Sep 21, 2011

Avira AntiVir Personal on Linux (IV)

With this post, I am going to wrap up the series of articles about Avira AntiVir Personal on Linux. So, let's take a look at one of its most important modules: AntiVir Guard.

AntiVir Guard takes care of scanning and protecting a filesystem in real time, that is to say, a virus is detected before the file is accessed. How does it work? All directories that we want AntiVir Guard to protect are mounted through the DazukoFS module, previously compiled and inserted into the kernel.

[root@centos ~]# cat /etc/fstab
...
/home    /home    dazukofs 

AntiVir Guard (avguard) can be handled either by means of the avguard command or as an init daemon. In this article, I am going to focus on the second option, since it is the most useful and handy.

First, we have to set it up by editing its configuration file (/etc/avira/avguard.conf). Below I am going to note the most important options.

[root@centos ~]# vi /etc/avira/avguard.conf
...
# Try to remove the malicious code from the infected file (disabled by default).
# If the repair fails, the AlertAction is carried out.
RepairConcerningFiles

# Once a virus is detected, the access to the file is blocked and the action is logged.
# This option specifies an additional action to take on the concerning file.
# none or ignore: no further action (by default).
# rename or ren: rename the file by adding the .XXX extension.
# delete or del: delete the concerning file.
# quarantine: move the concerning file into quarantine.
AlertAction delete

# If the quarantine option is selected, infected files are moved into this directory.
QuarantineDirectory /home/quarantine

# Types of files to be scanned.
# extlist: scan only files with certain extensions.
# smart: scan files based on both their name and content.
# all: scan all files (by default).
ScanMode all

# File where all important operations are logged.
LogFile /var/log/avguard.log

# Detection of harmful or unwanted software (dial-up programs, jokes, fake e-mails, etc.).
# With the 'alltypes' option, all supported malware types are detected.
DetectPrefixes adspy=yes appl=no bdc=yes dial=yes game=no joke=no pck=no phish=yes spr=no

# Activate the macro virus heuristics for office documents.
# [yes (by default) | no].
HeuristicsMacro yes

# Set the level of heuristic detection in all types of files.
# Available values are 0 (off), 1 (low - by default), 2 (medium) and 3 (high).
HeuristicsLevel 2

Once the configuration has been saved, the daemon has to be restarted for the changes to take effect.

[root@centos home]# /etc/init.d/avguard restart

To test it, we download the EICAR test file into the /home directory and try to dump it.

[root@centos home]# wget https://secure.eicar.org/eicar.com.txt

[root@centos home]# cat eicar.com.txt 
cat: eicar.com.txt: Operation not supported

[root@centos home]# tail -f /var/log/avguard.log 
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: ALERT AntiVir ALERT for file "/home/eicar.com.txt": Details:        Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: INFO The concerning file /home/eicar.com.txt has been removed from disk.
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: INFO Info: the alert in file /home/eicar.com.txt was handled. Action(s) taken: access denied, condition logged, file deleted

As you can see, the infected file was removed as soon as we tried to read it. Think of the possibilities this module opens up: for instance, scanning in real time the files uploaded to an FTP or HTTP (WebDAV) server, or running a tool such as swatch on the log file to send an alert or execute a task whenever a detection is logged.
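As an added example (not from the original post nor from Avira), the following Python script parses avguard.log lines in the format shown above and pairs each ALERT with the "was handled" line that states what avguard did with the file, so that any detection never confirmed as handled can be raised to an operator. The sample log consists of the three lines from this session plus one constructed ALERT line with no follow-up; the path /home/upload/constructed.bin is made up.

```python
import re
from dataclasses import dataclass, field

# Common prefix of every avguard.log line: "<date> <time> <host> avguard.bin[<pid>]: AVGU: <LEVEL> <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) avguard\.bin\[\d+\]: AVGU: (?P<level>[A-Z]+) (?P<msg>.*)$")
# The ALERT message carries the file path and a ";"-separated Details field.
ALERT_RE = re.compile(r'^AntiVir ALERT for file "(?P<path>[^"]+)": Details:\s*(?P<details>.*)$')
# The closing INFO message lists the actions avguard took on that file.
HANDLED_RE = re.compile(r"^Info: the alert in file (?P<path>\S+) was handled\. Action\(s\) taken: (?P<actions>.*)$")

@dataclass
class Alert:
    timestamp: str
    host: str
    path: str
    signature: str
    category: str
    actions: list = field(default_factory=list)  # empty until a "was handled" line arrives

def parse_avguard_log(lines):
    """Return one Alert per ALERT line, joined with its 'was handled' INFO line by file path."""
    pending, alerts = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an avguard line
        level, msg = m.group("level"), m.group("msg")
        if level == "ALERT" and (a := ALERT_RE.match(msg)):
            # Details: "<signature> ; <category> ; <free-text description>"
            parts = [p.strip() for p in a.group("details").split(";")]
            alert = Alert(m.group("ts"), m.group("host"), a.group("path"),
                          parts[0], parts[1] if len(parts) > 1 else "")
            pending[alert.path] = alert
            alerts.append(alert)
        elif level == "INFO" and (h := HANDLED_RE.match(msg)) and h.group("path") in pending:
            pending.pop(h.group("path")).actions = [x.strip() for x in h.group("actions").split(",")]
    return alerts

def unresolved(alerts):
    """Alerts with no 'was handled' line: no action is confirmed, so these deserve a closer look."""
    return [a for a in alerts if not a.actions]

# Sample log: the three lines from the session above plus a constructed ALERT with no "was handled" line.
SAMPLE_LOG = """\
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: ALERT AntiVir ALERT for file "/home/eicar.com.txt": Details:        Eicar-Test-Signature ; virus ; Contains code of the Eicar-Test-Signature virus
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: INFO The concerning file /home/eicar.com.txt has been removed from disk.
2011-09-18 18:52:48 centos.local avguard.bin[1396]: AVGU: INFO Info: the alert in file /home/eicar.com.txt was handled. Action(s) taken: access denied, condition logged, file deleted
2011-09-18 18:53:02 centos.local avguard.bin[1396]: AVGU: ALERT AntiVir ALERT for file "/home/upload/constructed.bin": Details: Eicar-Test-Signature ; virus ; constructed sample alert
"""
```

Feeding `tail -f /var/log/avguard.log` into `parse_avguard_log` line by line gives the same records; `unresolved()` is the list to page on.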

