For improved legibility and clear marking, the following types of emphasis are also used in the text: Emphasis in text Ctrl+Alt /usr/lib/AntiVir/guard/avscan ls /usr/lib/AntiVir/guard http://www.avira.com Signs and Symbols Page 4 Explanation Key or key combination Path and filename User entries URLs Cross-reference within the document

Abbreviations

The manual uses the following abbreviations: Abbreviation CLS FAQ GUI SMTP VDF Meaning Command Line Scanner Frequently Asked Question Graphical User Interface Simple Mail Transfer Protocol Virus Definition File

Product Information

UNIX computers are more often used as file servers or email gateway servers. Thus they transfer and store files that have no connection to UNIX, e.g. Office documents and email attachments. So, viruses can access a server through a Windows Client and freely cause damage.
Avira AntiVir Personal is a comprehensive and flexible tool for confronting viruses and unwanted programs and for reliable protection of your systems. Losing valuable files usually has dramatic consequences. Not even the best antivirus software can fully protect you against data loss. Ensure that you make regular backups of your files. An antivirus program can be reliable and effective only if kept up to date. Ensure that you keep your AntiVir programs up to date using automatic updates as described in this user guide.

Features

Avira AntiVir Personal offers you extensive configuration possibilities to keep control of your computer. The current features of Avira AntiVir Personal are: Easy installation, using the installation script. Command Line Scanner (on demand): Configurable on-demand search for all known malware types (viruses, Trojans, backdoor programs, hoaxes, worms etc.) Resident guard (on-access): Configurable reactions when detecting viruses or unwanted programs: repair, move, rename programs or files; automatically remove viruses or unwanted programs. Heuristic detection of macroviruses. Detection of all common archive types with certain recursion level in the case of nested archives. Automatic Internet Updates for product, scan engine and VDF. Comprehensive functions for logging, warnings and messages for the administrator. Self-Integrity Program Check, which ensures the antivirus system is operating correctly at all times.

Licensing Concept

Avira AntiVir Personal - Free Antivirus is free for personal use. For more details, please visit www.free-av.com Self-Integrity Check Each AntiVir executable binary is signed and performs a self-integrity check during startup. The self-integrity check cannot protect against forgery (e.g. to check if the complete package is faked) or crafted attacks (e.g. the function call that performs the self-integrity check is bypassed). Such a verification has to be performed from outside the package.

Downloading the Installation Files from the Internet Download the current version of Avira AntiVir Personal - Free antivirus, from www.free-av.com to your local computer. Save the file in the temporary folder (/tmp) on the computer on which you want to run Avira AntiVir Personal. The file name is antivir-workstation-pers.tar.gz Unpacking Program Files Go to the temporary directory: cd /tmp Unpack the archive containing the AntiVir kit: tar -tar -xzvf antivir-workstation-pers.tar.gz In the temporary directory will then appear: antivir-workstation-pers-<version>

Licensing

Avira AntiVir Personal - Free Antivirus is free for personal use. If the initial license expires, you can extend it without reinstalling the product, by downloading the current license file from www.free-av.com. Copying the License File Copy the license file hbedv.key to the installation directory on your system, if the license in your Avira AntiVir Personal has expired /tmp/antivir-workstation-pers-<version>

Installing AntiVir

AntiVir is automatically installed using a script. This script performs the following tasks: Checks integrity of the installation files.
Checks for the required permissions for the installation. Checks for an existing version of AntiVir on the computer. Copies the program files. Overwrites existing obsolete files. Copies AntiVir configuration files. Existing AntiVir configuration files are inherited. Optional: it creates a link in /usr/bin, so that AntiVir can be called from any folder without needing a given path. Optional: it installs the resident scanner AntiVir Guard and the dazuko module. Optional: it installs a Gnome plug-in. Optional: it installs Avira Updater. Optional: it configures an automatic start for Avira Updater and AntiVir Guard on system start-up.
Preparing Installation Login as root. Otherwise you do not have the required authorization for installation and the script returns an error message. Go to the directory in which you unpacked AntiVir: cd /tmp/antivir-workstation-pers-<version> Installing AntiVir For using Avira AntiVir Personal v.3 with AntiVir Guard, we recommend and support dazuko3/dazukofs. The installation script will also install dazuko3, if it detects the needed build components on your system. If the installation script cannot detect a supported linux kernel version, you can only install Avira AntiVir without AntiVir Guard. AntiVir Guard can be easily installed later. For more details, see The Dazuko Kernel Module Page 33. Type the command:./install Please note the dot and slash in the command syntax. Typing the command without this path specification, leads to another command, which is not related to AntiVir installation process and this would result in error messages and unwanted actions. Press q to close the license text view. The installation script starts. After you agree with the license terms, it will copy the program files. Do you agree to the license terms? [n] y copying install_list_guard to /usr/lib/AntiVir/guard/. done copying AV_WKS_PERS to /usr/lib/AntiVir/guard/. done copying LICENSE to /usr/lib/AntiVir/guard/LICENSE-workstation. done 1) installing AntiVir Core Components (Engine, Savapi and Avupdate) copying uninstall to /usr/lib/AntiVir/guard. done copying etc/file_list to /usr/lib/AntiVir/guard. done.. installation of AntiVir Core Components (Engine, Savapi and Avupdate) complete

uninstall [--product=productname] [--inf=inf-file] [--force] [--version] [--help]
where productname is Guard. Open the AntiVir directory: cd /usr/lib/AntiVir/guard Type:./uninstall --product=Guard The script starts uninstalling the product, asking you step by step, if you want to keep backups for the license file, for the configuration files and logfiles; it can also remove the cronjobs you made for Guard and Scanner. Answer the questions with y or n and press Enter. Avira AntiVir Personal is removed from your system.

Configuration

You can adjust Avira AntiVir Personal for optimum performance. You can make the main adjustments immediately after installation. The most common settings are suggested. You can modify these settings anytime, to adjust the product to your requirements. After a short overview, you will be guided step by step through the configuration process: Description of the configuration files: - Configuration of AntiVir Guard in avguard.conf Page 14 - Configuration of the Command Line Scanner in avscan.conf Page 19 - Scanner specific configuration in avguard-scanner.conf Page 22 - Configuration of Avira Updater in avupdate-guard.conf Page 22 Testing AntiVir Personal - Page 33, after completing the configuration.

Configuration Files

The configuration is defined in four files: /etc/avira/avguard.conf configures the on-access scanner. /etc/avira/avscan.conf configures the on-demand scanner. /etc/avira/avguard-scanner.conf configures Savapi3. /etc/avira/avupdate-guard.conf defines the automatic updates. The settings can be made directly in the configuration files or as parameters when using the Command Line Scanner. The parameters given in command lines take precedence of those saved in configuration files. This part describes the structure of Avira AntiVir Personal configuration files. Avira AntiVir Personal reads these files on program start-up. It ignores empty lines and commented lines beginning with #. The program is provided with default values, which are important for many procedures. Some options can be deactivated with a # at the beginning of the line (commented) or can be set with default values. These can be activated by removing the # character or by changing the values. You must restart the AntiVir Guard if you modify any values manually in the configuration files. The changes only take effect after a restart. Type: /usr/lib/AntiVir/guard/avguard restart

Configuration of AntiVir Guard in avguard.conf
This section provides a short description of the entries in avguard.conf. The settings affect only the behavior of Avira AntiVir Personal and no other AntiVir programs.

OnAccess Management

Enable/ Disable on-access protection: This option allows you to explicitly enable/ disable on-access protection of specified directories provided by Guard using dazukofs/dazuko kernel module.
When set to auto Guard will determine if the system has dazuko/dazukofs support at startup and use it to provide on-access protection automatically. If you set it to no or the system has no dazuko/dazukofs support, Guard will not provide any on-access protection. In this case only the on-demand scanner (avscan) can be used. All on-access options will be inactive if you disable the Guard. For setting on-demand scanner options check the avscan.conf file.

OnAccessManagement auto

Num Daemons
Number of daemons: The number of simultaneous AntiVir Guard daemons can be set between 3 and 20. The default is 3 and it is appropriate for smaller standard computers. For servers with high traffic, a larger number would be necessary: NumDaemons 3 If the value is 0, AntiVir Guard is deactivated.

Repair Concerning Files

Repairing files: If RepairConcerningFiles is set AntiVir Guard will try to remove any alert by repairing the infected file. If the repair has been carried out successfully, access is granted and no further action besides logging is taken. If the repair fails, access is blocked and the AlertAction, if you have selected one, is carried out. The following option must be active: RepairConcerningFiles It is not activated by default.

AlertAction

Action when detecting viruses or unwanted programs: If RepairConcerningFiles is not set or if repair is not possible, the access to the file is blocked and the action is logged. The following options define the actions of AntiVir Guard: none or ignore: no further action rename or ren: renaming the file by adding the.XXX extension. delete or del: delete the concerning file. quarantine: move the concerning file into quarantine, if you defined one (see below). You can select only one of these options. If more than one is activated, AntiVir applies the last one selected in the configuration file. Default: AlertAction none

Quarantine Directory

You have to define the quarantine directory, if you want to use the quarantine option for AlertAction (see above). Note: If you fail to specify a quarantine directory, the following directory is created by default and the infected files are moved into it: QuarantineDirectory /home/quarantine

AccessMask

Access mask (only for dazuko2): This option sets the access type of AntiVir Guard, when scanning files for viruses or unwanted programs:

ArchiveMax Size

ArchiveMax Recursion

Archive MaxRatio

Archive MaxCount

Archive Actions

Alert actions based on archive scanning settings:Based on the specific action, the alert is treated as follows: ignore - the alert is ignored. warn - the condition is logged as a warning; access is not blocked by the guard. block - access is blocked. alert - access is blocked; the alert action is performed (highest priority). Each of the following conditions can be set to: ignore, warn, block or alert. Default settings:ArchiveMaxSizeAction block ArchiveMaxRecursionAction block ArchiveMaxRatioAction block ArchiveMaxCountAction block

MaxReports PerFile

Limit the number of scanner alert messages: The upper limit of messages that are issued per scanned file. Usually this only affects archive scanning. This option can be used to prevent the scanner from Denial Of Service
attacks generated by crafted archives that otherwise would provoke millions of alerts. A value of 0 means no limit is set. MaxReportsPerFile 100

LogFile

Logfile: AntiVir logs all important operations via the syslog daemon. It can also create an additional logfile. There is no default setting. You must enter the full path to the logfile in order to use this option: LogFile /var/log/avguard.log Syslog settings: Avira AntiVir Personal sends messages for all important operations to the syslog daemon. You may specify the facility and priority for these messages. Default is: SyslogFacility user SyslogPriority notice Setting the SyslogPriority determines that all those messages which are equal or higher than the priority specified are logged. Consequently you receive with the Priority Warning all those messages labelled Alert, Error or Warning. Since Info has a lower priority than Warning you will not receive any Info messages. These values apply even if the LogFile option is not active.

Syslog.

DetectPrefixes
Detection of other types of unwanted programs: Besides viruses, there are other types of harmful or unwanted software. You can activate their detection using the following options. The virus detection is not optional and you can not deactivate it. The available categories are: adspy - software that displays advertising pop-ups or software that very often without the user's consent sends user specific data to third parties and might therefore be unwanted. appl - an application of dubious origin or which might be hazardous to use. bdc - the Control software for backdoors. BDCs are generally harmless. dial - a Dial-Up program for connections that charge a fee. Its use might lead to huge costs for the user. game - a game, that causes no damage on your computer. hiddenext - a file with an executable extension, hidden behind a harmless one. joke - a harmless joke program, present as file. pck- a file compressed with an unusual runtime compression tool. phish - faked emails that are supposed to prompt the victim to reveal confidential information such as user accounts, passwords or online-banking data on certain websites. spr - software that may compromise the security of your system, initiate unwanted program activities, damage your privacy or spy out your user behavior and might therefore be unwanted. alltypes - option to detect all supported malware types. Syntax: list of types, separated by whitespace or colon. DetectPrefixes <type>[=<bool>] <type>[=<bool>]. Example: DetectPrefixes adspy=yes appl=no bdc=yes dial=yes game=no hiddenext=no joke=no pck=no phish=yes spr=no

Syslog Facility

Facility used when logging. SyslogFacility user The scanner can be set to log on different levels: 0 - Log errors 1 - Log errors and alerts 2 - Log errors, alerts and warnings 3 - Log errors, alerts, warnings and debug messages "alerts" means information about potential malicious code. Default: ReportLevel 0

ReportLevel

LogFileName
Path to the scanner logfile. LogFileName NONE You can use this option to retrieve information about virus alerts via Internet. Currently supported URLs: English: http://www.avira.com/en/threats?q=%1 German: http://www.avira.com/de/threats?q=%1 AlertURL=<URL>

AlertURL

Configuration of Avira Updater in avupdate-guard.conf
This section provides a short description of the settings in avupdate-guard.conf. The settings affect the Avira Updater. Updates ensure that Avira AntiVir Personal components (Guard, Scanner, VDF and Engine), which provide security against viruses or unwanted programs, are always kept up to date. With Avira Updater you can update Avira software on your computers, using Avira update servers. To configure the update process, use the options in /etc/avira/avupdate-guard.conf described below. All parameters from avupdate-guard.conf can be passed to the Updater via command line. For example: - parameter in avupdate-guard.conf: temp-dir=/tmp - command line: /usr/lib/AntiVir/guard/avupdate-guard --temp-dir=/tmp

internet-srvs

The list of Internet update servers. internet-srvs=http://dl1.pro.antivir.de, http:// dl2.pro.antivir.de, http://dl3.pro.antivir.de

master-file

Specifies the master.idx file. Avira AntiVir Personal (UNIX)
master-file=/idx/master.idx

install-dir

Specifies the installation directory for updated product files. install-dir=/usr/lib/AntiVir/guard

temp-dir

Temporary directory for downloading update files. temp-dir=/tmp/avira_update/guard

HTTP proxy settings

proxy.
If you use an http proxy server for Internet updates, you have to provide the following data: proxy-host= proxy-port= proxy-username= proxy-password=
Setting update email reports All reports on AntiVir updates are sent to the email address given in avupdate-guard.conf:

Authentication for smtp connection. Activate the auth-method option and then provide the smtp server, port, user and password. mailer=[smtp | sendmail] auth-method=password smtp-user=<your_username> smtp-password=<your_password> smtp-server=<servername> smtp-port=<port>

notify-when

There are three situations to set for email notifications: 0 - no email notifications are sent, 1 - email notifications are sent in case of "successful update", "unsuccessful update", or "up to date". 2 - email notification only in case of "unsuccessful update".
3 - email notification only in case of "successful update".

notify-when=3

email-to
The recipient of notification emails. email-to=root@localhost

Logfile settings

Specify a full path with a filename to which AntiVir Updater will write its log messages. log=/var/log/avupdate.log

log-rotate log-append

By default, the logfile is overwritten (log-rotate). You can use this option to append the logfile: log-append

Testing AntiVir Personal

After completing the installation and configuration, you can test the functionality of AntiVir Personal using a test virus. This will not cause any damage, but it will force the security program to react when the computer is scanned. Testing AntiVir Guard with a Test-Virus Go to http://www.eicar.org. Read the information about the test virus eicar.com. Download the test virus to your computer (for exp, in a directory named /TEST). On dazuko3 systems, mount the directory in which you downloaded eicar.com mount -t dazukofs /TEST /TEST Try to access the file, via the shell command less: AntiVir Guard will deny the access. Testing AntiVir Command Line Scanner with a Test-Virus Go to http://www.eicar.org. Read the information about the test virus eicar.com. Download the test virus to your computer (for exp, in a directory named /TEST). Execute the command: avscan /TEST AntiVir will notify you about malware detection and will ask you to select an action. Scanning for Possible Errors If you notice that AntiVir Guard does not display the expected messages or does not take the relevant action, you have to check the configuration. Check whether AntiVir Guard is running. Type: /usr/lib/AntiVir/guard/avguard status Start AntiVir Guard if necessary. If you use AntiVir Guard in conjunction with dazukofs ensure that the file system location for which you want to enable OnAccess protection, is mounted with dazukofs. Use the mount command to see a list of all mounted file systems/partitions. If you use AntiVir Guard in conjunction with dazuko2 make sure that the file system location you want to protect is specified by means of the IncludePath option. Also ensure that the AccessMask is set to a value different from 0, since AntiVir Guard will otherwise fail to start. Check the messages in the logfile of AntiVir Guard or in syslog in order to isolate errors.

--detectprefixes='adspy=yes:joke=no:spr: bdc'
--archive-max-ratio=<spec>
--archive-max-ratio-action=
--archive-max-recursion=<spec>
--archive-max-recursion-action=
--archive-max-size=<spec>
--archive-max-size-action=
--config -C <configuration-file> --detect-prefixes=<spec>
To scan for all types of malware:
--detect-prefixes=alltypes
See the list of accepted types at DetectPrefixes Page 18.
--help --heur-level=<int>
Prints usage information about avguard.bin Specifies the Win32 file heuristics level. Available values are 0 (off), 1 (low), 2 (medium) and 3 (high - could result in false alerts!). Not activated by default. Enables or disables macro heuristics. Enables or disables recursion into archive containers. By default on.
--heur-macro[=<bool>] --scan-in-archive[=<bool>]

--scan-mode=<spec>

Instructs the scanner how a sample should be scanned.

ScanMode {all|smart|ext}

--temp-dir=<dir> --version
Defines the absolute path of the temporary directory Prints version information.
Scanning on-demand with AntiVir Command Line Scanner
Syntax To scan on-demand, using certain parameters: avscan [option] [directory [.]] If you have not specified any directory, it scans only the current directory. If you want to scan certain files in a directory, the syntax is: avscan [option] [directory][filename] Options You can use the following options for the Command Line Scanner, in various combinations. All non-option strings are considered files or directories to be scanned (by default, no recursion beyond the first level of the directory structure). Option
--archive-max-count=<N>
Sets a limit to the number of files in an archive or mailbox that will be scanned by the Guard. Guard will stop scanning at the set number of files. Limits the archive or mailbox ratio. The CLS does not scan beyond the configured limits. Limits the archive or mailbox recursion. The CLS does not scan beyond the configured limits. Limits the archive or mailbox size. The CLS does not scan beyond the configured limits.

--archive-max-ratio=<N>
--archive-max-recursion=<N>
--archive-max-size=<N>

--batch

Enables "batch mode": If you enable this option avscan will enter the noninteractive batch mode. In this mode all decisions are carried out based on the given configuration file and command-line settings. The user will not be asked to make or confirm any decisions. Note: If you had set the alert action to delete the alert action for files which are only considered suspicious is automatically reset by avscan to quarantine when operating in batch mode.
Prints a sample configuration. Use a specific configuration file instead of the default one. Specifies which kind of malware or unwanted software should get detected. (Virus detection is always active.) Accepts whitespace or colon separated list of "<type>[=<bool>]".
-e --follow-symlink[=yes|no] --help --heur-level=<int>
Repair concerning files if possible. Follows symbolic links. Default: yes. Prints usage information about avscan (abbreviation: -h or -?) Specifies the Win32 file heuristics level. Available values are 0 (off), 1 (low), 2 (medium) and 3 (high - could result in false alerts!). Not activated by default. Enables or disables macro heuristics. Specifies the file for log messages. This option can be invoked for normal or scheduled scanning. It defines a soft overall time limit. If the time limit is exceeded, the job will stop after completing the currently pending subtask (scan/ database action). Specifies the quarantine directory for infected files.
--heur-macro[=<yes|no>] --log-file=<filename> --max-runtime=<seconds>
--quarantine-dir=<dir>
-s --scan-in-archive[=<yes|no>] --scan-mode=<spec>
This option enables recursive scanning of all subdirectories within a specified path. Enables or disables recursion into archive containers. By default on. Instructs the scanner how a sample should be scanned
ScanMode {all|smart|extlist}

--temp=<dir>

Defines the absolute path of the directory for temporary files. Set verbose mode on. This option should be used in exceptional cases only, as for example after a virus detection/removal. Prints version information.

-v --verbose

--version
Exit Codes AntiVir Command Line Scanner issues exit codes after operation. UNIX users can include them in scripts. Exit Code 255 Meaning Normal program termination, nothing found, no error. Found concerning file. Suspicious file found. Warnings were issued. Scan process not completed. Cannot initialize scan process. The avguard daemon is not accessible. The avguard daemon is not running. Error while preparing on-demand scan. Configuration error (invalid parameter in command-line or configuration file). Internal error.

Example: Performing Complete Scan After installation, it is important to perform a complete scan of the system. The following parameters should be used: --scan-mode=all
--detectprefixes=alltypes
Scans all files. Scans for all types of malware.

-s --scan-in-archive

Scans all subfolders. Scans packed files, too.
The command is: avscan --scan-mode=all --detect-prefixes=alltypes -s --scanin-archive / Example: Performing Partial Scan Usually, scanning the directories that contain incoming and outgoing data (mailbox, Internet, text folders) may be sufficient. These files are usually in /var. If you have any DOS partitions on your UNIX system, you also have to scan them. You can use the following parameters: --scan-mode=all -s --scan-in-archive Scans all files. Scans all subfolders. Scans packed files, too.
If your DOS partitions are in /mnt and the incoming and outgoing files are in /var: Use the command: avscan --scan-mode=all -s --scan-in-archive /var /mnt Example: Deleting Infected Files Avira AntiVir Personal can delete files which contain viruses or unwanted programs. Optionally, AntiVir can first try to repair these files. Otherwise, the program will delete them completely; i.e. repairing tools will not recover them. You can use the following options: --scan-mode=all --alertaction=delete -e --alertaction=delete Scans all files. Deletes infected files. Tries to repair the infected files and deletes the ones it could not repair.
In the following examples, files are transformed or deleted. Therefore important data may be lost! If you want to delete all infected files from /home/myhome (Check user permissions!): Type the command: avscan --scan-mode=all --alert-action=delete /home/myhome If you want to repair infected files from /home/myhome and to delete the files that could not be repaired: Type the command: avscan --scan-mode=all -e --alert-action=delete /home/ myhome
Reaction to Detecting Viruses/ Unwanted Programs
If correctly configured, Avira AntiVir Personal is set to deal automatically with all the tasks on your computer: The infected file is repaired or at least deleted. If it could not be repaired, access to the file is blocked and, according to the configuration, the file is renamed or moved. This eliminates all virus actions. You should do the following: Try to detect the way the virus/ unwanted program infiltrated your system. Perform targeted scanning on the data storage supports you used. Inform your team, superiors or partners. Inform your system administrator and security provider. Submit Infected Files to Avira GmbH Please send us the viruses, unwanted programs and suspicious files that our product does not yet recognize or detect and also any suspicious files. Send us the virus or unwanted program packed in a password-protected archive (PGP, gzip, WinZIP, PKZip, Arj) attached to an email message to virus@avira.com. When packing, use the password virus. This way the file will not be deleted by virus scanners on the email gateway.

The installation pack for SunOS (Sparc and i386) contains a binary module and you do not have to install it on this platform yourself. The procedure is described, so that you do not need expert knowledge to perform it. Nevertheless, knowledge of UNIX kernel compilation is needed, especially when errors are encountered. Further information on this can be found at: http://www.tldp.org/HOWTO/Kernel-HOWTO.html
Compiling Dazuko on your own
Make sure that the source code for UNIX kernel is in /usr/src/linux. If not, install or link it there. Information on this subject can be found in your UNIX provider documentation. Check if you have on your computer the kernel compiling programs (for example gcc). This also applies to UNIX standard installations. If not, install the required packages. Information on this subject can be found in your UNIX provider documentation. Your UNIX kernel must be based on the source code from /usr/src/linux, as in most cases, especially in a UNIX reinstallation. You can only be absolutely certain by recompiling the installed kernel using exactly these sources. If you are not certain about your UNIX kernel status, you should proceed with the installation. In the worst case, Dazuko will not be integrated into your UNIX kernel and the AntiVir Guard will not start. A message will be displayed and you can solve the situation afterwards. Go to the temporary directory where you unpacked Dazuko, for example:
cd /tmp/antivir-workstation-pers-<version>/contrib/dazuko/ dazuko-<version> Check the configuration of your computer with the configure script. This information will provide appropriate guidance for further installation of the software:./configure Compile Dazuko: make Optionally: verify if the newly installed module works with the computer's running kernel: make test Depending on your operating system, you will receive the file dazuko.o or dazuko.ko in the temporary directory. AntiVir installation script will ask for the path to this file

later.

Further information on Dazuko can be found on the website: http://www.dazuko.org. You may find distribution-specific details already documented in the FAQ section.
Known Issues with dazukofs
Mounting dazukofs It is highly recommended to mount dazukofs very early during system startup, via /etc/fstab, for optimum functionality and protection. It is not recommended to unmount dazukofs, once loaded. For more details, please refer to the dazukofs documentation: http://dazuko.dnsalias.org/files/README-dazukofs Mounting removable media Removable media such as USB-sticks and CD-ROMs should be automatically mounted. Else: - If the media is not mounted via dazukofs, it is not protected; - If it is mounted via dazukofs, you cannot unmount the media without unmounting dazukofs first (which can break some applications). Scanning on-access: symlinks Please note how dazukofs handles symlinks: In case a folder is mounted as dazukofs and a file (file.a) within that folder is a symbolic link to another file (which is not in a folder mounted as dazukofs, for example file.b), access to file.a is always granted, while file.b is not scanned, since it is not accessed through dazukofs. Unsupported system calls Dazukofs currently does not support the sendfile() system call. This may lead to problems if you want to use dazukofs in conjunction with applications that rely on sendfile(), as for example apache servers. If you want to use dazukofs to protect the document root dir of an apache server, add the following line to the httpd.conf: <Directory "/var/www"> EnableSendfile Off </Directory>

Backdoor (BDC)

cron (daemon) Daemon

dazuko Dialer

Engine Heuristic

Kernel Logfile Malware

Quarantine directory root SAVAPI Script Signature SMP (Symmetric Multi Processing) Avira GmbH

Item SMTP syslog daemon

Meaning Simple Mail Transfer Protocol: protocol for email transmission on the Internet. A daemon used by programs for logging various information. These reports are written in different logfiles. The syslog daemon configuration is in /etc/syslog.conf. The name for programs that do not directly harm the computer but are not wanted by the user or administrator. These can be backdoors, dialers, jokes and games. AntiVir detects various types of unwanted programs. A file with known signatures for viruses and unwanted programs. In many cases it is enough for an update to load the most recent version of this file. Virtual File System

Unwanted programs

VDF (Virus Definition File) VFS

Further Information

You can find further information on viruses, worms, macro viruses and other unwanted programs at http://www.avira.com/en/threats/index.html. AntiVir Guard is based on DazukoFS (http://www.dazuko.org), an open source software project. DazukoFS is a kernel module which allows the AntiVir Guard daemon to access the files.
Golden Rules for Protection Against Viruses
Always keep boot floppy-disks for your network server and for your workstations. Always remove floppy disks from the drive after finishing the work. Even if they have no executable programs, disks can contain program code in the boot sector and these can serve to carry boot sector viruses. Regularly back up your files. Limit program exchange: particularly with other networks, mailboxes, Internet and acquaintances. Scan new programs before installation and the disk after this. If the program is archived, you can detect a virus only after unpacking and during installation. If there are other users connected to your computer, you should set the following rules for protection against viruses: Use a test computer for controlling downloads of new software, demo versions or virus suspicious media (floppies, CD-R, CD-RW, removable drives). Disconnect the test computer from the network! Appoint a person responsible for virus infection operations and define all steps for virus elimination. Organize an emergency plan as a precaution for avoiding damage due to destruction, theft, failure or loss/change due to incompatibility. You can replace programs and storage devices but not your vital business data. Set up a plan for data protection and recovery. Your network must be correctly configured and the access rights must be wisely assigned. This is good protection against viruses.

www.avira.com

Lindauer Str. Tettnang Germany Telephone: +49 (0) 7542-Fax: +49 (0) 7542-Internet: http://www.avira.com
AntiVir is a registered trademark of the Avira GmbH. All other brand and product names are trademarks or registered trademarks of their respective owners. Protected trademarks are not marked as such in this manual. However, this does not mean that they may be used freely. Avira GmbH. All rights reserved. This manual was created with great care. However, errors in design and contents cannot be excluded. The reproduction of this publi ation c or parts thereof in any form is prohibited without previous written consent from Avira GmbH. Errors and technical subject to change. Issued Q1-2010