Doctor Web, Ltd.

Dr.Web(R) Daemon for Linux
Administrator Manual
Version 6.0.2.9

====================================================================
All the materials published herein are the property of Doctor Web, Ltd. and may not be reproduced in any form without written permission of Doctor Web, Ltd. and proper attribution.

Dr.Web is a registered trademark of Doctor Web, Ltd. Other product names mentioned herein are trademarks or registered trademarks of their respective companies.

There might be further improvements and changes in the software not described in this manual. The revised and amended versions of this manual are available at www.drweb.com.
====================================================================

(C) 2003-2012 Doctor Web, Ltd.
Russia, Moscow - Saint Petersburg
http://www.drweb.com/

CONTENTS

1. INTRODUCTION
   1.1. What is this manual about?
   1.2. What is the Dr.Web(R) Daemon for Unix?
   1.3. Dr.Web(R) requirements to OS and hardware
2. Dr.Web(R) Daemon
   2.1. Location of package files
   2.2. Command line parameters
   2.3. Configuring Dr.Web Daemon
   2.4. Starting Dr.Web Daemon
   2.5. Verifying availability of Dr.Web Daemon
   2.6. Scan modes of Dr.Web Daemon
   2.7. Package registration. License key file
   2.8. Updating programs and virus bases
3. CONTACTS

1. INTRODUCTION

1.1. What is this manual about

The present manual describes the antivirus module Dr.Web Daemon for UNIX-based systems - Linux, FreeBSD, SunOS Solaris and OpenBSD.

This manual is designed for the system administrator, responsible for antivirus security and network settings (hereinafter "administrator").

Antivirus protection of UNIX-based operating systems has two aspects:
- protection of local system and user data from the destructive activity of viruses;
- diagnostics and neutralization of viruses when using UNIX-systems as platforms for communication services: mail servers, file servers of local networks, etc.

Viruses can be (and in most cases, they are) designed not directly for UNIX-systems.
Through local networks and mail services ordinary Windows viruses are distributed, including macro-viruses for Word, Excel and other office applications.

Dr.Web antivirus package for UNIX-systems consists of two major components and performs two functions. The scanning module, Dr.Web Scanner, detects and cures viruses on the local computer. GUI module for Scanner makes setup process and operation management much easier. The resident antivirus module, Dr.Web Daemon, can be used in almost any data processing scheme as an external antivirus filter plug-in. For example, mail systems (such as Communigate Pro, Sendmail, Postfix, Exim, QMail, ZMailer and others) can be easily adjusted to use Dr.Web Daemon for checking e-mail messages transmitted by the mail server.

This manual covers the basic steps of setup (chapter 2.1), adjustment (chapters 2.2 and 2.3) and launch (chapters 2.4, 2.5, 2.6) of Dr.Web Daemon. Information on setup, adjustment and launch of Dr.Web Scanner is available in the corresponding manual (readme.scanner file).

Dr.Web products are under continuous development. Add-ons to virus databases are released daily or even several times a day. New versions of programs appear. Diagnostics techniques and methods of antivirus protection, as well as integration with other applications of UNIX-systems, are improved regularly. Besides that, the list of applications compatible with Dr.Web is constantly expanding, therefore some settings and functions of any new version may differ from those described in this manual.

1.2. What is the Dr.Web(R) Daemon for Unix?

Dr.Web Daemon is a permanently loaded Dr.Web Antivirus module that can scan files on disk, or data transferred through a socket, for viruses on request from filtering programs. Requests are made using a special protocol via unix-sockets or TCP sockets.

Dr.Web Daemon:
- uses the same antivirus engine and virus databases as Scanner;
- detects and cures all known viruses;
- checks packed files and archives.
Besides, Dr.Web Daemon has an option to filter mail messages based on the results of e-mail header analysis.

Dr.Web Daemon is always running and has a clear and easy protocol for sending scanning requests, which makes it a perfect solution as an antivirus filter for mail transfer systems and file servers. Dr.Web developers offer ready-made solutions for Dr.Web Daemon integration with CommuniGate Pro, Courier-MTA, Exim, Postfix, QMail, Sendmail and ZMailer MTAs, as well as with Samba file servers and applications using ICAP protocol (Squid and Shweby proxy-servers). You can also use Dr.Web Daemon for any other tasks.

Dr.Web Daemon installation is described in chapter 2 together with program and virus databases update process.

1.3. Dr.Web(R) requirements to OS and Computer

Components of Dr.Web package for Linux are compatible with Linux distributions based on glibc version 2.2 or higher. libstdc++ and libgcc_s libraries must be installed and available for the linker by default.

Regarding the hardware, the Dr.Web requirements are similar to those of the console (text) mode for Linux. For installation of the Dr.Web package approximately 50 Mb of the disk space are required.

2. USING Dr.Web(R) DAEMON

This section describes the location of Dr.Web package files, command line parameters for Dr.Web Daemon, configuration file structure and parameter values, module setup and updating.

2.1. Location of package files

The Dr.Web package is installed by default to the directories /opt/drweb, /etc/drweb and /var/drweb. The subdirectories structure created in these directories is described below.

/opt/drweb - executable program modules of the Scanner (drweb) and the Daemon (drwebd).
/opt/drweb/lib/ - antivirus Engine in form of the loadable library (drweb32.dll).
/var/drweb/bases/*.vdb - database of known viruses.
/etc/drweb/drweb32.ini - configuration file.
/opt/drweb/lib/ru_daemon.dwl - language resource file.
/opt/drweb/doc/ - documentation.
  All the manuals are released as ordinary text files in English and Russian (KOI8-R encoding) languages.
/opt/drweb - updating module (a perl script "update.pl").
/opt/drweb/agent/ - meta-configuration files, necessary for Agent operation.
/var/drweb/infected/ - quarantine directory to which infected files are moved, if the corresponding reaction is set in the configuration file for detected infected or suspicious files.

2.2. Dr.Web(R) Daemon command line parameters

Like every UNIX program, Dr.Web Daemon supports command line parameters. They are separated from the specified path by white space and are prefixed by the hyphen ("-") symbol. To get the complete list of parameters, launch Daemon with -?, -h or -help parameters.

-ini= - use of alternative configuration file;
-lng= - use of alternative language file. If English interface has been chosen during installation, specify ru_daemon.dwl to display program messages in Russian language.
--foreground= - setting up Daemon operation mode at launch. If "Yes" value is specified, Daemon will work in foreground; with "No" value specified, Daemon will operate in daemon mode.
--check-only - checking validity of Daemon's configuration at start. If some command line parameters are also specified, their validity will be checked as well.
-a= - running Daemon in central protection mode.
--only-key - nothing but key file is received from the Control Agent at start.

2.3. Configuring Dr.Web(R) Daemon

Daemon can be used with default settings, but it is much more convenient to set it up according to your requirements and situations. Daemon settings are stored in the configuration file (drweb32.ini by default) which is located in /etc/drweb directory. To use another configuration file, specify its full path using the command line parameter, e.g.

    $ /opt/drweb/drwebd -ini=/usr/local/drweb/drwebd.ini

Configuration file is a text file, therefore it can be edited by any text editor.
It has the following structure:

--- Beginning of file ---
[Name of section 1]
Parameter1 = value1, ..., valueK
.....
ParameterM = value1, ..., valueK
......
[Name of section X]
Parameter1 = value1, ..., valueK
.....
ParameterY = value1, ..., valueK
--- end of file ---

If a line begins with the ";" or "#" symbol, it is considered to be a comment line. These lines are skipped when reading parameters from the configuration file.

If any parameter is commented out or not specified, it does not mean that this parameter has no value. In this case the hardcoded default value will be used. Only some parameters are optional or do not have default values. Every such case will be described separately.

Parameter values can be included in brackets (and must be included in brackets when they contain white spaces). Some parameters can have several values, with comma used as delimiter. If values are included in {}, then the parameter may take only one of the specified values.

Settings for Dr.Web Daemon module can be found in [Daemon] section of the main configuration file.

Parameters will be described as follows:

ParameterName = ParameterPseudoValue
    Parameter description
    {May have or not several values}
    Default value: {value | unspecified}

Parameters are described in the order they are presented in main configuration file.

EnginePath = {path to file, usual extension is *.dll}
    Location of drweb32.dll module (Engine). This parameter is also used by update utility.
    Default value: /opt/drweb/lib/drweb32.dll

VirusBase = {list of paths (masks) to files, usual extension is *.vdb}
    Masks for loading virus databases. This parameter is also used by update utility. Several masks can be listed.
    Default value: /var/drweb/bases/*.vdb,/var/drweb/bases/*.VDB

UpdatePath = {path to directory}
    This parameter is used by update utility (update.pl) and is mandatory.
    Default value: /var/drweb/updates

TempPath = {path to directory}
    Directory for Engine to create temporary files.
    Usually it is not used but sometimes is needed to unpack certain archives or when system is short of memory resources.
    Default value: /var/drweb/spool

Key = {path to file, usual extension is *.key}
    Key file location (license or demo).
    Default value: /opt/drweb/drweb32.key

PleskPublicKey = {path to file}
    Path to file with public RSA key for Plesk Software (this parameter is required only when using this software). It is recommended to use absolute paths; still, the relative paths are acceptable too.
    Default value: /etc/drweb/plesk.key

OutputMode = {Terminal | Quiet}
    Information output mode at launch: Terminal outputs to console, Quiet disables output.
    Default value: Terminal

RunForeground = {Yes | No}
    Disables/enables daemon mode for Dr.Web Daemon. With Yes value it can no longer act in the background without controlling terminal. This option can be used by certain monitoring utilities (i.e., daemontools).
    Default value: No

User = {user name}
    User account with appropriate rights to be used by Daemon. It is strongly recommended to create a separate "drweb" user account, which will be used by Daemon and filters. It is not recommended to run Daemon with root privileges, although it may take less time to set it up (especially with Samba servers). This parameter value cannot be changed when reloading configuration using SIGHUP.
    Default value: drweb

PidFile = {path to a file}
    Specified file contains Daemon pid and Unix-socket (if Socket parameter enables usage of unix-socket) or port number (if Socket parameter enables usage of TCP socket). If more than one Socket parameter is specified, this file will contain information on all the sockets (one per line). This file is created every time Daemon starts.
    Default value: /var/drweb/run/drwebd.pid

BusyFile = {path to a file}
    File where Daemon execution flag is stored. This file is created by a Daemon's child process upon a receipt of the corresponding command and removed after successful execution of this command.
    Filenames created by each Daemon child process are appended by a point and ASCIIZ representation of pid (e.g., /var/run/drwebd.bsy.123456).
    Default value: /var/drweb/run/drwebd.bsy

ControlAgent = {socket address}
    Agent address. If the value of OnlyKey parameter is set to No, then Daemon receives both key file and configuration file from Agent.
    Default value: local:/var/drweb/ipc/.agent

OnlyKey = {Yes | No}
    When enabled, only key file will be requested from Agent. Local configuration file will be used.
    Default value: No

ProcessesPool = {string}
    Process pool settings. At first, number of processes in a pool is defined:
    * auto - number of processes in a pool is automatically detected, depending on the current system load;
    * N - non-negative integer. At least N processes in a pool will be active, and new processes will be created as required;
    * N-M - positive integers, and M>=N. At least N processes in a pool will be active, and new processes will be created as required until the number of processes reaches M value.
    Further the following additional parameters can be specified:
    * timeout = {time in seconds} - if a process does not become active during the specified period of time, it is closed. This parameter does not affect the first N processes, which are waiting for requests infinitely.
      Default value: 120
    * stat = {yes|no} - statistics for processes in a process pool. If specified value is yes, pool statistics will be output to the log file.
      Default value: no
    * stop_timeout = {time in seconds} - maximum time for a working process to stop.
      Default value: 1

MailCommand = {command}
    Command used by Daemon and update utility for sending out notifications and information bulletins on new updates to user (administrator) via e-mail. If less than two weeks left until the key file (or one of the key files) expires, Daemon starts sending out notifications every time system launches, restarts or reboots.
    Default value: /usr/sbin/sendmail -i -bm -f drweb -- root

NotifyPeriod = {numeric value}
    This parameter value specifies the length of a period (in days) before the license expiration date, from the beginning of which Daemon starts sending out notifications of license renewal. When parameter value is set to 0, Daemon starts sending out notifications immediately after the key file expires.
    Default value: 14

NotifyFile = {path to file}
    File with a timestamp of last notification of license renewal. It is sent out to administrator after the key file expires.
    Default value: /var/drweb/.notify

NotifyType = {Once | Everyday | Ever}
    Frequency of dispatch of notifications about license expiration. Once - notification is sent only once. Everyday - notification is sent daily. Ever - notification is sent every time Daemon restarts or every time bases update.
    Default value: Ever

FileTimeout = {value in seconds}
    Maximum time for Daemon to perform a scan of one file.
    Default value: 30

StopOnFirstInfected = {Yes | No}
    Enables/disables termination of the process of message scan after the detection of first virus. Yes value may considerably reduce mail-server load and message scan time.
    Default value: No

ScanPriority = {value}
    Daemon process priority. Value must be within -20 (highest priority) to 20 (lowest priority) range. Please note that lowest priority value for Linux is 19.
    Default value: 0

FilesTypes = {extension list}
    File types to be checked "by type", i.e. when ScanFiles parameter (explained below) has ByType value. "*" and "?" symbols are allowed. This parameter can be multi-string (specified lists are summed up).
    Default value: empty

FilesTypesWarnings = {Yes | No}
    Enables/disables warning for unknown file types.
    Default value: Yes

ScanFiles = {All | ByType}
    Files to be checked after extraction from archive. ByType value enables scan of files with extensions specified either by default or in FilesTypes parameter (or parameters).
    Mode All is always enabled for mail messages. ByType value can be used only in local scan mode.
    Default value: All

CheckArchives = {Yes | No}
    Enables/disables extracting of files archived with ZIP (WinZip, InfoZIP, etc.), RAR, ARJ, TAR, GZIP, CAB and other archivers.
    Default value: Yes

CheckEMailFiles = {Yes | No}
    Enables/disables scanning mail messages.
    Default value: Yes

ExcludePaths = {list of paths (masks) to be excluded from scan}
    Masks for files which should not be checked.
    Default value: /proc,/sys,/dev

FollowLinks = {Yes | No}
    Enables/disables following symbolic links.
    Default value: No

RenameFilesTo = {mask}
    Mask for renaming infected or suspicious files using custom file extensions if action Rename is specified.
    Default value: "#??"
    First character of file extension will be replaced by "#" symbol, two subsequent characters will be preserved. If file has no extension, it will consist only of "#" symbol.

MoveFilesTo = {path to directory}
    Quarantine directory for transfer of infected files. This parameter is used only when Daemon is integrated with on-access scanner for Samba.
    Default value: /var/drweb/infected

BackupFilesTo = {path to directory}
    Directory for backup copies of infected files if requested action was Cure.
    Default value: /var/drweb/infected

LogFileName = {path to log file}
    Log file location. You can specify syslog as parameter value and logging will be carried out by syslogd system service. In this case SyslogFacility and SyslogPriority parameters (explained below) must be also specified. As syslog uses several files for logging various events of different importance, these two parameters and syslog configuration file (usually /etc/syslogd.conf) determine location where information is logged to.
    Default value: /var/drweb/log/drwebd.log

SyslogFacility = {Daemon | Local0 .. Local7 | Kern | User | Mail}
    Log type when syslogd system service is used.
    Default value: Daemon

SyslogPriority = {Alert | Warning | Notice | Info | Error}
    Log priority when syslogd system service is used.
    Default value: Info

LimitLog = {Yes | No}
    Enables/disables limit for log file size. Parameter is ignored when LogFileName = syslog. When current log file size exceeds MaxLogSize parameter value, log file is erased and started from scratch.
    Default value: No

MaxLogSize = {value in Kbytes}
    Maximum log file size. Can be used with LimitLog = Yes only.
    Default value: 512

LogScanned = {Yes | No}
    Enables/disables logging of information about all scanned objects (infected, suspicious and clean).
    Default value: Yes

LogPacked = {Yes | No}
    Enables/disables logging of additional information about files packed with DIET, PKLITE and other utilities.
    Default value: Yes

LogArchived = {Yes | No}
    Enables/disables logging of additional information about files archived with various archiving utilities.
    Default value: Yes

LogTime = {Yes | No}
    Enables/disables logging of timestamp for each record. Parameter is not used if LogFileName = syslog.
    Default value: Yes

LogProcessInfo = {Yes | No}
    Enables/disables logging of every scanning process pid and filter address (host name or IP) from which scanning has been activated. This data is placed before each record.
    Default value: Yes

RecodeNonprintable = {Yes | No}
    Nonprintable characters output mode for given terminal.
    Default value: Yes

RecodeMode = {Replace | QuotedPrintable}
    Decoding mode for nonprintable characters if RecodeNonprintable = Yes. Replace parameter value substitutes all nonprintable characters by RecodeChar parameter value (see below). QuotedPrintable parameter value converts all nonprintable characters to Quoted Printable format.
    Default value: QuotedPrintable

RecodeChar = {"?" | "_" | ...}
    Symbol to replace nonprintable characters if RecodeMode = Replace.
    Default value: "?"

Socket = {PORT [interfaces] | FILE [access]}
    Description of a socket used for communication with Daemon.
    Sockets can be specified in several ways. If it is necessary to specify several socket addresses in one string, you should use TYPE:ADDRESS format, where TYPE is the type of socket: inet - TCP socket, local or unix - UNIX socket.
    Example:
        Socket = inet:3000@127.0.0.1,local:%var_dir/.drwebd
    Also you can specify socket address in PORT [interfaces] | FILE [access] format. For a TCP socket, specify decimal port number (PORT) and the list of interface names or IP addresses for incoming requests (interfaces).
    Example:
        Socket = 3000 127.0.0.1, 192.168.0.100
    For UNIX sockets, specify socket name (FILE) and access permissions in octal form (access).
    Example:
        Socket = %var_dir/.drwebd 0660
    Default value: 3000, localhost /var/drweb/run/.daemon.

SocketTimeout = {value in seconds}
    Maximum time for data transfer via socket (file scanning time is not included).
    Default value: 10

The following parameters can be used to reduce archive scan time (some objects in archives will not be checked). If object falls under restrictions set by these parameters, ArchiveRestriction procedure is applied. ArchiveRestriction parameter value is specified in configuration files of various filters.

MaxCompressionRatio = {value}
    Maximum compression ratio, i.e. ratio of unpacked file size to packed file size (inside archive). If the ratio exceeds specified value, file will not be extracted and therefore will not be checked. Messages with such file will be treated as mail bomb.
    Default value: 500

CompressionCheckThreshold = {value in Kbytes}
    Minimum size of the file inside archive, beginning from which maximum compression ratio check will be performed (if it is specified by MaxCompressionRatio parameter value).
    Default value: 1024

MaxFileSizeToExtract = {value in Kbytes}
    Maximum unpacked size for the file in an archive. If unpacked size exceeds specified value the archive will not be scanned.
    Default value: 40960

MaxArchiveLevel = {value}
    Maximum archive nesting level.
    If archive nesting level exceeds specified value, the archive will not be scanned. If value is set to 0, nesting level will not be limited.
    Default value: 8

ClientsLogs = {list}
    Splitting the log files. If, after communicating with Daemon, a client uses the option to transfer its ID, the log file will be substituted with the file specified in this parameter. The log files are defined in the following way:
        :, :
    Client name may be one of the following:
        web - Dr.Web Icap
        smb_spider - Dr.Web Samba SpIDer
        mail - Dr.Web MailD
        drwebdc - console client for Dr.Web Daemon
    Log file definitions are delimited by comma or whitespace. No more than 4 definitions can be specified.
    Example:
        drwebdc:/var/drweb/log/drwebdc.log,smb_spider:syslog,mail:/var/drweb/log/drwebmail.log
    Also, if a client uses the option to transfer its ID, the scanning result will begin with a prefix defined by the client ID. The following prefixes are possible:
        - Dr.Web Icap
        - Dr.Web Samba SpIDer
        - Dr.Web MailD
        - console client for Dr.Web Daemon
    Default value:

MaxBasesObsolescencePeriod = {time}
    A maximum period of time (in hours) since the last update to consider virus databases up-to-date. After this period expires, a notification about obsolete virus databases is output to console. If the value of this parameter is set to 0, then update status of virus bases is not checked, and no notification is output.
    Default value: 24

MessagePatternFileName = {path to file}
    Path to template for message about license expiration. You can define expiration message according to your requirements. You can use variables that will be substituted for the following values:
        $EXPIRATIONDAYS - number of days left until the license expires;
        $KEYFILENAME - path to license key file;
        $KEYNUMBER - license number;
        $KEYACTIVATES - license activation date;
        $KEYEXPIRES - license expiration date.
    If there is no user-defined template, standard message in English will be used.
    Default value: /etc/drweb/msg.tmpl

2.4. Starting Dr.Web(R) Daemon

When Daemon is launched (with default settings) the following actions are taken:
- configuration file is located and loaded. If configuration file is not found, loading process terminates. Path to configuration file can be specified at startup, by the command line parameter -ini: {path/to/your/drweb32.ini}, or default value (/etc/drweb/drweb32.ini) can be used. At start several parameters get validated, and if a parameter value is not allowable, the default value is applied;
- language file is loaded from the location specified in configuration file. If language file is not found, all messages are displayed in English;
- log file is created. User account used by Daemon must have appropriate privileges to write to the directory where log file is situated. Please note that users have no write access to the default /var/log/ directory. If User parameter is specified, you must also redefine LogFileName parameter and provide alternative location;
- key file is loaded from the location specified in configuration file. If the key file is not found, loading process terminates;
- if User parameter is specified, Daemon will offer to create an appropriate user account (default value: drweb) and to use it with the rights provided;
- Engine (drweb32.dll) is loaded. If Engine is damaged or not found (errors in configuration file), loading process terminates;
- virus databases are loaded in arbitrary sequence from the location specified in configuration file. If virus databases are damaged or absent, loading process proceeds;
- Daemon enters daemon mode, so all information about loading problems can not be output to console and is written to log file;
- socket for interaction between Daemon and other Dr.Web Antivirus modules is created. When TCP-sockets are used, there can be several connections (loading continues if at least one connection is established).
  When unix-socket is used, Daemon's user account must have appropriate privileges to read from the directory containing this socket and write to it. User accounts for e-mail plugins must have execution access to the directory itself and write and read access to the socket file. Please note that users have no write or execution access to the default /var/run/ directory. If User parameter is specified, you must also redefine Socket parameter and provide alternative location. If socket can not be created, Daemon loading stops;
- pid-file with Daemon PID information and transport addresses is created. User account used by Daemon must have appropriate privileges to write to the directory containing pid-file. Please note that users have no write access to the default /var/run/ directory. If User parameter is specified, you must also redefine PidFile parameter and provide alternative location. If pid-file is not created, loading process terminates.

2.5. Verifying availability of Dr.Web(R) Daemon

If no evident problems have occurred during load, Daemon is ready to work. To make sure Daemon was loaded correctly, run netstat -a to check whether all necessary sockets were created.
If TCP sockets are used:

--- cut ---
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:3000          *:*                     LISTEN
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     384    /dev/gpmctl
unix  0      [ ]         STREAM     CONNECTED     190    @0000001b
unix  1      [ ]         STREAM     CONNECTED     1091   @00000031
unix  0      [ ACC ]     STREAM     LISTENING     403    /tmp/.font-unix/fs7100
unix  4      [ ]         DGRAM                    293    /dev/log
unix  1      [ ]         STREAM     CONNECTED     1092   /dev/gpmctl
unix  0      [ ]         DGRAM                    450
unix  0      [ ]         DGRAM                    433
unix  0      [ ]         DGRAM                    416
unix  0      [ ]         DGRAM                    308
--- cut ---

If unix-sockets are used:

--- cut ---
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  0      [ ACC ]     STREAM     LISTENING     384    /dev/gpmctl
unix  0      [ ]         STREAM     CONNECTED     190    @0000001b
unix  1      [ ]         STREAM     CONNECTED     1091   @00000031
unix  0      [ ACC ]     STREAM     LISTENING     1127   /opt/drweb/run/drwebd.skt
unix  0      [ ACC ]     STREAM     LISTENING     403    /tmp/.font-unix/fs7100
unix  4      [ ]         DGRAM                    293    /dev/log
unix  1      [ ]         STREAM     CONNECTED     1092   /dev/gpmctl
unix  0      [ ]         DGRAM                    450
unix  0      [ ]         DGRAM                    433
unix  0      [ ]         DGRAM                    416
unix  0      [ ]         DGRAM                    308
--- cut ---

If output to console differs from the result given above and any of the sockets from the list is missing, some errors have occurred during load.

To run functional test and obtain service information use console client for Daemon (drwebdc).

If TCP sockets are used:
    $ drwebdc -nHOSTNAME -pPORTNUM -sv -sb
If unix-socket is used:
    $ drwebdc -uSOCKETFILE -sv -sb

Client's output to console must contain all the parameters supported. The following information must appear:

--- cut ---
- Version: DrWeb Daemon 6.02
- Loaded bases:
Base /var/drweb/bases/drwtoday.vdb contains 5 records.
Base /var/drweb/bases/drw50003.vdb contains 409 records.
Base /var/drweb/bases/drw50002.vdb contains 543 records.
Base /var/drweb/bases/drwebase.vdb contains 51982 records.
Base /var/drweb/bases/drw50001.vdb contains 364 records.
Total 53303 virus-finding records.
--- cut ---

If output to console differs from the result given above, try to run drwebdc in enhanced diagnostic mode.

If TCP sockets are used:
    $ drwebdc -nHOSTNAME -pPORTNUM -sv -sb -v
If unix-socket is used:
    $ drwebdc -uSOCKETFILE -sv -sb -v

More detailed output may clarify the situation:

--- cut ---
dwlib: fd: connect() failed - Connection refused
dwlib: tcp: connecting to 127.0.0.1:3300 - failed
dwlib: cannot create connection with a DrWeb daemon
ERROR: cannot retrieve daemon version
Error -12
--- cut ---

Open readme.eicar.rus test file from distribution package and follow instructions to make eicar.com program in text editor. Then try to scan it with Daemon.

If you have license for mail servers with 50 and more addresses:
For TCP sockets:
    $ drwebdc -nHOSTNAME -pPORTNUM -e eicar.com
For unix-socket:
    $ drwebdc -uSOCKETFILE -e eicar.com

If you have license for mail servers with 15 or 30 addresses:
For TCP sockets:
    $ drwebdc -nHOSTNAME -pPORTNUM -e -FEMAIL_ADDRESS -REMAIL_ADDRESS eicar.com
For unix-socket:
    $ drwebdc -uSOCKETFILE -e -FEMAIL_ADDRESS -REMAIL_ADDRESS eicar.com
where EMAIL_ADDRESS is one of addresses from email.ini.

If you have license for file servers or internet-gateways:
For TCP sockets:
    $ drwebdc -nHOSTNAME -pPORTNUM eicar.com
For unix-socket:
    $ drwebdc -uSOCKETFILE eicar.com

Output to console must contain the following information:

--- cut ---
Results: daemon return code 0x20 (known virus is found)
--- cut ---

If diagnostics failed and no output appeared, check Daemon log file for the record on the event. If there is no record, try to run drwebdc in enhanced diagnostic mode.

If you receive the same output that is given above, Daemon is ready to work.

2.6. Check modes of the Dr.Web(R) Daemon

Dr.Web Daemon has two major scanning modes:
- scanning chunks of data received from socket;
- scanning files on disk (local scan).

In the first mode Daemon receives from socket chunks of data for scan. They can be named or anonymous (this will affect only the way records are made in Daemon log file). Daemon can perform scan of any chunk of data received from socket, even a file.

In the second mode Daemon performs scan of the selected file on disk. Two major advantages of local scan mode are increased productivity and simplicity.

Local scan mode is much more efficient. Console client or mail filter sends Daemon only a path to file, not the whole file. Since clients can be located on different computers, the path must be specified with regard to the actual location of Daemon.

Besides that, usage of this mode simplifies creation and deployment of reliable solutions for content scan and curing of infected files (e.g. on file servers).

Please note that local scan mode requires more accurate adjustment of user rights. Daemon must have read access to each file specified. If you run Daemon on mail server with Cure and Delete options enabled, you must allow write access as well.

Usage of Daemon with mail servers requires special attention because mail filters usually act on behalf of the mail system and use its rights. In local scan mode mail filter usually creates a file with the message received from the mail system and provides Daemon a path to it. At this point you must carefully specify access rights to the directory where filters create appropriate files. We recommend either to include user whose rights are used by Daemon into the mail subsystem group, or to run Daemon with the rights of the mail system user.

Properly adjusted system doesn't require Daemon to use root privileges.

2.7. Package registration. License key file

User rights for using Dr.Web products are controlled by special file called license key file.
The license key file contains the following information:
- list of Dr.Web components licensed to user;
- licensed versions of Dr.Web products;
- license expiration date;
- other restrictions (for example, number of protected PCs).

The license key file has the *.key extension and by default must be placed in the directory for Dr.Web executable files.

The license key file is digitally signed to prevent editing. An edited license key file becomes invalid. To avoid accidental corruption, it is not recommended to open your license key file in a text editor.

Users who have purchased Dr.Web products from Dr.Web certified partners obtain the license key file. The parameters of the key file are specified according to the license the user has paid for. The license key file contains the name of the user (or a company name), and the name of the selling company.

For evaluation purposes users may also obtain a demo key file. It gives the user the full functionality of the Dr.Web products, but has a limited term of use, and no technical support is provided.

The license key file may be supplied as a file with the *.key extension, or as a zip archive containing the license key file.

The license key file may be received in one of the following ways:
- Sent by e-mail as a zip archive containing the license key file with *.key extension (usually after registration on the web site). Extract the license key file using the appropriate archiving utility and place it in the /opt/drweb directory.
- Included into the distribution package.
- Supplied on a separate media as a file with *.key extension. In this case the user must copy it manually to the /opt/drweb directory.

The license key file is sent to the user via e-mail, usually after registration on the web site (the web site location is specified in the registration card accompanying the product). Visit the site, fill in the web form with your customer data and submit your registration serial number (printed on the registration card). The license key file will be sent to the e-mail address specified.

It is recommended to keep the license key file until it expires, and to use it when reinstalling or repairing a Dr.Web product installation. If the license key file is lost, it can be recovered by re-registration at the web site. In this case you must use the same product serial number and customer data that you used during the first registration; only the e-mail address can be changed (in this case the license key file will be sent to the new e-mail address).

Registration with the same product serial number can be performed up to 25 times. If you need to recover a lost license key file after the 25th registration, you must make a request for license key file recovery on http://support.drweb.com/request/, and also specify all data used during previous registrations, a valid e-mail address and a detailed description of the situation. The license key file will be sent to you by the technical support service using the e-mail address specified.

The path to the license key files must be specified in the Key parameter value in the corresponding section of the configuration file (drweb32.ini). For example,
  Key = /opt/drweb/drweb32.key

If the license key file specified in the Key parameter value in the [Daemon] section cannot be read (wrong path, permission denied), or is expired, blocked or invalid, Daemon tries to find installed Plesk Software. In this case it works in trial mode and protects only 15 (or fewer) e-mail addresses received from Plesk. Otherwise Daemon will return the DERR_LICENSE_ERROR error code when trying to scan files. Daemon terminates.

When less than two weeks is left until license expiration, Daemon notifies the user via e-mail. Messages are sent at Daemon startup, restart or reload for every license key file installed. To enable this option you must set up the MailCommand parameter in the [Daemon] section of the drweb32.ini file.

Daemon can use several license key files simultaneously. For each of them a Key parameter value in the [Daemon] section of the drweb32.ini file must be specified.
For example,
  Key = /opt/drweb/drwebFS.key
  Key = /opt/drweb/drwebMS.key
  Key = /opt/drweb/drwebGW.key

In this case Daemon merges, where possible, the license rights from all available license key files.

Please note that it is impossible to use license key files for address and traffic licenses simultaneously.

2.8. Updating programs and virus bases

Dr.Web program components require regular updating. For successful operation of the antivirus and traffic filtering modules, the virus bases of known viruses and the content-specific black and white lists must be updated regularly.

For automatic receipt and installation of the virus bases, add-ons and content-specific black and white lists, the updating module Dr.Web Updater must be used, from the directory containing the package executable files:
  $ /opt/drweb/update.pl

For details on setup and configuration of this module, please refer to the corresponding documentation (readme.updater).

3. CONTACTS

The Dr.Web program is under continuous development. For news and information about updates, please visit our web site:
http://www.drweb.com

Marketing dept.: http://buy.drweb.com
e-mail: sales@drweb.com

Support: http://support.drweb.com
e-mail: support@drweb.com

Please include the following information in your problem report:
- full name and version of your UNIX distribution;
- Dr.Web version that is logged during program start;
- versions of applications and filters the Dr.Web Daemon is integrated with;
- configuration files of the daemon and the applications the Dr.Web Daemon is integrated with;
- log files of the daemon, filters and other applications the Dr.Web Daemon is integrated with.
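
The EICAR check described before section 2.6 can be scripted. The following is an added example, not part of the Dr.Web distribution: it reads drwebdc console output and reports one verdict. The function names, the verdict words and the 0x0 sample are assumptions made for this example; the other two samples are the excerpts quoted in this manual.

```shell
#!/bin/sh
# Added example (not Dr.Web code): classify drwebdc output from the EICAR test.
# Real use, with the options shown in this manual:
#   drwebdc -nHOSTNAME -pPORTNUM eicar.com 2>&1 | classify_drwebdc_output

# classify_drwebdc_output: read drwebdc output on stdin, print one verdict.
classify_drwebdc_output() {
    out=$(cat)
    # Expected line: "Results: daemon return code 0x20 (known virus is found)"
    code=$(printf '%s\n' "$out" |
        sed -n 's/.*daemon return code \(0x[0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    if [ "$code" = "0x20" ]; then
        echo "READY"                   # EICAR was detected, Daemon is ready
    elif [ -n "$code" ]; then
        echo "UNEXPECTED_CODE $code"   # Daemon answered but did not flag EICAR
    elif printf '%s\n' "$out" |
            grep -q 'cannot create connection with a DrWeb daemon'; then
        echo "NO_CONNECTION"           # wrong host/port/socket or Daemon is down
    elif [ -z "$out" ]; then
        echo "NO_OUTPUT"               # check the Daemon log, then rerun with -v
    else
        echo "UNKNOWN"
    fi
}

# Sample taken from the expected-result excerpt in this manual.
sample_detected() {
    echo "Results: daemon return code 0x20 (known virus is found)"
}

# Sample taken from the enhanced-diagnostics excerpt in this manual.
sample_refused() {
    cat <<'EOF'
dwlib: fd: connect() failed - Connection refused
dwlib: tcp: connecting to 127.0.0.1:3300 - failed
dwlib: cannot create connection with a DrWeb daemon
ERROR: cannot retrieve daemon version
Error -12
EOF
}

# Constructed sample: a return code other than 0x20 (value is illustrative).
sample_other_code() {
    echo "Results: daemon return code 0x0"
}
```

Any verdict other than READY means the smoke test did not pass and the diagnostics steps above apply.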
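
Section 2.7 names a wrong path and denied permission as reasons a key file fails to load. The following added example (not part of the Dr.Web distribution) lists every Key entry in the [Daemon] section of drweb32.ini and checks that each file exists and is readable. The function names, status words and the [Other] section in the sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Dr.Web code): pre-flight check of [Daemon] Key entries.
# Run it as the account the Daemon runs under: [ -r ] tests the caller's
# rights, and for root every existing file looks readable.

# daemon_keys INI: print the value of every Key line inside [Daemon].
daemon_keys() {
    awk '
        /^[ \t]*\[/ { in_daemon = ($0 ~ /^[ \t]*\[Daemon\][ \t]*$/); next }
        in_daemon && /^[ \t]*Key[ \t]*=/ {
            sub(/^[ \t]*Key[ \t]*=[ \t]*/, "")
            sub(/[ \t\r]+$/, "")
            print
        }
    ' "$1"
}

# check_keys INI: one status line per key file; returns 0 only if all are OK.
check_keys() {
    bad=0
    keys=$(daemon_keys "$1")
    [ -n "$keys" ] || { echo "NO_KEY_ENTRIES $1"; return 2; }
    while IFS= read -r k; do
        if [ ! -e "$k" ]; then echo "MISSING $k"; bad=1
        elif [ ! -r "$k" ]; then echo "UNREADABLE $k"; bad=1
        else echo "OK $k"
        fi
    done <<EOF
$keys
EOF
    return "$bad"
}

# make_sample DIR: write a constructed drweb32.ini and one key file into DIR.
# drwebMS.key is deliberately absent; [Other] is a made-up section name.
make_sample() {
    : > "$1/drwebFS.key"
    cat > "$1/drweb32.ini" <<EOF
[Daemon]
Key = $1/drwebFS.key
Key = $1/drwebMS.key
[Other]
Key = $1/ignored.key
EOF
}

# Stand-alone use: sh check_keys.sh /path/to/drweb32.ini
[ $# -eq 0 ] || check_keys "$1"
```

The check covers only path and read permission; it cannot tell whether a key is expired, blocked or has an invalid signature.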