Antivirus

From SlackWiki
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Antivirus

Why would you want antivirus software on a Linux box, when there are so few Linux viruses out there? Maybe you don't want to spread them to Windows boxes, or maybe you're worried about getting windows viruses via Windows emulation software, or maybe you want a little extra insurance. The next question is which one? Depends on what you're looking for. A good thread on this is [1]. I'll talk about installing 2 antivirus programs, Clam and Antivir.

Clam: I haven't used it, but it has a command line scanner and a manual updater. Go to [2] and search for clamav. Follow the instructions.

Antivir: The good: updates virus definitions automatically, and scans files in realtime on open/close (can also scan on execute). You can run scans manually from the command line, and there's a GUI if you want to use it. The bad: complicated setup, I don't think the free version scans samba shares, has spyware protection, and it won't automatically scan archive files until you extract them. **Update** Ending Support

The rest of this tutorial helps you setup Antivir for Slackware 12.1 and Slackware 12.0. This is a compilation of information from dazuko.org, the Antivir user manual, and my own personal experience.


You need:

  1. latest dazuko kernel module from [3]
  2. antivir from [4]
  3. some time to kill


Slackware 12.1

Dazuko

  • Extract dazuko somewhere: tar xzvf dazuko-2.3.4.tar.gz. There are 2 ways to install the kernel module, either via LSM or syscall hooks. The recommended way is via LSM, but I wasn't able to configure the Slackware 2.6.24.5 kernel to compile capabilities as a module (make menuconfig->Security Options->Default Linux Capabilities). I was able to do this with the old kernel in Slackware 12.0, but not the new one. View the FAQ at dazuko.org for more info. Also view <dazuko_dir>/README.linux26 for info on using syscall hooks.
  • Recompile the kernel (Tested). You only need to do this if you're using an SMP (multi-processor capable) kernel. I won't go into detail on how to recompile the kernel, as that's covered here [5]. Anyway, before you make the kernel, cd /usr/src/linux, and patch the kernel like this:
    • patch fs/dcache.c <dazuko_dir>/patch_dpath.diff
    • Finish recompiling the kernel, make sure everything boots up OK.
    • cd <dazuko_dir>
    • ./configure --enable-syscalls --mapfile=/boot/System.map --disable-local-dpath
  • if you don't need to recompile the kernel (non-SMP), do this:
    • ./configure --enable-syscalls --mapfile=/boot/System.map
  • Don't recompile the kernel, and pass in different flags to ./configure (Untested). I'm not totally sure if you lose any functionality by doing this, but up to you.
    • cd <dazuko_dir>
    • ./configure --enable-syscalls --mapfile=/boot/System.map --disable-chroot-support
  • make
  • cd example_c
  • make
  • example /tmp
  • in another terminal, create a test file in your /tmp directory. if you see output from example, dazuko is working correctly.
  • cd ..
  • make test
  • make install


Antivir

  • Extract antivir somewhere. There is documentation under <antivir_dir>/doc/avserver_en.pdf, along with some readmes.
  • Install with ./install. Make sure that you specify to let antivir load the dazuko module (easier). The path to it is /lib/modules/`uname -r`/extra/dazuko.ko. You probably want the default options, including the 2 hr updates.
  • add users to the antivir group. vim /etc/group, and add usernames to the antivir group.
  • my personal preference is to move infected files to /home/quarantine. here's how you set it up:
    • mkdir /home/quarantine
    • chown nobody:antivir /home/quarantine
    • chmod 775 /home/quarantine
  • under /etc/avguard.conf, add/edit these lines:
    • MoveConcerningFilesTo /home/quarantine
    • IncludePath /opt/downloads (where I put all my downloads, /home already scanned by default)
  • restart avguard with /usr/sbin/avguard restart
  • test that it works by going to [6]. There's a link for downloading sample viruses. If everything works, the file should be moved immediately to /home/quarantine. For archive files (.zip, .tar, etc.), you will have to extract them before antivir will catch them. Lame free restriction.
  • files to remember:
    • /etc/avguard.conf
    • /etc/avupdater.conf
    • /var/log/avguard.log
    • /var/log/avupdater.log
    • /usr/bin/antivir
    • /usr/bin/antivir-gui
    • /usr/sbin/avguard
    • /usr/sbin/avupdater
  • commands to remember
    • to do a manual update
      • antivir --update
    • to scan a directory manually, and all subdirectories, extracting archive files
      • antivir --allfiles -s -z --moveto=/home/quarantine <directory_to_scan>

Slackware 12.0

Dazuko

  • Extract dazuko somewhere: tar xzvf dazuko-2.3.4.tar.gz. We can install this the recommended way, via LSM. You shouldn't need to recompile the kernel, as capabilities should be a module. To check, do this:
    • lsmod | grep capab
    • If you see it there, you're in luck. Otherwise you need to recompile the kernel with this option:
      • make menuconfig->Security Options-><M>Default Linux Capabilities.
  • cd <dazuko_dir>
  • ./configure
  • make (probably need to be root)
  • rmmod capability (unload this for a second so we can try out dazuko).
  • make test
  • cd example_c
  • make
  • example /tmp
  • in another terminal, create a test file in your /tmp directory. if you see output from example, dazuko is working correctly.
  • cd ..
  • make install
  • modprobe capability (reload into memory)
  • edit /etc/rc.d/rc.modules, and add this line before the capability module is loaded:
    • /sbin/modprobe dazuko
  • There is an issue when the capability module is loaded first. The steps above load the dazuko module first, which should fix the problem.


Antivir

  • Same as above, except tell antivir that the kernel will load the module. This is so that you can load dazuko before capabilities in /etc/rc.d/rc.modules.