avsvc command

Name

avsvc - Server to monitor file systems for viruses and malicious code.

Synopsis

avsvc [-h] [-V] [-D] [-d] [-c command]

Description

The avsvc server provides on-access scanning for viruses and malicious code.

The server should not be started directly; use the avsvcctl command to control the service.

Options

-h Show this manual page.

-V Parse the configuration files, produce a validation report, and exit.

-D Do not daemonize the server. The default is to daemonize.

-d Run in foreground debug mode. Log messages at INFO level and higher are shown on the terminal. DEBUG level is enabled, and all log messages are written to the log file log/avsvc.log. Use this option only when directed by a support representative.

-c command

Ask a running server to perform an operation. See Commands below.

Server Configuration

The server takes configuration from the file config.ini which can be found in the product install directory. The configuration options are contained in the [avsvc] group.

Configuration is re-read when the service is sent a SIGHUP signal. Settings that are documented as requiring a restart (threads, nice) are not affected by a reload.

Service Settings

These settings are in the [avsvc] group. The avconfig command can be used to manipulate this file.

access

On-access scanning type. Valid values are open (scan a file when a process opens it), opnclo (scan a file when a process opens it or closes it), or none (disable on-access scanning). The default is open. Note that with open, a file written and closed by one process is not examined until something opens it again; opnclo also examines it at close time.

include

A colon-delimited list of path names to be included for on-access scanning. A file that exists below any of those path names will be subject to scanning unless the file path name is covered by an exclude path.

exclude

A colon-delimited list of path names to be excluded from on-access scanning. The exclude paths take precedence over include paths. A file that exists below any of those path names will not be subject to scanning.

NOTE: Exclude does not support wildcard characters.

threads

The number of threads to be allocated for use by the on-access scanner. This can be an integer value between 2 and 32. The default is 6. The service must be restarted to change this value.

maxwait

The maximum time in seconds the scanner should spend scanning a single file or archive before timing out. When the limit is reached the open is allowed to proceed and the file's scan status remains unchanged, so a timed-out scan fails open and the file is not recorded as clean. This can be an integer value between 0 and 3600. A value of 0 disables the timeout. The default is 300 seconds.

delay 

The amount of time in microseconds the scanner should pause with each progress beat from a scanning operation. This can be used as a simple CPU limiting technique for certain use cases. It should not be enabled when operating system files are included in the monitoring paths. This can be an integer value between 0 and 999999. The default value of 0 disables the feature.

nice   

Sets the runtime scheduling priority of the service. This can be a value between -20 (highest priority) and 19 (lowest priority). The default is 0 (no change in priority). The service must be restarted to change this value.

clean 

Specifies if the engine should attempt to remove the virus from the file. If the file cannot be cleaned, the cleanfail option provides a secondary choice. Set to yes to enable, or no to disable. The default is yes.

cleanfail

Action if not cleaned. Valid values are quarantine, delete, none. The default is quarantine. Quarantined files are stored under /Quarantined.

heuristic

Include heuristic analysis to find new viruses. With heuristic analysis the scanning engine uses heuristic technology to detect potentially unknown viruses in executable files (programs). Without it, the engine can only find viruses that are already known and identified in the current virus definition files. Valid values are yes, no. The default is yes.

macro

Specifies whether embedded macros whose code resembles a virus are treated as viruses. This is similar to heuristic analysis but looks for new viruses in compound document formats, for example Microsoft OLE formats such as Word documents. Valid values are yes, no. The default is yes.

programs

Specifies whether scanning also detects some widely available applications, such as password crackers or remote access utilities, that can be used maliciously or pose a security threat. Valid values are yes, no. The default is no.

archives

Specifies whether scanning includes archive files. Archive files contain embedded files and usually end with one of the following extensions: .ZIP, .TAR, .CAB, .LZH, .JAR and .UUE. This option also enables scanning of MSCompress files. Valid values are yes, no. The default is yes.

files

Specifies which file types to include in scanning. Valid values are dft, all, allmacro. The default is dft, which scans only the file types most susceptible to virus infection. The value all scans every file; it is the slowest option but provides the best protection. The value allmacro extends the default set with an examination of files to determine whether they contain known macro viruses, and is faster than all.

mime

Specifies whether to scan inside MIME-encoded, UU-encoded, XX-encoded and BinHex files. Valid values are yes, no. The default is no. Note that to enable this option, files must be set to all.

mount 

[Linux only] A colon-delimited list of mount points for filesystems that are to be monitored for on-access scanning. This option applies to Linux only; it explicitly sets which filesystems are monitored by fanotify(7). The default is an empty list. A filesystem is monitored only if its type does not appear in the internal list of known unsupported filesystem types and is not listed in the fsexcl configuration. The decision to scan a file is still subject to the include and exclude criteria.

fsexcl 

A colon-delimited list of filesystem type names that are to be excluded from monitoring. The default is an empty list. Note that the decision to scan a file will still be subject to include and exclude criteria.

On Linux, this is used to limit which filesystems will be monitored by fanotify(7), and complements the internal list of filesystem types that are known not to be monitorable. The names are those from the third column of /proc/mounts, see proc(5).

On AIX, the names are those from the first column of /etc/vfs, see vfs(4). The name remote can be used to select all names in /etc/vfs that are marked as remote.

On Solaris, see the third column of /etc/mnttab.

notify 

A comma-delimited list of notifier names to be used to report events. See the avconfig page for more information on notifiers.

Filesystem Cache Configuration

The filesystem cache is used to increase performance by reducing the need to repeatedly scan files that have not changed since the last time they were scanned. The options for this feature are set using these values: fscache, fscacheage, fscacheidle, and fscachesize.

Note that expiry of cache data occurs hourly. The procedure prunes the cache using one or more of fscacheage, fscacheidle, and fscachesize parameters, if enabled, and in that order.

fscache

Set to yes to enable, or no to disable the cache. The default is yes.

fscacheage

A time to live for an unchanged object in the cache. If the object record has not been re-scanned in that time, it will be removed from the cache. This is expressed in minutes, and can be an integer value between 0 and 999999. The default is 0, which disables the feature.

fscacheidle

A time to live for a cache object that has not been re-scanned (changed) or queried (hit). This is expressed in minutes, and can be an integer value between 0 and 999999. The default is 0, which disables the feature.

fscachesize

A maximum size for a single filesystem cache. There is one cache per filesystem. The cache expiry operation will reduce the cache to this maximum size, expelling the oldest unchanged objects first. This is expressed as the number of files in the cache, and can be an integer value between 0 and 999999999. The default is 0, which disables the feature.

Example Server Configuration

[avsvc]
access=open
include=/
exclude=/dev:/run
threads=8
maxwait=300
clean=yes
cleanfail=quarantine
programs=yes
archives=no
fscache=yes
fscachesize=1000000
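The following is an added example, not part of the avsvc product: it loads the [avsvc] group from a config.ini-style fragment, checks it against the value ranges and dependencies documented under Service Settings, and applies the include/exclude rule to candidate paths. The checks illustrate the documented constraints and are not the product's own -V validation; SAMPLE_CONFIG is constructed for the example and deliberately carries one inconsistency (mime=yes without files=all).

```python
"""Added example, not part of the avsvc product: validate an [avsvc] config
fragment against the documented constraints and apply the include/exclude
rule. SAMPLE_CONFIG is constructed for this illustration."""
import configparser
import os

# Constructed fragment, modelled on the Example Server Configuration above.
SAMPLE_CONFIG = """
[avsvc]
access=open
include=/:/mnt/extra
exclude=/dev:/run:/proc
threads=8
maxwait=300
nice=5
clean=yes
cleanfail=quarantine
files=dft
mime=yes
archives=no
fscache=yes
fscachesize=1000000
"""

# Integer settings and their documented inclusive ranges.
INT_RANGES = {
    "threads": (2, 32),
    "maxwait": (0, 3600),
    "delay": (0, 999999),
    "nice": (-20, 19),
    "fscacheage": (0, 999999),
    "fscacheidle": (0, 999999),
    "fscachesize": (0, 999999999),
}
# Enumerated settings and their documented values.
ENUMS = {
    "access": {"open", "opnclo", "none"},
    "cleanfail": {"quarantine", "delete", "none"},
    "files": {"dft", "all", "allmacro"},
}
YESNO = {"clean", "heuristic", "macro", "programs", "archives", "mime", "fscache"}


def load_avsvc_section(text):
    """Return the [avsvc] group as a dict of strings. Only '=' is treated as
    the key/value separator so that ':' inside path lists survives."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return dict(parser["avsvc"])


def split_paths(value):
    """Colon-delimited path list, as used by include, exclude, mount and fsexcl."""
    return [p for p in value.split(":") if p]


def validate(cfg):
    """Return a list of violations of the documented constraints (empty = OK)."""
    problems = []
    for key, (lo, hi) in INT_RANGES.items():
        if key in cfg:
            try:
                value = int(cfg[key])
            except ValueError:
                problems.append(f"{key}: not an integer: {cfg[key]!r}")
                continue
            if not lo <= value <= hi:
                problems.append(f"{key}: {value} outside {lo}..{hi}")
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            problems.append(f"{key}: {cfg[key]!r} not one of {sorted(allowed)}")
    for key in sorted(YESNO):
        if key in cfg and cfg[key] not in ("yes", "no"):
            problems.append(f"{key}: expected yes or no, got {cfg[key]!r}")
    # mime scanning is only honoured when files=all.
    if cfg.get("mime") == "yes" and cfg.get("files", "dft") != "all":
        problems.append("mime=yes requires files=all")
    # exclude is a list of literal paths; wildcards are not supported.
    for path in split_paths(cfg.get("exclude", "")):
        if any(ch in path for ch in "*?["):
            problems.append(f"exclude: wildcards are not supported: {path!r}")
    return problems


def _below(path, prefix):
    """True if path is prefix itself or lies beneath it, matching on whole
    path components so that an exclude of /dev does not cover /devices."""
    path, prefix = os.path.normpath(path), os.path.normpath(prefix)
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def should_scan(path, include, exclude):
    """Documented rule: a file below any include path is scanned unless it is
    also below any exclude path; exclude takes precedence."""
    if any(_below(path, e) for e in split_paths(exclude)):
        return False
    return any(_below(path, i) for i in split_paths(include))


if __name__ == "__main__":
    cfg = load_avsvc_section(SAMPLE_CONFIG)
    for problem in validate(cfg):
        print("config:", problem)
    for candidate in ("/home/alice/report.doc", "/dev/shm/x", "/devices/x", "/run/lock/y"):
        verdict = "scan" if should_scan(candidate, cfg["include"], cfg["exclude"]) else "skip"
        print(f"{candidate}: {verdict}")
```

Run it before sending SIGHUP to a live service: the sample reports the mime/files mismatch, and the path checks show that /devices/x is scanned even though /dev is excluded, because matching is on whole path components rather than string prefixes.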

Logging Configuration

Logging is controlled through the file zlog-avsvc.conf in the product directory.

The config rules are used when the server is run with the -V option.

The debug rules are used when the server is run with the -d option.

Otherwise the avsvc rules are used.

For more information on zlog, visit https://hardysimpson.github.io/zlog/UsersGuide-EN.html.

Commands

The avsvc executable can also be used to request information or operations from a running server, through use of the -c option. The following commands are available:

status 

Show the status of the server: running or inactive. The exit code will be 0 for a running server, or 1 if it is inactive.

info 

Show versions, virus handling counts and internal server statistics.

Performance Considerations

When applications open files that require scanning, there is a delay while the system completes the scan. For most files, the scanning takes only a fraction of a second. However, large files, archive files, and compressed files can take several seconds or minutes.

Once a file has been scanned by the on-access service, the scan result is stored in a cache for the file system if the file system cache has been enabled for the service. The cache is consulted the next time the file is accessed, and if it has not been modified, it will not require scanning again and access will be faster. The cache is cleared completely upon on-access service exit, update of virus definitions, or significant changes to service configuration. Individual items in the cache are also subject to size and time-to-live constraints and are configured in the service configuration.

Archive scanning takes additional CPU resources and can be disabled. Note, however, that much malware arrives as .zip archive files; with archive scanning disabled, the contents of an archive are not examined until the extracted files are themselves opened.

Troubleshooting

If a virus was not detected in a particular file, verify your virus definitions ‘know’ about the suspected virus. Check the McAfee virus information library at https://home.mcafee.com/virusinfo.

Recommendations

  • Virus definitions are released daily. Be sure to keep the database up-to-date using the avupdate tool (see Updating Virus Definitions).
  • Java runtimes contain many .jar files that can take a long time to scan. This can cause a noticeable delay when starting Java applications. Consider running a simple file access command to pre-load scan results for these files into the service cache after a virus database update, service restart, or other live configuration change. For example:
    find /usr -type f -name \*.jar -exec file {} \; >/dev/null

Example Messages

The following log messages are from the on-access service log (avsvc.log).

  1. Example of an infected file being detected, unable to be cleaned, and quarantined (clean=yes, cleanfail=quarantine):
    2018-04-20 15:21:19 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
    2018-04-20 15:21:19 WARN [39998:avsutil.c:369] quarantined file /mnt/extra/testing/eicar.com
  2. Example of an infected file being detected, unable to be cleaned, and removed (clean=yes, cleanfail=delete):
    2018-04-20 15:17:29 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
    2018-04-20 15:17:29 INFO [39998:avsutil.c:382] file /mnt/extra/testing/eicar.com deleted
  3. Example of an infected file being detected twice in report-only mode (clean=no). The second message indicates it was not scanned on the second file access, the cached value was used:
    2018-04-20 15:19:42 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
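As an added example (not part of the avsvc product), the following parses avsvc.log lines in the shape shown above and produces one record per detection together with the action the service logged for it. The line and message formats are inferred only from the Example Messages on this page; any other message type is an assumption and is skipped, and the one non-matching input line is constructed to show that.

```python
"""Added example, not part of the avsvc product: summarise detections from
avsvc.log. Line and message formats are inferred from the examples on the
page; SAMPLE_LOG reuses those lines plus one constructed non-matching line."""
import re

SAMPLE_LOG = """\
2018-04-20 15:21:19 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
2018-04-20 15:21:19 WARN [39998:avsutil.c:369] quarantined file /mnt/extra/testing/eicar.com
2018-04-20 15:17:29 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
2018-04-20 15:17:29 INFO [39998:avsutil.c:382] file /mnt/extra/testing/eicar.com deleted
2018-04-20 15:19:42 WARN [39998:avsutil.c:640] VIRUS: '/mnt/extra/testing/eicar.com' is INFECTED with 'EICAR test file'
this line is constructed noise and is not in the documented format
"""

# "<date> <time> <LEVEL> [<pid>:<source file>:<line>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[(?P<pid>\d+):(?P<src>[^:\]]+):(?P<line>\d+)\] (?P<msg>.*)$"
)
# Message bodies seen on this page. The path is user-controlled (whoever
# created the file chose its name), so a name containing quotes can confuse
# quote-delimited parsing; the signature name is taken as the last quoted
# field and the path as everything before it.
VIRUS_RE = re.compile(r"^VIRUS: '(?P<path>.*)' is INFECTED with '(?P<name>[^']*)'$")
QUARANTINE_RE = re.compile(r"^quarantined file (?P<path>.*)$")
DELETE_RE = re.compile(r"^file (?P<path>.*) deleted$")


def parse_line(line):
    """Split one log line into its fields, or return None if it is not in
    the documented shape."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def summarise(text):
    """One record per VIRUS line: timestamp, path, signature name and the
    action recorded afterwards for that path ('quarantined', 'deleted' or
    'none'). 'none' is what report-only operation (clean=no) looks like."""
    records = []
    pending = {}  # path -> index of the latest detection still awaiting an action
    for raw in text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue
        msg = fields["msg"]
        hit = VIRUS_RE.match(msg)
        if hit:
            records.append({"ts": fields["ts"], "path": hit["path"],
                            "name": hit["name"], "action": "none"})
            pending[hit["path"]] = len(records) - 1
            continue
        for regex, action in ((QUARANTINE_RE, "quarantined"), (DELETE_RE, "deleted")):
            hit = regex.match(msg)
            if hit and hit["path"] in pending:
                records[pending.pop(hit["path"])]["action"] = action
                break
    return records


def unresolved(records):
    """Detections with no quarantine or delete action: the files an operator
    still has to deal with by hand."""
    return [r for r in records if r["action"] == "none"]


if __name__ == "__main__":
    found = summarise(SAMPLE_LOG)
    for r in found:
        print(f"{r['ts']} {r['path']} [{r['name']}] -> {r['action']}")
    print(f"{len(unresolved(found))} detection(s) without an action")
```

Feeding it the page's three examples yields one quarantined, one deleted and one unresolved detection; the unresolved list is the set to review when the service runs with clean=no or cleanfail=none.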