Linux Security 64 more documentation?

Aspirant

Linux Security 64 more documentation?

We want to switch to Linux Security 64 on RHEL 7.

But please provide some extended documentation.

Which service is responsible for what?

How to invoke a manual configuration update?

How to check proper functioning of the antivirus?

The EICAR test file is not working with full real-time scanning on / enabled; /opt/f-secure/linuxsecurity/bin/fsanalyze EICAR_Test_File_Not_A_Virus is working ok.

Do we need only to configure "Linux security 64" or is the "Real-time scanning" also involved?

1 ACCEPTED SOLUTION

Accepted Solutions
Moderator

Re: Linux Security 64 more documentation?

Hi Donovan,

I hope the below finds you well, but please do let me know if you have further concerns or questions.

  1. Which service is responsible for what?
     • Currently we have the following services for Linux Security 64, but this could change at any moment through a routine channel update without notice or advance warning.
     * f-secure-baseguard-accd.service is responsible for receiving access permission requests from the kernel through the fanotify API. It can grant access autonomously, but for malware analysis it uses f-secure-baseguard-icap.service.
     * f-secure-baseguard-as.service is a BaseGuard facility for email spam scanning. In LS64, the service is inactive.
     * f-secure-baseguard-av.service is a relic from the early days of BaseGuard. For full backward-compatibility reasons, the service cannot be removed, but it serves no purpose in any product.
     * f-secure-baseguard-cleanup.service makes sure channel updates don't accumulate on the disk without limit.
     * f-secure-baseguard-icap.service is the malware analysis service used for real-time, scheduled and manual scanning.
     * f-secure-baseguard-orspgw.service is a local proxy for F-Secure's Online Reputation Service. It is used by f-secure-baseguard-icap.service.
     * f-secure-baseguard-update.service monitors F-Secure's GUTS2 service for channel updates and sends notifications to fsbg-updated.service.
     * f-secure-linuxsecurity-fsicd.service maintains the file integrity checker baseline.
     * f-secure-linuxsecurity-lspmd.service locally distributes policy settings to LS64 services.
     * f-secure-linuxsecurity-scand.service manages manual and scheduled scans.
     * f-secure-linuxsecurity-statusd.service collects status and statistics information from LS64 services and relays them to the policy agent (fsma2).
     * fsbg-statusd.service collects status and statistics information from BaseGuard services and relays them to the policy agent (fsma2).
     * fsbg-updated.service schedules the installation of online channel updates.
     * fsbg.service locally distributes policy settings to BaseGuard services.
  2. How to invoke a manual configuration update?
     • All configuration related to Linux Security 64 needs to be done via Policy Manager. Currently it is not possible to do a manual update etc.
  3. How to check proper functioning of the antivirus?
     • The only way to check that the antivirus is functioning properly is by scanning an EICAR file. Alternatively, you could also check the status of the LS64 services and make sure that they are up and running.
  4. The EICAR test file is not working with full real-time scanning on / enabled, /opt/f-secure/linuxsecurity/bin/fsanalyze, but EICAR_Test_File_Not_A_Virus is working ok.
     • By default, the "Files and folders to scan" setting for real-time scanning is empty in Policy Manager, so the customer has to specify which files/directories are to be scanned by real-time scanning after the product installation. If they want all files to be scanned, they can consider adding the root directory (/) to that setting as below.
     • (screenshot: Capture.JPG)
  5. Do we need only to configure "Linux security 64" or is "Real-time scanning" also involved?
     • You only need to configure "Linux security 64" for this LS64 product, as shown on the screenshot above.
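As an added illustration of the two checks recommended above (service status plus an EICAR scan), here is a small health-check script; it is not F-Secure's tooling and not from this thread. It assumes a systemd host, the service names listed in the answer, and the fsanalyze path quoted in the question; the LS64_SYSTEMCTL and FSANALYZE variables and the function names are the script's own inventions.

```shell
#!/bin/sh
# Added LS64 health check (not F-Secure's own tooling). Assumes systemd and the
# service names from the accepted answer; LS64_SYSTEMCTL lets a test substitute
# a fake for systemctl, FSANALYZE overrides the on-demand scanner path.
LS64_SYSTEMCTL="${LS64_SYSTEMCTL:-systemctl}"
FSANALYZE="${FSANALYZE:-/opt/f-secure/linuxsecurity/bin/fsanalyze}"

# Services that must be active for real-time, scheduled and manual scanning.
# f-secure-baseguard-as/-av are omitted on purpose: inactive or unused in LS64.
LS64_SERVICES="f-secure-baseguard-accd.service f-secure-baseguard-icap.service
f-secure-baseguard-orspgw.service f-secure-baseguard-update.service
f-secure-baseguard-cleanup.service f-secure-linuxsecurity-fsicd.service
f-secure-linuxsecurity-lspmd.service f-secure-linuxsecurity-scand.service
f-secure-linuxsecurity-statusd.service fsbg-statusd.service
fsbg-updated.service fsbg.service"

# Returns 0 if every listed service is active, 1 otherwise (prints each result).
check_ls64_services() {
    failed=0
    for svc in $LS64_SERVICES; do
        if "$LS64_SYSTEMCTL" is-active --quiet "$svc"; then
            echo "ok      $svc"
        else
            echo "NOT UP  $svc"
            failed=1
        fi
    done
    return "$failed"
}

# Writes the standard 68-byte EICAR test string (harmless by design) to $1.
write_eicar_file() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1"
}

# Real-time check: with "/" in "Files and folders to scan", the accd/fanotify
# path should deny the read or remove the file. Returns 0 if access was blocked.
check_realtime_scan() {
    f="$1"
    write_eicar_file "$f"
    if cat "$f" >/dev/null 2>&1 && [ -e "$f" ]; then
        echo "real-time scanning did NOT intercept $f; check the scan path setting in Policy Manager"
        return 1
    fi
    echo "real-time scanning blocked or removed $f"
}

# Manual check: the on-demand scanner, which the thread reports does detect EICAR.
check_manual_scan() {
    write_eicar_file "$1"
    "$FSANALYZE" "$1"
}
```

Run check_ls64_services first, then check_realtime_scan and check_manual_scan against a scratch file under a path covered by the real-time scan setting.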
6 REPLIES
Moderator

Re: Linux Security 64 more documentation?

Hi Donovan,

Can you please share what the output is for the EICAR test file that did not work?

Regarding your other inquiries, I will check with the relevant team and update you accordingly.

Scholar

Re: Linux Security 64 more documentation?

Hello,

Indeed, the current state of the Linux Security 64 documentation does not really allow anyone to understand how it works and master its deployment/use.

We encounter the same issue (on CentOS): a manual scan detects our EICAR test file, whereas the real-time scanning does not detect anything, and therefore does not prevent a user/a process from accessing this "malicious" file.

Even if it is documented, we are still waiting for the fix of "CSLP-3319: Manual scanning cannot be invoked from Policy Manager Console." It is not OK not to be able to launch a global scan of our machines from the Policy Manager.

M.

Aspirant

Re: Linux Security 64 more documentation?


@jamesch wrote:

Hi Donovan,

Can you please share what the output is for the EICAR test file that did not work?

Regarding your other inquiries, I will check with the relevant team and update you accordingly.


#wget https://secure.eicar.org/eicar.com.txt

#cat eicar.com.txt

The real-time scanner does nothing.


Aspirant

Re: Linux Security 64 more documentation?

Thanks for the additional info, this is very useful.

4. The EICAR test file is not working with full real-time scanning on / enabled, /opt/f-secure/linuxsecurity/bin/fsanalyze, but EICAR_Test_File_Not_A_Virus is working ok.

  - The root directory ('/') was provided by default; after removing it -> distributing, then adding the root directory back and distributing the policy, it worked!


Moderator

Re: Linux Security 64 more documentation?

Hi M,

Can you please advise if Step 4) from my latest post helped with the EICAR scanning?

Regarding CSLP-3319, I have checked with the relevant team. They advised that a global scan can already be launched using the scheduled scan feature, and estimate the feature will be dealt with during September 2019.