VirusScan Enterprise for Linux 1.9 Standalone ... -...
Standalone Configuration Guide
McAfee VirusScan Enterprise for Linux 1.9.0
2 McAfee VirusScan Enterprise for Linux 1.9.0 Standalone Configuration Guide
COPYRIGHT
Copyright © 2013 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee AppPrism, McAfee Artemis, McAfee CleanBoot, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Enterprise Mobility Management, Foundscore, Foundstone, McAfee NetPrism, McAfee Policy Enforcer, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, SmartFilter, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure, WormTraq are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.
LICENSE INFORMATION License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS
AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER
RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE
PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
Preface
    About this guide
    Audience
    Conventions
    Find product documentation
1 General settings
    Browser interface
    Logging
2 Notification settings
    Item detected
    Out-of-date
    Configuration change
    System events
    SMTP settings
    Substituting variables in notification templates
3 On-Access scanner settings
    Anti-virus scanning options
    Extension-based scanning
    Handling exclusions
    Anti-virus actions
4 On-Demand scanner settings
    Anti-virus scanning options
    Extension-based scanning
    Handling exclusions
    Anti-virus actions
Preface
This guide provides simple and fast access to the configuration settings, such as on-access scanning, on-demand scanning, general settings, notifications, and exclusion settings.
Use this guide as an alternative method for configuring the VirusScan Enterprise for Linux software. You can use it when no browser is available or you prefer to use a Linux command line interface to access the VirusScan Enterprise for Linux software and perform configuration tasks.
To view a list of commands that you can execute from the command line:
1 From the Linux server, open the terminal window.
2 Go to the directory /opt/NAI/LinuxShield/bin.
3 Specify the command: nails --help
4 Press Enter.
For more information on … | See …
How to install, upgrade, or manage the product on a standalone Linux server | McAfee VirusScan Enterprise for Linux 1.9.0 Software – Installation Guide
How to deploy, upgrade, or manage the product using McAfee ePolicy Orchestrator | McAfee VirusScan Enterprise for Linux 1.9.0 Software – Configuration Guide
How to configure, use, and maintain the product | McAfee VirusScan Enterprise for Linux 1.9.0 Software – Product Guide
About this guide
This information describes the guide's target audience, the typographical conventions and icons used in this guide, and how the guide is organized.

Audience
McAfee documentation is carefully researched and written for the target audience.
The information in this guide is intended primarily for:
Administrators — People who implement and enforce the company's security program.
Users — People who are responsible for configuring the product options on their systems, or for updating their systems.

Conventions
This guide uses the following typographical conventions and icons.
Book title or Emphasis: Title of a book, chapter, or topic; introduction of a new term; emphasis.
Bold: Text that is strongly emphasized.
User input, Path, or Code: Commands and other text that the user types; the path of a folder or program; a code sample.
Hypertext: A live link to a topic or to a website.
Note: Additional information, like an alternate method of accessing an option.
Tip: Suggestions and recommendations.
Important/Caution: Valuable advice to protect your computer system, software installation, network, business, or data.
Warning/Danger: Critical advice to prevent bodily harm when using a hardware product.

Find product documentation
McAfee provides the information you need during each phase of product implementation, from installation to daily use and troubleshooting. After a product is released, information about the product is entered into the McAfee online KnowledgeBase.
1 Go to the McAfee Technical Support ServicePortal at http://mysupport.mcafee.com.
2 Under Self Service, access the type of information you need:
To access… | Do this…
User documentation | 1 Click Product Documentation. 2 Select a Product, then select a Version. 3 Select a product document.
KnowledgeBase | Click Search the KnowledgeBase for answers to your product questions. Click Browse the KnowledgeBase for articles listed by product and version.
1 General settings
Configure the browser interface options and logging behavior from the command prompt.
Note: The default path for <RUNTIMEDIR> is /var/opt/NAI/LinuxShield
Contents
Browser interface
Logging

Browser interface
Configure browser interface settings such as the refresh interval, UTC offset, quick help and results per page.
Configuration file: monitor.cfg
Default location: <RUNTIMEDIR>/etc
Browser interface options

Option: Refresh interval (seconds)
Definition: The browser automatically updates the contents of pages such as the Scanning Summary page. By default, the page refreshes every 10 seconds, but you can adjust the interval between 5 and 600 seconds.
Parameter: browser.refreshInterval:10

Option: Results per page
Definition: Number of rows of information shown in certain pages under Results, namely in the Detected Items, Scheduled Tasks, and System Events pages. By default, 10 rows are displayed at a time, but you can adjust the number between 1 and 50 rows.
Parameter: browser.resultsPerPage:10

Option: Display time UTC offset
Definition: Wherever time values are displayed, as in scheduled tasks and detections, an offset value is displayed in UTC form to help you understand any time-zone differences.
    Use attributes:
    true – To display time in UTC form
    false – To hide the UTC offset value
Parameter: browser.displayUtcOffset:true

Option: Hide quick help on startup
Definition: To disable the Quick Help pane when logging on to the browser interface.
    Use attributes:
    true – To show quick help
    false – To hide quick help
Parameter: browser.showQuickHelp:true

Logging
Configure logging settings such as the level of detail that you require.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
Logging options

Option: Detail level
Definition: Level of logging information that VirusScan Enterprise for Linux records in its database. A high level can affect performance and the database. By default, the level is Normal. You can use attributes low, normal or high.
Parameter: log.detailLevel:normal

Option: Additionally log to SYSLOG
Definition: Indicates if information logged to the VirusScan Enterprise for Linux database is also logged to SYSLOG. By default, this is not required.
Parameter: log.useSyslog:false

Option: Detail level for SYSLOG
Definition: (This field is only available if Additionally log to SYSLOG is selected.) Level of detail of the information to be logged to SYSLOG. It is disabled unless logging to SYSLOG is checked. By default, the level is Low. You can use attributes low, normal or high.
Parameter: log.syslogDetailLevel:low

Option: Limit age of log entries
Definition: Indicates if information in the log will be automatically removed later, based on the age of the log entries.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: log.limitLogAge:true

Option: Maximum age of log entries
Definition: (This field is only available if Limit age of log entries is selected.) Limits the age of entries in the VirusScan Enterprise for Linux database to the specified number of days. After the specified number of days, old entries are automatically removed. This helps to limit the size of the database. Maximum age of log entries (days) - By default, the limit is 28 days, but you can adjust the limit between 1 and 999 days.
Parameter: log.maxLogAge:28
2 Notification settings
Specify who will receive email notification of events such as virus detection and changes to the
scanning options. VirusScan Enterprise for Linux sends the email messages using the SMTP email
protocol.
Note: The default path for <RUNTIMEDIR> is /var/opt/NAI/LinuxShield
Contents
Item detected
Out-of-date
Configuration change
System events
SMTP settings
Substituting variables in notification templates

Item detected
Configure notification settings for detections such as a virus or other potentially unwanted software.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
Detected items notification options

Option: Item detected
Definition: Configure notifications based on the detection of a virus or other potentially unwanted software.
    Use attributes:
    true – To enable notifications in case of detection.
    false – To disable notifications in case of detection.
Parameter: notifications.virusDetected.active:true

Use these parameters if you want to configure alerts or notifications for a specific detection:

Option: Viruses
Definition: Use attributes:
    true – To enable alerts for a detection type.
    false – To disable alerts for a detection type.
Parameter: notifications.virusDetected.virusesAlert:true

Option: Trojans
Parameter: notifications.virusDetected.trojansAlert:true

Option: Test Viruses
Parameter: notifications.virusDetected.testVirusesAlert:true

Option: Programs
Parameter: notifications.virusDetected.programsAlert:true

Option: Jokes
Parameter: notifications.virusDetected.jokesAlert:true

Option: Include alerts for on-demand tasks
Parameter: notifications.virusDetected.includeOdsTasks:true

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.virusDetected.subject:Detection Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email, in case of detection.
Parameter: defaultNotifications.virusDetected.message: The file %path% is infected with the %detectedas% %detectedtype%.\nThe result is %result%.\n\nDetected on %hostname% by %detectedby% at %detectedutc% using Scan engine version %engineversion% DAT version %datversion%. Extra DAT in use - %extradatflag%.

Note: The values enclosed in "%" symbols are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

Out-of-date
Configure notification settings based on the age of the DAT files.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
DAT notification options

Option: Out of date
Definition: Configure notifications for out-of-date DAT files. You can use this to send a notification if the DAT file is older than the specified date.
    Use attributes:
    true – To enable notifications in case of an older DAT.
    false – To disable notifications in case of an older DAT.
Parameter: defaultNotifications.outOfDate.active:true

Option: Alert for older DATs
Definition: Specify a value based on the age of the DATs after which notifications are sent. By default, notifications are sent if the DAT age is more than 10.
Parameter: defaultNotifications.outOfDate.datFilesAge:10

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.outOfDate.subject: Out of Date Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email.
Parameter: defaultNotifications.outOfDate.message: The DAT files %datversion% is %datage% days old. Please update software to ensure that your system is protected.

Note: The values enclosed in "%" symbols are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

Configuration change
Configure notification settings based on any changes to scanner settings such as on-access, notifications and general. Note that you cannot configure notifications for on-demand settings.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
Configuration change notification options

Option: Configuration change
Definition: Configure notifications for any changes to the on-access, general or notification settings.
    Use attributes:
    true – To enable notifications in case of a configuration change.
    false – To disable notifications for configuration changes.
Parameter: defaultNotifications.configurationChange.active:true

Option: Subject
Definition: Specify the subject line you want in the notification email.
Parameter: defaultNotifications.configurationChange.subject:Configuration Alert from McAfee VirusScan Enterprise for Linux on %hostname%

Option: Message
Definition: Specify a custom message that you want to appear in the notification email, when there is a change in configuration settings.
Parameter: defaultNotifications.configurationChange.message:%configchange% on %hostname%.

Note: The values enclosed in "%" symbols are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

System events
Configure notification settings for any important system event such as error or information.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
System events notification options

Option: System events
Definition: Configure notifications based on the system events generated.
    Use attributes:
    true – To enable notifications when a system event is triggered.
    false – To disable notifications when a system event is triggered.
Parameter: defaultNotifications.critical.active:true

Use these parameters if you want to configure alerts or notifications for specific system events:

Option: Error Code
Definition: Use attributes:
    true – To enable the alerts based on error types.
    false – To disable alerts based on error types.
Parameter: defaultNotifications.critical.codeAlert:true

Option: Enable alerts
Parameter: defaultNotifications.critical.typeAlert:true

Option: Error Code range
Definition: Specify the range, based on which a notification is sent.
Parameter: defaultNotifications.critical.code:3000-3999

Option: Error types
Definition: Configure notification based on the error type such as "error" or "information".
Parameter: defaultNotifications.critical.type:error

Note: The values enclosed in "%" symbols are substitution variables. For more information on the available variables, see the Substituting variables in notification templates section.

SMTP settings
Configure notification settings for any change in the SMTP settings.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
SMTP notification options

Option: Server name
Definition: Specify the IP address of the system that you want to use as an SMTP server from which notifications are sent.
Parameter: defaultNotifications.smtp.host:192.168.200.10

Option: Port
Definition: Specify the SMTP port number that you want to use to send the notifications. The default port number is 25.
Parameter: defaultNotifications.smtp.port:25

Option: Sender
Definition: Specify an email address which will appear in the "From" field as a default sender in email notifications.
Parameter: defaultNotifications.smtp.sender:McAfeeVSEforLinux@hostname.com

Option: Recipient
Definition: Specify the email address of the recipient to deliver the notification. To deliver notifications to multiple users, separate email addresses with a comma.
Parameter: defaultNotifications.smtp.recipients:[email protected]
Parameter: notifications.smtp.recipients:[email protected],[email protected]

Substituting variables in notification templates
VirusScan Enterprise for Linux substitutes these variables in notification messages when sending a message to the user.
For example, the template message "File, %filename% is infected on %hostname%" becomes "File, example.exe is infected on computer1" in the notification email, when it reaches the end-user.
Substitution variables

Variable | Valid for | Equivalent field in the user interface | Description
%hostname% | All alerts | <none> | Name of the host on which VirusScan Enterprise for Linux is installed
%hostip% | All alerts | <none> | IP address of host on which VirusScan Enterprise for Linux is installed
%productversion% | All alerts | Host Summary page – Product Version | Version of the product
%detectedas% | Item detected | Detected Items page - Detected As | Name of the virus
%detectedby% | Item detected | Detected Items page - Task | "On-Access" if detected by the on-access scanner or name of the "On-Demand" scan task that detected the infection
%detectedtime% | Item detected | Detected Items page - Time | Date and time of the local host for the detected item
%detectedtype% | Item detected | Detected Items page — Detected Type | Type of the virus
%detectedutc% | Item detected | Detected Items page — Time | Date and time on the local host, with UTC offset shown in brackets. For example: June 26 2013 12:30:12 (+5:30 UTC)
%engineversion% | Item detected | Host Summary page — Engine Version | Version number of the scanning engine
%extradatcount% | Item detected | Host Summary page — Extra DAT | Number of signatures in the extra.dat file
%extradatflag% | Item detected | Host Summary page — Extra DAT | Yes or No to indicate if an extra.dat file is present
%filename% | Item detected | Detected Items page — File Name | Name of the file which was scanned (excluding path)
%path% | Item detected | Detected Items page — Path | Name of the file which was scanned (including path)
%process% | Item detected | Detected Items page — Process | Name of process resulting in the scan
%result% | Item detected | Detected Items page — Result | Result of any action taken for the detected infection
%user% | Item detected | Detected Items page — Result | Name of user who caused the scan
%datage% | Out of date item detected | <none> | Age of the DAT files in days, based on the VirusScan Enterprise for Linux host system's date and time
%datdate% | Out of date item detected | Host Summary page — DAT Date | Date when the current DAT files were created
%datversion% | Out of date item detected | Host Summary page — DAT Version | Version of the DAT files
%configchange% | Configuration Change | <none> | Configuration change made — modified, on-access detection enabled, or on-access detection disabled
%eventcode% | System events | System Events page — Code | Error code for the event
%eventdescription% | System events | System Events page — Description | Error description for the event
%eventtime% | System events | System Events page — Time | Date and time on the local host for event
%eventtype% | System events | System Events page — Type | Error type for the event
%eventutc% | System events | System Events page — Time | Date and time for the event on the local host, with UTC offset shown in brackets. For example: June 26 2013 12:30:12 (-5:00 UTC)
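
An added example, not part of the McAfee guide or product: a Python check that a notification template uses only the variables the table above lists for its alert type, plus a renderer that mimics the substitution. The alert-type keys, the function names and the replacement of control characters are assumptions of this example; the guide does not say how the product treats unlisted variables or unusual characters in substituted values.

```python
import re

# "Valid for" column of the substitution-variable table, as printed in this guide.
ALL_ALERTS = {"hostname", "hostip", "productversion"}
VALID_FOR = {
    "item_detected": {
        "detectedas", "detectedby", "detectedtime", "detectedtype", "detectedutc",
        "engineversion", "extradatcount", "extradatflag", "filename", "path",
        "process", "result", "user",
    },
    "out_of_date": {"datage", "datdate", "datversion"},
    "configuration_change": {"configchange"},
    "system_events": {"eventcode", "eventdescription", "eventtime",
                      "eventtype", "eventutc"},
}
VAR = re.compile(r"%([a-z]+)%")
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# Default message templates copied from the parameter tables of this guide.
ITEM_DETECTED_MESSAGE = (
    r"The file %path% is infected with the %detectedas% %detectedtype%."
    r"\nThe result is %result%.\n\nDetected on %hostname% by %detectedby% "
    r"at %detectedutc% using Scan engine version %engineversion% DAT version "
    r"%datversion%. Extra DAT in use - %extradatflag%."
)
OUT_OF_DATE_MESSAGE = (
    "The DAT files %datversion% is %datage% days old. Please update "
    "software to ensure that your system is protected."
)


def unlisted_variables(template, alert_type):
    """Variables used in the template that the table does not list for alert_type.

    Also catches misspelled names, since those are not in the table either.
    """
    allowed = ALL_ALERTS | VALID_FOR[alert_type]
    unlisted = []
    for name in VAR.findall(template):
        if name not in allowed and name not in unlisted:
            unlisted.append(name)
    return unlisted


def render(template, values):
    """Replace %name% tokens with values; tokens without a value stay as they are.

    Control characters (CR, LF and so on) in a value become '?', so a crafted
    file name or path cannot add extra lines to a subject or message. This
    neutralisation is a choice of the example, not documented product behaviour.
    """
    def substitute(match):
        name = match.group(1)
        if name not in values:
            return match.group(0)
        return CONTROL.sub("?", str(values[name]))
    return VAR.sub(substitute, template)


if __name__ == "__main__":
    print(unlisted_variables(ITEM_DETECTED_MESSAGE, "item_detected"))
    print(render("File, %filename% is infected on %hostname%",
                 {"filename": "example.exe", "hostname": "computer1"}))
```

Run against the guide's own default Item detected message, the check reports %datversion%, which the table lists only for out-of-date alerts.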
3 On-Access scanner settings
Specify On-Access settings on how VirusScan Enterprise for Linux will respond when it detects a virus or
other potentially unwanted software, whenever the files are accessed.
Note: The default path for <RUNTIMEDIR> is /var/opt/NAI/LinuxShield
Contents
Anti-virus scanning options
Extension-based scanning
Handling exclusions
Anti-virus actions

Anti-virus scanning options
Configure on-access scanning options to determine which file types VirusScan Enterprise for Linux will scan. By default, all scanning options are available, unless stated.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
On-Access Scanning options

Option: Enable On-Access Scanning
Definition: Use attributes:
    true – To enable on-access scanning.
    false – To disable on-access scanning.
Parameter: nailsd.oasEnabled:true

Option: Decompress archives
Definition: Configure to scan inside file archives such as .tar or .tgz files. The decompression can reduce performance; any virus-infected file inside an archive cannot become active unless extracted.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.decompArchive:true

Option: Find unknown program viruses
Definition: Configure to use heuristic analysis to identify potential new file viruses.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.heuristicAnalysis:true

Option: Find unknown macro viruses
Definition: Configure to use heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.macroAnalysis:true

Option: Decode MIME encoded files
Definition: Email messages are typically encoded in MIME format.
    Use attributes:
    true – To enable this option. Enabling this option can affect performance.
    false – If your network has other anti-virus software for handling emails, specify this attribute to disable this option
Parameter: nailsd.profile.OAS.mime:false

Option: Find potentially unwanted programs
Definition: These programs might be dangerous but they are not viruses. They include programs such as spyware, remote-access utilities, and password crackers.
    Use attributes:
    true – To enable this option and detect potentially unwanted programs
    false – To disable this option
Parameter: nailsd.profile.OAS.program:true

Option: Find joke programs
Definition: Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have enabled Find potentially unwanted programs.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.noJokes:true

Option: Scan files when writing to disk
Definition: Scan the contents of each file when it is closed.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.scanOnWrite:true

Option: Scan files when reading from disk
Definition: Scan the contents of each file when it is opened.
    Use attributes:
    true – To enable this option
    false – To disable this option
Parameter: nailsd.profile.OAS.scanOnRead: true

Option: Scan files on network mounted volumes
Definition: Scan the network mounted files on /mnt or any mounted folder.
    Use attributes:
    true – To enable this option
    false – To disable this option
    Disabling this option will not scan the network mounted volume, even if it contains infected files.
Parameter: nailsd.profile.OAS.scanNWFiles:true

Option: Maximum scan time (seconds)
Definition: Specify the number of seconds after which scanning will stop. This feature prevents scanning of large files that reduce overall performance, and protects against corrupted files and denial-of-service attacks. The default value is 45 seconds, but you can specify between 10 and 300.
Parameter: nailsd.profile.OAS.scanMaxTmo:45

Extension-based scanning
VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus definition files include a comprehensive list of file name extensions that are susceptible to attack. The list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The extension name is not case-sensitive.
If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft Windows users, it might be useful to specify the types of files to scan according to their file name extension. However, we recommend that all files are scanned where possible.
You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those in the default list. You cannot remove any extension names from the default list, although you can build your own list of extension names based on those in the current default list.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
Extension Based Scanning options

Option: Scan all files
Definition: Specify the parameter to scan all files regardless of file name extension.
Parameter: nailsd.profile.OAS.filter.extensions.mode:all

Option: Default + specified
Definition: Use these parameters to scan default and specified files. Specify the file types in the first parameter and execute the next parameter to add the file types to the list.
Parameter: nailsd.profile.OAS.filter.extensions.list:bin|dat|data|exe
Parameter: nailsd.profile.OAS.filter.extensions.mode:add

Option: Specified
Definition: Use this option to scan specific files. When there is a new file type, which is not included in the virus definition files, the new file type will not be scanned. In order to resolve this issue, VirusScan Enterprise for Linux allows you to specify these new file types and scan based on the extension. For example, to scan specific file types such as 00?, 386, 3GR, ??_, ACE, ACM, and ADE, use these parameters.
Parameter: nailsd.profile.OAS.filter.extensions.list:00?|386|3GR|??_|ACE|ACM|ADE|ADP
Parameter: nailsd.profile.OAS.filter.extensions.mode:replace

Handling exclusions
VirusScan Enterprise for Linux supports excluding specific paths or files (in either path or regular expression format) from being scanned.
Some shares or paths might not require scanning, or you might prefer not to scan them frequently, such as:
Only plain text files or other file types which are not prone to infection
Executable files that have file permissions that prevent them being modified
Large archive files and compressed files
Files already known to be infected (quarantined)
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
Exclusion options

Option: Exclude Folder path
Definition: Specify the folder path to exclude.
Parameter: nailsd.profile.OAS.filter.<number>.path:/var/log

Option: Exclude Sub-directory
Definition: Specify true or false on whether to exclude files in the sub-directory.
Parameter: nailsd.profile.OAS.filter.<number>.subdir:true

Option: Exclusion type
Definition: Specify the exclusion type as: exclude-path
Parameter: nailsd.profile.OAS.filter.<number>.type: exclude-path

Note: The <number> attribute denotes the priority in which VirusScan Enterprise for Linux considers the exclusion.
Here is an example of how you could add exclusion entries in the nailsd.cfg file:
Specifying on-access exclusion options - Example
nailsd.profile.OAS.filter.0.path:/var/log
nailsd.profile.OAS.filter.0.subdir:true
nailsd.profile.OAS.filter.0.type:exclude-path
nailsd.profile.OAS.filter.1.path:.*.jar
nailsd.profile.OAS.filter.1.subdir:false
nailsd.profile.OAS.filter.1.type:exclude-path
nailsd.profile.OAS.filter.2.path:/root
nailsd.profile.OAS.filter.2.subdir:true
nailsd.profile.OAS.filter.2.type:exclude-path
nailsd.profile.OAS.filter.3.path:/tmp
nailsd.profile.OAS.filter.3.subdir:true
nailsd.profile.OAS.filter.3.type:exclude-path
nailsd.profile.OAS.filter.4.path:.*.mdb
nailsd.profile.OAS.filter.4.subdir:false
nailsd.profile.OAS.filter.4.type:exclude-path
nailsd.profile.OAS.filter.5.path:.*.dbm
nailsd.profile.OAS.filter.5.subdir:false
nailsd.profile.OAS.filter.5.type:exclude-path
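
An added example, not part of the McAfee guide or product: a Python review of on-access exclusion entries that groups the `filter.<number>` lines and reports entries that exclude more than their author probably intended. It assumes that a path not starting with "/" is a regular expression matched against the whole path (the guide does not say how the product anchors patterns), and the list of world-writable directories and all function names are choices of this example.

```python
import re
from collections import defaultdict

FILTER_KEY = re.compile(r"^nailsd\.profile\.OAS\.filter\.(\d+)\.(path|subdir|type)$")
WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")  # assumption of this example
LOOSE_EXT = re.compile(r"(?<!\\)\.(\w+)$")  # trailing ".ext" whose dot is unescaped

# The exclusion example printed in this guide.
GUIDE_EXAMPLE = """\
nailsd.profile.OAS.filter.0.path:/var/log
nailsd.profile.OAS.filter.0.subdir:true
nailsd.profile.OAS.filter.0.type:exclude-path
nailsd.profile.OAS.filter.1.path:.*.jar
nailsd.profile.OAS.filter.1.subdir:false
nailsd.profile.OAS.filter.1.type:exclude-path
nailsd.profile.OAS.filter.2.path:/root
nailsd.profile.OAS.filter.2.subdir:true
nailsd.profile.OAS.filter.2.type:exclude-path
nailsd.profile.OAS.filter.3.path:/tmp
nailsd.profile.OAS.filter.3.subdir:true
nailsd.profile.OAS.filter.3.type:exclude-path
nailsd.profile.OAS.filter.4.path:.*.mdb
nailsd.profile.OAS.filter.4.subdir:false
nailsd.profile.OAS.filter.4.type:exclude-path
nailsd.profile.OAS.filter.5.path:.*.dbm
nailsd.profile.OAS.filter.5.subdir:false
nailsd.profile.OAS.filter.5.type:exclude-path
"""


def parse_filters(cfg_text):
    """Group filter.<number>.{path,subdir,type} lines by their number."""
    filters = defaultdict(dict)
    for line in cfg_text.splitlines():
        key, sep, value = line.strip().partition(":")
        match = FILTER_KEY.match(key.strip())
        if sep and match:
            filters[int(match.group(1))][match.group(2)] = value.strip()
    return dict(filters)


def audit_exclusions(cfg_text):
    """Return (number, finding) tuples for exclusion entries worth a second look."""
    findings = []
    for num, entry in sorted(parse_filters(cfg_text).items()):
        missing = [f for f in ("path", "subdir", "type") if f not in entry]
        if missing:
            findings.append((num, "incomplete entry, missing: " + ", ".join(missing)))
            continue
        path = entry["path"]
        if entry["type"] != "exclude-path":
            findings.append((num, "type %r is not the documented exclude-path" % entry["type"]))
        if path.startswith("/"):
            norm = path.rstrip("/") or "/"
            if norm in WORLD_WRITABLE:
                findings.append(
                    (num, "world-writable directory %s is excluded from on-access scanning" % norm))
            continue
        # Regular-expression entry: an unescaped dot matches any character,
        # so ".*.jar" also excludes names that merely end in "jar".
        loose = LOOSE_EXT.search(path)
        if loose:
            probe = "/srv/fileX" + loose.group(1)  # constructed name without a real extension
            try:
                if re.fullmatch(path, probe):
                    findings.append(
                        (num, "pattern %r also matches %r; escape the dot" % (path, probe)))
            except re.error:
                findings.append((num, "pattern %r does not compile" % path))
    return findings


if __name__ == "__main__":
    for number, finding in audit_exclusions(GUIDE_EXAMPLE):
        print("filter.%d: %s" % (number, finding))
```

On the guide's own example this reports entries 1, 4 and 5 (unescaped dot) and entry 3 (/tmp, which any local user can write to); if the product searches rather than matches the whole path, the unescaped patterns exclude even more.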
On-Access scanner settings
Anti-virus actions
24 McAfee VirusScan Enterprise for Linux 1.9.0 Standalone Configuration Guide
Anti-virus actions Configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other
potentially unwanted software.
The actions are:
clean – Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.
continue – Reports the detection and continues scanning. This action is only available for on-demand scanning.
delete – Deletes the infected file.
deny access – Prevents further access to the infected file. This action is only available for on-access scanning.
quarantine – Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.
rename – Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.
If an action fails to work, VirusScan Enterprise for Linux uses the secondary action, if any. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-access scanning, VirusScan Enterprise for Linux blocks access to the infected file.
Configuration file: nailsd.cfg
Default location: <RUNTIMEDIR>/etc
On-access Anti-virus action options
Option Definition Parameter
Action for viruses and Trojan horses
Specify actions to take when a virus or Trojan-horse program is detected.
Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.
nailsd.profile.OAS.action.App.primary:clean
nailsd.profile.OAS.action.App.secondary:quarantine
Action for applications and joke programs
Specify actions to take when a potentially unwanted application or joke program is detected.
Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.
nailsd.profile.OAS.action.Default.primary:clean
nailsd.profile.OAS.action.Default.secondary:quarantine
Action on time out
Specify an action to take when the scanning takes too long to complete.
The scanner takes an action if it fails to scan the file within the seconds mentioned under "Maximum scan time".
Use attributes:
block – To deny access to the suspected file
pass – To allow the suspected file
nailsd.profile.OAS.action.timeout:pass
Action if an error occurs during scanning
Specify an action to take if a fault occurs, such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action.
Use attributes:
block – To deny access to the suspected file
pass – To allow the suspected file
nailsd.profile.OAS.action.error:block
Quarantine directory
Specify the quarantine folder location to store quarantined items. By default, the quarantine directory is /quarantine.
Make sure that the directory is on the local system and does not include symbolic links.
nailsd.profile.OAS.quarantineDirectory:/quarantine
4 On-Demand scanner settings
Specify on-demand settings that determine how VirusScan Enterprise for Linux responds when it detects a virus or other potentially unwanted software during an on-demand scan.
Note: The default path for <RUNTIMEDIR> is /var/opt/NAI/LinuxShield
Contents
Anti-virus scanning options
Extension-based scanning
Handling exclusions
Anti-virus actions
Anti-virus scanning options
Configure on-demand scanning options to determine which file types VirusScan Enterprise for Linux will scan. By default, all scanning options are available, unless stated.
Configuration file: ods.cfg
Default location: <RUNTIMEDIR>/etc
On-Demand Scanning options
Option Definition Parameter
Decompress archives
Configure to scan inside file archives such as .tar or .tgz files. The decompression can reduce performance; any virus-infected file inside an archive cannot become active unless extracted.
Use attributes:
true – To enable this option
false – To disable this option
nailsd.profile.ODS.decompArchive:true
Find unknown program viruses
Configure to use heuristic analysis to identify potential new file viruses.
Use attributes:
true – To enable this option
false – To disable this option
nailsd.profile.ODS.heuristicAnalysis:true
Find unknown macro viruses
Configure to use heuristic analysis to identify any potential new macro viruses in files created by Microsoft Office products.
Use attributes:
true – To enable this option
false – To disable this option
nailsd.profile.ODS.macroAnalysis:true
Decode MIME encoded files
Email messages are typically encoded in MIME format.
Use attributes:
true – To enable this option. Enabling this option can affect performance.
false – If your network has other anti-virus software for handling emails, specify this attribute to disable this option
nailsd.profile.ODS.mime:false
Find potentially unwanted programs
These programs might be dangerous but they are not viruses. They include programs such as spyware, remote-access utilities, and password crackers.
Use attributes:
true – To enable this option and detect potentially unwanted programs
false – To disable this option
nailsd.profile.ODS.program:true
Find joke programs
Joke programs are not harmful. They play tricks such as displaying a hoax message. This feature only becomes available if you have enabled Find potentially unwanted programs.
Use attributes:
true – To enable this option
false – To disable this option
nailsd.profile.ODS.noJokes:true
Maximum scan time (seconds)
Specify the number of seconds after which scanning will stop.
This feature prevents scanning of large files that reduce overall performance, and protects against corrupted files and denial-of-service attacks.
The default value is 300 seconds, but you can specify between 10 and 9999.
nailsd.profile.ODS.scanMaxTmo:300
Extension-based scanning
VirusScan Enterprise for Linux normally scans all files regardless of the file name extension. The virus
definition files include a comprehensive list of file name extensions that are susceptible to attack. The
list includes popular extensions such as .doc and .exe, and it is referred to here as the default list. The
extension name is not case‑sensitive.
If VirusScan Enterprise for Linux is running on a Samba file server that is accessed by Microsoft
Windows users, it might be useful to specify the types of files to scan according to their file name
extension. However, we recommend that all files are scanned where possible.
You can specify extension names that you want VirusScan Enterprise for Linux to scan, or you can
specify extension names for VirusScan Enterprise for Linux to scan at the same time as it scans those
in the default list. You cannot remove any extension names from the default list, although you can
build your own list of extension names based on those in the current default list.
Configuration file: ods.cfg
Default location: <RUNTIMEDIR>/etc
Extension Based Scanning options
Option Definition Parameter
Scan all files
Specify the parameter to scan all files regardless of file name extension.
nailsd.profile.ODS.filter.extensions.mode:all
Default + specified
Use these parameters to scan default and specified files.
Specify the file types in the first parameter and use the next parameter to add the file types to the list.
nailsd.profile.ODS.filter.extensions.list:bin|exe|tar|zip
nailsd.profile.ODS.filter.extensions.mode:add
Specified
Use this option to scan specific files. When there is a new file type, which is not included in the virus definition files, the new file type will not be scanned. In order to resolve this issue, VirusScan Enterprise for Linux allows you to specify these new file types and scan based on the extension.
For example, to scan specific file types such as 00?, 386, 3GR, ??_, ACE, ACM, and ADE, use these parameters.
nailsd.profile.ODS.filter.extensions.list:00?|386|3GR|??_|ACE|ACM|ADE|ADP
nailsd.profile.ODS.filter.extensions.mode:replace
Handling exclusions
VirusScan Enterprise for Linux supports excluding specific paths/files (either path or regular expression format) from being scanned.
Some shares/paths might not require scanning or you might prefer not to scan them frequently, such
as:
Only plain text files or other file types which are not prone to infection
Executable files that have file permissions that prevent them being modified
Large archive files and compressed files
Files already known to be infected (quarantined)
Configuration file: ods.cfg
Default location: <RUNTIMEDIR>/etc
Exclusion options
Option Definition Parameter
Exclude Folder path
Specify the folder path to exclude.
nailsd.profile.ODS.filter.<number>.path:/var/log
Exclude Sub-directory
Specify true or false to indicate whether to exclude files in the sub-directory.
nailsd.profile.ODS.filter.<number>.subdir:true
Exclusion type
Specify the exclusion type as: exclude-path
nailsd.profile.ODS.filter.<number>.type:exclude-path
Note: The <number> attribute denotes the priority in which VirusScan Enterprise for Linux considers the exclusion.
Here is an example of how you could add exclusion entries in the nails.cfg file:
Specifying on-demand exclusion options-Example
nailsd.profile.ODS.filter.0.path:/proc
nailsd.profile.ODS.filter.0.subdir:true
nailsd.profile.ODS.filter.0.type:exclude-path
nailsd.profile.ODS.filter.1.path:.*.jar
nailsd.profile.ODS.filter.1.subdir:false
nailsd.profile.ODS.filter.1.type:exclude-path
nailsd.profile.ODS.filter.2.path:/tmp
nailsd.profile.ODS.filter.2.subdir:false
nailsd.profile.ODS.filter.2.type:exclude-path
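Exclusions take paths out of scanning, so the on-access and on-demand filter lists are both worth reviewing. This Python audit is an added example, not part of the McAfee guide or product: it parses the nailsd.profile.<OAS|ODS>.filter.<number>.* entries and flags incomplete entries, exclusions of user-writable directories, and extension patterns with an unescaped dot. The function names, the directory list, the leading-slash test for literal paths, and standard regular-expression semantics are assumptions; the guide does not say how the product anchors patterns.

```python
import re
from collections import defaultdict

# Constructed sample based on the guide's examples; ODS filter 0 has no type line on purpose.
SAMPLE_CFG = """\
nailsd.profile.OAS.filter.0.path:/var/log
nailsd.profile.OAS.filter.0.subdir:true
nailsd.profile.OAS.filter.0.type:exclude-path
nailsd.profile.OAS.filter.1.path:.*.jar
nailsd.profile.OAS.filter.1.subdir:false
nailsd.profile.OAS.filter.1.type:exclude-path
nailsd.profile.OAS.filter.3.path:/tmp
nailsd.profile.OAS.filter.3.subdir:true
nailsd.profile.OAS.filter.3.type:exclude-path
nailsd.profile.ODS.filter.0.path:/proc
nailsd.profile.ODS.filter.0.subdir:true
"""

KEY = re.compile(r"^nailsd\.profile\.(OAS|ODS)\.filter\.(\d+)\.(path|subdir|type):\s*(.*)$")
# Assumption: directories that any local user can usually write to.
WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")

def parse_filters(text):
    """Group filter lines into {(profile, number): {field: value}}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = KEY.match(line.strip())
        if m:
            profile, num, field, value = m.groups()
            entries[(profile, int(num))][field] = value.strip()
    return dict(entries)

def audit_filters(text):
    """Return (profile, number, finding) tuples for exclusions worth reviewing."""
    findings = []
    for (profile, num), e in sorted(parse_filters(text).items()):
        missing = {"path", "subdir", "type"} - e.keys()
        if missing:
            findings.append((profile, num, "incomplete: missing " + ",".join(sorted(missing))))
        path = e.get("path", "")
        if path.startswith("/"):  # assumption: a leading slash means a literal path
            if any(path == d or path.startswith(d + "/") for d in WRITABLE):
                findings.append((profile, num, "excludes user-writable directory " + path))
        elif re.search(r"(?<!\\)\.[A-Za-z0-9]+$", path):  # e.g. .*.jar instead of .*\.jar
            findings.append((profile, num, "unescaped '.' before extension in " + path))
    return findings

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_CFG):
        print(finding)
```
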
Anti-virus actions
Configure VirusScan Enterprise for Linux to take a variety of actions when it detects a virus or other potentially unwanted software.
The actions are:
clean – Cleans the infected file by removing the virus code. VirusScan Enterprise for Linux cannot repair any damage that has occurred to the file. For example, some viruses can modify or erase data in spreadsheets.
continue – Reports the detection and continues scanning. This action is only available for on-demand scanning.
delete – Deletes the infected file.
deny access – Prevents further access to the infected file. This action is only available for on-access scanning.
quarantine – Moves the infected file to the area specified in Quarantine directory. To prevent the spread of infected files, VirusScan Enterprise for Linux will not move a file from a remote file system into this area.
rename – Renames the extension of the infected file, to prevent its accidental use. Renaming is useful in cases where the file extension (such as .exe or .txt) determines the application that will open the file.
If an action fails to work, VirusScan Enterprise for Linux uses the secondary action, if any. If that action fails, VirusScan Enterprise for Linux uses its fallback action. For on-demand scanning, VirusScan Enterprise for Linux reports that the file is infected.
Configuration file: ods.cfg
Default location: <RUNTIMEDIR>/etc
On-demand Anti-virus action options
Option Definition Parameter
Action for viruses and Trojan horses
Specify actions to take when a virus or Trojan-horse program is detected.
Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.
nailsd.profile.ODS.action.App.primary:clean
nailsd.profile.ODS.action.App.secondary:quarantine
Action for applications and joke programs
Specify actions to take when a potentially unwanted application or joke program is detected.
Your second choice of action is limited by your first choice. You cannot specify the same action for both choices.
nailsd.profile.ODS.action.Default.primary:clean
nailsd.profile.ODS.action.Default.secondary:quarantine
Action on time out
Specify an action to take when the scanning takes too long to complete. The scanner takes an action if it fails to scan the file within the seconds mentioned under "Maximum scan time".
Use attributes:
block – To deny access to the suspected file
pass – To allow the suspected file
nailsd.profile.ODS.action.timeout:pass
Action if an error occurs during scanning
Specify an action to take if a fault occurs, such as an internal fault in VirusScan Enterprise for Linux or the scanning engine, or a failure to complete the second choice of action.
Use attributes:
block – To deny access to the suspected file
pass – To allow the suspected file
nailsd.profile.ODS.action.error:block
Quarantine directory
Specify the quarantine folder location to store quarantined items. By default, the quarantine directory is /quarantine.
Make sure that the directory is on the local system and does not include symbolic links.
nailsd.profile.ODS.quarantineDirectory:/quarantine
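The rules stated for the on-access and on-demand actions (different primary and secondary actions, block or pass on time out and on error, a scan time between 10 and 9999 seconds, a quarantine directory without symbolic links) can be checked mechanically before a configuration is deployed. This Python check is an added example, not McAfee code; the function names are hypothetical, and for the OAS profile it assumes scanMaxTmo follows the key pattern shown here for ODS.

```python
import os

# Constructed sample using the parameter names shown in the guide.
SAMPLE_CFG = """\
nailsd.profile.ODS.action.App.primary:clean
nailsd.profile.ODS.action.App.secondary:clean
nailsd.profile.ODS.action.Default.primary:clean
nailsd.profile.ODS.action.Default.secondary:quarantine
nailsd.profile.ODS.action.timeout:pass
nailsd.profile.ODS.action.error:allow
nailsd.profile.ODS.scanMaxTmo:5
nailsd.profile.ODS.quarantineDirectory:/quarantine
"""

def parse_cfg(text):
    """Return {key: value} for every 'key:value' line."""
    pairs = (l.split(":", 1) for l in text.splitlines() if ":" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_actions(text, profile="ODS", check_fs=False):
    """Check one profile's action settings against the rules stated in the guide."""
    cfg, p, out = parse_cfg(text), "nailsd.profile." + profile + ".", []
    for cls in ("App", "Default"):
        first = cfg.get(p + "action." + cls + ".primary")
        if first is not None and first == cfg.get(p + "action." + cls + ".secondary"):
            out.append(cls + ": primary and secondary are both '" + first + "'")
    for event in ("timeout", "error"):
        value = cfg.get(p + "action." + event)
        if value == "pass":  # fail-open: worth a deliberate decision
            out.append(event + ": pass allows the file although the scan did not complete")
        elif value is not None and value != "block":
            out.append(event + ": '" + value + "' is not block or pass")
    tmo = cfg.get(p + "scanMaxTmo")
    if tmo is not None and not (tmo.isdigit() and 10 <= int(tmo) <= 9999):
        out.append("scanMaxTmo: " + tmo + " is outside 10-9999")
    qdir = cfg.get(p + "quarantineDirectory")
    # Filesystem check is opt-in so the audit can also run away from the scanned host.
    if check_fs and qdir and os.path.realpath(qdir) != os.path.abspath(qdir):
        out.append("quarantineDirectory: " + qdir + " resolves through a symbolic link")
    return out

if __name__ == "__main__":
    print("\n".join(audit_actions(SAMPLE_CFG)))
```

Run it with check_fs=True on the host itself so the quarantine path is resolved against the real filesystem.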