Dr.Web for Novell Storage Services

Dr.Web for NSS File Servers

Interacting Modules

Dr.Web for Novell Storage Services provides anti-virus protection for NSS file system using the following interacting modules:

•NSS Daemon – resident module used for integration with NSS file system

•Dr.Web Daemon – resident module used for checking files for viruses and other threats

•Dr.Web Monitor – utility module used for starting, restarting, and terminating Dr.Web modules in the specified order and monitoring their operation

•Dr.Web Agent - module that allows integration with Dr.Web Enterprise Security Suite and gathers statistics on module operation.

Operation principle

NSS Daemon monitors selected NSS volumes and processes modified files according to the settings. You can specify NSS volumes to be monitored in the [NSS] section in the drweb-nss.conf configuration file:

•if the ProtectedVolumes parameter value is set, NSS Daemon monitors the volumes listed in this parameter;

•if the ProtectedVolumes parameter value is not set, NSS Daemon monitors all volumes mounted in the directory listed in the NSSVolumesMountDir parameter value.

Before files are sent for scanning, they are prefiltered. Thus, those that satisfy at least one of the following criteria are not scanned:

•zero file size

•file size is greater than the MaxFileSizeToScan parameter value in the [NSS] section (only if that value is not zero)

•file path is both specified as the ExcludedPaths parameter value in the [NSS] section and NOT specified as the IncludedPaths parameter value.

Files that do not satisfy the criteria mentioned above are added to the internal queue for scanning. Upon the receipt of SIGHUP signal, NSS Daemon outputs the list of queued tasks if the logging verbosity level is set to INFO. Scanning tasks are processed by the thread pool which can be configured with the CheckPoolOptions parameter in the [NSS] section: for example, enable gathering of internal statistics on NSS Daemon thread pool.

Files that must be scanned are sent to Dr.Web Daemon. You can configure interaction with Dr.Web Daemon in the [DaemonCommunication] section. NSS Daemon can simultaneously operate with Dr.Web Daemon running on the local machine and with Dr.Web Daemons running on remote machines. In the latter case, the components communicate via sockets. You can specify socket addresses and their weights in the Address parameter in the [DaemonCommunication] configuration file section. Weights are used to distribute load on the socket when NSS Daemon operates with several Dr.Web Daemons: addresses with higher weights receive more scanning requests.

On threat detection, Dr.Web Daemon processes files according to the settings specified for the threat type in the [Actions] section: for example, removes an object that can compromise the system security, moves the object to Quarantine (you can configure Quarantine settings in the [Quarantine] section). When a threat is detected, notifications can be sent (you can configure notification settings in the [Notifications] section). Information on file processing is logged (you can configure logging in the [Logging] section).

Moreover, statistics on processed files is sent to Dr.Web Agent. You can configure statistics gathering in the [Stat] section. Information on a threat is sent immediately after it was detected; general statidstics is sent at intervals specified in the SendPeriod parameter.

If an error occurs during processing of a file, NSS Daemon applies a certain action to it; the action must be specified in the ProcessingError parameter in the [Actions] section.