary action to take when a virus is found.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Select the primary action to take when a virus is found. Choose one of the following actions:

• Select Report and deny access to display and alert about the found virus and block access to it. No other action is taken against the infected file. View Alerts to check security alerts.

• Select Disinfect to disinfect viruses. Note that some viruses cannot be disinfected. If the virus cannot be disinfected, access to the infected file is still blocked.

• Select Rename to rename the infected file and remove its execute permissions. The renamed infected file stays on the computer, but it cannot cause any damage. The renamed file has the .virus extension.

• Select Delete to delete the infected file.

• Select Deny access to block access to the infected file without sending any alerts or reports.

By default, the primary action for infections is Disinfect.

2. Select the secondary action. The secondary action takes place if the primary action cannot be performed. By default, the secondary action is Rename.

After configuring the virus infection actions, configure how alerts and reports are handled in the Alerts page.

Suspected FilesSelect the primary and secondary actions to take when heuristics scanning engine finds asuspected file.

In the I want to... page in the web user interface, click Modify advanced settings... to viewand configure advanced virus scanning settings.

1. Select the primary action to take when heuristics scanning engine finds a suspected file.Choose one of the following actions:

• Select Report and deny access to display and alert about the suspected file and blockaccess to it. No other action is taken. View Alerts to check security alerts.

• Select Rename to renames the suspected file and remove its execute permissions.Renamed suspected file stays on the computer, but it cannot cause any damage. Therenamed file has .suspected extension.

• Select Delete to delete the suspected file.• Select Deny access to block the access to the suspected file without sending any alerts

or reports.

By default, the primary action for suspected files is Report only.2. Select the secondary action. The secondary action takes place if the primary action cannot

be performed.By default, the secondary action is Deny access.

After configuring the suspected file settings, configure how alerts and reports are handled in theAlerts page.Select What to ScanSpecify files and directories that you want to scan for malware.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Specify Files and directories excluded from scanning to define files and directories which are excluded from the virus scan. Type each directory on a new line, only one directory per line. If scanning a certain directory takes a long time and you know that no user can create or copy an infected file in it, or you get false alarms during the scan, you can exclude the directory from the virus scan.

Tip: The list can also contain files if you want to exclude specific files from the scan.

2. If you do not want to scan any other files for viruses except executables, turn Scan only executables on. Clear the check box to scan all specified files for viruses.


Note: If Scan on open and Scan on execute are turned off, nothing is scanned even if Scan only executables is enabled.

3. Define Whitelisted executables which may access any files. The virus scan does not block any file accesses from whitelisted executables.

Note: Be sure that you can trust the executable file that you add as a whitelisted application. It is recommended to limit the file access for whitelisted applications. Whitelisting an application is always a potential security risk and should be used with caution.

4. If you want to use the whitelist setting with Integrity Checking, turn on Whitelisted executables must match baseline to require that whitelisted executables are unmodified in the known files list. If this setting is enabled and the executable cannot be found in the integrity checking baseline, it is not whitelisted.

Note: If you have defined whitelisted applications, it is highly recommended to turn on this option.

5. If you want to scan files every time they are opened, turn on Scan when opening a file.

6. If you want to scan files every time they are closed, turn on Scan when closing a file.

7. If you want to scan files every time they are run, turn on Scan when running an executable.

Note: Only regular files on mounted filesystems can be scanned. Special files, such as CD-ROM or DAT devices (/dev/st0, /dev/hda and such), cannot be scanned unless they are mounted as filesystems, or files are extracted on a filesystem from the tape first.

Archive Scanning

The archive scanning can scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives.

In the I want to... page in the Web User Interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Turn on Scan inside archives if you want to scan files inside archives.

Note: When the archive scanning is enabled, some e-mail clients may stop processing further e-mails when an infected e-mail is opened.

2. In Maximum number of nested archives, set the number of levels in nested archives the product scans. Nested archives are archives inside other archives.


3. Select how to treat password protected archives. Password protected archives cannot be scanned for viruses.

• Turn on Treat password protected archives as safe to allow access to password protected archives. The user who opens the password protected archive should have an up-to-date virus protection on the computer if password protected archives are treated as safe.

• Turn off Treat password protected archives as safe to deny users from accessing the archive.

4. If you want the archive scan to stop immediately when it finds an infected file, turn on Stop on first infection inside an archive to stop scanning the archive. If the setting is turned off, the product scans the whole archive.

Riskware Scanning

Select the primary and secondary action to take when riskware is found.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Select the primary action to take when riskware is found. Choose one of the following actions:

• Select Report and deny access to display an alert about the found riskware and block access to it. No other action is taken against the infected file. View Alerts to check security alerts. (Not available during the manual scanning.)

• Select Rename to rename the riskware file and remove its execute permissions. The renamed file stays on the computer, but it cannot cause any damage. The renamed file has the .riskware extension.

• Select Delete to delete the riskware file.

• Select Deny access to block the access to the riskware file without sending any alerts or reports. (Not available during the manual scanning.)

• Select Report only.

By default, the primary action for riskware is Report only.

2. Select the secondary action. The secondary action takes place if the primary action cannot be performed. By default, the secondary action is Deny access.

3. In the Excluded Riskware field, specify riskware types that the product should not scan. Use the following format to specify riskware you want to exclude, and separate each entry with a semicolon (;):

Category.Platform.Family

where category, platform or family can be the * wildcard. For example, Client-IRC.*.* excludes all riskware entries in the Client-IRC category.


After configuring the riskware scanning settings, configure how alerts and reports are handled in the Alerts page.

Scanning the Computer Manually

You can scan the computer for viruses manually to make sure that specified files or every possible file is checked for viruses.

Action on Virus Infection During Manual Scan

Select the primary and secondary action to take when a virus is found during the manual scan.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Select the primary action to take when a virus is found. Choose one of the following actions:

• Select Disinfect to disinfect viruses. Note that some viruses cannot be disinfected. If the virus cannot be disinfected, the access to the infected file is still blocked.

• Select Rename to rename the infected file and remove its execute permissions. The renamed infected file stays on the computer, but it cannot cause any damage. The renamed file has the .virus extension.

• Select Delete to delete the infected file.

By default, the primary action for infections is Disinfect.

2. Select the secondary action. The secondary action takes place if the primary action cannot be performed. By default, the secondary action is Rename.

After configuring the virus infection actions, configure how alerts and reports are handled in the Alerts page.

Suspected Files Found During the Manual Scan

Select the primary and secondary actions to take when the heuristics scanning engine finds a suspected file during the manual scan.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Select the primary action to take when the heuristics scanning engine finds a suspected file. Choose one of the following actions:

• Select Rename to rename the suspected file and remove its execute permissions. The renamed suspected file stays on the computer, but it cannot cause any damage. The renamed file has the .suspected extension.

• Select Delete to delete the suspected file.


By default, the primary action for suspected files is Report only.

2. Select the secondary action. The secondary action takes place if the primary action cannot be performed.

After configuring the suspected file settings, configure how alerts and reports are handled in the Alerts page.

Select What to Scan During the Manual Scan

Specify files and directories that you want to scan for malware when you run a manual scan.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. In the Scan files setting, select whether you want to scan all files during the manual scan or only files with specified extensions. If you select to scan Only files with specified extensions, the Included extensions field opens. Specify the file extensions you want to be scanned, and separate each extension with a comma (,).

2. Specify Files and directories excluded from scanning to define files and directories which are excluded from the virus scan. Type each directory on a new line, only one directory per line. If scanning a certain directory takes a long time and you know that no user can create or copy an infected file in it, or you get false alarms during the scan, you can exclude the directory from the virus scan.

Tip: The list can also contain files if you want to exclude specific files from the scan.

3. If you do not want to scan any other files for viruses except executables, turn Scan only executables on. Clear the check box to scan all specified files for viruses.

Note: If Scan on open and Scan on execute are turned off, nothing is scanned even if Scan only executables is enabled.

4. If you do not want the manual scan to change the last access time of the file when it is scanned, select the Preserve access times check box.

Note: Only regular files on mounted filesystems can be scanned. Special files, such as CD-ROM or DAT devices (/dev/st0, /dev/hda and such), cannot be scanned unless they are mounted as filesystems, or files are extracted on a filesystem from the tape first.

Archive Scanning

The archive scanning can scan files inside compressed ZIP, ARJ, LZH, RAR, CAB, TAR, BZ2, GZ, JAR and TGZ archives.


In the I want to... page in the Web User Interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Turn on Scan inside archives if you want to scan files inside archives.

Note: When the archive scanning is enabled, some e-mail clients may stop processing further e-mails when an infected e-mail is opened.

2. In Maximum number of nested archives, set the number of levels in nested archives the product scans. Nested archives are archives inside other archives.

3. Select how to treat password protected archives. Password protected archives cannot be scanned for viruses.

• Turn on Treat password protected archives as safe to allow access to password protected archives. The user who opens the password protected archive should have an up-to-date virus protection on the computer if password protected archives are treated as safe.

• Turn off Treat password protected archives as safe to deny users from accessing the archive.

4. If you want the archive scan to stop immediately when it finds an infected file, turn on Stop on first infection inside an archive to stop scanning the archive. If the setting is turned off, the product scans the whole archive.

Riskware Found During the Manual Scan

Select the primary and secondary action to take when riskware is found during the manual scan.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

1. Select the primary action to take when riskware is found. Choose one of the following actions:

• Select Rename to rename the riskware file and remove its execute permissions. The renamed file stays on the computer, but it cannot cause any damage. The renamed file has the .riskware extension.

• Select Delete to delete the riskware file.

• Select Report only.

By default, the primary action for riskware is Report only.

2. Select the secondary action. The secondary action takes place if the primary action cannot be performed.

3. In the Excluded Riskware field, specify riskware types that the product should not scan.


Use the following format to specify riskware you want to exclude, and separate each entry with a semicolon (;):

Category.Platform.Family

where category, platform or family can be the * wildcard. For example, Client-IRC.*.* excludes all riskware entries in the Client-IRC category.

After configuring the riskware scanning settings, configure how alerts and reports are handled in the Alerts page.
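The Excluded Riskware format (Category.Platform.Family, entries separated by semicolons, * as a wildcard) is described for both the real-time and the manual scan settings above. The following is an added example written for this page, not the product's own parser, showing how such an exclusion list can be parsed and matched; the detection names it is run against are constructed samples.

```python
"""Parse and match riskware exclusion entries of the form Category.Platform.Family.

Added illustration for this manual page; not F-Secure's code. Each component may be
the * wildcard, entries are separated by ';', and matching is case-insensitive so
that "client-irc.*.*" and "Client-IRC.*.*" behave the same."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskwarePattern:
    category: str
    platform: str
    family: str


def parse_excluded_riskware(field: str) -> list[RiskwarePattern]:
    """Parse the Excluded Riskware field.

    Empty entries (for example a trailing ';') are skipped. An entry with more or
    fewer than three components is rejected instead of being silently widened,
    because a malformed entry that "matched everything" would disable riskware
    detection without anyone noticing."""
    patterns: list[RiskwarePattern] = []
    for raw in field.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        parts = entry.split(".")
        if len(parts) != 3 or any(p == "" for p in parts):
            raise ValueError(f"bad riskware exclusion entry: {entry!r}")
        patterns.append(RiskwarePattern(*parts))
    return patterns


def _component_matches(pattern: str, value: str) -> bool:
    # A component is either the wildcard or an exact (case-insensitive) name.
    return pattern == "*" or pattern.casefold() == value.casefold()


def is_excluded(detection_name: str, patterns: list[RiskwarePattern]) -> bool:
    """True if a detection name (Category.Platform.Family) matches any exclusion entry."""
    parts = detection_name.split(".", 2)
    if len(parts) != 3:
        return False           # not a three-part name: never treat it as excluded
    category, platform, family = parts
    return any(
        _component_matches(p.category, category)
        and _component_matches(p.platform, platform)
        and _component_matches(p.family, family)
        for p in patterns
    )


def excludes_everything(patterns: list[RiskwarePattern]) -> bool:
    """Sanity check for an operator: an entry of *.*.* disables all riskware detection."""
    return any(p.category == p.platform == p.family == "*" for p in patterns)


if __name__ == "__main__":
    # Constructed sample: exclude the whole Client-IRC category and Linux monitoring tools.
    pats = parse_excluded_riskware("Client-IRC.*.*; Monitoring-Tool.Linux.*;")
    for name in ("Client-IRC.Win32.Sample", "Monitoring-Tool.Linux.Sample",
                 "Monitoring-Tool.Win32.Sample"):
        print(name, "excluded" if is_excluded(name, pats) else "scanned")
```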

Scanning the Computer at Set Times

You can use scheduled scanning to scan the computer for malware at regular intervals, for example daily, weekly or monthly.

Creating a Scheduled Scanning Task

Create scheduled scanning tasks to scan the computer for malware at regular intervals.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure advanced virus scanning settings.

Note that the scheduled scanning tasks use the Manual Scanning settings. To set the scanning schedule, follow these instructions:

1. Click Add a new task.

2. Set the date and time when the scheduled scan should start.

Settings are defined the same way as regular crontab entries. For example:

• To perform the task each Sunday at 4 am: Minute: 0, Hour: 4, Day of the Month: *, Month: *, Day of the Week: sun

• To perform the task every day at 5:30 am: Minute: 30, Hour: 5, Day of the Month: *, Month: *, Day of the Week: *

Note: Use one of the following values for the day of the week:

• Mon or 1 = Monday

• Tue or 2 = Tuesday

• Wed or 3 = Wednesday

• Thu or 4 = Thursday

• Fri or 5 = Friday

• Sat or 6 = Saturday

• Sun or 7 (or 0) = Sunday

Use * for a task that should be run on every day of the week.


3. Add directories that should be scanned to the Directories to scan box. Add one directory per line.

4. Click Save task to add the scheduled scanning task into the schedule.

A scheduled scan can take several hours, so it is a good idea to run it when the system is idle, for example during the night. Another alternative is to configure several scheduled scan tasks, and to scan only some directories at one time.

Configure how alerts and reports are handled in the Alerts page.

Firewall Protection

The firewall protects the computer against unsafe Internet traffic as well as against attacks originating from inside the local-area network.

The product:

• Protects against intruders who try to access the computer without a permission. They may, for example, try to steal personal information, such as files, passwords or credit card numbers.

• Provides protection against information theft as unauthorized access attempts can be prohibited and detected.

The firewall automatically keeps the computer protected after the product is installed.

What Is a Firewall?

The firewall protects the computer by allowing safe Internet traffic and blocking unsafe traffic.

Typically, the firewall allows all traffic from your computer to the Internet, but blocks all traffic from the Internet to your computer unless you specifically allow it. By blocking the inbound traffic, the firewall protects your computer against malicious software, such as worms, and prevents intruders from accessing your computer.

The computer is protected with the predefined firewall settings. Usually, you do not have to change them. However, you may have to change the settings if you use a very strict security level, or if you have added your own firewall rules or services.

Caution: Do not turn the firewall off. If you do, the computer is vulnerable to all network attacks.


What Are Security Profiles?

Firewall security profiles define the level of protection on the computer.

Each security profile has a predefined set of firewall rules, which define the type of traffic that is allowed to or denied from your computer. To some levels you can also add rules that you have created yourself.

The following table lists the security profiles available in the product and the type of traffic each of them allows or denies.

Security profile: Description

Block All: Blocks all network traffic (excluding loopback).

Server: Allows only IP configuration via DHCP, DNS lookups and ssh protocol out and in. Important: The server profile has to be customized before it can be taken into use.

Mobile: Allows normal web browsing and file retrievals (HTTP, HTTPS, FTP), as well as e-mail and Usenet news traffic. Encryption programs, such as VPN and SSH, are also allowed. Everything else is denied. Local rules can be added after the malware probes detection.

Home: Allows all outbound TCP traffic and FTP file retrievals. Everything else is denied. Local rules can be added to enable new network functionality.

Office: Allows all outbound TCP traffic and FTP file retrievals. Everything else is denied by default. With this profile, a firewall should exist between 0.0.0.0/0 and the host.

Strict: Allows outbound web browsing, e-mail and News traffic, encrypted communication, FTP file transfers and remote updates. Everything else is denied.

Normal: Allows all outbound traffic, and denies some specific inbound services.

Disabled: Allows all inbound and outbound network traffic.

How are security profiles related to firewall rules and services?

A security profile consists of several firewall rules. A firewall rule consists of several firewall services. Services are defined by the protocols and ports they use.

For example, the Normal security profile has a firewall rule called Web browsing. This rule allows you to browse the web. The rule includes the services that are needed for web browsing, such as the HyperText Transfer Protocol (HTTP) service. This service uses TCP and port number 80.

Changing the Firewall Protection Level

Firewall protection levels allow you to instantly change your firewall rule set.

1. Open the I want to... page in the Web User Interface.

2. Select the level you want to use in the Firewall Protection.

Editing Security Profile

Different security profiles can be assigned and edited to suit different users' needs.

Each security profile has a set of pre-configured firewall rules.

1. Select the firewall profile you want to edit. You can change the current security profile from the Summary page. The current security profile is displayed on the top of the Firewall Rules page.

2. The list of rules displays the currently used ruleset. To edit the ruleset:

• Clear the Enabled checkbox to disable the rule temporarily.

• Use up and down arrows to change the order of rules in the ruleset.

Note: Changing the order of the rules may affect all the other rules you have created.

• Click X to delete the rule permanently.

• To edit a rule, select it from the list of rules. The selected rule is displayed in the Edit Rule pane below the list of rules.

3. If the profile contains more than 10 rules, use <<, <, > and >> arrows to browse rules.


Firewall Rules

Firewall rules define what kind of Internet traffic is allowed or blocked.

Each security level has a predefined set of firewall rules, which you cannot change. The selected security level affects the priority which your own rules receive in relation to the predefined rules.

A firewall rule can be applied to traffic from the Internet to your computer (inbound), or from your computer to the Internet (outbound). A rule can also be applied to both directions at the same time.

A firewall rule consists of firewall services, which specify the type of traffic and the ports that this type of traffic uses. For example, a rule called Web browsing has a service called HTTP, which uses TCP and port number 80.

Firewall rules also define whether firewall alert pop-ups are shown to you about the traffic that matches the firewall rules.

When do you have to add a new firewall rule?

You may have to add a new firewall rule if you want to allow traffic that is blocked or if you want to block specific Internet traffic.

By adding all the services that the program or device needs to the same rule, you can easily:

• turn the rule on or off later, or

• remove the rule if you uninstall the program or remove the device.

You also have to add a new rule if you have denied a certain type of traffic but you want to allow it to certain IP addresses. In this case, you already have a general "deny" firewall rule. To allow the traffic to certain IP addresses, you have to create a more specific "allow" rule.

Firewall Services

Firewall services define the type of traffic to which a firewall rule applies.

Network services, such as web browsing, file sharing or remote console access, are examples of these firewall services.

A service uses a certain protocol and port. For example, the HTTP service uses the TCP protocol and the port number 80.

A firewall service uses two kinds of ports:

• Initiator port: the port on the computer that starts the connection.


• Responder port: the port on the computer where the connection ends.

Whether the port on the computer is an initiator port or responder port depends on the direction of the traffic:

• If the firewall service is for outbound traffic, the initiator port is the port on your own computer. The responder port is then the port on a remote computer.

• If the firewall service is for inbound traffic, the initiator port is the port on a remote computer. The responder port is then the port on your own computer.

The responder ports are typically mentioned in the software documentation. The initiator port can usually be any port higher than 1023. However, for some games you may also have to define specific initiator ports. In this case, they are also mentioned in the software documentation.

If you create a new firewall rule, you have several predefined services that you can add to the rule. You can also create and add your own services if the service that you need is not on the services list.

Creating Firewall Services and Rules

You can create new firewall services and rules if you want to allow traffic that is blocked or if you want to block specific net traffic. When you create or edit firewall rules, you should allow only the needed services and deny all the rest to minimize security risks.

To use the Firewall Wizard, go to I want to... and click Create a firewall rule, follow the on-screen instructions and finish the wizard.

Follow these instructions to create a new service and rule in the advanced user interface:

1. Create a new service.

a) Select Network Services in the Advanced mode menu.

b) Define a unique name for the service in the Service Name field.

c) Enter a descriptive comment in the Description field to distinguish this service from other services.

d) Select a protocol number for the service from the Protocol drop-down list. If your service does not use the ICMP, TCP or UDP protocol, select Numeric and type the protocol number in the field reserved for it.

e) If your service uses the TCP or UDP protocol, define the Initiator Ports the service covers.

f) If your service uses the TCP or UDP protocol, define the Responder Ports the service covers.

g) Click Add as a new service to add the service to the Network services list.

h) Click Save.

The new service is saved to the service list.

2. Create a new rule for the service.


a) Select Firewall Rules in the Advanced mode menu to create a firewall rule that uses the service you have defined.

b) Select the profile where you want to add a new rule and click Add new rule to create a new rule.

c) Select Accept or Deny as the rule Type to choose whether the rule allows or denies the service.

d) Enter details about target addresses to the Remote host field. Enter the IP address and the subnet in bit net mask format. For example: 192.168.88.0/29. You can use the following aliases as the target address:

• [myNetwork] - The local-area network with the same subnet on all interfaces.

• [myDNS] - All configured DNS servers.

e) Enter a descriptive comment in the Description field to distinguish this rule.

f) Select the new service you have created in the Service field and the direction in which the rule applies.

• in = all incoming traffic that comes to your computer from the Internet.

• out = all outgoing traffic that originates from your computer.

g) Choose network interfaces to which the rule applies. Type the network interfaces you want the rule to apply to in the Flag field. The rule is applied to all network interfaces if you leave the Flag field empty. For example, [if:eth0], [if:eth3].

h) Click Add Service to This Rule. The service is added to the new rule.

i) If you do not want to add other services to the same rule, click Add to Firewall Rules. Each rule must have at least one service. If the rule contains a new service, make sure you have saved the service list in the Network Services page. The rule is added to the active set of rules on the Firewall Rules table.

j) Click Save to save the new rule list.

How Does the Priority Order of Firewall Rules Work?

Firewall rules have a priority order that determines the order in which the rules are applied to network traffic.

Firewall rules are shown as a list on the Rules page. The rules are applied from top to bottom, and the first rule that matches the traffic overrides all the other rules below. The main principle is to allow only the needed traffic and block the rest. Therefore, the last rule of a security level is the Deny rest rule. It blocks all the traffic that the rules above it do not specifically allow.


An example of how the priority order works

The following examples clarify how you can control which rules are applied to specific network traffic by changing the order of firewall rules.

• You have added a rule that denies all outbound FTP traffic. Above the rule in the rules list, you add another rule that allows an FTP connection to your Internet Service Provider's IP address. This rule allows you to create an FTP connection to that IP address.

• You have added a rule that allows you to create an FTP connection to your Internet Service Provider's IP address. Above the rule in the rules list, you add another rule that denies all FTP traffic. This rule prevents you from creating an FTP connection to your Internet Service Provider's IP address (or any other IP address).
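The two orderings above, worked through as an added example that is not the product's own rule engine: a small first-match evaluator over an ordered rule list that always ends with a Deny rest rule. The rule and service model (type, direction, service as protocol plus responder port, remote host in bit net mask format) follows the descriptions on this page; the ISP address 198.51.100.10 is a constructed sample.

```python
"""First-match evaluation of an ordered firewall rule list.

Added illustration for this manual page, not F-Secure's firewall code. The rules are
walked from top to bottom and the first matching rule decides; rules below it are
never consulted, which is exactly why the two FTP orderings give opposite results."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

ANY_HOST = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str        # "tcp" or "udp"
    responder_port: int  # port on the computer where the connection ends


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "accept" or "deny"
    direction: str             # "in", "out" or "both"
    remote_host: IPv4Network   # e.g. ip_network("192.168.88.0/29")
    services: tuple            # empty tuple means "any service" (used by Deny rest)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    responder_port: int
    remote_ip: str


FTP = Service("FTP", "tcp", 21)
HTTP = Service("HTTP", "tcp", 80)
DENY_REST = Rule("Deny rest", "deny", "both", ANY_HOST, ())


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when direction, remote host and one of its services all match."""
    if rule.direction not in ("both", pkt.direction):
        return False
    if ip_address(pkt.remote_ip) not in rule.remote_host:
        return False
    if not rule.services:
        return True
    return any(s.protocol == pkt.protocol and s.responder_port == pkt.responder_port
               for s in rule.services)


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, top to bottom."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    # Only reached if the list does not end with a Deny rest rule; fail closed anyway.
    return DENY_REST.action, DENY_REST.name


def ftp_scenario(order: str, remote_ip: str = "198.51.100.10") -> tuple[str, str]:
    """The manual's two examples. order is "allow-first" or "deny-first".
    198.51.100.10 stands in for the ISP address (constructed sample)."""
    isp = ip_network("198.51.100.10/32")
    allow_isp_ftp = Rule("Allow FTP to ISP", "accept", "out", isp, (FTP,))
    deny_all_ftp = Rule("Deny all outbound FTP", "deny", "out", ANY_HOST, (FTP,))
    if order == "allow-first":
        rules = [allow_isp_ftp, deny_all_ftp, DENY_REST]
    else:
        rules = [deny_all_ftp, allow_isp_ftp, DENY_REST]
    return evaluate(rules, Packet("out", "tcp", 21, remote_ip))


if __name__ == "__main__":
    for order in ("allow-first", "deny-first"):
        print(order, "->", ftp_scenario(order))
```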

Firewall Settings

On the Settings tab, you can select network packet logging settings and configure trusted network interfaces.

Logging Unhandled Network Packets

You can log unhandled network packets in problem solving situations.

By default, you do not need to log unhandled network packets.

1. Open the Web User Interface.

2. Select the Advanced check box to turn on the advanced mode.

3. Go to Firewall Protection ➤ General.

4. Check the Log all unhandled network packets check box to log all network packets that do not match any firewall rules.

All network packets that do not match any firewall rules are logged using syslog (may vary depending on the Linux distribution you use).

Editing Trusted Network Interfaces

Firewall rules apply to all network interfaces on the host. All interfaces on the trusted list have a pass-by rule that accepts all traffic.

1. Open the Web User Interface.

2. Select the Advanced check box to turn on the advanced mode.

3. Go to Firewall Protection ➤ General.


4. Add network interfaces to the Trusted network interfaces list and separate each entry with a comma.

All traffic to trusted network interfaces is allowed.

Integrity Checking

Integrity Checking protects important system files against unauthorized modifications.

You can use Integrity Checking to block any modification attempts to protected files, regardless of file system permissions.

Use Integrity Checking Wizards on the I want to... page to generate and verify the file system baseline. The file system baseline guards your computer against unauthorized file changes. For more integrity checking options, configure settings in the Advanced mode.

Integrity Checking works by comparing files on the disk to the baseline, which is a cryptographically signed list of file properties. Integrity Checking can be configured to send alerts to the administrator about modification attempts of the monitored files.

Known Files List

The Known Files List contains all files that the product monitors and protects.

The baseline is created from the Known Files List by reading the properties of the files in the list and cryptographically signing the result. Integrity Checking compares this result to real-time file accesses.

Note: The Known Files List in the Web User Interface shows only the baseline status that is currently stored in the product. To view the actual, up-to-date file system status, use the Verify baseline operation in the Web User Interface or run the fsic command line utility.

Using the Known Files List Search

Use search filters to select files you want to view in the Known Files List.

1. Select files you want to view in the known files list.

• Select Modified and new to display all files that have been modified or added to the baseline.

• Select Modified to display all files that have been modified.

• Select New to display all files that have been added to the baseline.


• Select Unmodified to display all baselined files that have not been modified.

• Select All to display all files in the known files list.

2. If you want to limit the search by the filename, enter any part of the filename of the monitored file you want to view in the known files list to the Filename field.

3. Click Search. The Known Files List displays the search results.

4. View the search results.

Option: Description

Filename: Displays the name of the file.

Detection time: Displays the time when a modification was detected.

Detected modifier: Displays the filename of the process that modified the file.

Action: Displays whether the product allows or denies modifications to the file.

Alert: Displays whether the product sends an alert when the file is modified.

Protection: Displays whether the file is monitored or protected. Protected files cannot be modified, while monitored files are only monitored and can be modified.

5. Select the action you want to perform:

• To regenerate the baseline, select the new and modified files you want to baseline and click Regenerate baseline for highlighted files.

• If you want to remove files from the baseline, click files to select them and click Remove highlighted files to stop monitoring the selected files.

Note: Integrity Checking does not protect new or modified files before you regenerate the baseline. If you add files to the Known Files List or files have been modified, regenerate the baseline to protect those files.

Adding Files to the Known Files List

You can add files to the known files list to protect them from unwanted modifications.


1. Enter the filename of the file you want to monitor to the Filename field. If you want to add more than one file, separate each filename with a space.

2. Select the protection method you want to use.

• Select Monitor to only monitor the file. A monitored file may be modified.

• Select Protect to deny all modifications of the file. The protected file can be opened but it cannot be changed.

3. Select whether you want to prevent the access to the modified file.

• Select Allow to allow the access to the modified file when it is executed or opened.

• Select Deny to deny the access to the modified file. Modified files cannot be opened or executed.

4. If you want to ignore changes to some attributes of the file, select one or more of the Ignored Attributes checkboxes:

• Mode: Changes to file permissions are ignored
• User: Changes to file ownership are ignored
• Group: Changes to file group are ignored
• Size: Changes to file size are ignored
• Modification time: Changes to file modification time are ignored
• Hash: Changes to the content of the file are ignored

Note: Ignoring only the hash attribute is not usually desirable, since modifying file contents usually changes the modification time and size as well.

5. Click Add to known files to add the entry to the Known Files List.

Integrity Checking does not protect new or modified files before you regenerate the baseline. Regenerate the baseline to protect files you have added.

Note: You can add a single file or multiple files to the baseline at the same time.

Software Installation Mode

Use the Software Installation Mode when you want to modify system files and programs.

Integrity Checking prevents unauthorized and unwanted modifications of system files and programs. When you update your operating system, apply a security update or install new versions of software, you need to modify files that Integrity Checking monitors.

When the Software Installation Mode is enabled, any process can load any kernel module regardless of whether it is in the baseline or not, and any process can change any file in the baseline, whether that file is protected or not. The real-time scanning is still enabled and it alerts of any malware found during the installation.

When leaving the Software Installation Mode, the product updates the known files list with new files and generates the new baseline. If the integrity checking and the rootkit protection features have been enabled, they are turned back on after the new baseline is generated.

Important: If you install software without the Software Installation Mode when Integrity Checking monitors updated files, you may be unable to install or use the new software. For example, Integrity Checking may prevent a kernel update from booting properly as new drivers are not in the baseline.

Turning on the Software Installation Mode

Turn on the Software Installation Mode when you want to update or modify protected files.

To access the Software Installation Mode, follow these instructions.

1. Open the Web User Interface.
2. Go to the I want to... page.
3. Click Install software.

The Software Installation Mode wizard opens.

The Software Installation Mode wizard guides you through the software installation and updates the baseline with new software that you install on your system.

You can also use the fsims command line tool to use the Software Installation Mode from the shell.

Baseline

Integrity Checking is set up by creating a baseline of the system files that you want to protect.

A default set of system files is added to the Known Files List during the installation. By default, Kernel Module Verification is enabled during the installation and the baseline is generated from the Known Files List. If you do not enable the Kernel Module Verification during the installation, you have to generate the baseline manually before Integrity Checking is enabled.

All files that are added to the baseline during the installation are set to Allow and Alert protection mode.

Note: The default list of known files is generated upon installation, and contains the most important system files. The list of files differs between distributions. Run /opt/f-secure/fsav/bin/fslistfiles to retrieve the exact list of files.

Baseline Passphrase

The baseline has to be signed to prevent anyone from modifying the protected files.

The product verifies the baseline and the system integrity cryptographically. A cryptographic algorithm is applied to the baseline contents and the passphrase to generate a signature (an HMAC signature) of the baselined information.

Important: You must take great care not to forget the passphrase used, as it cannot be recovered and the baseline cannot be verified against tampering without using the same passphrase.

Note: All administrators who know the passphrase can regenerate the baseline, so sharing the passphrase should be limited.

Verify Baseline

You can verify the baseline manually to make sure that your system is safe and all baselined files are unmodified.

1. Enter your passphrase to verify the baseline.
2. Do not start any other integrity checking processes while the product verifies the baseline.

If an attacker has managed to gain root access to the system and regenerated the baseline, the regenerated baseline does not verify against your passphrase when you verify the baseline.
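The passphrase-keyed HMAC signature described above, illustrated with an added shell example that is not the product's own fsic code or baseline format: a baseline of file hashes is built with sha256sum, signed with an HMAC keyed by the passphrase, verified against the passphrase, and the files are then re-checked against the baseline. HMAC-SHA256 via openssl is an assumption (the manual does not name the algorithm the product uses), and the sample directory and passphrases are constructed.

```shell
#!/bin/sh
# Added example (not F-Secure's fsic code or its baseline format): sign a
# baseline of file hashes with a passphrase-keyed HMAC and verify it.
# Assumes sha256sum, openssl and awk are available. HMAC-SHA256 is an
# assumption; the manual does not name the hash used by the product.

# build_baseline DIR OUT: record "hash  path" for every regular file under DIR,
# sorted by path so that the baseline is reproducible.
build_baseline() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# sign_baseline BASELINE PASSPHRASE: print the HMAC-SHA256 of the baseline
# contents, keyed by the passphrase. Only someone who knows the passphrase
# can produce a signature that verifies.
sign_baseline() {
    openssl dgst -sha256 -hmac "$2" "$1" | awk '{print $NF}'
}

# verify_baseline BASELINE SIGFILE PASSPHRASE: succeed (0) if the stored
# signature equals a fresh HMAC computed with this passphrase. A baseline
# regenerated under a different passphrase fails here, which is the case the
# manual describes for an attacker who regenerates the baseline as root.
verify_baseline() {
    expected=$(cat "$2")
    actual=$(sign_baseline "$1" "$3")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# check_files BASELINE: succeed (0) only if every file listed in the baseline
# still has the recorded hash.
check_files() {
    sha256sum --check --quiet --strict "$1" >/dev/null 2>&1
}
```

Verifying the signature and checking the file hashes are two separate steps on purpose: check_files tells you whether files differ from the baseline, while verify_baseline tells you whether the baseline itself is the one the administrator signed, which is what makes a baseline regenerated by someone else detectable.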

Rootkit Prevention

When Integrity Checking is enabled, the product can prevent rootkits.

Hackers can use rootkits to gain access to the system and obtain administrator-level access to the computer and the network.

Configuring Rootkit Prevention

When Integrity Checking is on, the product can prevent rootkit infiltrations.

In the I want to... page in the web user interface, click Modify advanced settings... to view and configure Integrity Checking settings.

1. Turn Kernel module verification on or off.
The kernel module verification protects the system against rootkits by preventing unknown kernel modules from loading. When the kernel module verification is on, only those kernel modules that are listed in the known files list and which have not been modified can be loaded. If the kernel module verification is set to Report only, the product sends an alert when an unknown or modified kernel module is loaded but does not prevent it from loading.

2. Turn Write protect kernel memory on or off.
Kernel memory write-protection protects the /dev/kmem file against write attempts. A running kernel cannot be directly modified through the device. If the write protection is set to Report only, the product sends an alert when it detects a write attempt to the /dev/kmem file, but it does not prevent the write operation.

3. Specify Allowed kernel module loaders.
Specified programs are allowed to load kernel modules when the kernel module verification is on. By default, the list contains the most common module loaders. If the Linux system you use uses some other module loaders, add them to the list. Type each entry on a new line, only one entry per line.

General Settings

In general settings, you can configure alerting and automatic virus definition database updates and view the product information.

Alerts

On the Alerts page, you can read and delete alert messages.

Alert Severity Levels

Alerts are divided into severity levels.

Severity Level     Syslog priority    Description
Informational      info               Normal operating information from the host.
Warning            warning            A warning from the host. For example, an error when trying to read a file.
Error              err                Recoverable error on the host. For example, the virus definition database update is older than the previously accepted version.
Fatal Error        emerg              Unrecoverable error on the host that requires attention from the administrator. For example, a process fails to start or loading a kernel module fails.
Security alert     alert              A security alert on the host. For example, a virus alert. The alert includes information of the infection and the performed operation.

Processing Alerts

You can search and delete specific alerts from hosts.

To find the alert message you want to view, follow these instructions:

1. Select the Status of security alerts you want to view.

• Select All to view all alerts.
• Select Unread to view new alerts.
• Select Read to view alerts you have already viewed.

2. Select the Severity of security alerts you want to view.
3. You can delete or mark multiple messages as read simultaneously.

• Click alerts to highlight them and click Mark highlighted as read to flag them as read.
• Click Delete highlighted to delete all highlighted alerts.

Note: You can delete or mark multiple messages as read simultaneously. Select how old and which alert severity messages you want to edit and click Perform action to delete or mark selected messages as read.

Configuring Alerts

Change Communications settings to configure where alerts are sent.

In the centrally managed installation mode, make sure that the URL of the F-Secure Policy Manager Server address is correct in the Server Address field. Use the Upload Policy Manager Server Certificate field to enter the location of the admin.pub key. This is the key that you created during F-Secure Policy Manager Console Installation.

1. In Alert Level, specify where an alert is sent according to its severity level. You can send an alert to any of the following:

• E-mail to - Enter the e-mail address where the alert is sent as an e-mail.
• Local - Alert is displayed in the Web User Interface.
• Syslog - Alert is written to the system log. The syslog facility is LOG_DAEMON and the alert priority varies with the severity level.
• Policy Manager - Alert is sent to F-Secure Policy Manager.

Note: F-Secure Panel Applet in the GNOME system tray displays local alerts as pop-ups.

2. Specify E-mail Settings.
The e-mail settings are used for all alert messages that have been configured to send e-mail alerts.
a) Enter the address of the SMTP server in the Server Address field. You can use either the DNS name or IP address of the SMTP server. The server port is always 25 and it cannot be changed.

Note: If the mail server is not running or the network is down, it is possible that some e-mail alerts are lost. To prevent this, configure a local mail server on port 25 and use it for relaying e-mail alerts.

b) Enter the full e-mail address ([email protected]) that you want to use as the sender of the alert in the e-mail message in the From field.

c) Enter the e-mail alert message subject in the Subject field. Use %DESCRIPTION% as the subject to display a short description of the alert in the subject line.


Automatic Updates

F-Secure Automatic Update Agent keeps the protection on your computer updated.

F-Secure Automatic Update Agent retrieves the latest updates to your computer when you are connected to the Internet.

Information about the latest virus definition database update can be found at: http://www.F-Secure.com/download-purchase/updates.shtml

Configuring Automatic Updates Options

Configure automatic updates if you use proxy services and you want to control how the product retrieves virus definition updates automatically.

1. Check the Updates enabled check box to enable automatic virus definition updates. By default, automatic updates are enabled.

2. Configure F-Secure Policy Manager Proxies.
The Policy Manager Proxies list displays a list of virus definition database update sources and F-Secure Policy Manager proxies. If no update servers are configured, the product retrieves the latest virus definition updates from F-Secure Update Server automatically.
a) To add a new address to the list, enter the URL in the PM Proxy address field.
b) Click Add PM Proxy to add the new entry to the list.

3. Configure HTTP Proxy if you need to use a proxy to access the Internet.
a) Check the Use HTTP Proxy check box to use an HTTP proxy server to download database updates.
b) Enter the HTTP proxy server address in the HTTP Proxy Address field. Use the following format: http://[username:password@]host[:port]
For example: http://user:[email protected]:8080

4. Configure periodic updates.
a) Define (in minutes) how often the product checks the virus definition database update sources for new updates in the Automatic updates interval field.
b) Define (in minutes) the failover time to connect to the specified update servers in the Intermediate server failover time field.
If the product cannot connect to the update servers during the specified time, it retrieves the latest virus definition updates from F-Secure Update Server if Allow fetching updates from F-Secure Update Server is enabled.

c) Check the Allow fetching updates from F-Secure Update Server check box to enable the product to download virus definition updates from F-Secure Update Server when it cannot connect to the specified update servers.


d) Select whether a virus scan should be launched automatically after the virus definitions have been updated. The virus scan scans all local files and directories and it can take a long time. The scan uses the manual scanning settings. By default, the scan is not launched automatically.

5. Configure reminders.
a) If the virus definition databases have not been updated in a while, the product can be set to send a reminder. To enable reminders, check the Send reminders check box. The severity of the reminder is security alert. The database age field appears.

b) Specify the age of the virus definition databases when they are considered old (3-30 days, the default value is 7 days). An alert is sent as a reminder when the database is older than the specified age.

F-Secure Policy Manager Proxies

F-Secure Policy Manager Proxy offers a solution to bandwidth problems in distributed installations of the product by significantly reducing load on networks with slow connections.

When you use F-Secure Policy Manager Proxy as an update source, F-Secure products can be configured to retrieve virus definition database updates from a local update repository rather than from the central F-Secure Policy Manager Server.

Note: For information about how to install and configure F-Secure Policy Manager Proxy, see the F-Secure Policy Manager Administrator's Guide.

About

The About page in the Web User Interface displays the license terms, the product version number and the database version.

If you are using the evaluation version of the product, you can enter the keycode in the About page to upgrade the product to the fully licensed version.

Note: If the evaluation period has expired before you upgrade to the full version, you have to restart the product after entering the keycode.

Chapter 6: Troubleshooting

Topics:

• Installing Required Kernel Modules Manually
• User Interface
• F-Secure Policy Manager
• Integrity Checking
• Firewall
• Virus Protection
• Generic Issues

Installing Required Kernel Modules Manually

You may need to install required kernel modules manually if you forgot to use Software Installation Mode and the system is not working properly, or in large installations when some hosts do not include development tools or kernel source.

Make sure that the running kernel version is the same as the version of the kernel sources installed. The kernel configuration must also be the same. On some distributions, such as older SUSE distributions, you may need to go to /usr/src/linux and run the following commands before the kernel sources match the installed kernel:

make cloneconfig
make modules_prepare

Follow the instructions below to install required kernel modules:

Run the following command as the root user:

/opt/f-secure/fsav/bin/fsav-compile-drivers

If the summary page in the user interface does not show any errors, the product is working correctly.

fsav-compile-drivers is a shell script that configures and compiles the Dazuko driver automatically for your system and for the product. For more information on the Dazuko driver, visit www.dazuko.org.

Note: You can download the Dazuko driver from www.dazuko.org and use it with the product, but it is not recommended. The product has been extensively tested only with the Dazuko version that ships with the product, which is installed in /opt/f-secure/fsav/dazuko.tar.gz.

If your Linux distribution has a preinstalled Dazuko, it cannot be used, as Dazuko depends on the included patches and configuration options, which are likely different in the preinstalled Dazuko. Uninstall the preinstalled Dazuko or make sure that it is not run during the system startup, and follow the installation instructions above to install Dazuko with all required patches and configuration options.

User Interface

Troubleshooting issues with the Web User Interface.


I cannot log in to the Web User Interface. What can I do?

On some distributions, you have to comment out (add a hash sign (#) at the beginning of the line) the following line in /etc/pam.d/login:

# auth requisite pam_securetty.so

The F-icon has a red cross over it, what does it mean?

When the F-icon in the system tray or in the GNOME Panel Applet has a red cross over it, the product has encountered an error. Open the Web User Interface to see a detailed report about the issue.

To fix the problem, try to restart the product. Run the following command:

/etc/init.d/fsma restart

How can I get the F-icon visible in the system tray?

You may need to log out and log in again to get the F-icon in your system tray. If you are using GNOME Desktop, make sure you have a notification area in your GNOME Panel and follow these instructions:

1. Right-click on the GNOME panel.
2. Choose Add Panel applet.
3. Select F-Secure Panel Applet from the list of installed GNOME panel applets.

How do I enable the debug log for the web user interface?

Add the following setting to /opt/f-secure/fsav/tomcat/conf/logging.properties:

.level=FINEST

The logfile is in /var/opt/f-secure/fsav/tomcat/catalina.out.

F-Secure Policy Manager

Troubleshooting issues with F-Secure Policy Manager.

My network stopped working after I upgraded the product, how can I fix this?

You have to upgrade the MIB file in your F-Secure Policy Manager installation, otherwise the upgraded product uses the Server firewall profile, which blocks virtually all traffic.

Integrity Checking

Troubleshooting issues with the integrity checking feature.

Symlinks are not working for Integrity Checking or Rootkit Protection, what can I do?

You may be denied from loading a kernel module if the file containing the kernel module is a symlink and the real file the symlink points to is not in the Integrity Checking baseline. The same applies if the modprobe or insmod utilities (the module loaders) use files or libraries which are symlinks and the file the symlink points to is not in the baseline.

For example, modprobe uses /lib/libz.so.1, which is really a symlink to the real file /lib/libz.so.1.2.2. The symlink is in the baseline but the real file is not. In this case, modprobe is not allowed to run, as it tried to open a file that is not in the baseline.

You should never add only symlinks to the baseline; you should always add both the symlink and the real file the symlink points to.
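One way to avoid the symlink problem when feeding paths to the baseline, as an added shell helper that is not part of the product: it reads paths on standard input and prints each path together with every symlink hop and the final target, so that its output can be piped into fsic --add - the same way the fslistfiles output is in the answers below. The file names in the comments are constructed to mirror the libz example above.

```shell
#!/bin/sh
# Added helper (not part of the product): expand each path on stdin into the
# path itself plus every link in its symlink chain and the final target, so
# that both the symlink and the real file end up in the baseline.
# Uses only POSIX sh, readlink (without -f) and awk.

# expand_symlinks: reads paths from stdin, writes the expanded, de-duplicated
# list to stdout in first-seen order.
expand_symlinks() {
    while IFS= read -r p; do
        printf '%s\n' "$p"
        cur=$p
        # follow one hop at a time so that intermediate links are listed too
        # (e.g. /lib/libz.so.1 -> libz.so.1.2.2 in the example above)
        while [ -L "$cur" ]; do
            target=$(readlink "$cur")
            case $target in
                /*) ;;                                   # absolute target
                *)  target=$(dirname "$cur")/$target ;;  # relative to the link's directory
            esac
            printf '%s\n' "$target"
            cur=$target
        done
    done | awk '!seen[$0]++'
}

# Usage (as root), then regenerate the baseline with fsic --baseline:
#   /opt/f-secure/fsav/bin/fslistfiles | expand_symlinks | fsic --add -
```

Following the chain one hop at a time rather than resolving it in one step matters because a loader may open the intermediate link name, and every name it opens must be in the baseline.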

I forgot to use Software Installation Mode and my system is not working properly. What can I do?

Create a new baseline. Execute the following commands:

/opt/f-secure/fsav/bin/fslistfiles | fsic --add -

fsic --baseline

Can I update the Linux kernel when I use Integrity Checking?

Use the Software Installation Mode. After you have updated the kernel, disable the SoftwareInstallation Mode to restore the normal protection level.

70 | F-Secure Linux Security | Troubleshooting

Page 71: F-Secure Linux Security

There are too many modified files to update with the user interface.

Create a new baseline. Execute the following commands:

/opt/f-secure/fsav/bin/fslistfiles | fsic --add -

fsic --baseline

Do I have to use the same passphrase every time I generate the baseline?

No, you have to verify the baseline using the same passphrase that was used when the baseline was generated, but you do not have to use the same passphrase again when you generate the baseline again.

Firewall

Troubleshooting issues with the firewall.

After installing the product, users cannot access samba shares on my computer, how can I fix this?

The Office firewall profile contains a rule that allows Windows Networking, but that rule is disabled by default. Enable the rule to allow access to samba shares.

After installing the product, I cannot browse local area network domains and workgroups (SMB). How can I fix this?

You need to add a rule to the firewall that allows browsing Windows shares on your local area network. Follow these instructions:

1. Go to the Firewall ➤ Network Services page in the Web User Interface advanced mode.
2. Click Add new service.
3. Create the following service:

• Service Name: Windows Networking Local Browsing
• Protocol: UDP
• Initiator ports: 137-138
• Responder: >1023
• Description: SMB LAN browsing


4. Click Add as a new service and Save.
5. Go to the firewall menu and click Firewall Rules.
6. Click Add new rule.
7. Create the following rule:

• Type: ACCEPT
• Remote Host: [myNetwork]
• Description: Windows Networking Local Browsing
• Service (select box): Windows Networking Local Browsing
• Direction: in

8. Click Add Service to this Rule and Add to Firewall Rules. The new rule should be visible at the bottom of the firewall rule list. If you cannot see the rule, click >> to move to the end of the list.

9. Click on the up arrow next to the new rule to move the rule above any "Deny rest" rule.
10. Click Save to save your new rule set and apply the new firewall rules.

Your SMB LAN browsing should work now.

How can I set up firewall rules to access NFS servers?

You need to allow the following network traffic through the firewall:

• portmapper (tcp and udp port 111)
• nfsd (tcp and udp port 2049)
• mountd (variable port, assigned through portmapper)

Mountd is needed only when the NFS share is mounted. After the mount is completed, all traffic goes to nfsd.

As the mountd port is not always the same, follow these instructions to mount NFS shares:

• Either turn off the firewall, mount (or umount) the NFS share and turn on the firewall again, or

• on the NFS server, start mountd with the --port PORT option, which forces mountd to use a fixed port number instead of a random port.

• Then, create a firewall rule that allows udp and tcp traffic to that port number.

Virus Protection

Troubleshooting issues with the virus protection feature.

How do I enable the debug log for real-time virus scanner?

In Policy Manager Console, go to Product ➤ Settings ➤ Advanced and set the fsoasd log level to Debug.

In standalone installation, run the following command:

/opt/f-secure/fsma/bin/chtest s 44.1.100.11 9

The log file is in /var/opt/f-secure/fsav/fsoasd.log.

How can I use an HTTP proxy server to download database updates?

In Policy Manager Console, go to F-Secure Automatic Update Agent ➤ Settings ➤ Communications ➤ HTTP Settings ➤ User-defined proxy settings and set Address to: http://[[user][:pass]@]proxyhost[:port].

In Web User Interface, use the setting in the Automatic Updates page in the advanced mode.

Does the real-time scan work on NFS server?

If the product is installed on NFS server, the real-time scan does not scan files automaticallywhen a client accesses a file on the server.

How do I disable the real-time virus scan temporarily?

During some administrative tasks (for example, backup or restore) you may want to temporarilydisable all virus scanning in the background.

Run the following commands to disable the virus scan and integrity checking:

/opt/f-secure/fsma/bin/chtest s 45.1.40.10 0

/opt/f-secure/fsma/bin/chtest s 45.1.70.10 0

To enable real-time scan and integrity checking again, run the following commands:

/opt/f-secure/fsma/bin/chtest s 45.1.40.10 1


/opt/f-secure/fsma/bin/chtest s 45.1.70.10 1

Does the real-time scan scan files when they are renamed or linked?

The real-time scan can scan files every time they are opened, closed or executed. It does notscan them when you rename or create or remove a link to a file.

Generic Issues

Generic troubleshooting issues with the product.

How can I clean an interrupted installation?

If the product installation is interrupted, you may have to remove the product components manually.

1. List all installed rpm packages:

rpm -qa | grep f-secure

rpm -qa | grep fsav

2. Remove installed packages. Run the following command for each installed package:

rpm -e --noscripts <package_name>

3. Remove all of the product installation directories:

rm -rf /var/opt/f-secure/fsav

rm -rf /var/opt/f-secure/fsma

rm -rf /etc/opt/f-secure/fsav


rm -rf /etc/opt/f-secure/fsma

rm -rf /opt/f-secure/fsav

rm -rf /opt/f-secure/fsma

System is very slow. What is causing this?

The real-time virus scan and Integrity Checking can slow down the system.

1. Use basic Linux tools (top and vmstat) to check what is slowing down the system.
2. Make sure that you are using the dazuko version that is shipped with the product.
3. If a file that is accessed often is time-consuming to scan, consider adding it to the excluded list.
4. If you are using the centralized administration mode, make sure that the DNS queries return addresses quickly or use IP addresses with F-Secure Policy Manager.

The product is unable to contact the database, how can I fix this?

Sometimes, after a hard reset for example, the product may be unable to contact the database. Follow these instructions to resolve the issue:

1. As root, remove the database PID file:

rm /var/opt/f-secure/fsav/pgsql/data/postmaster.pid

2. As root, restart the product:

/etc/init.d/fsma restart


I get reports that "F-Secure Status Daemon is not running", how can I start it?

Sometimes, after a hard reset for example, F-Secure Status Daemon may fail to start. Restart the product to solve the issue:

/etc/init.d/fsma restart

Alternatively, you may start F-Secure Status Daemon manually:

/opt/f-secure/fsav/bin/fstatusd

I need to compile kernel drivers manually, how do I do that?

You may need to compile the kernel drivers that the product needs manually, if

• you did not have compilers and other required tools installed during the installation,
• you did not have kernel headers or sources installed during the installation, or
• you have upgraded the kernel and you need to compile drivers for the new kernel.

To compile and install drivers, run the following command:

/opt/f-secure/fsav/bin/fsav-compile-drivers

Appendix A: Command Line Tools

For more information on command line tools and options, see the man pages.

Topics:

• fsav
• fsav-config
• dbupdate
• fsfwc
• fsic
• fsims
• fsma
• fssetlanguage
• fschooser

fsav

fsav is a program that scans files for viruses and other malicious code.

fsav scans specified targets (files or directories) and reports any malicious code it detects. Optionally, fsav disinfects, renames or deletes infected files.

Follow these instructions to scan files from the shell:

• To scan all default file types on all local disks, type: fsav /
• To scan all files in a directory and its subdirectories, enter the directory name. For example: fsav mydirectory
• To scan a single file, enter the file name (without wildcards). For example: fsav myfile.exe

Recursive scan detects mounted network file system subdirectories and does not scan network file systems. Scanning a network file system from the client would create unnecessary load on the network and it is much slower than scanning the local file system.

If you want to scan the network file system, run fsav / on the server.

If you cannot run fsav on the server, you can scan the network file system from the client by explicitly specifying mounted network file system directories on the fsav command line.

For example, if an NFS file system is mounted in /mnt/server1, scan it with the following command: fsav /mnt/server1

Note: Only regular files on mounted filesystems can be scanned. Special files, such as CD-ROM or DAT devices (/dev/st0, /dev/hda and such), cannot be scanned unless they are mounted as filesystems, or files are extracted on a filesystem from the tape first.

For more information on command line options, see the fsav man pages or type: fsav --help

fsav-config

The fsav-config tool creates the initial product configuration.

If you install the product using RPM packages, you have to use the fsav-config command line tool.


1. Use the following command to create the initial product configuration:

/opt/f-secure/fsav/fsav-config

The script will display some questions. The default value is shown in brackets after the question. Press ENTER to select the default value.

2. Select the language you want to use in the Web User Interface.

Select language to use in Web User Interface
[1] English (default)
[2] Japanese
[3] German

3. Enter the keycode to set up the full, licensed version of the product. Enter the keycode in the format you received it, including the hyphens that separate sequences of letters and digits. If you want to evaluate the product and do not have a keycode, press ENTER.

4. Select between the stand-alone and centrally managed installation.
a) In the centrally managed installation, enter the address of the F-Secure Policy Manager Server.

Address of F-Secure Policy Manager Server: [http://localhost/]:

b) In the centrally managed installation, enter the location of the admin.pub key. This is the key that you created during F-Secure Policy Manager Console Installation.

5. Select whether you want to allow remote accesses to the Web User Interface.

Allow remote access to the web user interface? [no]

6. Select whether the Web User Interface can be opened from the localhost without a login.

Allow connections from localhost to the web user interface without login? [yes]

7. Enter the user name who is allowed to use the Web User Interface.

Please enter the user name who is allowed to use the web user interface.

Note: The user name is a local Linux account. You have to create the account if it doesnot exist yet. Do not use the root account for this purpose.

8. Select whether you want to add the currently installed kernel modules to the Integrity Checker known files list and generate the baseline.

Would you like to enable Linux kernel module verification [yes]?

9. Enter the baseline passphrase.

Please insert passphrase for HMAC creation (max 80 characters)

dbupdatedbupdate is a shell script for updating F-Secure Anti-Virus virus definition databases.

Before you can update virus definition databases manually, you have to disable the periodicdatabase update.

Follow these instructions to update virus definition databases manually from the command line:

1. Download the fsdbupdate.run file from:http://download.f-secure.com/latest/fsdbupdate.runfsdbupdate.run is a self-extracting file that stops the automatic update agent daemon,updates databases and restarts the automatic update agent.

2. Run the following command as root user: dbupdate fsdbupdate.runwhere fsdbupdate.run is the absolute or relative path to the fsdbupdate.run file.

For more information on command line options, see the dbupdate man pages or type: dbupdate--help

fsfwcfsfwc is a command line tool for setting firewall security levels.

Use the following command to change the current security profile: /opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass}


fsic

You can create the baseline, add files to the baseline and verify the baseline with the fsic command line tool.

1. To create the baseline, follow these instructions:
a) Run the fsic tool with the --baseline option: fsic --baseline
b) Enter a passphrase to create the signature.
A new baseline has been created.

2. To add files to the baseline, follow these instructions:
a) Run the fsic tool with the --add, --alert and --protect options:

/opt/f-secure/fsav/bin/fsic --add --alert=yes --protect=yes /etc/passwd /etc/shadow

b) Recalculate the baseline. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline: /opt/f-secure/fsav/bin/fsic --baseline

c) Enter a passphrase to create the signature.
In this example, the product is also configured to send an alert about unauthorized modification attempts of the protected files.

3. To verify the baseline:
a) Run the command: /opt/f-secure/fsav/bin/fsic
b) Enter the passphrase that you used when you created the baseline.
The product validates files and displays whether the files are intact.
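The following shell wrapper is an added example and is not part of the product or this manual. It validates the file list before passing it to the fsic command shown above (absolute paths only, regular files only, no symlinks), then runs fsic --add with --alert=yes --protect=yes and regenerates the baseline with fsic --baseline. The FSIC variable, the dry-run output when the tool is not installed, and the decision to refuse symlinks are the example's own assumptions; the fsic options are the ones documented above.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: a wrapper around
#   fsic --add --alert=yes --protect=yes FILE...
# that refuses paths the Integrity Checker should not be fed (relative
# paths, symlinks, anything that is not a regular file) before anything is
# added to the baseline. FSIC defaults to the tool path given in the manual;
# the override is an assumption used for dry runs.
FSIC=${FSIC:-/opt/f-secure/fsav/bin/fsic}

# fsic_check_paths FILE... -> prints accepted absolute paths, one per line.
# Returns 1 if any argument was rejected, so a typo never silently shrinks
# the set of protected files.
fsic_check_paths() {
    rc=0
    for p in "$@"; do
        case $p in
            /*) ;;
            *) echo "reject (not an absolute path): $p" >&2; rc=1; continue ;;
        esac
        # Policy choice of this wrapper, not documented fsic behaviour:
        # protect the real file, never a link, so that the checked object is
        # the content an attacker would have to modify.
        if [ -L "$p" ]; then
            echo "reject (symlink, add its target instead): $p" >&2; rc=1; continue
        fi
        if [ ! -f "$p" ]; then
            echo "reject (missing or not a regular file): $p" >&2; rc=1; continue
        fi
        printf '%s\n' "$p"
    done
    return $rc
}

# fsic_protect FILE... -> adds the validated files with alert+protect, then
# regenerates the baseline (fsic prompts for the passphrase interactively).
# Without the product installed, prints the commands it would run.
fsic_protect() {
    files=$(fsic_check_paths "$@") || return 1
    [ -n "$files" ] || return 1
    # Re-split the accepted list on newlines only, so paths with spaces
    # survive and glob characters are not expanded.
    oldifs=$IFS
    IFS='
'
    set -f
    # shellcheck disable=SC2086
    set -- $files
    set +f
    IFS=$oldifs
    if [ -x "$FSIC" ]; then
        "$FSIC" --add --alert=yes --protect=yes "$@" && "$FSIC" --baseline
    else
        echo "dry run: $FSIC --add --alert=yes --protect=yes $*"
        echo "dry run: $FSIC --baseline"
    fi
}

# Demonstration of the validation on a constructed temporary file plus two
# paths that must be rejected.
demo=$(mktemp)
fsic_check_paths "$demo" relative.conf "$demo.missing" || echo "some paths were rejected"
rm -f "$demo"
```

On a host with the product installed, `fsic_protect /etc/passwd /etc/shadow` performs the documented steps 2a and 2b; fsic then asks for the passphrase as in step 2c.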

fsims

You can use the fsims command to use the Software Installation Mode from the shell.

Follow these instructions to install new software:

1. Use the following command to enable Software Installation Mode: /opt/f-secure/fsav/bin/fsims on

2. Install the new software.
3. Disable the Software Installation Mode to restore the normal protection level: /opt/f-secure/fsav/bin/fsims off


fsma

You can use the fsma command to check the status of the product modules.

Run the following command: /etc/init.d/fsma status

The modules, their processes and what they do:

F-Secure Alert Database Handler Daemon
    Process: /opt/f-secure/fsav/sbin/fsadhd
    Description: Stores alerts to a local database. Alerts can be viewed with the web user interface.

F-Secure FSAV Policy Manager Daemon
    Process: /opt/f-secure/fsav/bin/fsavpmd
    Description: Handles all F-Secure Policy Manager Console operations (for example, Scan all hard disks now, Update database now, Reset statistics).

F-Secure Firewall Daemon
    Process: /opt/f-secure/fsav/bin/fsfwd.run
    Description: The interface between F-Secure Management Agent and the iptables/netfilter firewall.

F-Secure FSAV License Alerter
    Process: /opt/f-secure/fsav/libexec/fslmalerter
    Description: Checks and informs how many days are left in the evaluation period when the product is installed in the evaluation mode.

F-Secure FSAV On-Access Scanner Daemon
    Process: /opt/f-secure/fsav/sbin/fsoasd
    Description: Provides all real-time protection features: real-time virus scanning, real-time integrity checking and rootkit protection.

F-Secure FSAV Status Daemon
    Process: /opt/f-secure/fsav/bin/fstatusd
    Description: Checks the current status of every component and keeps desktop panel applications and the web user interface up to date.

F-Secure FSAV Web UI
    Process: /opt/f-secure/fsav/tomcat/bin/catalina.sh start
    Description: Handles the web user interface.

F-Secure FSAV PostgreSQL daemon
    Process: /opt/f-secure/common/postgresql/bin/startup.sh
    Description: Stores alerts that can be viewed with the web user interface.

fssetlanguage

You can use the fssetlanguage tool to change the Web User Interface language.

Use the following command to set the language: /opt/f-secure/fsav/bin/fssetlanguage <language>

Where language is:

• en - English
• ja - Japanese
• de - German

fschooser

With fschooser, you can turn certain product features on or off.

You can turn off product components that you do not need, or that you do not have enough system resources to run.

1. Run the following command: /opt/f-secure/fsav/sbin/fschooser
The screen lists security components of the product.

2. Follow the on-screen instructions to turn components on or off.

Firewall - ENABLED, press f+RET to toggle

Web User Interface - ENABLED, press w+RET to toggle

3. Press RETURN to accept your selection.


Note: Press ctrl+C to cancel your changes.


Appendix B

Before You Install

Topics:

• 64-bit Distributions
• Distributions Using Prelink
• Red Hat Enterprise Linux, Miracle Linux, Asianux
• Debian
• SUSE
• Turbolinux
• Ubuntu

Note: Some distributions run prelink periodically from cron to make linked libraries run faster. Run this manually if it is not run automatically before you activate the Integrity Checker.


64-bit Distributions

Some 64-bit distributions do not install 32-bit compatibility libraries by default. Make sure that these libraries are installed.

The name of the compatibility library package may vary; see the documentation of the distribution you use for the package name for 32-bit compatibility libraries.

On 64-bit Ubuntu and Debian, install ia32-libs.

Distributions Using Prelink

Prelinking can reduce the startup time of binaries, but it conflicts with the Integrity Checker in the product.

You should disable automatic prelink runs from cron. On Asianux, Red Hat, or Turbolinux, edit /etc/sysconfig/prelink and change the line PRELINKING=yes to PRELINKING=no, then run /etc/cron.daily/prelink before you install the product.

Some distributions, like Asianux, run prelink periodically from cron to reduce the startup time of binaries which use dynamic libraries. Prelinking modifies binaries and dynamic libraries on the disk, which conflicts with the purpose of the Integrity Checker, which detects modifications to system files.

If you have already installed F-Secure Linux Security, follow these instructions:

1. Run /opt/f-secure/fsav/bin/fsims on from the command line to turn on the software installation mode.
In the software installation mode, the product allows modifications to system files.

2. Edit /etc/sysconfig/prelink and change the line PRELINKING=yes to PRELINKING=no.

3. Run /etc/cron.daily/prelink.
4. Run /opt/f-secure/fsav/bin/fsims off from the command line to turn off the software installation mode.

When the software installation mode is turned off, the state of system files is stored in the Integrity Checker baseline.


To use prelinking, you have to turn on the software installation mode before prelinking and turn it off when prelinking is finished. This allows prelink to make the changes in system files in a controlled way. For example:

# /opt/f-secure/fsav/bin/fsims on
# prelink -a
# /opt/f-secure/fsav/bin/fsims off

Note: This operation cannot be automated easily. Turning off the software installation mode creates a new baseline, which needs to be signed with a passphrase that the administrator has to enter.
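The following shell functions are an added example, not part of the manual or the product. prelinking_enabled parses the PRELINKING= line of /etc/sysconfig/prelink (the file named above for Asianux, Red Hat and Turbolinux) so the conflict can be detected before installation, and prelink_under_fsims performs the fsims on / prelink -a / fsims off sequence shown above when a deliberate prelink run is wanted. The configuration files it is demonstrated against are constructed; the parsing rules (last uncommented assignment wins, quotes and trailing comments ignored) are the example's own reading of the file format.

```shell
#!/bin/sh
# Added example, not from the F-Secure manual: a pre-install check for the
# prelink conflict described above, plus the manual's controlled prelink run.

# prelinking_enabled [CONFIG] -> 0 if the effective PRELINKING value is yes.
# A missing or unreadable config counts as "not enabled".
prelinking_enabled() {
    cfg=${1:-/etc/sysconfig/prelink}
    [ -r "$cfg" ] || return 1
    # Keep only uncommented PRELINKING= assignments, take the last one,
    # drop a trailing "# comment", then strip quotes and whitespace.
    val=$(sed -n 's/^[[:space:]]*PRELINKING[[:space:]]*=[[:space:]]*//p' "$cfg" \
            | tail -n 1 | sed 's/#.*//' | tr -d "\"' \t")
    [ "$val" = "yes" ]
}

# preinstall_prelink_check [CONFIG] -> 0 when it is safe to activate the
# Integrity Checker, 1 (with advice on stderr) when prelink is still on.
preinstall_prelink_check() {
    cfg=${1:-/etc/sysconfig/prelink}
    if prelinking_enabled "$cfg"; then
        echo "PRELINKING=yes in $cfg: set it to no and run /etc/cron.daily/prelink before installing" >&2
        return 1
    fi
    echo "prelink is disabled in $cfg; the Integrity Checker baseline will stay valid"
}

# prelink_under_fsims: the manual's fsims on / prelink -a / fsims off run.
# fsims off regenerates the baseline and asks for the passphrase, so this
# is interactive by design. Does nothing if the product is not installed.
prelink_under_fsims() {
    fsims=/opt/f-secure/fsav/bin/fsims
    if [ ! -x "$fsims" ]; then
        echo "$fsims not found: product not installed, nothing done" >&2
        return 1
    fi
    "$fsims" on || return 1
    prelink -a
    rc=$?
    "$fsims" off || rc=1     # always leave installation mode, even if prelink failed
    return $rc
}

# Demonstration against constructed configuration files.
cfg=$(mktemp)
printf '# PRELINKING=no   (commented out, so not effective)\nPRELINKING=yes\n' > "$cfg"
preinstall_prelink_check "$cfg" || echo "check failed as expected for the first sample"
printf 'PRELINKING=yes\nPRELINKING="no"\n' > "$cfg"
preinstall_prelink_check "$cfg"
rm -f "$cfg"
```

Without an argument, preinstall_prelink_check reads the real /etc/sysconfig/prelink, which is the check to run before the installer on the distributions listed in this section.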

Red Hat Enterprise Linux, Miracle Linux, Asianux

The following steps are required to install the product on a computer running Red Hat Enterprise Linux, Miracle Linux or Asianux.

Red Hat EL 3 / MIRACLE LINUX 3 (Asianux 1.0)

The following packages are needed.

• gcc
• glibc-devel
• glibc-headers
• glibc-kernheaders
• kernel-source

Red Hat EL 4 / MIRACLE LINUX 4 (Asianux 2.0)

Compared to the default installation, the following additional rpm packages are needed.

• gcc
• glibc-devel
• glibc-headers
• glibc-kernheaders

At least one of the following rpm packages is needed.

• kernel-devel
• kernel-hugemem-devel
• kernel-smp-devel

To see which kernel is in use, enter the following command: uname -r

For the 'F-Icon' System Tray applet to work, the following rpm packages are required:

• kdelibs
• compat-libstdc++

Install the rpms from the system CDs either with the command rpm -ivh, with Applications ➤ System Settings ➤ Add/Remove Applications, or with the up2date command line tool in Red Hat.

Red Hat EL 5 / Asianux 3.0

Make sure that the following packages are installed. For example, use the search tab in Applications ➤ Add/Remove Software or use the rpm command:

• gcc
• glibc-devel
• glibc-headers
• kernel-devel

Debian

The following steps are required to install the product on a computer running Debian Linux.

Debian 4.0

You need to install the compiler, kernel headers, RPM and possibly additional utilities to be able to install the product. To install them, use the following commands:

sudo apt-get install gcc rpm make libc6-dev psmisc
sudo apt-get install linux-headers-`uname -r`

SUSE

The following steps are required to install the product on a computer running SUSE Linux.

These instructions have been tested on the following SUSE versions: 9.1, 9.2, 9.3, 10.0, 10.1.

Make sure that the following packages are installed. You can use YaST or some other package manager.

• kernel-source
• make
• patch
• gcc

The product installer warns you if it cannot find all the necessary components during the installation.

Turbolinux

The following steps are required to install the product on a computer running Turbolinux.

Turbolinux 10

You need to install the Turbolinux package groups Development tools and Kernel recompile kit in order to be able to compile the Dazuko kernel module.

Use the following list if you want to install individual packages:

• gcc
• cpp
• glibc-devel
• kernel-headers
• kernel-source

Sometimes Turbolinux kernel sources are not configured and they cannot be used to compile kernel drivers. To fix this, run the make oldconfig command in the kernel source tree.


Turbolinux 11

For Dazuko kernel module compilation, you need to install the same packages as in Turbolinux10. Use the following commands:

cd /usr/src/linux-2.major.minor

./SetupKernelSource.sh architecture

make oldconfig

where major.minor is the kernel version and architecture is either i686, i686smp64G, or x86_64.

Ubuntu

The following steps are required to install the product on a computer running Ubuntu Linux.

Ubuntu 6.06

You need to install the compiler, kernel headers, RPM and possibly additional utilities to be able to install the product. To install them, use the following commands:

sudo apt-get install gcc rpm make libc6-dev psmisc

sudo apt-get install linux-headers-`uname -r`

Ubuntu 7.10

sudo apt-get install rpm libc6-dev patch linux-libc-dev

Ubuntu 8.04

sudo apt-get install rpm libc6-dev patch linux-libc-dev

Ubuntu 8.04 Server

sudo apt-get install rpm libc6-dev patch linux-libc-dev make gcc


Appendix C

Basic Web User Interface

The following tables display the settings that appear on the Basic Web User Interface.

Topics:

• "I Want To"

"I Want To"

The following user interface controls appear on the Main User Interface ➤ I want to page.

Scan the computer for malware
    Use this wizard to manually scan for malware. You can select files and/or directories to scan.

Create a firewall rule
    Use this wizard to create a firewall rule. If you need to create a new service for the rule, please use the Firewall Rules screen in Advanced Mode.

Check the integrity of the file system
    Use this wizard to run an integrity check for the file system. This verifies that all files in the Integrity Checking baseline are unmodified.

Update virus definitions
    This is a link to the Automatic Updates page in Advanced Mode, where you can alter the settings for automatic virus definition updates.

Install software
    You should use this wizard to set the product in software installation mode when you are going to upgrade your system. After you have upgraded the system, you can return to this wizard and regenerate the Integrity Checking baseline. This will make sure that the updated system files do not cause unnecessary alerts. This is especially important if you are updating your Linux kernel, because if the new kernel modules are not in the Integrity Checking baseline, the product will refuse to load them and prevent system boot.

Create a baseline
    You can generate an Integrity Checking file system baseline with this wizard.


Appendix D

Advanced Web User Interface

The following tables display the settings that appear on the Advanced Web User Interface.

Topics:

• Summary
• Alerts
• Virus Protection
• Firewall
• Integrity Checking
• General Settings


Summary

The following user interface controls appear on the Advanced User Interface ➤ Summary page.

Virus Protection
    When enabled, all file accesses done by the system are scanned for malware. This also needs to be enabled for on-access integrity checking.

Firewall Protection
    Specifies the currently active security level. Firewall rules and application control are handled according to the currently active security level.

Integrity Checking
    When enabled, Integrity Checking will detect modification of baselined files.

Alerts

The following user interface controls appear on the Advanced User Interface ➤ Alerts page.

Alert table
    On the Alerts page, you can read and delete alert messages. To find the alert message you want to view, follow these instructions:
    1. Select the Status of security alerts you want to view.
       * Select All to view all alerts.
       * Select Unread to view new alerts.
       * Select Read to view alerts you have already viewed.
    2. Select the Severity of security alerts you want to view. For more information, see “Alert Severity Levels”, 38.
    Click alerts to highlight them and click Mark highlighted as read to flag them as read messages. Click Delete highlighted to delete all highlighted alerts.

Alert database maintenance
    You can delete or mark multiple messages as read simultaneously. Select how old and which alert severity messages you want to edit and click Perform action to delete or mark the selected messages as read.

Virus Protection

The following tables display the virus protection settings.

Real-time Scanning

The following user interface controls appear on the Advanced User Interface ➤ Virus Protection ➤ Real-time Scanning page.

Primary action
    Specify the primary action to take when an infection is detected.
    Report and deny access = Deny access. Send an alert.
    Disinfect = Deny access. Attempt to disinfect the file; if successful, access is allowed.
    Rename = Deny access. Rename the infected file to .virus extension.
    Delete = Deny access. Delete the infected file.
    Deny access = Deny access. Do not send an alert.
    If both primary and secondary actions fail, access is denied and a security alert is sent.

Primary Action on Suspected Files
    Specify the primary action to take when a suspected infection is detected.
    Report and deny access = Deny access. Send an alert.
    Rename = Rename the suspected file to .suspected extension.
    Delete = Delete the infected file.
    Deny access = Deny access. Do not send an alert.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Secondary Action on Suspected Files
    Specify the secondary action to take when a suspected infection is detected and the primary action has failed.
    Report and deny access = Deny access. Send an alert.
    Rename = Rename the suspected file to .suspected extension.
    Delete = Delete the infected file.
    Deny access = Deny access. Do not send an alert.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Files and directories excluded from scanning
    Directories listed here will not be scanned. Specify the names of the directories to be excluded from scanning. Use full, absolute paths. Enter each directory on its own line. Directory names may contain whitespace.

Scan only executables
    Scanning may be restricted to executable files only (files with the execute bit on). Generally this is not recommended, since malware can also spread through non-executable files, such as word processor macros.

Whitelisted executables
    List of executables for which all file access is always allowed. Enter full paths to executables, one per line.

Whitelisted executables must match baseline
    An executable on the whitelist is allowed free access only if it matches the Integrity Checker baseline.

Scan when opening a file
    Specify whether files should be scanned when they are opened.

Scan when closing a file
    Specify whether files should be scanned when they are closed.

Scan when running an executable
    Specify whether files should be scanned when they are executed.

Scan inside archives
    Specifies whether archives should be included in real-time scanning. The supported archive formats include, for example, .tar.gz and .zip.

Maximum number of nested archives
    Defines how many levels deep to scan in nested archives. It is not recommended to set this value too high, as this makes the product more vulnerable to DoS (Denial of Service) attacks. If an archive has more nested archives than the limit, a scan error is generated. The action the product takes after a scan error can be defined with the 'Real-time Protection/Error Handling/Action After Scan Error' setting.

Treat password protected archives as safe
    Defines how password-protected archives should be handled. If set to Yes, password-protected archives are considered to be safe and access is allowed. Otherwise access is not allowed.

Stop on first infection inside an archive
    Defines what happens when the first infection is found inside an archive. If set to Yes, scanning stops on the first infection. Otherwise the whole archive is scanned.

Scan for Riskware
    Set this on to report and handle riskware detections. Riskware is potential spyware and other software that may be used maliciously.

Primary Riskware Action
    Specify the primary action to take when riskware is detected.
    Report and deny access = Deny access. Send an alert.
    Rename = Rename the infected file to .riskware extension.
    Delete = Delete the infected file.
    Deny access = Deny access. Do not send an alert.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Secondary Riskware Action
    Specify the secondary action to take when riskware is detected and the primary action has failed.
    Report and deny access = Deny access. Send an alert.
    Rename = Rename the infected file to .riskware extension.
    Delete = Delete the infected file.
    Deny access = Deny access. Do not send an alert.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Excluded Riskware
    Riskware that should be excluded from scanning.

Scheduled Scanning

The following user interface controls appear on the Advanced User Interface ➤ Virus Protection ➤ Scheduled Scanning page.

Schedule
    This table contains scheduled scanning tasks defined in a similar manner as in the crontab. The scanning uses the settings defined in the Manual Scanning branch. See 'man crontab' for the allowed values for the Minute, Hour, Day of Month, Month and Day of Week fields.

Manual Scanning

The following user interface controls appear on the Advanced User Interface ➤ Virus Protection ➤ Manual Scanning page.

Primary action
    Specify the primary action to take when an infection is detected.
    Do nothing = Do nothing. (Only show the infection to the user.)
    Report only = Only send an alert.
    Disinfect = Attempt to disinfect the file.
    Rename = Rename the infected file to .virus extension.
    Delete = Delete the infected file.
    Custom = Run a command specified in the custom primary action field.
    Abort scan = Abort further scanning.
    If both primary and secondary actions fail, an alert is sent describing the failed actions.

Primary custom action
    If "Custom" is chosen as the primary action, the custom action must be specified here.
    Note that the custom action is executed as the super user of the system, so consider and check carefully the command you specify.
    The custom action script or program receives one parameter, the full pathname of the infected file.

Secondary action
    Specify the secondary action to take when an infection is detected and the primary action has failed.
    Do nothing = Do nothing. (Only show the infection to the user.)
    Report only = Only send an alert.
    Disinfect = Attempt to disinfect the file.
    Rename = Rename the infected file to .virus extension.
    Delete = Delete the infected file.
    Custom = Run a command specified in the custom secondary action field.
    Abort scan = Abort further scanning.
    If both primary and secondary actions fail, an alert is sent describing the failed actions.

Secondary custom action
    If "Custom" is chosen as the secondary action, the custom action must be specified here.
    Note that the custom action is executed as the super user of the system, so consider and check carefully the command you specify.
    The custom action script or program receives one parameter, the full pathname of the infected file.

Primary Action on Suspected Files
    Specify the primary action to take when a suspected infection is detected.
    Do nothing = Do nothing. (Only show the infection to the user.)
    Report only = Only send an alert.
    Rename = Rename the suspected file to .suspected extension.
    Delete = Delete the infected file.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Secondary Action on Suspected Files
    Specify the secondary action to take when a suspected infection is detected and the primary action has failed.
    Do nothing = Do nothing. (Only show the infection to the user.)
    Report only = Only send an alert.
    Rename = Rename the suspected file to .suspected extension.
    Delete = Delete the infected file.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Scan files
    Specify whether the product should scan all files or only the files that match the extensions specified in the 'Extensions to Scan' setting.
    All files
    Only files with specified extensions

Included extensions
    Specify the list of filename extensions to be scanned. You can also use wildcards: '?' matches exactly one character, '*' matches any number of characters, including zero (0) characters. '.' (a single dot), if given alone, matches files without extension. The matching is case-insensitive.

Enable exclusions
    Determines whether some files can be excluded from scanning. Note that the files specified here are excluded from scanning even if they would be included in scanning according to what is defined in the other scanning settings.

Files and directories excluded from scanning
    Determines whether some paths (either files or directories) will be excluded from scanning. Use full, absolute path names. Type each path on its own line. Path names may contain whitespace.

Scan executables
    Specify whether executables should be scanned. If a file has any user/group/other executable bits set, it is scanned regardless of the file extension.

Scan inside archives
    Specifies whether archives should be scanned when a manual scan is launched. The supported archive formats include, for example, .tar.gz and .zip.

Maximum number of nested archives
    Defines how many levels deep to scan in nested archives. It is not recommended to set this value too high, as this makes the product more vulnerable to DoS (Denial of Service) attacks. If an archive has more nested levels than the limit, a scan error is generated.

Treat password protected archives as safe
    Defines how password-protected archives should be handled. If set to Yes, password-protected archives are considered to be safe and access is allowed. Otherwise access is not allowed.

Stop on first infection inside an archive
    Defines what happens when the first infection is found inside an archive. If set to Yes, scanning stops on the first infection. Otherwise the whole archive is scanned.

Scan for Riskware
    Set this on to report and handle riskware detections. Riskware is potential spyware.

Primary Riskware Action
    Specify the primary action to take when riskware is detected.
    Do nothing = Do nothing. (Only show the detection to the user.)
    Report only = Only send an alert.
    Rename = Rename the infected file to .riskware extension.
    Delete = Delete the infected file.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Secondary Riskware Action
    Specify the secondary action to take when riskware is detected and the primary action has failed.
    Do nothing = Do nothing. (Only show the detection to the user.)
    Report only = Only send an alert.
    Rename = Rename the infected file to .riskware extension.
    Delete = Delete the infected file.
    If the primary action fails, the secondary action is applied. If the secondary action also fails, an alert is sent describing the failed actions.

Excluded Riskware
    Type of riskware that should not be detected.

Preserve access times
    If this setting is on, file access times are not modified when they are scanned. If a file is modified due to disinfection, then both access and modify times will change.
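The custom primary and secondary actions above receive one argument, the full path of the infected file, and run as the super user. The following script is an added example, not from the manual or the product, of a custom action that moves the detected file into a quarantine directory, strips its permission bits and logs the move. The directory /var/lib/fsav-quarantine and the log line format are assumptions of the example. Because the product runs it as root, the script refuses relative paths and symlinks before touching anything, and the sample file it is demonstrated on is constructed.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual: a custom action for
# Manual Scanning. The product calls the configured command as root with
# one argument, the full path of the infected file, so the script validates
# the path instead of trusting it. QUARANTINE_DIR is an assumed location;
# override it in the environment if needed.
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/lib/fsav-quarantine}

# quarantine_file PATH -> moves PATH into QUARANTINE_DIR, strips all
# permission bits, appends a log line and prints the new location.
# Returns 1 (and moves nothing) for relative paths, symlinks, or anything
# that is not a regular file.
quarantine_file() {
    src=$1
    case $src in
        /*) ;;
        *) echo "refuse: not an absolute path: $src" >&2; return 1 ;;
    esac
    # Running as root, following a symlink planted in a scanned directory
    # would let a local user have an arbitrary file moved away. Check the
    # link first, then the type, so a dangling link is also refused.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refuse: not a regular file: $src" >&2; return 1
    fi
    # chmod is unconditional: a pre-existing, more permissive directory
    # must not stay readable by other users.
    mkdir -p "$QUARANTINE_DIR" && chmod 0700 "$QUARANTINE_DIR" || return 1
    # Unique target name; basename is quoted so spaces in the path survive.
    dst="$QUARANTINE_DIR/$(date +%Y%m%dT%H%M%S).$$.$(basename "$src")"
    mv -- "$src" "$dst" || return 1
    chmod 0000 "$dst" || return 1
    printf '%s quarantined "%s" as "%s"\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$src" "$dst" \
        >> "$QUARANTINE_DIR/quarantine.log"
    printf '%s\n' "$dst"
}

# Entry point when the product runs this file as the custom action.
if [ "$#" -eq 1 ]; then
    quarantine_file "$1" || exit 1
fi
```

Install the script with mode 0700 owned by root and enter its absolute path in the Primary custom action field; a non-zero exit makes the product fall through to the secondary action as described above.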

Firewall

The following tables display the firewall settings.

General Settings

The following user interface controls appear on the Advanced User Interface ➤ Firewall ➤ General Settings page.

Enable firewall
    Specifies whether the firewall is enabled or disabled. When enabled, the firewall rules of the currently selected security level are applied to inbound and outbound packets. When disabled, all traffic is allowed. To disable the firewall component completely, use the fschooser program.

Log all unhandled network packets
    When enabled, the firewall creates a rule that writes to syslog all packets that are not matched by any firewall rule in the current security level. If enabled, this might create a lot of log entries (depending on the firewall rules and the network traffic type).

Trusted network interfaces (comma-separated list)
    Trusted network interface names can be specified here; separate multiple names with commas. All traffic to and from these interfaces will be allowed.

Rules

The following user interface controls appear on the Advanced User Interface ➤ Firewall ➤ Firewall Rules page.

Profile to edit
    This table contains the names and descriptions of the security levels. There are some predefined security levels to support the administrator in creating his own administered environment. Some of these security levels are enabled by default and some are disabled.

Firewall Rules
    This table contains the firewall rules. Firewall rules filter IP packets based on IP addresses, port numbers, etc. Note that there is usually more than one security level defined, and that you can only define the rules for one security level at a time.

Network Services

The following user interface controls appear on the Advanced User Interface ➤ Firewall ➤ Network Services page.

Network Services
    This table contains the definitions of services that can be used to configure firewall rules.
    Protocol numbers can be found from IANA or with "grep IPPROTO.\*= /usr/include/netinet/in.h" (assuming you have the includes installed).
    Officially assigned ports are available from: ftp://ftp.iana.org/assignments/port-numbers

Integrity Checking

The following tables display the integrity checking settings.

Known Files

The following user interface controls appear on the Advanced User Interface ➤ Integrity Checking ➤ Known Files page.

Known files
    This table contains files that have been added to integrity checking.

Rootkit Prevention

The following user interface controls appear on the Advanced User Interface ➤ Integrity Checking ➤ Rootkit Prevention page.

Kernel module verification (No / Yes / Report)
    When enabled (Yes), integrity checking verifies kernel modules before they are allowed to load. Only baselined and matching kernel modules are allowed to load.
    If disabled (No), integrity checking does not perform any checking for kernel modules.
    If set to Report only, integrity checking checks the kernel modules against the baselined information but only alerts if kernel modules do not match the baseline, allowing all kernel modules to load.

Write protect kernel memory (No / Yes / Report)
    If enabled (Yes), integrity checking write protects kernel memory (/dev/kmem).
    If disabled (No), integrity checking does not write protect kernel memory (/dev/kmem).
    If set to Report only, integrity checking only reports when kernel memory is modified (/dev/kmem is opened in write mode).

General Settings

The following tables display the general settings.

Communications

The following user interface controls appear on the Advanced User Interface ➤ General ➤ Communications page.

Server Address
    URL of the F-Secure Management Server. The contents of the Communication Directory Alias and the service-specific directory and filename are concatenated to this address when doing HTTP GETs. The URL Tail is concatenated to this address when accessing the other server functions.

Upload Policy Manager Server Certificate
    The administrator can change the management key to a new one using this setting.

Alert Forwarding
    Specifies where the alerts are sent based on their severity classification.

Server
    The address of the SMTP server in the form <host>[:<port>] where "host" is the DNS name or IP address of the SMTP server, and "port" is the SMTP server port number. For details see the RFC 2821 specification.

From
    The sender's e-mail address to be put into the "From:" field of the e-mail message containing the alert.

Subject
    SMTP alert message subject. Besides the text, the following symbols can be used:
    - %SEVERITY% (informational, warning, error, fatal error, security alert)
    - %HOST_DNS% (DNS address of the host that sent the alert)
    - %HOST_IP% (IP address of the host that sent the alert)
    - %USER% (active user login name)
    - %PRODUCT_NAME% (name of the product that generated the alert)
    - %PRODUCT_OID% (OID of the product that generated the alert)
    - %DESCRIPTION% (alert description)
    - %DATE% (date when the alert was sent, in the format YYYY-MM-DD)
    - %TIME% (time when the alert was sent, in the format HH:MM:SS+GMT)
    - %ALERT_NUMBER% (alert number during the session)

Automatic Updates

The following user interface controls appear on the Advanced User Interface ➤ General ➤ Automatic Updates page.

Element | Description

Updates enabled | Enable or disable automatic checking for new updates. If set to 'Disabled', Automatic Update Agent will not automatically check for any kind of new updates. This does not prevent user initiated updates ('check now' button). Note that this setting is only applicable for workstation products.

Policy Manager Proxies | This table contains the list of Policy Manager Proxies in priority order. A Policy Manager Proxy is used to reduce the load on the server by caching Policy Manager content in the proxy. F-Secure Automatic Update Agent will first connect to the Policy Manager Update Server through the configured Policy Manager Proxies. Next it will connect to the Policy Manager Update Server directly. Next it will connect to the F-Secure Update Server through the configured Policy Manager Proxies. Next it will connect to the F-Secure Update Server directly.

Use HTTP Proxy | Configures using an HTTP proxy. Note that in Windows NT, 2000, XP and 2003 the browser's proxy settings are user account specific, and cannot (in most cases) be detected while no user is logged on. All connections from Automatic Update Agent to an Update Server or PM proxy go through the HTTP proxy. If an HTTP proxy cannot be reached, Automatic Update Agent will fall back to using a direct connection.

HTTP Proxy Address | User-defined HTTP proxy address; this is used if 'Use HTTP proxy' is set to 'User-defined'. This can be defined as http://[user[:password]@]host:port, for example:
http://myproxy.com
http://myproxy.com:8080
http://[email protected]
http://johndoe:[email protected]
User name and password are optional fields; authentication can also be configured in the application's user interface.

Intermediate server failover time (min) | Specifies how long F-Secure Automatic Update Agent should try to connect to the Intermediate server before switching over to the F-Secure Update server.

Allow fetching updates from F-Secure Update Server | Specifies if the Automatic Update Agent is allowed to connect to the F-Secure Update Server. If this setting is set to No, the Automatic Update Agent will never connect directly to the F-Secure Update Server.

Launch scan after updates | Specifies whether all local disks are scanned after new databases have been taken into use.

Send reminders | Defines whether users are reminded of the need to update virus definition databases manually when the databases become older than the defined time limit.

Database age in days before reminders are sent | Defines how many days must have passed since the publishing of the currently used virus definitions before the user is reminded of the need to update them.

Appendix E

List of Traps

Integrity Checking

The list of FSIC traps:

Trap Number | Severity | Description
710 | Security alert | Integrity checking baseline generated at host
711 | Security alert | Integrity checking baseline verification failed. Baseline has been compromised or the passphrase used to verify the baseline is incorrect
730 | Security alert | File failed integrity check
799 | Error | Could not save the baseline entries to policy

Policy Manager

The list of FSAVPMD traps. All other alerts that are possibly sent from the perl script are sent with ERROR level.

Trap Number | Severity | Description
50 | Informational | Scan started
51 | Informational | Scan finished
60 | Informational | Database update started
61 | Informational | Database update finished
100 | Security alert | On-Access Virus Alert
150 | Informational | Process started
151 | Informational | Process stopped
152 | Fatal error | Process crashed
153 | Fatal error | Process failed to start
158 | Informational | F-Secure Anti-Virus Linux Security started
159 | Informational | F-Secure Anti-Virus Linux Security stopped
170 | Security alert | Evaluation period expired
171 | Informational | Evaluation version
200 | Security alert | Virus Alert
201 | Security alert | Virus Alert: Disinfected
202 | Security alert | Virus Alert: File deleted
203 | Security alert | Virus Alert: File renamed
204 | Security alert | Virus Alert: Not disinfected
205 | Security alert | Virus Alert: Action failed
206 | Security alert | Virus Alert: Custom action executed
207 | Security alert | Virus Alert: Scan aborted
322 | Informational | Database update files received successfully
500 | Informational | Virus definition database integrity verified successfully
999 | Informational | Debug output

Virus Definition Database Verification

The list of DAAS traps.

Trap Number | Severity | Description
506 | Warning | Extra files were detected in the database update package
512 | Warning | The package has been modified
513 | Warning | Bad or missing manifest file
514 | Warning | Bad or missing manifest file certificate
515 | Warning | The virus definition database update is older than the previously accepted one
516 | Warning | The manifest file does not have a matching certificate
518 | Warning | Bad or missing F-Secure Corporation certificate
519 | Warning | Bad or missing certificate from virus definition database publisher
520 | Warning | No certificate from the publisher matches the manifest file certificate
521 | Warning | The certificate in the package has not been issued by F-Secure Corporation
522 | Warning | The publisher's certificate was not valid when the database update was published
523 | Warning | The publisher's certificate in the package does not express the right to publish database updates
530 | Warning | The publisher's certificate in the package had been revoked when the database update was published
531 | Warning | The publisher's certificate in the package has been revoked with high severity
535 | Warning | Bad or missing revocation file
550 | Warning | There was not enough memory to complete the operation
551 | Warning | A file I/O error occurred during the operation
552 | Warning | Unsupported database type

DBTool

The list of DBTool traps.

Trap Number | Severity | Description
4 | Error | File was not found
308 | Error | Cannot open file
309 | Error | File is encrypted
310 | Error | Scanning of a file could not be completed at this time
311 | Error | Cannot write to file
323 | Error | Virus definition database file is invalid
324 | Error | Virus definition database file is invalid. The integrity check failed for the database file.

Firewall

The list of firewall daemon traps.

Trap Number | Severity | Description
153 | Fatal error | Process failed to start
801 | Informational | Firewall enabled
802 | Error | Firewall disabled
803 | Error | Could not set firewall rules
804 | Informational | Firewall rules updated

Anti-virus

The list of on-access scanner traps:

Trap Number | Severity | Description
150 | Informational | Process started
153 | Fatal error | Process failed to start
200 | Security alert | Virus Alert
201 | Security alert | Virus Alert: Disinfected
202 | Security alert | Virus Alert: File deleted
203 | Security alert | Virus Alert: File renamed
205 | Security alert | Virus Alert: Action failed
220 | Security alert | Riskware Alert
221 | Security alert | Riskware Alert: Disinfected
222 | Security alert | Riskware Alert: File deleted
223 | Security alert | Riskware Alert: File renamed
225 | Security alert | Riskware Alert: Action failed
301 | Error | Scanning Error
309 | Error | File Encrypted
318 | Error | Scanning Aborted
600 | Security alert | Real-time protection fatal error
700 | Security alert | Integrity checking fatal error
720 | Security alert | Integrity checking hash calculation failed
721 | Security alert | Integrity checking file attribute check failed
730 | Security alert | Integrity checked file compromised
731 | Security alert | Integrity checker prevented a modification attempt to a protected file
733 | Security alert | Kernel module loader tried to open unbaselined file
734 | Security alert | Kernel module loader tried to open compromised file
735 | Security alert | Unknown kernel module loader detected
736 | Security alert | Kernel protected from modification
741 | Security alert | Kernel modified

Appendix F

Get More Help

The fsdiag report, which is generated by the F-Secure Diagnostics Tool, contains vital information from your system. The information is needed by our support engineers so that they can solve your problem. After you run fsdiag, the fsdiag.tar.gz report file is created in the current directory.

The report contains information about F-Secure products, as well as operating system logs and system settings. The collected data is essential for problem solving and troubleshooting. In some cases this information might be considered confidential. Please note that the data collected will only be stored locally.

Go to http://support.f-secure.com to see more troubleshooting information and for instructions on how to contact our technical support team.

Appendix G

Man Pages

fsav (G-2)
fsavd (G-32)
dbupdate (G-48)
fsfwc (G-52)
fsic (G-55)
fschooser (G-62)
fsims (G-64)
fssetlanguage (G-67)

fsav (1)

fsav - command line interface for F-Secure Security Platform

fsav options target ...

Description

fsav is a program that scans files for viruses and other malicious code. fsav scans the specified targets (files or directories) and reports any malicious code it detects. Optionally, fsav disinfects, renames or deletes infected files.

The types of viruses F-Secure Security Platform detects and disinfects include but are not limited to: Linux viruses, macro viruses infecting Microsoft Office files, Windows viruses and DOS file viruses. F-Secure Security Platform can also detect spyware, adware and other riskware (in selected products). fsav can scan files inside ZIP, ARJ, LHA, RAR, GZIP, TAR, CAB and BZ2 archives and MIME messages. F-Secure Security Platform utilizes multiple scanners to scan files: F-Secure Corporation's Hydra scan engine and Kaspersky Lab AVP scan engine.

fsav requires the fsavd scanner daemon to scan files. fsav uses UNIX domain sockets to communicate with the daemon. If fsavd is not running, fsav launches fsavd before the scan.

Options

--action1={none|report,disinf|clean,rename,delete|remove,abort,custom|exec}

Synonym to --virus-action1, deprecated.

--action2={none|report,disinf|clean,rename,delete|remove,abort,custom|exec}


Synonym to --virus-action2, deprecated.

--action1-exec=PROGRAM

F-Secure Security Platform runs PROGRAM if the primary action is set to custom/exec.

--action2-exec=PROGRAM

F-Secure Security Platform runs PROGRAM if the secondary action is set to custom/exec.

--action-timeout={e,c}

What to do when the scan times out: treat the timeout as an error (e) or as clean (c).

--archive[={on,off,yes,no,1,0}]

Scan files inside archives (default). Archives are still scanned as normal files with or without this option. See the NOTES section below about nested archives.

--auto[={on,off,yes,no,1,0}]

Disable action confirmation. Assumes 'Yes' to all enabled actions.

--avp[={on,off,yes,no,1,0}]

Enable/disable the AVP scanning engine for the scan and the disinfection. If any engine is enabled, all other engines are disabled (unless explicitly enabled).

--config={file[:PATH]|fsma[:OID]}

file: Use the configuration file based management method, optionally using PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf).

fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts.

--databasedirectory=path

Read virus definition databases from the directory path. The default is ".".

This option cannot be used to change the database directory of an fsavd that is already running. The option is effective only when fsav launches fsavd.

The default value is /var/opt/f-secure/fsav/databases/.

--dbupdate=update directory

Initiate the database update from the update directory. The update directory should contain new virus definition databases.

Warning

Do not use this option directly from the command line! This option is intended to be used only with the dbupdate script.

--allfiles[={on,off,yes,no,1,0}]

Scan all files regardless of the extension. By default, the setting is on. (In previous versions, this option was called 'dumb'.)

--exclude=path

Do not scan the given path.

--exclude-from=file

Do not scan paths listed in the file. Paths should be absolute paths ending with a newline character.

--extensions=ext,ext,...

Specify the list of filename extensions to be scanned. You can use “?” or “*” as wildcard characters.

The default list is:

*

--fse[={on,off,yes,no,1,0}]

Enable/disable the FS-Engine for the scan and the disinfection. If any engine is enabled, all other engines are disabled unless explicitly enabled.

--help

Show the short help of command line options and exit.

--input

Read files to scan from the standard input.

--list[={on,off,yes,no,1,0}]


List all files that are scanned.

--maxnested=value

Should be used together with the --archive option. Sets the maximum number of nested archives (an archive containing another archive). If fsav encounters an archive that contains more nested archives than the specified value, it reports a scan error for the file. See the NOTES section below about nested archives.

If the value is set to 0, the archive is scanned but if it contains another archive, fsav reports a scan error for the file.

The default value is 5.

--mime[={on,off,yes,no,1,0}]

Enable MIME message scanning. MIME messages are scanned the same way as archives and the --maxnested option applies to them as well.

--noinvalidmime

Ignore MIME header anomalies.

--nomimeerr

Ignore MIME decoding errors.

--nomimepart

Ignore errors due to partial MIME content.

--nopass

Ignore password-protected archives. NOTE: Certain password-protected archives are reported as suspected infections instead of password-protected archives.

--preserveatime[={on,off,yes,no,1,0}]

Preserve the last access time of the file after it is scanned. If the option is enabled, the last access time of the file does not change when it is scanned. The option can be used for example with some back-up systems that back up only files that have an updated last access time field.

--raw[={on,off,yes,no,1,0}]

Write the ESC character (\033) as is to output. By default the ESC character is shown in reverse video as the string “<ESC>”.

--riskware[={on,off,yes,no,1,0}]

Report riskware detections. Riskware is potential spyware. This feature is available in selected products.

--riskware-action1={none|report,rename,delete|remove}

Primary action to take when riskware is found: report only (to terminal and as an alert), rename, or delete/remove.

--riskware-action2={none|report,rename,delete|remove}

Secondary action to take if the primary action fails. Parameters are the same as for the primary action.

--scanexecutables[={on,off,yes,no,1,0}]

Enable the executable scanning. If a file has any of the user/group/other executable bits set, it is scanned regardless of the file extension.

--scantimeout=value

Set a time limit in seconds for a single file scan or disinfection task. If scanning or disinfecting the file takes longer than the specified value, fsav reports a scan error for the file.

If the value is set to 0 (default), the scan timeout is disabled and the file is scanned until the scan finishes (or a scan error occurs).

--short[={on,off,yes,no,1,0}]

Use the short output format. Only the path to infected or renamed files is shown.

--shutdown

By default, fsavd does not immediately exit after completing a file scan but hangs around waiting for new scan tasks. This option can be used to make an idle fsavd exit immediately.

--silent[={on,off,yes,no,1,0}]

Do not generate any output (except error messages).

--socketname=socket path

Use the given socket path to communicate with fsavd. The default socket path is /tmp/.fsav-<UID>, or /tmp/.fsav-<UID>-sa if fsav is started with the --standalone option.

--status

Show the status of the fsavd scanning daemon and exit. If the daemon is running, the exit code is zero. Otherwise, the exit code is non-zero.

NOTE: Usually, a scanning daemon which is not running is not an error, as fsav launches the daemon before the scan by default. The daemon that was launched by fsav exits after some idle time. To run a permanent instance of the scanning daemon, see fsavd(8).

--suspected-action1={none|report,rename,delete|remove}

Primary action to take when a suspected virus infection is found: report only (to terminal and as an alert), rename, or delete/remove.

--suspected-action2={none|report,rename,delete|remove}

Secondary action to take if the primary action fails. Parameters are the same as for the primary action.

--standalone[={on,off,yes,no,1,0}]

Use the standalone version to scan files. The option forces the launch of a new fsavd.

--stoponfirst[={on,off,yes,no,1,0}]

Stop after finding the first infection with any scan engine. If a file contains multiple infections, only the first is reported. If several scan engines can detect the infection, only the first one is reported. By default, the option is disabled.

--symlink[={on,off,yes,no,1,0}]

Follow symbolic links. Symbolic links are not followed by default.

--usedaemon[={on,off,yes,no,1,0}]

Use the existing daemon to scan files. fsavd must be running or the command fails. See fsavd(8) for more information.

If the connection to the server fails, fsav generates an error. Without this option, if the connection fails, fsav launches fsavd automatically.

--skiplarge[={on,off,yes,no,1,0}]

Do not scan files equal to or larger than 2 GB (2,147,483,648 bytes). If this option is not set, an error will be reported for large files.

--version

Show the F-Secure Security Platform version, engine versions and dates of database files, and exit.

Note

Database versions contain the date of the databases only. There may be several databases released on the same day. If you need more detailed version information, open header.ini in the database directory and search for the following lines:

[FSAV_Database_Version]
Version=2003-02-27_03

The string after “Version=” is the version of the databases.

--virus-action1={report,disinf|clean,rename,delete|remove,abort,custom|exec}

Primary action to take when a virus infection is found: report only (to terminal and as an alert), disinfect/clean, rename, delete/remove, abort scanning or execute a user-defined program (custom/exec).

--virus-action2={report,disinf|clean,rename,delete|remove,abort,custom|exec}

Secondary action to take if the primary action fails. Parameters are the same as for the primary action.

SCAN REPORTS

By default, fsav reports infected files and suspected infections to stdout. Scan errors are reported to stderr.

An example of an infection in the scan report:

/tmp/eicar.com: Infected: EICAR-Test-File [AVP]

where the file path is on the left, the name of the infection in the middle and the name of the scan engine that reports the infection in brackets.

An example of a suspected infection in the scan report:

/tmp/sample.img: Suspected: Type_Boot [AVP]

which differs from the infected output only by the type of the suspected infection in the middle.

The following suspected infections can occur when MIME scanning is enabled:

Partial MIME message.

Explanation: Partial MIME messages are split into several files and cannot be scanned. Typically, the message contains the following header information: 'Content-Type: message/partial;'.

MIME decompression error.

Explanation: The scanned MIME message uses non-standard encoding and cannot be scanned.

Invalid MIME header found.

Explanation: The scanned MIME message uses a non-standard header and cannot be scanned.

The --list option shows the clean files in the report. An example of the output:

/tmp/test.txt - clean

The --archive option scans the archive content and the output is as follows for infected or suspected archive content:

[/tmp/eicar.zip] eicar.com: Infected: EICAR-Test-File[AVP]

where the path to the archive surrounded by brackets is on the left, followed by the path to the infected file in the archive. In the current release, nested archives and clean archive content are not listed in the output.
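When fsav runs from a scheduled job, its stdout is usually the only record of what was found, so the four line formats documented above (infected, suspected, clean with --list, and archive members with --archive) are worth parsing into structured records before they go to a log pipeline or ticketing system. This is an added Python example, not part of the fsav man page or the product; the sample report it parses is constructed from the formats shown above, with a confirmation prompt line included to show that non-verdict output is skipped rather than misread as a detection.

```python
"""Parse fsav scan report lines into structured records (added example, not F-Secure code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# "/path: Infected: NAME [ENGINE]" and "[archive] member: Suspected: NAME[ENGINE]";
# the man page shows the engine bracket both with and without a leading space.
_VERDICT_RE = re.compile(
    r"^(?:\[(?P<archive>[^\]]+)\]\s+)?"       # optional [archive path] prefix (--archive)
    r"(?P<path>.+?):\s+"
    r"(?P<verdict>Infected|Suspected):\s+"
    r"(?P<name>.+?)\s*\[(?P<engine>[^\]]+)\]$"
)
# "/path - clean", printed only with --list
_CLEAN_RE = re.compile(r"^(?P<path>.+?)\s+-\s+clean$")


@dataclass(frozen=True)
class ScanRecord:
    path: str
    verdict: str                   # "Infected", "Suspected" or "clean"
    name: Optional[str] = None     # detection name; None for clean files
    engine: Optional[str] = None   # engine that reported it, e.g. AVP
    archive: Optional[str] = None  # enclosing archive when the hit is an archive member


def parse_scan_line(line: str) -> Optional[ScanRecord]:
    """One stdout line to a record, or None for anything that is not a verdict
    (confirmation prompts, blank lines; scan errors go to stderr and never arrive here)."""
    line = line.rstrip("\r\n")
    m = _VERDICT_RE.match(line)
    if m:
        return ScanRecord(m["path"], m["verdict"], m["name"], m["engine"], m["archive"])
    m = _CLEAN_RE.match(line)
    if m:
        return ScanRecord(m["path"], "clean")
    return None


def parse_scan_report(text: str) -> List[ScanRecord]:
    return [rec for rec in map(parse_scan_line, text.splitlines()) if rec is not None]


def summarize(records: List[ScanRecord]) -> Dict[str, int]:
    """Counts per verdict, the figures a scheduled scan job would report upstream."""
    counts = {"Infected": 0, "Suspected": 0, "clean": 0}
    for rec in records:
        counts[rec.verdict] += 1
    return counts


# Constructed sample output, assembled from the line formats the man page documents.
SAMPLE_REPORT = """\
/tmp/test.txt - clean
/tmp/eicar.com: Infected: EICAR-Test-File [AVP]
/tmp/sample.img: Suspected: Type_Boot [AVP]
[/tmp/eicar.zip] eicar.com: Infected: EICAR-Test-File[AVP]
eicar.com: Disinfect? (Yes, No, yes to All)
"""

if __name__ == "__main__":
    records = parse_scan_report(SAMPLE_REPORT)
    for rec in records:
        print(rec)
    print(summarize(records))
```

Because scan errors are written to stderr, a wrapper that captures only stdout sees no error lines; capture both streams separately and treat a non-empty stderr as its own signal rather than folding it into the verdict counts.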

ACTIONS

fsav can be instructed to take actions on infected files. Possible actions are: report, disinfect/clean, rename, delete/remove, abort or custom/exec. There is a primary action, which is taken first. If the primary action fails, a secondary action is executed.

The default primary action is disinfect and the default secondary action is rename.

fsav must have write access to the file to be disinfected. Disinfection is not always possible and fsav may fail to disinfect a file. In particular, files inside archives cannot be disinfected.

Infected files are renamed to <original_filename>.virus and the executable and SUID bits are cleared from the file. Suspected files are renamed to <original_filename>.suspected. Riskware files are renamed to <original_filename>.riskware. The user running the scan must have write access to the directory in order to rename the file.

The delete action removes the infected/suspected/riskware file. The user running the scan must have write access to the directory in order to delete the file.

By default, actions are confirmed before execution. For example, for disinfection fsav asks the following confirmation:

eicar.com: Disinfect? (Yes, No, yes to All)

where the answer 'Y', 'y', 'Yes' or 'yes' confirms the action.

The answer 'A', 'a', 'All' or 'all' automatically confirms any further disinfections. If other actions are enabled, they are still confirmed unless they are automatically confirmed as well.

Any other answer will not confirm the action and the action is not taken. An action not taken is treated the same way as an action that failed, i.e. if the user does not want to take the primary action, the secondary action is tried next.

The action confirmation can be disabled with the --auto option.
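The rename action and the primary/secondary fallback described above can be modelled in a few lines, which makes the semantics easy to check before relying on them in a quarantine workflow. This is an added Python example, not the product's own code: rename_action() renames a file the way the man page describes (suffix .virus, .suspected or .riskware) and, as an assumption stricter than the text, clears the executable and SUID/SGID bits for every rename kind rather than only for infected files; apply_actions() tries the primary action and falls back to the secondary when the first raises an OSError, which is how a failed disinfection or a declined confirmation is treated above. The sample file it operates on is created in a temporary directory.

```python
"""Model of fsav's rename action and primary/secondary fallback (added example, not F-Secure code)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Optional, Tuple

SUFFIX = {"virus": ".virus", "suspected": ".suspected", "riskware": ".riskware"}
# Bits the man page says are cleared from an infected file when it is renamed.
_EXEC_AND_SETID = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH | stat.S_ISUID | stat.S_ISGID

Action = Callable[[Path], Path]


def rename_action(path: Path, kind: str = "virus") -> Path:
    """Rename <file> to <file>.<kind> with exec and SUID/SGID bits cleared.
    Assumption: bits are cleared for every kind (the manual documents it for .virus).
    Raises OSError when the directory is not writable, as the real action fails then."""
    src = Path(path)
    dst = src.with_name(src.name + SUFFIX[kind])
    mode = stat.S_IMODE(src.stat().st_mode)
    os.chmod(src, mode & ~_EXEC_AND_SETID)  # strip bits first so nothing executable remains
    os.rename(src, dst)
    return dst


def delete_action(path: Path) -> Path:
    """The delete/remove action; it also needs write access to the directory."""
    os.remove(path)
    return Path(path)


def apply_actions(path: Path, primary: Action, secondary: Action) -> Optional[Path]:
    """Take the primary action; if it fails (OSError), take the secondary.
    Returns the resulting path, or None when both actions failed."""
    for action in (primary, secondary):
        try:
            return action(path)
        except OSError:
            continue
    return None


def demo_rename() -> Tuple[str, int]:
    """Constructed sample: a setuid, world-executable file is renamed as infected.
    Returns the new file name and whichever exec/setid bits remain (expected: none)."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"constructed sample content, not malware")
        os.chmod(sample, 0o4755)
        renamed = rename_action(sample)
        return renamed.name, stat.S_IMODE(renamed.stat().st_mode) & _EXEC_AND_SETID


def demo_fallback() -> Optional[str]:
    """Default actions: disinfect first, rename second. Disinfection is modelled as
    failing (as it does for files inside archives), so the file ends up renamed."""
    def disinfect_fails(_: Path) -> Path:
        raise OSError("disinfection not possible")

    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "sample.bin"
        sample.write_bytes(b"constructed sample content")
        result = apply_actions(sample, disinfect_fails, rename_action)
        return result.name if result else None


if __name__ == "__main__":
    print(demo_rename())    # ('sample.bin.virus', 0)
    print(demo_fallback())  # sample.bin.virus
```

Clearing the mode bits before the rename matters when the directory is writable but the rename itself fails: the file then stays under its original name but can no longer be executed.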

WARNINGS

fsav warnings are written to the standard error stream (stderr). Warnings do not stop the program. fsav ignores the reason for the warning and the execution continues as normal.

Unknown option '<user given option name>' in configuration file <file path> line <line number>

Explanation: The configuration file contains an unknown option name.

Resolution: Edit the configuration file.

Configuration file <file path> has invalid syntax at line <line number>

Explanation: The parsing of the configuration file has failed because of invalid syntax.

Resolution: Edit the configuration file.

Could not open exclude file <file path>: <OS error>

Explanation: The file path given to the exclude option does not exist or is not accessible.

Resolution: Edit the command-line options.

Illegal archive scanning value '<user given value>' in configuration file <file path> line <line number>

Explanation: The archivescanning field in the configuration file has an incorrect value.

Resolution: Edit the configuration file and set the archivescanning field to one of the following: 1 or 0. Restart fsav to take the new values into use.

Illegal MIME scanning value '<user given value>' in configuration file <file path> line <line number>

Explanation: The mimescanning field in the configuration file has an incorrect value.

Resolution: Edit the configuration file and set the mimescanning field to one of the following: 1 or 0. Restart fsav to take the new values into use.

Illegal scan executables value '<user given value>' in configuration file <file path> line <line number>

Explanation: The scanexecutables field in the configuration file has an incorrect value.

Resolution: Edit the configuration file and set the scanexecutables field to one of the following: 1 or 0. Restart fsav to take the new values into use.

Maximum nested archives value '<user given value>' is not valid in configuration file <file path> line <line number>.

Explanation: The maxnestedarchives field in the configuration file is not a number.

Resolution: Edit the configuration file.

Maximum nested archives value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The maxnestedarchives field in the configuration file is less than zero or more than LONG_MAX.

Resolution: Edit the configuration file.

Maximum scan engine instances value '<user given value>' is not valid in configuration file <file path> line <line number>

Explanation: The engineinstancemax field in the configuration file is not a number.

Resolution: Edit the configuration file.

Maximum scan engine instances value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The engineinstancemax field in the configuration file is less than zero or more than LONG_MAX.

Resolution: Edit the configuration file.

Scan timeout value '<user given value>' is not valid in configuration file <file path> line <line number>

Explanation: The scantimeout field in the configuration file is not a valid number.

Resolution: Edit the configuration file.

Scan timeout value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The timeout field in the configuration file is less than zero or more than LONG_MAX.

Resolution: Edit the configuration file.

Scan extensions list is too long in configuration file <file path> line <line number>, list is truncated.

Explanation: The extensions field in the configuration file is more than 4096 bytes long.

Resolution: Edit the configuration file.

Unknown action '<user given value>' in configuration file <file path> line <line number>

Explanation: The action field in the configuration file has an incorrect value.

Resolution: Edit the configuration file and set the action field to one of the following: report, disinfect, clean, rename, delete, remove, abort, custom or exec. Restart fsav to take the new values into use.

Unknown syslog facility '<user given value>' in configuration file <file path> line <line number>

Explanation: The syslogfacility field in the configuration file has an incorrect value.

Resolution: Edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page. Restart fsav to take the new values into use.

FATAL ERRORS

fsav fatal errors are written to the standard error stream (stderr). In case of a fatal error, program execution stops immediately with exit code 1.

Fatal errors reported by fsav and their descriptions are listed below:

Error: no files to scan.

Explanation: The user has not given files to scan.

Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters and start fsav again.

Invalid socket path '<socket path>': not a socket.

Explanation: The user has given, in the configuration file or on the command line, a socket path which already exists but is not a socket.

Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters or the configuration file, or remove the file from the path, and start fsav again.

Invalid socket path '<socket path>': <OS error>.

Explanation: The user has given an invalid socket path in the configuration file or on the command line; either the socket does not exist or it is not accessible.

Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters or the configuration file, or remove the file from the path, and start fsav again.

Input file '<file path>' is invalid: <OS error>.

Explanation: The user has given an invalid input file path; either the file does not exist or it is not readable.

Resolution: fsav exits with fatal error status (exit code 1). The user has to correct the command-line parameters and start fsav again.

Unknown command line option '<option>'.

Explanation: The user has given an unknown option on the command line.

Resolution: fsav exits with error status. The user has to correct the command-line parameters and start fsav again.

Could not open configuration file <file path>: <OS error>

Explanation: The user has given a file path to the --configfile option which either does not exist or is not accessible.

Resolution: The user has to correct the command-line options and try again.

Scan engine directory '<directory path>' is not valid in configuration file at line <line number>: <OS error message>

Explanation: The user has specified, in the configuration file, a scan engine directory path which either does not exist, is not accessible or is too long.

Resolution: The user has to correct the path and start fsav again.

Scan engine directory '<directory path>' is not valid: <OS error message>

Explanation: The user has entered a scan engine directory path which either does notexist, is not accessible or is too long from the command-line.

Resolution: The user has to correct the path and start fsav again.

Database directory '<directory path>' is not valid in configuration file at line<line number>: <OS error message>

Explanation: The user has entered a database directory path which either does notexist, is not accessible or is too long from the configuration file.

Resolution: The user has to correct the path and start fsav again.

Database directory '<directory path>' is not valid: <OS error message>

Explanation: The user has entered a database directory path which either does notexist, is not accessible or is too long from the command-line.

Resolution: The user has to correct the path and start fsav again.

Database update directory '<directory path>' is not valid in configuration file atline <line number>: <OS error message>

Explanation: The user has entered a database update directory path which eitherdoes not exist, is not accessible or is too long from the configuration file.

Resolution: The user has to correct the path and start fsav again.

Could not open input file <file path>: <OS error>

Page 139: F-Secure Linux Security

CHAPTER G G - 20

Explanation: The user has given a file path to the input option which either does notexist or is not accessible.

Resolution: The user has to correct command-line options and try again.

Illegal command line option value '<user given option>'.

Explanation: The user has entered an unknown command-line option.

Resolution: The user has to correct command-line options and try again.

Illegal scan timeout value '<value>'.

Explanation: The user has entered an illegal scan timeout value from the command-line.

Resolution: The user has to correct command-line options and try again.

Illegal maximum nested archives value '<value>'.

Explanation: The user has entered an illegal maximum nested archives value from the command-line.

Resolution: The user has to correct command-line options and try again.

Given database update path is invalid.

Explanation: The database update path given with --dbupdate is invalid, i.e. the path does not exist, it is not accessible or it is not a directory.

Resolution: The user has to correct command-line options and try again.

Server status query failed.

Explanation: The user has tried to request the server version with version but the request processing failed.

Resolution: The server is not running. The product may be installed incorrectly. The installdirectory is either missing or wrong in the configuration file. The system may be low in resources, so launching might have failed because of e.g. insufficient memory.

Shutdown failed.

Explanation: The user has tried to request server shutdown with shutdown but the request processing failed.

Resolution: If fsavd is not running, the user does not need to do anything. If fsavd is running, but the user does not have rights to access the socket, the user may try to use the kill(1) command to shut down the server.

Failed to launch fsavd.

Explanation: fsavd is not running and fsav has tried to launch fsavd in the stand-alone mode but failed.

Resolution: The product may be installed incorrectly. The installdirectory is either missing or wrong in the configuration file. The system may be low in resources, so launching might have failed because of e.g. insufficient memory.

Scanning file '<file path>' failed: connect to fsavd failed.

Disinfect file '<file path>' failed: connect to fsavd failed.

Explanation: The file scanning failed because the connection to fsavd cannot be established.

Re-scanning file '<file path>' failed due IPC error.

Explanation: The file re-scanning failed because the connection to the server is broken.

Resolution: The server has died unexpectedly. The user should restart the server and try to scan the file again. If the problem persists, the user should send a bug report and a file sample to F-Secure.

Update directory '<file path>' is not valid: <OS error message>

Explanation: The database update directory given in the configuration file or from the command-line does not exist or it is not accessible.

Resolution: The user has to change the database update directory and try to update the databases again.

Can not do update from in-use database directory: '<file path>'

Explanation: The database update directory given in the configuration file or from the command-line is the same as the in-use database directory.

Resolution: The user has to change the database update directory and try to update the databases again.

An other database update in progress, flag file '<file path>' exists.

Explanation: The database directory contains an update flag file which is created while a database update is in progress.

Resolution: The user has to check if another database update is in progress. If no other update process exists, the user should delete the flag file and try to update the databases again.

Could not create flag file '<file path>'.

Explanation: The database directory contains an update flag file which is created while the database update is in progress, and the creation of the file has failed.

Resolution: The database update process does not have proper rights to create the flag file and fails. The user has to make sure the update process runs with proper rights or the database directory has proper access rights.

Could not open lock file '<file path>'.

Explanation: The database update process has failed to open the lock file in the database directory.

Resolution: The database update process does not have proper rights to open the lock file and fails. The user has to make sure the update process runs with proper rights or the database directory has proper access rights.

Could not acquire lock for lock file '<file path>'.

Explanation: The database update process has failed to acquire the lock for the lock file in the database directory.

Resolution: The database update process does not have proper rights to the lock file and fails. The user has to make sure the update process runs with proper rights or the database directory has proper access rights.

Could not release lock for lock file '<file path>'.

Explanation: The database update process has failed to release the lock for the lock file in the database directory.

Resolution: fsavd is halted. The user should stop fsavd and remove the lock file, do the database update and start fsavd again.

Database update and restore failed! Server halted.

Explanation: The database update process has failed to perform an update and failed to restore the database backups.

Resolution: fsavd is halted. The user should stop fsavd, remove the update flag file, do the database update and start fsavd again.

Database update failed, restored old ones.

Explanation: The database update process has failed to perform the update but succeeded in restoring the database backups.

Resolution: The user should try to update the databases again later.

Could not remove update flag file '<file path>'. Server halted.

Explanation: The database update process has successfully updated the databases, but failed to remove the update flag file.

Resolution: fsavd is halted. The user should remove the update flag file manually.
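The messages above describe one update cycle: refuse to update from the in-use directory, refuse while another update's flag file exists, back up, update, restore the backups if the update fails, and remove the flag file. The shell script below is an added example, not the product's dbupdate, that re-implements that cycle for a constructed database layout so the failure paths can be exercised offline; the flag and backup names and the validity check are assumptions, and the lock file step is left out.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual or product: an illustrative
# re-implementation of the update sequence the messages above describe (refuse
# the in-use directory, refuse while a flag file exists, back up, update, roll
# back on failure, remove the flag). File names and the validity rule are
# constructed for the example; the real lock-file step is not modelled.
FLAG_NAME=".update-in-progress"
BACKUP_NAME=".backup"

# db_valid FILE -> 0 when FILE passes the constructed check: non-empty, header "FSDB"
db_valid() {
    [ -s "$1" ] && [ "$(head -n 1 "$1")" = "FSDB" ]
}

# restore_backup DBDIR -> copy the saved databases back after a failed update
restore_backup() {
    for f in "$1/$BACKUP_NAME"/*.db; do
        [ -e "$f" ] || continue
        cp "$f" "$1/" || return 1
    done
    return 0
}

# db_update DBDIR UPDIR -> 0 updated; 1 failed, old databases restored;
# 2 refused (in-use directory, update in progress, flag not creatable);
# 3 update and restore both failed
db_update() {
    dbdir=$1; updir=$2
    flag="$dbdir/$FLAG_NAME"; bak="$dbdir/$BACKUP_NAME"
    if [ "$(cd "$dbdir" && pwd -P)" = "$(cd "$updir" && pwd -P)" ]; then
        echo "Can not do update from in-use database directory: '$updir'" >&2
        return 2
    fi
    if [ -e "$flag" ]; then
        echo "An other database update in progress, flag file '$flag' exists." >&2
        return 2
    fi
    # noclobber makes the creation exclusive, so two updaters cannot both proceed
    if ! ( set -C; : > "$flag" ) 2>/dev/null; then
        echo "Could not create flag file '$flag'." >&2
        return 2
    fi
    rm -rf "$bak" && mkdir "$bak"
    for f in "$dbdir"/*.db; do
        [ -e "$f" ] && cp "$f" "$bak/"
    done
    rc=0
    for f in "$updir"/*.db; do
        [ -e "$f" ] || continue
        if ! db_valid "$f" || ! cp "$f" "$dbdir/"; then
            rc=1
            break
        fi
    done
    if [ "$rc" -ne 0 ]; then
        if restore_backup "$dbdir"; then
            echo "Database update failed, restored old ones." >&2
        else
            echo "Database update and restore failed! Server halted." >&2
            rc=3
        fi
    fi
    rm -rf "$bak"
    rm -f "$flag" || echo "Could not remove update flag file '$flag'. Server halted." >&2
    return "$rc"
}
```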

SCAN ERRORS

fsav scan errors are written to the standard error stream (stderr). In case of a scan error, scanning of that file is immediately stopped and the scan continues with the next file in the input. If no file is found infected or suspected, the scan error is indicated with exit code 9.

Scan errors reported by fsav and their descriptions are listed below:

<file path>: ERROR: <OS error message>

Explanation: The file could not be scanned; the reason is given in the OS error message.

Resolution: The common reason is that the file does not exist or is not readable. Check the file path and access rights.

<file path>: ERROR: path too long - NOT SCANNED

Explanation: The file path is too long (> PATH_MAX). The file cannot be scanned.

Resolution: The user has to move the file to a shorter path and try to scan the file again.

<file path>: ERROR: Could not open the file [<scan engine>]

Explanation: The scan engine could not open the file for scanning because the scan engine does not have read access to the file.

Resolution: The user has to make the file readable for fsavd and try to scan the file again. If the user or fsav launches fsavd, fsavd has the same access rights as the user and can only open the same files the user is authorized to open.

<file path>: ERROR: Password protected file [<engine name>]

Explanation: The scan engine could not open the file for scanning because the file is password protected, i.e. encrypted.

Resolution: The user may try to decrypt the file and try scanning again.

<file path>: ERROR: Scan aborted [<scan engine>]

Explanation: The scanning was aborted, for example because of the scan timeout.

Resolution: The user may try scanning the file again.

<file path>: ERROR: Scan timeout [<scan engine>]

Explanation: The scanning was aborted because of the scan timeout.

Resolution: The user may try scanning the file again with a bigger scan timeout value.

<file path>: ERROR: Could not read from file [<scan engine>]

Explanation: The scanning failed because reading from the file failed.

Resolution: The file is probably corrupted and cannot be scanned.

<file path>: ERROR: Could not write to file [<scan engine>]

Explanation: The disinfection failed because writing to the file failed.

Resolution: The file is write-protected, an archive, or corrupted, and cannot be disinfected.

<file path>: ERROR: Internal error: Bad file [<scan engine>]

Explanation: The file scan failed because the scan engine could not handle the file properly.

Resolution: The file is probably corrupted and cannot be scanned.

<file path>: ERROR: Maximum nested archives encountered. [<scan engine>]

Explanation: The file scan failed because too many nested archives were encountered.

Resolution: Increase the maximum nested archives limit and try to scan again.

Scanning file '<file path>' failed: connection to fsavd lost due timeout.

Disinfect file '<file path>' failed: connection to fsavd lost due timeout.

Explanation: The file scanning failed because the connection to fsavd was lost because of an IPC timeout.

Resolution: The server has died unexpectedly. The user should restart fsavd and try to scan the file again. If the problem persists, the user should send a bug report and a file sample to F-Secure.

In case of other error messages of the type '<filename>: ERROR: <error message> [<scan engine>]' not listed here, the probable source of the error is a problematic file to be scanned. If the same error message appears every time the file is scanned, either exclude the file from the scan or send a sample file to F-Secure Anti-Virus Research. See the instructions for more information.

EXIT CODES

fsav has the following exit codes:

0    Normal exit; no viruses or suspicious files found.

1    Fatal error; unrecoverable error. (Usually a missing or corrupted file.)

3    A boot virus or file virus found.

4    Riskware (potential spyware) found.

6    At least one virus was removed and no infected files left.

7    Out of memory.

8    Suspicious files found; these are not necessarily infected by a virus.

9    Scan error, at least one file scan failed.

130  Program was terminated by pressing CTRL-C, or by a sigterm or suspend event.

fsav reports the exit codes in the following priority order:

130, 7, 1, 3, 4, 8, 6, 9, 0.
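As an added example (not from the manual or the product), the POSIX shell functions below turn the table into something a cron wrapper around fsav can act on: the meaning of a single code, the class of outcome it represents (clean, detection or failure; the grouping is the example's own), and the code fsav reports for a batch given the per-file outcomes, taken as the earliest code in the documented priority order among those that occurred.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual or product.
# Documented priority order: of the conditions that occurred during a run,
# the first one in this list is the exit code fsav reports.
FSAV_PRIORITY="130 7 1 3 4 8 6 9 0"

# fsav_exit_meaning CODE -> prints the documented meaning of one exit code
fsav_exit_meaning() {
    case "$1" in
        0)   echo "Normal exit; no viruses or suspicious files found." ;;
        1)   echo "Fatal error; unrecoverable error. (Usually a missing or corrupted file.)" ;;
        3)   echo "A boot virus or file virus found." ;;
        4)   echo "Riskware (potential spyware) found." ;;
        6)   echo "At least one virus was removed and no infected files left." ;;
        7)   echo "Out of memory." ;;
        8)   echo "Suspicious files found; these are not necessarily infected by a virus." ;;
        9)   echo "Scan error, at least one file scan failed." ;;
        130) echo "Program was terminated by CTRL-C, or by a sigterm or suspend event." ;;
        *)   echo "Unknown fsav exit code: $1"; return 1 ;;
    esac
}

# fsav_outcome_class CODE -> clean | detection | failure (grouping is this
# example's own: 6 counts as a detection because a virus was present and removed)
fsav_outcome_class() {
    case "$1" in
        0)         echo clean ;;
        3|4|6|8)   echo detection ;;
        1|7|9|130) echo failure ;;
        *)         echo unknown; return 1 ;;
    esac
}

# fsav_priority_code CODE... -> the single code reported for a set of per-file
# outcomes, i.e. the first entry of FSAV_PRIORITY that appears among the arguments
fsav_priority_code() {
    for p in $FSAV_PRIORITY; do
        for c in "$@"; do
            if [ "$c" = "$p" ]; then
                echo "$p"
                return 0
            fi
        done
    done
    echo "Unknown fsav exit code(s): $*" >&2
    return 1
}

# fsav_summary CODE -> one log line "class: meaning" for a wrapper script,
# e.g. after: fsav --auto /mnt/smbshare; rc=$?; fsav_summary "$rc"
fsav_summary() {
    m=$(fsav_exit_meaning "$1") || return 1
    printf '%s: %s\n' "$(fsav_outcome_class "$1")" "$m"
}
```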

EXAMPLES

Scan a file 'test.exe' using the default configuration file. If fsavd is not running, fsavd is launched:

$ fsav test.exe

Scan files in a directory '/mnt/smbshare' which match the extension list:

$ fsav --extensions=exe,doc,dot,xls /mnt/smbshare

Scan all files in a directory '/mnt/smbshare':

$ fsav /mnt/smbshare

Scan all files and archive contents with the scan time limit set to 3 minutes:

$ fsav --archive --scantimeout=180 --allfiles /mnt/smbshare

Scan and list files with '.EXE' or '.COM' extension in a directory '/mnt/smbshare':

$ fsav --list --extensions='exe,com' /mnt/smbshare

Scan and disinfect or rename infected/suspected files without confirmation:

$ fsav --virus-action1=disinf --virus-action2=rename --auto /mnt/smbshare

Scan files found by the find(1) command and feed the scan report to the mail(1) command:

$ find /mnt/smbshare -type f | \
    fsav --input 2>&1 | \
    mail -s 'FSAV Report' admin@localhost

Scan files found by the find(1) command and feed infected/suspected files to the mv(1) command to move them to the /var/quarantine directory. Any errors that occurred during the scan are mailed to admin@localhost:

$ (find /mnt/smbshare -type f | fsav --short --input | \
    xargs -n 1 --replace mv {} /var/quarantine) 2>&1 | \
    mail -e -s 'FSAV Error Report' admin@localhost

Check fsav, fsavd, scan engine and database versions:

$ fsav --version

Notes

Nested archives may cause scan engine failures if archive scanning is enabled. The --maxnested option may be used to limit nested archive scanning and to prevent scan engine failures. The number of nested archives that can be scanned without scan engine failures depends on the archive types. For example, .ZIP archives containing only other .ZIP archives can be nested up to 29 archives.

Archive scanning consumes memory, and scanning big archives takes a lot of time, during which the fsavd process cannot process other scan tasks. The recommended method to scan archives is to use the --scantimeout option and, in case the timeout occurs, scan the archive with a separate fsavd instance.

Bugs

Please refer to the 'Known Problems' section in the release notes.

Authors

F-Secure Corporation

Copyright

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

Portions Copyright (c) 2001-2008 Kaspersky Labs.

See Also

dbupdate(8), fsavd(8)

Page 150: F-Secure Linux Security

CHAPTER G G - 31

For more information, see F-Secure home page.


fsavd (8)

fsavd

F-Secure Security Platform daemon

fsavd options

DESCRIPTION

fsavd is the scanning daemon for F-Secure Security Platform. At startup it reads the configuration file (the default configuration file or the file specified on the command line) and starts to listen for connections on the UNIX domain socket specified in the configuration file. By default, fsavd forks itself into the background.

By default, fsav launches fsavd automatically if fsavd is not running. When fsavd is launched by the fsav client, fsavd terminates automatically after 30 seconds of idle time, when no client has connected to fsavd during that time.

If you want fsavd to stay loaded in memory, start fsavd using the <install-dir>/etc/fsavd startup script. It is recommended that you run fsavd as a non-privileged user like fsav. The script can be installed under the init.d directory.

OPTIONS

fsavd reads option values from the policy / configuration file and from the command line. Options given from the command line override the policy / configuration file settings.

Default options or policy / configuration file options can be overridden from the command line with the following command line options:

--config={file[:PATH]|fsma[:OID]}

file: Use the configuration file based management method, optionally using PATH as the configuration file instead of the default configuration file (/etc/opt/f-secure/fssp/fssp.conf).

fsma: Use the F-Secure Policy Manager based management method, optionally specifying the OID used in sending alerts.

--databasedirectory=path

Read virus definition databases from the directory path. The default is ".".

--enginedirectory=path

Load scan engines from the directory path. The default is ".".

--pidfile=path

Create a file containing the process identifier and remove it on normal exit. Without this option, no pid file is created. If path is not specified, /var/opt/f-secure/fssp/run/fsavd.pid is created. If path specifies a relative pathname, /var/opt/f-secure/fssp/run/path is created. If path specifies an absolute pathname, a file with that path is created.

--socketname=path

Use the socket specified in the path. The default is "/tmp/.fsav-<UID>".

If the file exists and is a socket, the file is removed and a new socket is created. The file removal shuts down all existing fsavd instances.

If the path contains non-existing directories, the directories are created and the directory permission is set to read/write/exec permission for the owner and read/exec permission for group and others. Created directories will have the sticky bit on by default. Directory permissions can be changed with the dirmode configuration file option.

Socket file permissions are set to read and write for the owner if the daemon is started in the stand-alone mode. If the daemon is started as a daemon, the read and write permissions are also given to the group. The setting is affected by the current umask. The socket mode can be changed with the socketmode option from the policy settings.
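The following is an added example, not part of the F-Secure manual or product: a check an audit or hardening script can run against the socket path described above. It fails when the socket is readable or writable by others (the documented modes give access only to the owner, or to the owner and group), and when any directory from the socket's parent up to a given top is world-writable without the sticky bit, since removing the socket file shuts the daemon down as the option description notes. The socket path and the top directory are arguments; the fixtures used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not part of the F-Secure manual or product: permission checks
# for the fsavd UNIX domain socket described above (default /tmp/.fsav-<UID>).

# has_bits PATH OCTAL -> true when every permission bit in OCTAL is set on PATH
# (find -perm -MODE is used because it behaves the same on GNU and BSD userlands)
has_bits() {
    [ -n "$(find "$1" -prune -perm -"$2" 2>/dev/null)" ]
}

# check_socket_mode PATH -> 0 when "others" have neither read nor write access.
# Documented modes are owner rw (stand-alone) or owner+group rw (daemon);
# a socket accessible to others lets any local account send requests to fsavd.
check_socket_mode() {
    if has_bits "$1" 002; then echo "$1: writable by others" >&2; return 1; fi
    if has_bits "$1" 004; then echo "$1: readable by others" >&2; return 1; fi
    return 0
}

# check_parent_dirs PATH [TOP] -> 0 when no directory from dirname(PATH) up to
# and including TOP (default /) is world-writable without the sticky bit.
# fsavd creates missing directories as 755 with the sticky bit; in a 777
# directory without it any user can remove the socket file, which shuts the
# daemon down. /tmp is normally 1777 and therefore passes.
check_parent_dirs() {
    dir=$(dirname "$1")
    top=${2:-/}
    while :; do
        if has_bits "$dir" 002 && ! has_bits "$dir" 1000; then
            echo "$dir: world-writable without sticky bit" >&2
            return 1
        fi
        [ "$dir" = "$top" ] && break
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break   # reached / or . : nothing above
        dir=$parent
    done
    return 0
}

# check_fsavd_socket PATH [TOP] -> 0 when PATH is a socket and both checks pass
check_fsavd_socket() {
    [ -S "$1" ] || { echo "$1: not a socket" >&2; return 1; }
    check_socket_mode "$1" && check_parent_dirs "$1" "${2:-/}"
}
```

Run it as check_fsavd_socket "/tmp/.fsav-$(id -u)" after fsavd has started; a non-zero status with the reason on stderr means the socket or a directory above it is more permissive than the documented defaults.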

--avpriskware[={on,off,yes,no,1,0}]

Enable/disable riskware scanning with the AVP scan engine (in selected products).

--standalone

Start in the stand-alone mode. fsavd terminates automatically after a period of idle time. The option causes fsavd to send an alarm signal to the parent process when the socket is ready to accept connections. When the option is used, fsavd does not fork(2) itself during the launch.

The option is intended to be used with fsav when fsav automatically launches fsavd. In normal use the option can be ignored.

--nodaemon

Do not fork the program into the background.

--help

Show command line options and exit.

--version

Show F-Secure Security Platform version and dates of signature files, and exit.

LOGGING

fsavd logs scan failures, infected and suspected files to fsavd's log file defined with the logfile option. fsavd writes errors during start-up to the standard error stream. After successful start-up, log entries are written to the log file. Error messages listed in the errors section are also logged in addition to the following activity log entries:

Failed to scan file <file path>: <error message> [<scan engine>]

Explanation: The scan engine reports it failed to scan the file. The error message contains the reason for the failure.

Failed to scan file <file path>: Time limit exceeded.

Explanation: fsavd reports that the file scan failed because the scan time limit is exceeded.

Failed to scan file <file path>: Scan aborted.

Explanation: fsavd reports that the file scan failed because the scan was aborted. The scan is aborted if the client disconnects.

File <file path> disinfected.

Explanation: fsavd reports that one of the scan engines disinfected the file successfully.


File <file path> disinfect failed.

Explanation: fsavd reports that all the scan engines failed to disinfect the file.

File <file path> infected: <infection name> [<scan engine>]

Explanation: The scan engine reports that the file was found infected.

File <file path> contains suspected infection: <infection name> [<scan engine>]

Explanation: The scan engine reports that the file contains a suspected infection.

WARNINGS

Unknown action '<user given value>' in configuration file <file path> line <line number>

Explanation: The action in the configuration file has an incorrect value.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the action field to one of the following: disinfect, rename or delete. The user has to restart fsavd for the values to take effect.

Configuration file <file path> has invalid syntax at line <line number>

Explanation: The configuration file parsing has failed because of invalid syntax.

Resolution: fsavd tries to proceed and probably encounters some other error later. The user has to edit the configuration file and restart fsavd.

Illegal archive scanning value '<user given value>' in configuration file <file path> line <line number>

Explanation: The archivescanning field in the configuration file has an incorrect value.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the archivescanning field to one of the following: 1, 0, on, off, yes, or no. The user has to restart fsavd for the values to take effect.

Illegal MIME scanning value '<user given value>' in configuration file <file path> line <line number>

Explanation: The mimescanning field in the configuration file has an incorrect value.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the mimescanning field to one of the following: 1, 0, on, off, yes, or no. The user has to restart fsavd for the values to take effect.

Illegal scan executables value '<user given value>' in configuration file <file path> line <line number>

Explanation: The scanexecutables field in the configuration file has an incorrect value.

Resolution: The user has to edit the configuration file and set the scanexecutables field to one of the following: 1, 0, on, off, yes, or no. The user has to restart fsav for the values to take effect.

Scan extensions list is too long in configuration file <file path> line <line number>, list is truncated.

Explanation: The extensions field in the configuration file is more than 4096 bytes long.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and try again.

Scan timeout value '<user given value>' is not valid in configuration file <file path> line <line number>


Explanation: The scantimeout field in the configuration file is not a valid number.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.

Scan timeout value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The timeout field in the configuration file is less than zero or more than LONG_MAX.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.

Maximum nested archives value '<user given value>' is not valid in configuration file <file path> line <line number>

Explanation: The maxnestedarchives field in the configuration file is not a number.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.

Maximum nested archives value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The maxnestedarchives field in the configuration file is less than zero or more than LONG_MAX.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.

Maximum scan engine instances value '<user given value>' is not valid in configuration file <file path> line <line number>

Explanation: The engineinstancemax field in the configuration file is not a number.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and try again.

Maximum scan engine instances value '<user given value>' is out of range in configuration file <file path> line <line number>

Explanation: The engineinstancemax field in the configuration file is less than zero or more than LONG_MAX.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and try again.

Unknown option '<user given option name>' in configuration file <file path> line <line number>

Explanation: The configuration file contains an unknown option name.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and restart fsavd.

Unknown syslog facility '<user given value>' in configuration file <file path> line <line number>

Explanation: The syslogfacility field in the configuration file has an incorrect value.

Resolution: fsavd tries to proceed. The user has to edit the configuration file and set the syslogfacility field to one of the facility names found in the syslog(3) manual page. The user has to restart fsavd for the values to take effect.

<engine name> scan engine seems to be dead.

Explanation: The scan engine <engine name> has died. Either the timeout occurred during the file scan or the scan engine process has died unexpectedly.


Resolution: fsavd has noticed the scan engine has died. fsavd tries to restart the scan engine. If the scan engine was scanning a file, the file is reported as failed to scan.

Database file <file path> not needed and should be deleted.

Explanation: The scan engine reports that the database directory contains a deprecated database file.

Resolution: The message is only informational. The user may delete the file in path <file path>.

Database file <file path> is missing.

Explanation: The scan engine reports that the database file <file path> is missing from the database directory.

Resolution: The scan engine fails to start. fsavd tries to restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically.

Database file <file path> is not a valid database.

Explanation: The scan engine reports that the database file <file path> is not a valid database file in the database directory.

Resolution: The scan engine fails to start. fsavd tries to restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically.

Database file <file path> is not a database file.

Explanation: The scan engine reports that the database file <file path> is not a validdatabase file in the database directory.

Resolution: The scan engine fails to start. fsavd tries to restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically.

Database file <file path> is corrupted.

Explanation: The scan engine reports that the database file <file path> is not a validdatabase file in the database directory.

Resolution: The scan engine fails to start. fsavd tries to restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically.

Database file <file path> has wrong database version.

Explanation: The scan engine reports that the database file <file path> has an incorrect version.

Resolution: The scan engine fails to start. fsavd tries to restart the scan engine. The user needs to perform a database update and possibly restart fsavd if fsavd fails to start the scan engine automatically.

<engine name> scan engine initialization time limit exceeded, going for shutdown.

Explanation: The scan engine has exceeded its initialization time limit (300 seconds). The reason may be a high system load, so that the scan engine processes do not get enough processing time to load the databases. Furthermore, a hardware failure may cause the scan engine to hang while reading the databases.

Resolution: fsavd shuts down the scan engine process and tries to restart the scan engine. If the problem still occurs, the user may try to update the databases or the scan engine to resolve the problem. If the problem persists, the user needs to contact F-Secure support.

<engine name> scan engine inactive for too long, going for shutdown.


Explanation: The scan engine is not responding to the keep-alive messages and it has not reported scan nor initialization statuses for a limited time period (300 seconds). The problem may be in a file which the scan engine is scanning. If the user can recognize the source as a problematic file, the user should make a bug report and send a file sample to F-Secure.

Resolution: fsavd shuts down the scan engine process and restarts the scan engine.

Could not open logfile <file path>: <OS error message>

Explanation: fsavd failed to open the logfile <file path> for logging.

Resolution: fsavd writes logs to the default logfile (stderr). The user may reconfigure the logfile location and restart fsavd.

Cannot change working directory to '<file path>'.

Explanation: fsavd failed to change the working directory to the database directory.

Resolution: fsavd tries to continue using the current directory as the working directory.

ERRORS

Failed to open scan engine shared library.

Explanation: fsavd cannot find the required scan engine shared library files which are normally found in <install directory>/lib.

Resolution: fsavd exits with error status. The installation or engine directory in the configuration file may be incorrect, or the --enginedirectory command-line option has an incorrect path.

Failed to load required symbol from scan engine library.

Explanation: fsavd finds the required scan engine shared library files but fails to load the correct library calls from the library.

Resolution: fsavd exits with error status. The scan engine shared libraries are corrupted. The product needs to be re-installed.

Options parsing failed.

Explanation: The user has given an unknown option or option value from the command-line.

Resolution: fsavd exits with error status. The user has to correct the command-line parameters and start fsavd again.

Database directory '<directory path>' is not valid in configuration file at line <line number>: <OS error message>

Explanation: The user has entered a database directory path which either does not exist, is not accessible or is too long from the configuration file.

Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.

Database directory '<directory path>' is not valid: <OS error message>

Explanation: The user has entered a database directory path which either does not exist, is not accessible or is too long from the command-line.

Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.

Database update directory '<directory path>' is not valid in configuration file at line <line number>: <OS error message>

Explanation: The user has entered a database update directory path which either does not exist, is not accessible or is too long from the configuration file.

Resolution: The user has to correct the path and start fsavd again.

Scan engine directory '<directory path>' is not valid in configuration file at line <line number>: <OS error message>

Explanation: The user has entered a scan engine directory path which either does not exist, is not accessible or is too long from the configuration file.

Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.

Scan engine directory '<directory path>' is not valid: <OS error message>

Explanation: The user has entered a scan engine directory path which either does not exist, is not accessible or is too long from the command-line.

Resolution: fsavd exits with error status. The user has to correct the path and start fsavd again.

Could not open configuration file <file path>: <OS error message>

Explanation: A configuration file path was given from the command-line, but the file does not exist or it is not accessible.

Resolution: fsavd tries to proceed and probably encounters some other error later. The user has to create the configuration file at the default path or give the correct path to an accessible configuration file and restart fsavd.

Access to database index file '<file path>' failed: <OS error message>

Explanation: The database directory path (set in the configuration file or from the command-line) is not correct and the daemon cannot find the dbindex.cpt file.

Resolution: fsavd exits with error status. The user has to give the correct database path and start fsavd again.

stat for database index file failed: <path to dbindex.cpt>

Explanation: The database directory path (set in the configuration file or from the command-line) is not correct and fsavd cannot find the dbindex.cpt file.

Resolution: fsavd exits with error status. The user has to give the correct database path and start fsavd again.

accept failed because run out of memory.

Explanation: The accept(2) call has failed because the system ran out of memory.

Resolution: fsavd exits with error status. The user has to free some memory and start fsavd again.

FILES

/etc/opt/f-secure/fssp/fssp.conf

The default configuration file for F-Secure Security Platform

<install directory>/etc/fsav

Startup file for F-Secure Security Platform

<install directory>/databases

Directory for Anti-Virus signature database files.

<install directory>/lib

Directory for Anti-Virus scan engine and F-Secure Security Platform shared library files.

EXAMPLES

Start fsavd as a background daemon process using the default configuration file:

$ fsavd

Start fsavd as a foreground process using the default configuration file:

$ fsavd --nodaemon

Start fsavd as a background daemon process using 'fssp-test.conf' as a configuration file:

$ fsavd --config=file:fssp-test.conf

Check fsavd, scan engine and database versions:

$ fsavd --version

Bugs

Please refer to the 'Known Problems' section in the release notes.

AUTHORS

F-Secure Corporation

Copyright

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved. Portions Copyright (c) 2001-2007 Kaspersky Labs.

SEE ALSO

dbupdate(8), fsav(1)

For more information, see F-Secure home page.

dbupdate (8)

dbupdate

Virus definition database update for F-Secure Security Platform

dbupdate --help --auto

PARAMETERS

--help

Show the short help of command line options and exit.

--auto

Do not download databases synchronously but update databases previously downloaded by F-Secure Automatic Update Agent. Used for fully automatic database updates.

DESCRIPTION

dbupdate is a shell script for updating F-Secure Security Platform Virus Definition Databases. It can update databases downloaded by F-Secure Automatic Update Agent (a fully automatic background process) or databases transferred to the host by other means (such as ftp). Before databases are updated, dbupdate performs the necessary validation of the databases to prevent any corrupted or tampered databases from being taken into use.

ON DEMAND UPDATE OVER NETWORK

Use the dbupdate command (without any parameters) if there is a need to check for new database updates immediately over the network and take new databases into use.

SCHEDULED UPDATE OVER NETWORK

Typically, dbupdate is started from cron(8) frequently with the following command: dbupdate --auto. This takes into use the updates that F-Secure Automatic Update Agent has previously downloaded.

OPERATION

If new databases are available, database files are copied to updatedirectory. Database files are then validated using daastool and dbtool. After the validation, database files are copied to databasedirectory using the fsav --dbupdate=updatedirectory command.

ERROR CODES

If an update with F-Secure Automatic Update Agent fails, an error message

Database update failed. Error code: XX

with one of the following error codes will be printed:

2

Connection to AUA daemon timed out. Try restarting the AUA daemon.

30

Could not connect to AUA daemon. Perhaps the AUA daemon is not running.

50

Could not copy update. Copying the database update failed, probably because of a lack of free disk space.

51

Could not extract update. Extracting the database update failed, probably because of a lack of free disk space.

EXIT VALUE

0

Nothing was updated since no new updates were available.

1

An error has occurred. See program output and /var/opt/f-secure/fssp/dbupdate.log for details.

2

Virus definition databases were successfully updated.

BUGS

Please refer to 'Known Problems' section in the release notes.

AUTHORS

F-Secure Corporation

Copyright

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

fsav(1) and fsavd(8)

For more information, see F-Secure home page.

fsfwc (1)

fsfwc

command line interface for firewall daemon

fsfwc options

Description

With this tool firewall can be set to different security levels.

If invoked without any options, it will show the current security level and the minimum allowed level.

Options

--mode {block,server,mobile,office,strict,normal,bypass}

Will set the firewall to the requested security level if allowed by the minimum security level setting.

block

Won't allow any packets to go in or out (excluding the loopback interface).

server

Will allow only IP configuration via DHCP, DNS lookups and the ssh protocol, out and in.

mobile

Profile for road warriors: ssh and VPN protocols are allowed. DHCP, HTTP, FTP and common email protocols are allowed. All incoming connections are blocked.

office

Profile for office use. It is assumed that some external firewall exists between the Internet and the host. Any outgoing TCP connections are allowed. A rule to allow Windows networking inside the same network is included but is not enabled by default.

strict

Very much like the mobile profile, except it does not allow DHCP.

normal

All outgoing connections are allowed. All incoming connections are denied.

bypass

Allow everything in and out.

RETURN VALUES

fsfwc has the following return values.

0

Normal exit.

1

Error occurred.

2

Incorrect profile supplied to --mode switch.

4

Invalid arguments.

AUTHORS

F-Secure Corporation

COPYRIGHT

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

For more information, see F-Secure home page.

fsic (1)

fsic

Command line interface for integrity checker

fsic options target ...

Description

F-Secure Integrity Checker monitors system integrity against tampering and unauthorized modification.

If invoked without any options, fsic will verify all files in the known files list and report any anomalies.

Options

-V, --verify [options]

Default operation if invoked without any options. Verify the system and report any deviations against baselined information.

--show-all

Enable listing of all files in the baseline (by default only files which do not match baselined information are shown).

--show-details

Enable full listing of file signatures.

If nothing has changed, only baselined inode information is shown.

If a file differs from baselined information, a detailed comparison is shown.

--virus-scan={yes=default,no}

Scan for viruses when verifying. (default: yes)

--auto={yes,no=default}

Disable action confirmation. Assumes 'Yes' to all enabled actions. Please note that --auto=no disables the auto switch, the same as if --auto had not been given at all. (default: no)

--force-check-all

Check all attributes of the file, even if some of them were marked as ignored when adding the file.

-v, --verifyfile [options]

This mode will validate only files given on the command line OR stdin. This option has the same sub-options as verify.

-B, --baseline [options]

Calculate baseline information for all of the files. If a previous baseline already exists, it will be overwritten.

--virus-scan={yes=default,no}

Enable/disable virus scanning of the files during baselining. Viruses are scanned with options --dumb and --archive. (See fsav(1))

--auto={yes,no=default}

Disable the action confirmation. Assumes 'Yes' to all enabled actions. Please note that --auto=no disables the auto switch, the same as if --auto had not been given at all. (default: no)

-b, --baselinefile [options]

This mode will add only entries given on the command line OR stdin to the baseline. This option has the same sub-options as baseline.

-a, --add [options] target ...

Add target[s] to the known files list. Targets must be real files or links. By default all files are added as monitored. A new baseline needs to be generated after all file additions have been performed.

--protect={yes,no=default}

Add the file as protected, instead of monitored. When a file is added as protected, the file can only be opened for reading. Opening the file in write mode will fail.

--access={allow=default,deny}

Specify whether file access is allowed or denied if file data or metadata does not match baselined information.

--alert={yes=default,no}

Specify whether to send an alert if the file differs from baselined information.

--ignore={hash,mtime,mode,uid,gid,size}

Specify which properties of the file are not monitored. Any combination of properties can be ignored. By default all properties are monitored.

-d, --delete target ...

Remove target[s] from the known files list. A new baseline needs to be generated after all file deletions have been performed.

--no-progress-bar

Can be used to disable the progress bar. This is useful for example when verifying with '--show-all'.

verify action reports

If --show-all is specified, then also clean files are reported, as follows.

[ OK ] PRA /bin/ls
[ OK ] P.D /bin/chmod

Characters in the second column tell how the file is handled in integrity checking. P implies Protected, R is for Report (send an alert for every access to this file if the file differs from baselined), A is Allow access even if it differs from the baseline, D means that access is denied if the file does not match baselined information. '.' in either the P or R column means that Protection or Reporting respectively is not enabled.

If a change is detected against the baseline, it is reported as follows

[Note] .RA /bin/ls Hash does not match baselined hash
[Note] .RA /bin/ls inode information does not match baselined data

So even if inode data is changed the hash might be the same (touch on a file will change inode data). However, IF the hash is changed and the inode data is still the same, then the file contents have been modified and its mtime set back to what it was with utime() (man 2 utime).

If --show-details is specified, then deviations against baseline are reported as follows

[Note] ( RA) /bin/ls Hash does not match baselined hash
[Note] ( RA) /bin/ls inode information does not match baselined data
                 mode:uid:gid:len:mtime       hash
             Old 81ed:0:0:31936:1096007887    e2c2f03d5460690211fa497592543371
             Now 81ed:0:0:31940:1096388689    08c4eae2cf02c4214ba48cb89197aa66

If no deviations are found and --show-all is also specified then the following will be reported

[ OK ] ( RA) /bin/ls (81ed:0:0:620676:1077202297)
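The verify report formats above are easy to post-process, for example from a cron job that feeds fsic output into a ticketing or SIEM pipeline. The following is an added example written for this appendix, not code from F-Secure or from the product: it parses both the plain and the --show-details forms of the report lines, decodes the P/R/A-D column as defined above, and merges the per-file lines into one verdict per path. The sample report lines are constructed, and the verdict labels (and the reading that a "hash only" deviation is the utime()-style case the text singles out) are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample of fsic verify output in the two formats the manual
# shows (plain "PRA" flags and the "( RA)" form printed with --show-details).
# These lines were written for this example, not captured from a real host.
SAMPLE_REPORT = """\
[ OK ] PRA /bin/cat
[ OK ] P.D /bin/chmod
[Note] .RA /bin/ls Hash does not match baselined hash
[Note] .RA /bin/ls inode information does not match baselined data
[Note] ( RA) /usr/bin/passwd Hash does not match baselined hash
[Note] .RD /etc/shadow inode information does not match baselined data
"""

# [status] <P|.><R|.><A|D> /path [detail]; the detail form wraps the flags in "( )".
LINE_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+\(?(?P<flags>[P. ][R. ][AD])\)?\s+"
    r"(?P<path>\S+)(?:\s+(?P<detail>.*))?$"
)


@dataclass
class ReportLine:
    status: str   # "OK" or "Note"
    flags: str    # normalised to "PRA", "P.D", ".RA", ...
    path: str
    detail: str   # empty for clean files


def parse_report(text: str) -> list[ReportLine]:
    """Parse fsic verify output; lines that are not report lines are skipped."""
    lines = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        lines.append(ReportLine(
            status=m.group("status").strip(),
            flags=m.group("flags").replace(" ", "."),
            path=m.group("path"),
            detail=(m.group("detail") or "").strip(),
        ))
    return lines


def describe_flags(flags: str) -> dict:
    """Decode the P/R/A-D column exactly as the manual defines it."""
    return {
        "protected": flags[0] == "P",
        "report": flags[1] == "R",
        "access": "allow" if flags[2] == "A" else "deny",
    }


def classify(lines: list[ReportLine]) -> dict[str, str]:
    """Combine the per-file findings into one verdict per path.

    The labels are this example's own. A hash mismatch with unchanged inode
    data is the case the manual singles out: content modified, mtime put back.
    """
    seen: dict[str, set] = {}
    for line in lines:
        kinds = seen.setdefault(line.path, set())
        detail = line.detail.lower()
        if line.status == "OK":
            kinds.add("ok")
        elif "hash does not match" in detail:
            kinds.add("hash")
        elif "inode information does not match" in detail:
            kinds.add("inode")
    verdicts = {}
    for path, kinds in seen.items():
        if "hash" in kinds and "inode" in kinds:
            verdicts[path] = "content-changed"
        elif "hash" in kinds:
            verdicts[path] = "content-changed-mtime-restored"
        elif "inode" in kinds:
            verdicts[path] = "metadata-only"
        else:
            verdicts[path] = "clean"
    return verdicts


if __name__ == "__main__":
    for path, verdict in classify(parse_report(SAMPLE_REPORT)).items():
        print(f"{verdict:32} {path}")
```

A "metadata-only" verdict on a monitored binary is usually benign (package manager, touch), whereas "content-changed-mtime-restored" is the one worth escalating, since an ordinary edit does not put the timestamp back.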

baseline action reports

When --baseline is specified the integrity checker will recalculate hash and inode information for all files known to the integrity checker. The previously generated baseline will be overwritten.

The user will be asked to confirm adding files to the new baseline. For example,

/bin/ls: Accept to baseline? (Yes,No,All yes, Disregard new entries)

If a file has been modified fsic will ask

[Note] /bin/ls seems to differ from baselined entry. Want to rebaseline it? [no]

WARNINGS

None.

FATAL ERRORS

None.

SCAN ERRORS

None.

RETURN VALUES

fsic has the following return values.

0

Success. Normal exit.

1

Error in invocation, baselining or verification.

2

No baseline exists yet.

3

System compromised.

Return value of 3 indicates that one or more of the following happened:

* Incorrect passphrase, or
* Files do not match baselined information, or
* A virus was detected in one of the files

FILES

None.

EXAMPLES

None.

NOTES

None.

BUGS

None.

AUTHORS

F-Secure Corporation

COPYRIGHT

Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

For more information, see F-Secure home page.

fschooser (8)

fschooser

Command line tool for enabling and disabling some features of F-Secure Linux Security.

fschooser

Description

This tool can be used to completely enable and disable some features of F-Secure Linux Security. The tool is invoked without any parameters and has an interactive prompt where it is possible to enable or disable the features. Follow the instructions given in the prompt and then press enter when you are ready to exit the tool. The product will be automatically restarted in order to apply the changes.

Currently, Firewall and Web User Interface are the only components that this tool can be used for. If you want to do the same for the on-access scanner, please disable both the Virus Protection and Integrity Checking features on the Summary Screen of the Web User Interface. Note that disabling a component with this tool means that the processes related to that component will be stopped and will no longer start when restarting the product. The disk space required by the components will not be freed.

RETURN VALUES

fschooser always returns 0.

FILES

None.

EXAMPLES

None.

NOTES

When the Web User Interface is disabled, the local alert database will still be running, so any alerts received will be available in the Web User Interface when it is re-enabled.

BUGS

None.

AUTHORS

F-Secure Corporation

COPYRIGHT

Copyright (c) 2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

For more information, see F-Secure home page.

fsims (8)

fsims

Command line tool for switching F-Secure Linux Security software installation mode on or off (F-Secure Install Mode Switcher).

fsims on|off

Description

This tool can be used to switch F-Secure Linux Security into software installation mode and back to normal mode after the new software has been installed. It is important to use the software installation mode if the Integrity Checking feature of the product is in use. When in software installation mode, some product features are disabled to allow easy installation of new software, including a new kernel version and/or new kernel modules.

If software installation mode is not used when installing a new kernel and/or kernel modules, F-Secure Linux Security might prevent the new kernel from booting up. This happens because the new kernel modules are not properly included in the Integrity Checking baseline unless the baseline is generated again after installing the new software. The fsims command line tool automatically regenerates the Integrity Checking baseline when the software installation mode is switched off.

If invoked without any options, fsims will display a help text.

Options

on

Switches the product into software installation mode. Some product features are now disabled to allow easy installation and upgrade of software. Remember to switch software installation mode off after installing the software.

off

Switches the software installation mode off. The Integrity Checking file system baseline is automatically regenerated and a new passphrase must be entered.

RETURN VALUES

fsims returns the following return values:

0

Operation performed successfully.

1

User tried to execute fsims without root privileges.

FILES

None.

EXAMPLES

None.

NOTES

None.

BUGS

None.

AUTHORS

F-Secure Corporation

COPYRIGHT

Copyright (c) 2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

fsic(1)

For more information, see F-Secure home page.

fssetlanguage (8)

fssetlanguage

Command line tool for setting the default language in Web User Interface

fssetlanguage language

Description

This tool can be used to set the default language in F-Secure Linux Security's Web User Interface. The user can still change the language in the Web User Interface, but whenever the product is restarted, the default language selected with this tool will be activated.

The tool will try to find a suitable locale on the computer where it is run, and gives a warning if one was not found. Currently only UTF-8 locales are searched for. The locale is then set when starting up the Web User Interface so that the locale specific formats are applied for times, dates, etc.

If invoked without any options, fssetlanguage will display a help text.

Options

en

Sets English as the default language.

ja

Sets Japanese as the default language.

de

Sets German as the default language.

RETURN VALUES

fssetlanguage always returns 0.

FILES

None.

EXAMPLES

None.

NOTES

None.

BUGS

None.

AUTHORS

F-Secure Corporation

COPYRIGHT

Copyright (c) 2008 F-Secure Corporation. All Rights Reserved.

SEE ALSO

For more information, see F-Secure home page.

H

Config Files

fsaua_config ............................................................................... 70
fssp.conf ..................................................................................... 75

H.1 fsaua_config

#

# Configuration for F-Secure Automatic Update Agent

#

# Enable FSMA

#

# This directive controls whether Automatic Update Agent works in centrally

# managed or standalone mode.

#

# This option only has effect, if FSMA is installed and configured properly

#

# The default is 'yes', which means centrally managed mode

#enable_fsma=yes

# Update servers

#

# This directive controls which update server the Automatic Update Agent tries

# to fetch the updates from. If this directive is empty, the master server

# hosted by F-Secure is used (see Fallback options below).

#

# In centrally managed mode, this defaults to the Policy Management Server.

#

# The format is as follows:

# update_servers=[http://]<address>[:<port>][,[http://]<address>[:<port>]]

#

# Examples:

# update_servers=http://pms

# update_servers=http://server1,http://backup_server1,http://backup_server2

#

#update_servers=

# Update proxies

#

# This directive controls which Policy Manager Proxies the Automatic Update

# Agent tries to use. Note that this is different from HTTP proxies (see below).

#

# The format is the same as for Update Servers.

#

#update_proxies=

# Http Proxies

#

# This directive controls which HTTP proxies are used by the Automatic

# Update Agent

#

# The format is as follows:

# http_proxies=[http://][user[:passwd]@]<address>[:port][,[http://][user[:passwd]@]<address>[:port]]

#

# Examples:

# http_proxies=http://proxy1:8080/,http://backup_proxy:8880/

#

#http_proxies=
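The update_servers, update_proxies and http_proxies directives above share one list syntax, and http_proxies is the only one of them that can carry a user name and password. The following is an added example written for this appendix, not code from F-Secure or from the product: it reads a key=value excerpt of fsaua_config, splits the comma-separated entries into their scheme, credentials, host and port according to the format lines above, and reports which directives embed a password, so an administrator knows the file holds a secret and should stay readable by root only. The excerpt, the host names, the proxy user "scanner" and its password are all constructed for the demo.

```python
import re

# Constructed fsaua_config excerpt; hosts, the proxy user "scanner" and its
# password are invented for this example and are not real.
SAMPLE_FSAUA = """\
# Enable FSMA
enable_fsma=no
update_servers=http://pms,backup1:8080
http_proxies=http://scanner:s3cret@proxy1:8080/,http://backup_proxy:8880/
poll_interval=3600
os_version_distribution="testingunstable"
"""

# [http://][user[:passwd]@]<address>[:port][/]  (format from the file's comments)
ENTRY_RE = re.compile(
    r"^(?:(?P<scheme>http)://)?"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<host>[^:/@]+)"
    r"(?::(?P<port>\d+))?/?$"
)


def parse_fsaua_config(text: str) -> dict[str, str]:
    """key=value lines; '#' comments and blank lines are skipped and
    surrounding double quotes are stripped from the value."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def parse_server_list(value: str) -> list[dict]:
    """Split a comma-separated update_servers / update_proxies / http_proxies
    value into structured entries. A malformed entry raises ValueError."""
    entries = []
    for item in (s.strip() for s in value.split(",") if s.strip()):
        m = ENTRY_RE.match(item)
        if not m:
            raise ValueError(f"malformed server entry: {item!r}")
        entries.append({
            "scheme": m.group("scheme") or "http",   # scheme is optional
            "user": m.group("user"),
            "password": m.group("password"),
            "host": m.group("host"),
            "port": int(m.group("port")) if m.group("port") else None,
        })
    return entries


def keys_with_embedded_credentials(cfg: dict[str, str]) -> list[str]:
    """Names of the list directives whose entries carry a password."""
    found = []
    for key in ("update_servers", "update_proxies", "http_proxies"):
        if cfg.get(key):
            if any(e["password"] is not None for e in parse_server_list(cfg[key])):
                found.append(key)
    return found


if __name__ == "__main__":
    cfg = parse_fsaua_config(SAMPLE_FSAUA)
    for key in ("update_servers", "http_proxies"):
        for entry in parse_server_list(cfg[key]):
            print(key, entry)
    print("directives with passwords:", keys_with_embedded_credentials(cfg))
```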

# Poll interval

#

# This directive specifies (in seconds) how often the Automatic Update Agent

# polls the Update Server for updates.

#

# The default is 3600 seconds, which is 1 hour

#

#poll_interval=3600

# Failover to root

#

# Specifies whether Automatic Update Agent is allowed to fall back to update

# servers hosted by F-Secure.

#

# The default is yes

#

#failover_to_root=yes

# Failover timeout

#

# Specifies the time after which Automatic Update Agent is allowed to check

# for updates from update servers hosted by F-Secure. This is the time elapsed

# (in seconds) since the last successful connection with your main update

# servers.

#

# The default is 3600, which is 1 hour

#

#failover_timeout=3600

# Log Level

#

# The amount of logging generated by the Automatic Update Agent

#

# Possible values are:

# debug - log all messages

# informational - log information on each update check plus

# normal - log information on each successful download and all errors

# nolog - log nothing

#

# The default is normal

#

#log_level=normal

# Log Facility

#

# Specify the syslog facility for Automatic Update Agent

#

# Possible values are: daemon, local0 to local7

#

# The default is daemon

#

#log_facility=daemon

os_version_distribution="testingunstable"

H.2 fssp.conf

#

# This is a configuration file for F-Secure Security Platform

#

# Copyright (c) 1999-2006 F-Secure Corporation. All Rights Reserved.

#

#

# Specify whether the product should scan all files or only the files that

# match the extensions specified in the 'Extensions to Scan' setting.

#

# Possible values:

# 0 - All files

# 1 - Only files with specified extensions

#

odsFileScanFiles 0

#

# Specify the list of filename extensions to be scanned. You can also use

# wildcards: '?' matches exactly one character, '*' matches any number of

# characters, including zero (0) characters. '.' (a single dot), if given

# alone, matches files without extension. The matching is case-insensitive.

#

odsIncludedExtensions .,acm,app,arj,asd,asp,avb,ax,bat,bin,boo,bz2,cab,ceo,chm,cmd,cnv,com,cpl,csc,dat,dll,do?,drv,eml,exe,gz,hlp,hta,htm,html,htt,inf,ini,js,jse,lnk,lzh,map,mdb,mht,mif,mp?,msg,mso,nws,obd,obt,ocx,ov?,p?t,pci,pdf,pgm,pif,pot,pp?,prc,pwz,rar,rtf,sbf,scr,shb,shs,sys,tar,td0,tgz,tlb,tsp,tt6,vbe,vbs,vwp,vxd,wb?,wiz,wml,wpc,ws?,xl?,zip,zl?,{*

#

# Specify whether executables should be scanned. If a file has any

# user/group/other executable bits set, it is scanned regardless of the file

# extension.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsScanExecutables 0

#

# Determines whether some paths (either files or directories) will be excluded

# from scanning. Use full, absolute path name. Type each path on its own line.

# Path names may contain whitespaces.

#

odsFileExcludedPaths /proc\n/sys

#

# Determines whether some files can be excluded from scanning. Please note

# that the files specified here are excluded from scanning even if they would

# be included in scanning according to what is defined in the other scanning

# settings

#

# Possible values:

# 0 - Disabled

# 1 - Enabled

#

odsFileEnableExcludedPaths 1
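The file selection settings above (odsFileScanFiles, odsIncludedExtensions, odsScanExecutables, odsFileExcludedPaths and odsFileEnableExcludedPaths) interact, and it is worth being able to answer "would this file be scanned?" before relying on a manual scan. The following is an added example written for this appendix, not code from F-Secure or from the product: it parses the 'key value' format of fssp.conf and applies the rules as the comments state them, that is, a lone '.' matches extension-less files, '?' and '*' are wildcards, matching is case-insensitive, any executable bit forces a scan when odsScanExecutables is on, and excluded paths win over everything. The excerpt is constructed, the "last dot in the file name" reading of "extension", the treatment of a literal backslash-n as the path separator, and the prefix test for excluded directories are this example's own assumptions.

```python
import os
import re

# Constructed fssp.conf excerpt using the settings documented above; the
# values are chosen for the demo, this is not a file from a real installation.
SAMPLE_CONF = r"""
# file selection settings (constructed)
odsFileScanFiles 1
odsIncludedExtensions .,do?,exe,gz,js,{*
odsScanExecutables 1
odsFileExcludedPaths /proc\n/sys
odsFileEnableExcludedPaths 1
odsFileCustomPrimaryAction
"""


def parse_fssp_conf(text: str) -> dict[str, str]:
    """Parse 'key value' lines; '#' lines and blanks are skipped and a key
    without a value (such as odsFileCustomPrimaryAction) maps to ''."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return settings


def extension_regex(pattern: str) -> re.Pattern:
    """One odsIncludedExtensions entry: '?' is exactly one character, '*' any
    run of characters including none; the match is case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.compile(f"^{regex}$", re.IGNORECASE)


def file_extension(path: str):
    """Text after the last '.' of the file name, or None when the name has
    no dot (our reading of 'files without extension')."""
    name = os.path.basename(path)
    return name.rsplit(".", 1)[1] if "." in name else None


def matches_extension(path: str, patterns: list[str]) -> bool:
    ext = file_extension(path)
    for pat in patterns:
        if pat == ".":                 # a lone dot means extension-less files
            if ext is None:
                return True
        elif ext is not None and extension_regex(pat).match(ext):
            return True
    return False


def is_excluded(path: str, settings: dict[str, str]) -> bool:
    if settings.get("odsFileEnableExcludedPaths", "0") != "1":
        return False
    # The listing shows the paths as '/proc\n/sys'; we accept both a literal
    # backslash-n and real newlines as separators (our assumption).
    raw = settings.get("odsFileExcludedPaths", "").replace("\\n", "\n")
    for prefix in (p.strip() for p in raw.split("\n") if p.strip()):
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def should_scan(path: str, mode: int, settings: dict[str, str]) -> bool:
    """Decide whether the manual scanner would look at `path`; `mode` is the
    st_mode permission bits and is used only for the executable-bit rule."""
    if is_excluded(path, settings):
        return False
    if settings.get("odsFileScanFiles", "0") == "0":
        return True                    # 0 means: scan all files
    if settings.get("odsScanExecutables", "0") == "1" and mode & 0o111:
        return True                    # any x bit wins over the extension list
    patterns = [p for p in settings.get("odsIncludedExtensions", "").split(",") if p]
    return matches_extension(path, patterns)


if __name__ == "__main__":
    cfg = parse_fssp_conf(SAMPLE_CONF)
    for candidate, mode in (("/proc/1/maps", 0o444), ("/home/u/report.DOC", 0o644),
                            ("/home/u/notes.txt", 0o644), ("/home/u/notes.txt", 0o755),
                            ("/home/u/backup", 0o644)):
        print(f"{candidate:24} mode={mode:o} scan={should_scan(candidate, mode, cfg)}")
```

With odsFileScanFiles set to 1, a plain-text file is skipped unless it carries an executable bit, while a file with no extension at all is scanned because the default list starts with a lone '.'; switching odsFileScanFiles back to 0 makes the extension list irrelevant but keeps the excluded paths in force.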

#

# Specifies whether archives should be scanned when a manual scan is launched.

# The supported archive formats include, for example, .tar.gz, .zip

#

# Possible values:

# 0 - Disabled

# 1 - Enabled

#

odsFileScanInsideArchives 1

#

# Defines how many levels deep to scan in nested archives. It is not

# recommended to set this value too high as this will make the product more

# vulnerable to DoS (Denial of Service) attacks. If an archive has more nested

# levels than the limit, a scan error is generated.

#

odsFileMaximumNestedArchives 5

#

# Define whether MIME encoded data should be scanned for malicious content.

# NOTE: Current MIME decoding support does not work for mail folders where

# multiple e-mail messages are stored in a single file, such as Netscape,

# Mozilla, Thunderbird, Evolution or mbox mail folders. MIME decoding only

# works if each e-mail message is stored as a separate file.

#

# Possible values:

# 0 - Disabled

# 1 - Enabled

#

odsFileScanInsideMIME 0

#

# Defines how password-protected archives should be handled. If set to Yes,

# password protected archives are considered to be safe and access is allowed.

# Otherwise access is not allowed.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFileIgnorePasswordProtected 1

#

# Defines what happens when the first infection is found inside an archive. If

# set to 'Yes', scanning will stop on the first infection. Otherwise the whole

# archive is scanned.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsStopOnFirst 0

#

# Specify the primary action to take when an infection is detected.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 2 - Disinfect

# 3 - Rename

# 4 - Delete

# 5 - Abort scan

# 6 - Custom

#

odsFilePrimaryActionOnInfection 2

#

# If "Custom" is chosen as the primary action, the custom action must be

# specified here. Please note that the custom action will be executed as the

# super user of the system so consider and check carefully the command you

# specify. Custom action script or program receives one parameter, full

# pathname of the infected file.

#

odsFileCustomPrimaryAction

#

# Specify the secondary action to take when an infection is detected and the

# primary action has failed.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 2 - Disinfect

# 3 - Rename

# 4 - Delete

# 5 - Abort scan

# 6 - Custom

#

odsFileSecondaryActionOnInfection 3

#

# If "Custom" is chosen as the secondary action, the custom action must be

# specified here. Please note that the custom action will be executed as the

# super user of the system so consider and check carefully the command you

# specify. Custom action script or program receives one parameter, full

# pathname of the infected file.

#

odsFileCustomSecondaryAction

#

# Specify the primary action to take when suspected infection is detected.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 3 - Rename

# 4 - Delete

#

odsFilePrimaryActionOnSuspected 1

#

# Specify the secondary action to take when suspected infection is detected

# and the primary action has failed.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 3 - Rename

# 4 - Delete

#

odsFileSecondaryActionOnSuspected 0

#

# Set this on to report and handle riskware detections. Riskware is potential

# spyware.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsScanRiskware 1

#

# Type of riskware that should not be detected.

#

odsExcludedRiskware ;

#

# Specify the primary action to take when riskware is detected.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 3 - Rename

# 4 - Delete

#

odsFilePrimaryActionOnRiskware 1

#

# Specify the secondary action to take when riskware is detected and the

# primary action has failed.

#

# Possible values:

# 0 - Do nothing

# 1 - Report only

# 3 - Rename

# 4 - Delete

#

odsFileSecondaryActionOnRiskware 0

#

# Defines the upper limit for the time used for scanning a file (1 second

# resolution). A recommended upper limit would be, for example, 1 minute.

#

odsFileScanTimeout 60

#

# Specify the action to take after a scan timeout has occurred.

#

# Possible values:

# 0 - Report as Scan Error

# 2 - Report as Clean File

#

odsFileScanTimeoutAction 0

#

# Should actions be taken automatically or should user be prompted to confirm

# each action.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsAskQuestions 1

#

# Read files to scan from standard input.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsInput 0

#

# Print out all the files that are scanned, together with their status.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsList 0

#

# Should infected filenames be printed as they are or should potentially

# dangerous control and escape characters be removed.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsRaw 0

#

# In standalone mode a new fsavd daemon is launched for every client. Usually

# you do not want this because launching the daemon has considerable overhead.

#

# Possible values:

# 0 - No

# 1 - Yes

# 2 - Auto

#

odsStandalone 2

#

# If "No", fsav command line client does not follow symlinks. If "Yes",

# symlinks are followed. This affects e.g. scanning a directory containing

# symlinks pointing to files outside of the directory.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFollowSymlinks 0

#

# If enabled, only infected filenames are reported.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsSilent 0

#

# If enabled, only infected filenames are reported.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsShort 0

#

# If this setting is on, file access times are not modified when they are

# scanned. If a file is modified due to disinfection, then both access and

# modify times will change.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFilePreserveAccessTimes 0

#

# Specifies how MIME messages with broken attachments will be handled. If set

# to 'Yes', files for which MIME decoding fails will be considered safe. If

# set to no, an error will be generated.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFileIgnoreMimeDecodeErrors 0

#

# Defines how partial MIME messages should be handled. If set to ‘Yes’,

# partial MIME messages are considered safe and access is allowed. Partial

# MIME messages cannot reliably be unpacked and scanned.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFileIgnorePartialMime 0

#

# Defines how MIME messages with broken headers should be handled. If set to

# 'Yes', broken MIME headers will be considered safe and access is allowed. If

# set to 'No', an error will be generated.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFileIgnoreInvalidMimeHeaders 0

#

# Do not scan files equal or larger than 2 GB (2,147,483,648 bytes). If this

# option is not set an error will be reported for large files.

#

# Possible values:

# 0 - No

# 1 - Yes

#

odsFileSkipLarge 0

#

# If "On", the Libra scanning engine is used for scanning files. If "Off",

# Libra is not used.

#

# Possible values:

# 0 - Off

# 1 - On

#

odsUseLibra 1

#

# If "On", the Orion scanning engine is used for scanning files. If "Off",

# Orion is not used.

#

# Possible values:

# 0 - Off

# 1 - On

#

odsUseOrion 1

#

# If "On", the AVP scanning engine is used for scanning files. If "Off", AVP

# is not used.

#

# Possible values:

# 0 - Off

# 1 - On

#

odsUseAVP 1

#

# F-Secure internal. Do not touch.

#

daemonAvpFlags 0x08D70002

#

# Set this on to enable riskware scanning with the AVP scan engine. If you set

# this off, riskware scanning is not available for clients.

#

# Possible values:

# 0 - Off

# 1 - On

#

odsAVPRiskwareScanning 1

#

# Maximum size of MIME message. Files larger than this are not detected as

# MIME messages. Increasing this number will increase scan time of large

# files.

#

daemonMaxMimeMessageSize 10485760

#

# MIME recognition frame size specifies how many bytes are searched from

# beginning of file for MIME headers.

#

daemonMaxMimeRecognitionFrameSize 4096

#

# Turn this setting on to use House Keeping Engine.

#

# Possible values:

# 0 - Off

# 1 - On

#

daemonUseHKE 1

#

# F-Secure Internal. Do not change. This is the directory where in-use

# databases are kept.

#

daemonDatabaseDirectory /var/opt/f-secure/fssp/databases

#

# F-Secure internal. Do not change. This is the directory into which new

# databases are stored before they are taken into use.

#

daemonUpdateDirectory /var/opt/f-secure/fssp/update

#

# F-Secure internal. Do not change. This is the directory from where scan

# engine libraries are loaded.

#

daemonEngineDirectory /opt/f-secure/fssp/lib

#

# If "Yes", fsavd writes a log file. If "No", no log file is written.

#

# Possible values:

# 0 - No

# 1 - Yes

#

daemonLogfileEnabled 0

#

# Log file location:

# stderr - write log to standard error stream

# syslog - write log to syslog facility

# Anything else is interpreted as a filename to write log into.

#

daemonLogfile syslog

#

# Maximum number of simultaneously running fsavd scanner processes. (min. 1,

# max. 100)

#

daemonMaxScanProcesses 4

#

# FSAV will add the current user-id to the path to make it possible for

# different users to run independent instances of the server.

#

daemonSocketPath /tmp/.fsav

#

# Octal number specifying the mode (permissions) of the daemon socket. See

# chmod(1) and chmod(2) unix manual pages.

#

daemonSocketMode 0600

#

# If fsavd has to create the directory for socket path, this is the mode

# (permissions) used for the created directory.

#

daemonDirectoryMode 3755

Page 216: F-Secure Linux Security

H - 97

#

# Syslog facility to use when logging to syslog.

#

# Possible values:

# auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, uucp, local0, local1, local2, local3, local4, local5, local6, local7 - auth, authpriv, cron, daemon, ftp, kern, lpr, mail, news, syslog, user, uucp, local0, local1, local2, local3, local4, local5, local6, local7

#

daemonSyslogFacility daemon

#

# Obsolete setting. Not used anymore.

#

# Possible values:

# 0 - No

# 1 - Yes

# 2 - Auto

#

daemonStandalone 0

#

# Specify the level of messages to log to the debug logfile.

#

# Possible values:

Page 217: F-Secure Linux Security

H - 98

# 0 - Nothing

# 1 - Emergency

# 2 - Alert

# 3 - Critical

# 4 - Error

# 5 - Warning

# 6 - Notice

# 7 - Info

# 8 - Debug

# 9 - Everything

#

debugLogLevel 0

#

# Specify the full name of the debug logfile.

#

debugLogFile /var/opt/f-secure/fssp/fssp.log

#

# The keycode entered during installation.

#

licenseNumber unset

Page 218: F-Secure Linux Security

H - 99

#

# The complete path that tells where this product is installed in the

# filesystem.

#

installationDirectory /opt/f-secure/fssp

#

# Unix time() when installation done.

#

installationTimestamp 0

#

# F-Secure internal. Do not change. Text to be printed every day during

# evaluation use.

#

naggingText EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.\nTo purchase license, please check http://www.F-Secure.com/purchase/\n

#

# F-Secure internal. Do not change. Text to be printed when evaluation period

# has expired.

#

Page 219: F-Secure Linux Security

H - 100

expiredText EVALUATION PERIOD EXPIRED\nTo purchase license, please check http://www.F-Secure.com/purchase/\n
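As an added example that is not part of the F-Secure manual or product, the following Python script reads a file in the layout listed above (one "key value" per line, "#" lines as comments; this parsing rule is inferred from the listing) and reports settings that fall outside the ranges the comments document, use a syslog facility outside the documented list, or set a daemonSocketMode looser than the documented default 0600. The sample configuration embedded in it is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample in the fsavd.conf layout shown above, not a file from any
# real deployment: one "key value" per line, "#" lines are comments.
SAMPLE_CONF = """\
# Possible values: 0 - Off, 1 - On
odsUseAVP 1
daemonLogfileEnabled 1
daemonLogfile syslog
daemonSyslogFacility local9
daemonMaxScanProcesses 250
daemonSocketMode 0666
debugLogLevel 8
naggingText EVALUATION VERSION\\nSecond line\\n
"""

FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {f"local{i}" for i in range(8)}
# Integer settings and the ranges the manual documents for them.
INT_RANGES = {"odsUseAVP": (0, 1), "daemonLogfileEnabled": (0, 1),
              "daemonMaxScanProcesses": (1, 100), "debugLogLevel": (0, 9)}

def parse_conf(text: str) -> Dict[str, str]:
    """Return {key: value}; the value is the rest of the line, escapes kept as-is."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf

def check_conf(conf: Dict[str, str]) -> List[str]:
    """List settings outside their documented range or looser than the
    manual's defaults; an empty list means nothing to report."""
    findings: List[str] = []
    for key, (lo, hi) in INT_RANGES.items():
        if key in conf and not (conf[key].isdigit() and lo <= int(conf[key]) <= hi):
            findings.append(f"{key}={conf[key]} outside {lo}..{hi}")
    fac = conf.get("daemonSyslogFacility")
    if fac is not None and fac not in FACILITIES:
        findings.append(f"daemonSyslogFacility={fac} is not a valid facility")
    mode = conf.get("daemonSocketMode")
    # The socket mode is octal; any group/other bit (0o077) is looser than the
    # documented default 0600 and lets other local users reach the daemon socket.
    if mode is not None and (not re.fullmatch(r"[0-7]+", mode) or int(mode, 8) & 0o077):
        findings.append(f"daemonSocketMode={mode} grants access beyond the owner")
    return findings
```

Running `check_conf(parse_conf(SAMPLE_CONF))` on the constructed sample reports three findings: the scanner-process count above 100, the unknown facility, and the 0666 socket mode.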