Product Guide

McAfee VirusScan Enterprise for Linux 1.9.0 Software

COPYRIGHT

Copyright © 2013 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
        What's in this guide
    Find product documentation

1 Introduction
    What is McAfee VirusScan Enterprise for Linux
    How does VirusScan Enterprise for Linux work
        How VirusScan Enterprise for Linux installations interact
    Product Features
    What’s new in this release
    Contact information

2 Scanning for viruses and other potentially unwanted software
    How does scanning work
    What and when to scan
    Types of scanning

3 VirusScan Enterprise for Linux interface
    Opening the VirusScan Enterprise for Linux interface
    Introducing the VirusScan Enterprise for Linux interface
        Navigation pane
        Console
        Quick Help pane
        Links bar
    Using the interface
        Expanding and collapsing tables of information
        Sorting by table columns
        Navigating through long tables
        Changing the settings on a page
        Automatically refreshing information on pages
        Using wizards
        Understanding error messages
        Displaying dates and times

4 Viewing VirusScan Enterprise for Linux information
    Host Summary
    Scanning Summary
        Scanning statistics
        Recently detected items
        Recently scanned items
        Obtaining a diagnostic report
    Detected items
        Analyzing the detected items
        Viewing the results
        Exporting the results for analysis
    System events
        Analyzing the system events
        Exporting the results for analysis
    Scheduled tasks
        Running a task immediately
        Modifying an existing scheduled task
        Deleting an existing scheduled task
        Stopping a task
    Information about extra DAT files

5 Setting up schedules
    Using a wizard
    Updating the product
        Creating a schedule to update the product
    Running on‑demand scans
        Creating a schedule to run an on‑demand scan

6 Configuring VirusScan Enterprise for Linux
    General settings
        Browser interface
        Logging
        Clearing statistics
        Resetting configuration settings
    On‑access settings
        Scanning options
        Paths excluded from scanning
        Extension‑based scanning
        Anti‑virus actions
    On‑demand settings
    Notifications
        SMTP notifications
        SMTP settings

7 Advanced features
    Substituting variables in notification templates
    How the quarantine action works

8 Troubleshooting
    Frequently asked questions
        Installation
        Runtime kernel module support
        Scanning
        Viruses and detection
        General information
    Error messages

Index

Preface

This guide provides the information you need to configure, use, and maintain your McAfee product.

For instructions on how to install McAfee® VirusScan® Enterprise for Linux software on a stand‑alone computer, see the McAfee VirusScan Enterprise for Linux — Installation Guide for your product version. For instructions on how to configure, use and maintain McAfee VirusScan Enterprise for Linux using McAfee® ePolicy Orchestrator (McAfee ePO) software, see the McAfee VirusScan Enterprise for Linux — Configuration Guide for your product version.

Contents

• About this guide

• Find product documentation

About this guide

This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience

McAfee documentation is carefully researched and written for the target audience.

The information in this guide is intended primarily for:

• Administrators — People who implement and enforce the company's security program.

• Users — People who use the computer where the software is running and can access some or all of its features.

Conventions

This guide uses these typographical conventions and icons.

Book title, term, emphasis: Title of a book, chapter, or topic; a new term; emphasis.

Bold: Text that is strongly emphasized.

User input, code, message: Commands and other text that the user types; a code sample; a displayed message.

Interface text: Words from the product interface like options, menus, buttons, and dialog boxes.

Hypertext blue: A link to a topic or to an external website.

Note: Additional information, like an alternate method of accessing an option.

Tip: Suggestions and recommendations.

Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.

Warning: Critical advice to prevent bodily harm when using a hardware product.

What's in this guide

This guide is organized to help you find the information you need.

This guide provides you with an introduction to McAfee VirusScan Enterprise for Linux and provides the information you need for all phases of product use, from scanning to configuring to troubleshooting.

Introduction

This chapter provides detailed information about the software, how it works and interacts, product features, what's new in this release and contact information.

Scanning for viruses and other potentially unwanted software

This chapter provides detailed information on how the scanning works, what to scan and when to scan, and the different types of scanning.

VirusScan Enterprise for Linux interface

This chapter provides detailed information on how to access the user interface, introducing the sections in the interface, using the interface such as using wizards, understanding error messages and displaying dates and times.

Viewing VirusScan Enterprise for Linux information

This chapter provides detailed information on viewing the host summary, scanning summary, detected items, system events, scheduled tasks and information about extra detection definition (DAT) files.

Setting up schedules

This chapter provides detailed information on how to use wizards to schedule a product update task or schedule to run an on‑demand scan.

Configuring VirusScan Enterprise for Linux

This chapter provides detailed information on how to access the general settings such as browser interface, clearing statistics and resetting configuration settings; on‑access settings, on‑demand settings, notifications and repositories.

Advanced features

This chapter provides detailed information on the advanced settings such as how to substitute variables in notification templates, configure features from a file, control the software from command line and an overview on how the quarantine action works.

Troubleshooting

This chapter provides detailed information on answers to common situations that you might encounter while installing or using the software.

Find product documentation

McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.

Task

1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.

2 Under Self Service, access the type of information you need:

To access...: Do this...

User documentation:

1 Click Product Documentation.

2 Select a product, then select a version.

3 Select a product document.

KnowledgeBase:

• Click Search the KnowledgeBase for answers to your product questions.

• Click Browse the KnowledgeBase for articles listed by product and version.

1 Introduction

McAfee VirusScan Enterprise for Linux detects and removes viruses and other potentially unwanted software on Linux‑based systems.

This information is intended for network administrators who are responsible for their company’s anti‑virus and security program.

Contents

• What is McAfee VirusScan Enterprise for Linux

• How does VirusScan Enterprise for Linux work

• Product Features

• What’s new in this release

• Contact information

What is McAfee VirusScan Enterprise for Linux

VirusScan Enterprise for Linux detects and removes viruses and other potentially unwanted software on Linux‑based systems. VirusScan Enterprise for Linux uses a web‑browser interface and a powerful McAfee scanning engine — the engine common to all our anti‑virus products.

Although a few years ago, the Linux operating system was considered a secure environment, it is now seeing more occurrences of software specifically written to attack or exploit security weaknesses in Linux‑based systems. Increasingly, Linux‑based systems interact with Windows‑based computers. Although viruses written to attack Windows‑based systems do not directly attack Linux systems, a Linux server can harbor these viruses, ready to infect any client that connects to it.

When installed on your Linux server, VirusScan Enterprise for Linux provides protection against viruses, Trojan horses, and other types of potentially unwanted software.

VirusScan Enterprise for Linux scans files as they are opened and closed — a technique known as on‑access scanning. VirusScan Enterprise for Linux also incorporates an on‑demand scanner that enables you to scan any directory or file in your host at any time.

When kept up‑to‑date with the latest virus‑definition (DAT) files, VirusScan Enterprise for Linux is an important part of your network security. We recommend that you set up an anti‑virus security policy for your network, incorporating as many protective measures as possible.

How does VirusScan Enterprise for Linux work

This section describes how VirusScan Enterprise for Linux works when correctly installed and configured.

Once VirusScan Enterprise for Linux software has been correctly installed and configured on your Linux server, it provides two functions:

• VirusScan Enterprise for Linux runs as a daemon (which is similar to a service in Microsoft Windows).

As files are accessed via the Linux kernel, VirusScan Enterprise for Linux intercepts the files and scans them for viruses and other potentially unwanted software. (See Events that trigger VirusScan Enterprise for Linux scanning for more information.) This form of protection is called on‑access scanning. VirusScan Enterprise for Linux also maintains a record of files that it has recently scanned to avoid any unnecessary repeated scanning.

• VirusScan Enterprise for Linux runs an HTTPS‑based monitoring service.

VirusScan Enterprise for Linux activities can be monitored and configured through an HTTPS interface. For example, you can configure which types of files VirusScan Enterprise for Linux will scan, and actions that VirusScan Enterprise for Linux will take against infected files, such as cleaning, deletion or quarantining. Using the simple and secure web‑browser interface, you can monitor and control virus detection.

Events that trigger VirusScan Enterprise for Linux scanning

VirusScan Enterprise for Linux begins to scan files on these events:

• File open — When a file is opened.

• File release — In the simple case, this is when a file is closed. If a process has multiple references to a file, for example, via dup or a memory mapping, this is when the last reference is released.
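The file release rule above can be observed from user space. The following is an added example, not code from this guide or from the product: it uses an flock() lock as a visible marker, because Linux drops such a lock at the same moment it releases the open file, and the names probe_release and is_still_held are hypothetical.

```c
/* Added illustration (not McAfee code): shows that closing one descriptor
 * does not release a file while a dup()'d descriptor still refers to it.
 * Assumption: an flock() lock is used as the marker, since the kernel
 * removes it only when the last reference to the open file is dropped. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <unistd.h>

struct release_probe {
    int held_after_first_close; /* 1 = file still referenced after close(fd) */
    int held_after_last_close;  /* 1 = still referenced after close(dup_fd)  */
};

/* Open the path independently and try a non-blocking exclusive lock.
 * Returns 1 if an earlier open file still holds the lock, 0 if it has
 * been released, -1 on any other error. */
static int is_still_held(const char *path)
{
    int held;
    int probe = open(path, O_RDONLY);
    if (probe < 0)
        return -1;
    if (flock(probe, LOCK_EX | LOCK_NB) == 0) {
        flock(probe, LOCK_UN);
        held = 0;
    } else {
        held = (errno == EWOULDBLOCK) ? 1 : -1;
    }
    close(probe);
    return held;
}

/* Create a temporary file, lock it, duplicate the descriptor, then close
 * the two descriptors one at a time and record when the file is let go. */
int probe_release(struct release_probe *out)
{
    char path[] = "/tmp/release_probe_XXXXXX"; /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (flock(fd, LOCK_EX) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    int dup_fd = dup(fd); /* second reference to the same open file */
    if (dup_fd < 0) {
        close(fd);
        unlink(path);
        return -1;
    }

    close(fd); /* first close: one reference remains, so no release yet */
    out->held_after_first_close = is_still_held(path);

    close(dup_fd); /* last close: the file is released here */
    out->held_after_last_close = is_still_held(path);

    unlink(path);
    return 0;
}

int main(void)
{
    struct release_probe r;
    if (probe_release(&r) != 0) {
        perror("probe_release");
        return EXIT_FAILURE;
    }
    printf("still held after first close: %d\n", r.held_after_first_close);
    printf("still held after last close:  %d\n", r.held_after_last_close);
    return EXIT_SUCCESS;
}
```

For on‑access scanning this means a file written through one descriptor is not seen as released, and so not scanned on release, until every duplicate of that descriptor has also been closed.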

How VirusScan Enterprise for Linux installations interact

VirusScan Enterprise for Linux requires a web browser to monitor and control virus scanning on a host.

The diagram shows a web browser connected via a secure HTTPS link to a web monitor service that we supply as a component of the VirusScan Enterprise for Linux software.

The next table explains how the components operate in this simple setup.

Component: Function

scanner: This component provides anti‑virus protection, scanning files as instructed by nailsd.

nailsd: This component communicates between the web monitoring service and the scanner, passing information about the anti‑virus scans and configuration details.

mon: This component of the web monitor examines VirusScan Enterprise for Linux activity on the host, and can configure the anti‑virus activity.

nailswebd: This component of the web monitor communicates with a web browser such as Konqueror, using a secure HTTPS link. A name and password are required for user authentication.

kernel hook modules (file): This component provides on‑access scanning support by hooking on to the kernel.

Product Features

This section describes the product features for the McAfee VirusScan Enterprise for Linux software.

McAfee VirusScan Enterprise for Linux software has these features:

• Support for Amazon EC2 Linux machines (2.6.x kernels)

• Support for Novell Cluster Services

• Support for Corosync OCFS2 File System Cluster

• Runtime kernel module support (RKMS)

    McAfee VirusScan Enterprise for Linux Kernel modules will be created dynamically in case of a mod‑version failure. To manually compile the kernel module, refer to Frequently asked questions — Runtime kernel module support in the Product Guide.

• Support for 64‑bit AMD64/Intel EM64T operating systems.

• The latest version (5600) of the McAfee anti‑virus engine.

• Incremental Virus Signature (DAT) updates.

• Mod‑versioning for automatic kernel support.

• Regular expression based exclusions for On‑access scan and On‑demand scan from the user interface.

• Scanning

    • Comprehensive on‑access anti‑virus scanning and cleaning using the McAfee scanning engine.

    • On‑access scanning for local file systems, NFS and Samba/CIFS.

    • Kernel‑level scan cache for improved performance.

    • Scheduling of on‑demand scans.

    • Scheduling of updates for scanning engine and virus definition files.

• Administration

    • Remote administration using browser‑based interface.

    • Secure browser interface with authentication and HTTPS (SSL) support.

• Reporting

    • Real‑time statistics.

    • Detailed database for detected items and system events.

    • Ability to query the database by date range or individual field values, for example, virus name. Results of query can be exported to a CSV file.

    • Configurable email notification for detected items, out‑of‑date virus definition files, configuration changes, and system events.

    • Diagnostic report for use when reporting a problem with the product.

What’s new in this release

This section describes the new enhancements in this release of VirusScan Enterprise for Linux.

These new features are available in this release and can be used from McAfee ePolicy Orchestrator to configure McAfee VirusScan Enterprise for Linux client systems.

General policies

• Enable or disable Web GUI Apache services

• Enable or disable SMTP notifications

• Enable or disable Syslogging with different levels

• Enable logging from ePolicy Orchestrator

On‑Access policy

• Specify primary and secondary actions for Programs and Jokes

On‑Demand scan task

• Specify primary and secondary actions for Programs and Jokes

• Specify custom Maximum scan time for each on‑demand scan task

Product deployment task

• Deploy the product successfully without PAM libraries

Password change task

• Set the McAfee VirusScan Enterprise for Linux administrator password from ePolicy Orchestrator

System properties

• Scanning summary information on Files Scanned and Number of Infections for the selected Linux client

• Threat information is available now

Events

• On‑demand scan task status events

• Password change task status events

Queries and reports

• Threat report

• Compliance report

Help Content

New ePolicy Orchestrator Help extension for McAfee VirusScan Enterprise for Linux

Contact information

This section specifies McAfee's contact information such as the threat center, download site, technical support, customer service, and professional services.

McAfee Threat Center

McAfee Labs: http://www.mcafee.com/us/mcafee_labs/index.html

McAfee Avert Labs Threat Library: http://vil.mcafeesecurity.com

McAfee Avert Labs WebImmune & Submit a Sample (logon credentials required): https://www.webimmune.net/default.asp

McAfee Labs .DAT Notification Service Opt‑In: https://secure.mcafee.com/apps/mcafee‑labs/dat‑notification‑signup.aspx

McAfee Download Site

Homepage: http://www.mcafee.com/us/downloads/

• Products and Upgrades (requires a valid grant number)

• Product Documentation

• Product Evaluation

• McAfee Beta Program

McAfee Technical Support

Homepage: http://www.mcafee.com/us/support/index.html

KnowledgeBase Search: http://knowledge.mcafee.com

McAfee Technical Support ServicePortal (logon credentials required): https://mysupport.mcafee.com/eservice_enu/start.swe

McAfee Customer Service

Web: http://www.mcafee.com/us/support/index.html or http://www.mcafee.com/us/about/contact/index.html

Phone: +1‑888‑VIRUS NO or +1‑888‑847‑8766 Monday ‑ Friday, 8 a.m. — 8 p.m., Central Time

McAfee Professional Services

Enterprise: http://www.mcafee.com/us/enterprise/services/index.html

Small & Medium Business: http://www.mcafee.com/us/smb/services/index.html

2 Scanning for viruses and other potentially unwanted software

This section describes briefly how scanning works and the types of scanning that are available.

McAfee VirusScan Enterprise for Linux software can perform several types of scanning on your Linux server in order to provide as much anti‑virus protection as possible. You can configure a number of these scanning features, the type of scan, which objects (for example archive files) to scan, and when to run the scan.

Contents

• How does scanning work

• What and when to scan

• Types of scanning

How does scanning work

Your McAfee anti‑virus software contains the McAfee scanning engine and the virus definition (DAT) files. The engine is a complex data analyzer. The DAT files contain a great deal of information, including thousands of different drivers, each of which contains detailed instructions on how to identify a virus or type of virus.

The McAfee scanning engine works together with the DAT files. It identifies the type of object being scanned (often a file) and decodes the contents of that object. The engine then uses the information in the DAT files to search for known viruses. Many viruses have a distinctive signature — a sequence of characters unique to that virus.

The engine uses a technique called heuristic analysis to search for unknown viruses. This involves analysis of some of the object’s program code and searching for distinctive features typically found in viruses.

Once the engine has confirmed the identity of a virus, it cleans the object as far as possible. For example, the anti‑virus software can remove an infected macro from a document or delete the virus code in an executable file. If the virus has destroyed data, and the file cannot be fixed, the anti‑virus software must make the file safe so that it cannot be activated and infect other files.

What and when to scan

The threat from viruses can come from many directions, including infected macros, shared program files, files shared across a network, email, floppy disks, and files downloaded from the Internet. Each McAfee anti‑virus software product targets a specific area of vulnerability. We recommend a multi‑tiered approach to provide the full range of virus detection, security and cleaning capability.

You can configure your VirusScan Enterprise for Linux software according to the demands of your system. These demands depend on when and how the parts of your system operate and how they interact with each other and with the outside world, particularly through email and Internet access.

A variety of options can be configured or enabled which allow you to determine how your anti‑virus software deals with different types of file and what it does with infected or suspect items.

Types of scanning

Scanning falls into these main groups — on‑access scanning and on‑demand scanning.

The types of scanning detect the same viruses, but they work at different points on the network and on the Linux server. The types of scanning can take place at different times, and at different stages in the handling of objects.

On‑access scanning

On‑access scanning (or real‑time scanning) examines objects as they are accessed by the user or the system. For example, an on‑access scanner examines a file when the user opens it.

When you first install VirusScan Enterprise for Linux, on‑access scanning defaults are set but you can configure these to suit your system. You can set global options that determine how scanning is carried out, including how the scanner deals with different types of object, specifying what is to be done with infected items, and how quarantine and notification is handled.

On‑demand scanning

The types of on‑demand scan are:

• Standard on‑demand scan — The user instructs the scanning software to perform a scan; this is launched manually.

• Scheduled on‑demand scan — This is scheduled to run automatically at predetermined intervals or times. You may choose to schedule a scan of this type to run after the regular DAT update.

You may run an on‑demand scan for many reasons, for example:

• To check a file that has been downloaded from the Internet or obtained from an external source.

• To check if your Linux server is virus‑free, possibly following DAT update, in case new viruses can be detected.

• To check if your Linux server is completely clean, following a recent single detection.

3 VirusScan Enterprise for Linux interface

After VirusScan Enterprise for Linux has been correctly installed and configured, it runs as a daemon. To make changes to your VirusScan Enterprise for Linux software configuration, or to view information about your software, you use the VirusScan Enterprise for Linux interface.

McAfee recommends that you use the browser‑based interface to manage VirusScan Enterprise for Linux features. Although some features can be configured using text‑based files (described in Configuring features from a file), McAfee does not recommend this.

Contents

• Opening the VirusScan Enterprise for Linux interface

• Introducing the VirusScan Enterprise for Linux interface

• Using the interface

Opening the VirusScan Enterprise for Linux interface

View the VirusScan Enterprise for Linux interface by specifying the IP address and port number in any of the supported web‑browsers.

Task

1 To open the McAfee VirusScan Enterprise for Linux interface:

• Open a supported web‑browser, such as Microsoft Internet Explorer, Mozilla or Konqueror, and type the IP address and port number in this format: https://<hostname or ip address>:<port>

For example: https://server1:55443 or https://192.168.200.200:55443

Letter case is not important. VirusScan Enterprise for Linux regards server1 and SERVER1 as similar. The browser tries to connect to the port on the Linux host where the VirusScan Enterprise for Linux web‑monitoring service runs, and displays the log on page. If your browser or its version are not supported, you see a warning message. You may continue to log on, but you might experience problems later with the display and operation of features of the interface.

2 Type the default user name nails and the password that you specified during installation, then click Log on.

After a short time, the VirusScan Enterprise for Linux homepage appears. On Konqueror browsers, the following message appears in a dialog box: Server certificate failed the authenticity test...

This happens because the certificate is self‑signed. You may ignore this message and click Continue.

The Host Summary page is displayed. To return to this page at any time, click Home from the navigation pane (on the left side). The Host Summary page provides some brief information (such as IP address, DAT version, engine version, product version, files scanned, status, and detected items) about the Linux server where VirusScan Enterprise for Linux is installed. See the Host Summary section for more information about this page.

Introducing the VirusScan Enterprise for Linux interface

This section helps you understand the VirusScan Enterprise for Linux user interface and describes the purpose of each area in the interface.

The VirusScan Enterprise for Linux interface has the following main areas:

• Left — Navigation pane

• Middle — Console

• Right — Quick Help pane

Navigation paneThe navigation pane, on the left side of the VirusScan Enterprise for Linux interface, provides links toeach page.

Similar links are grouped together.

Figure 3-1 Navigation pane

The name of the currently selected Linux host appears above the navigation pane as a host name andport number, for example: "server1:55443".

3 VirusScan Enterprise for Linux interfaceIntroducing the VirusScan Enterprise for Linux interface

18 McAfee VirusScan Enterprise for Linux 1.9.0 Software Product Guide

The groups of items in the menu (View, Schedule and Configure) refer to this host.

• View — These options display Host Summary, Scanning Summary, Detected Items, System Events, and Scheduled Tasks information about the selected host.

• Schedule — These options display Product Update and On‑Demand Scan information, where you can set up schedules for running on‑demand scans and updating the virus definition (DAT) files.

• Configure — These options display General Settings, On‑Access Settings, On‑Demand Settings, and Notifications information where you can configure VirusScan Enterprise for Linux on the selected host.

The navigation pane also includes:

• Home — To display summary information about the host that is being monitored.

• Show/Hide Quick Help — To show or hide the quick help which is usually displayed on the right pane of the user interface.

Console

The console, in the middle of the VirusScan Enterprise for Linux interface, displays each page that is selected from the navigation pane.

Quick Help pane

The Quick Help pane, on the right side of the window, displays basic information about each page displayed within the console area of the interface. Quick Help includes links to the online Help system, to our web site and to other sources of product information.

You can show or hide Quick Help, using the Show Quick Help or Hide Quick Help menu options from the navigation pane. See also Hide quick help on startup under General settings.

Links bar

The links bar, at the top of the VirusScan Enterprise for Linux interface, contains links to useful resources such as the Virus Information Library and the Help Topics.

This black bar contains the following links:

Table 3-1 Option definitions

Option Definition

Log off Return to the VirusScan Enterprise for Linux logon screen.

Technical Support Frequently asked questions on our Technical Support web site.

Submit a Sample Instructions for submitting a virus sample to us.

Virus Information Links to the Virus Information Library, which provides full information about every virus and other potentially unwanted software that our products can detect and clean.

About VirusScan Enterprise for Linux Product and licensing information.

Resources Contact information.

Help Topics Online Help.

The web addresses of the links are listed under the Contact information page.

Depending on the configuration that your organization requires, some of these links may not be available or they may redirect to other locations. See the Advanced Features section.


Using the interface

This section describes the features of the VirusScan Enterprise for Linux interface.

Expanding and collapsing tables of information

The interface contains several tables of information. For convenience, you can expand or collapse some tables.

• Click — To hide the information. (Collapse)

• Click — To show the information. (Expand)

Sorting by table columns

The interface contains several tables. For convenience, you can sort the information.

For example, to sort rows into time order, click on the column heading, Time. An arrow on the right side of a column heading appears and indicates the order of the sorting.

^ — The information is displayed in ascending order (0‑9, A‑Z).

v — The information is displayed in descending order (9‑0, Z‑A).

To reverse the order of sorting, click the column heading again.

Time ^ File Name

May 2, 2012 12:01:05 foo1

May 2, 2012 12:11:35 foo2

May 3, 2012 01:01:53 foo3

May 4, 2012 02:01:06 foo4

This action does not refresh or update the contents of a table. The action does not sort all the information; it changes the order of the currently displayed rows of information only.

Navigating through long tables

If VirusScan Enterprise for Linux has too much information to display normally within a page, VirusScan Enterprise for Linux displays just a few rows at a time.

Navigation arrows and numbers appear at the foot of the table to enable you to access the rest of the information.

For example: << 1 2 3 4 5 >>

Table 3-2 Option definitions

Option Definition

<< Click to go to the previous section of the table.

2 You are currently viewing section 2 of the table. The number is displayed larger than the others.

4 Click to go to section 4 of the table.

>> Click to go to the next section of the table.

To increase the number of rows of information that you can view in one page, see Results per page under the General settings section.


VirusScan Enterprise for Linux applies a limit to the amount of information that can be viewed over several pages. For example, on the Detected Items page and the System Events page, you can view up to 20 pages each containing up to 50 rows. You can effectively view more results by using a query to filter the information.

Changing the settings on a page

From several pages within the interface, you can change settings, such as which types of file to scan. These pages have a button marked Edit at the top right of the page.

Task

1 To enable any changes to the settings, click Edit.

The Edit button is replaced by other buttons — Apply and Cancel, and in some cases, Defaults or Reset.

2 To change any settings, update the fields, then click Apply.

3 If while making the changes, you decide not to proceed, click Cancel.

4 To reset the settings on the page to the defaults that were in effect when VirusScan Enterprise for Linux was first installed, click Reset. When you click Cancel or Defaults, you are prompted to confirm that you want to do this.

Automatically refreshing information on pages

The information on some pages (such as the Scanning Summary) is automatically refreshed every 10 seconds by default.

You can change the refresh interval from the VirusScan Enterprise for Linux interface. See the General settings section.

To manually refresh these pages at any time, click Refresh at the top of the page.


Using wizards

The VirusScan Enterprise for Linux interface uses a form of wizard to help you complete some complex tasks by specifying required settings in a sequence of panes.

Figure 3-2 Typical wizard pane

This example is taken from an option in the Schedule menu. The Next and Back buttons in the top right corner enable you to move from pane to pane. You can also move to any pane by clicking the tabs labelled 1. ... and 2. ... and so on.

To close the wizard and complete the task, click Finish.

Understanding error messages

If a fault occurs with the interface, VirusScan Enterprise for Linux displays a message on the current page.

The message typically has the format:

Error Code Description

25 Connection failed to host 192.168.255.200

For more information, click the error code. Other types of errors are logged as system events. See the System events section.

Displaying dates and times

Dates and times in the interface are expressed as the local time on the host. Time is displayed in 24‑hour format, and includes a UTC (Universal Time Co‑ordinates) offset. For example: May 02, 2008 12:35:00 (‑8:00 UTC)

To prevent the display of the UTC offset, see Display time UTC offset in the General settings section.


4 Viewing VirusScan Enterprise for Linux information

From the View area of the navigation pane you can view the VirusScan Enterprise for Linux information.

You can view the following information about VirusScan Enterprise for Linux:

Contents

• Host Summary

• Scanning Summary

• Detected items

• System events

• Scheduled tasks

• Information about extra DAT files

Host Summary

The Host Summary page shows information collected from the server running VirusScan Enterprise for Linux. The information includes the number of files that have been scanned and any detections.

To view this page, click Host Summary under View in the navigation pane.

For more information about the scanning activity on the host, click its name in the Host column. The table contains the following information:

Table 4-1 Option definitions

Option Definition

Host Name of host being monitored. Click this address to view the Scanning Summary page for that host.

Status Status of the host:

• active — The host is being monitored.

• connecting, disconnecting — Brief changes of state.

• disconnected — Typically the host has been switched off, or its services are not running.

• on‑access disabled — On‑access scanning has been disabled on the host. See the On‑access settings section.

Files Scanned Number of items that have been scanned since VirusScan Enterprise for Linux was installed, or since the statistics counters were last reset.

Detected Items Number of detected items since VirusScan Enterprise for Linux was installed or since the statistics counters were reset. Click this number to see more details on the Detected Items page for that host.

DAT Version The 8‑digit (XXXX.YYYY) version number for the detection definition (DAT) files.


DAT Date Date when these DAT files were created. We regularly provide updated DAT files. If the date is more than a few days ago, your DAT files are probably out of date.

Extra DAT We occasionally provide an 'extra DAT' file to counter specific threats. If an 'extra DAT' file is available, click Yes to view the details on the Extra DAT page.

Engine Version Version of the scanning engine. Engines are updated less often than DAT files.

Product Version Version of the product.

To reset the Files Scanned and Detected Items to zero, see the General Settings page. See the General settings section.

Scanning Summary

The Scanning Summary page shows details of on‑access scanning activity on the host that you selected from the Host Summary page.

See the Host Summary section. Statistics about infections detected during on‑access and on‑demand scans are available from the Detected Items page and the rest will be available from System Events. See the Detected items and System Events section.

To view this page, click Scanning Summary under View in the navigation pane.

Figure 4-1 Scanning Summary page

Scanning statistics

The statistics are collected from the time when VirusScan Enterprise for Linux was installed, or since the statistics counters were last reset on the General Settings page.

The next table explains the information in each column.


Table 4-2 Option definitions

Option Definition

On‑Access status Indicates whether on‑access scanning is enabled.

Files scanned Number of files scanned since the host started or the counters were reset.

Detected items Number of items detected by on‑access scanning since VirusScan Enterprise for Linux was installed or since the count was last cleared. To see more details, click this number to view the Detected Items page.

Actions performed Actions that have been performed on files, in accordance with the settings on the On‑Access Settings page. For on‑access scans, Access denied means that all actions taken against the infection failed, or the action was set to deny access.

Files not scanned Numbers of files that were not scanned for various reasons. For example, some items are excluded because they are on specified excluded paths, or because of the file name extension.

Average scan time (ms) Measure of scan performance. Average time in milliseconds taken to scan an item.

Scanning uptime Time since VirusScan Enterprise for Linux was last started. Statistics about average scanning time are based on this period.

Host local time Time is expressed in 24‑hour format as local time on the host, and with a UTC offset. See the Displaying dates and times section.

Recently detected items

This information is continuously updated as files are accessed, then scanned and any viruses are detected.

Although a file name appears in the list, the file itself might no longer exist if VirusScan Enterprise for Linux has deleted the infected file. The following information is displayed under Recently Detected.

Table 4-3 Option definitions

Option Description

Time Time when the detection occurred.

File Name Name of the file, excluding its path.

Detected As Name of any virus or other potentially unwanted software. For more information, click the name to visit the Virus Information Library.

Detected Type Type of the detected item, such as:

• Program — A program (application) such as spyware, remote‑access software, or password cracker.

• Joke — Joke program.

• Test — Test virus such as EICAR.

• Trojan — Trojan‑horse program.

• Virus — Virus, and other types of infection.

User Name of the user who accessed the file.

Process Process that accessed the file.

Path Name of the file, including its full path. In the case of an archive or other file types that act as a container, this can include the name of an item within the archive.


Recently scanned items

This information is continuously updated as files are accessed and scanned. The following information is displayed under Recently Scanned.

Table 4-4 Option definitions

Option Description

Time Time when the scanning occurred.

File Name Name of the file, excluding its path.

Detected As This column appears only if a recently scanned file was infected.

Name of any virus or other potentially unwanted software. For more information, click the name to visit the Virus Information Library.

Detected Type This column appears only if a recently scanned file was infected.

Type of the detected item, such as:

• Program — A program (application) such as spyware, remote‑access software, or password cracker.

• Joke — Joke program.

• Test — Test virus such as EICAR.

• Trojan — Trojan‑horse program.

• Virus — Virus, and other types of infection.

User Name of the user who accessed the file.

Process Process that accessed the file.

Path Name of the file, including its full path. In the case of an archive or other file types that act as a container, this can include the name of an item within the archive.

If the path name is very long, move the horizontal scroll bar to see it all clearly.

Obtaining a diagnostic report

A diagnostic report contains detailed information that is useful to our technical support staff if you need to contact them.

Task

1 In the Scanning Summary page, click Diagnostic Report. After a message such as Loading, the console displays a list of system events, configuration details, and other information.

2 Using the browser, you can copy the information for later analysis. Typically, you select Select All from a right‑click menu (or Ctrl+A), copy then paste the text as required.

Detected items

The Detected Items page shows a list of items that have been detected as containing a virus or other potentially unwanted software. The range of items that you see can vary because this depends on how you navigated to this page.

For example, if you navigated directly to this page from the left‑hand navigation pane or you selected the count of Detected Items in the Scanning Summary page, you see items detected today by on‑access scanning.


If you navigated to this page from a task in the Scheduled Tasks page for an on‑demand task, then you see items detected during the last run of the task.

To view this page, click Detected Items under View in the navigation pane. From this page, you can modify the view to show information about items detected by on‑access scanning or detected by an on‑demand scan.

Figure 4-2 Detected Items page

The Detected Items page has two areas — Query and Results.


Analyzing the detected items

Under Query, you can refine the information that is displayed under Results.

You can examine entries made between, before or after specified dates and times, and you can filter the information further. For example, you can find all occurrences of a particular virus. This feature is useful if VirusScan Enterprise for Linux has detected a large number of viruses, and it enables you to analyze trends.

• To view information about detections during on‑access scanning, select On‑Access, at for.

To view information about detections during an on‑demand scan, select On‑Demand, at for. Then, select the name of the on‑demand task.

• To examine information after a specified date, select from. To examine information before a specified date, select to. Select the date and time.

To examine information between two dates, select both from and to, then select the dates and times.

• Click Find Results.

After a short time, VirusScan Enterprise for Linux updates the information under Results.

Task

1 At where, use the checkboxes on the right to select from items such as Path and User. For descriptions, see the table in Recently detected items section.

2 Enter or select the details to match. Enter any path names in the correct case.

3 Click Find Results. After a short time, VirusScan Enterprise for Linux updates the information under Results.

Viewing the results

The Results area of the page, below Query, has a table with several rows and columns. The number of rows is typically up to 10.

To change the number, see the General settings section. The area contains the following information:

Table 4-5 Option definitions

Option Definition

Time Time when the detection occurred.

File Name Name of the file, excluding its path.

Result Result of the scan. This is one of the following:

• Cleaned, Deleted, Quarantined, or Renamed.

• Clean Failed, Delete Failed, Quarantine Failed, or Rename Failed.

• Access denied — No cleaning occurs but VirusScan Enterprise for Linux denies further access to the file. This option applies to on‑access scans only.

Detected As Name of any virus or other potentially unwanted software. For more information, click its name to view its details in our Virus Information Library.

Detected Type Type of infection, such as Joke.

User Name of the user who accessed the file. This field is not available in the results of on‑demand scans.


Process Process that accessed the file. This field is not available in the results of on‑demand scans.

Path Name of the file, including its full path. This field is not available in the results of on‑demand scans.

To see more rows of information, use the navigation arrows and numbers below the table, for example: << 1 2 3 >>. See Navigating through long tables section.

To refine the information, use the Query filter. See Analyzing the detected items section.

If the page is showing on‑access scanning, or if VirusScan Enterprise for Linux is still running a scheduled scan, click Refresh to see the latest detections.

Exporting the results for analysis

You can save all the information under Results as a CSV (Comma‑Separated Values) file, then import the information into a spreadsheet program, such as Microsoft Excel or Lotus 123, for further analysis.

Task

1 Click Export to CSV.

2 In the next dialog box, save the file. The default name is detitems.csv.


System events

The System Events page shows details of events such as system errors, updates to DAT files, and changes in configuration for the host that you selected from the Host Summary page.

To view this page, click System Events under View in the navigation pane.

Figure 4-3 System Events page

The page has two areas — Query and Results.

The table under Results has several rows and columns. The number of rows is typically limited to 10. To change the number, see the General settings section. To see the latest events, click Refresh.

The columns contain the following information:

Table 4-6 Option definitions

Option Definition

Time Time at which the event occurred. See the Displaying dates and times section.

Code Event code (a number relating to the error or information event).

Type Type of event — Error or Information.

Description Details of the event or error.

Analyzing the system events

Under Query you can refine the information that is displayed under Results.

You can examine entries made between, before or after a specified date and time, and you can filter the information further, for example, you can find all occurrences of a particular error code. This feature is useful if VirusScan Enterprise for Linux has generated a large number of events, and enables you to analyze trends.


Task

1 To examine information after a specified date, select from. To examine information before a specified date, select to. Select the date and time. To examine information between two dates, select both from and to, then select the dates and times.

2 Click Find Results. After a short time, VirusScan Enterprise for Linux updates information under Results.

VirusScan Enterprise for Linux uses ranges to categorize events to different parts of the product. For example, all engine‑related errors are in the range 3000‑3999. See the table Error code ranges for System Events log under Error messages section.

At Code, you can specify a single code or a range of codes, for example:

Code Description

3000 Only the 3000 code event.

3001 Only the 3001 code event.

3000‑ All events above and including code event 3000.

‑3000 All events up to and including code 3000.

1000‑3000 All events between 1000 and 3000, including 1000 and 3000.

Exporting the results for analysis

You can save information under Results as a CSV (Comma‑Separated Values) file, then import the information into a spreadsheet program such as Microsoft Excel or Lotus 123, for further analysis.

The System Events page shows only a few rows of information, typically 10 at a time. However the export will include all the events that match the query specification. The title line of the Results table shows the full number, for example: (101 to 110 of 2359). If the full number of rows is large, the export can take some time, during which the scanning performance is slower, and the host performance might also be affected.

Task

1 Under Query, specify the information you want to see as described in Analyzing the system events section, and click Find Results.

2 Click Export to CSV.

3 In the next dialog box, save the file. The default name is sysevents.csv.
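The Code filter syntax described under Analyzing the system events (a single code, 3000‑, ‑3000, 1000‑3000) can be re-applied offline to an exported sysevents.csv, for example to count engine‑related errors in the 3000‑3999 range. The following Python is an added example, not part of the product or this guide; the CSV header names (Time, Code, Type, Description) are an assumption taken from the Results table columns, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# One code or a range. The dash may be ASCII "-" or the non-breaking
# hyphen (U+2011) that appears when the syntax is copied from the guide.
_SPEC = re.compile(r"^\s*(\d*)\s*([-\u2011]?)\s*(\d*)\s*$")


def parse_code_spec(spec):
    """Turn a Code filter string into inclusive (low, high) bounds.

    None means the range is open on that side, as in "3000-" or "-3000".
    """
    m = _SPEC.match(spec)
    if m is None:
        raise ValueError(f"not a code or code range: {spec!r}")
    low, dash, high = m.groups()
    if not dash:
        # A single code: exactly one number and nothing after it.
        if not low or high:
            raise ValueError(f"not a code or code range: {spec!r}")
        return int(low), int(low)
    if not low and not high:
        raise ValueError(f"range has no bounds: {spec!r}")
    lo = int(low) if low else None
    hi = int(high) if high else None
    if lo is not None and hi is not None and lo > hi:
        raise ValueError(f"range is reversed: {spec!r}")
    return lo, hi


def filter_events(csv_text, spec):
    """Return the rows of an exported events CSV whose Code matches spec."""
    lo, hi = parse_code_spec(spec)
    matched = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            code = int(row["Code"])
        except (KeyError, TypeError, ValueError):
            continue  # skip rows without a numeric Code column
        if (lo is None or code >= lo) and (hi is None or code <= hi):
            matched.append(row)
    return matched


def count_by_code(rows):
    """Count how often each event code occurs, for trend analysis."""
    return Counter(int(row["Code"]) for row in rows)


# Constructed sample data; the header layout is assumed, not documented.
SAMPLE_CSV = '''Time,Code,Type,Description
"May 02, 2012 12:01:05",1001,Information,constructed event A
"May 02, 2012 12:11:35",3000,Error,constructed event B
"May 03, 2012 01:01:53",3001,Error,constructed event C
"May 03, 2012 04:10:00",3001,Error,constructed event D
"May 04, 2012 02:01:06",3500,Error,constructed event E
"May 04, 2012 02:05:00",4002,Information,constructed event F
'''

if __name__ == "__main__":
    engine_rows = filter_events(SAMPLE_CSV, "3000-3999")
    for code, n in sorted(count_by_code(engine_rows).items()):
        print(code, n)
```

To use it on a real export, read sysevents.csv into a string and adjust the column name if the exported header differs from the assumed one.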

Scheduled tasks

VirusScan Enterprise for Linux uses scheduled tasks to enable you to update the scanning engine and virus definition (DAT) files, or to run on‑demand scans.

You can choose these tasks to run immediately, to run once, or to run at regular times. To schedule a new task, see the Setting Up Schedules section.


The Scheduled Tasks page shows all tasks that you have scheduled under Task Summaries. To view this page, click Scheduled Tasks under View in the navigation pane.

Figure 4-4 Scheduled Tasks page

The page has two areas — Task Summaries and Task Details.

Task Summaries has the following information:

Table 4-7 Option definitions

Option Definition

Name Name of the task. To see the details for any task, click its name.

Type Type of task — Update or On‑Demand scan.

Status Status of the task, such as Idle, Completed, In Progress or Failed.

Results Result of each task.

To see any more rows of information, use the navigation arrows and numbers, below the table. See Navigating through long tables section.

To see extra information about any task, click its name under Task Summaries. The following information then appears under Task Details.

Table 4-8 Option definitions

Option Definition

Status Status of the task — Idle (not started), Completed, Failed, In Progress, or Stopped (by the user). (Stopping might appear briefly before Stopped.)

Next Run Scheduling information for the task. This applies to regular tasks only.

Last Run Date and time when the task was last run.


Progress Progress of the task. During an on‑demand scan, this field shows the number of files that have been scanned, and other information such as the number of files that were excluded from scanning. During an update, this field shows text messages about each stage. You can click any blue link here to see messages about this task in the System Events page.

Duration The time taken for the last task, or the elapsed time on the current task.

Results For an on‑demand scan, a completed scan shows as the number of detected items. For more information, click the number to open the Detected Items page. If an update has completed, click here to open the System Events page and find more information.

If a failure occurred, click here to open the System Events page and find the reason.

The buttons under Task Details enable you to run, stop, modify, or delete the task, as appropriate. To see the latest status of the tasks, click Refresh.

Running a task immediately

Use this task to execute a scheduled task immediately.

Task

1 Under Task Summaries, click the task name to display its details under Task Details.

2 Under Task Details, click Run Now.

The task runs immediately. The results appear at Results under Task Details.

Modifying an existing scheduled task

Use this task to modify an existing scheduled task. If you no longer need a task but you want to set up a similar task, you can modify the existing task.

Task

1 Under Task Summaries, select the existing task.

2 Under Task Details, click Modify.

3 Follow the procedures given in:

• Creating a schedule to update the product section

• Creating a schedule to run an on‑demand scan section

Deleting an existing scheduled task

Use this task to delete an existing scheduled task. If you no longer need a scheduled task, you can delete it.

Task

1 Under Task Summaries, select the task name.

2 Under Task Details, click Delete.


Stopping a task

Use this task to stop a scheduled task which is running.

Task

1 Click Stop. This will set the status to Stopping.

2 Click Stop again. This will set the status to Stopped.

You may now run or delete the task.

Information about extra DAT files

An extra.dat is a supplemental virus definition file that we occasionally create in response to an outbreak of some potentially unwanted software such as a new virus or a new variant of an existing virus.

The Extra DAT page shows information about any extra.dat file that is in use on the selected host. The information includes the names of viruses and other potentially unwanted software that the extra.dat file can detect.

To view this page, click on the text — for example Yes(5) — under the Extra DAT column on the Host Summary page. If the column contains No, no extra.dat file is available for the host, and VirusScan Enterprise for Linux does not display the page.

Figure 4-5 Extra DAT page

For information about any virus in the list, click on its name, to link to our Virus Information Library.


5 Setting up schedules

Set up schedules to update the product or run an on‑demand scan.

From the Schedule area of the navigation pane, you can protect your Linux hosts, by running the following tasks on a regular basis:

• Update the product. At least once per day, you must update virus definition (DAT) files to ensure that VirusScan Enterprise for Linux can recognize new viruses and other potentially unwanted software. See Updating the product section.

• Run an on‑demand scan. VirusScan Enterprise for Linux normally examines files as they are accessed, but for full security, scan other files occasionally. See Running on‑demand scans section.

Product updating and on‑demand scans are likely to be needed on a regular basis. VirusScan Enterprise for Linux enables you to create multiple schedules, for running these tasks at predetermined intervals.

You can also use the schedule options to create an immediate scan or update. These can be created in response to a suspected virus attack, where you want to use the latest available DAT files to counter any new viruses, then run the anti‑virus software to ensure that your hosts are free from the new viruses.

You can also run these tasks from a command line. This can be useful at times when you do not want to use the browser interface, such as within a script.

Understanding time differences

It is important to understand how to set up times for scans and updates. Suppose you are in Los Angeles, using a browser to control a host that is running VirusScan Enterprise for Linux in New York. When you schedule the time and date, it will be the local time in New York. The time difference between these two locations is typically three hours. Therefore if you set an on‑demand scan to run at midnight, the scan will run at midnight in New York, and you will see the results of the scan from 9 p.m. in Los Angeles.

Contents

• Using a wizard

• Updating the product

• Running on-demand scans


Using a wizard

Each type of scheduling works in a similar way, using a wizard‑like process to make the task easier.

See the Using wizards section. The process leads you through a few pages where you enter the following information:

• When the scan or update will take place.

• What to scan or update.

• The name of the task.

Updating the productThe VirusScan Enterprise for Linux software depends on information in the virus definition (DAT) filesto identify viruses. Without updated information on the latest virus threats, no anti‑virus software candetect new virus strains or respond to them effectively. Software that is not using current DAT filescan compromise your virus‑protection program.

Hundreds of new viruses appear every month. To meet this challenge, we release new DAT files everyday, incorporating the results of our ongoing research into the characteristics of new viruses and theirvariants. The update task that is provided with the VirusScan Enterprise for Linux software makes iteasy to take advantage of this service.

This feature allows you to download the latest DAT files or a new scanning engine, using an immediateupdate or a scheduled update.

You can also create an unscheduled update. Here, you provide information about an update but do notattach a schedule to it. You can then run the update at any time, or run it from a command line.

Within your network, you need at least one computer that can download the files from our FTP site.See details of the download site in Contact information section. The VirusScan Enterprise for Linuxsoftware can then access the FTP site directly or it can copy files from that computer.


To use this feature, click Product Update under Schedule in the navigation pane.

Figure 5-1 Product Update page

Creating a schedule to update the product

Use this task to create a schedule to update VirusScan Enterprise for Linux.

To create a schedule to update the virus definition files or the scanning engine, click Product Update under Schedule in the navigation pane.

Task

1 Choose when to update.

a Select how frequently you want the update to occur.

b If you select any option other than Immediately or Unscheduled, enter further details for the date, day, month and time (as appropriate) for the update to run. See the Understanding time differences section.

c Click Next.

2 Choose what to update.

a Select what you want to update — DAT files or scanning engine.

b Click Next.


3 Enter a task name.

a Enter a unique name for the update. This will help you to locate the task later in the list of scheduled tasks.

b Click Finish.

VirusScan Enterprise for Linux displays the Scheduled Tasks page (see Scheduled tasks section), and the update runs at the times you defined in the schedule.

Running on-demand scans

On‑demand scanning provides a method for scanning all parts of your host at convenient times or at regular intervals. Use it to supplement the continuous protection that the on‑access scanner offers, or to schedule regular scan operations when they will not interfere with your work.

VirusScan Enterprise for Linux scans files as they are written to or read from disk. During these scans, VirusScan Enterprise for Linux uses the installed virus definition (DAT) files to check for any viruses or potentially unwanted software within the files.

You can perform a one‑time on‑demand scan when you want to scan a file or location that you believe is vulnerable or you suspect of containing a virus infection, or you can perform scheduled scanning activities at convenient times or at regular intervals.

You can also create an unscheduled scan. Here, you provide information about a scan but do not attach a schedule to it. You can then choose to run the scan at any time, or run it from a command line.

To use this feature, click On‑Demand Scan under Schedule in the navigation pane.

Figure 5-2 On‑Demand Scan page


Creating a schedule to run an on-demand scan

Use this task to create a schedule to run an on‑demand scan.

To create a schedule to run an on‑demand scan, click On‑Demand Scan under Schedule in the navigation pane.

Task

1 Choose when to scan.

a Select how frequently you want the scan to run.

b If you select any option other than Immediately or Unscheduled, enter any further details for the date, day, month and time for the scan to run. See the Understanding time differences section.

c Click Next.

2 Choose what to scan.

Here, you can build a list of shares to scan.

a Select a share. Optionally, you can enter a path name. Make sure that the path name is in the correct case and that the directory already exists.

b To scan its subdirectories, select the checkbox under Scan Sub‑Directories.

c Click Add.

d Add any more directory names. To remove any directory name, click Remove.

e Click Next.

3 Choose scan settings.

Select the settings. They are organized into these main areas:

• Scanning options

• Paths excluded from scanning

• Extension‑based scanning

• Anti‑virus actions

4 Enter a task name.

a Enter a unique name for the on‑demand scan. This enables you to locate the task later in the list of scheduled tasks.

b Click Finish.

VirusScan Enterprise for Linux displays the Scheduled Tasks page, and the scan runs at the times you defined in the schedule.


6 Configuring VirusScan Enterprise for Linux

When you first use VirusScan Enterprise for Linux, it provides optimum protection against viruses and other potentially unwanted software. However, you can modify these settings to suit your own computing environment.

From the Configure area of the navigation pane, you can configure the following areas within the VirusScan Enterprise for Linux software:

• Configure some general settings.

• Reset all the configuration settings to those at installation time.

• Specify settings for on‑access scanning.

• Specify default settings for new on‑demand tasks.

• Determine how to issue notifications of virus attacks and other events.

Contents

• General settings

• On-access settings

• On-demand settings

• Notifications

General settings

From the General Settings page, you can change the appearance of pages in the browser interface, the behavior of logging, and the collection of statistics.

To view this page, click General Settings under Configure in the navigation pane.


To make any changes to the settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.

Figure 6-1 General Settings page

The page has two main areas:

• Browser Interface

• Logging

This page also has two important buttons:

• Clear Statistics

• Reset Defaults

Browser interface

Under Browser interface, you can view and change settings such as the refresh interval.

The next table explains the information in each column.

Table 6-1 Option definitions

| Option | Definition |
|---|---|
| Refresh interval (seconds) | The browser automatically updates the contents of pages such as the Scanning Summary page. By default, the page is refreshed every 10 seconds, but you can adjust the interval between 5 and 600 seconds. |
| Results per page | Number of rows of information shown in certain pages under Results, namely in the Detected Items, Scheduled Tasks, and System Events pages. By default, 10 rows are displayed at a time, but you can adjust the number between 1 and 50 rows. |
| Display time UTC offset | Wherever time values are displayed — as in scheduled tasks and detections — an offset value is displayed in UTC form to help you understand any time‑zone differences. |
| Hide quick help on startup | Quick Help pane is not displayed when logging in to the browser interface. |


Logging

Under Logging, you can view and change settings such as the level of detail that you require.

The next table explains the information in each column.

Table 6-2 Option definitions

| Option | Definition |
|---|---|
| Detail level | Level of logging information that VirusScan Enterprise for Linux records in its database. A high level can affect performance and the size of the database. By default, the level is Normal. Options are Low, Normal, and High. |
| Additionally log to SYSLOG | Indicates if information logged to the VirusScan Enterprise for Linux database is also logged to SYSLOG. By default, this is not required. |
| Detail level for SYSLOG | (This field is only available if Additionally log to SYSLOG is selected.) Level of detail of the information to be logged to SYSLOG. Disabled if logging to SYSLOG is checked. By default, the level is Low. Options are Low, Normal, and High. |
| Limit age of log entries | Indicates if information in the log will be automatically removed later, based on the age of the log entries. |
| Maximum age of log entries | (This field is only available if Limit age of log entries is selected.) Limits the age of entries in the VirusScan Enterprise for Linux database to the specified number of days. After the specified number of days, old entries are automatically removed. This helps to limit the size of the database. Maximum age of log entries (days) ‑ By default, the limit is 28 days, but you can adjust the limit between 1 and 999 days. |
| Statistics last cleared | Indicates when statistics were removed by clicking Clear statistics. |

Clearing statistics

Use this task to clear all the statistics.

To clear all the statistics, click Clear statistics.

The values of Files scanned and Detected items in the Scanning Summary page are reset to zero, and current information in the Recently scanned and Recently detected areas is cleared.

Resetting configuration settings

To reset all the configuration settings to those at installation time, click Reset Defaults.

The settings include:

• On‑access settings

• On‑demand defaults

• Notification settings

• Settings for the browser interface and logging

On-access settings

The On‑Access Settings page shows how VirusScan Enterprise for Linux will respond when a virus or other potentially unwanted software is detected whenever files are accessed. The available settings for on‑access scanning and on‑demand scanning are similar. To view this page, click On‑Access Settings under Configure in the navigation pane.

To make any changes to the settings, click Edit. To apply the new settings, click Apply. See Changing the settings section for more information.

The On‑Access Settings page has these main areas:

• Scanning options

• Paths excluded from scanning

• Extension‑based scanning

• Anti‑virus actions

Scanning options

The scanning options determine which types of file VirusScan Enterprise for Linux will scan. By default, all these scanning options are available, unless stated.

The next table explains the options.

Table 6-3 Option definitions

| Option | Definition |
|---|---|
| Enable On‑Access Scanning | This item appears for on‑access scanning only. |
| Decompress archives | VirusScan Enterprise for Linux scans inside file archives such as .tar or .tgz files. The decompression can slow performance; any virus‑infected file inside an archive cannot become active until it has been extracted. |
| Find unknown program viruses | VirusScan Enterprise for Linux uses heuristic analysis to identify potential new file viruses. |
| Find unknown macro viruses | VirusScan Enterprise for Linux uses heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products. |
| Decode MIME encoded files | Email messages are typically encoded in MIME format. Use of this option can affect performance. If your network has other anti‑virus software for handling email, you might not require this option. |
| Find potentially unwanted programs | These programs might be dangerous but they are not viruses. They include programs such as spyware, remote‑access utilities, and password crackers. |
| Find joke programs | Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have selected Find potentially unwanted programs. |
| Scan files when writing to disk | Scan the contents of each file when it is closed. |
| Scan files when reading from disk | Scan the contents of each file when it is opened. |
| Scan files on network mounted volumes | Scan the network mounted files on /mnt or any mounted folder. When this option is disabled, network mounted volumes are not scanned, even if they contain infected files. |
| Extension‑based Scanning | Indicates how VirusScan Enterprise for Linux will handle files that have extension names (for example, .txt and .exe). By default, VirusScan Enterprise for Linux scans all files regardless of the file name extension. See the Extension‑based scanning section. |
| Maximum scan time (seconds) | Number of seconds after which scanning will stop. This feature prevents large files reducing overall performance, and protects against corrupted files and denial‑of‑service attacks. By default, this is 45 seconds but may be between 10 and 300 seconds. On computers with low‑specification hardware, VirusScan Enterprise for Linux might abandon scanning of some large files because of the length of time taken. In such cases, we recommend that you increase this number. |

Paths excluded from scanning

VirusScan Enterprise for Linux supports excluding specific paths/files (either path or regular expression format) from being scanned. You can add exclusions for on‑access scan and on‑demand scan from the product user interface.

Some shares (or paths) might not require scanning, or you might prefer not to scan them frequently. For example:

• Directories that contain only plain text files or other file types that are not prone to infection.

• Directories that contain executable files that have file permissions that prevent them being modified.

• Directories that contain large archive files and compressed files.

• Directories that contain files already known to be infected (quarantined).

Task

1 Click Edit.

2 Under Paths Excluded From Scanning, add the absolute path or regular expression for the file/folder you want to exclude and click Apply.

For example: directory1 or directory1/subdirectory2

Enter path names in the correct case. Do not use symbolic links. For bind mounts (which appear in more than one place in the directory), add each path that you want to exclude.

You can use regular expressions to represent the pattern matching within directory name(s) or file name(s). See the Examples for Regular expression based exclusions section.

3 Under Paths Excluded From Scanning, add the path or regular expression for the file/folder you want to exclude and click Apply.

For example: directory1 or directory1/subdirectory2

Enter path names in the correct case.

You can use regular expressions to represent the pattern matching within directory name(s) or file name(s).

4 To exclude the sub‑directories from scanning, select the checkbox in the Exclude All Sub‑Directories column of that row.

5 From Choose a share from the list below category, select a share.


6 Type the regular expression under Specify sub‑directories (optional) text box. For specific examples, see the Examples for Regular expression based exclusions section.

7 Click Add in that row. An extra row is added to the table.

To remove any exclusion, click Remove in its row.

Examples for Regular expression based exclusions

Regular expression Example

To exclude all files starting with abc available in Documents/xyz folder

xyz/abc.*

To exclude all files with extensions .jar and .VOB under Backups/demo share

demo/.*\.(jar|VOB)$

To exclude all files with extension .mp3 and .mp4 under Music share

.*\.(mp3|mp4)$

Regular expression Example

To exclude all files starting with abc available in /media/nss

/media/nss/abc.*

To exclude all files starting with "." under /media/nss

/media/nss/\..*

To exclude all files with extensions ext and abc under /media/nss

/media/nss/.*\.(ext|abc)

To exclude all users mail boxes folders

/home/.*/mailbox/.*

To exclude all files and folders starts with abc in the machine

.*/abc.*

To use the regular expressions from ePolicy Orchestrator:

• You should include "/" as the first character. For example: From ePolicy Orchestrator, to exclude all files and folders starting with abc in the machine use the regular expression: /.*/abc.*

• Ensure that there are no escape sequences included in the regular expression. For example: From ePolicy Orchestrator, to exclude all files starting with "." under /media/nss use the regular expression: /media/nss/..*
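An added example (not part of the product guide or McAfee's code) that lists what the absolute-path patterns above would leave unscanned, and compares the escaped dotfile rule with its unescaped ePolicy Orchestrator form. It assumes the patterns behave like ordinary regular expressions applied from the start of the path, approximated here with Python's re module; the sample paths, rule names and function names are constructed for illustration.

```python
import re

# Exclusion patterns copied from the guide's absolute-path examples.
# The dictionary keys are labels invented for this example.
GUIDE_PATTERNS = {
    "abc-prefixed files": r"/media/nss/abc.*",
    "dotfiles": r"/media/nss/\..*",
    "ext/abc extensions": r"/media/nss/.*\.(ext|abc)",
    "user mailboxes": r"/home/.*/mailbox/.*",
}
# The guide's ePolicy Orchestrator form of the dotfile rule (no escape sequence).
EPO_DOTFILE = r"/media/nss/..*"

# Constructed sample paths, not taken from any real host.
SAMPLE_PATHS = [
    "/media/nss/abc_report.txt",
    "/media/nss/.cache",
    "/media/nss/data.ext",
    "/media/nss/tool.abcd",
    "/media/nss/run.sh",
    "/home/alice/mailbox/inbox",
    "/home/alice/bin/mailbox.sh",
    "/opt/app/abc.bin",
]


def is_excluded(pattern, path, full=False):
    """Return True if `path` falls under the exclusion `pattern`.

    Assumption: the pattern is applied from the start of the path
    (re.match). With full=True the whole path must match, which models a
    stricter engine; confirm which behaviour your installation shows.
    """
    rx = re.compile(pattern)
    return bool(rx.fullmatch(path) if full else rx.match(path))


def audit(patterns, paths, full=False):
    """Map each rule name to the sample paths it would leave unscanned."""
    return {
        name: [p for p in paths if is_excluded(rx, p, full)]
        for name, rx in patterns.items()
    }


def widened_by(narrow, broad, paths):
    """Paths excluded by `broad` that `narrow` would still have scanned."""
    return [p for p in paths
            if is_excluded(broad, p) and not is_excluded(narrow, p)]


if __name__ == "__main__":
    for name, hits in audit(GUIDE_PATTERNS, SAMPLE_PATHS).items():
        print(f"{name}: {hits}")
    print("extra paths excluded by the unescaped form:",
          widened_by(GUIDE_PATTERNS["dotfiles"], EPO_DOTFILE, SAMPLE_PATHS))
```

Under these assumptions the unescaped form covers every file under /media/nss, and a pattern without a trailing $ also covers names that merely begin with the listed extension, so it is worth running candidate exclusions against a listing of the real share before applying them.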

Extension-based scanning

VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus definition files include a comprehensive list of file name extensions that are susceptible to attack. The list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The extension name is not case‑sensitive.

This table only becomes visible when you click Edit. However, you can see the chosen setting at Extension Based Scanning in the first table.

If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft Windows users, it might be useful to specify the types of files to scan according to their file name extension. However, we recommend that all files are scanned where possible.

You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those in the default list. You cannot remove any extension names from the default list, although you can build your own list of extension names based on those in the current default list.


This area of the page allows you to limit scanning to certain types of file.

Figure 6-2 Extension Based Scanning

The choices available in this area are as follows:

Scanning all files

To scan all files regardless of file name extension, under Extension Based Scanning, select Scan all files.

This is the default setting.

Scanning default files and specific files

Use this task to scan the default files and specific files.

Task

1 Under Extension Based Scanning, select Default + specified.

2 At New, type the file name extension, for example AAA or aaa.

3 Click Add to move the name to the Specified list.

To remove names from the Specified list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.

If a new file name extension is included in later virus definition files, files with that file name extension will also be scanned.

Scanning specific files

Use this task to scan specific files.

Task

1 Under Extension Based Scanning, select Specified.

2 At New, type the file name extension, for example AAA or aaa.

3 Click Add to move the name to the Specified list.


4 To build a list quickly, click Set Defaults to copy all names from the virus definition files into the Specified list. You can then modify the Specified list.

The file name extensions in the Specified list do not change automatically. Therefore, if a new file name extension is included in later virus definition files, files with that file name extension will not be scanned.

To remove names from the Specified list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.

If a new file name extension is included in later virus definition files, files with that file name extension will also be scanned.

Anti-virus actions

You can configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other potentially unwanted software.

This area of the page allows you to choose the actions.

Figure 6-3 Anti‑virus Actions

The actions are:

• clean — Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.

• continue — Reports the detection and continues scanning. This action is only available for on‑demand scanning.

• delete — Deletes the infected file.

• deny access — Prevents further access to the infected file. This action is only available for on‑access scanning.

• quarantine — Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.

• rename — Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.

The next table explains the information in each column.

Table 6-4 Option definitions

| Option | Definition |
|---|---|
| Action for viruses and Trojan horses | Actions to take when a virus or Trojan‑horse program is detected. Your second choice of action is limited by your first choice. You cannot choose both actions to be the same. |
| Action for applications and joke programs | Actions to take when a potentially unwanted application or joke program is detected. Your second choice of action is limited by your first choice. You cannot choose both actions to be the same. |
| Action on time out | Action to take when the scanning takes too long to complete. You can choose to allow or deny access to the suspect file. |
| Action if an error occurs during scanning | Action to take if a fault occurs such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action. You can choose to allow or deny access to the suspect file. |
| Quarantine directory | Name of the quarantine file, as set up at installation time. |

If any action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on‑access scanning, VirusScan Enterprise for Linux blocks access to the infected file. For on‑demand scanning, VirusScan Enterprise for Linux reports that the file is infected.

On-demand settings

The On‑Demand Settings page shows how VirusScan Enterprise for Linux will respond when a virus or other potentially unwanted software is detected during an on‑demand scan.

See Running on‑demand scans section. Settings for on‑access scans and on‑demand scans are similar.

This page shows the default settings that will be applied to all new tasks. Any on‑demand scanning tasks that you previously configured retain their own settings. To change any settings in an existing task, see Modifying an existing scheduled task section.

To view this page, click On‑Demand Settings under Configure in the navigation pane. To change any settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.


Notifications

From the Notifications page, you can specify who will receive email notification of events such as virus detection and changes to the scanning options. VirusScan Enterprise for Linux sends the email messages using the SMTP email protocol.

To view this page, click Notifications under Configure in the navigation pane. To change any settings, click Edit. To apply the new settings, click Apply. See Changing the settings on a page section for more information.

Figure 6-4 Notifications page

SMTP notifications

From this area, you can define which events will be notified.

The next table explains the available settings.

Table 6-5 Option definitions

| Option | Definition |
|---|---|
| Item detected | Details of a detection of a virus or other potentially unwanted software. Here, for example, you can decide whether to issue a notification if any joke programs are detected. |
| Out of date | Details of out‑of‑date DAT files. Here, for example, you can decide whether to notify if DAT files are more than 10 days old. |
| Configuration change | Details of changes to the settings for on‑access scanning, notifications and general settings. Changes to the settings for on‑demand scans are not notified. Here, for example, you can decide whether to notify if changes are made to the settings for on‑access scanning. |
| System events | Details of any important events. Here, for example, you can specify the range of system events or event types to be forwarded by SMTP. |

To enable any notification feature, select its checkbox in the left column under SMTP Notification.

For each type of notification, VirusScan Enterprise for Linux provides a default subject and a message. You can change these messages to suit your organization. Messages can include substitution variables, such as %hostname% to indicate the host name. To include variables in any message, see Substituting variables in notification templates section.

To restore the default message, click Reset.

SMTP settings

From this area, you can define who VirusScan Enterprise for Linux will notify about the events specified in SMTP Notifications.

The next table explains the available settings.

| Option | Definition |
|---|---|
| Server | Name and port of the server that sends the email message. This is set up during installation. |
| From | Name of the sender. By default, this is the address that was given during installation. |
| To | Names of the recipient. For example: [email protected] |

To add to the list of recipients:

1 At To, type the email address in New. For example: [email protected].

2 Click Add, to move the name to the Recipient list.

To remove the list of recipients:

To remove names from the Recipient list, select each name, then click Remove:

• To select one name, just click the name.

• To select a range of names, click the first, then use Shift+Click to select the last.

• To select several names, use Ctrl+Click.


7 Advanced features

This section describes some advanced features of VirusScan Enterprise for Linux.

Contents

• Substituting variables in notification templates

• How the quarantine action works

Substituting variables in notification templates

This section describes the variables that you can substitute in a notification.

The notification messages described in Notifications section can use variables that VirusScan Enterprise for Linux substitutes when sending a message. For example, the template message:

File, %filename% is infected on %hostname%.

becomes

File, example.exe is infected on computer1.

The following table lists all the available variables. Some variables are valid only in particular instances.

Table 7-1 Substitution variables

| Valid for ... | Variable | Equivalent field in the interface | Description |
|---|---|---|---|
| All alerts | %hostname% | <none> | Name of the host on which VirusScan Enterprise for Linux is installed. |
| All alerts | %hostip% | <none> | IP address of host on which VirusScan Enterprise for Linux is installed. |
| All alerts | %productversion% | Host Summary page — Product Version | Version of the product. |
| Item detected | %detectedas% | Detected Items page — Detected As | Name of the virus. |
| Item detected | %detectedby% | Detected Items page — Task | "On‑Access" if detected by the on‑access process, or name of the On‑Demand task which detected the infection. |
| Item detected | %detectedtime% | Detected Items page — Time | Date and time on the local host for detected item. |
| Item detected | %detectedtype% | Detected Items page — Detected Type | Type of the virus. |
| Item detected | %detectedutc% | Detected Items page — Time | Date and time on the local host, with UTC offset shown in brackets. For example: May 02 2008 12:30:12 (+5:30 UTC). |
| Item detected | %engineversion% | Host Summary page — Engine Version | Version number of the scanning engine. |
| Item detected | %extradatcount% | Host Summary page — Extra DAT | Number of signatures in the extra.dat file. |
| Item detected | %extradatflag% | Host Summary page — Extra DAT | Yes or No to indicate if an extra.dat file is present. |
| Item detected | %filename% | Detected Items page — File Name | Name of the file which was scanned (excluding path). |
| Item detected | %path% | Detected Items page — Path | Name of the file which was scanned (including path). |
| Item detected | %process% | Detected Items page — Process | Name of process resulting in the scan. |
| Item detected | %result% | Detected Items page — Result | Result of any action taken for the detected infection. |
| Item detected | %user% | Detected Items page — User | Name of user who caused the scan. |
| Out of date, and Item detected | %datage% | <none> | Age of the DAT files in days, from the VirusScan Enterprise for Linux host date and time. |
| Out of date, and Item detected | %datdate% | Host Summary page — DAT Date | Date when the current DAT files were created. |
| Out of date, and Item detected | %datversion% | Host Summary page — DAT Version | Version of the DAT files. |
| Configuration change | %configchange% | <none> | Configuration change made — modified, on‑access detection enabled, or on‑access detection disabled. |
| System events | %eventcode% | System Events page — Code | Error code for the event. |
| System events | %eventdescription% | System Events page — Description | Error description for the event. |
| System events | %eventtime% | System Events page — Time | Date and time on the local host for event. |
| System events | %eventtype% | System Events page — Type | Error type for the event. |
| System events | %eventutc% | System Events page — Time | Date and time for the event on the local host, with UTC offset shown in brackets. For example: May 02 2008 12:30:12 (‑5:00 UTC). |
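An added example (not McAfee's code) of checking a custom notification message against Table 7-1 before saving it: it flags variables that are misspelled or not valid for the chosen notification type, then renders the guide's sample message. It assumes "All alerts" means the four notification types in Table 6-5; the function names and sample values are constructed for illustration.

```python
import re

# Notification types from Table 6-5; "All alerts" is assumed to mean all four.
ALL = {"Item detected", "Out of date", "Configuration change", "System events"}

# Variable name -> notification types it is valid for (from Table 7-1).
VALID_FOR = {}
for names, kinds in (
    ("hostname hostip productversion", ALL),
    ("detectedas detectedby detectedtime detectedtype detectedutc "
     "engineversion extradatcount extradatflag filename path process "
     "result user", {"Item detected"}),
    ("datage datdate datversion", {"Out of date", "Item detected"}),
    ("configchange", {"Configuration change"}),
    ("eventcode eventdescription eventtime eventtype eventutc",
     {"System events"}),
):
    for name in names.split():
        VALID_FOR[name] = kinds

VAR = re.compile(r"%([a-z]+)%")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def lint(template, alert_type):
    """Return a list of problems found in `template` for `alert_type`."""
    problems = []
    for name in VAR.findall(template):
        if name not in VALID_FOR:
            problems.append(f"%{name}% is not listed in Table 7-1")
        elif alert_type not in VALID_FOR[name]:
            problems.append(f"%{name}% is not valid for {alert_type} alerts")
    return problems


def render(template, alert_type, values):
    """Substitute variables the way the guide's sample message shows.

    Raises ValueError if the template fails lint() or a value is missing.
    Control characters in values are replaced with '?', because file
    names on Linux may contain newlines and an alert should stay on the
    line it was written for (a choice made by this example).
    """
    problems = lint(template, alert_type)
    missing = [n for n in VAR.findall(template) if n not in values]
    if problems or missing:
        raise ValueError(problems + [f"no value for %{n}%" for n in missing])
    return VAR.sub(lambda m: CONTROL.sub("?", str(values[m.group(1)])),
                   template)


if __name__ == "__main__":
    sample = "File, %filename% is infected on %hostname%."
    # Constructed sample values matching the guide's rendered message.
    print(render(sample, "Item detected",
                 {"filename": "example.exe", "hostname": "computer1"}))
    print(lint("DAT files are %datage% days old (%detectedas%)", "Out of date"))
```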


How the quarantine action works

As one of the anti‑virus actions, you can configure VirusScan Enterprise for Linux to place infected files into a quarantine directory. The processes that VirusScan Enterprise for Linux uses depend on the relative locations of the infected file and the quarantine directory, and on the features of the file system.

In some cases, moving the infected file by copying then deleting is not suitable. In every case, VirusScan Enterprise for Linux works to prevent loss of security and the further spread of viruses and other potentially unwanted software. VirusScan Enterprise for Linux uses the following techniques to quarantine infected files:

• If the file system supports hard links and the infected file is on the same file system, VirusScan Enterprise for Linux creates a hard link to the quarantine directory, then unlinks the infected file. If the unlink fails, VirusScan Enterprise for Linux unlinks the copy in the quarantine directory, so that only the original infected file remains.

• If the infected file is on a remote file system, VirusScan Enterprise for Linux copies the infected file into the quarantine directory only if the quarantine directory is also on that remote file system. This method prevents the spread of infection between hosts.

• VirusScan Enterprise for Linux verifies that it can copy the infected file into the quarantine directory and that it can delete the file from the quarantine directory. This method prevents creation of a copy of an infected file that cannot be deleted.

• If VirusScan Enterprise for Linux cannot delete the original infected file, VirusScan Enterprise for Linux deletes the copy of the file in the quarantine directory so that only the original infected file remains.

If the quarantine action fails to work, VirusScan Enterprise for Linux uses any secondary action. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on‑access scanning, VirusScan Enterprise for Linux blocks access to the infected file. For on‑demand scanning, VirusScan Enterprise for Linux reports that the file is infected.
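The same-file-system case described above (hard link, unlink, roll back if the unlink fails), together with the create-and-delete check on the quarantine directory, written out as an added Python example. This is not McAfee's code: the function names, the QuarantineError class and the injectable unlink parameter are assumptions made for illustration, and the sample files are constructed.

```python
import os
import tempfile


class QuarantineError(Exception):
    """Quarantine did not happen; the caller moves on to its secondary action."""


def quarantine_dir_usable(qdir):
    """Check that a file can be created in qdir and deleted again."""
    try:
        fd, probe = tempfile.mkstemp(dir=qdir)
        os.close(fd)
        os.unlink(probe)
        return True
    except OSError:
        return False


def quarantine(path, qdir, unlink=os.unlink):
    """Hard-link path into qdir, then unlink the original; return the new path."""
    # unlink is injectable (an assumption of this example) to exercise rollback.
    if os.stat(path).st_dev != os.stat(qdir).st_dev:
        # Hard links cannot cross file systems; no copy is attempted here.
        raise QuarantineError("file and quarantine directory are on different file systems")
    if not quarantine_dir_usable(qdir):
        raise QuarantineError("cannot create and delete files in quarantine directory")
    dest = os.path.join(qdir, os.path.basename(path))
    try:
        os.link(path, dest)      # second directory entry for the same inode
    except OSError as exc:       # name collision, or no hard-link support
        raise QuarantineError(f"link into quarantine failed: {exc}") from exc
    try:
        unlink(path)             # drop the original name
    except OSError as exc:
        os.unlink(dest)          # roll back: only the original file remains
        raise QuarantineError(f"unlink of original failed: {exc}") from exc
    return dest


def demo():
    """Run both outcomes on constructed files in a temporary directory."""
    def refuse(_path):
        raise PermissionError("constructed failure")
    with tempfile.TemporaryDirectory() as root:
        qdir = os.path.join(root, "quarantine")
        os.mkdir(qdir)
        results = {}
        for name, fn in (("moved", os.unlink), ("rolled_back", refuse)):
            sample = os.path.join(root, name + ".bin")
            with open(sample, "wb") as fh:
                fh.write(b"constructed sample, not malware")
            try:
                quarantine(sample, qdir, unlink=fn)
                outcome = "quarantined"
            except QuarantineError:
                outcome = "failed"
            results[name] = (outcome, os.path.exists(sample), sorted(os.listdir(qdir)))
        return results


if __name__ == "__main__":
    print(demo())
```

Because the file is never copied, there is no moment at which a second, independent copy of the infected content exists; after a failed unlink the quarantine directory is left exactly as it was.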


8 Troubleshooting

This section provides answers to common situations that you might encounter when installing or using VirusScan Enterprise for Linux.

Contents

• Frequently asked questions

• Error messages

Frequently asked questions

Contains troubleshooting information in the form of frequently asked questions.

The categories are:

• Installation

• Runtime kernel module support

• Scanning

• Viruses and detection

• General information

See also Error messages

Installation

This section helps you with the frequently asked questions related to McAfee VirusScan Enterprise for Linux installation.

Where do I find the list of supported browsers?

1 From the product's Log on page, click .

2 The supported browsers are listed in the Login Help page.

You can also refer to the product's Release Notes — System Requirements section.

When I added a new administrator user account, why was I unable to log on to McAfee VirusScan using the new credentials?

Whenever you add a new administrator user account, you must stop and start the McAfee VirusScan application from Application Manager, to log on using the new credentials.


See also Frequently asked questions

Runtime kernel module support

Helps you with the frequently asked questions related to the Runtime kernel module support on McAfee VirusScan Enterprise for Linux.

Why is Runtime kernel module support required?

Runtime kernel module support (RKMS) is required to automatically support the latest kernels that are not supported by Mod‑versioning. For example, on any supported distribution, if mod‑versioning does not enable on‑access scan for a kernel, RKMS will automatically compile the kernel modules and enable on‑access scanning.

How does it work?

You must have developer utilities (make, gcc) installed on your machine, along with the kernel headers package of the current kernel. If mod‑versioning fails during nails service start, the kernel modules get compiled dynamically and the on‑access scanner gets enabled.

Does McAfee need to certify the kernel on a supported distribution?

You need not wait for McAfee to certify the kernel on a supported distribution. With RKMS, any future kernel on a supported distribution will be automatically supported by McAfee.

In case of issues using RKMS to generate future kernel modules, please contact McAfee Technical Support.

What should I do when my production servers do not have developer utilities installed?

You can compile the kernel modules on a staging server and run the export command to archive the kernel modules. Import the kernel modules on to your production server by running the import command.

How do I compile the kernel module?

From the terminal window, execute the following command:

/opt/NAI/LinuxShield/bin/khm_setup -c

Ensure that the kernel sources/headers and developer tools are installed on the computer. If the kernel sources/headers are installed in a non‑default location, set the KERNEL_HEADER_LOCATION environment variable before compilation.


How do I export or import the kernel modules?

From the terminal window, execute the following command:

| Task | Command |
|---|---|
| Export | /opt/NAI/LinuxShield/bin/khm_setup -e <file_name>.tar.bz2 |
| Import | /opt/NAI/LinuxShield/bin/khm_setup -i <file_name>.tar.bz2 |

The import option is useful when you do not want to install developer tools and kernel headers in the production environment. This feature will import all the modules present in the archive (tar.bz2 file).

How do I check if a kernel module is supported?

After you compile the kernel module, execute the following command:

/opt/NAI/LinuxShield/bin/khm_setup -t

To view the logs, go to: /opt/NAI/LinuxShield/src/log

See also Frequently asked questions

Scanning

This section helps you with the frequently asked questions related to McAfee VirusScan Enterprise for Linux On‑Access and On‑Demand scanning.

Why are some files being scanned and detected twice since the quarantine directory was changed?

VirusScan Enterprise for Linux maintains a cache to record details of files that have been scanned. Changing the quarantine directory flushes the cache, so VirusScan Enterprise for Linux must re‑scan the file to ensure its information is up to date.

Some large files are not being scanned.

On servers with low‑specification hardware, VirusScan Enterprise for Linux abandons scanning of some large files because of the length of time taken. You can increase the time‑out value at Maximum scan time on the On‑Access Settings page and the On‑Demand Settings page.

Why does a file disappear or report "access denied" when an operation (such as cat) is performed on it?

The file is infected, and has been cleaned (or deleted or quarantined), or denied by the on‑access scanner. View Detected Items in the browser interface to see if a virus was detected in that file.

How can I release a file where the on‑access scanner has denied access?

Add the file to the list of paths excluded (on the On‑Access Settings page), or create a directory on the same file system, and add that directory to the list. Use mv to move the file to the exclusion directory. Because mv is a meta‑data change, it does not cause any on‑access scanning.

If VirusScan Enterprise for Linux has blocked the file, the file is likely to be infected, and will not be scanned again when in an excluded directory.

See also Frequently asked questions


Viruses and detection

How can I be sure that the anti‑virus software is working?

You can test the operation of the anti‑virus software by running a test file on any computer where you have installed the software. The EICAR Standard AntiVirus Test File was developed by the European Institute of Computer Anti‑virus Research (EICAR), a coalition of anti‑virus vendors, as a method for their customers to test any anti‑virus software.

To test scanning:

1 Open a standard text editor, then type the following character string as one line, with no spaces or line breaks:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

The line shown above should appear as one line in your text editor window, so be sure to maximize your text editor window and delete any line breaks. Also, be sure to type the letter O, not the number 0, in the "X5O..." that begins the test message.

If you are reading this manual on your computer, you can copy the line directly from the file and paste it into your text editor. If you copy the line, be sure to delete any carriage returns or spaces.

2 Save the file with the name EICAR.COM. The file size will be between 68 and 70 bytes (depending on end‑of‑line characters appended by the editor).

3 Upload the EICAR test file to any of the default Shares.

When your software scans this file, it will report finding the EICAR test file.

This file is not a virus — it cannot spread or infect other files, or otherwise harm your computer. Delete the file when you have finished testing your scanner to avoid alarming other users.
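When the scanner stays silent on the test file, the usual cause is a malformed file rather than a broken scanner. The following added example (not part of the product or of the original guide) checks a saved EICAR.COM for the mistakes the steps above warn about; the function name and messages are assumptions, and the non-ASCII check covers hyphens that arrive as typographic characters when the string is pasted from a formatted document.

```python
import sys

# The 68-byte EICAR test string (ASCII hyphens, letter O as third character).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def check_eicar(data):
    """Return a list of problems found in data; an empty list means usable."""
    problems = []
    if not 68 <= len(data) <= 70:
        problems.append("size %d bytes, expected 68 to 70" % len(data))
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the string")
    if any(b > 0x7F for b in data):
        problems.append("non-ASCII bytes (for example typographic hyphens from a pasted document)")
    body = data.rstrip(b"\r\n")          # the editor may append one line ending
    if body[2:3] == b"0":
        problems.append("digit 0 where the letter O belongs (third character)")
    if any(c in body for c in (b" ", b"\t", b"\r", b"\n")):
        problems.append("space or line break inside the string")
    if not problems and body != EICAR:
        problems.append("content differs from the test string")
    return problems


if __name__ == "__main__":
    # Usage: python check_eicar.py EICAR.COM
    with open(sys.argv[1], "rb") as fh:
        found = check_eicar(fh.read())
    print("OK" if not found else "\n".join(found))
```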

How can I find out more about the effect of a virus?

Visit our website. See the Contact information section.

What should I do if I find a new virus?

If you suspect you have a file that contains a virus and the scanning engine does not recognize it, please send us a sample by clicking Submit a Sample on the Links bar.

Where is information about VirusScan Enterprise for Linux recorded?

By default, VirusScan Enterprise for Linux records information about detections, system events, and events related to tasks. You can view the information at the Detected Items and System Events pages of the browser‑based interface. In addition, you can configure logging to SYSLOG from the General Settings page.

What kind of information is recorded?

The recorded information includes the following:


• Detections of viruses and other potentially unwanted software, and the result of any action taken.

• Events such as scanning status and errors.

• Events for specific tasks such as updates to DAT files, and on‑demand scanning tasks.

What happens to the log messages if the system logger is not working?

If SYSLOG logging is enabled (from the General Settings page) and syslogd has stopped due to a fault, all log messages are printed on the console.

See also Frequently asked questions

General information

This section helps you with the frequently asked questions such as general information, contact information and so on.

How do I contact Technical Support?

See the Contact information section for the address.

Before speaking to McAfee Technical Support, try to have the following information ready:

• Any additional hardware that is installed.

• The browser being used and its version.

• A diagnostic report. You can produce this:

• In the Scanning Summary page, click Diagnostic Report. You can select all the text, copy it, then paste it in a text editor.

Where can I obtain the open source code for third‑party components?

Open source code is available on the product’s download site (see the Contact information section).

Server certificate failed the authenticity test

This message appears on Konqueror browsers during log on, because the certificate is self‑signed. You may ignore this message and click Continue.

See also Frequently asked questions

Error messages

This section describes VirusScan Enterprise for Linux error messages that appear on the browser and system events log.

Error messages appear in several forms:

• Messages displayed in the browser, as shown in Understanding error messages section. These are browser problems and errors reported by the web server.

• Messages logged in the system events log. For a list of categories of these messages, see the next table.


Table 8-1 Error code ranges for System Events log

| Range | Error Categories | Description |
|---|---|---|
| 3000 - 3999 | Anti‑virus Engine errors | Errors which occur during scanning or cleaning reported by the anti‑virus engine. |
| 5000 - 5999 | Scan Manager | Errors reported by the nailsd process, which controls the scanners. |
| 6000 - 6999 | Logging errors | Errors reported by the logging subsystem. If the error logging system fails, errors will be redirected to syslog. |
| 7000 - 7999 | Configuration errors | Errors found when parsing values in the configuration files. |
| 8000 - 8999 | Exclusions and filtering errors | Errors found when processing the information about files excluded from scanning, or which extensions to scan. |
| 9000 - 9999 | Monitoring errors | Errors reported by the monitoring processes that provide administration of the product. |
| 11000 - 11999 | IPC errors | Errors reported during inter‑process communication. |
| 12000 - 12999 | On‑Demand scanner errors | Errors reported by the on‑demand scanner. |
| 13000 - 13999 | Command processor errors | Internal errors with respect to the commands used during inter‑process communication. |
| 14000 - 14999 | Anti‑virus Engine scan errors | Errors reported by the anti‑virus engine when processing a specific file. |
| 15000 - 15999 | Task Scheduler errors | Errors reported by the task scheduler. |
| 16000 - 16999 | SMTP Alerting errors | Errors reported by the SMTP alerting component. |

See also Troubleshooting; Frequently asked questions
