Sep 6, 2011

Avira AntiVir Personal on Linux (III)

Now we have installed Avira AntiVir Personal on Linux (II), in this article I am going to treat one of its main modules: AntiVir Command Line Scanner (avcan).

This component is launched from the command prompt (on-demand), and it takes care of analyzing files in order to look for possible malware infections. Avscan can delete, repair, isolate or simply warn.

One of the most powerful advantages of this kind of tool is which can be integrated with scripts. In this way, you may use it for example with a web service, where the files are uploaded and it can be neccesary to scan them before storing the files into the hard drive.

Avcan can be configured by means of its own configuration file (/etc/avira/avscan.conf). In this manner, when you run the scanner, this will utilize the options established into the file (by default).

But indeed, the most interesting possibility is to be able to set the scanning options when you execute it (on real-time), because for instance, you might have various scanning tasks with different types of analysis.

Then let's take a look at the principal features of avcan. For this purpose, I will download the EICAR test file (harmless virus used to try out the behaviour of an antivirus).

[root@centos ~]# wget https://secure.eicar.org/eicar.com

[root@centos ~]# avscan -h
syntax: avscan [option ...] [directory] [filename] ...
...

When a virus is detected, you may choose between several actions: ignore the alert (none or ignore), remove the file (delete or del), change the name of the file (rename or ren) or move the file into the quarantine area (quarantine). You can also add the '-e' parameter so that the infected file is repaired whenever possible.

[root@centos ~]# avscan --batch --alert-action=quarantine eicar.com

[root@centos ~]# avscan --batch --alert-action=delete -e eicar.com

By adding the '--batch' parameter, we are avoiding to be asked by avscan during the analysis, and all decisions are performed based on the configuration file and command-line settings.

Other option is to detect certain categories of software which are not considered malware, such as jokes programs (joke), files compressed with an unusual tool (pck), dial-up programs (dial) and so on. With the 'alltypes' option, all available types will be treated.

[root@centos ~]# avscan --batch --alert-action=delete --detect-prefixes="joke=yes phish=yes" eicar.com

[root@centos ~]# avscan --batch --alert-action=delete --detect-prefixes=alltypes eicar.com

Regarding the virus analysis, other important option is to enable the heuristic scanning. Avcan is able to use heuristics to conclude if a certain file is malicious. This allows that new or unknown code can be detected before an update. The level of heuristics increases the intensity of the scanning: 0 (off), 1 (low, by default), 2 (medium) and 3 (high).

[root@centos ~]# avscan --batch --alert-action=delete --heur-level=3 eicar.com

By default, avscan decides what files must be scanned from their name or content (smart). You can force it to scan files according to their filename extensions (extlist) or analyze all files regardless of their name or content (all).

[root@centos ~]# avscan --batch --alert-action=delete --scan-mode=all dir/

With respect to the directories, if you want to enable the recursive scanning of all subdirectories within a specific path, you will have to add the '-s' parameter.

And finally, also point out that avscan returns a code after ending the analysis, and it can be really useful to be managed through scripts.

[root@centos ~]# avscan --help
...
list of return codes:
   0: Normal program termination, nothing found, no error
   1: Found concerning file
   3: Suspicious file found
   4: Warnings were issued
 255: Internal error
 254: Configuration error (invalid parameter in command-line
      or configuration file)
 253: Error while preparing on-demand scan
 252: The avguard daemon is not running
 251: The avguard daemon is not accessible
 250: Cannot initialize scan process
 249: Scan process not completed
 248: No valid license found
 211: Program aborted, because the self check failed

[root@centos ~]# avscan --batch --alert-action=delete eicar.com

[root@centos ~]# echo $?
1

If you want to review the rest of options, you can check the avscan.conf file or run the '--help' parameter.


No comments:

Post a Comment

Post a Comment