Antivirus
Release notes
Version 3.0.0 - Early deployment
- Improvement: Upgraded to ClamAV version 0.98.7 (M11166)
- Dependency:
Version 2.1.1 - Early deployment
- Bugfix: Installation on baseline >= 2.4.0 was failing (M8114)
Version 2.1.0 - Early deployment
- Feature: ClamAV updated to version 0.98 (M7277)
Version 2.0.5 - General deployment
- Bugfix: Handle correctly the error when the virus signatures update fails
- Bugfix: Corrected permissions not being applied correctly because of too many transactions
Version 2.0.4 - Early deployment
- Feature: Display the SOPkey in the report sent by mail (M0005328)
Version 2.0.3 - Early deployment
- Feature: Support for baseline 2.1 (M0004457)
Version 2.0.2 - General deployment
- Feature: Support for baseline 2.1 (M0004457)
Version 2.0.1 - Deprecated
- Bugfix: Entirely remove F-secure (M0004457)
- Deprecated: Not supported on baseline 2.1
Version 2.0.0 - General deployment
- Feature: Migration from F-Secure to ClamAV (M0004457)
Version 1.3.0 - Deprecated
- Improvement: The scheduled scan supports an exclude list which can be used to stop certain directories from being scanned and generating false warnings.
- Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher
Version 1.2.0 - Deprecated
- Bugfix: Fixed bugs in the module installation procedure
- Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher
Version 1.1.0 - Deprecated
- Feature: Possibility to schedule, un-schedule and interrupt a full anti-virus scan
- Feature: Possibility to activate or deactivate the on-access anti-virus scanning
- Improvement: Upgraded F-secure software to version 7.02
- Improvement: Improved compatibility with latest SOP baseline
- Improvement: By default on-access scanner is disabled but can be enabled manually via the SOP shell
- Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher
Version 1.0.0 - Deprecated
- Feature: Added SOPSshell plugin to schedule antivirus scan
- Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher
Version 0.0.0 - Deprecated
Module configuration interface
Module configuration parameters for ClamAV
- Comma-separated list of paths to exclude from the scheduled scan: an optional comma-separated list of paths or filenames can be specified to be excluded from the scheduled scan. The following default paths and filenames are already excluded by the module and do not need to be added manually:
- /proc
- /sys
- /tftpboot
- /var
- /data
- /etc
- /.sopsync
- /tmp
- /opt/f-secure/
- /usr/share
- /standby
- /usr/src
- /var/lib/clamav
- Report sent to (mail address): mail address the report of the scan will be sent to.
- Scanning frequency:
- Daily: performed every day between 0:00 and 4:00.
- Weekly: performed every Sunday between 0:00 and 4:00.
- Monthly: performed every first Sunday of the month between 0:00 and 4:00.
- Proxy server: hostname or IP address of the proxy server
- Proxy port: port of the proxy server
- Proxy username: username to authenticate to the proxy
- Proxy password: password to authenticate to the proxy
The virus definitions are updated before every scheduled scan.
The proxy server settings are used when fetching the virus definition updates.
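As an added example (not part of the module's documentation or code), the following sketch shows how the ClamAV parameters above fit together: the default exclude list merged with the user's comma-separated list into clamscan options, the proxy parameters written as freshclam settings, and an update-then-scan-then-mail run that records a failed signature update instead of aborting (the failure mode addressed in version 2.0.5). The clamscan and freshclam option names are real ClamAV options; how the module itself applies the parameters is an assumption, and the mail address and proxy values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the Escaux module's own code: turn the module's
# exclude list and proxy parameters into a ClamAV scheduled-scan run.
# Assumptions: the module feeds its proxy parameters to freshclam via the
# HTTPProxyServer/HTTPProxyPort/HTTPProxyUsername/HTTPProxyPassword
# options, and the scan itself is a recursive clamscan of / with the
# excluded paths passed as --exclude-dir regexes.

# Paths the module already excludes by default (the list documented above).
DEFAULT_EXCLUDES="/proc,/sys,/tftpboot,/var,/data,/etc,/.sopsync,/tmp,/opt/f-secure/,/usr/share,/standby,/usr/src,/var/lib/clamav"

# exclude_args DEFAULT_LIST [USER_LIST]
# Converts comma-separated paths into "--exclude-dir=^PATH " options.
# The ^ anchor makes /var exclude only /var, not /data/var; a trailing
# slash is dropped so "/opt/f-secure/" and "/opt/f-secure" behave alike.
exclude_args() {
    list="$1"
    [ -n "$2" ] && list="$list,$2"
    printf '%s\n' "$list" | tr ',' '\n' | while IFS= read -r p; do
        [ -z "$p" ] && continue
        p="${p%/}"
        printf '%s ' "--exclude-dir=^$p"
    done
}

# freshclam_proxy_conf SERVER PORT [USERNAME PASSWORD]
# Emits the freshclam.conf lines for the module's four proxy parameters;
# the credential lines are only written when a username is configured.
freshclam_proxy_conf() {
    printf 'HTTPProxyServer %s\nHTTPProxyPort %s\n' "$1" "$2"
    [ -n "$3" ] && printf 'HTTPProxyUsername %s\nHTTPProxyPassword %s\n' "$3" "$4"
    return 0
}

# run_scheduled_scan MAIL_ADDRESS [USER_EXCLUDE_LIST]
# Updates signatures first (as the module does before every scheduled scan),
# records a failed update in the report instead of aborting, scans with the
# combined exclude list and mails the report. Not executed here; call it
# from the daily/weekly/monthly schedule, e.g. run_scheduled_scan admin@example.net
run_scheduled_scan() {
    report=$(mktemp) || return 1
    if ! freshclam --quiet >>"$report" 2>&1; then
        echo "WARNING: virus signature update failed, scanning with the existing database" >>"$report"
    fi
    # shellcheck disable=SC2046  # word splitting of the option string is intended
    clamscan -r -i $(exclude_args "$DEFAULT_EXCLUDES" "$2") / >>"$report" 2>&1
    mail -s "Antivirus scan report from $(hostname)" "$1" <"$report"
    rm -f "$report"
}
```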
Module configuration parameters for F-Secure (deprecated: the module now uses ClamAV)
- Comma-separated list of paths to exclude from the scheduled scan: an optional comma-separated list of paths or filenames can be specified to be excluded from the scheduled scan. The following default paths and filenames are already excluded by the module and do not need to be added manually:
- /proc
- /sys
- /tftpboot
- /var
- /data
- /etc
- /.sopsync
- /tmp
- /opt/f-secure/
- /usr/share
- /standby
- /usr/src
- /var/opt/f-secure
Configuration through the local SOP
By default the F-Secure web based management interface is disabled. It can be enabled manually via the SOP shell:
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'
The F-Secure management interface can be reached through an HTTP(S) session. To do so, you must first establish an SSH port forward to the SOP. Discussing how a port forward is set up is beyond the scope of this document; if you need more information, search for the keywords 'putty port forward'. PuTTY is an SSH application for the Microsoft Windows platform; other SSH clients can be used too.
- Hostname/IP to connect to: the hostname or IP of the SOP.
- Port forward destination: localhost:28080.
- Local port: we recommend port 80.
This way, when you point your browser to http://localhost:80, you are in fact connecting to port 28080 of the SOP through the SSH tunnel.
Point your browser to http://localhost:80 and log in using the following credentials:
- Login: admin
- Password: admin
- You are strongly advised to change the default password
For more information on the usage of F-Secure, please consult the F-Secure documentation.
Although F-Secure can be used to perform integrity checking and firewalling, we currently only use it as an anti-virus tool.
Therefore, in the web interface:
- Disable 'Firewall'
- Disable 'Integrity Protection'
When the configuration phase has passed, the management interface and on-access scanner should be deactivated again.
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'
Mode of operation
The F-Secure module can run in two modes:
- On-access virus scanning: each new file is scanned in real time. This provides a higher level of virus protection but can lead to unpredictable CPU load on the SOP server. As a result, fewer resources are available to provide real-time unified communication services. This mode is not recommended.
- Scheduled scanning: a full scan can be scheduled each night. During this scan the complete file system is analyzed for viruses. The advantage of this scanning method is that during office hours the performance impact of the F-Secure application on the real-time communication processes is reduced to a bare minimum: the only process running is the Automatic Update Agent, which checks every hour for a new virus signature file. This mode is recommended.
On-access antivirus scanning
Activation:
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'
Verification:
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: process status'
Configuration:
Real-time antivirus scanning (on-access scanning) on real-time machines can have an impact on performance. Escaux advises to restrict the real-time scanning scope:
Navigate to: !F-Secure web interface
- Leave 'virus protection' enabled
Navigate to: !F-Secure web interface > Advanced Mode > Adapt 'Virus Protection' > 'Real-time Scanning'
- Add these paths to "Directories excluded from scanning":
- /proc
- /sys
- /tftpboot
- /var
- /data
- /etc
- /.sopsync
- /tmp
- /usr/src
- /usr/share/ibm-java2-i386-50/jre/lib
- /standby
- /data/log/
- /var/opt/f-secure/fssp/update/avpe/
- /opt/f-secure
- Disable 'Scan when opening a file'
- Disable 'Scan when closing a file'
- Leave 'Scan when running an executable' enabled
- Disable 'Scan inside archives'
- Disable 'Scan for Riskware'
Full scheduled antivirus scanning
Requires module version 1.1 or higher
Schedule a full scan: Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'Full scan: schedule'
Disable the on-access scanning: Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'
Uninstallation
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'Uninstall F-Secure application'
Known issues
The F-Secure web interface does not work
Solution: stop and restart the F-Secure on-access scanning:
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'
Navigate to: !SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'
The scanning report contains warnings such as "Could not read from file", "Could not open the file" or "Scan task timeout"
The scanning report might contain a few files which could not be read, opened or scanned (.jar files frequently appear). This is no cause for concern and should be disregarded.