User manual ESET FILE SECURITY

[. . . ] we protect digital worlds ESET File Security Installation Manual and User Guide Table of contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Terminology and abbreviations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . [. . . ] CONFIGURATION Proper configuration is the most important aspect of a smooth-running security system­ the remainder of this chapter is dedicated to explaining all related components. A thorough understanding of the esets. cfg file (page 6) is also highly recommended, as this file contains informationessentialtotheconfigurationofESETFileSecurity. Aftertheproductissuccessfullyinstalled, allofitsconfigurationcomponentsarestoredin 12 ESET File Security theESETSconfigurationdirectory. Thisdirectoryconsistsofthefollowingfiles: @ETCDIR@/esets. cfg Thisisthemostimportantconfigurationfile, asitcontrolsallmajoraspectsoftheproduct's functionality. Theesets. cfgfileismadeupofseveralsections, eachsectioncontainingvarious parameters. The file contains one global and several "agent" sections, with all section names enclosedinsquarebrackets. Parametersintheglobalsectionareusedtodefineconfiguration options for the ESETS daemon as well as default values for the ESETS scanning engine configuration. Parametersintheagentsectionsareusedtodefineconfigurationoptionsforall ESET File Security agents and modules. These agents are used to intercept various data types received by the computer and prepare this data for scanning. The On-demand scanner does not require special configuration in order to run. After the ESETS package has been properly installed and a valid license has been moved to the license keys directory (@ETCDIR@/license), the On-demand scanner can be run immediately using the command line interface or scheduler tool. To run the On-demand scanner from the command line, use the following syntax: @SBINDIR@/esets_scan [option(s)] FILES whereFILESisalistofdirectoriesand/orfilestobescanned. Multiple command line options are available using ESETS On-demand scanner. To see the full listofoptions, pleaseseetheesets_scan(8)manpage. 5. 2. On-access scanner powered by Dazuko The On-access scanner is invoked by user(s) access and/or operating system access to file systemobjects. Thisalsoexplainstheterm"On-access";thescannerisinitializedonanyattempt to access a selected file system object. The technique used by ESETS On-access scanner is powered by the Dazuko (da-tzu-ko) kernel module and is based on the interception of kernel calls. The Dazuko project is open source, which means that its source code is freely distributed. This allows users to compile the kernel module for their own custom kernels. Note that the Dazuko kernel module is not a part of any ESETS product and must be compiled and installed into the kernel prior to using the On-access command esets_dac. On the other hand the Dazuko technique makes On-access scanning independent of the file system type used. It is also suitable for controlling file system objects via Network File System (NFS), Nettalk and Samba. IMPORTANT: Before we provide detailed information related to the On-access scanner's configuration and operation, it should be noted that the scanner has been primarily developed andtestedtoprotectfilesystemsmountedexternally. Iftherearemultiplefilesystemswhichare not externally mounted, they will need to be excluded from file access control in order to prevent system hang-up. An example of a typical directory to be excluded is the `/dev' directory and any directories used by ESETS. Operation principle TheOn-accessscanneresets_dac(ESETSDazuko-poweredfileAccessController)isaresident 16 ESET File Security program which provides continuous monitoring and control over the file system. Every file system object is scanned based on customizable file access event types. The following event types are supported by the current version: Open events Thisfileaccesstypeisactivatediftheword'open'ispresentinthe'event_mask`parameterin theeset. cfgfile([dac]section). Inthiscase, theON_OPENbitofDazukoaccessmaskissettoon. Close events Thisfileaccesstypeisactivatediftheword'close'ispresentinthe'event_mask`parameterin theeset. cfgfile([dac]section). Inthiscase, theON_CLOSEbitandON_CLOSE_MODIFIEDbitof Dazuko access mask is set to on. NOTE:SomeOSkernelversionsdonotsupporttheinterceptionofON_CLOSEevents. Inthese cases, closeeventswillnotbemonitoredbyesets_dac. [. . . ] For this reason, we recommend that updates be initiated on a regularbasis. Tospecifytheupdatefrequency, the`av_update_period`optionmustbedefinedin the[global]sectionoftheESETSconfigurationfile. TheESETSdaemonmustbeupandrunning in order to successfully update the virus signature database. 7. 2. ESETS update process description The update process consists of two stages: First, the precompiled update modules are downloaded from the ESET server. If the option`av_mirror_enabled` is present in the [global] sectionoftheESETSconfigurationfile, copies(ormirror)oftheseupdatemodulesarecreated in the following directory: @BASEDIR@/mirror Ifdesired, theMirrordirectorypathcanberedefinedusingthe`av_mirror_dir`optioninthe [update]sectionoftheESETSconfigurationfile. ThenewlycreatedMirrorthusservesasafully functional update server and can be used to create lower (child) Mirrors. However, the following conditionsmustbefulfilled. First, theremustbeanHTTPserverinstalledonthelowercomputer where the modules will be downloaded from. [. . . ]