
SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide

Created: 02 Jul 2012 • Updated: 22 Sep 2014 | 22 comments
Author: Mick2009

"AntiVirus?  I don't need any AntiVirus, I'm running Linux!"

Sound familiar?  That's what Mac users used to say, before the emergence of FakeAV targeting Macs, OSX.Macontrol, OSX.Flashback, OSX.Sabpab and the rest.  AntiVirus software, like Symantec AntiVirus for Linux, is necessary on a Linux computer too.  There are more than one hundred threats that target Linux specifically, as well as threats that affect specific software components regardless of the platform they run on.

And of course, a Linux file server can host infected files or threats that target Windows or Macintosh computers.  Running AV on the Linux file server can stop those before they spread.

More info can be found in the article:

Do we really need a Antivirus for Linux
https://www-secure.symantec.com/connect/articles/do-we-really-need-antivirus-linux#comment-7349001

 

SEP 12.1 RU5 introduced a managed SEP for Linux client in September 2014.  Details can be found in New fixes and features in Symantec Endpoint Protection and Network Access Control 12.1.5 and Symantec Endpoint Protection 12.1.5 for Linux Client Guide. The use of this new, managed SEPFL client is highly recommended over the legacy SAVFL client.

 

The Importance of Auto-Protect

My first and best piece of advice: consider Auto-Protect vital!  Real-time AV protection (as opposed to relying upon manual or scheduled scans) can detect threats and block them when they first try to get onto a Linux box.

SAV for Linux's Auto-Protect is enabled for many popular kernels immediately upon install.  For other kernels, it is necessary to compile your own Auto-Protect modules.  The benefit is definitely worth the trouble.  Here are a couple of articles on how to build your own:

Guide to building AutoProtect kernel modules for Symantec AntiVirus for Linux 1.0
Article URL http://www.symantec.com/docs/TECH132773 

Symantec AntiVirus for Linux: How to Compile Auto-Protect Kernel Modules under Ubuntu
Article URL http://www.symantec.com/docs/TECH95496 

How to Compile and Install Auto-Protect Kernel Modules for use in your local SUSE Linux environment
Article URL http://www.symantec.com/docs/TECH97037 
 

How to check if AutoProtect is enabled?

Here is the command line to run from /opt/Symantec/symantec_antivirus:

sudo ./sav info -a

To enable it:

sudo ./sav autoprotect -e

To disable it:

sudo ./sav autoprotect -d

 

OK!  I have installed SAV for Linux.  What should be scanned?

SAV for Linux (commonly abbreviated SAVFL) is configured by default for highest security, not performance. Creating certain exclusions will allow SAVFL to perform more efficiently and shorten the time it takes to complete a scheduled or manual scan.  (Using default settings, a full scheduled scan of the whole volume structure with SAVFL can take a day or more to complete, even on a small hard drive.)

One of Symantec's Linux experts shares this advice:

"A big performance hit can be AutoProtect's scanning of compressed files; disable that feature as a first step when troubleshooting performance problems. If scanning of compressed files is required by your security profile, do it selectively via manual or scheduled scans during off-peak hours."

"As with our other AV products, you should exclude other large archival formats: mail stores, databases, et al… these can be proprietary and in some case may be more suitably handled by a different security product, i.e. mail security for a mail server."

It is also recommended to exclude the following directories from scanning:

  • /sys
  • /proc

 

How to create exclusions?

The following articles contain all the necessary steps:

How to configure scanning of compressed files in Symantec AntiVirus for Linux
Article URL http://www.symantec.com/docs/TECH102882

Symantec AntiVirus for Linux: How to Configure Scan Exclusions from the Command Line Interface
Article URL http://www.symantec.com/docs/TECH95274

How to add Folder Exclusion for autoprotect, manual and weekly scans in Symantec Antivirus for Linux.
Article URL http://www.symantec.com/docs/TECH123497 
 

Creating an exclusion for a directory (for instance, /home/mick) will exclude all subdirectories (/home/mick/projects, /home/mick/Desktop and everything else under /home/mick -- be careful not to exclude too much!)
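To see in advance what a directory exclusion would silently take out of scope, here is an added example (not code from the article, and not SAVFL's own matching logic). It models the "everything beneath the directory" rule as a path-prefix match on a component boundary, so that excluding /home/mick does not also cover /home/mickey, and counts the files that would no longer be scanned. The function names and the sample tree in the usage line are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from SAVFL. Models the rule
# "a directory exclusion covers everything beneath it" so you can audit an
# exclusion before creating it. Function names are this example's own.

# Return 0 if PATH is EXCL_DIR or lies beneath it. The match is made on a
# path-component boundary, so excluding /home/mick does not also exclude
# /home/mickey (a plain string-prefix test would).
under_excluded_dir() {
    path="$1"
    excl="${2%/}"   # tolerate a trailing slash on the exclusion
    case "$path" in
        "$excl"|"$excl"/*) return 0 ;;
        *)                 return 1 ;;
    esac
}

# Print how many regular files under ROOT fall inside any of the exclusion
# directories given as the remaining arguments. A large number for a small
# exclusion is the "excluded too much" warning sign.
count_excluded_files() {
    root="$1"
    shift
    find "$root" -type f | while IFS= read -r f; do
        for e in "$@"; do
            if under_excluded_dir "$f" "$e"; then
                printf '%s\n' "$f"
                break
            fi
        done
    done | wc -l | tr -d ' '
}

# Usage: sh audit_exclusion.sh /home /home/mick [/more/excluded/dirs ...]
if [ "$#" -ge 2 ]; then
    root="$1"
    shift
    echo "files under $root that would be skipped: $(count_excluded_files "$root" "$@")"
fi
```

Run it against the tree you are about to exclude from, once per scan type you intend to exclude it from, and compare the count with what you expected to drop from scanning.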

 

How to test if SAVFL is Scanning what I want it to Scan? 

Download the EICAR test file!  Though it is completely harmless, SAVFL will detect this file and create an entry in the logs (and display a pop-up, for users who have installed SAVFL's GUI).

  1. disable autoprotect
  2. download the eicar.com file into the desired directory
  3. then re-enable autoprotect or initiate a scan.

Try to copy that EICAR file: SAVFL should either detect it or (if an exclusion covering that location was created successfully) leave it alone.

To initiate a manual scan of the home directory from /opt/Symantec/symantec_antivirus, here's the correct command line: 
sudo ./sav manualscan -s /home

 

Hey!  I excluded that directory, and SAVFL is still scanning it-?

In SAVFL, exclusions are set up in different places for manual scans, scheduled scans and AutoProtect.  Creating one exclusion will not automatically cover all types of scan.
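The EICAR procedure above, scripted as an added example (not code from the article or from Symantec): it writes the EICAR test file, follows the article's three steps, then triggers both Auto-Protect (by copying the file) and a manual scan of the directory, because each scope keeps its own exclusion list. It assumes SAVFL is installed under /opt/Symantec/symantec_antivirus, that you can run sudo, and uses only the sav commands shown on this page. Whether a detected file is removed, quarantined or left in place depends on your configured action, so the log entry remains the authoritative result; the file-presence messages are only a hint.

```shell
#!/bin/sh
# Added example, not part of the original article. Scripts the EICAR check
# and exercises two scan scopes (Auto-Protect via a file copy, and a manual
# scan), since SAVFL keeps separate exclusion lists for each.
# Assumptions: SAVFL lives under SAV_DIR (the path used in the article) and
# the caller can run sudo. Only the sav commands shown on the page are used.
SAV_DIR="${SAV_DIR:-/opt/Symantec/symantec_antivirus}"

# Print the 68-byte EICAR test string. It is assembled from two halves so
# that this script does not itself contain the full signature and get
# quarantined before it can run.
eicar_string() {
    p1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
    p2='-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
    printf '%s%s' "$p1" "$p2"
}

# Write the EICAR test file into DIR and print its path.
write_eicar() {
    dir="$1"
    eicar_string > "$dir/eicar.com"
    printf '%s\n' "$dir/eicar.com"
}

# The article's three steps: Auto-Protect off, drop the test file into the
# directory under test, Auto-Protect back on. Then trigger each scope: a
# copy (Auto-Protect sees the new file) and a manual scan of the directory.
# If DIR is covered by an exclusion for that scope the file survives;
# otherwise SAVFL should act on it and log the event. The presence checks
# below are only hints, because the configured action decides whether a
# detected file is deleted, quarantined or left in place.
eicar_scan_check() {
    dir="$1"
    echo "== Auto-Protect status before the test"
    sudo "$SAV_DIR/sav" info -a

    sudo "$SAV_DIR/sav" autoprotect -d
    f=$(write_eicar "$dir")
    sudo "$SAV_DIR/sav" autoprotect -e

    echo "== Auto-Protect scope: copying $f"
    cp "$f" "$dir/eicar-copy.com" 2>/dev/null || true
    if [ -e "$dir/eicar-copy.com" ]; then
        echo "copy still present: Auto-Protect left $dir alone (excluded, or AP module not loaded?)"
    else
        echo "copy gone: Auto-Protect acted on $dir"
    fi

    echo "== Manual scan scope: scanning $dir"
    sudo "$SAV_DIR/sav" manualscan -s "$dir"
    if [ -e "$f" ]; then
        echo "test file still present after manual scan: check whether $dir is excluded from manual scans"
    else
        echo "test file removed by manual scan"
    fi
    echo "Confirm the result in the SAVFL log entries for this run."
}

# Usage: sudo sh eicar_check.sh /path/to/directory   (does nothing if SAVFL is absent)
if [ -n "${1:-}" ] && [ -x "$SAV_DIR/sav" ]; then
    eicar_scan_check "$1"
fi
```

Run it once for a directory you expect to be scanned and once for a directory you have excluded; the two runs should differ in exactly the scope you excluded, and in nothing else.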

 

If this is an Illustrated Guide, where are all the illustrations-?

Why not start up your own SAVFL and see how it looks on your Linux machine?  &: )

If there is sufficient interest, I will create a Part 2 with detailed command-lines and examples.

 

Many thanks for reading!  Please do leave comments, below, if you find this article helpful or unhelpful. 
 

Comments (22)

MeloSep:

Great resume Mick, very helpful.

Mick2009:

Readers of this article may also be interested in its follow-up:

SAV for Linux: A (Somewhat) Illustrated Guide Part 2
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-2

With thanks and best regards,

Mick

Ashish-Sharma:

Amazing article....... Mick2009 ;)

+1

Thanks In Advance

Ashish Sharma

 

 

zafar1907:

Really helpful

Thanks and Regards,

Mohammad zafar

Please Mark as solution if this comment solved your Issue....

Be Creative. Be IT:

I confirm that SAV for Linux is able to detect Microsoft Windows-specific viruses/malware/trojans. I tested it today against a few files containing known Windows-specific malware/viruses/trojans.

However I am unable to test whether SAV for Linux is able to detect and remove Linux-specific viruses/malware/trojans as I am unable to get hold of the latter for testing.

P.S.: I am using Ubuntu 12.10, kernel 3.5.0.21,64 bit, US English with SAV for Linux version 1.0.14.13. You will have to generate your own "Autoprotect" kernel modules.

Be Creative. Be IT:

For Debian and Ubuntu users, if you are in the home directory and the file that you wish to manually scan is located in the same directory, the command that you need to enter after a terminal window is opened is:

sudo /opt/Symantec/symantec_antivirus/sav manualscan -s filename

On the other hand if you are in the /opt/Symantec/symantec_antivirus directory and you wish to manually scan a file located in the home director, the command is the following:

sudo ./sav manualscan -s /home/username/filename

Mick2009:

Readers of this article may also be interested in....

SAV for Linux: A (Somewhat) Illustrated Guide Part 3
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-3
 

With thanks and best regards,

Mick

SebastianZ:

Thumbs up for this and the whole series...good job, thanks.

Vikram Kumar-SAV to SEP:

Good work Mick..all 3 articles you've posted will be handy for anyone working on SAVFL..worth bookmarking.

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

ragenkagen:

Thanks for putting all this info here! It really helps!

-KG

John Santana:

thank  you for your efforts Mick !

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Ambesh_444:

Nice one!!! Thumbs up....

 

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

Mick2009:

Part 4 is  now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter
https://www-secure.symantec.com/connect/articles/sav-linux-somewhat-illustrated-guide-part-4-savfl-reporter

 

With thanks and best regards,

Mick

Mick2009:

Adding a link to an overview of SAVFL in Japanese:

Symantec AntiVirus for Linux について
https://www-secure.symantec.com/connect/articles/symantec-antivirus-linux

With thanks and best regards,

Mick

John Santana:

lol, did you write that article Mick :-)

Kind regards,

John Santana
IT Professional

--------------------------------------------------

Please be nice to me as I'm newbie in this forum.

Mick2009:

I wish I were that smart!  &: )

With thanks and best regards,

Mick

D@ry1:

Awesome pal...

Chetan Savade:

Hi,

The enterprise version of Symantec Endpoint Protection now includes the Symantec Endpoint Protection client for Linux. The Symantec Endpoint Protection client for Linux replaces the Symantec AntiVirus client for Linux and supports a greater range of distributions and kernels. Added distributions include Red Hat Enterprise Linux Server (RHEL) 6.5 and CentOS 6.5

SEP for Linux clients can now be managed by an RU5 SEPM, or later. Configuration enhancements have been made to the SEPM to allow policy creation for managed Linux clients. This includes AV policy settings, centralized exceptions, and LiveUpdate settings. The SEPM also features enhanced reporting for Linux clients, including the SEP client version, host OS details, and hardware details.

Can refer this article: https://www-secure.symantec.com/connect/articles/how-install-symantec-endpoint-protection-1215-ru5-linux-operating-system

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
