For improved legibility and clear marking, the following types of emphasis are also used in the text: Emphasis in text Ctrl+Alt /usr/lib/AntiVir/guard/avscan ls /usr/lib/AntiVir/guard http://www.avira.com Signs and Symbols Page 4 Explanation Key or key combination Path and filename User entries URLs Cross-reference within the document

Abbreviations

The manual uses the following abbreviations: Abbreviation CLS FAQ GUI SMTP SNMP VDF Meaning Command Line Scanner Frequently Asked Question Graphical User Interface Simple Mail Transfer Protocol Simple Network Management Protocol Virus Definition File

Product Information

You are responsible for numerous workstations and servers in your network but you are only human. The servers are the heart of the network. So if viruses can freely penetrate and spread on your servers, your network is only a step away from breakdown. This is where AntiVir products for servers come in. UNIX computers are more often used as file servers or email gateway servers. Thus they transfer and store files that have no connection to UNIX, e.g. Office documents and email attachments. So, viruses can access a server through a Windows Client and freely cause damage.
Avira AntiVir Server/ Professional is a comprehensive and flexible tool for confronting viruses and unwanted programs and for reliable protection of your systems. Losing valuable files usually has dramatic consequences. Not even the best antivirus software can fully protect you against data loss. Ensure that you make regular backups of your files. An antivirus program can be reliable and effective only if kept up to date. Ensure that you keep your AntiVir programs up to date using automatic updates as described in this user guide.

Features

AntiVir Server/ Professional offers you extensive configuration possibilities to keep control of your network. The current features of AntiVir Server/ Professional are: Easy installation, using the installation script. Command Line Scanner (on demand): Configurable on-demand search for all known malware types (viruses, Trojans, backdoor programs, hoaxes, worms etc.) Resident guard (on-access): Configurable reactions when detecting viruses or unwanted programs: repair, move, rename programs or files; automatically remove viruses or unwanted programs. Heuristic detection of macroviruses. Detection of all common archive types with certain recursion level in the case of nested archives. Simple integration with automatic jobs, such as scanning at a set time. Automatic Internet Updates for product, scan engine and VDF. Comprehensive functions for logging, warnings and messages for the administrator; sending email warnings (SMTP). Self-Integrity Program Check, which ensures the antivirus system is operating correctly at all times.

System Requirements

Avira AntiVir Server asks for the following minimum system requirements on your server: i386 (Linux) or Sparc (SunOS) processor; 200 MB free hard disk space; 40 MB temporary disk space; 256 MB (512 MB on SunOS) free memory space; Linux with glibc; SunOS. Officially supported distributions for Avira AntiVir Server:
- Red Hat Enterprise Linux 5 Server - Red Hat Enterprise Linux 4 Server - Novell SUSE Linux Enterprise Server 10 - 10.2 - Novell SUSE Linux Enterprise Server 9 - Debian GNU/Linux 4 (stable), Debian etch - Ubuntu Server Edition 8 - Sun Solaris 9 (SPARC) - Sun Solaris 10 (SPARC) - Novell Open Enterprise Server Avira AntiVir Professional asks for the following minimum system requirements on your server: i386 (Linux) or Sparc (SunOS) processor; 100 MB free hard disk space; 20 MB temporary disk space 192 MB (512 MB on SunOS) free memory space; Linux with glibc; SunOS. You need sufficient disk space on your hard drive to save the temporary guard files. We therefore recommend that there are at least 4GB available for the temporary directory. Officially supported distributions for Avira AntiVir Professional: - Red Hat Enterprise Linux 5 Desktop - Red Hat Enterprise Linux 4 Desktop - Novell SUSE Linux Enterprise Desktop 10 - 10.2 - Novell SUSE Linux Enterprise Desktop 9 - Debian GNU/Linux 4 (stable) - Ubuntu Desktop Edition 8 - Sun Solaris 9 (SPARC) - Sun Solaris 10 (SPARC)

Technical Information

AntiVir Guard is based on DazukoFS (http://www.dazuko.org), an open source software project. DazukoFS is a kernel module which allows the AntiVir Guard daemon to access the files.

Installation

You can find the current version of Avira AntiVir Server/ Professional on our website www.avira.com. AntiVir is supplied as a packed archive. It contains AntiVir Engine, Guard, Command Line Scanner and the Avira Updater. You will be guided step by step throughout the installation procedure. This Chapter is divided into the following sections: Getting the Installation Files Page 9 Licensing Page 9 Installing AntiVir Page 10 Reinstalling and Uninstalling AntiVir Page 14 Integration in AMaViS Page 16

Getting the Installation Files
Downloading the Installation Files from the Internet Download the current version of Avira AntiVir Server/ Professional from our website http://www.avira.com to your local computer. Save the file in the temporary folder (/tmp) on the computer on which you want to run Avira AntiVir Server/ Professional. The file name is antivir-server-prof-<version>.tar.gz or: antivir-workstation-prof-<version>.tar.gz
Unpacking Program Files Go to the temporary directory: cd /tmp Unpack the archive containing the AntiVir kit: tar -xzvf antivir-server-prof-<version>.tar.gz or: tar -xzvf antivir-workstation-prof-<version>.tar.gz In the temporary directory will then appear: antivir-server-prof-<version> or antivir-workstation-prof-<version>

Licensing

You must have an AntiVir license in order to use the product (see Licensing Concept Page 6). The license comes in a file named hbedv.key. This license file contains information regarding the scope and period of the license. Purchasing the License You may contact us by telephone or by email (sales@avira.com) to acquire a license file for Avira AntiVir Server/ Professional. You will receive the license file by email.
You can easily acquire Avira AntiVir Server/ Professional using our Online Shop (for details, visit http://www.avira.com). Copying the License File Copy the license file hbedv.key to the installation directory on your system./tmp/antivir-server-prof-<version> or in./tmp/antivir-workstation-prof-<version>. You can also perform the installation without having a license key from the beginning. You can copy the license file at any time to the AntiVir program directory /usr/lib/AntiVir/guard.

Installing AntiVir

AntiVir is automatically installed using a script. This script performs the following tasks: Checks integrity of the installation files. Checks for the required permissions for the installation. Checks for an existing version of AntiVir on the computer. Copies the program files. Overwrites existing obsolete files. Copies AntiVir configuration files. Existing AntiVir configuration files are inherited. Optional: it creates a link in /usr/bin, so that AntiVir can be called from any folder without needing a given path. Optional: it installs the resident scanner AntiVir Guard and the dazuko module. Optional: it installs a Gnome plug-in. Optional: it installs Avira Updater. Optional: it configures an automatic start for Avira Updater and AntiVir Guard on system start-up. Optional: it installs the plug-in for Avira Security Management Center. Preparing Installation Login as root. Otherwise you do not have the required authorization for installation and the script returns an error message. Go to the directory in which you unpacked AntiVir: cd /tmp/antivir-server-prof-<version> or cd /tmp/antivir-workstation-prof-<version> Installing AntiVir (example for AntiVir Server) For using Avira AntiVir Server/ Professional v.3 with AntiVir Guard, we recommend and support dazuko3/dazukofs. The installation script will also install dazuko3, if it detects the needed build components on your system. If the installation script cannot detect a supported linux kernel version, you can only install Avira AntiVir without AntiVir Guard. AntiVir Guard can be easily installed later. For more details, see The Dazuko Kernel Module Page 46. Type the command:./install

The installer then reads /etc/fstab, to check the directories to be mounted as dazukofs. If no entry is found, it asks you to enter one directory to be scanned by the Guard: Guard will automatically protect all directories which are mounted upon dazukofs filesystem. Please specify at least one directory to be protected by Guard to add in /etc/fstab: [/home] There are some file systems that should not be overlayed by dazukofs, since no security gain would be achieved, but on the contrary, it could lead to system malfunction. Examples of these file systems are sysfs (/sys), procfs (/proc), usbfs. These file systems do not allow the creation of files anyway, so they do not need to be protected against malware. The special directory "/" (root) should not be mounted with dazukofs, because it may also be the root for other file systems, which likewise should not be mounted with dazukofs. Mounting "/" could also be dangerous due to the fact that there will very likely be processes already working on files under/ before dazukofs is mounted. This might result in undefined file states, if those files are later accessed through the dazukofs layer. Type one directory, which you want to be protected on-access (for example, /home) and press Enter. If you want to modify the list of protected directories, you can add or remove entries later, by editing /etc/fstab file and remounting dazukofs. Then the installer checks if the default quarantine directory exists: /home/quarantine, the AVIRA Guard default quarantine directory, does not exist. INFO: You can change the quarantine directory in /etc/avira/avguard.conf. and /etc/avira/avscan.conf after the installation. Would you like to create /home/quarantine ? [y] Type Enter, to create the directory, if necessary. You can change it later in the configuration files. Then the script can install a GNOME plug-in, which would allow you to add the - Guard is status icon for AntiVir Guard to the panel ( - Guard is active; inactive): Would you like to install the AVIRA Guard GNOME plugin? [n] Type y and press Enter, if you want to install the plug-in, or just press Enter, if you dont. Then you are asked if you want to create a link to avguard and if the Updater should be automatically activated at system start: Would you like to create a link in /usr/sbin for avguard ?[y] linking /usr/sbin/avguard to /usr/lib/AntiVir/guard/avguard. done Please specify if boot scripts should be set up. Set up boot scripts [y]: Confirm with Enter.

The automatic system start is configured: setting up boot script. done installation of AVIRA Guard complete Then the script can install the optional plug-in for Avira Security Management Center: 4) activate SMC support The AntiVir Security Management Center (SMC) requires this feature. Would you like to activate the SMC support? [y] If you are using Avira SMC, type y or confirm with Enter. The plug-in is installed and the installation process is complete. You can start AntiVir Guard, if dazuko is correctly compiled: Would you like to start AVIRA Guard now? [y] Starting Avira AntiVir Server. Starting: avguard.bin You will see a report that indicates the completion of the installation: Installation of the following features complete: AntiVir Core Components (Engine, Savapi and Avupdate) AVIRA Internet Updater AVIRA Guard AntiVir SMC plugin Finally, you can start AntiVir: /usr/lib/AntiVir/guard/avguard start Modified binaries will not run. For example, if binaries are prelinked: Either disable prelinking or add /usr/lib/AntiVir/guard as an excluded prelink path in /etc/prelink.conf
Reinstalling and Uninstalling AntiVir
You can launch the installation script at any time. There are several possible situations, such as: Later installation of some components, e.g. AntiVir Guard or Avira Updater. Activating or deactivating the automatic start of Avira Updater or AntiVir Guard. Reinstalling AntiVir The procedure applies to all above mentioned cases: First of all, you have to make sure that AntiVir Guard is stopped: /usr/lib/AntiVir/guard/avguard stop Open the temporary directory where you unpacked AntiVir Server: cd /tmp/antivir-server-prof-<version>
or, for AntiVir Professional: cd /tmp/antivir-workstation-prof-<version> Type:./install The installation script performs as described in Installing AntiVir Page 10). Make the changes you need during installation procedure. AntiVir is installed with the required features. Uninstalling AntiVir You can use the uninstall script, located in the temporary AntiVir directory, to remove Avira AntiVir Server/ Professional. The syntax is:
uninstall [--product=productname] [--inf=inf-file] [--force] [--version] [--help]
where productname is Guard. Open the AntiVir directory: cd /usr/lib/AntiVir/guard Type:./uninstall --product=Guard The script starts uninstalling the product, asking you step by step, if you want to keep backups for the license file, for the configuration files and logfiles; it can also remove the cronjobs you made for Guard and Scanner. Answer the questions with y or n and press Enter. Avira AntiVir Server/ Professional is removed from your system.

Integration in AMaViS

"A Mail Virus Scanner (AMaViS)" project (http://www.amavis.org/) is already prepared for integration with the AntiVir Scanner. You can either install AMaViS after installing AntiVir, for automatic detection, or explicitly activate AntiVir support during AMaViS installation using the option --enable-all or --enable-hbedv for the command./configure. Please note that AMaViS uses the Command Line Scanner and runs it as a separate process for every message. Unfortunately, this method is not as efficient as a dedicated email scanner. For an environment with higher throughput requirements, you should consider integrating Avira AntiVir MailGate or SAVAPI-based products.

ExcludeExt

Excluded file extensions: This option allows you to specify file extensions that should be excluded from on-access scanning. ExcludeExt [spec] where [spec] is a colon-separated list of file extensions, e.g. exe:bat:com. Default: ExcludeExt NONE

Temporary Directory

Temporary location of Guard files: Temporary files of the Guard are written in this directory. Example: TemporaryDirectory /tmp Note: Please make sure that there is sufficient disk space, i.e. at least 4GB, available at the location of the temporary files directory.

ScanMode

Configuring files to be scanned: This entry sets the procedure to determine whether a file is to be scanned or not. The available methods are: extlist: scan only files with certain extensions; smart: scan files based on both their name and file type; all: always scan files, of all types and names. The default is: ScanMode all

ArchiveScan

Scanning archives on-access: AntiVir Guard scans archives when opened, depending on the setting for ArchiveMaxSize, ArchiveMaxRecursion and ArchiveMaxRatio. This is activated by default in order to maintain the highest security: ArchiveScan yes Scanning mailbox containers on-access: If ArchiveScan is set to yes, AntiVir Guard scans mailboxes on-access, when the following option is active: MailboxScan yes This is active by default.

MailboxScan

ArchiveMax Size
Maximum archive size: This option limits the scanning process to the files with unpacked size smaller than the specified value (in bytes, KB, MB, GB). The zero value means no limit. The default setting is approx. 1 Gigabyte: ArchiveMaxSize 1GB Maximum recursion level: When scanning recursive archives, the level of recursion can be limited. The zero value means all archives are completely unpacked, regardless of their recursion level. Default: ArchiveMaxRecursion 20 Maximum compression rate for archives: This option limits the scanning to files which do not exceed a certain compression level. It ensures protection against so-called "mail bombs", which occupy an unexpectedly large

ArchiveMax Recursion

Archive MaxRatio
amount of memory when decompressed. The zero value means all archives are completely decompressed, regardless of their compression rate. Default: ArchiveMaxRatio 150

Archive MaxCount

Number of files in an archive: The archive scanning is limited to a given number of files within a recursion level. The zero value means no limit is set. Default: ArchiveMaxCount 0 You can speed up the archive scanning process by adjusting the settings manually: ARCHIVE_MAX_RECURSION 1 ARCHIVE_MAX_COUNT 10 ARCHIVE_MAX_SIZE 1000KB The reliability of the scan will not be affected.

MaxReports PerFile

Limit the number of scanner alert messages: The upper limit of messages that are issued per scanned file. Usually this only affects archive scanning. This option can be used to prevent the scanner from Denial Of Service attacks generated by crafted archives that otherwise would provoke millions of alerts. A value of 0 means no limit is set. MaxReportsPerFile 100

SendSNMPTraps

SNMP traps configuration: SNMP traps can be used as a method to monitor the status of system and network services. Both on-demand and on-access scanners support this protocol, sending SNMP traps (simple text messages) to inform system monitoring tools about scanners current status, license issues, virus alerts and update status. These messages are logged. To enable SNMP traps: SendSNMPTraps yes Default: disabled (no).

SNMP VerbosityLevel

To set the verbosity level of SNMP traps:
SNMPVerbosityLevel [notice|information|warning|error|alert|snmp]
Defines for which issues traps should be sent when files are scanned. Default: only snmpspecific alerts and important status information are sent (snmp level): SNMPVerbosityLevel snmp Apart from snmp, it supports syslog levels. For example: SNMPVerbosityLevel information The following messages will be sent via snmp: messages with prio "information", "warning", "error", "alert" PLUS the snmp-specific messages. The SNMPVerbosityLevel does not affect the syslog verbosity and vice versa.

SNMPRecipient

Specify a hostname or an IP address, to configure the recipient of SNMP traps: SNMPRecipient <hostname | IP address> Default: SNMPRecipient localhost

External Program

Please use this feature with extreme caution! Check your external programs for correctness and keep in mind, that an attacker might use crafted file names (containing spaces, commands, etc.) for injecting arguments into your external program. Starting External Programs When Suspicious Files Are Found: AntiVir Guard can start an external program when a virus or an unwanted program is found. This can send a notification or perform an action using AntiVir Guard options. It is possible to send an SMS, to call the appointed responsible person, to show a dialog window on the local screen or on another computer, to save the data in another format or another file. You can use macros (preceded by %) to pass the results as arguments to the external program. Thus the data can be treated differently and adjusted to the local conditions. The following table shows the supported macros and their significance: Option %h %f %p %U %G %s %m %De %DF %Dp %Du %Df %Dm %Sn %Sa %SU Function Path to file (may contain special characters) Filename only (may contain special characters) Full path and filename (such as %h/%f), may contain special characters UID of file (owner identifier ) GID of file (UNIX group identifier) File size File access mode (octal) Event type File system or partition (device) on which the file is located (hexadecimal) PID of the process UID of the process Flag of file operation (hexadecimal) Access mode of file operation (hexadecimal) Name of the detected virus / unwanted program Extra information about the alert (if available) Alert URL.

Some of these parameters are not checked by AntiVir but are taken from the file properties and forwarded to the running process, so they must be checked before further processing.
ExternalProgram /bin/sh /usr/lib/AntiVir/guard/popup_message.sh [%Sn] %p

Default: NONE

There are no status reports on the invocation of external programs.

EmailTo

Email messages: AntiVir Guard can send emails, when it detects viruses or unwanted programs. There is no default setting. You must setup your mail daemon and specify a recipient in order to send emails: EmailTo root@localhost Filtering email notifications as required: This option can exclude certain messages, when notifications are sent, according to their priority level. The recipients will only receive notifications with the selected priority or higher. Syntax: SuppressNotificationBelow scanner <level> The possible priority levels (in ascending order) are notice, information, warning, error and alert. Example: SuppressNotificationBelow scanner warning
Suppress Notification Below

LogFile

Logfile: AntiVir logs all important operations via the syslog daemon. It can also create an additional logfile. There is no default setting. You must enter the full path to the logfile in order to use this option: LogFile /var/log/avguard.log Syslog settings: AntiVir Server/ Professional sends messages for all important operations to the syslog daemon. You may specify the facility and priority for these messages. Default is: SyslogFacility user SyslogPriority notice Setting the SyslogPriority determines that all those messages which are equal or higher than the priority specified are logged. Consequently you receive with the Priority Warning all those messages labelled Alert, Error or Warning. Since Info has a lower priority than Warning you will not receive any Info messages. These values apply even if the LogFile option is not active.

Syslog.

DetectPrefixes
Detection of other types of unwanted programs: Besides viruses, there are other types of harmful or unwanted software. You can activate their detection using the following options. The virus detection is not optional and you can not deactivate it. The available categories are: adspy - software that displays advertising pop-ups or software that very often without the user's consent sends user specific data to third parties and might therefore be unwanted. appl - an application of dubious origin or which might be hazardous to use. bdc - the Control software for backdoors. BDCs are generally harmless. dial - a Dial-Up program for connections that charge a fee. Its use might lead to huge costs for the user. game - a game, that causes no damage on your computer. Avira AntiVir Server/ Professional (UNIX)

Maximum archive size: This option limits the scanning process to the files with unpacked size smaller than the specified value (in bytes, KB, MG, GB). The zero value means no limit. The default setting is 1 Gigabyte: ArchiveMaxSize 1GB Maximum recursion level: When scanning recursive archives, the level of recursion can be limited. The zero value means all archives are completely unpacked, regardless of their recursion level. Default: ArchiveMaxRecursion 20 Maximum compression rate for archives: This option limits the scanning to files which do not exceed a certain compression level. It ensures protection against so-called "mail bombs", which occupy an unexpectedly large amount of memory when decompressed. The zero value means all archives are completely decompressed, regardless of their compression rate. Default: ArchiveMaxRatio 150
SNMP traps configuration: SNMP traps can be used as a method to monitor the status of system and network services. Both on-demand and on-access scanners support this protocol, sending SNMP traps (simple text messages) to inform system monitoring tools about scanners current status, license issues, virus alerts and update status. These messages are then logged. To enable SNMP traps: SendSNMPTraps yes Default: disabled (no).
Please use this feature with extreme caution! Check your external programs for correctness and keep in mind, that an attacker might use crafted file names (containing spaces, commands, etc.) for injecting arguments into your external program. Starting External Programs When Suspicious Files Are Found: The CLS can start an external program when a virus or an unwanted program is found. This can send a notification or perform an action using certain options. It is possible to send an SMS, to call the appointed responsible person, to show a dialog window on the local screen or on another computer, to save the data in another format or another file.
You can use macros (preceded by %) to pass the results as arguments to the external program. Thus the data can be treated differently and adjusted to the local conditions. The following table shows the supported macros and their significance: Option %h %f %p %U %G %s %m %De %DF %Dp %Du %Df %Dm %Sn %Sa %SU Function Path to file (may contain special characters) Filename only (may contain special characters) Full path and filename (such as %h/%f), may contain special characters UID of file (owner identifier ) GID of file (UNIX group identifier) File size File access mode (octal) Event type File system or partition (device) on which the file is located (hexadecimal) PID of the process UID of the process Flag of file operation (hexadecimal) Access mode of file operation (hexadecimal) Name of the detected virus / unwanted program Extra information about the alert (if available) Alert URL.

Scanner specific configuration in avguard-scanner.conf
A new configuration file has been introduced, starting with AntiVir Server/ Professional v3.0.0: avguard-scanner.conf. It contains configuration options specific to the new scanner
backend. Usually, you don't have to change the options in this file, but there might be a few exceptions.
Syslog Facility ReportLevel
Facility used when logging. SyslogFacility user The scanner can be set to log on different levels: 0 - Log errors 1 - Log errors and alerts 2 - Log errors, alerts and warnings 3 - Log errors, alerts, warnings and debug messages "alerts" means information about potential malicious code. Default: ReportLevel 0

LogFileName

Path to the scanner logfile. LogFileName NONE You can use this option to retrieve information about virus alerts via Internet. Currently supported URLs: English: http://www.avira.com/en/threats?q=%1 German: http://www.avira.com/de/threats?q=%1 AlertURL=<URL>

AlertURL

Configuration of Avira Updater in avupdate-guard.conf
This section provides a short description of the settings in avupdate-guard.conf. The settings affect the Avira Updater. Updates ensure that AntiVir Server/ Professional components (Guard, Scanner, VDF and Engine), which provide security against viruses or unwanted programs, are always kept up to date. With Avira Updater you can update Avira software on your computers, using Avira update servers. To configure the update process, use the options in /etc/avira/avupdate-guard.conf described below. All parameters from avupdate-guard.conf can be passed to the Updater via command line. For example: - parameter in avupdate-guard.conf: temp-dir=/tmp - command line: /usr/lib/AntiVir/guard/avupdate-guard --temp-dir=/tmp

internet-srvs

The list of Internet update servers. internet-srvs=http://dl1.pro.antivir.de, http:// dl2.pro.antivir.de, http://dl3.pro.antivir.de

master-file

Specifies the master.idx file. master-file=/idx/master.idx

install-dir

Specifies the installation directory for updated product files. Avira AntiVir Server/ Professional (UNIX)
install-dir=/usr/lib/AntiVir/guard

temp-dir

Temporary directory for downloading update files. temp-dir=/tmp/avira_update/guard

HTTP proxy settings

proxy.
If you use an http proxy server for Internet updates, you have to provide the following data: proxy-host= proxy-port= proxy-username= proxy-password=
Setting update email reports All reports on AntiVir updates are sent to the email address given in avupdate-guard.conf:

--exclude-pattern=<spec>
Specifies what to exclude from scanning (a comma separated list of PCRE- Perlcompatible regular expressions, using absolute paths). Example:
--follow-symlink[=yes|no] --help --heur-level=<int>
Follows symbolic links. Default: yes. Prints usage information about avscan (abbreviation: -h or -?) Specifies the Win32 file heuristics level. Available values are 0 (off), 1 (low), 2 (medium) and 3 (high - could result in false alerts!). Not activated by default. Enables or disables macro heuristics. Specifies the file for log messages. This option can be invoked for normal or scheduled scanning. It defines a soft overall time limit. If the time limit is exceeded, the job will stop after completing the currently pending subtask (scan/ database action). In scheduler mode, avscan will query the database instead of scanning files. Note: Option must not be invoked at the same time as --scan-scheduled-files.
--heur-macro[=<yes|no>] --log-file=<filename> --max-runtime=<seconds>

--query-results

--query-alerts
In scheduler mode, avscan queries the database and shows only files that have triggered an alert. Note: Option must not be invoked at the same time as --scan-scheduled-files.

--query-warnings

In scheduler mode, avscan queries the database and shows only files that have triggered a warning. Note: Option must not be invoked at the same time as --scan-scheduled-files.

--query-statistics

In scheduler mode avscan queries the database and shows statistics about the last scheduled scan and overall scheduled scan results. Note: Option must not be invoked at the same time as --scan-scheduled-files.
--quarantine-dir=<dir> -s --scan-continue-file=<filename> --scan-in-archive[=<yes|no>] --scan-in-mbox[=<yes|no>] --scan-mode=<spec>
Specifies the quarantine directory for infected files. This option enables recursive scanning of all subdirectories within a specified path. In scheduler mode, avscan resumes an aborted scheduled scanning. Enables or disables recursion into archive containers. By default on. Enables or disables recursion into archive mailbox. By default on. Instructs the scanner how a sample should be scanned
ScanMode {all|smart|extlist}

--schedule-scan=yes|no

Enables the scanner scheduler, by updating the database, instead of performing a direct scan. Default: no. Enables or disables SNMP traps. Default: no. Sets the verbosity level of SNMP traps; apart from snmp, it supports syslog levels notice|information|warning| error|alert. Default: only snmpspecific alerts and important status information are sent. The string holds the localhost or IP address, needed to configure the recipient(s) of SNMP traps. Starts the worker process to perform the scheduled scan. Restricted to the root user. Note: Option must not be invoked at the same time as --query-results, --query-alerts, -query-warnings or --query-statistics.

--snmp-recipient=<localhost| ip address> --scan-scheduled-files

--temp=<dir>

Defines the absolute path of the directory for temporary files.

-v --verbose

--version
Set verbose mode on. This option should be used in exceptional cases only, as for example after a virus detection/removal. Prints version information.
Exit Codes AntiVir Command Line Scanner issues exit codes after operation. UNIX users can include them in scripts. Exit Code 255 Meaning Normal program termination, nothing found, no error. Found concerning file. Suspicious file found. Warnings were issued. Scan process not completed. Cannot initialize scan process. The avguard daemon is not accessible. The avguard daemon is not running. Error while preparing on-demand scan. Configuration error (invalid parameter in command-line or configuration file). Internal error.
Example: Performing Complete Scan After installation, it is important to perform a complete scan of the system. The following parameters should be used: --scan-mode=all
--detectprefixes=alltypes
Scans all files. Scans for all types of malware. Scans all subfolders. Scans packed files, too.

-s --scan-in-archive

The command is: avscan --scan-mode=all --detect-prefixes=alltypes -s --scanin-archive / Example: Performing Partial Scan Usually, scanning the directories that contain incoming and outgoing data (mailbox, Internet, text folders) may be sufficient. These files are usually in /var. If you have any DOS partitions on your UNIX system, you also have to scan them. You can use the following parameters:
--scan-mode=all -s --scan-in-archive
Scans all files. Scans all subfolders. Scans packed files, too.
If your DOS partitions are in /mnt and the incoming and outgoing files are in /var: Use the command: avscan --scan-mode=all -s --scan-in-archive /var /mnt Example: Deleting Infected Files Avira AntiVir Server/ Professional can delete files which contain viruses or unwanted programs. Optionally, AntiVir can first try to repair these files. Otherwise, the program will delete them completely; i.e. repairing tools will not recover them. You can use the following options: --scan-mode=all --alertaction=delete -e --alertaction=delete Scans all files. Deletes infected files. Tries to repair the infected files and deletes the ones it could not repair.

Avira GmbH Lindauer Strasse 21 D-88069 Tettnang Germany You can find further information on us and our products by visiting http://www.avira.com.

Internet

Appendix

Glossary

Item Meaning A backdoor is a program infiltrated in order to steal data or to control the computer, without the users knowledge. This program is manipulated by third parties using a backdoor client via the Internet or local network. A daemon which starts other programs at specified times. A background process for administration on UNIX systems. On average, there are about a dozen daemons running on a computer. These processes usually start up and shut down with the computer. See www.dazuko.org: a cross-platform device driver that allows applications to control file access on a system. Paid dialing program. When installed on your computer, this program sets up a premium rate number Internet connection, charging you at high rates. This can lead to huge phone bills. AntiVir detects Dialers. The scanning module of AntiVir software. The systematic process of solving a problem using general and specific rules drawn from previous experience. However, solution is not guaranteed. AntiVir uses a heuristic process to detect unknown macro viruses. When typical virus-like functions are found, the respective macro is classified as "suspicious". The basic component of a UNIX operating system which performs elementary functions (e.g. memory and process administration). also: Report file. A file containing reports generated by the program during run-time when a certain event occurs. Generic term for "foreign bodies" of any type. These can be interferences such as viruses or other software which the user generally considers as unwanted (see also Unwanted Programs). The directory where infected files are stored to block the users access to them. The user with unlimited access rights (such as system administrator on Windows) Secure AntiVirus Application Programming Interface A text file containing commands to be executed by the system (similar to batch files in DOS) A Byte combination used to recognize a virus or unwanted program. UNIX SMP: UNIX version for computers with parallel processors.

Backdoor (BDC)

cron (daemon) Daemon

dazuko Dialer

Engine Heuristic

Kernel Logfile Malware

Quarantine directory root SAVAPI Script Signature SMP (Symmetric Multi Processing) Avira GmbH

Item SMTP SNMP

Meaning Simple Mail Transfer Protocol: protocol for email transmission on the Internet. Simple Network Management Protocol: SNMP is used by network management systems to monitor network-attached devices for events that require administrative attention. A daemon used by programs for logging various information. These reports are written in different logfiles. The syslog daemon configuration is in /etc/syslog.conf. Without a license file, AntiVir Server/ Professional runs as a test version and it only reports the test virus EICAR. It will not block access to infected files. The update function is not available. The name for programs that do not directly harm the computer but are not wanted by the user or administrator. These can be backdoors, dialers, jokes and games. AntiVir detects various types of unwanted programs. A file with known signatures for viruses and unwanted programs. In many cases it is enough for an update to load the most recent version of this file. Virtual File System