SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
"AntiVirus? I don't need any AntiVirus, I'm running Linux!"
Sound familiar? That's what Mac users used to say, before the emergence of FakeAV targeting Macs, OSX.Macontrol, OSX.Flashback, OSX.Sabpab and the rest. AntiVirus software, like Symantec AntiVirus for Linux, is necessary on a Linux computer, too. There are more than one hundred threats that target Linux specifically, as well as threats that can affect specific software components regardless of what platform they are running on.
And, of course, a Linux file server can host infected files or threats that target Windows or Macintosh computers. Running AV on the Linux file server can stop those before they spread.
More info can be found in the article:
The Importance of Auto-Protect
My first and best piece of advice: consider Auto-Protect vital! Real-time AV protection (as opposed to relying upon manual or scheduled scans) can detect threats and block them when they first try to get onto a Linux box.
SAV for Linux's Auto-Protect is enabled for many popular kernels immediately upon install. For other kernels, it is necessary to compile your own AP modules. The benefit is definitely worth the trouble. Here are a couple of articles on how to build your own:
Guide to building AutoProtect kernel modules for Symantec AntiVirus for Linux 1.0
Article URL http://www.symantec.com/docs/TECH132773
Symantec AntiVirus for Linux: How to Compile Auto-Protect Kernel Modules under Ubuntu
Article URL http://www.symantec.com/docs/TECH95496
How to Compile and Install Auto-Protect Kernel Modules for use in your local SUSE Linux environment
Article URL http://www.symantec.com/docs/TECH97037
How to check if AutoProtect is enabled?
Here is the command line to run from /opt/Symantec/symantec_antivirus:
sudo ./sav info -a
To enable it:
sudo ./sav autoprotect -e
To disable it:
sudo ./sav autoprotect -d
OK! I have installed SAV for Linux. What should be scanned?
SAV for Linux (commonly abbreviated SAVFL) is configured by default for highest security, not performance. Creating certain exclusions will allow SAVFL to perform more efficiently and shorten the time it takes to complete a scheduled or manual scan. (Using default settings, a full scheduled scan of the whole volume structure with SAVFL can require a day or more to complete, even for a small hard drive.)
One of Symantec's Linux experts shares this advice:
"A big performance hit can be AutoProtect's scanning of compressed files; disable that feature as a first step when troubleshooting performance problems. If scanning of compressed files is required by your security profile, do it selectively via manual or scheduled scans during off-peak hours."
"As with our other AV products, you should exclude other large archival formats: mail stores, databases, et al… these can be proprietary and in some cases may be more suitably handled by a different security product, i.e. mail security for a mail server."
It is also recommended to exclude the following directories from scanning:
How to create exclusions?
The following articles contain all the necessary steps:
How to configure scanning of compressed files in Symantec AntiVirus for Linux
Article URL http://www.symantec.com/docs/TECH102882
Symantec AntiVirus for Linux: How to Configure Scan Exclusions from the Command Line Interface
Article URL http://www.symantec.com/docs/TECH95274
How to add Folder Exclusion for autoprotect, manual and weekly scans in Symantec Antivirus for Linux.
Article URL http://www.symantec.com/docs/TECH123497
Creating an exclusion for a directory (for instance, /home/mick) will also exclude all of its subdirectories (/home/mick/projects, /home/mick/Desktop and everything else under /home/mick), so be careful not to exclude too much!
How to test if SAVFL is Scanning what I want it to Scan?
Download the eicar test file! Though it is completely harmless, SAVFL will detect this file and create an entry in the logs (and display a pop-up, for users who have installed SAVFL's GUI).
- Disable AutoProtect.
- Download the eicar.com file into the desired directory.
- Then re-enable AutoProtect or initiate a scan.
Try copying that eicar file: SAVFL should either detect it or, if the exclusion was created successfully, leave it alone.
To initiate a manual scan of the home directory from /opt/Symantec/symantec_antivirus, here's the correct command line:
sudo ./sav manualscan -s /home
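As an added example (not from the article or from Symantec), a small POSIX shell helper that combines the EICAR check above with the subdirectory rule from the exclusions section: it decides whether a directory falls under a given list of excluded directories, drops the published EICAR test string there, and runs the manual scan command from the article. The exclusion list is assumed to be supplied by the caller for the scan type being tested; the sav path is the one the article gives.

```shell
# Added example, not Symantec's code. Assumed: the caller passes the exclusion
# directories that apply to the scan type under test (manual scan here), since
# manual, scheduled and AutoProtect exclusions are configured separately.
SAV=/opt/Symantec/symantec_antivirus/sav   # path given in the article

# path_is_excluded PATH EXCL_DIR... -> status 0 when PATH is under any EXCL_DIR.
# Excluding /home/mick covers /home/mick/projects; the trailing-slash compare
# keeps it from also covering the sibling /home/mickey.
path_is_excluded() {
    target="${1%/}/"
    shift
    for excl in "$@"; do
        excl="${excl%/}/"
        case "$target" in
            "$excl"*) return 0 ;;
        esac
    done
    return 1
}

# write_eicar DIR -> writes the published 68-byte EICAR test string (harmless
# by design, detected by every AV engine) to DIR/eicar.com and prints the path.
write_eicar() {
    out="${1%/}/eicar.com"
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$out"
    printf '%s\n' "$out"
}

# check_dir DIR EXCL_DIR... -> prints the expected outcome, pauses AutoProtect
# so the drop itself is not blocked, drops the test file, scans DIR manually
# and re-enables AutoProtect. Compare the scan output/log with the expectation.
check_dir() {
    dir="$1"
    shift
    if path_is_excluded "$dir" "$@"; then
        echo "$dir is under an exclusion: expect NO detection"
    else
        echo "$dir is not excluded: expect eicar.com to be detected"
    fi
    if [ -x "$SAV" ]; then
        sudo "$SAV" autoprotect -d
        write_eicar "$dir"
        sudo "$SAV" manualscan -s "$dir"
        sudo "$SAV" autoprotect -e
    else
        echo "sav not found at $SAV; skipping the scan step"
    fi
}
```

Run it as `check_dir /home/mick/projects /home/mick /var/tmp` to test one directory against the exclusions you configured for manual scans; remove eicar.com afterwards.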
Hey! I excluded that directory, and SAVFL is still scanning it?
In SAVFL, exclusions are set up in different places for manual scans, scheduled scans and AutoProtect. Creating one exclusion will not automatically cover all types of scan.
If this is an Illustrated Guide, where are all the illustrations?
Why not start up your own SAVFL and see how it looks on your Linux machine? :)
If there is sufficient interest, I will create a Part 2 with detailed command-lines and examples.
Many thanks for reading! Please do leave comments, below, if you find this article helpful or unhelpful.