Kaspersky Anti-Virus 8.0 for Linux File Server
Administrator’s Guide
PROGRAM VERSION: 8.0 MP2 CF2
Dear User!
Thank you for choosing our product. We hope that this documentation will help you in your work and will provide answers regarding this software product.
Attention! This document is the property of Kaspersky Lab ZAO (herein also referred to as Kaspersky Lab): all rights to this document are reserved by the copyright laws of the Russian Federation, and by international treaties. Illegal reproduction and distribution of this document or parts hereof result in civil, administrative or criminal liability by applicable law.
All materials may only be duplicated, regardless of form, or distributed, including in translation, with the written permission of Kaspersky Lab.
This document and graphic images related to it may be used exclusively for informational, non-commercial, and personal purposes.
The document can be modified without prior notification. For the latest version of this document, refer to the Kaspersky Lab website at http://www.kaspersky.com/docs.
Kaspersky Lab assumes no liability for the content, quality, relevance, or accuracy of any materials used in this document for which the rights are held by third parties, or for any potential damages associated with the use of such documents.
Revision date: 8/05/2014
© 2014 Kaspersky Lab ZAO. All Rights Reserved. http://www.kaspersky.com
http://support.kaspersky.com
INTRODUCTION
Kaspersky Anti-Virus 8.0 for Linux® File Server (hereinafter also Kaspersky Anti-Virus) protects servers running under Linux operating systems against malware that can infiltrate them via file exchange.
Kaspersky Anti-Virus scans the server disks and other mounted devices. It can scan individual directories accessible over SMB/CIFS and NFS as well as remote directories mounted on the server using the SMB/CIFS and NFS protocols.
All command examples listed in this document are valid for Linux operating systems.
GENERAL INFORMATION ON KASPERSKY ANTI-VIRUS
Kaspersky Anti-Virus provides protection for servers running under Linux operating systems against malware that infiltrates the file system through a network connection or a removable device.
The application can:
Scan file system objects located on the server's local drives, as well as shared and distributed resources accessed via the SMB/CIFS and NFS protocols.
File system objects can be scanned either in real time or on demand.
Detect infected and suspicious objects.
If an object is found to contain code from a known threat, Kaspersky Anti-Virus assigns it the infected status. If it is not possible to determine for sure whether or not an object is infected, it is classified as suspicious.
Neutralize threats detected in files.
Depending on the type of threat, the application automatically selects the action required to neutralize it: disinfect infected object, move suspicious object to Quarantine, delete object or skip, i.e. leave object unchanged.
Move suspicious objects to Quarantine.
Kaspersky Anti-Virus isolates objects that it recognizes as suspicious. The application places such objects in quarantine, i.e., it moves them from their original location into a special storage. After every database update, Kaspersky Anti-Virus automatically rescans the objects in Quarantine. Some of them may be found not infected and can be restored from Quarantine.
Save backup copies of files before they are processed. Restore files from backup copies.
Manage tasks and their settings.
The application provides four types of user-controllable tasks: real-time protection, on-demand scan, scan of objects in Quarantine, and update. The tasks of other types are system tasks and are not intended to be managed by the user.
Notify the administrator about events caused by a change in the anti-virus protection status of the server and in the general status of Kaspersky Anti-Virus.
Use shell scripts to configure actions to be executed automatically in response to certain events.
Generate statistics and reports about operational results.
Monitor the server's protection status through the SNMP protocol.
Update Kaspersky Anti-Virus databases from Kaspersky Lab's update servers or from a user-specified source by schedule or on demand.
The databases are used to find and treat infected files. Each file is scanned for threats using the records they contain: the code of the file is matched against the code sections that identify a particular threat.
Configure settings and control tasks either locally through the server's standard operating system tools, or remotely from any computer in the local network or across the Internet.
Kaspersky Anti-Virus can be managed in several ways:
through the command line;
by modifying the application's configuration file;
through the Web Management Console;
using Kaspersky Security Center.
REAL-TIME PROTECTION AND ON-DEMAND SCAN
The following functions can be used to ensure server protection: real-time protection and on-demand scan.
Real-time protection
By default, the real-time protection task starts automatically together with Kaspersky Anti-Virus at server startup and keeps running continuously in the background. Kaspersky Anti-Virus scans files when they are accessed.
Kaspersky Anti-Virus scans files for malware of various types. When any application accesses a file on the server (for example, reads or writes it), Kaspersky Anti-Virus intercepts the operation on the file. It checks the file for the presence of
it, for example, it may attempt to disinfect the file or simply delete it. The program attempting to access the file may only do so if this file is not infected or has been successfully disinfected.
On-demand scan
An on-demand scan is a one-time complete or selective scan of files on the server for the presence of threats.
SPECIFICS OF SCANNING SYMBOLIC AND HARD LINKS
The following specifics of scanning symbolic and hard links apply during a Kaspersky Anti-Virus scan.
Scanning symbolic links
The real-time protection and on-demand scan tasks of Kaspersky Anti-Virus check a symbolic link only if the file that the symbolic link points to is included in the scanned area.
If the file that is accessed through a symbolic link is not included in the protection area of the task, it will not be scanned when an application accesses it through that link. If such a file contains malicious code, server security will be at risk!
Scanning hard links
When Kaspersky Anti-Virus processes a file that has more than one hard link, the outcome depends on the selected action:
If the Quarantine (move to quarantine) action is selected, the processed hard link is moved to quarantine, and the other hard links are not processed;
if the Remove action is selected, the processed hard link is removed, and the other hard links are not processed;
if the Cure action is selected, Kaspersky Anti-Virus either disinfects the source file or replaces the processed hard link with a clean copy of the source file. The created copy has the name of the processed hard link.
When restoring the file from quarantine or backup, a copy of the source file is created with the name of the quarantined (backed-up) hard link. Connections to the other hard links are not restored.
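As an added audit example (not from the guide), the following POSIX shell script lists the two situations described above inside a protection area: symbolic links whose target lies outside the area, and regular files with more than one hard link. The directory /srv/share in the usage comment is an assumed example and the function names are the script's own.

```shell
#!/bin/sh
# Added audit script (not part of the Kaspersky guide). It reports the two link
# situations the guide warns about inside a protection area:
#   1. symbolic links whose target lies OUTSIDE the area (the target is not
#      scanned when a program reaches it through the link);
#   2. regular files with more than one hard link (only the processed link is
#      quarantined/removed; the other links to the same data are not processed).
# The area path /srv/share in the usage line is an assumed example.
# Usage: audit_links.sh /srv/share
# Filenames containing newlines are not handled (find output is read line by line).

# Print "<link><TAB><resolved target>" for every symlink under $1 whose
# physical target is not inside the physical path of $1.
escaping_symlinks() {
    area=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$area" -type l 2>/dev/null | while IFS= read -r link; do
        # readlink -f follows the whole chain; a dangling link still yields a path
        target=$(readlink -f -- "$link" 2>/dev/null) || continue
        case "$target" in
            "$area" | "$area"/*) ;;                 # stays inside the area: scanned
            *) printf '%s\t%s\n' "$link" "$target" ;;
        esac
    done
}

# Print "<link count><TAB><path>" for regular files under $1 that have more
# than one hard link (GNU find: -links and -printf).
multi_linked_files() {
    find "$1" -type f -links +1 -printf '%n\t%p\n' 2>/dev/null
}

# Run both checks; return 1 if anything was found, 0 if the area is clean,
# 2 if the directory cannot be entered.
audit_links() {
    found=0
    esc=$(escaping_symlinks "$1") || return 2
    if [ -n "$esc" ]; then
        echo "Symbolic links leaving the protection area $1:"
        printf '%s\n' "$esc"; found=1
    fi
    multi=$(multi_linked_files "$1")
    if [ -n "$multi" ]; then
        echo "Files with more than one hard link under $1:"
        printf '%s\n' "$multi"; found=1
    fi
    return $found
}

# Stand-alone use: audit the directory given as the single argument.
[ $# -ne 1 ] || audit_links "$1"
```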
ABOUT INFECTED, SUSPICIOUS OBJECTS AND OBJECTS WITH THE STATUS "WARNING"
Kaspersky Anti-Virus contains a set of databases. Databases are files containing records that are used to detect the malicious code of hundreds of thousands of known potential threats in objects being scanned. These records contain information about the control sections of the threats' code and algorithms used for disinfecting objects in which these threats are contained.
If Kaspersky Anti-Virus detects in an object being scanned sections of code that fully match the control code sections of a threat recorded in the databases, it considers the object infected.
Kaspersky Anti-Virus will assign the status "Warning" to the detected object if it contains a section of code that partially coincides with a control code section from a known threat (in accordance with certain conditions). At the same time, a false alarm may occur.
Kaspersky Anti-Virus assigns the status suspicious to objects detected by its Heuristic Analyzer. The Heuristic Analyzer detects malicious objects based on their behavior. The code in such an object cannot be said to partially or completely match the code of a known threat, but it does contain instructions or sequences of instructions that are peculiar to threats.
ABOUT BACKUP AND QUARANTINE
Kaspersky Anti-Virus isolates detected infected and suspicious objects to protect the server from their potential harmful effect.
Moving objects to quarantine
Kaspersky Anti-Virus quarantines detected infected and suspicious objects by moving them from their original location to the quarantine or backup storage directory. Kaspersky Anti-Virus rescans quarantined objects after each update of the Kaspersky Anti-Virus databases. Having scanned the quarantined objects, Kaspersky Anti-Virus may recognize some of them as not infected; others may be found infected.
If you suspect that a certain file may contain a threat while Kaspersky Anti-Virus recognizes it as clean, you can manually place such object in quarantine to check it later using updated databases.
Backup copying of objects before disinfection or deletion
Kaspersky Anti-Virus places in the quarantine or backup directory copies of infected and suspicious objects prior to disinfecting or deleting them. Such objects may be missing in the original location if they were deleted, or they may be stored in a modified form if Kaspersky Anti-Virus disinfected them.
You can restore an object from the quarantine or backup directory at any moment to its original location or to any other directory specified on the server. You may need to restore an object, for example, if the original infected file contained valuable data but Kaspersky Anti-Virus could not preserve its integrity during disinfection and the information inside became unavailable.
Restoring infected or suspicious objects may lead to server infection.
OBTAINING INFORMATION ABOUT KASPERSKY ANTI-VIRUS
Kaspersky Lab provides various sources of information about Kaspersky Anti-Virus. Select a source most convenient for you depending on the importance and urgency of your question.
If you have already purchased Kaspersky Anti-Virus, you can contact the Technical Support service. If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum at http://forum.kaspersky.com.
SOURCES OF INFORMATION FOR FURTHER RESEARCH
The following sources of information about Kaspersky Anti-Virus are available:
Kaspersky Anti-Virus page at the Kaspersky Lab website;
documentation;
manual pages.
Page at the Kaspersky Lab website
http://www.kaspersky.com/business-security/linux-file-server-antivirus
This page contains general information about the application, its functionality and peculiarities. You can purchase Kaspersky Anti-Virus or extend the period of its use in our online store.
Documentation
The Installation Guide describes the purpose of Kaspersky Anti-Virus, the hardware and software requirements for installing and operating it, and the instructions for its installation, verification of its operability and initial setup.
The Administrator's Guide contains information about how to manage Kaspersky Anti-Virus using the command line utility, Kaspersky Web Management Console and Kaspersky Security Center.
These documents are supplied in PDF format in Kaspersky Anti-Virus distribution package. Alternatively, you can download the documentation files from the Kaspersky Anti-Virus page at Kaspersky Lab's website.
Manual pages
You can review the following manual pages to obtain information about Kaspersky Anti-Virus:
managing Kaspersky Anti-Virus from the command line:
/opt/kaspersky/kav4fs/share/man/man1/kav4fs-control.1.gz;
configuring general settings for Kaspersky Anti-Virus:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs.conf.5.gz;
configuring the real-time protection task:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-oas.conf.5.gz;
configuring on-demand scan tasks:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-ods.conf.5.gz;
configuring update tasks:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-update.conf.5.gz;
configuring the storage of quarantined objects and the storage of objects backed up before disinfection or removal:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-quarantine.conf.5.gz;
configuring notifications:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-notifier.conf.5.gz;
configuring SNMP-Agent:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-snmp.conf.5.gz;
configuring the event repository:
/opt/kaspersky/kav4fs/share/man/man5/kav4fs-events.conf.5.gz;
description of the utility that changes the Web Management Console user password:
/opt/kaspersky/kav4fs/share/man/man1/kav4fs-wmconsole-passwd.1.gz;
description of the utility that changes the settings for the connection with the Kaspersky Security Center Administration Server:
/opt/kaspersky/klnagent/share/man/man1/klmover.1.gz;
description of the utility that checks the settings for the connection with the Kaspersky Security Center Administration Server:
/opt/kaspersky/klnagent/share/man/man1/klnagchk.1.gz.
CONTACTING THE TECHNICAL SUPPORT SERVICE
If you have already purchased Kaspersky Anti-Virus, you can obtain information about it from the Technical Support Service by telephone or online.
Before contacting the Technical Support service, please read the Support rules for Kaspersky Lab's products (http://support.kaspersky.com/support/rules).
Email request to the Technical Support Service
You can ask your question to the Technical Support Service specialists by filling out the Request to Kaspersky Lab Technical Support web form at http://support.kaspersky.com/helpdesk.html.
You can send your inquiry in Russian, English, German, French or Spanish.
In order to send an email message with your question, you must indicate the client number obtained from the Technical Support website during registration along with your password.
If you are not yet a registered user of Kaspersky Lab applications, you can fill out a registration form (https://support.kaspersky.com/personalcabinet/Registration/Form/?LANG=en). During registration, specify the key file name.
The Technical Support service will reply to your request in your Personal Cabinet (https://support.kaspersky.com/PersonalCabinet) and to the email address you have specified in your request.
Describe the problem you have encountered in the request web form providing as much detail as possible. Specify the following information in the mandatory fields:
Request type. Select the topic that is closest to the problem you have encountered, e.g. "Product installation / removal problem" or "Virus scan / removal problem".
Kaspersky Anti-Virus version name and number.
Request text. Describe the problem encountered in detail.
Customer ID and password. Enter the customer ID and password received during registration at the Technical Support Service website.
Email address. The Technical Support service will send their answer to this email address.
Technical support by phone
If an urgent issue arises, you can call the Russian-speaking or international Technical Support specialists by phone (see http://support.kaspersky.com/support/contacts).
Before contacting Technical Support, please read the support rules (http://support.kaspersky.com/support/rules). This will allow our specialists to help you more quickly.
DISCUSSION OF KASPERSKY LAB'S APPLICATIONS IN WEB FORUM
If your question does not require an immediate answer, you can discuss it with the Kaspersky Lab experts and other users in our forum at http://forum.kaspersky.com.
In this forum you can view existing topics, leave your comments, create new topics and use the search engine.
WORKING WITH KASPERSKY WEB MANAGEMENT CONSOLE
Kaspersky Web Management Console (hereinafter also referred to as the Web Management Console) is a tool for managing Kaspersky Anti-Virus using a web browser.
You can perform the following actions through the Web Management Console:
display the operational and protection status of the server running Kaspersky Anti-Virus, and generate corresponding reports;
manage and configure Kaspersky Anti-Virus.
The Web Management Console is included in the distribution package of Kaspersky Anti-Virus. For more details about starting and configuring the Web Management Console, see Kaspersky Anti-Virus 8.0 for Linux File Server Installation Guide.
The admin account is used for access to the Kaspersky Anti-Virus Web Management Console. The password for this account is defined during initial configuration of Kaspersky Anti-Virus. This account may be used for simultaneous access to the Web Management Console from multiple computers.
If two users open the web console window on different computers at the same time and modify the same parameter of Kaspersky Anti-Virus, the product will apply the parameter value saved last.
LAUNCHING THE WEB MANAGEMENT CONSOLE
You can launch the Web Management Console in a browser on the protected computer or on another computer located in the same network segment as the server and compliant with the hardware and software requirements.
To open the Kaspersky Anti-Virus web console, perform the following steps:
1. Enter the following address in the address line of the web browser: http://<IP address or domain name of the protected server>:9080
2. On the Logon page enter the Web Management Console user password and press Log on.
At the first Web Management Console logon you should enter the user password defined during initial configuration of Kaspersky Anti-Virus.
If you have not specified a password for access to the Web Management Console during the Kaspersky Anti-Virus initial configuration, you can do it using the /opt/kaspersky/kav4fs/bin/kav4fs-wmconsole-passwd utility.
CHANGING THE USER PASSWORD FOR THE WEB MANAGEMENT CONSOLE
Default settings of the account used to access the Web Management Console are as follows:
User name – admin.
The password for this account is specified during initial configuration of Kaspersky Anti-Virus.
You can change the user password, if necessary.
To edit the Web Management Console user password, perform the following steps:
1. In the left part of Kaspersky Web Management Console, select the General settings section.
2. In the Current password field enter the user password used at present.
3. In the New password field define the new user password and re-enter it in the Confirm new password field.
4. Click the Change password button.
STARTING AND STOPPING KASPERSKY ANTI-VIRUS
Before taking the actions or using the commands described in this section, make sure that the kav4fs-supervisor service is running on the computer!
By default, Kaspersky Anti-Virus starts automatically at operating system startup (on the default runlevels of each operating system). Kaspersky Anti-Virus runs all predefined and custom tasks whose schedule settings (see section "Schedule settings" on page 151) are configured for the PS run mode.
If you stop Kaspersky Anti-Virus, execution of all tasks is interrupted. After Kaspersky Anti-Virus restarts, interrupted custom tasks are not resumed automatically. Only those custom tasks whose schedule settings (see section "Schedule settings" on page 151) are configured for the PS run mode are launched again.
To start Kaspersky Anti-Virus, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-app
To stop Kaspersky Anti-Virus, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --stop-app
To restart Kaspersky Anti-Virus, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --restart-app
MANAGING THE TASKS IN KASPERSKY ANTI-VIRUS
A task is a Kaspersky Anti-Virus component implementing a specific part of the application functionality. For example, the real-time protection task implements protection of the server files in real time, the update task downloads and installs Kaspersky Anti-Virus database updates, etc.
To list Kaspersky Anti-Virus tasks, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-task-list
The user can manage the following types of tasks (see page 18):
OAS, real-time protection tasks;
ODS, on-demand scan tasks;
QS, tasks which scan quarantined objects;
Update, update tasks.
The tasks of other types are system tasks and are not intended to be managed by the user. You can only modify their operation settings.
CREATING AN ON-DEMAND SCAN OR UPDATE TASK
The Kaspersky Anti-Virus installation creates one task of each type. You can create custom on-demand scan and update tasks (see section "Creating a task" on page 99).
To create an on-demand scan task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--create-task <task name> --use-task-type=ODS \
[--file=<configuration file name>] [--file-format=<INI|XML>]
The settings for the created task are as follows:
all local and mounted objects will be scanned;
scan will be done with default settings.
You can create an on-demand scan task with the required set of parameters. To do that, specify the full path to the file containing the task settings using the --file key of the --create-task command.
To create an update task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--create-task <task name> --use-task-type=Update \
--file=<path to the file containing the task settings>
DELETING AN ON-DEMAND SCAN OR UPDATE TASK
You can delete update tasks and on-demand scan tasks (except the Quarantine scan (ID=10) and On-Demand Scan (ID=9) tasks).
You cannot delete the real-time protection task.
To delete the task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --delete-task <task ID>
MANUAL TASK MANAGEMENT
The actions described in this section are available for the OAS, ODS, QS, and Update task types.
You can pause and resume any task except for update tasks.
You can run several on-demand scan tasks simultaneously.
To start a task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task <task ID>
To stop a task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --stop-task <task ID>
To pause a task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --suspend-task <task ID>
To resume a task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --resume-task <task ID>
AUTOMATIC TASK MANAGEMENT
In addition to managing Kaspersky Anti-Virus tasks manually, you can use automatic task management. To do so, create a task schedule.
A task schedule is a set of rules that define the task start time and the duration of task execution.
Automatic management is supported for the following types of tasks:
real-time protection;
on-demand scan;
databases update.
To schedule a task using a configuration file, perform the following steps:
1. Save task schedule settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-schedule <task ID> \
--file=<full path to the file>
2. Configure the schedule settings (see page 151).
3. Import the schedule settings into the task:
/opt/kaspersky/kav4fs/bin/kav4fs-control --set-schedule <task ID> \
--file=<full path to the file>
VIEWING TASK STATE
One of the aspects of task management is monitoring the task state.
Kaspersky Anti-Virus tasks may have one of the following states:
Started – the task is in progress;
Starting – the task is starting;
Stopped – the task is stopped;
Stopping – the task is stopping;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resumed – the task has been resumed;
Resuming – the task is resuming;
Failed – the task has terminated with an error;
Interrupted by user – the task execution was interrupted by the user.
To view the task state, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-task-state <task ID>
Example of the command output:
Name: On-demand scan
Id: 9
Class: ODS
State: Stopped
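As an added monitoring example (not from the guide), the following POSIX shell script parses the Name/Id/Class/State output shown above and maps the State to an exit code, so that a cron job or monitoring agent can raise an alert when a task that should be running (for example real-time protection) is stopped or failed. The binary path is the one given in the guide; the function names and the sample output used for testing are the script's own assumptions.

```shell
#!/bin/sh
# Added monitoring helper (not part of the Kaspersky guide). It parses the output
# of "kav4fs-control --get-task-state <task ID>" (Name/Id/Class/State lines, as in
# the guide's example) and turns the State into an exit code a cron job or
# monitoring agent can act on, so an unexpectedly stopped or failed task is noticed.
# The binary path is the one given in the guide; everything else is this script's own.

KAV4FS_CONTROL=/opt/kaspersky/kav4fs/bin/kav4fs-control

# Print the value of the field named $2 ("Name", "Id", "Class" or "State") from
# the command output passed as $1; prints nothing if the field is missing.
task_field() {
    printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# Map the State value found in output $1 to an exit code:
#   0 running (Started, Resumed)
#   1 transitional (Starting, Resuming, Stopping, Suspending)
#   2 not running (Stopped, Suspended, Failed, Interrupted by user)
#   3 unrecognised or missing State line
classify_task_state() {
    case "$(task_field "$1" State)" in
        Started|Resumed)                                  return 0 ;;
        Starting|Resuming|Stopping|Suspending)            return 1 ;;
        Stopped|Suspended|Failed|"Interrupted by user")   return 2 ;;
        *)                                                return 3 ;;
    esac
}

# One-line summary of output $1, e.g. "On-demand scan (id 9, ODS): Stopped".
describe_task() {
    printf '%s (id %s, %s): %s\n' "$(task_field "$1" Name)" "$(task_field "$1" Id)" \
        "$(task_field "$1" Class)" "$(task_field "$1" State)"
}

# Query the running application for task $1 and print the summary; the exit
# code is the classification above (3 also when the query itself fails, for
# example because the kav4fs-supervisor service is not running).
check_task() {
    out=$("$KAV4FS_CONTROL" --get-task-state "$1" 2>&1) || {
        echo "task $1: query failed: $out"; return 3; }
    rc=0; classify_task_state "$out" || rc=$?
    describe_task "$out"
    return $rc
}

# Stand-alone use: check_task.sh <task ID>; take the ID of the task to watch
# from "kav4fs-control --get-task-list".
[ $# -ne 1 ] || check_task "$1"
```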
VIEWING TASK STATISTICS
You can obtain the operating statistics for Kaspersky Anti-Virus tasks. Viewing statistics is available for the following task types:
Application – general operating statistics for Kaspersky Anti-Virus;
Quarantine – quarantine statistics;
OAS – statistics for the real-time protection task;
ODS – statistics for the on-demand scan tasks;
Backup – backup storage statistics;
Update – statistics for update tasks.
For the ODS and Update task types, it is necessary to specify the task ID. If the task ID is not specified, general statistics for the selected task type will be provided.
To view task statistics, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-stat <task type> [--task-id <task ID>]
You can specify the period for which statistics are displayed.
The date and time of the beginning and end of the period are specified in the format [YYYY-MM-DD] [HH24:MI:SS].
To obtain statistics for a specific period, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-stat <task type> --from=<beginning of period> --to=<end of period>
If the value of the <beginning of period> setting is not specified, statistics will be collected since the task start. If the value of the <end of period> setting is not specified, statistics will be collected until the present moment.
You can save task statistics to a file in one of two formats: HTML or CSV. By default, the file format is determined by the file extension.
To save statistics to a file, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-stat <task type> [--task-id <task ID>] --export-report=<full path to the file>
UPDATING KASPERSKY ANTI-VIRUS
During the license period you can download updates for the databases of Kaspersky Anti-Virus.
Databases are files containing records that are used to detect the malicious code of known threats in scanned objects. These records contain information about the control sections of the threats' code and the algorithms used for disinfecting objects in which these threats are contained.
Virus analysts at Kaspersky Lab detect hundreds of new threats daily, create records to identify them, and include them in database updates. Database updates are one or several files that contain records identifying threats detected since the previous update was released. To minimize the risk of server infection, we recommend downloading database updates regularly.
Kaspersky Lab can release Kaspersky Anti-Virus module update packages. Update packages are classified as urgent (or critical) or routine. Urgent update packages remove vulnerabilities and fix errors; routine updates add new functions or improve existing ones.
During license validity period you can download updates from the web site of Kaspersky Lab and install them manually.
You can also automatically install module updates for other Kaspersky Lab applications.
Database updates
During installation, Kaspersky Anti-Virus retrieves the current databases from a Kaspersky Lab HTTP server; if you have configured automatic database updates, Kaspersky Anti-Virus starts the update according to the schedule (once every 30 minutes) using the predefined update task (ID=6).
You can configure the preinstalled update task and create user-defined update tasks.
If the update download is interrupted or terminates with an error, Kaspersky Anti-Virus automatically switches back to the databases from the previously installed update. If the Kaspersky Anti-Virus databases become corrupted, you can roll them back to the previously installed update.
By default, if the Kaspersky Anti-Virus databases have not been updated for a week since Kaspersky Lab released the last installed update, Kaspersky Anti-Virus logs the Databases are outdated event (AVBasesAreOutOfDate). If the databases have not been updated for two weeks, it registers the Databases are obsolete event (AVBasesAreTotallyOutOfDate).
Copying database and module updates. Distributing updates
You can download updates to each protected computer, or use one computer as an intermediary by copying all updates onto it and then distributing them to the other computers. If you use Kaspersky Security Center for the centralized administration of computer protection in an enterprise, you can use the Kaspersky Security Center Administration Server as the intermediary for distributing updates.
To save database updates on an intermediary computer without applying them, configure updates distribution in the update task.
SELECTING AN UPDATE SOURCE
or FTP servers, or local or network folders.
The main update source is Kaspersky Lab's update servers. These are special Internet sites which contain updates for databases and application modules for all Kaspersky Lab products.
To select Kaspersky Lab's update servers as an update source, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
CommonSettings.SourceType=KLServers
To select the Kaspersky Security Center server as an update source, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
CommonSettings.SourceType=AKServer
UPDATING FROM LOCAL OR NETWORK FOLDER
Retrieving updates from a local folder works as follows:
1. One of the computers on the network retrieves a Kaspersky Anti-Virus update package from Kaspersky Lab's update servers, or from a mirror server hosting the current set of updates.
2. The retrieved updates are placed in a shared folder.
3. Other computers on the network access the shared folder to retrieve Anti-Virus database updates.
To download updates for Kaspersky Anti-Virus databases to a shared folder on one of the network computers, perform the following steps:
1. Create a folder for storing Kaspersky Anti-Virus database updates.
2. Provide shared access to the created folder.
3. Create a configuration file that contains the following setting values:
UpdateType="RetranslateProductComponents"
[CommonSettings]
SourceType="KLServers"
UseKLServersWhenUnavailable=yes
UseProxyForKLServers=no
UseProxyForCustomSources=no
PreferredCountry=""
ProxyServer=""
ProxyPort=3128
ProxyBypassLocalAddresses=yes
ProxyAuthType="NotRequired"
ProxyAuthUser=""
ProxyAuthPassword=""
UseFtpPassiveMode=yes
ConnectionTimeout=10
[UpdateComponentsSettings]
Action="DownloadAndApply"
[RetranslateUpdatesSettings]
RetranslationFolder="<full path to the created directory>"
4. Import the settings from the configuration file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
--file=<full path to the file>
5. Start the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task <update task ID>
Kaspersky Anti-Virus databases will be downloaded to the shared folder.
To specify the shared folder as an update source for other network computers, perform the following steps:
1. Create a configuration file that contains the following setting values:
UpdateType="AllBases"
[CommonSettings]
SourceType="Custom"
UseKLServersWhenUnavailable=yes
UseProxyForKLServers=no
UseProxyForCustomSources=no
PreferredCountry=""
ProxyServer=""
ProxyPort=3128
ProxyBypassLocalAddresses=yes
ProxyAuthType="NotRequired"
ProxyAuthUser=""
ProxyAuthPassword=""
UseFtpPassiveMode=yes
ConnectionTimeout=10
[CommonSettings:CustomSources]
Url="/home/bases"
Enabled=yes
[UpdateComponentsSettings]
Action="DownloadAndApply"
[RetranslateUpdatesSettings]
RetranslationFolder="<full path to the created directory>"
2. Import the settings from the configuration file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
--file=<full path to the file>
USING A PROXY SERVER
If you use a proxy server to connect to the Internet, you must configure its settings.
To enable the use of a proxy server for accessing Kaspersky Lab's update servers, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
CommonSettings.UseProxyForKLServers=yes \
CommonSettings.ProxyBypassLocalAddresses=yes \
CommonSettings.ProxyServer=proxy.company.com \
CommonSettings.ProxyPort=3128
To enable the use of a proxy server for accessing custom update sources, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
CommonSettings.UseProxyForCustomSources=yes \
CommonSettings.ProxyBypassLocalAddresses=yes \
CommonSettings.ProxyServer=proxy.company.com \
CommonSettings.ProxyPort=3128
To specify authentication settings for connection to the proxy server, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <update task ID> \
CommonSettings.ProxyAuthType=Plain \
CommonSettings.ProxyAuthUser=user \
CommonSettings.ProxyAuthPassword=password
LAST DATABASE UPDATE ROLLBACK
Kaspersky Anti-Virus creates backup copies of the current databases before it applies updates. If an update is interrupted or fails, Kaspersky Anti-Virus automatically reverts to the previous database version, which contains the updates installed earlier.
If you encounter problems after a database update, you can roll back the databases to the previous version. To do this, use the roll back to the previous databases task.
To roll back to the previous databases, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task 14
REAL-TIME PROTECTION
The real-time protection task prevents infection of the server file system. By default, the real-time protection task runs automatically at the start of Kaspersky Anti-Virus. The task runs in the server's RAM, scanning all files that are opened, saved, or executed. You can stop, start, pause and resume it.
You cannot create custom real-time protection tasks.
THE STRUCTURE OF PREDEFINED SECURITY LEVELS IN THE REAL-TIME PROTECTION TASK
Kaspersky Lab specialists distinguish three security levels. Which level to select is your own decision, based on the operating conditions and the current situation. You can select one of the following security levels:
Low
The Low security level can be selected on a server if the network has other computer security tools besides Kaspersky Anti-Virus on servers and workstations, for example, firewalls are configured and security policies are established for the network users.
The following settings will be applied at the Low security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=no
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=yes
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Cure"
InfectedSecondAction="Remove"
SuspiciousFirstAction="Quarantine"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
Recommended
The Recommended security level is set by default. Experts of Kaspersky Lab deem it sufficient for protection of file servers in most networks. The level provides an optimal combination of protection and the load on protected servers.
The following settings will be applied at the Recommended security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=no
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=no
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Recommended"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Recommended"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
High
Use the High security level if your computer network has strict security requirements.
The following settings will be applied at the High security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=yes
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=no
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Cure"
InfectedSecondAction="Remove"
SuspiciousFirstAction="Quarantine"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
CREATING A PROTECTION SCOPE
Note the specifics of scanning of symbolic and hard links (see page 9).
By default, the real-time protection task scans all files that are opened, modified, and saved within the local server file system.
You can extend or narrow down the protection area by adding or removing objects to be scanned, or by changing the type of files to be scanned (see page 30).
Kaspersky Anti-Virus scans objects in the specified areas in the order in which they are listed in the configuration file or in the Web Management Console. If you want a subdirectory to have security settings different from those of its parent directory, place the subdirectory higher in the list than its parent directory.
To extend a protected area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Add the following sections to the created file:
[ScanScope] which contains the following settings:
UseScanArea, enabling / disabling new scan area;
AreaMask which defines the name mask of objects to be scanned;
UseAccessUser which enables the scan mode depending on user and group accounts accessing the objects;
AreaDesc which defines the name of protection area.
[ScanScope:AreaPath] which contains the Path setting.
[ScanScope:AccessUser] which contains settings that define accounts whose file operations will be intercepted by the real-time protection task.
[ScanScope:ScanSettings] which contains scan settings for the area to be added.
All settings must be assigned in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
To narrow down a protected area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Delete the following sections, which define the protection area, from the created file:
[ScanScope];
[ScanScope:AreaPath];
[ScanScope:AccessUser];
[ScanScope:ScanSettings].
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
RESTRICTING A PROTECTION AREA USING MASKS AND REGULAR EXPRESSIONS
By default, Kaspersky Anti-Virus scans all objects within the scan or protection area.
You can specify templates for the names or paths of the files to scan. In this case, Kaspersky Anti-Virus will only scan files or directories from the protected area that are specified using Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify a template for the names of the files that Kaspersky Anti-Virus scans.
Using regular expressions, you can specify a template for the paths of the files that Kaspersky Anti-Virus scans. A regular expression cannot contain the name of the folder which defines the scan or protection area.
To specify file name or path templates for the files to be scanned, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Specify the value of the AreaMask setting in the [ScanScope] section which defines the protection area.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
EXCLUSION OF OBJECTS FROM A PROTECTION AREA
By default, the real-time protection task scans all objects that are included in protection areas defined for this task.
You can exclude objects from the scan. To do that, you can create four types of exclusions:
exclusion of objects from a protection area: in this case the specified objects will only be excluded from the selected protected area;
global exclusion of objects: in this case the specified objects will be excluded from all protection areas defined for the task;
exclusion of objects depending on user and group accounts accessing the objects: in this case the objects will be excluded from the protection area when they are accessed by specific accounts;
exclusion of objects by the name of the threat detected in them.
CREATING A GLOBAL EXCLUSION AREA
You can create a global exclusion area. Objects included in this area will be excluded from all areas defined for the real-time protection task.
To create a global exclusion area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Add the following sections to the created file:
[ExcludedFromScanScope], which contains the following settings:
UseScanArea, enabling / disabling exclusion area during scan;
AreaMask, which defines templates of object names to be excluded from the scan;
UseAccessUser, which enables the exclusion mode depending on user and group accounts accessing the objects;
AreaDesc, which defines a unique name for exclusion area;
[ExcludedFromScanScope:AreaPath], which contains the Path setting that defines the path to the objects to be excluded from the scan.
[ExcludedFromScanScope:AccessUser], which contains settings that define accounts whose file operations will be excluded from the scan.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
EXCLUDING OBJECTS FROM A PROTECTION AREA
By default, Kaspersky Anti-Virus scans all objects within the scan or protection area.
You can specify the name and path templates to be excluded from the scan or protection area. In this case, Kaspersky Anti-Virus will not scan files or folders in the scan or protection area that are specified using Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify the file name template excluded from scanning by Kaspersky Anti-Virus.
Using regular expressions, you can specify the file path template excluded from scanning by Kaspersky Anti-Virus. The regular expression should not contain the name of the directory containing the excluded object.
To exclude objects from the protection area, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeMasks setting in the [ScanScope:ScanSettings] section.
4. Specify file name or path templates using the ExcludeMasks setting in the [ScanScope:ScanSettings] section.
To specify several file name or path templates, repeat the ExcludeMasks setting value the required number of times.
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
EXCLUDING OBJECTS DEPENDING ON USER AND GROUP ACCOUNTS ACCESSING THE OBJECTS
Kaspersky Anti-Virus allows you to exclude objects from the protection area if they are accessed by applications running under the specified user or group accounts.
To exclude objects from the protection area depending on user and group accounts accessing the objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAccessUser setting in the [ExcludedFromScanScope] section.
4. Specify the user name under which file operations will not be scanned, using the UserName setting in the [ExcludedFromScanScope:AccessUser] section.
5. Specify the group name under which file operations will not be scanned, using the UserGroup setting in the [ExcludedFromScanScope:AccessUser] section.
If you wish to specify several user names or group names, specify values for the UserName and UserGroup settings the required number of times in one section.
6. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
EXCLUDING OBJECTS BY NAMES OF THE THREATS DETECTED IN THEM
If Kaspersky Anti-Virus considers a scanned object to be infected or potentially infected, it performs the action on this object specified in the task. If you consider this object to be harmless for the protected server, you can exclude it from the scan area by the type of object detected in it. In this case, Kaspersky Anti-Virus will treat such objects as clean and skip them.
The full name of the object detected in the file can contain the following information:
<object class>:<object type>.<brief name of the operating system>.<object name>.<object modification code>.
For example, not-a-virus:NetTool.Linux.SynScan.a.
You can find the full name of the object detected in the file in the Kaspersky Anti-Virus log.
You can also find the full name of the object detected in a file on the Virus Encyclopedia website (see the Virus Encyclopedia section at http://www.viruslist.com).
When specifying object type name templates, you can use Shell masks and ECMA-262 regular expressions.
To exclude objects by the name of detected threat, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeThreats setting in the [ScanScope:ScanSettings] section.
4. Specify the threat name template using the ExcludeThreats setting in the [ScanScope:ScanSettings] section.
To specify several threat name templates, repeat the ExcludeThreats setting value the required number of times.
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
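The following Python script is an added example, not Kaspersky's code. It splits a detection name into the components described above and applies ExcludeThreats and ExcludeMasks templates the way this guide describes them: Shell masks against the threat name or file name, regular expressions against the threat name or file path. It assumes that a template prefixed with "re:" is a regular expression and any other template is a Shell mask (that prefix is the example's own convention, not taken from this page), it uses Python's re module in place of an ECMA-262 engine, and all sample names and templates other than the one quoted above are constructed.

```python
"""Detection-name parsing and exclusion-template matching.

Added example, not Kaspersky's code. Assumes the detection-name layout given
in this guide (<class>:<type>.<OS>.<name>.<modification>, with "<class>:"
optional), treats a template starting with "re:" as a regular expression and
anything else as a shell mask (the prefix is this example's convention, not
taken from the guide), and uses Python's re module as a stand-in for an
ECMA-262 engine, which agrees for the simple patterns used here.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DetectionName:
    object_class: Optional[str]  # e.g. "not-a-virus"; None when absent
    object_type: str             # e.g. "NetTool"
    platform: str                # e.g. "Linux"
    name: str                    # e.g. "SynScan"
    modification: Optional[str]  # e.g. "a"; None when absent


def parse_detection_name(full_name):
    """Split e.g. 'not-a-virus:NetTool.Linux.SynScan.a' into its parts."""
    object_class, sep, rest = full_name.partition(":")
    if not sep:  # no "<class>:" prefix
        object_class, rest = None, full_name
    parts = rest.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected detection name layout: {full_name!r}")
    modification = parts[3] if len(parts) > 3 else None
    return DetectionName(object_class, parts[0], parts[1], parts[2], modification)


def template_matches(template, subject):
    """True when subject matches a shell mask or an 're:'-prefixed regex."""
    if template.startswith("re:"):
        return re.fullmatch(template[3:], subject) is not None
    return fnmatch.fnmatchcase(subject, template)


def is_excluded_threat(full_name, exclude_threats):
    """ExcludeThreats: the full detection name is tested against each template."""
    return any(template_matches(t, full_name) for t in exclude_threats)


def is_excluded_path(rel_path, exclude_masks):
    """ExcludeMasks as the guide describes them: shell masks apply to the file
    name, regular expressions to the path. The caller passes the path relative
    to the protection-area directory, since the guide says the regular
    expression must not contain that directory's name."""
    file_name = rel_path.rsplit("/", 1)[-1]
    for template in exclude_masks:
        subject = rel_path if template.startswith("re:") else file_name
        if template_matches(template, subject):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs; the first name is the one quoted in the guide.
    threats = ["not-a-virus:NetTool.Linux.SynScan.a", "Trojan.Linux.Example.b"]
    exclude_threats = ["not-a-virus:NetTool.*", r"re:not-a-virus:RemoteAdmin\..*"]
    for t in threats:
        print(parse_detection_name(t), "excluded:", is_excluded_threat(t, exclude_threats))
    for p in ["logs/app.log", "logs/app.log.1", "cache/tmp/x.dat"]:
        print(p, "excluded:", is_excluded_path(p, ["*.log", "re:cache/.*"]))
```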
SELECTING INTERCEPTION MODE
Kaspersky Anti-Virus includes two components that intercept attempts to access files and scan those files: the Samba interceptor (used to scan objects on the server accessed from remote computers via the SMB / CIFS protocol) and the kernel level interceptor (scanning objects accessed by other means).
The Samba interceptor provides, as additional object information, the IP address of the remote computer from which an application attempted to access an object when the attempt was intercepted by Kaspersky Anti-Virus.
To enable the kernel level interceptor, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 ProtectionType=KernelOnly
To enable the Samba interceptor, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 ProtectionType=SambaOnly
To enable both interceptors, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 ProtectionType=Full
If only the Samba interceptor is enabled, Kaspersky Anti-Virus will not scan objects that are accessed by means other than SMB / CIFS.
SELECTING PROTECTION MODE
By default, Kaspersky Anti-Virus uses smart mode, which determines whether an object is to be scanned based on the actions performed on it. For example, when working with a Microsoft® Office document, Kaspersky Anti-Virus scans the file when it is first opened and last closed. All intermediate file overwrite operations are excluded from scanning.
To change the object protection mode, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign one of the following values to the ScanByAccessType setting in the [ScanScope:ScanSettings] section:
SmartCheck, to enable the Smart mode;
Open, to enable protection mode at an attempt to access the file;
OpenAndModify, to enable protection mode at an attempt to open and modify the file.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
USING HEURISTIC ANALYSIS
Objects are scanned using databases containing descriptions of known threats and ways to neutralize them. Kaspersky Internet Security compares each scanned object with the database records to determine with certainty whether the object is malicious and, if so, which class of malware it falls into. This approach is called signature analysis and is always used by default.
Since new malicious objects appear daily, there is always some malware which is not described in the databases and which can only be detected using heuristic analysis. This method analyzes the actions an object performs within the system. If such activity is typical of malicious objects, the object is likely to be labeled as malicious or potentially infected. As a result, new threats are identified before they become known to virus analysts.
Additionally, you can set the detail level for scans. It balances the thoroughness of the search for new threats against the load on the operating system's resources and the time required for scanning. The higher the detail level, the more resources the scan will require, and the longer it will take.
To use the heuristic analysis and set the detail level for scans:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAnalyzer setting in the [ScanScope:ScanSettings] section;
one of the values Light, Medium, Deep or Recommended to the HeuristicLevel setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
USING SCAN MODE DEPENDING ON USER AND GROUP ACCOUNTS ACCESSING THE OBJECTS
Kaspersky Anti-Virus can scan objects when they are accessed by applications running with the permissions of the specified users or groups.
To enable the object scan mode depending on user and group accounts accessing the objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAccessUser setting in the [ScanScope] section;
the user account under which file operations will be scanned, to the UserName setting in the [ScanScope:AccessUser] section;
the group account under which file operations will be scanned, to the UserGroup setting in the [ScanScope:AccessUser] section.
If you wish to specify several user names or group names, specify values for the UserName and UserGroup settings the required number of times in one section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
SELECTING ACTIONS TO PERFORM ON DETECTED OBJECTS
As a result of the scan, Kaspersky Anti-Virus assigns one of the following statuses to the object:
infected, if code of a known virus is detected in the object;
suspicious, if the scan cannot determine whether the object is infected or not. This means that the application has detected a sequence of code in the file from an unknown virus, or modified code from a known virus.
You can specify two actions to be performed on objects with each status. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
You can specify the following actions to be performed on the detected objects:
Recommended. Kaspersky Anti-Virus automatically selects and performs actions on the object based on data about the threat detected in the object and about the possibility of disinfecting it. For example, Kaspersky Anti-Virus will immediately remove Trojans since they do not incorporate themselves into other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Remove. Kaspersky Anti-Virus deletes the object after making a backup copy.
Skip. Kaspersky Anti-Virus leaves the object unchanged.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to be performed on infected objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
InfectedFirstAction in the [ScanScope:ScanSettings] section;
InfectedSecondAction in the [ScanScope:ScanSettings] section;
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
To specify actions to be performed on suspicious objects, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
SuspiciousFirstAction in the [ScanScope:ScanSettings] section;
SuspiciousSecondAction in the [ScanScope:ScanSettings] section;
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
SELECTING ACTIONS DEPENDING ON THE THREAT TYPE
You can specify operations for the following types of threats:
Virware – viruses;
Trojware – Trojans;
Malware – programs which cannot harm your computer directly, but can be used by developers of malicious code or various malicious programs;
Adware – advertising software;
Pornware – programs which download pornographic material or pornography sites without the user's permission;
Riskware – harmless programs which could be used for malicious purposes. An example of such software is the Remote Administrator utility.
You can specify two actions for each threat type. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
You can specify the following actions:
Recommended. Kaspersky Anti-Virus automatically selects and performs actions on the object based on data about the threat detected in the object and about the possibility of disinfecting it. For example, Kaspersky Anti-Virus will immediately remove Trojans since they do not incorporate themselves into other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Remove. Kaspersky Anti-Virus deletes the object after making a backup copy.
Skip. Kaspersky Anti-Virus leaves the object unchanged.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to be performed on threats of a specific type:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAdvancedActions setting in the [ScanScope:ScanSettings] section.
4. Add the [ScanScope:ScanSettings:AdvancedActions] section to the configuration file.
5. Specify the threat type using the Verdict setting in the [ScanScope:ScanSettings:AdvancedActions] section.
6. Specify actions to be performed on the threat of selected type using the FirstAction and SecondAction settings in the [ScanScope:ScanSettings:AdvancedActions] section.
7. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
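The Python script below is an added example, not Kaspersky's code. It parses a settings file in the layout this guide uses (sections that may repeat, keys that may repeat within a section, optionally quoted values) and checks every first/second action pair in [ScanScope:ScanSettings] and [ScanScope:ScanSettings:AdvancedActions] against the three rules stated above for detected objects and for threat types, before the file is imported with --set-settings. The sample settings text is constructed for the example.

```python
"""Parser and action-rule checker for kav4fs-style settings files (added
example, not Kaspersky's code). Assumes only the layout shown in this guide:
[Section] or [Section:Subsection] headers that may repeat, Key=Value lines
with optionally double-quoted values, keys that may repeat inside a section
(ExcludeMasks, ExcludeThreats, UserName), and the action rules in the text.
"""
import re
from collections import defaultdict

ACTIONS = {"Recommended", "Cure", "Quarantine", "Remove", "Skip"}
SECTION_RE = re.compile(r"\[([A-Za-z0-9_:]+)\]")


def parse_settings(text):
    """Return [(section, {key: [values...]}), ...] in file order; a list,
    since one section name (e.g. [ExcludedFromScanScope]) may occur twice."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = SECTION_RE.fullmatch(line)
        if header:
            current = (header.group(1), defaultdict(list))
            sections.append(current)
            continue
        if current is None:  # keys such as UpdateType precede any header
            current = ("", defaultdict(list))
            sections.append(current)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current[1][key.strip()].append(value)
    return sections


def check_action_pair(first, second):
    """Return the rule violations for a (first action, second action) pair."""
    problems = []
    for position, action in (("first", first), ("second", second)):
        if action not in ACTIONS:
            problems.append(f"unknown {position} action {action!r}")
    if second == "Recommended":
        problems.append("Recommended is allowed only as the first action")
    if first == "Skip" and second != "Skip":
        problems.append("if the first action is Skip, the second must be Skip")
    if first in ("Recommended", "Remove") and second == "Quarantine":
        problems.append("Quarantine cannot follow Recommended or Remove")
    return problems


# Key pairs that form a first/second action pair, per section.
ACTION_PAIRS = {
    "ScanScope:ScanSettings": [
        ("InfectedFirstAction", "InfectedSecondAction"),
        ("SuspiciousFirstAction", "SuspiciousSecondAction"),
    ],
    "ScanScope:ScanSettings:AdvancedActions": [("FirstAction", "SecondAction")],
}


def validate_actions(sections):
    """Check every action pair present in the parsed sections."""
    findings = []
    for name, keys in sections:
        for first_key, second_key in ACTION_PAIRS.get(name, []):
            if first_key not in keys or second_key not in keys:
                continue
            first, second = keys[first_key][-1], keys[second_key][-1]
            # In AdvancedActions the Verdict (threat type) names the pair.
            label = keys["Verdict"][-1] if "Verdict" in keys else first_key
            for problem in check_action_pair(first, second):
                findings.append(f"[{name}] {label} {first}/{second}: {problem}")
    return findings


# Constructed sample: the Infected pair breaks the Remove/Quarantine rule.
SAMPLE = """\
[ScanScope]
UseScanArea=yes
AreaMask="*"
[ScanScope:ScanSettings]
InfectedFirstAction="Remove"
InfectedSecondAction="Quarantine"
SuspiciousFirstAction="Recommended"
SuspiciousSecondAction="Skip"
UseExcludeMasks=yes
ExcludeMasks="*.log"
ExcludeMasks="*.tmp"
UseAdvancedActions=yes
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
"""

if __name__ == "__main__":
    for finding in validate_actions(parse_settings(SAMPLE)):
        print(finding)
```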
SCAN OPTIMIZATION
You can reduce the scan time and speed up Kaspersky Anti-Virus. To do so, you can specify two types of restrictions:
restriction on the scan duration: once the specified time period elapses, the object scan will be stopped;
restriction on the maximum size of the object to scan: objects larger than the specified limit will be skipped during the scan.
To impose a time restriction on the scan duration, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseTimeLimit setting in the [ScanScope:ScanSettings] section;
the maximum object scan time (in seconds) to the TimeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
To enable restriction on the maximum size of the object to scan, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseSizeLimit setting in the [ScanScope:ScanSettings] section;
the maximum object size (in bytes) to the SizeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
COMPATIBILITY WITH OTHER KASPERSKY LAB APPLICATIONS
To ensure compatibility of Kaspersky Anti-Virus 8.0 with Kaspersky Anti-Virus for Linux Mail Server, Kaspersky Anti-Spam, and Kaspersky Mail Gateway, you should exclude the support directories of these programs from being scanned in the real-time protection task.
To configure simultaneous operation of the Kaspersky Anti-Virus 8.0 and Kaspersky Anti-Virus for Linux Mail Server, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Add the following section to the created file:
[ExcludedFromScanScope]
UseScanArea=yes
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path=<path to directory of the mail queue of mail agent integrated with Kaspersky Anti-Virus for Linux Mail Server>
[ExcludedFromScanScope:AccessUser]
UserName=<name of user who is the owner of the mail queue>
3. Repeat the section specified above for all mail agents integrated with Kaspersky Anti-Virus for Linux Mail Server.
4. To exclude from the scan the temporary directory for Kaspersky Anti-Virus for Linux Mail Server filter and services, add the following section to the created file:
[ExcludedFromScanScope]
UseScanArea=yes
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path="/var/tmp"
[ExcludedFromScanScope:AccessUser]
UserName="kluser"
5. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
To configure simultaneous operation of Kaspersky Anti-Virus 8.0 with Kaspersky Anti-Spam, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. Add the following section to the created file:
[ExcludedFromScanScope]
UseScanArea=yes
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path=<path to the mail queue directory of the mail agent integrated with Kaspersky Anti-Spam>
[ExcludedFromScanScope:AccessUser]
UserName=<name of user who is the owner of the mail queue>
3. Repeat the section specified above for all mail agents integrated with Kaspersky Anti-Spam.
4. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
To configure simultaneous operation of Kaspersky Anti-Virus 8.0 with Kaspersky Mail Gateway, perform the following steps:
1. Save the real-time protection task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 8 --file=<full path to the file>
2. To exclude from the scan the Kaspersky Mail Gateway queue directory, add the following section to the created file:
[ExcludedFromScanScope]
UseScanArea=yes
AreaMask="*"
UseAccessUser=yes
[ExcludedFromScanScope:AreaPath]
Path="/var/spool/kaspersky/mailgw"
[ExcludedFromScanScope:AccessUser]
UserName="kluser"
3. Import settings from file to the real-time protection task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 8 --file=<full path to the file>
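The three procedures above differ only in the path and owner of the directory being excluded. The following shell script is an added example, not a tool shipped with Kaspersky Anti-Virus: it generates one [ExcludedFromScanScope] block per queue in the layout shown above, appends the blocks to the settings file exported from the real-time protection task (ID 8), and re-imports the file only when kav4fs-control is present on the host. The entries in QUEUES are placeholders (assumption: substitute the real queue directories and owners of your mail agents), except /var/tmp and /var/spool/kaspersky/mailgw, which the procedures above name for kluser.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Anti-Virus): generate one
# [ExcludedFromScanScope] block per mail queue, append the blocks to a
# settings file exported from the real-time protection task (ID 8), and
# re-import it. Queue paths and owners in QUEUES are placeholders except
# /var/tmp and /var/spool/kaspersky/mailgw, which the guide names.
set -eu

KAV_CTL=/opt/kaspersky/kav4fs/bin/kav4fs-control
RTP_TASK=8

# Print one exclusion block in the layout the guide uses.
# Arguments: directory path, owner of the queue (access user).
kav_exclusion_block() {
    printf '[ExcludedFromScanScope]\n'
    printf 'UseScanArea=yes\n'
    printf 'AreaMask="*"\n'
    printf 'UseAccessUser=yes\n'
    printf '[ExcludedFromScanScope:AreaPath]\n'
    printf 'Path="%s"\n' "$1"
    printf '[ExcludedFromScanScope:AccessUser]\n'
    printf 'UserName="%s"\n' "$2"
}

# Append a block for every "path:owner" entry in $1 (space-separated, so
# paths must not contain spaces) to the settings file $2.
kav_append_exclusions() {
    for entry in $1; do
        kav_exclusion_block "${entry%%:*}" "${entry#*:}" >>"$2"
    done
}

# Number of exclusion blocks present in settings file $1 (0 when none).
kav_count_exclusions() {
    grep -c '^\[ExcludedFromScanScope\]$' "$1" || true
}

SETTINGS=${TMPDIR:-/tmp}/kav4fs-rtp-settings.$$
# Placeholder queue list (assumption): one entry per integrated mail agent,
# plus the two directories the guide names for kluser.
QUEUES="/var/spool/mta/queue:mta /var/tmp:kluser /var/spool/kaspersky/mailgw:kluser"

if [ -x "$KAV_CTL" ]; then
    "$KAV_CTL" --get-settings "$RTP_TASK" --file="$SETTINGS"
else
    : >"$SETTINGS"    # no kav4fs on this host: build the fragment only
fi
kav_append_exclusions "$QUEUES" "$SETTINGS"
echo "$(kav_count_exclusions "$SETTINGS") exclusion block(s) written to $SETTINGS"
if [ -x "$KAV_CTL" ]; then
    "$KAV_CTL" --set-settings "$RTP_TASK" --file="$SETTINGS"
fi
```

Because each block carries UseAccessUser=yes, a queue directory is excluded only for files accessed by the named owner; other users touching the same directory are still scanned, which keeps the exclusion as narrow as the procedures above intend.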
ON-DEMAND SCAN
An on-demand scan involves a one-time complete or selective scan for malicious programs on the server. Kaspersky Anti-Virus may run several on-demand scan tasks at the same time.
Kaspersky Anti-Virus includes two predefined on-demand scan tasks:
On-demand scan. Scans all local objects on the server with the recommended security settings and all the shared objects, regardless of access protocol.
Scanning quarantined objects. Scans quarantined objects. By default, this task starts automatically after each database update.
You can create on-demand scan tasks.
THE STRUCTURE OF PREDEFINED SECURITY LEVELS IN ON-DEMAND SCAN TASKS
Kaspersky Lab specialists distinguish three security levels. Which level to select is your decision, based on the operating conditions and the current situation. You can select one of the following security levels:
Low
The Low security level can be selected on a server if the network has other computer security tools besides Kaspersky Anti-Virus on servers and workstations, for example, firewalls are configured and security policies are established for the network users.
The following settings will be applied at the Low security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=no
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=yes
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Cure"
InfectedSecondAction="Remove"
SuspiciousFirstAction="Quarantine"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
Recommended
The Recommended security level is set by default. Experts of Kaspersky Lab deem it sufficient for protection of file servers in most networks. The level provides an optimal combination of protection and the load on protected servers.
The following settings will be applied at the Recommended security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=no
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=no
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Recommended"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Recommended"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
High
Use the High security level if you have high requirements for the security of your computer network.
The following settings will be applied at the High security level during the scan:
[ScanScope:ScanSettings]
ScanArchived=no
ScanSfxArchived=yes
ScanMailBases=no
ScanPlainMail=no
ScanPacked=yes
UseTimeLimit=yes
TimeLimit=60
UseSizeLimit=no
SizeLimit=8388608
ScanByAccessType="SmartCheck"
InfectedFirstAction="Cure"
InfectedSecondAction="Remove"
SuspiciousFirstAction="Quarantine"
SuspiciousSecondAction="Skip"
UseAdvancedActions=yes
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
HeuristicLevel="Recommended"
KeepLastAccess=no
[ScanScope:ScanSettings:AdvancedActions]
Verdict="Riskware"
FirstAction="Skip"
SecondAction="Skip"
QUICK SCAN OF FILES AND DIRECTORIES
Kaspersky Anti-Virus can perform a quick scan of files and directories without the need to configure a scan area. You can pass the paths of the files and directories to scan, or name templates for them defined with Shell masks.
To scan file or directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control --scan-file <path to file or directory>
To scan several files or directories:
/opt/kaspersky/kav4fs/bin/kav4fs-control --scan-file <path to file or directory> <path to file or directory> ...
The --scan-file command runs the scan with the following default configuration:
ScanPriority="System"
[ScanScope]
UseScanArea=yes
AreaMask="*"
AreaDesc="Scan one file"
[ScanScope:AreaPath]
Path="<path to scanned files and directories>"
[ScanScope:ScanSettings]
ScanArchived=yes
ScanSfxArchived=yes
ScanMailBases=yes
ScanPlainMail=yes
ScanPacked=yes
UseTimeLimit=no
TimeLimit=120
UseSizeLimit=no
SizeLimit=0
InfectedFirstAction="Skip"
InfectedSecondAction="Skip"
SuspiciousFirstAction="Skip"
SuspiciousSecondAction="Skip"
UseAdvancedActions=no
UseExcludeMasks=no
UseExcludeThreats=no
ReportCleanObjects=no
ReportPackedObjects=no
UseAnalyzer=yes
KeepLastAccess=no
HeuristicLevel="Recommended"
By default, all detected objects will be skipped and the corresponding data will be recorded in the report. You can specify one of the following actions performed on detected objects: Recommended, Cure, Quarantine, Remove, Skip.
To specify actions on detected objects:
/opt/kaspersky/kav4fs/bin/kav4fs-control --action <action> --scan-file <path to file or directory>
CREATING A SCAN AREA
Note the specifics of scanning of symbolic and hard links (see page 9 ).
The on-demand scan task scans objects within the server file system that are included in the scan area. You can extend or narrow down the scan area by adding or removing objects to be scanned, or by changing the type of files to be
Kaspersky Anti-Virus scans objects in the specified areas in the order in which they are listed in the configuration file or in the Web Management Console. If the security settings of a subdirectory should differ from those of its parent directory, place the subdirectory in the list above its parent directory.
To extend a scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Add the following sections to the created file:
[ScanScope] which contains the following settings:
UseScanArea which enables / disables the new scan area;
AreaMask which defines the name mask of objects to be scanned;
AreaDesc which defines the name of protection area.
[ScanScope:AreaPath] which contains the Path setting.
[ScanScope:ScanSettings] which contains scan settings for the area to be added.
All settings must be assigned in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
To narrow down a scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Delete from the created file the following sections, defining protection area:
[ScanScope];
[ScanScope:AreaPath];
[ScanScope:ScanSettings].
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
RESTRICTING A SCAN AREA USING MASKS AND REGULAR EXPRESSIONS
By default, Kaspersky Anti-Virus scans all objects within the scan or protection area.
You can specify templates for the names or paths of the files to scan. In this case, Kaspersky Anti-Virus will only scan files or directories from the protected area that are specified using Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify the file name template to scan by Kaspersky Anti-Virus.
Using regular expressions, you can specify the file path template to scan by Kaspersky Anti-Virus. A regular expression cannot contain the name of the folder which defines the scan or protection area.
To specify file name or path templates for the files to be scanned, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Specify the value of the AreaMask setting in the [ScanScope] section which defines the protection area.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS FROM THE SCAN AREA
By default, the on-demand scan task scans all objects included in the scan areas defined for this task.
You can exclude several objects from the scan. To do that, you can create three types of exclusions:
exclusion of objects from a scan area: in this case the specified objects will only be excluded from the selected scan area;
global exclusion of objects: in this case the specified objects will be excluded from all scan areas defined for the task;
exclusion of objects by the name of the threat detected in them.
CREATING A GLOBAL EXCLUSION AREA
You can create a global exclusion area. Objects included in this area will be excluded from all areas defined for the on-demand scan task.
To create a global exclusion area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Add the following sections to the created file:
[ExcludedFromScanScope], which contains the following settings:
UseScanArea which enables / disables the new exclusion area;
AreaMask, which defines templates of object names to be excluded from the scan;
AreaDesc, which defines a unique name for exclusion area.
[ExcludedFromScanScope:AreaPath], which contains the Path setting that defines the path to the objects to be excluded from the scan.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS FROM THE SCAN AREA
By default, Kaspersky Anti-Virus scans all objects within the scan or protection area.
You can specify the name and path templates to be excluded from the scan or protection area. In this case, Kaspersky Anti-Virus will not scan files or folders in the scan or protection area that are specified using Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify the file name template excluded from scanning by Kaspersky Anti-Virus.
Using regular expressions, you can specify the file path template excluded from the scan by Kaspersky Anti-Virus. The regular expression should not contain the name of the directory containing the excluded object.
To exclude objects from the scan area, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeMasks setting in the [ScanScope:ScanSettings] section.
4. Specify file name or path templates using the ExcludeMasks setting in the [ScanScope:ScanSettings] section.
To specify several file name or path templates, repeat the ExcludeMasks setting value the required number of times.
5. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
EXCLUDING OBJECTS BY NAMES OF THE THREATS DETECTED IN THEM
If Kaspersky Anti-Virus considers a scanned object to be infected or potentially infected, it performs the action on this object specified in the task. If you consider this object to be harmless for the protected server, you can exclude it from the scan area by the type of object detected in it. In this case, Kaspersky Anti-Virus will treat such objects as clean and skip them.
The full name of the object detected in the file can contain the following information:
<object class>:<object type>.<brief name of the operating system>.<object name>.<object modification code>.
For example, not-a-virus:NetTool.Linux.SynScan.a.
You can find the full name of the object detected in the file in the Kaspersky Anti-Virus log.
You can also find the full name of the object detected in a file at the Virus Encyclopedia website (see the Virus Encyclopedia section at http://www.viruslist.com ).
When specifying object type name templates, you can use Shell masks and ECMA-262 regular expressions.
To exclude objects by the name of detected threat, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseExcludeThreats setting in the [ScanScope:ScanSettings] section.
4. Specify the threat name template using the ExcludeThreats setting in the [ScanScope:ScanSettings] section.
To specify several threat name templates, repeat the ExcludeThreats setting value the required number of times.
5. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
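Both exclusion procedures above (ExcludeMasks for file names, ExcludeThreats for detected-object names) take Shell masks, and the guide states that a Shell mask describes a file name rather than a path. The script below is an added example, not Kaspersky's own matcher: it tests sample names against masks with the shell's own glob matching, applies file masks to the base name only, and prints the repeated ExcludeMasks= / ExcludeThreats= lines for a list of masks. ECMA-262 regular expressions, the other template form the guide accepts, are not modelled here. The sample paths and the name Trojan.Linux.Agent.x are constructed for the demonstration; not-a-virus:NetTool.Linux.SynScan.a is the guide's own example.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Anti-Virus): apply the shell-mask form
# of ExcludeMasks and ExcludeThreats templates with the shell's glob matching
# and print the repeated settings lines the guide describes. ECMA-262 regular
# expressions are not covered. set -f keeps "*.bak" from expanding against
# files in the current directory when masks are iterated unquoted.
set -efu

# Return 0 if value $1 matches any shell mask in the space-separated list $2.
# The unquoted $mask in the case pattern is deliberate: it is the glob.
kav_mask_match() {
    for mask in $2; do
        case "$1" in
            $mask) return 0 ;;
        esac
    done
    return 1
}

# Shell masks in ExcludeMasks apply to the file name, so strip the directory
# before matching (regular expressions, not handled here, apply to the path).
kav_file_excluded() {
    kav_mask_match "${1##*/}" "$2"
}

# Full threat names have the form <class>:<type>.<OS>.<name>.<modification>
# and are matched as a whole, class prefix included.
kav_threat_excluded() {
    kav_mask_match "$1" "$2"
}

# Print Use<Setting>=yes followed by one <Setting>="mask" line per mask,
# for Setting = ExcludeMasks or ExcludeThreats, as the guide's repeated lines.
kav_exclude_lines() {
    printf 'Use%s=yes\n' "$1"
    for mask in $2; do
        printf '%s="%s"\n' "$1" "$mask"
    done
}

FILE_MASKS='*.bak core.*'
THREAT_MASKS='not-a-virus:NetTool.Linux.SynScan.* not-a-virus:RemoteAdmin.*'

# Constructed sample paths: the third shows that a directory named "bak"
# does not satisfy a file-name mask.
for f in /srv/share/report.bak /srv/share/core.1234 /srv/share/bak/notes.txt; do
    if kav_file_excluded "$f" "$FILE_MASKS"; then echo "skipped: $f"; else echo "scanned: $f"; fi
done
# The first name is the guide's example; the other two are constructed.
for t in not-a-virus:NetTool.Linux.SynScan.a EICAR-Test-File Trojan.Linux.Agent.x; do
    if kav_threat_excluded "$t" "$THREAT_MASKS"; then echo "excluded: $t"; else echo "acted on: $t"; fi
done
kav_exclude_lines ExcludeMasks "$FILE_MASKS"
kav_exclude_lines ExcludeThreats "$THREAT_MASKS"
```

Keep threat-name masks as specific as the example above: a mask such as not-a-virus:* would silence every riskware and adware detection on the server, whereas the per-type mask only covers the tool you have deliberately accepted.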
USING HEURISTIC ANALYSIS
Objects are scanned using databases containing descriptions of known threats and ways to neutralize them. Kaspersky Anti-Virus compares each scanned object with the database records to determine conclusively whether the object is malicious and, if so, which class of malware it belongs to. This approach is called signature analysis and is always used by default.
Since new malicious objects appear daily, there is always some malware which is not described in the databases, and which can only be detected using heuristic analysis. This method presumes the analysis of the actions an object performs within the system. If such activity is typical of malicious objects, the object is likely to be labeled as malicious or potentially infected. As a result, new threats are identified before they become known to virus analysts.
Additionally you can set the detail level for scans. It sets the balance between the thoroughness of searches for new threats, the load on the operating system's resources and the time required for scanning. The higher the detail level, the more resources the scan will require, and the longer it will take.
To use the heuristic analysis and set the detail level for scans:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseAnalyzer setting in the [ScanScope:ScanSettings] section;
one of the values: Light, Medium, Deep or Recommended for the HeuristicLevel setting in the
[ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING ACTIONS TO BE PERFORMED ON DETECTED OBJECTS
As a result of the scan, Kaspersky Anti-Virus assigns one of the following statuses to the object:
infected, if code of a known virus is detected in the object;
suspicious, if the scan cannot determine whether the object is infected or not. This means that the application has detected a sequence of code in the file from an unknown virus, or modified code from a known virus.
You can specify two actions to be performed on objects with each status. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
You can specify the following actions to be performed on the detected objects:
Recommended. Kaspersky Anti-Virus automatically selects and performs actions on the object based on data about the threat detected in the object and about the possibility of disinfecting it. For example, Kaspersky Anti-Virus will immediately remove Trojans since they do not incorporate themselves into other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Remove. Kaspersky Anti-Virus deletes the object after making a backup copy.
Skip. Kaspersky Anti-Virus leaves the object unchanged.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to be performed on infected objects, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
InfectedFirstAction in the [ScanScope:ScanSettings] section;
InfectedSecondAction in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
To specify actions to be performed on suspicious objects, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
SuspiciousFirstAction in the [ScanScope:ScanSettings] section;
SuspiciousSecondAction in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING ACTIONS DEPENDING ON THE THREAT TYPE
You can specify operations for the following types of threats:
Virware – viruses;
Trojware – Trojans;
Malware – programs which cannot harm your computer directly, but can be used by developers of malicious code or various malicious programs;
Adware – advertising software;
Pornware – programs which download pornographic material or pornography sites without the user's permission;
Riskware – harmless programs which could be used for malicious purposes. An example of such software is a Remote Administrator utility.
You can specify two actions for each threat type. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
You can specify the following actions:
Recommended. Kaspersky Anti-Virus automatically selects and performs actions on the object based on data about the threat detected in the object and about the possibility of disinfecting it. For example, Kaspersky Anti-Virus will immediately remove Trojans since they do not incorporate themselves into other files and do not infect them; therefore they do not need to be disinfected.
Cure. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Remove. Kaspersky Anti-Virus deletes the object after making a backup copy.
Skip. Kaspersky Anti-Virus leaves the object unchanged.
The Recommended action can be selected only as the first action.
If Skip was selected as the first action, the second action can be Skip only.
If Recommended or Remove was selected as the first action, Quarantine cannot be selected as the second action.
To specify actions to be performed on threats of a specific type:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing.
3. Assign the value yes to the UseAdvancedActions setting in the [ScanScope:ScanSettings] section.
4. Add the [ScanScope:ScanSettings:AdvancedActions] section to the configuration file.
5. Specify the threat type using the Verdict setting in the [ScanScope:ScanSettings:AdvancedActions] section.
6. Specify actions to be performed on the threat of selected type using the FirstAction and SecondAction settings in the [ScanScope:ScanSettings:AdvancedActions] section.
7. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
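The ordering rules for action pairs are stated twice above, once for infected and suspicious objects and once for per-threat-type actions, and a settings file that violates them is easy to write by hand. The following script is an added example, not part of Kaspersky Anti-Virus: it checks a first/second pair against those three rules (Recommended only as the first action; Skip followed only by Skip; no Quarantine after Recommended or Remove), rejects unknown action or Verdict names, and only then prints the InfectedFirstAction / InfectedSecondAction lines or the [ScanScope:ScanSettings:AdvancedActions] block for the file you import with --set-settings. The demonstration pairs are the ones the predefined security levels above use.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Anti-Virus): validate a first/second
# action pair against the ordering rules the guide states for detected
# objects and for per-threat-type actions, then print the settings lines.
#   - Recommended may be the first action only
#   - a first action of Skip allows only Skip as the second
#   - after Recommended or Remove, the second action cannot be Quarantine
set -eu

ACTIONS="Recommended Cure Quarantine Remove Skip"
VERDICTS="Virware Trojware Malware Adware Pornware Riskware"

# Return 0 if $1 is listed in the space-separated set $2.
kav_in_set() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# Return 0 when first action $1 may be followed by second action $2;
# otherwise print the violated rule on stderr and return 1.
kav_check_actions() {
    kav_in_set "$1" "$ACTIONS" || { echo "unknown first action: $1" >&2; return 1; }
    kav_in_set "$2" "$ACTIONS" || { echo "unknown second action: $2" >&2; return 1; }
    if [ "$2" = Recommended ]; then
        echo "Recommended can only be the first action" >&2; return 1
    fi
    if [ "$1" = Skip ] && [ "$2" != Skip ]; then
        echo "after Skip the second action can only be Skip" >&2; return 1
    fi
    case "$1" in
        Recommended|Remove)
            if [ "$2" = Quarantine ]; then
                echo "Quarantine cannot follow $1" >&2; return 1
            fi ;;
    esac
    return 0
}

# Print <Status>FirstAction / <Status>SecondAction lines for the
# [ScanScope:ScanSettings] section; $1 is Infected or Suspicious.
kav_action_lines() {
    kav_check_actions "$2" "$3" || return 1
    printf '%sFirstAction="%s"\n%sSecondAction="%s"\n' "$1" "$2" "$1" "$3"
}

# Print an AdvancedActions block for threat type $1 (Verdict) with the pair
# $2/$3; UseAdvancedActions=yes must also be set in [ScanScope:ScanSettings].
kav_advanced_block() {
    kav_in_set "$1" "$VERDICTS" || { echo "unknown threat type: $1" >&2; return 1; }
    kav_check_actions "$2" "$3" || return 1
    printf '[ScanScope:ScanSettings:AdvancedActions]\n'
    printf 'Verdict="%s"\nFirstAction="%s"\nSecondAction="%s"\n' "$1" "$2" "$3"
}

# Pairs taken from the predefined security levels, plus one invalid pair.
kav_action_lines Infected Cure Remove
kav_action_lines Suspicious Recommended Skip
kav_advanced_block Riskware Skip Skip
kav_action_lines Infected Remove Quarantine || echo "pair rejected, as the guide's rules require"
```

Run the checker over a settings file before importing it; a rejected pair is cheaper to catch here than after --set-settings has applied it to a task that scans production shares.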
SCAN OPTIMIZATION
You can reduce the scan time and speed up Kaspersky Anti-Virus. To do so, you can specify two types of restrictions:
restriction on the scan duration: once the specified time period elapses, the object scan will be stopped;
restriction on the maximum size of the object to scan: objects larger than the specified limit will be skipped during the scan.
To impose a time restriction on the scan duration, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseTimeLimit setting in the [ScanScope:ScanSettings] section;
the maximum object scan time (in seconds) to the TimeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
To enable restriction on the maximum size of the object to scan, perform the following steps:
1. Save the on-demand scan task settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings <task ID> --file=<full path to the file>
2. Open the created file for editing and assign values to the following settings:
the value yes to the UseSizeLimit setting in the [ScanScope:ScanSettings] section;
the maximum object size (in bytes) to the SizeLimit setting in the [ScanScope:ScanSettings] section.
3. Import settings from file to the on-demand scan task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> --file=<full path to the file>
SELECTING TASK PRIORITY
By default, all on-demand scan tasks are executed with the priority defined by the system when the task is launched. You can assign one of the following priorities to the task:
System. Priority of the process is defined by the operating system.
High. Decreases the duration of task execution, but it can also affect negatively the performance of processes belonging to other active applications.
Select this option if the task should be performed as soon as possible, despite the possible load on the protected server.
Medium. Priority of the process changes from System to the value recommended by Kaspersky Lab.
Low. Increases the duration of task execution, but reduces the load that the task places on processes belonging to other active applications.
Select this option if the load on the protected server should be decreased during task execution.
To change the priority of the on-demand scan task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings <task ID> ScanPriority=<priority>
ISOLATING SUSPICIOUS OBJECTS. DATA BACKUP
Kaspersky Anti-Virus isolates objects that it considers suspicious. The application places such objects to quarantine, i.e., it moves them from their original location into a special storage.
The default storage volume is 1 GB. Once the limit is exceeded, objects will not be added to the storage.
After each database update Kaspersky Anti-Virus automatically scans all quarantined objects. Some of them can be considered not infected and restored from Quarantine. Besides, you can restore objects from Quarantine manually.
Restoring infected or suspicious objects may lead to computer infection.
Kaspersky Anti-Virus saves to a storage copies of objects before disinfecting or deleting them.
If an object is a part of a compound object, Kaspersky Anti-Virus will save such compound object entirely in the backup storage. For example, if the Anti-Virus has found one of the objects in a mail database to be infected, the entire mail database is backed up.
An object placed in Quarantine or Backup is described using a number of settings (see page 118 ).
VIEWING STATISTICS OF QUARANTINED OBJECTS
You can obtain brief and detailed statistics of quarantined objects.
To view brief statistics, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --get-stat --query "(OrigType!=s'Backup')"
The command returns the number of objects stored in quarantine at the moment and total disk space, which they occupy.
To view detailed statistics, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -S --get-stat Quarantine
Kaspersky Anti-Virus was installed.
Table 1. Statistics fields of quarantined objects

Field | Description
Quarantined objects | The total number of quarantined objects.
Auto saved objects | The number of objects quarantined by Kaspersky Anti-Virus.
Manually saved objects | The number of objects quarantined by the user.
Restored objects | The number of objects restored from the quarantine.
Removed objects | The number of objects deleted from the quarantine.
Infected objects | object was scanned, and b) that Kaspersky Anti-Virus moved to Quarantine based on the value of the Action to perform depending on threat type setting.
Suspicious objects |
Curable objects | The number of objects in the storage that Kaspersky Anti-Virus considers infected and curable.
Password protected objects | The number of password-protected objects.
Corrupted objects | The number of corrupted objects.
False detected objects | The number of objects that were assigned the False alarm status, because after scanning using updated databases, quarantined objects were acknowledged to be not infected.
SCANNING QUARANTINED OBJECTS
By default, Kaspersky Anti-Virus executes the Quarantine scan task after each database update. Task settings are described in the table below. You cannot modify them.
Having scanned the quarantined objects after a database update, Kaspersky Anti-Virus may recognize some of the objects as not infected.
You may start the Quarantine scan task manually.
To start the Quarantine scan task, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task 10
Table 2. The Quarantine scan task settings

Quarantine scan task settings | Value
ID | 10
Scan area | Quarantined objects
Default schedule | After databases update
Security settings | Common for the entire scan area. You cannot modify them. The table below contains the setting values.
Table 3. Security settings in the Quarantine scan task

Security settings | Value
Action to perform on infected objects | Skip
Action to be performed on suspicious objects | Skip
Excluding objects by name | No
Excluding objects by threat name | No
Maximum object scan time | 600 sec
Maximum size of a scanned object | Not specified
Scan of compound files | Archives, SFX-archives, Packed objects
PLACING FILES TO QUARANTINE MANUALLY
If you suspect that a file is infected, it can be placed to quarantine manually.
To place a file to quarantine manually, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--add-object <full path to the file>
VIEWING OBJECT IDS
Using the -Q modifier in commands described in this section is mandatory.
When the object is placed in the storage, Kaspersky Anti-Virus assigns a numeric identifier to it. This identifier is used to perform actions on quarantined and backed up objects.
To obtain identifiers of quarantined objects, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query "(OrigType!=s'Backup')"
Example of the command output:
Objects returned: 1
Object ID: 1
Filename: /home/corr/eicar.com
Object type: UserAdded
Compound object: no
UID: 0
GID: 0
Mode: 644
AddTime: 2009-03-29 09:20 PM:32
Size: 73
To obtain identifiers of backed up objects, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query "(OrigType==s'Backup')"
Example of the command output:
Objects returned: 2
Object ID: 1
Filename: /home/cur/eicar.com
Object type: Backup
Compound object: no
UID: 0
GID: 0
Mode: 644
AddTime: 2009-03-29 10:24 PM:50
Size: 73
To perform actions on objects, use the value of the Object ID field.
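The query output above is line-oriented, with the Object ID line preceding the Object type line in every record, so the IDs can be collected by script and fed to the per-object commands. The following script is an added example, not part of Kaspersky Anti-Virus: it extracts IDs (optionally only those of one Object type), lists id, type and file name per record, and runs kav4fs-control -Q <action> <id> for each ID, using the -Q form that the Deleting objects section requires. SAMPLE is constructed from the layout shown above; its first record is the guide's own example and the second (ID 7, a Backup copy) is invented for the demonstration. By default the commands are only printed.

```shell
#!/bin/sh
# Added example (not part of Kaspersky Anti-Virus): pull Object IDs out of the
# record layout that "kav4fs-control -Q --query" prints, optionally filtered
# by Object type, so that --remove (and --restore) can be driven by script.
# SAMPLE is constructed from the layout shown in this section; the second
# record and its values are invented for the demonstration.
set -eu

KAV_CTL=/opt/kaspersky/kav4fs/bin/kav4fs-control

SAMPLE='Objects returned: 2
Object ID: 1
Filename: /home/corr/eicar.com
Object type: UserAdded
Compound object: no
UID: 0
GID: 0
Mode: 644
AddTime: 2009-03-29 09:20 PM:32
Size: 73
Object ID: 7
Filename: /srv/share/old-report.doc
Object type: Backup
Compound object: no
UID: 1001
GID: 1001
Mode: 664
AddTime: 2009-03-30 08:11 AM:05
Size: 4096'

# Print the Object ID of every record read from stdin whose "Object type"
# equals $1; with no argument, print all IDs. The ID line precedes the type
# line in each record, so the ID is held until the type is seen.
kav_object_ids() {
    awk -v want="${1:-}" '
        /^Object ID: /   { id = $3 }
        /^Object type: / { if (want == "" || $3 == want) print id }
    '
}

# Print "id TAB type TAB filename" for every record on stdin.
kav_object_table() {
    awk '
        /^Object ID: /   { id = $3 }
        /^Filename: /    { file = substr($0, 11) }
        /^Object type: / { printf "%s\t%s\t%s\n", id, $3, file }
    '
}

# Run "kav4fs-control -Q <action> <id>" for every ID on stdin.
# Unless KAV_DRY_RUN=0 is set and the binary exists, the command is only
# printed, so the demonstration below changes nothing on the host.
kav_apply_to_ids() {
    while IFS= read -r id; do
        if [ "${KAV_DRY_RUN:-1}" = 0 ] && [ -x "$KAV_CTL" ]; then
            "$KAV_CTL" -Q "$1" "$id"
        else
            echo "$KAV_CTL -Q $1 $id"
        fi
    done
}

printf '%s\n' "$SAMPLE" | kav_object_table
# Delete every backup copy while leaving manually quarantined objects in place.
printf '%s\n' "$SAMPLE" | kav_object_ids Backup | kav_apply_to_ids --remove
```

On a live server replace the printf of SAMPLE with the real query, for example /opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query "(OrigType==s'Backup')". For removing every object of one kind the --mass-remove command in the Deleting objects section is shorter; the per-ID route is for selections the query language does not express, such as filtering the table output by file name before acting.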
RESTORING OBJECTS
Restoring infected or suspicious objects may lead to server infection.
You can restore any object from the quarantine / backup. This may be required in the following cases:
If the original file that appeared to be infected contained important information and during disinfection Kaspersky Anti-Virus was unable to preserve its integrity, so that the information in the file became unavailable.
If, having scanned the quarantined objects after a database update, Kaspersky Anti-Virus recognizes the object as not infected (the value of the Type field (see page 118 ) for such objects changes to Clean).
If you consider the object harmless for the server and wish to use it. To prevent Kaspersky Anti-Virus from isolating this object during subsequent scans, you can exclude the object from being scanned in the real-time protection and on-demand scan tasks. To do so, specify the object as a value for the Exclude objects by file name security setting (see page 179 ) or Exclude objects by threat name (see page 180 ) in these tasks.
You can select where to save the restored object: in its original location or in a directory you specify.
During restoration you can save the object under a different name.
The date and time of a file restored from quarantine differ from the date and time of the original file.
To restore an object from quarantine or backup to the original location, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --restore <object ID>
To restore an object from quarantine or backup to the specified folder, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--restore <object ID> -F <file name and path>
DELETING OBJECTS
Using the -Q modifier in commands described in this section is mandatory.
If you are sure that a quarantined or backed up object is harmless for the server, you can delete it from quarantine or backup.
To delete an object from quarantine or backup, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--remove <object ID>
You can also delete all objects from quarantine or backup.
To delete all objects from quarantine, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--mass-remove --query "(OrigType!=s'Backup')"
To delete all objects from backup, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--mass-remove --query "(OrigType==s'Backup')"
You can empty the quarantine or backup partially using the special command arguments -Q --mass-remove (see page
MANAGING LICENSES
Within the context of Kaspersky Lab application licensing, the following concepts should be considered:
License Agreement;
license;
key file;
activation code;
application activation.
These concepts are indissolubly interconnected and form a single licensing scheme.
Provided below is the detailed description of each concept.
ABOUT THE LICENSE AGREEMENT
The License Agreement is a contract between Kaspersky Lab ZAO and an individual or legal entity that holds a legal copy of Kaspersky Anti-Virus. The License Agreement is included in each Kaspersky Lab application kit. It contains detailed information about the rights and limitations to use Kaspersky Anti-Virus.
According to the License Agreement, when you purchase and install a Kaspersky Lab application, you acquire the right to use your copy indefinitely.
Kaspersky Lab is delighted to offer you additional services:
technical support;
Kaspersky Anti-Virus database update;
Anti-Virus program modules update.
ABOUT LICENSES FOR KASPERSKY ANTI-VIRUS
A license is the right to use Kaspersky Anti-Virus and the related additional services provided by Kaspersky Lab and its partners.
Each license is characterized by license period and type.
The following types of licenses are provided:
Trial - a free license with a limited validity period, for example, 30 days, intended to acquaint users with Kaspersky Anti-Virus.
The trial license can only be used once!
It is supplied with the trial version of the application. You cannot contact Technical Support if you only have a trial license. On expiry of the validity period, Kaspersky Anti-Virus ceases all its functions.
Commercial - a paid license with a validity period of, for example, one year, issued when you purchase Kaspersky Anti-Virus. This license comes with certain restrictions, for example, on the number of computers it can be used for or the amount of daily traffic that can be scanned.
Under clause 3.6 of the License Agreement, if Kaspersky Anti-Virus is purchased for use on more than one computer, the validity period of the license shall begin when the application is activated on the first computer.
All functions and additional services are available during the validity period of a commercial license.
When the commercial license expires, Kaspersky Anti-Virus continues to perform all of its functions; additional services, however, are not provided. As before, you will be able to scan your computer for viruses and use the protection components, but using only the anti-virus databases you had when the license expired.
Consequently, Kaspersky Lab does not guarantee 100% protection for your computer against new viruses after expiry of the license validity period.
To use the application and its additional services, you should purchase a commercial license and activate it.
with the license.
ABOUT KASPERSKY ANTI-VIRUS KEY FILES
Key file
The key file is supplied with the application if you purchase it from a Kaspersky Lab distributor, or is sent by email if you purchase it from Kaspersky Lab's eStore.
The key file contains the following information:
Period of license validity.
License type (trial or commercial).
License restrictions (for example, the number of hosts for which the license is valid, or the volume of protected mail traffic).
Technical Support Service contact information.
Validity period.
The key file validity period is the key file "shelf life", assigned to the key file when it is created. It is a time period after which the key file becomes invalid, and activation of the associated license is unavailable.
The following example shows how the key file validity period and the license period are connected.
Example:
License period: 300 days
The key write date is 9/1/2010.
Validity period of the key file: 300 days
The key file installation date (license activation date) is 9/10/2010, which is 9 days after the key write date.
Result:
The calculated license validity period is 300 days - 9 days = 291 days.
INSTALLING THE KEY FILE
effective as soon as it is added. The additional key becomes effective automatically as soon as the active key expires.
If you add a key as an active key when Kaspersky Anti-Virus already has an active key, the new key replaces the previously added key. The previously added key is removed.
If you add a key as an additional key when Kaspersky Anti-Virus already has an additional key, the new key replaces the previously added key. The previously added key is removed.
To install a key file as an active key, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--install-active-key <key filename>
To install a key file as a supplementary key, execute the command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--install-suppl-key <key filename>
VIEWING INFORMATION ABOUT A LICENSE PRIOR TO THE KEY FILE INSTALLATION
You can view license information stored in the key file before its installation.
To view information about the license, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--show-license-info <full path to the file>
This command outputs the following license information (see the table below).
Table 4. License information
FIELD | DESCRIPTION
Application name | The name of the application for which the key file was written.
Key file creation date | Key file write date (see page 62).
Key file expiration date | License expiration date.
License number | License serial number.
License type | License type: trial or commercial.
Usage restriction | The number of objects defined in the restriction, i.e. the restriction on the use of Kaspersky Anti-Virus provided for by the license.
License period | License validity period (see page 61).
Example of command output:
License info:
Application name: Kaspersky BusinessSpace Security International Edition.
10-14 User 1 year NFR License: Kaspersky Anti-Virus Suite for WS and FS
Key file creation date: 2009-05-28
Key file expiration date: 2010-08-27
License number: 0038-000451-05B74DD4
License type: Commercial
Usage restriction: 10
License period: 365
KEY FILE REMOVAL
You can remove the key file. If you remove the active key file, the supplementary key file will automatically become active.
To remove the active key file, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--revoke-active-key
To remove a supplementary key file, execute the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--revoke-suppl-key
REVIEWING THE LICENSE AGREEMENT
The License Agreement is a contract between Kaspersky Lab ZAO and an individual or legal entity that holds a legal copy of Kaspersky Anti-Virus. The License Agreement is included in each Kaspersky Lab application kit. It contains detailed information about the rights and limitations to use Kaspersky Anti-Virus.
According to the license agreement, when you purchase and install a Kaspersky Lab application, you have the right to use your copy indefinitely.
To view the provisions of the License Agreement, use a text editor to open the file /opt/kaspersky/kav4fs/share/doc/LICENSE.
ADMINISTRATOR NOTIFICATIONS. EVENT-BASED ACTIONS
of anti-virus protection of the server and Kaspersky Anti-Virus in general. You can configure administrator notifications about those events by email.
You may also use Shell scripts to configure actions that will be performed when certain events occur.
Notifications delivery and performance of actions are available for the following events:
ApplicationStarted, which occurs when Kaspersky Anti-Virus is started;
ApplicationShutdown, which occurs when Kaspersky Anti-Virus is stopped;
ThreatDetected, which occurs when a malicious object is detected;
LicenseExpired, which occurs upon license expiration;
LicenseExpiresSoon, which occurs at the approach of license expiration;
LicenseError, which occurs when the licensing subsystem reports an error;
AVBasesAttached, which occurs upon successful Kaspersky Anti-Virus database update;
AVBasesAreOutOfDate, which occurs if Kaspersky Anti-Virus database is outdated;
AVBasesAreTotallyOutOfDate, which occurs if Kaspersky Anti-Virus database is totally outdated;
UpdateError, which occurs when Kaspersky Anti-Virus database update reports an error;
RetranslationError, which occurs when Kaspersky Anti-Virus database update copying reports an error;
LicenseInstalled, which occurs upon successful key file installation;
LicenseRevoked, which occurs upon key file removal;
AVBasesIntegrityCheckFailed, which occurs when integrity check of Kaspersky Anti-Virus database reports an error;
ObjectNotProcessed, which occurs if the object was not processed;
ObjectProcessingError, which occurs when object processing reports an error;
ObjectDisinfected, which occurs if the object was successfully disinfected;
ObjectDeleted, which occurs if the object was successfully deleted;
QuarantineSizeLimitReached, which occurs when the maximum allowed size of quarantine or backup is reached;
QuarantineSoftSizeLimitExceeded, which occurs when the recommended size of quarantine or backup is reached;
ObjectAddToQuarantineFailed, which occurs when placing the object to quarantine reports an error;
ObjectSavedToQuarantine, which occurs when the object is successfully placed to quarantine;
ObjectRemovedFromQuarantine, which occurs when the object is successfully removed from quarantine;
QuarantineObjectRestored, which occurs when the object is successfully restored from quarantine;
QuarantineThreatDetected, which occurs when a malicious object is detected in a quarantined object;
QuarantineObjectProcessingError, which occurs when processing of a quarantined object reports an error;
QuarantineObjectCurable, which occurs if a quarantined object can be disinfected;
QuarantineObjectFalseDetect, which occurs if a previously quarantined object was considered not infected as a result of a Quarantine scan (see page 57).
OASTaskError, which occurs if the real-time protection task failed to start.
USING THE INTERNAL MAILER OF KASPERSKY ANTI-VIRUS
Kaspersky Anti-Virus provides an in-built mail program for sending notifications.
To use an in-built mail program for sending notifications, perform the following steps:
1. Save notification settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 7 --file=<path to the file>
2. Open the created file for editing and make the following changes in it:
Assign the value yes to the EnableSmtp setting.
Assign the value Internal to the Mailer setting in the [CommonSmtpSettings] section.
Specify the default recipients' addresses using the DefaultRecipients setting in the [CommonSmtpSettings] section.
Specify the SMTP server address using the SmtpServer setting in the [CommonSmtpSettings:InternalMailerSettings] section.
3. Import the settings from the file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 7 --file=<path to the file>
For a detailed description of the notification settings please refer to the "Settings of notifications and event-based actions" section (see page 159).
USING SENDMAIL
If Sendmail® is used on your server to send email, you can also use it for Kaspersky Anti-Virus notifications.
For successful delivery of notifications, Sendmail should be configured correctly.
To use Sendmail for delivery of notifications, perform the following steps:
1. Save notification settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 7 --file=<path to the file>
2. Open the created file for editing and make the following changes in it:
Assign the value yes to the EnableSmtp setting.
Assign the value Sendmail to the Mailer setting in the [CommonSmtpSettings] section.
Specify the default recipients' addresses using the DefaultRecipients setting in the [CommonSmtpSettings] section.
Specify the path to the Sendmail executable file using the SendmailPath setting in the [CommonSmtpSettings] section.
3. Import the settings from the file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 7 --file=<path to the file>
For a detailed description of the notification settings please refer to the "Settings of notifications and event-based actions" section (see page 159).
GENERATION OF NOTIFICATIONS
To send notifications, you have to create the message text and specify the email addresses of its recipients. You can use macros in the message text (see page 69).
To generate notifications, perform the following steps:
1. Save notification settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 7 --file=<path to the file>
2. Open the created file for editing and make the following changes in it:
a. Add to the file the [SmtpNotifies] section, which contains the following settings:
Recipients, which defines notification recipients if a local list of recipients is used. Repeat the setting the required number of times to create a list of recipients;
UseRecipientList, which defines the list of notification recipients;
Subject, which defines the Subject field of notification;
Body, which defines the text of notification;
EventName, which defines the name of event that will trigger notification;
Enable, which enables / disables the notification.
b. Repeat the [SmtpNotifies] section for every event about which notifications are to be sent.
3. Save changes.
4. Import the settings from the file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 7 --file=<path to the file>
CONFIGURING ACTIONS
You can create Shell scripts that perform operations when a specified event occurs. You can use macros in the script text.
To create a script, which is triggered by an event, perform the following steps:
1. Save notification settings to a file using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 7 --file=<path to the file>
2. Open the created file for editing and make the following changes in it:
a. Assign the value yes to the EnableActions parameter.
b. Add to the file the [Actions] section, which contains the following settings:
Command, which defines the script text;
EventName, which defines the name of event that will trigger the script;
Enable, which enables (yes value) or disables (no value) execution of the action.
c. Repeat the [Actions] section for every event that will trigger execution of a script.
3. Save changes.
4. Import the settings from the file into the task using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-settings 7 --file=<path to the file>
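The four procedures above (internal mailer, Sendmail, notification sections, action sections) all edit the same exported settings file by hand. The POSIX shell functions below are an added example, not part of this guide or of the product, that make those edits scriptable and repeatable. They assume the file exported with --get-settings 7 consists of "Key=value" lines under "[Section]" headers (the section and setting names are the ones the guide lists; the exact line syntax is an assumption). set_setting changes one existing key inside a named section (pass an empty section name for keys that appear before the first header, where EnableSmtp and EnableActions are assumed to live; adjust to what your exported file shows) and refuses to invent a key that is not there. add_smtp_notify and add_event_action append a [SmtpNotifies] and an [Actions] section for one event; UseRecipientList is deliberately not written because its values are documented on page 159 rather than here. The logger command used as the sample action, the addresses and the mail server name are constructed values.

```shell
#!/bin/sh
# Added example (not from the Kaspersky guide): scripted edits to a
# notification settings file exported with
#   /opt/kaspersky/kav4fs/bin/kav4fs-control --get-settings 7 --file=<file>
# ASSUMPTION: the file holds "Key=value" lines under "[Section]" headers,
# with no spaces around "=".

# set_setting FILE SECTION KEY VALUE
# Replace "KEY=..." inside [SECTION] (empty SECTION = before the first
# header). Returns 1 and leaves FILE untouched when the key is absent, so a
# typo in a setting name is noticed instead of silently ignored.
set_setting() {
    file=$1; section=$2; key=$3; value=$4
    awk -F= -v s="$section" -v k="$key" -v v="$value" '
        /^\[.*\]$/ { cur = substr($0, 2, length($0) - 2) }
        cur == s && $1 == k { print k "=" v; found = 1; next }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$file" > "$file.tmp" || {
        rm -f "$file.tmp"
        printf 'set_setting: %s not found in section [%s] of %s\n' "$key" "$section" "$file" >&2
        return 1
    }
    mv "$file.tmp" "$file"
}

# add_smtp_notify FILE EVENT SUBJECT BODY RECIPIENT...
# Append one [SmtpNotifies] section; Recipients is repeated once per
# address, as the guide describes. SUBJECT and BODY may contain macros
# such as %HOST_NAME% or %THREAT_NAME%; they are passed through untouched.
add_smtp_notify() {
    file=$1; event=$2; subject=$3; body=$4; shift 4
    {
        printf '\n[SmtpNotifies]\n'
        printf 'EventName=%s\n' "$event"
        printf 'Enable=yes\n'
        for r in "$@"; do printf 'Recipients=%s\n' "$r"; done
        printf 'Subject=%s\n' "$subject"
        printf 'Body=%s\n' "$body"
    } >> "$file"
}

# add_event_action FILE EVENT COMMAND
# Append one [Actions] section whose Command is the script text to run.
add_event_action() {
    file=$1; event=$2; command=$3
    {
        printf '\n[Actions]\n'
        printf 'EventName=%s\n' "$event"
        printf 'Enable=yes\n'
        printf 'Command=%s\n' "$command"
    } >> "$file"
}

# Typical sequence with the real product (not run here; values constructed):
#   /opt/kaspersky/kav4fs/bin/kav4fs-control --get-settings 7 --file=/root/notify.ini
#   set_setting /root/notify.ini '' EnableSmtp yes
#   set_setting /root/notify.ini CommonSmtpSettings Mailer Internal
#   set_setting /root/notify.ini CommonSmtpSettings DefaultRecipients soc@example.com
#   set_setting /root/notify.ini CommonSmtpSettings:InternalMailerSettings SmtpServer mail.example.com
#   add_smtp_notify /root/notify.ini ThreatDetected 'KAV: threat on %HOST_NAME%' \
#       'Threat %THREAT_NAME% in %OBJECT% (%VERDICT%) at %NOW%' soc@example.com
#   set_setting /root/notify.ini '' EnableActions yes
#   add_event_action /root/notify.ini ThreatDetected \
#       'logger -t kav4fs -p auth.warning "threat=%THREAT_NAME% object=%OBJECT% host=%HOST_NAME%"'
#   /opt/kaspersky/kav4fs/bin/kav4fs-control --set-settings 7 --file=/root/notify.ini
```

Writing the ThreatDetected action to syslog via logger gives a second, mail-independent record of detections that a central log collector can pick up; the same pattern applies to the license and database events listed earlier in this chapter.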
USING MACROS
The macros described in the table below can be used in message and script texts.
Table 5. Macros
MACRO | DESCRIPTION | EVENT
%NOW% | Time when event has occurred | The macro is used for all events
%HOST_NAME% | Name of the server where an event has occurred | The macro is used for all events
%OBJECT% | Name of infected object | Threat found, Object not processed, Error processing object, Object disinfected, Object deleted, Quarantine and backup maximum size reached, Error processing quarantined object, Object quarantined, Object deleted from quarantine/backup, Object restored from quarantine/backup, Threat found in quarantined object, Error processing quarantined object, Quarantined object rendered curable, False detection: quarantined object non-infected
%SOURCE% | Name of computer - source of infected object | Threat found, Object not processed, Error processing object, Object disinfected, Object deleted
%VERDICT% | Status of detected object | Threat found, Object quarantined, Threat found in quarantined object
%THREAT_NAME% | Name of threat | Threat found, Threat found in quarantined object
%DANGER% | Danger level | Threat found, Object quarantined, Threat found in quarantined object
%RECORDS% | Number of records in the product databases | Databases updated
%DAYS_LEFT% | Days remaining until the license expires | License expires soon
%REASON% | Error cause | License error, Update error, Error copying updates, Databases integrity check failed, Object not processed, Error processing object, Error processing quarantined object
%DAYS_PASSED% | Days passed since the last database update | Databases are outdated, Databases are obsolete
%SERIAL% | License serial number | License installed, License deleted
%OBJECT_SIZE% | Object size | Quarantine and backup maximum size reached, Object quarantined, Object deleted from quarantine/backup, Object restored from quarantine/backup
%SIZE_LIMIT% | Maximum size of quarantine and backup storage | Quarantine and backup recommended size reached
%ACTUAL_SIZE% | Current size of quarantine and backup storage | Quarantine and backup recommended size reached
%DESCRIPTION% | Description | Error processing quarantined object
%OBJECT_TYPE% | Object type | Object quarantined, Object deleted from quarantine/backup, Object restored from quarantine/backup
GENERATING REPORTS
You can generate the following reports:
about the number of malicious objects detected in the largest number of objects on the computers (see
reports on the activity of Kaspersky Anti-Virus components (see page 85 ).
You can use the command line to obtain reports on the activity of any individual product component. The Web
Management Console allows you to produce reports containing summarized information about the Real-time
protection and On-demand scan components.
You can perform the following operations:
generate reports for the specified time intervals;
view reports in separate Web Management Console windows;
save created reports to files in the following formats:
in the command line – to HTML or CSV;
in the Web Management Console – to PDF or XLS.
VIEWING THE PROTECTION STATUS VIA SNMP
The SNMP protocol provides access to the following categories of information about Kaspersky Anti-Virus:
general information;
activity statistics collected since the time of Kaspersky Anti-Virus installation;
information about events occurring while Kaspersky Anti-Virus is running.
Access to the information is provided for reading only.
Interaction via SNMP is implemented in Kaspersky Anti-Virus using an SNMP agent. Any SNMP master agent that supports the AgentX protocol can be used as the SNMP manager.
Kaspersky Anti-Virus can interact with SNMP managers supporting SNMP v2, v2c and v3. The SNMP agent implemented in the application supports AgentX version 1.
If you plan to read counters using utilities from the Net-SNMP package, update Kaspersky Anti-Virus to the latest version.
CONFIGURING INTERACTION VIA SNMP
To enable data exchange over SNMP, perform the following steps:
1. Specify the address of server, on which SNMP manager is running, by using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --set-settings 12 \
MasterAgentXAddress=tcp:<SNMP_manager_IP_address_or_DNS_name>:705
This address can be obtained from the configuration file of the SNMP-manager.
2. Start the SNMP plugin task (ID=12) of Kaspersky Anti-Virus if it is not running, using the following command:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task 12
Then you will be able to access MIB objects of Kaspersky Anti-Virus and obtain information over SNMP using OID objects. Kaspersky Anti-Virus package includes MIB files containing symbolic names of objects, events and their settings. After Kaspersky Anti-Virus installation MIB files can be found in the /opt/kaspersky/kav4fs/share/snmp-mibs directory.
To use symbolic names for access to the MIB objects of Kaspersky Anti-Virus, give the SNMP master agent access to the MIB files of Kaspersky Anti-Virus.
To view the structure of the Kaspersky Anti-Virus MIB using the snmpwalk command, add the following line to the configuration file snmpd.conf:
view systemview included .1.3.6.1.4.1.23668.1046
SNMP allows access to the activity statistics and traps for the events occurring during operation of Kaspersky Anti-Virus.
You can enable or disable traps in Kaspersky Anti-Virus.
To enable or disable event traps in Kaspersky Anti-Virus, assign the value yes or no to the TrapsEnable setting.
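The two steps above configure the Kaspersky side of the AgentX link; the Net-SNMP master agent on the SNMP manager host has to be set up to match, and it is easy to end up with duplicated lines in snmpd.conf after a few rounds of editing. The POSIX shell functions below are an added example, not part of this guide or of the product. The view line is the one quoted in this section; the master agentx and agentXSocket directives are standard snmpd.conf settings, assumed here rather than taken from the guide, that make snmpd act as the AgentX master on TCP port 705 so that it matches the MasterAgentXAddress value above. Each line is appended only if it is not already present, so the function can be re-run safely.

```shell
#!/bin/sh
# Added example (not from the Kaspersky guide): idempotent snmpd.conf
# setup for the Net-SNMP master agent that the Kaspersky SNMP plugin
# (task 12) connects to over AgentX.
# ASSUMPTION: "master agentx" and "agentXSocket <transport>" are standard
# Net-SNMP snmpd.conf directives; they are not mentioned in the guide.

# Enterprise subtree of the Kaspersky Anti-Virus MIB, as quoted in the guide.
KAV_MIB_OID='.1.3.6.1.4.1.23668.1046'

# ensure_line FILE LINE: append LINE to FILE unless an identical line
# already exists (fixed-string, whole-line match).
ensure_line() {
    file=$1; line=$2
    grep -qxF -- "$line" "$file" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$file"
}

# configure_snmpd_for_kav FILE [AGENTX_LISTEN]
# Add the AgentX master directives and the view line for the KAV subtree.
# AGENTX_LISTEN defaults to loopback; widen it only to an address the
# Kaspersky server must reach, because any process that can connect to the
# AgentX socket may register sub-agents with snmpd.
configure_snmpd_for_kav() {
    file=$1; listen=${2:-tcp:127.0.0.1:705}
    ensure_line "$file" 'master agentx'
    ensure_line "$file" "agentXSocket $listen"
    ensure_line "$file" "view systemview included $KAV_MIB_OID"
}

# kav_view_count FILE: number of KAV view lines present (expect exactly 1).
kav_view_count() {
    grep -cxF -- "view systemview included $KAV_MIB_OID" "$1"
}

# Real use (not run here): configure_snmpd_for_kav /etc/snmp/snmpd.conf
# then restart snmpd and start the plugin with
#   /opt/kaspersky/kav4fs/bin/kav4fs-control --start-task 12
```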
STRUCTURE OF THE KASPERSKY ANTI-VIRUS MIB
KAV4LinuxFS
    Events
        ApplicationStartedEvent
        ApplicationSettingsChangedEvent
        LicenseInstalledEvent
        LicenseNotInstalledEvent
        LicenseRevokedEvent
        LicenseNotRevokedEvent
        LicenseExpiredEvent
        LicenseExpiresSoonEvent
        LicenseErrorEvent
        AVBasesAttachedEvent
        AVBasesAppliedEvent
        AVBasesAreOutOfDateEvent
        AVBasesAreTotallyOutOfDateEvent
        AVBasesIntegrityCheckFailedEvent
        AVBasesRollbackCompletedEvent
        AVBasesRollbackErrorEvent
        NothingToUpdateEvent
        ModuleNotDownloadedEvent
        RetranslationErrorEvent
        ThreatDetectedEvent
        ObjectDisinfectedEvent
        ObjectDeletedEvent
        TaskStateChangedEvent
        ObjectMovedToQuarantineEvent
        UpdateErrorEvent
    Statistics
        AVBackupStatistics
            ObjectsInBackup
            RestoredObjects
            RemovedObjects
            InfectedObjects
            SuspiciousObjects
        AVOASTasksStatistics
            ScannedObjects
            InfectedObjects
            SuspiciousObjects
            ThreatsFound
            CuredObjects
            NotCuredObjects
            PasswordProtectedObjects
            CorruptedObjects
            MovedToQuarantine
            RemovedObjects
            ScanErrors
        AVODSTasksStatistics
            ScannedObjects
            InfectedObjects
            SuspiciousObjects
            ThreatsFound
            RemovedObjects
            ScanErrors
            CuredObjects
            NotCuredObjects
            PasswordProtectedObjects
            CorruptedObjects
            MovedToQuarantine
        AVProductInfo
            Name
            Version
            InstallationDate
            LicenseState
            LicenseExpireDate
        AVProductStatistics
            ScannedObjects
            InfectedObjects
            SuspiciousObjects
            ThreatsFound
            CuredObjects
            NotCuredObjects
            PasswordProtectedObjects
            CorruptedObjects
            MovedToQuarantine
            RemovedObjects
            ScanErrors
        AVQuarantineStatistics
            ObjectsInQuarantine
            AutoSavedObjects
            ManuallySavedObjects
            RestoredObjects
            RemovedObjects
            InfectedObjects
            SuspiciousObjects
            CurableObjects
            PasswordProtectedObjects
            CorruptedObjects
        AVUpdateStatistics
            CurrentAVBasesDate
            LastUpdateAVBasesDate
            CurrentBasesState
            CurrentBasesRecords
            UpdateAttempts
            SuccessfulUpdates
            FailedUpdates
        AVVirusesStatistics
            AVVirusesStatisticsTable
                VirusName
                InfectedObjects
DESCRIPTION OF KASPERSKY ANTI-VIRUS MIB OBJECTS
The database of Kaspersky Anti-Virus objects in the SNMP tree has been assigned the following character name:
iso.org.dod.internet.private.enterprises.kaspersky.kav4LinuxFS. Character names of Kaspersky Anti-Virus MIB objects are shown in the tables below.
Character names are specified in relation to the Kaspersky Anti-Virus identifier.
Kaspersky Anti-Virus events
Table 6. Kaspersky Anti-Virus events
CHARACTER NAME | DESCRIPTION
Events.ApplicationStartedEvent | Kaspersky Anti-Virus is running; this event occurs after all services necessary for the Anti-Virus operation are started.
Events.ApplicationSettingsChangedEvent | General settings of Kaspersky Anti-Virus have been changed.
Events.LicenseInstalledEvent | The key file has been installed.
Events.LicenseNotInstalledEvent | The key file has not been installed.
Events.LicenseRevokedEvent | The key file has been successfully deleted.
Events.LicenseNotRevokedEvent | The key file has not been deleted.
Events.LicenseExpiredEvent | The license period has expired.
Events.LicenseExpiresSoonEvent | The license period will soon expire.
Events.LicenseErrorEvent | A licensing system error has occurred.
Events.AVBasesAttachedEvent | Kaspersky Anti-Virus databases have been successfully downloaded to the server.
Events.AVBasesAppliedEvent | Kaspersky Anti-Virus databases have been successfully connected and are being used.
Events.AVBasesAreOutOfDateEvent | Kaspersky Anti-Virus databases are outdated.
Events.AVBasesAreTotallyOutOfDateEvent | Kaspersky Anti-Virus databases are obsolete.
Events.AVBasesIntegrityCheckFailedEvent | Kaspersky Anti-Virus databases are damaged.
Events.AVBasesRollbackCompletedEvent | Rollback to the previous version of the Kaspersky Anti-Virus database completed successfully.
Events.AVBasesRollbackErrorEvent | Error while rolling back to the previous version of the Kaspersky Anti-Virus database.
Events.NothingToUpdateEvent | No update required.
Events.UpdateErrorEvent | An error occurred while updating.
Events.ModuleNotDownloadedEvent | An error occurred while downloading an updated program module.
Events.RetranslationErrorEvent | Distribution error.
Events.TaskStateChangedEvent | Task status has changed.
Events.ThreatDetectedEvent | A threat has been detected.
Events.ObjectDeletedEvent | The object has been deleted.
Events.ObjectDisinfectedEvent | The object has been disinfected.
Events.ObjectMovedToQuarantineEvent | Object quarantined.
All statistics are collected since the Kaspersky Anti-Virus installation.
Backup storage statistics
Table 7. Backup storage statistics
CHARACTER NAME | DESCRIPTION
Statistics.AVBackupStatistics.ObjectsInBackup | Number of objects in the storage.
Statistics.AVBackupStatistics.RestoredObjects | Number of objects restored from the storage.
Statistics.AVBackupStatistics.RemovedObjects | Number of objects deleted from the storage.
Statistics.AVBackupStatistics.InfectedObjects | Number of infected objects in the storage.
Statistics.AVBackupStatistics.SuspiciousObjects | Number of suspicious objects in the storage.
The number of objects in the storage refers not to the number of objects located in it, deleted or restored from it at the given moment, but to the number of objects placed in it, deleted and restored from it during the period of gathering statistics.
Statistics of the real-time protection task
Table 8. Statistics of the real-time protection task operation
CHARACTER NAME | DESCRIPTION
Statistics.AVOASTasksStatistics.ScannedObjects | The number of scanned objects.
Statistics.AVOASTasksStatistics.ThreatsFound | The number of malicious programs detected.
Statistics.AVOASTasksStatistics.InfectedObjects | The number of infected objects.
Statistics.AVOASTasksStatistics.SuspiciousObjects | The number of suspicious objects.
Statistics.AVOASTasksStatistics.CuredObjects | The number of objects cured.
Statistics.AVOASTasksStatistics.MovedToQuarantine | The number of objects transferred to quarantine.
Statistics.AVOASTasksStatistics.RemovedObjects | The number of deleted objects.
Statistics.AVOASTasksStatistics.NotCuredObjects | The number of objects that could not be cured.
Statistics.AVOASTasksStatistics.ScanErrors | The number of errors that have occurred during the scan.
Statistics.AVOASTasksStatistics.PasswordProtectedObjects | Number of password-protected objects.
Statistics.AVOASTasksStatistics.CorruptedObjects | The number of corrupted objects.
On-demand scan tasks statistics
Statistics of the on-demand scan tasks are collected for all tasks.
Table 9. Statistics of the on-demand scan tasks
CHARACTER NAME | DESCRIPTION
Statistics.AVODSTasksStatistics.ScannedObjects | The number of scanned objects.
Statistics.AVODSTasksStatistics.ThreatsFound | The number of malicious programs detected.
Statistics.AVODSTasksStatistics.InfectedObjects | The number of infected objects.
Statistics.AVODSTasksStatistics.SuspiciousObjects | The number of suspicious objects.
Statistics.AVODSTasksStatistics.CuredObjects | The number of objects cured.
Statistics.AVODSTasksStatistics.MovedToQuarantine | The number of objects transferred to quarantine.
Statistics.AVODSTasksStatistics.RemovedObjects | The number of deleted objects.
Statistics.AVODSTasksStatistics.NotCuredObjects | The number of objects that could not be cured.
Statistics.AVODSTasksStatistics.ScanErrors | The number of errors that have occurred during the scan.
Statistics.AVODSTasksStatistics.PasswordProtectedObjects | Number of password-protected objects.
Statistics.AVODSTasksStatistics.CorruptedObjects | The number of corrupted objects.
Kaspersky Anti-Virus statistics
Table 10. General information about the application
CHARACTER NAME | DESCRIPTION
Statistics.AVProductInfo.Name | Application name.
Statistics.AVProductInfo.Version | Program version.
Statistics.AVProductInfo.InstallDate | Application installation date.
Statistics.AVProductInfo.LicenseState | The license state.
Statistics.AVProductInfo.LicenseExpireDate | License expiration date.
Statistics of the Kaspersky Anti-Virus operation
Table 11. Statistics of the application operation
CHARACTER NAME | DESCRIPTION
Statistics.AVProductStatistics.ScannedObjects | The number of scanned objects.
Statistics.AVProductStatistics.ThreatsFound | The number of malicious programs detected.
Statistics.AVProductStatistics.InfectedObjects | The number of infected objects.
Statistics.AVProductStatistics.SuspiciousObjects | The number of suspicious objects.
Statistics.AVProductStatistics.CuredObjects | The number of objects cured.
Statistics.AVProductStatistics.MovedToQuarantine | The number of objects transferred to quarantine.
Statistics.AVProductStatistics.RemovedObjects | The number of deleted objects.
Statistics.AVProductStatistics.NotCuredObjects | The number of objects that could not be cured.
Statistics.AVProductStatistics.ScanErrors | The number of errors that have occurred during the scan.
Statistics.AVProductStatistics.PasswordProtectedObjects | Number of password-protected objects.
Statistics.AVProductStatistics.CorruptedObjects | The number of corrupted objects.
Quarantine statistics
Table 12. Quarantine statistics
Character name | Description
Statistics.AVQuarantineStatistics.ObjectsInQuarantine | The number of objects in quarantine.
Statistics.AVQuarantineStatistics.AutoSavedObjects | The number of automatically quarantined objects.
Statistics.AVQuarantineStatistics.ManuallySavedObjects | The number of manually quarantined objects.
Statistics.AVQuarantineStatistics.RestoredObjects | Number of objects restored from the quarantine.
Statistics.AVQuarantineStatistics.RemovedObjects | Number of objects deleted from the quarantine.
Statistics.AVQuarantineStatistics.InfectedObjects | The number of infected objects in quarantine.
Statistics.AVQuarantineStatistics.SuspiciousObjects | The number of suspicious objects in quarantine.
Statistics.AVQuarantineStatistics.CuredObjects | The number of cured objects in quarantine.
Statistics.AVQuarantineStatistics.PasswordProtectedObjects | The number of password-protected objects in quarantine.
Statistics.AVQuarantineStatistics.CorruptedObjects | The number of corrupted objects in quarantine.
Statistics.AVQuarantineStatistics.FalseDetectedObjects | The number of falsely recognized objects in quarantine.
The quarantine counters refer not to the number of objects currently in the quarantine, or currently deleted or restored from it, but to the number of objects placed in it, deleted from it and restored from it during the period over which statistics were gathered.
Update statistics
Table 13. Update statistics
Character name | Description
Statistics.AVUpdateStatistics.CurrentAVBasesDate | Issue date of the current Kaspersky Anti-Virus database.
Statistics.AVUpdateStatistics.LastUpdateAVBasesDate | Date of the most recent update of the Kaspersky Anti-Virus database.
Statistics.AVUpdateStatistics.CurrentBasesState | Kaspersky Anti-Virus database state.
Statistics.AVUpdateStatistics.CurrentBasesRecords | Number of records in the Kaspersky Anti-Virus databases.
Statistics.AVUpdateStatistics.UpdateAttempts | Number of update attempts.
Statistics.AVUpdateStatistics.SuccessfulUpdates | Number of successful update attempts.
Statistics.AVUpdateStatistics.UpdateManualStops | Number of manual update stops.
Statistics.AVUpdateStatistics.FailedUpdates | Number of incomplete updates due to errors.
Virus activity statistics
Table 14. Virus activity statistics
Character name | Description
Statistics.AVVirusesStatistics.AVVirusesStatisticsTable.AVVirusName | Name of a virus.
Statistics.AVVirusesStatistics.LastUpdateAVBasesDate | Number of objects in which a virus was detected.
MANAGING KASPERSKY ANTI-VIRUS FROM THE COMMAND LINE
Apply the following rules when entering Anti-Virus commands:
Commands are case-sensitive.
Separate keys with the space character.
When using the brief (single-letter) form of a command or key, enter the value either immediately after it or separated from it by a space.
When using the full form of a command or key, separate the value from it with the equals sign (=) or a space.
The list of Anti-Virus commands is provided in the table below.
Table 15. List of Kaspersky Anti-Virus commands
Commands | Description
--help | Displays Kaspersky Anti-Virus command help.
Kaspersky Anti-Virus management commands
--start-app | Starts Kaspersky Anti-Virus.
--restart-app | Restarts Kaspersky Anti-Virus.
--stop-app | Stops Kaspersky Anti-Virus.
--scan-file | Scans files or directories.
-R | Rolls back to previous databases.
Commands for obtaining Anti-Virus statistics
-S | This prefix indicates that the command is one of a group of commands for obtaining statistics (optional).
-S --app-info | Outputs information about Kaspersky Anti-Virus.
-S --get-stat | Creates reports about the operation of Kaspersky Anti-Virus and its components.
-S --top-viruses (see page 88) | Creates reports on threats that are most commonly encountered on the server.
-S --clean-stat | Deletes statistics about Kaspersky Anti-Virus operation.
Kaspersky Anti-Virus event display commands
-W | Enables output of Kaspersky Anti-Virus events.
Commands for managing the Anti-Virus settings and tasks
-T | This prefix indicates that the command is one of a group of commands for managing the Kaspersky Anti-Virus settings and tasks (optional).
-T --get-app-settings (see page | Outputs general Kaspersky Anti-Virus settings.
-T --set-app-settings (see page | Defines general Kaspersky Anti-Virus settings.
-T --get-task-list | Returns the list of existing Kaspersky Anti-Virus tasks.
-T --get-task-state | Outputs the state of the selected task (for example, In progress, Stopped, or Paused).
-T --start-task (see page 95) | Starts the task.
-T --stop-task | Stops the task.
-T --suspend-task (see page 96) | Pauses the task.
-T --resume-task (see page 97) | Resumes the task.
-T --get-settings (see page 97) | Outputs task settings.
-T --set-settings | Defines task settings.
Creates a task of the specified type; imports task settings from the specified configuration file.
-T --delete-task (see page 100) | Deletes the task.
-T --get-schedule (see page 101) | Outputs task scheduling settings.
-T --del-schedule (see page 102) | Sets task scheduling settings, specified by default.
-T --show-schedule (see | Searches for past scheduled events.
Licenses management commands
-L | This prefix indicates that the command is one of a group of commands for managing licenses (optional).
-L --validate-key (see page 105) | Authenticates the license using the Kaspersky Lab database and outputs information from a key file to the console without installing the license.
-L --show-license-info (see section "Viewing information about a license prior to the key file installation" on page 106) | Outputs information about the license from the key file without installing the license.
-L --get-installed-keys (see | Outputs information about installed licenses.
-L --query-status (see page 105) | Outputs the status of installed licenses.
-L --install-active-key (see | Installs an active license.
-L --install-suppl-key (see | Installs a supplementary license.
-L --revoke-active-key (see page | Deletes an active license.
-L --revoke-suppl-key (see | Deletes a supplementary license.
Quarantine and backup storage management commands
-Q | This prefix indicates that the command is one of a group of commands for managing the quarantine and backup storage (optional).
Outputs brief storage statistics.
Displays information about storage objects.
Displays information about one object in the storage.
Restores an object from the storage.
-Q --add-object (see page 111) | Places a copy of the object in quarantine.
Deletes the object from storage.
Exports objects from storage into a specified directory.
Imports objects into the storage from a specified directory, into which they were previously exported.
-Q --mass-remove (see page | Removes some or all objects from the storage.
Logs management commands
-E | This prefix indicates that the command is one of a group of commands for managing logs (optional).
Outputs the number of events matching the filter defined in the event log or specified rotation file.
Outputs information about events matching the filter defined in the event log or specified rotation file.
Outputs to the console the time interval covered by the events stored in the event log or the specified rotation file.
Rotates the event log.
Removes events from the log or the specified rotation file.
DISPLAYING KASPERSKY ANTI-VIRUS COMMAND HELP
The kav4fs-control --help command displays Kaspersky Anti-Virus command help.
Command syntax
kav4fs-control --help [<set of Anti-Virus commands>]
Argument, keys | Description and possible values
<set of Kaspersky Anti-Virus commands> | Specify the set of Anti-Virus commands about which you want to receive information. Possible values include:
-T [--task-and-settings] – commands managing the tasks and general settings of Kaspersky Anti-Virus;
-L [--licenser] – license management commands;
-Q [--quarantine-and-backup] – quarantine and backup storage management commands;
-S [--statistics] – commands managing the Anti-Virus statistics;
-E [--event-log] – application event management commands.
STARTING KASPERSKY ANTI-VIRUS
Before taking the actions or using the commands described above, make sure that the kav4fs-supervisor service is running on the computer!
The kav4fs-control --start-app command starts Kaspersky Anti-Virus.
Command syntax
kav4fs-control --start-app
STOPPING KASPERSKY ANTI-VIRUS
Before taking the actions or using the commands described above, make sure that the kav4fs-supervisor service is running on the computer!
The kav4fs-control --stop-app command stops Kaspersky Anti-Virus.
Command syntax
kav4fs-control --stop-app
RESTARTING KASPERSKY ANTI-VIRUS
Before taking the actions or using the commands described above, make sure that the kav4fs-supervisor service is running on the computer!
The kav4fs-control --restart-app command restarts Kaspersky Anti-Virus.
Command syntax
kav4fs-control --restart-app
ENABLING EVENTS OUTPUT
The -W command enables output of Kaspersky Anti-Virus events. You can use this command either by itself, to output all
Event name and additional event information will be returned.
Command syntax
kav4fs-control -W [--file=<file name>]
Examples:
Enable output of Kaspersky Anti-Virus events:
/opt/kaspersky/kav4fs/bin/kav4fs-control -W
Enable saving of the Anti-Virus events to a file, for example, save events in a file named 081808.xml in the current directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
-W --file 081808.xml
Key | Description and possible values
--file <file name> | The log file name in which the information about Anti-Virus events will be stored. The saved log file has XML format.
QUICK SCAN OF FILES AND DIRECTORIES
The command kav4fs-control with the key --scan-file performs a quick scan of files and directories.
Command syntax
kav4fs-control --action <action> --scan-file <path to the file or directory>[ <path to the file or directory> ...]
Argument, keys | Description and possible values
--scan-file <path to file or directory> | Names of files and directories that will be quickly scanned by Kaspersky Anti-Virus.
--action <action> | Optional key. Available values:
Recommended – perform the recommended action;
Cure;
Quarantine;
Remove;
Skip.
Default value: Skip.
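The quick scan described above, wrapped for use from automation (for example a post-upload hook), as an added example that is not code from the guide or from Kaspersky Lab. The wrapper validates the --action value against the values the guide lists, rejects paths that do not exist, and only then invokes kav4fs-control. The binary path is the one the guide's examples use; the KAV4FS_CONTROL variable and the function names are introduced here.

```shell
# Added example (not from the Kaspersky guide): a validated wrapper around
#   kav4fs-control --action <action> --scan-file <path> [<path> ...]
# KAV4FS_CONTROL is an override variable introduced here; the default path is the
# one the guide's examples use.
KAV4FS_CONTROL="${KAV4FS_CONTROL:-/opt/kaspersky/kav4fs/bin/kav4fs-control}"

# kav_action_valid ACTION: succeed only for a --action value the guide documents.
kav_action_valid() {
    case "$1" in
        Recommended|Cure|Quarantine|Remove|Skip) return 0 ;;
        *) return 1 ;;
    esac
}

# kav_quick_scan ACTION PATH...: quick-scan the given files and directories.
# An empty ACTION falls back to Skip, the default the guide gives for --action.
kav_quick_scan() {
    action="${1:-Skip}"
    [ "$#" -gt 0 ] && shift
    if ! kav_action_valid "$action"; then
        echo "kav_quick_scan: unknown action '$action'" >&2
        return 2
    fi
    if [ "$#" -eq 0 ]; then
        echo "kav_quick_scan: no files or directories given" >&2
        return 2
    fi
    for p in "$@"; do
        # Catch typos before the scanner runs; a missing path would otherwise
        # surface only as a scan error in the statistics.
        if [ ! -e "$p" ]; then
            echo "kav_quick_scan: no such file or directory: $p" >&2
            return 2
        fi
    done
    # Full-form keys exactly as in the guide's syntax line; the scanner's exit
    # status is passed back to the caller.
    "$KAV4FS_CONTROL" --action "$action" --scan-file "$@"
}

# Run directly (not under the test) to scan an upload directory with the Quarantine action:
if [ "${KAV_DEMO:-0}" = 1 ]; then
    kav_quick_scan Quarantine /srv/uploads
fi
```

Setting KAV_DEMO=1 runs the demo call at the bottom; without it the file only defines the functions, so it can be sourced from other scripts.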
ROLLBACK OF KASPERSKY ANTI-VIRUS DATABASES
Kaspersky Anti-Virus creates backup copies of the original databases before it applies updates. If an update procedure is interrupted or fails, Kaspersky Anti-Virus automatically reverts to the previous database version, which contains the updates installed earlier.
If you encounter problems after a database update, you can roll back the databases to the previous version. To do this, use the task that rolls back to the previous databases.
Task start syntax
/opt/kaspersky/kav4fs/bin/kav4fs-control -R
COMMANDS FOR OBTAINING REPORTS AND STATISTICS
VIEWING APPLICATION INFORMATION
The --app-info command displays information about Kaspersky Anti-Virus.
Command syntax
kav4fs-control [-S] --app-info [--export-report=<file name>] \
[--report-type=<report file format>]
Argument, keys | Description and possible values
--export-report=<report filename> | Optional key. The file name in which the obtained information will be stored. If you specify only a file name without a path, the file will be created in the current directory. If a file with the specified name already exists at the specified path, it will be overwritten. If the specified directory does not exist on this drive, the file will not be created. You can save the file in HTML or CSV format and assign it the HTML or CSV extension. If you additionally describe the file format using the --report-type key, you can assign the file any extension.
--report-type=<report file format> | Optional key. By default, the format of the file specified by the --export-report key will be determined by its extension. Specify this key if you specified any file extension other than HTML or CSV. Possible key values: HTML, CSV.
This command outputs the following information:
Field | Description
Name | Kaspersky Anti-Virus name
Version | Kaspersky Anti-Virus version
Install date | Date and time of the last Anti-Virus installation
License state | The license state
License expire date | License expiration date
VIEWING ANTI-VIRUS ACTIVITY REPORTS
The --get-stat command displays Anti-Virus operating statistics to the console, permits generation of reports on the operation of individual Anti-Virus components over a specified time period, and allows reports to be saved in a file.
Command syntax
kav4fs-control [-S] --get-stat <Kaspersky Anti-Virus component> \
[--from=<start date>] [--to=<end date>] \
[--task-id=<task ID (only for on-demand scan and update tasks)>] \
[--export-report=<report filename>] [--report-type=<report file format>] [--use-name]
Examples:
View statistics of the Kaspersky Anti-Virus operation:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-stat Application
To view real-time protection statistics for January 2009:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-stat OAS --from=2009-01-01 --to=2009-01-31
Argument, keys | Description and possible values
<Kaspersky Anti-Virus component> | Specify the Anti-Virus component that you want to obtain statistics for. Possible values include:
Application – an application;
OAS – real-time protection;
ODS – on-demand scan;
Quarantine – quarantine;
Backup – backup storage;
Update – update.
--from=<start date> | The report starting date. You can assign the following values:
a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information starting at midnight (00:00) of the specified date;
a date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information starting at the specified time on the specified date (when specifying a date and time, enclose the whole expression in quotation marks and separate the date from the time with a space);
a time, formatted as HH:MM:SS, to obtain information starting at the specified time of the current day.
If you do not specify the --from=<start date> argument, the report will collect information from the time the Anti-Virus was installed.
--to=<end date> | The report ending date. You can assign the following values:
a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information until the specified date, inclusive;
a date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information before the specified time on the specified date (when specifying a date and time, enclose the whole expression in quotation marks and separate the date from the time with a space);
a time, formatted as HH:MM:SS, to obtain information up to the specified time of the current day.
If you do not specify the --to=<end date> argument, the report will collect information up to the current time.
--task-id=<task ID (only for on-demand scan and update tasks)> | The identification number of the Kaspersky Anti-Virus on-demand scan or update task. The report will include statistics from the task having the specified ID number for the period since the most recent start of the task. This argument is not used together with the --from=<start date> and --to=<end date> keys.
--export-report=<report filename> | Optional key. The file name in which the obtained report will be stored. If you specify only a file name without a path, the report file will be created in the current directory. If a file with the specified name already exists at the specified path, it will be overwritten. If the specified directory does not exist on this drive, the file will not be created. You can save the report file in HTML or CSV format and assign it the HTML or CSV extension. If you additionally describe the file format using the --report-type key, you can assign the file any extension.
--report-type=<report file format> | Optional key. By default, the format of the file specified by the --export-report key will be determined by its extension. Specify this key if you specified any file extension other than HTML or CSV. Possible key values: HTML, CSV.
--use-name, -N | Task name (use the task name instead of the task ID).
VIEWING REPORTS ON THE MOST COMMONLY ENCOUNTERED THREATS
The --top-viruses command displays information about which malicious programs were found in greatest numbers on the server during the specified time interval. This information is displayed on the console and may be saved in a report file.
Command syntax
kav4fs-control [-S] --top-viruses <the number of malicious programs> \
[--from=<start date>][--to=<end date>][--export-report=<file name>] \
[--report-type=<report file format>]
Examples:
To obtain information on the five most commonly encountered malicious programs found on the server in January 2009, and save a report in the /home/kavreports/2009_01_top_viruses.html file:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--top-viruses 5 --from=2009-01-01 --to=2009-01-31 \
--export-report=/home/kavreports/2009_01_top_viruses.html
Argument, keys | Description and possible values
<the number of malicious programs> | The number of malicious programs. The report will include information only on the specified number of malicious programs most commonly encountered on the server.
--from=<start date> | The report starting date. You can assign the following values:
a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information starting at midnight (00:00) of the specified date;
a date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information starting at the specified time on the specified date (when specifying a date and time, enclose the whole expression in quotation marks and separate the date from the time with a space);
a time, formatted as HH:MM:SS, to obtain information starting at the specified time of the current day.
If you do not specify the --from=<start date> argument, the report will collect information from the time the Anti-Virus was installed.
--to=<end date> | The report ending date. You can assign the following values:
a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information until the specified date, inclusive;
a date and time, formatted as YYYY-MM-DD HH:MM:SS, to obtain information before the specified time on the specified date (when specifying a date and time, enclose the whole expression in quotation marks and separate the date from the time with a space);
a time, formatted as HH:MM:SS, to obtain information up to the specified time of the current day.
If you do not specify the --to=<end date> argument, the report will collect information up to the current time.
--export-report=<report filename> | Optional key. The file name in which the obtained report will be stored. If you specify only a file name without a path, the report file will be created in the current directory. If a file with the specified name already exists at the specified path, it will be overwritten. If the specified directory does not exist on this drive, the report file will not be created. You can save the report file in HTML or CSV format and assign it the HTML or CSV extension. If you additionally describe the file format using the --report-type key, you can assign the file any extension.
--report-type=<report file format> | Optional key. By default, the format of the file specified by the --export-report key will be determined by its extension. Specify this key if you specified any file extension other than HTML or CSV. Possible key values: HTML, CSV.
COMMANDS FOR MANAGING THE ANTI-VIRUS SETTINGS AND TASKS
VIEWING GENERAL SETTINGS OF KASPERSKY ANTI-VIRUS
you can also obtain the general settings of Kaspersky Anti-Virus that are defined using command-line arguments.
You can use this command to modify the general settings of Kaspersky Anti-Virus installed on the server:
1. Save the general Anti-Virus settings to a configuration file using the --get-app-settings command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Anti-Virus using the --set-app-settings command. Kaspersky Anti-Virus will apply the new settings after you stop and then start it again using the --stop-app and --start-app commands.
You can also use the configuration file created to import the settings into Kaspersky Anti-Virus installed on another server.
Command syntax
kav4fs-control [-T] --get-app-settings [--file=<configuration file name>] [--file-format=<INI|XML>]
kav4fs-control [-T] --get-app-settings [<setting name>]
Examples:
Export the general Anti-Virus settings into a file named kav_config.xml, created in the current directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-app-settings -F kav_config.xml
Output the TraceLevel setting value:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-app-settings TraceLevel
Keys | Description and possible values
--file=<configuration file name>, -F <configuration file name> | Name of the configuration file in which the Anti-Virus settings will be saved. If you specify only a file name without a path, the configuration file will be created in the current directory. If a file with the specified name already exists at the specified path, it will be overwritten. If the specified directory does not exist on this drive, the configuration file will not be created. You can save the configuration file in XML or INI format. You can assign the file the XML or INI extension or, if you provide an additional description of the file format using the --file-format key, any extension.
--file-format=<INI|XML> | Optional key. By default, the format of the configuration file specified by the -F key will be determined by its extension. Specify this key if the configuration file's extension will be different from its format. Possible values: XML, INI.
EDITING THE GENERAL SETTINGS OF KASPERSKY ANTI-VIRUS
The --set-app-settings command modifies general Anti-Virus settings using command-line arguments or imports them from a specified configuration file (see page 154).
You can use this command to modify the general settings of Kaspersky Anti-Virus:
1. Save the general settings of Kaspersky Anti-Virus to a configuration file using the --get-app-settings command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into the Anti-Virus using the --set-app-settings command. Kaspersky Anti-Virus will apply the new configuration settings after you stop and then start it again using the --stop-app and --start-app commands, or with the help of the --restart-app command.
Command syntax
kav4fs-control [-T] --set-app-settings --file=<configuration file name> [--file-format=<INI|XML>]
kav4fs-control [-T] --set-app-settings <setting name>=<setting value> <setting name>=<setting value>
Examples:
Import the general settings into the Anti-Virus from the configuration file /home/test/kav_config.xml:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-app-settings -F /home/test/kav_config.xml
Set the level of detail in the "Important events" trace log:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--set-app-settings TraceLevel=Warning
Keys | Description and possible values
--file=<configuration file name>, -F <configuration file name> | Name of the source configuration file, which will be imported into the Anti-Virus; it includes the full path to the file.
--file-format=<INI|XML> | Optional key. By default, the format of the configuration file specified by the -F key will be determined by its extension. Specify the key if the format of the configuration file does not match its extension. Possible values: XML, INI.
VIEWING THE LIST OF KASPERSKY ANTI-VIRUS TASKS
The --get-task-list command returns the list of existing Kaspersky Anti-Virus tasks.
Command syntax
kav4fs-control [-T] --get-task-list
The following information about Kaspersky Anti-Virus tasks will be displayed:
Field | Description
Name | Task name; the user defines the name of a custom task when it is created (names of system tasks are assigned by the Anti-Virus).
Id | Task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task being created).
Class | Type of a Kaspersky Anti-Virus task. The setting can assume the following values:
tasks, which users can manage:
Update – predefined update task (ID=6);
OAS – real-time protection task (ID=8);
ODS – predefined on-demand scan task (ID=9);
QS – task for scanning of quarantined objects (ID=10);
service tasks:
EventManager – implements message exchange within the program (ID=1);
AVS – anti-virus scan service task (ID=2);
Quarantine – manages quarantine and backup (ID=3);
Statistics – collects statistics (ID=4);
License – implements the license server (ID=5);
Notifier – controls delivery of notifications and performance of configured actions upon specified events (ID=7);
EventStorage – implements the events log service (ID=11);
Snmp plugin – provides for delivery of information about the program via SNMP (ID=12).
State | Task status. Available values:
Stopped – the task is stopped;
Stopping – the task is stopping;
Started – the task is in progress;
Starting – the task is starting;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resumed – the task has been resumed;
Resuming – the task is resuming;
Failed – the task has terminated with an error.
VIEWING TASK STATE
The --get-task-state command returns the status of the specified task (for example, Running, Stopped and Paused).
Command syntax
kav4fs-control [-T] --get-task-state <task ID> [--use-name]
Command example
To obtain the status of the task with ID=9:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-task-state 9
Argument | Description and possible values
<task ID> | Specify the task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task being created). To view the Kaspersky Anti-Virus task ID numbers, use the kav4fs-control --get-task-list command (see page 92).
--use-name, -N | Task name (use the task name instead of the task ID).
The following information about the task will be displayed:
Field | Description
Name | Task name; the user defines the name of a custom task when it is created (names of system tasks are assigned by the Anti-Virus).
Id | Task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task being created).
Class | Type of a Kaspersky Anti-Virus task. The setting can assume the following values:
tasks, which users can manage:
Update – predefined update task (ID=6);
OAS – real-time protection task (ID=8);
ODS – predefined on-demand scan task (ID=9);
QS – task for scanning of quarantined objects (ID=10);
service tasks:
EventManager – implements message exchange within the program (ID=1);
AVS – anti-virus scan service task (ID=2);
Quarantine – manages quarantine and backup (ID=3);
Statistics – collects statistics (ID=4);
License – implements the license server (ID=5);
Notifier – controls delivery of notifications and performance of configured actions upon specified events (ID=7);
EventStorage – implements the events log service (ID=11);
Snmp plugin – provides for delivery of information about the program via SNMP (ID=12).
State | Task status. Available values:
Complete – the task is completed successfully;
Stopping – the task is stopping;
Started – the task is in progress;
Starting – the task is starting;
Suspended – the task is suspended;
Suspending – the task is suspending;
Resuming – the task is resuming;
Failed – the task has terminated with an error;
Interrupted by user – the task execution was interrupted by the user.
STARTING THE TASK
The --start-task command launches the task with specified ID number. This command can be used with the command-
Command syntax
kav4fs-control --start-task <task ID> [--progress] [--use-name]
Example:
Start the task with ID=6:
/opt/kaspersky/kav4fs/bin/kav4fs-control --start-task 6
Argument, keys | Description and possible values
<task ID> | Specify the task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task being created). To view Kaspersky Anti-Virus task ID numbers, use the -T --get-task-list command.
--progress | Displays task progress.
--use-name, -N | Task name (use the task name instead of the task ID).
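Starting a task from a script usually means waiting for it to finish and acting on the outcome, which combines --start-task with --get-task-state (described above) and the task states the guide documents for it. The script below is an added example, not code from the guide or from Kaspersky Lab. The guide does not show how the state word is laid out in the --get-task-state output, so the check only looks for a documented state word anywhere in that output; the binary path is the one the guide's examples use, and KAV4FS_CONTROL, KAV_POLL_SECONDS and the function names are introduced here.

```shell
# Added example (not from the Kaspersky guide): start a task by ID and wait for it
# to leave the in-progress states documented for --get-task-state.
# KAV4FS_CONTROL and KAV_POLL_SECONDS are override variables introduced here.
KAV4FS_CONTROL="${KAV4FS_CONTROL:-/opt/kaspersky/kav4fs/bin/kav4fs-control}"
KAV_POLL_SECONDS="${KAV_POLL_SECONDS:-5}"

# kav_task_state TASK_ID: print one documented state word for the task, or "Unknown"
# when none of them appears in the --get-task-state output (layout assumed, see above).
kav_task_state() {
    out=$("$KAV4FS_CONTROL" --get-task-state "$1") || return 1
    # The multi-word state is tested first; the single words do not contain one another.
    for s in "Interrupted by user" Complete Stopping Stopped Starting Started \
             Suspending Suspended Resuming Resumed Failed; do
        case "$out" in *"$s"*) echo "$s"; return 0 ;; esac
    done
    echo Unknown
}

# kav_run_task_and_wait TASK_ID [MAX_POLLS]: start the task, poll until it is no longer
# in progress, print the final state and succeed only if that state is Complete.
kav_run_task_and_wait() {
    id=$1
    max=${2:-720}    # 720 polls at the default 5 s is one hour
    "$KAV4FS_CONTROL" --start-task "$id" || return 1
    n=0
    while [ "$n" -lt "$max" ]; do
        state=$(kav_task_state "$id") || return 1
        case "$state" in
            Starting|Started|Resuming|Resumed|Stopping|Suspending)
                sleep "$KAV_POLL_SECONDS" ;;
            Suspended)
                echo "task $id is paused; resume it with --resume-task $id" >&2
                return 3 ;;
            *)
                # Complete, Stopped, Failed, Interrupted by user, or Unknown
                echo "task $id finished with state: $state"
                if [ "$state" = Complete ]; then return 0; else return 2; fi ;;
        esac
        n=$((n + 1))
    done
    echo "task $id still running after $max polls" >&2
    return 4
}

# Run directly (not under the test) to run the predefined on-demand scan task (ID=9):
if [ "${KAV_DEMO:-0}" = 1 ]; then
    kav_run_task_and_wait 9
fi
```

The exit codes (0 complete, 2 ended in another state, 3 paused, 4 timed out) let a scheduler or monitoring job tell a failed scan from one that simply took too long.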
STOPPING THE TASK
The --stop-task command stops the task with specified ID number.
Command syntax
kav4fs-control [-T] --stop-task <task ID> [--use-name]
Example:
Stop the task with ID=6:
/opt/kaspersky/kav4fs/bin/kav4fs-control --stop-task 6
Argument | Description and possible values
<task ID> | Specify the task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the kav4fs-control -T --get-task-list command.
--use-name, -N | Task name (use the task name instead of the task ID).
PAUSING THE TASK
The --suspend-task command pauses the task with the specified ID number. You can pause real-time protection and on-demand scan tasks. You cannot pause update tasks.
Command syntax
kav4fs-control [-T] --suspend-task <task ID> [--use-name]
Example:
Pause the task with ID=9:
/opt/kaspersky/kav4fs/bin/kav4fs-control --suspend-task 9
Argument | Description and possible values
<task ID> | Specify the task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the kav4fs-control -T --get-task-list command.
--use-name, -N | Task name (use the task name instead of the task ID).
RESUMING THE TASK
The --resume-task command resumes the task having the specified identification number that had been suspended using the --suspend-task command (see page 96).
Command syntax
kav4fs-control [-T] --resume-task <task ID> [--use-name]
Example:
Resume the task with ID=9:
/opt/kaspersky/kav4fs/bin/kav4fs-control --resume-task 9
Argument | Description and possible values
<task ID> | Specify the task ID number (ID, alternative name, which Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the -T --get-task-list command (see page 92).
--use-name, -N | Task name (use the task name instead of the task ID).
OBTAINING TASK SETTINGS
The --get-settings command outputs all settings of the specified task, or only the settings named in the command-line arguments.
Command syntax
kav4fs-control [-T] --get-settings <task ID> [--file=<configuration file name>] [--file-format=<INI|XML>] [--use-name]
kav4fs-control [-T] --get-settings <task ID> <INI file section name>.<setting name> [--use-name]
Examples:
Export the settings of the task with ID=9 into the /home/test/configkavscanner.xml file:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 9 -F /home/test/configkavscanner.xml
Export the settings of the task with ID=9 into the configkavscanner.xml file, located in the current directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 9 --file=configkavscanner.xml
97
ADMINISTRATOR'S GUIDE
Output to the console the value of the Path setting from the AreaPath subsection of the ScanScope section, defined in the on-demand scan task:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-settings 9 ScanScope.AreaPath.Path
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
--get-settings <task ID>
    Specify the task ID number (ID, an alternative name that Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the -T --get-task-list command.
--file=<configuration file name>, -F <configuration file name>
    The name of the configuration file in which the task settings will be saved. If you specify only a file name without a path, the configuration file is created in the current directory. If a file with the specified name already exists at the specified path, it is overwritten. If the specified directory does not exist, the configuration file is not created.
    You can save the configuration file in XML or INI format. You can give the file an XML or INI extension or, if you describe the file format with the --file-format key, any extension.
--file-format=<INI|XML>
    Optional key. By default, the format of the configuration file specified by the -F key is determined by its extension. Specify this key if you used a file extension other than XML or INI. Possible key values: XML, INI.
--use-name, -N
    Task name.
MODIFYING TASK SETTINGS
The --set-settings command sets task settings from command-line arguments or imports them from the specified configuration file.
You can import settings from a configuration file into a task that is currently running. Kaspersky Anti-Virus applies the new settings immediately in the real-time protection task, and at the next task launch for tasks of all other types.
Command syntax
kav4fs-control [-T] --set-settings <task ID> \
--file=<configuration file name> [--file-format=<INI|XML>] [--use-name]
kav4fs-control [-T] --set-settings <task ID> \
<setting name>=<setting value> <setting name>=<setting value> \
[--use-name]
Example:
Import the settings from the /home/test/config_fridayscan.xml configuration file into the task with ID=9:
/opt/kaspersky/kav4fs/bin/kav4fs-control --set-settings 9 \
--file=/home/test/config_fridayscan.xml
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
--set-settings <task ID>
    Specify the task ID number (ID, an alternative name that Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the -T --get-task-list command.
--file=<configuration file name>, -F <configuration file name>
    The name of the configuration file whose settings will be imported into the task; it includes the full path to the file.
--file-format=<INI|XML>
    Optional key. By default, the format of the configuration file specified by the -F key is determined by its extension. Specify this key if the extension of the specified file does not match its format. Possible values: XML, INI.
--use-name, -N
    Task name.
CREATING A TASK
The --create-task command creates a Kaspersky Anti-Virus task for the specified component and imports the settings from the specified configuration file into it. The command returns the ID number of the created task.
You can create new on-demand scan and update tasks.
Command syntax
kav4fs-control [-T] --create-task <task name> \
--use-task-type=<task type> [--file=<configuration file name>] \
[--file-format=<INI|XML>]
Example:
Create an on-demand scan task with the Fridayscan name; import settings from the
/home/test/config_kavscanner.xml configuration file into the task:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--create-task Fridayscan --use-task-type=ODS \
--file=/home/test/config_kavscanner.xml
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
--create-task <task name>, -C <task name>
    Assign a name to the task. The name may contain any number of ASCII characters.
--use-task-type=<task type>
    Mandatory key. Specify the type of the task being created. Available values:
    ODS - on-demand scan task;
    Update - update task.
--file=<configuration file name>, -F <configuration file name>
    Optional key. Specify the full path to an existing configuration file. Anti-Virus imports the settings described in this file into the task.
--file-format=<INI|XML>
    Optional key. By default, the format of the configuration file specified by the -F key is determined by its extension. Specify this key if the extension of the specified configuration file does not match its format. Possible values: XML, INI.
DELETING TASKS
The --delete-task command deletes the Kaspersky Anti-Virus task with the specified ID number. You can delete on-demand scan tasks (except for the Quarantine scan task) and update tasks.
You cannot delete the real-time protection task.
Command syntax
kav4fs-control [-T] --delete-task <task ID> [--use-name]
Example:
Delete the task with ID=20:
/opt/kaspersky/kav4fs/bin/kav4fs-control --delete-task 20
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
--delete-task <task ID>, -D <task ID>
    Specify the task ID number (ID, an alternative name that Kaspersky Anti-Virus assigns to a task). To view Kaspersky Anti-Virus task ID numbers, use the -T --get-task-list command.
--use-name, -N
    Task name.
OBTAINING TASK SCHEDULE SETTINGS
The -T --get-schedule command outputs the task schedule settings: either all of them, saved to a configuration file, or the individual settings named in the command-line arguments.
You can use this command to modify the task schedule:
1. Save the schedule settings to a configuration file using the -T --get-schedule command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into Kaspersky Anti-Virus using the --set-schedule command. Kaspersky Anti-Virus will apply the new schedule settings immediately.
Command syntax
kav4fs-control [-T] --get-schedule <task ID> \
[--file=<configuration file name>] [--file-format=<INI|XML>] [--use-name]
kav4fs-control [-T] --get-schedule <task ID> <parameter name> [--use-name]
Examples:
Save the schedule settings of the task with ID=9 into a file named on_demand_schedule.xml in the current directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-schedule 9 -F on_demand_schedule.xml
Output the value of the RuleType setting from the real-time protection task schedule:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--get-schedule 9 RuleType
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<task ID>
    Identification number of a Kaspersky Anti-Virus task.
--file=<configuration file name>, -F <configuration file name>
    The name of the configuration file in which the schedule settings will be saved. If you specify only a file name without a path, the configuration file is created in the current directory. If a file with the specified name already exists at the specified path, it is overwritten. If the specified directory does not exist on this drive, the configuration file is not created.
    You can save the configuration file in XML or INI format. You can give the file an XML or INI extension or, if you describe the file format with the --file-format key, any extension.
--file-format=<INI|XML>
    Optional key. By default, the format of the configuration file specified by the -F key is determined by its extension. Specify this key if the configuration file's extension differs from its format. Possible values: XML, INI.
--use-name, -N
    Task name.
MODIFYING TASK SCHEDULE SETTINGS
The -T --set-schedule command modifies task schedule settings using command-line arguments or imports them from a specified configuration file (see page 151).
You can use this command to modify the schedule settings as follows:
1. Save the schedule settings to a configuration file using the -T --get-schedule command.
2. Open the configuration file created, modify the required settings and save the changes made.
3. Import the settings from the configuration file into the Anti-Virus using the -T --set-schedule command.
Kaspersky Anti-Virus will apply the new schedule settings immediately.
Command syntax
kav4fs-control -T --set-schedule <task ID> --file=<configuration file name> \
[--file-format=<INI|XML>] [--use-name]
kav4fs-control -T --set-schedule <task ID> \
<setting name>=<setting value> <setting name>=<setting value> \
[--use-name]
Example:
Import the schedule settings from the configuration file /home/test/on_demand_schedule.xml into the task with ID=9:
/opt/kaspersky/kav4fs/bin/kav4fs-control -T \
--set-schedule 9 -F /home/test/on_demand_schedule.xml
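The export-edit-import procedure described for --get-settings/--set-settings and, just above, for --get-schedule/--set-schedule can be scripted. The following shell script is an added example, not code from the guide: it exports a task's settings or schedule to an INI file (the .ini extension selects the format, as the guide says), changes one KEY=VALUE line, keeps the exported file as a backup, and imports the result. The kav4fs-control path is the one used throughout this guide; KAV_CONTROL can be pointed at a stub for a dry run, and the INI key names used when exercising it (RuleType, StartTime) are assumptions, not keys documented on this page.

```shell
#!/bin/sh
# Added example (not from the guide): round-trip a task's settings or schedule
# through an INI configuration file (export, edit one setting, import), the
# procedure the guide describes for --get-settings/--set-settings and for
# --get-schedule/--set-schedule. KAV_CONTROL may point at a stub for dry runs.
KAV_CONTROL="${KAV_CONTROL:-/opt/kaspersky/kav4fs/bin/kav4fs-control}"

# Set KEY=VALUE in an INI-style file: replace the first matching line or append.
# Works through a temporary file so it does not depend on GNU "sed -i".
ini_set() {
    file=$1; key=$2; value=$3
    if grep -q "^${key}=" "$file"; then
        esc=$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')   # escape for the sed replacement
        sed "s/^${key}=.*/${key}=${esc}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# roundtrip_task_config KIND TASK_ID KEY VALUE
# KIND is "settings" (--get-settings/--set-settings) or "schedule"
# (--get-schedule/--set-schedule). The exported file is kept as .bak so the
# previous configuration can be re-imported with the same --set-* command.
# Prints the backup path on success.
roundtrip_task_config() {
    kind=$1; task_id=$2; key=$3; value=$4
    case "$kind" in
        settings|schedule) ;;
        *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    work=$(mktemp -d) || return 1
    cfg="$work/task-$task_id-$kind.ini"        # the .ini extension selects INI format
    # Step 1: export the current values to the file.
    "$KAV_CONTROL" -T "--get-$kind" "$task_id" -F "$cfg" || { rm -rf "$work"; return 1; }
    cp "$cfg" "$cfg.bak"
    # Step 2: modify the required setting.
    ini_set "$cfg" "$key" "$value"
    # Step 3: import. Schedule changes and real-time protection settings apply
    # immediately; other task types pick the settings up at their next launch.
    "$KAV_CONTROL" -T "--set-$kind" "$task_id" -F "$cfg" || return 1
    echo "$cfg.bak"
}
```

A typical call is `roundtrip_task_config schedule 9 RuleType Monthly`; the printed .bak path is what you pass back to `--set-schedule 9 -F` if the new schedule turns out to be wrong.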
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<task ID>
    Identification number of a Kaspersky Anti-Virus task.
--file=<configuration file name>, -F <configuration file name>
    Name of the configuration file from which the schedule parameters will be imported into the task. The file name includes its full path.
--file-format=<INI|XML>
    Optional key. By default, the format of the configuration file specified by the -F key is determined by its extension. Specify this key if the configuration file's extension differs from its format. Possible values: XML, INI.
--use-name, -N
    Task name.
DELETING THE TASK SCHEDULE
The -T --del-schedule command resets the task schedule to the settings that were specified by default during the initial configuration of Kaspersky Anti-Virus (see the Guide of Kaspersky Anti-Virus 8 for Linux).
Command syntax
kav4fs-control -T --del-schedule <task ID> [--use-name]
Example:
Reset the schedule of the task with ID=15 to the default settings:
/opt/kaspersky/kav4fs/bin/kav4fs-control -T --del-schedule 15
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<task ID>
    Identification number of a Kaspersky Anti-Virus task.
--use-name, -N
    Task name.
SEARCHING FOR SCHEDULED EVENTS
The -T --show-schedule command searches for scheduled events.
Command syntax
kav4fs-control -T --show-schedule <rule type> --from=<start date> \
--to=<end date> --task-id=<task ID> [--use-name]
Command examples
The following example shows the command to search for events in a specified time interval, together with its output.
Example:
Find events scheduled for a precise time of the first start within the range from 3/28/11 to 4/1/11:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--show-schedule Time --from=2011-03-28 --to=2011-04-01
The command output:
Events number: 2
TaskId #9, Event: Start, Date: 2011-04-05 02:00 PM:00, Start Rule: [Daily, 02:00 PM:00;; 1]
TaskId #16, Event: Start, Date: 2011-04-06 12:00 AM:00, Start Rule: [Once, 2011-04-06 12:00 AM:00]
The following example shows the command to search for the scheduled events of a specified task, together with its output.
Example:
Search for the scheduled events of the specified task:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--show-schedule Time --task-id="On-demand scan" --use-name
The command output:
Events number: 1
TaskId #9, Event: Start, Date: 2011-04-25 04:30 PM:00, Start Rule: [Monthly, 04:30 PM:00; 25]
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<rule type>
    Schedule rule type. Available values:
    Time - rules containing the time of the task start;
    StartUp - rules containing a PS condition (at Kaspersky Anti-Virus start);
    Basereload - rules containing a BR condition (upon database update).
--from=<start date>
    The report start date. You can assign the following values:
    a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information starting at midnight (00:00) of the specified date;
    a date and time in YYYY-MM-DD HH:MM:SS format, to obtain information starting at the specified time on the specified date. When specifying both date and time, enclose the whole expression in quotation marks and separate the date and time with a space;
    a time, formatted as HH:MM:SS, to obtain information starting at the specified time of the current day.
    If you omit the --from=<start date> option, the search begins at the command execution time.
--to=<end date>
    The report end date. You can assign the following values:
    a date, formatted as YYYY-MM-DD (or YYYY/MM/DD or YYYY.MM.DD), to obtain information up to the specified date, inclusive;
    a date and time in YYYY-MM-DD HH:MM:SS format, to obtain information before the specified time on the specified date. When specifying both date and time, enclose the whole expression in quotation marks and separate the date and time with a space;
    a time, formatted as HH:MM:SS, to obtain information up to the specified time of the current day.
    If you omit the --to=<end date> option, the search covers one week from the command execution time.
--task-id=<task ID>
    Identification number of the task for which the schedule search is performed.
--use-name, -N
    Task name.
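The --show-schedule output shown in the examples above is what a monitoring job has to consume to confirm that scans are actually scheduled. The script below is an added example and not code from the guide: it parses that output format (the sample is constructed to match the lines shown above), checks that the "Events number" header agrees with the number of event lines actually parsed, which catches truncated or reformatted output, and verifies that each task ID it is given has at least one Start event in the window.

```shell
#!/bin/sh
# Added example (not from the guide): parse "kav4fs-control -T --show-schedule"
# output so a monitoring job can verify that the tasks it cares about have a
# scheduled start in the queried window.

# Constructed sample in the format shown in the guide's examples.
SAMPLE_OUTPUT='Events number: 2
TaskId #9, Event: Start, Date: 2011-04-05 02:00 PM:00, Start Rule: [Daily, 02:00 PM:00;; 1]
TaskId #16, Event: Start, Date: 2011-04-06 12:00 AM:00, Start Rule: [Once, 2011-04-06 12:00 AM:00]'

# Convert event lines on stdin to "id|event|date|rule" records on stdout.
# The date field never contains a comma, so the comma-delimited capture is safe.
parse_schedule_events() {
    sed -n 's/^TaskId #\([0-9][0-9]*\), Event: \([^,]*\), Date: \([^,]*\), Start Rule: \[\(.*\)\]$/\1|\2|\3|\4/p'
}

# The event count the tool reports in its header line (empty if absent).
reported_event_count() {
    sed -n 's/^Events number: \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# verify_scheduled_starts TASK_ID... : read --show-schedule output on stdin.
# Returns 0 only if the header count matches the records parsed and every
# listed task has at least one Start event; 1 otherwise.
verify_scheduled_starts() {
    input=$(cat)
    expected=$(printf '%s\n' "$input" | reported_event_count)
    records=$(printf '%s\n' "$input" | parse_schedule_events)
    parsed=$(printf '%s\n' "$records" | grep -c '^[0-9]' || true)
    [ -n "$expected" ] && [ "$expected" -eq "$parsed" ] || return 1
    for id in "$@"; do
        printf '%s\n' "$records" | grep -q "^${id}|Start|" || return 1
    done
    return 0
}

# Usage on a live system (not run here):
#   /opt/kaspersky/kav4fs/bin/kav4fs-control -T --show-schedule Time \
#       --from=2011-03-28 --to=2011-04-01 | verify_scheduled_starts 9 16
```

The check is deliberately strict about the header count: a mismatch means the output is not what the parser expects, and a scheduling monitor should fail loudly in that case rather than report "no events" as if it were a clean result.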
LICENSE MANAGEMENT COMMANDS
VALIDATING A KEY FILE PRIOR TO INSTALLATION
The kav4fs-control --validate-key command uses Kaspersky Lab's database to verify whether a key file is genuine and was issued for Kaspersky Anti-Virus. The command outputs information about the key file to the console without installing it.
Command syntax
kav4fs-control [-L] --validate-key <path to key file>
Example:
Validate the license in file /home/test/00000001.key:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
--validate-key /home/test/00000001.key
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<path to key file>
    Path to the key file. If the key file is located in the current directory, specifying the file name is sufficient.
This command outputs the following license information.
FIELD | DESCRIPTION
Application name
    Kaspersky Anti-Virus name.
Key file creation date
    License creation date.
License expiration date
    Date when the license validity period ends, as calculated by Kaspersky Anti-Virus: the date on which the license would expire if you activated it right now, but not later than the date after which the key file becomes invalid.
License number
    License number.
License type
    License type: trial or commercial.
Usage restriction
    Usage restriction, if any: the number of objects defined in the restriction.
License period
    License validity period (in days) since the moment of the license release.
VIEWING INFORMATION ABOUT A LICENSE PRIOR TO THE KEY FILE INSTALLATION
The --show-license-info command outputs license information to the console without installing the key file.
Command syntax
kav4fs-control [-L] --show-license-info <path to key file>
Example:
Output license information from the /home/test/00000001.key file:
/opt/kaspersky/kav4fs/bin/kav4fs-control --show-license-info /home/test/00000001.key
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<path to key file>
    Path to the key file. If the key file is located in the current directory, specifying the file name is sufficient.
This command outputs the following license information.
FIELD | DESCRIPTION
Application name
    Kaspersky Anti-Virus name.
Key file creation date
    License creation date.
Key file expiration date
    This date denotes the end of the key file "shelf life", i.e. the date on which the key file becomes invalid. This date is specified when the license is issued.
License number
    License number.
License type
    License type: trial or commercial.
Usage restriction
    Usage restriction, if any: the number of objects defined in the restriction.
License period
    License validity period (in days) since the moment of the license release.
VIEWING INFORMATION ABOUT THE INSTALLED KEY FILES
The kav4fs-control --get-installed-keys command outputs information about the installed key files to the console.
Command syntax
kav4fs-control [-L] --get-installed-keys
The command displays the following information about the installed key files.
FIELD | DESCRIPTION
Activation date
    License activation date.
Expiration date
    The date on which the license expires, calculated by Kaspersky Anti-Virus when the license is installed. It falls at the end of the license validity period counted from activation, but not later than the key file expiration date.
Aggregate expiration date
    The end date of the combined active and supplementary license validity period.
Days remaining until aggregate expiration
    The number of days remaining until the end of the combined active and supplementary license validity period.
License status
    The license status; one of the following values:
    Valid - the license is valid;
    Expired - the license has expired;
    Blacklisted - the license has been blacklisted;
    Trial period is over - the license trial period has expired.
Functionality
    Anti-Virus functionality; one of the following values:
    Full functionality - the application is fully functional;
    Functioning without updates - the application runs without updates; this mode is activated upon expiration of a commercial license;
    No features - Anti-Virus performs none of its functions; this mode is activated upon expiration of a trial license.
Detailed license information:
Application name
    Kaspersky Anti-Virus name.
Key file creation date
    Date when the key file was issued.
Key file expiration date
    This date denotes the end of the key file "shelf life", i.e. the date on which the key file becomes invalid. This date is specified when the license is issued.
License number
    License number.
License type
    License type: trial or commercial.
Usage restriction
    Usage restriction, if any: the number of objects defined in the restriction.
License period
    License validity period (in days) since the moment of the license release.
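The "License status" and "Days remaining until aggregate expiration" fields above are the two a monitoring check needs: an expired or blacklisted key silently degrades the server to "Functioning without updates" or "No features". The script below is an added example, not the guide's own code. The guide lists the field names but not the exact line layout, so the assumption here is that --get-installed-keys prints each field as "Field: value" on its own line; the sample output is constructed on that assumption and the warning threshold (WARN_DAYS) is a local choice.

```shell
#!/bin/sh
# Added example (not from the guide): turn "kav4fs-control -L --get-installed-keys"
# output into a Nagios-style verdict. Field names come from the guide; the
# "Field: value" line layout is an assumption.
WARN_DAYS="${WARN_DAYS:-30}"

# Constructed sample output (assumed layout, field names from the guide).
SAMPLE_KEYS='Activation date: 2014-01-10
Expiration date: 2015-01-10
Aggregate expiration date: 2015-01-10
Days remaining until aggregate expiration: 12
License status: Valid
Functionality: Full functionality'

# Print the value of the named field from the output on stdin (first match).
field_value() {
    sed -n "s/^$1: *//p" | head -n 1
}

# Read --get-installed-keys output on stdin; print OK/WARNING/CRITICAL.
# Exit status: 0 = OK, 1 = WARNING, 2 = CRITICAL. Anything that cannot be
# parsed is CRITICAL, so a changed output format never hides an expired key.
license_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | field_value 'License status')
    days=$(printf '%s\n' "$out" | field_value 'Days remaining until aggregate expiration')
    case "$status" in
        Valid) ;;
        '')    echo "CRITICAL: no license status reported"; return 2 ;;
        *)     echo "CRITICAL: license status is '$status'"; return 2 ;;
    esac
    case "$days" in
        ''|*[!0-9]*) echo "CRITICAL: cannot read days remaining ('$days')"; return 2 ;;
    esac
    if [ "$days" -le "$WARN_DAYS" ]; then
        echo "WARNING: license expires in $days days"; return 1
    fi
    echo "OK: license valid, $days days remaining"; return 0
}

# Usage on a live system (not run here):
#   /opt/kaspersky/kav4fs/bin/kav4fs-control -L --get-installed-keys | license_verdict
```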
VIEWING THE STATUS OF INSTALLED LICENSES
The --query-status command outputs the status of installed licenses to the console.
Command syntax
kav4fs-control [-L] --query-status
ACTIVE KEY FILE INSTALLATION
The --install-active-key command installs the active key file. For details on key files, refer to the "About Kaspersky Anti-Virus key files" section (see page 61).
Command syntax
kav4fs-control [-L] --install-active-key <path to key file>
Example:
Install a license as an active license from the /home/test/00000001.key file:
/opt/kaspersky/kav4fs/bin/kav4fs-control --install-active-key /home/test/00000001.key
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<path to key file>
    Path to the key file. If the key file is located in the current directory, specifying the file name is sufficient.
SUPPLEMENTARY KEY FILE INSTALLATION
The --install-suppl-key command installs a supplementary key file. For details on key files, refer to the "About Kaspersky Anti-Virus key files" section (see page 61).
If the active key file is not installed, a supplementary key file will be installed as the active key file.
Command syntax
kav4fs-control [-L] --install-suppl-key <path to key file>
Example:
Install a supplementary license from the /home/test/00000002.key file:
/opt/kaspersky/kav4fs/bin/kav4fs-control --install-suppl-key /home/test/00000002.key
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<path to key file>
    Path to the key file. If the key file is located in the current directory, specifying the file name is sufficient.
ACTIVE KEY FILE REMOVAL
The --revoke-active-key command removes the installed active key file.
Command syntax
kav4fs-control [-L] --revoke-active-key
SUPPLEMENTARY KEY FILE REMOVAL
The --revoke-suppl-key command removes the installed supplementary key file.
Command syntax
kav4fs-control [-L] --revoke-suppl-key
QUARANTINE AND BACKUP STORAGE MANAGEMENT COMMANDS
OBTAINING BRIEF QUARANTINE OR BACKUP STORAGE STATISTICS
The --get-stat command displays the number of objects and the overall volume of data currently in the storage.
Command syntax
kav4fs-control [-Q] --get-stat [--query "<logical expression>"]
Examples:
To view brief quarantine statistics:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--get-stat --query "(OrigType!=s'Backup')"
To view brief backup storage statistics:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--get-stat --query "(OrigType==s'Backup')"
OBTAINING INFORMATION ABOUT STORAGE OBJECTS
The --query command displays information about objects currently in the storage. You can use filters.
Command syntax
kav4fs-control [-Q] --query "<logical expression>" \
[--limit=<maximum number of records>] \
[--offset=<offset from the query beginning>][--detailed]
Examples:
To display information about all storage objects:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query ""
To view information about objects in quarantine and display 51 entries starting with the 50th entry:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query "(OrigType!=s'Backup')" \
--limit=50 --offset=50
To display information about objects in the backup storage:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --query "(OrigType==s'Backup')"
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).
--limit=<maximum number of records>
    Sets a filter: the maximum number of records from the query to display.
--offset=<offset from the query beginning>
    Sets a filter: the number of records to skip from the beginning of the query results.
--detailed
    Displays additional service information about objects in the repository.
OBTAINING INFORMATION ABOUT ONE OBJECT IN THE STORAGE
The --get-one command displays information about the storage object with the specified identification number.
Command syntax
kav4fs-control [-Q] --get-one <object ID> [--detailed]
Example:
To obtain information about the object with ID=1:
/opt/kaspersky/kav4fs/bin/kav4fs-control --get-one 1
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<object ID>
    To obtain the object identification number, use the -Q --query command.
--detailed
    Displays additional service information about the object in the repository.
RESTORING OBJECTS FROM THE STORAGE
The --restore command restores the object with the specified identification number from the storage.
The creation date and time of a file restored from quarantine differ from those of the original file.
Command syntax
kav4fs-control [-Q] --restore <identification number of storage object> \
[--file=<file name and path to file>]
Examples:
To restore the object with ID=1 to its original location:
/opt/kaspersky/kav4fs/bin/kav4fs-control --restore 1
To restore the object with ID=1 to the current directory, in a file named restored.exe:
/opt/kaspersky/kav4fs/bin/kav4fs-control --restore 1 -F restored.exe
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<object ID>
    To obtain the object identification number, use the -Q --query command.
--file=<file name>, -F <file name>
    Name of the file in which Kaspersky Anti-Virus will save the object during restoration; it includes the file path.
    If you do not specify a file path, Anti-Virus saves the file in the current directory.
    If you omit this argument, Anti-Virus saves the object in its original location under its original name.
PLACING AN OBJECT IN QUARANTINE MANUALLY
The --add-object command places a copy of the object in quarantine.
Command syntax
kav4fs-control [-Q] --add-object <file name>
Example:
To place a copy of the /home/sample.exe file to quarantine:
/opt/kaspersky/kav4fs/bin/kav4fs-control --add-object /home/sample.exe
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<file name>
    The name of the file whose copy you want to place in quarantine; it includes the file path.
DELETING ONE OBJECT FROM THE STORAGE
The --remove command deletes the object with the specified identification number from the storage.
Command syntax
kav4fs-control [-Q] --remove <object ID>
Example:
To delete the object with ID=1:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --remove 1
ARGUMENT | DESCRIPTION AND POSSIBLE VALUES
<object ID>
    To obtain the object identification number, use the -Q --query command.
EXPORTING OBJECTS FROM THE STORAGE INTO A SPECIFIED DIRECTORY
The --export command exports objects from the storage to a specified directory. You may need to export objects from the storage to free space on the server. The location of the storage directory on the server is specified in the quarantine and backup storage configuration file (see page 156).
You can use filters to export only selected objects, for example, only quarantined objects.
Command syntax
kav4fs-control [-Q] --export <destination directory> \
[--query "<logical expression>"] \
[--limit=<maximum number of records>] \
[--offset=<offset from the query beginning>]
Examples:
To export all objects from the storage to the /media/flash128/avpstorage directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--export /media/flash128/avpstorage
To export 50 quarantined objects to the /media/flash128/avpstorage directory, starting with the 51st entry:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--export /media/flash128/avpstorage --query "(OrigType!=s'Backup')" \
--limit=50 --offset=50
To export all backed-up objects to the /media/flash128/avpstorage directory:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--export /media/flash128/avpstorage --query "(OrigType==s'Backup')"
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
<destination directory>
    The directory where Anti-Virus will save objects from the storage. If the directory does not exist, it will be created. You can specify a directory on a remote resource mounted on the server using SMB/CIFS or NFS.
--query="<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).
--limit=<maximum number of records>
    Sets a filter: the maximum number of records from the query to export.
--offset=<offset from the query beginning>
    Sets a filter: the number of records to skip from the beginning of the query results.
IMPORTING PREVIOUSLY EXPORTED OBJECTS INTO THE STORAGE
The --import command imports previously exported objects into the storage.
The location of the storage directory on the server is specified in the quarantine and backup storage configuration file.
Command syntax
kav4fs-control [-Q] --import <directory containing exported objects>
Example:
To import objects from the /media/flash128/avpstorage directory into the storage:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--import /media/flash128/avpstorage
CLEARING THE STORAGE
The --mass-remove command clears the storage, deleting either all or part of its contents.
Before executing this command, stop the real-time protection task and any on-demand scan tasks.
Command syntax
kav4fs-control [-Q] --mass-remove [--query="<logical expression>"] \
[--limit=<maximum number of records>] [--offset=<offset from the query beginning>]
Examples:
To delete all objects from the storage:
/opt/kaspersky/kav4fs/bin/kav4fs-control --mass-remove
To delete quarantined objects only, 50 entries, starting with the 51st entry:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q --mass-remove \
--query "(OrigType!=s'Backup')" --limit=50 --offset=50
To delete objects from the backup storage:
/opt/kaspersky/kav4fs/bin/kav4fs-control -Q \
--mass-remove --query "(OrigType==s'Backup')"
KEYS | DESCRIPTION AND POSSIBLE VALUES
--query="<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).
--limit=<maximum number of records>
    Sets a filter: the maximum number of records from the query to delete.
--offset=<offset from the query beginning>
    Sets a filter: the number of records to skip from the beginning of the query results.
LOGS MANAGEMENT COMMANDS
OBTAINING THE NUMBER OF ANTI-VIRUS EVENTS, USING A FILTER
The --count command outputs to the console the number of events stored in the event log or in the specified rotation file, using filters. This command lets you estimate the data volume that would be output if you ran the -E --query command with the same filter.
Command syntax
kav4fs-control [-E] --count "<logical expression>" [--db=<rotation file>]
Examples:
To obtain the number of Kaspersky Anti-Virus events stored in the event log:
/opt/kaspersky/kav4fs/bin/kav4fs-control --count ""
To obtain the number of Kaspersky Anti-Virus events stored in the rotation file EventStorage-2009-12-01-23-57-23.db:
/opt/kaspersky/kav4fs/bin/kav4fs-control --count "" \
--db=EventStorage-2009-12-01-23-57-23.db
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).
--db=<rotation file>
    The rotation file whose contents you want to view (this file has the .db extension).
    If you do not provide this key, Kaspersky Anti-Virus displays the number of events currently in the log.
OBTAINING INFORMATION ABOUT KASPERSKY ANTI-VIRUS EVENTS
The --query command obtains information about Kaspersky Anti-Virus events from the Kaspersky Anti-Virus event log or from a rotation file, and can save the obtained information to a file.
Command syntax
kav4fs-control -E --query "<logical expression>" \
[--db=<rotation file name>] [--limit=<maximum number of records>] \
[--offset=<offset from the query beginning>] [--file=<log filename>] \
[--file-format=<log file format>]
Example:
To view information on the most recent 50 quarantine events:
/opt/kaspersky/kav4fs/bin/kav4fs-control \
-E --query "(TaskType == s'Quarantine')" --limit=50
ARGUMENT, KEYS | DESCRIPTION AND POSSIBLE VALUES
"<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).
--db=<rotation file name>
    The rotation file from which you want to obtain event information (this file has the .db extension).
    If you do not provide this key, Kaspersky Anti-Virus displays information from the event log.
--limit=<maximum number of records>
    Sets a filter: the maximum number of records from the query to display.
--offset=<offset from the query beginning>
    Sets a filter: the number of records to skip from the beginning of the query results.
--file=<log filename>, -F <log filename>
    Optional key. The name of the file in which the Anti-Virus events will be saved. If you specify only a file name without a path, the log file is created in the current directory. If a file with the specified name already exists at the specified path, it is overwritten. If the specified directory does not exist on this drive, the log file is not created.
    You can save the log file in XML or INI format. You can give the log file an XML or INI extension or, if you describe the log file format with the --file-format key, any extension.
--file-format=<log file format>
    Optional key. By default, the format of the log file specified by the -F key is determined by its extension. Specify this key if the log file extension differs from its format.
    Possible values: XML, INI.
VIEWING THE TIME INTERVAL COVERED BY THE EVENTS REGISTERED IN THE LOG
The --period command reports the time interval during which the events stored in the event log, or in the specified rotation file, occurred.
Command syntax
kav4fs-control [-E] --period [--db=<rotation file>]
Examples:
To view the time interval covered by the events stored in the event log:
/opt/kaspersky/kav4fs/bin/kav4fs-control --period
To view the time interval covered by the events stored in the rotation file EventStorage-2009-12-01-23-57-23.db:
/opt/kaspersky/kav4fs/bin/kav4fs-control --period \
--db=EventStorage-2009-12-01-23-57-23.db
ARGUMENT AND KEYS

--db=<rotation file>
    The rotation file (extension .db) whose time interval you want to obtain. If you omit this key, Kaspersky Anti-Virus displays the information about the event log.
EVENT LOG ROTATION
The --rotate command performs forced rotation of events in the log in accordance with the RotateMethod and
RotateMoveFolder settings configured in the event log configuration file (see page 157 ).
If the RotateMethod setting has the Erase value, Kaspersky Anti-Virus deletes information about events from the log.
If the RotateMethod setting has the Move value, Kaspersky Anti-Virus transfers information about events from the log into the RotateMoveFolder directory and saves it in the rotation file.
Command syntax
kav4fs-control [-E] --rotate
REMOVING EVENT RECORDS FROM THE EVENT LOG
The --remove command deletes records about events from Kaspersky Anti-Virus log or from the specified rotation file.
You can delete all records, or just several records, by using filters.
Command syntax
kav4fs-control [-E] --remove "<logical expression>" \
[--db=<rotation file>]
Example:
To delete from the event log only the records about events that labeled detected objects as clean (the ReportCleanObjects setting was enabled):
/opt/kaspersky/kav4fs/bin/kav4fs-control -E \
--remove "((EventType==s'ObjectProcessed') and (ObjectReason==s'ObjectClean'))"
ARGUMENT AND KEYS

"<logical expression>"
    Creates a filter consisting of a logical expression (see page 117).

--db=<rotation file>
    The rotation file (extension .db) from which the records are deleted. If you omit this key, Kaspersky Anti-Virus deletes the records from the Kaspersky Anti-Virus event log.
LIMITING SELECTIONS USING FILTERS
LOGICAL EXPRESSIONS
You can use a logical expression as an argument, or as the value of the --query parameter, in the following commands to limit the information the command selects:
obtaining information about Kaspersky Anti-Virus events: -E --query "<logical expression>";
obtaining the number of Kaspersky Anti-Virus events: -E --count "<logical expression>";
removing event records from the event log: -E --remove "<logical expression>";
obtaining information about objects in quarantine or in the backup storage: -Q --query "<logical expression>";
obtaining concise statistical information about objects in quarantine or in the backup storage: -Q --get-stat --query "<logical expression>" (see page 109);
selective export of objects from quarantine or from the backup storage: -Q --export --query "<logical expression>";
selective removal of objects from quarantine or from the backup storage: -Q --mass-remove --query "<logical expression>".
You can specify several filters, combining them with the logical "AND" or "OR" operators. Enclose each filter in parentheses and enclose the whole logical expression in quotes.
You can sort the selected objects by any field in ascending or descending order; the -E --query command does not support the order element.
Syntax
"(<field> <comparison operator> <type>'<value>'){<field> <order>}"
"((<field> <comparison operator> <type>'<value>') <logical operator> (<field> <comparison operator> <type>'<value>')){<field> <order>}"
Example:
Obtain information about quarantined objects having the danger level High:
-Q --query "(DangerLevel == s'High')"
ELEMENTS

<comparison operator>
    >     is greater than
    <     is less than
    ==    is equal to
    !=    is not equal to
    >=    is greater than or equal to
    <=    is less than or equal to
    like  matches the specified pattern

<logical operator>
    and   logical "AND"
    or    logical "OR"

{<field> <order>}
    Output order. The option is not used with the -E --query command.
    You can sort on any field in ascending or descending order. For the -Q --query, -Q --get-stat and -Q --mass-remove commands you can specify as fields the parameters of objects in storage (see page 118).
    The order can assume the following values:
    a     ascending
    d     descending

<type>
    i     numerical
    s     line-oriented (string)
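The filter grammar above is small enough to implement in full. The following Python module is an added example, not code from Kaspersky Anti-Virus or from this guide: it tokenizes and parses the documented expression form, builds a predicate from it, applies the optional {<field> <order>} clause and the --limit/--offset semantics, and runs the result over a few constructed sample records shaped like event-log fields. It is useful for checking an expression before handing it to kav4fs-control, and for re-filtering a log that was exported with --file offline. Two points the page does not specify are assumed here and marked in the code: a value runs to the next single quote (no escaping), and the 'like' operator is treated as a shell-style mask with * and ?.

```python
"""Parse and evaluate kav4fs-control filter expressions on local records.
Added example, not Kaspersky code. Grammar as documented on this page: groups of
(<field> <op> <type>'<value>') joined by and/or inside parentheses, plus an optional
{<field> a|d} order clause. Assumed (the page does not say): a value runs to the
next single quote, and 'like' is a shell-style mask with * and ?."""
import fnmatch, operator, re

# One token per match: bracket, comparison operator, typed literal, bare word, or a
# stray character (group 'bad') that makes the whole expression invalid.
_TOKEN = re.compile(r"\s*(?:(?P<paren>[(){}])|(?P<op>>=|<=|==|!=|>|<)"
                    r"|(?P<lit>[si]'[^']*')|(?P<word>[A-Za-z_]\w*)|(?P<bad>\S))")
_COMPARE = {">": operator.gt, "<": operator.lt, "==": operator.eq, "!=": operator.ne,
            ">=": operator.ge, "<=": operator.le, "like": fnmatch.fnmatchcase}
_LOGIC = {"and": lambda l, r: (lambda rec: l(rec) and r(rec)),
          "or": lambda l, r: (lambda rec: l(rec) or r(rec))}

class FilterError(ValueError):
    """Input does not follow the documented syntax."""

def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):
        if m.lastgroup == "bad":
            raise FilterError("unexpected %r at offset %d" % (m.group("bad"), m.start("bad")))
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens

class Parser:
    """Recursive descent over the tokens; parse() returns (predicate, order)."""
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise FilterError("expected %s, got %r" % (value or kind, v))
        self.i += 1
        return v
    def parse(self):
        pred, order = self.group(), None
        if self.peek() == ("paren", "{"):           # optional {<field> <order>}
            self.take("paren", "{")
            order = (self.take("word"), self.take("word"))
            if order[1] not in ("a", "d"):
                raise FilterError("order must be a or d")
            self.take("paren", "}")
        if self.peek() != (None, None):
            raise FilterError("trailing input %r" % (self.peek()[1],))
        return pred, order
    def group(self):  # '(' condition ')'  |  '(' group ((and|or) group)* ')'
        self.take("paren", "(")
        if self.peek() == ("paren", "("):
            pred = self.group()
            while self.peek()[0] == "word" and self.peek()[1].lower() in _LOGIC:
                pred = _LOGIC[self.take("word").lower()](pred, self.group())
        else:
            pred = self.condition()
        self.take("paren", ")")
        return pred
    def condition(self):  # <field> <op> <type>'<value>'
        field, (kind, op) = self.take("word"), self.peek()
        if kind != "op" and (kind, op) != ("word", "like"):
            raise FilterError("expected comparison operator, got %r" % (op,))
        self.i += 1
        lit = self.take("lit")
        typ, raw = lit[0], lit[2:-1]
        try:
            value = int(raw) if typ == "i" else raw
        except ValueError:
            raise FilterError("i-typed value must be an integer: %r" % raw) from None
        cmp = _COMPARE[op]
        def pred(rec):
            try:  # coerce the stored value to the type the literal declares
                actual = int(rec[field]) if typ == "i" else str(rec[field])
            except (KeyError, TypeError, ValueError):
                return False
            return cmp(actual, value)
        return pred

def select(expression, records, limit=None, offset=0):
    """Apply the filter, its order clause and --limit/--offset to records."""
    pred, order = Parser(expression).parse()
    rows = [r for r in records if pred(r)]
    if order:
        rows.sort(key=lambda r: (r.get(order[0]) is None, r.get(order[0])),
                  reverse=order[1] == "d")
    rows = rows[offset:]
    return rows if limit is None else rows[:limit]

# Constructed sample records shaped like event-log fields; not real kav4fs output.
SAMPLE_EVENTS = [
    {"EventId": 1, "EventType": "ApplicationStarted", "TaskType": "EventManager"},
    {"EventId": 2, "EventType": "ThreatDetected", "TaskType": "OAS", "ThreatName": "EICAR-Test-File"},
    {"EventId": 3, "EventType": "ObjectSavedToQuarantine", "TaskType": "Quarantine"},
    {"EventId": 4, "EventType": "ObjectProcessed", "TaskType": "ODS", "ObjectReason": "ObjectClean"},
    {"EventId": 5, "EventType": "ObjectSavedToQuarantine", "TaskType": "Quarantine"},
]
```

Calling Parser(expression).parse() is the validation step: it raises FilterError for anything outside the grammar, such as a missing outer parenthesis, an unbalanced quote, or a stray character. That matters when a field value comes from an untrusted source, because the examples on this page pass the expression to the shell inside double quotes; validate it first and hand it to kav4fs-control as a single argument vector element rather than interpolating it into a command string. The order clause in select() mirrors the -Q commands, since the page states that -E --query ignores it.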
OBJECT PARAMETERS IN QUARANTINE / BACKUP STORAGE
You can filter objects in the quarantine / backup storage by the fields described in the following table.
Table 16. Object parameters in quarantine/backup storage

FIELD (TYPE): DESCRIPTION AND POSSIBLE VALUES

Filename (s)
    The file name and the full path to the file. You can use masks with the aid of the 'like' comparison operator.

OrigType (s), Type (s)
    OrigType – the state of the object, assigned when the object is placed in the storage.
    Type – the state of an object in quarantine after it has been scanned using updated databases.
    Possible values include:
    Clean – not infected;
    Backup – a backup copy;
    Infected – infected;
    UserAdded – added by a user;
    Error – an error occurred while scanning the object;
    PasswordProtected – password-protected;
    Corrupted – corrupted;
    Curable – the object may be disinfected.

OrigVerdict (s), Verdict (s)
    OrigVerdict – type of threat detected in the object when the object was placed in the storage.
    Verdict – type of threat detected in the quarantined object after scanning with updated databases.
    Possible values include:
    Virware – classic viruses and network worms;
    Trojware – Trojan programs;
    Malware – other malicious programs;
    Adware – advertising software;
    Pornware – pornographic software;
    Riskware – potentially dangerous software.

OrigDangerLevel (s), DangerLevel (s)
    OrigDangerLevel – danger level of the threat detected in an object when the object was placed in the storage.
    DangerLevel – danger level of the threat in the quarantined object after scanning with updated databases.
    The danger level depends on the type of threat contained in the object and may assume the following values:
    High – the object may contain a threat of the network worm, classic virus, or Trojan type;
    Medium – the object may contain some other malicious program, adware, or a program with pornographic content;
    Low – the object may contain a threat of the riskware type;
    Info – the object was quarantined by the user.

OrigDetectCertainty (s), DetectCertainty (s)
    OrigDetectCertainty – the state of a detected object upon its placement in the storage.
    DetectCertainty – the state Anti-Virus assigns to an object in quarantine after scanning it using updated databases.
    Possible values include:
    Sure – the object is classified as infected;
    Suspicion – the object is classified as suspicious (it was found by the Heuristic Analyzer);
    Warning – the object has the status "Warning" (its code partly coincides with the code of a known threat; a false alarm is possible).

UID (i)
    The ID (UID) of the user that created the object.

GID (i)
    The ID (GID) of the group to which the user who created the object belongs.

Mode (i)
    Access permissions.

AddTime (s)
    The date and time the object was placed in storage, in "YYYY-MM-DD HH:MM:SS" format.
    If you specify the date but not the time, the time is taken as 00:00:00.
    If you specify the time but not the date, the current date is used.
    If you specify an empty value, (AddTime== s''), the current date and time are used.

Size (i)
    Original size of the object, in bytes.

OrigThreatName (s), ThreatName (s)
    OrigThreatName – the name of the threat, according to the Kaspersky Lab classification, found in the object when the object was placed in the storage.
    ThreatName – the name of the threat detected in the quarantined object after scanning with updated databases.
    You can use masks with the aid of the 'like' comparison operator.

Compound (s)
    Indicates whether the object is a compound object. Possible values include:
    yes – the object is a compound object;
    no – the object is not compound.
ANTI-VIRUS EVENTS AND THEIR DATA
You can filter Anti-Virus events by their settings. Table 17 lists the Anti-Virus events; Table 18 describes the event settings.

Table 17. Events

#  EVENT NAME / DESCRIPTION / SETTINGS

1. ApplicationStarted
   Kaspersky Anti-Virus is running; the event occurs after all tasks necessary for the Anti-Virus are started.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

2. ApplicationSettingsChanged
   General settings of Kaspersky Anti-Virus have been changed.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

3. LicenseInstalled
   The license is installed.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

4. LicenseNotInstalled
   A license installation error has occurred.
   Settings: Date, EventId, EventType, RuntimeTaskID, KeySerial, TaskName, TaskType

5. LicenseRevoked
   The license has been successfully revoked.
   Settings: Date, EventId, EventType, RuntimeTaskID, KeySerial, TaskName, TaskType

6. LicenseNotRevoked
   A license revocation error has occurred.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

7. LicenseExpired
   The license period has expired.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskName, TaskType

8. LicenseExpiresSoon
   The license period will soon expire.
   Settings: Date, EventId, EventType, RuntimeTaskID, DaysLeft, TaskName, TaskType

9. LicenseError
   Licensing subsystem internal error.
   Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

10. AVBasesAttached
    Kaspersky Anti-Virus databases have been installed successfully after an update.
    Settings: Date, EventId, EventType, RuntimeTaskID, AVBasesDate, TaskId, TaskName, TaskType

11. AVBasesAreOutOfDate
    Kaspersky Anti-Virus databases are outdated.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

12. AVBasesAreTotallyOutOfDate
    Kaspersky Anti-Virus databases are obsolete.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

13. AVBasesIntegrityCheckOK
    Integrity check of Kaspersky Anti-Virus databases completed successfully.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

14. AVBasesIntegrityCheckFailed
    Kaspersky Anti-Virus databases are damaged.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

15. AVBasesApplied
    Kaspersky Anti-Virus databases applied.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

16. UpdateSourceSelected
    An update source has been selected.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

17. UpdateSourceNotSelected
    An update source connection error has occurred.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

18. NothingToUpdate
    No update is required. This event occurs if the version of the database updates installed on the computer corresponds to or is newer than the version of the database updates on the update source.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

19. UpdateError
    An error occurred while updating.
    Settings: Date, EventId, EventType, ModuleName, RuntimeTaskID, TaskId, TaskName, TaskType

20. ModuleDownloaded
    A program module has been downloaded.
    Settings: Date, EventId, EventType, ModuleName, RuntimeTaskID, TaskId, TaskName, TaskType

21. ModuleNotDownloaded
    A program module downloading error has occurred.
    Settings: Date, EventId, EventType, ModuleName, RuntimeTaskID, TaskId, TaskName, TaskType

22. ModuleRetranslated
    A program module has been successfully copied for distribution.
    Settings: Date, EventId, EventType, ModuleName, RuntimeTaskID, TaskId, TaskName, TaskType

23. ModuleNotRetranslated
    A program module copying error has occurred.
    Settings: Date, EventId, EventType, ModuleName, RuntimeTaskID, TaskId, TaskName, TaskType

24. TaskStateChanged
    The task state has changed.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskState, TaskType

25. TaskSettingsChanged
    The task settings have changed.
    Settings: Date, EventId, EventType, RuntimeTaskID, PersistentTaskId, TaskName, TaskType

26. PackedObjectDetected
    A packed object has been detected.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, PackerName, FileName, FileOwner, FileOwnerId, ObjectName, ObjectSource, RuntimeTaskID, TaskId, TaskName, TaskType

27. ThreatDetected
    A threat has been detected.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, DetectCertainty, FileName, FileOwner, FileOwnerId, ObjectName, RuntimeTaskID, TaskId, TaskName, TaskType, ThreatName, VerdictType

28. ObjectProcessed
    The object has been processed.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectName, ProcessResult, RuntimeTaskID, TaskId, TaskName, TaskType

29. ObjectNotProcessed
    The object has not been processed.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectName, RuntimeTaskID, SkipReason, TaskId, TaskName, TaskType

30. ObjectProcessingError
    A processing error has occurred.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectName, ObjectProcessError, RuntimeTaskID, TaskId, TaskName, TaskType

31. ObjectDisinfected
    The object has been disinfected.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectName, RuntimeTaskID, TaskId, TaskName, TaskType

32. ObjectNotDisinfected
    The object has not been disinfected.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectNotDisinfectedReason, RuntimeTaskID, TaskId, TaskName, TaskType

33. ObjectDeleted
    The object has been deleted.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, RuntimeTaskID, TaskId, TaskName, TaskType

34. ObjectBlocked
    The real-time protection task has denied the accessing application access to the object.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, RuntimeTaskID, TaskId, TaskName, TaskType

35. ObjectActionsCompleted
    Action on an infected object completed.
    Settings: Date, EventId, EventType, AccessHost, AccessUser, AccessUserId, FileName, FileOwner, FileOwnerId, ObjectReason, ObjectActionsCompletedReason, ObjectSource, RuntimeTaskID, TaskId, TaskName, TaskType

36. ObjectSavedToQuarantine
    The object has been quarantined.
    Settings: Date, EventId, EventType, DangerLevel, DetectCertainty, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType, VerdictType

37. ObjectSavedToBackup
    The object was placed in Backup.
    Settings: Date, EventId, EventType, DangerLevel, DetectCertainty, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType, VerdictType

38. ObjectRemovedFromQuarantine
    The object was deleted from quarantine.
    Settings: Date, EventId, EventType, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType

39. ObjectRemovedFromBackup
    The object has been removed from backup.
    Settings: Date, EventId, EventType, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType

40. ObjectRestoredFromQuarantine
    The object has been restored from quarantine.
    Settings: Date, EventId, EventType, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType

41. ObjectRestoredFromBackup
    The object has been restored from backup.
    Settings: Date, EventId, EventType, FileName, QuarantineId, QuarantineObjectType, RuntimeTaskID, TaskId, TaskName, TaskType

42. QuarantineSizeLimitReached
    The maximum size of quarantine and backup has been reached.
    Settings: Date, EventId, EventType, FileName, RuntimeTaskID, TaskId, TaskName, TaskType

43. QuarantineSoftSizeLimitExceeded
    The quarantine size defined by the QuarantineSoftSizeLimit setting has been reached.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

44. QuarantineObjectCorrupted
    The object in quarantine is corrupted.
    Settings: Date, EventId, EventType, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType

45. QuarantineObjectCurable
    The quarantined object can be disinfected.
    Settings: Date, EventId, EventType, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType

46. QuarantineObjectFalseDetect
    After rescanning a quarantined object, Kaspersky Anti-Virus has recognized a suspicious or infected object as clean.
    Settings: Date, EventId, EventType, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType

47. QuarantineObjectPasswordProtected
    The quarantined object is password protected.
    Settings: Date, EventId, EventType, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType

48. QuarantineObjectProcessingError
    Error while processing a quarantined object.
    Settings: Date, EventId, EventType, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType

49. QuarantineThreatDetected
    The quarantined object is infected.
    Settings: Date, EventId, EventType, DetectCertainty, FileName, QuarantineId, RuntimeTaskID, TaskId, TaskName, TaskType, VerdictType

50. ObjectAddToQuarantineFailed
    Error adding an object to quarantine.
    Settings: Date, EventId, EventType, Description, FileName, RuntimeTaskID, TaskId, TaskName, TaskType

51. ObjectAddToBackupFailed
    Error while adding an object to the backup storage.
    Settings: Date, EventId, EventType, Description, FileName, RuntimeTaskID, TaskId, TaskName, TaskType

52. RetranslationError
    Error while copying updates.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

53. AVBasesRollbackCompleted
    Rollback of Kaspersky Anti-Virus databases completed successfully.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

54. AVBasesRollbackError
    Error while rolling back the databases of Kaspersky Anti-Virus.
    Settings: Date, EventId, EventType, RuntimeTaskID, TaskId, TaskName, TaskType

55. OASTaskError
    Real-time protection task error.
    Settings: Date, Error, EventId, EventType, Info, RuntimeTaskID, TaskId, TaskName, TaskType

56. ODSTaskError
    On-demand scan task error.
    Settings: Date, Error, EventId, EventType, Info, RuntimeTaskID, TaskId, TaskName, TaskType

57. EventsErased
    Events erased.
    Settings: Date, BeginDate, EndDate, EventId, EventType, Reason, RuntimeTaskID, TaskId, TaskName, TaskType

58. EventsMoved
    Events moved.
    Settings: Date, BeginDate, EndDate, EventId, EventType, Path, Reason, RuntimeTaskID, TaskId, TaskName, TaskType

Table 18. Event settings

SETTING (TYPE): DESCRIPTION

AccessHost (s)
    Name of the remote computer if the file is accessed over the SMB/CIFS protocol.

AccessUser (s)
    Name of the user initiating access to the file.

AccessUserId (i)
    ID of the user initiating access to the file.

AVBasesDate (s)
    Release date of the latest installed database updates.

BeginDate (s)
    Date from which events are deleted or moved.

DangerLevel (s)
    OrigDangerLevel – danger level of the threat detected in an object when the object was placed in the storage.
    DangerLevel – danger level of the threat in the quarantined object after scanning with updated databases.
    The danger level depends on the type of threat contained in the object and may assume the following values:
    High – the object may contain a threat of the network worm, classic virus, or Trojan type;
    Medium – the object may contain some other malicious program, adware, or a program with pornographic content;
    Low – the object may contain a threat of the riskware type;
    Info – the object was quarantined by the user.

Date (s)
    Date and time of the event.

DetectCertainty (OrigDetectCertainty) (s)
    OrigDetectCertainty – the state of a detected object upon its placement in the storage.
    DetectCertainty – the state Anti-Virus assigns to an object in quarantine after scanning it using updated databases.
    The state of the detected object:
    Sure – the object is classified as infected;
    Suspicion – the object is classified as suspicious (it was found by the Heuristic Analyzer);
    Warning – the object has the status "Warning" (its code partly coincides with the code of a known threat; a false alarm is possible).

EndDate (s)
    Date before which events are deleted or moved.

Error (s)
    Type of error. Possible values include:
    IncorrectUser – a non-existent user is given in the task settings; the user name is in the Info field;
    IncorrectGroup – a non-existent group is given in the task settings; the group name is in the Info field;
    IncorrectPath – an incorrect scan path is given in the task settings; the path is in the Info field;
    InterceptorNotFound – the interceptor module could not be loaded when the task was launched.

Filename (s)
    Full file name.

FileOwner (s)
    Name of the user who owns the file.

FileOwnerId (i)
    ID of the user who owns the file.

Host (s)
    The network name of the remote computer (connected via SMB/CIFS) that accessed the object when the Anti-Virus interception occurred.

Info (s)
    Additional information about the error.

ModuleName (s)
    Name of the Kaspersky Anti-Virus module that generated the event.

ObjectName (s)
    The name of the object related to the event.

ObjectNotDisinfectedReason (s)
    The reason why an object was not disinfected:
    Unknown – the reason is unknown;
    InternalError – the task experienced an internal error;
    ObjectNotCurable – an object of this type cannot be disinfected;
    ObjectNotFound – the object was not found;
    ObjectReadOnly – the Anti-Virus has only read access to the object.

ObjectProcessError (s)
    The type of error that occurred during object scanning:
    Unknown, InternalError, ObjectNotCurable, ObjectNoRights, ObjectIOError, OutOfSpace, ObjectNotFound, ObjectReadOnly, SystemError.

ObjectReason (s)
    Result of the actions on the object. Possible values include:
    Cured – the object was disinfected;
    Removed – the object was deleted;
    Quarantined – the object was moved to quarantine;
    Skipped – the object was skipped;
    AllActionsFailed – all actions on the object ended with an error.

ObjectSource (s)
    Source of the infected file:
    LocalFile – local file system;
    RemoteNfsFile – remote resource accessed over the NFS protocol;
    RemoteSambaFile – remote resource accessed over the SMB/CIFS protocol.

Path (s)
    Path to the file into which events have been moved.

QuarantineId (i)
    The identifier assigned by Anti-Virus to an object in the storage.

Reason (s)
    Reason why events were moved or deleted:
    Date – moved or deleted by date;
    Manual – moved or deleted by user command;
    Size – moved or deleted because of the size of the event database.

RuntimeTaskId (i)
    Unique identifier of the task session during which the event occurred. It is refreshed at every task launch.

TaskName (s)
    Name of the task during which the event occurred.

TaskState (s)
    Task state:
    Stopped – the task is stopped;
    Stopping – the task is stopping;
    Started – the task is in progress;
    Starting – the task is starting;
    Suspended – the task is suspended;
    Suspending – the task is suspending;
    Resumed – the task has been resumed;
    Resuming – the task is resuming;
    Failed – the task has terminated with an error.

TaskType (s)
    Type of the Kaspersky Anti-Virus task. The setting can assume the following values:
    tasks that users can manage:
    Update – predefined update task (ID=6);
    OAS – real-time protection task (ID=8);
    ODS – predefined on-demand scan task (ID=9);
    QS – task for scanning quarantined objects (ID=10);
    service tasks:
    EventManager – implements message exchange within the program (ID=1);
    AVS – anti-virus scan service task (ID=2);
    Quarantine – manages quarantine and backup (ID=3);
    Statistics – collects statistics (ID=4);
    License – implements the license server (ID=5);
    Notifier – controls delivery of notifications and performance of configured actions upon specified events (ID=7);
    EventStorage – implements the event log service (ID=11);
    Snmp plugin – provides delivery of information about the program via SNMP (ID=12).

ThreatName (s)
    The name of the threat detected in the object related to the event.

Type (OrigType) (s)
    OrigType – the state of the object, assigned when the object is placed in the storage.
    Type – the state of an object in quarantine after it has been scanned using updated databases.
    Possible values include:
    Clean – not infected;
    Backup – a backup copy;
    Infected – infected;
    UserAdded – added by a user;
    Error – an error occurred while scanning the object;
    PasswordProtected – password-protected;
    Corrupted – corrupted;
    Curable – the object may be disinfected.
ANTI-VIRUS CONFIGURATION FILE SETTINGS
You can create Anti-Virus configuration files either in INI or in XML format.
This section describes the structure and settings of Anti-Virus INI configuration files.
RULES FOR EDITING KASPERSKY ANTI-VIRUS INI CONFIGURATION FILES
The following rules must be observed when editing the configuration file:
If a setting belongs to a section, place it in that section only. Preserve the order and nesting of sections. Within one section you can place the settings in any order.
If you omit a setting, Kaspersky Anti-Virus applies its default value, if one exists.
Place section names in square brackets [ ].
Enter settings in the name=value format (spaces between the setting name and its value are ignored).
Example:
[ScanScope]
AreaDesc="Scan sdc"
AreaMask=re:\.exe
Some settings take only one value while others take several. To specify several values, repeat the setting once for each value.
Example:
AreaMask=re:home/.*/Documents/
AreaMask=re:.*\.doc
Setting names are not case sensitive.
Values of the following setting types are case sensitive:
names (masks, regular expressions) of scanned objects and exclusion objects;
names (masks, regular expressions) of threats;
user names;
user group names.
Other setting values are not case sensitive.
You can write Boolean setting values as yes/no, true/false or 1/0.
Put in quotes text values that contain spaces (for example, names of files and directories and their paths, or expressions containing a date and time in the YYYY-MM-DD HH:MM:SS format).
Example:
AreaDesc="Scan mail databases"
Other values can be entered either with or without quotes.
Example:
AreaMask="re:home/.*/Documents/"
AreaMask=re:home/.*/Documents/
A single quote at the beginning or at the end of a line is treated as an error.
If the text value is in quotes, any printable characters within the value, including quotes, spaces and tab characters, are part of the value.
Example:
AreaDesc="Scanning "useless" documents"
Space and tab characters are ignored in the following cases:
before the first quote and after the last quote of a text value;
at the beginning and at the end of a text value that is not in quotes.
You can use comments. A comment is a line starting with the ; or # character. While importing task settings (see
REAL-TIME PROTECTION AND ON-DEMAND SCAN TASK SETTINGS
This section describes the settings that you can import into real-time protection and on-demand scan tasks.
You can use a configuration file with the described settings to change the settings of an existing real-time protection (on-demand scan) task, or to create a new task.
any text editor, modify the settings as required, save the file, and then import the settings from the file into the task (see
Structure of the real-time protection (on-demand scan) task INI configuration file
The real-time protection (on-demand scan) task configuration file consists of a set of sections. The file sections describe one or several scan areas and the security settings used by the Anti-Virus when scanning the specified areas.
The [ScanScope] section contains the name of the scan area and limits the scan area.
The [ScanScope:AreaPath] section describes the path to the directory being scanned. Its format differs from the format of other sections of the INI configuration file. You must specify at least one scan area to start the task.
The [ScanScope:ScanSettings] section and its [ScanScope:ScanSettings:AdvancedActions] subsection describe the security settings that Kaspersky Anti-Virus will use for the scan area specified in the [ScanScope:AreaPath] section. If you do not define settings of these sections, Kaspersky Anti-Virus will scan the specified area using default settings.
If you want to specify several scan areas, first specify the settings of the [ScanScope], [ScanScope:AreaPath], [ScanScope:AccessUser] (only for real-time protection) and [ScanScope:ScanSettings] sections for one area, then repeat this step for each additional area:
[ScanScope]
area 1
...
[ScanScope:AreaPath] the path to the directory specified in area 1
...
[ScanScope:AccessUser]
(only for real-time protection tasks) list of area 1 users
...
[ScanScope:ScanSettings] security settings for area 1
...
[ScanScope:ScanSettings:AdvancedActions] additional security settings for area 1
...
[ScanScope]
area 2
...
[ScanScope:AreaPath] area 2: the path to the directory specified in area 2
...
[ScanScope:AccessUser]
(only for real-time protection tasks) list of area 2 users
...
[ScanScope:ScanSettings] security settings for area 2
...
[ScanScope:ScanSettings:AdvancedActions] additional security settings for area 2
...
Anti-Virus scans areas in the order specified in the configuration file.
Note that if a file belongs to several of the specified scan areas, Kaspersky Anti-Virus scans it only once, using the security settings of the first scan area in which the file appears. Order therefore matters: an area for a subdirectory must precede the area for the parent directory that also contains it.
You may need a subdirectory to have security settings that differ from those of its parent directory. For example, you want to scan the /home/ directory using the regular expression re:.*\.doc and delete infected objects found there, but scan objects in the /home/dir1/ subdirectory using the same regular expression and disinfect the infected objects found there.
To achieve this, specify the scan areas in the configuration file as follows:
[ScanScope]
Subdirectory
AreaMask="re:.*\.doc"
[ScanScope:AreaPath]
/home/dir1/
[ScanScope:ScanSettings]
InfectedFirstAction=Cure
...
[ScanScope]
Parent directory
AreaMask="re:.*\.doc"
[ScanScope:AreaPath]
/home/
[ScanScope:ScanSettings]
InfectedFirstAction=Remove
...
Anti-Virus will attempt to cure the infected re:.*\.doc files in the /home/dir1/ directory and will delete remaining infected re:.*\.doc files in the /home/ directory.
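As an added example, not code from Kaspersky Anti-Virus or from this guide, the following Python module implements the editing rules from the "Rules for editing" section (section names in square brackets, repeated settings, quoted values with embedded quotes, the unbalanced-quote error, ; and # comments, case-insensitive setting names, yes/no, true/false and 1/0 Booleans) and then resolves which scan area applies to a given file, reproducing the first-match rule illustrated above with the /home/ and /home/dir1/ areas. Points the page leaves open are assumed and labelled in the code: the path line of [ScanScope:AreaPath] is stored as a raw entry, an re: mask is applied with re.search to the full path and any other mask with shell-style matching, and when AreaMask is repeated, matching any one value is enough. ScanArchived is an assumed setting name used only to exercise the Boolean parser.

```python
"""Parser for the INI dialect described above, plus a resolver that picks the scan
area applying to a file (the first matching area wins). Added example, not Kaspersky
code. Assumed, since the page does not say: a line without '=' inside a section (the
[ScanScope:AreaPath] form) is stored under the key None; an 're:' mask is tested with
re.search on the full path and any other mask with fnmatch; for a repeated AreaMask,
matching any one value is enough."""
import fnmatch
import re

_BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}

class IniError(ValueError):
    """The text breaks one of the editing rules."""

def _unquote(raw, lineno):
    value = raw.strip()                      # whitespace outside quotes is ignored
    if len(value) >= 2 and value[0] == '"' == value[-1]:
        return value[1:-1]                   # inner text kept verbatim, quotes included
    if value.startswith('"') or value.endswith('"'):
        raise IniError("line %d: single quote at the start or end of %r" % (lineno, raw))
    return value

def parse_ini(text):
    """Ordered list of (section name, settings); settings maps the lowercase setting
    name to the list of its values, because a setting may be repeated."""
    sections, current = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":  # blank line or comment
            continue
        if stripped[0] == "[" and stripped[-1] == "]":
            current = {}
            sections.append((stripped[1:-1], current))
        elif current is None:
            raise IniError("line %d: value outside any section" % lineno)
        elif "=" in stripped:
            name, _, raw = stripped.partition("=")
            current.setdefault(name.strip().lower(), []).append(_unquote(raw, lineno))
        else:                                    # path line of [ScanScope:AreaPath]
            current.setdefault(None, []).append(_unquote(stripped, lineno))
    return sections

def as_bool(value):
    """Booleans may be written yes/no, true/false or 1/0, case-insensitively."""
    if value.lower() not in _BOOL:
        raise IniError("not a boolean: %r" % value)
    return _BOOL[value.lower()]

def scan_areas(sections):
    """Attach each [ScanScope:...] subsection to the [ScanScope] preceding it."""
    areas = []
    for name, settings in sections:
        if name == "ScanScope":
            areas.append({name: settings})
        elif name.startswith("ScanScope:"):
            if not areas:
                raise IniError("%s appears before any [ScanScope]" % name)
            areas[-1][name] = settings
    return areas

def _mask_matches(mask, path):  # 're:' masks are regular expressions, others shell masks
    return re.search(mask[3:], path) is not None if mask.startswith("re:") else fnmatch.fnmatchcase(path, mask)

def applicable_area(areas, path):
    """First area whose AreaPath is a prefix of path and whose AreaMask matches it."""
    for area in areas:
        roots = area.get("ScanScope:AreaPath", {}).get(None, [])
        masks = area["ScanScope"].get("areamask", [])
        if any(path.startswith(r) for r in roots) and (
                not masks or any(_mask_matches(m, path) for m in masks)):
            return area
    return None

def first_action(areas, path):
    """InfectedFirstAction of the area that applies to path, or None if none does."""
    area = applicable_area(areas, path) or {}
    return area.get("ScanScope:ScanSettings", {}).get("infectedfirstaction", [None])[0]

# Constructed from the page's example; ScanArchived is an assumed setting name added
# only to exercise as_bool. The subdirectory area comes first, the parent second.
SAMPLE_CONFIG = r"""
[ScanScope]
AreaDesc="Scanning "useless" documents"
AreaMask="re:.*\.doc"
[ScanScope:AreaPath]
/home/dir1/
[ScanScope:ScanSettings]
InfectedFirstAction=Cure
ScanArchived=yes
[ScanScope]
AreaDesc="Parent directory"
AreaMask=re:.*\.doc
[ScanScope:AreaPath]
/home/
[ScanScope:ScanSettings]
InfectedFirstAction=Remove
"""
```

Running first_action(scan_areas(parse_ini(SAMPLE_CONFIG)), "/home/dir1/report.doc") returns "Cure" and the same call for "/home/alice/notes.doc" returns "Remove"; swapping the two [ScanScope] blocks in the file would make the parent area capture /home/dir1/ as well, which is the ordering mistake the paragraph above warns about. Because first_action reads only the settings present in the file, a file for which no area matches yields None rather than the product's built-in default.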
A description of configuration file settings, their possible values, and their default values are shown in the table below.
Table 19. Real-time protection and on-demand scan tasks settings

SETTING: DESCRIPTION AND POSSIBLE VALUES

ScanPriority
Task priority.
This setting is used only in the on-demand scan tasks and is not used in the real-time protection tasks.
You can set one of the predefined task priorities in accordance with process priorities in
Linux.
Possible values include:
System (system). Priority of the process running a task is defined by the operating system.
High (high). Priority of the process running a task is increased.
Medium (medium). Priority of the process running a task remains unchanged.
Low (low). Priority of the process running a task is decreased.
Lower process priority increases the duration of task execution, but it can also affect positively the performance of processes belonging to other active applications.
Higher process priority decreases the duration of task execution, but it can also affect negatively the performance of processes belonging to other active applications.
Default value: System.
ProtectionType
Protection mode. Use of a SAMBA interceptor to scan objects accessed using
SMB/CIFS. Use of a kernel level interceptor to scan objects accessed using other protocols (NFS, FTP, etc.).
This setting is used only in the real-time protection task and is not used in on-demand scan tasks.
Kaspersky Anti-Virus includes two components intercepting attempts to access files and scanning those files. They are Samba interceptor (used to scan objects on server accessed from remote computers via the SMB / CIFS protocol) and the kernel level interceptor (scanning objects accessed using other methods).
The Samba interceptor provides, as additional object information, the IP address of the remote computer on which an application attempted to access an object when it was intercepted by Kaspersky Anti-Virus.
If you use the protected server only as a Samba server, you can specify the value
SambaOnly. In this case, Kaspersky Anti-Virus will not scan objects that are not accessed via SMB/CIFS.
Possible values include:
Full. Kaspersky Anti-Virus scans server objects with the SAMBA interceptor when they are accessed via SMB/CIFS, and uses the kernel level interceptor to intercept all other operations on files that are accessible on the protected server (including files on remote computers).
SambaOnly. Kaspersky Anti-Virus scans objects with the SAMBA interceptor only when they are accessed via SMB/CIFS. Objects accessed in any other way (locally, via NFS, FTP, etc.) are not scanned by the real-time protection task.
Make sure that you have specified the SAMBA VFS password during the initial configuration of Kaspersky Anti-Virus (see Installation Guide of Kaspersky Anti-Virus 8 for Linux).
KernelOnly. Kaspersky Anti-Virus scans server objects only with the kernel level interceptor. The IP address of the remote client, which only the Samba interceptor provides, is then not available for objects accessed via SMB/CIFS.
Make sure that you have specified the kernel interceptor during the initial configuration of Kaspersky Anti-Virus (see Installation Guide of Kaspersky Anti-Virus 8 for Linux).
Default value: the mode selected during Kaspersky Anti-Virus installation.
[ScanScope]
Scan area.
UseScanArea
Enables / disables the scan area defined by the parameters in the [ScanScope] section.
Possible values include:
yes – enables the scan area defined by the parameters in the [ScanScope] section;
no – disables the scan area defined by the parameters in the [ScanScope] section.
Default value: yes.
AreaDesc
Description of the scan area, containing additional information about the scan area. The maximum length of the line defined by this setting is 4096 characters.
Example:
AreaDesc="Scan mail databases"
Default value: All objects.
AreaMask
Using this setting you can limit the scan area specified in the [ScanScope:AreaPath] section. The maximum length of the line defined by this setting is 4096 characters.
Within the scan area, Anti-Virus will scan only those files or directories whose paths match the specified Shell masks or ECMA-262 regular expressions. Use the re: prefix for regular expressions.
If you do not specify this setting, Anti-Virus will scan all objects in the scan area.
You can specify several values for this setting.
Example:
AreaMask=re:.*/Documents/
AreaMask=re:.*\.doc
AreaMask=re:\.exe
Default value: *.
UseAccessUser
This setting determines whether or not to use the settings in the [ScanScope:AccessUser] section (scanning upon access using the permissions of specified users).
This setting is applied only in real-time protection tasks. It is not used for on-demand scan tasks.
Possible values include:
yes – scan objects only if they are accessed by applications running with the permissions of the users or groups specified in the [ScanScope:AccessUser] section;
no – scan objects when they are accessed with any permissions.
Default value: no.
[ScanScope:AreaPath]
Scan scope, path to the directory to scan. You must specify at least one scan area to start the real-time protection task.
Path
The setting value consists of three elements:
<file system type>:<access protocol>:<path to the directory being scanned>, where:
<file system type>. Possible values include:
Mounted. Remote directories mounted on the server. Using the <access protocol> element, specify the protocol that provides remote access to the directories.
Shared. Server file system resources shared via the SMB/CIFS or NFS protocol.
AllRemotelyMounted. All remote directories mounted on the server using the SMB/CIFS and NFS protocols.
AllShared. All server file system resources shared via the SMB/CIFS and NFS protocols.
<access protocol>. Protocol that provides remote access to the specified resources. This element is used only when <file system type> has the Mounted or Shared value. Possible values include:
SMB. The SMB/CIFS protocol.
NFS. The NFS protocol.
<path to the directory being scanned>. Full path to the directory being scanned. A value consisting only of an absolute path (without the <file system type> element) refers to a directory in the server's file system.
For specifics of scanning symbolic and hard links, please refer to the section Specifics of scanning symbolic and hard links (see page 9).
Examples:
Path=/ – scan all local server directories and all directories mounted using SMB/CIFS and NFS.
Path=/home/ivanov – scan the /home/ivanov directory.
Path=Mounted:SMB – scan all remote directories mounted using SMB/CIFS.
Path=Mounted:NFS – scan all remote directories mounted using NFS.
Path=Mounted:SMB:/remote-resources/ivanov-windows – scan the /remote-resources/ivanov-windows directory, which has been mounted using SMB/CIFS.
Path=Mounted:NFS:/remote-resources/ivanov-linux – scan the /remote-resources/ivanov-linux directory, which has been mounted using NFS.
Path=Shared:SMB – scan all directories in the server's file system shared via SMB/CIFS.
Path=Shared:SMB:my_samba_share – scan the resource named my_samba_share shared via SMB/CIFS.
Path=Shared:NFS – scan all server directories that are accessible via NFS.
Path=Shared:NFS:/nfs_shares/my_share – scan the resource /nfs_shares/my_share shared via NFS.
Default value: /.
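A malformed Path value is easy to produce by hand, and a scan area that does not parse is a scan area that does not protect anything. The following Python function is an added example rather than code from this guide: it parses a value into its three elements and rejects unknown file system types, unknown protocols and misplaced elements, so a configuration file can be checked before it is imported into a task. The label "Local" for a plain absolute path, and the rejection of extra elements after AllRemotelyMounted or AllShared (the text says those elements are used only with Mounted and Shared), are choices of this example.

```python
from typing import NamedTuple, Optional


class AreaPath(NamedTuple):
    """A parsed Path value. fs_type "Local" is this example's label for a value
    that is just an absolute directory path (the guide gives that form no name)."""
    fs_type: str
    protocol: Optional[str]
    path: Optional[str]


FS_TYPES = {"Mounted", "Shared", "AllRemotelyMounted", "AllShared"}
PROTOCOLS = {"SMB", "NFS"}


def parse_area_path(value: str) -> AreaPath:
    """Parse <file system type>:<access protocol>:<path> as described in the table.

    Raises ValueError on a malformed value so that a typo such as "Mounted:CIFS"
    or "Shared:/srv/x" is caught before the configuration is imported into a task.
    Rejecting a protocol or path after AllRemotelyMounted/AllShared is this
    validator's choice, since the guide uses those elements only with Mounted
    and Shared; their presence elsewhere almost certainly is a mistake.
    """
    value = value.strip()
    if not value:
        raise ValueError("empty Path value")
    if value.startswith("/"):
        return AreaPath("Local", None, value)
    parts = value.split(":", 2)
    fs_type = parts[0]
    if fs_type not in FS_TYPES:
        raise ValueError(f"unknown file system type {fs_type!r}")
    if fs_type in ("AllRemotelyMounted", "AllShared"):
        if len(parts) > 1:
            raise ValueError(f"{fs_type} takes no access protocol or path")
        return AreaPath(fs_type, None, None)
    if len(parts) < 2 or parts[1] not in PROTOCOLS:
        raise ValueError(f"{fs_type} requires an access protocol, SMB or NFS")
    path = parts[2] if len(parts) == 3 and parts[2] else None
    return AreaPath(fs_type, parts[1], path)


def is_valid_area_path(value: str) -> bool:
    """Check one configuration value without raising, for use in a pre-import sweep."""
    try:
        parse_area_path(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed lines: the examples from the table plus two typical mistakes.
    for line in ("/home/ivanov", "Mounted:SMB", "Shared:SMB:my_samba_share",
                 "Mounted:NFS:/remote-resources/ivanov-linux", "AllShared",
                 "Mounted:CIFS:/mnt/win", "Shared:/srv/share"):
        print(f"{line:45} {parse_area_path(line) if is_valid_area_path(line) else 'INVALID'}")
```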
[ScanScope:AccessUser]
Scan upon access using the permissions of specified users.
Anti-Virus scans objects only if they are accessed by applications running with the permissions of users and groups, specified by the settings in this section. If section settings are not specified, Anti-Virus scans objects when they are accessed with any rights.
The settings of this section are applied only in real-time protection tasks. They are not used for on-demand scan tasks.
If the settings in this section point to a non-existent user or group, the real-time protection task scans objects when an attempt to access them is made by any user or group.
UserName
Anti-Virus scans objects only if they are accessed by applications running with the permissions of specified users. You can specify several values for this setting, for example:
UserName=usr1
UserName=usr2
Default value: not configured.
UserGroup
Group name. Anti-Virus scans objects only if they are accessed by applications running with the permissions of specified groups. You can specify several values for this setting, for example:
UserGroup=group1
UserGroup=group2
Default value: not configured.
[ScanScope:ScanSettings]
Security settings that Anti-Virus applies when scanning the area specified by the [ScanScope:AreaPath] setting.
ScanByAccessType
Anti-Virus scans objects on the following types of access to them (used only in the real-time protection task and not in on-demand scan tasks):
SmartCheck (smart mode). Kaspersky Anti-Virus scans a file when an attempt is made to open it, and rescans it when an attempt is made to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and changes it, Kaspersky Anti-Virus scans the object a second time only when the process closes it for the last time.
Open (at an access attempt). Kaspersky Anti-Virus scans the object when an attempt is made to open it for reading, execution or modification.
OpenAndModify (at an attempt to access or modify). Kaspersky Anti-Virus scans a file when an attempt is made to open it, and rescans it when an attempt is made to close it if the file has been modified.
Default value: SmartCheck.
ScanArchived
Kaspersky Anti-Virus scans file archives (including SFX self-extracting archives). Please note that Kaspersky Anti-Virus identifies threats in archives, but does not disinfect them.
yes – scan archives;
no – do not scan archives.
Default values: real-time protection task – no; on-demand scan task – yes.
ScanSfxArchived
Anti-Virus scans self-extracting archives (archives that contain an executable extraction module).
yes – scan SFX archives;
no – do not scan SFX archives.
Default values: real-time protection task – no; on-demand scan task – yes.
ScanMailBases
Anti-Virus scans email databases of Microsoft Outlook®, Outlook Express, The Bat! and other email clients.
yes – scan email database files;
no – do not scan email database files.
Default value: no.
ScanPlainMail
Kaspersky Anti-Virus scans the files of plain text email messages.
yes – scan plain text email messages;
no – do not scan plain text email messages.
Default value: no.
ScanPacked
Kaspersky Anti-Virus scans executable files packed by binary code packers, such as UPX or ASPack. This type of composite object contains threats more often than others.
yes – scan packed files;
no – do not scan packed files.
Default value: yes.
InfectedFirstAction
First action to be performed on infected objects.
In real-time protection tasks, before performing the action specified by you on an infected object, Kaspersky Anti-Virus blocks access to the object by applications that attempt to do so.
Possible values include:
Cure. Anti-Virus attempts to disinfect an object after it saves a copy of the object in the backup storage. If disinfection is not possible, for example, if the type of object or the type of threat in the object cannot be disinfected, Kaspersky Anti-Virus will leave the object unchanged.
Remove. Kaspersky Anti-Virus removes the infected object having first created a backup copy.
Recommended (perform recommended action). Kaspersky Anti-Virus automatically selects and performs the action on the object based on the data about the threat detected in the object and about the possibility of disinfecting it. For example, Anti-Virus will immediately remove Trojans, since they do not incorporate themselves into other files and do not infect them and therefore do not need to be disinfected.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Skip. The object will remain intact. Anti-Virus does not attempt to cure or delete the object, but does log information about the object.
Default value: Recommended.
InfectedSecondAction
Second action to be performed on infected objects.
The values are the same as for the InfectedFirstAction setting.
If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
If you select Skip or Remove as the first action, you need not specify a second action. For any other first action, we recommend specifying a second action as well.
If you do not specify a second action, Anti-Virus will use Skip as the second action.
Default value: Skip.
SuspiciousFirstAction
First action to be performed on suspicious objects.
In real-time protection tasks, before performing the action specified by you on a suspicious object, Kaspersky Anti-Virus blocks access to the object by applications that attempt to do so.
Possible values include:
Cure. Anti-Virus attempts to disinfect an object after it saves a copy of the object in the backup storage. If disinfection is not possible, for example, if the type of object or the type of threat in the object cannot be disinfected, Kaspersky Anti-Virus will leave the object unchanged.
Quarantine. Kaspersky Anti-Virus moves the object to quarantine.
Remove. Kaspersky Anti-Virus deletes the object after making a backup copy.
Recommended (perform recommended action). Kaspersky Anti-Virus automatically selects and performs the action on the object based on the data about the threat detected in the object and about the possibility of disinfecting it. For example, Anti-Virus will immediately remove Trojans, since they do not incorporate themselves into other files and do not infect them and therefore do not need to be disinfected.
Skip. The object will remain intact. Anti-Virus does not attempt to cure or delete the object, but does log information about the object.
Default value: Recommended.
SuspiciousSecondAction
Second action to be performed on suspicious objects. The values are the same as for the SuspiciousFirstAction setting.
If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
If you select Skip or Remove as the first action, you need not specify a second action. For any other first action, we recommend specifying a second action as well.
If you do not specify a second action, Anti-Virus will use Skip as the second action.
Default value: Skip.
UseSizeLimit
Determines whether or not to apply the SizeLimit setting (which specifies the maximum size of a scanned object).
yes – use the SizeLimit setting;
no – do not use the SizeLimit setting.
Default value: no.
SizeLimit
The maximum size of the objects being scanned (in bytes). If an object to be scanned is larger than the specified value, Anti-Virus skips the object without scanning it.
This setting is used together with the UseSizeLimit setting.
Specify the maximum object size in bytes. Possible values: 0 – 2147483647 (approximately 2 GB).
0 – Anti-Virus scans objects of any size.
Default value: 0.
UseTimeLimit
Determines whether the TimeLimit setting (which specifies the maximum duration of an object scan) applies.
yes – use the TimeLimit setting;
no – do not use the TimeLimit setting.
Default values: real-time protection task – yes; on-demand scan task – no.
TimeLimit
Maximum object scan time (sec). Anti-Virus stops scanning an object if the scan takes longer than the number of seconds specified by this setting; an object whose scan was stopped in this way has not been fully scanned.
This setting is used together with the UseTimeLimit setting.
Specify the maximum scan duration for an object in seconds.
0 – the object scan duration is unlimited.
Default values: real-time protection task – 60; on-demand scan task – 120.
UseExcludeMasks
Enables / disables exclusion of objects specified by the ExcludeMasks setting.
yes – exclude objects specified by the ExcludeMasks setting;
no – do not exclude objects specified by the ExcludeMasks setting.
Default value: no.
ExcludeMasks
Exclude objects by name, mask, or regular expression. You can use this setting to exclude individual files from being scanned in a given area, or exclude several files at once using Shell masks or ECMA-262 regular expressions. Use the re: prefix for regular expressions.
Example:
ExcludeMasks=re:.*\.tar\.gz
ExcludeMasks=re:.*\.avi
ExcludeMasks=re:/.*\.avi$
ExcludeMasks=*.doc
Default value: not configured.
UseExcludeThreats
Enables / disables exclusion of objects containing the threats specified by the ExcludeThreats setting.
yes – exclude objects containing the threats specified by the ExcludeThreats setting;
no – do not exclude objects containing the threats specified by the ExcludeThreats setting.
Default value: no.
ExcludeThreats
Exclude objects by the name of the threats detected in them. Before specifying a value for this setting, make sure that the UseExcludeThreats setting is active.
For example, you may be using a utility to collect information about your network. Most Kaspersky Anti-Virus programs classify such utility code as the Riskware threat type. To keep Kaspersky Anti-Virus from blocking it, add the full name of the threat contained in the application to the list of excluded threats.
To exclude a single object from the scan, specify the full name of the threat detected in this object, as given in the Anti-Virus verdict stating that the object is infected or suspicious.
You can find the full name of the threat identified in an object in the Kaspersky Anti-Virus log.
You can also find the full name of the threat detected in a software product at the Virus Encyclopedia website at Viruslist.com (see the Virus Encyclopedia section at http://www.viruslist.com). To find the name of a threat, enter the name of the product in the Search field.
The setting value is case-sensitive.
Example:
Perform no actions on files in which Anti-Virus identifies the threats named NetTool.Linux.SynScan.a and Monitor.Linux.Keylogger.a:
ExcludeThreats=not-a-virus:NetTool.Linux.SynScan.a
ExcludeThreats=not-a-virus:Monitor.Linux.Keylogger.a
You can use Shell masks and extended ECMA-262 regular expressions to specify threat names. Add the re: prefix to regular expressions.
Perform no actions on files in which Anti-Virus identifies any threats for Linux belonging to the not-a-virus category:
ExcludeThreats=re:not-a-virus:.*\.Linux\..*
Note that such a mask also excludes every not-a-virus verdict for Linux that the databases may add later, including monitoring tools such as the keylogger in the previous example; prefer exact threat names where the set of tools you need to allow is known.
Default value: not configured.
UseAdvancedActions
Enables / disables actions to be performed on an object depending on the type of threat found in the object.
If you enable the option, Kaspersky Anti-Virus will apply the actions you specify in the [ScanScope:ScanSettings:AdvancedActions] section instead of the actions specified by the InfectedFirstAction, InfectedSecondAction, SuspiciousFirstAction and SuspiciousSecondAction settings.
Available values:
yes – select the actions to be performed on objects depending on the type of threat;
no – do not select the actions depending on the type of threat; apply the InfectedFirstAction, InfectedSecondAction, SuspiciousFirstAction and SuspiciousSecondAction settings.
Default value: yes.
ReportCleanObjects
Enables / disables logging of information about scanned objects which Kaspersky Anti-Virus recognizes as clean.
You can enable the option, for example, to make sure that an object has been scanned by Kaspersky Anti-Virus.
Enabling the option for a long time is not recommended because recording of big data volumes to the log can decrease the operating system performance.
Available values:
yes – log information about clean objects;
no – do not log information about clean objects.
Default value: no.
ReportPackedObjects
Enables / disables logging of information about scanned objects that are part of compound objects.
You can enable the option, for example, to make sure that an object within an archive has been scanned by Kaspersky Anti-Virus.
Enabling the option for a long time is not recommended because recording of big data volumes to the log can decrease the operating system performance.
Available values:
yes – log information about objects scanned within archives;
no – do not log information about objects scanned within archives.
Default value: no.
UseAnalyzer
Enables / disables the Heuristic Analyzer.
The Heuristic Analyzer examines the sequence of operations an object performs, which allows the nature of the file to be determined with a reasonable degree of certainty. The advantage of this method is that new threats are detected before virus analysts have encountered them.
Available values:
yes – enable the Heuristic Analyzer;
no – disable the Heuristic Analyzer.
Default value: yes.
HeuristicLevel
The level of detail of the heuristic analysis.
This level sets the balance between the thoroughness of searches for new threats, the load on the operating system's resources and the time required for scanning. The higher the detail level, the more resources it requires and the longer it takes.
Available values:
Light – least detailed scan, minimum system load;
Medium – medium scan, balanced system load;
Deep – most detailed scan, maximum system load;
Recommended – recommended value.
Default value: Recommended.
KeepLastAccess
Enables / disables the option that preserves the time when a file was last accessed. This setting applies to real-time protection and on-demand scan tasks. With the default value, every scan overwrites the file's last access time, which matters if access times are used as evidence during an investigation.
Available values:
yes – do not change the file access time after scanning; keep the previous access time;
no – change the last file access time to the time of the scan.
Default value: no.
[ScanScope:ScanSettings:AdvancedActions]
A response depending on the type of threat.
Using the settings in this section, you can customize a particular reaction of Kaspersky Anti-Virus to objects that contain threats of a specified type.
Prior to specifying the settings in this section, make sure that the UseAdvancedActions setting is active.
Verdict
FirstAction
SecondAction
For the threat type specified in the Verdict setting, specify two actions (FirstAction and SecondAction). Anti-Virus will attempt to perform these actions on an object if it identifies a threat of that type in the object.
If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
If you select Skip or Remove as the first action, you need not specify a second action. For any other first action, we recommend specifying a second action as well.
If you do not specify a second action, Anti-Virus will use Skip as the second action.
The FirstAction and SecondAction settings take the same values as the InfectedFirstAction and InfectedSecondAction settings described above.
Possible values for the Verdict setting (type of threat) are:
Virware – viruses and worms;
Trojware – Trojans;
Malware – other malicious software;
Pornware – pornographic software;
Adware – advertising software;
Riskware – potentially dangerous software.
For more information on the types of threats, refer to the section "Programs detectable by Kaspersky Anti-Virus".
Example:
UseAdvancedActions=yes
[ScanScope:ScanSettings:AdvancedActions]
Verdict=Adware
FirstAction=Cure
SecondAction=Skip
[ScanScope:ScanSettings:AdvancedActions]
Verdict=Pornware
FirstAction=Cure
SecondAction=Skip
Default value: not configured.
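The following Python example is added here and is not part of this guide or of the product. It combines two rules from this table that interact when an object is detected: exclusion by threat name (ExcludeThreats, with exact names or the re: prefix) and the per-threat-type actions of [ScanScope:ScanSettings:AdvancedActions] overriding the generic InfectedFirstAction / SuspiciousFirstAction pair when UseAdvancedActions=yes. The settings dictionaries and the threat name Trojan.Linux.Sample are constructed for the example; the behaviour when no Verdict block matches the threat type, and the use of Python's re module with search semantics in place of ECMA-262, are assumptions. Running it also shows that the broad mask re:not-a-virus:.*\.Linux\..* from the ExcludeThreats example swallows the keylogger verdict listed there.

```python
import fnmatch
import re
from typing import Dict, List, Tuple

SKIP = "Skip"
# [ScanScope:ScanSettings] keys; values kept as lists because keys may repeat.
Settings = Dict[str, List[str]]

# Constructed sample settings for one scan area.
SAMPLE_SETTINGS: Settings = {
    "InfectedFirstAction": ["Cure"],
    "SuspiciousFirstAction": ["Quarantine"],
    "UseExcludeThreats": ["yes"],
    "ExcludeThreats": ["not-a-virus:NetTool.Linux.SynScan.a"],
    "UseAdvancedActions": ["yes"],
}
# One dict per [ScanScope:ScanSettings:AdvancedActions] block, in file order.
SAMPLE_ADVANCED: List[Dict[str, str]] = [
    {"Verdict": "Adware", "FirstAction": "Cure", "SecondAction": "Skip"},
    {"Verdict": "Riskware", "FirstAction": "Quarantine"},  # no second action given
]


def threat_name_matches(pattern: str, threat_name: str) -> bool:
    """ExcludeThreats semantics: an exact name or Shell mask, or a regular expression
    with the "re:" prefix; case-sensitive as the table states. Python's re stands in
    for ECMA-262 and search semantics are assumed (both are assumptions)."""
    if pattern.startswith("re:"):
        return re.search(pattern[3:], threat_name) is not None
    return fnmatch.fnmatchcase(threat_name, pattern)


def resolve_actions(settings: Settings, advanced: List[Dict[str, str]],
                    threat_name: str, verdict: str, suspicious: bool = False) -> Tuple[str, str]:
    """Return the (first, second) action pair that applies to one detection.

    threat_name is the full verdict string (e.g. "not-a-virus:Monitor.Linux.Keylogger.a"),
    verdict the threat type used by the Verdict setting (e.g. "Riskware").
    """
    # 1. An excluded threat gets no action at all ("perform no actions" in the table).
    if settings.get("UseExcludeThreats", ["no"])[0] == "yes":
        for pattern in settings.get("ExcludeThreats", []):
            if threat_name_matches(pattern, threat_name):
                return (SKIP, SKIP)
    # 2. With UseAdvancedActions=yes (the default), a block whose Verdict matches the
    #    threat type replaces the generic pair; a missing second action is Skip.
    if settings.get("UseAdvancedActions", ["yes"])[0] == "yes":
        for block in advanced:
            if block.get("Verdict") == verdict:
                return (block.get("FirstAction", SKIP), block.get("SecondAction", SKIP))
    # 3. Generic pair for infected or suspicious objects. Assumption: when no block
    #    matches the verdict the generic pair applies; the guide does not spell this out.
    prefix = "Suspicious" if suspicious else "Infected"
    first = settings.get(f"{prefix}FirstAction", ["Recommended"])[0]
    second = settings.get(f"{prefix}SecondAction", [SKIP])[0]
    return (first, second)


if __name__ == "__main__":
    for name, kind in (("not-a-virus:NetTool.Linux.SynScan.a", "Riskware"),
                       ("not-a-virus:Monitor.Linux.Keylogger.a", "Riskware"),
                       ("Trojan.Linux.Sample", "Trojware")):  # constructed name
        print(name, "->", resolve_actions(SAMPLE_SETTINGS, SAMPLE_ADVANCED, name, kind))
    # The broad mask from the table also swallows the keylogger verdict above.
    broad = dict(SAMPLE_SETTINGS, ExcludeThreats=[r"re:not-a-virus:.*\.Linux\..*"])
    print("broad mask ->", resolve_actions(broad, SAMPLE_ADVANCED,
                                           "not-a-virus:Monitor.Linux.Keylogger.a", "Riskware"))
```

With the exact exclusion, the network scanner is skipped while the keylogger is quarantined through the Riskware block; with the broad mask, both are skipped, which is the risk of excluding by regular expression rather than by name.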
[ExcludedFromScanScope]
Exclusion area.
UseScanArea
Enables / disables the exclusion area defined by the parameters in the [ExcludedFromScanScope] section.
Possible values include:
yes – enables the exclusion area defined by the parameters in the [ExcludedFromScanScope] section;
no – disables the exclusion area defined by the parameters in the [ExcludedFromScanScope] section.
Default value: yes.
AreaDesc
Description of the exclusion area, containing additional information about the exclusion area.
Example:
AreaDesc="Exclude separate SAMBA"
Default value: not configured.
AreaMask
You can use this setting to limit the exclusion area specified in the [ExcludedFromScanScope:AreaPath] section.
Kaspersky Anti-Virus will only exclude those objects that match the specified Shell masks or ECMA-262 regular expressions. Use the re: prefix for regular expressions.
Example:
AreaMask=re:.*\.tar\.gz
Default value: not configured.
UseAccessUser
This setting enables or disables the use of the settings in the [ExcludedFromScanScope:AccessUser] section (exclusion when access is attempted using the rights of specified users).
This setting is applied only in real-time protection tasks. It is not used for on-demand scan tasks.
Possible values include:
yes – exclude objects only if they are accessed by applications running with the permissions of the users or groups specified in the [ExcludedFromScanScope:AccessUser] section;
no – exclude objects when they are accessed with any rights.
Default value: not configured.
[ExcludedFromScanScope:AreaPath]
Exclusion area. Path to the excluded directory.
Path
The setting value consists of three elements:
<file system type>:<access protocol>:<path to the excluded directory>, where:
<file system type>. Possible values include:
Mounted. Remote directories mounted on the server. Using the <access protocol> element, specify the protocol that provides remote access to the directories.
Shared. Server file system resources shared via the SMB/CIFS or NFS protocol.
AllRemotelyMounted. All remote directories mounted on the server using the SMB/CIFS and NFS protocols.
AllShared. All server file system resources shared via the SMB/CIFS and NFS protocols.
<access protocol>. Protocol that provides remote access to the specified resources. This element is used only when <file system type> has the Mounted or Shared value. Possible values include:
SMB. The SMB/CIFS protocol.
NFS. The NFS protocol.
<path to the excluded directory>. The full path to the excluded directory.
Examples:
Path=Mounted:NFS – exclude all remote directories mounted using NFS.
Default value: not configured.
[ExcludedFromScanScope:AccessUser]
Scanning exclusion when access is attempted using the rights of specified users.
Kaspersky Anti-Virus will exclude objects from scanning only if they are accessed by applications with the user and group rights specified by the settings in this section. If the settings of this section are not specified, Anti-Virus excludes the objects in the exclusion area regardless of the rights with which they are accessed.
The settings of this section are applied only in real-time protection tasks. They are not used for on-demand scan tasks.
UserName
Anti-Virus excludes objects only if they are accessed by applications running with the permissions of the specified users. You can specify several values for this setting, for example:
UserName=usr1
UserName=usr2
Default value: not configured.
UserGroup
Group name. Anti-Virus excludes objects only if they are accessed by applications running with the permissions of the specified groups. You can specify several values for this setting, for example:
UserGroup=group1
UserGroup=group2
Default value: not configured.
UPDATE TASKS SETTINGS
This section describes the settings of the update task configuration file. You can review it to create new update tasks and modify settings in the existing tasks.
any text editor, modify the settings as required, save the file, and then import the settings from the file into the task (see
The structure of the INI configuration file of the update tasks
The configuration file of an update task consists of a set of settings and sections. The sections describe the function performed by the update task, the update source and the settings used to connect to it.
Using the UpdateType setting, select the function to be performed by the update task. This is a mandatory setting.
In the [UpdateComponentsSettings] section, specify whether you wish to download the updates specified by the UpdateType setting or only receive information about their availability. This is a mandatory setting.
The [CommonSettings] section defines the type of the update source and the settings used to connect to it. Using the settings in this section, specify whether Anti-Virus should use a proxy server when it connects to the various types of update sources, and specify the proxy server settings.
The [CommonSettings:CustomSources] section is required if you have selected user-defined sources as the update source. Here you specify the address of the user-defined update source. If you wish to specify several user-defined update sources, define each source in a separate [CommonSettings:CustomSources] section. Kaspersky Anti-Virus will connect to the user-defined update sources using the connection settings described in the [CommonSettings] section.
The [RetranslateUpdatesSettings] section is required if you have selected downloading of updates without installing them using the UpdateType setting. In this section, specify the directory into which Anti-Virus will save the downloaded updates. If you selected copying only specified updates, also specify the names of the databases and modules whose updates you want the update task to obtain.
The table below contains a description of the configuration file settings, possible and default values of these settings.
Table 20. Update tasks settings
SETTING
DESCRIPTION AND POSSIBLE VALUES
UpdateType
Specify the function to be performed by the update task:
AllBases. Update the databases of Kaspersky Anti-Virus.
RetranslateProductComponents (copy all accessible Anti-Virus updates). Kaspersky Anti-Virus will save the downloaded updates in the directory specified by the RetranslationFolder setting, without installing them.
RetranslateComponentsList (copy only specified updates). Kaspersky Anti-Virus will download only the updates whose names have been specified in the settings of the [RetranslateUpdatesSettings] section. It will save the downloaded updates in the directory specified by the RetranslationFolder setting, without installing them.
Using the RetranslateComponentsList value you can also download updates of other Kaspersky Lab applications if you wish to use the protected server as an intermediary for distributing updates.
You can review the names of the updates on the Kaspersky Lab Technical Support website.
Critical updates for Kaspersky Anti-Virus modules are not installed automatically.
Default value: AllBases.
[CommonSettings]
Update source and settings used to connect to it.
SourceType
Specify an update source for Kaspersky Anti-Virus:
KLServers. Kaspersky Anti-Virus will receive updates from one of the Kaspersky Lab update servers. Updates are downloaded via the HTTP or FTP protocols.
AKServer. Kaspersky Anti-Virus will download updates to the protected server from Kaspersky Security Center Administration Server installed on the LAN.
You can select this update source if you use Kaspersky Security Center application for centralized administration of Kaspersky Endpoint Security protection of computers in your organization.
Custom. Kaspersky Anti-Virus will download updates from the user-defined source, specified in the [CommonSettings:CustomSources] section. You can specify directories on FTP or HTTP servers or directories on any device mounted on the server, including directories on remote computers mounted using SMB/CIFS or NFS.
Default value: KLServers.
UseKLServersWhenUnavailable
You can configure Kaspersky Anti-Virus to access the Kaspersky Lab update servers if all user-defined sources are unavailable.
yes – connect to Kaspersky Lab update servers if all user-defined sources are unavailable;
no – do not connect to Kaspersky Lab update servers if all user-defined sources are unavailable.
Default value: yes.
UseProxyForKLServers
The option to use a proxy server for connection to the update servers of Kaspersky Lab.
yes – use a proxy server to connect to the Kaspersky Lab update servers;
no – do not use a proxy server to connect to the Kaspersky Lab update servers.
Default value: no.
UseProxyForCustomSources
Using a proxy server when connecting to user-defined update sources. Enable this setting if a proxy server is needed to reach any of the user-defined FTP or HTTP servers.
yes – use a proxy server to connect to the user-defined update servers;
no – do not use a proxy server to connect to the user-defined update servers.
Default value: no.
ProxyPort
Proxy server settings: port.
Default value: 3128.
ProxyServer
Proxy server settings: network name or IP address.
Default value: not configured.
ProxyBypassLocalAddresses
Using a proxy server when connecting to local update servers. By default, the proxy server is not used for connections to local update servers. Disable this option to connect to local update servers via the proxy server specified in the ProxyServer parameter.
yes – do not use proxy server to connect to local update servers;
no – use proxy server to connect to local update servers.
Default value: yes.
ProxyAuthType
This setting controls authentication when accessing a proxy server being used for connections to FTP or HTTP update source servers.
NotRequired (no authentication). Select if authentication is not required to access the proxy server.
Plain (authentication by login name and password, i.e. basic authentication). Specify the user name and password using the ProxyAuthUser and ProxyAuthPassword settings.
Default value: NotRequired.
ProxyAuthUser
If you enable authentication, specify the name of the user whose rights will be used by Anti-Virus for proxy server access.
Default value: not configured.
ProxyAuthPassword
If you enable authentication, specify the password of the user whose rights will be used by Anti-Virus for proxy server access.
Default value: not configured.
UseFtpPassiveMode
By default, to connect to update servers using FTP, the Anti-Virus uses the passive FTP server mode: it is assumed that a network firewall is used in the enterprise LAN.
Available values:
yes – use passive FTP server mode;
no – use active FTP server mode.
Default value: yes.
ConnectionTimeout
This setting specifies the time to wait for a response from an update source, i.e. an FTP or HTTP server, while attempting to connect to it. If a response from the update source is not received within the specified interval, Kaspersky Anti-Virus will connect to another specified update source, for example, to another Kaspersky Lab update server if you configured updating from Kaspersky Lab update servers.
Specify the response wait time in seconds. Only integers within the range from 0 to 120 can be entered as parameter values.
Default value: 10.
[CommonSettings:CustomSources]
If you selected SourceType=Custom, specify the user-defined update sources using the settings of this section. You can specify several user-defined update sources. Define each source in a separate section. Kaspersky Anti-Virus will always try the next specified source if the previous source is unavailable.
You can configure Kaspersky Anti-Virus to access the Kaspersky Lab update servers if all user-defined sources are unavailable using the UseKLServersWhenUnavailable setting.
Url
Specify the user-defined update source: LAN or WAN directory.
Example:
Url=http://primer.ru/bases/ – the address of the HTTP or FTP server on which the directory containing updates is located.
Url=/home/bases/ – a directory on the protected server.
Default value: not configured.
Enabled
Using this setting you can enable or disable the use of the source specified by the Url setting in the current section.
yes – use the update source;
no – do not use the update source.
Default value: not configured.
[UpdateComponentsSettings]
Updates download.
Action
The setting is mandatory; its value is DownloadAndApply:
Kaspersky Anti-Virus downloads updates if UpdateType is set to RetranslateProductComponents or RetranslateComponentsList;
Kaspersky Anti-Virus downloads and installs updates if UpdateType is set to AllBases.
Default value: DownloadAndApply.
[RetranslateUpdatesSettings]
Downloading updates from the update source without applying them. Specify the settings of this section if you have chosen to download updates without applying them, i.e. specified the RetranslateComponentsList value for the UpdateType setting.
RetranslationFolder
Specify the directory into which the Anti-Virus will save the downloaded updates.
Default value: not configured.
RetranslationComponents
Specify the name of the update you would like to receive if you specified RetranslateComponentsList as your UpdateType setting.
You can review the names of updates on the Kaspersky Lab Technical Support website.
Example:
To copy updates for version 6.0.2.551 of Kaspersky Anti-Virus 6.0 for Windows® Server® Enterprise Edition:
RetranslationComponents=UPDATER
RetranslationComponents=AVS
RetranslationComponents=BLST
RetranslationComponents=KAV6WSEE
RetranslationComponents=RT
RetranslationComponents=AK6
RetranslationComponents=INDEX60
Default value: not configured.
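To see how the update-source settings above fit together, here is an added example (not from this guide or Kaspersky Lab) that parses a file in the INI layout described above and derives the order in which sources are tried. The file contents, hostnames and paths are constructed for the example; treating an unset Enabled value as disabled is an assumption.

```python
"""Added example (not Kaspersky Lab code): parse an update-settings file in the
INI layout this guide describes and derive the order in which update sources
are tried.

Assumptions: section and setting names are the ones from the guide; sections
such as [CommonSettings:CustomSources] may repeat (one per source) and a key
such as RetranslationComponents may repeat within a section. Python's
configparser merges or rejects such duplicates, so a small parser is used."""
import re

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_SETTING_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_kav_ini(text):
    """Return a list of (section_name, {key: [values...]}) keeping file order
    and every duplicate section or key."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        m = _SETTING_RE.match(line)
        if m and current is not None:
            current[1].setdefault(m.group(1), []).append(m.group(2))
    return sections


def _first(settings, key, default=None):
    values = settings.get(key)
    return values[0] if values else default


def update_source_order(text):
    """List the update sources in the order the guide says they are tried.

    SourceType=Custom: each enabled [CommonSettings:CustomSources] Url in
    file order, then the Kaspersky Lab servers if UseKLServersWhenUnavailable
    is yes (its documented default). Any other SourceType is a single source.
    """
    sections = parse_kav_ini(text)
    common = next((s for name, s in sections if name == "CommonSettings"), {})
    source_type = _first(common, "SourceType", "KLServers")
    if source_type != "Custom":
        return [source_type]
    order = []
    for name, s in sections:
        if name != "CommonSettings:CustomSources":
            continue
        url = _first(s, "Url")
        # Assumption: Enabled has no documented default, so only an explicit
        # "yes" counts as enabled.
        if url and _first(s, "Enabled", "no").lower() == "yes":
            order.append(url)
    if _first(common, "UseKLServersWhenUnavailable", "yes").lower() == "yes":
        order.append("KLServers")
    return order


def retranslation_components(text):
    """Return every RetranslationComponents value from [RetranslateUpdatesSettings]."""
    for name, s in parse_kav_ini(text):
        if name == "RetranslateUpdatesSettings":
            return list(s.get("RetranslationComponents", []))
    return []


# Constructed sample file: two enabled user-defined sources, one disabled,
# with fallback to the Kaspersky Lab servers.
SAMPLE = """
[CommonSettings]
SourceType=Custom
UseKLServersWhenUnavailable=yes
ConnectionTimeout=10

[CommonSettings:CustomSources]
Url=http://updates.example.invalid/bases/
Enabled=yes

[CommonSettings:CustomSources]
Url=/home/bases/
Enabled=no

[CommonSettings:CustomSources]
Url=ftp://mirror.example.invalid/bases/
Enabled=yes

[RetranslateUpdatesSettings]
RetranslationFolder=/var/opt/kaspersky/kav4fs/retranslation
RetranslationComponents=AVS
RetranslationComponents=BLST
"""

if __name__ == "__main__":
    print(update_source_order(SAMPLE))
    print(retranslation_components(SAMPLE))
```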
SCHEDULE SETTINGS
This section describes configuration file settings that you can use to schedule the task start.
Structure of the schedule INI configuration file
RuleType=Once|Monthly|Weekly|Daily|Hourly|Minutely|Manual|PS|BR
[StartTime=<date time>; <day of the month|day of the week>; <run period>]
[RandomInterval=<minutes>]
[ExecuteTimeLimit=<minutes>]
[RunMissedStartRules=yes|no]
Table 21. Schedule settings
RuleType
The mode in which a scheduled task is started.
Possible values include:
Once – once;
Monthly – monthly;
Weekly – weekly;
Daily – every N days;
Hourly – every N hours;
Minutely – every N minutes;
Manual – manually;
BR – after databases update. The task will be started after each successful Kaspersky Anti-Virus database update (this value is not used in update tasks).
PS – at application start. The task will be launched at every Anti-Virus startup.
For the real-time protection task, only the Manual and PS values are available.
StartTime
Start time. If you omit the start time, the current system date and/or time is used by default. The format of this parameter depends on the RuleType parameter; see the table below.
RandomInterval
Spread the task start randomly within the specified interval (in minutes) to even out the server load when several tasks are scheduled. Format: [0;999].
ExecuteTimeLimit
Limit on the duration of the task run (in minutes). Format: [0;999].
RunMissedStartRules
Run missed tasks.
Possible values include:
yes – run missed tasks the next time the application is started;
no – run only scheduled tasks.
Table 22. Parameters of the mode for task launch and start time
RuleType setting value    StartTime setting value format
Once                      <date time>
Monthly                   <time>; <day of month>
Weekly                    <time>; <day of week>
Daily                     <time>;;<start period>
Hourly                    <date time>;;<start period>
Minutely                  <time>;;<start period>
Manual                    Not used
BR                        Not used
PS                        Not used
The <start time> setting has the following format:
[<year>/][<month>/][<day of month>] [hh]:[mm]:[ss]; [<day of month>|<day of week>]; [<start period>]
Table 23. Field values of the start time parameter
Field                 StartTime setting value
<year>                [present year - 1; present year + 10]
<month>               JAN | FEB | MAR | APR | MAY | JUN | JUL | AUG | SEP | OCT | NOV | DEC
<day of the month>    [1;31]
hh                    hour [00;23]
mm                    minutes [00;59]
ss                    seconds [00;59]
<day of the week>     MON | TUE | WED | THU | FRI | SAT | SUN
<start period>        [0;999], where 0 means the start period is not set
Examples
The following example displays a task start in the "Once" mode.
Example:
Start the task March 30, 2011 at 10:00 am:
RuleType="Once"
StartTime="2011/Mar/30 10:00 AM:00"
The following example displays a task start in the "Monthly" mode.
Example:
Start the task every month on the 15th day at 12:00 am:
RuleType=Monthly
StartTime=12:00 AM:00; 15
The following example displays a task start in the "Weekly" mode.
Example:
Start task every week on Monday at 00:00:
RuleType=Weekly
StartTime=00:00:00; Mon
The following example displays a task start in the "Every N day" mode.
Example:
Start the task every other day at 12:30 am:
RuleType=Daily
StartTime=12:30:00;; 2
The following example displays a task start in the "Every N hour" mode.
Example:
Start task every 3 hours, starting at the specified time:
RuleType=Hourly
StartTime=2011/Apr/01 12:00 AM:00;; 3
The following example displays a task start in the "Every N minutes" mode.
Example:
Start task every 10 minutes, starting at the specified time:
RuleType=Minutely
StartTime=2:30:00 PM;; 10
The following example displays a task start after databases update.
Example:
Start task after databases update:
RuleType=BR
The following example displays a task start at application startup.
Example:
To start a task at Kaspersky Anti-Virus startup:
RuleType=PS
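As an added example (not code from the guide or Kaspersky Lab), the following validator checks a RuleType/StartTime pair against Tables 21 to 23 above, including the cases the tables imply: a date where only a time is allowed, a start period outside [0;999], or a StartTime given with Manual, BR or PS. It implements only the formal hh:mm:ss 24-hour form; not accepting the AM/PM spellings used in the examples is an assumption of this code.

```python
"""Added example (not Kaspersky Lab code): check a RuleType/StartTime pair
against the schedule format described in Tables 21 to 23.

Assumption: only the formal format is implemented,
  [<year>/][<month>/][<day of month>] hh:mm:ss; [<day of month>|<day of week>]; [<start period>]
with a 24-hour clock; the "AM"/"PM" spellings in the guide's examples are not accepted.
"""
import datetime
import re

MONTHS = ("JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC")
DAYS = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")
NO_START_TIME = ("Manual", "BR", "PS")   # Table 22: StartTime "Not used"
# RuleType -> (date allowed in field 1, kind of field 2, start period required in field 3)
SHAPE = {
    "Once": (True, None, False),
    "Monthly": (False, "dom", False),
    "Weekly": (False, "dow", False),
    "Daily": (False, None, True),
    "Hourly": (True, None, True),
    "Minutely": (False, None, True),
}
DATE_TIME_RE = re.compile(
    r"^(?:(?:(\d{4})/)?(?:([A-Za-z]{3})/)?(\d{1,2})\s+)?(\d{1,2}):(\d{2}):(\d{2})$")


def validate_schedule(rule_type, start_time=None, current_year=None):
    """Return a list of problems with the schedule; an empty list means it is valid."""
    if current_year is None:
        current_year = datetime.date.today().year
    errors = []
    if rule_type in NO_START_TIME:
        if start_time:
            errors.append("StartTime is not used with RuleType=%s" % rule_type)
        return errors
    if rule_type not in SHAPE:
        return ["unknown RuleType %r" % rule_type]
    if not start_time:
        return ["StartTime is required for RuleType=%s" % rule_type]
    allows_date, field2, needs_period = SHAPE[rule_type]
    fields = [f.strip() for f in start_time.split(";")]
    if len(fields) > 3:
        errors.append("StartTime has more than three ';'-separated fields")
    fields += [""] * (3 - len(fields))

    # Field 1: [<year>/][<month>/][<day of month>] hh:mm:ss, ranges from Table 23.
    m = DATE_TIME_RE.match(fields[0])
    if not m:
        errors.append("bad date/time %r" % fields[0])
    else:
        year, month, dom, hh, mm, ss = m.groups()
        if dom is not None and not allows_date:
            errors.append("RuleType=%s takes <time> only, not a date" % rule_type)
        if year and not current_year - 1 <= int(year) <= current_year + 10:
            errors.append("year %s outside [present year - 1; present year + 10]" % year)
        if month and month.upper() not in MONTHS:
            errors.append("bad month %r" % month)
        if dom and not 1 <= int(dom) <= 31:
            errors.append("day of month %s outside [1;31]" % dom)
        if int(hh) > 23 or int(mm) > 59 or int(ss) > 59:
            errors.append("time %s:%s:%s out of range" % (hh, mm, ss))

    # Field 2: day of month (Monthly), day of week (Weekly), otherwise empty.
    if field2 == "dom":
        if not (fields[1].isdigit() and 1 <= int(fields[1]) <= 31):
            errors.append("Monthly needs a day of month in [1;31], got %r" % fields[1])
    elif field2 == "dow":
        if fields[1].upper() not in DAYS:
            errors.append("Weekly needs a day of week (MON..SUN), got %r" % fields[1])
    elif fields[1]:
        errors.append("field 2 is not used with RuleType=%s" % rule_type)

    # Field 3: <start period> in [0;999] for Daily, Hourly and Minutely only.
    if needs_period:
        if not (fields[2].isdigit() and int(fields[2]) <= 999):
            errors.append("start period must be an integer in [0;999], got %r" % fields[2])
    elif fields[2]:
        errors.append("start period is not used with RuleType=%s" % rule_type)
    return errors


if __name__ == "__main__":
    # Constructed schedules mirroring the guide's examples, in 24-hour form.
    for rt, st in (("Once", "2011/Mar/30 10:00:00"), ("Monthly", "12:00:00; 15"),
                   ("Weekly", "00:00:00; Mon"), ("Daily", "12:30:00;; 2"),
                   ("Hourly", "2011/Apr/01 00:00:00;; 3"), ("Minutely", "14:30:00;; 10"),
                   ("BR", None), ("PS", "00:00:00")):
        print(rt, st, validate_schedule(rt, st, current_year=2011) or "OK")
```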
GENERAL SETTINGS OF KASPERSKY ANTI-VIRUS
The table below contains a description of the configuration file settings, possible and default values of these settings.
Once the general settings of Kaspersky Anti-Virus are changed, restart the Kaspersky Lab Framework service using the /opt/kaspersky/kav4fs/bin/kav4fs-control --restart-app command.
Table 24. General settings of Kaspersky Anti-Virus
StartWithUser
Account under which the processes of Kaspersky Anti-Virus are running.
You cannot modify this setting.
Default value: root.
StartWithGroup
Group under which the processes of Kaspersky Anti-Virus are running.
You cannot modify this setting.
Default value: default.
UpdateFolder
Path to a directory on the protected server containing the update directories specified by the AVBasesFolderName and AVBasesBackupFolderName settings.
Default value: /var/opt/kaspersky/kav4fs/update.
AVBasesFolderName
Directory in which Kaspersky Anti-Virus stores database updates.
Default value: avbases.
AVBasesBackupFolderName
Name of the directory which Anti-Virus uses as a service directory when it updates the databases.
If you specify a different directory, make sure that it allows reading and writing for the account under which the Anti-Virus runs.
Default value: avbases-backup.
SambaConfigPath
Location of the Samba configuration file.
By default, the standard path to the Samba configuration file on the server is specified.
You must specify this setting if the Samba configuration file is stored in a location different from the standard location.
Default value: /etc/samba/smb.conf.
NfsExportPath
Location of the NFS exports configuration file.
By default, the standard path to the NFS configuration file on the server is specified.
You must specify this setting if the NFS configuration file is stored in a location different from the standard location.
Default value: /etc/exports.
TempFolder
Full path to the directory in which the Anti-Virus saves temporary files it creates.
If you specify a different directory, make sure that it allows reading and writing for the account under which Kaspersky Anti-Virus runs.
Default value: /var/run/kav4fs.
TraceEnable
Maintaining a trace log.
Kaspersky Anti-Virus records all events into the trace log. Trace log files are stored in the directory specified by the TraceFolder setting.
Possible values include:
yes – maintain a trace log;
no – do not maintain a trace log.
Default value: yes.
TraceFolder
Directory in which Kaspersky Anti-Virus stores trace log files.
If you specify a different directory, make sure that it allows reading and writing for the account under which Kaspersky Anti-Virus runs.
Default value: /var/log/kaspersky/kav4fs.
TraceLevel
Trace log detail level.
Possible values include:
Fatal. Critical events.
Error. Errors.
Warning. Important events.
Info. Information events.
Debug. Debug information.
The most detailed level is Debug information, which writes all events to the log, and the least detailed is the Critical events level, which writes only critical events to the log.
Please note that the trace file can take up a large amount of disk space.
If you enable the trace file and do not modify the settings, Kaspersky Anti-Virus traces the Kaspersky Anti-Virus subsystem with the Debug information level of detail.
Default value: Error.
TraceDestination
Trace log destination.
Possible values include:
Product. Information is stored in the directory specified by the TraceFolder parameter.
Syslog. Information is stored in the syslog.
Default value: Product.
MaxFilenameLength
The maximum length of the full path to the scanned file, in bytes.
If the length of the full path to the file being scanned exceeds this value, the scan task will skip the file, and if the BlockFilesGreaterMaxFilename setting is assigned the yes value, the real-time protection task will block access to the file.
Possible values: 4096 – 33554432.
Default value: 16384.
BlockFilesGreaterMaxFilename
Blocks access to files whose full path name exceeds the MaxFilenameLength value.
The on-demand scan task skips such files regardless of the BlockFilesGreaterMaxFilename value.
Possible values include:
yes – the real-time protection task blocks access to such files;
no – access is not blocked.
Default value: yes.
QUARANTINE AND BACKUP STORAGE SETTINGS
This section describes the configuration file settings that you can use to customize the settings of the quarantine and the backup storage.
A description of configuration file settings, their possible values, and their default values are shown in the table below.
Table 25. Quarantine and backup storage settings
QuarantineFolder
Directory containing the quarantined and backed up objects.
You can specify a storage directory that is different from the default directory.
You can use any directory on any server device as the storage. Specifying directories located on remote computers, for example, those mounted via SMB/CIFS or NFS, is not recommended.
Kaspersky Anti-Virus will start to place objects into the directory specified in this setting both after you have imported the file settings into Anti-Virus using the -T --set-settings command, and after the Anti-Virus has been stopped and restarted.
If the specified directory does not exist or is not accessible, the Anti-Virus will start to use the storage directory set by default.
Default value: /var/opt/kaspersky/kav4fs/quarantine/.
QuarantineSizeLimit
Maximum storage size.
The value of this setting specifies the maximum data volume in the storage.
Note that after the maximum storage size has been exhausted, Kaspersky Anti-Virus will stop placing objects to quarantine and will stop backing up objects prior to disinfection and deletion. A QuarantineSizeLimitReached event will be logged, indicating that the maximum storage size has been reached.
If the value of this setting is set to 0, the maximum storage size is not defined.
Specify a value in bytes.
Possible values: 0 – 1.8*10^19.
Default value: 1073741824.
QuarantineSoftSizeLimit
Recommended storage size.
The value of this setting specifies the recommended general data volume in the storage.
This is an information setting. It does not limit the storage size, but allows the administrator to track the status of the storage.
After the recommended storage size has been reached, the Anti-Virus will continue to place objects in quarantine and will continue to back up objects prior to disinfection and deletion. A QuarantineSoftSizeLimitExceeded event will be logged, indicating that the recommended storage size has been reached.
If the value of this setting is set to 0, the recommended maximum storage size is not defined.
Specify a value in bytes.
Possible values: 0 – 1.8*10^19.
Default value: 858993459.
EVENT LOG SETTINGS
This section contains a description of the settings in the configuration file for the Kaspersky Anti-Virus event log.
Table 26. Event log settings
EventStorageFolder
Event log directory. Kaspersky Anti-Virus saves information about events and service files of its event log to this directory.
You can view information about events stored in these files, using the -E --query command
You cannot modify this setting.
Default value: /var/opt/kaspersky/kav4fs/db/event_storage.
RotateMethod
Kaspersky Anti-Virus rotates events by partially deleting (or moving) event information from the EventStorageFolder directory. The RotateMethod setting can take the following values:
Erase. Kaspersky Anti-Virus deletes information about events from the log when the RotatePeriod elapses or when the data volume exceeds the maximum value defined by the EventStorageMaxSize setting.
Move. When the RotatePeriod elapses or when the data volume exceeds the maximum value defined by the EventStorageMaxSize setting, Kaspersky Anti-Virus transfers information about events from the log into the RotateMoveFolder directory and saves it in the rotation file.
The rotation file name contains the earliest time of an event registered in the file; its format is EventStorage-YYYY-MM-DD-hh-mm-ss.db.
During each rotation Kaspersky Anti-Virus saves information about events in a separate file.
Created files may differ in size if rotation uses both the RotatePeriod and the EventStorageMaxSize settings or if it is performed by the user manually. A single file size may be up to half of the value defined by EventStorageMaxSize or less (deviations range within 100 KB).
You can delete the rotation files or create their backup copies on removable media.
Default value: Erase.
RotateMoveFolder
Directory where Kaspersky Anti-Virus moves information about events if the Move method of events rotation has been selected.
The directory must be located on the same hard drive partition and have the same mount point as the EventStorageFolder directory. It must exist and be accessible for writing. If these conditions are not met, Kaspersky Anti-Virus does not move information about events, deleting it instead from the EventStorageFolder directory.
Default value: not configured.
RotatePeriod
Rotation interval. It can take the following values:
Daily. Kaspersky Anti-Virus rotates events every day at 00:00.
Weekly. Kaspersky Anti-Virus rotates events every Monday at 00:00.
Monthly. Kaspersky Anti-Virus rotates events on the 1st day of each month at 00:00.
Never. The interval for events rotation is not defined.
Default value: Never.
EventStorageMaxSize
Maximum size of the events log directory.
When information about events in the EventStorageFolder directory exceeds the size defined by the setting, Kaspersky Anti-Virus rotates events. The setting can be used in combination with the RotatePeriod setting to restrict additionally the size of the event log directory.
Specify a value in bytes.
0 – maximum size of the events log directory is not defined.
Setting the value to zero or too high is not recommended because a large data volume in the EventStorageFolder directory can slow down Kaspersky Anti-Virus.
Default value: 1073741824.
SETTINGS OF NOTIFICATIONS AND EVENT-BASED ACTIONS
This section contains a description of the settings in the configuration file for notifications and event-based actions.
Table 27. Settings of notifications and event-based actions
EnableSmtp
Enables/disables delivery of notifications by email.
yes – email delivery of notifications is enabled;
no – email delivery of notifications is disabled.
Default value: no.
EnableActions
Enables/disables execution of event-based actions.
yes – execution of event-based actions is enabled;
no – execution of event-based actions is disabled.
Default value: no.
[CommonSmtpSettings]
General notification settings
Sender
DefaultRecipients
The email address of the sender.
Default value: not configured.
Recipient address from the global list. The product can send to the recipients from the list any notifications about events described in a file.
You can specify several recipients: repeat the setting the number of times corresponding to the number of addresses that you wish to add.
Example:
You can enable or disable the list individually for every notification using the
UseRecipientList setting.
Default value: not configured.
Mailer
Email program used to send notifications. The setting can assume the following values:
Internal. Internal mailer of Kaspersky Anti-Virus. Kaspersky Anti-Virus features an internal mail program for delivery of notifications via SMTP. You can select it if authentication is not required to send email. Define the mailer settings in the [CommonSmtpSettings:InternalMailerSettings] section.
Sendmail. The Sendmail application. You can select it if Sendmail is installed and configured on the protected server. Define additionally the SendmailPath setting.
Default value: Internal.
SendmailPath
Path to the Sendmail executable file; it includes the following Sendmail arguments:
-t – mandatory argument (instruction to use the list of recipients from the message);
-i – optional argument (instruction to disable interpreting a single dot (.) in a line as a message end character).
Default value: /usr/sbin/sendmail -t -i.
[CommonSmtpSettings:InternalMailerSettings]
Settings of the internal Kaspersky Anti-Virus mailer.
SmtpServer
SMTP server address.
Default value: not configured.
SmtpPort
SMTP server port.
Default value: 25.
SmtpQueueFolder
Directory where the queue of outgoing messages will be stored.
Default value: /var/opt/kaspersky/kav4fs/db/notifier.
ConnectionTimeout
Time during which the server response will be expected (seconds).
Default value: 10.
[SmtpNotification]
Settings for event notifications, message text. Create a separate [SmtpNotification] section for each event, for which you wish to configure notifications.
Recipients
"Local" list of recipients: they will only receive the message described in the current [SmtpNotification] section.
You can specify several recipients: repeat the setting the number of times corresponding to the number of addresses that you wish to add.
Example:
You can enable or disable the list individually for every notification using the
UseRecipientList setting.
Default value: not configured.
UseRecipientList
Determines from which list the recipients of the message are taken:
Local. The message will be sent to recipients from the local list;
Global. The message will be sent to recipients from the global list;
Both. The message will be sent to recipients from both lists.
Default value: Global.
Subject
The message "Subject" field.
If you skip the setting, the "Subject" field will contain the event.
Default value: not configured.
Body
Message body. You can add macros (see section "Using macros" on page 69).
Default value: not configured.
EventName
Event that will be reported in the notification.
Default value: not configured.
Enable
Enables/disables notification delivery:
yes – notification delivery is enabled;
no – notification delivery is disabled.
Default value: no.
[Actions]
Settings for event-based actions. Create a separate [Actions] section for each event, for which you wish to configure an action.
Command
Shell script with the corresponding instructions executed when an event occurs.
E.g., you can configure delivery of SMS notifications or instant messaging notifications (such as jabber), integrate Kaspersky Anti-Virus with various monitoring systems. You can modify the firewall settings or even disable Samba server in case of a virus outbreak (multiple "Threat found" events).
You can add macros to the scripts (see section "Using macros" on page 69 ).
Default value: not configured.
EventName
Event that will trigger the specified action.
Default value: not configured.
Enable
Enables/disables execution of the action described in the current [Actions] section:
yes – action execution is enabled;
no – action execution is disabled.
Default value: no.
MANAGING KASPERSKY ANTI-VIRUS VIA KASPERSKY SECURITY CENTER
If your organization uses Kaspersky Security Center for centralized management of anti-virus applications, you can control Kaspersky Anti-Virus on the protected servers and configure it using the Administration Console of Kaspersky Security Center.
The Administration Console allows you to examine the computer's protection status and edit the computer's general protection settings. You can also create tasks for on-demand scans, for updating the application, and for installing key files.
VIEWING THE SERVER PROTECTION STATUS
The Administration Console lets you view the protection status of a selected server and the overall server status from the point of view of Anti-Virus security and its accessibility.
To view protection status of a server:
1. In the Administration Console tree, expand the Managed computers node and select the group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the results pane and select the Properties command.
3. In the <Computer name> Properties dialog box open the Protection tab.
The Protection tab displays the following information about the protected server:
Table 28. Information on server protection status in the dialog box
Computer status
Status of the protected server from the point of view of anti-virus security. For more details about statuses refer to the Kaspersky Lab Technical Support website, Article code 987.
Real-time protection status
Displays the real-time protection status, for example, Started, Stopped, Paused.
Last full scan date
Date and time of the last execution of an on-demand scan task.
Viruses found
The total number of malicious programs (names of threats) detected on the protected server (counter of detected threats) since the moment when Kaspersky Anti-Virus was installed or since the moment the counter was last reset. In order to reset the counter, click the Reset button.
"APPLICATION SETTINGS" DIALOG BOX
Using the Application settings dialog box you can perform remote management of Kaspersky Anti-Virus or configure it on the selected protected server.
To open the Application settings dialog:
1. In the Administration Console tree expand the Managed computers node.
2. Expand the group containing the protected server and select the Client computers folder.
3. Right-click the line with the information about the protected server in the results pane and select the Properties command.
4. In the <Computer name> Properties dialog box, on the Applications tab select Kaspersky Anti-Virus 8.0 for Linux File Server in the list of installed applications and click the Properties button.
CREATING AND CONFIGURING TASKS
You can create local tasks, tasks for several selected computers and group tasks of the following types:
update;
databases update rollback;
on-demand scan;
key file installation.
You create local tasks for a selected protected server on the Tasks tab. Group tasks should be created in the selected group's Group tasks folder; tasks for selected hosts should be created in the Tasks for specific computers folder.
General information about tasks in Kaspersky Security Center can be found in the Kaspersky Security Center Administrator's Guide.
CREATING A TASK
When configuring Kaspersky Anti-Virus via Kaspersky Security Center, you can create tasks of the following types:
local tasks, for an individual client computer;
group tasks, for client computers of specified administration groups;
tasks for specific computers, which may include computers from one or more groups;
Kaspersky Security Center tasks – specific tasks of the Update server: tasks downloading updates, backup copying tasks and reporting tasks.
Tasks for specific computers are only performed by a set of computers. For example, if you add new client computers to a group for which a remote deployment task has been created, the task will not run on those new machines. You have either to create a new task or modify the existing task's settings.
You can perform the following operations with tasks:
configure tasks;
monitor a task's performance;
copy or move a task from one group to another, or delete it, using the standard context menu commands Copy / Paste, Cut / Paste and Delete, or the corresponding items from the Action menu;
import and export tasks.
Detailed information about using tasks can be found in the Kaspersky Security Center Guide.
To create a local task:
1. Open the properties window of the required client computer on the Tasks tab.
2. Click the Add button.
3. The New task wizard will start (see page 165 ). Follow its instructions.
To create a group task, perform the following actions:
1. Open the Administration Console of Kaspersky Security Center.
2. In the Managed computers folder, open the required group, which is represented by a subfolder.
3. In the selected group, open the Group tasks subfolder which lists the group's existing tasks.
4. Click the Create a task link in the task pane to start the New task wizard. Information about specifics of creating group tasks is available in the Kaspersky Security Center Guide.
To create a task for specific computers (Kaspersky Security Center task):
1. Open the Administration Console of Kaspersky Security Center.
2. Select the required folder: Tasks for specific computers, or Kaspersky Security Center tasks.
3. Click the Create a task link in the task pane to start the New task wizard. Further information about creating Kaspersky Security Center tasks and tasks for specific computers is available in the Kaspersky Security Center Guide.
THE LOCAL TASK CREATION WIZARD
The Local task creation wizard can be started from the context menu of a managed computer, or in its properties window.
The wizard consists of a series of screens (steps) navigated using the Back and Next buttons; to close the wizard once it has completed its work, use the Finish button. To cancel the wizard at any stage, use the Cancel button.
STEP 1. ENTERING GENERAL TASK SETTINGS
At the first stage, specify the task's name in the Name field.
STEP 2. SELECTING AN APPLICATION AND DEFINING TASK TYPE
During this stage, specify the task's type and which program will perform the task: Kaspersky Anti-Virus 8.0 for Linux Workstation, or Network Agent.
For Kaspersky Anti-Virus 8.0 the following tasks can be created:
Virus scan – checks user-defined areas for the presence of viruses.
Update – downloads and applies a package containing program updates.
Update rollback – rolls back the last program update.
Key file installation – installs a new license key file, required to enable the program's full functionality.
STEP 3. CONFIGURING TASK SETTINGS
The appearance of the wizard's window at this stage will depend on the task type selected during the previous stage.
The following settings are required for an on-demand scan task:
specify the scan scope (see page 166) and the scan settings (see page 167);
specify any exclusion areas (see page 167).
The following settings are required for a task which updates the database and program modules:
to the source;
select the type of updates (see page 169 ).
The task to roll-back updates has no specific settings.
The license key file installation task requires a path to the key file.
To do so, perform the following:
1. Click the Browse button in the Task Wizard window.
2. Select the license key file (with a .key extension) which you received when purchasing Kaspersky Anti-Virus.
165
ADMINISTRATOR'S GUIDE
STEP 4. SCHEDULING THE TASK
task types except license installation tasks.
STEP 5. COMPLETING THE WIZARD
The last screen of the wizard will inform you that the task creation wizard has completed successfully.
UPDATING TASK SETTINGS
After you have created a task you can:
modify the task settings;
modify the task schedule, enable or disable scheduled task launches.
To modify the task settings:
1. In the Administration Console tree, expand the Managed computers node and select the group to which the protected server belongs.
2. Right-click the line with the information about the protected server in the results pane and select the Properties command.
3. In the Computer properties dialog box, on the Tasks tab, open the context menu for the task you want to configure, and select the Properties command.
4. Make the required changes to the settings in the Task properties window.
5. Click OK to save the changes.
CREATING A SCAN AREA
The term scan area refers to the set of objects which will be scanned, such as file system objects. All scan tasks, whether real-time protection tasks or on-demand scan tasks, have a specified scan area.
To define a scan area:
1. Open the Task properties window.
2. Select the Settings tab, and click the Add button in the Scan areas section.
3. In the <New scan area> dialog box which will open:
a. In the Area name field, assign a name to the new area. The name will appear in the list of areas for scanning, within the Scan areas window.
b. Select the resource type in the dropdown list to the left.
If you selected a Shared or Remote resource, you must specify in the right dropdown list the protocol used to access that resource remotely, either SMB/CIFS or NFS.
c. In the path entry field, enter the path to the directory to be scanned.
If you selected a Shared or Remote resource type, you may specify the path to the directory or the name of the resource, for example, MySamba. If you selected All shared or All remote, leave the path entry field blank.
d. In the Masks section, click the Add button and in the displayed Object mask window, define the file name templates, or path templates, for the objects to be scanned.
Using Shell masks, you can specify the file name template for Kaspersky Anti-Virus to scan.
Using regular expressions, you can specify the file path template for Kaspersky Anti-Virus to scan. A regular expression cannot contain the name of the folder which defines the scan or protection area.
Add the re: prefix to regular expressions.
e. Click OK to save the changes.
4. Click the OK button in the Task settings window to save the changes.
Kaspersky Anti-Virus will scan objects in the scan areas in the order in which the areas are listed. If you wish to configure different security settings for child and parent directories, place the subdirectory in the list above its parent directory.
Use the Move Up and Move Down buttons to move lines in which paths are specified to the top or bottom of the list.
CONFIGURING SECURITY SETTINGS
The default scan settings used by Kaspersky Anti-Virus for all scan tasks are those recommended by Kaspersky Lab.
You can reconfigure the security settings as you require.
To configure the security settings for a scan area:
1. Open the Task properties window.
2. Select the scan area on the Settings tab, and click the Properties button in the Scan areas section.
3. In the window that will open, select the Settings tab. In the Scan of compound objects section, check the
4. In the Scan optimization section of the Settings tab, specify the maximum scanning duration for an individual object (see page 181) and the maximum size of objects to scan (see page 181).
objects to be excluded from scanning by the name of the detected threat (see page 180 ).
The excluded area specified for a particular scan area will only apply to that scope.
7. Click OK to save the changes.
CREATING AN EXCLUDED AREA
By default, Kaspersky Anti-Virus scans all objects within a scan area.
You can define name and path templates that are excluded from the scan area. In this case, Kaspersky Anti-Virus will not scan files or directories from the scan area that are specified using Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify the file name template excluded from scanning by Kaspersky Anti-Virus.
Using regular expressions, you can specify the file path template excluded from the scan by Kaspersky Anti-Virus. The regular expression should not contain the name of the directory containing the excluded object.
To define an excluded area:
1. Open the Task properties window.
2. Click the Add button on the Exclusion areas tab.
3. In the <New exclusion area> dialog box which will open:
a. In the Area name field, assign a name to the new area. The name will appear in the list of excluded areas within the Exclusion areas window.
b. Select the resource type in the dropdown list to the left.
If you selected a Shared or Remote resource, you must specify in the right dropdown list the protocol used to access that resource remotely, either SMB/CIFS or NFS.
c. In the path entry field, enter the path to the excluded directory.
If you selected a Shared or Remote resource type, you may specify the path to the directory or the name of the resource, for example, MySamba. If you selected All shared or All remote, leave the path entry field blank.
d. In the Masks section, click the Add button and in the displayed Object mask window, define the file name templates, or path templates, for the objects to exclude from scanning.
e. Click OK to save the changes.
4. Click the OK button in the Task settings window to save the changes.
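The following added example is not product code and is not from this guide; it only imitates the two template kinds described for scan areas and for exclusion areas above, so that an administrator can see which paths a set of templates would cover before applying it. Shell masks are matched against the file name with ordinary shell globbing; templates with the re: prefix are matched against the path with grep -E (POSIX extended syntax rather than ECMA-262, so keep patterns to the common subset). Matching a re: template against the whole path, and the sample paths themselves, are assumptions made for the example.

```shell
#!/bin/sh
# Added example: imitates how Shell masks and "re:" regular-expression
# templates select objects, so an exclusion list can be checked before use.
# Assumption: a Shell mask is matched against the file name only, a "re:"
# template against the whole path (the product's exact rules may differ).

# mask_matches PATH TEMPLATE: return 0 if PATH matches TEMPLATE.
mask_matches() {
    mm_path=$1
    mm_template=$2
    case $mm_template in
        re:*)
            # Regular expression: drop the prefix, test the whole path.
            mm_regex=${mm_template#re:}
            printf '%s\n' "$mm_path" | grep -Eq -- "$mm_regex"
            ;;
        *)
            # Shell mask: glob against the base name, as a case pattern does.
            mm_name=${mm_path##*/}
            case $mm_name in
                $mm_template) return 0 ;;
                *) return 1 ;;
            esac
            ;;
    esac
}

# classify_paths TEMPLATE...: read paths from stdin and print one line per
# path, "excluded (<template>) <path>" or "scanned <path>". The first
# matching template wins, mirroring a top-to-bottom exclusion list.
classify_paths() {
    while IFS= read -r cp_path; do
        cp_verdict=scanned
        for cp_t in "$@"; do
            if mask_matches "$cp_path" "$cp_t"; then
                cp_verdict="excluded ($cp_t)"
                break
            fi
        done
        printf '%s %s\n' "$cp_verdict" "$cp_path"
    done
}

# count_excluded TEMPLATE...: number of stdin paths the templates exclude.
# An unexpectedly large number is the sign of an over-broad mask.
count_excluded() {
    classify_paths "$@" | grep -c '^excluded' || true
}

# Constructed sample paths (not from the guide or any real server).
SAMPLE_PATHS='/srv/samba/share/report.docx
/srv/samba/share/build/cache.tmp
/srv/samba/share/build/libfoo.so
/home/alice/notes.tmp
/var/log/app.log'

# Exclude temporary files anywhere by name, and shared objects under the
# build directory by path. Note that "*.tmp" also catches notes.tmp in /home,
# which is exactly the kind of reach an administrator wants to see up front.
printf '%s\n' "$SAMPLE_PATHS" \
    | classify_paths '*.tmp' 're:^/srv/samba/share/build/.*\.so$'
```

Feed the script the real path list of a share (for example the output of find) to review an exclusion list before entering it in the Object mask window; a re: template that never matches anything, or a Shell mask that matches far more than intended, shows up immediately.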
SELECTING AN UPDATE SOURCE
An update source is a resource containing updates for the Kaspersky Anti-Virus databases. Update sources can be HTTP or FTP servers, or local or network folders.
The main update source is Kaspersky Lab's update servers. These are special Internet sites which contain updates for databases and application modules for all Kaspersky Lab products.
To choose an update source:
1. Open the Task properties window.
2. Use the Updates sources tab to select a source of updates (see page 181 ).
3. Click OK to save the changes.
To add a custom update source:
1. Open the Task properties window.
2. On the Updates sources tab, select Other directories on the local network or the Web, and click the Customize button.
3. In the Updates sources window that will open, click the Add button and enter either the path to a directory which contains the updates, or the address of an FTP or HTTP update server.
4. Click OK to save the changes.
To configure the connection to an update source:
1. Open the Task properties window.
2. On the Updates sources tab, press the Connection settings button.
3. Configure the following settings in the window that will open:
a. FTP server mode (see page 181 )
b. time to wait for a response from the update source while attempting a connection (see page 182 )
c.
f. location of protected computer
4. Click OK to save the changes.
SELECTING THE TYPE OF UPDATES
A Kaspersky Anti-Virus update task performs one of the following operations:
1. Downloads and installs databases.
2. Downloads updates to Kaspersky Anti-Virus' program modules. The updated modules are only copied to the specified directory; no actual installation of the files is performed.
3. Copies updates for selected modules. The task will only retrieve the updates specified in the list. No actual installation of the modules will be performed.
To choose an update type:
1. Open the Task properties window.
2. On the Updates type tab, select the type of updates (see page 183 ) from the dropdown list.
3. If you selected Copy all updates available for the application, specify the directory where the updates will be stored (see page 183) in the Target directory field.
4. If you selected Copy updates for selected modules according to a list:
a. Click the Add button in the Updates components list.
b. Enter the required update name in the displayed window.
You can review the names of updates on the Kaspersky Lab Technical Support web site.
c. Click OK to save the changes.
d. Repeat steps a-c as many times as necessary.
5. Click OK to save the changes.
SCHEDULING A TASK VIA KASPERSKY SECURITY CENTER
You can specify the schedule of a task when you create the task in the task creation wizard or later, using the Task properties dialog box.
This section describes how to specify a schedule in the Task properties dialog box. Task scheduling is performed similarly in the task creation wizard.
CREATING A TASK START RULE
You can create task start rules: a one-off task launch at a specified time on a certain day; a regular task launch with a specified frequency, such as weekly or monthly; launching a task after every database update, or every time Kaspersky Anti-Virus starts.
To create a task start rule:
1. In the Administration Console tree expand the Managed computers node.
2. Expand the group containing the protected server and select the Client computers folder.
3. Right-click the line with the information about the protected server in the results pane and select the Properties command.
4. In the Computer properties dialog box open the Tasks tab. Open the context menu of the task you want to configure and select the Properties command.
5. In the Task properties dialog box open the Schedule tab.
6. Configure the task schedule (see section "Scheduling a task" on page 170 ).
7. Click OK to save the changes.
SCHEDULING A TASK
In the Scheduled start drop-down list, select the necessary mode for task launch:
Every N hours.
Every N minutes.
Every N day.
Weekly.
Monthly.
Once.
Manually – launch will be performed manually from the main application window of Kaspersky Anti-Virus using the Start command from the context menu or the analogous item in the Action menu.
After application update – launch will be performed after each database update.
At application start.
When new updates are downloaded to the repository – launch will be performed automatically after the Administration Server obtains updates.
On virus outbreak.
On completing another task.
All modes used in Kaspersky Security Center tasks are listed here. Depending on the type of the selected task, some of the options may be missing. Detailed information about tasks in Kaspersky Security Center can be found in the Kaspersky Security Center Administrator's Guide.
After selecting the task start mode you should specify the frequency of its run in the fields block corresponding to the selected mode. Depending on the selected mode the following values are specified:
When selecting the Every N hours scheduling option, the task start frequency in hours is specified in the Every field, and the date and time of the first start is indicated in the Plan for field.
For example, if you specify the value 2 in the Every field and April 3, 2011, 03:00 PM in the Plan for field, the task will run every two hours starting at 03:00 PM on April 3, 2011.
The default frequency value is 6, and the default start date and time for the task is automatically set to the current system date and time of your computer.
When selecting the Every N minutes scheduling option, the task start frequency in minutes is specified in the Every field, and the date and time of the first start is indicated in the Plan for field.
For example, if you entered the value 30 in the Every field and 03:00 PM in the Plan for field, the task will start every half hour starting at 3 p.m. of the current day.
The default value for the field is 30, and the current system time is automatically set as the default task start time.
For the Every N day task start mode you must specify the frequency in days in the Every field, and in the Start time field the time when the task should run on the specified dates.
For example, if the value of the Every field is 2 and the value of the Start time field is 3:00:00 p.m., the task will start once every two days (every other day) at 3 p.m.
The default value for the field is 1, and the current system time is automatically set as the default task start time.
For the Weekly scheduling mode, the day of the week when the task should start is specified in the Every field, and the time of the task launch on that day is indicated in the Start time field.
For example, if you specify Monday in the Every field and 03:00 PM in the Start time field, the task will run every Monday at 03:00 PM.
By default, the Every field is set to Sunday, and the current system time of your computer is set as the start time.
For the Monthly scheduling mode, the day of the month when the task should start is specified in the Every field, and the time of the task launch on that day is indicated in the Start time field.
For example, if the value in the Every field is 20 and the value in the Start time field is 3:00:00 p.m., the task will start on the 20th day of every month at 3 p.m.
The default value in the Every field is 1, and the current system time is set in the Start time field.
For the Once scheduling mode, the day when the task should start is specified in the Start date field, and the time of the task launch on that day is indicated in the Start time field.
The values of these fields are set automatically and correspond to the current system date and time, but you can change them.
For the On virus outbreak mode you must specify the types of programs for which the Virus attack event should be taken into account at task start. To do this, check the boxes next to the selected types of programs.
If the task is to start after the completion of another task, specify in the Task name field which task must complete, by clicking the Select button, and in the Execution result field specify the required result of that task.
You can also configure additional task start settings (they depend upon the selected scheduling mode):
Define the procedure for starting the task if the client computer is unavailable (turned off, disconnected from the network, etc.) or if the application is not running at the time specified by the schedule.
If the Run the missed tasks box is checked, the system attempts to start the task the next time the application is started on this client computer. If the task scheduling mode is set to Manually or Once, the task is started immediately after the host registers on the network.
If this box is not checked, only scheduled tasks will be started on the client computers, and for Manually and Once only on hosts visible on the network. By default, the box is unchecked.
Define the deviation from the scheduled time within which the task will be started on client computers. This feature is provided to avoid a large number of client computers accessing the Administration Server simultaneously at task start.
To use it, select the Distribute a task to start at random in the interval (in minutes) check box and specify the time interval in minutes over which task starts are spread, so that the client computers do not all access the Administration Server at the same time. By default, this box is unchecked.
CREATING AND CONFIGURING POLICIES
You can create global Kaspersky Security Center policies for managing protection on several servers where Kaspersky Anti-Virus is installed.
A policy applies all specified settings to all protected servers in one administration group.
You can create several policies for one administration group and enforce them in turns. The Administration Console assigns the active status to the policy in effect for a group at any given time.
While the policy is active, Kaspersky Anti-Virus applies the configuration values that you have set in the policy's properties instead of the values that were active for these settings before the policy took effect. Kaspersky Anti-Virus does not apply configuration values that you have not set in the policy's properties. When the effect of the policy is terminated, the settings whose values were modified by the policy retain the values they had while the policy was active.
Using policies, you can configure the real-time protection task settings for Kaspersky Anti-Virus.
CREATING A POLICY
To create a policy for a group of servers on which Kaspersky Anti-Virus is installed:
1. In the Administration Console tree, expand the Managed computers node, then expand the administration group for whose computers you want to create the policy.
2. In the context menu of the Policies subnode, select the Create → Policy command.
This will open a policy creation wizard window.
3. In the Policy name window, enter the name of the policy being created in the input field (the name may not contain the characters " * < : > ? \/ |).
4. In the Application window, select Kaspersky Anti-Virus 8.0 for Linux File Server in the dropdown list.
5. In the Creating a policy window, select one of the following policy statuses:
Active policy, if you want the policy to become active immediately upon creation. If an active policy already exists in the group, this policy will become inactive and the policy you are creating will be activated.
Inactive policy, if you do not want the created policy to be activated immediately. In this case you will be able to activate the policy at a later time.
In the following policy creation wizard windows, specify the real-time protection task settings you require.
6. Use the Protection areas window to add one or several protection areas and select the interception method.
7. If necessary, use the Exclusion areas window to add one or several areas that do not need protection.
8. Click the Finish button in the Completing the New Policy Wizard window.
CONFIGURING A POLICY
You can use the Properties dialog window of an existing policy to configure the real-time protection task settings for Kaspersky Anti-Virus.
To configure policy settings in the Policy properties dialog:
1. In the Administration Console tree, expand the Managed computers node, expand the administration group whose policy settings you want to configure, and then expand the included Policies node.
2. In the result pane, open the context menu of the policy whose settings you want to configure and select the Properties command.
3. In the <Policy Name> Properties dialog box configure the required policy settings and click the OK button.
CHECKING CONNECTION WITH ADMINISTRATION SERVER MANUALLY. THE KLNAGCHK UTILITY
The Network Agent distribution kit includes the klnagchk utility to check the connection with the Administration Server.
Following installation of the Network Agent, the utility is located in the /opt/kaspersky/klnagent/bin directory and, when launched, performs the following actions in accordance with the keys in use:
outputs to the screen or records in the log file the connection parameters used by the Network Agent installed on the client computer to connect to the Administration Server;
outputs to the screen or in the log file the statistics about operation of the Network Agent, since its last launch, and the results of this utility operation;
attempts to connect the Network Agent to the Administration Server;
if the connection could not be established, sends an ICMP packet to verify the status of the computer on which the Administration Server is installed.
Utility command line syntax: klnagchk [-logfile <file name>] [-sp] [-savecert <path to the certificate file>] [-restart]
The command line parameters are as follows:
-logfile <filename> – log the connection parameters used by Network Agent to connect to the Administration Server and the results of the utility operation. By default the information will be stored in the stdout.tx file. If the modifier is not used, the parameters, results and error messages will be printed to the screen.
-sp – display the password used to authenticate the user on the proxy server. This parameter is used if the connection to the Administration Server is performed using a proxy server.
-savecert <filename> – save the certificate used to access the Administration Server in the specified file.
-restart – restart the Network Agent after the utility has completed.
CONNECTING TO ADMINISTRATION SERVER MANUALLY. THE KLMOVER UTILITY
The Network Agent distribution kit includes the klmover utility to manage the connection to the Administration Server.
Following installation of the Network Agent, the utility is located in the /opt/kaspersky/klnagent/bin directory and, when launched, performs the following actions in accordance with the keys in use:
connects the Network Agent to the Administration Server using the parameters supplied;
logs the results of the operation in the events log file, or displays them on the screen.
Utility command line syntax: klmover [-logfile <file name>] {-address <server address>} [-pn <port number>] [-ps <SSL port number>] [-nossl] [-cert <path to certificate file>] [-silent] [-dupfix]
The command line parameters are as follows:
-logfile <file name> – log the results of the utility operation to the specified file; if the key is not used, the results and error messages are output to stdout.
-address <server address> – the address of the Administration Server for connection. The address can be represented by the IP address, NetBIOS or DNS name of the server.
-pn <port number> – number of the port that will be used for an unsecured connection to the Administration Server. The default value is 14000.
-ps <SSL port number> – number of the port that will be used for a secured connection to the Administration Server using the Secure Sockets Layer (SSL) protocol. By default, port 13000 will be used.
-nossl – use an unsecured connection to the Administration Server; if no modifier is used, a secure connection between the Network Agent and Administration Server will be established using the SSL protocol.
-cert <full path to the certificate file> – use the specified certificate file for authentication when accessing the new Administration Server. If no modifier is used, the Network Agent will receive the certificate on its first connection to the Administration Server.
-silent – launch the utility in non-interactive mode. This modifier can be useful, for instance, when launching the utility from the startup script when registering the user.
-dupfix – this modifier is used if the Network Agent was installed using a method other than the regular installation from a distribution package. For example, it could have been restored from a drive image.
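As an added example, not part of the Network Agent distribution or of this guide: a POSIX shell wrapper that assembles a klmover command line with the secure defaults described above (SSL on port 13000 and a certificate passed with -cert), and refuses to fall back to -nossl unless the administrator opts in explicitly. Since without -cert the Agent accepts the certificate the server presents on its first connection, pinning a certificate previously saved with klnagchk -savecert keeps the Agent from being re-registered against an unintended server. The server name ksc.example.internal, the log path /var/log/klmover.log and the environment variable KLMOVER_ALLOW_NOSSL are constructed for this example; only the utility path, the flags and the port numbers come from the guide.

```shell
#!/bin/sh
# Added example (not part of the Network Agent kit): build a klmover command
# line with secure defaults so an Agent is not registered over an unsecured
# connection or without a pinned Administration Server certificate.
# Assumed for the example: the log path, the environment variable name and
# the sample server name. Utility path, flags and ports are from the guide.

KLMOVER=/opt/kaspersky/klnagent/bin/klmover   # location given in the guide

# build_klmover_cmd ADDRESS CERT_FILE [LOG_FILE]: print the command line.
# SSL on port 13000 with -cert is used unless KLMOVER_ALLOW_NOSSL=1 is set.
# Returns 1 and prints nothing if the inputs would lead to an unsafe call.
build_klmover_cmd() {
    bk_address=$1
    bk_cert=$2
    bk_log=${3:-/var/log/klmover.log}   # assumed default, not from the guide

    if [ -z "$bk_address" ]; then
        echo "error: Administration Server address is required" >&2
        return 1
    fi

    if [ "${KLMOVER_ALLOW_NOSSL:-0}" = 1 ]; then
        # Unsecured TCP 14000: only when the caller opted in deliberately.
        printf '%s -logfile %s -address %s -pn 14000 -nossl -silent\n' \
            "$KLMOVER" "$bk_log" "$bk_address"
        return 0
    fi

    # Without -cert the Agent trusts whatever certificate the server presents
    # on first connection (see the -cert description), so require the file.
    if [ ! -r "$bk_cert" ]; then
        echo "error: certificate file '$bk_cert' is not readable" >&2
        return 1
    fi

    printf '%s -logfile %s -address %s -ps 13000 -cert %s -silent\n' \
        "$KLMOVER" "$bk_log" "$bk_address" "$bk_cert"
}

# run_klmover ADDRESS CERT_FILE [LOG_FILE]: execute the command if the
# utility is installed on this host; otherwise only show what would run.
run_klmover() {
    rk_cmd=$(build_klmover_cmd "$@") || return 1
    if [ -x "$KLMOVER" ]; then
        $rk_cmd
    else
        echo "dry run (klmover not installed here): $rk_cmd"
    fi
}

# Constructed sample: an empty placeholder standing in for a certificate
# file exported with "klnagchk -savecert" on a host that already trusts the
# intended Administration Server.
SAMPLE_CERT=$(mktemp)
run_klmover ksc.example.internal "$SAMPLE_CERT"
rm -f "$SAMPLE_CERT"
```

On a host where the Network Agent is installed the wrapper runs klmover with the pinned certificate; elsewhere it prints the command it would have run, which is a convenient way to review a re-registration script before rolling it out.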
TASK SETTINGS
INTERCEPTION METHOD
The Scan on file access type security setting is used only in the real-time protection task.
Kaspersky Anti-Virus includes two components that intercept attempts to access files and scan those files: the Samba interceptor (used to scan objects on the server accessed from remote computers via the SMB/CIFS protocol) and the kernel level interceptor (scanning objects accessed using other methods).
The Samba interceptor provides, as additional object information, the IP address of the remote computer from which an application attempted to access an object when the attempt was intercepted by Kaspersky Anti-Virus.
If you use the protected computer only as a Samba server, you can set the SAMBA only value. In this case, Kaspersky Anti-Virus will not scan objects that are not accessed via SMB/CIFS.
Possible values include:
All operations. Kaspersky Anti-Virus scans server objects with the SAMBA interceptor when they are accessed via SMB/CIFS. Kaspersky Anti-Virus uses the kernel level interceptor to intercept all other operations on files that are accessible on the protected server (including files on remote computers).
SAMBA only. Kaspersky Anti-Virus scans objects with the SAMBA interceptor only when they are accessed via SMB/CIFS.
Make sure that you have specified the SAMBA VFS password during the initial configuration of Kaspersky Anti-Virus (see Installation Guide of Kaspersky Anti-Virus 8 for Linux).
File system only. Kaspersky Anti-Virus scans server objects without using the SAMBA interceptor.
Make sure that you have specified the kernel interceptor during the initial configuration of Kaspersky Anti-Virus (see Installation Guide of Kaspersky Anti-Virus 8 for Linux).
PROTECTION MODE
The Protection mode security setting is used only in the real-time protection task. It determines the type of access to the objects that ensures that Kaspersky Anti-Virus scans such objects.
Select one of the protection modes depending on your server security requirements, on which files are stored on the server, on the format they are stored in and on the information they contain:
Smart check. Kaspersky Anti-Virus scans a file when an attempt is made to open it, and rescans it when an attempt is made to close it if the file has been modified. If a process accesses an object multiple times in the course of its operation and changes it, Kaspersky Anti-Virus scans the object a second time only when the process closes it for the last time.
When opened and modified. Kaspersky Anti-Virus scans a file when an attempt is made to open it, and rescans it when an attempt is made to close it if the file has been modified.
When opened. Kaspersky Anti-Virus scans the object when an attempt is made to open it for reading, execution or modification.
The default value is Smart check.
HEURISTIC ANALYSIS
The Heuristic analysis security setting is applied to real-time protection tasks and on-demand scan tasks.
Objects are scanned using databases containing descriptions of known threats and ways to neutralize them. Kaspersky Internet Security compares each scanned object with the database's records to determine firmly if the object is malicious, and if so, into which class of malware it falls. This approach is called signature analysis and is always used by default.
Since new malicious objects appear daily, there is always some malware which is not described in the databases, and which can only be detected using heuristic analysis. This method presumes the analysis of the actions an object performs within the system. If such activity is typical of malicious objects, the object is likely to be labeled as malicious or potentially infected. As a result, new threats are identified before they become known to virus analysts.
Additionally you can set the detail level for scans. It sets the balance between the thoroughness of searches for new threats, the load on the operating system's resources and the time required for scanning. The higher the detail level, the more resources the scan will require, and the longer it will take.
Select the Heuristic analysis check box to enable heuristic analysis.
Select one of the following values in accordance with your security requirements and the speed of the server's file exchange system:
Light scan;
Medium;
Deep scan;
Recommended.
Default value: Recommended.
ACTION TO PERFORM ON INFECTED OBJECTS
The Action on infected object security setting is used in real-time protection and on-demand scan tasks.
When Kaspersky Anti-Virus finds an object infected, it performs on it the action you have selected.
Select one of the following values:
Disinfect. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Delete. Kaspersky Anti-Virus deletes the object.
Perform recommended action. Kaspersky Anti-Virus automatically selects and performs the action on the object based on the data about the threat detected in the object and about the possibility of disinfecting it. For example, Anti-Virus will immediately remove Trojans, since they do not incorporate themselves into other files and do not infect them, and therefore do not need to be disinfected. This action can only be specified as the initial action to be taken on infected objects.
Skip. The object remains intact: Kaspersky Anti-Virus does not attempt to disinfect or delete it. Information about the identified object will be recorded in the log.
Quarantine. The object will be moved to a quarantine.
Before modifying an object (through disinfection or removal), Kaspersky Anti-Virus saves a copy of the original object in the Backup storage area. If a copy of the object cannot be made, no attempt is made to disinfect or delete the object, which remains unchanged. Information concerning why Kaspersky Anti-Virus was not able to disinfect or delete the object will be recorded in the log.
Select from the list two actions which Kaspersky Anti-Virus will perform on the object. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
During real-time protection, Kaspersky Anti-Virus blocks access to an object for any application that attempts to access it, before actual operations with that object.
ACTION TO BE PERFORMED ON SUSPICIOUS OBJECTS
The Action on suspicious object security setting is used in real-time protection and on-demand scan tasks.
When Kaspersky Anti-Virus finds an object suspicious, it performs with it the action you have selected.
Select one of the following values:
Quarantine. The object will be moved to a quarantine.
Disinfect. Kaspersky Anti-Virus attempts to disinfect the object, and if disinfection is not possible, it leaves the object intact.
Delete. Kaspersky Anti-Virus removes a suspicious object from the server.
Before deleting the object, Kaspersky Anti-Virus places a copy of the object into backup storage. Kaspersky Anti-Virus does not delete an object if it cannot first create a copy of the object in Backup; the object will remain intact. Information concerning why Kaspersky Anti-Virus was not able to remove the object will be recorded in the log.
Perform recommended action. Kaspersky Anti-Virus selects and performs the action with the object based on the data about how dangerous the threat detected in the object is.
Skip. The object is not altered: Kaspersky Anti-Virus does not attempt to disinfect or delete it, but logs relevant information about the object, including what malware it is suspected to contain.
Select from the list two actions which Kaspersky Anti-Virus will perform on the object. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
During real-time protection, Kaspersky Anti-Virus blocks access to the object for any application that attempts to open it before performing any operations on that object.
ACTIONS TO BE PERFORMED ON OBJECTS DEPENDING ON THE THREAT TYPE
The Actions by threat type security setting is used in the real-time protection and on-demand scan tasks.
Threats of some types (classes) are more dangerous for the computer than others. For example, Trojans can do much more damage than adware. Using this setting, you can configure different actions to be taken by Kaspersky Anti-Virus with objects found to contain specified threats.
If you specify values for this setting, Kaspersky Anti-Virus will use them instead of the values of the Action on infected object setting (see page 178) and the Action on suspicious object setting (see page 178).
For each type of threat, select from the list two actions which Kaspersky Anti-Virus will perform on each object which presents that threat. If Kaspersky Anti-Virus fails to perform the first action, it will perform the second action.
If possible, Kaspersky Anti-Virus will apply selected actions both to infected and to suspicious objects.
If you select Skip as the first action, the second action will not be available.
If Kaspersky Anti-Virus fails to move an object to backup storage or quarantine, it will not take the next step on the object (for example, disinfecting or deleting it). The object will be considered skipped. You can review the reason for skipping the object in the log.
In the list of threat types, the Network worms and Classical viruses types are combined under the single name of Viruses.
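How the two-step action pairs, the mandatory Backup copy and the per-threat-type override interact is easiest to see in code. The Python model below is an added example written against this guide's description of the behaviour; it is not Kaspersky Anti-Virus code. The Scanner, Policy, Verdict and Storage names, the file paths and the omission of the Perform recommended action value are the example's own choices. It lets you check the case a practitioner cares about most: when Backup storage cannot take a copy, Disinfect and Delete are never attempted and the object stays on the share unchanged, so Backup free space and the log entries for skipped objects need monitoring.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional

class Action(Enum):
    DISINFECT = "Disinfect"
    DELETE = "Delete"
    QUARANTINE = "Quarantine"
    SKIP = "Skip"

@dataclass
class Policy:
    """An action pair: the second action is tried only if the first one fails."""
    first: Action
    second: Optional[Action] = None

    def __post_init__(self) -> None:
        # Skip as the first action leaves no second action to choose (as in the guide).
        if self.first is Action.SKIP and self.second is not None:
            raise ValueError("Skip as first action allows no second action")

@dataclass
class Verdict:
    """Hypothetical scan result for one object (constructed for the example)."""
    path: str
    status: str          # "infected" or "suspicious"
    threat_type: str     # e.g. "Trojan", "Adware", "Viruses"
    disinfectable: bool  # True when a disinfection routine exists for the object

@dataclass
class Storage:
    """Stand-in for Backup or Quarantine storage; copy() fails when can_store() says so."""
    name: str
    can_store: Callable[[str], bool] = lambda path: True
    items: List[str] = field(default_factory=list)

    def copy(self, path: str) -> bool:
        if not self.can_store(path):
            return False
        self.items.append(path)
        return True

@dataclass
class Scanner:
    on_infected: Policy
    on_suspicious: Policy
    by_threat_type: Dict[str, Policy] = field(default_factory=dict)
    backup: Storage = field(default_factory=lambda: Storage("Backup"))
    quarantine: Storage = field(default_factory=lambda: Storage("Quarantine"))
    log: List[str] = field(default_factory=list)

    def policy_for(self, v: Verdict) -> Policy:
        """A pair configured for the threat type overrides both generic settings."""
        if v.threat_type in self.by_threat_type:
            return self.by_threat_type[v.threat_type]
        return self.on_infected if v.status == "infected" else self.on_suspicious

    def process(self, v: Verdict) -> str:
        """Apply the resolved pair; returns the action that took effect, or 'Skipped'."""
        pair = self.policy_for(v)
        backed_up = False
        for action in (pair.first, pair.second):
            if action is None:
                break
            if action is Action.SKIP:
                self.log.append(f"{v.path}: skipped, {v.threat_type} logged only")
                return Action.SKIP.value
            if action is Action.QUARANTINE:
                if not self.quarantine.copy(v.path):
                    self.log.append(f"{v.path}: quarantine copy failed, object left unchanged")
                    return "Skipped"  # no further step is taken after a failed move
                self.log.append(f"{v.path}: moved to quarantine")
                return Action.QUARANTINE.value
            # Disinfect and Delete modify the object, so a Backup copy must succeed first.
            if not backed_up:
                if not self.backup.copy(v.path):
                    self.log.append(f"{v.path}: backup copy failed, {action.value} not attempted")
                    return "Skipped"
                backed_up = True
            if action is Action.DISINFECT and not v.disinfectable:
                self.log.append(f"{v.path}: disinfection not possible")
                continue  # fall back to the second action, if one is configured
            self.log.append(f"{v.path}: {'disinfected' if action is Action.DISINFECT else 'deleted'}")
            return action.value
        self.log.append(f"{v.path}: no action could be applied, object left unchanged")
        return "Skipped"

def demo(backup_disk_full: bool = False) -> Dict[str, str]:
    """Constructed verdicts run through a typical policy; backup_disk_full makes every Backup copy fail."""
    scanner = Scanner(
        on_infected=Policy(Action.DISINFECT, Action.DELETE),
        on_suspicious=Policy(Action.QUARANTINE),
        by_threat_type={"Adware": Policy(Action.SKIP)},
        backup=Storage("Backup", can_store=lambda path: not backup_disk_full),
    )
    verdicts = [
        Verdict("/srv/share/invoice.exe", "infected", "Trojan", disinfectable=False),
        Verdict("/srv/share/setup.bin", "infected", "Viruses", disinfectable=True),
        Verdict("/srv/share/toolbar.so", "infected", "Adware", disinfectable=True),
        Verdict("/srv/share/odd.bin", "suspicious", "Trojan", disinfectable=False),
    ]
    return {v.path: scanner.process(v) for v in verdicts}

if __name__ == "__main__":
    for path, result in demo(backup_disk_full=True).items():
        print(f"{result:10} {path}")
```

Running the model with backup_disk_full=True shows the infected Trojan and virus samples reported as Skipped while the suspicious object is still quarantined, because Quarantine is a separate storage area: a full Backup disk silently neutralises Disinfect and Delete but not Quarantine.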
EXCLUDING OBJECTS BY NAME
The Exclude objects by name or regular expression security setting is used in real-time protection and on-demand scan tasks.
By default, Kaspersky Anti-Virus scans all objects within the scan or protection area.
You can specify the name and path templates to be excluded from the scan or protection area. In this case, Kaspersky Anti-Virus will not scan files or folders in the scan or protection area that match the specified Shell masks or ECMA-262 regular expressions.
Using Shell masks, you can specify the file name template excluded from scanning by Kaspersky Anti-Virus.
Using regular expressions, you can specify the file path template excluded from the scan by Kaspersky Anti-Virus. The regular expression should not contain the name of the directory that contains the excluded object.
Information on an object's exclusion from scanning is saved in the log.
EXCLUDING OBJECTS BY THREAT NAME
The Exclude objects by threat name security setting is used in real-time protection and on-demand scan tasks.
If Kaspersky Anti-Virus considers a scanned object to be infected or potentially infected, it performs the action on this object specified in the task. If you consider this object to be harmless for the protected server, you can exclude it from the scan area by the type of object detected in it. In this case, Kaspersky Anti-Virus will treat such objects as clean and skip them.
The full name of the object detected in the file can contain the following information:
<object class>:<object type>.<brief name of the operating system>.<object name>.<object modification code>.
For example, not-a-virus:NetTool.Linux.SynScan.a.
You can find the full name of the object detected in the file in the Kaspersky Anti-Virus log.
You can also find the full name of the object detected in a file at the Virus Encyclopedia website (see the Virus Encyclopedia section at http://www.viruslist.com).
When specifying object type name templates, you can use Shell masks and ECMA-262 regular expressions.
To exclude objects infected by a specific threat from scanning, specify either the threat's full name or a threat name template.
For example, you use a network information utility; Kaspersky Anti-Virus blocks it, classifying its code as a Riskware type of threat. You can add the complete name of a threat posed by a program to the list of excluded threats, for example, not-a-virus:NetTool.Linux.SynScan.a.
You can specify threat names using Shell masks or ECMA-262 regular expressions. ECMA-262 regular expressions must be identified by the re: prefix.
For example, to skip files containing any threats to Linux which belong to the not-a-virus class, enter: re:not-a-virus:.*\.Linux\..*
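Both exclusion settings above (by object name and by threat name) accept Shell masks and, with the re: prefix, ECMA-262 regular expressions. The Python block below is an added example, not part of the guide or of the product, that reproduces that matching so an exclusion list can be tested before it is loaded into a task: it parses a full detection name into its fields, matches templates against threat names and against paths, and flags templates broad enough to also exclude real malware. Assumptions made by the example: templates are matched against the whole value (the guide does not say whether they are anchored); in the object-name setting Shell masks apply to the file name while re: expressions apply to the full path; the regular-expression subset used here behaves the same in Python's re module as in ECMA-262; and the names in DANGEROUS_PROBES are constructed.

```python
import fnmatch
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

RE_PREFIX = "re:"  # marks an ECMA-262 regular expression; anything else is a Shell mask

@dataclass(frozen=True)
class ThreatName:
    """Fields of a full detection name such as not-a-virus:NetTool.Linux.SynScan.a"""
    object_class: str            # "not-a-virus" (empty when the name has no class prefix)
    object_type: str             # "NetTool"
    platform: str                # "Linux"
    name: str                    # "SynScan"
    modification: Optional[str]  # "a", or None when absent

def parse_threat_name(full: str) -> ThreatName:
    """Split <class>:<type>.<OS>.<name>.<modification>; the class and modification
    parts are treated as optional (assumption: the guide only shows the full form)."""
    object_class, sep, rest = full.partition(":")
    if not sep:
        object_class, rest = "", full
    parts = rest.split(".")
    if len(parts) < 3:
        raise ValueError(f"not a <type>.<OS>.<name> threat name: {full!r}")
    modification = ".".join(parts[3:]) or None
    return ThreatName(object_class, parts[0], parts[1], parts[2], modification)

def compile_template(template: str) -> re.Pattern:
    """'re:' templates are compiled as regular expressions; others are Shell masks,
    translated with fnmatch so that '*' and '?' keep their shell meaning."""
    if template.startswith(RE_PREFIX):
        return re.compile(template[len(RE_PREFIX):])
    return re.compile(fnmatch.translate(template))

def matching_template(value: str, templates: Iterable[str]) -> Optional[str]:
    """First template that matches the whole value, or None (whole-value matching is
    an assumption; the guide does not state whether templates are anchored)."""
    for template in templates:
        if compile_template(template).fullmatch(value):
            return template
    return None

def threat_excluded(detection: str, templates: Iterable[str]) -> Optional[str]:
    """Exclude by threat name: templates are matched against the full detection name."""
    parse_threat_name(detection)  # reject malformed names instead of silently not matching
    return matching_template(detection, templates)

def path_excluded(path: str, templates: Iterable[str]) -> Optional[str]:
    """Exclude by object name: Shell masks are applied to the file name, 're:'
    expressions to the whole path (assumption about what each form is matched against)."""
    masks = [t for t in templates if not t.startswith(RE_PREFIX)]
    regexes = [t for t in templates if t.startswith(RE_PREFIX)]
    return matching_template(os.path.basename(path), masks) or matching_template(path, regexes)

# Constructed names of classes that an exclusion list should never cover.
DANGEROUS_PROBES = ("Trojan.Linux.Agent.a", "Backdoor.Linux.Shell.b", "Virus.Linux.Test.c")

def overly_broad(templates: Iterable[str]) -> List[str]:
    """Lint: templates that would also silence clearly malicious detections."""
    return [t for t in templates if any(matching_template(p, [t]) for p in DANGEROUS_PROBES)]

if __name__ == "__main__":
    exclusions = ["not-a-virus:NetTool.Linux.SynScan.a", r"re:not-a-virus:.*\.Linux\..*", "re:.*"]
    for detection in ("not-a-virus:NetTool.Linux.SynScan.a", "Trojan.Linux.Agent.a"):
        print(detection, "->", threat_excluded(detection, exclusions))
    print("too broad:", overly_broad(exclusions))
```

Run overly_broad over any list before applying it: a template such as re:.* or a bare * turns the setting into an allow-all, and because excluded objects are logged as clean rather than as detections, nothing downstream will notice.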
SCAN OF COMPOUND FILES
The Check compound objects security setting is used in real-time protection and on-demand scan tasks.
Processing composite objects is very time consuming. By default, Kaspersky Anti-Virus scans only composite objects of the types that are most susceptible to infection and that, when infected, are most harmful for the computer. Composite objects of other types are not scanned.
This setting allows the user, depending on the user's security requirements, to select the types of composite objects that Kaspersky Anti-Virus will scan.
Select one or several values:
Scan archives. Kaspersky Anti-Virus scans file archives (including SFX self-extracting archives). Please note that Kaspersky Anti-Virus identifies threats in archives, but does not disinfect them.
Scan SFX archives. Kaspersky Anti-Virus scans self-extracting archives (archives that contain an extraction module).
Scan mail databases. Kaspersky Anti-Virus scans Microsoft Office Outlook and Microsoft Outlook Express mail database files.
Scan packed objects. Kaspersky Anti-Virus scans executable files packed by binary code packers, such as UPX or ASPack. This type of composite object contains threats more often than others.
Scan mail formats. Kaspersky Anti-Virus scans the files of plain text email messages.
MAXIMUM OBJECT SCAN TIME
The Skip object if scan takes longer than security setting is used in real-time protection and on-demand scan tasks.
Kaspersky Anti-Virus stops scanning an object if the procedure takes longer than a specified time (in seconds).
Information on an object's exclusion from scanning is saved in the log.
MAXIMUM SIZE OF A SCANNED OBJECT
The Skip objects larger than setting is used in real-time protection and on-demand scan tasks.
Kaspersky Anti-Virus skips an object if its size exceeds the specified value (in bytes). Information about skipped objects is stored in the log.
Possible values: 0-2147483647 (around 2 GB).
UPDATES SOURCE
You can select the source that Kaspersky Anti-Virus will use to obtain updates, depending on the update plan in effect at your company.
You can specify one of the following as the update source:
Kaspersky Lab update servers. Kaspersky Anti-Virus will download updates from one of the Kaspersky Lab update servers. Updates are downloaded via HTTP or FTP protocols.
Kaspersky Security Center Administration Server. You can select this update source if Kaspersky Security Center is used to centrally manage anti-virus protection in your organization. Kaspersky Anti-Virus will download updates to the protected server from the Kaspersky Security Center Administration Server installed on the LAN.
Other directories on the local network or the Web. Kaspersky Anti-Virus will download updates from the source you have specified. You can specify directories on FTP or HTTP servers or directories on any device mounted on the server, including directories on remote computers mounted using SMB/CIFS or NFS protocols.
You can specify one or several user-defined update sources. Kaspersky Anti-Virus will always try the next specified source if the previous source is unavailable.
You can change the order in which Kaspersky Anti-Virus polls custom sources, and also configure it only to connect to selected sources on the list.
You can configure Kaspersky Anti-Virus to fall back to Kaspersky Lab's update servers if all user-defined sources are unavailable.
Default value: Kaspersky Lab update servers.
FTP SERVER MODE
By default, when connecting to update servers over FTP, Kaspersky Anti-Virus uses passive FTP mode, on the assumption that the enterprise LAN sits behind a network firewall.
Default value: use passive FTP mode.
FTP OR HTTP SERVER RESPONSE WAIT TIME
This setting specifies the time to wait for a response from an update source FTP server or HTTP server while attempting to connect to it. If an update source does not respond within the specified time interval, Kaspersky Anti-Virus contacts the next update source on the list. For example, it will contact another Kaspersky Lab update server, if you have configured it to update from the servers of Kaspersky Lab.
Specify the response wait time in seconds. You can only use integers as the value for this setting.
Default value: 10 sec.
USING A PROXY SERVER TO CONNECT TO UPDATE SOURCES
This parameter enables or disables the option to use a proxy server to connect to update sources.
If you have specified Kaspersky Lab's update servers as the source of updates, you should select the option Use proxy server to connect to Kaspersky Lab's update servers if you access the Internet via a proxy server.
If you use a proxy server to connect to a custom FTP or HTTP server, select the option Use proxy server to connect to custom update sources.
Default values:
Kaspersky Anti-Virus accesses a proxy server when connecting to Kaspersky Lab's update servers.
Kaspersky Anti-Virus does not use a proxy server when connecting to user-defined update sources (either HTTP or FTP servers or user-specified computers). It is assumed that these sources are located on the local network.
PROXY SERVER AUTHENTICATION
This setting enables authentication when accessing a proxy server being used for connections to FTP or HTTP update source servers.
Enable the Use authentication mode and specify Name and Password.
Default value: no authentication required to connect to a proxy server.
PROXY SERVER SETTINGS
If you have enabled the use of a proxy server to connect to an update source, specify the proxy server settings.
Specify the IP address or the server’s DNS name (for example, proxy.mycompany.com) and the port.
Default value: not configured.
DIRECTORY FOR SAVING UPDATES
This setting is used if the update task runs with either of these options: Copy all updates available for the application or Copy updates for selected modules. Use this setting to specify the directory into which the update files will be saved.
You can specify a directory on any disk mounted on the server.
Default value: not configured.
UPDATES TYPE
You can use this setting to select a function to be performed by the update task.
Select one of the following values:
Update databases only. Kaspersky Anti-Virus will download and install database updates.
Copy all updates available for the application. Select this value to download and save all available Kaspersky Anti-Virus updates in a directory without applying them.
Copy updates for selected modules. Select this option to download selected updates only. Kaspersky Anti-Virus will save the downloaded updates in the specified directory without applying them.
You can download updates for other Kaspersky Lab applications if you wish to use the protected computer as an intermediary for distributing updates. You can review the names of the updates on the Kaspersky Lab Technical Support website.
Critical updates for Kaspersky Anti-Virus modules are not installed automatically.
Default value: Update databases only.
KASPERSKY LAB ZAO
Kaspersky Lab software is internationally renowned for its protection against viruses, malware, spam, network and hacker attacks, and other threats.
In 2008, Kaspersky Lab was rated among the world's top four leading vendors of information security software solutions for end users (IDC Worldwide Endpoint Security Revenue by Vendor). Kaspersky Lab is the preferred developer of computer protection systems among home users in Russia, according to the COMCON survey "TGI-Russia 2009".
Kaspersky Lab was founded in Russia in 1997. Today, it is an international group of companies headquartered in Moscow with five regional divisions that manage the company's activity in Russia, Western and Eastern Europe, the Middle East, Africa, North and South America, Japan, China, and other countries in the Asia-Pacific region. The company employs more than 2000 qualified specialists.
Products. Kaspersky Lab's products provide protection for all systems, from home computers to large corporate networks.
The personal product range includes anti-virus applications for desktop, laptop, and pocket computers, and for smartphones and other mobile devices.
Kaspersky Lab delivers applications and services to protect workstations, file and web servers, mail gateways, and firewalls. Used in conjunction with Kaspersky Lab’s centralized management system, these solutions ensure effective automated protection for companies and organizations against computer threats. Kaspersky Lab's products are certified by the major test laboratories, are compatible with the software of many suppliers of computer applications, and are optimized to run on many hardware platforms.
Kaspersky Lab's virus analysts work around the clock. Every day they uncover hundreds of new computer threats, create tools to detect and disinfect them, and include them in the databases used by Kaspersky Lab applications. Kaspersky Lab's Anti-Virus database is updated hourly, and the Anti-Spam database every five minutes.
Technologies. Many technologies that are now part and parcel of modern anti-virus tools were originally developed by Kaspersky Lab. It is no coincidence that many other developers use the Kaspersky Anti-Virus kernel in their products, including: SafeNet (USA), Alt-N Technologies (USA), Blue Coat Systems (USA), Check Point Software Technologies (Israel), Clearswift (UK), CommuniGate Systems (USA), Critical Path (Ireland), D-Link (Taiwan), M86 Security (USA), GFI (Malta), IBM (USA), Juniper Networks (USA), LANDesk (USA), Microsoft (USA), NETASQ (France), NETGEAR (USA), Parallels (Russia), SonicWALL (USA), WatchGuard Technologies (USA), ZyXEL Communications (Taiwan).
Many of the company’s innovative technologies are patented.
Achievements. Over the years, Kaspersky Lab has won hundreds of awards for its services in combating computer threats. For example, in 2010 Kaspersky Anti-Virus received several top Advanced+ awards in a test administered by AV-Comparatives, a respected Austrian anti-virus laboratory. But Kaspersky Lab's main achievement is the loyalty of its users worldwide. The company's products and technologies protect more than 300 million users, and its corporate clients number more than 200,000.
Kaspersky Lab's website: http://www.kaspersky.com
Virus Encyclopedia: http://www.securelist.com
Virus Lab: [email protected] (only for sending possibly infected files in archive format)
http://support.kaspersky.ru/virlab/helpdesk.html?LANG=en (for queries to virus analysts)
Kaspersky Lab's web forum: http://forum.kaspersky.com
INFORMATION ABOUT THIRD-PARTY CODE
The legal_notices.txt file, located in the application setup folder, contains information about third-party code.
TRADEMARK NOTICES
Registered trademarks and service marks are the property of their respective owners.
Linux is a trademark owned by Linus Torvalds and registered in the United States of America and other countries.
Microsoft, Outlook, Windows and Windows Server are registered trademarks of Microsoft Corporation in the United
States and other countries.
Sendmail and other names and product names are trademarks or registered trademarks of Sendmail, Inc.