Antivirus support

The SURFnet IDS system uses ClamAV as its main binary scanner. Additional scanners can be installed to get a more complete picture of the malware that was collected: a sample that several engines flag is a more reliable detection than a single hit, and engines differ in what they catch. Below are notes on some virus scanners that work on Linux.

Avira Antivir notes

  • Use the default key file.
  • Do not install the internet update daemon. (The scanbinaries.pl script handles the updates)
  • Do not install Avguard.
  • Do not install the GUI.
  • No need to configure the Antivir updater (since we didn't install the updater daemon).

AVAST! notes

  • Make sure you register and retrieve the key that you need to activate your AVAST! scanner.
  • After receiving the key, run AVAST! once and enter the key.

BitDefender notes

BDC/Linux-Console v7.1 (build 2559) (i386) (Jul  6 2005 16:28:53)
Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.

Error: can't find update dll

On a Debian Etch system this error was caused by the libstdc++5 library being absent: libstdc++6 was installed, but BDC needs version 5. A simple

apt-get install libstdc++5

fixed the issue.

F-Prot notes

  • The F-Prot installer and updater both expect the libwww-perl module (the HTTP::Request Perl library) to be installed.
  • The unzip program is also needed.
apt-get install unzip libwww-perl

Kaspersky

  • The key needed to activate your Kaspersky scanner is included with the scanner.
  • The kavmonitor is not needed. If you did not compile it during installation, change the following option in the kav config, otherwise every definition update will fail trying to reload a daemon that does not exist:

/etc/kav/5.5/kav4unix/kav4unix.conf

PostUpdateCmd=/etc/init.d/kavmonitor reload_avbase

Change into:

PostUpdateCmd=

SURFids 3.0

SURFids 3.0 retrieves the results of virus scans in a new way, mainly to improve scanning performance. Four database fields have to be configured for each scanner to work; they hold the regular expressions that pick the infected and clean lines out of the scanner's textual output. The examples in this document are based on AVAST v1.0.8. Here is an example of the output of the AVAST virus scanner:

/opt/surfnetids/binaries/7b035236f806a143bcba3ac0e2ebc7a6	[OK]
/opt/surfnetids/binaries/ad7713b7b99380a5935b9a8f1ad1ecf9	[OK]
/opt/surfnetids/binaries/12d4e29a18205e80c32a916da53fc4d0	[infected by: Win32:SdBot-4142 [Trj]]
/opt/surfnetids/binaries/e878909206769c2ecb1c23342917ebce	[OK]

getvirus
The regular expression used to extract the virus name. The first capturing group (the part between parentheses) becomes the virus name.
Example:

.*\[infected by: *(.*) *\[.*\]\]$

In this case, the regular expression should return "Win32:SdBot-4142". Note that because the (.*) group is greedy and the " *" after it may match nothing, this particular expression actually captures the trailing space as well ("Win32:SdBot-4142 "); a non-greedy group, (.*?) *\[, yields the name without the space. Check for this with testscan.pl before storing the expression, since the captured string is what ends up in the database as the virus name.

matchvirus
The regular expression that matches an output line reporting a malicious binary. It has to be strict enough to ignore the binaries that were not detected as malicious ([OK]); a line that matches neither matchvirus nor matchclean (for example a scan error) is not counted as clean.
Example:

.*\[infected by:.*

getbin
The regexp used to extract the binary that was scanned. The first capturing group (the part between parentheses) becomes the binary name, which in SURFids is the MD5 hash the file is stored under.
Example:

.*\/([0-9A-Za-z]*).*\[.*\]$

In this case, the regular expression should return “12d4e29a18205e80c32a916da53fc4d0”.

matchclean
The regexp that matches a line reporting a clean binary. It has to match only the clean binaries, so anchoring on the scanner's exact "clean" marker ([OK]) at the end of the line is safer than a loose pattern.
Example:

.*\[OK\]$

Setting up new scanners

If you want to add a new virus scanner to SURFids, you can test your regular expressions with a few tools that ship with SURFids.

First of all the scan script has to know about the additional scanner. Open the scan script /opt/surfnetids/scripts/scanbinaries.pl and find the following section:

####################
# Define scanners
####################
# The 'version' commands are double-quoted Perl strings, so the awk
# field variables ($1, $2, $NF) must be escaped as \$1 etc.; otherwise
# Perl interpolates them before the shell ever sees the command.
$scanners->{"F-Prot"} = {
            'cmd' => "/opt/f-prot/fpscan -v 2 --report --adware",
            'update' => "/opt/f-prot/fpupdate",
            'version' => "/opt/f-prot/fpscan --version | grep \"F-PROT Antivirus version\" | awk -F'(' '{print \$1}' | awk '{print \$NF}'",
            'batchmode' => 0,
};
$scanners->{"AVAST"} = {
            'cmd' => "/opt/avast4workstation-1.0.8/bin/avast -n",
            'update' => "/opt/avast4workstation-1.0.8/bin/avast-update",
            'version' => "/opt/avast4workstation-1.0.8/bin/avast --version | head -n1 | awk -F\"avast \" '{print \$2}'",
            'batchmode' => 1,
};

Two scanners are defined here. To add a new one, add an entry following this template:

$scanners->{"scanner_name"} = {
            'cmd' => "command to scan all binaries",
            'update' => "command to update the virus definitions",
            'version' => "command to extract the version info",
            'batchmode' => 0,
};


The scan script determines the set of binaries to scan from several criteria (new binaries, unknown binaries, etc.). It then hands that set to each virus scanner on the command line. Some scanners cannot handle that many arguments (and the kernel itself caps the total size of a command line). For those scanners, turn on batch mode (batchmode => 1); the scanbinaries script will then scan the full set in batches of a given size, configurable in /etc/surfnetids/surfnetids-tn.conf:

# The amount of files that will be scanned in a single batch
# for the scanners with batch mode = 1
# Batch mode is required for scanners that don't accept
# a large amount of files as arguments to the scanner (example: AVAST)
$c_scan_batch_max = 50;

In the default settings the scanners with batchmode enabled will receive their binaries in batches of 50.
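The following Python sketch is an added example and not code from the SURFids project (which implements this in Perl in scanbinaries.pl). It shows what the batchmode flag and $c_scan_batch_max control: a scanner with batchmode 1 gets its files in groups of at most 50, a scanner with batchmode 0 gets the whole set in a single invocation. The optional cap on the total byte size of the argument list is an assumption of this example, added to illustrate why the batching exists; it is not a SURFids setting. The scanner is invoked through an injectable runner callable, so the block can be exercised with a fake runner and constructed paths instead of a real scanner binary.

```python
import shlex
import subprocess

C_SCAN_BATCH_MAX = 50  # default value of $c_scan_batch_max in surfnetids-tn.conf

# Scanner definitions in the shape of the $scanners hash in scanbinaries.pl.
# Command paths are the ones shown on the page; only the fields used here are kept.
SCANNERS = {
    "F-Prot": {"cmd": "/opt/f-prot/fpscan -v 2 --report --adware", "batchmode": 0},
    "AVAST":  {"cmd": "/opt/avast4workstation-1.0.8/bin/avast -n", "batchmode": 1},
}


def make_batches(paths, batch_max=C_SCAN_BATCH_MAX, arg_bytes_max=None):
    """Split paths into batches of at most batch_max entries.

    arg_bytes_max is an assumed extension (not a SURFids setting): when given,
    a batch is also closed before the summed argv bytes would exceed it, so the
    command line stays below a kernel argument-size limit.
    """
    batches, current, current_bytes = [], [], 0
    for p in paths:
        size = len(p.encode()) + 1  # +1 for the NUL terminator of each argv entry
        too_many = len(current) >= batch_max
        too_big = arg_bytes_max is not None and current_bytes + size > arg_bytes_max
        if current and (too_many or too_big):
            batches.append(current)
            current, current_bytes = [], 0
        current.append(p)
        current_bytes += size
    if current:
        batches.append(current)
    return batches


def run_scanner(scanner, paths, runner=None):
    """Run one scanner over paths, honouring its batchmode flag.

    runner(argv) -> str is injectable so the logic can be tested without the
    scanner binary; the default executes the command with subprocess.
    Returns the concatenated textual output of all invocations.
    """
    if runner is None:
        def runner(argv):
            return subprocess.run(argv, capture_output=True, text=True).stdout
    base = shlex.split(scanner["cmd"])
    groups = make_batches(paths) if scanner["batchmode"] else [list(paths)]
    return "".join(runner(base + group) for group in groups if group)


if __name__ == "__main__":
    # Constructed sample: 120 fake MD5-named binaries and a fake runner that
    # only reports how many arguments each invocation received.
    sample = ["/opt/surfnetids/binaries/%032x" % i for i in range(120)]

    def fake_runner(argv):
        return "invoked with %d arguments\n" % len(argv)

    for name in SCANNERS:
        print(name)
        print(run_scanner(SCANNERS[name], sample, runner=fake_runner), end="")
```

With the fake runner, AVAST (batchmode 1) is invoked three times with 50, 50 and 20 files, F-Prot (batchmode 0) once with all 120. The output strings from all batches are simply concatenated, which is why the regular expressions described above are applied per line and never depend on position in the output.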

After adding the new scanner to the script, you have to add or edit the corresponding database record:

name 		character varying	scanner_name
status 		integer			status (1 = active, 0 = inactive)
version 	character varying	leave this blank
getvirus 	character varying 	regular expression
matchvirus 	character varying 	regular expression
getbin 		character varying 	regular expression
matchclean 	character varying	regular expression


To test your regular expressions, scan your binaries with the new scanner and save its textual output in /opt/surfnetids/tntools/source.txt, for example:

/opt/avast4workstation-1.0.8/bin/avast -n /opt/surfnetids/binaries/ > /opt/surfnetids/tntools/source.txt

Go to the tntools directory:

cd /opt/surfnetids/tntools/

Here you find the testscan.pl script, which is intended for testing your regular expressions against source.txt. Open testscan.pl and find the following section:

########################################################################
# Regular expressions
########################################################################

$getvirus = '';
$matchvirus = '';
$getbin = '';
$matchclean = '';

########################################################################

Put your regular expressions between the quotes for each of the variables, then run ./testscan.pl and check whether the result is what you wanted. This is trial and error, so keep going until the expressions pick out exactly the infected and the clean lines and nothing else. After that, add them to the database record.
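As an added example that is not part of SURFids (and in Python rather than the project's Perl), the block below does what the testscan.pl cycle is for: it applies the four expressions from the AVAST example above to scanner output and classifies every line as infected, clean or unparsed. The unparsed bucket is the check worth having, because a line that matches neither matchvirus nor matchclean (a scan error, a changed output format) must surface rather than be counted as clean. The "[ERROR: ...]" line in the sample is constructed for this example; the other lines are the AVAST output shown above. It also demonstrates the greedy-capture caveat from the getvirus section by running the page's expression beside a non-greedy variant.

```python
import re

# Sample scanner output: the four AVAST lines from the page plus one
# constructed error line (format assumed; it is not real AVAST output).
SAMPLE_OUTPUT = """\
/opt/surfnetids/binaries/7b035236f806a143bcba3ac0e2ebc7a6\t[OK]
/opt/surfnetids/binaries/ad7713b7b99380a5935b9a8f1ad1ecf9\t[OK]
/opt/surfnetids/binaries/12d4e29a18205e80c32a916da53fc4d0\t[infected by: Win32:SdBot-4142 [Trj]]
/opt/surfnetids/binaries/e878909206769c2ecb1c23342917ebce\t[OK]
/opt/surfnetids/binaries/0123456789abcdef0123456789abcdef\t[ERROR: cannot open file]
"""

# The four database fields as given in the AVAST example on the page.
PAGE_REGEXES = {
    "matchvirus": r".*\[infected by:.*",
    "getvirus":   r".*\[infected by: *(.*) *\[.*\]\]$",
    "getbin":     r".*\/([0-9A-Za-z]*).*\[.*\]$",
    "matchclean": r".*\[OK\]$",
}

# Same fields, but getvirus uses a non-greedy group so the space in front of
# the "[Trj]" classification is not swallowed into the virus name.
TIGHT_REGEXES = dict(PAGE_REGEXES, getvirus=r".*\[infected by: *(.*?) *\[.*\]\]$")


def parse_scanner_output(text, regexes):
    """Classify scanner output lines with the four SURFids expressions.

    Returns (infected, clean, unparsed): infected maps binary name -> virus
    name, clean is the list of binary names reported as [OK], and unparsed
    keeps every line that matched neither matchvirus nor matchclean (or
    matched one of them but could not be decomposed) for manual inspection.
    """
    rx = {name: re.compile(pattern) for name, pattern in regexes.items()}
    infected, clean, unparsed = {}, [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if rx["matchvirus"].match(line):
            bin_m = rx["getbin"].match(line)
            vir_m = rx["getvirus"].match(line)
            if bin_m and vir_m:
                infected[bin_m.group(1)] = vir_m.group(1)
            else:
                unparsed.append(line)  # flagged as infected but not decomposable
        elif rx["matchclean"].match(line):
            bin_m = rx["getbin"].match(line)
            if bin_m:
                clean.append(bin_m.group(1))
            else:
                unparsed.append(line)
        else:
            unparsed.append(line)  # neither clean nor infected: never treat as clean
    return infected, clean, unparsed


if __name__ == "__main__":
    for label, regexes in (("page expressions", PAGE_REGEXES), ("non-greedy getvirus", TIGHT_REGEXES)):
        infected, clean, unparsed = parse_scanner_output(SAMPLE_OUTPUT, regexes)
        print("==", label)
        for md5, virus in infected.items():
            print("infected  %s  %r" % (md5, virus))
        for md5 in clean:
            print("clean     %s" % md5)
        for line in unparsed:
            print("UNPARSED  %s" % line)
```

With the page's expressions the infected binary is reported with the name 'Win32:SdBot-4142 ' (trailing space), with the non-greedy variant as 'Win32:SdBot-4142'; the constructed error line lands in the unparsed list in both cases instead of disappearing. To test expressions for another scanner, paste its output into SAMPLE_OUTPUT (or read /opt/surfnetids/tntools/source.txt) and replace the four patterns.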

 
kb/antivirus_support.txt · Last modified: 2012/07/12 11:27 (external edit)
 