Configuration Parameters

The component uses configuration parameters which can be found in the [LinuxSpider] section of the integrated configuration file of Dr.Web for UNIX File Servers.

Component Parameters.

Customizing Protected Space Monitoring Settings.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Path to the executable file of the component.

Default value: <opt_dir>/bin/drweb-spider.

For GNU/Linux: /opt/drweb.com/bin/drweb-spider

Start

{Boolean}

Launch/do not launch the component by the Dr.Web ConfigD configuration daemon.

When this parameter is set to Yes, the configuration daemon starts the component immediately; when it is set to No, the configuration daemon terminates the component immediately.

Default value: Depends on the product in which Dr.Web component is supplied and operates.

Mode

{LKM | FANOTIFY | AUTO}

Operation mode for SpIDer Guard.

Allowed values:

LKM—use the Dr.Web LKM module installed in the operating system kernel (LKM—Linux kernel module);

FANOTIFY—use the fanotify monitoring interface;

AUTO—select the mode automatically.

Change this parameter with extreme caution, as different GNU/Linux kernels support the two operating modes differently. It is strongly recommended to leave the value at AUTO: in this case the best mode of integration with the file system is selected at startup. The component first attempts to enable FANOTIFY mode and, if that fails, LKM mode. If neither mode can be enabled, the component exits.

 

If necessary, you can build a Dr.Web LKM module from the source codes and install it, following the instructions in the Building kernel module for SpIDer Guard section.

Default value: AUTO

DebugAccess

{Boolean}

Write information on file access attempts to the log at debug level (takes effect only when LogLevel = DEBUG).

Default value: No

ExcludedProc

{path to file}

Processes excluded from monitoring. Files created or modified by the listed processes are not scanned.

Multiple processes can be specified as a comma-separated list, each value in quotation marks. The parameter can be specified more than once in the section; in this case all its values are combined into one list.

Bear in mind that excluding a download tool such as wget or curl means that the files it downloads are written to disk without being scanned by SpIDer Guard.

Example: add wget and curl to the list of processes.

1. Adding the values to the configuration file.

Two values in a line:

[LinuxSpider]
ExcludedProc = "/usr/bin/wget", "/usr/bin/curl"

Two lines (a value per line):

[LinuxSpider]
ExcludedProc = /usr/bin/wget
ExcludedProc = /usr/bin/curl

2. Adding the values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/wget
# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/curl

Default value: (not set)

ExcludedFilesystem

{file system name}

Exclude the specified file system from monitoring.

This option is available only in FANOTIFY mode.

Multiple file systems can be specified as a comma-separated list, each value in quotation marks. The parameter can be specified more than once in the section; in this case all its values are combined into one list.

Example: add the cifs and nfs file systems to the list.

1. Adding the values to the configuration file.

Two values in a line:

[LinuxSpider]
ExcludedFilesystem = "cifs", "nfs"

Two lines (a value per line):

[LinuxSpider]
ExcludedFilesystem = cifs
ExcludedFilesystem = nfs

2. Adding the values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a cifs
# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a nfs

Default value: cifs

BlockBeforeScan

{Off | Executables | All}

Block access to files until they have been scanned by the monitor (enhanced, or “paranoid”, monitoring mode).

Allowed values:

Off—never block access to files, even if they have not been scanned yet;

Executables—block access to executable files (PE and ELF files, and scripts that begin with a #! preamble) that have not yet been scanned by the monitor;

All—block access to any file that has not yet been scanned by the monitor.

Files are blocked only in FANOTIFY mode.

Default value: Off

[*] ExcludedPath

{path to file or directory}

Exclude the object (a file or a directory) at the specified path from monitoring. File masks are allowed (containing the characters '?' and '*' as well as the character classes '[ ]', '[! ]' and '[^ ]').

Multiple objects can be specified as a comma-separated list, each value in quotation marks. The parameter can be specified more than once in the section; in this case all its values are combined into one list.

Example: add the file /etc/file1 and the directory /usr/bin to the list.

1. Adding the values to the configuration file.

Two values in a line:

[LinuxSpider]
ExcludedPath = "/etc/file1", "/usr/bin"

Two lines (a value per line):

[LinuxSpider]
ExcludedPath = /etc/file1
ExcludedPath = /usr/bin

2. Adding the values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedPath -a /etc/file1
# drweb-ctl cfset LinuxSpider.ExcludedPath -a /usr/bin

Note that symbolic links have no effect here: only the direct path of a file is compared with the exclusion list when scanning.

Default value: /proc, /sys

[*] OnKnownVirus

{action}

Action to be applied by Dr.Web for UNIX File Servers to a known threat (a virus and so on) detected by signature analysis.

Acceptable values: Cure, Quarantine, Delete.

Default value: Cure

[*] OnIncurable

{action}

Action to be applied by Dr.Web for UNIX File Servers to an incurable threat.

Acceptable values: Quarantine, Delete.

Default value: Quarantine

[*] OnSuspicious

{action}

Action to be applied by Dr.Web for UNIX File Servers to an unknown threat (or suspicious object) detected by heuristic analysis.

Acceptable values: Report, Quarantine, Delete.

Default value: Quarantine

[*] OnAdware

{action}

Action to be applied by Dr.Web for UNIX File Servers to adware.

Acceptable values: Report, Quarantine, Delete.

Default value: Quarantine

[*] OnDialers

{action}

Action to be applied by Dr.Web for UNIX File Servers to dialers.

Acceptable values: Report, Quarantine, Delete.

Default value: Quarantine

[*] OnJokes

{action}

Action to be applied by Dr.Web for UNIX File Servers to joke programs.

Acceptable values: Report, Quarantine, Delete.

Default value: Report

[*] OnRiskware

{action}

Action to be applied by Dr.Web for UNIX File Servers to riskware.

Acceptable values: Report, Quarantine, Delete.

Default value: Report

[*] OnHacktools

{action}

Action to be applied by Dr.Web for UNIX File Servers to hacktools.

Acceptable values: Report, Quarantine, Delete.

Default value: Report

[*] ScanTimeout

{time interval}

Timeout for scanning one file initiated by SpIDer Guard.

Acceptable values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

[*] HeuristicAnalysis

{On | Off}

Enable/disable heuristic analysis for the detection of unknown threats. Heuristic analysis increases detection reliability but also increases scanning time.

The action applied to threats detected by the heuristic analyzer is specified by the OnSuspicious parameter.

Allowed values:

On—instructs to use heuristic analysis;

Off—instructs not to use heuristic analysis.

Default value: On

[*] PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with a special packer (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may contain other packed objects, which in turn may contain packed objects, and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.

The value has no upper limit. If it is set to 0, nested objects are not scanned.

Default value: 8

[*] ArchiveMaxLevel

{integer}

Maximum nesting level for archives (zip, rar and so on) that may contain other archives (which may in turn contain other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

The value has no upper limit. If it is set to 0, nested objects are not scanned.

Default value: 0

[*] MailMaxLevel

{integer}

Maximum nesting level for mail client files (pst, tbb and so on) that may contain other files (which may in turn contain other files, and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The value has no upper limit. If it is set to 0, nested objects are not scanned.

Default value: 0

[*] ContainerMaxLevel

{integer}

Maximum nesting level when scanning other types of container objects (HTML pages, jar files, etc.) that enclose other objects. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The value has no upper limit. If it is set to 0, nested objects are not scanned.

Default value: 8

[*] MaxCompressionRatio

{integer}

Maximum compression ratio of scanned objects (ratio between the uncompressed size and compressed size). If the ratio of an object exceeds the limit, this object is skipped during file scanning initiated by SpIDer Guard.

The value must be at least 2.

Default value: 500
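As an added example (not part of this page and not Dr.Web's own code), the following Python snippet shows which files the Executables value of BlockBeforeScan covers, using plain magic-number checks on constructed sample bytes. It approximates the documented definition (PE files, ELF files, and scripts with a #! preamble); it is not the product's classifier. The practical point it makes concrete: a script that lacks the #! preamble is not an executable in this sense and is therefore not blocked before scanning.

```python
"""Classify file contents the way the BlockBeforeScan = Executables value
describes: PE files, ELF files, and scripts that start with a '#!' preamble.
This is a stand-alone approximation, not Dr.Web's own detection logic."""

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
SHEBANG = b"#!"
PE_SIGNATURE = b"PE\0\0"


def is_blockable_executable(data: bytes) -> bool:
    """Return True if `data` starts like an ELF binary, a PE binary, or a
    '#!' script, i.e. the kinds of file BlockBeforeScan = Executables blocks."""
    if data.startswith(ELF_MAGIC) or data.startswith(SHEBANG):
        return True
    if data.startswith(MZ_MAGIC) and len(data) >= 0x40:
        # A PE file is a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
        # points at the 'PE\0\0' signature of the NT headers.
        pe_offset = int.from_bytes(data[0x3C:0x40], "little")
        return data[pe_offset:pe_offset + 4] == PE_SIGNATURE
    return False


def build_fake_pe() -> bytes:
    """Construct a minimal byte string with a valid e_lfanew -> 'PE\0\0' chain."""
    header = bytearray(b"MZ" + b"\0" * 62)            # 64-byte DOS header
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # NT headers right after it
    return bytes(header) + PE_SIGNATURE + b"\0" * 20


# Constructed sample contents (not real files taken from any system).
SAMPLES = {
    "elf_binary": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13,
    "pe_binary": build_fake_pe(),
    "shell_script": b"#!/bin/sh\necho hello\n",
    "python_no_shebang": b"import os\nos.system('id')\n",  # run as 'python3 x.py'
    "dos_stub_only": b"MZ" + b"\0" * 100,                  # MZ but no PE signature
    "text_file": b"hello world\n",
}


def classify_samples() -> dict:
    """Map each sample name to whether Executables mode would block it."""
    return {name: is_blockable_executable(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in classify_samples().items():
        print(f"{name:20s} blocked before scan: {blocked}")
```

Note that the python_no_shebang sample is a perfectly runnable script when started as an interpreter argument, yet it is not an "executable" under this definition; if such files matter in your environment, the All value is the one that blocks them until scanned.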

Customizing Protected Space Monitoring Settings

For each protected space of the file system, the configuration file contains, in addition to the [LinuxSpider] section that stores the common monitor parameters, a separate section with the path to the monitored file system area (site) and the monitoring parameters for it. Each such section must be named [LinuxSpider.Space.<space name>], where <space name> is a unique identifier of the protected space.

Each such section contains the following parameters, which do not exist in the [LinuxSpider] section:

Parameter

Description

Enable

{Boolean}

Whether the contents of the protected space located in the directory specified by Path (see below) are monitored.

To stop monitoring the contents of this protected space, set the parameter to No.

Default value: Yes

Path

{path to directory}

Path to the directory whose files (including those in nested directories) are to be monitored.

By default this parameter is empty, so you must specify a value when adding a protected space to the monitoring scope.

Default value: (not specified)

If none of the protected spaces specified in the monitor settings is enabled, or their paths are not specified, SpIDer Guard runs idle because no files in the file system tree are monitored. If you want to monitor the file system as a single protected space, remove the named space sections from the settings.

In addition to the parameters above, a protected space section may contain any of the parameters from the common section of the component settings that are marked with “[*]” in the table above, overriding them for this protected space (for example, the reaction to a detected threat, the maximum archive nesting level, and so on). If a parameter is not specified for a protected space, the space is monitored with the value of that parameter from the [LinuxSpider] section.

To add a new parameter section for a protected space tagged <space name> using the Dr.Web Ctl command-line management tool of Dr.Web for UNIX File Servers (run with the drweb-ctl command), use:

# drweb-ctl cfset LinuxSpider.Space -a <space name>

Example:

# drweb-ctl cfset LinuxSpider.Space -a Space1
# drweb-ctl cfset LinuxSpider.Space.Space1.Path /home/user1

The first command adds the [LinuxSpider.Space.Space1] section to the configuration file; the second sets the Path parameter of that section to the monitored area of the file system. The other parameters of this section are the same as in the [LinuxSpider] section.
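To make the list syntax of the [LinuxSpider] parameters and the protected-space inheritance described above concrete, here is an added Python example (not part of this page and not Dr.Web's own code). It parses a constructed configuration fragment with a [LinuxSpider] section and two [LinuxSpider.Space.<name>] sections, merges repeated list parameters into one list, resolves the per-space [*] parameters against the common section, and flags settings that silently reduce coverage: every space disabled or without a Path (the idle condition), BlockBeforeScan combined with Mode = LKM, and excluded download tools. Two details are assumptions, not statements from the page: lines starting with ';' or '#' are treated as comments, and a repeated scalar parameter keeps its last value.

```python
"""Parse [LinuxSpider] and [LinuxSpider.Space.<name>] sections and compute
the effective monitoring settings per protected space (added example)."""
import csv
import re

# Parameters the page documents as lists: repeated keys merge into one list.
LIST_KEYS = {"ExcludedProc", "ExcludedFilesystem", "ExcludedPath"}

# Parameters marked [*] in the table: a protected space may override them.
OVERRIDABLE = {
    "ExcludedPath", "OnKnownVirus", "OnIncurable", "OnSuspicious", "OnAdware",
    "OnDialers", "OnJokes", "OnRiskware", "OnHacktools", "ScanTimeout",
    "HeuristicAnalysis", "PackerMaxLevel", "ArchiveMaxLevel", "MailMaxLevel",
    "ContainerMaxLevel", "MaxCompressionRatio",
}

# Documented defaults of the [LinuxSpider] section used by this example.
DEFAULTS = {
    "Mode": "AUTO", "BlockBeforeScan": "Off", "ExcludedProc": [],
    "ExcludedFilesystem": ["cifs"], "ExcludedPath": ["/proc", "/sys"],
    "OnKnownVirus": "Cure", "OnIncurable": "Quarantine", "OnSuspicious": "Quarantine",
    "OnAdware": "Quarantine", "OnDialers": "Quarantine", "OnJokes": "Report",
    "OnRiskware": "Report", "OnHacktools": "Report", "ScanTimeout": "30s",
    "HeuristicAnalysis": "On", "PackerMaxLevel": "8", "ArchiveMaxLevel": "0",
    "MailMaxLevel": "0", "ContainerMaxLevel": "8", "MaxCompressionRatio": "500",
}
SPACE_PREFIX = "LinuxSpider.Space."


def split_list(value):
    """Turn '"a", "b"' or 'a' into ['a', 'b'] / ['a']; quotes are optional."""
    return [v.strip() for row in csv.reader([value], skipinitialspace=True)
            for v in row if v.strip()]


def parse_config(text):
    """Parse an INI-style configuration into {section: {key: value-or-list}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # assumption: comment syntax
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            current.setdefault(key, []).extend(split_list(value))
        else:
            current[key] = value                 # assumption: last value wins
    return sections


def effective_settings(sections):
    """Return (base, spaces): [LinuxSpider] with defaults applied, and each
    protected space with unset [*] parameters inherited from base."""
    base = dict(DEFAULTS)
    base.update(sections.get("LinuxSpider", {}))
    spaces = {}
    for name, params in sections.items():
        if not name.startswith(SPACE_PREFIX):
            continue
        space = {k: base[k] for k in OVERRIDABLE}
        space.update({"Enable": "Yes", "Path": ""})   # documented defaults
        for key, value in params.items():
            if key not in OVERRIDABLE and key not in ("Enable", "Path"):
                raise ValueError(f"{key} cannot be set per protected space")
            space[key] = value
        spaces[name[len(SPACE_PREFIX):]] = space
    return base, spaces


def audit(base, spaces):
    """Flag settings that reduce monitoring coverage without any error."""
    findings = []
    active = [s for s in spaces.values() if s["Enable"].lower() == "yes" and s["Path"]]
    if spaces and not active:
        findings.append("idle: no protected space is enabled with a Path, nothing is monitored")
    for tag, s in spaces.items():
        if s["Enable"].lower() == "yes" and not s["Path"]:
            findings.append(f"{tag}: Enable=Yes but Path is empty")
    if base["BlockBeforeScan"] != "Off" and base["Mode"].upper() == "LKM":
        findings.append("BlockBeforeScan only takes effect in FANOTIFY mode, but Mode=LKM")
    for proc in base["ExcludedProc"]:
        findings.append(f"{proc} is excluded: files it creates or modifies are not scanned")
    return findings


def audit_text(text):
    return audit(*effective_settings(parse_config(text)))


# Constructed sample fragment (not a real installation's file).
SAMPLE_CONFIG = """\
; constructed sample
[LinuxSpider]
Mode = LKM
BlockBeforeScan = Executables
ExcludedProc = "/usr/bin/wget", "/usr/bin/curl"
ExcludedPath = /proc
ExcludedPath = /sys
ExcludedPath = "/var/cache/apt"

[LinuxSpider.Space.Space1]
Path = /home/user1
OnSuspicious = Report
ArchiveMaxLevel = 4

[LinuxSpider.Space.Space2]
Enable = No
Path = /srv/share
"""

if __name__ == "__main__":
    base, spaces = effective_settings(parse_config(SAMPLE_CONFIG))
    for tag, s in spaces.items():
        print(tag, s["Enable"], s["Path"], s["OnSuspicious"], s["ArchiveMaxLevel"])
    for finding in audit(base, spaces):
        print("!", finding)
```

Running the sample shows Space1 inheriting OnKnownVirus = Cure from the common section while overriding OnSuspicious and ArchiveMaxLevel, and the audit reports that BlockBeforeScan = Executables is inert under Mode = LKM and that wget and curl downloads bypass scanning. Disabling Space1 as well reproduces the idle condition described above.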