User manual F-SECURE ANTI-VIRUS LINUX CLIENT SECURITY ADMINISTRATOR GUIDE

[. . . ] F-Secure Anti-Virus Linux Client Security Administrator's Guide "F-Secure" and the triangle symbol are registered trademarks of F-Secure Corporation and F-Secure product names and symbols/logos are either trademarks or registered trademarks of F-Secure Corporation. All product names referenced herein are trademarks or registered trademarks of their respective companies. F-Secure Corporation disclaims proprietary interest in the marks and names of others. Although F-Secure Corporation makes every effort to ensure that this information is accurate, F-Secure Corporation will not be liable for any errors or omission of facts contained herein. [. . . ] If you want to scan the network file system, run fsav / on the server. If you cannot run fsav on the server, you can scan the network file system from the client workstation by explicitly specifying mounted network file system directories on the fsav command line. For example, if an NFS file system is mounted in /mnt/server1, scan it with the following command: fsav /mnt/server1 72 For more information on command line options, see the fsav man pages or type fsav --help. 7. 2. 2 dbupdate Before you can update virus definition databases manually, you have to disable the periodic database update. Add # to the beginning of the following line to comment it out: */1 * * * * /opt/f-secure/fsav/bin/fsavpmd --dbupdate-only >/dev/null 2>&1 Follow these instructions to update virus definition databases manually from the command line: 1. Download the fsdbupdate. run file from: http://download. f-secure. com/latest/fsdbupdate. run fsdbupdate. run is a self-extracting file that stops the automatic update agent daemon, updates databases and restarts the automatic update agent. Run dbupdate as root user. 7. 3 Firewall Protection You can use the fsfwc command line tool to view and change the current security profile. CHAPTER 7 Command Line Tools 73 7. 3. 1 fsfwc Use the following command to change the current security profile: /opt/f-secure/fsav/bin/fsfwc --mode {block, mobile, home, office, strict, normal, bypass} For more information about security profiles, see "Security Profiles", 50. 7. 4 Integrity Checking You can use the fsic command line tool to check the system integrity and fsims to use the Software Installation Mode from the shell. 7. 4. 1 fsic You can create the baseline, add files to the baseline and verify the baseline with the fsic command line tool. Creating the Baseline Follow these instructions to create the baseline from the command line: 1. If you want to add all files in the directory in the Known Files List in the baseline, type A in the prompt. Enter a passphrase to create the signature. Adding Files to the Baseline Follow these instructions to add files to the baseline from the command line. In this example, the product is also configured to send an alert about unauthorized modification attempts of the protected files. Run the fsic tool with the --add, --alert and --protect options: /opt/f-secure/fsav/bin/fsic --add --alert=yes --protect=yes /etc/passwd /etc/shadow 74 2. The baseline update progress is displayed during the process, and you are prompted to select whether to include the new files in the baseline: /opt/f-secure/fsav/bin/fsic --baseline 3. Enter a passphrase to create the signature. Verifying the Baseline Follow these instructions to verify the baseline from the command line: 1. The product validates files and displays whether the files are intact. 7. 4. 2 fsims Use the following command to enable Software Installation Mode: /opt/f-secure/fsav/bin/fsims on After you have installed the new software, disable the Software Installation Mode to restore the normal protection level: /opt/f-secure/fsav/bin/fsims off For more information about the Software Installation Mode, see "Software Installation Mode", 60. 7. 5 General Command Line Tools You can use the fssetlanguage command line tool to set the language used in the web user interface. 7. 5. 1 fssetlanguage Use the following command to set the language: /opt/f-secure/fsav/bin/fssetlanguage <language> CHAPTER 7 Command Line Tools Where language is: en - english ja - japanese de - german 75 7. 5. 2 fsma Use the following command to check the status of the product modules: /etc/init. d/fsma status The following table lists all product modules: Module F-Secure Alert Database Handler Daemon F-Secure FSAV Policy Manager Daemon F-Secure Firewall Daemon F-Secure FSAV License Alerter F-Secure FSAV On-Access Scanner Daemon Process Description /opt/f-secure/fsav/sbin/fsadhd Stores alerts to a local database. /opt/f-secure/fsav/bin/fsavpmd Handles all F-Secure Policy Manager Console operations (for example, Scan all hard disks now, Update database now, Reset statistics) /opt/f-secure/fsav/bin/ fsfwd. run /opt/f-secure/fsav/libexec/ fslmalerter /opt/f-secure/fsav/sbin/fsoasd The interface between F-Secure Management Agent and the iptables/netfilter firewall. Checks and informs how many days are left in the evaluation period when the product is installed in the evaluation mode. Provides all real-time protection features: real-time virus scanning, real-time integrity checking and rootkit protection. 76 Module F-Secure FSAV Status Daemon Process Description /opt/f-secure/fsav/bin/fstatusd Checks the current status of every component keeps desktop panel applications and web user interface up-to-date. Stores alerts that can be viewed with the web user interface. F-Secure FSAV Web /opt/f-secure/fsav/tomcat/bin/ UI catalina. sh start F-Secure FSAV /opt/f-secure/common/ PostgreSQL daemon postgresql/bin/startup. sh 7. 5. 3 fsav-config If you install the product using RPM packages, you have to use the following command to fsav-config command line tool to create the initial product configuration: /opt/f-secure/fsav/fsav-config A Installation Prerequisites All 64-bit Distributions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Red Hat Enterprise Linux 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 Debian 3. 1 and Ubuntu 5. 04, 5. 10, 6. 06. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79 SuSE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 Turbolinux 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80 77 78 A. 1 All 64-bit Distributions Some 64-bit distributions do not install 32-bit compatibility libraries by default. [. . . ] '. ' on either P or R column means that Protection or Reporting respectively is not enabled. If a change is detected against the baseline, it is reported as follows [Note] . RA /bin/ls Hash does not match baselined hash [Note] . RA /bin/ls inode information does not match baselined data CHAPTER E 161 So even if inode data is changed Hash might be same (touch on a file will change inode data) however IF hash is changed and inode data is still same then file contents has been modified and it's mtime set back to what it was with utime() (man 2 utime). If --show-details is specified, then deviations against baseline are reported as follows [Note] ( RA) /bin/ls Hash does not match baselined hash [Note] ( RA) /bin/ls inode information does not match baselined data mode:uid:gid:len:mtime hash Old 81ed:0:0:31936:1096007887 e2c2f03d5460690211fa497592543371 Now 81ed:0:0:31940:1096388689 08c4eae2cf02c4214ba48cb89197aa66 If no deviations are found and --show-all is also specified then following will be reported [ OK ] ( RA) (81ed:0:0:620676:1077202297) baseline action reports When --baseline is specified the integrity checker will recalcu/bin/ls 162 late hash and inode information for all files known to the integrity checker. (Yes, No, All yes, Disregard new entries) If file has been modified fsic will ask [Note] /bin/ls seems to differ from baselined entry. [. . . ]