FireBreak 4 70
8/3/2019 FireBreak 4 70
1/135
Norman Virus Control for NetWare
Version 4.70
Administrator's Guide
Copyright 1990-2004 Norman
Limited warranty
Norman guarantees that the enclosed diskette/CD-ROM and documentation do not have
production flaws. If you report a flaw within 30 days of purchase, Norman will replace
the defective diskette/CD-ROM and/or documentation at no charge. Proof of purchase
must be enclosed with any claim.
This warranty is limited to replacement of the product. Norman is not liable for any other
form of loss or damage arising from use of the software or documentation or from errors
or deficiencies therein, including but not limited to loss of earnings.
With regard to defects or flaws in the diskette/CD-ROM or documentation, or this
licensing agreement, this warranty supersedes any other warranties, expressed or implied,
including but not limited to the implied warranties of merchantability and fitness for a
particular purpose.
In particular, and without the limitations imposed by the licensing agreement with regard
to any special use or purpose, Norman will in no event be liable for loss of profits or other
commercial damage including but not limited to incidental or consequential damages.
This warranty expires 30 days after purchase.
The information in this document as well as the functionality of the software is subject to
change without notice. The software may be used in accordance with the terms of the
license agreement. The purchaser may make one copy of the software for backup
purposes. No part of this documentation may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying, recording or
information storage and retrieval systems, for any purpose other than the purchaser's
personal use, without the explicit written permission of Norman.
The Norman logo is a registered trademark of Norman ASA.
Names of products mentioned in this documentation are either trademarks or registered
trademarks of their respective owners. They are mentioned for identification purposes
only.
NVC documentation and software are
Copyright 1990-2004 Norman ASA.
All rights reserved.
Last revised on 5 July 2004.
Norman Offices
Norman Data Defense Systems AS
Blangstedgårdsvej 1, DK-5220 Odense S, Denmark
Tel. +45 6311 0508 Fax: +45 6590 5102
E-mail: [email protected] Web: http://www.norman.com/dk
Norman Ibas OY
Läkkisepäntie 11, 00620 Helsinki, Finland.
Tel: +358 9 2727 210 Fax: +358 9 2727 2121
E-mail: [email protected] Web: http://www.norman-ibas.fi
Norman Data Defense Systems GmbH
Kieler Str. 15, D-42697 Solingen, Germany.
Tel: +49 212 267 180 Fax: +49 212 267 1815
E-mail: [email protected] Web: http://www.norman.de
Norman/SHARK BV
Postbus 159, 2130 AD, Hoofddorp, The Netherlands.
Tel: +31 23 789 02 22 Fax: +31 23 561 3165
E-mail: [email protected] Web: http://www.norman.nl
Norman ASA
Mailing address: P.O. Box 43, N-1324, Lysaker, Norway.
Physical address: Strandveien 37, Lysaker, N-1324 Norway.
Tel: +47 67 10 97 00 Fax: +47 67 58 99 40
E-mail: [email protected] Web: http://www.norman.no/no
Norman Data Defense Systems AB
Västgötegatan 7, SE-602 21 Norrköping, Sweden
Tel. +46 11 230 330 Fax: +46 11 125 126
E-mail: [email protected] Web: http://www.norman.com/se
Norman Data Defense Systems AG
Postfach CH-4015, Basel, Switzerland.
Tel: +41 61 487 2500 Fax: +41 61 487 2501
E-mail: [email protected] Web: http://www.norman.ch
Norman Data Defense Systems (UK) Ltd
PO Box 5517, Milton Keynes MK5 6XJ, United Kingdom.
Tel: +44 08707 448044 Fax: +44 08717 176999
E-mail: [email protected] Web: http://www.normanuk.com
Norman Data Defense Systems Inc.
9302 Lee Highway, Suite 950A, Fairfax, VA 22031, USA
Tel: +1 703 267 6109, Fax: +1 703 934 6367
E-mail: [email protected] Web: http://www.norman.com
Training and Technical Support
For training or technical support, please contact your local dealer
or Norman ASA.
System requirements
For server operating system:
NetWare versions 4.11 or later
For NetWare 4, support pack 9 is required
For NetWare 5 and 6 the latest support packs are
recommended
For NetWare 5.0, support pack 6 is required
On NetWare 5.1 we strongly recommend support pack 6,
and on NetWare 6.0 we strongly recommend support pack 3. See note below.
Note: With the release of support pack 6 for NetWare 5.1 and
support pack 3 for NetWare 6.0, Novell fixed a set of
bugs that influenced FireBreak's performance. The APIs
needed to detect if a file residing on an NSS volume had
changed or not have been broken until the release of
these support packs. Servers running older SPs on
NetWare 5.1/6.0 or NetWare 5.0 with NSS volumes are
subject to this error. On these servers we scan files on
close if they were opened for write, regardless of
whether they were changed or not, as we have no choice
in the matter.
NetWare support packs are available from Novell at
http://support.novell.com
The server's SYS volume must have LONG name space
installed.
NDS v6 or later including eDirectory
Disk space required on server: approximately 10 Mb.
Memory required on server: approximately 5 Mb.
For installation and administration:
A workstation with Windows 98/ME with Novell client,
or
Windows NT/2000/XP with Novell client
ConsoleOne v1.3 or later running on a workstation or on
the server's graphical console.
See also "System requirements - NIU" on page 97 and
"Preparing FireBreak for NIU downloads" on page 98,
as well as the Readme file for other details.
Who should read this manual?
This manual is intended for system administrators with an
overall responsibility for maintenance of the network, including
installation and distribution of software to the workstations.
About this manual
The general outline of this manual follows the logical
sequence in which the average user will approach the product, i.e. a brief
introduction to FireBreak followed by installation, configuration,
administration, and troubleshooting-related topics. As you will
see, each module has its own configuration section, starting with
two screen dumps, one for the NDS object and one for the
Console menu. In other words, when we describe configuration
options in this document, the corresponding NDS object GUI
and the console menu will be displayed. On the rare
occasion that an option is available from the console
menu only, the option is duly marked:
Operate as communications hub (Console menu only.)
See also the section "Considerations before you start" on page 23,
which addresses the NDS object vs. the Console menu matter.
Any references to NDS in this manual also include eDirectory,
i.e. the newer version of NDS.
Technical support
Norman provides technical support and consultancy services for
NVC and security issues in general. Technical support also
comprises quality assurance of your anti-virus installation,
including assistance in tailoring NVC to match your exact needs.
Note that the number of services available will vary between the
different countries.
Check Norman's web site for more information:
www.norman.com.
Prerequisites
We assume, in this documentation, that you are familiar with
LAN terminology in general and NetWare terminology in
particular. We further assume that you are familiar with the tasks
involved in administrating a NetWare-based LAN. Within this
manual, we sometimes refer you to the NetWare manuals since
explaining NetWare utilities is beyond the scope of this
documentation.
For more information about NetWare see
http://www.novell.com/documentation
Contents
System requirements ................................................................................iv
Who should read this manual? ..................................................................v
About this manual .....................................................................................v
Technical support ......................................................................................v
Prerequisites .............................................................................................vi
About NVC for NetWare ..........................................................................11
What is NVC for NetWare? ....................................................................11
Components in NVC for NetWare ..........................................................12
Scanning modes ......................................................................................12
What is protected? ...................................................................................12
Before you install .......................................................................................13
Directory structure ..................................................................................14
FireBreak files.................................................................................... 15
FireBreak log files.............................................................................. 16
Installing FireBreak ..................................................................................18
Installing on a single server ....................................................................18
Installing on multiple servers ..................................................................18
Why do I need a configuration object in my NDS?........................... 19
Where do I place the configuration object? ....................................... 19
How do I insert the configuration object?.......................................... 20
Multi-server environment and configuration object .......................... 20
Real-time configuration change detection vs. polled checks ............. 21
What if the object can't be read? ............................................................21
A special user group ......................................................................22
Configure FireBreak .................................................................................23
Considerations before you start ..............................................................23
Basic options ...........................................................................................24
Common scanning options ......................................................................27
Real-time scanning options .....................................................................31
Include list for server-based processes............................................... 33
Server scanning options ..........................................................................35
Virus detected options .............................................................................38
Messaging options ...................................................................................43
The Inter-server tab ............................................................................ 44
The NetWare tab ................................................................................ 45
The Printing tab.................................................................................. 50
The SNMP tab.................................................................................... 53
The e-mail tab..................................................................................... 56
Test alerts ........................................................................................... 59
NDS options ............................................................................................60
Auto update options ................................................................................63
Loading and unloading ..............................................................................68
Loading FireBreak ..................................................................................68
Unloading FireBreak ...............................................................................69
Command line switches ..........................................................................70
Specifying a configuration object on the command line.................... 70
Specifying a configuration file on the command line ........................ 70
Forcing polled checks for changes to the configuration object.......... 70
FireBreak Administration .........................................................................71
The FireBreak console menus .................................................................71
The ConsoleOne snap-in .........................................................................72
Password protection of configuration and unload.............................. 72
The Main menu .......................................................................................73
Scan server ......................................................................................... 73
The keys used ..................................................................................... 74
The information displayed ................................................................. 74
Administer FireBreak......................................................................... 77
Display monitor.................................................................................. 78
Display virus library........................................................................... 79
Virus characteristics ......................................................................79
The keys used ..................................................................................... 80
Find virus............................................................................................ 81
Information on each virus .................................................................. 81
Exit FireBreak .........................................................................................82
Monitor screen ........................................................................................83
The keys used..................................................................................... 84
The information displayed ................................................................. 84
Monitor menu..................................................................................... 90
List alert group members ...............................................................91
Display statistical information .......................................................92
List the five files with the longest scan time .................................94
Display NDS related information ..................................................94
Norman Internet Update ...........................................................................97
System requirements - NIU................................................................ 97
Preparing FireBreak for NIU downloads ........................................... 98
Installation ...............................................................................................98
Directory structure ..................................................................................99
Loading NIU on NetWare .....................................................................100
Configure and use NIU on NetWare ................................................ 100
From the server console ................................................................... 100
The keys used................................................................................... 101
Update now! ..................................................................................... 102
Configure NIU ................................................................................. 103
Products............................................................................................ 104
Languages ........................................................................................ 105
Platforms .......................................................................................... 106
Authentication key ........................................................................... 107
Exit ................................................................................................... 107
Scheduler.......................................................................................... 108
Exit ................................................................................................... 108
Other issues related to updating and NIU .............................................109
Updating the ConsoleOne snap-in ........................................................109
Changing update paths ..........................................................................109
Updating FireBreak on servers that are not connected to the Internet ..110
Alternative A ...............................................................................110
Alternative B ...............................................................................111
Testing new updates before large scale distribution .............................111
Setting up multiple NIU servers in your network .................................112
Using NetWare and NIU as distribution central for workstations without NetWare Client installed .......................................................113
Advanced FireBreak ................................................................................114
Virus alerts and messaging structure ....................................................114
Understanding how messaging works with FireBreak..................... 114
Using SNMP to centralize monitoring of infections .............................114
Setting up a FireBreak messaging hierarchy in your network ..............115
Using FireBreak messaging in a multi-tree environment................. 119
How FireBreak finds the communication hub address .................... 119
Using different NDS configuration objects for a single server or group of
servers............................................................................................... 120
Special issues ............................................................................................122
iFolder, viruses, and FireBreak .............................................................122
Using FireBreak with Novell's Native File Access Protocols ..............122
CIFS users and FireBreak message handling ........................................123
Using FireBreak with IPX and protocol routers............................... 124
Using a FireBreak communication hub in an IP/IPX bridged network ... 125
Troubleshooting .......................................................................................126
Missing ConsoleOne FireBreak snap-in .......................................... 126
ClibAux.NLM is a library ................................................................ 126
Norman eLogger .............................................................................. 127
Appendix A - Sandbox .............................................................................128
Background ...................................................................................... 128
What is a sandbox?........................................................................... 128
Sandboxing techniques..................................................................... 129
How does sandboxing affect the user?............................................. 129
Index ..........................................................................................................131
About NVC for NetWare
What is NVC for NetWare?
Note: FireBreak v4.70 supports NetWare version 4.11 Support
Pack 9 and higher.
Norman Virus Control for NetWare, also known as FireBreak,
is a server-based anti-virus program that monitors your server for
malicious software, also referred to as malware. Malware is
viruses, worms, and other varieties of destructive code.
FireBreak can detect and remove known and unknown viruses
from your NetWare server.
FireBreak checks files when they are accessed, and possible
viruses are removed automatically.
The primary strength of FireBreak is in providing real-time
scanning: continuous scanning of files accessed on the server.
This means that if a user tries to copy an infected file to or from
your server, or run an infected file from the server, FireBreak
will detect the file and move, delete, or clean it. These actions are
all configurable.
Another feature of FireBreak is its on-demand scanning. In
addition to real-time scanning, you can at any time scan the
server for possible viruses.
We have not overlooked the possibility that your NetWare
servers might be operating in a multi-server environment.
Enterprise-wide functioning is yet another strength of FireBreak.
If you have two or more NetWare servers running FireBreak, you
may configure some of them to be a communications hub. The
hub can then operate as a central monitoring station, enabling
you to administer your servers more efficiently.
FireBreak creates a configuration object in your NDS /
eDirectory. Then you can use this object to configure all your
FireBreak objects from one central location.
Components in NVC for NetWare
NVC for NetWare is made up of three main components:
1. The server-based modules running on the NetWare server as
NetWare Loadable Modules.
2. The snap-in configuration object module for ConsoleOne.
With this module you can configure and control FireBreak
from a central location.
3. Norman Internet Update (NIU), which is the mechanism for
updating all parts of the product.
See "Why do I need a configuration object in my NDS?" on page 19.
Scanning modes
FireBreak has two different scanning methods. The first, and
most important, is real-time scanning.
The second mode is the on-demand, manual scanning. This is
performed at your discretion.
What is protected?
Even though FireBreak communicates with Norman anti-virus
software running on workstations, FireBreak is a network
product. This means that it does not take any action on infected
files that are manipulated on local hard drives or floppies. This
job is the responsibility of the workstation software. If those
infected files are transferred to the server, however, FireBreak
will take action in accordance with its configuration.
Before you install
Before you install FireBreak on your server you should decide if
you want to:
1. Administer FireBreak configuration from an NDS object,
facilitating a central configuration environment, or
2. Administer each of your FireBreak server(s) from the
NetWare console.
It is highly recommended that you choose the NDS object
configuration method. This will reduce your administration
time and provide a consistent configuration for all your
FireBreak servers.
3. Install Internet Update on one server.
If you install this component, you can update both your
FireBreak servers and other NVC platforms in your network.
For more information about the update functionality, see
"Norman Internet Update" on page 97.
Note: If you intend to install the ConsoleOne snap-in, make
sure that you close this application to avoid a restart of
the server.
Directory structure
The installation routine will create the directory structure that
FireBreak requires. The following tree will be created on the
SYS volume.

Directory:              Description:
SYS:FIREBRK             FireBreak's home directory.
SYS:FIREBRK\LOG         This is where FireBreak places log files as they
                        are created. All members of the FireBreak user
                        group should have Read and File Scan rights in
                        this directory.
SYS:FIREBRK\VIRUS       This directory is used as a virus container.
                        Infected files are moved here, provided the
                        system is configured to do so. We recommend that
                        only the Admin user have rights in this directory.
SYS:FIREBRK\DOWNLOAD    Where the ZIP files fetched by NIU are placed.
                        Make sure that "Enable auto update of local
                        server" (see page 63) is on for FireBreak to
                        check this directory for updates.

FireBreak files
During installation, the following files from the FireBreak
distribution are copied to the SYS:FIREBRK directory:

FIREBRK.NLM             The program's executable file.
NVCMACRO.DEF            FireBreak's macro virus information database.
NVCBIN.DEF              FireBreak's binary virus information database.
NVCINCR.DEF             Contains updates to the other .def files.
FB400.CFG               FireBreak's configuration file.
NSENW.NLM               The scanner engine is implemented as a support
                        NLM, keeping FireBreak at the same level as the
                        workstation products with regard to virus
                        detection.
NRELOAD.NLM             This is a helper NLM exclusively for FireBreak.
                        Part of the automatic update feature.
ELOGGER.NLM             This is a troubleshooting tool.
ELOGWS32.NLM            Support NLM for ELOGGER.NLM.
During installation, the following file is copied to the
SYS:SYSTEM directory:

FB.NCF                  This .NCF eases loading of FireBreak.

For the sake of simplicity, FB.NCF is automatically copied to
the SYS:SYSTEM directory. This makes it available through the
server's standard search path. Alternatively, you may add
FireBreak's home directory to the server's search path by typing
the command:
SEARCH ADD SYS:FIREBRK [Enter]
from the system console. Or add the command to the
AUTOEXEC.NCF file on a line prior to that which loads
FireBreak.
Refer to page 68 for instructions on Loading FireBreak.

FireBreak log files
FireBreak's log files are all stored in the SYS:FIREBRK\LOG
directory. They are created automatically when, and if, they are
needed. There are five (5) different log files:

FBERROR.LOG             This file holds error messages.
FBREALTI.LOG            The file logs virus incidents that are detected
                        by the real-time scanner and incidents
                        communicated by Norman anti-virus software
                        running on workstations that are connected to
                        the server.
FBSCAN.LOG              The results of manual/scheduled scanning are
                        placed in this file.
FBVIRUS.LOG             This log holds the name of each infected file
                        that has been moved to the SYS:FIREBRK\VIRUS
                        directory, the file's original path and file
                        name, and the name of the virus.
FBEVENTS.LOG            This log holds information about file updates
                        performed by the auto update function (see
                        page 63).
Installing FireBreak
Installing on a single server
1. Log in to your desired tree as Admin or an equivalent user.
2. Ensure that you have a drive mapped to the root of the
server's SYS volume.
3. Start the installation program and work your way through
the dialogs.
4. Start FireBreak on the server by typing FB and pressing
[Enter] on the server's console screen. If FireBreak
can't find an object during load, or the schema has not been
extended, a warning message is issued. Operation will
continue with configuration data stored on the server. On the
monitor screen you can check the name of the object used.
You can also see the change detection mechanism used (see
below).
Installing on multiple servers
If you wish to install FireBreak on other servers in the same tree,
you do not necessarily need to repeat all the previous steps for
each server. Just make sure that you have a drive mapped to the
root of the SYS volume to each of the desired servers as
illustrated below.
Then just follow the normal setup.
Note: If you load FireBreak from AUTOEXEC.NCF during the
server's startup, please note that it should be loaded
towards the end of the file to ensure that NDS is fully
operational.
Why do I need a configuration object in my NDS?
The FireBreak NDS configuration object controls the behavior of
the FireBreak NLM. You can set all FireBreak configuration
options in this object. This object can configure all servers in
your tree running FireBreak.
Where do I place the configuration object?
Normally the configuration object resides in the organization
container of the user you installed FireBreak with. If you have
several servers in multiple containers, the optimal solution is to
put the configuration object either in root, or in the servers'
parent container(s).
Administrators or users that need to change the FireBreak
configuration object will need Write privileges to the object's
properties.
Note: A FireBreak configuration object can reside in an
Organizational container (O), Organizational Unit (OU),
or in a Country container (C).
Note well: When FireBreak is loaded it will search the container
where the server object resides for a configuration
object. If no object is found, FireBreak will start a
reverse tree-walk, looking for a configuration object in
the parent container, searching upwards to the root until
it finds a configuration object, or it reaches the root of
the tree. FireBreak uses the first configuration object that
is found. Note that FireBreak does not search down into
existing containers, only up towards the root.
How do I insert the configuration object?
Select New|Norman FireBreak config or click the Norman
N-button on the tool bar. This is a limitation in ConsoleOne.
You can no longer press [Ins] to create the FireBreak object as
you could in NWAdmin. To run the proper object creator code,
ConsoleOne requires you to use the menu or the popup
menu.
Multi-server environment and configuration object
If you are managing a multi-server environment you can place
the configuration object in a container where it can be accessed
by all servers. By providing access to the configuration object all
servers will use the same configuration.
If you want to provide a different configuration for a specific
server, simply put a configuration object in this server's
container. The server will then find this object first, and
consequently use it. You can apply the same principle for a group
of servers.
See Advanced FireBreak on page 114.
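The upward search described above decides which configuration each server actually runs, so a per-container override or a misplaced object changes scanning policy without touching the server. The following is an added example, not Norman's code: it models the lookup so you can audit a tree, and every container, server and object name in it is constructed.

```python
"""Added example: FireBreak's upward search for a configuration object.

All container, server and object names below are constructed sample data.
"""


def containers_upward(server_name):
    """Yield the server's container, then each parent, ending at the root.

    Names are typeless and leaf-first ('FS1.sales.oslo.acme'); the tree
    root is represented by the empty string.
    """
    parts = server_name.split(".")[1:]   # drop the server object itself
    while parts:
        yield ".".join(parts)
        parts = parts[1:]
    yield ""


def resolve_config(server_name, config_objects):
    """Return (container, object) for the first object found walking up.

    config_objects maps a container to the configuration object it holds.
    None means the walk reached the root empty-handed, so the server runs
    on whatever its local FB400.CFG fallback contains.
    """
    for container in containers_upward(server_name):
        if container in config_objects:
            return container, config_objects[container]
    return None


def audit(servers, config_objects):
    """Map each server to its effective object; list objects no server uses."""
    effective = {s: resolve_config(s, config_objects) for s in servers}
    used = {hit[0] for hit in effective.values() if hit}
    return effective, sorted(set(config_objects) - used)


# Constructed tree: one organization-wide object, one override, one stray.
CONFIG_OBJECTS = {
    "acme": "FB-standard",
    "lab.oslo.acme": "FB-lab-relaxed",
    "hr.bergen.acme": "FB-hr",
}
SERVERS = [
    "FS1.sales.oslo.acme",
    "FS2.lab.oslo.acme",
    "FS3.build.lab.oslo.acme",
    "FS4.bergen.acme",
    "FS5.partner",
]

if __name__ == "__main__":
    effective, unused = audit(SERVERS, CONFIG_OBJECTS)
    for server, hit in effective.items():
        print(f"{server:26} -> {hit or 'no object: FB400.CFG fallback'}")
    print("objects no server resolves to:", unused)
```

FS4 sits beside the hr container rather than under it, so it never sees FB-hr; FS3 inherits the lab override from its parent container.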
Real-time configuration change detection vs. polled checks
When you have applied changes to a configuration object,
FireBreak in turn can apply these to all servers that use this
specific object.
Real-time scanning and detection is the default mode, provided
that it can be implemented on your system. This relies on the
event mechanism being built into NDS (DSEvents). Once the
object is changed, FireBreak is informed of the event and the
new configuration is read and made the active one. The time
delay, if any, may vary from the time the change is saved by
the configuration utility to when it is picked up by FireBreak
running on a server. Even if the real-time change detection is
used, there may be a delay. A delay depends on when NDS
synchronizes the changes to the partition between the servers in
the tree.
Polled checks for changes are another mode. Once every x
minutes (the default value is 240), the object is checked for
changes by reading the object's version number. If it has
changed, the new configuration is read and made the active one.
Polled checks are always used if the server does not hold a local
replica of the NDS partition where the configuration object is
stored.
What if the object can't be read?
There may be several reasons why a configuration object cannot
be found: broken server links, the server holding the object may
be temporarily unavailable, or the administrator may have
failed to create one. Regardless of the reason, FireBreak loads
and works. Whenever a configuration is read from NDS, it's
saved in a local file, FB400.CFG. This file is used as a fallback
in such situations as described above.
FB400.CFG is located in the root of the server's SYS:FIREBRK
directory. This is a binary file and cannot be edited.
A special user group
An important feature of FireBreak is the messaging functionality.
When a virus is detected, FireBreak can send alerts to the
offending user, to the server console, and to a pre-defined user
group.
Note: The Admin will only be notified of virus events if this
user is a member of FireBreak's special user group. Use
NetWare's workstation-based administration utility,
ConsoleOne, to create the group and add the appropriate
members (see your NetWare Utilities Reference for
further details). If you want to use a group that already
exists, change the name of the group that FireBreak
should use. Make these changes from the appropriate
menu (see Configure FireBreak on page 23).
Once you have decided upon a user group, make sure that all
members of the group have Read and File Scan rights to the
SYS:FIREBRK\LOG directory. A simple way to do this is to use
NetWare's ConsoleOne to add the group as a trustee in the
SYS:FIREBRK\LOG directory.
Configure FireBreak
When you configure FireBreak you have a number of possible
options available. Most of the options are enabled or disabled
from this menu's submenus.
FireBreak is shipped with many preselected options. These
default options are identified by a marker in the check box, like
this:
Scan incoming files
You can always click on the Default button to view the default
settings in a dialog. (Only the snap-in.)
Note: If you don't use the NDS object you can reset all options to their
default values this way:
1. Unload FireBreak
2. Delete SYS:FIREBRK/FB400.CFG
3. Load FireBreak
Considerations before you start
Before you start configuring FireBreak you should consider
the structure of your network, how you want your server(s)
running FireBreak to act, and how you would like to manage
them.
There are two principal approaches for configuring and
administering FireBreak:
1. Use NDS / eDirectory to configure all FireBreak servers in
your tree. You can also have several FireBreak NDS objects
in your tree, facilitating different configurations for different
FireBreak servers.
2. Use the console menus to configure each server
individually.
Note: When we describe configuration options in this
document, the corresponding NDS object GUI and the
console menu will be displayed.
Clicking the Default button, present in all GUIs, restores
the original, default values for that dialog.
Basic options
Display messages on system console
Instructs FireBreak to display important virus detection
messages on the server's console screen as follows:
Note: In NetWare 6 all virus detection messages are displayed
in the server console Logger screen.
FB :Virus detected by real-time
scanner
Time :Mon 2003/06/23 11:34:36
InfoServer :LANCELOT.roundtable
In tree :EXCALIBUR
Virus name :VW/SHowOffD
Infected file :DATA:USERS/FRED/LETTER2.DOC
File was :created
File accessed by :fred.roundtable
From :172.17.7.34
Action taken :quarantined
Display monitor-screen upon load
FireBreak can open a monitor screen at startup displaying
information about real-time scanning and available
options. Various informative submenus are available.
See Monitor screen on page 83.
Save infection information across loads
FireBreak can save information across loads about the last
detected virus and the total number of infected files detected by
both the real-time scanner and any Norman anti-virus products
running on connected workstations. FireBreak displays this
information in its Monitor window (see page 83). If the
information has been saved, it will be restored when FireBreak is
loaded. The saved information is updated automatically when
FireBreak exits or is unloaded by the server.
Password protected configuration
This option allows you to edit an existing password or create a
new one. If you have specified a password, FireBreak prompts
you for this password when you enter the Configure FireBreak
menu or attempt to exit FireBreak.
The minimum password length is 4 characters, while 15 is
maximum. You can use the ASCII characters 1 through 255. The
password is not case sensitive for the characters A through Z,
and is case sensitive for the remaining valid characters. Password
protection is optional.
To remove a password, delete all characters and press [Enter].
Click on Change password to change an existing password.
The password is only visible when you edit it. At all other times,
the characters are echoed as *.
Note: By default, a password is not assigned. If you forget a
specified password, you can change this in the FireBreak
ConsoleOne snap-in. FireBreak assumes that if you have
modify rights to the FireBreak configuration object, you
are the Admin or equivalent in the network.
Note well: If you have chosen to run FireBreak without an NDS
object, you must delete the FB400.CFG file from the
SYS:FIREBRK directory, then restart the server. You will not be
able to unload FireBreak before restarting the server. To restore
FB400.CFG run the install program to replace it. If you do this,
however, remember that all configuration settings are restored to
default values.
Common scanning options
Scanning options are specified separately for real-time scanning
and on-demand scanning (see Server scanning options on page
35). Options that apply to both scanning methods are located in
this dialog.
Scan inside compressed program files
When this option is enabled, FireBreak can scan for possible
infections inside executable files compressed by utilities such as
PKLite and Diet.
Scan for security risks
This option instructs FireBreak to scan for objects that represent
a possible security risk. Some administrators have installed
programs like password crackers and remote administrative tools
that are perfectly legal and probably useful too. However, the
lack of security features in some of these tools can expose
machines to unauthorized users and crackers. FireBreak detects
the activity of such tools and will warn against potential security
risks. Warnings will report the name of the program, and you can
therefore decide if it is a legitimate program or cracker activity
that triggers the alarm.
Scan for aggressive commercials
Sometimes unwanted programs are attached to programs that
you download from the Internet for evaluation purposes, for
example. They do not inform you about their presence, and if
you uninstall the original program, the hidden program may still
be on your machine. It is hard to find and has no uninstall
procedure. At odd intervals these programs will log on to the
Internet and download commercials all by themselves. They are
not harmful like a traditional virus, but they are annoying and create
unnecessary network traffic. FireBreak can detect and remove
such programs. Note that free software that you have installed
may not work when this option is selected.
Exclude files of indeterminate format
Select this option to instruct FireBreak to skip files of
indeterminate format. Such files may be damaged files, or files
with an unknown format.
Exclude list
(Console menu only.)
Specify files, directories, or entire volumes that you want to
exclude from real-time and server scanning.
Use the [Insert] and [Delete] keys to add or remove entries in the
list. You can browse to directories and even select a specific file
name to include. Remember that if you select a directory,
possible subdirectories are included.
When specifying a file, you can choose to exclude the specific
file only, or to exclude all files of same type.
Note well:
Exclude lists should be handled with great care, as they represent
a potential security risk.
Real-time scanning options
These options allow the administrator to tailor FireBreak to
better meet the organization's needs. You can select scanning of
incoming and/or outgoing files.
Scan incoming files
FireBreak considers the following types of files as incoming
files:
New files created on the server.
Existing files that have been changed.
Scan outgoing files
FireBreak considers the following types of files as outgoing
files:
Files residing on the server that are read by a
workstation, for example when a program installed on
the server is executed from the workstation. Another
example is when a file on the server is copied to the
workstation.
Scan outgoing files opened for write
An alternative to the previous option is to instruct FireBreak to
scan files on open, provided they are opened in a way that they
may be changed (open for write). This means that programs
executed from the server are not scanned before access is granted
to the file, as the execute opens the file only for read. If a user
opens a file on the server in a word processor, for example, this
file will be opened for write. If this option is enabled, FireBreak
scans the file before the word processor is granted access to the
file. As this option is a variant of the Scan outgoing files option,
it is flagged as not applicable (N/A) if Scan outgoing files is
selected.
Scan for new, unknown viruses using sandbox
Select this option if you want FireBreak to look out for new virus
variants. The sandbox is particularly tuned to find new email-,
network- and peer-to-peer worms and file viruses, and will also
react to unknown security threats. When a new piece of
malicious code is detected, the system administrator receives a
message through FireBreak's messaging system listing the vital
facts.
When this option is selected, scanning time will increase.
Note well:
Files copied from the server to a workstation are not opened
for write. To scan files on copy, Scan outgoing files must be
enabled.
Include list for server-based processes
(Console menu only.)
By design, FireBreak will not scan files that are created or
changed by server-based processes. By excluding such scans,
FireBreak will not interfere with server-based processes, thus
avoiding potential performance and time-out problems affecting
the server.
You may be running services on your server where the default
exclusion represents a security risk. This option allows you to
select directories that these services use for file operations, and
make sure that all files that pass through them are scanned by
FireBreak's real-time scanner. Typical examples are CIFS (part
of Native File Access Protocols) where users can access files on
the server without a Novell client as well as FTP and web servers
that allow connected users to upload files.
For more information, see Using FireBreak with IPX and
protocol routers on page 124.
Entries in FireBreak's Exclude list have higher priority and are
checked after the Include list.
Consequently, if a directory, file or a specific file type is listed in
the Exclude list, these will not be scanned even if they reside in a
directory on the Include list.
Note: Be careful to select the correct directory you want
FireBreak to scan.
Be aware that FireBreak scans all files in the selected directory
and its subdirectories regardless of which server-based process
they belong to. Hence the number of directories in the list should
be kept at a minimum.
Note well: With this option you can choose an entire volume. We
strongly recommend NOT doing this. Including an entire
volume can seriously slow down and destabilize your
server.
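The real-time options above interact: the open-for-write variant misses executes and copies, server-based processes are skipped unless their directory is on the Include list, and an Exclude entry overrides both. The following added example (not FireBreak's code) models that decision so a planned configuration can be checked for unscanned paths; the policy, paths and events are constructed, and it assumes that Scan outgoing files also covers files opened for write.

```python
"""Added example: which file events FireBreak's real-time scanner sees.

Paths, options and events are constructed sample data.
"""
from dataclasses import dataclass, field


def norm(path):
    """Normalise a NetWare path: upper case, forward slashes, 'VOL:DIR/...'."""
    return path.replace("\\", "/").upper().replace(":/", ":").rstrip("/")


def under(path, entry):
    """True if path is the entry itself or lies beneath it (volume or dir)."""
    p, e = norm(path), norm(entry)
    return p == e or p.startswith(e if e.endswith(":") else e + "/")


@dataclass
class Policy:
    # Example settings only; these are not FireBreak's shipped defaults.
    scan_incoming: bool = False
    scan_outgoing: bool = False
    scan_open_for_write: bool = False
    include_dirs: list = field(default_factory=list)    # server-based processes
    exclude_paths: list = field(default_factory=list)   # files, dirs, volumes
    exclude_types: list = field(default_factory=list)   # extensions, e.g. "TMP"


def by_option(enabled, option):
    return enabled, f"{option}: {'on' if enabled else 'off'}"


def decide(policy, path, op, server_process=False):
    """Return (scanned, reason) for one file event.

    op is 'create' or 'modify' (incoming), 'open_read' (execute or copy to
    a workstation) or 'open_write' (opened so that it may be changed).
    """
    p = norm(path)
    name = p.rsplit("/", 1)[-1].split(":")[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""

    # The Exclude list outranks everything, the Include list included.
    for entry in policy.exclude_paths:
        if under(p, entry):
            return False, f"Exclude list: {norm(entry)}"
    if ext and ext in {t.upper().lstrip(".") for t in policy.exclude_types}:
        return False, f"Exclude list: file type {ext}"

    # Server-based processes are ignored unless the directory is included.
    if server_process and not any(under(p, d) for d in policy.include_dirs):
        return False, "server-based process outside Include list"

    if op in ("create", "modify"):
        return by_option(policy.scan_incoming, "Scan incoming files")
    if op == "open_write":
        wanted = policy.scan_outgoing or policy.scan_open_for_write
        return by_option(wanted, "Scan outgoing files (opened for write)")
    if op == "open_read":
        return by_option(policy.scan_outgoing, "Scan outgoing files")
    raise ValueError(f"unknown operation: {op}")


POLICY = Policy(
    scan_incoming=True,
    scan_open_for_write=True,            # Scan outgoing files left off
    include_dirs=["DATA:FTP/UPLOAD"],
    exclude_paths=["DATA:FTP/UPLOAD/CACHE"],
    exclude_types=["TMP"],
)
EVENTS = [   # (path, operation, server-based process?)
    ("DATA:USERS/FRED/LETTER2.DOC", "create", False),
    ("DATA:USERS/FRED/LETTER2.DOC", "open_write", False),
    ("SYS:PUBLIC/TOOL.EXE", "open_read", False),
    ("DATA:FTP/UPLOAD/IN/A.ZIP", "create", True),
    ("DATA:WEB/DROP/B.EXE", "create", True),
    ("data:ftp\\upload\\cache\\c.exe", "create", True),
    ("DATA:USERS/FRED/X.TMP", "modify", False),
]


def unscanned(policy, events):
    """Return the events that complete without a real-time scan."""
    results = [(p, op, decide(policy, p, op, sp)) for p, op, sp in events]
    return [(p, op, why) for p, op, (hit, why) in results if not hit]


if __name__ == "__main__":
    for path, op, reason in unscanned(POLICY, EVENTS):
        print(f"NOT SCANNED {op:10} {path}  ({reason})")
```

Four of the seven sample events go unscanned: the read-only execute, the web upload outside the Include list, the excluded cache directory inside an included one, and the excluded file type.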
Server scanning options
These options allow the Administrator to configure FireBreak's
behavior during manual server scans. You can set the priority for
allocation of resources, in addition to what FireBreak should log.
Scanning priority
Scanning priority decides how FireBreak should operate when
the system is busy. If you set the priority to Low, FireBreak will
give way to other tasks and wait for a suitable occasion to
proceed. If the priority is set to High, FireBreak will acquire the
necessary resources to complete its task. You can choose
between High, Medium, and Low, where High is the default
setting.
Scan for new, unknown viruses using sandbox
FireBreak employs its sandbox functionality to detect new,
unknown viruses. Select this option if you want FireBreak to
look out for new virus variants. The sandbox is particularly tuned
to find new email-, network- and peer-to-peer worms and file
viruses, and will also react to unknown security threats. When a
new piece of malicious code is detected, the system
administrator receives a message through FireBreak's messaging
system listing the vital facts.
When this option is selected, scanning time will increase, but it is
not likely to affect the performance considerably.
See also Scanning priority on page 36 and
Appendix A - Sandbox on page 128.
Logging
Log results to file
As the manual scan progresses, information is logged to
SYS:FIREBRK\LOG\FBSCAN.LOG.
Append to existing file
When selected, FireBreak appends the information from each
scan to the existing log file. If this option is disabled, FireBreak
deletes a possible old log file before the scan is started. A
Header and Footer is included in each scan.
Log infected files
Include names and location of all infected files that are detected.
Scanned directories
Include names of all scanned directories.
Scanned files
Include names of all scanned files.
Virus detected options
Use these options to configure how FireBreak should behave
when a virus is found. By default, FireBreak will clean viruses
when found, and move infected files that cannot be cleaned, off-line.
From this dialog you determine how FireBreak should handle
infected files.
Clean viruses if possible
FireBreak has the ability to clean infected files on-the-fly. This
functionality has been implemented for the on-demand scanner
for incoming and outgoing files.
On the monitor screen and in the log files, the Action taken field
will read The file was cleaned.
Log incidents to file
Tells FireBreak to add entries in the log whenever a virus is
detected by the real-time scanner or any NVC software running
on a workstation in the network. The log file is created only if
necessary and is named
SYS:FIREBRK\LOG\FBREALTI.LOG.
Log workstation virus alerts
If you enable this option, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide for more information on NVC's
messaging system. In addition, the communication hub must be
on. See The Inter-server tab on page 44.
Note that the log files grow faster in size when this option is
enabled.
When cleaning is not possible
In some situations, FireBreak cannot clean infected files. For
example, FireBreak cannot clean files that are in use or reside on
a write-protected floppy, or if there is no repair script for the
virus in the virus definition files. Use this section to determine
how FireBreak should handle files that cannot be cleaned.
Purge infected files
If you select this option, FireBreak purges infected files, making
them unrecoverable.
When you select this option, FireBreak uses NetWare's inherent
PURGE capability to permanently remove an infected file.
There may be more than one retrievable file in one directory with
the same file name as the infected one, and FireBreak will purge
them all when you use this option.
Move infected files off-line
When you select this option, FireBreak moves all infected files
to the SYS:FIREBRK\VIRUS directory. FireBreak uses this as
a quarantine. Since it contains infected files, we recommend
that only Admins and possibly the members of the FireBreak
user group have rights in this directory.
Note: As long as FireBreak is running and the real-time
scanner is checking outgoing files, ALL users, even
Admin and members of FireBreak's special user group,
are denied access to the files in this directory.
Several infected files may happen to have identical names. If a
file exists in the SYS:FIREBRK\VIRUS directory with the
same name as that of a new file being moved there, FireBreak
will change the name of the newest file until it is unique.
The technique increments the first eight characters of the file's
name only; extensions are left untouched. First, if the name is
less than eight characters, it is padded with @ to achieve full
length. Then characters are incremented until they reach Z,
starting with the last going forward.
For example:
COMMAND.COM
COMMAND@.COM
COMMANDA.COM
COMMANDB.COM
:
CZZZZZZZ.COM
Whenever an infected file is moved off-line, the event is logged
in FBVIRUS.LOG along with the virus name, the name of the
infected file as it now appears in the SYS:FIREBRK\VIRUS
directory, and the full path and name of the infected file as it
appeared in its original location.
Note: When files in long (OS/2) name space are moved off-line,
some of the extended directory information is lost. The
file owner information is part of the information that is
lost. This limitation will be addressed in future versions
of FireBreak.
If files are moved from a volume that has LONG (OS/2) name
space to a SYS: volume that does not, file names are converted to
comply with the FAT 8+3 specification. An example of a
converted name is: THIS IS A LONG DOCUMENTNAME.DOC changes to THIS~IS~.DOC.
This is done only if Use numeric names for moved files is
deselected and the name is not FAT compliant.
Use numeric names for moved files
To speed up naming infected files that are moved to
SYS:FIREBRK\VIRUS, this is an alternative naming method.
It involves creating unique names for the infected files using a
numeric value rather than the incremental names described
above.
Here is a sample from FBVIRUS.LOG, which displays the name
of the virus that infected the file, the name of the infected file in
SYS:FIREBRK\VIRUS, and the full path and name of the
original file, respectively.
UNIX/Svat.B S08830E8.H4
W32/Klez.H@mm SF0CF0BD.PIF < SYS:/INFECTED/SLUTTEN.PIF
You can see that there were four infections in different
directories. They were all infected by different viruses, and they
now reside in the SYS:FIREBRK\VIRUS directory with
slightly different names.
Messaging options
FireBreak's messaging system is extremely powerful: it can
send messages to and receive messages from workstations and
other servers running FireBreak, and print messages to a queue.
Choose between FireBreak's messaging system or SNMP traps,
or both. You can configure all of these features from the four
tabbed dialogs:
The Inter-server tab
Send messages to communication hub
Tells FireBreak to send a message to the server running as
Communication Hub (see below) if a virus is detected by
FireBreak's real-time scanner.
Note: You can set up a hierarchy of communication hubs. See
Advanced FireBreak on page 114.
Server to use as communication hub:
Enter the server name, or click browse to view available servers.
The selected server will operate as a communications hub for a
network with multiple servers running FireBreak. The NDS
object must be configured to Send messages to
communications hub (see above).
As a message is received, it is broadcast to all connected
members of this server's FireBreak user group. If logging is
enabled, the event is logged in the system's log file.
Note: The selected communications hub must be enabled at the
FireBreak console menu. See Operate as
communication hub below.
Note well:
The FireBreak messaging hierarchy limits the number of servers
a message can be relayed to. In this version the number of levels
is limited to 16.
In addition, messages that are routed back to the originating
server are removed to avoid packet storms in your network.
For more detailed information on how FireBreak finds the
address of the communication hub, see Special issues on page
122.
Operate as communications hub
(Console menu only.)
On the server targeted as the communications hub this option
must be enabled. If NetWare is bound to both IP and IPX, then IP
will be the preferred protocol for messaging.
See Setting up a FireBreak messaging hierarchy in your
network on page 115.
Advertise communications hub using SAP
(Console menu only.)
This option is valid only when running an IPX network. SAP is
short for Service Advertising Protocol and provides
information about services and network addresses to clients and
servers in an IPX network.
Note: Only one server per network can operate as a hub if you
are using the SAP option above. The first server to load
FireBreak configured as a hub operates as one.
Subsequent attempts with other servers loading as hubs
will fail with a non-fatal error message.
The NetWare tab
The NetWare options allow you to include a group of users to
be alerted when a virus is found. You can also choose to
enable/disable broadcasting of virus infections both from the
server's and the workstations' real-time scan.
Group to notify
In addition to the offending user, all members in a configured
user group can be notified of a virus detection. FireBreak will
send the message to all group members who are connected to the
server at the time of detection. And if a member is connected to
two workstations with a single user ID, for example, this user
will receive the message at both workstations.
To locate the desired group for FireBreak alerts, click the browse
button, and add the group object.
If no existing group is appropriate, create a new group using
NetWare's administration tool ConsoleOne.
There is no default name for this group.
Note: There are no limitations for the location of the group to
be alerted. It can reside anywhere in the directory, but in
the same tree.
Notify offending user
By default, the infected user is notified about the infection. Use
the field Message to be broadcast to edit the message.
Broadcast when a virus is detected
By default, all members in the specified group(s) are informed
about the virus incident.
Broadcast when unable to clean
Select this option if you want to inform the selected group(s)
of viruses that couldn't be removed.
Message to be broadcast, real-time scan
The default message that is broadcast when the real-time scanner
detects an infected file is:
FB: @U may be infected with @V
You can edit the message to suit your needs with tokens, which
are shorthand placeholders. When messages are created and sent,
FireBreak replaces the tokens with the appropriate information.
The following table lists the available tokens and what they
represent:
Token   Representation
@F      The full path of the infected file.
@D      The distinguished name of server.
@P      The offending user's physical IP or IPX address.
@S      The server's common name
@U      The offending user's login name.
@V      The name of the detected virus.
The tokens are case sensitive: the second character must be in
upper case for FireBreak to recognize it.
When an actual message is created, FireBreak will truncate the
result so that it will fit within NetWare's limit of 250 characters.
Below are two examples of possible messages in the form they
would be entered and how they would look when sent:
FB: Server @S infected with '@V' - check log file!
FB: Server SIRIUS infected with W32/Klez.H-check log file!
Broadcast alerts from workstation
For this option to work, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide and Administrator's Guide for
more information on NVC's messaging system.
If you select this option, enter the message in the box below.
FireBreak's default message is:
FB: @U received a virus alert on workstation
When used in conjunction with other Norman products,
FireBreak allows you to monitor virus infections both on local
hard drives and server drives.
As with the real-time scan broadcast message above, you can
edit this message to suit your needs. This message appears when
any NVC workstation software sends an alert to FireBreak. For
example, if a machine logged into a server running FireBreak
runs NVC and finds a virus on C:, NVC sends this message to
the members of the FireBreak user group.
In the event that the offending user is in the network but not
logged in, FireBreak cannot establish the user's name, and the
token @U will be replaced with the word unknown.
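Because the expanded message is cut at 250 characters, a long @F path placed early in a template can push the virus and server names off the end of the alert. The following added example (not FireBreak's code) expands the tokens listed above, applies the unknown-user substitution and the 250-character cut, and reports which tokens were clipped; the event values are constructed, and expanding in a single pass is this example's choice.

```python
"""Added example: expanding FireBreak broadcast tokens with the 250-char cut.

Event values are constructed; single-pass expansion is this example's choice.
"""
import re

MAX_LEN = 250    # NetWare broadcast limit given in the guide
FIELDS = {"F": "file", "D": "server_dn", "P": "address",
          "S": "server", "U": "user", "V": "virus"}
TOKEN = re.compile(r"@([A-Z])")   # second character must be upper case


def value_for(letter, event):
    """Return the text for one token, or None if the letter is not a token."""
    name = FIELDS.get(letter)
    if name is None:
        return None
    value = event.get(name)
    if name == "user" and not value:
        return "unknown"          # user on the network but not logged in
    return str(value or "")


def render(template, event):
    """Return (message, cut): the truncated text and the tokens that were
    clipped or lost entirely because the expansion ran past MAX_LEN."""
    message, cut, last = "", [], 0
    for match in TOKEN.finditer(template):
        value = value_for(match.group(1), event)
        if value is None:
            continue              # not a token: stays in the text as typed
        message += template[last:match.start()] + value
        last = match.end()
        if len(message) > MAX_LEN:
            cut.append(match.group(0))
    message += template[last:]
    return message[:MAX_LEN], cut


EVENT = {   # constructed event; names borrowed from the guide's examples
    "file": "DATA:" + "/".join(["QUARTERLY-REPORTS"] * 15) + "/LETTER2.DOC",
    "server": "SIRIUS",
    "user": "",                   # not logged in
    "virus": "W32/Klez.H@mm",
}

if __name__ == "__main__":
    for template in ("FB: @U may be infected with @V",
                     "FB: @F on @S infected with @V",
                     "FB: @V on @S in @F"):
        text, cut = render(template, EVENT)
        print(len(text), cut, text[:60])
```

With the constructed 286-character path, the template that leads with @F loses @S and @V entirely, while the one that ends with @F only clips the path.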
The Printing tab
Not only can FireBreak alert members of a special user group, it
can also print messages to an existing print queue. The printed
information is the same as that logged in FBREALTI.LOG, and
the report is printed when either the FireBreak real-time scanner
or any Norman anti-virus workstation product in the network
detects a virus.
You may specify which print queue to use, whether or not a
banner is to be printed, and whether or not a form feed command
is issued after each alert.
Print queue to use for alerts
Click on the browse button to view and select a print queue. If
you wish to print out each virus event, select the name of an
existing print queue in this field.
If you enter a print queue that does not exist, FireBreak will not
accept the entry. Either change the entry to a print queue that
does exist, create a new print queue, or click on the browse
button to select an existing queue.
Note: NDPS and iPrint are not supported in this version. Only
queue-based printing is supported.
Print banner
If no print queue is specified (see section above), this option is
not applicable. If you did specify a print queue, however,
FireBreak will print a NetWare banner page as a cover page for
each virus alert when this option is selected.
The options Print banner and Form feed after each alert (see
below) work together: if Form feed is selected, then a banner is
printed for each alert. If Form feed is not selected, then a banner
is printed only the first time per session that an alert is printed.
Session is defined as the time between loading and unloading
FireBreak or between loading FireBreak and downing the server.
Form feed after each alert
If no print queue is specified, then this option is not applicable. If
you did specify a print queue, however, FireBreak will issue
form feed after each printed alert.
The Print banner and Form feed after each alert (see above)
options work together: if Form feed is selected, then a banner is
printed for each alert. If Form feed is not selected, then a banner
is printed only the first time per session that an alert is printed.
Session is defined as the time between loading and unloading
FireBreak or between loading FireBreak and downing the server.
The SNMP tab
SNMP (Simple Network Management Protocol) is a protocol
governing network management and the monitoring of network
devices and their functions. Typical solutions that use SNMP for
network management are CA Unicenter, IBM's Tivoli, and HP
Open View. SNMP can provide central monitoring of all servers
and workstations running NVC.
For more details on SNMP, please refer to page 114.
Note: Only the trap portion of SNMP is used. Management
and configuration through SNMP is not supported.
Enable SNMP
You must select this option to activate the different trap types.
Note that all the following options are automatically selected
(default) when SNMP is enabled:
Real-time scanning traps:
On all virus detections
Send SNMP trap whenever the real-time scanner finds an
infected file.
When unable to clean
Send SNMP trap whenever the real-time scanner cannot clean an
infected file.
Server scanning traps:
On all virus detections
Send SNMP trap whenever the on-demand scanner finds an
infected file.
When unable to clean
Send SNMP trap whenever the on-demand scanner cannot clean
an infected file.
In addition to the real-time and server scanning traps, these two
options are available when SNMP is activated:
Send general information traps
When selected, FireBreak sends SNMP traps on other incidents
than virus attacks, such as load and unload of FireBreak, update
of virus definition files and update of scanner engine.
See The SNMP tab on page 53.
Forward workstation alerts
Workstation alerts (see The NetWare tab on page 45) are sent as
SNMP traps. If you select this option, you must have enabled the
Broadcast alerts from workstation option in the NetWare tab.
For this option to work, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide and Administrator's Guide for
more information on NVC's messaging system.
Alternate community name
If you don't want to use the default community name, which is
public, you can enter the alternate community name here.
The e-mail tab
Enable e-mail messaging
You must select this option to activate the other options. Note
that when you select this option, a check is performed to see that
the required information is available for SMTP server, Mail
recipients, Reply to, and Port.
When a virus is detected
By default, all members defined in the Mail recipients field are
informed that a virus was found.
When a virus is detected, but could not be cleaned
All members defined in the Mail recipients field are informed
that a detected virus could not be cleaned.
General information and alerts
Sends e-mails on other incidents than virus attacks, such as load
and unload of FireBreak, update of virus definition files and
update of scanner engine.
SMTP server
The host name or IP address of the SMTP server you want
FireBreak to send messages through.
Mail recipients
All names on this list receive e-mails. Click Add to enter a new
recipient. Highlight an existing name and click Edit to change
the entry. Highlight one or more recipients and click Remove to
delete them from the list. You can also double-click on an
existing entry to edit it, and on an empty area to add a new
recipient.
Reply to
The e-mail address of the system administrator, for example.
Port
Enter the port number to be used. The default is 25.
Mail message body
You can enter a permanent Subject for the e-mails, as well as a
Common appended text. Edit these fields as you like.
In addition to the permanent subject you may enter, the system
appends the common name of the server sending the e-mail to
the subject line. The e-mails are labelled with tags to simplify
rating and sorting based on the mail's importance. The e-mails
are made up like this: first the text entered in the Subject
field, then "Event:" followed by the event in question, and
finally the name of the server that originated the mail. For
example:
Norman message - Event: Server scan - On: FS1
The different events are:
Start               Start of FireBreak.
Stop                Stop/unload of FireBreak.
NSE updated         New search engine or definition files.
Virus alert         Virus detected by the real-time scanner.
General             General messages, including updated modules
                    which are downloaded/unpacked. May require
                    Admin intervention.
Multi-part message  A number of e-mails, possibly of different
                    types, were queued up to be sent. These were
                    merged into one long message.
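Added example (not part of the Norman guide and not Norman's code): a mail-filter helper that parses the subject format described above, so that alert mails can be sorted by event and originating server. The priority values and the "review" bucket for events missing from the table are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Event names from the guide's event table. The priorities are this
# example's assumption; FireBreak itself does not define them.
EVENT_PRIORITY = {
    "Virus alert": "high",
    "Stop": "high",                  # scanner unloaded, protection is off
    "General": "medium",             # guide: may require admin intervention
    "Multi-part message": "medium",  # merged queue, may contain a virus alert
    "NSE updated": "low",
    "Start": "low",
}

# The Subject prefix is admin-configurable, so anchor on the fixed tail
# "- Event: <event> - On: <server>" and let the greedy prefix take the rest.
SUBJECT_RE = re.compile(
    r"^(?P<prefix>.*)\s-\sEvent:\s*(?P<event>.+?)\s-\sOn:\s*(?P<server>\S+)\s*$"
)

class Alert(NamedTuple):
    prefix: str
    event: str
    server: str
    priority: str
    known_event: bool

def parse_subject(subject: str) -> Optional[Alert]:
    """Parse a FireBreak-style subject line; None if it does not match."""
    m = SUBJECT_RE.match(subject.strip())
    if m is None:
        return None
    event = m.group("event").strip()
    # Events missing from the table (the guide's own example uses
    # "Server scan") are flagged for review, not silently ranked low.
    priority = EVENT_PRIORITY.get(event, "review")
    return Alert(m.group("prefix").strip(), event, m.group("server"),
                 priority, event in EVENT_PRIORITY)

# Sample subjects: the first is the guide's example, the rest are constructed.
SAMPLES = [
    "Norman message - Event: Server scan - On: FS1",
    "Norman message - Event: Virus alert - On: FS2",
    "AV - Event: feed - Event: Stop - On: FS3",  # prefix contains "Event:"
    "Weekly backup report",                      # unrelated mail
]

def triage(subjects):
    alerts = (parse_subject(s) for s in subjects)
    return [(a.server, a.event, a.priority) for a in alerts if a is not None]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```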
Messages that cannot be sent can be kept in a queue for up to
eight hours. When an error occurs during sending, an error message
is logged to FBERROR.LOG, sent to the console screen or
communicated as an SNMP trap, depending on your
configuration.
Test alerts
The purpose of this function is to test that the protocols you
have set up work and that messages are transmitted as intended.
If you have established a message hierarchy (see The Inter-
server tab on page 44), messages are not issued.
When a test alert is generated, test data is used to simulate a virus
detected by the real-time scanner. The data is as follows:
Server name              : The server's real name.
NDS tree                 : The tree the server is in.
Time                     : The actual time when the alert was issued.
User                     : testuser.department.organization
Workstation IP address   : 10.10.10.10
Infected file            : SYS:/TESTDIRCTORY/TESTFILE.XXX
Detected virus           : ########
File scanned during      : create
Action taken on the file : None, it was left alone.
The test alert is issued using live configuration and sent via the
protocols you have enabled. Test alerts are not shown on
FireBreak's monitor screen.
NDS options
Minutes between DS polls when controlled from an object
outside the local replica
This option relates to changes made to the NDS FireBreak
configuration object. The change detection mechanism used
depends on whether the server FireBreak is running on has a
replica of the NDS partition that holds the configuration object or
not. If the object is available locally, changes are detected at once
using the event services in NDS. Note that "at once" may be after
a period of time. The delay depends on how often NDS
synchronizes the replicas of the partition that holds the object
and whether the change was made to the local object or to one in
another replica.
If the object is stored in a partition that does not have a local
replica (i.e. resides on another server), the system will poll for
changes regularly. The default interval is once every 4 hours
(240 minutes), and it is configurable. You can see which
mechanism is in use by checking FireBreak's monitor screen.
See Monitor screen on page 83.
Changes made to an alert group are detected the same way.
Information cannot be inherited from one object higher up in the
tree by one below it. Each object is a separate entity.
Use typeful name for FireBreak
Typeful name is the NDS object name that includes the name
type (OU, O, and so forth) of each object when identifying the
distinguished name of that object.
Poll NDS for changes every x minutes
(Console menu only).
If the server is in polled mode, use this option to check for NDS
changes at regular intervals. The default number of minutes
between each poll is 240, i.e. 4 hours.
Re-read FireBreak's configuration from the NDS
(Console menu only).
If the server is in polled mode, use this option to re-read the
configuration from NDS after changes have been applied to the
object. See the previous page for more explanatory information.
Re-scan NDS for a configuration object
(Console menu only)
If the NDS FireBreak object has not been replicated at the time
of load you can use this option to find the object. If an object is
unavailable at the time of load, you can use this option to scan
for a valid object.
Auto update options
This feature allows you to fully automate the process of keeping
FireBreak updated. All parts of FireBreak can be updated.
Enable auto update of local server
This feature allows you to fully automate the process of keeping
all FireBreak elements updated. When this option is enabled
(default), FireBreak will check the Download directory
regularly for updated files. The files in this directory
(NVCxxxx7.ZIP) will be supplied by Norman Internet Update
(NIU) directly or replicated from a central server in your tree
running NIU. See Fetch updates from distribution server on
page 65 and Norman Internet Update on page 97.
New files are extracted to SYS:\FIREBRK or its subdirectories
and appropriate action is taken. This action depends on the
content of the file. If a new FIREBRK.NLM is extracted, the
system reloads itself. If new .DEF files are detected or a new
NSENW.NLM is found, NSENW.NLM is unloaded and re-loaded
to activate the update.
Some files may not be consumable directly. These will be
extracted to their appropriate subdirectories and the
administrator is notified of the updates via entries in
FBEVENTS.LOG as well as via e-mail. One example of an
update that cannot be consumed directly is a new release of the
ConsoleOne snap-in. When the update is received, FireBreak
cannot predict where ConsoleOne is installed or if it is running
and the files are locked. The ZIP file is therefore extracted to the
appropriate subdirectory under SYS:\FIREBRK and you are
notified as described above. To update your ConsoleOne
installation(s), simply replace the existing files with the new
ones after ensuring that no one is running ConsoleOne from the
location(s) you wish to update.
Note: For e-mail messaging to work, the SMTP server and
mail recipients settings must be properly configured.
Also remember to enable the General information and
alerts option (see page 57).
Fetch updates from distribution server
Enabling this option allows FireBreak to check a server in the
network for updated files. The name of the server is taken from
distribution server in the configuration. FireBreak logs on to
this server using the user name and optional password specified
in the fields Remote user's name and Remote user's password
(see below) and checks for new files. FireBreak checks the
directory on the distribution server that is specified in the
Distribution folder field on the Auto update options tab.
If new or changed files are detected, they are replicated to the
local server's SYS:\FIREBRK\DOWNLOAD directory. The
local update process will take care of them from there.
Note well: If this option is selected you must configure the server
running as distribution server properly:
You must make sure that the path specified in the
Distribution folder field exists.
You must make sure that the user specified in the
Remote user's name field is granted the appropriate
access rights to the distribution folder on the distribution
server. You can select an existing user or create a new
one. The minimum access rights that must be granted to
this user are Read and File Scan.
We strongly recommend that you run Norman Internet Update
(NIU) on the distribution server to ensure that you keep your
servers completely up to date with the latest released files. You
must make sure that NIU is configured to place the downloaded
files that FireBreak applies in the distribution folder. Please refer
to Norman Internet Update on page 97 for details.
The files handled by this feature are the same as for Auto update
of local server. Activity is logged in FBEVENTS.LOG.
Auto update of local server must be enabled to activate this
feature. By default this feature is not enabled.
Check more than once during interval
Select this option if you want FireBreak to look for updates
several times in the interval specified below. If you select this
option, FireBreak will check for updates approximately every
30-35 minutes.
Remote fetch interval (local time)
Select the time intervals during which you wish to activate the
remote update feature. You can select several, or even all, time
slots. The checks for new files are performed regularly during
the selected time slots. By default it is set to be active from 21:00
to 23:00.
Note: In large networks with a high number of servers, you
should consider the start-up time carefully for the
different servers to avoid choking the distribution server.
Remote user's name
Enter the login name of the user you want
FireBreak to use in order to log into the server operating as
distribution hub to fetch updated files, or click on the browse
button and select a user from the list. The user must be granted
Read and File Scan rights to
SYS:\NORMAN\DISTRIB\DOWNLOAD on the distribution
server.
Remote user's password
Enter the password the remote user should use to log into the
server where FireBreak is operating as a distribution hub. For the
default user no password is established. Click on the Change
password button to assign a password or change an existing one.
Distribution server
Enter the server where NIU has been installed.
Distribution folder
Enter the folder where the servers fetch the updates.
For more information about distribution of updates, please
refer to Norman Internet Update on page 97.
Loading and unloading
Loading FireBreak
Generally, we recommend that FireBreak is loaded in your
server's AUTOEXEC.NCF file. This will ensure that FireBreak is
up and running as soon as the server has finished its boot and
load sequence.
The following command is used either in the AUTOEXEC.NCF
file or directly from the server's console screen:
LOAD SYS:FIREBRK/FIREBRK [Enter]
To ease loading from the console, we have included a file called
FB.NCF. This is copied to the SYS:SYSTEM directory during
installation, and it enables you to load FireBreak by simply
typing:
FB [Enter]
from the server's console. You can also use the FB command in
AUTOEXEC.NCF.
Note: It is recommended to put the FB command late in the
AUTOEXEC.NCF file to ensure that all the services
running on the server are properly loaded and initialized.
On load, the system certifies that the operating environment is
okay.
Unloading FireBreak
Unloading FireBreak can be done in two different ways:
1. Select Exit from the Main Menu (see Exit FireBreak on
page 82). The unload command will fail if the configuration
is protected by a password, or if a server scan is in progress.
Refer to page 26 for more details on the password function.
2. From the console screen, enter:
UNLOAD FIREBRK
As the system can be unloaded using the UNLOAD command
from the server's console, use the password option to prevent the
system from being unloaded by unauthorized personnel.
Command line switches
Command line switches are primarily used to override the
default startup configuration. If you are not familiar with the
command line switches, do not use these.
Specifying a configuration object on the command line
To specify a given NDS object, enter the object's full
distinguished name on the command line, including the leading
dot (.).
load sys:/firebrk/firebrk
.fbconfig.a