Gentoo Forums - Documentation, Tips & Tricks
Automate your f-prot antivirus
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Tue Aug 31, 2004 1:14 am    Subject: Automate your f-prot antivirus

Hi folks. I know not a lot of viruses exist that exploit *nix, but some of us run Samba for Windows networks, email servers, etc. Hey, me, I just wanna know for sure that I'm not infected, even on my desktop Gentoo box. So...here's how I did it.

As root,

    install f-prot AV
    Code:
    emerge f-prot

    make sure that you're updated
    Code:
    /opt/f-prot/check-updates.pl

    download http://www.rexswain.com/eicar.com to your home folder, then make sure that it's working (as per http://www.rexswain.com/eicar.html ) by running
    Code:
    /opt/f-prot/f-prot -disinf -list ~/

    Now let's script it. Create the file /usr/sbin/fprotscan with the following content:
    Code:

    #!/bin/sh
    #Script to automate virus scans and logging
    #
    #Get the system date and store some needed variables
    DAY=`date +%Y%b%d`        # e.g. 2004Aug31, independent of the locale's date layout
    LOGDIR=~/f-prot
    #
    #Next, let's make sure that we're up-to-date
    /opt/f-prot/check-updates.pl -cron -quiet
    #
    #Mount /boot so it can be checked as well
    mount /boot
    #
    #Change to a predetermined log directory, create it if need be.
    if [ -d "$LOGDIR" ]
       then
          echo "Log folder exists.."
       else
          echo "Creating log folder..."
          mkdir -p "$LOGDIR"
    fi
    cd "$LOGDIR" || exit 1
    echo "Scanning...this may take awhile"
    #
    #Run the virus scan...and log it. -auto answers the prompts that -disinf
    #would otherwise wait for, which would hang the scan under cron.
    #Thanks for the help on this part in particular, guys!
    /opt/f-prot/f-prot -auto -disinf -list -report="$DAY.log" -append /
    #
    #Unmount /boot
    umount /boot

    Make it executable
    Code:
    chmod a+x /usr/sbin/fprotscan

    Now, let's automate.
    Code:
    crontab -e

    Insert the following line, save, and exit
    Code:
    30 3 * * * /usr/sbin/fprotscan

    This will run your scan at 3:30 AM (when most people's computers are otherwise idle) every day. Check here if you want to modify the schedule and don't understand cron.

You should be all set now. Happy Gentoo'ing.

Regards,
JoeG
_________________
Linux User#226477


Last edited by JoeG on Thu Jan 20, 2005 10:36 pm; edited 5 times in total
trooper82 (n00b; joined 15 Mar 2003; 57 posts)
Posted: Tue Aug 31, 2004 2:29 am

Great tip, thanks!
_________________
The band is just fantastic
That's really what I think
Oh, by the way, which one's PINK?
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Tue Aug 31, 2004 2:49 am

null perspiration, chummer :wink:
_________________
Linux User#226477
riksta (n00b; joined 16 Apr 2004; 73 posts; Manchester, UK)
Posted: Tue Aug 31, 2004 9:10 am

Hey

slight error

/opt/f-prot-check-updates.pl

is

/opt/f-prot/check-updates.pl


Rick :D
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Tue Aug 31, 2004 11:49 am

Thx, Riksta. Typo demon hell. It's edited now. :lol:
_________________
Linux User#226477
DavidMCS (n00b; joined 08 Feb 2004; 39 posts; Halifax, NS Canada)
Posted: Tue Aug 31, 2004 1:37 pm

You may want to consider adding -auto to your command line options if you're going to do this in a cron job, as user confirmation is required with -disinf.
--
David-
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Tue Aug 31, 2004 10:44 pm

Great idea, David. It's fixed...see above
_________________
Linux User#226477
fourhead (l33t; joined 03 Sep 2003; 875 posts; Cologne, Germany)
Posted: Wed Dec 01, 2004 1:20 pm

Hi, great tip. Do you know if there's a way to integrate f-prot with Samba like you can do it with ClamAV (via a vfs module)?

Tom
-Rick- (Tux's lil' helper; joined 29 Aug 2004; 77 posts; Holland)
Posted: Wed Dec 01, 2004 2:42 pm

Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....
_________________
Cube bots
Nixstaller - Easy creatable installers for *nix
SaFrOuT (Apprentice; joined 08 Jul 2003; 256 posts; Egypt)
Posted: Thu Dec 02, 2004 1:26 am

Sorry for the question, but do I really need an antivirus for my Gentoo?

I don't have anything except Gentoo on my machine, although I have a FAT32 partition.

Do I still need f-prot?
_________________

[1] DFI NF4-Ultra
[2] Opteron 165 @ 2.5Ghz
[3] Palit X800Pro ( trying to change it for a 7600GT )
[4] G.Skill 2GB ZX @ DDR500 3-3-3-8
[5] SkyHAwk 620watt
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Fri Jan 07, 2005 6:04 pm

-Rick- wrote:
Hey, just a question: is the scanning faster than ClamAV? If I scan everything with ClamAV it takes 6+ hours....

Hard to say. Kinda depends on how many files you have in your filesystems, the size of the files...etc. On my system, f-prot runs in about 80 minutes and I've used about 72GB of my space across 5 partitions.

Regards,

JoeG
_________________
Linux User#226477


Last edited by JoeG on Fri Jan 07, 2005 6:09 pm; edited 1 time in total
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Fri Jan 07, 2005 6:08 pm

SaFrOuT wrote:
Sorry for the question, but do I really need an antivirus for my Gentoo?

I don't have anything except Gentoo on my machine, although I have a FAT32 partition.

Do I still need f-prot?

Not quite sure what you're asking. IMHO, you always need some type of A/V on a computer. F-Prot isn't the only option, but it's the one I like. ClamAV seems to integrate more tightly into SaMBa.
Just like any OS, as far as A/V goes, get it...update it...run it...constantly.

Regards,

JoeG
_________________
Linux User#226477
bravecobra (Tux's lil' helper; joined 26 Dec 2002; 130 posts; Planet Earth (sometimes))
Posted: Mon Jan 10, 2005 1:44 pm

f-prot has a -report=<report_name> option
_________________
Brave Cobra
http://www.bravecobra.com
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Mon Jan 10, 2005 3:15 pm

bravecobra wrote:
f-prot has a -report=<report_name> option

Yup, it sure enough does, but it accomplishes the same thing we're after here...a logfile. One problem that I've found with my approach here, though, is the size of the logfiles. A scan of my home directory alone yields a >9MB text file. If anyone can figure out an easy way to rotate old logfiles out to conserve space, I'll include it in this script, crediting the author ;). Also, I'm working on getting the script to email root with the results only. The logfile itself can be checked later, if a red flag pops up in the tail.

'Gards

JoeG
_________________
Linux User#226477
bravecobra (Tux's lil' helper; joined 26 Dec 2002; 130 posts; Planet Earth (sometimes))
Posted: Tue Jan 11, 2005 8:29 am

Just add it to logrotate.d
Anyway, ever tried to run it on a system that has amavis emerged? That comes with sample viruses and mailbombs. Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content, which leaves it in a sort of almost endless loop. Kinda deadly when your script is automated.
_________________
Brave Cobra
http://www.bravecobra.com
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Tue Jan 11, 2005 9:47 am

bravecobra wrote:
Just add it to logrotate.d
Now for some reason, f-prot fails to recognize the mailbomb and starts unpacking the content, which leaves it in a sort of almost endless loop. Kinda deadly when your script is automated.

Fails to recognize any mailbombs? The only shortcoming that I've seen is that it can't disinfect gzipped tarballs...of course, YMMV. Agreed tho, that automating can lead to unexpected results. That's why I'm asking for feedback, to improve my script for everyone's benefit. Thanks for the heads-up!

JoeG
_________________
Linux User#226477
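Pulling together the points raised so far (the cron script in the first post, DavidMCS's -auto note, JoeG's wish to mail root only the results, and bravecobra's scan that never finishes on a mailbomb), here is an added cron-safe wrapper; it is not JoeG's script. It assumes coreutils timeout(1), a mail(1) command, and a report format in which every hit is a line containing "Infection:" followed by a totals block with "Files:", "Objects scanned:", "Infected:" and "Disinfected:" lines; the sample report is constructed.

```shell
#!/bin/sh
# fprotscan-cron: added example, not JoeG's script. Wraps the thread's scan
# so it can run unattended from cron. Assumptions (not from the thread):
# coreutils timeout(1), a mail(1) command, and an f-prot report in which
# every hit is a line containing "Infection:" and the totals block has
# "Files:", "Objects scanned:", "Infected:" and "Disinfected:" lines.
FPROT=/opt/f-prot/f-prot
LOGDIR=${LOGDIR:-/root/f-prot}
LOCK=${LOCK:-/var/run/fprotscan.lock}
MAX_SECS=${MAX_SECS:-14400}     # kill a scan that hangs inside a nested archive

# Print the number of "Infection:" lines in a report; exit 0 only if none.
count_infections() {
    n=$(grep -c 'Infection:' "$1" 2>/dev/null || true)
    n=${n:-0}
    echo "$n"
    [ "$n" -eq 0 ]
}

# Keep only what root needs to read: every hit plus the totals block.
report_summary() {
    grep -E 'Infection:|^ *(Files|Objects scanned|Infected|Disinfected):' "$1"
}

# Constructed sample in the assumed report format (two hits, one cleaned).
sample_report() {
    cat <<'EOF'
Virus scanning report  -  31 Aug 2004 @ 03:30
/home/joe/eicar.com  Infection: EICAR_Test_File
/var/spool/mail/junk.zip->bad.exe  Infection: W32/Example.A
Results of virus scanning:
 Files: 182333
 Objects scanned: 190112
 Infected: 2
 Disinfected: 1
EOF
}

run_scan() {
    # A second cron run must not overlap a scan that is still (or forever) running.
    mkdir "$LOCK" 2>/dev/null || { echo "fprotscan: scan already running"; return 2; }
    trap 'rmdir "$LOCK"' EXIT
    mkdir -p "$LOGDIR"
    report=$LOGDIR/$(date +%Y%b%d).log
    /opt/f-prot/check-updates.pl -cron -quiet
    mounted_boot=0
    if ! grep -q ' /boot ' /proc/mounts; then mount /boot && mounted_boot=1; fi
    # -auto: -disinf would otherwise stop at a confirmation prompt (DavidMCS's point).
    timeout "$MAX_SECS" "$FPROT" -auto -disinf -list -report="$report" -append /
    rc=$?
    [ "$mounted_boot" -eq 1 ] && umount /boot
    [ "$rc" -eq 124 ] && echo "fprotscan: scan killed after ${MAX_SECS}s" >>"$report"
    hits=$(count_infections "$report") || true
    report_summary "$report" | mail -s "f-prot $(date +%F): $hits hit(s), rc=$rc" root
}

# Start a real scan only when invoked as the installed script, never when sourced.
if [ "$(basename "$0")" = fprotscan ]; then run_scan; fi
```

Install it as /usr/sbin/fprotscan and keep the crontab line from the first post; the mail carries only the hits and totals, while the full dated report stays under $LOGDIR for logrotate.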
amanoj (n00b; joined 12 Jan 2005; 3 posts; Irvine, CA)
Posted: Thu Jan 13, 2005 8:07 am    Subject: Updated Script

Kudos to JoeG for the script. Just saved me an hour to have to create one myself. Per your request... here is my feedback!

Shell Script works fine for me, but I made a few modifications:

    Changed the check-updates.pl command to include the -cron -quiet options (which do work outside of cron).


Quote:

#Next, let's make sure that we're up-to-date
/opt/f-prot/check-updates.pl -cron -quiet


    Updated the F-Prot command with the -report and -append options. * Removed Tail to STDOUT *


Quote:

/opt/f-prot/f-prot -auto -disinf -list -report=$LOGDIR/$DAY.log -append /


Just my .02! I will work on STDERR outputs from f-prot & the perl script... but the script works great for my laptop & 2 servers. Next project... script to integrate F-prot with Postfix for mail scanning. Good Job!
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Thu Jan 13, 2005 11:11 am

That's what I like! :D Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well! bravecobra recommended the -report option instead of what I was originally doing the other day.


The big thing to watch out for is that the log files can get quite large rather quickly. Gonna hafta take his advice on logrotate. The tail was pretty useless from a cron job as well ;). Losing it is probably a good idea. This is how open source is s'posed to work, Baby!

Thanks for all the advice, guys.

JoeG

P.S. I've been up for over 24 hrs again, the last 18 of it doing an "upgrade" of a network to Windows. As a result, I'm just a bit slap-happy. Not to mention a little balder from the hair yanking.

P.S.S. Oh! Just one thing, amanoj. You're already in $LOGDIR, so maybe
Code:
-report=$DAY.log
instead. I already updated the script at the top of the page, so new folks won't hafta take the original and hack like we did. They just get the end result. 8)
_________________
Linux User#226477
amanoj (n00b; joined 12 Jan 2005; 3 posts; Irvine, CA)
Posted: Sat Jan 15, 2005 8:06 am

JoeG wrote:
That's what I like! :D Someone starts a little something nice...people help improve it...next thing ya know, it all works pretty damn well! bravecobra recommended the -report option instead of what I was originally doing the other day.


The big thing to watch out for is that the log files can get quite large rather quickly. Gonna hafta take his advice on logrotate. The tail was pretty useless from a cron job as well ;). Losing it is probably a good idea. This is how open source is s'posed to work, Baby!

Thanks for all the advice, guys.

JoeG

P.S. I've been up for over 24 hrs again, the last 18 of it doing an "upgrade" of a network to Windows. As a result, I'm just a bit slap-happy. Not to mention a little balder from the hair yanking.

P.S.S. Oh! Just one thing, amanoj. You're already in $LOGDIR, so maybe
Code:
-report=$DAY.log
instead. I already updated the script at the top of the page, so new folks won't hafta take the original and hack like we did. They just get the end result. 8)


Sounds Good to Me! We just keep working on the script and make it better! Like Hannibal from The A-Team said, "I love it when a plan comes together!!" (Showing my age!) :lol:

Amanoj
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Sat Jan 15, 2005 8:33 am

amanoj wrote:
Like Hannibal from The A-Team said, "I love it when a plan comes together!!" (Showing my age!) :lol:

Amanoj


Or like B.A. said, "I ain't gettin' on no PLANE, Hannibal!" 8) I'm from that era, too.

JoeG
_________________
Linux User#226477
Master One (l33t; joined 25 Aug 2003; 754 posts; Austria)
Posted: Sat Jan 15, 2005 2:06 pm

That f-prot protection sounds interesting, but I am not sure if I understand the purpose right.

f-prot is scanning for such nasty executables, which are of no use in the Linux world and only dangerous for machines running Windows.

Usually it makes more sense to install a good antivirus on all Windows machines or under Windows on dualboot (I wouldn't use WinXP without Norton Antivirus at all).

If you have a Linux server, you wouldn't need f-prot, because you surely have no dualboot with Windows on a server. Concerning Samba and mailserver protection, you surely would use an antivirus solution that integrates better with these services.

If you have a Linux workstation, why bother with an antivirus solution if the usual executable files are of no harm to such a system? And concerning a workstation, most people probably will not have such a machine run 24/7, so using cron would probably not lead to automatic scans at all.

At the moment I have 3 Linux servers and 1 Linux notebook (with dualboot) on my local LAN (and I am trying to convert the other 3 Windows workstations to pure Linux workstations as well). On all Windows machines, Norton Antivirus is installed. I am curious now whether I should install f-prot on the 3 servers and the Linux dualboot notebook (as well as on the other workstations, after they have been converted to Linux).
_________________
Las torturas mentales de la CIA
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Sun Jan 16, 2005 9:05 am

Master One wrote:
Concerning Samba and mailserver protection, you surely would use an antivirus solution that integrates better with these services.


Excellent point.

Master One wrote:
If you have a Linux workstation, why bother with an antivirus solution if the usual executable files are of no harm to such a system?


Try this. Besides, I originally posted here to show people an easy way to get AV protection installed, updated, and run on schedule.

Like it or no, viruses do exist for Linux and for services that run on Linux. Granted, the damage can be limited on your workstation or server (i.e. by user or process privilege level), but IMHO you have a responsibility to the rest of the Internet community to make sure that you are at least not helping to spread viruses that can infect their Windows machines. If you prefer another AV solution, then by all means, use that. ClamAV is a very nice piece of software, for example. But you really should be running something.

Please, please, don't take this as a flame. I just don't want people to assume that if their computer running Linux is not vulnerable to 99% of viruses in the wild, that they cannot be infected or infect others. It's kinda like keeping a condom on your bits ;).

Regards,

JoeG
_________________
Linux User#226477
Master One (l33t; joined 25 Aug 2003; 754 posts; Austria)
Posted: Sun Jan 16, 2005 3:51 pm

Thanks for the feedback, JoeG.

Any idea how to automate the use of f-prot on a normal workstation/notebook that's not running 24/7?

The cron idea does not fit for such a machine.

What about running the scan on every boot?

I have no idea how long such a scan takes on a normal Gentoo workstation installation, or what happens if I shut down the machine before the scan is completed.
_________________
Las torturas mentales de la CIA
JoeG (Apprentice; joined 30 Jul 2003; 179 posts; Kentucky, USA)
Posted: Mon Jan 17, 2005 1:05 am

Master One wrote:

Any idea how to automate the use of f-prot on a normal workstation/notebook that's not running 24/7?

The cron idea does not fit for such a machine.

What about running the scan on every boot?


Well, it would be easy enough to create an init script and add it to your default runlevel, but then your computer is going to take a long time to boot up. 8O

If you're wanting to scan files as they download, I'm afraid (with f-prot at least) that we're out of luck. We'll have to scan after the download is complete, AFAIK. Anyone who knows differently, PLEASE let us know! :( According to their support page:

BUGS
We have received a request for the ability to scan stdin. This is actually rather difficult, as the engine design requires that the size of any scannable object is known before starting a scan.


I'm considering writing a mini-HOWTO for using ClamAV due to several factors:

    1. I'm trying to be fair :D
    2. ClamAV seems to integrate more smoothly with services
    3. ClamAV can be run as a daemon (Well, so can f-prot, but you need the file or mail server version)
    4. ClamAV is GPL. 'Nuff said.

Ideas, Folks?

JoeG
_________________
Linux User#226477
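For Master One's machine that is not up at 03:30, here is an added example (not from the thread) of JoeG's run-at-boot idea done with a stamp file: called from an init script or an hourly cron entry, it runs the thread's /usr/sbin/fprotscan only when the last clean run is older than a day, and a scan cut short by a shutdown is simply retried next time. It assumes find(1) with -mmin and that fprotscan exits 0 on success.

```shell
#!/bin/sh
# fprotscan-if-due: added example, not from the thread. Runs the scan only
# when the stamp file is missing or older than MAX_MIN minutes, so a machine
# that is switched off at night still gets roughly one scan per day.
# Assumptions: find(1) supports -mmin; /usr/sbin/fprotscan exits 0 on success.
STAMP=${STAMP:-/var/lib/fprotscan/last-ok}
MAX_MIN=${MAX_MIN:-1440}          # one day
SCAN=${SCAN:-/usr/sbin/fprotscan}

# Returns 0 (due) if no stamp exists or it is older than $2 minutes.
scan_is_due() {
    stamp=$1; max_min=$2
    [ -f "$stamp" ] || return 0
    [ -n "$(find "$stamp" -mmin +"$max_min" 2>/dev/null)" ]
}

# Run the scan if due; touch the stamp only after a clean exit, so a scan
# interrupted by a shutdown (Master One's worry) is retried at the next boot.
run_if_due() {
    stamp=$1; max_min=$2; scan=$3
    if ! scan_is_due "$stamp" "$max_min"; then
        echo "fprotscan: last scan within ${max_min} min, skipping"
        return 0
    fi
    mkdir -p "$(dirname "$stamp")"
    "$scan" && touch "$stamp"
}

# From an init script's start(), background it so boot is not held up:
#   run_if_due "$STAMP" "$MAX_MIN" "$SCAN" &
if [ "$(basename "$0")" = fprotscan-if-due ]; then
    run_if_due "$STAMP" "$MAX_MIN" "$SCAN"
fi
```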
Irvinion (n00b; joined 21 Dec 2004; 26 posts; Chicago, IL)
Posted: Thu Jan 20, 2005 8:00 pm    Subject: Danke

I used your methods because I was looking for an anti-virus-for-noobs type thingy, being new to both Linux and Gentoo. One small thing I noted, which could have come from a version bump of f-prot: for version 4.5.3, the check-updates file is check-updates.pl, so:

Code:

/opt/f-prot/check-updates.pl


Otherwise, thank you very much :wink:
All times are GMT.