[Avcheck] README.AVP

Michael Tokarev mjt@tls.msk.ru
Sun, 11 Nov 2001 22:37:09 +0300


Len Conrad wrote:
[]
> setting up server version of kav for freebsd + postfix (+ avcheck) is hard
> when the only doc is what's in the kasp .tgz files.

It shouldn't be difficult either - you need only the executable,
the virus/pattern bases, and two ini files from kav.

> >See for example notes from Michael Kubecka, or from Piotr Klaban
> >(he uses avcheck on Solaris).
> 
> where are these notes? I can't find them on avcheck website, nor in the
> avcheck-0.6 file.

I assumed you're subscribed to avcheck mailinglist.  Look into
archives at www.corpit.ru/pipermail/avcheck/, and for october's
threads in particular.  Well, not that *great* information, but
the setup procedure isn't very difficult either.

> -----------------------------
> 
> in your README.AVP, your mods to defUnix.prf don't match the defUnix.prf
> delivered in the file:
> 
> kav-WorkStationSuit-3.0.136-FreeBSD-4.x.tgz
> 
> which is included in the file:
> 
> kav-ServerSuit-3.0.136-FreeBSD-4.x.tgz

So they changed things again.

> [Location]
> List=/tst
> ...doesn't exist

In README.AVP, there are comments around every option.  For
example this one tells kavdaemon where it should be allowed to
look for files.  The same can be specified in command line too,
but I prefer to list things here.  You can search ini files
you have (defUnix.prf and AvpUnix.ini if memory serves me
correctly) and find the key.  And -- your best "friend" here
is, unfortunately, comments in their files.  The options
listed here show what should be done, but in fact not exactly
*how* that needs to be done.  It is difficult to follow kaspersky
modifications.  Well, 3.0.136 should be more-or-less old (not
to say that more recent version exists, I don't know).

> [Actions]
> InfectedAction=0
> # This one is important.
> .... but it doesn't exist.

Again, search for InfectedAction.  It is essential to set it
to 0, or else kavdaemon will ask avcheck if it wants the file to
be disinfected (btw, kavdaemon is not able to disinfect mail
archives anyway).

> [Options]
> ShowOk=No
> ShowPack=No
> Report=No
> UseSysLog=No
> 
> ... these 4 are in the [Report] section, not the [Options] section

Grr.   That *was* in [Report], but moved into [Options] at some time.
So this is again in [Report].  That's funny.  When I installed DrWeb,
I was confused by all those sections and the like and (while DrWeb
uses more "native" sections) finally just put all into one unnamed
section, to stop confusion.  BTW, it seems kavdaemon will find those
options in any section -- when I last tried to start kavdaemon, it
happily accepted AvpDaemon's configs -- but I can't say this
for sure.

> -----------------------
> 
> "Next, you will need to place avcheck, its `infected' helper and
> uchroot somewhere."
> 
> in the avcheck directory, I have
> 
> -rwxr-xr-x  1 root  wheel   3581 Oct 26 14:20 infected.ex1
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:35 infected.ex2.cs
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:53 infected.ex2.de
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:53 infected.ex2.en
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:53 infected.ex2.pl
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:53 infected.ex2.ru
> -rwxr-xr-x  1 root  wheel      0 Nov 10 23:53 infected.ex2.sk
>
> Which one is your "helper" file?  Are the above 0-byte files correct, or is
> something screwed up?

As you can guess, they are examples.  And in reality they are screwed
up -- due to failure to make.  Please do

  make clean
  make SHELL=/bin/sh

to recreate the infected.ex2.* files.  BTW, may be you can provide
French translation too? ;)  And one more note -- do not build things
as root, this is too dangerous.  Avcheck build will not do any evil
thing, but you can't know for sure about any other package.
For you, it is best to start with infected.ex2.en file and go from
there (copy it into the same directory as avcheck and name it `infected').
You may want to customize it a bit -- f.e. change admin email or
hostname.  The files are zero-length due to make failure, that, in
turn, is due to unexpected shell (you use csh, and a command to
generate the infected.ex2.* files should run by Bourne Shell -- cured
by adding "SHELL=/bin/sh" into Makefile or into make's commandline).
 
> Finally, when I try to start up with
> 
> #/usr/bin/env - HOME=/ \
>  >   /usr/bin/nice \
>  >   /var/spool/avp/uchroot -u avdaemon /var/spool/avp \
>  >   /kavdaemon -dl -f=/ctl /tst
> /usr/libexec/ld-elf.so.1: Shared object "libintl.so.1" not found
> 
> but:
> 
> # ls -alR /var/spool/avp/usr
> total 4
> drwxr-xr-x   4 avclient  avgroup  512 Nov 11 03:01 .
> drwxr-xr-x  10 root      wheel    512 Nov 11 02:58 ..
> drwxr-xr-x   2 avclient  avgroup  512 Nov 11 02:59 libexec
> drwxr-xr-x   3 avclient  avgroup  512 Nov 11 03:01 local
> 
> usr/libexec:
> total 76
> drwxr-xr-x  2 avclient  avgroup    512 Nov 11 02:59 .
> drwxr-xr-x  4 avclient  avgroup    512 Nov 11 03:01 ..
> -r-xr-xr-x  1 avclient  avgroup  75472 Nov 11 02:59 ld-elf.so.1
> 
> usr/local:
> total 3
> drwxr-xr-x  3 avclient  avgroup  512 Nov 11 03:01 .
> drwxr-xr-x  4 avclient  avgroup  512 Nov 11 03:01 ..
> drwxr-xr-x  2 avclient  avgroup  512 Nov 11 03:01 lib
> 
> usr/local/lib:
> total 21
> drwxr-xr-x  2 avclient  avgroup    512 Nov 11 03:01 .
> drwxr-xr-x  3 avclient  avgroup    512 Nov 11 03:01 ..
> -rwxr-xr-x  1 avclient  avgroup  18488 Nov 11 03:01 libintl.so.1

I suggest you place all libs into /lib -- without /usr,
/usr/local and the like.  Look into ldd output and then
copy all listed libs into
 /var/spool/avp/lib/
directory -- just like README.AVP says.  About libintl -- it is
in /usr/local/lib, I guess it is not a standard lib in FreeBSD
and it is not searched by default.
 
> thanks,
> Len

Regards,
 Michael.
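The "look into ldd output and copy all listed libs into the chroot" step from the reply above, as an added example that is not code from the thread, from avcheck or from kav. It parses ldd's output into a list of library paths (reporting "not found" entries like the libintl.so.1 error quoted above) and copies them into CHROOT/lib; the sample ldd lines, and the CHROOT and BINARY names, are constructed for illustration.

```shell
# Added example (not from the thread, avcheck or kav): gather the shared
# libraries a binary needs, as ldd reports them, and copy them into a
# chroot so the daemon runs without /usr or /usr/local inside the jail.
# Assumes ldd output lines of the form
#   libintl.so.1 => /usr/local/lib/libintl.so.1 (0x2807a000)
#   /usr/libexec/ld-elf.so.1 (0x28000000)
# The sample lines and the CHROOT/BINARY paths below are constructed.

# Read ldd output on stdin and print one absolute library path per line.
# "not found" entries (the libintl.so.1 failure above) go to stderr.
libs_from_ldd() {
    while read -r line; do
        case "$line" in
            *"not found"*) printf 'missing: %s\n' "$line" >&2 ;;
            *" => "*)
                set -- $line                      # split the line into words
                while [ $# -gt 0 ] && [ "$1" != "=>" ]; do shift; done
                [ $# -gt 1 ] && case "$2" in /*) printf '%s\n' "$2" ;; esac
                ;;
            /*) set -- $line; printf '%s\n' "$1" ;;   # bare loader line
        esac
    done
}

# Read paths on stdin and copy each into CHROOT/lib.  The ELF interpreter
# (ld-elf.so.1 on FreeBSD, ld-linux*.so on Linux) is instead mirrored at
# its original absolute path under CHROOT, because the kernel resolves the
# binary's PT_INTERP path inside the chroot when it starts the program.
copy_libs_into() {
    chroot_dir=$1
    mkdir -p "$chroot_dir/lib" || return 1
    while read -r lib; do
        case "${lib##*/}" in
            ld-*|ld.so*) dest="$chroot_dir$lib" ;;
            *)           dest="$chroot_dir/lib/${lib##*/}" ;;
        esac
        mkdir -p "${dest%/*}" && cp -p "$lib" "$dest" || return 1
    done
}

# Typical use (paths assumed, matching the thread's layout):
#   ldd /var/spool/avp/kavdaemon | libs_from_ldd | copy_libs_into /var/spool/avp
```

Run it as the unprivileged build user and then check the result with `chroot` plus `ldd` from inside the jail before starting the daemon through uchroot.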