Configuration Parameters

The component uses configuration parameters specified in the [LinuxSpider] section of the unified configuration file of Dr.Web Security Space.

Component Parameters

The section contains the following parameters (each entry gives the parameter name, its value type, and a description):

LogLevel

{logging level}

Logging level of the component.

If a parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value: /opt/drweb.com/bin/drweb-spider

Start

{boolean}

The component is started by the Dr.Web ConfigD configuration management daemon.

Setting this parameter to Yes instructs the configuration management daemon to start the component immediately; setting it to No instructs the daemon to shut the component down immediately.

Default value: Depends on the Dr.Web product as part of which the component is supplied.

Mode

{LKM | FANOTIFY | AUTO}

SpIDer Guard operation mode.

Allowed values:

LKM—use the Dr.Web LKM module installed in the operating system kernel (LKM — Loadable Kernel Module);

FANOTIFY—use the fanotify monitoring interface;

AUTO—select an optimal operation mode automatically.

This parameter value should be changed with extreme caution because Linux kernels support the two operation modes to different degrees. It is strongly recommended that you leave this parameter set to AUTO: in that case the best mode for integration with the file system is selected at startup. The component first attempts to enable the FANOTIFY mode and, if that fails, falls back to LKM. If neither mode can be enabled, the component shuts down.

If necessary, you can build the Dr.Web LKM module from source code and install it by following the instructions in the Appendix F. Building Kernel Module for SpIDer Guard section.

Default value: AUTO

DebugAccess

{boolean}

Log or do not log detailed information on file access attempts at the debug level (with LogLevel = DEBUG).

Default value: No

ExcludedProc

{path to file or path list}

List of processes whose file activity is not monitored. If a file operation was initiated by one of the processes listed in this parameter, the created or modified file is not scanned.

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the wget and curl processes to the list.

Adding the values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/wget
# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/curl

Adding values to the configuration file.

Two values on one line:

[LinuxSpider]
ExcludedProc = "/usr/bin/wget", "/usr/bin/curl"

Two lines (one value per line):

[LinuxSpider]
ExcludedProc = /usr/bin/wget
ExcludedProc = /usr/bin/curl

To apply the changes, reload the Dr.Web Security Space configuration using the command:

# drweb-ctl reload

Default value: (not specified)

ExcludedFilesystem

{file system name}

File system whose files are not monitored when they are accessed.

This option is available only in FANOTIFY mode.

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the cifs and nfs file systems to the list.

Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a cifs
# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a nfs

Adding values to the configuration file.

Two values on one line:

[LinuxSpider]
ExcludedFilesystem = "cifs", "nfs"

Two lines (one value per line):

[LinuxSpider]
ExcludedFilesystem = cifs
ExcludedFilesystem = nfs

To apply the changes, reload the Dr.Web Security Space configuration using the command:

# drweb-ctl reload

Default value: cifs

BlockBeforeScan

{Off | Executables | All}

Block files while being accessed until they are scanned by the monitor (an enhanced or “paranoid” monitoring mode).

Allowed values:

Off—do not block access to files even if they were not scanned.

Executables—block access to executable files (PE and ELF files and scripts containing the #! preamble) not scanned by the monitor.

All—block access to all files not scanned by the monitor.

Files are blocked only in FANOTIFY mode.

Default value: Off

[*] ExcludedPath

{path to file or directory}

Path to an object (file or directory) to be excluded from file monitoring. Either an individual file or an entire directory can be specified. If a directory is specified, all files and subdirectories (including nested ones) will be skipped. You can use file masks (containing characters ? and * as well as character classes [ ], [! ] and [^ ]).

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the /etc/file1 file and the /usr/bin directory to the list.

Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedPath -a /etc/file1
# drweb-ctl cfset LinuxSpider.ExcludedPath -a /usr/bin

Adding values to the configuration file.

Two values on one line:

[LinuxSpider]
ExcludedPath = "/etc/file1", "/usr/bin"

Two lines (one value per line):

[LinuxSpider]
ExcludedPath = /etc/file1
ExcludedPath = /usr/bin

To apply the changes, reload the Dr.Web Security Space configuration using the command:

# drweb-ctl reload

There is no point in providing paths to symbolic links here as only a direct path to a file is analyzed while scanning it.

Default value: /proc, /sys

[*] OnKnownVirus

{action}

Action to be applied upon detection of a known threat (a virus and so on) in the scanned file.

Allowed values: CURE, QUARANTINE, DELETE.

Default value: CURE

[*] OnIncurable

{action}

Action to be applied upon detection of an incurable threat.

Allowed values: QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnSuspicious

{action}

Action to be applied upon detection of an unknown threat (or a suspicious object) in the scanned file by using heuristic analysis.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnAdware

{action}

Action to be applied upon detection of adware in the scanned file.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnDialers

{action}

Action to be applied upon detection of a dialer in the scanned file.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: QUARANTINE

[*] OnJokes

{action}

Action to be applied upon detection of a joke program in the scanned file.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

[*] OnRiskware

{action}

Action to be applied upon detection of riskware in the scanned file.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

[*] OnHacktools

{action}

Action to be applied upon detection of a hacktool in the scanned file.

Allowed values: REPORT, QUARANTINE, DELETE.

Default value: REPORT

[*] ScanTimeout

{time interval}

Timeout for scanning one file.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

[*] HeuristicAnalysis

{On | Off}

Enable or disable the heuristic analysis for detection of unknown threats. The heuristic analysis provides higher detection reliability but increases the duration of scanning.

Action applied to threats detected by the heuristic analyzer is specified by the OnSuspicious parameter.

Allowed values:

On—enable the heuristic analysis while scanning.

Off—disable the heuristic analysis.

Default value: On

[*] PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects that may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.

There is no upper limit on this value. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar and so on) in which other archives may be enclosed, whereas these archives may also include other archives and so on. The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

There is no upper limit on this value. If the value is set to 0, nested objects are not scanned.

Default value: 0

[*] MailMaxLevel

{integer}

Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed, whereas these files may also include other files and so on. The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

There is no upper limit on this value. If the value is set to 0, nested objects are not scanned.

Default value: 0

[*] ContainerMaxLevel

{integer}

Maximum nesting level while scanning other types of objects containing nested objects (HTML pages, .jar files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects will not be scanned.

There is no upper limit on this value. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] MaxCompressionRatio

{integer}

Maximum compression ratio of scanned objects (a ratio of an uncompressed size to a compressed size). If the ratio of an object exceeds the limit, this object is skipped during the scan.

The compression ratio must be no less than 2.

Default value: 500

Customizing Protected Space Individual Monitoring Settings

For each protected space of a file system, a separate section containing the path to a monitored file system area and monitoring parameters is specified in the configuration file together with the [LinuxSpider] section, which stores all the monitor parameters. Each section must be named as [LinuxSpider.Space.<space name>], where <space name> is a unique identifier of the protected space.

The section for each protected space must contain the following parameters, which are absent from the [LinuxSpider] general section:

Enable

{boolean}

Whether the contents of the protected space located at Path (see below) are monitored.

To stop monitoring the contents of this protected space, set the parameter to No.

Default value: Yes

Path

{path to directory}

Path to a directory with files to be monitored (including nested directories).

By default, this parameter has an empty value; therefore, you must specify a value when adding the protected space to the monitoring scope.

Default value: (not specified)

If none of the protected spaces specified in the monitor settings is enabled, or none of them has a path specified, SpIDer Guard runs idle because no files in the file system tree are monitored. If you want to monitor the file system as a single protected space, remove all named protected space sections from the settings.

In addition to the parameters above, a protected space section may include any of the parameters from the general section that are marked with the [*] designation in the table above (for example, the action to be applied upon threat detection, the maximum archive nesting level and so on); a value set there overrides, for that protected space only, the value set in the general section. If a parameter is not specified for the protected space, file monitoring for that space uses the corresponding value from the [LinuxSpider] section.

To add a new section of parameters for the protected space with the <space name> tag using the Dr.Web Ctl management tool (started with the drweb-ctl command), run the command:

# drweb-ctl cfset LinuxSpider.Space -a <space name>

Example:

# drweb-ctl cfset LinuxSpider.Space -a Space1
# drweb-ctl cfset LinuxSpider.Space.Space1.Path /home/user1

The first command adds the [LinuxSpider.Space.Space1] section to the configuration file; the second one sets a value of the Path parameter for the section by specifying the path to the monitored file system area. Other parameters of this section will be the same as in the [LinuxSpider] general section.
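The override rule for [*] parameters and the ExcludedPath masks are easy to misread in a live configuration, so the following added example (not Dr.Web code) parses the repeated-key and quoted-list syntax shown above, computes the effective settings of each protected space, and tests whether a path is excluded. The configuration text, the space names and the use of Python's fnmatch for mask matching are constructed assumptions for illustration.

```python
"""Resolver for [LinuxSpider] settings (added example, not Dr.Web code).
The config below is constructed; mask matching via fnmatch is an
approximation of the monitor's own ?, * and [ ] handling."""
import fnmatch
import re

# Subset of the parameters marked [*] in the reference (overridable per space).
OVERRIDABLE = {"ExcludedPath", "OnKnownVirus", "OnSuspicious", "ScanTimeout",
               "ArchiveMaxLevel", "HeuristicAnalysis"}

SAMPLE_CONFIG = """
[LinuxSpider]
Mode = AUTO
OnSuspicious = QUARANTINE
ExcludedPath = "/proc", "/sys"
ExcludedPath = /var/cache/apt/archives/*.deb

[LinuxSpider.Space.Home]
Path = /home
ExcludedPath = "/home/*/.cache", "/home/*/snap"
OnSuspicious = REPORT

[LinuxSpider.Space.Uploads]
Path = /srv/uploads
Enable = No
"""

def parse(text):
    """Return {section: {key: [values]}}. Repeated keys accumulate and
    quoted comma-separated values are split, as the reference describes."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        vals = re.findall(r'"([^"]*)"', value) or [value.strip()]
        current.setdefault(key.strip(), []).extend(vals)
    return sections

def effective(sections, space):
    """Settings of one protected space: [*] keys set in the space section
    replace the general value; everything else comes from [LinuxSpider]."""
    merged = {k: list(v) for k, v in sections["LinuxSpider"].items()}
    for k, v in sections[f"LinuxSpider.Space.{space}"].items():
        if k in OVERRIDABLE or k in ("Path", "Enable"):
            merged[k] = list(v)
    return merged

def excluded(path, settings):
    """True if path matches, or lies under, any ExcludedPath entry."""
    return any(fnmatch.fnmatchcase(path, p) or
               fnmatch.fnmatchcase(path, p.rstrip("/") + "/*")
               for p in settings.get("ExcludedPath", []))
```

Feeding the resolver the output of drweb-ctl cfshow (or the configuration file itself) lets you confirm which action and exclusions actually apply to a given directory before relying on them.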