"Dr.Web for UNIX file servers" Administrator's manual
"Dr.Web for UNIX file servers" Administrator's manual
"Dr.Web for UNIX file servers" Administrator's manual
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Doctor Web
Dr.Web®
for UNIX file servers
(OS Linux, FreeBSD and Solaris x86)
Administrator Manual
Version 5.0.0.1

© 2003-2009 Doctor Web. All rights reserved.
This document is a property of Doctor Web. No part of this document may be reproduced, published or transmitted in any form or by any means for any other purpose than the purchaser's personal use without proper attribution.

TRADEMARKS
Dr.Web is a registered trademark of Doctor Web.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
UNIX® is a registered trademark of The Open Group.
Other trademarks, registered trademarks and company names used in this document are property of their respective owners.

DISCLAIMER
In no event shall Doctor Web and its resellers or distributors be liable for errors or omissions, or any loss of profit or any other damage caused or alleged to be caused directly or indirectly by this document, the use of or inability to use information contained in this document.

Dr.Web for UNIX file servers (OS Linux, FreeBSD and Solaris x86)
Version 5.0.0.1
Administrator Manual
Release date: 24.12.09

Doctor Web Head Office
2-12A, 3rd str. Yamskogo polya
Moscow, Russia
125124
Web site: http://www.drweb.com
Phone: +7 (495) 789-45-87
Refer to the official web site for regional and international office information.
Contents
1. Introduction ... 5
1.1. What is this Manual about ... 5
1.2. Terms and abbreviations ... 5
1.3. System requirements ... 6
1.4. Package files location ... 6
1.5. Configuration files ... 7
2. Installation and deinstallation ... 10
2.1. Installation from distribution package for UNIX systems ... 10
2.1.1. On computers using X Window system ... 11
2.1.2. On computers working in command-line mode ... 11
2.2. Installation of Dr.Web Samba SpIDer from source codes ... 12
2.3. Removal of distribution package for UNIX systems ... 13
2.4. Upgrade of distribution package for UNIX systems ... 14
2.5. User interface of graphical installer ... 15
2.6. User interface of graphical uninstaller ... 19
3. «Dr.Web for UNIX file servers» solution startup ... 22
3.1. For Linux and Solaris ... 22
3.2. For FreeBSD ... 22
3.3. Preparing OS protected by SELinux to interaction with Scanner and Daemon ... 22
4. Software registration. License key file ... 24
5. Updating components and virus databases ... 25
6. Updating module Dr.Web Updater ... 26
6.1. Cron configuration ... 26
6.2. Command line parameters ... 26
6.3. Configuration ... 27
6.4. Updating process ... 29
7. Console Scanner Dr.Web Scanner ... 30
7.1. Command Line Parameters ... 30
7.2. Configuration ... 32
7.3. Start ... 38
8. Antivirus Module Dr.Web Daemon ... 40
8.1. Command Line Parameters ... 40
8.2. Configuration ... 40
8.3. Start ... 48
8.4. Signal Processing ... 49
8.5. Verifying Availability of Dr.Web Daemon ... 49
8.6. Scanning Modes ... 52
9. Integrating Daemon with Samba File Server ... 53
9.1. Requirements ... 53
9.2. Plug-in of Dr.Web Samba SpIDer Module ... 53
9.3. Start ... 53
9.4. Configuration ... 54
9.5. Interaction with Distributed File System (MS DFS) ... 59
10. «Dr.Web console for UNIX file servers» ... 61
10.1. Installation ... 61
10.2. Basic configuration ... 68
10.3. User interface ... 69
10.3.1. «Configuration» ... 70
10.3.1.1. «General settings» tab ... 71
10.3.2. «Quarantine» ... 72
11. Contact information ... 73
Appendix 1. The License Policy ... 74
Protection of file servers (http://products.drweb.com/fileserver/unix/) ... 74
1. Introduction

1.1. What is this Manual about

This Manual describes the following Dr.Web® solutions for file servers in UNIX® based operating systems:
● «Dr.Web for UNIX file servers» for Linux;
● «Dr.Web for UNIX file servers» for FreeBSD;
● «Dr.Web for UNIX file servers» for Solaris.

Because these solutions for the various UNIX based operating systems («UNIX systems» hereinafter) differ from each other only slightly, all of them are referred to below as «Dr.Web for UNIX file servers». Significant differences are described in separate chapters and paragraphs.

The Manual is intended for the person responsible for antivirus protection and security («Administrator» hereinafter).

Protection of file servers in UNIX systems consists of checking the content of shared directories for viruses, so that an infected file placed on a share does not spread to the rest of the network. The viruses involved are usually not written for UNIX systems at all: what travels across a local network is ordinary Windows malware, including macro viruses for Word, Excel and other office applications, and a UNIX file server that does not scan its shares passes such files on untouched.

«Dr.Web for UNIX file servers» consists of three major components:
● The scanning package Dr.Web Scanner detects and cures viruses on the local system.
● The antivirus package Dr.Web Daemon can be used in almost any data processing scheme as an external antivirus filter plug-in.
● Dr.Web Samba VFS SpIDer is a monitor of file operations for Samba file servers. It is implemented as a plug-in for the VFS (Virtual File System) interface of Samba and at the same time works as a client of Dr.Web Daemon. The Dr.Web Samba VFS SpIDer package is what integrates the other packages with Samba file servers.

This Manual covers the basic setup, configuration and startup procedures of «Dr.Web for UNIX file servers»:
● general information (chapter 1);
● installation of the Dr.Web solution for file servers in UNIX systems (chapter 2);
● startup of the Dr.Web solution for file servers in UNIX systems (chapters 3-4);
● usage of the updating package Dr.Web Updater (chapters 5-6);
● usage of the console scanner Dr.Web Scanner (chapter 7);
● usage of the antivirus package Dr.Web Daemon (chapter 8);
● usage of Dr.Web Samba VFS SpIDer (chapters 9-10).

At the end of this Manual you will find technical support contact information.

Dr.Web products are under constant development. Virus database add-ons are released daily, sometimes several times a day, and new program versions appear regularly; detection techniques, methods of antivirus protection and integration with other UNIX applications are improved continuously, and the list of applications compatible with Dr.Web keeps growing. Some settings and functions described in this Manual may therefore differ slightly from the current program version. For up-to-date program information refer to the documentation files included in the delivery package.
1.2. Terms and abbreviations

The following terms and abbreviations are used in this Manual (table 1).

Table 1. Legend.

Legend          Interpretation
Please note...  Important remark or instruction
/var/drweb/     File and directory names, excerpts from configuration files, parameter definition examples, system library and file names
OS              Operating system

To denote the directories into which the components of the software complex are installed, the conventional symbols %bin_dir, %etc_dir and %var_dir are used. Depending on the OS, these symbols refer to the following directories:

for Linux and Solaris:
%bin_dir = /opt/drweb/
%etc_dir = /etc/drweb/
%var_dir = /var/drweb/

for FreeBSD:
%bin_dir = /usr/local/drweb/
%etc_dir = /usr/local/etc/drweb/
%var_dir = /var/drweb/
1.3. System requirements

«Dr.Web for UNIX file servers» is compatible:
● with Linux distributions with kernel version 2.4.x and later;
● with FreeBSD version 6.x and later for the Intel x86 platform;
● with Solaris version 10 for the Intel x86 platform.

An installed Samba v.3.0.x to v.3.4.x is also required.

The hardware requirements of Dr.Web are the same as the hardware requirements of a command line interface (CLI) installation of the corresponding OS. No more than 20 MB of disk space is needed to install «Dr.Web for UNIX file servers».

Depending on the tasks «Dr.Web for UNIX file servers» is used for and on the total system load during its operation, the actual hardware requirements may vary widely.
1.4. Package files location

«Dr.Web for UNIX file servers» is installed by default into the %bin_dir, %etc_dir and %var_dir directories. The following OS-independent directory tree is created in them:
● %bin_dir ― executable modules of the Dr.Web solution and the updating package Dr.Web Updater (perl script update.pl);
● %bin_dir/lib/ ― the antivirus engine as a loadable library (drweb32.dll). Various service libraries for the packages of «Dr.Web for UNIX file servers» may also reside in this subdirectory;
● %var_dir/bases/*.vdb ― databases of known viruses;
● %etc_dir/drweb32.ini ― main configuration file;
● %etc_dir/smb_spider.conf ― Dr.Web Samba VFS SpIDer configuration file;
● %bin_dir/lib/ru_scanner.dwl, %bin_dir/lib/ru_daemon.dwl ― language files for the Dr.Web Scanner and Dr.Web Daemon packages;
● %bin_dir/doc/ ― documentation. All documentation is provided as plain text files in English and Russian (KOI8-R and UTF-8 encodings);
● %bin_dir/doc/samba/ ― documentation for the Dr.Web Samba VFS SpIDer module and the shell script updatelinks.sh for automatic creation and update of symbolic links;
● %var_dir/infected/ ― quarantine directory to which infected or suspicious files are moved when such a reaction is configured for the components of the Dr.Web software system.
1.5. Configuration files

The components of the Dr.Web software system are set up through configuration files. Configuration files are plain text files (so they can be edited with any text editor) with the following structure:

--- beginning of file ---
[Section 1 name]
Parameter1 = value1, ..., valueK
...
ParameterM = value1, ..., valueK
...
[Section X name]
Parameter1 = value1, ..., valueK
...
ParameterY = value1, ..., valueK
--- end of file ---

A line beginning with «;» or «#» is a comment line. Such lines are skipped when parameters are read from the configuration file.

A parameter that is commented out or not specified does not thereby lose its value: the hardcoded default is used instead. Only a few parameters are optional or have no default value, and every such case is described separately.

When a parameter is set incorrectly, the Dr.Web component outputs an error message and terminates.

When an unknown parameter is found in the configuration file, the Dr.Web component continues execution and writes a warning into the log file. Note that this applies to misspelled parameter names as well: a mistyped name is an unknown parameter, the parameter you meant to set silently keeps its default value, and the only evidence is the warning in the log. Check the log after editing a configuration file.

Parameter values may be enclosed in quotation marks, and must be when they contain white space. Some parameters accept several values; these can be delimited by commas, or each value can be given on a separate line of the configuration file. Whether a parameter accepts multiple values is stated explicitly in its description.

Examples:

Multiple values delimited by commas:
Names = XXXXX, YYYYY

Multiple values given on separate lines:
Names = XXXXX
Names = YYYYY

All parameters in this Manual are described in the following way:

ParameterName = {parameter type | possible values}
Parameter description.
{possibility to have multiple values}.
Default value:
ParameterName = {value | empty}

Parameters are described in the order in which they appear in the corresponding configuration file.

The parameter type can be:
● Numerical value ― the value is a positive integer;
● Time ― the value is a duration: a positive number followed by a unit (s ― seconds, m ― minutes, h ― hours; case insensitive). If the unit is omitted, the value is taken to be in seconds.
Examples: 30s, 15m;
● Capacity ― the value is an amount of disk space or memory: an integer followed by a unit (b ― bytes, k ― kilobytes, m ― megabytes, g ― gigabytes; case insensitive). If the unit is omitted, the value is taken to be in bytes.
Examples: 20b, 15k;
● Path to file | directory ― the value is the location of a file or directory in the file system;
● Actions ― actions to be performed on objects that triggered a reaction of a «Dr.Web for UNIX file servers» component. The set of acceptable actions may differ between parameters; where it does, it is specified in the description of the parameter.
All possible actions:
  ● Cure ― cure the infected file;
  ● Move ― move the infected file to the quarantine directory;
  ● Truncate ― cut the file to zero length;
  ● Delete ― delete the infected file;
  ● Rename ― rename the infected file;
  ● Ignore ― skip the file;
  ● Pass ― only write information about the file to the log (for the Dr.Web Scanner package);
  ● Report ― only write information about the file to the log.
● Address ― socket addresses of Dr.Web software system components and external packages. These parameters are specified in type:address format. The following address types are acceptable:
  ● inet ― TCP sockets are used; the address is specified in port@hostname format, where hostname is either an IP address or a host name. An inet address is a network listener: with a hostname other than the loopback address the socket is reachable by any host that can connect to that port, so on a file server prefer a local socket unless the Daemon has to serve clients on other hosts.
  Example: Address = inet:3003@localhost;
  ● local ― local UNIX sockets are used; the address is the path to the socket file.
  Example: Address = local:/var/drweb/run/.drwebd;
  ● PID ― the real address of the process is read from its pid file. This address type is acceptable only in some cases, and the parameter description says so explicitly where it applies.
● Text ― the value is a text string, which may be enclosed in quotation marks (and must be when it contains white space);
● Strings and files ― sets of text values delimited by commas. If the value is given in file:/path_to_file format, the text values are read from the file path_to_file, one value per line. If path_to_file cannot be read, the «Dr.Web for UNIX file servers» components continue execution and write a warning into the log file; the parameter then behaves as if the list were empty, so check the log for that warning whenever a list is kept in a separate file;
● Other values ― some parameters have types not covered by this list.

Logging of the Dr.Web software system components ranges from extremely detailed (the Debug value, whose output is intended for debugging) to none at all (the Quiet value). All logging parameters take their values from the following list: Quiet, Error, Info, Alert, Notice, Warning, Verbose, Debug.

Dr.Web Daemon and Dr.Web Scanner support the log levels Error, Info, Notice, Warning and Alert. Dr.Web Updater works with the levels Quiet, Error, Alert, Info, Debug and Verbose. Dr.Web Samba VFS SpIDer accepts the values Debug, Verbose, Info, Alerts, Errors and Quiet.
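The format rules of this section, as an added example that is not part of the Dr.Web distribution or of this Manual: a Python loader that reads a file with the structure above, skips «;» and «#» comment lines, accumulates repeated parameter names, converts Time, Capacity and Address values, expands file:/path lists, warns on unknown parameter names and unreadable files, and rejects bad values. The section and parameter names in the sample (Daemon, Timeout, MaxFileSize, Users, Timeuot), the SCHEMA table and the pid:/path spelling of the PID address type are assumptions made for the example; the Manual gives no syntax for the PID type.

```python
# Added example, not part of the Dr.Web distribution: a loader for the
# configuration format described in this section. Section and parameter
# names in SAMPLE_INI and SCHEMA are constructed, not real drweb32.ini ones;
# 'pid:/path' for the PID address type is an assumption (no syntax is given).
import re
from pathlib import Path

SAMPLE_INI = """\
[Daemon]
Address = inet:3003@localhost
Address = local:/var/drweb/run/.drwebd
Timeout = 15m
MaxFileSize = 20m
Users = file:/nonexistent/users.txt
# misspelled name: an unknown parameter, so Timeout above keeps its value
Timeuot = 1h
"""

def parse_ini(text):
    """Return {section: {parameter: [values]}}; a repeated name accumulates."""
    cfg, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ';#':          # comment lines are skipped
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip()
            cfg.setdefault(section, {})
            continue
        if section is None or '=' not in line:
            raise ValueError(f'line {lineno}: malformed line {raw!r}')
        name, _, value = (s.strip() for s in line.partition('='))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            items = [value[1:-1]]                # quoted: one value, commas kept
        else:
            items = [v.strip() for v in value.split(',') if v.strip()]
        cfg[section].setdefault(name, []).extend(items)
    return cfg

_TIME = {'s': 1, 'm': 60, 'h': 3600}                             # default: s
_CAPACITY = {'b': 1, 'k': 1024, 'm': 1024 ** 2, 'g': 1024 ** 3}  # default: b

def _scaled(value, units, what):
    """'15m' -> 15 * units['m']; a missing unit means the base unit."""
    m = re.fullmatch(r'(\d+)\s*([A-Za-z]?)', value.strip())
    unit = m.group(2).lower() if m else None
    if m is None or (unit and unit not in units):
        raise ValueError(f'bad {what} value {value!r}')
    return int(m.group(1)) * units.get(unit, 1)

def parse_time(value):
    return _scaled(value, _TIME, 'time')
def parse_capacity(value):
    return _scaled(value, _CAPACITY, 'capacity')

def parse_address(value, allow_pid=False):
    """'type:address' -> ('inet', host, port) | ('local', path) | ('pid', path)."""
    kind, sep, rest = value.partition(':')
    kind = kind.lower()
    if sep and kind == 'inet':
        port, at, host = rest.partition('@')      # port@hostname
        if at and port.isdigit() and host:
            return ('inet', host, int(port))
    elif sep and rest and (kind == 'local' or (kind == 'pid' and allow_pid)):
        return (kind, rest)
    raise ValueError(f'bad address {value!r}')

def load_strings(values, warnings):
    """Expand 'file:/path' items into that file's lines; unreadable -> warning."""
    out = []
    for v in values:
        try:
            lines = Path(v[5:]).read_text().splitlines() if v.startswith('file:') else [v]
            out.extend(l.strip() for l in lines if l.strip())
        except OSError as e:
            warnings.append(f'cannot read {v[5:]}: {e}')
    return out

SCHEMA = {                                   # (section, parameter) -> parser
    ('Daemon', 'Address'): parse_address,
    ('Daemon', 'Timeout'): parse_time,
    ('Daemon', 'MaxFileSize'): parse_capacity,
    ('Daemon', 'Users'): load_strings,
}

def load(text):
    """Typed values plus warnings: unknown names warn, bad values raise ValueError."""
    typed, warnings = {}, []
    for section, params in parse_ini(text).items():
        for name, values in params.items():
            parser = SCHEMA.get((section, name))
            if parser is None:
                warnings.append(f'[{section}] {name}: unknown parameter ignored')
            elif parser is load_strings:
                typed[(section, name)] = load_strings(values, warnings)
            else:
                typed[(section, name)] = [parser(v) for v in values]
    return typed, warnings

def exposed_inet_addresses(addresses):
    """inet listeners not on the loopback host are reachable over the network."""
    return [a for a in addresses
            if a[0] == 'inet' and a[1] not in ('localhost', '127.0.0.1', '::1')]
```

load(SAMPLE_INI) returns the typed values together with two warnings, one for the misspelled Timeuot and one for the unreadable users file; the misspelled line leaves Timeout at its earlier value, which is exactly the silent fallback described above. exposed_inet_addresses() is the check worth running on any configuration before starting the Daemon: an inet listener on a host name other than localhost (for instance inet:3003@0.0.0.0) accepts connections from anything that can reach the port.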
2. Installation and deinstallation

Below you will find a detailed description of the installation and deinstallation procedures of «Dr.Web for UNIX file servers» for Linux. Administrator (root) privileges are required for all of these operations.

Before installing, carefully uninstall all packages of earlier product versions (delivered in rpm or deb format) left over from previous installations.

The «Dr.Web for UNIX file servers» distribution package for UNIX systems is delivered in EPM format (a script-based distribution package with installation and removal scripts and standard install/uninstall GUIs) designed for use with the ESP Package Manager (EPM). Please note that all these scripts belong to the EPM package itself, not to any component of the Dr.Web software system.

Installation, deinstallation and upgrade of «Dr.Web for UNIX file servers» can be carried out in the following ways:
● via the install/uninstall GUIs;
● via the install/uninstall console scripts.

Dependencies are handled during installation. Some components require others to be installed first (for example, drweb-daemon requires the drweb-common and drweb-bases components); thanks to the dependency information, such step-by-step installation is performed automatically.

During deinstallation, dependencies are handled only by the graphical uninstaller. When deinstallation is performed with the uninstall console scripts, only the explicitly specified component is removed, even if other installed components depend on it.

Please note that if you install «Dr.Web for UNIX file servers» on a computer where other Dr.Web products have previously been installed from EPM packages, every attempt to remove some modules via the uninstall GUI will prompt you to remove absolutely all Dr.Web modules, including those belonging to other products. Pay special attention to the actions you perform and the selections you make during deinstallation to avoid accidentally removing components you still need.

Please note that the initial installation installs the software only. None of the components is started after setup or after reboot.
2.1. Installation from distribution package for UNIX systems

«Dr.Web for UNIX file servers» is distributed as a self-extracting package drweb-file-servers_5.0.X_[OS name].run (i.e. drweb-file-servers_5.0.X_linux.run for Linux, drweb-file-servers_5.0.X_bsd.run for FreeBSD and drweb-file-servers_5.0.X_solaris.run for Solaris, where X is the version number). The distribution includes the following components:
● drweb-common: contains the main configuration file drweb32.ini, libraries, documentation and the directory structure. During installation of this component the drweb user and the drweb group are created;
● drweb-bases: contains the antivirus search engine (Engine) and virus databases. It requires the drweb-common package to be installed first;
● drweb-updater: contains the update utility (Updater) for the Engine, virus databases and content-specific black lists. It requires the drweb-common package to be installed first;
● drweb-daemon: contains the Dr.Web Daemon executable files and its documentation. It requires the drweb-bases package to be installed first;
● drweb-scanner: contains the Dr.Web Scanner executable files and its documentation. It requires the drweb-bases package to be installed first;
● drweb-smbspider: contains compiled libraries for different versions of Samba servers. It requires the drweb-common package to be installed first;
● drweb-smbspider-src: contains the source code so that the user can compile the libraries for his own version of the Samba server or system architecture;
● drweb-file-servers-doc: contains the Administrator Manual in English and Russian.
2.1.1. On computers using X Window system
To install all the components of the «Dr.Web for UNIX file servers» solution automatically you may use either the console (CLI) or the default file manager of your GUI-based shell. In the first case, allow execution of the corresponding self-extracting package with the first of the following commands, and then run it with the second:
# chmod +x drweb-file-servers_5.0.X_[OS name].run
# ./drweb-file-servers_5.0.X_[OS name].run
As a result the drweb-file-servers_5.0.X_[OS name] directory is created and the install GUI is initialized (for a detailed description of the graphical user interface refer to the subsequent chapters of this Manual). If startup has been performed without root privileges, the install GUI will try to gain the appropriate privileges by itself.
If you only want to extract the content of the package without starting the install GUI, use the --noexec command line parameter:
# ./drweb-file-servers_5.0.X_[OS name].run --noexec
After you extract the content, you may initialize the install GUI and continue setup with the following command:
# drweb-file-servers_5.0.X_[OS name]/install.sh
If it is impossible or unacceptable to use the install GUI, you may use the corresponding install scripts. Run the executable *.install files in the console with the following command:
# drweb-file-servers_5.0.X_[OS name]/[component_name].install
If you want to perform the installation without any additional interaction (e.g. confirmations at various setup stages), you may use the now command line parameter. Please note that if you choose to use this parameter, you automatically confirm and accept the Software License Agreement. (Text files with the Software License Agreement in English and Russian, LICENSE and LICENSE.ru, are included in the distribution package.)
2.1.2. On computers working in command-line mode
When you get access to the UNIX server, copy the installation package to a temporary directory and extract its content:
# mkdir /tmp/fileservers/
# cp /root/drweb/fileservers/drweb-file-servers_5.0.X_[OS name].run /tmp/fileservers/
# cd /tmp/fileservers/
# chmod +x /tmp/fileservers/drweb-file-servers_5.0.X_[OS name].run
# /tmp/fileservers/drweb-file-servers_5.0.X_[OS name].run --noexec
All extracted files are saved to the /tmp/fileservers/drweb-file-servers_5.0.X_[OS name] directory.
Run the executable *.install files for all necessary components with the following command:
# drweb-file-servers_5.0.X_[OS name]/[component_name].install
The setup procedure is identical for all the packages. Immediately after start you will be prompted to confirm your intention to perform the installation. After that you will be offered to read and accept the Software License Agreement (by entering yes in reply to the corresponding question).
You can also use the now command line parameter to perform the installation without any additional interaction (e.g. confirmations at various setup stages).
During the installation the following processes take place:
●the original configuration files are recorded to the %etc_dir/software/conf/ directory under the names [configuration_file_name].N;
●operational copies of the configuration files are placed in the corresponding directories of the software being installed;
●other files are installed. If a file with the same name already exists in the corresponding directory (e.g. after an incomplete removal of previous versions of the packages), it is overwritten with the new file and a copy of it is saved as [file_name].O. If some [file_name].O file already exists in this directory, it is replaced with the new file of the same name;
●the update-links.sh script is executed. It checks the version of the Samba server and then creates a symbolic link in the /usr/lib/samba/vfs/ directory to the library for that specific Samba version from the %bin_dir/lib/ directory. Please note that if two different versions of Samba are installed in one directory, the symbolic link will be created for only one of them. If different versions of Samba are installed in separate directories, an individual symbolic link is created for each Samba. The following lines are output to the log for each Samba installed.
Example for Linux OS:
--- cut ---
Update links for /usr/sbin/smbd
create symlink /opt/drweb/lib/libsmb_spider.so.3.X.X --> /usr/lib/samba/vfs/smb_spider.so
Please, update your config /etc/samba/smb.conf
--- cut ---
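The following is an added example, not the update-links.sh script shipped with the product: it performs the step the manual attributes to that script (select the libsmb_spider.so build matching the installed Samba version and link it as smb_spider.so in Samba's VFS directory), and refuses to touch a link or file it cannot safely replace. The library naming libsmb_spider.so.X.Y.Z is taken from the manual; reading the version from the output of smbd -V ("Version X.Y.Z") is an assumption made here.

```shell
#!/bin/sh
# Added example, not the product's own update-links.sh. Links the libsmb_spider.so
# build for a given Samba version into the VFS directory, as the manual describes.
# Assumption: `smbd -V` prints a line of the form "Version X.Y.Z".

# smbd_version <path to smbd>: prints the Samba version, e.g. 3.4.2
smbd_version() {
    "$1" -V | sed -n 's/^Version \([0-9][0-9.]*\).*/\1/p'
}

# link_smb_spider <samba version> <lib dir> <vfs dir>
# Exit status 0: link in place. Exit status 1: no library built for that
# version, or the target cannot be replaced safely. On failure nothing is
# changed, so a working Samba setup is not broken by a mismatched install.
link_smb_spider() {
    version=$1; lib_dir=$2; vfs_dir=$3
    lib="$lib_dir/libsmb_spider.so.$version"
    link="$vfs_dir/smb_spider.so"
    if [ ! -f "$lib" ]; then
        echo "no libsmb_spider.so built for Samba $version in $lib_dir" >&2
        echo "available builds:" "$lib_dir"/libsmb_spider.so.* >&2
        return 1
    fi
    if [ ! -d "$vfs_dir" ]; then
        echo "Samba VFS directory $vfs_dir does not exist" >&2
        return 1
    fi
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        # a regular file here was not created by the installer; leave it alone
        echo "$link exists and is not a symbolic link; not replacing it" >&2
        return 1
    fi
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$lib" ]; then
        echo "link $link already points to $lib"
        return 0
    fi
    # replace a stale link (e.g. left by a previous Samba version)
    rm -f "$link" && ln -s "$lib" "$link" || return 1
    echo "create symlink $lib --> $link"
    echo "Please, update your config /etc/samba/smb.conf"
}

# Typical use on a Linux host, with the paths from the manual's Linux example:
#   link_smb_spider "$(smbd_version /usr/sbin/smbd)" /opt/drweb/lib /usr/lib/samba/vfs
```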
2.2. Installation of Dr.Web Samba SpIDer from source codes
If you use some other version of Samba, or Samba for a 64-bit operating system, you can compile Dr.Web Samba SpIDer from the source codes included in the drweb-smbspider-src distribution package. To perform this operation you will also need the source codes of your Samba (the corresponding packages can be downloaded from the Samba.org web site at http://us1.samba.org/samba/ftp/old-versions/).
To compile Dr.Web Samba SpIDer from source codes, perform the following actions:
●Install the drweb-smbspider-src package:
# drweb-file-servers_5.0.X_[OS name]/drweb-smbspider-src.install
If you want to perform the installation without any additional interaction (e.g. confirmations at various setup stages), you may use the now command line parameter. Please note that if you choose to use this parameter, you automatically confirm and accept the Software License Agreement. (Text files with the Software License Agreement in English and Russian, LICENSE and LICENSE.ru, are included in the distribution package.)
After the installation the drweb-smbspider-5.0.0.src.tar.gz tarball will appear in the /usr/src/ directory.
●Change your directory to /usr/src/ and extract the content of the archive:
# tar -xzvf drweb-smbspider-5.0.0.src.tar.gz
Please note that for Solaris OS a different set of commands is required to extract the content of the archive:
# gunzip drweb-smbspider-5.0.0.src.tar.gz
# tar -xvf drweb-smbspider-5.0.0.src.tar
●Change your directory to /usr/src/drweb-smbspider-5.0.0.src and execute the following command:
# ./configure --with-samba-source=/directory/with/source/codes/of/Samba
By default the Samba binary is taken from /usr/sbin/. But if several versions of Samba are installed on your computer, or an alternative location has been chosen for the installation of the sole Samba, then the path to the directory with the Samba binary must be specified manually with the --with-smbd command line parameter.
Example:
# ./configure --with-smbd=/directory/with/Samba/binary --with-samba-source=/directory/with/source/codes/of/Samba
Please note that for the successful execution of this command the m4 macro processor, the GCC compiler system and the make utility must be installed on your system.
●Complete the compilation of Dr.Web Samba SpIDer and install it with the following commands:
# make
# make install
After the make command is executed, a libsmb_spider.so library is created and placed in a hidden folder in the directory with the Dr.Web Samba SpIDer source codes.
During the execution of the make install command the following actions are performed:
• the libsmb_spider.so library is copied to the /opt/drweb/lib/ directory;
• libsmb_spider.so is renamed to libsmb_spider.so.X.Y.Z (where X.Y.Z is the version number of the Samba whose path was specified for the configure command);
• a symbolic link /directory/with/Samba/libraries/vfs/smb_spider.so pointing to the renamed library is created (where the path to the directory with Samba libraries is taken from the Samba binary specified for the configure command).
2.3. Removal of distribution package for UNIX systems
To remove all the components of the «Dr.Web for UNIX file servers» solution via the uninstall GUI, initialize it with the following command:
# drweb-file-servers_5.0.X_[OS name]/remove.sh
For a detailed description of the graphical user interface refer to the subsequent chapters of this Manual.
If it is impossible or unacceptable to use the uninstall GUI, you may use the corresponding uninstall scripts. Run the executable *.remove files in the console with the following command:
# drweb-file-servers_5.0.X_[OS name]/[component_name].remove
If you want to perform the deinstallation without any additional interaction (e.g. confirmations at various uninstall stages), you may use the now command line parameter.
After deinstallation you can also remove the drweb user and drweb group from your system.
During the deinstallation the following processes take place:
●the original configuration files are removed from the %etc_dir/software/conf/ directory;
●if the operational copies of the configuration files were not modified by the user, they are also removed. If the user has made any changes to them, they are preserved;
●other Dr.Web files are removed. If during the installation a [file_name].O copy of some old file was created, this file is restored under the name it had before the installation;
●license key files and log files are preserved in their corresponding directories;
●the update-links.sh script is executed with the --remove parameter. It removes the symbolic link /usr/lib/samba/vfs/smb_spider.so. Please note that if there were several symbolic links for different versions of Samba, all of them are removed. The following lines are output to the log:
--- cut ---
Remove link /usr/lib/samba/vfs/smb_spider.so
Please, update your config /etc/samba/smb.conf
--- cut ---
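The following is an added example, not the product's own install or remove scripts: it reproduces the file handling described for installation (section 2.1.2) and for deinstallation (this section), so that an administrator can see exactly which files are kept and which are restored. Assumptions made here: the pristine copy of a configuration file is stored as <name>.N in a backup directory (the manual's %etc_dir/software/conf/), with ".N" used literally, and an operational copy that no longer matches its pristine copy counts as "modified by the user".

```shell
#!/bin/sh
# Added example, not the product's install/remove scripts. Mirrors the manual's
# description: overwritten files are kept as <name>.O and restored on removal;
# configuration files are removed only if still identical to the pristine copy.
# Assumption: the pristine copy lives in <backup dir>/<name>.N (".N" taken literally).

# install_file <new file> <target dir>: an existing file of the same name is
# kept as <name>.O (an older .O copy is replaced), then the new file is copied.
install_file() {
    src=$1; dir=$2; name=${src##*/}; dst="$dir/$name"
    if [ -e "$dst" ]; then
        mv -f "$dst" "$dst.O"
        echo "kept previous $name as $name.O"
    fi
    cp -p "$src" "$dst"
}

# remove_file <target dir> <name>: delete the installed file; if a .O copy was
# saved at install time, put it back under its original name.
remove_file() {
    dir=$1; name=$2; dst="$dir/$name"
    rm -f "$dst"
    if [ -e "$dst.O" ]; then
        mv -f "$dst.O" "$dst"
        echo "restored pre-installation $name"
    fi
}

# install_config <new config> <target dir> <backup dir>: store the pristine copy
# as <name>.N in the backup directory and place the operational copy.
install_config() {
    src=$1; dir=$2; bak=$3; name=${src##*/}
    mkdir -p "$bak" "$dir"
    cp -p "$src" "$bak/$name.N"
    cp -p "$src" "$dir/$name"
}

# remove_config <target dir> <name> <backup dir>: drop the pristine .N copy;
# remove the operational copy only if it is byte-identical to the pristine
# one, otherwise leave the administrator's edits in place.
remove_config() {
    dir=$1; name=$2; bak=$3
    if [ -e "$bak/$name.N" ]; then
        if cmp -s "$bak/$name.N" "$dir/$name"; then
            rm -f "$dir/$name"
            echo "removed unmodified $name"
        else
            echo "preserved modified $name"
        fi
        rm -f "$bak/$name.N"
    fi
}
```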
2.4. Upgrade of distribution package for UNIX systems
The upgrade process combines the install and uninstall procedures. If you want to upgrade the «Dr.Web for UNIX file servers» solution, you must download the latest version of the corresponding software, remove the previous version (refer to p. 2.3 of this Manual for a detailed description of deinstallation) and install the new one (refer to p. 2.1 of this Manual for a detailed description of setup).
When you upgrade the «Dr.Web for UNIX file servers» solution, its license key files, log files and configuration files that have been modified by the user are preserved in their corresponding directories.
2.5. User interface of graphical installer
When you run the install GUI with the following command:
# drweb-file-servers_5.0.X_[OS name]/install.sh
the setup program window appears.
Figure 1. «Welcome» screen
Navigation is performed with the «Back» and «Next» buttons. Setup can be aborted at any moment by clicking the «Cancel» button. On the «Install Type» screen you can choose the preferred installation type: the typical configuration of «DrWeb for file servers» with all the components selected by default, or a custom configuration.
Figure 2. «Install Type» screen
If you choose «Custom Configuration», you will be offered to select the necessary components for the subsequent installation from the list on the «Select Software» screen.
Figure 3. «Select Software» screen
Please note that if the installation of any component requires some other components to be installed first, all the corresponding dependencies are selected for installation automatically. For example, if you select the «DrWeb Antivirus Daemon» checkbox, the «DrWeb Bases» and «DrWeb Common Files» checkboxes are selected as well.
If you click the «Install All» button, all components are selected. If you click the «Install None» button, all selection marks are removed.
When you have selected everything you consider necessary (or if you selected the typical configuration at the previous stage), you will be offered to review and confirm all the choices made on the «Confirm» screen.
Figure 4. «Confirm» screen
On the next screen you will be offered to read the Software License Agreement and accept it to continue the installation. With the «Language» menu you may choose the preferred display language (English or Russian) for the Software License Agreement.
Figure 5. «License» screen
On the «Installing» screen the log of the installation process is output in real time.
Figure 6. «Installing» screen
At the same time the log of the installation process is written to the install.log file in the drweb-file-servers_5.0.X_[OS name] directory.
The last, «Finish», screen contains a notification about the necessity of further setup in order to provide proper operation of the «Dr.Web for UNIX file servers» solution.
Figure 7. «Finish» screen
Click the «Close» button to close the setup program window.
2.6. User interface of graphical uninstaller
When you run the uninstall GUI with the following command:
# drweb-file-servers_5.0.X_[OS name]/remove.sh
the deinstallation program window appears.
Figure 8. «Welcome» screen
Navigation is performed with the «Back» and «Next» buttons. You can quit the program at any moment by clicking the «Cancel» button. On the next, «Select Software», screen you will be offered to select the components for removal from the list. All corresponding dependencies are selected for deinstallation automatically.
Please note that if you installed the «Dr.Web for UNIX file servers» solution on a computer where some other Dr.Web products have been previously installed from EPM packages, then absolutely all Dr.Web modules will be included in the list of components available for removal, including those from other products. Please pay special attention to the actions you perform and the selections you make during deinstallation, to avoid accidental removal of components you still need.
Figure 9. «Select Software» screen
If you click the «Remove All» button, all components are selected. If you click the «Remove None» button, all selection marks are removed.
When you have selected everything you consider necessary, you will be offered to review and confirm all the choices made on the «Confirm» screen.
Figure 10. «Confirm» screen
On the last, «Removing», screen the log of the deinstallation process is output in real time.
Figure 11. «Removing» screen
Click the «Close» button to close the deinstallation program window.
3. «Dr.Web for UNIX file servers» solution startup
3.1. For Linux and Solaris
To run the «Dr.Web for UNIX file servers» solution you must do the following:
●register the software;
●place the key file drweb32.key in the directory for Dr.Web executable files (the default directory for UNIX systems is %bin_dir). Please note that if you want to use a key file from a different location, you must specify the full path to it as the value of the Key parameter in the main configuration file drweb32.ini;
●configure the software by making the necessary changes to the configuration files. Please refer to the corresponding chapters of this Manual for detailed information on configuration;
●in the drwebd.enable file in the %etc_dir directory set 1 as the value of the ENABLE variable to enable startup of Dr.Web Daemon. If it is not required to run Dr.Web Daemon (a properly configured and working Daemon on some other computer in the network is used), the ENABLE value must be set to 0 (which is also the default value);
●run Dr.Web Daemon with the following command:
$ %bin_dir/drwebd
3.2. For FreeBSD
To run the «Dr.Web for UNIX file servers» solution you must do the following:
●register the software;
●place the key file drweb32.key in the directory for Dr.Web executable files (the default directory for UNIX systems is %bin_dir). Please note that if you want to use a key file from a different location, you must specify the full path to it as the value of the Key parameter in the main configuration file drweb32.ini;
●configure the software by making the necessary changes to the configuration files. Please refer to the corresponding chapters of this Manual for detailed information on configuration;
●add the following line to the /etc/rc.conf file to enable startup of Dr.Web Daemon: drwebd_enable="YES". If it is not required to run Dr.Web Daemon (a properly configured and working Daemon on some other computer in the network is used), simply do not include this line in the rc.conf file;
●run Dr.Web Daemon with the following command:
$ %bin_dir/drwebd
3.3. Preparing an OS protected by SELinux for interaction with Scanner and Daemon
To set up successful operation of the Dr.Web Scanner and Dr.Web Daemon components in an OS protected by SELinux, you must compile policies for the corresponding modules, drweb-scanner and drweb-daemon.
Please note that the templates used in the compilation of policy modules may vary widely, depending on the type of Linux distribution, its version, the set of SELinux policies and user settings. For more detailed information on policy compilation refer to the documentation of your Linux distribution.
To create the necessary policies you may use the policygentool command, which takes two parameters: the name of the policy module (whose interaction has to be adjusted) and the full path to the corresponding executable.
Example:
# policygentool drweb-scanner %bin_dir/drweb.real - for Scanner.
# policygentool drweb-daemon %bin_dir/drwebd.real - for Daemon.
You will be prompted to enter a few common domain characteristics, and for each module three files will be created: [module_name].te, [module_name].fc and [module_name].if.
To compile the [module_name].te file into a binary module execute the following command:
# checkmodule -M -m -o [module_name].mod [module_name].te
Please note that for successful policy compilation the checkpolicy package must be installed on the system.
To build the required policy package from the compiled module execute the following command:
# semodule_package -o [module_name].pp -m [module_name].mod
To install the new policy module into the module store execute the following command:
# semodule -i [module_name].pp
4. Software registration. License key file
User privileges for using the «Dr.Web for UNIX file servers» solution are controlled by a special file called the license key file.
The license key file contains the following information:
●the list of Dr.Web components licensed to the user;
●the license expiration date;
●other restrictions (for example, the number of protected PCs).
The license key file has the *.key extension and by default must be placed in the directory for Dr.Web executable files. The license key file is digitally signed to prevent its editing. An edited license key file becomes invalid. It is not recommended to open your license key file in text editors, to avoid its accidental corruption.
Users who have purchased the «Dr.Web for UNIX file servers» solution from Dr.Web certified partners obtain the license key file. The parameters of the key file are specified according to the license the user has paid for. The license key file contains the name of the user (or a company name) and the name of the selling company. For evaluation purposes users may also obtain a demo key file. It allows the user to enjoy the full functionality of the «Dr.Web for UNIX file servers» solution, but has a limited term of use, and no technical support is provided.
The license key file may be supplied as a file with the *.key extension, or as a zip archive containing the license key file.
The license key file may be received in one of the following ways:
●sent by e-mail as a zip archive containing the license key file with the *.key extension (usually after registration on the web site). Extract the license key file using the appropriate archiving utility and copy/move it to the directory for Dr.Web executable files (the default directory for UNIX systems is %bin_dir);
●included in the distribution package;
●supplied on separate media as a file with the *.key extension. In this case the user must copy it manually to the %bin_dir directory.
The license key file is usually sent to the user via e-mail after registration on the web site (the web site location is specified in the registration card accompanying the product). Visit the site, fill in the web form with your customer data and submit your registration serial number (printed on the registration card). As a result of this procedure the license is activated and a license key file is created for the serial number provided. Then it is sent to the user at the e-mail address specified.
It is recommended to keep the license key file until it expires, and to use it when reinstalling or repairing the «Dr.Web for UNIX file servers» solution installation. If the license key file is damaged or lost, it can be recovered by the same procedure as during license activation. In this case you must use the same product serial number and customer data you entered during registration; only the e-mail address can be changed (in which case the license key file is sent to the new e-mail address). If the serial number matches an entry in the Dr.Web database, the corresponding key file is dispatched to the user by an automatic system using the e-mail address provided.
Registration with the same product serial number can be performed up to 25 times. If you need to recover a lost license key file after the 25th registration, you must make a request for license key file recovery at http://support.drweb.com/request/, and also specify all the data used during registration, a valid e-mail address and a detailed description of the situation. The request will be considered by Dr.Web technical support engineers, and after approval the license key file will be provided to the user via the automatic support system or dispatched via e-mail.
The path to the license key file of a certain component must be specified as the Key parameter value in the corresponding configuration file (drweb32.ini).
Example:
Key = %bin_dir/drweb32.key
If the license key file specified as the Key parameter value cannot be read (wrong path, permission denied), or is expired, blocked or invalid, the corresponding component terminates. When less than two weeks are left until the license expiration, Dr.Web Scanner outputs a warning message at start and Dr.Web Daemon notifies the user via e-mail. Messages are sent at every startup, restart or reload of the Daemon for every license key file installed. To enable this option you must set up the MailCommand parameter in the [Daemon] section of the drweb32.ini configuration file.
Updating components and virus databases<br />
5. Updating components and virus databases<br />
Components of the «Dr.Web for UNIX file servers» solution require regular updating. For successful operation of the antivirus and<br />
traffic filtering modules, the databases of known viruses and the content-specific black and white lists must be updated<br />
regularly.<br />
Dr.Web virus databases consist of several *.vdb files, each representing a separate part of the database. On the update servers these files are<br />
also stored as lzma-archives. When new viruses appear, small files (only several Kbytes in size) with database segments<br />
describing these viruses are released as add-ons.<br />
Add-ons are the same for all supported platforms. There are two types of them: daily «hot» add-ons (drwtoday.vdb)<br />
and regular weekly updates (drwXXXYY.vdb), where XXX is the antivirus engine version number and YY is a<br />
sequential number starting from 00 (for example, the first regular update for version 5.0 is named<br />
drw50000.vdb).<br />
«Hot» add-ons may be issued daily or even several times a day to provide effective protection against new viruses. This<br />
type of add-on must be installed over the old one, i.e. the previous drwtoday.vdb file is overwritten. When a new<br />
regular add-on is released, all records from drwtoday.vdb are copied to drwXXXYY.vdb, and a new empty<br />
drwtoday.vdb file is issued.<br />
If you want to update the virus databases manually, you must install all missing regular add-ons first, and only then overwrite<br />
the drwtoday.vdb file.<br />
To add an add-on to the main virus databases, place the corresponding file in the directory for the «Dr.Web for UNIX file<br />
servers» solution executable files (%var_dir/bases/ by default) or in any other directory specified in the<br />
configuration file.<br />
Signatures for virus-like malicious programs (adware, dialers, hacktools, etc.) are supplied in two additional files,<br />
drwrisky.vdb and drwnasty.vdb, with a structure similar to the virus databases. These files are also updated<br />
regularly: dwrXXXYY.vdb and dwnXXXYY.vdb are regular updates, and dwrtoday.vdb and<br />
dwntoday.vdb are «hot» updates.<br />
From time to time (as brand new viruses and antivirus techniques appear), new versions of the antivirus package are<br />
released, containing the updated algorithms implemented in the antivirus Engine. At the same time, all released add-ons<br />
are brought together, and the new package version is completed with updated main virus databases containing descriptions<br />
of all known viruses. Usually, when upgrading the package to a new version, portability of the databases is assured, i.e. new<br />
databases can be linked to the old Engine. Please note that this does not guarantee detection or curing of new viruses, as<br />
that requires upgrading the algorithms in the antivirus engine.<br />
After regular updating, the virus databases have the following structure:<br />
● drwebase.vdb ― general virus database, received with the new version of the package;<br />
● drwXXXYY.vdb ― regular weekly add-ons;<br />
● drwtoday.vdb ― «hot» add-ons issued daily or several times a day;<br />
● drwnasty.vdb ― general database of malware, received with the new version of the package;<br />
● dwnXXXYY.vdb ― regular weekly add-ons;<br />
● dwntoday.vdb ― «hot» add-ons issued daily or several times a day;<br />
● drwrisky.vdb ― general database of riskware, received with the new version of the package;<br />
● dwrXXXYY.vdb ― regular weekly add-ons;<br />
● dwrtoday.vdb ― «hot» add-ons issued daily or several times a day.<br />
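The naming scheme above lends itself to a consistency check before a manual update. The following Python script is an added example, not part of the Dr.Web product or this manual: it classifies *.vdb file names according to the scheme and reports regular add-ons missing from the sequence, using a constructed directory listing as input.<br />

```python
"""Classify Dr.Web *.vdb database file names and find gaps in regular add-ons.

Added example, not part of the Dr.Web manual or product. It models the naming
scheme the manual describes: a base file (drwebase.vdb, drwnasty.vdb,
drwrisky.vdb), weekly add-ons (drwXXXYY.vdb, dwnXXXYY.vdb, dwrXXXYY.vdb) where
XXX is the engine version and YY a sequence number starting at 00, and «hot»
add-ons (drwtoday.vdb, dwntoday.vdb, dwrtoday.vdb).
"""
import re
from typing import Dict, List, Optional, Tuple

# Prefix of each database family -> (base file name, hot add-on file name)
FAMILIES = {
    "drw": ("drwebase.vdb", "drwtoday.vdb"),   # viruses
    "dwn": ("drwnasty.vdb", "dwntoday.vdb"),   # malware
    "dwr": ("drwrisky.vdb", "dwrtoday.vdb"),   # riskware
}
_REGULAR = re.compile(r"^(drw|dwn|dwr)(\d{3})(\d{2})\.vdb$", re.IGNORECASE)


def classify(name: str) -> Optional[Tuple[str, str, Optional[int], Optional[int]]]:
    """Return (family, kind, engine_version, seq) for a .vdb name, or None
    for a name outside the scheme. kind is 'base', 'hot' or 'regular'."""
    lower = name.lower()
    for family, (base, hot) in FAMILIES.items():
        if lower == base:
            return (family, "base", None, None)
        if lower == hot:
            return (family, "hot", None, None)
    m = _REGULAR.match(name)
    if m:
        return (m.group(1).lower(), "regular", int(m.group(2)), int(m.group(3)))
    return None


def missing_regular_addons(installed: List[str], engine_version: int) -> Dict[str, List[str]]:
    """For each family, list regular add-on file names missing from the
    contiguous sequence 00..max for the given engine version. The manual
    requires all missing regular add-ons to be installed before drwtoday.vdb
    is overwritten, so a non-empty result means a manual update is incomplete."""
    seen: Dict[str, set] = {f: set() for f in FAMILIES}
    for name in installed:
        info = classify(name)
        if info and info[1] == "regular" and info[2] == engine_version:
            seen[info[0]].add(info[3])
    gaps: Dict[str, List[str]] = {}
    for family, seqs in seen.items():
        if not seqs:
            continue
        missing = sorted(set(range(0, max(seqs) + 1)) - seqs)
        if missing:
            gaps[family] = ["%s%03d%02d.vdb" % (family, engine_version, s) for s in missing]
    return gaps


if __name__ == "__main__":
    # Constructed directory listing (not real data): drw50001.vdb is absent
    sample = ["drwebase.vdb", "drw50000.vdb", "drw50002.vdb", "drwtoday.vdb",
              "drwnasty.vdb", "dwn50000.vdb", "dwntoday.vdb", "notes.txt"]
    print(missing_regular_addons(sample, 500))   # {'drw': ['drw50001.vdb']}
```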
6. Updating module Dr.Web Updater<br />
For automatic receipt and installation of the antivirus add-ons and the content-specific black and white lists, use the<br />
special updating module Dr.Web Updater.<br />
The updating module is the update.pl script written in Perl. It can be found in the directory containing the executable files of<br />
the «Dr.Web for UNIX file servers» solution.<br />
Dr.Web Updater settings are stored in the [Updater] section of the main configuration file (drweb32.ini by default)<br />
in the %etc_dir directory. If you want to use an alternative configuration file, specify the full path to it as a command line<br />
parameter at start.<br />
To run the script, use the following command:<br />
$ %bin_dir/update.pl [parameters]<br />
6.1. Cron configuration<br />
For Linux: a special file with user settings is created in /etc/cron.d/ during installation of the software complex.<br />
It enables interaction between cron and Dr.Web Updater.<br />
For FreeBSD and Solaris: manual configuration of cron is required to enable its interaction with Dr.Web Updater. For<br />
example, on FreeBSD you may add the following line to the crontab of the drweb user:<br />
*/30 * * * * /usr/local/drweb/update.pl<br />
On Solaris, open the crontab of the drweb user for editing:<br />
# crontab -e drweb<br />
and add the following line to it (a line starting with «#» would be treated as a comment by cron):<br />
0,30 * * * * /opt/drweb/update.pl<br />
6.2. Command line parameters<br />
At this stage, two formats of command line parameters for Dr.Web Updater are supported. With the first format<br />
you can specify only one parameter: the full name of the configuration file to use. With the second format the<br />
following parameters can be specified in any order:<br />
● --ini=path_to_configuration_file<br />
● --what=component_to_be_updated<br />
Instead of the component_to_be_updated value, either scanner or daemon must be used. If this<br />
command line parameter is not specified, information from the configuration file is used.<br />
The --not-need-restart parameter can also be specified on the command line. It can be used in several ways:<br />
● If this parameter is not specified, all daemons (Dr.Web Daemon in the «Dr.Web for UNIX file servers» solution) are<br />
restarted after the update.pl script finishes its work. (Note: daemons are restarted only if any of their<br />
components has been updated, removed or added during script operation.)<br />
● If the --not-need-restart parameter is specified but no value is set for it, none of the daemons is<br />
restarted after the update.pl script finishes its work, even if any of their components has been updated, removed or<br />
added during script operation.<br />
● Daemon names can be used as values for the --not-need-restart parameter. Several names can be specified in<br />
one string, without white space and with a comma as delimiter. Values are case insensitive. Daemons whose<br />
names are specified as parameter values are not restarted.<br />
Example:<br />
$ %bin_dir/update.pl --not-need-restart=drwebd<br />
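The three forms of --not-need-restart described above, modelled in Python as an added example (this is not code from update.pl or from the manual); the daemon names other than drwebd are constructed for illustration.<br />

```python
"""Model of how Dr.Web Updater's --not-need-restart parameter selects daemons
to restart. Added example, not code from update.pl or the manual; the daemon
names other than drwebd are constructed for illustration."""
from typing import Dict, FrozenSet, List, Sequence, Tuple


def parse_not_need_restart(argv: Sequence[str]) -> Tuple[bool, FrozenSet[str]]:
    """Return (present, names). names holds the comma-separated daemon names,
    lower-cased because the manual says values are case insensitive; an empty
    set together with present=True is the bare form of the parameter."""
    for arg in argv:
        if arg == "--not-need-restart":
            return True, frozenset()
        if arg.startswith("--not-need-restart="):
            value = arg.split("=", 1)[1]
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
            return True, frozenset(names)
    return False, frozenset()


def daemons_to_restart(argv: Sequence[str], changed: Dict[str, bool]) -> List[str]:
    """changed maps a daemon name to whether any of its components was
    updated, removed or added during the run: unchanged daemons are never
    restarted, whatever the command line says."""
    present, names = parse_not_need_restart(argv)
    if present and not names:
        return []                      # bare parameter: restart nothing
    return sorted(name for name, was_changed in changed.items()
                  if was_changed and name.lower() not in names)


if __name__ == "__main__":
    changed = {"drwebd": True, "otherd": True, "idled": False}   # constructed
    print(daemons_to_restart([], changed))                            # ['drwebd', 'otherd']
    print(daemons_to_restart(["--not-need-restart"], changed))        # []
    print(daemons_to_restart(["--not-need-restart=DRWEBD"], changed)) # ['otherd']
```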
6.3. Configuration<br />
Description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are<br />
described in the order they are presented in the main configuration file.<br />
[Updater] section.<br />
UpdatePluginsOnly = {Yes | No}<br />
With the Yes value specified, Dr.Web Updater does not update the Daemon and Scanner; it updates only plug-ins.<br />
Default value:<br />
UpdatePluginsOnly = No<br />
Section = {Daemon | Scanner}<br />
Specifies the section from which Updater takes settings to determine the program version, paths to virus databases, etc. The value<br />
of this parameter can be overridden by the --what= command line parameter at start.<br />
Default value:<br />
Section = Daemon<br />
ProgramPath = {path to file}<br />
Path to the Daemon/Scanner. It is used by Dr.Web Updater to obtain the product version and API information of the<br />
installed executable file.<br />
Default value:<br />
ProgramPath = %bin_dir/drwebd<br />
SignedReader = {path to file}<br />
This program is used by Dr.Web Updater to read signed files.<br />
Default value:<br />
SignedReader = %bin_dir/read_signed<br />
LzmaDecoderPath = {path to file}<br />
Path to the program used for unpacking lzma-archives.<br />
Default value:<br />
LzmaDecoderPath =<br />
LockFile = {path to file}<br />
Path to the lock file used to prevent concurrent use of certain files while Dr.Web Updater is processing them.<br />
Default value:<br />
LockFile = %var_dir/run/update.lock<br />
CronSummary = {Yes | No}<br />
If the Yes value is specified, Dr.Web Updater outputs statistics on each session to stdout. This mode can be used to<br />
send notifications to the administrator by e-mail if Updater is run by the cron daemon.<br />
Default value:<br />
CronSummary = Yes<br />
DrlFile = {path to file}<br />
Path to the file containing the list of accessible Dr.Web update servers. Dr.Web Updater selects a server from this list at<br />
random. This file is signed by Doctor Web and must not be modified by the user. It is updated automatically.<br />
Default value:<br />
DrlFile = %var_dir/bases/update.drl<br />
DrlDir = {path to directory}<br />
Path to the directory where signed *.drl files with lists of update servers for every plug-in are stored.<br />
Default value:<br />
DrlDir = %var_dir/drl/<br />
Timeout = {numerical value in seconds}<br />
Maximum time for downloading updates.<br />
Default value:<br />
Timeout = 90<br />
Tries = {numerical value}<br />
Number of attempts Dr.Web Updater makes to establish a connection with the update server.<br />
Default value:<br />
Tries = 3<br />
ProxyServer = {proxy server name or IP}<br />
Name or IP address of the proxy server used.<br />
Default value:<br />
ProxyServer =<br />
ProxyLogin = {proxy server user login}<br />
User login for the proxy server.<br />
Default value:<br />
ProxyLogin =<br />
ProxyPassword = {proxy server user password}<br />
User password for the proxy server.<br />
Default value:<br />
ProxyPassword =<br />
Log settings for Dr.Web Updater are specified below:<br />
LogFileName = {path to file}<br />
Log file name. You can specify syslog as the log file name, and logging is then carried out by the syslogd system service. In<br />
this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several<br />
files for logging events of different importance, these two parameters and the syslogd configuration file (usually<br />
/etc/syslogd.conf) determine where the information is logged to.<br />
Default value:<br />
LogFileName = syslog<br />
SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}<br />
Log type when the syslogd system service is used for activity logging (please refer to the syslog documentation for further<br />
details).<br />
Default value:<br />
SyslogFacility = Daemon<br />
LogLevel = {Debug | Verbose | Info | Warning | Error | Quiet}<br />
Log verbosity level.<br />
Default value:<br />
LogLevel = Verbose<br />
6.4. Updating process<br />
The updating process includes the following stages:<br />
● Dr.Web Updater reads the configuration file.<br />
● The parameters to be used are located in the [Updater] section of the main configuration file, except for the following:<br />
EnginePath (serves both to determine the Daemon version and to specify the directory where the updated<br />
drweb32.dll file is downloaded), VirusBase (specifies the directory where the updated virus<br />
databases are downloaded), UpdatePath (specifies the directory where all other updated files are<br />
downloaded) and PidFile (specifies the path to the file from which the drwebd process identifier used for<br />
restarting the Daemon is read).<br />
● Dr.Web Updater requests the list of updates from the server, then tries to download lzma-archives of the<br />
corresponding databases. If no lzma-archives are found, it downloads the necessary databases in *.vdb and *.dws formats.<br />
To extract files from lzma-archives a special lzma utility is used; the path to it is specified by the LzmaDecoderPath<br />
parameter value in the [Updater] section of the main configuration file.<br />
● Downloaded updates are placed in the corresponding directories as described above.<br />
7. Console Scanner Dr.Web Scanner<br />
7.1. Command Line Parameters<br />
Dr.Web Scanner is a command line interface (CLI) program operating in command line mode (or in an X Window terminal<br />
emulator). To run Dr.Web Scanner you can use the following command:<br />
$ ./drweb -path &lt;path&gt; [command line parameters]<br />
where &lt;path&gt; is the path to the scanned directory or the mask for checked files.<br />
When Scanner is started only with the &lt;path&gt; argument and no other parameters, it scans the specified directory<br />
using the default set of parameters. In the following example the user home directory is checked:<br />
$ ./drweb -path ~<br />
When the scan is finished, Scanner outputs information about all detected infected and suspicious files in the following<br />
manner:<br />
/path/file infected [virus] VIRUS_NAME<br />
After presenting information about infected or suspicious files, Scanner outputs a summary report in the following manner:<br />
Report for "/opt/drweb/tmp":<br />
Scanned : 34/32 Cured : 0<br />
Infected : 5/5 Removed : 0<br />
Modifications : 0/0 Renamed : 0<br />
Suspicious : 0/0 Moved : 0<br />
Scanning time : 00:00:02 Speed : 5233 KB/s<br />
Numbers divided by the slash «/» mean: the first one is the total number of files, the second one is the number of files in archives.<br />
Please note that the Dr.Web distribution package contains a special text file readme.eicar.rus. With a text editor you<br />
can easily create the eicar.com program (refer to the instructions inside the readme.eicar.rus file for more details),<br />
which is used to test antiviruses and is therefore included in all virus databases.<br />
The following report will be output:<br />
%bin_dir/doc/eicar.com infected by Eicar Test File (Not a Virus!)<br />
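When Scanner runs from cron, its output is usually mailed to the administrator, so it is useful to turn the report above into structured data. The following Python parser is an added example, not Dr.Web code; it handles both result-line forms shown above and the summary block, and the sample output it carries is constructed from the manual's examples.<br />

```python
"""Parse Dr.Web Scanner console output into structured results.

Added example, not Dr.Web code. It understands the two result-line forms the
manual shows, `<path> infected [virus] NAME` and `<path> infected by NAME`,
and the summary block, whose «N/M» counters are total files / files in
archives. The sample output below is constructed from the manual's examples.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
/opt/drweb/tmp/a.exe infected [virus] Example.Virus.Name
/opt/drweb/doc/eicar.com infected by Eicar Test File (Not a Virus!)
Report for "/opt/drweb/tmp":
Scanned : 34/32 Cured : 0
Infected : 5/5 Removed : 0
Modifications : 0/0 Renamed : 0
Suspicious : 0/0 Moved : 0
Scanning time : 00:00:02 Speed : 5233 KB/s
"""

_RESULT = re.compile(r"^(?P<path>\S+) infected (?:\[(?P<kind>[^\]]+)\] |by )(?P<name>.+)$")
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+(?:\s+KB/s)?)")
_COUNTER = re.compile(r"(\d+)/(\d+)")


def parse_results(output: str) -> List[Dict[str, Optional[str]]]:
    """One dict per detected object: path, kind ('virus' in the bracketed
    form, None in the 'infected by' form) and the threat name."""
    found = []
    for line in output.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            found.append({"path": m.group("path"), "kind": m.group("kind"),
                          "name": m.group("name").strip()})
    return found


def parse_summary(output: str) -> Dict[str, object]:
    """Counters from the report block. 'N/M' values become
    {'total': N, 'in_archives': M}; plain numbers become int; the rest
    (scanning time, speed) stay strings."""
    summary: Dict[str, object] = {}
    in_report = False
    for line in output.splitlines():
        if line.startswith("Report for "):
            summary["target"] = line[len("Report for "):].rstrip(":").strip().strip('"')
            in_report = True
            continue
        if not in_report:
            continue                   # result lines may contain ':' in names
        for key, value in _PAIR.findall(line):
            key = key.strip().lower().replace(" ", "_")
            m = _COUNTER.fullmatch(value)
            if m:
                summary[key] = {"total": int(m.group(1)), "in_archives": int(m.group(2))}
            elif value.isdigit():
                summary[key] = int(value)
            else:
                summary[key] = value
    return summary


def needs_attention(output: str) -> bool:
    """True when the run reported infected or suspicious objects."""
    summary = parse_summary(output)
    for key in ("infected", "suspicious"):
        counter = summary.get(key)
        if isinstance(counter, dict) and counter["total"] > 0:
            return True
    return False


if __name__ == "__main__":
    for hit in parse_results(SAMPLE_OUTPUT):
        print(hit)
    print(parse_summary(SAMPLE_OUTPUT))
    print("attention needed:", needs_attention(SAMPLE_OUTPUT))   # True
```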
Like any other UNIX program, Dr.Web Scanner supports numerous command line parameters. They are separated from<br />
the specified path by white space and are prefixed by a hyphen «-». To get the complete list of parameters, start Scanner with the<br />
-?, -h or -help parameter.<br />
Main program parameters can be classified in the following way:<br />
● scan area parameters;<br />
● diagnostics parameters;<br />
● actions parameters;<br />
● interface parameters.<br />
Scan area parameters determine where the virus check must be performed. They include:<br />
● -path &lt;path&gt; — specify the path for scan. Several paths can be specified in one parameter;<br />
● -@[+]&lt;file&gt; ― check objects listed in &lt;file&gt;. Plus «+» instructs Scanner not to delete files from the list of<br />
objects after the scan is completed. The list file may contain paths to directories that must be scanned regularly, or a list of<br />
files to be checked only once;<br />
● -sd ― recursive search and scan of files in subdirectories starting from the current directory;<br />
● -fl ― follow links, both to files and directories; links causing loops are ignored;<br />
● -mask ― ignore masks for file names.<br />
Diagnostics parameters determine what types of objects must be scanned for viruses:<br />
● -al ― scan all files on the specified drive or in the specified directory;<br />
● -ar[d|m|r][n] ― scan files in archives (ARJ, CAB, GZIP, RAR, TAR, ZIP, etc.): d - delete, m - move, r - rename<br />
archives containing infected objects; n - archiver name output disabled. Archives can be in simple (*.tar) or<br />
compressed forms (*.tar.bz2, *.tbz);<br />
● -cn[d|m|r][n] ― scan files in containers (HTML, RTF, PowerPoint, ...): d - delete, m - move, r - rename<br />
containers containing infected objects; n - container type output disabled;<br />
● -ml[d|m|r][n] ― scan files in mailboxes: d - delete, m - move, r - rename mailboxes containing infected<br />
objects; n - mailbox type output disabled;<br />
● -upn ― scan executable files packed with LZEXE, DIET, PKLITE, EXEPACK, with compression type output disabled;<br />
● -ex ― diagnostics using file masks (see the FilesTypes parameter in the configuration file);<br />
● -ha ― heuristic analysis (search for unknown viruses).<br />
Actions parameters determine what actions must be performed if infected or suspicious files are detected. They include:<br />
● -cu[d|m|r] ― cure infected files: d - delete, m - move, r - rename infected files;<br />
● -ic[d|m|r] ― actions for incurable files: d - delete, m - move, r - rename incurable files;<br />
● -sp[d|m|r] ― actions for suspicious files: d - delete, m - move, r - rename suspicious files;<br />
● -adw[d|m|r|i] ― actions for files containing adware: d - delete, m - move, r - rename, i - ignore;<br />
● -dls[d|m|r|i] ― actions for dialers: d - delete, m - move, r - rename, i - ignore;<br />
● -jok[d|m|r|i] ― actions for joke programs: d - delete, m - move, r - rename, i - ignore;<br />
● -rsk[d|m|r|i] ― actions for potentially dangerous programs: d - delete, m - move, r - rename, i - ignore;<br />
● -hck[d|m|r|i] ― actions for hacktools: d - delete, m - move, r - rename, i - ignore.<br />
Interface parameters configure Scanner report output and include:<br />
● -v, -version – output information about the product and Engine versions;<br />
● -ki – output information about the key file and its owner (in UTF8 encoding only);<br />
● -foreground[yes|no] – run Scanner in the foreground or in the background;<br />
● -ot ― output information to standard output (stdout);<br />
● -oq ― disable information output;<br />
● -ok ― display «Ok» for non-infected files;<br />
● -log=&lt;file&gt; ― log to the specified file;<br />
● -ini=&lt;file&gt; ― use an alternative configuration file;<br />
● -lng=&lt;file&gt; ― use an alternative language file. If the English interface was chosen during installation,<br />
you may specify the ru_scanner.dwl file to display reports in Russian.<br />
You can use the hyphen «-» postfix to disable the following parameters:<br />
-ar -cu -ha -ic -fl -ml -ok -sd -sp<br />
For example, if you start Scanner with the following command:<br />
$ drweb -path &lt;path&gt; -ha-<br />
heuristic analysis (enabled by default) will be disabled.<br />
By default (if the Scanner configuration was not customized and no parameters were specified) Scanner starts with the<br />
following parameters:<br />
-ar -ha -fl- -ml -sd<br />
The default Scanner parameters (including scanning of archives, packed files and mailboxes, recursive search, heuristic analysis,<br />
etc.) are sufficient for everyday diagnostics and can be used in typical cases. You can also use the hyphen «-» postfix to<br />
disable some parameters, as explained above.<br />
Disabling the scanning of archives and packed files significantly decreases the level of antivirus protection, because viruses are<br />
distributed in archives (especially self-extracting ones) enclosed in e-mail attachments. Office documents potentially<br />
susceptible to infection with macro viruses (Word, Excel) are also dispatched via e-mail in archives and containers.<br />
When you run Scanner with default parameters, no cure actions and no actions for incurable and suspicious files are<br />
taken. For these actions to be performed, you must specify the corresponding command line parameters explicitly.<br />
The set of actions parameters may vary in particular cases. We recommend the following:<br />
● -cu ― cure infected files and system areas without deleting, moving or renaming infected files;<br />
● -icd ― delete incurable files;<br />
● -spm ― move suspicious files;<br />
● -spr ― rename suspicious files.<br />
When Scanner is started with the Cure action specified, it tries to restore the previous state of the infected object. This is<br />
possible only if the detected virus is a known virus and cure instructions for it are available in the virus database; even in<br />
this case the cure attempt may fail if the infected file is seriously damaged by the virus.<br />
If infected files are found inside archives, they are not cured, deleted, moved or renamed. To cure such files you must<br />
manually unpack the archives into a separate directory and instruct Scanner to check it.<br />
When Scanner is started with the Delete action specified, it deletes all infected files from disk. This option is suitable for<br />
incurable (irreversibly damaged by the virus) files.<br />
The Rename action makes Scanner replace the file extension with a specified extension (*.#?? by default, i.e. the first<br />
extension symbol is replaced with the «#» symbol). Enable this parameter for files of other OS (e.g. DOS/Windows)<br />
detected heuristically as suspicious. Renaming helps to avoid accidental startup of executable files in those OS and<br />
therefore prevents infection by a possible virus and its further spread.<br />
With the Move action enabled, Scanner moves infected or suspicious files to the quarantine directory<br />
(%var_dir/infected/ by default). This parameter is actually of little value, because infected and suspicious files<br />
for other OS cannot do any damage to a UNIX system, while moving suspicious files belonging to the UNIX system itself can cause<br />
system malfunction and failure.<br />
The recommended Scanner command line for everyday use looks as follows:<br />
$ drweb -path &lt;path&gt; -cu -icd -spm -ar -ha -fl- -ml -sd<br />
Such a command line can be saved as a text file and converted into a simple shell script by the following command:<br />
# chmod a+x [file name]<br />
However, the default parameters can be changed in the Scanner configuration file, which is described in the next section.<br />
7.2. Configuration<br />
Scanner can be used with the default settings, but it is much more convenient to set it up according to your specific<br />
requirements and situation. Scanner settings are stored in the configuration file (drweb32.ini by default) which is<br />
located in the %etc_dir directory. To use another configuration file, specify the full path to it with a command line parameter,<br />
e.g.:<br />
$ %bin_dir/drweb -ini=%bin_dir/etc/drweb.ini<br />
Description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are<br />
described in the order they are presented in the main configuration file.<br />
[Scanner] section.<br />
EnginePath = {path to file, usual extension is *.dll}<br />
Location of the drweb32.dll module (Engine). This parameter is also used by the update utility.<br />
Default value:<br />
EnginePath = %bin_dir/lib/drweb32.dll<br />
VirusBase = {list of paths (masks) to files, usual extension is *.vdb}<br />
Masks for loading virus databases. This parameter is also used by the update utility. Multiple values are allowed.<br />
Default value:<br />
VirusBase = %var_dir/bases/*.vdb,%var_dir/bases/*.VDB<br />
UpdatePath = {path to directory}<br />
This parameter is used by the update utility (update.pl) and is mandatory.<br />
Default value:<br />
UpdatePath = %var_dir/updates/<br />
TempPath = {path to directory}<br />
Directory where the Engine creates temporary files. Usually it is not used, but sometimes it is necessary for<br />
unpacking archives or when the system is short of memory.<br />
Default value:<br />
TempPath = /tmp/<br />
LngFileName = {path to the language file, usual extension is *.dwl}<br />
Language file location.<br />
Default value:<br />
LngFileName = %bin_dir/lib/ru_scanner.dwl<br />
Key = {path to license key file, usual extension is *.key}<br />
Key file location (license or demo).<br />
Default value:<br />
Key = %bin_dir/drweb32.key<br />
OutputMode = {Terminal | Quiet}<br />
Information output mode at start: Terminal outputs to the console, Quiet disables output.<br />
Default value:<br />
OutputMode = Terminal<br />
HeuristicAnalysis = {Yes | No}<br />
Enable/disable heuristic detection of unknown viruses. Enabling heuristic analysis allows detection of unknown viruses<br />
using knowledge about the typical structure of viral code. Because of the approximate nature of this type of detection, such<br />
objects are reported as «suspicious», not «infected». With this option disabled, only known viruses are detected by Dr.Web.<br />
Some programs may cause the heuristic analyzer to name files «suspicious» by mistake, because their code resembles a virus structure.<br />
Besides, this mode may slightly increase the scan time. These considerations may lead you to disable heuristic<br />
analysis. At the same time, heuristic analysis improves the reliability of antivirus protection. We recommend that you send all<br />
files detected by the heuristic analyzer to the developers using http://vms.drweb.com/sendvirus/ (preferably) or via e-mail to<br />
newvirus@drweb.com. Follow this procedure to upload files: make a password-protected archive, include the password in the<br />
message body and attach the Scanner report.<br />
Default value:<br />
HeuristicAnalysis = Yes<br />
ScanPriority = {value}<br />
Scanner process priority. The value must be within the range from –20 (highest priority) to 20 (lowest priority).<br />
Default value:<br />
ScanPriority = 0<br />
FilesTypes = {list of extensions}<br />
File types to be checked «by type», i.e. when the ScanFiles parameter (explained below) has the ByType value. The «*» and<br />
«?» symbols are allowed. This parameter can be multi-string (the specified lists are summed up).<br />
Default value:<br />
FilesTypes = EXE, COM, SYS, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD,<br />
VXD, 386, DLL, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, AR?, ZIP, R??,<br />
PP?, OBJ, LIB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SHS, SHB, PIF, SO, CHM,<br />
REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, BMP, MPP, OCX, DVB, CPY, MSG,<br />
EML<br />
FilesTypesWarnings = {Yes | No}<br />
Notify about files of unknown types.<br />
Default value:<br />
FilesTypesWarnings = Yes<br />
ScanFiles = {All | ByType}<br />
Additional restriction on the files to be checked. With the ByType value set, only the file extensions specified either by default or in the<br />
FilesTypes parameter (or parameters) are considered. Mode All is always enabled for files in mailboxes. The ByType<br />
value can be used only in local scan mode.<br />
Default value:<br />
ScanFiles = All<br />
ScanSubDirectories = {Yes | No}<br />
Enable/disable scanning of subdirectory contents.<br />
Default value:<br />
ScanSubDirectories = Yes<br />
CheckArchives = {Yes | No}<br />
Enable/disable extracting files archived with ZIP (WinZip, InfoZIP, etc.), RAR, ARJ, TAR, GZIP, CAB and other archivers.<br />
Default value:<br />
CheckArchives = Yes<br />
CheckEMailFiles = {Yes | No}<br />
Enable/disable checking files in mailboxes.<br />
Default value:<br />
CheckEMailFiles = Yes<br />
ExcludePaths = {list of paths (masks) to be excluded from scan}<br />
Masks for files which should not be checked.<br />
Default value:<br />
ExcludePaths = /proc,/sys,/dev<br />
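How ScanFiles, the multi-string FilesTypes lists, ExcludePaths and CheckEMailFiles combine to decide whether a file is checked, modelled in Python as an added example (not Dr.Web code; the constructed [Scanner] fragment is not a real drweb32.ini). Case-insensitive shell-style matching of FilesTypes masks and treating an ExcludePaths entry as the path itself or a parent directory are assumptions.<br />

```python
"""Decide whether Dr.Web Scanner, configured by a [Scanner] section, would
check a given file.

Added example, not Dr.Web code. It models the documented semantics of
ScanFiles (All | ByType), FilesTypes (may appear several times, lists are
summed, «*» and «?» allowed), ExcludePaths and CheckEMailFiles. Matching
FilesTypes masks case-insensitively against the extension and treating an
ExcludePaths entry as the path itself or a parent directory are assumptions.
"""
import fnmatch
import posixpath
from typing import Dict, List

# Constructed [Scanner] fragment, not a real drweb32.ini
SAMPLE_INI = """\
[Scanner]
ScanFiles = ByType
FilesTypes = EXE, COM, DO?, XL?
FilesTypes = HT*, JS*
ExcludePaths = /proc,/sys,/dev
CheckEMailFiles = Yes
"""


def parse_scanner_section(text: str) -> Dict[str, List[str]]:
    """Collect every value of every key in [Scanner], keeping repeats,
    because multi-string parameters such as FilesTypes are summed up."""
    values: Dict[str, List[str]] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "scanner"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values.setdefault(key.strip().lower(), []).append(value.strip())
    return values


def _split_list(cfg: Dict[str, List[str]], key: str) -> List[str]:
    """Flatten all lines of a comma-separated multi-string parameter."""
    items: List[str] = []
    for line in cfg.get(key, []):
        items.extend(part.strip() for part in line.split(",") if part.strip())
    return items


def file_types(cfg: Dict[str, List[str]]) -> List[str]:
    """All FilesTypes masks, upper-cased for case-insensitive matching."""
    return [m.upper() for m in _split_list(cfg, "filestypes")]


def is_excluded(path: str, cfg: Dict[str, List[str]]) -> bool:
    """ExcludePaths: the path itself matches a mask, or lies below it."""
    for mask in _split_list(cfg, "excludepaths"):
        if fnmatch.fnmatchcase(path, mask) or path.startswith(mask.rstrip("/") + "/"):
            return True
    return False


def would_scan(path: str, cfg: Dict[str, List[str]], in_mailbox: bool = False) -> bool:
    """True if Scanner would check `path`. Files inside mailboxes are always
    handled as ScanFiles = All, subject only to CheckEMailFiles."""
    if is_excluded(path, cfg):
        return False
    if in_mailbox:
        return (cfg.get("checkemailfiles") or ["Yes"])[-1].lower() == "yes"
    mode = (cfg.get("scanfiles") or ["All"])[-1].lower()
    if mode != "bytype":
        return True
    ext = posixpath.splitext(path)[1].lstrip(".").upper()
    return any(fnmatch.fnmatchcase(ext, mask) for mask in file_types(cfg))


if __name__ == "__main__":
    cfg = parse_scanner_section(SAMPLE_INI)
    for p in ("/home/u/report.DOC", "/home/u/notes.txt", "/proc/1/maps", "/home/u/index.html"):
        print(p, would_scan(p, cfg))
```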
FollowLinks = {Yes | No}<br />
Enable/disable following symbolic links.<br />
Default value:<br />
FollowLinks = No<br />
RenameFilesTo = {rename mask}<br />
Mask for renaming infected or suspicious files if the Rename action is specified. For example, with the rename mask<br />
#?? the first character of the file extension is replaced by the «#» symbol and all subsequent characters are<br />
preserved. If the file has no extension, its new extension consists only of the «#» symbol.<br />
Default value:<br />
RenameFilesTo = #??<br />
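The rename mask semantics just described, applied to file names in Python as an added example (not Dr.Web code). The only rule it assumes beyond the text is that a «?» beyond the end of a short extension yields nothing.<br />

```python
"""Apply a Dr.Web Scanner RenameFilesTo mask to a file name.

Added example, not Dr.Web code. It models the documented behaviour of the
default mask #??: '?' keeps the corresponding character of the original
extension, any other mask character is written literally, characters of the
original extension beyond the mask length are preserved, and a file without an
extension receives the literal part of the mask only («#» for the default).
A '?' beyond the end of a short extension yielding nothing is an assumption.
"""
import posixpath


def apply_rename_mask(path: str, mask: str = "#??") -> str:
    """Return the new path the Rename action would give `path`."""
    head, ext = posixpath.splitext(path)
    ext = ext[1:]                      # drop the leading dot ('' if no extension)
    out = []
    for i, ch in enumerate(mask):
        if ch == "?":
            if i < len(ext):
                out.append(ext[i])     # keep the original character
        else:
            out.append(ch)             # literal mask character, e.g. '#'
    out.append(ext[len(mask):])        # extension characters beyond the mask are kept
    return head + "." + "".join(out)


if __name__ == "__main__":
    # Constructed file names; eicar.com is the test file the manual mentions
    for name in ("eicar.com", "/srv/share/doc.html", "/srv/share/README"):
        print(name, "->", apply_rename_mask(name))
```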
MoveFilesTo = {path to directory}<br />
Path to the quarantine directory.<br />
Default value:<br />
MoveFilesTo = %var_dir/infected/<br />
EnableDeleteArchiveAction = {Yes | No}<br />
Enable/disable the Delete action for compound objects (archives, mailboxes, html pages) if they contain infected files.<br />
Please note: with this option enabled the whole compound object is deleted (archive, mailbox, etc.), not only the<br />
infected file or message. Use this option carefully!<br />
Default value:<br />
EnableDeleteArchiveAction = No<br />
InfectedFiles = {Report | Cure | Delete | Move | Rename | Ignore}<br />
Sets the program reaction when a file infected with a known virus is detected. Allowable parameter values include:<br />
● Report ― output information to the log file;<br />
● Cure ― try to cure the object (only for the InfectedFiles parameter);<br />
● Delete ― delete the infected file;<br />
● Move ― move the file to the directory specified by the MoveFilesTo parameter;<br />
● Rename ― rename the file using the mask specified by the RenameFilesTo parameter;<br />
● Ignore – skip the file.<br />
Default value:<br />
InfectedFiles = Report<br />
The Delete, Move and Rename actions, when specified for archives, containers and mailboxes containing infected files, are<br />
applied to the whole archive, container or mailbox!<br />
Similar values are also used for the following parameters:<br />
● SuspiciousFiles ― the file is probably infected by an unknown virus;<br />
● IncurableFiles ― the file is infected and incurable (used only if InfectedFiles = Cure);<br />
● ActionAdware — the file contains a program for displaying advertisements (adware);<br />
● ActionDialers — the file contains a dialer program;<br />
● ActionJokes — the file contains a joke program, which can frighten or irritate the user;<br />
● ActionRiskware — the file contains a dangerous program, which can be used not only by its legitimate user, but also<br />
by an intruder;<br />
● ActionHacktools — the file contains a hacking tool;<br />
● ActionInfectedMail ― the mailbox contains an infected file;<br />
● ActionInfectedArchive ― the archive (ZIP, TAR, RAR, etc.) contains an infected file;<br />
● ActionInfectedContainer ― the container (OLE, HTML, PowerPoint, etc.) contains an infected file.<br />
For all these parameters the same values as for the InfectedFiles parameter (except for the Cure action) can be specified.<br />
Default value for each parameter:<br />
SuspiciousFiles = Report<br />
IncurableFiles = Report<br />
ActionAdware = Report<br />
ActionDialers = Report<br />
ActionJokes = Report<br />
ActionRiskware = Report<br />
ActionHacktools = Report<br />
ActionInfectedMail = Report<br />
ActionInfectedArchive = Report<br />
ActionInfectedContainer = Report<br />
LogFileName = {path to log file}<br />
Log file name. You can specify syslog as the log file name, and logging is then carried out by the syslogd system service. In<br />
this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several<br />
files for logging events of different importance, these two parameters and the syslogd configuration file (usually<br />
/etc/syslogd.conf) determine where the information is logged to.<br />
Default value:<br />
LogFileName = syslog<br />
SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}<br />
Log type when the syslogd system service is used for activity logging (please refer to the syslog documentation for further<br />
details).<br />
Default value:<br />
SyslogFacility = Daemon<br />
SyslogPriority = {Alert | Warning | Notice | Info | Error}<br />
Log priority when the syslogd system service is used.<br />
Default value:<br />
LimitLog = {Yes | No}<br />
SyslogPriority = Info<br />
36
Enable/disable the limit for log file size. When LogFileName = syslog, the parameter value is ignored. When Scanner is
started it checks the log file size and if it exceeds the MaxLogSize parameter value, the log file contents get cleared and the log file is
started from scratch.
Default value:
LimitLog = No
MaxLogSize = {value in Kbytes}
Maximum log file size. Can be used with LimitLog = Yes only. Each time Scanner starts, the size of the log file is
checked. If it is greater than the MaxLogSize parameter value, the log file will be overwritten. Set this parameter value to 0 if
you do not want the log file to be unexpectedly modified at start up.
Default value:
MaxLogSize = 512
LogScanned = {Yes | No}
Enable/disable logging of information about all scanned objects, not only about infected and suspicious ones.
Default value:
LogScanned = Yes
LogPacked = {Yes | No}
Enable/disable logging of additional information about files packed with DIET, PKLITE and other utilities.
Default value:
LogPacked = Yes
LogArchived = {Yes | No}
Enable/disable logging of additional information about files archived with various archiving utilities.
Default value:
LogArchived = Yes
LogTime = {Yes | No}
Enable/disable logging of the time for each record. The parameter is not used if LogFileName = syslog.
Default value:
LogTime = Yes
LogStatistics = {Yes | No}
Enable/disable logging of total scan statistics.
Default value:
LogStatistics = Yes
RecodeNonprintable = {Yes | No}
Output mode for nonprintable characters on the given terminal.
Default value:
RecodeNonprintable = Yes
RecodeMode = {Replace | QuotedPrintable}
Recoding mode for nonprintable characters if RecodeNonprintable = Yes. When RecodeMode = Replace
all nonprintable characters are substituted with the RecodeChar parameter value (see below). When RecodeMode =
QuotedPrintable all nonprintable characters are converted to Quoted-Printable format.
Default value:
RecodeMode = QuotedPrintable
RecodeChar = {"?" | "_" | ...}
Symbol used to replace nonprintable characters if RecodeMode = Replace.
Default value:
RecodeChar = "?"
The following parameters can be used to reduce archive scan time (some objects in archives will not be checked).
MaxCompressionRatio = {value}
Maximum compression ratio, i.e. the ratio of unpacked file size to packed file size (inside the archive). If the ratio exceeds
the specified value, the file will not be extracted and therefore will not be checked.
Default value:
MaxCompressionRatio = 5000
CompressionCheckThreshold = {value in Kbytes}
Minimum size of a file inside an archive from which the compression ratio check will be performed (if it is specified by
the MaxCompressionRatio parameter value).
Default value:
CompressionCheckThreshold = 1024
MaxFileSizeToExtract = {value in Kbytes}
Maximum size of a file extracted from an archive. If the file size inside the archive exceeds the specified value, it will be skipped.
Default value:
MaxFileSizeToExtract = 500000
MaxArchiveLevel = {value}
Maximum archive nesting level (archive in archive in archive, etc.). If the archive nesting level exceeds the specified value, it will
be skipped.
Default value:
MaxArchiveLevel = 8
7.3. Start
To start Dr.Web Scanner you can use the following command:
$ %bin_dir/drweb
If the %bin_dir directory is added to the PATH environment variable, you can run Dr.Web Scanner from any directory just by
typing «drweb». However, this variant (as well as making a symbolic link to the Dr.Web Scanner executable file in
directories like /bin/, /usr/bin/, etc.) is not recommended for security reasons.
Dr.Web Scanner can be started with either administrator or user privileges. In the latter case the virus check will be executed
only in directories where the user has read access, and infected files will be cured only in directories where the user has write
access (usually the user home directory, $HOME). There are also some other restrictions when Scanner is started with
user privileges, for example, with moving and renaming infected files.
After Scanner is started, it outputs the following information: program name, platform name, version number, release
date and contact information. Then it shows user registration information and statistics about the loaded virus databases,
including add-ons (if installed):
Dr.Web (R) Scanner for Linux, v5.0.0 (February 19, 2009)
Copyright (c) Igor Daniloff, 1992-2009
Support service: http://support.drweb.com/
To purchase: http://buy.drweb.com/
Program version: 5.0.0.10060
Engine version: 5.0.0.9170
Loading /var/drweb/bases/drwtoday.vdb - Ok, virus records: 1533
Loading /var/drweb/bases/drw50012.vdb - Ok, virus records: 3511
--------------------------------------------
Loading /var/drweb/bases/drw50000.vdb - Ok, virus records: 1194
Loading /var/drweb/bases/dwn50001.vdb - Ok, virus records: 840
Loading /var/drweb/bases/drwebase.vdb - Ok, virus records: 78674
Loading /var/drweb/bases/drwrisky.vdb - Ok, virus records: 1271
Loading /var/drweb/bases/drwnasty.vdb - Ok, virus records: 4867
Total virus records: 538681
Key file: /opt/drweb/drweb32.key
Key file number: XXXXXXXXXX
Key file activation date: XXXX-XX-XX
Key file expiration date: XXXX-XX-XX
After this report the shell prompt is returned.
All other Scanner actions (detection, cure, etc.) require additional command line parameters.
8. Antivirus Module Dr.Web Daemon
Dr.Web Daemon is a permanently loaded Dr.Web antivirus module, which can scan for viruses in files on disk or in data
transferred through a socket on request from other components. Requests are made using a special protocol via UNIX
sockets or TCP sockets. Dr.Web Daemon uses the same antivirus engine and virus databases as Scanner and is able to
detect and cure all known viruses.
Dr.Web Daemon is always running and has a clear and easy protocol for sending scanning requests, which makes it a
perfect solution to be used as an antivirus filter for file servers. The «Dr.Web for UNIX file servers» solution is a ready-made
solution for integrating Dr.Web Daemon with Samba file servers v.3.0 or later.
8.1. Command Line Parameters
Like any other UNIX program, Dr.Web Daemon supports command line parameters. They are separated from the specified
path by white space and are prefixed by a hyphen «-». To get the complete list of parameters, run Daemon with the -?, -h or
-help parameter.
Dr.Web Daemon has the following command line parameters:
●-ini= ― use an alternative configuration file;
●-lng= ― use an alternative language file. If the English interface has been chosen during
installation, specify ru_daemon.dwl to display program messages in Russian;
●--foreground= ― set the Daemon operation mode at start. If the «Yes» value is specified, Daemon
will work in the foreground; with the «No» value specified, Daemon will operate in daemon mode.
8.2. Configuration
Daemon can be used with default settings, but it is much more convenient to set it up according to your specific
requirements and situation. Daemon settings are stored in the configuration file (drweb32.ini by default), which is
located in the %etc_dir directory. To use another configuration file, specify the full path to it with the command line parameter at
start.
A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are
described in the order they are presented in the main configuration file.
[Daemon] section.
EnginePath = {path to file, usual extension is *.dll}
Location of the drweb32.dll module (Engine). This parameter is also used by the update utility.
Default value:
EnginePath = %bin_dir/lib/drweb32.dll
VirusBase = {list of paths (masks) to files, usual extension is *.vdb}
Masks for loading virus databases. This parameter is also used by the update utility. Multiple values are allowed.
Default value:
VirusBase = %var_dir/bases/*.vdb,%var_dir/bases/*.VDB
UpdatePath = {path to directory}
This parameter is used by the update utility (update.pl) and is mandatory.
Default value:
UpdatePath = %var_dir/updates/
TempPath = {path to directory}
Directory for the Engine to create temporary files. Usually it is not used, but sometimes it appears to be necessary for
unpacking archives or when the system is short of memory resources.
Default value:
TempPath = %var_dir/spool/
LngFileName = {path to language file, usual extension is *.dwl}
Language file location. If the value of this parameter is not specified, all messages will be displayed in English.
Default value:
LngFileName =
Key = {path to file, usual extension is *.key}
Key file location (license or demo).
Default value:
Key = %bin_dir/drweb32.key
Please note that Daemon and Scanner can have different license key files. In this case you must change the value of this
parameter correspondingly. Daemon can use several license key files simultaneously. For each of them a Key parameter
value in the [Daemon] section of the drweb32.ini file must be specified. In this case Daemon tries to merge all license
permissions from all available license key files.
MailAddressesList = {path to file}
This parameter is used only if you have an e-mail license for 15 or 30 addresses. The specified file must contain a list of e-mail
addresses (15 or 30 as specified by the license, one e-mail address per line) for which both incoming and outgoing
messages will be checked. Aliases are considered as separate addresses.
Default value:
MailAddressesList = %etc_dir/email.ini
OutputMode = {Terminal | Quiet}
Information output mode at start: Terminal outputs to the console, Quiet disables output.
Default value:
OutputMode = Terminal
RunForeground = {Yes | No}
Disables/enables daemon mode for Dr.Web Daemon. With the «Yes» value it can no longer act in the background without
a controlling terminal. This option can be used by certain monitoring utilities (e.g., daemontools).
Default value:
RunForeground = No
User = {user name}
User account with appropriate privileges to be used by Daemon. It is strongly recommended to create a separate
«drweb» user account, which will be used by Daemon and filters. It is not recommended to run Daemon with root
privileges, although it may take less time to set it up. This parameter value cannot be changed when reloading the
configuration using SIGHUP.
Default value:
User = drweb
UserID = {numeric ID}
GroupID = {numeric ID}
Identifiers of the user and group with appropriate privileges to be used by Daemon. These parameters are ignored if the User
parameter value is specified. The values of these parameters cannot be changed when reloading the configuration using
SIGHUP.
Default value:
UserID =
GroupID =
PidFile = {path to file}
The specified file contains the Daemon PID and the UNIX socket (if the Socket parameter enables usage of a UNIX socket) or port
number (if the Socket parameter enables usage of a TCP socket). If more than one Socket parameter is specified, this file
will contain information on all the sockets (one per line). This file is created every time Daemon starts.
Default value:
PidFile = %var_dir/run/drwebd.pid
BusyFile = {path to file}
File where the Daemon execution flag is stored. This file is created by a Daemon child process upon receipt of the
corresponding command and removed after successful execution of this command. The file name created by each Daemon
child process is suffixed with a dot and the ASCIIZ representation of its PID (e.g.,
/var/run/drwebd.bsy.123456).
Default value:
BusyFile = %var_dir/run/drwebd.bsy
MaxChildren = {numeric value}
Maximum number of simultaneously working child processes. The main process does not perform a scan, so the
maximum number of Daemon processes will be equal to MaxChildren + 1. The recommended value range is from 4 to 16
processes per CPU.
Default value:
MaxChildren = 16
PreFork = {Yes | No}
Child process creation mode. If the parameter is set to «No», a new scanning process is created for each query. If the parameter
is set to «Yes», Daemon will create child scanning processes in advance, in an amount equal to the MaxChildren value
(explained above), immediately after start. PreFork mode is very efficient, but it consumes more memory resources
(because all created scanning processes are memory-resident). Please note that you must restart Daemon after
changing the PreFork parameter value. This parameter value cannot be changed when reloading the configuration using
SIGHUP.
Default value:
PreFork = Yes
MailCommand = {command}
Command used by Daemon and the update utility for sending out notifications and information bulletins on new updates to
the user (administrator) via e-mail. If less than two weeks are left until the key file (or one of the key files) expires, Daemon
starts sending out notifications every time the system starts, restarts or reboots.
Default value:
MailCommand = "/usr/sbin/sendmail -i -bm -f drweb -- root"
NotifyPeriod = {numeric value}
This parameter value specifies the length of the period (in days) before the license expiration date, from the beginning of
which Daemon starts sending out notifications of license renewal. When the parameter value is set to 0, Daemon starts
sending out notifications immediately after the key file expires.
Default value:
NotifyPeriod = 14
NotifyFile = {path to file}
File with a timestamp of the last notification of license renewal. It is sent out to the administrator after the key file expires.
Default value:
NotifyFile = %var_dir/.notify
NotifyType = {Ever | Everyday | Once}
Frequency of dispatch of notifications about license expiration. Once ― the notification is sent only once. Everyday ―
the notification is sent daily. Ever ― the notification is sent every time Daemon restarts or every time the bases are updated.
Default value:
NotifyType = Ever
FileTimeout = {value in seconds}
Maximum time for Daemon to perform a scan of one file.
Default value:
FileTimeout = 30
StopOnFirstInfected = {Yes | No}
Enables/disables termination of the message scan after the detection of the first virus. The «Yes» value may
considerably reduce mail-server load and message scan time.
Default value:
StopOnFirstInfected = No
ScanPriority = {value}
Daemon process priority. The value must be within the -20 (highest priority) to 20 (lowest priority) range.
Default value:
ScanPriority = 0
FilesTypes = {list of extensions}
File types to be checked «by type», i.e. when the ScanFiles parameter (explained below) has the ByType value. The «*» and
«?» symbols are allowed. This parameter can be multi-string (the specified lists are summed up).
Default value:
FilesTypes = EXE, COM, SYS, OV?, BAT, BIN, DRV, PRG, BOO, SCR, CMD,
VXD, 386, DLL, FON, DO?, XL?, WIZ, RTF, CL*, HT*, VB*, JS*, INF, AR?, ZIP, R??,
PP?, OBJ, LIB, HLP, MD?, INI, MBR, IMG, CSC, CPL, MBP, SHS, SHB, PIF, SO, CHM,
REG, XML, PRC, ASP, LSP, MSO, OBD, THE*, NWS, SWF, BMP, MPP, OCX, DVB, CPY, MSG,
EML
FilesTypesWarnings = {Yes | No}
Notify about files of unknown types.
Default value:
FilesTypesWarnings = Yes
ScanFiles = {All | ByType}
Additional restriction for files to be checked. With the ByType value set, the file extensions specified either by default or in
the FilesTypes parameter (or parameters) are considered. Mode All is always enabled for files in mailboxes. The ByType
value can be used only in local scan mode.
Default value:
ScanFiles = All
CheckArchives = {Yes | No}
Enable/disable extracting files archived with ZIP (WinZip, InfoZIP, etc.), RAR, ARJ, TAR, GZIP, CAB and other archivers.
Default value:
CheckArchives = Yes
CheckEMailFiles = {Yes | No}
Enable/disable checking files in mailboxes.
Default value:
CheckEMailFiles = Yes
ExcludePaths = {list of paths (masks) to be excluded from scan}
Masks for files which should not be checked.
Default value:
ExcludePaths = /proc,/sys,/dev
FollowLinks = {Yes | No}
Enable/disable following symbolic links.
Default value:
FollowLinks = No
RenameFilesTo = {rename mask}
Mask for renaming infected or suspicious files if the Rename action is specified. For example, when the rename mask looks like
#??, the first character of the file extension will be replaced by the «#» symbol, and all other subsequent characters will be
preserved. If the file has no extension, the extension will consist only of the «#» symbol.
Default value:
RenameFilesTo = #??
MoveFilesTo = {path to directory}
Path to the quarantine directory.
Default value:
MoveFilesTo = %var_dir/infected/
BackupFilesTo = {path to directory}
Directory for backup copies of infected files if the requested action was Cure.
Default value:
BackupFilesTo = %var_dir/infected/
LogFileName = {path to log file}
Log file name. You can specify syslog as the log file name, and logging will then be carried out by the syslogd system service. In
this case the SyslogFacility and SyslogPriority parameters must also be specified. As syslogd uses several
files for logging various events of different importance, these two parameters and the syslogd configuration file (usually
/etc/syslogd.conf) determine where the information is logged to.
Default value:
LogFileName = syslog
SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}
Syslog facility used when the syslogd system service is used for activity logging (please refer to the syslog documentation for further
details).
Default value:
SyslogFacility = Daemon
SyslogPriority = {Alert | Warning | Notice | Info | Error}
Log priority when the syslogd system service is used.
Default value:
SyslogPriority = Info
LimitLog = {Yes | No}
Enable/disable the limit for log file size. When LogFileName = syslog, the parameter value is ignored. When Daemon is
started it checks the log file size and if it exceeds the MaxLogSize parameter value, the log file contents get cleared and the log file is
started from scratch.
Default value:
LimitLog = No
MaxLogSize = {value in Kbytes}
Maximum log file size. Can be used with LimitLog = Yes only. Each time Daemon starts, the size of the log file is
checked. If it is greater than the MaxLogSize parameter value, the log file will be overwritten. The same thing happens when
Daemon receives the SIGHUP signal. Set this parameter value to 0 if you do not want the log file to be unexpectedly modified
at start up.
Default value:
MaxLogSize = 512
LogScanned = {Yes | No}
Enable/disable logging of information about all scanned objects, not only about infected and suspicious ones.
Default value:
LogScanned = Yes
LogPacked = {Yes | No}
Enable/disable logging of additional information about files packed with DIET, PKLITE and other utilities.
Default value:
LogPacked = Yes
LogArchived = {Yes | No}
Enable/disable logging of additional information about files archived with various archiving utilities.
Default value:
LogArchived = Yes
LogTime = {Yes | No}
Enable/disable logging of the time for each record. The parameter is not used if LogFileName = syslog.
Default value:
LogTime = Yes
LogProcessInfo = {Yes | No}
Enable/disable logging of the PID of every scanning process and the filter address (host name or IP) from which scanning has been
activated. This data is placed before each record.
Default value:
LogProcessInfo = Yes
RecodeNonprintable = {Yes | No}
Output mode for nonprintable characters on the given terminal.
Default value:
RecodeNonprintable = Yes
RecodeMode = {Replace | QuotedPrintable}
Recoding mode for nonprintable characters if RecodeNonprintable = Yes. When RecodeMode = Replace
all nonprintable characters are substituted with the RecodeChar parameter value (see below). When RecodeMode =
QuotedPrintable all nonprintable characters are converted to Quoted-Printable format.
Default value:
RecodeMode = QuotedPrintable
RecodeChar = {"?" | "_" | ...}
Symbol used to replace nonprintable characters if RecodeMode = Replace.
Default value:
RecodeChar = "?"
Socket = {PORT [interfaces] | FILE [access]}
Description of a socket used for communication with Daemon. The first form describes a TCP socket. The PORT value is the
decimal port number, the interfaces value is the list of interface names or IP addresses for incoming requests.
Example:
Socket = 3000 127.0.0.1, 192.168.0.100
The second form describes a UNIX socket. The FILE value is the socket name, access is the access permissions definition
in octal form.
Example:
Socket = %var_dir/.drwebd 0660
The number of Socket parameters is not limited. Daemon will work with all correctly described sockets. To enable receipt of
requests via all available interfaces set 3000 0.0.0.0 as a value of this parameter.
Default value:
Socket = %var_dir/run/.daemon
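The two Socket forms above are easy to misread in a long drweb32.ini, so here is an added example (not Dr.Web code) that parses every Socket line of a [Daemon] section into the TCP or UNIX form and reports the exposure an administrator should review: a port bound to 0.0.0.0 or a public address, or a socket file whose octal mode lets every local user reach the Daemon. The ini snippet and the warning texts are constructed for this example.

```python
"""Parse the two forms of the [Daemon] Socket parameter and flag exposure.

Added example, not Dr.Web code: it follows the two forms the manual gives,
"PORT [interfaces]" for a TCP socket and "FILE [access]" for a UNIX socket,
and adds the review checks a defender would run over drweb32.ini before
deployment. SAMPLE_INI is constructed for the example.
"""
import ipaddress
import re
import stat
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the manual's two examples plus the all-interfaces form.
SAMPLE_INI = """
[Daemon]
Socket = 3000 127.0.0.1, 192.168.0.100
Socket = %var_dir/.drwebd 0660
Socket = 3000 0.0.0.0
"""


@dataclass
class SocketSpec:
    kind: str                                   # "tcp" or "unix"
    port: Optional[int] = None
    interfaces: List[str] = field(default_factory=list)
    path: Optional[str] = None
    mode: Optional[int] = None                  # UNIX socket permissions (octal in the ini)
    warnings: List[str] = field(default_factory=list)


def parse_socket(value: str) -> SocketSpec:
    """Classify one Socket value: a leading decimal number means PORT [interfaces],
    anything else means FILE [access]. Interfaces are comma separated."""
    head, _, rest = value.strip().partition(" ")
    if head.isdigit():
        port = int(head)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %s" % head)
        ifaces = [i.strip() for i in rest.split(",") if i.strip()]
        spec = SocketSpec("tcp", port=port, interfaces=ifaces)
        for iface in ifaces:
            try:
                addr = ipaddress.ip_address(iface)
            except ValueError:
                continue                        # interface name such as "eth0": not checked here
            if addr.is_unspecified:
                spec.warnings.append(
                    "port %d listens on all interfaces (%s); limit it to the filter hosts" % (port, iface))
            elif not addr.is_loopback and addr.is_global:
                spec.warnings.append("port %d is bound to the public address %s" % (port, iface))
        return spec
    if rest and not re.fullmatch(r"[0-7]{3,4}", rest):
        raise ValueError("access must be octal: %r" % rest)
    mode = int(rest, 8) if rest else None
    spec = SocketSpec("unix", path=head, mode=mode)
    # "other" read/write bits let every local account talk to the Daemon;
    # the manual's own example uses 0660 (owner and group only).
    if mode is not None and mode & (stat.S_IROTH | stat.S_IWOTH):
        spec.warnings.append("%s has mode %04o: accessible to all local users" % (head, mode))
    return spec


def parse_daemon_sockets(ini_text: str) -> List[SocketSpec]:
    """Collect every Socket line of the [Daemon] section (the manual allows any number)."""
    specs: List[SocketSpec] = []
    in_daemon = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_daemon = line.lower() == "[daemon]"
            continue
        if in_daemon and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "socket":
                specs.append(parse_socket(val))
    return specs


if __name__ == "__main__":
    for s in parse_daemon_sockets(SAMPLE_INI):
        target = s.port if s.kind == "tcp" else s.path
        print(s.kind, target, s.interfaces or ("%04o" % s.mode if s.mode is not None else "default mode"),
              "; ".join(s.warnings) or "ok")
```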
SocketTimeout = {value in seconds}
Maximum time for data transfer via the socket (file scanning time is not included).
Default value:
SocketTimeout = 10
ListeningQueue = {value}
Maximum queue size for sockets. The value may vary from 0 to the SOMAXCONN constant (its value depends on the OS).
Default value:
ListeningQueue = 128
The following parameters can be used to reduce archive scan time (some objects in archives will not be checked). If an
object falls under the restrictions set by these parameters, the ArchiveRestriction procedure is applied. The
ArchiveRestriction parameter value is specified in the configuration files of the various filters.
MaxCompressionRatio = {value}
Maximum compression ratio, i.e. the ratio of unpacked file size to packed file size (inside the archive). If the ratio exceeds
the specified value, the file will not be extracted and therefore will not be checked.
Default value:
MaxCompressionRatio = 500
CompressionCheckThreshold = {value in Kbytes}
Minimum size of a file inside an archive from which the maximum compression ratio check will be performed (if it is
specified by the MaxCompressionRatio parameter value).
Default value:
CompressionCheckThreshold = 1024
MaxFileSizeToExtract = {value in Kbytes}
Maximum size of a file to extract from an archive. If the file size inside the archive exceeds the specified value, it will be skipped.
Default value:
MaxFileSizeToExtract = 40960
MaxArchiveLevel = {value}
Maximum archive nesting level (archive in archive in archive, etc.). If the archive nesting level exceeds the specified value, the file
will be skipped.
Default value:
MaxArchiveLevel = 8
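The four archive limits (described for Scanner in section 7 and again here for Daemon, with different defaults) decide which archive members are never unpacked and therefore never checked. The following added example, not Dr.Web code, re-implements those decision rules in Python and walks a constructed ZIP that contains a highly compressible member and a nested ZIP, so the Daemon defaults (500 / 1024 / 40960 / 8) can be compared with the Scanner defaults (5000 / 1024 / 500000 / 8). Assumed: the top-level archive is nesting level 1 and an archive inside it is level 2.

```python
"""Archive extraction limits: MaxCompressionRatio, CompressionCheckThreshold,
MaxFileSizeToExtract and MaxArchiveLevel, applied to a real ZIP file.

Added example, not Dr.Web code: it re-implements the decision rules as the
manual states them and walks a constructed ZIP (with a nested ZIP inside).
Assumption: the top-level archive is nesting level 1, an archive inside it
is level 2, and so on.
"""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict

KB = 1024


@dataclass(frozen=True)
class ArchiveLimits:
    # Same units as the ini parameters: a ratio, Kbytes, Kbytes, a level count.
    max_compression_ratio: int = 500          # Daemon default (Scanner default: 5000)
    compression_check_threshold_kb: int = 1024
    max_file_size_to_extract_kb: int = 40960  # Daemon default (Scanner default: 500000)
    max_archive_level: int = 8


def extraction_decision(packed: int, unpacked: int, limits: ArchiveLimits) -> str:
    """Return "extract", or the reason the member is skipped (and so left unchecked)."""
    if unpacked > limits.max_file_size_to_extract_kb * KB:
        return "skip: unpacked size %d exceeds MaxFileSizeToExtract" % unpacked
    # The ratio is only examined for members at least CompressionCheckThreshold large.
    if unpacked >= limits.compression_check_threshold_kb * KB:
        ratio = unpacked / max(packed, 1)
        if ratio > limits.max_compression_ratio:
            return "skip: compression ratio %.0f exceeds MaxCompressionRatio" % ratio
    return "extract"


def scan_archive(data: bytes, limits: ArchiveLimits, level: int = 1) -> Dict[str, str]:
    """Map every member (nested ones as outer.zip/inner) to its decision."""
    results: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            is_archive = info.filename.lower().endswith(".zip")
            if is_archive and level + 1 > limits.max_archive_level:
                results[info.filename] = "skip: nesting level %d exceeds MaxArchiveLevel" % (level + 1)
                continue
            decision = extraction_decision(info.compress_size, info.file_size, limits)
            results[info.filename] = decision
            if decision == "extract" and is_archive:
                for name, inner in scan_archive(zf.read(info), limits, level + 1).items():
                    results[info.filename + "/" + name] = inner
    return results


def _zip_bytes(members: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def build_sample_archive() -> bytes:
    """Constructed input: a short text file, 4 MiB of zero bytes, and a nested ZIP."""
    inner = _zip_bytes({"note.txt": b"nested member, small and harmless\n"})
    return _zip_bytes({
        "readme.txt": b"The quick brown fox jumps over the lazy dog. " * 45,
        "bomb.bin": b"\0" * (4 * KB * KB),  # deflate shrinks this roughly 1000:1
        "inner.zip": inner,
    })


if __name__ == "__main__":
    sample = build_sample_archive()
    for label, limits in (("daemon", ArchiveLimits()), ("scanner", ArchiveLimits(5000, 1024, 500000, 8))):
        print(label)
        for name, decision in scan_archive(sample, limits).items():
            print("  %-20s %s" % (name, decision))
```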
As stated above, Dr.Web Daemon has built-in e-mail filtering capabilities based on message header analysis.
Filtering rules are specified in the configuration file. The compliance check is performed sequentially, until the first matching rule
is found. Then the corresponding rule is applied. None of the specified filtering rules are applied automatically. To enable
header analysis you must specify the appropriate parameters in the built-in filters. If you work with custom solutions based
on Dr.Web Daemon you must set up special flags.
Compliance with any of the Reject* rules cancels further message scanning.
Compliance with any of the Accept* rules enables the anti-virus check.
ScanEncodedHeaders = {Yes | No}
Enables/disables message header processing before decoding. For example, the «Yes» value combined with
RejectCondition Subject = "iso-8859-5" allows filtering out all messages with the Subject field in
iso-8859-5 encoding. Please note that with the «Yes» value all encoded headers will be scanned twice: before and after
decoding.
Default value:
ScanEncodedHeaders = No
RejectCondition {set of rules}
Configuration<br />
AcceptCondition {set of rules}<br />
Description of filtering rules <strong>for</strong> message headers. Each rule contains header name and regular expression describing<br />
value of this field. Several rules can be combined by round brackets and logical operators OR and AND.<br />
Example:<br />
RejectCondition Subject = "money" AND "Content-Type" = "text/html"<br />
Also it is possible to use «!=» (not equal) operator.<br />
Filtering rules may also include some special conditions. No "HEADER" condition allows filtering out messages, where<br />
specified header fields are absent. HEADER = "8bit" allows filtering out messages with header fields containing 8-bit<br />
symbols.<br />
MissingHeader {fields list}<br />
List of essential headers. Messages without specified headers will be filtered out. For example, MissingHeader<br />
"To", "From".<br />
FilterParts = {Yes | No}<br />
Enables/disables applying rules, set by RejectPartCondition and AcceptPartCondition parameters.<br />
Default value:<br />
FilterParts =<br />
RejectPartCondition {set of rules}<br />
AcceptPartCondition {set of rules}<br />
Set of filtering rules <strong>for</strong> message headers. These parameters are similar to RejectCondition and<br />
AcceptCondition, but are applied only to particular message parts. Set of rules can be defined as FileName =<br />
{mask}, where «mask» is a POSIX 1003.2 compatible regular expression. Filtering by these rules is enabled only<br />
when FilterParts parameter is set to «Yes» (explained above).<br />
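The following is an added example, not Dr.Web code: a small evaluator for RejectCondition rules written the way this Manual describes them (header = "regex", «!=», AND/OR, round brackets, the "8bit" special condition, MissingHeader), which also shows why ScanEncodedHeaders = Yes lets Subject = "iso-8859-5" catch an encoded Subject. Operator precedence, quoted header names and the treatment of «!=» on an absent header are assumptions, since the Manual does not define them.<br />

```python
import re
from email.header import decode_header, make_header

# Added example (not Dr.Web code): an evaluator for header filtering rules in the shape
# this manual describes, e.g.  Subject = "money" AND "Content-Type" = "text/html"
# Assumptions not stated by the manual: header names may be bare or quoted, the pattern
# is a regular expression searched anywhere in the field value, AND binds tighter than OR,
# round brackets group sub-rules, and "!=" on an absent header counts as a match.

TOKEN = re.compile(r'\s*(\(|\)|!=|=|AND\b|OR\b|"[^"]*"|[A-Za-z0-9_-]+)')

def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:
            raise ValueError("cannot parse rule near: " + rule[pos:])
        tokens.append(m.group(1))
        pos = m.end()
    return tokens

class RuleParser:
    """Recursive-descent parser producing ("OR", a, b), ("AND", a, b) and
    ("CMP", header, op, pattern) nodes."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.i += 1
        return tok
    def parse_or(self):
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.parse_and())
        return node
    def parse_and(self):
        node = self.parse_atom()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.parse_atom())
        return node
    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of rule")
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing bracket")
            return node
        op = self.take()
        if op not in ("=", "!="):
            raise ValueError("expected = or != after header name " + tok)
        pattern = self.take()
        if pattern is None or not pattern.startswith('"'):
            raise ValueError("expected a quoted pattern after " + op)
        return ("CMP", tok.strip('"').lower(), op, pattern.strip('"'))

def field_matches(value, pattern):
    # Special condition from the manual: "8bit" matches fields containing 8-bit characters.
    if pattern == "8bit":
        return any(ord(ch) > 127 for ch in value)
    return re.search(pattern, value) is not None

def evaluate(node, headers):
    if node[0] == "OR":
        return evaluate(node[1], headers) or evaluate(node[2], headers)
    if node[0] == "AND":
        return evaluate(node[1], headers) and evaluate(node[2], headers)
    _, name, op, pattern = node
    hit = field_matches(headers.get(name, ""), pattern)
    return hit if op == "=" else not hit

def decode_value(raw):
    """RFC 2047 decoding: =?iso-8859-5?Q?...?= becomes the Cyrillic text itself."""
    try:
        return str(make_header(decode_header(raw)))
    except (UnicodeError, LookupError, ValueError):
        return raw

def apply_reject_rule(rule, headers, scan_encoded=False, missing_headers=()):
    """Return "reject" or "accept" for one message given as {header name: raw value}.
    missing_headers plays the role of MissingHeader; scan_encoded=True mirrors
    ScanEncodedHeaders = Yes (the rule runs on the raw value and again after decoding)."""
    raw = {k.lower(): v for k, v in headers.items()}
    if any(h.lower() not in raw for h in missing_headers):
        return "reject"
    parser = RuleParser(tokenize(rule))
    tree = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError("unexpected token " + parser.peek())
    if scan_encoded and evaluate(tree, raw):
        return "reject"
    decoded = {k: decode_value(v) for k, v in raw.items()}
    return "reject" if evaluate(tree, decoded) else "accept"

if __name__ == "__main__":
    # constructed sample: a Subject encoded in iso-8859-5, matched only before decoding
    msg = {"Subject": "=?iso-8859-5?Q?=BF=E0=D8=D2=D5=E2?=", "From": "a@example.com"}
    print(apply_reject_rule('Subject = "iso-8859-5"', msg, scan_encoded=True))   # reject
    print(apply_reject_rule('Subject = "iso-8859-5"', msg, scan_encoded=False))  # accept
```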
8.3. Start<br />
When Daemon is started (with default settings) the following actions are performed:<br />
●the configuration file is located and loaded. If the configuration file is not found, the loading process terminates. The path to<br />
the configuration file can be specified at startup by the command line parameter -ini:<br />
{path/to/your/drweb32.ini}; otherwise the default value (%etc_dir/drweb32.ini) is used. At start<br />
several parameters are validated, and if a parameter value is not allowable the default value is applied;<br />
●the language file is loaded from the location specified in the configuration file. If the language file is not found, all messages are<br />
displayed in English;<br />
●the log file is created. The user account used by Daemon must have appropriate privileges to write to the directory where<br />
the log file is situated. Please note that ordinary users have no write access to the default /var/log/ directory. If the User<br />
parameter is specified, you must also redefine the LogFileName parameter and provide an alternative location;<br />
●the key file is loaded from the location specified in the configuration file. If the key file is not found, the loading process<br />
terminates;<br />
●if the User parameter (or the UserID and GroupID parameters) is specified, Daemon will offer to create an appropriate<br />
user account (default value: «drweb») and to use it with the permissions provided;<br />
●the Engine (drweb32.dll) is loaded. If the Engine is damaged or not found (because of errors in the configuration<br />
file), the loading process terminates;<br />
●virus databases are loaded in arbitrary sequence from the location specified in the configuration file. If the virus databases<br />
are damaged or absent, the loading process proceeds;<br />
●Daemon enters daemon mode, so information about loading problems can no longer be output to the console and is<br />
written to the log file instead;<br />
●the socket for interaction between Daemon and other «Dr.Web for UNIX file servers» solution modules is created. When<br />
TCP sockets are used, there can be several connections (loading continues if at least one connection is<br />
established). When a UNIX socket is used, Daemon's user account must have appropriate privileges to read from<br />
the directory containing this socket and to write to it. User accounts for the modules must have execute access to the<br />
directory itself and write and read access to the socket file. Please note that ordinary users have no write or execute<br />
access to the default /var/run/ directory. If the User parameter is specified, you must also redefine the Socket<br />
parameter and provide an alternative location. If the socket cannot be created, Daemon loading stops;<br />
●the pid-file with Daemon's PID and transport addresses is created. The user account used by Daemon must have<br />
appropriate privileges to write to the directory containing the pid-file. Please note that ordinary users have no write access to<br />
the default /var/run/ directory. If the User parameter is specified, you must also redefine the PidFile parameter<br />
and provide an alternative location. If the pid-file is not created, the loading process terminates.<br />
8.4. Signal Processing<br />
Dr.Web Daemon can also receive and process the following signals:<br />
●SIGHUP ― reload of the configuration file;<br />
●SIGTERM ― correct termination of the Daemon process;<br />
●SIGKILL ― forced termination of the Daemon process (if any problems have emerged).<br />
8.5. Verifying Availability of Dr.Web Daemon<br />
If no evident problems have occurred during load, Daemon is ready to work. To make sure Daemon was loaded correctly,<br />
run:<br />
$ netstat -a<br />
to check whether all necessary sockets were created.<br />
If TCP sockets are used:<br />
--- cut ---<br />
Active Internet connections (servers and established)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
tcp 0 0 localhost:3000 *:* LISTEN<br />
raw 0 0 *:icmp *:* 7<br />
raw 0 0 *:tcp *:* 7<br />
Active UNIX domain sockets (servers and established)<br />
Proto RefCnt Flags Type State I-Node Path<br />
unix 0 [ ACC ] STREAM LISTENING 384 /dev/gpmctl<br />
unix 0 [ ] STREAM CONNECTED 190 @0000001b<br />
unix 1 [ ] STREAM CONNECTED 1091 @00000031<br />
unix 0 [ ACC ] STREAM LISTENING 403 /tmp/.font-unix/fs7100<br />
unix 4 [ ] DGRAM 293 /dev/log<br />
unix 1 [ ] STREAM CONNECTED 1092 /dev/gpmctl<br />
unix 0 [ ] DGRAM 450<br />
unix 0 [ ] DGRAM 433<br />
unix 0 [ ] DGRAM 416<br />
unix 0 [ ] DGRAM 308<br />
--- cut ---<br />
If UNIX sockets are used:<br />
--- cut ---<br />
Active Internet connections (servers and established)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State<br />
raw 0 0 *:icmp *:* 7<br />
raw 0 0 *:tcp *:* 7<br />
Active UNIX domain sockets (servers and established)<br />
Proto RefCnt Flags Type State I-Node Path<br />
unix 0 [ ACC ] STREAM LISTENING 384 /dev/gpmctl<br />
unix 0 [ ] STREAM CONNECTED 190 @0000001b<br />
unix 1 [ ] STREAM CONNECTED 1091 @00000031<br />
unix 0 [ ACC ] STREAM LISTENING 1127 /opt/drweb/run/drwebd.skt<br />
unix 0 [ ACC ] STREAM LISTENING 403 /tmp/.font-unix/fs7100<br />
unix 4 [ ] DGRAM 293 /dev/log<br />
unix 1 [ ] STREAM CONNECTED 1092 /dev/gpmctl<br />
unix 0 [ ] DGRAM 450<br />
unix 0 [ ] DGRAM 433<br />
unix 0 [ ] DGRAM 416<br />
unix 0 [ ] DGRAM 308<br />
--- cut ---<br />
If the console output differs from the result given above and any of the sockets in the list is missing, errors occurred during<br />
load.<br />
To run a functional test and obtain service information, use the console client for Daemon (drwebdc).<br />
If TCP sockets are used:<br />
$ drwebdc -nHOSTNAME -pPORTNUM -sv -sb<br />
If a UNIX socket is used:<br />
$ drwebdc -uSOCKETFILE -sv -sb<br />
The client's console output must contain all the supported parameters. The following information should appear:<br />
--- cut ---<br />
- Version: DrWeb Daemon 5.00<br />
- Loaded bases:<br />
Base /var/drweb/bases/drwtoday.vdb contains 5 records.<br />
Base /var/drweb/bases/drw50003.vdb contains 409 records.<br />
Base /var/drweb/bases/drw50002.vdb contains 543 records.<br />
Base /var/drweb/bases/drwebase.vdb contains 51982 records.<br />
Base /var/drweb/bases/drw50001.vdb contains 364 records.<br />
Total 53303 virus-finding records.<br />
--- cut ---<br />
If the console output differs from the result given above, try to run drwebdc in enhanced diagnostic mode.<br />
If TCP sockets are used:<br />
$ drwebdc -nHOSTNAME -pPORTNUM -sv -sb -v<br />
If a UNIX socket is used:<br />
$ drwebdc -uSOCKETFILE -sv -sb -v<br />
More detailed output may clarify the situation:<br />
--- cut ---<br />
dwlib: fd: connect() failed - Connection refused<br />
dwlib: tcp: connecting to 127.0.0.1:3300 - failed<br />
dwlib: cannot create connection with a DrWeb daemon<br />
ERROR: cannot retrieve daemon version<br />
Error -12<br />
--- cut ---<br />
Open the readme.eicar.rus test file from the distribution package and follow its instructions to create the eicar.com test file<br />
in a text editor. Then try to scan it with Daemon.<br />
If you have a license for mail servers with 50 or more addresses:<br />
For TCP sockets:<br />
$ drwebdc -nHOSTNAME -pPORTNUM -e -f eicar.com<br />
For UNIX socket:<br />
$ drwebdc -uSOCKETFILE -e -f eicar.com<br />
If you have a license for mail servers with 15 or 30 addresses:<br />
For TCP sockets:<br />
$ drwebdc -nHOSTNAME -pPORTNUM -e -FEMAIL_ADDRESS -REMAIL_ADDRESS -f eicar.com<br />
For UNIX socket:<br />
$ drwebdc -uSOCKETFILE -e -FEMAIL_ADDRESS -REMAIL_ADDRESS -f eicar.com<br />
where EMAIL_ADDRESS is one of the addresses from email.ini.<br />
If you have a license for file servers or file-servers:<br />
For TCP sockets:<br />
$ drwebdc -nHOSTNAME -pPORTNUM -f eicar.com<br />
For UNIX socket:<br />
$ drwebdc -uSOCKETFILE -f eicar.com<br />
The console output must contain the following information:<br />
--- cut ---<br />
Results: daemon return code 0x20<br />
(known virus is found)<br />
--- cut ---<br />
If diagnostics failed and no output appeared, check Daemon's log file for a record of the event. If there is no record,<br />
try to run drwebdc in enhanced diagnostic mode. If you receive the same output as given above, Daemon is ready<br />
to work.<br />
8.6. Scanning Modes<br />
Dr.Web Daemon has two major scanning modes:<br />
●scanning chunks of data received from a socket;<br />
●scanning files on disk (local scan).<br />
In the first mode Daemon receives chunks of data for scanning from a socket. They can be named or anonymous (this<br />
affects only the way records are written to Daemon's log file). Daemon can scan any chunk of data received from the<br />
socket, even a file. For example, in the previous section of this Manual the console client for Daemon reads the specified file<br />
and sends it to Daemon for scanning. Operation in this mode is enabled by specifying No as the value of the LocalScan<br />
parameter in the smb_spider.conf configuration file.<br />
In the second mode Daemon scans the selected file on disk. The two major advantages of local scan mode are<br />
increased productivity and simplicity. Local scan mode is much more efficient: the console client or mail filter sends Daemon<br />
only the path to the file, not the whole file. Since clients can be located on different computers, the path must be specified with<br />
regard to the actual location of Daemon. Besides that, this mode simplifies the creation and deployment of reliable<br />
solutions for content scanning and curing of infected files (e.g. on file servers). Operation in this mode is enabled by<br />
specifying Yes as the value of the LocalScan parameter in the smb_spider.conf configuration file.<br />
Please note that local scan mode requires more careful adjustment of user privileges. Daemon must have read access<br />
to each file specified. If you run Daemon on a mail server with the Cure and Delete options enabled, you must allow write<br />
access as well.<br />
Using Daemon with mail servers requires special attention because mail filters usually act on behalf of the mail system<br />
and use its privileges. In local scan mode the mail filter usually creates a file with the message received from the mail system<br />
and passes Daemon the path to it. Here you must carefully set the access permissions of the directory where<br />
filters create these files. We recommend either including the user whose privileges Daemon uses in the mail<br />
subsystem group, or running Daemon with the privileges of the mail system user.<br />
A properly adjusted system does not require Daemon to use root privileges.<br />
9. Integrating Daemon with Samba File Server<br />
9.1. Requirements<br />
●Installed Dr.Web Daemon v.4.44 or higher;<br />
●Dr.Web Samba SpIDer plug-in module;<br />
●Samba v.3.0.x to v.3.4.x.<br />
9.2. Plug-in of Dr.Web Samba SpIDer Module<br />
Add the following section to the Samba configuration file (/etc/samba/smb.conf by default):<br />
--- cut ---<br />
[drweb_audit]<br />
comment = Dr.Web protected directory<br />
path = /directory/to/protect/<br />
vfs objects = smb_spider<br />
writeable = yes<br />
browseable = yes<br />
guest ok = yes<br />
public = yes<br />
--- cut ---<br />
You must restart the Samba file server after editing the configuration file.<br />
9.3. Start<br />
The Dr.Web Samba SpIDer monitor is activated when the first client opens a shared resource on the server. After its<br />
initialization the following actions are performed:<br />
●the versions of the Dr.Web Samba SpIDer interface and the Samba server are checked;<br />
●Dr.Web Samba SpIDer reads the configuration file (%etc_dir/smb_spider.conf by default);<br />
●Dr.Web Samba SpIDer starts monitoring clients' file operations.<br />
At the first and second stages Dr.Web Samba SpIDer outputs information to the system log (syslog). By default the<br />
following values are specified for the parameters controlling operation of the syslogd system utility:<br />
SyslogFacility = Daemon<br />
SyslogPriority = Info<br />
The recommended starting order is the following:<br />
●Dr.Web Daemon;<br />
●Dr.Web Samba VFS SpIDer.<br />
Please note that if Daemon is started with privileges not sufficient to read from (for the anti-virus check) and write to<br />
(for deletion, cure, etc.) files on a shared resource, it will operate in non-local scan mode by default and receive all<br />
necessary files via the socket. In this mode total system performance will be considerably reduced.<br />
If you want to assure the best performance, please pay special attention to providing Daemon with all the privileges<br />
necessary to access the shared resources.<br />
9.4. Configuration<br />
Dr.Web Samba VFS SpIDer can be used with default settings, but it is much more convenient to set it up according to your<br />
specific requirements and situation. Dr.Web Samba VFS SpIDer settings are stored in a configuration file (smb_spider.conf<br />
by default) which is located in the %etc_dir directory. To use another configuration file, specify the full path<br />
to it in the smb.conf configuration file by adding the following string:<br />
smb_spider: config = /my/new/path/smb_spider.conf<br />
A description of the configuration file structure and parameter types can be found in p. 1.5 of this Manual. Parameters are<br />
described in the order they are presented in the main configuration file.<br />
Address = {FAMILY : ADDRESS}<br />
List of socket addresses of Dr.Web Daemon. Addresses in the list are delimited by commas and specified in<br />
FAMILY:ADDRESS format.<br />
The FAMILY part can have one of the following values:<br />
●inet — TCP sockets are used, ADDRESS is PORT@HOST;<br />
●local — a UNIX socket is used, ADDRESS is SOCKETFILE;<br />
●pid — the real address of the Daemon process from its pid-file is used, ADDRESS is PIDFILE.<br />
Default value:<br />
Address = pid:%var_dir/run/drwebd.pid<br />
Cache = {Yes | No}<br />
Allows caching of the resolved IP address of Daemon's host. Otherwise its IP address is requested each time a<br />
file needs to be scanned. This parameter is used only if Daemon uses TCP sockets for communication.<br />
Default value:<br />
Cache = Yes<br />
Timeout = {value in seconds}<br />
Timeout for one scanning session. When the parameter value is set to 0, the maximum time for the scan of one file is not limited.<br />
Default value:<br />
Timeout = 120<br />
UseTcpNodelay = {Yes | No}<br />
The TCP_NODELAY option can be used to tune operation of the TCP socket if there are problems with the network.<br />
Please do not change the default value if your connection to the network is stable and the network itself operates fine.<br />
Default value:<br />
UseTcpNodelay = No<br />
HeuristicAnalysis = {Off | On}<br />
Enables/disables heuristic detection of unknown viruses. Enabling heuristic analysis allows detection of unknown viruses<br />
using knowledge about the specific architecture of viral code. The approximate nature of this type of virus detection makes us<br />
speak of «suspicious», not «infected» objects. With this option disabled only known viruses will be detected by Dr.Web.<br />
Some programs may cause the heuristic analyzer to mark files as «suspicious» by mistake due to code similar to a virus structure.<br />
Besides, this mode may slightly increase virus scan time. These considerations may lead you to disable heuristic<br />
analysis. At the same time, heuristic analysis improves the reliability of antivirus protection. We recommend that you send all<br />
files detected by the heuristic analyzer to the developers using http://vms.drweb.com/sendvirus/ (preferably) or via e-mail to<br />
newvirus@drweb.com. Follow this procedure to upload files: make a password protected archive, include the password in the<br />
message body and attach the Scanner report.<br />
Default value:<br />
HeuristicAnalysis = On<br />
StripPath = {numeric value}<br />
Allows removal of a certain number of segments from the beginning of the specified scan path. When the value of this<br />
parameter is set to 0, the path stays unmodified. When the value is set to 1, the first segment is removed, including the slash («/»)<br />
symbol. When the value is set to 2, two segments are removed from the beginning of the path, including the corresponding slash<br />
(«/») symbols.<br />
Example:<br />
If we have /some/path/to/file.ext specified as a scan path, then:<br />
●when StripPath = 1, the path will look like the following:<br />
path = some/path/to/file.ext<br />
●when StripPath = 2, the path will look like the following:<br />
path = path/to/file.ext<br />
Default value:<br />
StripPath = 0<br />
PrefixPath = {path to file}<br />
Specifies a path segment to be added to the beginning of the scan path after its processing by the StripPath parameter. Please<br />
note that the value of this parameter must not end with a slash («/») symbol. The required slash is inserted into the new<br />
scan path automatically.<br />
Example:<br />
If we have /some/path/to/file.ext specified as a scan path, and after processing by the StripPath parameter<br />
with 2 set as its value it looks like the following:<br />
path = path/to/file.ext<br />
then after automatic insertion of the slash symbol and processing by PrefixPath = /just/another, it will look like<br />
the following:<br />
path = /just/another/path/to/file.ext<br />
Default value:<br />
PrefixPath =<br />
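The StripPath and PrefixPath rewrite above, written out as one function so the general rule behind the two worked cases is visible. This is an added example, not the plug-in's own code; how the plug-in behaves when StripPath exceeds the number of segments, or when an unstripped absolute path is prefixed, is not stated in the Manual, so those cases are handled here by assumption.<br />

```python
# Added example (not Dr.Web code): the scan-path rewrite that StripPath and PrefixPath
# describe. The error cases below are assumptions; the manual does not define them.

def rewrite_scan_path(path: str, strip_path: int = 0, prefix_path: str = "") -> str:
    """Drop strip_path leading segments (each with its slash), then prepend prefix_path."""
    if strip_path < 0:
        raise ValueError("StripPath must be a non-negative number")
    if prefix_path.endswith("/"):
        raise ValueError("PrefixPath must not end with a slash; it is inserted automatically")
    # An absolute path splits into an empty first segment plus the named ones, so
    # StripPath = 1 removes exactly the leading slash and StripPath = 2 the first directory
    # as well, which reproduces the /some/path/to/file.ext cases in the manual.
    segments = path.split("/")
    if strip_path >= len(segments):
        raise ValueError("StripPath would remove the whole path, including the file name")
    stripped = "/".join(segments[strip_path:])
    if not prefix_path:
        return stripped
    # The joining slash is inserted automatically; if the stripped part still starts
    # with "/" (StripPath = 0 on an absolute path) no second slash is added (assumption).
    if stripped.startswith("/"):
        return prefix_path + stripped
    return prefix_path + "/" + stripped

if __name__ == "__main__":
    for n in (0, 1, 2):
        print(n, rewrite_scan_path("/some/path/to/file.ext", n))
    print(rewrite_scan_path("/some/path/to/file.ext", 2, "/just/another"))
```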
MaxFileSizeToScan = {value in Kbytes}<br />
Maximum size of a file for scanning. When the parameter value is set to 0, the maximum file size is not limited.<br />
Default value:<br />
MaxFileSizeToScan = 0<br />
ScanMode = {onWrite | onRead | onAccess}<br />
This parameter can have one of the following values:<br />
●onAccess — files will be scanned on each attempt to open or run them and also on closing after creation or<br />
modification.<br />
●onRead — files will be scanned on each attempt to open or run them only. This mode increases operation<br />
speed, but decreases the antivirus protection level (an infected file can be copied to the shared directory and executed by<br />
a user who has local access to the shared resource, not via the Samba server).<br />
●onWrite — files will be scanned on closing after creation or modification only. This mode increases<br />
operation speed, but decreases the antivirus protection level (an infected file can be copied to the shared directory and<br />
executed by a user who has local access to the shared resource, not via the Samba server).<br />
Default value:<br />
ScanMode = onAccess<br />
RewriteDataBase = {Yes | No}<br />
When the parameter value is set to Yes, the cache of md5 hashes of infected and clean files is created from scratch each time a<br />
new user accesses the shared directory. All data cached during the previous session is overwritten.<br />
Default value:<br />
RewriteDataBase = Yes<br />
BlockedCacheSize = {size in bytes}<br />
Size of the cache storing md5 hashes of scanned infected (and therefore blocked) files. When the parameter value is set to 0,<br />
md5 hashes are not cached. This parameter increases operation speed, because if the md5 hash of a requested file is<br />
the same as a cached md5 hash, the file is considered infected and is not sent to Daemon for a repeated scan.<br />
Default value:<br />
BlockedCacheSize = 4096<br />
AllowedCacheSize = {size in bytes}<br />
Size of the cache storing md5 hashes of scanned clean files. When the parameter value is set to 0, md5 hashes are not cached.<br />
This parameter increases operation speed, because if the md5 hash of a requested file is the same as a cached md5<br />
hash, the file is considered clean and is not sent to Daemon for a repeated scan.<br />
Default value:<br />
AllowedCacheSize = 4096<br />
LocalScan = {Yes | No}<br />
Enables local scan mode, in which Daemon receives not the whole file, but only its path. With LocalScan =<br />
Yes Daemon operates in local scan mode.<br />
Default value:<br />
LocalScan = Yes<br />
In non-local scan mode, or when Daemon does not have sufficient permissions to access a certain file, Dr.Web Samba VFS<br />
SpIDer can perform actions on files independently.<br />
LicenseLimit = {reject | pass}<br />
Action to be applied to files which have not been scanned due to license expiration. Possible values are: pass — allow<br />
access to the file, reject — block access to the file.<br />
Default value:<br />
LicenseLimit = reject<br />
Infected = {reject | quarantine | discard | rename | cure}<br />
Action to be applied to files infected with a known virus. Possible values are: cure — try to cure the infected file, rename —<br />
rename the file and block access to it, discard — delete the file, quarantine — move the file to quarantine and block access to<br />
it, reject — block access to the file. The rename mask looks like #??: the first character of the file extension is replaced by the «#»<br />
symbol, and all subsequent characters are preserved. If the file has no extension, it will consist only of the «#» symbol.<br />
Default value:<br />
Infected = quarantine<br />
Suspicious = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to suspicious files (possibly infected with an unknown virus). Possible values are: pass — allow access<br />
to the file, rename — rename the file and block access to it, discard — delete the file, quarantine — move the file to quarantine<br />
and block access to it, reject — block access to the file.<br />
Default value:<br />
Suspicious = quarantine<br />
Incurable = {reject | quarantine | discard | rename}<br />
Action to be applied to files that cannot be cured. Possible values are: rename — rename the file and block access to it, discard —<br />
delete the file, quarantine — move the file to quarantine and block access to it, reject — block access to the file.<br />
Default value:<br />
Incurable = quarantine<br />
Adware = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to adware. Possible values are: pass — allow access to the file, rename — rename the file and block<br />
access to it, discard — delete the file, quarantine — move the file to quarantine and block access to it, reject — block<br />
access to the file.<br />
Default value:<br />
Adware = quarantine<br />
Dialers = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to dialer programs. Possible values are: pass — allow access to the file, rename — rename the file and<br />
block access to it, discard — delete the file, quarantine — move the file to quarantine and block access to it, reject —<br />
block access to the file.<br />
Default value:<br />
Dialers = quarantine<br />
Jokes = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to joke programs, which can scare or annoy the user. Possible values are: pass — allow access to the file,<br />
rename — rename the file and block access to it, discard — delete the file, quarantine — move the file to quarantine and<br />
block access to it, reject — block access to the file.<br />
Default value:<br />
Jokes = quarantine<br />
Riskware = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to riskware. Possible values are: pass — allow access to the file, rename — rename the file and block<br />
access to it, discard — delete the file, quarantine — move the file to quarantine and block access to it, reject — block<br />
access to the file.<br />
Default value:<br />
Riskware = quarantine<br />
Hacktools = {reject | quarantine | discard | rename | pass}<br />
Action to be applied to programs used to gain unauthorized access to computer systems. Possible values are: pass —<br />
allow access to the file, rename — rename the file and block access to it, discard — delete the file, quarantine — move the file<br />
to quarantine and block access to it, reject — block access to the file.<br />
Default value:<br />
Hacktools = quarantine<br />
Archives = {reject | quarantine | discard | rename}<br />
Action to be applied to archives containing infected files. To enable deletion of such archives set<br />
EnableDeleteArchiveAction = Yes in the main configuration file drweb32.ini. Possible values are: rename<br />
— rename the archive and block access to it, discard — delete the archive, quarantine — move the archive to quarantine and<br />
block access to it, reject — block access to the archive.<br />
Default value:<br />
Archives = quarantine<br />
SkipObject = {reject | pass}<br />
Action to be applied to files which cannot be scanned by Daemon (password protected or broken archives, symbolic links<br />
or non-regular files). Possible values are: pass — allow access to the file, reject — block access to the file.<br />
Default value:<br />
SkipObject = pass<br />
ArchiveRestriction = {reject | pass}<br />
Action to be applied to archives which cannot be scanned by Daemon because they exceed the limits set for archives in the main<br />
configuration file drweb32.ini. Possible values are: pass — allow access to the file, reject — block access to the file.<br />
Default value:<br />
ArchiveRestriction = pass<br />
ScanningErrors = {reject | pass}<br />
Action to be applied to files causing Daemon errors during scan (e.g. Daemon has run short of memory or does not have<br />
proper privileges for further processing). Possible values are: pass — allow access to the file, reject — block access to<br />
the file.<br />
Default value:<br />
ScanningErrors = reject<br />
ProcessingErrors = {reject | pass}<br />
Action to be applied to files causing Samba SpIDer errors during scan (e.g. Samba VFS SpIDer was not configured<br />
properly or cannot connect to Daemon). Possible values are: pass — allow access to the file, reject — block access to<br />
the file.<br />
Default value:<br />
ProcessingErrors = reject<br />
SendNotifyToUser = {Off | On}<br />
Allows notifying users about detection of a virus in a file. Windows Messenger (WinPopup) is used for sending<br />
notifications on Windows systems. LinPopup (for Linux) is used for sending notifications on UNIX systems. UNIX users<br />
must have a properly configured message receiving utility to receive these notifications.<br />
Default value:<br />
SendNotifyToUser = off<br />
SendNotifyToAdmin = {Off | On}<br />
Allows notifying the Administrator about events emerging during scan (e.g. detection of a virus). Windows Messenger<br />
(WinPopup) is used for sending notifications on Windows systems. LinPopup (for Linux) is used for sending notifications on<br />
UNIX systems. On UNIX systems it is also possible to send notifications via e-mail. To enable this option add the<br />
following line to the smb.conf configuration file:<br />
message command = /usr/bin/mail -s 'Messages from %f on %m' {address} < %s ; rm %s<br />
where {address} is the e-mail address of the Administrator.<br />
Default value:<br />
SendNotifyToAdmin = off<br />
AdminAddress = {Address}<br />
IP address of the Administrator's computer.<br />
Default value:<br />
AdminAddress = "127.0.0.1"<br />
ShellScriptForBlockedFile = {path to file}
Path to a shell script that is run when a file is blocked. Dr.Web Samba VFS SpIDer passes the following parameters to the
script: FileName — name of the infected file; UserName — login name of the user who tried to open the infected file;
UserHost — name of the host from which the user tried to open the infected file; DaemonReport — the report from the Daemon.
An example of such a script can be found in the %bin_dir/doc/samba/ directory (file smb_script.sh).
Default value:
ShellScriptForBlockedFile =
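An added example of such a handler, written for this manual and not the smb_script.sh shipped in %bin_dir/doc/samba/. It assumes that the four values arrive as positional arguments in the order listed above (FileName, UserName, UserHost, DaemonReport); the manual does not state the calling convention, so that order, the syslog severity and the audit file path are assumptions:

```shell
#!/bin/sh
# Added example of a ShellScriptForBlockedFile handler (not the bundled smb_script.sh).
# Assumption: Samba VFS SpIDer passes the four values as positional arguments
# in the order FileName UserName UserHost DaemonReport.

# Build one single-line record from the four values. Control characters
# (newlines, tabs, escape sequences) are stripped from every field so that a
# share user cannot forge extra log lines or terminal escapes through a
# crafted file name.
format_block_record() {
    f=$(printf '%s' "$1" | tr -d '[:cntrl:]')
    u=$(printf '%s' "$2" | tr -d '[:cntrl:]')
    h=$(printf '%s' "$3" | tr -d '[:cntrl:]')
    r=$(printf '%s' "$4" | tr -d '[:cntrl:]')
    printf 'blocked file=%s user=%s host=%s report=%s\n' "$f" "$u" "$h" "$r"
}

# Append the record to an audit file; $5 is the audit file path. Keep that
# file readable only by root and the account smbd runs under.
append_block_record() {
    format_block_record "$1" "$2" "$3" "$4" >> "$5"
}

# When invoked by the VFS module with the four parameters, send the record to
# syslog (the daemon facility matches the SyslogFacility default above; the
# warning severity is an assumption) and to a local audit file. Nothing runs
# when the file is merely sourced.
if [ "$#" -eq 4 ]; then
    rec=$(format_block_record "$@")
    logger -p daemon.warning -t smb_spider "$rec"
    append_block_record "$1" "$2" "$3" "$4" /var/log/smb_spider_blocked.log   # assumed path
fi
```

Point ShellScriptForBlockedFile at the saved script and make it executable by the account that smbd runs under; the record it writes gives the user, source host and Daemon verdict for every blocked access, which is what an incident responder needs when tracing how an infected file reached the share.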
Quarantine = {path to directory}
Path to the quarantine directory.
Default value:
Quarantine = %var_dir/infected/
QuarantineFilesMode = {access permissions}
Access permissions of files placed in quarantine.
Default value:
QuarantineFilesMode = 0660
Level = {Debug | Verbose | Info | Alerts | Errors | Quiet}
Log verbosity level.
Default value:
Level = Info
SyslogFacility = {Local7 | ... | Local0 | Daemon | Mail}
Syslog facility (log type) used when the syslogd system service is used for activity logging (refer to the syslog
documentation for further details).
Default value:
SyslogFacility = Daemon
SyslogPriority = {Alert | Notice | Info | Debug}
Priority of records when the syslogd system service is used.
Default value:
SyslogPriority = Info
Dr.Web Samba VFS SpIDer can also receive configuration information from the Dr.Web Agent module. To enable this option,
insert the following line into the smb.conf configuration file:
smb_spider: config = %var_dir/ipc/.agent
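Several of the parameters above decide whether the module fails open or closed (ProcessingErrors), who can read quarantined samples (QuarantineFilesMode) and whether events are recorded at all (Level). The following added script, which is not a Dr.Web tool, reads an smb_spider.conf and reports values that weaken those protections. It assumes the file consists of "Key = Value" lines as shown in this reference and that '#' starts a comment; the sample configuration it writes is constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not a Dr.Web tool): audit an smb_spider.conf for settings that
# weaken protection or visibility. Assumes the file consists of "Key = Value"
# lines as shown in this reference and that '#' starts a comment (assumption).

# conf_get FILE KEY: print the last value assigned to KEY (case-insensitive),
# with surrounding blanks and double quotes removed; empty if unset.
conf_get() {
    awk -v key="$2" '
        { sub(/#.*/, "") }
        index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# audit_smb_spider_conf FILE: print one line per finding; prints nothing when
# the file keeps the fail-closed defaults.
audit_smb_spider_conf() {
    pe=$(conf_get "$1" ProcessingErrors | tr '[:upper:]' '[:lower:]')
    if [ "$pe" = "pass" ]; then
        echo "ProcessingErrors = pass: access is allowed when the module cannot scan (fail-open); the default is reject"
    fi
    qm=$(conf_get "$1" QuarantineFilesMode)
    # The mode is octal; its last digit is the permission set for 'other'.
    # Any non-zero digit lets every local account read the quarantined samples.
    case "$qm" in
        *[1-7]) echo "QuarantineFilesMode = $qm: quarantined files are accessible to 'other'; the default is 0660" ;;
    esac
    lv=$(conf_get "$1" Level | tr '[:upper:]' '[:lower:]')
    if [ "$lv" = "quiet" ]; then
        echo "Level = Quiet: scanner events are not logged; the default is Info"
    fi
}

# write_sample_conf FILE: write a constructed fragment that mixes weak and
# default values, used to exercise the checks above.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed smb_spider.conf fragment (not a shipped file)
ProcessingErrors = pass
SendNotifyToAdmin = On
AdminAddress = "127.0.0.1"
Quarantine = %var_dir/infected/
QuarantineFilesMode = 0664
Level = Quiet
SyslogFacility = Daemon
EOF
}

# Usage: sh audit_smb_spider.sh /path/to/smb_spider.conf
if [ "$#" -eq 1 ]; then
    audit_smb_spider_conf "$1"
fi
```

Run it against the live configuration after every change and from a periodic job; an empty report means the three settings are at the defaults documented above.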
9.5. Interaction with Distributed File System (MS DFS)
Distributed File System allows administrators to organize shared folders located on different servers into an integrated
structure with its own hierarchy and directory names, so that the user sees it as a single resource and can
navigate it without needing to know the server names or shared folders hosting the data.
Dr.Web Samba VFS SpIDer can work with Samba-based MS DFS only if installed on the backend servers. If Dr.Web Samba
VFS SpIDer is installed on the frontend server, it will be able to check only those files which are written directly to this server
(or read directly from it).
10. «Dr.Web console for UNIX file servers»
Setup and configuration of «Dr.Web for UNIX file servers» can be performed via a separate web interface, «Dr.Web console
for UNIX file servers». It is implemented as a plug-in to Webmin (detailed information about the Webmin interface is available
on its official website at http://www.webmin.com/).
To achieve optimal performance of the «Dr.Web console for UNIX file servers» web interface, make sure that the
following Perl modules are installed on your system:
●XML::Parser — Perl module for parsing XML documents;
●XML::XPath — set of modules for parsing and evaluating XPath statements;
●CGI — Perl module enabling operation with the Common Gateway Interface;
●Text::Iconv — Perl interface to the iconv() codeset conversion function;
●perl-devel (or libperl-dev, depending on the UNIX distribution) — a package needed to build Text::Iconv;
●JSON — Perl module for parsing and converting to JSON (JavaScript Object Notation).
If some modules are missing, it is recommended to install them from the console. Module names may vary, but
usually they are included in the following packages: perl-Convert-BinHex, perl-IO-stringy, perl-XML-Parser,
perl-XML-XPath. For installation on rpm-based systems it is recommended to choose noarch.rpm packages.
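An added check, not part of the Webmin plug-in, that reports which of the modules listed above cannot be loaded by the system perl before you install the console. It tests only the Perl modules; perl-devel/libperl-dev is a distribution package rather than a module and is not checked:

```shell
#!/bin/sh
# Added example (not part of the Dr.Web Webmin plug-in): report which of the
# Perl modules required by the console are missing on this host.

# check_perl_module NAME: print "present" if perl can load NAME, else "missing"
# (also "missing" when perl itself is not installed).
check_perl_module() {
    if perl -M"$1" -e 1 >/dev/null 2>&1; then
        echo present
    else
        echo missing
    fi
}

# list_missing_modules MOD...: print the names of the modules that are missing,
# one per line; prints nothing when all are present.
list_missing_modules() {
    for m in "$@"; do
        [ "$(check_perl_module "$m")" = missing ] && echo "$m"
    done
    return 0
}

# The modules named in the manual for the console web interface.
REQUIRED_MODULES="XML::Parser XML::XPath CGI Text::Iconv JSON"

if [ "$#" -eq 0 ]; then
    missing=$(list_missing_modules $REQUIRED_MODULES)
    if [ -n "$missing" ]; then
        echo "Missing Perl modules:"
        echo "$missing"
    else
        echo "All required Perl modules are installed."
    fi
fi
```

Run it as the account Webmin uses for its perl, since a module installed only into another user's local library path will not be visible to the console.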
Web interface layout and appearance may differ depending on the Webmin version and browser used. All screenshots
provided in this document were made with Webmin 1.450 and Firefox 3.0.7 (Mozilla/5.0 (Windows; U; Windows NT 5.1;
ru; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7) using default settings.
10.1. Installation
To start working with «Dr.Web console for UNIX file servers», do the following:
●set up Webmin;
●download the installation packages with the Webmin modules from the Dr.Web website at http://download.drweb.com/:
drweb-lib-web-5.0.0.tar.bz2 with the common libraries and drweb-samba-web-5.0.0.tar.bz2
with the web interface of «Dr.Web console for UNIX file servers»;
●plug both modules into Webmin.
Webmin modules can be plugged in and their additional parameters set up via Webmin's web interface.
Figure 12. Main page of Webmin web interface
New modules can be installed on the «Webmin Configuration» page of the «Webmin» section
of the main menu, in the «Webmin Modules» subsection.
Figure 13. «Webmin Configuration» page
To install the necessary modules, click the «Browse» button next to the «From local file» text field on the «Webmin
Modules» page. A separate browser window opens for navigating through folders and files. Choose
the corresponding installation package from the list.
Figure 14. «Webmin modules» subsection
One click on any item in the list selects it into the field below. A second click on a previously selected folder
opens it. A second click on a previously selected file closes the navigation window, and the full path to the selected file appears
in the «From local file» text field. You may also click the «OK» button when you have finished selecting the required
file.
After selecting the installation package file, click the «Install Module» button. Please note that the
common libraries (from the drweb-lib-web-5.0.0.tar.bz2 package) must be installed before the «Dr.Web console
for UNIX file servers» web interface (from the drweb-samba-web-5.0.0.tar.bz2 package).
After installation is finished, a link to the new «Dr.Web console for UNIX
file servers» module appears in the «Servers» section of the main menu.
Figure 15. Link to the new «Dr.Web console for UNIX file servers» module
10.2. Basic configuration
To change the language of the Webmin and «Dr.Web console for UNIX file servers» web interfaces, go to the «Change
Language and Theme» page in the «Webmin» section of the main menu.
Figure 16. «Change Language and Theme» page
If you want to russify both web interfaces, choose the «Russian KOI8 (RU_SU)» or «Russian CP1251
(RU_RU)» option from the «Webmin UI language -> Personal choice..» drop-down menu. If you
choose the «Russian UTF-8 (RU.UTF-8)» option, only the «Dr.Web console for UNIX file servers» web interface will be
russified.
On the same page you can change the layout of the Webmin web interface (with the «Webmin UI theme -> Personal
choice..» drop-down menu) and set a new password for accessing Webmin (in the «Webmin login password ->
Set to..» text field).
To save and apply all changes, click the «Make Changes» button and then refresh the page.
At the very top of the «Dr.Web console for UNIX file servers» pages there is a «Module config» link, under which the basic
module settings are gathered. There you can specify the path to the configuration file smb_spider.conf.
Figure 17. Module configuration
10.3. User interface
Please note that you will not be able to use the browser's standard «Back» function while navigating through the «Dr.Web console
for UNIX file servers» chapter. If you click the «Back» button or the corresponding key combination, you will go straight to the
previous chapter from the main menu.
Figure 18. «Dr.Web console for UNIX file servers»
On the right side of the module header, information about the current versions of Dr.Web Samba VFS SpIDer and the Dr.Web web
interface is shown.
Under the module header there are two sections: «Quarantine» and «Configuration». By default the «General
Settings» tab of the «Configuration» section is opened.
10.3.1. «Configuration»
Parameter values can be selected from drop-down menus or specified manually in the corresponding text fields.
After changing any parameter value, you can immediately undo the change or restore the default value with one click on
the corresponding icon that appears beside it. You will be able to restore default values at any time, even after you save the
changes.
To review all changes made on the current tab, use the «Preview» button. On the screen that appears you can choose whether to
save all changes or only some of them (by unchecking the box next to each changed value). If something seems not
ready, return to the previous screen by clicking the «Continue editing» button.
Figure 19. Preview screen
When you click the «Save» or «Save and apply» button, a notification message appears. Click on it to return to the main
screen.
Figure 20. Save screen
10.3.1.1. «General settings» tab
Figure 21. General settings
Values for parameters on this tab can be selected from drop-down menus or specified manually in the corresponding text
fields. A detailed description of almost every parameter can be found in the corresponding reference under the «more» link.
10.3.2. «Quarantine»
When the «move» action is specified as the value for parameters on the «General settings» tab, blocked objects are
placed in the quarantine directory. Suspicious files are put into the corresponding directory in whole. On the main page of
the «Quarantine» section you will find a list of links to these files and will be able to download any of them for more
detailed inspection.
Figure 22. Quarantine
You can delete any file from the quarantine directory by selecting the corresponding checkbox and clicking the «Delete» button.
11. Contact information
The «Dr.Web for UNIX file servers» solution is constantly being improved. News and the latest information on its updates are
available on the website http://www.drweb.com/.
Sales department:
http://buy.drweb.com/
e-mail: sales@drweb.com.
Technical support service:
http://support.drweb.com/
e-mail: support@drweb.com.
Please include the following information in your problem report:
●full name and version of your UNIX distribution;
●Dr.Web product version;
●configuration files of the installed components;
●log files of the installed components.
Appendix 1. The License Policy
The «Dr.Web for UNIX file servers» solution is available as a separate product and as a part of the «universal» and «economy»
Dr.Web kits. Types of licenses vary correspondingly.
All licenses can be purchased for definite terms, i.e. for 1, 2 or 3 years. The number of protected file servers may also vary.
License terms, their quantitative parameters and limitations may differ for various regional partners of Doctor Web,
or may be revised hereafter. To learn more about regional license terms, contact our partner in your region. A list of the
trusted partners of Doctor Web can be found on the corporate website http://partners.drweb.com/list/.
During the whole license term the client has the right to receive updates from the Dr.Web Global Updating System servers
and to receive technical support from Doctor Web and its partners.
Protection of file servers (http://products.drweb.com/fileserver/unix/)
The «Dr.Web for UNIX file servers» solution is licensed according to the number of file servers used. The minimal license covers
protection of 1 file server.