In this section
•Component Parameters
•Customizing Monitoring Settings
The component uses configuration parameters specified in the [SMBSpider] section of the unified configuration file of Dr.Web for UNIX File Servers (see Appendix D. Dr.Web for UNIX File Servers Configuration File).
Component Parameters
The section contains the following parameters:
Parameter
|
Description
|
LogLevel
{logging level}
|
Logging level of the component.
If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.
Default value: Notice
|
Log
{log type}
|
Logging method of the component.
Default value: Auto
|
ExePath
{path to file}
|
Component executable path.
Default value: <opt_dir>/bin/drweb-smbspider-daemon.
•For GNU/Linux: /opt/drweb.com/bin/drweb-smbspider-daemon.
•For FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-smbspider-daemon |
Start
{logical}
|
The component must be started by the Dr.Web ConfigD configuration daemon.
Setting this parameter to Yes instructs the configuration daemon to start the component immediately; setting it to No instructs the daemon to terminate the component immediately.
Default value: No
|
SambaChrootDir
{path to directory}
|
Path to the root directory of the SMB file storage (can be redefined by the file server with the help of the chroot restriction).
It is inserted as a prefix at the beginning of all paths to files and directories residing in the file server storage, and it gives the path relative to the root of the local file system.
If not specified, the / path to the file system root is used.
Default value: (not specified)
|
SmbSocketPath
{path to file}
|
Path to the socket file which enables interaction between SpIDer Guard for SMB and VFS SMB modules.
The path is always relative and is appended to the path specified as the SambaChrootDir parameter value (if the SambaChrootDir parameter is empty, then it is appended to the / path to the file system root).
Default value: var/run/.com.drweb.smb_spider_vfs
|
ActionDelay
{time interval}
|
Delay time between the moment when a threat is detected and the moment when SpIDer Guard for SMB applies the action specified for this threat type. The file is blocked during this time period.
Default value: 24h
|
MaxCacheSize
{size}
|
Size of cache used by VFS SMB modules to store information about scanned files in monitored SMB directories.
If 0 is specified, the cache is not used.
Default value: 10mb
|
[*] ExcludedPath
{path to file or directory}
|
Path to the shared directory object which must be skipped during scanning together with all nested directories and files. You can specify a directory or file path. It is also possible to use file masks (which contain the characters ? and *, as well as character classes [ ], [! ], and [^ ]).
Accepts a list of values. The values in the list must be comma-separated (with each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).
Example: add the /etc/file1 file and /usr/bin directory to the list.
1. Adding values to the configuration file.
•Two values per line:
[SMBSpider]
ExcludedPath = "/etc/file1", "/usr/bin"
|
•Two lines (one value per line):
[SMBSpider]
ExcludedPath = /etc/file1
ExcludedPath = /usr/bin
|
2. Adding values with the drweb-ctl cfset command:
# drweb-ctl cfset SMBSpider.ExcludedPath -a /etc/file1
# drweb-ctl cfset SMBSpider.ExcludedPath -a /usr/bin
|
If a directory is specified, all directory content will be skipped.
Default value: (not specified)
|
[*] IncludedPath
{path to file or directory}
|
Path to the shared directory object, which must be scanned. You can specify a directory or file path. It is also possible to use file masks (that contain characters ? and *, as well as character classes [ ], [! ], and [^ ]).
Accepts a list of values. The values in the list must be comma-separated (with each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).
Example: add the /etc/file1 file and /usr/bin directory to the list.
1. Adding values to the configuration file.
•Two values per line:
[SMBSpider]
IncludedPath = "/etc/file1", "/usr/bin"
|
•Two lines (one value per line):
[SMBSpider]
IncludedPath = /etc/file1
IncludedPath = /usr/bin
|
2. Adding values with the drweb-ctl cfset command:
# drweb-ctl cfset SMBSpider.IncludedPath -a /etc/file1
# drweb-ctl cfset SMBSpider.IncludedPath -a /usr/bin
|
If a directory is specified, all directory contents including nested files and directories will be scanned.
Note that this parameter has higher priority than the ExcludedPath parameter (see above); that is, if the same object (a file or directory) is specified in both parameter values, this object will be scanned.
Default value: (not specified)
|
[*] AlertFiles
{logical}
|
Create or do not create a text file with the explanation of the reason for blocking for each blocked object. The created file will be named as <name of the blocked file>.drweb.alert.txt.
Allowed values:
•Yes—create files describing the reasons why the object was blocked;
•No—do not create files.
Default value: Yes
|
[*] OnKnownVirus
{action}
|
Action to be applied on detection of a known threat.
Allowed values: Block, Cure, Quarantine, Delete.
Default value: Cure
|
[*] OnIncurable
{action}
|
Action to be applied on detection of an incurable threat.
Allowed values: Block, Quarantine, Delete.
Default value: Quarantine
|
[*] OnSuspicious
{action}
|
Action to be applied on detection of a suspicious object.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Quarantine
|
[*] OnAdware
{action}
|
Action to be applied upon detection of adware.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Pass
|
[*] OnDialers
{action}
|
Action to be applied upon detection of a dialer.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Pass
|
[*] OnJokes
{action}
|
Action to be applied upon detection of a joke program.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Pass
|
[*] OnRiskware
{action}
|
Action to be applied upon detection of riskware.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Pass
|
[*] OnHacktools
{action}
|
Action to be applied upon detection of a hacktool.
Allowed values: Pass, Report, Block, Quarantine, Delete.
Default value: Pass
|
[*] BlockOnError
{logical}
|
Block or do not block access to a file if an attempt to scan it has failed or if there is no license that allows scanning files with SpIDer Guard for SMB.
When there is no valid license, if this parameter is set to Yes, SpIDer Guard for SMB will block all files moved to the shared directory it protects.
Allowed values:
•Yes—block access to the file;
•No—do not block.
Default value: Yes
|
[*] ScanTimeout
{time interval}
|
Timeout for scanning one file.
Allowed values: from 1 second (1s) to 1 hour (1h).
Default value: 30s
|
[*] HeuristicAnalysis
{On | Off}
|
Enable or disable the heuristic analysis for detection of unknown threats. The heuristic analysis provides higher detection reliability but increases the duration of scanning.
Action applied to threats detected by the heuristic analyzer is specified as the OnSuspicious parameter value.
Allowed values:
•On—enable the heuristic analysis while scanning;
•Off—disable the heuristic analysis.
Default value: On
|
[*] PackerMaxLevel
{integer}
|
Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.
All objects at a deeper nesting level are skipped during the scanning initiated by SpIDer Guard for SMB.
The value of the nesting level is not limited. If the value is set to 0, nested objects are not scanned.
Default value: 8
|
[*] ArchiveMaxLevel
{integer}
|
Maximum nesting level for archives (.zip, .rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.
The value of the nesting level is not limited. If the value is set to 0, nested objects are not scanned.
Default value: 0
|
[*] MailMaxLevel
{integer}
|
Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.
The value of the nesting level is not limited. If the value is set to 0, nested objects are not scanned.
Default value: 8
|
[*] ContainerMaxLevel
{integer}
|
Maximum nesting level when scanning other types of objects inside which other objects are enclosed (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.
The value of the nesting level is not limited. If the value is set to 0, nested objects are not scanned.
Default value: 8
|
[*] MaxCompressionRatio
{integer}
|
Maximum compression ratio of scanned objects (the ratio of the uncompressed size to the compressed size). If the ratio of an object exceeds the limit, this object is skipped during the scanning initiated by SpIDer Guard for SMB.
The compression ratio must be no less than 2.
Default value: 500
|
Customizing Monitoring Settings
You can specify a different tag for each VFS SMB module which monitors each shared directory (file storage). You can do that in the configuration file of the Samba SMB server (typically, this is the smb.conf file). Unique tags for VFS SMB modules in the smb.conf file are specified as follows:
where <name> is a unique tag assigned to a VFS SMB module, which controls some shared directory, by the Samba server.
If a VFS SMB module has a unique tag <name>, you can create a separate section in the configuration file of Dr.Web for UNIX File Servers in addition to the [SMBSpider] section storing all SMB parameters. The created section will cover only parameters for scanning a particular file storage protected by the VFS SMB module to which the tag was assigned. This section should be named as follows: [SMBSpider.Share.<name>].
Individual sections for VFS SMB modules can contain the parameters marked with the [*] character in the table above. Other parameters cannot be specified in individual sections because they are defined at once for all VFS SMB modules that operate with the SpIDer Guard for SMB directory monitor.
A VFS SMB module using an individual section [SMBSpider.Share.<name>] gets the values of all parameters not provided in this section from the general section [SMBSpider]. Thus, if there are no tagged individual sections, all VFS SMB modules will use the same parameters for protection of shared directories being monitored. If you delete some parameter from the [SMBSpider.Share.<name>] section, the parameter value for this section (and for the corresponding shared directory with the <name> tag) will be inherited from the corresponding “parent” parameter with the same name from the general [SMBSpider] section rather than from the default parameter.
To add a new section for the shared Samba directory with the <name> tag using the Dr.Web Ctl command-line tool for Dr.Web for UNIX File Servers management (run with the drweb-ctl command), use the following command:
# drweb-ctl cfset SmbSpider.Share -a <name>
|
Example:
# drweb-ctl cfset SmbSpider.Share -a AccountingFiles
# drweb-ctl cfset SmbSpider.Share.AccountingFiles.OnAdware Quarantine
|
The first command adds the [SMBSpider.Share.AccountingFiles] section to the configuration file, and the second command changes the OnAdware parameter value in this section. The added section will thus contain all parameters marked with the [*] character in the table above, and the values of all of them, except for the OnAdware parameter set by the second command, will coincide with the parameter values from the general [SMBSpider] section.
|
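The inheritance rule described above (share section first, then [SMBSpider], then the documented default), written out as an added example that is not part of Dr.Web's documentation or code: a resolver that reports the effective settings for one share and rejects parameters that are not marked [*] in a share section. The file-syntax handling ('#' comment lines, simple comma splitting) and the share name Public are assumptions.

```python
# Defaults of the parameters marked [*] on this page (the only ones valid per share).
DEFAULTS = {
    "ExcludedPath": [], "IncludedPath": [], "AlertFiles": "Yes",
    "OnKnownVirus": "Cure", "OnIncurable": "Quarantine", "OnSuspicious": "Quarantine",
    "OnAdware": "Pass", "OnDialers": "Pass", "OnJokes": "Pass", "OnRiskware": "Pass",
    "OnHacktools": "Pass", "BlockOnError": "Yes", "ScanTimeout": "30s",
    "HeuristicAnalysis": "On", "PackerMaxLevel": "8", "ArchiveMaxLevel": "0",
    "MailMaxLevel": "8", "ContainerMaxLevel": "8", "MaxCompressionRatio": "500",
}
LIST_PARAMS = {"ExcludedPath", "IncludedPath"}

def parse(text):
    """Parse ini-style text into {section: {param: value}}. List parameters
    accumulate over repeated lines and comma-separated, optionally quoted values."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in LIST_PARAMS:  # assumption: no commas inside a quoted path
            items = [v.strip().strip('"') for v in value.split(",") if v.strip()]
            current.setdefault(key, []).extend(items)
        else:
            current[key] = value
    return sections

def effective(sections, share):
    """Resolve each [*] parameter: share section, then [SMBSpider], then default."""
    general = sections.get("SMBSpider", {})
    own = sections.get(f"SMBSpider.Share.{share}", {})
    misplaced = sorted(set(own) - set(DEFAULTS))  # global-only parameters
    if misplaced:
        raise ValueError(f"not allowed in a share section: {misplaced}")
    return {k: own.get(k, general.get(k, d)) for k, d in DEFAULTS.items()}

# Constructed sample: values follow the page's examples; "Public" has no section.
SAMPLE = """\
[SMBSpider]
OnAdware = Report
ExcludedPath = "/etc/file1", "/usr/bin"
[SMBSpider.Share.AccountingFiles]
OnAdware = Quarantine
"""
if __name__ == "__main__":
    print({s: effective(parse(SAMPLE), s)["OnAdware"] for s in ("AccountingFiles", "Public")})
```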