File Monitoring Modes

General Information

The SpIDer Guard file system monitor, which controls access to files, may use three monitoring modes:

Regular (set by default)—monitors file access operations (creating, opening, closing and launching). Once access to a file has been allowed, a scan of that file is requested. If the scan detects a threat, an action to neutralize the threat can be applied to the file. Applications are allowed to access the file before the scan finishes.

Enhanced control of executable files—files that are not considered executable are monitored as in regular mode, while SpIDer Guard blocks access to an executable file until its scan is finished.

Executable files are binary files of PE and ELF formats, as well as script files containing the #! preamble.

“Paranoid” mode—SpIDer Guard blocks access to any file until its scan is finished.

Scanner keeps file scan results in a dedicated cache for a limited time, so reaccessing the same file does not trigger a rescan while a cached result is available; the cached result is used as the scan result instead. Even so, the “paranoid” monitoring mode slows down access to files significantly.

Switching Between File Monitoring Modes

The enhanced monitoring mode for executable files and the pre-blocking (“paranoid”) mode are only available if SpIDer Guard operates in FANOTIFY mode and the OS kernel is built with the CONFIG_FANOTIFY_ACCESS_PERMISSIONS option enabled.


Switching between the SpIDer Guard monitoring modes is performed using the cfset command of the drweb-ctl utility.


Switching between SpIDer Guard monitoring modes requires superuser privileges. To obtain them, use the su command to switch to the superuser account, or the sudo command to run the command as a different user.

To switch SpIDer Guard to the FANOTIFY mode, use the command:

# drweb-ctl cfset LinuxSpider.Mode FANOTIFY

To change the monitoring mode, use the command:

# drweb-ctl cfset LinuxSpider.BlockBeforeScan <mode>

where <mode> defines the blocking mode:

Off—access is not blocked, SpIDer Guard operates in regular (non-blocking) monitoring mode.

Executables—access to executable files is blocked, SpIDer Guard performs enhanced monitoring of executable files.

All—access to all files is blocked, SpIDer Guard monitors files in “paranoid” mode.

To change the interval during which scan results cached by Scanner remain valid, use the command:

# drweb-ctl cfset FileCheck.RescanInterval <interval>

where <interval> is the period during which cached scan results remain valid. Acceptable values range from 0s to 1m. If you set an interval shorter than 1 second, files are scanned on every access request.
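The following POSIX shell script is an added example and is not part of Dr.Web's own tooling. It wraps the drweb-ctl commands documented above: it accepts only the three BlockBeforeScan values and an interval within the documented 0s to 1m range, checks the running kernel for CONFIG_FANOTIFY_ACCESS_PERMISSIONS before enabling either blocking mode, and switches SpIDer Guard to FANOTIFY mode first whenever a blocking mode is requested. The KERNEL_CONFIG, DRYRUN and SPIDER_MODE/SPIDER_RESCAN variables are the example's own conventions, not drweb-ctl options, and the kernel configuration is assumed to be readable at /boot/config-$(uname -r) or /proc/config.gz.

```sh
#!/bin/sh
# Added example (not Dr.Web code): validate and apply the SpIDer Guard
# settings described on this page. Must run as root unless DRYRUN is set.

# Return 0 if the running kernel was built with fanotify permission events,
# which the Executables and All blocking modes require.
# KERNEL_CONFIG is our own override for testing; it is not a drweb-ctl option.
fanotify_permissions_supported() {
    cfg="${KERNEL_CONFIG:-/boot/config-$(uname -r)}"
    if [ -r "$cfg" ]; then
        grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y' "$cfg"
    elif [ -r /proc/config.gz ]; then
        zcat /proc/config.gz | grep -q '^CONFIG_FANOTIFY_ACCESS_PERMISSIONS=y'
    else
        return 1
    fi
}

# Accept only the values LinuxSpider.BlockBeforeScan documents.
valid_block_mode() {
    case "$1" in
        Off|Executables|All) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only intervals of the form <digits>s or <digits>m within 0s..1m.
valid_rescan_interval() {
    n="${1%[sm]}"
    case "$n" in ''|*[!0-9]*) return 1 ;; esac   # digits only
    unit="${1#$n}"
    case "$unit" in
        s) [ "$n" -le 60 ] ;;
        m) [ "$n" -le 1 ] ;;
        *) return 1 ;;
    esac
}

# Print the drweb-ctl command for a blocking mode, refusing blocking modes
# on a kernel that cannot deliver fanotify permission events.
block_mode_command() {
    valid_block_mode "$1" || { echo "invalid mode: $1" >&2; return 1; }
    if [ "$1" != Off ] && ! fanotify_permissions_supported; then
        echo "kernel lacks CONFIG_FANOTIFY_ACCESS_PERMISSIONS; $1 unavailable" >&2
        return 2
    fi
    echo "drweb-ctl cfset LinuxSpider.BlockBeforeScan $1"
}

# Print the drweb-ctl command for the cache validity interval.
rescan_interval_command() {
    valid_rescan_interval "$1" || { echo "invalid interval: $1" >&2; return 1; }
    echo "drweb-ctl cfset FileCheck.RescanInterval $1"
}

# Build the full command sequence; with DRYRUN set, print it instead of running it.
apply_settings() {
    mode_cmd=$(block_mode_command "$1") || return $?
    interval_cmd=$(rescan_interval_command "$2") || return $?
    fanotify_cmd=""
    # Blocking modes only work in FANOTIFY mode, so switch to it first.
    [ "$1" != Off ] && fanotify_cmd="drweb-ctl cfset LinuxSpider.Mode FANOTIFY"
    for c in "$fanotify_cmd" "$mode_cmd" "$interval_cmd"; do
        [ -n "$c" ] || continue
        if [ -n "$DRYRUN" ]; then
            echo "$c"
        else
            $c || return $?
        fi
    done
}

# Usage: SPIDER_MODE=Executables SPIDER_RESCAN=30s DRYRUN=1 sh spider-mode.sh
if [ -n "$SPIDER_MODE" ]; then
    apply_settings "$SPIDER_MODE" "${SPIDER_RESCAN:-30s}"
fi
```

Run it with DRYRUN=1 first to review the exact commands it would issue; without DRYRUN it executes them in order, stopping at the first failure so that a rejected value never leaves the monitor half-configured.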