Latest revision as of 15:49, 4 July 2014
Antivirus
Why would you want antivirus software on a Linux box, when there are so few Linux viruses out there? Maybe you don't want to spread them to Windows boxes, maybe you're worried about getting Windows viruses via Windows emulation software, or maybe you want a little extra insurance. The next question is which one? That depends on what you're looking for. A good thread on this is [1]. I'll talk about installing 2 antivirus programs, Clam and Antivir.
Clam: I haven't used it, but it has a command line scanner and a manual updater. Go to http://www.slackbuilds.org and search for clamav. Follow the instructions.
Antivir: The good: updates virus definitions automatically, and scans files in realtime on open/close (can also scan on execute). You can run scans manually from the command line, and there's a GUI if you want to use it. The bad: complicated setup, I don't think the free version scans samba shares, has spyware protection, and it won't automatically scan archive files until you extract them. **Update** Ending Support: http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/1491
The rest of this tutorial helps you set up Antivir for Slackware 12.1 and Slackware 12.0. This is a compilation of information from dazuko.org, the Antivir user manual, and my own personal experience.
You need:
Slackware 12.1
Dazuko
- Extract dazuko somewhere:
tar xzvf dazuko-2.3.4.tar.gz
There are 2 ways to install the kernel module, either via LSM or syscall hooks. The recommended way is via LSM, but I wasn't able to configure the Slackware 2.6.24.5 kernel to compile capabilities as a module (make menuconfig -> Security Options -> Default Linux Capabilities). I was able to do this with the old kernel in Slackware 12.0, but not the new one. See the FAQ at dazuko.org for more info, and <dazuko_dir>/README.linux26 for info on using syscall hooks.
- Recompile the kernel (Tested). You only need to do this if you're using an SMP (multi-processor capable) kernel. I won't go into detail on how to recompile the kernel, as that's covered here [5]. Anyway, before you make the kernel, go to the kernel source and patch it like this:
cd /usr/src/linux
patch fs/dcache.c <dazuko_dir>/patch_dpath.diff
- Finish recompiling the kernel, and make sure everything boots up OK. Then configure dazuko against the patched kernel:
cd <dazuko_dir>
./configure --enable-syscalls --mapfile=/boot/System.map --disable-local-dpath
- If you don't need to recompile the kernel (non-SMP), do this instead:
./configure --enable-syscalls --mapfile=/boot/System.map
- Alternatively, don't recompile the kernel and pass different flags to ./configure (Untested). I'm not totally sure if you lose any functionality by doing this, but it's up to you:
cd <dazuko_dir>
./configure --enable-syscalls --mapfile=/boot/System.map --disable-chroot-support
make
cd example_c
make
./example /tmp
- In another terminal, create a test file in your /tmp directory. If you see output from example, dazuko is working correctly.
cd ..
make test
make install
Antivir
- Extract antivir somewhere. There is documentation under <antivir_dir>/doc/avserver_en.pdf, along with some readmes.
- Install with
./install
Make sure that you specify to let antivir load the dazuko module (easier). The path to it is
/lib/modules/`uname -r`/extra/dazuko.ko
You probably want the default options, including the 2 hr updates.
- Add users to the antivir group:
vim /etc/group
and add usernames to the antivir group.
- My personal preference is to move infected files to /home/quarantine. Here's how you set it up:
mkdir /home/quarantine
chown nobody:antivir /home/quarantine
chmod 775 /home/quarantine
- Under /etc/avguard.conf, add/edit these lines:
MoveConcerningFilesTo /home/quarantine
IncludePath /opt/downloads
(/opt/downloads is where I put all my downloads; /home is already scanned by default)
- Restart avguard with
/usr/sbin/avguard restart
- Test that it works by going to [6]. There's a link for downloading sample viruses. If everything works, the file should be moved immediately to /home/quarantine. For archive files (.zip, .tar, etc.), you will have to extract them before antivir will catch them. Lame free restriction.
- Files to remember:
/etc/avguard.conf
/etc/avupdater.conf
/var/log/avguard.log
/var/log/avupdater.log
/usr/bin/antivir
/usr/bin/antivir-gui
/usr/sbin/avguard
/usr/sbin/avupdater
- Commands to remember:
- To do a manual update:
antivir --update
- To scan a directory manually, and all subdirectories, extracting archive files:
antivir --allfiles -s -z --moveto=/home/quarantine <directory_to_scan>
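The quarantine setup and avguard.conf edits above, as an added shell example (not from the tutorial and not Avira's code): it applies the two config lines without duplicating them on re-runs and checks the quarantine directory's mode and group. Function names, the temp-file-and-mv replacement, and GNU stat are assumptions.

```shell
# Added example: idempotently apply the tutorial's avguard.conf lines and
# verify /home/quarantine. Assumes "Key value" config lines as shown above
# and option values without "|" or "&" (used as sed delimiter/special).

# Single-valued option (e.g. MoveConcerningFilesTo): replace an existing
# line, otherwise append one.
set_single_option() {  # conf key value
    conf=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]" "$conf"; then
        sed "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf '%s %s\n' "$key" "$value" >> "$conf"
    fi
}

# Repeatable option (e.g. IncludePath): append the line only if that exact
# line is not already present, so re-running does not duplicate it.
add_option_once() {  # conf key value
    grep -qxF "$2 $3" "$1" || printf '%s %s\n' "$2" "$3" >> "$1"
}

# Return 0 when exactly one "key value" line is present in conf.
option_is() {  # conf key value
    [ "$(grep -cxF "$2 $3" "$1")" -eq 1 ]
}

# The two edits the tutorial makes to /etc/avguard.conf.
apply_avguard_settings() {  # conf quarantine_dir download_dir
    set_single_option "$1" MoveConcerningFilesTo "$2"
    add_option_once "$1" IncludePath "$3"
}

# Return 0 when the quarantine directory exists with mode 775 (and, if a
# group is given, is owned by that group, e.g. antivir). GNU stat assumed.
quarantine_dir_ok() {  # dir [group]
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "775" ] || return 1
    [ -z "${2:-}" ] || [ "$(stat -c '%G' "$1")" = "$2" ]
}

# Return 0 when the dazuko module is loaded (only meaningful on the target box).
dazuko_loaded() {
    lsmod 2>/dev/null | grep -q '^dazuko[[:space:]]'
}

# Example use on the box from the tutorial (run as root):
# apply_avguard_settings /etc/avguard.conf /home/quarantine /opt/downloads
# quarantine_dir_ok /home/quarantine antivir && /usr/sbin/avguard restart
```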
Slackware 12.0
Dazuko
- Extract dazuko somewhere:
tar xzvf dazuko-2.3.4.tar.gz
We can install this the recommended way, via LSM. You shouldn't need to recompile the kernel, as capabilities should be a module. To check, do this:
lsmod | grep capab
- If you see it there, you're in luck. Otherwise you need to recompile the kernel with this option: make menuconfig -> Security Options -> <M> Default Linux Capabilities.
cd <dazuko_dir>
./configure
make
rmmod capability
(probably need to be root; unload this for a second so we can try out dazuko)
make test
cd example_c
make
./example /tmp
- In another terminal, create a test file in your /tmp directory. If you see output from example, dazuko is working correctly.
cd ..
make install
modprobe capability
(reload into memory)
- Edit /etc/rc.d/rc.modules, and add this line before the capability module is loaded:
/sbin/modprobe dazuko
- There is an issue when the capability module is loaded first. The steps above load the dazuko module first, which should fix the problem.
Antivir
- Same as above, except tell antivir that the kernel will load the module. This is so that you can load dazuko before capabilities in /etc/rc.d/rc.modules.
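An added check for the load-order issue just described (example code, not from the tutorial): it reads an rc.modules-style file and confirms that the uncommented /sbin/modprobe dazuko line comes before /sbin/modprobe capability. Function names are assumptions.

```shell
# Added example: verify that rc.modules loads dazuko before capability.
# Assumes active lines look like "/sbin/modprobe <module>" and that
# commented-out lines start with "#", as in Slackware 12.0's rc.modules.

# Print the 1-based line number of the first active modprobe line for a
# module (nothing if the module is never loaded).
modprobe_line() {  # rcfile module
    grep -nE "^[[:space:]]*/sbin/modprobe[[:space:]]+$2([[:space:]]|\$)" "$1" \
        | head -n 1 | cut -d: -f1
}

# Return 0 when dazuko is loaded and either capability is not loaded at
# all or dazuko's modprobe line comes first; return 1 otherwise (the
# broken order from the note above, or dazuko missing entirely).
dazuko_before_capability() {  # rcfile
    d=$(modprobe_line "$1" dazuko)
    c=$(modprobe_line "$1" capability)
    [ -n "$d" ] || return 1
    [ -z "$c" ] && return 0
    [ "$d" -lt "$c" ]
}

# Example use on the box from the tutorial:
# dazuko_before_capability /etc/rc.d/rc.modules || echo "fix module order"
```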