Important ESET Gateway Security mechanisms. ESET GATEWAY SECURITY
Below you will find brief information for Gateway Security. The Gateway Security is a security system for Linux and FreeBSD. It includes advanced engine algorithms, multi-processing, advanced heuristics, built-in archivers, speed and efficiency, enhanced security, selective configuration, multiple logging levels, web interface, remote administration, and low system requirements. The system is comprised of ESETS daemon, agents, utilities and configuration files.
7. Important ESET Gateway Security mechanisms
7.1 Handle Object Policy
The Handle Object Policy (see figure 6-1) mechanism provides filtering for scanned objects based on their status. This functionality is based on the following configuration options:
action_av
action_av_infected
action_av_notscanned
action_av_deleted
For detailed information on these options, please refer to the esets.cfg(5) man page.
Figure 6-1. Scheme of Handle Object Policy mechanism.
Every processed object is first handled according to the configuration of the ‘action_av’ option. If this option is set to ‘accept’ (or ‘defer’, ‘discard’, ‘reject’), the object is accepted (or deferred, discarded, rejected) without being scanned. If the option is set to ‘scan’, the object is scanned for infiltrations, and if the ‘av_clean_mode’ option is set to ‘yes’, the object is also cleaned. The configuration options ‘action_av_infected’, ‘action_av_notscanned’ and ‘action_av_deleted’ are then taken into account to further evaluate object handling. If an ‘accept’ action has been taken as a result of these three action options, the object is accepted. Otherwise, the object is blocked. Note that ‘action_av_notscanned’ decides the fate of objects the scanner could not examine, so setting it to ‘accept’ lets such objects through unscanned.
7.2 User Specific Configuration
The purpose of the User Specific Configuration mechanism is to provide a higher degree of customization and functionality. It allows the system administrator to define ESETS antivirus scanner parameters based on the user who is accessing file system objects.
A detailed description of this functionality can be found in the esets.cfg(5) man page. In this section we will provide only a short example of a user-specific configuration.
In this example, the esets_http module is used to control HTTP traffic on port 8080 of the gateway server, with a local network IP address of 192.168.1.10. The functionality of esets_http is based on the [http] section of the ESETS configuration file. See the following lines:
[http]
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8080
action_av = "scan"
To provide individual parameter settings, define the ‘user_config’ parameter with the path to the special configuration file where the individual settings will be stored. In the next example, we create a reference to the special configuration file ‘esets_http_spec.cfg’, which is located in the ESETS configuration directory. See below:
[http]
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8080
action_av = "scan"
user_config = "esets_http_spec.cfg"
Once the special configuration file is referenced from within the [http] section, create the ‘esets_http_spec.cfg’ file in the ESETS configuration directory and add the appropriate individual settings. The next example shows the individual setting for parameter ‘action_av’, for the client computer with IP address 192.168.1.40. See below:
[|192.168.1.40]
action_av = "reject"
Note that the section header identifies the HTTP client for which the individual settings have been created, and the section body contains individual parameters for that HTTP client. With this special configuration, HTTP traffic for all local network clients will be processed normally, i.e. scanned for infiltrations. However, access for the HTTP client with the IP address 192.168.1.40 will be rejected (blocked).
7.3 Blacklist and Whitelist
In the following example, we demonstrate creating a blacklist and whitelist for the esets_http configured as an HTTP proxy scanner. Note that the configuration described in the previous section is used for this purpose.
To create a blacklist used by esets_http, create the following group section within the special configuration file
‘esets_http_spec.cfg’, introduced in the previous section. See below:
[black-list]
action_av = "reject"
Next, add the HTTP server to the ‘black-list’ group. To do this, the following special section must be created:
[aaa.bbb.ccc.ddd]
parent_id = "black-list"
In the example above, ‘aaa.bbb.ccc.ddd’ is the IP address of the server added to the ‘black-list’. All HTTP traffic related to the specified server will now be rejected, i.e. the server will be blocked.
To create the ‘white-list’ used by esets_http, it is necessary to create the following group section within the special configuration file ‘esets_http_spec.cfg’ which was introduced in the previous section. See below:
[white-list]
action_av = "accept"
Adding HTTP servers to the whitelist follows the same pattern as for the blacklist: create a section named after the server address whose parent_id refers to ‘white-list’. Because ‘accept’ passes objects without scanning them (see 7.1), add only servers you trust.
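The following script is an added example (my own code, not ESET's and not part of the product) that ties sections 7.1 to 7.3 together. It loads a constructed esets_http_spec.cfg containing the client entry, the black-list group and the white-list group from above, computes the effective ‘action_av’ for one client/server pair, and then applies the Handle Object Policy decision from 7.1. The manual does not spell out how section headers are matched, so the script assumes a header of the form ‘[server|client]’ (a leading ‘|’ marks a client entry), that a client entry applied after a server entry wins, and that parent_id chains merge parent-first; the IP addresses and the [http] default values are constructed for the example.

```python
"""Added example, not ESET code: resolve the effective esets_http settings
for one connection from a special configuration file and then apply the
Handle Object Policy of section 7.1.

Assumptions not confirmed by the manual (they only follow its examples):
  * a special section header is "[server|client]": "[|192.168.1.40]" is a
    client entry, "[203.0.113.5]" a server entry, anything else a group;
  * when a server entry and a client entry both match, the client entry is
    applied last and therefore wins;
  * a parent_id chain is merged parent-first, so a section's own keys
    override the keys of its group.
"""
import configparser
import io

# Constructed esets_http_spec.cfg mirroring sections 7.2 and 7.3.
SPEC_CFG = """
[|192.168.1.40]
action_av = "reject"

[black-list]
action_av = "reject"

[203.0.113.5]
parent_id = "black-list"

[white-list]
action_av = "accept"

[203.0.113.9]
parent_id = "white-list"
"""

# Constructed [http] defaults; action_av_notscanned is deliberately
# fail-open here to show what that choice means.
HTTP_DEFAULTS = {
    "action_av": "scan",
    "action_av_infected": "reject",
    "action_av_notscanned": "accept",
    "action_av_deleted": "reject",
}

def load_spec(text):
    """Parse the INI-like special configuration into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return {s: {k: v.strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def resolve_section(spec, name, seen=()):
    """Merge a section with its parent_id chain; own keys override the group."""
    if name not in spec or name in seen:        # unknown parent or a cycle
        return {}
    own = dict(spec[name])
    parent = own.pop("parent_id", None)
    merged = resolve_section(spec, parent, seen + (name,)) if parent else {}
    merged.update(own)
    return merged

def effective_config(defaults, spec, client_ip, server_ip):
    """Start from the [http] defaults, apply the server entry, then the client entry."""
    cfg = dict(defaults)
    for header in (server_ip, "|" + client_ip):  # client entry applied last
        cfg.update(resolve_section(spec, header))
    return cfg

FOLLOW_UP = {"infected": "action_av_infected",
             "notscanned": "action_av_notscanned",
             "deleted": "action_av_deleted"}

def handle_object(cfg, scan_status):
    """Handle Object Policy: scan_status is what the scanner reported
    ("clean", "infected", "notscanned", or "deleted" after cleaning)."""
    action = cfg.get("action_av", "scan")
    if action in ("accept", "defer", "discard", "reject"):
        return action                       # decided without scanning
    if action != "scan":
        raise ValueError(f"unknown action_av {action!r}")
    if scan_status == "clean":
        return "accept"
    option = FOLLOW_UP[scan_status]         # KeyError on an unknown status
    return "accept" if cfg.get(option) == "accept" else "block"

def decide(client_ip, server_ip, scan_status,
           spec_text=SPEC_CFG, defaults=HTTP_DEFAULTS):
    """Verdict for one object on one client/server pair."""
    cfg = effective_config(defaults, load_spec(spec_text), client_ip, server_ip)
    return handle_object(cfg, scan_status)

if __name__ == "__main__":
    for who in (("192.168.1.20", "203.0.113.1", "infected"),
                ("192.168.1.40", "203.0.113.1", "clean"),
                ("192.168.1.20", "203.0.113.5", "clean"),
                ("192.168.1.20", "203.0.113.9", "infected"),
                ("192.168.1.20", "203.0.113.1", "notscanned")):
        print(who, "->", decide(*who))
```

Two outcomes are worth dwelling on: an object from a whitelisted server is accepted even when its status is ‘infected’, because ‘accept’ short-circuits the scan in 7.1, and with the constructed defaults an object the scanner could not examine is also accepted, which is the fail-open behaviour of ‘action_av_notscanned = "accept"’.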
7.3.1 URL Whitelist
Whitelisting URLs can help especially when you are experiencing problems with data streaming (e.g. video conferencing delays). To start creating a URL whitelist that will be used by esets_http, add the desired URL address(es) to the whitelist_url configuration file located in the @ETCDIR@/http directory as follows:
echo "streaming.address.com:80/*" >> @ETCDIR@/http/whitelist_url
Note: The syntax of the URL Whitelist comprises a list of URL addresses (one per line) as can be seen in the esets_http
ESETS reads the list from the whitelist_url file. After adding or removing URL addresses, please restart the ESETS daemon. For more information please read the esets_http(1) man page.
7.4 Samples Submission System
The Samples submission system is an intelligent ThreatSense.Net technology that collects infected objects that have been detected by advanced heuristics and delivers them to the samples submission system server. All virus samples collected by the sample submission system will be processed by the ESET virus laboratory and if necessary, added to the ESET virus signature database.
Note: According to our license agreement, by enabling the sample submission system you are agreeing to allow the computer and/or platform on which the esets_daemon is installed to collect data (which may include personal information about you and/ or other users of the computer) and samples of newly detected viruses or other threats and send them to ESET virus laboratory.
This feature is disabled by default. All information collected will be used only to analyze new threats and will not be used for any other purpose.
In order to enable sampling, the samples submission system cache must be initialized. This can be achieved by selecting ‘samples_enabled’ in the [global] section of the ESETS configuration file.
For more information on the Samples Submission System and its options, please refer to the esets_daemon(8) man page.
7.5 Scheduler
The Scheduler's functionality includes running scheduled tasks at a specified time or on a specific event, managing and launching tasks with predefined configuration and properties and more. Task configuration and properties can be used to influence launch dates and times, but also to expand the application of tasks by introducing the use of custom profiles during task execution.
The ‘scheduler_tasks’ option is commented out by default, causing the default scheduler configuration to be applied. In the ESETS configuration file all parameters and tasks are semicolon-separated. Any other semicolons (and backslashes) must be backslash escaped. Each task has 6 parameters and the syntax is as follows:
id – Unique number.
name – Task description.
flags – Special flags to disable the specified scheduler task can be set here.
failstart – Instructs what to do if the task could not be run on the scheduled date.
datespec – A regular date specification with 6 (crontab-like, year-extended) fields, a recurrent date or an event name option.
command – Can be an absolute path to a command followed by its arguments or a special command name with the ‘@’ prefix (e.g. anti-virus update: @update).
#scheduler_tasks = "id;name;flags;failstart;datespec;command;id2;name2;...";
The following event names can be used in place of the datespec option:
start – Daemon startup.
startonce – Daemon startup but at most once a day.
engine – Successful engine update.
login – Web interface logon startup.
threat – Threat detected.
notscanned – Not scanned email or file.
licexp – 30 days before license expiration.
To display the current scheduler configuration, use the Web interface or run the following command:
cat @ETCDIR@/esets.cfg | grep scheduler_tasks
For a full description of Scheduler and its parameters refer to the Scheduler section of the esets_daemon(8) man page.
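As an added example (not ESET code and not part of the product), the following Python script parses a ‘scheduler_tasks’ value into its six fields per task and rebuilds it, so that a task whose command contains a ‘;’ survives the round trip and a value with the wrong number of fields or a duplicate id is rejected before it reaches esets.cfg. The sample value, the times and the notification script path are constructed for the example; the escape handling follows only the one-line description above.

```python
"""Added example, not ESET code: parse and rebuild the scheduler_tasks
value of section 7.5.  Each task is six semicolon-separated fields
(id;name;flags;failstart;datespec;command); a literal ';' or '\\' inside a
field is written as '\\;' or '\\\\'.  The task values below are constructed
and the script path is hypothetical."""

FIELDS = ("id", "name", "flags", "failstart", "datespec", "command")

# Constructed value: task 1 runs the built-in @update every night, task 2
# runs an external script on the "threat" event with a ';' in its argument.
SAMPLE_TASKS = ("1;Regular automatic update;;;0 2 * * * *;@update;"
                "2;Threat notification;;;threat;"
                "/usr/local/bin/notify.sh --subject threat\\;detected")

def split_escaped(value):
    """Split on unescaped ';'; a backslash makes the next character literal."""
    fields, cur, i = [], [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            cur.append(value[i + 1])
            i += 2
            continue
        if ch == ";":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    return fields

def parse_tasks(value):
    """Return a list of {field: value} dicts, validating the 6-field shape."""
    fields = split_escaped(value)
    if fields and fields[-1] == "":          # tolerate one trailing ';'
        fields.pop()
    if not fields or len(fields) % len(FIELDS):
        raise ValueError(f"{len(fields)} fields is not a multiple of {len(FIELDS)}")
    tasks = [dict(zip(FIELDS, fields[i:i + len(FIELDS)]))
             for i in range(0, len(fields), len(FIELDS))]
    ids = [t["id"] for t in tasks]
    if len(set(ids)) != len(ids):
        raise ValueError("task ids must be unique")
    return tasks

def escape(field):
    """Escape backslashes first, then semicolons, so the result re-parses."""
    return field.replace("\\", "\\\\").replace(";", "\\;")

def build_tasks(tasks):
    """Serialise tasks back into a scheduler_tasks value."""
    return ";".join(escape(t[f]) for t in tasks for f in FIELDS)

def add_task(value, task):
    """Append one task to an existing value, rejecting a duplicate id."""
    tasks = parse_tasks(value) if value else []
    if any(t["id"] == task["id"] for t in tasks):
        raise ValueError(f"task id {task['id']} already used")
    return build_tasks(tasks + [task])

if __name__ == "__main__":
    for task in parse_tasks(SAMPLE_TASKS):
        print(task)
    print(add_task(SAMPLE_TASKS, {"id": "3", "name": "Log maintenance",
                                  "flags": "", "failstart": "",
                                  "datespec": "startonce",
                                  "command": "/usr/local/sbin/rotate-esets-logs"}))
```

Validate the rebuilt value with parse_tasks before writing it into esets.cfg; the daemon applies the default schedule only while the option stays commented out, so a malformed value replaces every default task at once.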
7.6 Web Interface
The web interface allows user-friendly configuration, administration and license management of ESET Security systems. This module is a standalone component and must be enabled before it can be accessed. To quickly configure the web interface, configure the following options in the ESETS configuration file as shown below and restart the ESETS daemon:
[wwwi]
agent_enabled = yes
listen_addr = address
listen_port = port
username = name
password = pass
Replace address, port, name and pass with your own values and direct your browser to ‘https://address:port’ (note the https). Log in with ‘username/password’. Basic usage instructions can be found in the Help section of the web interface and technical details about esets_wwwi can be found in the esets_wwwi(1) man page.
The web interface allows you to remotely access the ESETS daemon and deploy it easily. This powerful utility makes it easy to read and write configuration values.
Figure 6-1. ESET Security for Linux - Home screen.
The web interface window of ESET Gateway Security is divided into two main sections. The primary window, which displays the contents of the selected menu option, and the main menu. A horizontal bar on the top lets you navigate between the following main options:
Home – provides basic system and ESET product information
Licenses – a license management utility, see the following chapter for more details
Configuration – you can change the ESET Gateway Security system configuration here
Control – allows you to run simple tasks and view global statistics about objects processed by esets_daemon
Help – provides detailed usage instructions for the ESET Gateway Security web interface
Logout – use to end your current session
Important: Make sure you click Save changes after making any changes in the Configuration section of the web interface to save your new settings. To apply your settings, restart the ESETS daemon by clicking Apply changes on the left pane.
We recommend that you limit access to this interface for a specific range of IP addresses. This can be done two ways:
1. By adding only one interface under the listen_addr parameter (not using 0.0.0.0)
2. Using a firewall rule (such as iptables).
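As an added example (not ESET code), the Python script below checks the [wwwi] section of an esets.cfg text against both recommendations: it flags a listener bound to every interface and an empty password, shows the corrected section next to the weak one, and prints the two iptables rules that limit the port to one client range. The addresses, port, subnet and passwords are constructed for the example.

```python
"""Added example, not ESET code: audit the [wwwi] section of an esets.cfg
text for the exposure section 7.6 warns about, and emit the iptables rules
that restrict the listener to one client range.  Both configuration texts,
the addresses, the port and the subnet are constructed for the example."""
import configparser
import io

# Weak: bound on every interface, empty password.
WEAK_CFG = """
[wwwi]
agent_enabled = yes
listen_addr = "0.0.0.0"
listen_port = 8081
username = "admin"
password = ""
"""

# Corrected: one management address and a real password.
FIXED_CFG = """
[wwwi]
agent_enabled = yes
listen_addr = "192.168.1.10"
listen_port = 8081
username = "esets-admin"
password = "correct-horse-battery-staple"
"""

def wwwi_settings(cfg_text):
    """Return the [wwwi] options with the surrounding quotes removed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(cfg_text))
    return {k: v.strip('"') for k, v in cp["wwwi"].items()}

def audit_wwwi(cfg_text):
    """Return a list of findings; an empty list means nothing to fix."""
    s = wwwi_settings(cfg_text)
    findings = []
    if s.get("agent_enabled", "no").lower() != "yes":
        return findings                         # interface not enabled at all
    if s.get("listen_addr", "") in ("", "0.0.0.0", "::"):
        findings.append("listen_addr binds every interface; use one management address")
    if not s.get("password"):
        findings.append("password is empty")
    if not s.get("username"):
        findings.append("username is empty")
    return findings

def iptables_rules(cfg_text, allowed_cidr):
    """Rules for the second option in 7.6: allow one range, drop the rest."""
    s = wwwi_settings(cfg_text)
    port = int(s["listen_port"])
    return [
        f"iptables -A INPUT -p tcp --dport {port} -s {allowed_cidr} -j ACCEPT",
        f"iptables -A INPUT -p tcp --dport {port} -j DROP",
    ]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(label, audit_wwwi(cfg) or ["ok"])
    print("\n".join(iptables_rules(FIXED_CFG, "192.168.1.0/24")))
```

The two rules are independent of the listen_addr choice, so applying both recommendations together still works: the daemon answers on one address and the firewall answers for everyone else.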
7.6.1 License management
You can upload a new license using the web interface, as shown in Figure 6-2.
If you want to display licenses in the console, use the following command:
@SBINDIR@/esets_lic --list
If you want to import new license files, use the following command:
@SBINDIR@/esets_lic --import *.lic
Figure 6-2. ESET Licenses.
You can enable the license notification option in the Scheduler section options. If enabled, this functionality will notify you 30 days prior to your license expiration.
7.6.2 Agent HTTP configuration example
ESETS can be configured in two ways. In this example, we demonstrate both when configuring the HTTP agent, leaving you with the choice of your preferred configuration method:
Using the ESETS configuration file:
[http] agent_enabled = yes listen_addr = "0.0.0.0" listen_port = 8080
Using the web interface:
Figure 6-3. ESETS - Configuration > HTTP Proxy.
Always remember to save your new configuration by clicking Save changes. To apply your new changes, click the Apply changes button in the Configuration sections panel.
7.6.2.1 HTTP Agent testing with the Mozilla Firefox
To test the ESETS HTTP Agent on your local machine, set the local proxy server to ‘localhost:8080’. See the figure below for an example of such a configuration in the Mozilla Firefox browser:
Figure 6-4. Mozilla Firefox - Network Settings.
Note: You do not need to configure the local machines connected to the ESETS server in the same manner. However, you will still need to set a transparent http proxy via netfilter (see
If attempting to open an infected file, a warning message similar to the one on the figure below will display in your browser window:
Figure 6-5. ESETS warning message.
7.6.3 Scheduler
You can manage the scheduler tasks either via the ESET configuration file (see chapter Scheduler) or using the web interface.
Figure 6-5. ESETS - Global > Scheduler.
Click the checkbox to enable/disable a scheduled task. By default, the following scheduled tasks are displayed:
Log maintenance – The program automatically deletes older logs in order to save hard disk space. The Scheduler will start defragmenting logs. All empty log entries will be removed during this process. This will improve the speed when working with logs. The improvement will be more noticeable if the logs contain a large number of entries.
Automatic startup file check – Scans memory and running services after a successful update of the virus signature database.
Regular automatic update – Regularly updating ESET Gateway Security's virus signature database and antispam modules is the best method of keeping the maximum level of security on your computer. See ESETS update utility for more information.
Threat notification – By default, each threat will be logged into syslog. In addition, ESETS can be configured to run an external (notification) script to notify a system administrator via email about threat detection.
License expiration – If enabled, this functionality will notify you 30 days prior to your license expiration. This task will run the @ETCDIR@/scripts/license_warning_script shell script, which sends an email to the email address of the root user account. The script can be customized to reflect specific server needs.
7.6.4 Statistics
You can view statistics for all active ESETS agents here. The Statistics summary refreshes every 10 seconds.
Figure 6-6. ESETS - Control > Statistics.
7.7 Remote Administration
ESETS supports remote administration for server security management in large computer networks. The ESETS Remote Administration Client (RACL) is part of the main ESETS daemon and performs the following functions:
Communicates with ERA Server and provides you with system information, configuration, protection statuses and several other features
Allows client configurations to be viewed/modified using the ESET Remote Administrator policies and configuration tasks
Can perform Update Now tasks
Performs computer scans as requested, and submits the results back to the ERA Server scan log
Note: For this option to be available you must have a valid license for ESET File Security.
Adds logs of notable scans performed by the ESETS daemon to threat logs
Sends all non-debug messages to event logs
These functionalities are not supported:
Firewall logging
Remote installation
For more specific information, please read the ESET Remote Administrator manual or visit our Online help .
7.7.1 Connecting with ESET Remote Administrator
Before commencing any remote administration process, ensure your system fulfills the three following prerequisites:
Running ERA Server
Running ERA Console
Installed and running ERA Agent (ESET Remote Administrator version 6.x and higher)
Enable RA Client in the ESETS daemon. Ensure that firewall settings do not block traffic to ERA Server or vice versa.
To set up the basics, first specify the address of your ERA Server in the ‘racl_server_addr’ parameter. If a password is required to access the ERA Console, you must edit the value of the ‘racl_password’ parameter accordingly. Change the value of the ‘racl_interval’ parameter to adjust the frequency of connections to ERA Server (in minutes).
Note: All applicable ESET Remote Administration Client variables are listed on the esets_daemon(8) man page.
7.7.2 ESET Remote Administrator usage example (6.x)
Installing ERA Agent
ERA Agent must be installed to allow communication with the ERA Server. ESET Gateway Security communicates with the ERA Agent over a localhost connection, and the ERA Agent then relays the information to ESET Remote Administrator via the Internet or LAN.
Username/Password data is not required to download the ERA Agent installation package from ESET.com.
To install ERA Agent please refer to:
Agent installation - Linux (ESET Remote Administrator 6.x manual)
Enabling RACL
You can either use the web interface (see the previous chapter) to apply the new configuration, or you can adjust these parameters in the [global] section of the ESETS configuration file as follows:
racl_server_addr = "localhost"
racl_server_port = 2225
racl_password = "yourPassword"
racl_interval = 1
ERA Web Console
After the ESETS daemon configuration has been reloaded, ERA Agent is installed, and RACL can connect to ERA Server (or ERA Proxy) through ERA Agent, you should see the newly connected client in the Computers > Lost & found section of the ERA Web Console.
Figure 6-7. ERA Web Console.
Using the Web Console, you can create a client task for the ESETS daemon by:
Clicking the connected client.
Selecting a task from Admin > Client tasks, for example Update virus DB.
Figure 6-8. ERA Client task from ERA Web Console.
An ERA policy can be used to push and enforce specific configurations to ESET Gateway Security. For example, you can enforce detection of potentially unsafe applications so that it cannot be overridden locally on ESET Gateway Security. To do so,
1. From the ERA Web Console navigate to Admin > Policies > New
2. In the Settings section select ESET Mail/File/Gateway Security for Linux (V4)
3. Under Antivirus, select the check box next to Enable detection of potentially unsafe applications and select the check box next to Force
4. Select your ESET Gateway Security server as the policy target and click Finish.
Figure 6-9. Enforcing a policy in ERA Web Console.
7.7.3 ESET Remote Administrator usage example (5.x)
You can either use the web interface (see also the previous chapter) to apply the new configuration, or you can adjust these parameters in the [global] section of the ESETS configuration file as follows:
racl_server_addr = "your_ERA5_Server_IP_Address_or_Hostname"
racl_server_port = 2222
racl_password = "yourPassword"
racl_interval = 1
After the ESETS daemon configuration has been reloaded and RACL has connected to ERA Server, you will see the newly connected client in your ERA Console. Press F5 (or Menu > View > Refresh) to manually refresh the list of connected clients.
Figure 6-10. ERA Console.
Using ERA Console, you can create a configuration task for the ESETS daemon:
Right-click the connected Client Name
Navigate to New Task > Configuration Task > Create...
Expand the Unix ESET Security tree
For an example of a configuration task by the DAC agent, see below:
Figure 6-11. ERA Configuration Editor.
The New Task context menu contains On-demand scanning options (enabled/disabled cleaning).
You can select the desired product that you wish to set the task for in the On-Demand Scan pop-up window in the Configuration Section drop-down menu. Make sure that you select the On-demand Scan task for Unix ESET Security Product option (i.e. the product that is installed on your target workstation).
Figure 6-12. ERA On-demand scan.
7.8 Logging
ESETS provides system daemon logging via syslog. Syslog is a standard for logging program messages and can be used to log system events such as network and security events.
Messages refer to a facility: auth, authpriv, daemon, cron, ftp, lpr, kern, mail, ..., local0, ..., local7
Messages are assigned a priority/level by the sender of the message:
Error, Warning, Summall, Summ, Partall, Part, Info, Debug
This section describes how to configure and read the logging output of syslog. The ‘syslog_facility’ option (default value ‘daemon’) defines the syslog facility used for logging. To modify syslog settings edit the ESETS configuration file or use the web interface. Modify the value of the ‘syslog_class’ parameter to change the logging class. We recommend you modify these settings only if you are familiar with syslog. For an example syslog configuration, see below:
syslog_facility = "daemon"
syslog_class = "error:warning:summall"
The name and location of the log file depend on your syslog installation and configuration (e.g. rsyslog, syslog-ng, etc.). Standard filenames for syslog output files are for example ‘syslog’, ‘daemon.log’, etc. To follow syslog activity, run one of the following commands from the console:
tail -f /var/log/syslog
tail -100 /var/log/syslog | less
grep esets /var/log/syslog | less
Systemd uses a different logging approach. To display activity, run one of the following commands:
journalctl --since today
journalctl | grep esets | less
If you enable ESET Remote Administration, ERA log entries older than the number of days given by the ‘racl_logs_lifetime’ option will be deleted automatically.
7.9 Command-line programs
ESETS commands can be launched using the command line, either manually (@SBINDIR@/esets_*) or from a batch (".sh") script. ESETS command-line utilities:
esets_daemon
esets_inst
esets_lic
esets_quar
esets_scan
esets_set
esets_setup
esets_update
ESET Security Daemon is the main ESETS system control and scanning daemon module. It reads all the ESETS scanner configuration from the main ESETS configuration file and provides all the main tasks.
Usage:
@SBINDIR@/esets_daemon [OPTIONS..]
The ESET system integrator can be used to display and optionally execute commands that integrate ESETS with your system. This module features installation for http and ftp.
Usage:
@SBINDIR@/esets_inst [OPTIONS..] [COMMAND]
The ESETS license management utility features management options, which allow you to display information about your licenses, import license files to the license directory or remove expired licenses.
Usage:
@SBINDIR@/esets_lic [OPTIONS..] [COMMAND] [FILES..]
The ESETS quarantine management utility module allows you to import any file system object into the quarantine storage area.
Usage:
@SBINDIR@/esets_quar ACTIONS [RULES] [OBJECTS..]
ESET Command-line scanner is an on-demand anti-virus scanning module, which provides scanning of the file system objects upon user request using command line interface.
Usage:
@SBINDIR@/esets_scan [OPTIONS..] FILES..
The ESETS configuration file set-up utility allows you to modify the ESETS configuration file as requested by the given command.
Usage:
@SBINDIR@/esets_set [OPTIONS..] [COMMAND]
The ESETS setup utility is an interactive automated install script to help you easily integrate ESET Security with your system.
Usage:
@SBINDIR@/esets_setup [OPTIONS..] [COMMAND]
The ESETS update utility is a system utility for the creation, update and maintenance of the ESETS module storage mirrors as well as for updating the ESETS system.
Usage:
@BINDIR@/esets_update [OPTIONS..]