
Norman Virus Control for NetWare

    Version 4.70

Administrator's Guide


    Copyright 1990-2004 Norman

    Limited warranty

    Norman guarantees that the enclosed diskette/CD-ROM and documentation do not have

    production flaws. If you report a flaw within 30 days of purchase, Norman will replace

    the defective diskette/CD-ROM and/or documentation at no charge. Proof of purchase

    must be enclosed with any claim.

    This warranty is limited to replacement of the product. Norman is not liable for any other

    form of loss or damage arising from use of the software or documentation or from errors

    or deficiencies therein, including but not limited to loss of earnings.

    With regard to defects or flaws in the diskette/CD-ROM or documentation, or this

    licensing agreement, this warranty supersedes any other warranties, expressed or implied,

    including but not limited to the implied warranties of merchantability and fitness for a

    particular purpose.

    In particular, and without the limitations imposed by the licensing agreement with regard

    to any special use or purpose, Norman will in no event be liable for loss of profits or other

    commercial damage including but not limited to incidental or consequential damages.

    This warranty expires 30 days after purchase.

    The information in this document as well as the functionality of the software is subject to

    change without notice. The software may be used in accordance with the terms of the

license agreement. The purchaser may make one copy of the software for backup purposes. No part of this documentation may be reproduced or transmitted in any form or

    by any means, electronic or mechanical, including photocopying, recording or

    information storage and retrieval systems, for any purpose other than the purchaser's

    personal use, without the explicit written permission of Norman.

    The Norman logo is a registered trademark of Norman ASA.

    Names of products mentioned in this documentation are either trademarks or registered

    trademarks of their respective owners. They are mentioned for identification purposes

    only.

    NVC documentation and software are

    Copyright 1990-2004 Norman ASA.

    All rights reserved.

    Last revised on 5 July 2004.


    Norman Offices

    Norman Data Defense Systems AS

Blangstedgårdsvej 1, DK-5220 Odense S, Denmark

    Tel. +45 6311 0508 Fax: +45 6590 5102

    E-mail: [email protected] Web: http://www.norman.com/dk

    Norman Ibas OY

Läkkisepäntie 11, 00620 Helsinki, Finland.

Tel: +358 9 2727 210 Fax: +358 9 2727 2121

    E-mail: [email protected] Web: http://www.norman-ibas.fi

    Norman Data Defense Systems GmbH

    Kieler Str. 15, D-42697 Solingen, Germany.

    Tel: +49 212 267 180 Fax: +49 212 267 1815

    E-mail: [email protected] Web: http://www.norman.de

    Norman/SHARK BV

    Postbus 159, 2130 AD, Hoofddorp, The Netherlands.

    Tel: +31 23 789 02 22 Fax: +31 23 561 3165

    E-mail: [email protected] Web: http://www.norman.nl

    Norman ASA

    Mailing address: P.O. Box 43, N-1324, Lysaker, Norway.

    Physical address: Strandveien 37, Lysaker, N-1324 Norway.

    Tel: +47 67 10 97 00 Fax: +47 67 58 99 40

    E-mail: [email protected] Web: http://www.norman.no/no

    Norman Data Defense Systems AB

Västgötagatan 7, SE-602 21 Norrköping, Sweden

Tel. +46 11 230 330 Fax: +46 11 125 126

    E-mail: [email protected] Web: http://www.norman.com/se

    Norman Data Defense Systems AG

    Postfach CH-4015, Basel, Switzerland.

    Tel: +41 61 487 2500 Fax: +41 61 487 2501

    E-mail: [email protected] Web: http://www.norman.ch

    Norman Data Defense Systems (UK) Ltd

    PO Box 5517, Milton Keynes MK5 6XJ, United Kingdom.

    Tel: +44 08707 448044 Fax: +44 08717 176999

    E-mail: [email protected] Web: http://www.normanuk.com

    Norman Data Defense Systems Inc.

    9302 Lee Highway, Suite 950A, Fairfax, VA 22031, USA

    Tel: +1 703 267 6109, Fax: +1 703 934 6367

    E-mail: [email protected] Web: http://www.norman.com

    Training and Technical Support

    For training or technical support, please contact your local dealer

    or Norman ASA.


    System requirements

For server operating system:

NetWare versions 4.11 or later.

For NetWare 4, support pack 9 is required.

For NetWare 5 and 6 the latest support packs are recommended.

For NetWare 5.0, support pack 6 is required.

On NetWare 5.1 we strongly recommend support pack 6, and on NetWare 6.0 we strongly recommend support pack 3. See note below.

Note: With the release of support pack 6 for NetWare 5.1 and support pack 3 for NetWare 6.0, Novell fixed a set of bugs that influenced FireBreak's performance. The APIs needed to detect whether a file residing on an NSS volume had changed were broken until the release of these support packs. Servers running older SPs on NetWare 5.1/6.0, or NetWare 5.0 with NSS volumes, are subject to this error. On these servers we scan files on close if they were opened for write, regardless of whether they were changed or not, as we have no choice in the matter.

    NetWare support packs are available from Novell at

    http://support.novell.com

The server's SYS volume must have LONG name space installed.

    NDS v6 or later including eDirectory

    Disk space required on server: approximately 10 Mb.

    Memory required on server: approximately 5 Mb.

    For installation and administration:

    A workstation with Windows 98/ME with Novell client,

    or

    Windows NT/2000/XP with Novell client

ConsoleOne v1.3 or later running on a workstation or on the server's graphical console.


See also System requirements - NIU on page 97 and Preparing FireBreak for NIU downloads on page 98, as well as the Readme file for other details.

    Who should read this manual?

    This manual is intended for system administrators with an

    overall responsibility for maintenance of the network, including

    installation and distribution of software to the workstations.

About this manual

The general outline of this manual is based on the logical sequence in which the average user will approach the product, i.e. a brief introduction to FireBreak followed by installation, configuration, administration, and troubleshooting-related topics. As you will see, each module has its own configuration section, starting with two screen dumps, one for the NDS object and one for the Console menu. In other words, when we describe configuration options in this document, the corresponding NDS object GUI

    and the console menu will be displayed. Whenever the rare

    occasion occurs that an option is available from the console

    menu only, the option is duly marked:

Operate as communications hub (Console menu only.)

See also the section Considerations before you start on page 23,

    which addresses the NDS object vs. the Console menu matter.

    Any references to NDS in this manual also include eDirectory,

    i.e. the newer version of NDS.

Technical support

Norman provides technical support and consultancy services for

    NVC and security issues in general. Technical support also

    comprises quality assurance of your anti-virus installation,

    including assistance in tailoring NVC to match your exact needs.

    Note that the number of services available will vary between the

    different countries.


Check Norman's web site for more information:

    www.norman.com.

Prerequisites

We assume, in this documentation, that you are familiar with

    LAN terminology in general and NetWare terminology in

    particular. We further assume that you are familiar with the tasks

    involved in administrating a NetWare-based LAN. Within this

    manual, we sometimes refer you to the NetWare manuals since

    explaining NetWare utilities is beyond the scope of this

    documentation.

    For more information about NetWare see

    http://www.novell.com/documentation


    Contents

    System requirements ................................................................................iv

    Who should read this manual? ..................................................................v

    About this manual .....................................................................................v

    Technical support ......................................................................................v

    Prerequisites .............................................................................................vi

    About NVC for NetWare ..........................................................................11

    What is NVC for NetWare? ....................................................................11

    Components in NVC for NetWare ..........................................................12

    Scanning modes ......................................................................................12

    What is protected? ...................................................................................12

    Before you install .......................................................................................13

    Directory structure ..................................................................................14

    FireBreak files.................................................................................... 15

    FireBreak log files.............................................................................. 16

    Installing FireBreak ..................................................................................18

    Installing on a single server ....................................................................18

    Installing on multiple servers ..................................................................18

    Why do I need a configuration object in my NDS?........................... 19

    Where do I place the configuration object? ....................................... 19

    How do I insert the configuration object?.......................................... 20

    Multi-server environment and configuration object .......................... 20

    Real-time configuration change detection vs. polled checks ............. 21

What if the object can't be read? ............................................................21

    A special user group ......................................................................22

    Configure FireBreak .................................................................................23

    Considerations before you start ..............................................................23

    Basic options ...........................................................................................24


    Common scanning options ......................................................................27

    Real-time scanning options .....................................................................31

    Include list for server-based processes............................................... 33

Server scanning options ..........................................................................35

Virus detected options .............................................................................38

    Messaging options ...................................................................................43

    The Inter-server tab ............................................................................ 44

    The NetWare tab ................................................................................ 45

    The Printing tab.................................................................................. 50

    The SNMP tab.................................................................................... 53

The e-mail tab..................................................................................... 56

Test alerts ........................................................................................... 59

    NDS options ............................................................................................60

    Auto update options ................................................................................63

    Loading and unloading ..............................................................................68

Loading FireBreak ..................................................................................68

Unloading FireBreak ...............................................................................69

    Command line switches ..........................................................................70

    Specifying a configuration object on the command line.................... 70

    Specifying a configuration file on the command line ........................ 70

    Forcing polled checks for changes to the configuration object.......... 70

    FireBreak Administration .........................................................................71

    The FireBreak console menus .................................................................71

    The ConsoleOne snap-in .........................................................................72

    Password protection of configuration and unload.............................. 72

    The Main menu .......................................................................................73

    Scan server ......................................................................................... 73

The keys used ..................................................................................... 74

The information displayed ................................................................. 74

    Administer FireBreak......................................................................... 77

    Display monitor.................................................................................. 78

    Display virus library........................................................................... 79

    Virus characteristics ......................................................................79

    The keys used ..................................................................................... 80

    Find virus............................................................................................ 81


    Information on each virus .................................................................. 81

    Exit FireBreak .........................................................................................82

    Monitor screen ........................................................................................83

The keys used..................................................................................... 84

The information displayed ................................................................. 84

    Monitor menu..................................................................................... 90

    List alert group members ...............................................................91

    Display statistical information .......................................................92

    List the five files with the longest scan time .................................94

    Display NDS related information ..................................................94

    Norman Internet Update ...........................................................................97

    System requirements - NIU................................................................ 97

    Preparing FireBreak for NIU downloads ........................................... 98

    Installation ...............................................................................................98

    Directory structure ..................................................................................99

Loading NIU on NetWare .....................................................................100

Configure and use NIU on NetWare ................................................ 100

    From the server console ................................................................... 100

    The keys used................................................................................... 101

    Update now! ..................................................................................... 102

    Configure NIU ................................................................................. 103

    Products............................................................................................ 104

Languages ........................................................................................ 105

Platforms .......................................................................................... 106

    Authentication key ........................................................................... 107

    Exit ................................................................................................... 107

    Scheduler.......................................................................................... 108

    Exit ................................................................................................... 108

    Other issues related to updating and NIU .............................................109

    Updating the ConsoleOne snap-in ........................................................109

    Changing update paths ..........................................................................109

    Updating FireBreak on servers that are not connected to the Internet ..110

    Alternative A ...............................................................................110

    Alternative B ...............................................................................111

    Testing new updates before large scale distribution .............................111


    Setting up multiple NIU servers in your network .................................112

Using NetWare and NIU as distribution central for workstations without NetWare Client installed .......................................................113

    Advanced FireBreak ................................................................................114

    Virus alerts and messaging structure ....................................................114

    Understanding how messaging works with FireBreak..................... 114

    Using SNMP to centralize monitoring of infections .............................114

    Setting up a FireBreak messaging hierarchy in your network ..............115

    Using FireBreak messaging in a multi-tree environment................. 119

    How FireBreak finds the communication hub address .................... 119

    Using different NDS configuration objects for a single server or group of

    servers............................................................................................... 120

    Special issues ............................................................................................122

    iFolder, viruses, and FireBreak .............................................................122

Using FireBreak with Novell's Native File Access Protocols ..............122

CIFS users and FireBreak message handling ........................................123

    Using FireBreak with IPX and protocol routers............................... 124

Using a FireBreak communication hub in an IP/IPX bridged network ......125

    Troubleshooting .......................................................................................126

    Missing ConsoleOne FireBreak snap-in .......................................... 126

    ClibAux.NLM is a library ................................................................ 126

    Norman eLogger .............................................................................. 127

    Appendix A - Sandbox .............................................................................128

Background ...................................................................................... 128

What is a sandbox?........................................................................... 128

    Sandboxing techniques..................................................................... 129

    How does sandboxing affect the user?............................................. 129

    Index ..........................................................................................................131


    About NVC for NetWare

    What is NVC for NetWare?

Note: FireBreak v4.70 supports NetWare version 4.11 Support Pack 9 and higher.

Norman Virus Control for NetWare, also known as FireBreak, is a server-based anti-virus program that monitors your server for malicious software, also referred to as malware. Malware is viruses, worms, and other varieties of destructive code.

    FireBreak can detect and remove known and unknown viruses

    from your NetWare server.

    FireBreak checks files when they are accessed, and possible

    viruses are removed automatically.

    The primary strength of FireBreak is in providing real-time

scanning, that is, continuous scanning of files accessed on the server.

    This means that if a user tries to copy an infected file to or from

    your server, or run an infected file from the server, FireBreak

will detect the file and move, delete, or clean it. These actions are all configurable.

    Another feature of FireBreak is its on-demand scanning. In

    addition to real-time scanning, you can at any time scan the

    server for possible viruses.

    We have not overlooked the possibility that your NetWare

    servers might be operating in a multi-server environment.

    Enterprise-wide functioning is yet another strength of FireBreak.

    If you have two or more NetWare servers running FireBreak, you

    may configure some of them to be a communications hub. The

    hub can then operate as a central monitoring station, enabling

you to administer your servers more efficiently.


    FireBreak creates a configuration object in your NDS /

    eDirectory. Then you can use this object to configure all your

    FireBreak objects from one central location.

Components in NVC for NetWare

NVC for NetWare is made up of three main components:

    1. The server-based modules running on the NetWare server as

    NetWare Loadable Modules.

    2. The snap-in configuration object module for ConsoleOne.

With this module you can configure and control FireBreak from a central location.

    3. Norman Internet Update (NIU), which is the mechanism for

    updating all parts of the product.

See Why do I need a configuration object in my NDS? on page 19.

Scanning modes

FireBreak has two different scanning methods. The first, and

    most important, is real-time scanning.

    The second mode is the on-demand, manual scanning. This is

    performed at your discretion.

    What is protected?

    Even though FireBreak communicates with Norman anti-virus

    software running on workstations, FireBreak is a network

    product. This means that it does not take any action on infected

    files that are manipulated on local hard drives or floppies. This

    job is the responsibility of the workstation software. If those

infected files are transferred to the server, however, FireBreak will take action in accordance with its configuration.


Before you install

Before you install FireBreak on your server you should decide if

    you want to:

    1. Administer FireBreak configuration from an NDS object,

    facilitating a central configuration environment, or

    2. Administer each of your FireBreak server(s) from the

    NetWare console.

    It is highly recommended that you choose the NDS object

configuration method. This will reduce your administration time and provide a consistent configuration for all your

    FireBreak servers.

    3. Install Internet Update on one server.

    If you install this component, you can update both your

    FireBreak servers and other NVC platforms in your network.

For more information about the update functionality, see Norman Internet Update on page 97.

    Note: If you intend to install the ConsoleOne snap-in, make

    sure that you close this application to avoid a restart of

    the server.


Directory structure

The installation routine will create the directory structure that FireBreak requires. The following tree will be created on the SYS volume.

Directory:              Description:

SYS:FIREBRK             FireBreak's home directory.

SYS:FIREBRK\LOG         This is where FireBreak places log files as they are created. All members of the FireBreak user group should have Read and File Scan rights in this directory.

SYS:FIREBRK\VIRUS       This directory is used as a virus container. Infected files are moved here, provided the system is configured to do so. We recommend that only the Admin user have rights in this directory.

SYS:FIREBRK\DOWNLOAD    Where the ZIP files fetched by NIU are placed. Make sure that Enable auto update of local server (see page 63) is on for FireBreak to check this directory for updates.

FireBreak files

During installation, the following files from the FireBreak distribution are copied to the SYS:FIREBRK directory:

FIREBRK.NLM             The program's executable file.

NVCMACRO.DEF            FireBreak's macro virus information database.

NVCBIN.DEF              FireBreak's binary virus information database.

NVCINCR.DEF             Contains updates to the other .def files.

FB400.CFG               FireBreak's configuration file.

NSENW.NLM               The scanner engine, implemented as a support NLM, keeping FireBreak at the same level as the workstation products with regard to virus detection.

NRELOAD.NLM             A helper NLM exclusively for FireBreak. Part of the automatic update feature.

ELOGGER.NLM             A troubleshooting tool.

ELOGWS32.NLM            Support NLM for ELOGGER.NLM.


During installation, the following file is copied to the SYS:SYSTEM directory:

FB.NCF                  This .NCF eases loading of FireBreak.

For the sake of simplicity, FB.NCF is automatically copied to the SYS:SYSTEM directory. This makes it available through the server's standard search path. Alternatively, you may add FireBreak's home directory to the server's search path by typing the command:

SEARCH ADD SYS:FIREBRK [Enter]

from the system console. Or add the command to the AUTOEXEC.NCF file on a line prior to that which loads FireBreak.

Refer to page 68 for instructions on Loading FireBreak.

FireBreak log files

FireBreak's log files are all stored in the SYS:FIREBRK\LOG directory. They are created automatically when, and if, they are needed. There are five (5) different log files:

FBERROR.LOG             This file holds error messages.

FBREALTI.LOG            Logs virus incidents that are detected by the real-time scanner, and incidents communicated by Norman anti-virus software running on workstations that are connected to the server.

FBSCAN.LOG              The results of manual/scheduled scanning are placed in this file.

FBVIRUS.LOG             Holds the name of each infected file that has been moved to the SYS:FIREBRK\VIRUS directory, the file's original path and file name, and the name of the virus.

FBEVENTS.LOG            Holds information about file updates performed by the auto update function (see page 63).


    Installing FireBreak

    Installing on a single server

    1. Log in to your desired tree as Admin or an equivalent user.

2. Ensure that you have a drive mapped to the root of the server's SYS volume.

    3. Start the installation program and work your way through

    the dialogs.

4. Start FireBreak on the server by typing FB and pressing [Enter] on the server's console screen. If FireBreak during load can't find an object, or the schema has not been extended, a warning message is issued. Operation will continue with configuration data stored on the server. On the monitor screen you can check the name of the object used. You can also see the change detection mechanism used (see below).

Installing on multiple servers

If you wish to install FireBreak on other servers in the same tree,

    you do not necessarily need to repeat all the previous steps for

    each server. Just make sure that you have a drive mapped to the

    root of the SYS volume to each of the desired servers as

    illustrated below.

    Then just follow the normal setup.


Note: If you load FireBreak from AUTOEXEC.NCF during the server's startup, please note that it should be loaded towards the end of the file to ensure that NDS is fully operational.

Why do I need a configuration object in my NDS?

The FireBreak NDS configuration object controls the behavior of the FireBreak NLM. You can set all FireBreak configuration options in this object. This object can configure all servers in your tree running FireBreak.

Where do I place the configuration object?

Normally the configuration object resides in the organization container of the user you installed FireBreak with. If you have several servers in multiple containers, the optimal solution is to put the configuration object either in root, or in the servers' parent container(s).


Administrators or users that need to change the FireBreak configuration object will need Write privileges to the object's properties.

Note: A FireBreak configuration object can reside in an Organizational container (O), an Organizational Unit (OU), or in a Country container (C).

Note well: When FireBreak is loaded it will search the container where the server object resides for a configuration object. If no object is found, FireBreak will start a reverse tree-walk, looking for a configuration object in the parent container, searching upwards until it finds a configuration object or it reaches the root of the tree. FireBreak uses the first configuration object that is found. Note that FireBreak does not search down into existing containers, only up towards the root.

How do I insert the configuration object?

Select New|Norman FireBreak config or click the Norman N-button on the tool bar. You can no longer press [Ins] to create the FireBreak object as you could in NWAdmin; this is a limitation in ConsoleOne. To run the proper object creator code, ConsoleOne requires that you use the menu or the popup menu.

Multi-server environment and configuration object

If you are managing a multi-server environment you can place the configuration object in a container where it can be accessed by all servers. By providing access to the configuration object, all servers will use the same configuration.

If you want to provide a different configuration for a specific server, simply put a configuration object in this server's container. The server will then find this object first, and consequently use it. You can apply the same principle for a group of servers.
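The lookup described in the Note well above and the per-server override just described, modelled in Python as an added example (this is not code from FireBreak): the search starts in the server's own container and walks up towards [Root], the first configuration object found wins, and containers below the server are never searched. The leaf-first name notation and the "[Root]" label are assumptions made for this example.

```python
ROOT = "[Root]"


def parent_container(dn):
    """Return the parent of a dot-separated, leaf-first NDS name such as
    "OU=SALES.O=ACME", the [Root] label for a top-level container, or None
    for [Root] itself. The notation is assumed for this example."""
    if dn == ROOT:
        return None
    if "." not in dn:
        return ROOT
    return dn.split(".", 1)[1]


def find_config_object(server_dn, config_objects):
    """Model of FireBreak's start-up search for its configuration object.

    config_objects maps a container name to the name of the FireBreak
    configuration object it holds. The search starts in the container that
    holds the server object and walks upwards only; the first hit is used,
    and None means "fall back to the local FB400.CFG".
    """
    container = parent_container(server_dn)
    while container is not None:
        if container in config_objects:
            return config_objects[container]
        container = parent_container(container)
    return None


# Constructed example tree: one tree-wide object in O=ACME and a
# server-specific override in OU=IT.O=ACME.
CONFIG_OBJECTS = {
    "O=ACME": "CN=FB Config.O=ACME",
    "OU=IT.O=ACME": "CN=FB Config IT.OU=IT.O=ACME",
}

if __name__ == "__main__":
    for server in ("CN=SALES1.OU=SALES.O=ACME",
                   "CN=FS1.OU=IT.O=ACME",
                   "CN=LAB1.OU=LAB.O=OTHER"):
        print(server, "->", find_config_object(server, CONFIG_OBJECTS))
```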

    See Advanced FireBreak on page 114.


Real-time configuration change detection vs. polled checks

When you have applied changes to a configuration object, FireBreak in turn can apply these to all servers that use this specific object.

Real-time detection of changes is the default mode, provided that it can be implemented on your system. This relies on the event mechanism built into NDS (DSEvents). Once the object is changed, FireBreak is informed of the event and the new configuration is read and made the active one. The time delay, if any, may vary from the time the change is saved by the configuration utility to when it is picked up by FireBreak running on a server. Even if real-time change detection is used, there may be a delay. The delay depends on when NDS synchronizes the changes to the partition between the servers in the tree.

Polled checks for changes are another mode. Once every x minutes (the default value is 240), the object is checked for changes by reading the object's version number. If it has changed, the new configuration is read and made the active one. Polled checks are always used if the server does not hold a local replica of the NDS partition where the configuration object is stored.

What if the object can't be read?

There may be several reasons why a configuration object cannot be found: broken server links, the server holding the object may be temporarily unavailable, or the administrator may have failed to create one. Regardless of the reason, FireBreak loads and works. Whenever a configuration is read from NDS, it is saved in a local file, FB400.CFG. This file is used as a fallback in the situations described above.

FB400.CFG is located in the root of the server's SYS:FIREBRK directory. This is a binary file and cannot be edited.


A special user group

An important feature of FireBreak is the messaging functionality. When a virus is detected, FireBreak can send alerts to the offending user, to the server console, and to a pre-defined user group.

Note: The Admin will only be notified of virus events if this user is a member of FireBreak's special user group. Use NetWare's workstation-based administration utility, ConsoleOne, to create the group and add the appropriate members (see your NetWare Utilities Reference for further details). If you want to use a group that already exists, change the name of the group that FireBreak should use. Make these changes from the appropriate menu (see Configure FireBreak on page 23).

Once you have decided upon a user group, make sure that all members of the group have Read and File Scan rights to the SYS:FIREBRK\LOG directory. A simple way to do this is to use NetWare's ConsoleOne to add the group as a trustee of the SYS:FIREBRK\LOG directory.


Configure FireBreak

When you configure FireBreak you have a number of options available. Most of the options are enabled or disabled from this menu's submenus.

FireBreak is shipped with many preselected options. These default options are identified by a marker in the check box, like this:

[x] Scan incoming files

You can always click on the Default button to view the default settings in a dialog. (Only in the snap-in.)

Note: If you don't use the NDS object you can reset all options to their default values this way:

1. Unload FireBreak

2. Delete SYS:FIREBRK/FB400.CFG

3. Load FireBreak

Considerations before you start

Before you start configuring FireBreak you should consider the structure of your network, how you want your server(s) running FireBreak to act, and how you would like to manage them.

There are two principal approaches for configuring and administering FireBreak:

1. Use NDS / eDirectory to configure all FireBreak servers in your tree. You can also have several FireBreak NDS objects in your tree, facilitating different configurations for different FireBreak servers.


2. Use the console menus to configure each server individually.

Note: When we describe configuration options in this document, the corresponding NDS object GUI and the console menu will be displayed. Clicking the Default button, present in all GUIs, restores the original, default values for that dialog.

    Basic options


Display messages on system console

Instructs FireBreak to display important virus detection messages on the server's console screen as follows:

Note: In NetWare 6 all virus detection messages are displayed in the server console Logger screen.

    FB               : Virus detected by real-time scanner
    Time             : Mon 2003/06/23 11:34:36
    InfoServer       : LANCELOT.roundtable
    In tree          : EXCALIBUR
    Virus name       : VW/SHowOffD
    Infected file    : DATA:USERS/FRED/LETTER2.DOC
    File was         : created
    File accessed by : fred.roundtable
    From             : 172.17.7.34
    Action taken     : quarantined


Display monitor screen upon load

FireBreak can open a monitor screen at startup displaying information about real-time scanning and available options. Various informative submenus are available. See Monitor screen on page 83.

Save infection information across loads

FireBreak can save information across loads about the last detected virus and the total number of infected files detected by both the real-time scanner and any Norman anti-virus products running on connected workstations. FireBreak displays this information in its Monitor window (see page 83). If the information has been saved, it will be restored when FireBreak is loaded. The saved information is updated automatically when FireBreak exits or is unloaded by the server.

Password protected configuration

This option allows you to edit an existing password or create a new one. If you have specified a password, FireBreak prompts you for this password when you enter the Configure FireBreak menu or attempt to exit FireBreak.

The minimum password length is 4 characters, while 15 is the maximum. You can use the ASCII characters 1 through 255. The password is not case sensitive for the characters A through Z, and is case sensitive for the remaining valid characters. Password protection is optional.

To remove a password, delete all characters and press [Enter]. Click on Change password to change an existing password. The password is only visible when you edit it. At all other times, the characters are echoed as *.

Note: By default, a password is not assigned. If you forget a specified password, you can change this in the FireBreak ConsoleOne snap-in. FireBreak assumes that if you have modify rights to the FireBreak configuration object, you are the Admin or equivalent in the network.

Note well: If you have chosen to run FireBreak without an NDS object, you must delete the FB400.CFG file from the SYS:FIREBRK directory, then restart the server. You will not be able to unload FireBreak before restarting the server. To restore FB400.CFG, run the install program to replace it. If you do this, however, remember that all configuration settings are restored to default values.

Common scanning options

Scanning options are specified separately for real-time scanning and on-demand scanning (see Server scanning options on page 35). Options that apply to both scanning methods are located in this dialog.


Scan inside compressed program files

When this option is enabled, FireBreak can scan for possible infections inside executable files compressed by utilities such as PKLite and Diet.

Scan for security risks

This option instructs FireBreak to scan for objects that represent a possible security risk. Some administrators have installed programs like password crackers and remote administrative tools that are perfectly legal and probably useful too. However, the lack of security features in some of these tools can expose machines to unauthorized users and crackers. FireBreak detects the activity of such tools and will warn against potential security risks. Warnings report the name of the program, so you can decide whether it is a legitimate program or cracker activity that triggers the alarm.

Scan for aggressive commercials

Sometimes unwanted programs are attached to programs that you download from the Internet, for example for evaluation purposes. They do not inform you about their presence, and if you uninstall the original program, the hidden program may still be on your machine. It is hard to find and has no uninstall procedure. At odd intervals these programs will log on to the Internet and download commercials all by themselves. They are not harmful like a traditional virus, but they are annoying and create unnecessary network traffic. FireBreak can detect and remove such programs. Note that free software that you have installed may not work when this option is selected.

Exclude files of indeterminate format

Select this option to instruct FireBreak to skip files of indeterminate format. Such files may be damaged files, or files with an unknown format.

Exclude list (Console menu only.)

Specify files, directories, or entire volumes that you want to exclude from real-time and server scanning.

Use the [Insert] and [Delete] keys to add or remove entries in the list. You can browse to directories and even select a specific file name to include in the list. Remember that if you select a directory, its subdirectories are included.

When specifying a file, you can choose to exclude the specific file only, or to exclude all files of the same type.

Note well: Exclude lists should be handled with great care, as they represent a potential security risk.

Real-time scanning options

These options allow the administrator to tailor FireBreak to better meet the organization's needs. You can select scanning of incoming and/or outgoing files.


Scan incoming files

FireBreak considers the following types of files as incoming files:

- New files created on the server.

- Existing files that have been changed.

Scan outgoing files

FireBreak considers the following types of files as outgoing files:

- Files residing on the server that are read by a workstation, for example when a program installed on the server is executed from the workstation. Another example is when a file on the server is copied to the workstation.

Scan outgoing files opened for write

An alternative to the previous option is to instruct FireBreak to scan files on open, provided they are opened in a way that they may be changed (open for write). This means that programs executed from the server are not scanned before access is granted to the file, as the execute opens the file only for read. If a user opens a file on the server in a word processor, for example, this file will be opened for write. If this option is enabled, FireBreak scans the file before the word processor is granted access to the file. As this option is a variant of the Scan outgoing files option, it is flagged as not applicable (N/A) if Scan outgoing files is selected.

Scan for new, unknown viruses using sandbox

Select this option if you want FireBreak to look out for new virus variants. The sandbox is particularly tuned to find new email, network and peer-to-peer worms and file viruses, and will also react to unknown security threats. When a new piece of malicious code is detected, the system administrator receives a message through FireBreak's messaging system listing the vital facts.

When this option is selected, scanning time will increase.

Note well: Files copied from the server to a workstation are not opened for write. To scan files on copy, Scan outgoing files must be enabled.

Include list for server-based processes (Console menu only.)

By design, FireBreak will not scan files that are created or changed by server-based processes. By excluding such scans, FireBreak will not interfere with server-based processes, thus avoiding potential performance and time-out problems affecting the server.

You may be running services on your server where the default exclusion represents a security risk. This option allows you to select directories that these services use for file operations, and make sure that all files that pass through them are scanned by FireBreak's real-time scanner. Typical examples are CIFS (part of Native File Access Protocols), where users can access files on the server without a Novell client, as well as FTP and web servers that allow connected users to upload files.

For more information, see Using FireBreak with IPX and protocol routers on page 124.

Entries in FireBreak's Exclude list have higher priority and are checked after the Include list. Consequently, if a directory, file or a specific file type is listed in the Exclude list, it will not be scanned even if it resides in a directory on the Include list.
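The decision the real-time scanner makes under these two lists, written out in Python as an added example (not FireBreak's own code): files written by server-based processes are skipped unless an Include list directory covers them, and the Exclude list is applied afterwards and always wins. The (kind, value) representation of Exclude entries, the path normalization and the sample paths are assumptions made for this example.

```python
def normalize(path):
    """Upper-case a NetWare path (VOLUME:DIR\\FILE) and use backslashes
    throughout; NetWare file names are not case sensitive."""
    return path.upper().replace("/", "\\")


def within(path, directory):
    """True if path lies in directory or in one of its subdirectories. A bare
    volume such as 'SYS:' matches every path on that volume."""
    p = normalize(path)
    d = normalize(directory).rstrip("\\")
    if d.endswith(":"):
        return p.startswith(d)
    return p.startswith(d + "\\")


def is_excluded(path, exclude_list):
    """Apply the Exclude list. Each entry is a (kind, value) pair; kind is
    'volume' (entire volume), 'dir' (directory, subdirectories included),
    'file' (one specific file) or 'type' (an extension, i.e. all files of
    the same type). The pair form is this example's own representation of
    the entries the console menu lets you add."""
    p = normalize(path)
    volume = p.partition(":")[0]
    filename = p.rsplit("\\", 1)[-1]
    extension = filename.rsplit(".", 1)[1] if "." in filename else ""
    for kind, value in exclude_list:
        value = normalize(value)
        if kind == "volume" and volume == value.rstrip(":"):
            return True
        if kind == "dir" and within(p, value):
            return True
        if kind == "file" and p == value:
            return True
        if kind == "type" and extension == value.lstrip("*."):
            return True
    return False


def should_scan(path, by_server_process, include_dirs, exclude_list):
    """Decide whether the real-time scanner examines a file, following the
    rules on this page: a file created or changed by a server-based process
    is skipped unless it lies under an Include list directory, and the
    Exclude list is checked afterwards and always wins."""
    if by_server_process and not any(within(path, d) for d in include_dirs):
        return False
    return not is_excluded(path, exclude_list)


def whole_volume_entries(include_dirs):
    """Include list entries that name an entire volume, which the manual
    strongly recommends against because of the load it puts on the server."""
    return [d for d in include_dirs if normalize(d).rstrip("\\").endswith(":")]


if __name__ == "__main__":
    # Constructed configuration: an FTP upload directory is included so that
    # uploads are scanned, while log files anywhere are excluded.
    include = ["SYS:FTP\\UPLOAD"]
    exclude = [("type", "*.LOG"), ("dir", "SYS:FIREBRK\\VIRUS")]
    for path, by_server in (("SYS:FTP\\UPLOAD\\SETUP.EXE", True),
                            ("SYS:FTP\\UPLOAD\\TRANSFER.LOG", True),
                            ("SYS:ETC\\CACHE.TMP", True),
                            ("DATA:USERS\\FRED\\LETTER2.DOC", False)):
        verdict = "scan" if should_scan(path, by_server, include, exclude) else "skip"
        print(path, "->", verdict)
```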

Note: Be careful to select the correct directory you want FireBreak to scan.

Be aware that FireBreak scans all files in the selected directory and its subdirectories regardless of which server-based process they belong to. Hence the number of directories in the list should be kept at a minimum.

Note well: With this option you can choose an entire volume. We strongly recommend NOT doing this. Including an entire volume can seriously slow down and destabilize your server.

Server scanning options

These options allow the Administrator to configure FireBreak's behavior during manual server scans. You can set the priority for allocation of resources, in addition to what FireBreak should log.


Scanning priority

Scanning priority decides how FireBreak should operate when the system is busy. If you set the priority to Low, FireBreak will give way to other tasks and wait for a suitable occasion to proceed. If the priority is set to High, FireBreak will acquire the necessary resources to complete its task. You can choose between High, Medium, and Low, where High is the default setting.

Scan for new, unknown viruses using sandbox

FireBreak employs its sandbox functionality to detect new, unknown viruses. Select this option if you want FireBreak to look out for new virus variants. The sandbox is particularly tuned to find new email, network and peer-to-peer worms and file viruses, and will also react to unknown security threats. When a new piece of malicious code is detected, the system administrator receives a message through FireBreak's messaging system listing the vital facts.

When this option is selected, scanning time will increase, but it is not likely to affect the performance considerably.

See also Scanning priority on page 36 and Appendix A - Sandbox on page 128.

Logging

Log results to file

As the manual scan progresses, information is logged to SYS:FIREBRK\LOG\FBSCAN.LOG.

Append to existing file

When selected, FireBreak appends the information from each scan to the existing log file. If this option is disabled, FireBreak deletes any old log file before the scan is started. A header and footer are included for each scan.

Log infected files

Include names and locations of all infected files that are detected.

Scanned directories

Include names of all scanned directories.

Scanned files

Include names of all scanned files.

Virus detected options

Use these options to configure how FireBreak should behave when a virus is found. By default, FireBreak will clean viruses when found, and move infected files that cannot be cleaned off-line.

From this dialog you determine how FireBreak should handle infected files.

Clean viruses if possible

FireBreak has the ability to clean infected files on-the-fly. This functionality has been implemented for the on-demand scanner and for incoming and outgoing files.

On the monitor screen and in the log files, the Action taken field will read "The file was cleaned".

Log incidents to file

Tells FireBreak to add entries in the log whenever a virus is detected by the real-time scanner or any NVC software running on a workstation in the network. The log file is created only if necessary and is named SYS:FIREBRK\LOG\FBREALTI.LOG.

Log workstation virus alerts

If you enable this option, the individual NVC workstations must be configured correctly with the server address specified. Please refer to NVC's Reference Guide for more information on NVC's messaging system. In addition, the communication hub must be on. See The Inter-server tab on page 44.

Note that the log files grow faster in size when this option is enabled.

When cleaning is not possible

In some situations, FireBreak cannot clean infected files. For example, FireBreak cannot clean files that are in use or reside on a write-protected floppy, or if there is no repair script for the virus in the virus definition files. Use this section to determine how FireBreak should handle files that cannot be cleaned.

Purge infected files

If you select this option, FireBreak purges infected files, making them unrecoverable.

When you select this option, FireBreak uses NetWare's inherent PURGE capability to permanently remove an infected file. There may be more than one retrievable file in one directory with the same file name as the infected one, and FireBreak will purge them all when you use this option.

Move infected files off-line

When you select this option, FireBreak moves all infected files to the SYS:FIREBRK\VIRUS directory. FireBreak uses this as a quarantine. Since it contains infected files, we recommend that only Admins and possibly the members of the FireBreak user group have rights in this directory.

Note: As long as FireBreak is running and the real-time scanner is checking outgoing files, ALL users, even Admin and members of FireBreak's special user group, are denied access to the files in this directory.

Several infected files may happen to have identical names. If a file exists in the SYS:FIREBRK\VIRUS directory with the same name as that of a new file being moved there, FireBreak will change the name of the newest file until it is unique. The technique increments the first eight characters of the file's name only; extensions are left untouched. First, if the name is less than eight characters, it is padded with @ to achieve full length. Then characters are incremented until they reach Z, starting with the last going forward.

For example:

COMMAND.COM
COMMAND@.COM
COMMANDA.COM
COMMANDB.COM
:
CZZZZZZZ.COM
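The naming scheme above, reproduced in Python as an added example (not FireBreak's own code) so that the sequence from COMMAND.COM to CZZZZZZZ.COM can be checked: the base name is padded with @ to eight characters, the extension is never touched, and characters are advanced one ASCII value at a time until they reach Z. The manual does not spell out how the scheme moves from the last character to the ones before it, so the carry rule in next_base is an assumption chosen to end at CZZZZZZZ.

```python
NAME_LENGTH = 8   # FAT 8+3 base name length
PAD = "@"         # padding character named on this page
LAST = "Z"        # characters are incremented until they reach Z


def split_name(name):
    """Split 'COMMAND.COM' into ('COMMAND', '.COM'); the extension is kept
    untouched throughout, as the manual states."""
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, "." + ext
    return name, ""


def pad_base(base):
    """Pad a base name shorter than eight characters with '@'."""
    return base[:NAME_LENGTH].ljust(NAME_LENGTH, PAD)


def next_base(base):
    """Advance the name by one step, or return None when it is exhausted.

    Assumed carry rule: scanning from the last character towards the first,
    the first character below Z is advanced by one ASCII value
    ('@' -> 'A', 'A' -> 'B', ...); characters already at Z stay at Z, and
    the first character is never touched, so the sequence ends at CZZZZZZZ
    for a name starting with C.
    """
    chars = list(base)
    for i in range(len(chars) - 1, 0, -1):
        if chars[i] < LAST:
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
    return None


def quarantine_name(original, existing):
    """Name given to `original` when moved to SYS:FIREBRK\\VIRUS, where
    `existing` holds the names already in that directory (any case)."""
    taken = {n.upper() for n in existing}
    name = original.upper()
    if name not in taken:
        return name
    base, ext = split_name(name)
    base = pad_base(base)
    while base + ext in taken:
        base = next_base(base)
        if base is None:
            raise RuntimeError("no unique quarantine name left for " + original)
    return base + ext


def quarantine_sequence(original, count):
    """Names that `count` successive infected copies of `original` receive
    when moved, one after another, into an initially empty quarantine."""
    names = []
    for _ in range(count):
        names.append(quarantine_name(original, names))
    return names


if __name__ == "__main__":
    for name in quarantine_sequence("COMMAND.COM", 5):
        print(name)
```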

Whenever an infected file is moved off-line, the event is logged in FBVIRUS.LOG along with the virus name, the name of the infected file as it now appears in the SYS:FIREBRK\VIRUS directory, and the full path and name of the infected file as it appeared in its original location.

Note: When files in long (OS/2) name space are moved off-line, some of the extended directory information is lost. The file owner information is part of the information that is lost. This limitation will be addressed in future versions of FireBreak.

If files are moved from a volume that has LONG (OS/2) name space to a SYS: volume that does not, file names are converted to comply with the FAT 8+3 specification. An example of a converted name is: THIS IS A LONG DOCUMENTNAME.DOC changes to THIS~IS~.DOC. This is done only if Use numeric names for moved files is deselected and the name is not FAT compliant.

Use numeric names for moved files

To speed up naming infected files that are moved to SYS:FIREBRK\VIRUS, this is an alternative naming method. It creates unique names for the infected files using a numeric value rather than the incremental names described above.

Here is a sample from FBVIRUS.LOG, which displays the name of the virus that infected the file, the name of the infected file in SYS:FIREBRK\VIRUS, and the full path and name of the original file, respectively.

UNIX/Svat.B S08830E8.H4
W32/Klez.H@mm SF0CF0BD.PIF < SYS:/INFECTED/SLUTTEN.PIF

You can see that there were four infections in different directories. They were all infected by different viruses, and they now reside in the SYS:FIREBRK\VIRUS directory with slightly different names.

Messaging options

FireBreak's messaging system is extremely powerful: it can send messages to and receive messages from workstations and other servers running FireBreak, and print messages to a queue. Choose between FireBreak's messaging system or SNMP traps, or both. You can configure all of these features from the four tabbed dialogs:


The Inter-server tab

Send messages to communication hub

Tells FireBreak to send a message to the server running as Communication Hub (see below) if a virus is detected by FireBreak's real-time scanner.

Note: You can set up a hierarchy of communication hubs. See Advanced FireBreak on page 114.

Server to use as communication hub:

Enter the server name, or click browse to view available servers. The selected server will operate as a communications hub for a network with multiple servers running FireBreak. The NDS object must be configured to Send messages to communications hub (see above). As a message is received, it is broadcast to all connected members of this server's FireBreak user group. If logging is enabled, the event is logged in the system's log file.

Note: The selected communications hub must be enabled at the FireBreak console menu. See Operate as communications hub below.

Note well: The FireBreak messaging hierarchy limits the number of servers a message can be relayed to. In this version the number of levels is limited to 16.

In addition, messages that are routed back to the originating server are removed to avoid packet storms in your network.

For more detailed information on how FireBreak finds the address of the communication hub, see Special issues on page 122.

Operate as communications hub (Console menu only.)

On the server targeted as the communications hub this option must be enabled. If NetWare is bound to both IP and IPX, then IP will be the preferred protocol for messaging.

See Setting up a FireBreak messaging hierarchy in your network on page 115.

Advertise communications hub using SAP (Console menu only.)

This option is valid only when running an IPX network. SAP is short for Service Advertising Protocol and provides information about services and network addresses to clients and servers in an IPX network.

Note: Only one server per network can operate as a hub if you are using the SAP option above. The first server to load FireBreak configured as a hub operates as one. Subsequent attempts with other servers loading as hubs will fail with a non-fatal error message.

The NetWare tab

The NetWare options allow you to specify a group of users to be alerted when a virus is found. You can also choose to enable or disable broadcasting of virus infections both from the server's and from the workstations' real-time scan.


Group to notify

In addition to the offending user, all members of a configured user group can be notified of a virus detection. FireBreak will send the message to all group members who are connected to the server at the time of detection. If a member is connected to two workstations with a single user ID, for example, this user will receive the message at both workstations.

To locate the desired group for FireBreak alerts, click the browse button, and add the group object.

If no existing group is appropriate, create a new group using NetWare's administration tool ConsoleOne.

There is no default name for this group.

Note: There are no limitations for the location of the group to be alerted. It can reside anywhere in the directory, but in the same tree.

Notify offending user

By default, the infected user is notified about the infection. Use the field Message to be broadcast to edit the message.

Broadcast when a virus is detected

By default, all members in the specified group(s) are informed about the virus incident.

Broadcast when unable to clean

Select this option if you want to inform the selected group(s) of viruses that couldn't be removed.

Message to be broadcast, real-time scan

The default message that is broadcast when the real-time scanner detects an infected file is:

FB: @U may be infected with @V

You can edit the message to suit your needs with tokens, which are shorthand placeholders. When messages are created and sent, FireBreak replaces the tokens with the appropriate information. The token table later in this section lists the available tokens and what they represent.

The tokens are case sensitive: the second character must be in upper case for FireBreak to recognize it.

When an actual message is created, FireBreak will truncate the result so that it will fit within NetWare's limit of 250 characters.

    Below are two examples of possible messages in the form they

    would be entered and how they would look when sent:

    FB: Server @S infected with '@V' - check log

    file!

    FB: Server SIRIUS infected with W32/Klez.H-check log file! Broadcast alerts from workstationFor this option to work, the individual NVC workstations must

    be configured correctly with the server address specified. Please

    refer to NVCsReference Guide andAdministrators Guide for

    more information on NVCs messaging system.

    If you select this option, enter the message in the box below.

    FireBreaks default message is:FB: @U received a virus alert on workstation

    When used in conjunction with other Norman products,

    FireBreak allows you to monitor virus infections both on local

    hard drives and server drives.

    As with the real-time scan broadcast message above, you can

    edit this message to suit your needs. This message appears when

    Token Representation@F The full path of the infected file.

    @D The distinguished name of server.

    @P The offending users physical IP or

    IPX address.

    @S The server's common name

    @U The offending users login name.@V The name of the detected virus.

    Configure FireBreak49

    any NVC workstation software sends an alert to FireBreak. For

    example, if a machine logged into a server running FireBreak

    runs NVC and finds a virus on C:, NVC sends this message to

  • 8/3/2019 FireBreak 4 70

    49/135

    Copyright 1990-2004 Norman

    , g

    the members of the FireBreak user group.

    In the event that the offending user is in the network but notlogged in, FireBreak cannot establish the users name, and the

    token @U will be replaced with the word unknown.
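The token rules above (six two-character tokens, case sensitivity, the word unknown for a user who is not logged in, and truncation to NetWare's 250-character limit) are small enough to model exactly. The following Python is an added example, not code from the Norman product; the detection record, its field names and the sample values are this example's own assumptions, and the choice to leave a token in place when a non-user value is missing is also an assumption the guide does not make.

```python
"""Expand the @-tokens of a FireBreak broadcast message.

Added example, not code from the Norman product.  It models the rules
the guide gives: the six two-character tokens, case sensitivity, the
word "unknown" when the offending user is not logged in, and truncation
to NetWare's 250-character broadcast limit.  The detection record, its
field names and the sample values are this example's own assumptions.
"""

NETWARE_BROADCAST_LIMIT = 250  # limit stated in the guide

# Token -> field of the detection record it is filled from (guide's table).
TOKENS = {
    "@F": "file",       # full path of the infected file
    "@D": "server_dn",  # distinguished name of the server
    "@P": "address",    # offending user's IP or IPX address
    "@S": "server",     # server's common name
    "@U": "user",       # offending user's login name
    "@V": "virus",      # name of the detected virus
}

# Constructed sample detection (not real data); the server and virus
# names mirror the guide's own example.
SAMPLE_DETECTION = {
    "file": "SYS:/USERS/JDOE/INVOICE.EXE",
    "server_dn": ".SIRIUS.SERVERS.ACME",
    "address": "10.10.10.10",
    "server": "SIRIUS",
    "user": "JDOE",
    "virus": "W32/Klez.H",
}


def expand_message(template: str, detection: dict) -> str:
    """Replace recognized tokens in *template* with values from *detection*.

    Only the upper-case forms listed in TOKENS are recognized; "@u" or
    "@s" stay in the text untouched, as the guide says.  A missing user
    name becomes "unknown".  A token whose value is absent for any other
    field is left in place (an assumption; the guide does not say).  The
    result is cut to the NetWare broadcast limit.
    """
    out = []
    i = 0
    while i < len(template):
        pair = template[i:i + 2]
        if pair in TOKENS:
            field = TOKENS[pair]
            value = detection.get(field)
            if field == "user" and not value:
                value = "unknown"
            out.append(pair if value is None else str(value))
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)[:NETWARE_BROADCAST_LIMIT]


if __name__ == "__main__":
    print(expand_message("FB: Server @S infected with '@V' - check log file!",
                         SAMPLE_DETECTION))
    print(expand_message("FB: @U may be infected with @V", {"virus": "W32/Klez.H"}))
    print(len(expand_message("@F " * 100, SAMPLE_DETECTION)))  # capped at 250
```

The same function serves both the real-time scan message and the workstation alert message, since the guide says they use the same tokens. Note that the truncation is applied to the expanded text, so a long file path in @F can push a virus name placed later in the template past the 250-character cut; put the fields you care most about first.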


    The Printing tab

Not only can FireBreak alert members of a special user group, it
can also print messages to an existing print queue. The printed
information is the same as that logged in FBREALTI.LOG, and
the report is printed when either the FireBreak real-time scanner
or any Norman anti-virus workstation product in the network
detects a virus.

    You may specify which print queue to use, whether or not a

    banner is to be printed, and whether or not a form feed command

    is issued after each alert.


    Print queue to use for alerts

    Click on the browse button to view and select a print queue. If

    you wish to print out each virus event, select the name of an

    existing print queue in this field.

    If you enter a print queue that does not exist, FireBreak will not

    accept the entry. Either change the entry to a print queue that

    does exist, create a new print queue, or click on the browse

    button to select an existing queue.

Note: NDPS and iPrint are not supported in this version. Only
queue-based printing is supported.

    Print banner

If no print queue is specified (see section above), this option is
not applicable. If you did specify a print queue, however,
FireBreak will print a NetWare banner page as a cover page for
each virus alert when this option is selected.

The options Print banner and Form feed after each alert (see
below) work together: if Form feed is selected, then a banner is
printed for each alert. If Form feed is not selected, then a banner
is printed only the first time per session that an alert is printed.


    Session is defined as the time between loading and unloading

    FireBreak or between loading FireBreak and downing the server.

    Form feed after each alert


    If no print queue is specified, then this option is not applicable. If

you did specify a print queue, however, FireBreak will issue a
form feed after each printed alert.

The Print banner and Form feed after each alert options work
together as described under Print banner above: with Form feed
selected, a banner is printed for each alert; without it, only the
first alert printed per session gets a banner. Session is defined as
the time between loading and unloading FireBreak or between
loading FireBreak and downing the server.


    The SNMP tab

SNMP (Simple Network Management Protocol) is a protocol
governing network management and the monitoring of network
devices and their functions. Typical solutions that use SNMP for
network management are CA Unicenter, IBM's Tivoli, and HP
OpenView. SNMP can provide central monitoring of all servers
and workstations running NVC.

For more details on SNMP, please refer to page 114.

    Note: Only the trap portion of SNMP is used. Management

    and configuration through SNMP is not supported.


Enable SNMP

You must select this option to activate the different trap types.
Note that all the following options are automatically selected
(default) when SNMP is enabled:

Real-time scanning traps:

On all virus detections
Send an SNMP trap whenever the real-time scanner finds an
infected file.

When unable to clean
Send an SNMP trap whenever the real-time scanner cannot clean
an infected file.

Server scanning traps:

On all virus detections
Send an SNMP trap whenever the on-demand scanner finds an
infected file.

When unable to clean
Send an SNMP trap whenever the on-demand scanner cannot clean
an infected file.


    In addition to the real-time and server scanning traps, these two

    options are available when SNMP is activated:

    Send general information traps


When selected, FireBreak sends SNMP traps on incidents other
than virus detections, such as load and unload of FireBreak,
update of virus definition files and update of scanner engine.

    The SNMP tab on page 53.

    Forward workstation alerts

    Workstation alerts (see The NetWare tab on page 45) are sent as

    SNMP traps. If you select this option, you must have enabled the

    Broadcast alerts from workstation option in the NetWare tab.

    For this option to work, the individual NVC workstations must

    be configured correctly with the server address specified. Please

refer to NVC's Reference Guide and Administrator's Guide for

    more information on NVCs messaging system.

    Alternate community name

If you don't want to use the default community name, which is
public, you can enter an alternate community name here. Note
that in SNMPv1 and SNMPv2c the community name is carried in
clear text in every trap, so an alternate name helps the manager
separate FireBreak's traps from other traffic but should not be
relied on as a secret.
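To see what actually leaves the server when a trap is sent, and why the community name is not a secret, here is an added example (not code from the Norman product) that builds an SNMPv1 trap datagram by hand following RFC 1157 and then reads the community name back out of the raw bytes. The enterprise OID, the varbind OID, the agent address and the alert text are placeholders chosen for illustration; the product's own values would come from its MIB.

```python
"""Build an SNMPv1 trap datagram and read its community name back.

Added example, not code from the Norman product.  Encoding follows
RFC 1157 (SNMPv1) and the BER rules it uses.  The enterprise OID,
varbind OID and alert text below are placeholders, not Norman's.
"""
import socket

# BER tags used by SNMPv1 (universal tags plus the SNMP application tags).
TAG_INTEGER, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x06, 0x30
TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x40, 0x43, 0xA4
GENERIC_ENTERPRISE_SPECIFIC = 6  # generic-trap value for vendor-defined traps

# Placeholders for illustration only; substitute the product's real OIDs.
PLACEHOLDER_ENTERPRISE_OID = "1.3.6.1.4.1.99999"
PLACEHOLDER_ALERT_TEXT_OID = "1.3.6.1.4.1.99999.1"


def _ber_len(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int_body(value: int) -> bytes:
    """Minimal two's-complement encoding; non-negative inputs only."""
    return value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))


def build_trap(community: str, agent_ip: str, specific_trap: int,
               uptime_ticks: int, alert_text: str) -> bytes:
    """Message ::= SEQUENCE { version 0, community, Trap-PDU } per RFC 1157."""
    varbind = _tlv(TAG_SEQUENCE, _oid(PLACEHOLDER_ALERT_TEXT_OID)
                   + _tlv(TAG_OCTET_STRING, alert_text.encode()))
    pdu = (_oid(PLACEHOLDER_ENTERPRISE_OID)
           + _tlv(TAG_IPADDRESS, socket.inet_aton(agent_ip))
           + _tlv(TAG_INTEGER, _int_body(GENERIC_ENTERPRISE_SPECIFIC))
           + _tlv(TAG_INTEGER, _int_body(specific_trap))
           + _tlv(TAG_TIMETICKS, _int_body(uptime_ticks))
           + _tlv(TAG_SEQUENCE, varbind))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, _int_body(0))
                + _tlv(TAG_OCTET_STRING, community.encode())
                + _tlv(TAG_TRAP_PDU, pdu))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def community_from_wire(packet: bytes) -> str:
    """What any host on the path to the manager can read: the community
    name is an unencrypted OCTET STRING right after the version field."""
    _, msg, _ = _read_tlv(packet, 0)       # outer SEQUENCE
    _, _, pos = _read_tlv(msg, 0)          # version INTEGER
    tag, comm, _ = _read_tlv(msg, pos)     # community OCTET STRING
    if tag != TAG_OCTET_STRING:
        raise ValueError("not an SNMPv1/v2c message")
    return comm.decode()


if __name__ == "__main__":
    # Constructed alert text in the style of the guide's default message.
    pkt = build_trap("public", "10.10.10.10", 1, 4711,
                     "FB: JDOE may be infected with W32/Klez.H")
    print(pkt.hex())
    print("community visible on the wire:", community_from_wire(pkt))
    # To deliver it: socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    #                      .sendto(pkt, (manager_ip, 162))
```

Because the community name and the alert text (user name, virus name, file path) are all plain octet strings in the datagram, anyone able to capture traffic on the way to the SNMP manager reads them as easily as the manager does; keep the trap path on a management network rather than treating the community name as a password.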


    The e-mail tab


Enable e-mail messaging

You must select this option to activate the other options. Note
that when you select this option, a check is performed to see that
the required information is available for SMTP server, Mail
recipients, Reply to, and Port.

    When a virus is detected

    By default, all members defined in the Mail recipients field are

    informed that a virus was found.

When a virus is detected, but could not be cleaned

All members defined in the Mail recipients field are informed
that a detected virus could not be cleaned.

    General information and alerts

Sends e-mails on incidents other than virus detections, such as
load and unload of FireBreak, update of virus definition files and
update of scanner engine.

    SMTP server

    The host name or IP address of the SMTP server you want

    FireBreak to send messages through.


    Mail recipients

All names on this list receive e-mails. Click Add to enter a new
recipient. Highlight an existing name and click Edit to change
the entry. Highlight one or more recipients and click Remove to
delete them from the list. You can also double-click on an
existing entry to edit it, and on an empty area to add a new
recipient.

    Reply to

    The e-mail address of the system administrator, for example.

    Port

    Enter the port number to be used. The default is 25.

    Mail message body

You can enter a permanent Subject for the e-mails, as well as a
Common appended text. Edit these fields as you like.

In addition to the permanent subject you enter, the system
appends the common name of the server sending the e-mail to
the subject line. The e-mails are labelled with tags to simplify
the rating and sorting based on the mail's importance. The
subject is made up like this: first the text entered in the Subject
field, then "Event:" followed by the event in question, and
finally the name of the server that originated the mail. For
example:

Norman message - Event: Server scan - On: FS1

The different events are:

Start               Start of FireBreak.
Stop                Stop/unload of FireBreak.
NSE updated         New search engine or definition files.
Virus alert         Virus detected by the real-time scanner.
General             General messages, including updated
                    modules which are downloaded/unpacked.
                    May require Admin intervention.
Multi-part message  A number of e-mails, possibly of different
                    types, were queued up to be sent. These
                    were merged into one long message.


Messages that cannot be sent can be kept in a queue for up to
eight hours. When an error during send occurs, an error message
is logged to FBERROR.LOG, sent to the console screen or
communicated as an SNMP trap, depending on your
configuration.
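The fixed subject layout is what lets a mail filter rank FireBreak's messages before anyone reads them. The following Python is an added example, not code from the Norman product: it splits the subject into its three parts and orders a sample inbox by urgency. The event names come from the table above; the regular expression, the priority ranking and the sample subjects are this example's own assumptions.

```python
"""Triage FireBreak alert e-mails by their subject line.

Added example, not code from the Norman product.  The guide says each
subject is built as "<Subject field> - Event: <event> - On: <server>",
for example "Norman message - Event: Server scan - On: FS1", and that
the tags exist so mail can be rated and sorted.  The parser and the
priority ranking are this example's own; the sample subjects are
constructed.
"""
import re

# The server name is the last field, so anchor on it and let the
# admin-chosen Subject text keep any " - " it happens to contain.
SUBJECT_RE = re.compile(
    r"^(?P<subject>.*) - Event: (?P<event>.+?) - On: (?P<server>\S+)$")

# Lower number = look at it first.  Event names are the guide's; the
# ranking is this example's.  "Stop" ranks high because the guide notes
# FireBreak can be unloaded from the console unless password-protected,
# so an unexpected unload of the scanner is worth investigating.
PRIORITY = {
    "Virus alert": 1,
    "Multi-part message": 1,   # may bundle several queued virus alerts
    "Stop": 2,                 # scanner unloaded: expected only in maintenance
    "General": 3,              # may require admin intervention
    "Start": 4,
    "NSE updated": 5,
}
UNKNOWN_PRIORITY = 3  # an event we have not ranked still deserves a look


def parse_subject(subject: str):
    """Return {'subject', 'event', 'server'} or None if not a FireBreak mail."""
    match = SUBJECT_RE.match(subject.strip())
    return match.groupdict() if match else None


def triage(subjects):
    """Keep only FireBreak mails, ordered most urgent first (stable on ties)."""
    parsed = []
    for subject in subjects:
        fields = parse_subject(subject)
        if fields:
            fields["priority"] = PRIORITY.get(fields["event"], UNKNOWN_PRIORITY)
            parsed.append(fields)
    return sorted(parsed, key=lambda f: f["priority"])


# Constructed sample inbox, not real mail.
SAMPLE_SUBJECTS = [
    "Norman message - Event: NSE updated - On: FS2",
    "Norman message - Event: Stop - On: FS1",
    "Weekly digest",
    "Norman message - Event: Virus alert - On: FS1",
    "Norman message - Event: Server scan - On: FS1",
    "Norman message - Event: Multi-part message - On: FS2",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_SUBJECTS):
        print(item["priority"], item["event"], "on", item["server"])
```

A Multi-part message is ranked with Virus alert on purpose: the guide says it merges several queued mails of possibly different types into one, so its body has to be opened to know whether a virus alert is inside.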

    Test alerts

The purpose of this function is to test that the protocols you
have set up work and that messages are transmitted as intended.

If you have established a message hierarchy (see The Inter-server
tab on page 44), messages are not issued.

When a test alert is generated, test data is used to simulate a virus
detected by the real-time scanner. The data is as follows:

Server name              : The server's real name.
NDS tree                 : The tree the server is in.
Time                     : The actual time when the alert was issued.
User                     : testuser.department.organization
Workstation IP address   : 10.10.10.10
Infected file            : SYS:/TESTDIRCTORY/TESTFILE.XXX
Detected virus           : ########
File scanned during      : create
Action taken on the file : None, it was left alone.

The test alert is issued using live configuration and sent via the
protocols you have enabled. Test alerts are not shown on
FireBreak's monitor screen.

NDS options


Minutes between DS polls when controlled from an object
outside the local replica

This option relates to changes made to the NDS FireBreak
configuration object. The change detection mechanism used
depends on whether the server FireBreak is running on has a
replica of the NDS partition that holds the configuration object.
If the object is available locally, changes are detected at once
using the event services in NDS. Note that "at once" may still be
after a period of time: the delay depends on how often NDS
synchronizes the replicas of the partition that holds the object
and whether the change was made to the local object or to one in
another replica.

If the object is stored in a partition that does not have a local
replica (i.e. it resides on another server), the system will poll for
changes regularly. The default interval is once every 4 hours
(240 minutes), and it is configurable. You can see which
mechanism is in use by checking FireBreak's monitor screen (see
Monitor screen on page 83).

Changes made to an alert group are detected the same way.

Information cannot be inherited from one object higher up in the
tree by one below it. Each object is a separate entity.


Use typeful name for FireBreak

Typeful name is the NDS object name that includes the name
type (OU, O, and so forth) of each object when identifying the
distinguished name of that object.


Poll NDS for changes every x minutes (Console menu only).

    If the server is in polled mode, use this option to check for NDS

    changes at regular intervals. The default number of minutes

    between each poll is 240, i.e. 4 hours.

Re-read FireBreak's configuration from the NDS

    (Console menu only).

    If the server is in polled mode, use this option to re-read the

    configuration from NDS after changes have been applied to the

    object. See the previous page for more explanatory information.

    Re-scan NDS for a configuration object

(Console menu only)

If the NDS FireBreak object had not been replicated, or was
otherwise unavailable, at the time of load, use this option to scan
the directory for a valid configuration object.


    Auto update options

    This feature allows you to fully automate the process of keeping

    FireBreak updated. All parts of FireBreak can be updated.


    Enable auto update of local server

This feature allows you to fully automate the process of keeping
all FireBreak elements updated. When this option is enabled
(default), FireBreak will check the Download directory
regularly for updated files. The files in this directory
(NVCxxxx7.ZIP) will be supplied by Norman Internet Update
(NIU) directly or replicated from a central server in your tree
running NIU. See Fetch updates from distribution server on
page 65 and Norman Internet Update on page 97.


New files are extracted to SYS:\FIREBRK or its subdirectories
and appropriate action is taken. This action depends on the
content of the file. If a new FIREBRK.NLM is extracted, the
system reloads itself. If new .DEF files are detected or a new
NSENW.NLM is found, NSENW.NLM is unloaded and reloaded
to activate the update. Because anything placed in the Download
directory is unpacked and, for NLMs, loaded on the server, write
access to that directory (and to the distribution folder it is
replicated from) should be limited to the update process and to
administrators.

Some files may not be consumable directly. These will be
extracted to their appropriate subdirectories and the
administrator is notified of the updates via entries in
FBEVENTS.LOG as well as via e-mail. One example of an
update that cannot be consumed directly is a new release of the
ConsoleOne snap-in. When the update is received, FireBreak
cannot predict where ConsoleOne is installed or if it is running
and the files are locked. The ZIP file is therefore extracted to the
appropriate subdirectory under SYS:\FIREBRK and you are
notified as described above. To update your ConsoleOne
installation(s), simply replace the existing files with the new
ones after ensuring that no one is running ConsoleOne from the
location(s) you wish to update.

Note: For e-mail messaging to work, the SMTP server and
mail recipients settings must be properly configured.
Also remember to enable the General information and
alerts option (see page 57).


Fetch updates from distribution server

Enabling this option allows FireBreak to check a server in the
network for updated files. The name of the server is taken from
the Distribution server field in the configuration. FireBreak logs
on to this server using the user name and optional password
specified in the fields Remote user's name and Remote user's
password (see below) and checks for new files. FireBreak checks
the directory on the distribution server that is specified in the
Distribution folder field on the Auto update options tab.

If new or changed files are detected, they are replicated to the
local server's SYS:\FIREBRK\DOWNLOAD directory. The
local update process will take care of them from there.

Note well: If this option is selected you must configure the server
running as distribution server properly:

You must make sure that the path specified in the
Distribution folder field exists.

You must make sure that the user specified in the
Remote user's name field is granted the appropriate
access rights to the distribution folder on the distribution
server. You can select an existing user or create a new
one. The minimum access rights that must be granted to
this user are Read and File Scan.


We strongly recommend that you run Norman Internet Update
(NIU) on the distribution server to ensure that you keep your
servers completely up to date with the latest released files. You
must make sure that NIU is configured to place the downloaded
files that FireBreak applies in the distribution folder. Please refer
to Norman Internet Update on page 97 for details.

The files handled by this feature are the same as for Auto update
of local server. Activity is logged in FBEVENTS.LOG.

    Auto update of local server must be enabled to activate this

    feature. By default this feature is not enabled.

Check more than once during interval

Select this option if you want FireBreak to look for updates
several times in the interval specified below. If you select this
option, FireBreak will check for updates approximately every
30-35 minutes.

    Remote fetch interval (local time)

    Select the time intervals during which you wish to activate the

    remote update feature. You can select several, or even all, time

slots. The checks for new files are performed regularly during
the selected time slots. By default it is set to be active from 21:00
to 23:00.

    Note: In large networks with a high number of servers, you

    should consider the start-up time carefully for the

    different servers to avoid choking the distribution server.

Remote user's name

Enter the login name of the user you want FireBreak to use in
order to log into the server operating as distribution hub to fetch
updated files, or click on the browse button and select a user
from the list. The user must be granted Read and File Scan
rights to SYS:\NORMAN\DISTRIB\DOWNLOAD on the
distribution server.

Remote user's password

Enter the password the remote user should use to log into the
server operating as distribution hub. For the default user no
password is established. Click on the Change password button
to assign a password or change an existing one.

    Distribution server

    Enter the server where NIU has been installed.

    Distribution folder

    Enter the folder where the servers fetch the updates.

For more information about distribution of updates, please
refer to Norman Internet Update on page 97.


    Loading and unloading


    Loading FireBreak

Generally, we recommend that FireBreak is loaded in your
server's AUTOEXEC.NCF file. This will ensure that FireBreak is
up and running as soon as the server has finished its boot and
load sequence.

The following command is used either in the AUTOEXEC.NCF
file or directly from the server's console screen:

LOAD SYS:FIREBRK/FIREBRK [Enter]

To ease loading from the console, we have included a file called
FB.NCF. This is copied to the SYS:SYSTEM directory during
installation, and it enables you to load FireBreak by simply
typing:

FB [Enter]

from the server's console. You can also use the FB command in
AUTOEXEC.NCF.

Note: It is recommended to put the FB command late in the
AUTOEXEC.NCF file to ensure that all the services
running on the server are properly loaded and initialized.


    On load, the system certifies that the operating environment is

    okay.

    Unloading FireBreak

    Unloading FireBreak can be done in two different ways:

1. Select Exit from the Main Menu (see Exit FireBreak on
page 82). The unload command will fail if the configuration
is protected by a password, or if a server scan is in progress.
Refer to page 26 for more details on the password function.

2. From the console screen, enter:

UNLOAD FIREBRK

Because the system can be unloaded with the UNLOAD command
from the server's console, use the password option to prevent the
system from being unloaded by unauthorized personnel.


    Command line switches

    Command line switches are primarily used to override the

    default startup configuration. If you are not familiar with the

    command line switches, do not use these.


    Specifying a configuration object on the command line

To specify a given NDS object, enter the object's full
distinguished name on the command line, including the leading
dot ".":

    load sys:/firebrk/firebrk

    .fbconfig.a