Antivirus

Release notes

Version 3.0.0 - Early deployment
  • Improvement: Upgraded to ClamAV version 0.98.7 (M11166)
  • Dependency:
    • Baseline 2.x.x

Version 2.1.1 - Early deployment
  • Bugfix: Installation on baseline >= 2.4.0 was failing (M8114)

Version 2.1.0 - Early deployment
  • Feature: ClamAV updated to version 0.98 (M7277)

Version 2.0.5 - General deployment
  • Bugfix: Handle the error correctly when the virus signature update fails
  • Bugfix: Corrected permissions not being applied correctly because of too many transactions

Version 2.0.4 - Early deployment
  • Feature: Display the SOPkey in the report sent by mail (M0005328)

Version 2.0.3 - Early deployment
  • Feature: Support for baseline 2.1 (M0004457)

Version 2.0.2 - General deployment
  • Feature: Support for baseline 2.1 (M0004457)

Version 2.0.1 - Deprecated
  • Bugfix: Entirely remove F-Secure (M0004457)
  • Deprecated: Not supported on baseline 2.1

Version 2.0.0 - General deployment
  • Feature: Migration from F-Secure to ClamAV (M0004457)

Version 1.3.0 - Deprecated
  • Improvement: The scheduled scan supports an exclude list which can be used to stop certain directories from being scanned and generating false warnings.
  • Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher

Version 1.2.0 - Deprecated
  • Bugfix: Fixed bugs in the module installation procedure
  • Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher

Version 1.1.0 - Deprecated
  • Feature: Possibility to schedule, un-schedule and interrupt a full anti-virus scan
  • Feature: Possibility to activate or deactivate the on-access anti-virus scanning
  • Improvement: Upgraded F-Secure software to version 7.02
  • Improvement: Improved compatibility with latest SOP baseline
  • Improvement: By default on-access scanner is disabled but can be enabled manually via the SOP shell
  • Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher

Version 1.0.0 - Deprecated
  • Feature: Added SOPSshell plugin to schedule antivirus scan
  • Deprecated: This version is end-of-life. It is recommended to upgrade to version 2.x.x or higher

Version 0.0.0 - Deprecated
  • Initial version

Module configuration parameters for ClamAV

  • Comma separated list of paths to exclude from the scheduled scan: an optional comma separated list of paths or filenames that are excluded from the scheduled scan. The following default paths and filenames are already built into the module and do not need to be added manually:
    • /proc
    • /sys
    • /tftpboot
    • /var
    • /data
    • /etc
    • /.sopsync
    • /tmp
    • /opt/f-secure/
    • /usr/share
    • /standby
    • /usr/src
    • /var/lib/clamav
  • Report send to (mail address): mail address the scan report will be sent to.
  • Scanning frequency:
    • Daily: performed every day between 0:00 and 4:00.
    • Weekly: performed every Sunday between 0:00 and 4:00.
    • Monthly: performed every first Sunday of the month between 0:00 and 4:00.
  • Proxy Server: hostname or IP address of the proxy server
  • Proxy Port: port of the proxy server
  • Proxy Username: username to authenticate to the proxy
  • Proxy Password: password to authenticate to the proxy

The virus definitions are updated before every scheduled scan.

The proxy server settings are used for fetching the virus definition updates.
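As an added example (not the module's own code), the Python below turns the exclude-list parameter described above into a clamscan invocation. It assumes the scheduled scan is a recursive clamscan and that exclusions are passed as clamscan's --exclude-dir/--exclude regexes; the default list is the one documented for the module.

```python
"""Turn the module's exclude-list parameter into a clamscan invocation.

Added example, not the module's own code; it assumes the scheduled scan is
a recursive clamscan. The default exclusions are the ones documented above.
"""
import re

DEFAULT_EXCLUDES = ["/proc", "/sys", "/tftpboot", "/var", "/data", "/etc",
                    "/.sopsync", "/tmp", "/opt/f-secure/", "/usr/share",
                    "/standby", "/usr/src", "/var/lib/clamav"]


def parse_exclude_list(value):
    """Split the comma separated parameter and merge it with the defaults.

    Entries are trimmed, empty ones dropped, trailing slashes removed so
    '/opt/f-secure/' and '/opt/f-secure' are one exclusion, duplicates
    dropped while keeping order, and excluding '/' itself is refused.
    """
    merged = []
    for raw in DEFAULT_EXCLUDES + value.split(","):
        entry = raw.strip()
        if entry.startswith("/"):
            entry = entry.rstrip("/")
            if not entry:
                raise ValueError("refusing to exclude the whole filesystem")
        if entry and entry not in merged:
            merged.append(entry)
    return merged


def exclude_regex(entry):
    """--exclude/--exclude-dir take regexes, so anchor absolute paths at the
    root ('/var' must not also hide '/data/var'); a bare filename matches
    that exact name in any directory."""
    if entry.startswith("/"):
        return "^" + re.escape(entry) + "(/|$)"
    return "(^|/)" + re.escape(entry) + "$"


def clamscan_args(exclude_value, root="/"):
    """Argument vector for the full scheduled scan honouring the exclusions."""
    args = ["clamscan", "--recursive", "--infected"]
    for entry in parse_exclude_list(exclude_value):
        pattern = exclude_regex(entry)
        args += ["--exclude-dir=" + pattern, "--exclude=" + pattern]
    return args + [root]
```

Note that every exclusion is a gap in coverage: anything written under an excluded path is never seen by the scheduled scan, so keep the operator-supplied list short and review it when the report shows unexpected gaps.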

Module configuration parameters for F-Secure (deprecated: the module now uses ClamAV)

  • Comma separated list of paths to exclude from the scheduled scan: an optional comma separated list of paths or filenames that are excluded from the scheduled scan. The following default paths and filenames are already built into the module and do not need to be added manually:
    • /proc
    • /sys
    • /tftpboot
    • /var
    • /data
    • /etc
    • /.sopsync
    • /tmp
    • /opt/f-secure/
    • /usr/share
    • /standby
    • /usr/src
    • /var/opt/f-secure

Configuration through the local SOP

By default the F-Secure web-based management interface is disabled. It can be enabled manually via the SOP shell:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'

The F-Secure management interface can be reached through an HTTP(S) session. To do so, you must first establish an SSH port forward to the SOP. How a port forward is set up is beyond the scope of this document; if you need more information, search for 'putty port forward'. PuTTY is an SSH client for the Microsoft Windows platform; other clients can be used too.
  • Hostname/IP to connect to: the hostname or IP of the SOP.
  • Port forward destination: localhost:28080.
  • Local port: we recommend port 80.

This way, when you point your browser to http://localhost:80, you are in fact connecting to port 28080 of the SOP through the SSH tunnel.

Point your browser to http://localhost:80 and log in using the following credentials:
  • Login: admin
  • Password: admin
    • Warning: you are strongly advised to change the default password.

For more information on the usage of F-Secure, please consult the F-Secure documentation.

Although F-Secure can be used to perform integrity checking and firewalling, we currently only use it as an anti-virus tool.

Therefore, in the web interface:
  • Disable 'Firewall'
  • Disable 'Integrity Protection'

When the configuration phase is over, the management interface and on-access scanner should be deactivated again:
  • Access the SopShell
  • Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'

Mode of operation

The F-Secure module can run in two modes:
  • On-access virus scanning: each new file is scanned in real time. This provides a higher level of virus protection but can lead to unpredictable CPU load on the SOP server, leaving fewer resources for the real-time unified communication services. This mode is not recommended.
  • Scheduled scanning: a full scan can be scheduled each night. During this scan the complete file system is analysed for viruses. The advantage of this method is that during office hours the performance impact of the F-Secure application on the real-time communication processes is reduced to a bare minimum: the only process running is the Automatic Update Agent, which checks every hour for a new virus signature file. This mode is recommended.

On-access antivirus scanning

Activation:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'

Verification:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: process status'

Configuration: real-time antivirus scanning (on-access scanning) on real-time machines can have an impact on performance. Escaux advises restricting the real-time scanning scope:

Navigate to: F-Secure web interface
  • Leave 'virus protection' enabled
Navigate to: F-Secure web interface > Advanced Mode > Adapt 'Virus Protection' > 'Real-time Scanning'
  • Add these paths to "Directories excluded from scanning":
    • /proc
    • /sys
    • /tftpboot
    • /var
    • /data
    • /etc
    • /.sopsync
    • /tmp
    • /usr/src
    • /usr/share/ibm-java2-i386-50/jre/lib
    • /standby
    • /data/log/
    • /var/opt/f-secure/fssp/update/avpe/
    • /opt/f-secure
  • Disable 'Scan when opening a file'
  • Disable 'Scan when closing a file'
  • Leave 'Scan when running an executable' enabled
  • Disable 'Scan inside archives'
  • Disable 'Scan for Riskware'

Full scheduled antivirus scanning

Note: requires module version 1.1 or higher.

Schedule a full scan:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'Full scan: schedule'

Disable the on-access scanning:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'

Uninstallation

Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'Uninstall F-Secure application'

Known issues

The F-Secure web interface does not work

Solution: stop and start the F-Secure on-access scanning:
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: disable'
Navigate to: SopShell > Subsystems > F-SECURE antivirus > 'On-access scanning: enable'

The scanning report contains warnings such as "Could not read from file", "Could not open the file" or "Scan task timeout"

The scanning report might contain a few files which could not be read, opened or scanned (.jar files frequently appear). This is, however, no cause for concern and can be disregarded.
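As an added example (not the module's own code), the Python below triages such a report so that only the three documented warning types are set aside, while virus findings and any undocumented status are still surfaced. It assumes the report lists one 'path: status' line per scanned file; the sample report is constructed.

```python
"""Triage the scheduled-scan report: keep real findings, set aside the
warnings the documentation says to disregard, and surface anything else.

Added example, not the module's own code. It assumes the report lists one
'path: status' line per scanned file; the sample report is constructed.
"""
import re

# Warning texts the page says can be disregarded (.jar files are typical).
BENIGN_WARNINGS = ("Could not read from file", "Could not open the file",
                   "Scan task timeout")

# Only absolute paths are per-file results; summary lines are skipped.
RESULT_RE = re.compile(r"^(?P<path>/.*?): (?P<status>.+?)\s*$")


def triage_report(text):
    """Sort report lines into findings, benign warnings and unknown statuses.

    Returns a dict of lists of (path, status). Anything that is neither
    'OK', a virus FOUND line nor a documented warning lands in 'unknown'
    so that a new failure mode is not silently disregarded.
    """
    out = {"findings": [], "benign": [], "unknown": []}
    for line in text.splitlines():
        m = RESULT_RE.match(line)
        if not m:
            continue
        path, status = m.group("path"), m.group("status")
        if status == "OK":
            continue
        if status.endswith(" FOUND"):
            out["findings"].append((path, status))
        elif status.startswith(BENIGN_WARNINGS):
            out["benign"].append((path, status))
        else:
            out["unknown"].append((path, status))
    return out


# Constructed sample report, not output from a real SOP.
SAMPLE_REPORT = """\
/home/user/report.pdf: OK
/usr/lib/app/lib/helper.jar: Could not read from file
/data/upload/invoice.exe: Eicar-Test-Signature FOUND
/opt/app/big.bin: Scan task timeout
/home/user/archive.zip: Permission denied
----------- SCAN SUMMARY -----------
Infected files: 1
"""
```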
Copyright © Escaux SA