User manual KASPERSKY LAB KASPERSKY ANTI-VIRUS 5.5 FOR PROXY SERVER - ADMINISTRATOR GUIDE

KASPERSKY LAB Kaspersky Anti-Virus 5.5 for Proxy Server ADMINISTRATOR'S GUIDE KASPERSKY ANTI-VIRUS 5.5 FOR PROXY SERVER Administrator's Guide © Kaspersky Lab http://www.kaspersky.com Revision date: June 2006 Contents CHAPTER 1. KASPERSKY ANTI-VIRUS FOR PROXY SERVER .............................. 5 1.1. Hardware and software requirements .................................................................. 6 1.2. Licensing policy ..................................................................................................... 7 1.3. Distribution kit ........................................................................................................ 7 1.3.1. License agreement ......................................................................................... 8 1.4. Help desk for registered users .............................................................................. 8 1.5. Conventions........................................................................................................... 9 CHAPTER 2. OPERATION ALGORITHM AND TYPICAL DEPLOYMENT SCENARIOS .............................................................................................................. 10 2.1. The algorithm of application functioning ............................................................. 10 2.2. Typical deployment scenarios............................................................................. 13 2.2.1. Installing the application to the same server with SQUID proxy ................. 13 2.2.2. Installation on a dedicated server................................................................. 14 CHAPTER 3. INSTALLING THE APPLICATION......................................................... 15 3.1. Installing the application on a server running Linux ........................................... 15 3.2. Installing the application on a server running FreeBSD..................................... 16 3.3. Installation procedure .......................................................................................... 16 3.4. Post-install setup ................................................................................................. 17 3.5. Distribution of the application files in directories................................................. 18 CHAPTER 4. USING KASPERSKY ANTI-VIRUS ....................................................... 20 4.1. Updating the anti-virus databases ...................................................................... 20 4.1.1. Automatic updating of the anti-virus databases........................................... 21 4.1.2. Manual updating of the anti-virus databases............................................... 22 4.1.3. Creating a shared directory for storing and sharing database updates...... 23 4.2. Managing license keys........................................................................................ 24 4.2.1. Viewing information about license keys....................................................... 25 4.2.2. Renewing your license ................................................................................. 26 4.2.3. Removing a license key ............................................................................... 27 4.3. Using a control script ........................................................................................... 28 4 Kaspersky Anti-Virus for Proxy Server 4.4. Ensuring anti-virus protection of HTTP traffic..................................................... 29 4.5. Configuring the anti-virus scan parameters for user groups.............................. 30 CHAPTER 5. ADDITIONAL SETTINGS OF KASPERSKY ANTI-VIRUS .................. 34 5.1. Creating groups ................................................................................................... 34 5.2. Anti-virus scan settings........................................................................................ 36 5.3. The choice of actions over scanned objects ...................................................... 36 5.4. Administrator notifications ................................................................................... 38 5.5. Operation modes................................................................................................. 40 5.6. Modes of interaction with proxy via ICAP........................................................... 41 5.7. Application statistics logging ............................................................................... 41 5.8. Application reporting parameters........................................................................ 43 5.9. Memory dump creation for detection of errors ................................................... 45 5.10. Work with Internet broadcasting stations.......................................................... 46 CHAPTER 6. UNINSTALLING THE APPLICATION ................................................... 47 APPENDIX A. APPLICATION REFERENCE............................................................... 48 A.1. kav4proxy.conf application configuration file...................................................... 48 A.2. Macros................................................................................................................. 55 A.3. kavicapserver return codes................................................................................. 56 A.4. Command line options for licensemanager ....................................................... 56 A.5. Licensemanager return codes............................................................................ 57 A.6. Keepup2date command line options.................................................................. 57 A.7. Keepup2date return codes ................................................................................. 59 APPENDIX B. KASPERSKY LAB................................................................................. 60 B.1. Other Kaspersky Lab Products .......................................................................... 61 B.2. Contact Us........................................................................................................... 69 APPENDIX C. LICENSE AGREEMENT ...................................................................... 70 CHAPTER 1. KASPERSKY ANTIVIRUS FOR PROXY SERVER Kaspersky Anti-Virus 5.5 for Proxy Server (hereinafter also referred to as Kaspersky Anti-Virus or the Application) is intended for anti-virus protection of traffic routed via proxy servers based on Squid versions 2.5 and 3.0 with support for the Internet Content Adaptation Protocol (ICAP) in accordance with RFC 3507. The application allows the user to: · · · Perform anti-virus scanning of objects transferred via the proxy server. Cure revealed infected objects and block access to an infected object if disinfection fails. Use group settings to define various filtration parameters applied depending upon the address of the user requesting an object and the object's address (URL). Log activity statistics including, in addition to other data, information about anti-virus scanning and its results, application errors and warnings. Notify administrators about detection of malicious software. Update the anti-virus databases. The application uses update servers of Kaspersky Lab as the source of updates. It can also be configured to update the databases from a local directory. The anti-virus databases are employed for detection of infected objects and their disinfection. The application uses database records to analyze every object checking it for virus presence: its content is compared with code typical for specific viruses. Please keep in mind that new viruses appear every day and therefore we recommend maintaining the anti-virus databases in an up-to-date state. New updates are made available on Kaspersky Lab update servers every hour. · · · 6 Kaspersky Anti-Virus for Proxy Server 1.1. Hardware and software requirements In order to ensure normal functioning of Kaspersky Anti-Virus, the system must meet the following hardware and software requirements: Minimum hardware requirements for product operation: · · · · ® Intel Pentium 133 MHz processor or higher 64 MB RAM 50 MB of disk space for application setup 200 MB of available disk space for temporary files. The configuration is intended to provide for servicing of at least 10 clients sending at least 20 requests per minute with average request size of 15 Kb. Optimal hardware requirements: · for a proxy server servicing requests from 50 clients with average load of 900 requests per minute and daily traffic of 250 MB: · · · · Intel Pentium® II 300 MHz processor. 128 MB RAM. 512 MB of available disk space for temporary files. for a proxy server servicing requests from 250 clients with average load of 1300 requests per minute and daily traffic of 1 GB: · · · ® Intel Pentium 4 processor. 512 MB RAM. 1 GB of available disk space for temporary files. Software requirements: · One of the following operating systems: · · · · · RedHat Linux 9.0. RedHat Fedora Core 5. RedHat Enterprise Linux Advanced Server 4. SuSE Linux Enterprise Server 9.0. SuSE Linux Professional 10.1. Kaspersky Anti-Virus for Proxy Server 7 · · · · · · · · Mandriva 2006. Debian GNU/Linux version 3.1r2. FreeBSD version 4.11. FreeBSD version 5.4 . FreeBSD version 6.1. Squid 2.5 or 3.0 proxy server with ICAP support. Perl 5.0 or higher (www.perl.org). Glibc 2.2.x or higher (for Linux distributions). 1.2. Licensing policy The licensing policy for Kaspersky Anti-Virus includes a system of product use limitations based on the following criteria: · · Number of users protected by the application HTTP traffic processed daily (MB/day). The licensing policy based on processed traffic takes into account the traffic created by scanned objects only, auxiliary service traffic generated by the application is not included into that volume. Each type of licensing is also limited by a certain period (typically one year or two years after the date of purchase). You can purchase a license limited by one of the above criteria (for example, by the daily HTTP traffic volume). 1.3. Distribution kit You can purchase the product either from our dealers (retail box) or at one of our online stores (for example, www.kaspersky.com ­ follow the E-store link). The retail box contains: · · · · sealed envelope containing the installation CD with the product a copy of this Administrator's Guide license key file bundled with the distribution package or recorded to a special floppy disk License Agreement. 8 Kaspersky Anti-Virus for Proxy Server Before you unseal the envelope containing the CD, make sure you have carefully read the License Agreement. If you purchase our application online, you will download it from Kaspersky Lab's website. Your license key is either included in the installation package or will be sent to you by email after payment. 1.3.1. License agreement The license agreement constitutes a legal agreement between you and Kaspersky Lab Ltd containing the terms and conditions subject to which you may use the purchased software. Please read the license agreement carefully! If you do not agree with the terms of the license agreement you may return the box with Kaspersky Anti-Virus to the distributor, where you have purchased it, you will be refunded the amount you've paid for subscription, provided the CD envelope remains sealed. Opening the sealed envelope of the installation CD or installing the product to a computer means your acceptance of all the terms and conditions of the license agreement. 1.4. Help desk for registered users Kaspersky Lab offers an extensive service package enabling registered customers to boost the productivity of Kaspersky Mail Gateway. If you purchase a subscription you will be provided with the following services for the period of your subscription: · · · new versions of this software product provided free of charge phone or email support on matters related to the installation, configuration, and operation of the product you have purchased notifications about new software products from Kaspersky Lab, and about new virus outbreaks. This service is provided to users who have subscribed to the Kaspersky Lab email newsletter service. Kaspersky Anti-Virus for Proxy Server 9 Kaspersky Lab does not give advice on the performance and use of your operating system or other technologies. 1.5. Conventions Various formatting conventions are used throughout the text of this document depending on the purpose of a particular element. Table 1 below lists the formatting conventions used. Table 1. Conventions Style Bold type Meaning Menu titles, menu items, window titles, parts of dialog boxes, etc. Note. Additional information, notes. Attention! In order to perform the action, 1. 2. Step 1. ... Task, example Information requiring special attention. Procedure description for user's steps and possible actions. Statement of a problem, example for using the software features. Solution to a defined problem. Solution [key] ­ key purpose. Text of information messages and the command line Command line keys. Text of configuration files, information messages and the command line. CHAPTER 2. OPERATION ALGORITHM AND TYPICAL DEPLOYMENT SCENARIOS This chapter contains essential information necessary for understanding of application functionality, its configuration and integration with an existing network structure. 2.1. The algorithm of application functioning Kaspersky Anti-Virus scans HTTP traffic using two modes of proxy operation: REQMOD and RESPMOD. In the RESPMOD mode the application checks objects requested by users via a proxy server. In the REQMOD mode it scans objects transmitted from users through the proxy. REQMOD is applied, for instance, for anti-virus scanning of email messages sent by users via a web-based mail server interface. Kaspersky Anti-Virus scans message attachments transferred by users to mail servers. The application performs anti-virus scanning of Internet traffic in the RESPMOD mode in accordance with the following procedure (see Fig. 1): 1. 2. User requests an object through a Squid proxy via HTTP. If the requested object is available within the Squid proxy cache, it will be returned to the user. If the object has not been found in cache, Squid proxy accesses a remote server and downloads the requested object from it. Squid uses ICAP to transfer the retrieved object to Kaspersky AntiVirus for an anti-virus check. Kaspersky Anti-Virus verifies correspondence of request parameters (user IP address, URL of the requested object) to any of its groups (please refer to section 5.1 on p. 34 for details about groups). If it finds such group, then the application scans and processes the object as necessary in accordance with the rules specified for that group. If a request does not match any of the 3. 4. Operation algorithm and typical deployment scenarios 11 existing groups, the application will use the default group rules for anti-virus scanning and processing. 5. The application uses the results of anti-virus scanning to assign to a scanned object a specific status, which is employed to grant users access to that object or block access attempts (please refer to section 5.3 on p. 36 for details about available statuses and actions performed by the application). Access to objects with a specific status is granted or blocked according to the processing group parameters (please refer to section 5.1 on p. 34 for details about groups). If access to an object has been granted, Kaspersky Anti-Virus allows Squid proxy to cache the object and transmit it to users. If access to an object is blocked, Kaspersky Anti-Virus prohibits Squid proxy to cache the object and deliver it to users. Instead of the requested object, the user will receive a notification informing that access to that object has been blocked. 6. Figure 1. Anti-virus scanning of traffic in the RESPMOD mode 12 Kaspersky Anti-Virus for Proxy Server The application performs anti-virus scanning of Internet traffic in the REQMOD mode in accordance with the following procedure (see Fig. 2): 1. 2. 3. User sends an object using HTTP via Squid proxy. Squid proxy uses ICAP to transfer the received object to Kaspersky Anti-Virus for an anti-virus scan. Kaspersky Anti-Virus checks if the request parameters match any of the existing groups (please refer to section 5.1 on p. 34 for details about groups). If it finds such group, then the application scans and processes the object as necessary in accordance with the rules specified for that group. If a request does not match any of the existing groups, the application will use the default group rules for anti-virus scanning and processing. Figure 2. Anti-virus scanning of traffic in the REQMOD mode 4. The application uses the results of anti-virus scanning to assign to a scanned object a specific status, which is employed as a criterion to allow transfer of that object or prohibit it (please refer to section 5.3 on p. 36 for details about available statuses and actions performed by the application). Permission or denial of transfer for objects with a specific Operation algorithm and typical deployment scenarios 13 status defined according to the processing group parameters (please refer to section 5.1 on p. 34 for details about groups). 5. If transfer is allowed, the proxy will transmit the object sent by the user. If transfer is prohibited, Squid will not transmit the object. Instead, it will send to the user a notification informing that the transfer has been blocked. 2.2. Typical deployment scenarios This section contains a description of two main methods available for application deployment: · · Application setup on the same server with Squid proxy Application setup on a dedicated server. General guidelines described in the examples will allow you to configure the application in accordance with your existing network structure. 2.2.1. Installing the application to the same server with SQUID proxy Further in this document we shall use this variant of Kaspersky AntiVirus setup (on the same server with SQUID proxy) to describe its operation and configuration. Application setup on the same server with Squid allows higher speed of processing as data transfers between Squid and Kaspersky Anti-Virus occur locally and do not involve the network. Such deployment scheme is efficient in case of low load on the proxy server. If the proxy is used to serve a large number of user requests, you are advised to install the application to a dedicated server since anti-virus scanning and processing are most resource-intensive procedures, which can therefore influence negatively the general proxy performance. Please refer to section 2.2.2 on p. 14 for application setup on a dedicated server. During application setup the installer automatically configures the following aspects: 1. Kaspersky Anti-Virus will be set up to run automatically at the operating system start and listen for requests from Squid proxy using port 1344 for all network interfaces of the server. 2. The following lines will be added to the ICAP OPTIONS section in the Squid configuration file specified during application setup: 14 Kaspersky Anti-Virus for Proxy Server icap_enable on icap_send_client_ip on icap_service is_kav_resp respmod_precache 0 icap://localhost:1344/av/respmod icap_service is_kav_req reqmod_precache 0 icap://localhost:1344/av/reqmod icap_class ic_kav is_kav_req is_kav_resp icap_access ic_kav allow all They will make the proxy transmit all requested objects to Kaspersky AntiVirus via port 1344 of the local interface. 2.2.2. Installation on a dedicated server Installing the application to a dedicated server is recommended in case of high load on the proxy server and in situations when Kaspersky Anti-Virus is used to process the traffic of several proxy servers. Since such deployment scheme does not allow automatic configuring of the application, you should set it up manually in accordance with the following procedure: 1. After application setup use the ListenAddress parameter in the [icapserver.network] section of the kav4proxy.conf configuration file to specify the IP address of the network interface and port that Kaspersky Anti-Virus will use to wait for proxy requests to process necessary objects. By default Kaspersky Anti-Virus waits for requests to all network interfaces of the server on port 1344. 2. Add the following lines to the ICAP OPTIONS section of the Squid proxy configuration file icap_enable on icap_send_client_ip on icap_service is_kav_resp respmod_precache 0 icap://:/av/respmod icap_service is_kav_req reqmod_precache 0 icap://:/av/reqmod icap_class ic_kav is_kav_req is_kav_resp icap_access ic_kav allow all where stands for the IP address of the server where Kaspersky Anti-Virus is installed; is the port that Kaspersky AntiVirus uses to wait for proxy requests for anti-virus processing. Restart Squid as soon as the changes are entered. CHAPTER 3. INSTALLING THE APPLICATION Before installing Kaspersky Anti-Virus, you are advised to: 1. Make sure that your system meets the hardware and software requirements (see section 1.1 on p. 6). 2. Log on to the system as root. 3. Make sure that your installed Squid proxy server supports ICAP. Unlike Squid 3.0, Squid 2.5 does not support ICAP by default. Please see the README-SQUID.txt file in the /opt/kav/5.5/kav4proxy/share/doc/ directory for information about available Squid distributions, correct compilation and proxy configuration for ICAP support. 3.1. Installing the application on a server running Linux Kaspersky Anti-Virus for servers running the Linux operating system is distributed in two different installation packages: · · .rpm ­ for systems that support RPM Package Manager. .deb ­ for Debian distributions. To initiate installation of Kaspersky Anti-Virus from the rpm package, enter the following in the command line: # rpm ­i kav4proxy-linux-.i386.rpm To initiate installation of Kaspersky Anti-Virus from the deb package, enter the following in the command line: # dpkg ­I kav4proxy-linux-.deb During the setup process you will have to specify additional information necessary for connection to the Internet, downloading of the anti-virus databases 16 Kaspersky Anti-Virus for Proxy Server and the settings for interaction with the proxy server. Please refer to section 3.4 on p. 17 for details. 3.2. Installing the application on a server running FreeBSD The distribution file for installation of Kaspersky Anti-Virus on servers running the FreeBSD operating system is supplied as a .tgz package. To initiate installation of Kaspersky Anti-Virus from a tgz-package enter the following in the command line (depending on the version of FreeBSD distributive): # pkg_add kav4proxy-freebsd4-.tgz or # pkg_add kav4proxy-freebsd5-< distributive version >.tgz or # pkg_add kav4proxy-freebsd6-< distributive version >.tgz During the setup process you will have to specify additional information necessary for connection to the Internet, downloading of the anti-virus databases and the settings for interaction with the proxy server. Please refer to section 3.4 on p. 17 for details. 3.3. Installation procedure Algorithms described in this section and in section 3.4 suggest that the target server already has Squid 2.5 or 3.0 with ICAP support installed. Kaspersky Anti-Virus must be installed in two stages. The first stage will be performed automatically after execution of the commands described in sections 3.1, 3.2, it comprises the following steps: 1. Creation of the klusers group and the kluser account with the necessary privileges that Kaspersky Anti-Virus will use to start and operate. Copying of the files from distribution package to computer. Registration of services necessary for Kaspersky Anti-Virus functioning. 2. 3. Installing the application 17 3.4. Post-install setup Post-install setup of Kaspersky Anti-Virus is the second stage of its installation including configuration of the application and Squid proxy server. To initiate the configuration process, use the postinstall.pl script located in the /opt/kav/5.5/kav4proxy/setup/ directory. After script start you will be offered to perform the following actions: The postinstall.pl script should be launched manually for RPM-based systems. In other systems (for example, such as FreeBSD) the script will run automatically during the installation procedure. 1. 2. Specify the path to the license key file. Configure the parameters of the proxy server used for connection to the Internet in the following format: http://: or http://:@: server IP depending upon the necessity to authenticate users logging on to that proxy. The value will be used by the application updater component (keepup2date) for connection to Kaspersky Lab's servers and downloading of updates to the anti-virus databases. If you are not using a proxy for Internet connection, specify no as the value for that parameter. 3. Download updates to the anti-virus databases from update servers of Kaspersky Lab. Specify yes or no depending upon your wish to update immediately or later. Specify full path to the configuration file of the Squid proxy transferring the HTTP traffic, which Kaspersky Anti-Virus is supposed to scan. The settings necessary to enable interaction via ICAP between the proxy and the application will be added to the configuration file. 4. During the process of post-install configuration the task for hourly updates of the anti-virus databases will be registered with the cron service. If you have not installed a license key during post-install product configuration, then after launch Kaspersky Anti-Virus will start functioning in the unlicensed mode. If you have not downloaded the anti-virus databases during post-install configuration, then after launch Kaspersky Anti-Virus will start functioning 18 Kaspersky Anti-Virus for Proxy Server without the anti-virus databases. Please see section 5.5 on p. 40 for details on the application modes. 3.5. Distribution of the application files in directories After the installation of Kaspersky Anti-Virus on a server running Linux is complete, the application files will be located in the following directories, provided that the default paths have been accepted during the installation: /etc/kav/5.5/kav4proxy/kav4proxy.conf application parameters. ­ configuration file containing /opt/kav/5.5/kav4proxy/bin ­ directory containing executable files of the application components: avbasestest ­ utility validating downloaded updates to the anti-virus databases used by the keepup2date component. kavicapserver ­ executable file of the main application component. keepup2date ­ utility updating the anti-virus databases. licensemanager ­ utility for management of license keys. /opt/kav/5.5/kav4proxy/init.d/kav4proxy ­ service script for application control. /opt/kav/5.5/kav4proxy/contrib/kavproxy.wbm ­ Webmin plug-in module for Kaspersky Anti-Virus management. /opt/kav/5.5/kav4proxy/man ­ directory containing application manual pages. /opt/kav/5.5/kav4proxy/share/doc/kav4proxy.groups.conf.sample ­ sample file containing group-based application configuration. /opt/kav/5.5/kav4proxy/share/doc/README-SQUID.txt ­ file containing information about available Squid distributions, correct compilation and proxy configuration for ICAP support. /opt/kav/5.5/kav4proxy/setup ­ directory containing scripts used for postinstall setup and removal of the application: keepup2date.sh ­ script that configures the keepup2date component. icap_squid_setup.pl ­ script that configures Squid for work with Kaspersky Anti-Virus. postinstall.pl ­ post-install application setup script. Installing the application 19 uninstall.pl ­ application removal script. /var/db/kav/5.5/kav4proxy/ ­ application directory including: backup/ ­ directory where the updater saves backup copies of the antivirus databases and application modules prior to an update. bases/ ­ directory containing the anti-virus databases and core modules. licenses/appinfo.dat ­ file that contains information about the current license. patches/ ­ directory where the updates for the anti-virus core modules are stored. /var/log/kav/5.5/kav4proxy/ ­ directory containing the application log files. CHAPTER 4. USING KASPERSKY ANTI-VIRUS This chapter contains solutions for typical tasks related to work with Kaspersky Anti-Virus, such as application updating, management of license keys, anti-virus protection of HTTP traffic, and configuration of different anti-virus scanning parameters for various user groups. The tasks described in this section reflect basic features of Kaspersky Anti-Virus. Their implementation in a specific configuration will depend upon the organizational peculiarities of your network and the existing security policy. Please refer to Chapter 5 on p. 34 for a detailed explanation of application settings used in description of these tasks. 4.1. Updating the anti-virus databases Kaspersky Anti-Virus uses the anti-virus databases while processing the objects requested by users through Squid proxy. The anti-virus databases are employed during scanning and disinfection of infected objects; they contain descriptions of all currently known viruses and the methods of disinfection for objects affected by those viruses. The keepup2date component is included into the application to provide for software updates. The updates are retrieved from the update servers of Kaspersky Lab, e.g.: http://downloads1.kaspersky-labs.com/ http://downloads2.kaspersky-labs.com/ ftp://downloads1.kaspersky-labs.com/ etc. The updcfg.xml file included in the installation package lists the URLs of all available update servers. The keepup2date component supports Basic authentication for connections through a proxy server. To update the anti-virus databases, the keepup2date component selects an address from the list of update servers and tries to download updates from that server. If the server is currently unavailable, the application connects to another server, trying to download updates.