Configuration Parameters

The component uses the configuration parameters specified in the [LinuxSpider] section of the unified configuration file of Dr.Web Industrial for UNIX File Servers.

Component Parameters

The section contains the following parameters:

Parameter

Description

LogLevel

{logging level}

Logging level of the component.

If the parameter value is not specified, the DefaultLogLevel parameter value from the [Root] section is used.

Default value: Notice

Log

{log type}

Logging method of the component.

Default value: Auto

ExePath

{path to file}

Component executable path.

Default value: <opt_dir>/bin/drweb-spider.

For GNU/Linux: /opt/drweb.com/bin/drweb-spider

Start

{logical}

The component must be started by the Dr.Web ConfigD configuration daemon.

Setting this parameter to Yes instructs the configuration daemon to start the component immediately, and setting it to No instructs the daemon to terminate the component immediately.

Default value: Depends on the Dr.Web product in which the component is supplied and operates.

Mode

{FANOTIFY | AUTO}

Defines the SpIDer Guard operation mode.

Allowed values:

FANOTIFY—use the fanotify monitoring interface;

AUTO—select an optimal operation mode automatically.

Default value: AUTO

DebugAccess

{logical}

Log or do not log detailed information on access attempts to files at the debug level (when LogLevel = DEBUG).

Default value: No

ExcludedProc

{path to file}

List of processes that are excluded from file monitoring. If a file operation was initiated by one of the processes specified in the parameter value, the modified or created file will not be scanned.

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the wget and curl processes to the list.

1. Adding values to the configuration file.

Two values per line:

[LinuxSpider]
ExcludedProc = "/usr/bin/wget", "/usr/bin/curl"

Two lines (one value per line):

[LinuxSpider]
ExcludedProc = /usr/bin/wget
ExcludedProc = /usr/bin/curl

2. Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/wget
# drweb-ctl cfset LinuxSpider.ExcludedProc -a /usr/bin/curl

Default value: (not specified)

ExcludedFilesystem

{file system name}

Exclude the specified file system from monitoring.

This option is available only in the FANOTIFY mode.

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the cifs and nfs file systems to the list.

1. Adding values to the configuration file.

Two values per line:

[LinuxSpider]
ExcludedFilesystem = "cifs", "nfs"

Two lines (one value per line):

[LinuxSpider]
ExcludedFilesystem = cifs
ExcludedFilesystem = nfs

2. Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a cifs
# drweb-ctl cfset LinuxSpider.ExcludedFilesystem -a nfs

Default value: cifs

BlockBeforeScan

{Off | Executables | All}

Block files until they are scanned by the monitor (in the enhanced or “paranoid” monitoring mode).

Allowed values:

Off—do not block access to files even if they were not scanned;

Executables—block access to executable files (PE, ELF files and scripts that contain the #! preamble) not scanned by the monitor;

All—block access to any files not scanned by the monitor.

Files are blocked only in the FANOTIFY mode.

Default value: Off

[*] ExcludedPath

{path to file or directory}

A path to an object (file or directory) to be excluded from file monitoring. Either a directory or a certain file can be specified. If a directory is specified, all files and subdirectories (including nested ones) will be skipped. You can use file masks (containing characters ? and *, as well as symbol classes [ ], [! ], [^ ]).

Multiple values can be specified as a list. List values must be comma-separated and put in quotation marks. The parameter can be specified more than once in the section (in this case, all its values are combined into one list).

Example: Add the /etc/file1 file and the /usr/bin directory to the list.

1. Adding values to the configuration file.

Two values per line:

[LinuxSpider]
ExcludedPath = "/etc/file1", "/usr/bin"

Two lines (one value per line):

[LinuxSpider]
ExcludedPath = /etc/file1
ExcludedPath = /usr/bin

2. Adding values with the drweb-ctl cfset command:

# drweb-ctl cfset LinuxSpider.ExcludedPath -a /etc/file1
# drweb-ctl cfset LinuxSpider.ExcludedPath -a /usr/bin

Note that symbolic links have no effect here, because only the direct path to a file is analyzed when scanning.

Default value: /proc, /sys

[*] OnKnownVirus

{action}

Action to be applied upon detection of a known threat (a virus and so on) in the scanned file.

Allowed values: Report, Cure, Quarantine, Delete.

Default value: Report

[*] OnIncurable

{action}

Action to be applied upon detection of an incurable threat.

Allowed values: Quarantine, Delete.

Default value: Quarantine

[*] OnSuspicious

{action}

Action to be applied upon detection of an unknown threat (or a suspicious object) in the scanned file by using heuristic analysis.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] OnAdware

{action}

Action to be applied upon detection of adware in the scanned file.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] OnDialers

{action}

Action to be applied upon detection of a dialer in the scanned file.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] OnJokes

{action}

Action to be applied upon detection of a joke program in the scanned file.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] OnRiskware

{action}

Action to be applied upon detection of riskware in the scanned file.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] OnHacktools

{action}

Action to be applied upon detection of a hacktool in the scanned file.

Allowed values: Report, Quarantine, Delete.

Default value: Report

[*] ScanTimeout

{time interval}

Timeout for scanning one file.

Allowed values: from 1 second (1s) to 1 hour (1h).

Default value: 30s

[*] HeuristicAnalysis

{On | Off}

Enable or disable the heuristic analysis for detection of unknown threats. The heuristic analysis provides higher detection reliability but increases the duration of scanning.

The action applied to threats detected by the heuristic analyzer is set by the OnSuspicious parameter.

Allowed values:

On—enable the heuristic analysis while scanning;

Off—disable the heuristic analysis.

Default value: On

[*] PackerMaxLevel

{integer}

Maximum nesting level for packed objects. A packed object is executable code compressed with special software (UPX, PELock, PECompact, Petite, ASPack, Morphine and so on). Such objects may include other packed objects which may also include packed objects and so on. The value of this parameter specifies the nesting limit beyond which packed objects inside other packed objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] ArchiveMaxLevel

{integer}

Maximum nesting level for archives (.zip, .rar, and so on) in which other archives may be enclosed (and these archives may also include other archives, and so on). The value of this parameter specifies the nesting limit beyond which archives enclosed in other archives are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

[*] MailMaxLevel

{integer}

Maximum nesting level for files of mailers (.pst, .tbb and so on) in which other files may be enclosed (and these files may also include other files and so on). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 0

[*] ContainerMaxLevel

{integer}

Maximum nesting level when scanning other types of objects that can enclose other objects (HTML pages, .jar files, etc.). The value of this parameter specifies the nesting limit beyond which objects inside other objects are not scanned.

The nesting level is not limited. If the value is set to 0, nested objects are not scanned.

Default value: 8

[*] MaxCompressionRatio

{integer}

Maximum compression ratio of scanned objects (a ratio of an uncompressed size to a compressed size). If the ratio of an object exceeds the limit, this object is skipped while scanning.

The compression ratio must be no less than 2.

Default value: 500

Customizing Protected Space Individual Monitoring Settings

For each protected space of the file system, a separate section containing the path to the monitored file system area and the monitoring parameters is specified in the configuration file, together with the [LinuxSpider] section, which stores all the monitor parameters. Each section must be named as [LinuxSpider.Space.<space name>], where <space name> is a unique identifier of the protected space.

The space individual section must contain the following parameters absent in the [LinuxSpider] general section:

Parameter

Description

Enable

{logical}

The contents of the protected space located at Path (see below) must be monitored.

To stop monitoring the contents of this protected space, set the parameter to No.

Default value: Yes

Path

{path to directory}

Path to the file system directory to be monitored (including nested directories).

By default, this parameter has an empty value—therefore, you should specify a value when adding a protected space to the monitoring scope.

Default value: (not specified)

If none of the protected spaces specified in the monitor settings are monitored, or their paths are not specified, SpIDer Guard runs idle because no files of the file system tree are monitored. If you want to monitor the file system as a single protected space, remove all named space sections from the settings.

In addition to the parameters above, a protected space section can include any parameters from the general section of the component settings that are marked with [*] in the table above, overriding them for this protected space (for example, the reaction to threat detection, the maximum archive nesting level, and so on). If a parameter is not specified for a protected space, the monitoring procedure for this space uses the corresponding parameter value from the [LinuxSpider] section.

To add a new section of parameters for the protected space with the <space name> tag using the Dr.Web Ctl management tool (started with the drweb-ctl command), run the command:

# drweb-ctl cfset LinuxSpider.Space -a <space name>

Example:

# drweb-ctl cfset LinuxSpider.Space -a Space1
# drweb-ctl cfset LinuxSpider.Space.Space1.Path /home/user1

The first command adds the [LinuxSpider.Space.Space1] section to the configuration file; the second one sets a value of the Path parameter for the section, specifying a path to the monitored file system area. Other parameters of this section will be the same as in the [LinuxSpider] general section.
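As an added example (not Dr.Web's own code), the following Python models the two rules documented above: list-valued keys such as ExcludedPath combine whether written as a quoted comma-separated list or as repeated keys, and a [LinuxSpider.Space.<space name>] section overrides only the [*]-marked parameters while inheriting everything else from [LinuxSpider]. The sample configuration is constructed; the fallback of Enable to Yes and Path to an empty value follows the defaults in the table above.

```python
# Added example (not Dr.Web's own code); the [*]-marked keys a space section may override:
SPACE_OVERRIDABLE = {
    "ExcludedPath", "OnKnownVirus", "OnIncurable", "OnSuspicious", "OnAdware",
    "OnDialers", "OnJokes", "OnRiskware", "OnHacktools", "ScanTimeout",
    "HeuristicAnalysis", "PackerMaxLevel", "ArchiveMaxLevel", "MailMaxLevel",
    "ContainerMaxLevel", "MaxCompressionRatio"}
# Keys whose values form a list; quoted comma lists and repeated keys combine.
LIST_VALUED = {"ExcludedProc", "ExcludedFilesystem", "ExcludedPath"}
# Constructed sample configuration in the syntax shown on the page.
SAMPLE_CONFIG = """[LinuxSpider]
OnKnownVirus = Report
ArchiveMaxLevel = 0
ExcludedPath = "/proc", "/sys"
ExcludedPath = /var/cache/apt

[LinuxSpider.Space.Space1]
Path = /home/user1
OnKnownVirus = Quarantine
ArchiveMaxLevel = 3
ExcludedPath = /home/user1/.cache
"""

def parse_config(text):
    """Parse sections into {section: {key: value}}; list keys accumulate."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in LIST_VALUED:
            items = [v.strip().strip('"') for v in value.split(",")]
            current.setdefault(key, []).extend(i for i in items if i)
        else:
            current[key] = value
    return sections

def effective_settings(sections, space):
    """Merge [LinuxSpider] with the space's own section; only [*] keys override."""
    own = sections.get(f"LinuxSpider.Space.{space}", {})
    result = dict(sections["LinuxSpider"])
    result["Enable"] = own.get("Enable", "Yes")  # space-only keys and their defaults
    result["Path"] = own.get("Path", "")
    for key, value in own.items():
        if key in SPACE_OVERRIDABLE:
            result[key] = value  # per-space value replaces the general one
    return result
```

Calling effective_settings(parse_config(SAMPLE_CONFIG), "Space1") shows that Space1 quarantines known threats and scans archives three levels deep while the general section still only reports and does not scan nested archives.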