Standalone Configuration Guide McAfee VirusScan Enterprise for Linux 1.9.0


COPYRIGHT

Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 General settings
    Browser interface
    Logging

2 Notification settings
    Item detected
    Out-of-date
    Configuration change
    System events
    SMTP settings
    Substituting variables in notification templates

3 On-Access scanner settings
    Anti-virus scanning options
    Extension-based scanning
    Handling exclusions
    Anti-virus actions

4 On-Demand scanner settings
    Anti-virus scanning options
    Extension-based scanning
    Handling exclusions
    Anti-virus actions

Preface

This guide provides you with simple and fast access to modify the configuration settings, such as on-access scanning, on-demand scanning, general settings, notifications, and exclusion settings.

Use this guide as an alternative method for configuring the VirusScan Enterprise for Linux software. You can use this when no browser is available or you prefer to use a Linux command line interface to access the VirusScan Enterprise for Linux software and perform configuration tasks.

To view a list of commands that you can execute from the command line:

1 From the Linux server, open the terminal window.

2 Go to the directory /opt/NAI/LinuxShield/bin.

3 Specify the command: nails --help

4 Press Enter.

For more information on: How to install, upgrade, or manage the product on a standalone Linux server
See: McAfee VirusScan Enterprise for Linux 1.9.0 Software – Installation Guide

For more information on: How to deploy, upgrade, or manage the product using McAfee ePolicy Orchestrator
See: McAfee VirusScan Enterprise for Linux 1.9.0 Software – Configuration Guide

For more information on: How to configure, use, and maintain the product
See: McAfee VirusScan Enterprise for Linux 1.9.0 Software – Product Guide

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

Administrators — People who implement and enforce the company's security program.

Users — People who are responsible for configuring the product options on their systems, or for updating their systems.

Conventions

This guide uses the following typographical conventions and icons.

Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.

Hypertext: A live link to a topic or to a website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access: User documentation
Do this:
1 Click Product Documentation.
2 Select a Product, then select a Version.
3 Select a product document.

To access: KnowledgeBase
Do this:
Click Search the KnowledgeBase for answers to your product questions.
Click Browse the KnowledgeBase for articles listed by product and version.


1 General settings

Configure the browser interface options and logging behavior from the command prompt.

Note: The default path for <RUNTIMEDIR> is: /var/opt/NAI/LinuxShield

Contents

Browser interface

Logging

Browser interface

Configure browser interface settings such as the refresh interval, UTC offset, quick help and results per page.

Configuration file: monitor.cfg

Default location: <RUNTIMEDIR>/etc

Browser interface options

Option: Refresh interval (seconds)
Definition: The browser automatically updates the contents of pages such as the Scanning Summary page. By default, the page refreshes every 10 seconds, but you can adjust the interval between 5 and 600 seconds.
Parameter: browser.refreshInterval:10

Option: Results per page
Definition: Number of rows of information shown in certain pages under Results, namely in the Detected Items, Scheduled Tasks, and System Events pages. By default, 10 rows are displayed at a time, but you can adjust the number between 1 and 50 rows.
Parameter: browser.resultsPerPage:10

Option: Display time UTC offset
Definition: Wherever time values are displayed — as in scheduled tasks and detections — an offset value is displayed in UTC form to help you understand any time-zone differences.
Use attributes:
true – To display time in UTC form
false – To hide the UTC offset value
Parameter: browser.displayUtcOffset:true

Option: Hide quick help on startup
Definition: To disable the Quick Help pane when logging on to the browser interface.
Use attributes:
true – To show quick help
false – To hide quick help
Parameter: browser.showQuickHelp:true

Logging

Configure logging settings such as the level of detail that you require.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

Logging options

Option: Detail level
Definition: Level of logging information that VirusScan Enterprise for Linux records in its database. A high level can affect performance and the database. By default, the level is Normal. You can use attributes low, normal or high.
Parameter: log.detailLevel:normal

Option: Additionally log to SYSLOG
Definition: Indicates if information logged to the VirusScan Enterprise for Linux database is also logged to SYSLOG. By default, this is not required.
Parameter: log.useSyslog:false

Option: Detail level for SYSLOG
Definition: (This field is only available if Additionally log to SYSLOG is selected.) Level of detail of the information to be logged to SYSLOG. Disabled if logging to SYSLOG is checked. By default, the level is Low. You can use attributes low, normal or high.
Parameter: log.syslogDetailLevel:low

Option: Limit age of log entries
Definition: Indicates if information in the log will be automatically removed later, based on the age of the log entries.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: log.limitLogAge:true

Option: Maximum age of log entries
Definition: (This field is only available if Limit age of log entries is selected.) Limits the age of entries in the VirusScan Enterprise for Linux database to the specified days. After the specified number of days, old entries are automatically removed. This helps to limit the size of the database. Maximum age of log entries (days) - By default, the limit is 28 days, but you can adjust the limit between 1 and 999 days.
Parameter: log.maxLogAge:28


2 Notification settings

Specify who will receive email notification of events such as virus detection and changes to the scanning options. VirusScan Enterprise for Linux sends the email messages using the SMTP email protocol.

Note: The default path for <RUNTIMEDIR> is: /var/opt/NAI/LinuxShield

Contents

Item detected

Out-of-date

Configuration change

System events

SMTP settings

Substituting variables in notification templates

Item detected

Configure notification settings in case of detection such as virus or other potentially unwanted software.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

Detected items notification options

Option: Item detected
Definition: Configure notifications based on the detection of a virus or other potentially unwanted software.
Use attributes:
true – To enable notifications in case of detection.
false – To disable notifications in case of detection.
Parameter: notifications.virusDetected.active:true

Use these parameters if you want to configure alerts or notifications for a specific detection:

Option: Viruses
Definition: Use attributes:
true – To enable alerts for a detection type.
false – To disable alerts for a detection type.
Parameter: notifications.virusDetected.virusesAlert:true

Option: Trojans
Parameter: notifications.virusDetected.trojansAlert:true

Option: Test Viruses
Parameter: notifications.virusDetected.testVirusesAlert:true

Option: Programs
Parameter: notifications.virusDetected.programsAlert:true

Option: Jokes
Parameter: notifications.virusDetected.jokesAlert:true

Option: Include alerts for on-demand tasks
Parameter: notifications.virusDetected.includeOdsTasks:true

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.virusDetected.subject:Detection Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email, in case of detection.
Parameter: defaultNotifications.virusDetected.message: The file %path% is infected with the %detectedas% %detectedtype%.\nThe result is %result%.\n\nDetected on %hostname% by %detectedby% at %detectedutc% using Scan engine version %engineversion% DAT version %datversion%. Extra DAT in use - %extradatflag%.

Note: The values specified within the "%" symbol are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

Out-of-date

Configure notification settings based on the age of the DAT files.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

DAT notification options

Option: Out of date
Definition: Configure notifications for out-of-date DAT files. You can use this to send a notification if the DAT file is older than the specified date.
Use attributes:
true – To enable notifications in case of an older DAT.
false – To disable notifications in case of an older DAT.
Parameter: defaultNotifications.outOfDate.active:true

Option: Alert for older DATs
Definition: Specify a value based on the age of the DATs after which notifications are sent. By default, notifications are sent if the DAT age is more than 10.
Parameter: defaultNotifications.outOfDate.datFilesAge:10

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.outOfDate.subject: Out of Date Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email.
Parameter: defaultNotifications.outOfDate.message: The DAT files %datversion% is %datage% days old. Please update software to ensure that your system is protected.

Note: The values specified within the "%" symbol are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.


Configuration change

Configure notification settings based on any changes to scanner settings such as on-access, notifications and general. Please note that you cannot configure notifications for on-demand settings.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

Configuration change notification options

Option: Configuration change
Definition: Configure notifications for any changes to the on-access, general or notification settings.
Use attributes:
true – To enable notifications in case of a configuration change.
false – To disable notifications for configuration changes.
Parameter: defaultNotifications.configurationChange.active:true

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.configurationChange.subject:Configuration Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email, when there is a change in configuration settings.
Parameter: defaultNotifications.configurationChange.message:%configchange% on %hostname%.

Note: The values specified within the "%" symbol are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

System events

Configure notification settings for any important system event such as error or information.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

System events notification options

Option: System events
Definition: Configure notifications based on the system events generated.
Use attributes:
true – To enable notifications when a system event is triggered.
false – To disable notifications when a system event is triggered.
Parameter: defaultNotifications.critical.active:true

Use these parameters if you want to configure alerts or notifications for specific system events:

Option: Error Code
Definition: Use attributes:
true – To enable the alerts based on error types.
false – To disable alerts based on error types.
Parameter: defaultNotifications.critical.codeAlert:true

Option: Enable alerts
Parameter: defaultNotifications.critical.typeAlert:true

Option: Error Code range
Definition: Specify the range, based on which a notification is sent.
Parameter: defaultNotifications.critical.code:3000-3999

Option: Error types
Definition: Configure notification based on the error type such as "error" or "information".
Parameter: defaultNotifications.critical.type:error

Note: The values specified within the "%" symbol are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.


SMTP settings

Configure notification settings for any change in the SMTP settings.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

SMTP notification options

Option: Server name
Definition: Specify the IP address of the system that you want to use as an SMTP server from which notifications are sent.
Parameter: defaultNotifications.smtp.host:192.168.200.10

Option: Port
Definition: Specify the SMTP port number that you want to use to send the notifications. The default port number is 25.
Parameter: defaultNotifications.smtp.port:25

Option: Sender
Definition: Specify an email address which will appear in the "From" field as a default sender in email notifications.
Parameter: defaultNotifications.smtp.sender:McAfeeVSEforLinux@hostname.com

Option: Recipient
Definition: Specify email address of the recipient to deliver the notification. To deliver notifications to multiple users, separate email addresses with a comma.
Parameters:
defaultNotifications.smtp.recipients:[email protected]
notifications.smtp.recipients:[email protected],[email protected]


Substituting variables in notification templates

VirusScan Enterprise for Linux substitutes these variables in notification messages when sending a message to the user.

For example, the template message "File, %filename% is infected on %hostname%" becomes "File, example.exe is infected on computer1" in the notification email, when it reaches the end-user.

Substitution variables

Variable: %hostname%
Valid for: All alerts
Equivalent field in the user interface: <none>
Description: Name of the host on which VirusScan Enterprise for Linux is installed

Variable: %hostip%
Valid for: All alerts
Equivalent field in the user interface: <none>
Description: IP address of host on which VirusScan Enterprise for Linux is installed

Variable: %productversion%
Valid for: All alerts
Equivalent field in the user interface: Host Summary Page – Product Version
Description: Version of the product

Variable: %detectedas%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page - Detected As
Description: Name of the virus

Variable: %detectedby%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page - Task
Description: "On-Access" if detected by the on-access scanner or name of the "On-Demand" scan task that detected the infection

Variable: %detectedtime%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page - Time
Description: Date and time of the local host for the detected item

Variable: %detectedtype%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Detected Type
Description: Type of the virus

Variable: %detectedutc%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Time
Description: Date and time on the local host, with UTC offset shown in brackets. For example: June 26 2013 12:30:12 (+5:30 UTC)

Variable: %engineversion%
Valid for: Item detected
Equivalent field in the user interface: Host Summary page — Engine Version
Description: Version number of the scanning engine

Variable: %extradatcount%
Valid for: Item detected
Equivalent field in the user interface: Host Summary page — Extra DAT
Description: Number of signatures in the extra.dat file

Variable: %extradatflag%
Valid for: Item detected
Equivalent field in the user interface: Host Summary page — Extra DAT
Description: Yes or No to indicate if an extra.dat file is present

Variable: %filename%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — File Name
Description: Name of the file which was scanned (excluding path)

Variable: %path%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Path
Description: Name of the file which was scanned (including path)

Variable: %process%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Process
Description: Name of process resulting in the scan

Variable: %result%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Result
Description: Result of any action taken for the detected infection

Variable: %user%
Valid for: Item detected
Equivalent field in the user interface: Detected Items page — Result
Description: Name of user who caused the scan

Variable: %datage%
Valid for: Out of date item detected
Equivalent field in the user interface: <none>
Description: Age of the DAT files in days, based on the VirusScan Enterprise for Linux host system's date and time

Variable: %datdate%
Valid for: Out of date item detected
Equivalent field in the user interface: Host Summary page — DAT Date
Description: Date when the current DAT files were created

Variable: %datversion%
Valid for: Out of date item detected
Equivalent field in the user interface: Host Summary page — DAT Version
Description: Version of the DAT files

Variable: %configchange%
Valid for: Configuration Change
Equivalent field in the user interface: <none>
Description: Configuration change made — modified, on-access detection enabled, or on-access detection disabled

Variable: %eventcode%
Valid for: System events
Equivalent field in the user interface: System Events page — Code
Description: Error code for the event

Variable: %eventdescription%
Valid for: System events
Equivalent field in the user interface: System Events page — Description
Description: Error description for the event

Variable: %eventtime%
Valid for: System events
Equivalent field in the user interface: System Events page — Time
Description: Date and time on the local host for event

Variable: %eventtype%
Valid for: System events
Equivalent field in the user interface: System Events page — Type
Description: Error type for the event

Variable: %eventutc%
Valid for: System events
Equivalent field in the user interface: System Events page — Time
Description: Date and time for the event on the local host, with UTC offset shown in brackets. For example: June 26 2013 12:30:12 (-5:00 UTC)


3 On-Access scanner settings

Specify On-Access settings on how VirusScan Enterprise for Linux will respond when it detects a virus or other potentially unwanted software, whenever the files are accessed.

Note: The default path for <RUNTIMEDIR> is: /var/opt/NAI/LinuxShield

Contents

Anti-virus scanning options

Extension-based scanning

Handling exclusions

Anti-virus actions

Anti-virus scanning options

Configure on-access scanning options to determine which file types VirusScan Enterprise for Linux will scan. By default, all scanning options are available, unless stated.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

On-Access Scanning options

Option: Enable On-Access Scanning
Definition: Use attributes:
true – To enable on-access scanning.
false – To disable on-access scanning.
Parameter: nailsd.oasEnabled:true

Option: Decompress archives
Definition: Configure to scan inside file archives such as .tar or .tgz files. The decompression can reduce performance; any virus-infected file inside an archive cannot become active unless extracted.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.decompArchive:true


Option: Find unknown program viruses
Definition: Configure to use heuristic analysis to identify potential new file viruses.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.heuristicAnalysis:true

Option: Find unknown macro viruses
Definition: Configure to use heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.macroAnalysis:true

Option: Decode MIME encoded files
Definition: Email messages are typically encoded in MIME format.
Use attributes:
true – To enable this option. Enabling this option can affect performance.
false – If your network has other anti-virus software for handling emails, specify this attribute to disable this option
Parameter: nailsd.profile.OAS.mime:false

Option: Find potentially unwanted programs
Definition: These programs might be dangerous but they are not viruses. They include programs such as spyware, remote-access utilities, and password crackers.
Use attributes:
true – To enable this option and detect potentially unwanted programs
false – To disable this option
Parameter: nailsd.profile.OAS.program:true

Option: Find joke programs
Definition: Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have enabled Find potentially unwanted programs.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.noJokes:true

Option: Scan files when writing
Definition: Scan the contents of each file to disk when it is closed.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.scanOnWrite:true

Option: Scan files when reading from disk
Definition: Scan the contents of each file when it is opened.
Use attributes:
true – To enable this option
false – To disable this option
Parameter: nailsd.profile.OAS.scanOnRead: true

Option: Scan files on network mounted volumes
Definition: Scan the network mounted files on /mnt or any mounted folder.
Use attributes:
true – To enable this option
false – To disable this option. Disabling this option will not scan the network mounted volume, even if it contains infected files.
Parameter: nailsd.profile.OAS.scanNWFiles:true

Option: Maximum scan time (seconds)
Definition: Specify the number of seconds after which scanning will stop. This feature prevents scanning of large files that reduce overall performance, and protects against corrupted files and denial-of-service attacks. The default value is 45 seconds, but you can specify between 10 and 300.
Parameter: nailsd.profile.OAS.scanMaxTmo:45
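
The boolean on-access options and the numeric ranges documented above can be checked mechanically after someone edits nailsd.cfg by hand. The Python script below is an added example, not part of the McAfee guide or product. It assumes one name:value pair per line (as the parameters are written in this guide), '#' comment lines, and its own policy for what counts as a finding.

```python
"""Audit documented settings in a VirusScan Enterprise for Linux nailsd.cfg.

Added example, not McAfee code. Parameter names and ranges are the ones printed
in the guide. Assumptions: one name:value pair per line, '#' starts a comment
line, and the policy below (which values count as findings) is this example's.
"""
import sys

# Boolean options from the guide; "false" reduces what the scanner covers.
MUST_BE_TRUE = (
    "nailsd.oasEnabled",
    "nailsd.profile.OAS.decompArchive",
    "nailsd.profile.OAS.heuristicAnalysis",
    "nailsd.profile.OAS.macroAnalysis",
    "nailsd.profile.OAS.program",
    "nailsd.profile.OAS.scanOnWrite",
    "nailsd.profile.OAS.scanOnRead",
    "nailsd.profile.OAS.scanNWFiles",
)
# Inclusive numeric ranges stated in the guide.
RANGES = {
    "nailsd.profile.OAS.scanMaxTmo": (10, 300),
    "log.maxLogAge": (1, 999),
}
# Enumerated attribute values stated in the guide.
ENUMS = {
    "log.detailLevel": ("low", "normal", "high"),
    "log.syslogDetailLevel": ("low", "normal", "high"),
}


def parse_cfg(text):
    """Return (settings, duplicates) parsed from name:value lines."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = line.split(":", 1)  # a value may itself contain ':'
        name, value = name.strip(), value.strip()
        if name in settings and name not in duplicates:
            duplicates.append(name)
        settings[name] = value  # the last occurrence is the one judged
    return settings, duplicates


def _in_range(value, low, high):
    """True only for a plain ASCII integer inside [low, high]."""
    return value.isascii() and value.isdigit() and low <= int(value) <= high


def audit(text):
    """Return a list of (parameter, problem); an empty list means no findings."""
    settings, duplicates = parse_cfg(text)
    findings = [(n, "set more than once; last value judged") for n in duplicates]
    for name in MUST_BE_TRUE:
        value = settings.get(name)
        if value is None:
            continue  # unset parameters are not judged by this example
        if value.lower() not in ("true", "false"):
            findings.append((name, f"not a boolean: {value!r}"))
        elif value.lower() == "false":
            findings.append((name, "disabled"))
    for name, (low, high) in RANGES.items():
        value = settings.get(name)
        if value is not None and not _in_range(value, low, high):
            findings.append((name, f"{value!r} outside documented {low}-{high}"))
    for name, allowed in ENUMS.items():
        value = settings.get(name)
        if value is not None and value.lower() not in allowed:
            findings.append((name, f"{value!r} not one of {', '.join(allowed)}"))
    return findings


# Constructed sample for illustration; not taken from a real host.
SAMPLE_CFG = """\
# constructed sample
nailsd.oasEnabled:true
nailsd.profile.OAS.decompArchive:true
nailsd.profile.OAS.heuristicAnalysis:true
nailsd.profile.OAS.scanOnWrite:true
nailsd.profile.OAS.scanOnRead: false
nailsd.profile.OAS.scanNWFiles:false
nailsd.profile.OAS.scanMaxTmo:600
log.detailLevel:verbose
log.maxLogAge:28
defaultNotifications.smtp.host:192.168.200.10
nailsd.oasEnabled:false
"""

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            cfg_text = handle.read()
    else:
        cfg_text = SAMPLE_CFG
    results = audit(cfg_text)
    for parameter, problem in results:
        print(f"{parameter}: {problem}")
    sys.exit(1 if results else 0)
```

The script exits non-zero when it has findings, so it can gate a configuration-management run or a cron job that mails the output.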

Extension-based scanning

VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus definition files include a comprehensive list of file name extensions that are susceptible to attack. The list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The extension name is not case-sensitive.

If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft Windows users, it might be useful to specify the types of files to scan according to their file name extension. However, we recommend that all files are scanned where possible.

You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those in the default list. You cannot remove any extension names from the default list, although you can build your own list of extension names based on those in the current default list.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

Extension Based Scanning options

Option Definition Parameter

Scan all files

Specify the parameter to scan all files regardless of file name extension.

nailsd.profile.OAS.filter.extensions.mode:all

Default + specified

Use these parameters to scan default and specified files.

Specify the file types in the first parameter and set the next parameter to add the file types to the list.

nailsd.profile.OAS.filter.extensions.list:bin|dat|data|exe

nailsd.profile.OAS.filter.extensions.mode:add

Specified

Use this option to scan specific files. When there is a new file type that is not included in the virus definition files, the new file type will not be scanned. To resolve this issue, VirusScan Enterprise for Linux allows you to specify these new file types and scan based on the extension.

For example, to scan specific file types such as 00?, 386, 3GR, ??_, ACE, ACM, and ADE, use these parameters.

nailsd.profile.OAS.filter.extensions.list:00?|386|3GR|??_|ACE|ACM|ADE|ADP

nailsd.profile.OAS.filter.extensions.mode:replace

Handling exclusions

VirusScan Enterprise for Linux supports excluding specific paths/files (either path or regular expression format) from being scanned.

Some shares/paths might not require scanning or you might prefer not to scan them frequently, such as:

Only plain text files or other file types which are not prone to infection

Executable files that have file permissions that prevent them being modified

Large archive files and compressed files

Files already known to be infected (quarantined)

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

Exclusion options

Option Definition Parameter

Exclude Folder path

Specify the folder path to exclude.

nailsd.profile.OAS.filter.<number>.path:/var/log

Exclude Sub-directory

Specify true or false to indicate whether to exclude files in the sub-directory.

nailsd.profile.OAS.filter.<number>.subdir:true

Exclusion type

Specify the exclusion type as: exclude-path

nailsd.profile.OAS.filter.<number>.type:exclude-path

Note: The <number> attribute denotes the priority in which VirusScan Enterprise for Linux considers the exclusion.

Here is an example of how you could add exclusion entries in the nails.cfg file:

Specifying on-access exclusion options-Example

nailsd.profile.OAS.filter.0.path:/var/log

nailsd.profile.OAS.filter.0.subdir:true

nailsd.profile.OAS.filter.0.type:exclude-path

nailsd.profile.OAS.filter.1.path:.*.jar

nailsd.profile.OAS.filter.1.subdir:false

nailsd.profile.OAS.filter.1.type:exclude-path

nailsd.profile.OAS.filter.2.path:/root

nailsd.profile.OAS.filter.2.subdir:true

nailsd.profile.OAS.filter.2.type:exclude-path

nailsd.profile.OAS.filter.3.path:/tmp

nailsd.profile.OAS.filter.3.subdir:true

nailsd.profile.OAS.filter.3.type:exclude-path

nailsd.profile.OAS.filter.4.path:.*.mdb

nailsd.profile.OAS.filter.4.subdir:false

nailsd.profile.OAS.filter.4.type:exclude-path

nailsd.profile.OAS.filter.5.path:.*.dbm

nailsd.profile.OAS.filter.5.subdir:false

nailsd.profile.OAS.filter.5.type:exclude-path

Anti-virus actions

Configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other potentially unwanted software.

The actions are:

clean — Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.

continue — Reports the detection and continues scanning. This action is only available for on-demand scanning.

delete — Deletes the infected file.

deny access — Prevents further access to the infected file. This action is only available for on-access scanning.

quarantine — Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.

rename — Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.

If any action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-access scanning, VirusScan Enterprise for Linux blocks access to the infected file.

Configuration file: nailsd.cfg

Default location: <RUNTIMEDIR>/etc

On-access Anti-virus action options

Option Definition Parameter

Action for viruses and Trojan horses

Specify actions to take when a virus or Trojan-horse program is detected.

Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.

nailsd.profile.OAS.action.App.primary:clean

nailsd.profile.OAS.action.App.secondary:quarantine

Action for applications and joke programs

Specify actions to take when a potentially unwanted application or joke program is detected.

Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.

nailsd.profile.OAS.action.Default.primary:clean

nailsd.profile.OAS.action.Default.secondary:quarantine

Action on time out

Specify an action to take when the scanning takes too long to complete.

The scanner takes an action if it fails to scan the file within the number of seconds specified under "Maximum scan time".

Use attributes:

block – To deny access to the suspected file

pass – To allow access to the suspected file

nailsd.profile.OAS.action.timeout:pass

Action if an error occurs during scanning

Specify an action to take if a fault occurs, such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action.

Use attributes:

block – To deny access to the suspected file

pass – To allow access to the suspected file

nailsd.profile.OAS.action.error:block

Quarantine directory

Specify the quarantine folder location to store quarantined items. By default, the quarantine directory is /quarantine.

Make sure that the directory is on the local system and does not include symbolic links.

nailsd.profile.OAS.quarantineDirectory:/quarantine

4 On-Demand scanner settings

Specify On-Demand settings for how VirusScan Enterprise for Linux will respond when it detects a virus or other potentially unwanted software during an on-demand scan.

Note: The default path for <RUNTIMEDIR> is: /var/opt/NAI/LinuxShield

Contents

Anti-virus scanning options

Extension-based scanning

Handling exclusions

Anti-virus actions

Anti-virus scanning options

Configure on-demand scanning options to determine which file types VirusScan Enterprise for Linux will scan. By default, all scanning options are available, unless stated.

Configuration file: ods.cfg

Default location: <RUNTIMEDIR>/etc

On-Demand Scanning options

Option Definition Parameter

Decompress archives

Configure to scan inside file archives such as .tar or .tgz files. The decompression can reduce performance; any virus-infected file inside an archive cannot become active unless extracted.

Use attributes:

true – To enable this option

false – To disable this option

nailsd.profile.ODS.decompArchive:true

Find unknown program viruses

Configure to use heuristic analysis to identify potential new file viruses.

Use attributes:

true – To enable this option

false – To disable this option

nailsd.profile.ODS.heuristicAnalysis:true

Find unknown macro viruses

Configure to use heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products.

Use attributes:

true – To enable this option

false – To disable this option

nailsd.profile.ODS.macroAnalysis:true

Decode MIME encoded files

Email messages are typically encoded in MIME format.

Use attributes:

true – To enable this option. Enabling this option can affect performance.

false – If your network has other anti-virus software for handling emails, specify this attribute to disable this option

nailsd.profile.ODS.mime:false

Find potentially unwanted programs

These programs might be dangerous but they are not viruses. They include programs such as spyware, remote-access utilities, and password crackers.

Use attributes:

true – To enable this option and detect potentially unwanted programs

false – To disable this option

nailsd.profile.ODS.program:true

Find joke programs

Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have enabled Find potentially unwanted programs.

Use attributes:

true – To enable this option

false – To disable this option

nailsd.profile.ODS.noJokes:true

Maximum scan time (seconds)

Specify the number of seconds after which scanning will stop. This feature prevents scanning of large files that reduce overall performance, and protects against corrupted files and denial-of-service attacks.

The default value is 300 seconds, but you can specify between 10 and 9999.

nailsd.profile.ODS.scanMaxTmo:300

Extension-based scanning

VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus definition files include a comprehensive list of file name extensions that are susceptible to attack. The list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The extension name is not case-sensitive.

If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft Windows users, it might be useful to specify the types of files to scan according to their file name extension. However, we recommend that all files are scanned where possible.

You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those in the default list. You cannot remove any extension names from the default list, although you can build your own list of extension names based on those in the current default list.

Configuration file: ods.cfg

Default location: <RUNTIMEDIR>/etc

Extension Based Scanning options

Option Definition Parameter

Scan all files

Specify the parameter to scan all files regardless of file name extension.

nailsd.profile.ODS.filter.extensions.mode:all

Default + specified

Use these parameters to scan default and specified files.

Specify the file types in the first parameter and set the next parameter to add the file types to the list.

nailsd.profile.ODS.filter.extensions.list:bin|exe|tar|zip

nailsd.profile.ODS.filter.extensions.mode:add

Specified

Use this option to scan specific files. When there is a new file type that is not included in the virus definition files, the new file type will not be scanned. To resolve this issue, VirusScan Enterprise for Linux allows you to specify these new file types and scan based on the extension.

For example, to scan specific file types such as 00?, 386, 3GR, ??_, ACE, ACM, and ADE, use these parameters.

nailsd.profile.ODS.filter.extensions.list:00?|386|3GR|??_|ACE|ACM|ADE|ADP

nailsd.profile.ODS.filter.extensions.mode:replace

Handling exclusions

VirusScan Enterprise for Linux supports excluding specific paths/files (either path or regular expression format) from being scanned.

Some shares/paths might not require scanning or you might prefer not to scan them frequently, such as:

Only plain text files or other file types which are not prone to infection

Executable files that have file permissions that prevent them being modified

Large archive files and compressed files

Files already known to be infected (quarantined)

Configuration file: ods.cfg

Default location: <RUNTIMEDIR>/etc

Exclusion options

Option Definition Parameter

Exclude Folder path

Specify the folder path to exclude.

nailsd.profile.ODS.filter.<number>.path:/var/log

Exclude Sub-directory

Specify true or false to indicate whether to exclude files in the sub-directory.

nailsd.profile.ODS.filter.<number>.subdir:true

Exclusion type

Specify the exclusion type as: exclude-path

nailsd.profile.ODS.filter.<number>.type:exclude-path

Note: The <number> attribute denotes the priority in which VirusScan Enterprise for Linux considers the exclusion.

Here is an example of how you could add exclusion entries in the nails.cfg file:

Specifying on-demand exclusion options-Example

nailsd.profile.ODS.filter.0.path:/proc

nailsd.profile.ODS.filter.0.subdir:true

nailsd.profile.ODS.filter.0.type:exclude-path

nailsd.profile.ODS.filter.1.path:.*.jar

nailsd.profile.ODS.filter.1.subdir:false

nailsd.profile.ODS.filter.1.type:exclude-path

nailsd.profile.ODS.filter.2.path:/tmp

nailsd.profile.ODS.filter.2.subdir:false

nailsd.profile.ODS.filter.2.type:exclude-path

Anti-virus actions

Configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other potentially unwanted software.

The actions are:

clean — Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.

continue — Reports the detection and continues scanning. This action is only available for on-demand scanning.

delete — Deletes the infected file.

deny access — Prevents further access to the infected file. This action is only available for on-access scanning.

quarantine — Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.

rename — Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.

If any action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-demand scanning, VirusScan Enterprise for Linux reports that the file is infected.

Configuration file: ods.cfg

Default location: <RUNTIMEDIR>/etc

On-demand Anti-virus action options

Option Definition Parameter

Action for viruses and Trojan horses

Specify actions to take when a virus or Trojan-horse program is detected.

Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.

nailsd.profile.ODS.action.App.primary:clean

nailsd.profile.ODS.action.App.secondary:quarantine

Action for applications and joke programs

Specify actions to take when a potentially unwanted application or joke program is detected.

Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.

nailsd.profile.ODS.action.Default.primary:clean

nailsd.profile.ODS.action.Default.secondary:quarantine

Action on time out

Specify an action to take when the scanning takes too long to complete. The scanner takes an action if it fails to scan the file within the number of seconds specified under "Maximum scan time".

Use attributes:

block – To deny access to the suspected file

pass – To allow access to the suspected file

nailsd.profile.ODS.action.timeout:pass

Action if an error occurs during scanning

Specify an action to take if a fault occurs, such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action.

Use attributes:

block – To deny access to the suspected file

pass – To allow access to the suspected file

nailsd.profile.ODS.action.error:block

Quarantine directory

Specify the quarantine folder location to store quarantined items. By default, the quarantine directory is /quarantine.

Make sure that the directory is on the local system and does not include symbolic links.

nailsd.profile.ODS.quarantineDirectory:/quarantine
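
The following is an added example, not part of McAfee's guide or tooling: a Python audit that parses the key:value lines used in nailsd.cfg and ods.cfg and flags on-access or on-demand settings described above that fail open or leave files unscanned. The sample configuration is constructed from parameters shown in this guide; the world-writable directory list is the example's own policy, and it assumes regular-expression exclusions treat an unescaped "." as any character.

```python
import re

# Constructed sample built from parameters shown in this guide; not a real host's file.
SAMPLE_CFG = """\
nailsd.profile.OAS.scanNWFiles:false
nailsd.profile.OAS.scanMaxTmo:600
nailsd.profile.OAS.filter.extensions.list:bin|dat|data|exe
nailsd.profile.OAS.filter.extensions.mode:replace
nailsd.profile.OAS.filter.0.path:/var/log
nailsd.profile.OAS.filter.0.subdir:true
nailsd.profile.OAS.filter.0.type:exclude-path
nailsd.profile.OAS.filter.1.path:.*.jar
nailsd.profile.OAS.filter.1.subdir:false
nailsd.profile.OAS.filter.1.type:exclude-path
nailsd.profile.OAS.filter.3.path:/tmp
nailsd.profile.OAS.filter.3.subdir:true
nailsd.profile.OAS.filter.3.type:exclude-path
nailsd.profile.OAS.action.timeout:pass
nailsd.profile.OAS.action.error:block
"""

# Documented scanMaxTmo ranges: on-access 10-300, on-demand 10-9999.
TMO_RANGE = {"OAS": (10, 300), "ODS": (10, 9999)}
# Reviewer's policy (assumption): world-writable locations should stay scanned.
WORLD_WRITABLE = {"/tmp", "/var/tmp", "/dev/shm"}

def parse_cfg(text):
    """Return {key: value}, splitting each line on the first ':' only."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def audit(cfg, profile="OAS"):
    """Return (short_key, reason) findings for one profile (OAS or ODS)."""
    prefix = f"nailsd.profile.{profile}."
    p = {k[len(prefix):]: v for k, v in cfg.items() if k.startswith(prefix)}
    out = []
    for k in ("action.timeout", "action.error"):
        if p.get(k) == "pass":
            out.append((k, "fail-open: the file is allowed without a completed scan"))
    mode = p.get("filter.extensions.mode")
    if mode is not None and mode != "all":
        out.append(("filter.extensions.mode", f"'{mode}' scans by extension; the guide recommends all files"))
    if p.get("scanNWFiles") == "false":
        out.append(("scanNWFiles", "network mounted volumes are not scanned"))
    lo, hi = TMO_RANGE[profile]
    tmo = p.get("scanMaxTmo")
    if tmo is not None and not (tmo.isdigit() and lo <= int(tmo) <= hi):
        out.append(("scanMaxTmo", f"{tmo} is outside the documented {lo}-{hi} range"))
    for k, path in sorted(p.items()):
        m = re.fullmatch(r"filter\.(\d+)\.path", k)
        if not m or p.get(f"filter.{m.group(1)}.type") != "exclude-path":
            continue
        if path.rstrip("/") in WORLD_WRITABLE:
            out.append((k, f"{path} is world-writable and excluded from scanning"))
        elif not path.startswith("/") and re.search(r"(?<!\\)\.[A-Za-z0-9]+$", path):
            out.append((k, f"unescaped '.' in {path!r} matches any character, not only a dot"))
    return out

if __name__ == "__main__":
    for key, reason in audit(parse_cfg(SAMPLE_CFG), "OAS"):
        print(f"{key}: {reason}")
```

Pass "ODS" as the profile to audit the contents of ods.cfg with the on-demand timeout range.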