On-Access Scanning

On-access scanning refers to the process of scanning files as they are accessed by users of the system. Powertech Antivirus includes a service, avsvc, that allows you to do this.

The avsvc server provides on-access scanning for viruses and malicious code. The server is not running after first installation. Decide on the server configuration first, then start the server and (optionally) enable it to start at boot. Use the avsvcctl command to start, stop, and manage the other functions of the service as described below.

Commands for troubleshooting on-access scanning are described under avsvccfg Command and avsvcinfo Command.

WARNING: Prior to scanning, ensure you have acquired the latest virus definitions from McAfee (see Updating Virus Definitions). If you attempt to scan without updating to the latest virus definitions, Powertech Antivirus will perform the scan, but without the code required to identify the latest threats.

avsvcctl command

Name

avsvcctl - Powertech Antivirus service helper.

Synopsis

avsvcctl [-j] [status | statistics | log | install | uninstall | enable | disable | start | stop | restart | reload | help]

Description

The avsvcctl command can be used to control and monitor the anti-virus service.

Options

-j     

Show the output in JSON format, where possible. Currently this is only supported for status and statistics commands.

status 

Shows the running status of the anti-virus service.

statistics

Show scanning performance measures for the service.

log    

Display the latest entries in the avsvc.log file.

install

Install the anti-virus service control file into the system area. Note that this will overwrite anything already in place. This option can only be run by the root user.

uninstall

Remove the anti-virus service control file from the system area. Note that this will also stop the service and disable it from starting at boot. This option can only be run by the root user.

enable 

Set the anti-virus service to start during system boot. Note that this will install the service control file, if necessary. This option can only be run by the root user.

disable

Prevent the anti-virus service from starting during system boot. This option can only be run by the root user.

start  

Start the anti-virus service. Note that this will install the anti-virus service control file, if necessary. This option can only be run by the root user.

stop 

Stop the anti-virus service. This option can only be run by the root user.

restart

Restart the anti-virus service. Note that this will install the service control file, if necessary. This option can only be run by the root user.

reload 

Reload (reconfigure) the anti-virus service. This option can only be run by the root user.

help   

Show this manual page.

Exit Status

On success, 0 is returned, a non-zero failure code otherwise.

avsvc command

Use this command to troubleshoot on-access scanning. For more troubleshooting options, see avsvccfg Command and avsvcinfo Command.

Name

avsvc - Server to monitor file systems for viruses and malicious code.

Synopsis

avsvc [-h] [-V] [-D] [-d] [-c command]

Description

The avsvc server provides on-access scanning for viruses and malicious code.

The server should not be started directly, use the avsvcctl command to control the service.

Options

-h Show this manual page.

-V Parse configuration files to produce a validation report. The program will subsequently exit.

-D Do not daemonize the server. The default is to daemonize.

-d Run in foreground debug mode. Log messages at INFO level and higher are shown in the terminal screen. DEBUG level is enabled, and all log messages are sent to the log file: log/avsvc.log. This option should only be used if directed by a support representative.

-c command

Ask that a running server perform an operation. See Commands below.

Server Configuration

The server takes configuration from the file config.ini which can be found in the product install directory. The configuration options are contained in the [avsvc] group.

Configuration will be re-read if the service is sent a SIGHUP signal.

Service Settings

These settings are in the [avsvc] group. The avconfig command can be used to manipulate this file.

access 

On-access scanning type. Valid values are open, which will result in files being scanned when users attempt to open the file, opnclo, which will result in files being scanned when users attempt to open or close the file, or none, which will disable on-access scanning. The default is open.

include

A colon-delimited list of path names to be included for on-access scanning. A file that exists below any of those path names will be subject to scanning unless the file path name is covered by an exclude path.

exclude

A colon-delimited list of path names to be excluded from on-access scanning. The exclude paths take precedence over include paths. A file that exists below any of those path names will not be subject to scanning.

threads

The number of threads to be allocated for use by the on-access scanner. This can be an integer value between 2 and 32. The default is 6. The service must be restarted to change this value.

maxwait

The maximum amount of time in seconds the scanner should spend scanning a single file or archive before timing out. After the specified number of seconds the scan is abandoned, the file is allowed to be opened, and the file's scan status remains unchanged; in other words, a scan that times out does not block access. This can be an integer value between 0 and 3600. A value of 0 disables the timeout. The default is 300 seconds.

delay  

The amount of time in microseconds the scanner should pause with each progress beat from a scanning operation. This can be used as a simple CPU limiting technique for certain use cases. It should not be enabled when operating system files are included in the monitoring paths. This can be an integer value between 0 and 999999. The default value of 0 disables the feature.

nice 

Sets the runtime scheduling priority of the service. This can be a value between -20 (highest priority) and 19 (lowest priority). The default is 0 (no change in priority). The service must be restarted to change this value.

clean  

Specifies if the engine should attempt to remove the virus from the file. If the file cannot be cleaned, the cleanfail option provides a secondary choice. Set to yes to enable, or no to disable. The default is yes.

cleanfail

Action if not cleaned. Valid values are quarantine, delete, none. The default is quarantine. Quarantined files are stored under /Quarantined.

heuristic

Include heuristic analysis to find new viruses. When you use heuristic analysis the scanning engine employs heuristic technology to detect potentially unknown viruses in executable files (programs). Without this option, the engine can only find viruses that are already known and identified in the current virus definition files. Valid values are yes, no. The default is yes.

macro  

Specifies if you want to treat embedded macros that have code resembling a virus as if they were viruses. This parameter is similar to Heuristic analysis but scans for new viruses in compound document formats; for example, Microsoft OLE formats such as Word documents. Valid values are yes, no. The default is yes.

programs

Specifies if you want scanning activities to include detection of some widely available applications, such as password crackers or remote access utilities that can be used maliciously or pose a security threat. Valid values are yes, no. The default is no.

archives

Specifies if you want scanning activities to include archive files. Archive files contain embedded files and usually end with one of the following extensions: .ZIP, .TAR, .CAB, .LZH, .JAR and .UUE. This option will also permit scanning of MSCompress files. Valid values are yes, no. The default is yes.

files  

Specifies the type of files to include in scanning activities. Valid values are dft, all, allmacro. The default, dft, scans only the file types that are most susceptible to virus infection. The value all scans every file; it is the slowest option but provides the best protection. The value allmacro extends the default scan with an examination of files to determine whether they contain known macro viruses, and is faster than all.

mime   

Specifies if you want to scan inside MIME-encoded files, UU-encoded files, XX-encoded files and BinHex files. Valid values are yes, no. The default is no. Note that to enable this option, the files option must be set to all.

mount 

[Linux only] A colon-delimited list of mount points for filesystems that are to be monitored for on-access scanning. It provides the means to explicitly set which filesystems will be monitored by fanotify(7). The default is an empty list. Note that a filesystem will only be monitored if its type does not appear in the internal list of known unsupported filesystem types and is not listed in the fsexcl setting. Note also that the decision to scan a file remains subject to the include and exclude criteria.

fsexcl 

A colon-delimited list of filesystem type names that are to be excluded from monitoring. The default is an empty list. Note that the decision to scan a file will still be subject to include and exclude criteria.

On Linux, this is used to limit which filesystems will be monitored by fanotify(7), and complements the internal list of filesystem types that we know cannot be monitored. The names are those from the third column of /proc/mounts, see proc(5).

On AIX, the names are those from the first column of /etc/vfs, see vfs(4). The name remote can be used to select all names in /etc/vfs that are marked as remote.

notify 

A comma-delimited list of notifier names to be used to report events. See the avconfig page for more information on notifiers.

Filesystem Cache Configuration

The filesystem cache is used to increase performance by reducing the need to repeatedly scan files that have not changed since the last time they were scanned. The options for this feature are set using these values: fscache, fscacheage, fscacheidle, and fscachesize.

Note that expiry of cache data occurs hourly. The procedure prunes the cache using one or more of fscacheage, fscacheidle, and fscachesize parameters, if enabled, and in that order.

fscache

Set to yes to enable, or no to disable the cache. The default is yes.

fscacheage

A time to live for an unchanged object in the cache. If the object record has not been re-scanned in that time, it will be removed from the cache. This is expressed in minutes, and can be an integer value between 0 and 999999. The default is 0, which disables the feature.

fscacheidle

A time to live for a cache object that has not been re-scanned (changed) or queried (hit). This is expressed in minutes, and can be an integer value between 0 and 999999. The default is 0, which disables the feature.

fscachesize

A maximum size for a single filesystem cache. There is one cache per filesystem. The cache expiry operation will reduce the cache to this maximum size, expelling the oldest unchanged objects first. This is expressed as the number of files in the cache, and can be an integer value between 0 and 999999999. The default is 0, which disables the feature.
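The following is an added example, not product code, that simulates one hourly expiry pass over constructed cache entries so the interaction of fscacheage, fscacheidle and fscachesize can be seen. Two details are assumptions of this example: a time to live expires once the elapsed time reaches the limit, and "oldest unchanged objects first" is taken to mean the lowest last-scan time. Times are in minutes.

```python
"""Simulate the hourly expiry pass of the avsvc filesystem cache.

Added example, not product code. It applies the three documented pruning
rules in the documented order (fscacheage, then fscacheidle, then
fscachesize). Assumed: a TTL expires once the elapsed time reaches the
limit, and 'oldest unchanged objects first' means lowest last-scan time.
Times are minutes; the SAMPLE entries are constructed.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    scanned: int  # minute of the last (re)scan, i.e. the last observed change
    hit: int      # minute of the last cache query (hit) for this object


def expire(entries, now, fscacheage=0, fscacheidle=0, fscachesize=0):
    """Return the entries that survive one expiry pass at minute `now`.
    A value of 0 disables the corresponding rule, matching the documented defaults."""
    live = list(entries)
    if fscacheage > 0:   # not re-scanned within the TTL
        live = [e for e in live if now - e.scanned < fscacheage]
    if fscacheidle > 0:  # neither re-scanned nor queried within the TTL
        live = [e for e in live if now - max(e.scanned, e.hit) < fscacheidle]
    if fscachesize > 0 and len(live) > fscachesize:
        live.sort(key=lambda e: e.scanned, reverse=True)  # newest scan first
        live = live[:fscachesize]                          # drop the oldest
    return live


def surviving_paths(entries, now, **limits):
    """Sorted paths left in the cache after expire() with the given limits."""
    return sorted(e.path for e in expire(entries, now, **limits))


SAMPLE = [  # constructed cache contents, evaluated at minute 600
    Entry("/srv/a.bin", scanned=0, hit=590),
    Entry("/srv/b.bin", scanned=500, hit=500),
    Entry("/srv/c.bin", scanned=580, hit=599),
    Entry("/srv/d.bin", scanned=300, hit=599),
    Entry("/srv/e.bin", scanned=560, hit=560),
]

if __name__ == "__main__":
    print("age only  :", surviving_paths(SAMPLE, 600, fscacheage=400))
    print("idle only :", surviving_paths(SAMPLE, 600, fscacheidle=50))
    print("all three :", surviving_paths(SAMPLE, 600, fscacheage=400,
                                         fscacheidle=50, fscachesize=2))
```

Note that a frequently hit but never re-scanned object (a.bin) survives an idle limit but not an age limit, and that the size limit only applies after the two time-based rules have run.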

Example Server Configuration

[avsvc]
access=open
include=/
exclude=/dev:/run
threads=8
maxwait=300
clean=yes
cleanfail=quarantine
programs=yes
archives=no
fscache=yes
fscachesize=1000000
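The following is an added example, not Powertech Antivirus code, that checks an [avsvc] group against the ranges, enumerations and dependencies documented under Service Settings (threads, maxwait, delay, nice, the fscache limits, access, cleanfail, files, the yes/no switches, mime requiring files=all, and delay with operating-system paths monitored), and resolves whether a given path falls under on-access scanning with exclude taking precedence over include. The list of operating-system directories used for the delay warning is an assumption of the example; PAGE_CONFIG is the Example Server Configuration above.

```python
"""Validate an [avsvc] group of config.ini and resolve include/exclude for a path.

Added example for this page, not product code. Ranges and enumerations are
those documented under Service Settings. OS_PATHS (used for the 'delay'
warning) is an assumption of this example.
"""
import configparser

# Documented integer settings: (minimum, maximum).
INT_RANGES = {
    "threads": (2, 32), "maxwait": (0, 3600), "delay": (0, 999999),
    "nice": (-20, 19), "fscacheage": (0, 999999),
    "fscacheidle": (0, 999999), "fscachesize": (0, 999999999),
}
# Documented enumerated settings.
ENUMS = {
    "access": {"open", "opnclo", "none"},
    "cleanfail": {"quarantine", "delete", "none"},
    "files": {"dft", "all", "allmacro"},
}
YES_NO = ("clean", "heuristic", "macro", "programs", "archives", "mime", "fscache")
# Assumed operating-system directories; delay is documented as unsuitable
# when OS files are inside the monitored paths.
OS_PATHS = ("/bin", "/sbin", "/lib", "/usr", "/etc", "/boot")

# The Example Server Configuration from this page.
PAGE_CONFIG = """\
[avsvc]
access=open
include=/
exclude=/dev:/run
threads=8
maxwait=300
clean=yes
cleanfail=quarantine
programs=yes
archives=no
fscache=yes
fscachesize=1000000
"""


def load(ini_text):
    """Return the [avsvc] section, or None if it is absent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    return cfg["avsvc"] if cfg.has_section("avsvc") else None


def _paths(value):
    return [p for p in value.split(":") if p]


def _under(path, prefix):
    """True if path equals prefix or lies below it; '/' covers every path."""
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


def _covered(path, includes, excludes):
    """Exclude paths take precedence over include paths, as documented."""
    if any(_under(path, e) for e in excludes):
        return False
    return any(_under(path, i) for i in includes)


def validate(ini_text):
    """Return a list of problems; an empty list means the group is acceptable."""
    s = load(ini_text)
    if s is None:
        return ["missing [avsvc] group"]
    problems, ints = [], {}
    for key, (lo, hi) in INT_RANGES.items():
        if key not in s:
            continue
        try:
            ints[key] = int(s[key])
        except ValueError:
            problems.append(f"{key}: '{s[key]}' is not an integer")
            continue
        if not lo <= ints[key] <= hi:
            problems.append(f"{key}: {ints[key]} outside {lo}..{hi}")
    for key, allowed in ENUMS.items():
        if key in s and s[key] not in allowed:
            problems.append(f"{key}: '{s[key]}' not one of {sorted(allowed)}")
    for key in YES_NO:
        if key in s and s[key] not in ("yes", "no"):
            problems.append(f"{key}: '{s[key]}' must be yes or no")
    # Documented dependency: mime scanning needs files=all.
    if s.get("mime") == "yes" and s.get("files", "dft") != "all":
        problems.append("mime=yes requires files=all")
    # Documented caveat: do not throttle with delay while OS files are monitored.
    if ints.get("delay", 0) > 0:
        inc, exc = _paths(s.get("include", "")), _paths(s.get("exclude", ""))
        if any(_covered(p, inc, exc) for p in OS_PATHS):
            problems.append("delay>0 while operating-system paths are monitored")
    return problems


def should_scan(ini_text, path):
    """Would on-access scanning consider this path under access/include/exclude?"""
    s = load(ini_text)
    if s is None or s.get("access", "open") == "none":
        return False
    return _covered(path, _paths(s.get("include", "")), _paths(s.get("exclude", "")))
```

Run validate() on the file before avsvcctl start or reload; a non-empty list is a reason not to load the configuration. should_scan() is useful when deciding whether an exclude path is wider than intended, since anything below an exclude is never scanned regardless of the include list.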

Logging Configuration

Logging is controlled through the file zlog-avsvc.conf in the product directory.

The config rules are used when the server is run with the -V option.

The debug rules are used when the server is run with the -d option.

Otherwise the avsvc rules are used.

For more information on zlog, visit https://hardysimpson.github.io/zlog/UsersGuide-EN.html.

Commands

The avsvc executable can also be used to request information or operations from a running server, through use of the -c option. The following commands are available:

status 

Show the status of the server: running or inactive. The exit code will be 0 for a running server, or 1 if it is inactive.

info 

Show versions, virus handling counts and internal server statistics.

Performance Considerations

When applications open files that require scanning, there is a delay while the system completes the scan. For most files, the scanning takes only a fraction of a second. However, large files, archive files, and compressed files can take several seconds or minutes.

Once a file has been scanned by the on-access service, the scan result is stored in a cache for the file system if the file system cache has been enabled for the service. The cache is consulted the next time the file is accessed, and if it has not been modified, it will not require scanning again and access will be faster. The cache is cleared completely upon on-access service exit, update of virus definitions, or significant changes to service configuration. Individual items in the cache are also subject to size and time-to-live constraints and are configured in the service configuration.

Archive scanning takes additional CPU resources, and can be disabled. Please note that many viruses arrive in the form of .zip archive files.

Troubleshooting

If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at https://home.mcafee.com/virusinfo.

Recommendations

  • Virus definitions are released daily. Be sure to keep the database up-to-date using the avupdate tool (see Updating Virus Definitions).
  • Java runtimes contain many .jar files that can take a long time to scan. This can cause a noticeable delay when starting Java applications. Consider running a simple file access command to pre-load scan results for these files into the service cache after a virus database update, service restart, or other live configuration change. For example:
    find /usr -type f -name \*.jar -exec file {} \; >/dev/null

Example Messages

The following log messages are from the on-access service log (avsvc.log).

  1. Example of an infected file being detected, unable to be cleaned, and quarantined (clean=yes, cleanfail=quarantine):
    2018-04-20 15:21:19 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
    2018-04-20 15:21:19 WARN [39998:avsutil.c:369] quarantined file /mnt/extra/testing/eicar.com
  2. Example of an infected file being detected, unable to be cleaned, and removed (clean=yes, cleanfail=delete):
    2018-04-20 15:17:29 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
    2018-04-20 15:17:29 INFO [39998:avsutil.c:382] file /mnt/extra/testing/eicar.com deleted
  3. Example of an infected file being detected twice in report-only mode (clean=no). The second message indicates it was not scanned on the second file access, the cached value was used:
    2018-04-20 15:19:42 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
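The following is an added example, not product code, that parses avsvc.log lines of the three shapes shown above and reports which detections ended without a quarantine or delete action, which is the list an operator has to follow up by hand when the service runs with clean=no or when cleanup fails. SAMPLE_LOG is constructed from the page's messages; the additional paths, timestamps and the two trailing lines are made up for illustration.

```python
"""Parse avsvc.log lines and report detections that ended without containment.

Added example, not product code. The three message shapes are those shown
under Example Messages on this page; SAMPLE_LOG is constructed from them.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[(?P<pid>\d+):(?P<src>[^\]]+)\] (?P<msg>.*)$")
VIRUS_RE = re.compile(r"^VIRUS: '(?P<path>.+)' is INFECTED with '(?P<name>.+)'$")
QUARANTINE_RE = re.compile(r"^quarantined file (?P<path>.+)$")
DELETE_RE = re.compile(r"^file (?P<path>.+) deleted$")

SAMPLE_LOG = """\
2018-04-20 15:17:29 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
2018-04-20 15:17:29 INFO [39998:avsutil.c:382] file /mnt/extra/testing/eicar.com deleted
2018-04-20 15:19:42 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar2.com' is INFECTED with 'EICAR test file'
2018-04-20 15:19:50 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar2.com' is INFECTED with 'EICAR test file'
2018-04-20 15:21:19 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar3.com' is INFECTED with 'EICAR test file'
2018-04-20 15:21:19 WARN [39998:avsutil.c:369] quarantined file /mnt/extra/testing/eicar3.com
2018-04-20 15:22:00 INFO [39998:avsutil.c:100] constructed unrelated message
this line is not in the log format and is skipped
"""


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """One record per infected path, in first-seen order.

    action is 'deleted', 'quarantined', or 'none' (report-only mode, or the
    configured cleanfail action never appeared in the log)."""
    records = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := VIRUS_RE.match(msg)):
            r = records.setdefault(m["path"], {
                "path": m["path"], "name": m["name"],
                "first_seen": rec["ts"], "hits": 0, "action": "none"})
            r["hits"] += 1
        elif (m := QUARANTINE_RE.match(msg)) and m["path"] in records:
            records[m["path"]]["action"] = "quarantined"
        elif (m := DELETE_RE.match(msg)) and m["path"] in records:
            records[m["path"]]["action"] = "deleted"
    return list(records.values())


def unresolved(text):
    """Paths reported infected but never quarantined or deleted."""
    return [r["path"] for r in summarize(text) if r["action"] == "none"]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(f"{r['first_seen']}  {r['action']:11} x{r['hits']}  {r['path']}  ({r['name']})")
    print("needs follow-up:", unresolved(SAMPLE_LOG))
```

A quarantine or delete line is only credited to a path that has a preceding VIRUS line, so a stray action message cannot mask a detection that was never logged. Feed the output of avsvcctl log, or the whole avsvc.log, to summarize().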

Exit Status

On success, 0 is returned, a non-zero failure code otherwise.


Copyright © HelpSystems, LLC.
All trademarks and registered trademarks are the property of their respective owners.