SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide
"AntiVirus? I don't need any AntiVirus, I'm running Linux!"
Sound familiar? That's what Mac users used to say, before the emergence of FakeAV targeting Macs, OSX.Macontrol, OSX.Flashback, OSX.Sabpab and the rest. AntiVirus software, like Symantec AntiVirus for Linux, is necessary on a Linux computer, too. There are more than one hundred threats that target Linux specifically, as well as threats that can affect specific software components regardless of what platform they are running on.
And, of course, a Linux file server can host infected files or threats that target Windows or Macintosh computers. Running AV on the Linux file server can stop those before they spread.
More info can be found in the article:
The Importance of Auto-Protect
My first and best piece of advice: consider Auto-Protect vital! Real-time AV protection (as opposed to relying upon manual or scheduled scans) can detect threats and block them when they first try to get onto a Linux box.
SAV for Linux's Auto-Protect is enabled for many popular kernels immediately upon install. For other kernels, it is necessary to compile your own AP modules. The benefit is definitely worth the trouble. Here are a couple of articles on how to build your own:
Guide to building AutoProtect kernel modules for Symantec AntiVirus for Linux 1.0
Article URL http://www.symantec.com/docs/TECH132773
Symantec AntiVirus for Linux: How to Compile Auto-Protect Kernel Modules under Ubuntu
Article URL http://www.symantec.com/docs/TECH95496
How to Compile and Install Auto-Protect Kernel Modules for use in your local SUSE Linux environment
Article URL http://www.symantec.com/docs/TECH97037
How to check if AutoProtect is enabled?
Here is the command line to run from /opt/Symantec/symantec_antivirus:
sudo ./sav info -a
To enable it:
sudo ./sav autoprotect -e
To disable it:
sudo ./sav autoprotect -d
OK! I have installed SAV for Linux. What should be scanned?
SAV for Linux (commonly abbreviated SAVFL) is configured by default for highest security, not performance. Creating certain exclusions will allow SAVFL to perform more efficiently and shorten the amount of time it takes to complete a scheduled scan or manual scan. (Using default settings, a full scheduled scan of the whole volume structure with SAVFL can require a day or more to complete, even for a small hard drive.)
One of Symantec's Linux experts shares this advice:
"A big performance hit can be AutoProtect's scanning of compressed files; disable that feature as a first step when troubleshooting performance problems. If scanning of compressed files is required by your security profile, do it selectively via manual or scheduled scans during off-peak hours."
"As with our other AV products, you should exclude other large archival formats: mail stores, databases, et al… these can be proprietary and in some cases may be more suitably handled by a different security product, i.e. mail security for a mail server."
It is also recommended to exclude the following directories from scanning:
- /sys
- /proc
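As an added example (not part of the original article and not Symantec's code), here is a small POSIX shell script that reads /proc/mounts and lists every mount point whose filesystem type is a kernel pseudo-filesystem. /sys and /proc are the two the article names; the same reasoning applies to the other pseudo-filesystems a host has mounted (cgroups, debugfs, devtmpfs and so on), so the script's output is a review list of exclusion candidates for all three scan types. The set of filesystem types and the sample mounts data are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or Symantec): list mount points whose
# filesystem type is a kernel pseudo-filesystem, so they can be reviewed as
# candidates for SAVFL scan exclusions. Scanning /proc or /sys wastes time and
# can stall on entries that are not real data files.
#
# The list of pseudo-filesystem types below is this example's assumption;
# adjust it to match your distribution.

# pseudo_fs_mounts [mounts_file]
#   Prints one mount point per line for every mount whose fstype is in the
#   pseudo-filesystem list. Reads /proc/mounts unless a file is given
#   (useful for checking a saved copy from another host).
pseudo_fs_mounts() {
    mounts_file="${1:-/proc/mounts}"
    awk '
        BEGIN {
            n = split("proc sysfs devtmpfs devpts cgroup cgroup2 debugfs tracefs securityfs pstore configfs binfmt_misc mqueue hugetlbfs fusectl efivarfs", t, " ")
            for (i = 1; i <= n; i++) pseudo[t[i]] = 1
        }
        $3 in pseudo { print $2 }
    ' "$mounts_file"
}

# is_pseudo_fs <path> [mounts_file]
#   Exit 0 if <path> is exactly a pseudo-filesystem mount point, else 1.
is_pseudo_fs() {
    pseudo_fs_mounts "${2:-/proc/mounts}" | grep -qxF -- "$1"
}

# Constructed sample in /proc/mounts format, for offline demonstration.
SAMPLE_MOUNTS="$(printf '%s\n' \
  'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0' \
  'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0' \
  'udev /dev devtmpfs rw,nosuid,relatime,size=1m,nr_inodes=1,mode=755 0 0' \
  '/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0' \
  '/dev/sdb1 /srv/mail ext4 rw,relatime 0 0' \
  'cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0')"

# demo_pseudo_fs: run the check against the constructed sample and print
# the candidate exclusion list (expected: /sys /proc /dev /sys/fs/cgroup).
demo_pseudo_fs() {
    tmp="$(mktemp)"
    printf '%s\n' "$SAMPLE_MOUNTS" > "$tmp"
    pseudo_fs_mounts "$tmp"
    rm -f "$tmp"
}

# When run directly on a Linux host, also show the live candidates.
if [ -r /proc/mounts ]; then
    pseudo_fs_mounts
fi
```

Nested pseudo-filesystems such as /sys/fs/cgroup are listed separately because an exclusion on /sys does not necessarily imply anything about a mount beneath it in every scan type; check each against the exclusion lists for manual, scheduled and AutoProtect scans.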
How to create exclusions?
The following articles contain all the necessary steps:
How to configure scanning of compressed files in Symantec AntiVirus for Linux
Article URL http://www.symantec.com/docs/TECH102882
Symantec AntiVirus for Linux: How to Configure Scan Exclusions from the Command Line Interface
Article URL http://www.symantec.com/docs/TECH95274
How to add Folder Exclusion for autoprotect, manual and weekly scans in Symantec Antivirus for Linux.
Article URL http://www.symantec.com/docs/TECH123497
How to test if SAVFL is Scanning what I want it to Scan?
Download the eicar test file! Though it is completely harmless, SAVFL will detect this file and create an entry in the logs (and display a pop-up, for users who have installed SAVFL's GUI).
- disable autoprotect
- download the eicar.com file into the desired directory
- then re-enable autoprotect or initiate a scan.
Try to copy that eicar file: SAVFL should either detect it or, if an exclusion was created successfully, leave it alone.
To initiate a manual scan of the home directory from /opt/Symantec/symantec_antivirus, here's the correct command line:
sudo ./sav manualscan -s /home
Hey! I excluded that directory, and SAVFL is still scanning it?
In SAVFL, exclusions are set up in different places for manual scans, scheduled scans and AutoProtect. Creating one exclusion will not automatically cover all types of scan.
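The eicar procedure above, as an added example that is not part of the original article and not Symantec's code: a POSIX shell script that writes the EICAR test file into a directory, checks it against the published EICAR SHA-256 so you know the scanner is being handed the genuine 68-byte test file rather than a mangled or re-encoded download, and then runs the article's manual-scan command on it. Running it against a directory you have excluded confirms the manual-scan exclusion; because the exclusion lists are separate, an AutoProtect exclusion for the same directory has to be checked the way the article describes (place the file with AutoProtect disabled, re-enable it, then copy the file). The sav path, the SAV_BIN variable and the reading of "file gone after scan" as "detected" are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the article or from Symantec): generate the EICAR
# test file into a directory, verify it byte-for-byte against the published
# EICAR checksum, then run a SAVFL manual scan on it.
#
# Assumptions (this example's own): SAV_BIN points at the sav binary under the
# path the article uses, and the script is run as root (or via sudo).

SAV_BIN="${SAV_BIN:-/opt/Symantec/symantec_antivirus/sav}"

# Published SHA-256 of the 68-byte EICAR test file (no trailing newline).
EICAR_SHA256="275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"

# The test string is kept in two halves so that a copy of this script on disk
# is not itself flagged by a scanner; it is only joined when written out.
EICAR_PART1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
EICAR_PART2='ANTIVIRUS-TEST-FILE!$H+H*'

# file_sha256 <path>  -> prints the hex SHA-256 digest of the file
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# write_eicar_file <dir>  -> writes <dir>/eicar.com and prints its path
write_eicar_file() {
    out="$1/eicar.com"
    printf '%s%s' "$EICAR_PART1" "$EICAR_PART2" > "$out" || return 1
    printf '%s\n' "$out"
}

# verify_eicar_file <path>  -> exit 0 only if the file is exactly the EICAR file
verify_eicar_file() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(wc -c < "$f" | tr -d ' ')" -eq 68 ] || return 1
    [ "$(file_sha256 "$f")" = "$EICAR_SHA256" ]
}

# eicar_probe <dir>
#   Drops a verified test file into <dir> and runs a manual scan on it with
#   the command form the article gives (sav manualscan -s <path>). Whether the
#   file is still present afterwards depends on the configured scan action:
#   absence is read here as "detected and acted on" (an assumption); presence
#   means the file was skipped (an exclusion covers <dir>) or the detection
#   was only logged, so the SAVFL log is the place to look next.
eicar_probe() {
    dir="$1"
    f="$(write_eicar_file "$dir")" || { echo "cannot write to $dir" >&2; return 2; }
    verify_eicar_file "$f" || { echo "test file checksum mismatch" >&2; return 2; }
    "$SAV_BIN" manualscan -s "$f"
    if [ -e "$f" ]; then
        echo "STILL PRESENT after scan: $f (excluded, or detection only logged)"
        return 1
    fi
    echo "REMOVED by scan: $f"
    return 0
}

# Usage (as root):  ./eicar_probe.sh /home/username/some_dir
if [ -n "${1:-}" ] && [ -x "$SAV_BIN" ]; then
    eicar_probe "$1"
fi
```

The checksum step matters more than it looks: browsers and mail gateways frequently strip, rename or append a newline to eicar.com, and a 69-byte file is no longer the EICAR signature, so a "missed" detection may simply be a bad test file.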
If this is an Illustrated Guide, where are all the illustrations?
Why not start up your own SAVFL and see how it looks on your Linux machine? :)
If there is sufficient interest, I will create a Part 2 with detailed command-lines and examples.
Many thanks for reading! Please do leave comments, below, if you find this article helpful or unhelpful.
Great resume Mick, very helpful.
Thumbs up !
Readers of this article may also be interested in its follow-up:
With thanks and best regards,
Mick
Amazing Article.......Mick2009
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Really helpful
Thanks and Regards,
Mohammad zafar
Please Mark as solution if this comment solved your Issue....
I confirm that SAV for Linux is able to detect Microsoft Windows-specific viruses/malware/trojans. I tested it today against a few files containing known Windows-specific malware/viruses/trojans.
However I am unable to test whether SAV for Linux is able to detect and remove Linux-specific viruses/malware/trojans as I am unable to get hold of the latter for testing.
P.S.: I am using Ubuntu 12.10, kernel 3.5.0.21,64 bit, US English with SAV for Linux version 1.0.14.13. You will have to generate your own "Autoprotect" kernel modules.
For Debian and Ubuntu users, if you are in the home directory and the file that you wish to manually scan is located in the same directory, the command that you need to enter after a terminal window is opened is:
sudo /opt/Symantec/symantec_antivirus/sav manualscan -s filename
On the other hand, if you are in the /opt/Symantec/symantec_antivirus directory and you wish to manually scan a file located in the home directory, the command is the following:
sudo ./sav manualscan -s /home/username/filename
Readers of this article may also be interested in....
With thanks and best regards,
Mick
Thumbs up for this and the whole series...good job, thanks.
Good work Mick..all 3 articles you've posted will be handy for anyone working on SAVFL..worth bookmarking.
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
Many thanks, Vikram! :)
Your own articles are also much recommended to all admins relying upon Symantec tools to help keep their networks secure, particularly:
With thanks and best regards,
Mick
Thanks for putting all this info here! It really helps!
-KG
thank you for your efforts Mick !
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.
Nice one!!! thumbs up....
Thanks & Regards,
Ambesh
Please mark your thread as 'SOLVED' with the answer that helps you.
Part 4 is now available...
With thanks and best regards,
Mick
Adding a link to an overview of SAVFL in Japanese:
With thanks and best regards,
Mick
lol, did you write that article Mick :-)
Kind regards,
John Santana
Graduate IT Professional
--------------------------------------------------
Please be nice to me as I'm newbie in this forum.