VirusScan for Linux 1.7 Best Practices Guide - Errors - McAfee
Best Practices Guide<br />
McAfee VirusScan Enterprise for Linux<br />
1.7.0
COPYRIGHT<br />
Copyright © 2012 McAfee, Inc. Do not copy without permission.<br />
TRADEMARK ATTRIBUTIONS<br />
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.<br />
LICENSE INFORMATION<br />
License Agreement<br />
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS<br />
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU<br />
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR<br />
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A<br />
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET<br />
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF<br />
PURCHASE FOR A FULL REFUND.<br />
2 McAfee VirusScan Enterprise for Linux 1.7.0 Best Practices Guide
Contents<br />
1 Introduction 5<br />
    Features 5<br />
2 Hardware and software requirements 7<br />
3 Pre-installation instructions 9<br />
    Standalone machine 9<br />
    Managed using ePolicy Orchestrator 10<br />
4 Post-installation instructions 11<br />
    Standalone machine 11<br />
        Testing On-access scanning 11<br />
        Testing On-demand scanning 12<br />
    Managed using ePolicy Orchestrator 12<br />
        Testing On-demand scanning 12<br />
        Details of managed nodes 12<br />
        Configuring policies 12<br />
        Default Queries 13<br />
5 Product Configurations 15<br />
    Scanning policies 15<br />
        On-access policy 15<br />
        On-demand policy 16<br />
    On-demand scanning 16<br />
    Anti-virus exclusions 16<br />
    Recovering quarantined items 17<br />
    Run-time kernel modules 18<br />
    Third-party software coexistence 18<br />
6 Tips and Tricks 19<br />
7 KnowledgeBase articles 21<br />
1 Introduction<br />
Features<br />
McAfee VirusScan Enterprise for Linux delivers always-on, real-time anti-virus protection for Linux environments. Its unique, Linux-based on-access scanner constantly monitors the system for potential attacks.<br />
McAfee VirusScan Enterprise for Linux protects Linux servers and desktops from viruses, Trojan horses, potentially unwanted programs, and other malware.<br />
This section describes the product features of the McAfee VirusScan Enterprise for Linux software.<br />
Features include:<br />
• Run-time kernel module support.<br />
• Support for the following cluster services:<br />
    • Novell Cluster Services (NCS)<br />
    • Corosync OCFS2 File System Cluster<br />
    • Red Hat GFS2 Clustering File System<br />
• Support for the auditing subsystem.<br />
• Support for SAN and NAS.<br />
• Integration with Anti-virus Engine version 5400.<br />
• Integration with McAfee Agent (MA) versions 4.5 Patch 2, 4.6 and 4.6.1.<br />
• Integration with McAfee ePolicy Orchestrator (ePO) versions 4.5.x, 4.6 and 4.6.1.<br />
• Enhanced file system support for on-access scanning. Refer to KnowledgeBase article KB73344.<br />
• Default queries in ePolicy Orchestrator for compliance and threat event reports.<br />
• SMTP notification mechanism.<br />
• History of critical events such as malware detections, on-demand scans and DAT/Engine updates.<br />
• Support for running on-demand and scheduled scan tasks simultaneously.<br />
• Web-based interface to manage the software from anywhere.<br />
• Mod-versioning for automatic kernel support.<br />
• Regular-expression based exclusions for on-access and on-demand scans, configured from the user interface.<br />
2 Hardware and software requirements<br />
The following hardware and software are required:<br />
Supported operating systems (32-bit/64-bit)<br />
• SuSE Linux Enterprise Server/Desktop 10.x<br />
• SuSE Linux Enterprise Server/Desktop 11.x<br />
• Red Hat Enterprise 5.x Advanced Platform, Desktop<br />
• Red Hat Enterprise 6.x Server, Workstation, Client<br />
• Novell Open Enterprise Server 2.x<br />
• CentOS 5.x<br />
• CentOS 6.x<br />
• Ubuntu 10.04, 10.10 and 11.04 (Desktop/Server edition)<br />
Supported kernels<br />
• McAfee VirusScan Enterprise for Linux v1.7 supports all kernels available on the supported distributions.<br />
Supported processors<br />
• Intel x86 architecture-based processor<br />
• Intel x86_64 architecture-based processor that supports Intel Extended Memory 64 Technology (Intel EM64T)<br />
• AMD x86_64 architecture-based processor with AMD 64-bit technology<br />
Memory<br />
• Minimum: 2 GB<br />
• Recommended: 4 GB<br />
Free disk space<br />
• Minimum: 1 GB<br />
Supported browsers<br />
• Microsoft Internet Explorer 5.5, 6.0, 7.0 and 8.0<br />
• Konqueror 3.5.1, 4.1.3, 4.2.x, and 4.3.x<br />
• Mozilla 0.9.9, 1.0.1, 1.2.1, 1.4, 1.6, 1.7.8, 1.8.x, and 1.9.x<br />
• Firefox 1.0, 1.5, 2.0, 3.0, 3.5, 3.6, 4.0, 5.0, and 6.0<br />
Supported McAfee management software<br />
• McAfee ePolicy Orchestrator 4.5<br />
• McAfee ePolicy Orchestrator 4.6<br />
Supported McAfee Agent software<br />
• McAfee Agent 4.5 Patch 2<br />
• McAfee Agent 4.6<br />
Display<br />
Monitor screen with a recommended minimum resolution of 1024 x 768.<br />
3 Pre-installation instructions<br />
This chapter covers the pre-installation requirements and the list of actions you must follow as a best practice before installing McAfee VirusScan Enterprise for Linux.<br />
Contents<br />
Standalone machine<br />
Managed using ePolicy Orchestrator<br />
Standalone machine<br />
This section provides a list of actions you must perform before installing McAfee VirusScan Enterprise for Linux. This applies only when the suite is installed on a machine in unmanaged mode.<br />
• Make sure the system meets the minimum hardware and software requirements for installing McAfee VirusScan Enterprise for Linux. Refer to the Hardware and software requirements section.<br />
• You must have root or sudo privileges to install McAfee VirusScan Enterprise for Linux. The account must be a sudo user so that its credentials can be authenticated during product installation.<br />
• If you are installing McAfee VirusScan Enterprise for Linux on Open Enterprise Server, you must create a user nails and a group nailsgroup in your eDirectory and enable LUM (Linux User Management) for them. Give the nails user administrative privileges on all the NSS volumes. For more information, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Installation Guide.<br />
• If you are installing VirusScan Enterprise for Linux on a 64-bit RHEL 6.x system, ensure that the 32-bit RHEL 6.x PAM libraries are also installed.<br />
• If you are installing VirusScan Enterprise for Linux on a 64-bit Ubuntu system, ensure that the 32-bit Ubuntu libraries are also installed. Refer to the following KnowledgeBase article for more details: https://kc.mcafee.com/corporate/index?page=content&id=KB71201<br />
• If you are installing VirusScan Enterprise for Linux on an Ubuntu system, make sure to run the installer script using the bash shell.<br />
• Remove any version of the VirusScan Enterprise for Linux product older than LinuxShield 1.5.1 before installing this version.<br />
• Make sure that there are no third-party anti-virus products installed on your machine.<br />
Managed using ePolicy Orchestrator<br />
This section provides a list of actions you must perform before deploying McAfee VirusScan Enterprise for Linux using McAfee ePolicy Orchestrator version 4.5.x or 4.6.x.<br />
• Use administrator credentials for the ePolicy Orchestrator service.<br />
• Make sure that McAfee Agent is checked in to the ePolicy Orchestrator repository.<br />
• Make sure the McAfee Agent extensions are checked in to ePolicy Orchestrator.<br />
• You can deploy McAfee Agent directly from ePO 4.6.x by clicking the New Systems tab and pushing the non-Windows agent to the Linux client.<br />
• Make sure the system meets the minimum hardware and software requirements for installing McAfee VirusScan Enterprise for Linux. Refer to the Hardware and software requirements section.<br />
• To deploy McAfee VirusScan Enterprise for Linux with customized settings, copy the nails.options file to the /root and / directories on your Linux client system. To learn how to create the nails.options file, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Installation Guide.<br />
• If you are installing McAfee VirusScan Enterprise for Linux on Open Enterprise Server, you must create a user nails and a group nailsgroup in your eDirectory and enable LUM (Linux User Management) for them. Give the nails user administrative privileges on all the NSS volumes. For more information, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Installation Guide.<br />
• Remove any version of the VirusScan Enterprise for Linux product older than LinuxShield 1.5.1 before installing this version.<br />
• Copy the install.sh file from ePolicy Orchestrator to your Linux clients using SCP or FTP, or by downloading install.sh from a browser onto your Linux client. For more instructions on how to download the file, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Installation Guide. If you use FTP to copy the install.sh file, ensure that you copy the file in binary mode.<br />
• Make sure that there are no third-party anti-virus products installed on your machine.<br />
4 Post-installation instructions<br />
This chapter provides instructions on what you need to verify after installing McAfee VirusScan Enterprise for Linux. It gives separate post-installation instructions for a standalone installation and for an installation managed using ePolicy Orchestrator.<br />
Contents<br />
Standalone machine<br />
Managed using ePolicy Orchestrator<br />
Standalone machine<br />
This section tells you what to verify after installing the software on a standalone machine.<br />
After installing McAfee VirusScan Enterprise for Linux, verify that the following functions are working properly:<br />
• On-access scanning<br />
• On-demand scanning<br />
To verify on-access and on-demand scanning, we will use the EICAR test file. The EICAR test file was developed by the European Institute for Computer Antivirus Research to test the response of computer anti-virus programs.<br />
Before you begin testing, make sure that McAfee VirusScan Enterprise for Linux is updated with the latest DATs.<br />
Testing On-access scanning<br />
Use this task to verify on-access scanning on a standalone machine.<br />
Ensure on-access scanning is disabled in the McAfee VirusScan Enterprise for Linux On-Access settings.<br />
Task<br />
1 From a web browser, go to: https://:55443<br />
2 Log on with the user name and password provided during installation.<br />
3 Click On-Access Settings, then Edit.<br />
4 Deselect Enable On-Access scanning and click Apply.<br />
5 From your browser, go to: http://eicar.org.<br />
6 Click ANTI-MALWARE TESTFILE and follow the instructions in The Anti-Malware Testfile section to create the test file on the desktop.<br />
7 Enable on-access scanning from the On-Access settings of the software.<br />
8 Try copying the EICAR file downloaded to your Linux client's desktop to /tmp.<br />
You can see that the file is not copied to the target directory and is missing from the desktop. The file is quarantined, and the Host Summary section in the user interface shows one detected item.<br />
Testing On-demand scanning<br />
Use this task to verify on-demand scanning on a standalone machine.<br />
Ensure on-access scanning is disabled in the McAfee VirusScan Enterprise for Linux On-Access settings by following the steps in the section above.<br />
Task<br />
1 From your browser, go to: http://eicar.org.<br />
2 Click ANTI-MALWARE TESTFILE and follow the instructions in The Anti-Malware Testfile section to create the test file on the desktop.<br />
3 From the VirusScan Enterprise for Linux user interface, click Schedule Tasks.<br />
4 Create a new on-demand scan task to scan the downloaded file immediately.<br />
5 Once the scan is complete, view the results of the scan.<br />
You can see that the EICAR test virus is detected in the scan results. You can also view these results from the Detected Items and System Events pages.<br />
Managed using ePolicy Orchestrator<br />
After deploying McAfee VirusScan Enterprise for Linux on managed nodes, you can verify on-demand scanning and the details of the managed nodes, in addition to the tests described in the previous section.<br />
You can also enforce policies and verify the reports on the ePolicy Orchestrator server or the managed nodes.<br />
Testing On-demand scanning<br />
Use this task to verify on-demand scanning using ePolicy Orchestrator.<br />
To test on-demand scanning, download an EICAR test file on the Linux client after disabling on-access scanning, then schedule an on-demand scan to run immediately. Refer to the McAfee VirusScan Enterprise for Linux — Configuration Guide for instructions on scheduling on-demand scan tasks using ePolicy Orchestrator.<br />
Details of managed nodes<br />
You can verify the details of the managed nodes by clicking System Tree in ePolicy Orchestrator.<br />
Configuring policies<br />
For instructions on configuring and enforcing policies, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Configuration Guide. To verify on-access and on-demand scanning events, check the Reports; for this you need to install the McAfee VirusScan Enterprise for Linux 1.7 report extensions on ePolicy Orchestrator.<br />
Default Queries<br />
This section provides details on the default queries. McAfee ePolicy Orchestrator has its own querying and reporting capabilities. When the VirusScan Enterprise for Linux reports extension is installed into ePolicy Orchestrator, it provides a set of default queries. You can also create new queries, and edit and manage all the queries related to McAfee VirusScan Enterprise for Linux.<br />
By default there are two VirusScan Enterprise for Linux queries.<br />
Table 4-1 VirusScan Enterprise for Linux — Default queries<br />
Query: VSEL: VirusScan Enterprise for Linux Compliance<br />
Description: Shows a graphical display of the compliant and non-compliant Linux systems in the network. When you run this query, you should see the VirusScan Enterprise for Linux machine showing up in the report.<br />
Query: VSEL: VirusScan Enterprise for Linux Threats<br />
Description: Shows a graphical display of the threat summary and the action taken on all Linux systems in the network.<br />
5 Product Configurations<br />
This chapter provides recommendations for configuring the on-access and on-demand scanning policies, anti-virus exclusions, recovering quarantined items, run-time kernel modules and third-party software coexistence for McAfee VirusScan Enterprise for Linux 1.7.<br />
For more information on how to configure the product, refer to the McAfee VirusScan Enterprise for Linux 1.7 — Product Guide.<br />
Contents<br />
Scanning policies<br />
On-demand scanning<br />
Anti-virus exclusions<br />
Recovering quarantined items<br />
Run-time kernel modules<br />
Third-party software coexistence<br />
Scanning policies<br />
This section provides recommendations for on-access and on-demand scanning policies.<br />
On-access policy<br />
Here are the best practices for configuring on-access policies. These can vary according to your requirements.<br />
The following configuration identifies viruses and other malicious programs and prevents them from being copied or written to your Linux machines, in real time.<br />
• Disable the Scan files on network mounted volumes option. Enable this option only if you cannot install a McAfee anti-virus solution on your network servers.<br />
• Always enable the Quarantine option as the secondary action for virus detections, so that you can retrieve the files from the quarantine folder later if required. See the Recovering quarantined items section for how to retrieve quarantined files.<br />
• Set the Action if scan error occurs option to Deny access in the On-Access settings.<br />
• Disable Decompress archives to increase performance.<br />
On-demand policy<br />
Here are the best practices for configuring on-demand policies. These can vary according to your requirements.<br />
The following configuration identifies and eliminates viruses and other malicious programs on your Linux machines when a scheduled or on-demand scan runs on the client system.<br />
• Always enable Decompress archives to scan inside archives and compressed files.<br />
• Always select the Quarantine option as the secondary action for virus and spyware detections, so that you can retrieve the files from the quarantine folder later if required.<br />
On-demand scanning<br />
This section describes the best practices for scheduling on-demand scans to improve performance.<br />
Scheduling scans<br />
• Schedule on-demand scans during non-peak hours such as weekends or the maintenance period, and when DAT/Engine updates are not running.<br />
• When scheduling an on-demand scan for the first time, schedule a full on-demand scan of the local volumes.<br />
• Make sure to exclude network volumes if you do not explicitly want to scan them.<br />
Update<br />
Ensure that at least 500 MB of memory is free before a DAT update, as a DAT update needs a significant amount of memory.<br />
Anti-virus exclusions<br />
This section provides recommendations for anti-virus exclusions. McAfee suggests these for better performance; you can adjust them based on your requirements.<br />
This version supports regular-expression based exclusions for anti-malware scanning. You can add regular expressions that match the required pattern to exclude multiple files and folders from being scanned.<br />
Some of the recommended exclusions are for:<br />
• Oracle database files<br />
    • /opt/oracle/.*.dbf (if Oracle is installed under /opt)<br />
    • /opt/oracle/.*.ctl (if Oracle is installed under /opt)<br />
    • /opt/oracle/.*.log (if Oracle is installed under /opt)<br />
• Evolution data files<br />
• Thunderbird data files<br />
• Encrypted files<br />
• /var/log for on-access scan<br />
• /quarantine and /proc for on-demand scan<br />
• JAR files for on-access scan<br />
• Archive files for on-access scan<br />
• DTX files for on-access scan<br />
• WAR files<br />
• /media/nss//._NETWARE and /media/nss//._ADMIN in the case of Open Enterprise Server<br />
The following are a few examples of regular expressions you can use for different patterns.<br />
Table 5-1 Regular Expression Examples<br />
To exclude... Use...<br />
All files starting with abc under /media/nss: /media/nss/abc.*<br />
All files starting with "." under /media/nss: /media/nss/..*<br />
All files with extension ext or abc under /media/nss: /media/nss/.*.(ext|abc)<br />
All users' mailbox folders: /home/.*/mailbox/.*<br />
All files and folders that begin with abc anywhere on the machine: .*/abc.*<br />
Files with extension mdb: .*.mdb<br />
Files with extension mdb or odc: .*.(mdb|odc)<br />
Files with extension jar, rar or war under /opt: /opt/.*..+ar<br />
All files under /tmp starting with a letter and ending with a digit: /tmp/([A-Z]|[a-z]).*[0-9]$<br />
All users' mailbox folders, recursively: /home/.*/mailbox/.*<br />
All files ending with abc, abcc, abcccc: .*abc{1,}<br />
Using regular expressions from ePolicy Orchestrator<br />
• You should include "/" as the first character. For example, to exclude all files and folders starting with abc on the machine, use the regular expression: /.*/abc.*<br />
• Ensure that there are no escape sequences in the regular expression. For example, from ePolicy Orchestrator, to exclude all files starting with "." under /media/nss use the regular expression: /media/nss/..*<br />
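In a regular expression an unescaped "." matches any single character, so several entries in Table 5-1 exclude more than their description says (for example /media/nss/..* covers every file under /media/nss, not only dotfiles), and an over-broad exclusion is a blind spot for the scanner. The following added example (not McAfee's code) checks each pattern against constructed sample paths before it is deployed; it assumes the product matches the pattern against the whole absolute path with ordinary extended-regex syntax (Python's re.fullmatch stands in for the product's engine), and shows a bracket-class form, [.], that pins the dot without using a backslash escape sequence.

```python
import re


def is_excluded(pattern: str, path: str) -> bool:
    """Return True if the exclusion regex covers the whole path.

    Assumption: the on-access/on-demand exclusion engine anchors the pattern
    against the full absolute path, which re.fullmatch reproduces here.
    """
    return re.fullmatch(pattern, path) is not None


def audit(pattern: str, should_exclude: list, should_scan: list) -> dict:
    """Report the paths that the pattern handles differently from the intent.

    'missed' are paths the administrator wanted excluded but that would still
    be scanned; 'over_excluded' are paths that would silently skip scanning.
    """
    return {
        "missed": [p for p in should_exclude if not is_excluded(pattern, p)],
        "over_excluded": [p for p in should_scan if is_excluded(pattern, p)],
    }


# "pattern" values are copied from Table 5-1 of the guide. The sample paths are
# constructed for this example. "tightened" is an alternative that uses the
# bracket class [.] for a literal dot (assumption: the engine accepts bracket
# classes, which are standard extended-regex syntax and contain no escape).
CASES = [
    {
        "intent": "files starting with '.' under /media/nss",
        "pattern": r"/media/nss/..*",
        "tightened": r"/media/nss/[.].*",
        "should_exclude": ["/media/nss/.hidden", "/media/nss/.cache/index"],
        "should_scan": ["/media/nss/payroll.xls", "/media/nss/a"],
    },
    {
        "intent": "files with extension mdb",
        "pattern": r".*.mdb",
        "tightened": r".*[.]mdb",
        "should_exclude": ["/srv/db/sales.mdb"],
        "should_scan": ["/srv/rawmdb", "/tmp/sales.mdb.exe"],
    },
    {
        "intent": "jar, rar or war files under /opt",
        "pattern": r"/opt/.*..+ar",
        "tightened": r"/opt/.*[.](jar|rar|war)",
        "should_exclude": ["/opt/app/lib.jar", "/opt/app/site.war"],
        "should_scan": ["/opt/sugar", "/opt/app/calendar", "/opt/backup.tar"],
    },
    {
        # This table entry is already precise: it requires a letter right after
        # /tmp/ and a digit at the end, so the two forms agree.
        "intent": "/tmp files starting with a letter and ending with a digit",
        "pattern": r"/tmp/([A-Z]|[a-z]).*[0-9]$",
        "tightened": r"/tmp/([A-Z]|[a-z]).*[0-9]$",
        "should_exclude": ["/tmp/build7"],
        "should_scan": ["/tmp/7build", "/tmp/notes.txt"],
    },
]


def audit_all(cases=CASES) -> dict:
    """Audit every case both as written in the guide and in its tightened form."""
    return {
        c["intent"]: {
            "as_written": audit(c["pattern"], c["should_exclude"], c["should_scan"]),
            "tightened": audit(c["tightened"], c["should_exclude"], c["should_scan"]),
        }
        for c in cases
    }


if __name__ == "__main__":
    for intent, result in audit_all().items():
        print(intent)
        for form, findings in result.items():
            print(f"  {form:10s} missed={findings['missed']} "
                  f"over_excluded={findings['over_excluded']}")
```

Run the same audit against your own exclusion list and real path samples from the host before pushing the policy from ePolicy Orchestrator; any path listed under over_excluded is a file the scanner will never look at.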
Recovering quarantined items<br />
This section provides information on listing and recovering quarantined items. Remember that you need root privileges to run these commands. McAfee suggests recovering quarantined items only after consulting McAfee Labs.<br />
To list the quarantined items on a Linux machine<br />
1 From the terminal, log in as root.<br />
2 Run the following command:<br />
/opt/NAI/LinuxShield/bin/nails quarantine --list<br />
This lists all the quarantined items on your machine. For example, if a file named file1 under the /tmp directory is quarantined, running the above command shows output such as:<br />
/quarantine/QXXX.XXXXXX.XXXXX.XXX.meta: /tmp/file1<br />
where X is a random number.<br />
To recover a particular quarantined item<br />
1 From the terminal, log in as root.<br />
2 Run the following command:<br />
/opt/NAI/LinuxShield/bin/nails quarantine -recover <br />
For example, to recover file1, which is listed as a quarantined item, run the<br />
command as: /opt/NAI/LinuxShield/bin/nails quarantine -recover<br />
/quarantine/QXXX.XXXXXX.XXXXX.XXX.meta /tmp/file1<br />
This restores file1 into the /tmp directory.<br />
Run-time kernel modules<br />
Automatic support for new kernels released by the distribution vendors, without any downtime in<br />
on-access scanning: McAfee VirusScan Enterprise for Linux kernel modules are created dynamically<br />
in case of a mod-version failure.<br />
• You must have developer utilities such as make or gcc installed on your machine, along with the kernel<br />
headers package for the current kernel. If mod-versioning fails during nails service start, the kernel<br />
modules get compiled dynamically and the on-access scanner is enabled.<br />
• If developer utilities are not installed on your production server, you can compile the kernel modules<br />
on a staging server and run the export command to archive them. Import the kernel<br />
modules onto your production server by running the import command. For more information,<br />
refer to the McAfee VirusScan Enterprise for Linux 1.7 — Product Guide.<br />
• Ensure that the kernel sources/headers and developer tools are installed on the computer. If the<br />
kernel sources/headers are installed in a non-default location, set the KERNEL_HEADER_LOCATION<br />
environment variable before compilation.<br />
• You can check whether the compiled or imported kernel modules are working properly by executing the<br />
command: /opt/NAI/LinuxShield/bin/khm_setup -t<br />
To view the logs, go to: /opt/NAI/LinuxShield/src/log<br />
Third-party software coexistence<br />
• VirusScan Enterprise for Linux does not support coexistence with backup software such as<br />
ArcServe, Cava Agent, Bacula backup software, and so on. McAfee therefore recommends that you<br />
exclude the directories or files associated with such software.<br />
• There are a few compatibility issues between McAfee VirusScan Enterprise for Linux and McAfee<br />
Solidcore. Refer to the following KnowledgeBase articles for the resolution of these issues.<br />
• https://kc.mcafee.com/corporate/index?page=content&id=KB70194<br />
• https://kc.mcafee.com/corporate/index?page=content&id=KB70857<br />
You can also log on to https://kc.mcafee.com and search using the KB article number.<br />
6 Tips and Tricks<br />
This chapter provides more information on tips and tricks that can be helpful when you use<br />
the McAfee VirusScan Enterprise for Linux software.<br />
• You can deploy McAfee VirusScan Enterprise for Linux from ePolicy Orchestrator (ePO) with<br />
customized settings. For this, you need to copy the nails.options file to the /root and / directories on<br />
your Linux client system. For more details, refer to the McAfee VirusScan Enterprise for Linux 1.7 —<br />
Installation Guide.<br />
• VirusScan Enterprise for Linux provides advanced logging options, which McAfee recommends<br />
enabling while troubleshooting specific issues. These settings, however, can only be enabled from the<br />
endpoint's user interface. The settings are Detail logging level, Additional log to syslog, Detail syslog level, Limit<br />
age of log entries, and Maximum age of log entries, which can be tweaked from the product's user interface.<br />
• In managed mode (ePO), the status of scheduled tasks is not reported back to ePO. In such<br />
cases, setting up SMTP email notifications can monitor this. Users receive an email notification at their<br />
email id if the DAT is out of date, if malware is detected on the system, and for notifications based on<br />
error codes, including system events.<br />
• By default, VirusScan Enterprise for Linux uses the system PAM (Pluggable Authentication Modules)<br />
configuration in the Web Manager for authentication. In some instances, the system PAM settings<br />
might use external authentication modules that are not compatible with VirusScan Enterprise for<br />
Linux. Refer to the following KnowledgeBase article to learn how to configure PAM so that VirusScan<br />
Enterprise for Linux can authenticate in the Web Manager: https://kc.mcafee.com/corporate/index?<br />
page=content&id=KB70568<br />
7 KnowledgeBase articles<br />
This chapter lists the various KnowledgeBase articles related to the McAfee VirusScan Enterprise<br />
for Linux software. When you run into any issue with the software, first verify whether the issue is already<br />
covered on the McAfee KnowledgeBase homepage.<br />
Accessing McAfee KnowledgeBase<br />
1 From your web browser, go to: https://kc.mcafee.com.<br />
2 Under Ask a Question, specify the KB article number or the topic title.<br />
Table 7-1 McAfee VirusScan Enterprise for Linux — KB articles<br />
KB article#  Title<br />
KB73036      VirusScan Enterprise for Linux 1.7 DAT update fails on 64-bit Ubuntu installations<br />
KB73043      VSEL 1.7 causes a kernel panic when Ubuntu runs as an NFS Client and Server at the same time<br />
KB73087      VirusScan Enterprise for Linux 1.7 authentication fails after an OS upgrade<br />
KB73205      Unable to reboot server in a Corosync cluster environment with Virus Scan for Linux running<br />
KB73322      VirusScan for Linux 1.7 installation fails when installing via the Dash Shell in Ubuntu<br />
KB70568      How to configure PAM for Virus Scan Enterprise for Linux manager authentication<br />
KB70857      Can VirusScan Enterprise for Linux co-exist with Solidcore products?<br />
KB72999      How to determine if a Linux Server is supported by VSEL 1.7<br />