Kaspersky ultrasonic scanner for Linux. percent of web servers run on Linux. Friendly or enemy detection. Antiviruses for Linux systems & kaspersky, clamav Detailed installation of Kaspersky on Linux

29.11.2021 Medicines 
September 21, 2012 at 6:21 pm

Installing Kaspersky Anti-Virus for Linux File Server

  • Antivirus protection
  • Tutorial

In recent months I have been plagued by problems with viruses on my file servers. Either Nod32 blocks subdomains, or Kaspersky blacklists the site. This does not make me happy and I decided to set up some kind of antivirus.

Clam AntiVirus is already installed and configured on all servers. I used it several years ago, but unfortunately it does not always find viruses of the Trojan-SMS.J2ME class.

After examining the Google results, I really couldn’t find anything.

Once again contacting Kaspersky support with a request to remove the site from the list of suspicious ones, I came across the Kaspersky for Linux File Server product. So I decided to test it.

A trip to Google for help in installing and configuring this antivirus also did not yield results. All results lead to the Kaspersky support site.

Has no one installed their distribution on their file servers? Maybe there are some other solutions?

The answers to these questions will remain a mystery to me. I settled on the above product and decided to test it.

We request a test license file on the technical support website. The answer comes in a few hours.

Let's start installation

# dpkg -i kav4fs_8.0.1-145_i386.deb
dpkg: error processing kav4fs_8.0.1-145_i386.deb (--install):
 package architecture (i386) does not match system (amd64)
Errors were encountered while processing:
 kav4fs_8.0.1-145_i386.deb

Oops. We have amd64. But Kaspersky doesn’t have any other distributions. Google doesn't respond either.

# dpkg -i --force-architecture kav4fs_8.0.1-145_i386.deb
(Reading database ... 38907 files and directories currently installed.)
Unpacking kav4fs (from kav4fs_8.0.1-145_i386.deb) ...
Setting up kav4fs (8.0.1-145) ...
Starting Kaspersky Lab Framework Supervisor: kav4fs-supervisor.
Kaspersky Anti-Virus for Linux File Server has been installed successfully, but it must be properly configured before using.
Please run /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl script manually to configure it.

It's a blast :). Let's try to configure it.

# /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl
Kaspersky Anti-Virus for Linux File Server version 8.0.1.145/RELEASE

Installing the license
The key file (a file with the .key extension) contains information about your license. You need to install it to use the application.
To install it now, enter the path to your key file (or enter an empty string to continue without installing the key file): /xxx/xxx.key
The license from /xxx/xxx.key has been installed.

Configuring the proxy settings to connect to the updates source
If you use an HTTP proxy server to access the Internet, you need to specify its address to allow the application to connect to the updates source.
Please enter the address of your HTTP proxy server in one of the following formats: proxyIP:port or user:pass@proxyIP:port.
If you don't have or need a proxy server to access the Internet, enter "no" here, or enter "skip" to use current settings without changes.
:

Downloading the latest application databases
The latest databases are an essential part of your server protection.
Would you like to download the latest databases now? (If you answer "yes", make sure you are connected to the Internet):
:

Enabling scheduled updates of the application databases
Would you like to enable scheduled updates [N]:

Setting up the kernel-level real-time protection
Would you like to compile the kernel-level real-time protection module? : no
Would you like to disable the real-time protection? : yes
Warning: The real-time protection is DISABLED.
Error: The kernel-level real-time protection module is not compiled.
To manually recompile the kernel-level real-time protection module, start /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --build[=PATH].

Setting up the Samba server real-time protection
Error: The installer couldn't find a Samba server on your computer. Either it is not installed, or is installed to an unknown location.
If the Samba server is installed, specify the server installation details and enter "yes".
Otherwise, enter "no" (the Samba server configuration step will be interrupted):
:
You can configure Samba server protection later by running the initial configuration script again by executing /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --samba
The real-time protection of Samba server was not setup. You can run the initial configuration script again by executing /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --samba

Setting up the Web Management Console
Warning: Password file not found, Kaspersky Web Management Console will not be started until correct password is set!
Would you like to set password for Kaspersky Web Management Console? :
Starting Kaspersky Web Management Console: kav4fs-wmconsole: password file not found! failed!
You can change password for Kaspersky Web Management Console by executing /opt/kaspersky/kav4fs/bin/kav4fs-wmconsole-passwd

Starting the real-time protection task
The task has been started, runtime ID: 1341314367.

Real-time protection doesn't seem to interest me at all. I only need to check the specified file and get the result of the check.

Trying a test virus

Create a virus test file with the contents

X5O!P%@AP

In addition, Linux has a very small desktop market share, which is often the main motivation for hackers. All this gives rise to a completely reasonable question: how can penetration into Linux be useful to an attacker?

Contrary to the myths, Linux's immunity to viruses is high, but not unlimited. Exploits for cross-platform technologies such as Java and Flash apply to Linux just as they do to other operating systems. And since Linux has penetrated the industrial market and web servers, intrusions have become far more profitable than before: data can be stolen and sold to "identity thieves", or machines can be used to build botnets and for other illegal activities.

If there are Windows (or dual-boot) computers on the network, Linux can become a safe haven for Windows malware that then spreads to local Windows drives or across the network. Although commercial desktop firewalls contain some of this threat, client computers that receive malicious packets from a trusted LAN device remain at risk. This claim is debatable: why not simply remove Linux computers from the list of "trusted" hosts if there is a suspicion that they may harbour viruses?

But before you write off all your previous opinions about the security of a Linux environment, let's look at some numbers.

According to estimates from various sources, the number of exploits for Windows is several thousand times higher than for our favourite free operating system, and thanks to the open nature of Linux, most vulnerabilities are fixed as soon as they are discovered. To be more precise, in approximate figures, the number of threats (potential and real viruses) for Linux is in the tens, while the number of real viruses for Windows is estimated in the hundreds of thousands. A simple calculation therefore puts the ratio at more than 10,000 to one.
Community Safety

However, the reason Windows has the most vulnerabilities is mainly its dominance in the market. That is one reason, yet given the number of commercial servers running Linux, where Windows is no longer so dominant, it cannot be called the main one. Unlike on Windows, though, you can rest easy knowing that if your computer does get infected, tools like SELinux (which we talked about last month), together with file permissions for user, group and others, will limit the damage that any malware could inflict on the system.

However, for mission-critical systems and business solutions that must comply with federal data protection laws, there are thousands of available security tools, from intrusion detectors (IDS), antivirus and firewalls to strong data encryption.

All of this provides more than enough protection for a Linux system, and as a regular user, you get far more benefits from sharing these utilities with the community than any Windows user could ever dream of. Plus, in most cases, you don't have to pay for an annual subscription or deal with a cumbersome application that interferes with your daily activities.

ClamAV: Install antivirus

Continuing the topic of security, Bob Moss will tell you how to protect your system from viruses and malware.

Last month, we learned how to install and configure Linux in a way that reduces the damage that malware can do to our beloved Linux system. This time we'll take it a step further and learn how to find and isolate viruses on a computer network before turning to Linux or AppArmor in hopes that they'll save the day. We'll also touch on an important question: is Linux as secure as its reputation suggests?

Gnome users will likely find ClamAV under the alias 'Virus Scanner': the ClamTk project offers a user-friendly interface for the program based on the gtk2-perl library. When installing the ClamTk package from your distribution's repository, you may notice that this front end is not the latest version, but fortunately packages for any Red Hat or Debian based system can be downloaded from the project site, and users of other distributions can build from source in the usual way. KDE users may also want to check out KlamAV or its replacement clamav-kde, available in the repositories of most distributions.

However, although these interfaces are well thought out and intuitive, their functionality is only sufficient to perform the most common tasks; and if you choose this path, the shells will have to be started manually. Much more power and flexibility is hidden inside.

ClamAV is available in most package managers, but the version on your distribution is likely not the latest, and you may not get the latest features or higher levels of security. Ubuntu users can simply go to System > Administration > Software Sources and select the "Third Party Repository" tab to add the PPA there. Our regular readers will remember that we covered Ubuntu PPAs back in LXF124, but Ubuntu Karmic users can use the following handy shortcut:

ppa:ubuntu-clamav/ppa

On older versions of Ubuntu, type this:

Opening the shell
Now that the repositories or source packages are ready, it's time to install ClamAV. You can choose how it will run - as a separate application or as a background daemon (then you will need to add the clamav-daemon package). In both cases, clamav-freshclam will be installed, which will keep virus signatures (and even ClamAV itself) up to date.

The ClamAV application is launched from the command line, manually or from a script, and the daemon constantly runs in the background. Both can be implemented later, but now you just need to decide how you want to maintain antivirus protection on your Linux system.

After installing the selected package, update the virus signatures before scanning your computer for the first time. This can be done through the GUI or simply with the command from the terminal:

Regular readers will recall that we briefly mentioned how to filter incoming packets from a proxy using ClamAV in a tutorial about parental controls in LXF128. Setting up ClamAV to work with a given proxy server couldn't be easier. Just open the /etc/clamav/freshclam.conf file and add the following lines to the end:

HTTPProxyServer server_ip_address
HTTPProxyPort port_number

Replace server_ip_address and port_number with the appropriate values. If you preferred to run ClamAV as a daemon, restart it for the changes to take effect.

Daemons
If you're running ClamAV as a daemon, it's a good idea to make sure it's actually running. This is checked with the command

ps ax | grep clamd

 2075 ?     Ssl  0:00 /usr/sbin/clamd
14569 pts/0 S+   0:00 grep clamd

On most systems you will see three lines of output. If the daemon is not running, run this command in a terminal:

The daemon version can be checked using the command:

Automatic scanning

Let's configure ClamAV to update virus signatures and scan the system.

So, ClamAV is installed. Through a convenient graphical interface, you can view quarantined files, run virus signature updates, and scan small directories. But how long will you be able to do this regularly? We are all human, and we are easily distracted from our daily routine, leaving the system vulnerable. It will be safer to get under the hood of ClamAV and configure it to scan and update virus signatures automatically - then the system itself will protect itself in a timely manner from any troubles that you may have the misfortune of running into while surfing the Internet.

Quick help

If you are getting "Oversized Zip" errors, change the ArchiveMaxCompressionRatio setting in /etc/clamd.conf after trying a couple of values with clamscan --max-ratio=400 example.zip

Let's try the simplest commands in the terminal. If ClamAV is running as a daemon, simply replace all occurrences of clamscan with clamdscan, and you will get almost the same functionality. Our first command will recursively check the files in a given directory for the presence of any virus from the virus signature database:

clamscan -r /path/to/directory

The command can be improved - let it display its output on the screen, and at the end of the test it emits a signal (bell):

clamscan -r --bell -i /path/to/directory

You can also redirect the output to other commands or to a text file for later viewing:

clamscan -r -i /path/to/directory > results.txt
clamscan -r -i /path/to/directory | mail <email address>

In the first case, the results of the recursive check are placed in a text file, in the second they are transferred to the mail program for subsequent sending to the specified address. The latter option is especially convenient when ClamAV is running in daemon mode: you will receive results in real time. Finally, you can add the --remove switch before specifying the path so that infected files are automatically removed from the system instead of being quarantined. But be careful with this, since in case of false positives you can lose the necessary files.

Including ClamAV checking in the system scheduler is very simple. Just enter

at 3.00 tomorrow
at> clamscan -i ~ > ~/test.txt

Submit the assignment by pressing Ctrl+D (there is no need to type at> in the second line). The command will schedule an antivirus scan for 3 am tomorrow and save the result in the file test.txt in the home directory. What if you need daily scanning?

It can be done in different ways. If you are a desktop user, run a shell script every time you log in, or configure your scheduler to call it.

In the first case, simply copy the second line of the previous example and paste it as a new startup application through System > Preferences > Startup Applications (System > Settings > Startup Applications). KDE users need to save this line in a shell script, copy it to the /home/user/.kde/AutoStart directory and then give it execute permission.

Regular checks

In the second case, you can set up periodic checks using Cron. You will need to copy the line from the previous code snippet into a file and name it scanscript.sh. First, make sure that the instructions in the cron.allow or cron.deny files give you access to Cron. If neither file exists, only root will have access, but if both exist, make sure your username is in the first file, but not the last.

Before adding an entry to crontab, set your favorite text editor in the $EDITOR variable. In other words, type:
export EDITOR=nano

Then you can add the following code to the end of the file:

0 * * * * sh /path/to/scanscript.sh

If you selected Nano as your editor, press Ctrl+X to exit and save. Now Cron will run the antivirus from the script file every hour of every day.

To understand how this line works, take a look at the table. Day number 0 from Cron's point of view is Sunday. An asterisk * means that the script will run at every mark on this timeline. By consulting the table, you can set any desired launch interval.

Finally, if you do not want to receive emails from the system with the results of the task, change the previous line as follows:

0 * * * * sh /path/to/scanscript.sh > /dev/null 2>&1

Planning virus signature updates is not much different from planning a scan run. However, the frequency of updates requires some thought. It is better to run anti-virus scans more often to ensure cleanliness, but signature updates are usually made no more than once a day. Therefore, executing them every time you log in is a waste of system resources.

Fresh signatures

On modern desktop systems, the overhead is not excessive, but it is worth considering when dealing with low-performance always-on network devices or file servers. On the desktop, you can run the update manually through the ClamTK GUI, but there is always the danger of forgetting about it.

Therefore, we recommend that you update your virus signatures at least once a day to ensure protection against the latest threats without unnecessary steps. The best solution to this problem is to add the following line to crontab:

0 3 * * * sh /path/to/scanscript.sh

It ensures that virus updates occur every day, or at least not at times when system resource consumption increases dramatically.
Crontab Numeric Ranges

Timeline   Minutes   Hours   Days   Months   Days of the week
Range      0–59      0–23    1–31   1–12     0–6
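As an added example (not code from the article or from the ClamAV project), here is a scanscript.sh for the cron entries above: it wraps the article's clamscan -r -i call, logs the output, and sends mail only when clamscan found something or failed, using clamscan's exit codes (0 clean, 1 virus found, 2 error) so that a silent clean run does not fill your inbox. The variable names, the --run switch and the log directory are my own assumptions; clamscan and mail are assumed to be installed.

```shell
#!/bin/sh
# scanscript.sh (added example): wrap "clamscan -r -i PATH" for cron.
# Assumed settings; override them in the environment or in crontab.
SCAN_PATH="${SCAN_PATH:-$HOME}"
LOG_DIR="${LOG_DIR:-$HOME/clamav-logs}"
MAIL_TO="${MAIL_TO:-root}"

# clamscan's exit status: 0 = nothing found, 1 = virus(es) found,
# 2 = some error occurred (for example a path it could not read).
scan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Pull the number out of the "Infected files: N" line of the scan summary.
# Prints 0 when the summary is missing (e.g. clamscan aborted early).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${n:-0}"
}

# A run deserves a mail only when it was infected, failed, or reported hits.
# Returns 0 (true) when a notification should go out.
should_notify() {
    verdict=$1
    count=$2
    [ "$verdict" = "infected" ] || [ "$verdict" = "error" ] || [ "$count" -gt 0 ]
}

run_scan() {
    mkdir -p "$LOG_DIR"
    log="$LOG_DIR/scan-$(date +%Y%m%d-%H%M).log"
    status=0
    # -r recursive, -i list only infected files; the summary block follows.
    clamscan -r -i "$SCAN_PATH" > "$log" 2>&1 || status=$?
    verdict=$(scan_verdict "$status")
    count=$(infected_count "$log")
    if should_notify "$verdict" "$count"; then
        mail -s "clamscan on $(hostname): $verdict ($count infected)" "$MAIL_TO" < "$log"
    fi
    return "$status"
}

# crontab entries matching the article, with this script:
#   0 3 * * *   sh /path/to/scanscript.sh --run     (daily at 03:00)
#   0 * * * *   sh /path/to/scanscript.sh --run     (hourly)
# Only scan when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```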

Other antivirus products

Although ClamAV is easy to install, configure, and manage, you may prefer a turnkey solution for protecting your desktop system against Linux and Windows viruses. There are several commercial alternatives to ClamAV.

They are aimed mainly at finding Windows viruses that have found refuge in Linux, but are very useful if you have dual boot or Windows computers on a local network.

Kaspersky Anti-Virus 5.6 for Linux Mail Server

Kaspersky Anti-Virus® 5.6 for Linux Mail Server (hereinafter referred to as Kaspersky Anti-Virus or the application) provides anti-virus protection for mail traffic and file systems of servers running the Linux or FreeBSD operating systems and using the Sendmail, Postfix, qmail or Exim mail systems.

The application allows you to:
  • Scan server file systems and incoming and outgoing email messages for threats.
  • Detect infected, suspicious, password-protected and unscannable objects.
  • Neutralize threats detected in files and email messages, and disinfect infected objects.
  • Save backup copies of messages before anti-virus processing and filtering, and restore messages from backups.
  • Process email messages according to rules specified for groups of senders and recipients.
  • Filter email messages by name, attachment type and attachment size.
  • Notify the sender, recipients and administrator about the detection of messages containing infected, suspicious, password-protected or unscannable objects.
  • Generate statistics and reports on the results of its work.
  • Update the anti-virus databases from Kaspersky Lab update servers on a schedule and on demand. The databases are used when searching for and disinfecting infected files: based on the records they contain, each file is analyzed during scanning for the presence of threats by comparing its code with the code characteristic of a particular threat.
  • Configure parameters and manage the application both locally (with standard operating system tools: command line parameters, signals and edits to the application configuration file) and remotely via the Webmin web interface.
  • Retrieve configuration information and application statistics via SNMP, and configure the application to send SNMP traps when certain events occur.

Hardware and software system requirements

The system requirements of Kaspersky Anti-Virus are as follows:

Hardware requirements for a mail server handling about 200 MB of traffic per day:
  • Intel Pentium IV processor, 3 GHz or higher;
  • 1 GB of RAM;
  • 200 MB of free hard drive space (not including the space required to store message backups).

Software requirements:
  • for a 32-bit platform, one of the following operating systems:
    o openSUSE 11.0;
    o Debian GNU/Linux 4.0 r4;
    o Mandriva Corporate Server 4.0;
    o Ubuntu 8.04.1 Server Edition;
    o FreeBSD 6.3, 7.0.
  • for a 64-bit platform, one of the following operating systems:
    o Red Hat Enterprise Linux Server 5.2;
    o Fedora 9;
    o SUSE Linux Enterprise Server 10 SP2;
    o openSUSE Linux 11.0.
  • One of the following mail systems: Sendmail 8.12.x or higher, qmail 1.03, Postfix 2.x, Exim 4.x.
  • The Webmin program (http://www.webmin.com), if you plan to manage Kaspersky Anti-Virus remotely.
  • Perl version 5.0 or higher (http://www.perl.org).

Installing the application on a server running Linux

Download the deb package, then run:

dpkg -i kav4lms_5.6-48_i386.deb

Post-installation setup

When installing Kaspersky Anti-Virus, after copying the distribution files to the server, the system is configured. Depending on the package manager, the configuration step will be launched automatically or (if the package manager does not allow the use of interactive scripts, such as rpm) it will need to be launched manually.

To start the application setup process manually on the command line
enter:

# /opt/kaspersky/kav4lms/lib/bin/setup/postinstall.pl

As a result, you will be prompted to do the following:
1. If the application detects configuration files of Kaspersky Anti-Virus 5.5 for Linux Mail Server or Kaspersky Anti-Virus 5.6 for Sendmail with Milter API on the computer, at this step you will be asked to choose which of the files to convert and save in the format of the current version of the application, and, if you select one of the files, you will be prompted to replace the application configuration file included in the distribution with the restored and converted file.
To replace the application configuration file included in the distribution with the restored file, enter yes as the answer. To refuse the replacement, enter no.
By default, converted configuration files are saved in the following directories:

kav4mailservers - /etc/opt/kaspersky/kav4lms/profiles/kav4mailservers5.5-converted

/etc/opt/kaspersky/kav4lms/profiles/kavmilter5.6-converted

2. Specify the path to the key file.
Please note that if the key is not installed, the anti-virus databases are not updated and the list of protected domains is not generated as part of the installation process. In this case, you must perform these steps yourself after installing the key.

3. Update the anti-virus databases. To do this, enter yes as the answer. If you do not want to download updates now, enter no. You can update later using the kav4lms-keepup2date component (for more details, see section 7.2 on page 83).

4. Configure automatic updating of the anti-virus databases. To do this, enter yes as the answer. To skip setting up automatic updates now, enter no. You can perform this setup later using the kav4lms-keepup2date component (for more details, see section 7.1 on page 82) or using the application configuration script (for details, see section 10.2 on page 103).

6. Install the webmin module to manage Kaspersky Anti-Virus through the web interface of the Webmin program. The remote control module will only be installed if the Webmin program is located in the standard directory. After installing the module, appropriate recommendations will be given on how to configure it to work together with the application. Enter yes as the answer to install the webmin module or no to refuse installation.

7. Determine the list of domains whose mail traffic will be protected from viruses. The default value is localhost, localhost.localdomain. To use it, press the Enter key.
To manually list domains, list them on the command line. You can specify multiple values, separated by commas; masks and regular expressions are allowed. Dots in domain names must be "escaped" using the "\" character.
For example:

re:.*\.example\.com

8. Integrate Kaspersky Anti-Virus into the mail system. You can accept the default option for integration with the mail system detected on your computer, or refuse the integration and perform it later. Integration with the mail system is described in detail in Chapter 4 on page 30.
By default, post-queue integration is used for the Exim and Postfix mail systems (see section 4.1.1 on page 31 and section 4.2.1 on page 37).

Installing the webmin module for managing Kaspersky Anti-Virus

The operation of Kaspersky Anti-Virus can also be controlled remotely via a web browser using the Webmin program.
Webmin is a program that simplifies the management of a Linux/Unix system. It has a modular structure, so new modules can be plugged in and you can develop your own. Additional information about the program and its installation, the documentation and the Webmin distribution kit are available on the program's official website:
http://www.webmin.com.
The Kaspersky Anti-Virus distribution kit includes a webmin module, which can either be installed during the post-installation setup of the application (see section 3.4 on page 21), if the Webmin program is already installed on the system, or at any other time after installing the Webmin program.

The following describes in detail the process of connecting the webmin module to manage Kaspersky Anti-Virus. If the default settings were used when installing Webmin, then after installation is complete, you can access the program using a browser by connecting via HTTP/HTTPS to port 10000.
In order to install the webmin module for managing Kaspersky Anti-Virus, you must:
Gain access through a web browser to the Webmin program with administrator rights for this program.
1. In the Webmin menu, select the Webmin Configuration tab and then the Webmin Modules section.
2. In the Install Module section, select From Local File and click the button (see Fig. 1).

3. Specify the path to the webmin application module and click the OK button.

Note
The Webmin module is a mailgw.wbm file and is installed by default in the /opt/kaspersky/kav4lms/share/webmin/ directory (for Linux distributions)

If the webmin module is installed successfully, a corresponding message will be displayed on the screen.

You can access the Kaspersky Anti-Virus settings by going to the Others tab and then clicking on the Kaspersky Anti-Virus icon (see Figure 2).

Deleting an application is done like this:

Next, let’s run our filter:

/etc/init.d/kas3 start && /etc/init.d/kas3-control-center start && /etc/init.d/kas3-milter start

Updating anti-virus databases

Let's run one command:

/opt/kaspersky/kav4lms/bin/kav4lms-keepup2date -s

You can also configure automatic updates.

Example: set the anti-virus databases to be updated automatically every hour. Record only application errors in the system log, keep a general log of all task launches, and do not output any information to the console.

To accomplish this task, perform the following steps:
1. In the application configuration file, set the appropriate values ​​for the parameters, for example:

KeepSilent=yes

Append=yes
ReportLevel=1

2. Edit the file that defines the rules for the cron process (crontab -e) by entering the following line:

0 0-23/1 * * * /opt/kaspersky/kav4lms/bin/kav4lms-keepup2date -e

At any time, you can start updating the anti-virus databases from the command line using the command:

# /opt/kaspersky/kav4lms/bin/kav4lms-keepup2date

Example: start updating the anti-virus databases, saving the results in the /tmp/updatesreport.log file.
To implement the task at the command line, enter:

# /opt/kaspersky/kav4lms/bin/kav4lms-keepup2date -l \
/tmp/updatesreport.log

CHECKING THE CORRECT OPERATION OF THE APPLICATION

Note
Before downloading, you must disable anti-virus protection, since the anti_virus_test_file.htm file will be identified and processed by the anti-virus installed on the computer as an infected object transported via the HTTP protocol.
Do not forget to enable anti-virus protection immediately after downloading the test “virus”.

A few more antiviruses for Debian

This hidden gem is designed to run on Linux servers to find DOS/Windows vulnerabilities, but works just as well on dual-boot systems and ensures that Windows malware doesn't copy itself onto Windows partitions from Linux. It is completely unclear what the author wrote here; viruses for Windows will never be able to work on Linux, even if they are written in scripting languages. One can only imagine a situation where the virus will contain special Linux code in order to be able to infect a parallel Windows installation. The product is less advanced than others mentioned here, but this lightweight app does its job well.
Avast Linux Home Edition
Website: http://www.avast.com/linux-home-edition

Avast has the same features as AVG; its key difference is the ability to control scanning from the command line, like ClamAV, and it can be called from shell scripts. The interface is based on the native GTK libraries, and among the ported programs, this one feels most at home on Linux.

Have you ever wondered whether you need an antivirus for Linux? Many lances have been broken in endless disputes, and now the answer seems obvious: of course we need it! But only if you need to look for Windows viruses.

It would seem axiomatic that if there are viruses for a platform, then you also need an antivirus for it. But with Linux it is not that simple. Yes, there are viruses for Linux, but in 99% of cases they are worms that exploit a single vulnerability in a specific service and, as a rule, a specific distribution (since the service version, settings and compilation parameters change from distribution to distribution). Good proof of this are, for example, Linux.Ramen (exploiting vulnerabilities in wu-ftpd on Red Hat 6.2 and 7.0), the Badbunny macro worm for OpenOffice, or the Morris worm itself.

However, almost every antivirus manufacturer has a version for Linux. True, most often it is a version for a mail server, gateway or shared file storage, meant to protect Windows clients. But lately the number of antiviruses for the Linux desktop has started to grow, and the makers of these products frighten us with the “exponentially increasing amount of malware for Linux”. Whether to use an antivirus on a Linux desktop is everyone's personal choice. For me, as long as the popularity of Linux on desktops has not exceeded 1-2% and the makers of popular distributions release security updates promptly, there is nothing to be afraid of. But there are situations when you need to check a Windows hard drive or a flash drive for viruses before giving it to someone. In such cases an antivirus for Linux can come in handy.

In general, testing antiviruses is a thankless task, since there is no objective test and everything depends heavily on the test set of viruses (which manufacturers exploit successfully, periodically presenting to the public tests that “indisputably” prove their antivirus is “the best”). Since in all Linux antiviruses the databases and the engine are identical to the Windows version, you can safely judge the effectiveness of Linux antiviruses by the tests of their Windows versions.

Paid

Manufacturers charge money for most of these antiviruses. If an antivirus was made with corporate clients in mind, it will cost good money. But if you need an antivirus “for a couple of uses,” you can get by with a trial license (fortunately, most manufacturers provide one).

I'll start the review with Dr.Web for Linux, since the “revolutionary” version 6, with new interesting features and a graphical interface, came out in April. Both 32- and 64-bit distributions are supported. Installation is elementary: a .run file is downloaded from the official website, and when launched a graphical installer appears. After a couple of clicks on the "Next" button the product is installed. If you don't have a license key yet, during installation you can request a 30-day demo key from the company's server (a demo key can be requested no more than once every 4 months). After installation a "DrWeb" item appears in the Gnome menu (with two sub-items: launching the antivirus and removing it), and a nice icon appears in the tray, not very well suited to the default Ubuntu theme, indicating that the file monitor is running.

There is also a CLI scanner; to scan the current directory, launch it like this:

$ /opt/drweb/drweb ./

If it complains about a missing key file, run it pointing at the ini file, for example:

$ /opt/drweb/drweb -ini=/home/adept/.drweb/drweb32.ini ./

In total, for 799 rubles per year the user gets an antivirus with graphical (GTK) and CLI interfaces, DE integration, an anti-virus scanner and a monitor that checks files as they are accessed. Considering the engine and databases shared with the Windows version, this is a pretty good offer for those who need a paid antivirus for the Linux desktop in order to sleep soundly.

Unlike Dr.Web, Kaspersky Lab believes that a home Linux user does not need an antivirus at all, but that it might come in handy in the corporate sector. That is why Kaspersky Anti-Virus for Linux Workstation cannot be purchased separately, only as part of Kaspersky Total Space Security, Kaspersky Enterprise Space Security, Kaspersky Business Space Security or Kaspersky Work Space Security (that is, from 7,700 rubles per year). The Linux version is not updated very actively: the last release (5.7.26) was back in October 2008. Deb and rpm packages are available on the site, and support for both 32- and 64-bit is stated. During installation it immediately asks for a license key file (which can be requested on the website for testing), offers to set up a proxy and download the latest databases, and can also install a special module for webmin and compile the kavmonitor kernel module (which intercepts kernel file-access calls and checks those files for viruses). Unfortunately, kavmonitor does not support kernels newer than 2.6.21 (on 32-bit systems) and 2.6.18 (on 64-bit systems), so all more or less recent distributions will have to do without it. The antivirus has no graphical interface, only a CLI. It is launched as follows:

$ sudo /opt/kaspersky/kav4ws/bin/kav4ws-kavscanner /tmp

You can update the database like this:

$ sudo /opt/kaspersky/kav4ws/bin/kav4ws-keepup2date

Basic antivirus settings are stored in the /etc/opt/kaspersky/kav4ws.conf config.

Another antivirus manufacturer popular in our homeland, ESET, also has a version for Linux desktops (ESET NOD32 Antivirus 4 for Linux Desktop), which, however, still has beta status. But the beta can be used completely free until a certain date; after the release, most likely only the trial version will be free. x86 and x86-64 architectures are supported, and installation is done through a graphical installer. By default the antivirus is installed in /opt/eset. After installation we are greeted by a laconic GTK interface and an icon in the system tray indicating that the file monitor is running. The interface can be switched to "expert mode", which adds a couple of items: Setup (to configure the scanner and monitor) and Tools (for viewing logs and quarantined files). There is also a CLI scanner; scanning the current directory:

$ /opt/eset/esets/sbin/esets_scan ./

The '-h' option will show the possible scanning options.

Another fairly large manufacturer of antivirus solutions with Linux versions of its antiviruses is McAfee. In general, judging only by its Linux products, the vendor is rather strange (by the way, the only one whose website runs on IIS; nothing personal, just statistics :)). Instead of an all-in-one solution, its product line has several separate solutions for Linux: LinuxShield (a monitor that checks files as they are accessed) and VirusScan Command Line Scanner for Linux. LinuxShield costs approximately twice as much. But Command Line Scanner is available not only for Linux (x86 and x86-64), but also for almost every conceivable OS: Windows, FreeBSD, Solaris, HP-UX and AIX. McAfee positions its products as solutions for large companies only, so you can buy no fewer than 11 licenses of each product from partners, and before downloading the trial version you need to fill in a large registration form in which you can tell in detail about your company.

Command Line Scanner is installed using the install-uvscan script from the downloaded archive. During installation the script asks a couple of questions (where to install and whether to create symlinks) and offers to check the entire file system right away. The scanner is not designed for new distributions, so on Ubuntu 10.04 it did not start without some dancing with a tambourine, complaining about the missing libstdc++.so.5. I had to pull it from Debian. This is the only antivirus scanner that has no update utility at all. New databases must be downloaded by hand and stored in the installation directory. To scan the current directory, type:

The "man uvscan" command will tell you about a large number of options of varying usefulness.

LinuxShield officially supports only RHEL and SLED; for other distributions (and, accordingly, other kernels) the kernel has to be rebuilt with the antivirus modules. Rebuilding the kernel at every update because of the antivirus modules alone is a dubious pleasure. Moreover, it is not a given that the modules will build against kernels newer than 2.6.18.

Freebie

Some manufacturers, to attract attention to their products, issue free keys for home use (including for the Linux versions).

This is what BitDefender does, for example. Its product BitDefender Antivirus Scanner for Unices can be used completely free for personal purposes. After filling in a short registration form on the website, you receive an e-mail with a key for a year and a reminder that the key is “for personal usage only”. Another plus for BitDefender is the number of builds: deb and rpm packages, ipk (a universal installer) and tbz for FreeBSD are available for download, all of them for both 32- and 64-bit OS. The 128-page manual also inspires respect. The antivirus contains only a scanner, no monitor. The scanner can be run both through the GUI (there is DE integration) and through the CLI. Scanning the current directory:

Database update:

$ sudo bdscan --update

As usual, "man bdscan" will show you many interesting options.

Another free antivirus for personal use is AVG. There are versions for Linux (deb, rpm, sh and a plain archive with binaries; however, only 32-bit) and FreeBSD (also only x86). Version 9 is available for Windows, while for *nix there is only 8.5 so far (released in January 2010), but a beta of the upcoming version 9 can be downloaded after registration. Besides the scanner there is a monitor for on-the-fly scanning, but enabling it is not trivial: special kernel modules (RedirFS or Dazuko) are needed. The antivirus has no graphical interface, only a CLI. Scan the current directory:

Database update:

$ sudo avgupdate

The next contender is avast. You can get a free annual license for personal use after registration. There are deb, rpm and an archive with binaries. True, again only 32-bit. There is also no DE integration. The antivirus is launched with the avastgui command.

On first start it asks for a registration key or offers to follow a link and get one on the website (but don't be fooled: the cunning antivirus gives the wrong link; the correct one is www.avast.com/registration-free-antivirus.php).

In addition to the GUI, there is also a CLI interface. Scan the current directory:

Database update:

$ sudo avast-update

The next vendor offering free home use of its product is F-PROT. The Linux version is F-PROT Antivirus for Linux Workstations. There are versions for Linux (i386, x86-64 and PowerPC), FreeBSD, Solaris (SPARC and Intel) and even AIX. The latest version for Linux (6.0.3) was released in December 2009. Installation is done with the install-f-prot.pl script. The script simply creates symlinks in /usr/local/bin (or another specified directory) to the downloaded binaries, so it is better not to install F-Prot from, say, the Desktop, but first move it somewhere, for example to /opt. The last stage of installation is downloading updates and adding a cron task for hourly update downloads. Launch:

Many things can be set with parameters: for example, recursion depth (30 by default), scanning levels and the heuristics level, etc. (see "man fpscan" for details). A forced database update can be started with the fpupdate command (located in the installation directory).

Liberty

The best-known (and also the only decent) open-source antivirus is ClamAV. There is a console scanner and several GUIs for it (clamtk for GTK and klamav for KDE). It can also work as a monitor via DazukoFS. True, in most tests it does not show the most brilliant results. But it is in the repository of any distribution, for any architecture, with no licensing restrictions. Just the thing for undemanding users!

DazukoFS

DazukoFS (from Dateizugriffskontrolle, German for file access control) is a special file system that provides applications with mechanisms to control access to files. Since DazukoFS is not part of the vanilla kernel, you will have to patch and rebuild the kernel to use it. DazukoFS is used by many antiviruses to implement the monitor function.

The first two versions of Dazuko were developed and released under the GPL by Avira GmbH. The third version, called DazukoFS, was completely rewritten by the community.

Live antivirus

A LiveCD with an antivirus has helped me out more than once in situations where I needed to quickly restore at least some functionality to a Windows that would not boot under the weight of its viruses. Unfortunately, the choice among such tools is not very wide: not every vendor offers its own LiveCD, let alone for free.

Perhaps the best-known representative is Dr.Web LiveCD. The current version (5.02) came out quite a while ago, and there are no public betas yet (although a build with updated databases is released every day). But there is hope that after the release of version 6 for Linux the LiveCD will finally be updated too. Although the build is based on fairly recent components (kernel 2.6.30, for example), the LiveCD thread on the official Dr.Web forum is full of messages that the OS does not boot in graphical mode on this or that hardware. For such cases there is a SafeMode with a bare console and the console scanner.

Unlike Dr.Web, Kaspersky does not particularly advertise its LiveCD; there is not even a mention of it on the official website. But you can't hide anything from Google! 🙂 The Live CD can be downloaded freely from here. It loads quite quickly: you barely have time to notice that it is built on Gentoo and kernel 2.6.31 before the license agreement pops up. After accepting the terms of use, a GUI (it looks similar to KAV 2010) starts with the ability to scan and update databases.

AVG also has its own LiveCD. On startup you are greeted by a license agreement which, of course, after careful reading, must be accepted (otherwise, reboot). It is the only LiveCD with a pseudo-graphical interface. While loading, it automatically mounts Windows partitions, but refuses to mount partitions with a file system other than FAT or NTFS. You can, however, exit the pseudo-graphical interface (and, if necessary, run it again with the arl command), mount manually and run the scan from the console. Among the useful extras is a tool for editing the registry (Windows Registry Editor).

There are times when the results of a scan with one antivirus are not enough. Apparently the creators of the ViAvRe (Virtual Antivirus Rechecker) distribution thought so; it contains a whole bunch of different antiviruses: AVG, Avast, Doctor Web (CureIt), McAfee, BitDefender, F-Prot. The project is still very young, but already shows great promise. The latest version at the time of writing (04.10, released in April of this year) was built on OpenSuse 11.2 using SuSeStudio. Another feature of the distribution is the viavre-update command, which updates the databases of all installed antiviruses at once. The LiveCD comes in two editions: the full version with KDE (and a minimum of 768 MB RAM) and a light version with LXDE (without the McAfee and AVG antiviruses, Firefox, VirtualBox and k3b; it runs on 256 MB of RAM).

Conclusion

Unfortunately, we could not review all antiviruses for Linux, only the best known. For example, Panda DesktopSecure for Linux

www.avast.com/linux-home-edition – avast! Linux Home Edition
www.clamav.net – ClamAV
Code.google.com/p/viavre/ – ViAvRe

WARNING

Remember that disinfecting Windows from a LiveCD is not always safe. The forums are full of reports that Windows would not boot after such treatment.

It's a blast :). Let's try to configure it.

# /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl
Kaspersky Anti-Virus for Linux File Server version 8.0.1.145/RELEASE

Installing the license
The key file (a file with the .key extension) contains information about your license. You need to install it to use the application. To install it now, enter the path to your key file (or enter an empty string to continue without installing the key file): /xxx/xxx.key
The license from /xxx/xxx.key has been installed.

Configuring the proxy settings to connect to the updates source
If you use an HTTP proxy server to access the Internet, you need to specify its address to allow the application to connect to the updates source. Please enter the address of your HTTP proxy server in one of the following formats: proxyIP:port or user: :port. If you don't have or need a proxy server to access the Internet, enter "no" here, or enter "skip" to use current settings without changes.
:

Downloading the latest application databases
The latest databases are an essential part of your server protection. Would you like to download the latest databases now? (If you answer "yes", make sure you are connected to the Internet):
:

Enabling scheduled updates of the application databases
Would you like to enable scheduled updates [N]:

Setting up the kernel-level real-time protection
Would you like to compile the kernel-level real-time protection module? : no
Would you like to disable the real-time protection? : yes
Warning: The real-time protection is DISABLED.
Error: The kernel-level real-time protection module is not compiled. To manually recompile the kernel-level real-time protection module, start /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --build[=PATH] .

Setting up the Samba server real-time protection
Error: The installer couldn't find a Samba server on your computer. Either it is not installed, or is installed to an unknown location. If the Samba server is installed, specify the server installation details and enter "yes".
Otherwise, enter "no" (the Samba server configuration step will be interrupted): :
You can configure Samba server protection later by running the initial configuration script again by executing /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --samba
The real-time protection of Samba server was not setup. You can run the initial configuration script again by executing /opt/kaspersky/kav4fs/bin/kav4fs-setup.pl --samba

Setting up the Web Management Console
Warning: Password file not found, Kaspersky Web Management Console will not be started until correct password is set!
Would you like to set password for Kaspersky Web Management Console? :
Starting Kaspersky Web Management Console: kav4fs-wmconsole: password file not found! failed!
You can change password for Kaspersky Web Management Console by executing /opt/kaspersky/kav4fs/bin/kav4fs-wmconsole-passwd

Starting the real-time protection task
The task has been started, runtime ID: 1341314367.

Real-time protection doesn't seem to interest me at all. I only need to check the specified file and get the result of the check.

  • Anti-virus engine version 8.0
    The new anti-virus engine provides effective protection against malware and other computer threats. The application prevents virus outbreaks and effectively protects information without preventing users from accessing it.
  • Real-time verification
    Files are scanned in real time as they are opened, copied, executed, and saved. The application ensures that IT threats are detected and neutralized every time the file system is accessed.
  • On-demand scan
    Kaspersky Endpoint Security for Linux allows you to perform anti-virus scanning of specified areas of the system on demand and on a schedule. Other scanning methods include an enhanced heuristic analyzer that improves malware detection rates by proactively detecting previously unknown threats.
  • Frequent updates of anti-virus databases
    Both regular and emergency updates of anti-virus databases are carried out automatically. This allows you to maintain a high level of malware detection and provide high-quality protection not only for workstations, but also for the corporate IT infrastructure as a whole.

Performance optimization

  • High performance with minimal impact on system operation
    The new anti-virus engine allows not only to increase the level of threat detection, but also to significantly increase the speed of scanning and optimize resource consumption. As a result, the application has minimal impact on the operation of other programs and overall system performance.
  • New application architecture
    Kaspersky Endpoint Security for Linux uses a completely new component architecture that ensures application stability and high performance.
  • Optimizing CPU Resource Usage
    The latest version of the application has significantly reduced the consumption of system resources (processor power and disk space), and also reduced the frequency of access to the hard drive.

Centralized management

  • Remote Deployment
    The centralized management tool Kaspersky Administration Kit allows you to install applications to protect network nodes and manage their operation both locally and remotely.
  • Workstation protection management
    Different policies and tasks can be applied to any group of workstations. This allows system administrators to flexibly configure the operation of Kaspersky Endpoint Security for Linux at the level of groups of computers or individual machines.
  • Automatic update
    Anti-virus databases and software modules can be updated on demand or automatically according to a schedule. The application implements a new feature that allows you to use the Administration Server as a source of updates, and the Network Agent as a means of distributing them.
  • Support for centralized quarantine and backup storage
    Kaspersky Endpoint Security for Linux not only places infected and suspicious files in quarantine and backup storage, but also provides information about this to the Administration Server. This allows the security system administrator to use Kaspersky Administration Kit to take the necessary measures in the event of incidents.