How To AVC
SAMBA+ AVC - AntiVirusCompliance
SAMBA+ AVC is a tool for Linux servers which scans file systems for malware and writes search results into log files, so admins can take action.
Technical base is the SAVAPI engine by AVIRA. The scan service runs in the background in scheduled tasks. Each process can be parallelised.
Supported Operating Systems
SAMBA+ AVC is available for many different GNU/Linux x86 distributions, in 32 and 64 bit.Debian GNU/Linux
- Wheezy (7)
- Jessie (8)
- Precise (12.04)
- Trusty (14.04)
- Xenial (16.04)
- SLES 10
- SLES 11
- SLES 12
- openSUSE 11.1
- openSUSE 12.1
- openSUSE 12.2
- openSUSE 12.3
- openSUSE 13.1
- openSUSE 13.2
- RHEL 6
- RHEL 7
- CentOS 6
- CentOS 7
Minimum system requirements
The system requirements depend on the specific configuration.
|CPU: x86, 32 or 64 bit|
|512 MB RAM (exclusively for SAVAPI service)|
|512 MB HDD space for installation|
|1024 MB HDD space for temporary data|
Get SAMBA+ AVC Packages
After buying your subscription, please create a SAMBA+ OPOSSO account and add your subscriptions. Then set either one global password or one password per subscription. Thereafter, you can use your key and password to log in to the SerNet download server and download files from the protected areas.
Your key and password are also needed for automated updates of the malware detection engine and virus definition files, see Setup AV-Updater for details.
The following form of URLs can be used to automatically retrieve packages and package updates from our repositories with package managers such as apt, yum or zypper. Direct download links to the packages are also available. The packages are signed with SerNet's gpg build key. See below for details.
The repository files can be copied to the following locations depending on the installer used:
|installer||path for repo-file|
Note that the repository files are templates: In the URLs inside the repository files, you need to replace SUBSCRIPTION:PASSWORD with your corresponding subscription key and password.
|Distribution||Version||AVC repository||AVC download|
The SerNet build key
The packages are signed with SerNet's gpg build key to guarantee authenticity.
Install Debian key package:
dpkg -i sernet-samba-keyring_latest_all.deb
Install RPM key package:
rpm -i sernet-build-key-latest.noarch.rpm
After importing the key, please make sure that 'apt-key finger' or 'gpg --quiet --with-fingerprint /usr/lib/rpm/gnupg/sernet-build-key.gpg' shows the following fingerprint:
7975 0C31 87AF 92DD AC46 086F D992 1B1C F442 8B1A
Installation and configuration for initial startup
After you have configured your package manager you can install SAMBA+ AVC, which consists of two packages:
- sernet-savapi: Avira SAVAPI daemon, update service and initial virus definition files.
- sernet-avc: Scan control tools and configuration.
As soon as the packages are installed, the savapi service will be running. You can test the service with the savapicmd check command:
# savapicmd -c OK: Received pong 199
If the service does not reply as expected, please read the error message, check the the sernet-savapi service and the log file /var/log/sernet-savapi/savapi.log for more details.
# service sernet-savapi statusor
# systemctl status sernet-savapi.service
Configuration for initial startup
The following sections describe the steps to put SAMBA+ AVC Scanner into operation. Only a few options need to be adapted before starting.
Please note that this is a guide for the initial setup only. Many parts of SAMBA+ AVC are highly customizable and can be adapted to specific setups and use cases. Many of the default settings lead to fast scan performance. To increase security, depending on use cases, you might wish to enable options such as e.g. "archive scan" to scan the content of archives such as ZIP, TAR, 7Zip, XZ and many otherPlease see the man pages savapicmd.conf(5) savapi.conf(5) and the SAVAPI documentation for more details. The SAVAPI Documentation is stored at /usr/share/doc/packages/sernet-savapi or /usr/share/doc/sernet-savapi/, depending on your operating system.
All essential configuration files are stored at the /etc/sernet-savapi directory. Use your favorite editor to set the desired parameters.
Setup fileserver scanner
The fileserver scanner reads its configuration from /etc/sernet-savapi/savapicmd.conf.
report email address=<address emails will be sent to> (system mailing needs to be configured)
The AV-Updater is used for automated updates of the malware detection engine and virus definition files.
To access the update repository, the updater needs your subscription key and password. These can be set in the avupdate-savapi-engine.conf configuration file.
If needed, specify your proxy server parameters.
The updater runs before each scan process. This can be changed by the "skip avupdate" savapicmd.conf option. You can also use the cron job template /etc/cron.d/sernet-savapi to configure time scheduled updates.
Setup SAVAPI Service
Options for the savapi service can be set in the /etc/sernet-savapi/savapi.conf configuration file.
Different settings that affect the SAVAPI scan process and malware detection can be configured here. For example, whether mailbox files should be scanned, SAVAPI should extract archives or the heuristic level for the malware detection.
Please refer to Avira SAVAPI Documentation "SAVAPI Service 3.3.2 Configuration file options" for a more detailed description and additional parameters.
Some of the savapi service options can be overridden by options set in savapicmd.conf or command line arguments.
Perform malware scans
For automated scheduled malware scans a cron job can be used. A template file for cron is placed at /etc/cron.d/sernet-avc.
To perform a manual malware scan run:
After a successful scan, the scan result will be stored as a CSV file avcscanresult-DATE.csv at the scan result path. The scan result path is /var/log/sernet-savapi by default. If no malware was detected, the file will be empty.
The CSV result file contains three columns:
- Name or identifier of the result
Can be a malware name or one or multiple keywords that describe the result. Keywords often indicate that files could not be scanned for a specific reason. Reporting of results with keywords can be excluded with different savapicmd.conf options. Available options are "accept encrypted files", "accept encrypted mime" and "accepted keywords". With the "accepted keywords" option any keywords can be excluded.
Common keywords are:
- ENCRYPTED: Encrypted file or archive that can not be scanned.
- TIMEOUT;PROGRESS_ABORT: The scan process exceeded the configured maximum scan time limitation and has been aborted. This can occur with large archives. Use the "scan timeout" option to specify a higher limit.
- Result typeDescribes the kind of the result, e.g. "Virus" or "Blacklist match".
- Details about the location of the infected file Files, which are part of archives, are marked with the " --> " pattern.
If the "report email address" is enabled, the defined recipient will receive a mail with detailed scan results. This requires a configured local mail transfer agent such as sendmail, exim4 or postfix.
Please report bugs to firstname.lastname@example.org.