[Avcheck] Installing Kaspersky's AVP, AVCheck for FreeBSD 4.x

Michael Tokarev mjt@tls.msk.ru
Tue, 13 Nov 2001 23:30:27 +0300


Michael Kubecka wrote:
> 
> Hopefully this will help Len...
> 
> Please let me know about any corrections or errors...

Wow, what a lengthy message... :)  It looks awfully long,
especially for a person who wants to install things for the
first time... ;))  Well, there are some corrections at least.

[]
> Compile it and install the man page.  Make sure you are running sh or
> bash, not csh.  Otherwise, perform the make command as "make
> SHELL=/bin/sh".

This will be corrected in the next version -- I added the necessary
line into the Makefile.

[]
> (The proc directory above is probably not needed, but it's indicated in
> the Linux-slanted README.

/proc is used by kavdaemon to find another running copy of itself.
Strange that it does not use /proc on FreeBSD.

>     Some documentation has suggested changing
> group ownership of dev/console to avgroup.  That does not seem to be
> necessary for FreeBSD.)

This isn't necessary.

> ftp://ftp.kaspersky.com/AvpTest/AvpFreeBSD/4X
> http://http.kaspersky.ru/AvpTest/AvpFreeBSD
> 
> You'll need a login and password, which you can get from Kaspersky.

Is this the same as at
 ftp://ftp.avp.ru/pub/beta/KAVUnix/KAVFreeBSD/4X/ ,
 file kav-ServerSuit-3.0.136-FreeBSD-4.x.tgz ?
 (692767 bytes, Aug 1 12:53)

[]
> Change directory into /var/chroot/AVP and edit kavupdater.sh and change:
[changes for kavupdater]

Maybe it is better and simpler just to use
  wget --mirror -N ftp://ftp.avp.ru/pub/updates/* .
(I'm not sure about the options needed, the above is just an example)
and trash kavupdater the same way as kavkeeper? ;)

[]
> NOTE: Without a key, the anti-virus software will operate in demo mode
> and therefore be unable to look into MIME attachments.  It will, for
> instance, fail to detect a virus in the AVCheck-included eicar.msg test
> message, but will find it in the simple eicar.txt file.

And thus this mode is completely useless for us.

[]
> At the end of the output, you should see "0 - Antiviral bases correctly
> loaded."  That does not mean that no antivirus files were loaded.
> Rather it means that the script exited with error code 0 (no errors),
> and that all the anti-virus databases were correctly loaded.

;))

[]
> Remember that kavdaemon will eventually run chrooted, so it will see
> /var/chroot/AVP as / -- all paths should be modified accordingly.

A good question.  Maybe throw away chroot jail completely for the
first setup at least?  In fact, there is little benefit from it.
It can be used by more advanced users if they prefer this.

[]
> #!/bin/sh
> # This script assumes Postfix is managed under
> # DJ Bernstein's DaemonTools.  Modified from

Wow...  I see you like daemontools... ;)

> # examples provided by Michael Tokarev and
> # Ralf Hildebrandt.
> 
> # defer AVCheck Transport
> ## postconf -e "defer_transports = avcheck"
> svc -d /service/postfix

Is this to stop postfix?!  There is no need to stop or
change anything at a postfix side.

[]
> # start kavdaemon as chroot()'ed as unprivileged user avdaemon
> # The "echo no" line is needed only for the evaluation version,
> # otherwise comment it out.
> # echo no | \   # only needed for the evaluation version!
> /usr/bin/env - HOME=/ \
> /usr/bin/nice \
> /usr/local/sbin/uchroot -u avdaemon /var/chroot/AVP \
> ./kavdaemon -dl -MP -f=/ctl /tst > /dev/null

An rc script may be used here as well, and in fact this is
preferred: one needs to have all those settings in only one
place.

> # un-defer avcheck Transport
> ## postconf -e "defer_transports ="
> svc -u /service/postfix
> 
> and…
> 
> # chmod u+x /root/avupdate.sh
> 
> Use crontab -e to create a cron job to update the anti-virus databases
> twice a day.  Since Kaspersky is in Russia, I suggest updating the
> databases at 9 AM and 5 PM Moscow time.
> 
> COPYING SHARED LIBRARIES INTO THE CHROOT JAIL
> The kavdaemon executable is linked dynamically (check with the ldd
> command).  So we need to create a lib directory inside /var/chroot/AVP
> and copy some system libraries to it.  ldd will show what libraries are
> needed.  For example:
> 
> # ldd kavdaemon
> kavdaemon:
>         libintl.so.1 => /usr/local/lib/libintl.so.1 (0x28096000)
>         libm.so.2 => /usr/lib/libm.so.2 (0x2809b000)
>         libc.so.4 => /usr/lib/libc.so.4 (0x280b7000)
> 
> kavdaemon requires the above 3 libraries.  Copy those into the chroot.
> 
> # mkdir -p /var/chroot/AVP/usr/libexec/
> # mkdir /var/chroot/AVP/usr/lib

;)  Why do you need libexec there?  And /usr?
Will FreeBSD look into /lib by default, or into /usr/lib only?
If the former, only the /var/chroot/AVP/lib directory is needed.

[]
> AVCheck sends mail with a FROM of "Antivirus-Daemon".  You may want to
> add an entry in /etc/aliases or /etc/mail/aliases to drop mail sent to
> this automated account:
> 
> antivirus-daemon:               /dev/null

No, avcheck does not send a mail with this from address (strictly speaking,
it is the infected script that sends any additional mails).  The
"Antivirus-Daemon" is a comment; the envelope from address is empty
(<> or "" or MAILER-DAEMON and so on) -- the same address that is used
by almost any MTA as a from address for bounce messages.

What one really needs is to specify the correct administration address in
the infected script (or add an alias for virus-alert).

[]
> OTHER WORK LEFT TO BE DONE
> 
> * Supervise kavdaemon under DJ Bernstein's DaemonTools and the fghack.
> * Make sure that kavdaemon starts first under DaemonTools before Postfix
> starts.

There is no need to ensure this now.  Avcheck handles the absence of
a kavdaemon just fine -- mail will be deferred and retried some
time later.  The same is true about stopping/restarting postfix
(see above) when downloading updates.  BTW, the -w option was introduced
for this purpose -- when kavdaemon is in the process of reloading, it
may pass infected mails (there should be some races there).  Note
that when you stop postfix during the whole update, you will not
be able to use your mail system!  The best approach is to specify
a waitfile for avcheck in master.cf, then touch that file before
downloading updates (all mail, if any, that is in the process of being
checked will be completed by the time the update completes), then restart
kavdaemon, and then remove the waitfile.  That's all.

Oh well...

You provided a *good* summary for a howto.  Yet another reason to
start collecting/updating all docs... ;)  Thank you!

Regards,
 Michael.
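The two procedures discussed in the reply above, the ldd-driven copying of shared libraries into the chroot jail and the waitfile-based database update (touch the waitfile, fetch updates, restart kavdaemon, remove the waitfile), as an added shell example that is not part of the original thread or of avcheck/kavdaemon. The function names, the `LDD` override used for testing, and the update and restart commands passed as arguments are assumptions for illustration; the avcheck master.cf option itself is not shown because its exact syntax is not in the message. The ldd output used in the comments is the sample quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from avcheck/kavdaemon).
# Helper 1: populate a chroot with the libraries ldd reports.
# Helper 2: run a database update behind an avcheck waitfile.

# Read ldd output on stdin, print one absolute library path per line.
# Handles "libm.so.2 => /usr/lib/libm.so.2 (0x2809b000)" (the form
# quoted in the thread) and the bare "/path/ld.so (0x...)" loader form;
# skips the "kavdaemon:" header and any "not found" entries.
ldd_lib_paths() {
    awk '
        /not found/ { next }
        /=>/        { if ($3 ~ /^\//) print $3; next }
        $1 ~ /^\//  { print $1 }
    '
}

# Copy every library ldd lists for BINARY into CHROOT, keeping the
# original directory layout (/usr/lib/libm.so.2 -> CHROOT/usr/lib/...).
# LDD may be overridden (assumption, for testing); paths with spaces
# are not handled. Prints the number of files copied.
populate_chroot_libs() {
    binary=$1
    chroot=$2
    n=0
    for lib in $(${LDD:-ldd} "$binary" | ldd_lib_paths); do
        mkdir -p "$chroot$(dirname "$lib")"
        cp -p "$lib" "$chroot$lib"
        n=$((n + 1))
    done
    echo "$n"
}

# Arguments: WAITFILE UPDATE_CMD RESTART_CMD (commands as strings, run
# via sh -c; placeholders, e.g. the wget mirror line and an rc restart).
# Sequence from the thread: create the waitfile so avcheck holds mail,
# fetch updates, restart kavdaemon, remove the waitfile. The restart is
# skipped when the download fails (nothing new to load), and the
# waitfile is always removed so a failed run never leaves mail deferred.
# Returns the status of the first failing step, or 0.
update_with_waitfile() {
    waitfile=$1
    update_cmd=$2
    restart_cmd=$3
    status=0
    touch "$waitfile" || return 1
    if sh -c "$update_cmd"; then
        sh -c "$restart_cmd" || status=$?
    else
        status=$?
    fi
    rm -f "$waitfile"
    return "$status"
}

# Command-line use (illustrative):
#   sh avhelpers.sh populate /var/chroot/AVP/kavdaemon /var/chroot/AVP
#   sh avhelpers.sh update /var/chroot/AVP/avcheck.wait "<fetch cmd>" "<restart cmd>"
case "${1:-}" in
    populate) populate_chroot_libs "$2" "$3" ;;
    update)   update_with_waitfile "$2" "$3" "$4" ;;
esac
```

Note that `update_with_waitfile` does nothing to Postfix at all, which is the point the reply makes: with the waitfile in place, avcheck defers mail on its own, so the MTA keeps accepting mail during the update and nothing has to be stopped or re-configured on the Postfix side.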