Configuration Parameters

In this section

Component Parameters

Customizing Monitoring Settings

The component uses configuration parameters specified in the [SMBSpider] section of the unified configuration file of Dr.Web Server Security Suite.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If a parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value:

for GNU/Linux: /opt/drweb.com/bin/drweb-smbspider-daemon

for FreeBSD: /usr/local/libexec/drweb.com/bin/drweb-smbspider-daemon

Start

{boolean}

The component is started by the Dr.Web ConfigD configuration management daemon.

Setting this parameter to Yes instructs the configuration daemon to start the component immediately, whereas setting this parameter to No instructs the configuration daemon to terminate the component immediately.

Default value: No

SambaChrootDir

{path to directory}

Path to the root directory of the SMB file storage (can be redefined by the file server using chroot).

Used as a prefix inserted at the beginning of all paths to files and directories in the file server storage and describes a path to them relative to the local file system root.

If not specified, the / path to the file system root is used.

Default value: (not specified)

SmbSocketPath

{path to file}

Path to the socket file which enables interaction between SpIDer Guard for SMB and VFS SMB modules.

The path is always relative and supplements the path specified as the SambaChrootDir parameter value (if the value is empty, then the / path to the file system root is supplemented).

Default value: var/run/.com.drweb.smb_spider_vfs

ActionDelay

{time interval}

Delay time between the moment when a threat is detected and the moment when SpIDer Guard for SMB applies the action specified for this threat type. The file is blocked during this time period.

Default value: 24h

MaxCacheSize

{size}

Size of cache used by VFS SMB modules to store information about scanned files in monitored SMB directories.

If 0 is specified, the cache is not used.

Default value: 10mb

[*] ExcludedPath

{path to file or directory}

Path to a shared directory object to be skipped with all nested directories and files. Either an individual file or an entire directory can be specified. You can use file masks containing ? and * characters as well as [ ], [! ] and [^ ] character classes.

Accepts a list of values. The values in the list must be comma-separated (with each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the /etc/file1 file and the /usr/bin directory to the list.

1. Adding values to the configuration file.

Two values on one line:

[SMBSpider]
ExcludedPath = "/etc/file1", "/usr/bin"

Two lines (one value per line):

[SMBSpider]
ExcludedPath = /etc/file1
ExcludedPath = /usr/bin

2. Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset SMBSpider.ExcludedPath -a /etc/file1
# drweb-ctl cfset SMBSpider.ExcludedPath -a /usr/bin

If a directory is specified, all directory contents will be skipped.

Default value: (not specified)

[*] IncludedPath

{path to file or directory}

Path to a shared directory object that must be scanned. Either an individual file or an entire directory can be specified. You can use file masks containing ? and * characters as well as [ ], [! ] and [^ ] character classes.

Accepts a list of values. The values in the list must be comma-separated (with each value put in quotation marks). The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the /etc/file1 file and the /usr/bin directory to the list.

1. Adding values to the configuration file.

Two values on one line:

[SMBSpider]
IncludedPath = "/etc/file1", "/usr/bin"

Two lines (one value per line):

[SMBSpider]
IncludedPath = /etc/file1
IncludedPath = /usr/bin

2. Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset SMBSpider.IncludedPath -a /etc/file1
# drweb-ctl cfset SMBSpider.IncludedPath -a /usr/bin

If a directory is specified, all directory contents including nested files and directories will be scanned.

This parameter has priority over the ExcludedPath parameter (see above); that is, if the same object (a file or a directory) is specified in both parameter values, this object will be scanned.

Default value: (not specified)

[*] AlertFiles

{boolean}

Create or do not create a text file with the explanation of the reason for blocking for each blocked object. The created file will be named <name of the blocked file>.drweb.alert.txt.

Allowed values:

Yes—create files describing the reasons why the object was blocked;

No—do not create such files.

Default value: Yes

[*] OnKnownVirus

{action}

Action to be applied upon detection of a known threat.

Allowed values: BLOCK, CURE, QUARANTINE, DELETE.

Default value: CURE

[*] OnIncurable

{action}

Action to be applied upon detection of an incurable threat.

Allowed values: BLOCK, QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnSuspicious

{action}

Action to be applied upon detection of a suspicious object.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnAdware

{action}

Action to be applied upon detection of adware.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: PASS

[*] OnDialers

{action}

Action to be applied upon detection of a dialer.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: PASS

[*] OnJokes

{action}

Action to be applied upon detection of a joke program.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: PASS

[*] OnRiskware

{action}

Action to be applied upon detection of riskware.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: PASS

[*] OnHacktools

{action}

Action to be applied upon detection of a hacktool.

Allowed values: PASS, REPORT, BLOCK, QUARANTINE, DELETE.

Default value: PASS

[*] BlockOnError

{boolean}

Block or do not block access to a file if an attempt to scan it has failed or if there is no license that allows scanning files with SpIDer Guard for SMB.

If this parameter is set to Yes and there is no valid license, SpIDer Guard for SMB will block all files moved to a shared directory it protects.

Allowed values:

Yes—block access to the file;

No—do not block access to the file.

Default value: Yes

[*] ScanTimeout

{time interval}

Timeout for scanning one file.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

[*] HeuristicAnalysis

{On | Off}

Enable or disable the heuristic analysis for detection of unknown threats. The heuristic analysis provides higher detection reliability but increases the duration of scanning.

The OnSuspicious parameter defines the action applied to threats detected by the heuristic analyzer.

Allowed values:

On—enable the heuristic analysis during a scan;

Off—disable the heuristic analysis.

Default value: On

[*] PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects that may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.

All objects at a deeper nesting level are skipped during the scanning initiated by SpIDer Guard for SMB.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar and so on) in which other archives may be enclosed, whereas these archives may also include other archives and so on. The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

[*] MailMaxLevel

{integer}

Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed, whereas these files may also include other files and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] ContainerMaxLevel

{integer}

Maximum nesting level while scanning other types of objects containing nested objects (HTML pages, .jar files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] MaxCompressionRatio

{integer}

Maximum compression ratio of scanned objects (ratio between the compressed size and uncompressed size). If the ratio of an object exceeds the limit, this object is skipped during the scanning initiated by SpIDer Guard for SMB.

The compression ratio must be no less than 2.

Default value: 500

Customizing Monitoring Settings

You can specify a different tag for each VFS SMB module which monitors each shared directory (file storage). You can do that in the configuration file (typically, smb.conf) of the Samba SMB server. Unique tags for VFS SMB modules in the smb.conf file are specified as follows:

smb_spider:tag = <name>

where <name> is a unique tag that the Samba server assigns to the VFS SMB module controlling a particular shared directory.

If some VFS SMB module has a unique tag <name>, you can create a separate section in the configuration file of Dr.Web Server Security Suite in addition to the [SMBSpider] section storing all SMB parameters. The created section will cover only parameters for scanning a particular file storage protected by the VFS SMB module to which the tag was assigned. This section should be named as follows: [SMBSpider.Share.<name>].

Individual sections for VFS SMB modules can contain only the parameters marked with the [*] character in the table above. Other parameters cannot be specified in individual sections because they are defined at once for all VFS SMB modules that work with SpIDer Guard for SMB, the SMB directory monitor.

A VFS SMB module using an individual section [SMBSpider.Share.<name>] gets the values of all parameters not provided in this section from the general section [SMBSpider]. Thus, if there are no tagged individual sections, all VFS SMB modules will use the same parameters for protection of the shared directories being monitored. If you delete a parameter from the [SMBSpider.Share.<name>] section, the parameter value for this section (and for the corresponding shared directory with the <name> tag) will be inherited from the “parent” parameter with the same name in the general [SMBSpider] section rather than from the parameter's default value.

To add a new section for the shared Samba directory with the <name> tag using the Dr.Web Ctl command-line tool for Dr.Web Server Security Suite management (run with the drweb-ctl command), use the following command:

# drweb-ctl cfset SmbSpider.Share -a <name>

Example:

# drweb-ctl cfset SmbSpider.Share -a AccountingFiles
# drweb-ctl cfset SmbSpider.Share.AccountingFiles.OnAdware QUARANTINE

The first command adds the [SMBSpider.Share.AccountingFiles] section to the configuration file, and the second command changes the OnAdware parameter value in this section. The added section will contain all parameters marked with the [*] character in the table above. The values of all parameters, except for the OnAdware parameter specified in the command, will coincide with the parameter values from the general [SMBSpider] section.
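The inheritance rule described above, worked through as an added Python example (not Dr.Web code): it parses a configuration fragment, merges repeated list parameters, and reports for a tagged share whether each [*] parameter's effective value comes from the share section, the general section, or the default. The sample configuration, its paths and the function names are constructed for illustration, and the parser is a simplified reading of the file syntax shown on this page.

```python
import re

# Defaults of the [*] (per-share) parameters, copied from the table above.
DEFAULTS = {
    "ExcludedPath": [], "IncludedPath": [], "AlertFiles": "Yes", "BlockOnError": "Yes",
    "OnKnownVirus": "CURE", "OnIncurable": "QUARANTINE", "OnSuspicious": "QUARANTINE",
    "OnAdware": "PASS", "OnDialers": "PASS", "OnJokes": "PASS", "OnRiskware": "PASS",
    "OnHacktools": "PASS", "ScanTimeout": "30s", "HeuristicAnalysis": "On",
    "PackerMaxLevel": "8", "ArchiveMaxLevel": "0", "MailMaxLevel": "8",
    "ContainerMaxLevel": "8", "MaxCompressionRatio": "500",
}
LIST_PARAMS = {"ExcludedPath", "IncludedPath"}

# Constructed sample configuration (paths are made up for this example).
SAMPLE = """\
[SMBSpider]
LogLevel = Notice
OnAdware = REPORT
ExcludedPath = "/srv/tmp", "/srv/cache"
ExcludedPath = /srv/scratch

[SMBSpider.Share.AccountingFiles]
OnAdware = QUARANTINE
"""

def parse(text):
    """Parse sections; repeated list parameters are combined into one list."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        # Simplification: paths that themselves contain commas are not handled.
        values = [v.strip().strip('"') for v in value.split(",")]
        if key in LIST_PARAMS:
            current.setdefault(key, []).extend(values)
        else:
            current[key] = values[0]
    return sections

def effective(sections, share):
    """Return {param: (value, source)} for the share tagged `share`."""
    general = sections.get("SMBSpider", {})
    own = sections.get(f"SMBSpider.Share.{share}", {})
    if misplaced := sorted(set(own) - set(DEFAULTS)):
        raise ValueError(f"not allowed in a per-share section: {misplaced}")
    chain = ((own, "share"), (general, "general"), (DEFAULTS, "default"))
    return {name: next((src[name], label) for src, label in chain if name in src)
            for name in DEFAULTS}
```

Running `effective(parse(SAMPLE), "AccountingFiles")` shows OnAdware coming from the share section, ExcludedPath from the general section as one merged list, and the remaining parameters from their defaults; a share without its own section resolves entirely from [SMBSpider] and the defaults.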