Академический Документы
Профессиональный Документы
Культура Документы
ADMINISTRATOR'S
GUIDE
KASPERSKY ANTI-VIRUS 5.5 FOR PROXY SERVER
Administrator's Guide
© Kaspersky Lab
http://www.kaspersky.com
Please keep in mind that new viruses appear every day and therefore
we recommend maintaining the anti-virus databases in an up-to-date
state. New updates are made available on Kaspersky Lab update
servers every hour.
6 Kaspersky Anti-Virus for Proxy Server
• Mandriva 2006.
• Debian GNU/Linux version 3.1r2.
• FreeBSD version 4.11.
• FreeBSD version 5.4 .
• FreeBSD version 6.1.
• Squid 2.5 or 3.0 proxy server with ICAP support.
• Perl 5.0 or higher (www.perl.org).
• Glibc 2.2.x or higher (for Linux distributions).
Before you unseal the envelope containing the CD, make sure you
have carefully read the License Agreement.
If you purchase our application online, you will download it from Kaspersky Lab's
website. Your license key is either included in the installation package or will be
sent to you by email after payment.
If you do not agree with the terms of the license agreement you may return the
box with Kaspersky Anti-Virus to the distributor, where you have purchased it,
you will be refunded the amount you've paid for subscription, provided the CD
envelope remains sealed.
Opening the sealed envelope of the installation CD or installing the product to a
computer means your acceptance of all the terms and conditions of the license
agreement.
Kaspersky Lab does not give advice on the performance and use of
your operating system or other technologies.
1.5. Conventions
Various formatting conventions are used throughout the text of this document
depending on the purpose of a particular element. Table 1 below lists the
formatting conventions used.
Table 1. Conventions
Style Meaning
existing groups, the application will use the default group rules for
anti-virus scanning and processing.
5. The application uses the results of anti-virus scanning to assign to
a scanned object a specific status, which is employed to grant
users access to that object or block access attempts (please refer
to section 5.3 on p. 36 for details about available statuses and
actions performed by the application). Access to objects with a
specific status is granted or blocked according to the processing
group parameters (please refer to section 5.1 on p. 34 for details
about groups).
6. If access to an object has been granted, Kaspersky Anti-Virus
allows Squid proxy to cache the object and transmit it to users. If
access to an object is blocked, Kaspersky Anti-Virus prohibits
Squid proxy to cache the object and deliver it to users. Instead of
the requested object, the user will receive a notification informing
that access to that object has been blocked.
icap_enable on
icap_send_client_ip on
icap_service is_kav_resp respmod_precache 0
icap://localhost:1344/av/respmod
icap_service is_kav_req reqmod_precache 0
icap://localhost:1344/av/reqmod
icap_class ic_kav is_kav_req is_kav_resp
icap_access ic_kav allow all
They will make the proxy transmit all requested objects to Kaspersky Anti-
Virus via port 1344 of the local interface.
Unlike Squid 3.0, Squid 2.5 does not support ICAP by default.
Please see the README-SQUID.txt file in the
/opt/kav/5.5/kav4proxy/share/doc/ directory for information
about available Squid distributions, correct compilation and
proxy configuration for ICAP support.
# rpm –i kav4proxy-linux-<version_number>.i386.rpm
# dpkg –I kav4proxy-linux-<version_number>.deb
During the setup process you will have to specify additional information
necessary for connection to the Internet, downloading of the anti-virus databases
16 Kaspersky Anti-Virus for Proxy Server
and the settings for interaction with the proxy server. Please refer to section 3.4
on p. 17 for details.
Algorithms described in this section and in section 3.4 suggest that the
target server already has Squid 2.5 or 3.0 with ICAP support installed.
Kaspersky Anti-Virus must be installed in two stages. The first stage will be
performed automatically after execution of the commands described in sections
3.1, 3.2, it comprises the following steps:
1. Creation of the klusers group and the kluser account with the
necessary privileges that Kaspersky Anti-Virus will use to start and
operate.
2. Copying of the files from distribution package to computer.
3. Registration of services necessary for Kaspersky Anti-Virus functioning.
Installing the application 17
without the anti-virus databases. Please see section 5.5 on p. 40 for details on
the application modes.
This chapter contains solutions for typical tasks related to work with Kaspersky
Anti-Virus, such as application updating, management of license keys, anti-virus
protection of HTTP traffic, and configuration of different anti-virus scanning
parameters for various user groups. The tasks described in this section reflect
basic features of Kaspersky Anti-Virus. Their implementation in a specific
configuration will depend upon the organizational peculiarities of your network
and the existing security policy. Please refer to Chapter 5 on p. 34 for a detailed
explanation of application settings used in description of these tasks.
# keepup2date –l
/var/log/kav/5.5/kav4proxy/updatesreport.log
If you need to update the anti-virus databases on several servers, it may be more
convenient to download the updates from an update server once, save them to a
shared directory, and mount the directory within the file system of every server
running Kaspersky Anti-Virus. Then it will be sufficient to launch the update script
having specified first the mounted directory as the source of updates. FTP and
HTTP can also be used for sharing of the anti-virus databases. Please see
section 4.1.3 on p. 23 for details related to creation of a shared directory for
updates.
You can also update the application remotely using the appropriate
Webmin plug-in.
Task: create a shared local directory, which the local computers will use
as the source to update their anti-virus databases.
Solution: to accomplish the task, log in as the root (or any other
privileged user) and do the following:
24 Kaspersky Anti-Virus for Proxy Server
If a license key is not installed or an error has occurred while loading the
information about the current license, the application switches into a special
unlicensed mode of operation. In that mode it does not perform anti-virus
scanning of objects transferred through a proxy server; all objects are treated
using the action specified by the LicenseErrorAction parameter (see section
A.1 on p. 48).
After the license expires, the functionality of the application will still be preserved
except for the possibility to update the anti-virus databases. You will still be able
to perform anti-virus scanning and processing of objects, but you will be unable
to use the databases issued after your license expiration date. Therefore, you
may not be protected against new viruses that have appeared after your license
expired.
In order to protect your computer against new viruses, we recommend that you
renew the license to use Kaspersky Anti-Virus.
The license key entitles you to use the application. It contains all information
related to the license you have purchased, including the type of license, license
expiry date, information about dealers, etc.
In addition to the right to use the application during the license period, you will
have the following benefits:
• twenty-four-hour technical support
• hourly updates of the anti-virus databases
Using Kaspersky Anti-Virus 25
To view information about all installed license keys, enter the following
in the command line:
# licensemanager –s
In the server console, you will see information similar to the following:
Kaspersky license manager for Linux. Version
5.5.0/RELEASE
Copyright (C) Kaspersky Lab, 1997-2006.
Portions Copyright (C) Lan Crypto
License info:
Product name: Kaspersky Anti-Virus for Proxy Server
Expiration date: 14-06-2006, expires in 117 days
Contact the company that sold you the product and renew your license
for Kaspersky Anti-Virus.
or:
Purchase a license extension directly from Kaspersky Lab. Write a letter
of request to the Sales Department of our company at
sales@kaspersky.com or fill in the corresponding form on our website
(www.kaspersky.com), section E-Store Æ Renew Your License. After
your payment is received, we will send a license key to the email
address indicated in the corresponding field of your license renewal
form.
Using Kaspersky Anti-Virus 27
To install a new license key, enter, for example, the following in the
command line:
# licensemanager -a 00053E3D.key
where 00053E3D.key is the name of the license key file.
If the installation is successful, the following (or similar) information will
be displayed on the server console:
Kaspersky license manager. Version 5.5.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2006.
Key file 00053E3D.key is successfully registered
We recommend that you update the anti-virus databases after the installation.
If you want to install a new license key before the current license key expires,
you can add it as a backup license key. The backup key will be activated
immediately after the current one expires. The term of validity for the additional
key starts from the activation date. You can install only one backup key.
If you have installed two keys (the current and an additional one), you can view
information about the installed active and backup keys in the server console.
To remove the current license key, enter the following in the command
line:
# licensemanager –da
If the component removes the license key successfully, the following (or similar)
information will be displayed on the server console:
Kaspersky license manager. Version 5.5.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2006.
Active key was successfully removed
# licensemanager –dr
The server console will display the following (or similar) information:
Kaspersky license manager. Version 5.5.0/RELEASE
28 Kaspersky Anti-Virus for Proxy Server
[icapserver.filter]
ExcludeURL=www.trusted_company.com/.*
[icapserver.engine.options]
30 Kaspersky Anti-Virus for Proxy Server
ScanPacked=yes
ScanArchives=yes
ScanMailBases=no
ScanMailPlain=no
Cure=yes
[icapserver.actions]
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
ErrorAction=skip
ProtectedAction=skip
CorruptedAction=skip
[icapserver.protocol]
AnswerMode=partial
[icapserver.statistics]
AVStatisticsFile=/var/log/kav/5.5/statistic
Task:
Configure the application to perform anti-virus checks of HTTP traffic I
accordance with the following requirements:
• The following anti-virus scanning parameters must be specified
for the managers group that includes computers using the IP
addresses of the 192.168.1.0/255.255.255.0 subnet:
• Scanning of packed, archived files and e-mail
databases must be disabled.
• Disinfection of infected objects must be enabled.
• Access should be granted to clean and disinfected
objects only.
• The following anti-virus scanning parameters must be specified
for the sales group that includes computers using the IP
addresses of the 192.168.2.0/255.255.255.0 subnet:
• Scan all objects.
• Disinfection of infected objects must be enabled.
• Block access to infected, suspicious, damaged objects
and objects containing code that resembles a known
virus.
• The following anti-virus scanning parameters must be specified
for all other users:
• Scanning of e-mail databases must be disabled.
• Disinfection of infected objects must be disabled.
• Access should only be granted to objects that have
been assigned the OK status after a scan (please refer
to section 5.3 on p. 36 for details about statuses).
[icapserver.groups:managers]
Priority=1
32 Kaspersky Anti-Virus for Proxy Server
ClientIP=192.168.1.0/255.255.255.0
URL=.*
[icapserver.engine.options:managers]
ScanPacked=no
ScanArchives=no
ScanMailBases=no
ScanMailPlain=no
Cure=yes
[icapserver.actions:managers]
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
ErrorAction=deny
ProtectedAction=deny
CorruptedAction=deny
[icapserver.groups:managers]
Priority=2
ClientIP=192.168.2.0/255.255.255.0
URL=.*
[icapserver.engine.options:managers]
ScanPacked=yes
ScanArchives=yes
ScanMailBases=yes
ScanMailPlain=yes
Cure=yes
[icapserver.actions:managers]
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
Using Kaspersky Anti-Virus 33
ErrorAction=skip
ProtectedAction=skip
CorruptedAction=deny
[icapserver.engine.options]
ScanPacked=yes
ScanArchives=yes
ScanMailBases=no
ScanMailPlain=no
Cure=no
[icapserver.actions]
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
ErrorAction=deny
ProtectedAction=deny
CorruptedAction=deny
You do not have to specify all group parameters while creating a new one. If
some parameters are missing, the application uses its default settings
(see Appendix A.1 on p. 48).
Example: create the managers group to define the rules for processing
of objects requested by client computers using the
192.168.10.0/255.255.255.0 subnet. Prohibit for the group access to all
objects other than clean, disinfected and password-protected. Set the
group priority to 2. Use default values for all other parameters.
Solution: to accomplish the task, log in as the root (or any other
privileged user) and create the following sections in the kav4proxy.conf
configuration file:
[icapserver.groups:managers]
Priority=2
ClientIP=192.168.10.0/255.255.255.0
URL=.*
[icapserver.engine.options:managers]
Cure=yes
[icapserver.actions:managers]
CuredAction=skip
ErrorAction=deny
ProtectedAction=skip
36 Kaspersky Anti-Virus for Proxy Server
Example: Specify the following actions over scanned objects for the
default group:
• allow transfer of the objects that have been assigned the
CURED and PROTECTED status
• prohibit transfer of all other objects.
Solution: to accomplish the task, log in as the root (or any other
privileged user) and specify the following parameter values in the
[icapserver.actions] section:
[icapserver.actions]
CuredAction=skip
ProtectedAction=skip
InfectedAction=deny
SuspiciousAction=deny
WarningAction=deny
ErrorAction=deny
CorruptedAction=deny
/usr/lib/sendmail -t -i<<EOT
From: Kaspersky Anti-Virus For Proxy Server
<root@$HOSTNAME>
To: $recipients
Subject: %VERDICT% object requested
Found:
Infected: %VIRUS_LIST%
Cured: %CURED_LIST%
Suspicios: %SUSP_LIST%
Warnings: %WARN_LIST%
Alias Meaning
Counter Description
The level of detail is a number that sets the level of verboseness for information
regarding the components’ work. Each subsequent level includes information of
the previous level together with some additional data.
Possible levels of report details are listed in the table 4 below.
Table 4. Levels of report details
Level Level letter
Level symbol Meaning
name
Information about fatal errors is displayed always, regardless of the report detail
level. The optimal level is level 4, which is also the default level.
Information messages may be subdivided into the following types:
• Messages pertaining to anti-virus checks.
• Messages pertaining to the operation of the application.
The output format for each of the detail levels listed above is as follows:
[DD-MM-YY HH:MM:SS L] STRING
where
DD-MM-YY HH:MM:SS stand for the date and time of record creation in the
format defined by the DateFormat and TimeFormat parameters.
L – letter symbol indicating the selected level of details in report.
STRING – test containing information about an event that has occurred.
E.g., information about the results of anti-virus scan for an object will be logged
in the following format:
[DD-MM-YY HH:MM:SS A] CLIENT_IP URL VERDICT [INFO]
where
DD-MM-YY HH:MM:SS stand for the date and time of record creation in the
format defined by the DateFormat and TimeFormat parameters.
А means the Activity level.
CLIENT_IP – IP address of the client that has requested on object.
URL – URL of the requested object.
VERDICT – object status according to the results of its anti-virus scanning.
INFO – additional information, for instance, name of a detected virus.
ExcludeMimeType=^audio/mpeg$
ExcludeMimeType=^application/vnd.ms.wms-hdr.asfv1$
ExcludeMimeType=^application/x-mms-framed$
The settings above will exclude from the scope of anti-virus scanning data
streams in MPEG, ASF and Microsoft Windows Media formats. Add to the
excluded MIME types of data streams the format used by the Internet radio
station that you would like to listen to.
CHAPTER 6. UNINSTALLING
THE APPLICATION
The [path] section contains the parameters that define paths to the directories
essential for the application's functioning:
BasesPath – full path to the directory where the anti-virus databases are
stored.
LicensePath – full path to the directory where the license keys for the
application are stored.
TempPath – full path to the directory where the temporary files of the
application are stored.
The [options] section contains the parameters that define the user and the
group used to run the application:
User – name of the user whose privileges the application uses to run.
Group – name of the group whose privileges the application uses to run.
The [locale] section contains the parameters that define the date and time
format in reports and application statistics:
The [icapserver.actions] section contains the settings for actions over scanned
objects for the default group:
The [updater.path] section contains the paths to directories and files necessary
for the functioning of the keepup2date component:
The [updater.report] section contains the settings for output of reports by the
keepup2date component:
A.2. Macros
Kaspersky Anti-Virus allows using special macros in template-based placeholder
files sent to users instead of blocked objects (see section 5.3 on p. 36) and in the
text of the notification script (the NotifyScript parameter). Table 5 contains a
description of these macros.
Table 5. Macros
64 Licensing error.
Update options
-g <url> Use the server with the specified URL as the source of
updates.
128 + Application has exited upon a signal with the corresponding code.
signal
code
APPENDIX B. KASPERSKY LAB
Founded in 1997, Kaspersky Lab has become a recognized leader in information
security technologies. It produces a wide range of data security software and
delivers high-performance, comprehensive solutions to protect computers and
networks against all types of malicious programs, unsolicited and unwanted e-
mail messages, and hacker attacks.
Kaspersky Lab is an international company. Headquartered in the Russian
Federation, the company has representative offices in the United Kingdom,
France, Germany, Japan, USA (CA), the Benelux countries, China, Poland, and
Romania. A new company department, the European Anti-Virus Research
Centre, has recently been established in France. Kaspersky Lab's partner
network incorporates more than 500 companies worldwide.
Today, Kaspersky Lab employs more than 450 specialists, each of whom is
proficient in anti-virus technologies, with 10 of them holding M.B.A. degrees, 16
holding Ph.Ds, and senior experts holding membership in the Computer Anti-
Virus Researchers Organization (CARO).
Kaspersky Lab offers best-of-breed security solutions, based on its unique
experience and knowledge, gained in over 14 years of fighting computer viruses.
A thorough analysis of computer virus activities enables the company to deliver
comprehensive protection from current and future threats. Resistance to future
attacks is the basic policy implemented in all Kaspersky Lab's products. At all
times, the company’s products remain at least one step ahead of many other
vendors in delivering extensive anti-virus coverage for home users and corporate
customers alike.
Years of hard work have made the company one of the top security software
manufacturers. Kaspersky Lab was one of the first businesses of its kind to
develop the highest standards for anti-virus defense. The company’s flagship
product, Kaspersky Anti-Virus, provides full-scale protection for all tiers of a
network, including workstations, file servers, mail systems, firewalls, Internet
gateways, and hand-held computers. Its convenient and easy-to-use
management tools ensure advanced automation for rapid virus protection across
an enterprise. Many well-known manufacturers use the Kaspersky Anti-Virus
kernel, including Nokia ICG (USA), F-Secure (Finland), Aladdin (Israel), Sybari
(USA), G Data (Germany), Deerfield (USA), Alt-N (USA), Microworld (India) and
BorderWare (Canada).
Kaspersky Lab's customers benefit from a wide range of additional services that
ensure both stable operation of the company's products, and compliance with
specific business requirements. Kaspersky Lab's anti-virus database is updated
every hour. The company provides its customers with a 24-hour technical
support service, which is available in several languages to accommodate its
international clientele.
Appendix B 61
retrieval of daily updates for the anti-virus database and the program modules. A
unique second-generation heuristic analyzer efficiently detects unknown viruses.
A simple and convenient interface allows users to configure the program quickly
making work with it easier than ever.
®
Kaspersky Anti-Virus Personal Pro has the following features:
• On-demand scan of local disks.
• Real-time automatic protection of all accessed files from viruses.
• Mail Filter automatically scans and disinfects all incoming and outgoing
mail for any mail client that uses POP3 and SMTP protocols and
effectively detects viruses in mail databases.
• Behavior blocker that provides maximum protection of MS Office
applications against viruses.
• Archive scanning – Kaspersky Anti-Virus recognizes over 900 formats of
archived and compressed files and ensures automatic anti-virus scanning
of their content and removal of malicious code from files within ZIP, CAB,
RAR, ARJ, LHA and ICE archives.
Kaspersky® Anti-Hacker
®
Kaspersky Anti-Hacker is a personal firewall that is designed to safeguard a
computer running any Microsoft Windows operating system. It protects your
computer against unauthorized access and external hacker attacks from either
the Internet or the local network.
®
Kaspersky Anti-Hacker monitors the TCP/IP network activity of all applications
®
running on your machine. When it detects a suspicious action, Kaspersky Anti-
Hacker blocks the suspicious application from accessing the network. This helps
ensure enhanced privacy and 100% security of confidential data stored on your
computer.
The product’s SmartStealth™ technology prevents hackers from detecting your
computer from the outside. In this stealthy mode, the application works
seamlessly to keep your computer protected while you are on the Web. The
application provides conventional transparency and accessibility of information.
Kaspersky® Anti-Hacker also blocks most common network hacker attacks and
monitors attempts to scan computer ports.
Configuration of the application is simply a matter of choosing one of five security
levels. By default, the application starts in self-learning mode, which will
automatically configure your security system depending on your responses to
various events. This makes your personal guard adjustable to your specific
preferences and your particular needs.
Appendix B 63
computer detection from outside. When you switch into that mode, the system
will block all network activity except for a few transactions allowed in user-
defined rules.
The program employs complex approach to anti-spam filtering of incoming e-mail
messages:
• Verification against black and white lists of recipients (including addresses
of phishing sites).
• Inspection of phrases in message body.
• Analysis of message text using a self-learning algorithm.
• Recognition of spam sent in image files.
1
Depending on the type of distribution kit.
Appendix B 67
Kaspersky® Anti-Spam
Kaspersky® Anti-Spam is a cutting-edge software suite that is designed to help
organizations with small- and medium-sized networks wage war against the
onslaught of unsolicited e-mail messages (spam). The product combines the
revolutionary technology of linguistic analysis with modern methods of e-mail
filtration, including DNS Black Lists and formal letter features. Its unique
combination of services allows users to identify and wipe out up to 95% of
unwanted traffic.
Installed at the entrance to a network, where it monitors incoming e-mail traffic
®
streams for spam, Kaspersky Anti-Spam acts as a barrier to unsolicited e-mail.
The product is compatible with any mail system and can be installed on either an
existing mail server or a dedicated one.
Kaspersky® Anti-Spam’s high performance is ensured by daily updates to the
content filtration database adding samples provided by the Company’s linguistic
laboratory specialists. Databases are updated every 20 minutes.
the presence of viruses and other malware (Spyware, Adware, etc.) and
performs centralized anti-spam filtration of e-mail stream. This solution also
includes some additional mail traffic filtration features.
B.2. Contact Us
If you have any questions, comments, or suggestions, please refer them to one
of our distributors or directly to Kaspersky Lab. We will be glad to assist you in
any matters related to our product by phone or via e-mail. Rest assured that all of
your recommendations and suggestions will be thoroughly reviewed and
considered.