Koozali.org: home of the SME Server

Avira antivirus software instructs to get it, install it and run it

Offline purvis

How I installed the Avira virus scanner.

The time for the command line Avira virus scanner (scancl) to load up
   and scan one file on my system is 11 seconds.

Before you copy and paste this code into a file that you create,
expand your ssh program window to a full window size or some code may not wrap properly.
Be sure the wget lines are full and not wrapped around like mine were.
I use the nano editor.

WARNING WARNING WARNING
I do not know about dazuko, so I did not install it.
The Avira guard program will not run without it as far as I can tell.

The hbedv.key file download is for the Windows 32 system but it works for Linux as well.


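Code:
#!/bin/bash

########## STEP 1
# Create the working directory and remove files left over from earlier runs.
clear
mkdir -p /tmp/avira
chmod 755 /tmp/avira
cd /tmp/avira || exit 1
rm -f /tmp/avira/*.gz
rm -f /tmp/avira/*.key
clear


########### STEP 2
# Download the license key and the two packages.
# NOTE: these are plain-HTTP downloads and nothing below checks a checksum or signature.
cd /tmp/avira || exit 1
wget "http://personal.avira-update.com/package/peclkey/win32/int/hbedv.key"
wget "http://professional.avira-update.com/package/scancl/linux_glibc22/en/scancl-linux_glibc22.tar.gz"
wget "http://premium.avira-update.com/package/wks_avira/unix/en/pers/antivir_workstation-pers.tar.gz"


############ STEP 3
# Unpack only when all three downloads are present
# (the test used || before, which unpacked even if a download was missing).

cd /tmp/avira || exit 1
if [ -f "hbedv.key" ] && \
   [ -f "scancl-linux_glibc22.tar.gz" ] && \
   [ -f "antivir_workstation-pers.tar.gz" ]
   then
   cd /tmp/avira
   tar xvzf antivir_workstation-pers.tar.gz
   tar xvzf scancl-linux_glibc22.tar.gz
fi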


cd /tmp/avira
if [ -f "/tmp/avira/antivir-workstation-pers-3.1.3.5-0/install" ]
   then
   cd /tmp/avira/antivir-workstation-pers-3.1.3.5-0
   ./install
fi

cd /tmp/avira
if [ -f "/usr/lib/AntiVir/guard/avira_personal.key" ]
   then
   cd /usr/lib/AntiVir/guard/
   cp /tmp/avira/scancl-1.9.159.0/* \
      /usr/lib/AntiVir/guard/
fi

cd /tmp/avira
if [ -f "/usr/lib/AntiVir/guard/avira_personal.key" ]
   then
   if [ ! -f "/usr/lib/AntiVir/guard/avira_personal.key.new" ]
      then
      cp /usr/lib/AntiVir/guard/avira_personal.key \
      /usr/lib/AntiVir/guard/avira_personal.key.new
   fi
fi

cd /tmp/avira
# Install the downloaded key over the personal key (the original key was saved as .new above).
if [ -f "/tmp/avira/hbedv.key" ]
   then
   cp /tmp/avira/hbedv.key /usr/lib/AntiVir/guard/avira_personal.key
fi


# THIS UPDATE WILL TAKE MORE THAN A FEW MINUTES
cd /tmp/avira
if [ -f "/usr/lib/AntiVir/guard/avupdate-guard" ]
   then
   cd /usr/lib/AntiVir/guard/
   /usr/lib/AntiVir/guard/avupdate-guard
   cp /tmp/avira/hbedv.key /usr/lib/AntiVir/guard/avira_personal.key
   /usr/lib/AntiVir/guard/avupdate-guard
   /usr/lib/AntiVir/guard/avupdate-guard --product=Scanner
   /usr/lib/AntiVir/guard/avupdate-guard --product=Guard
fi

cd /tmp/avira
if [ -f "/usr/lib/AntiVir/guard/avupdate-guard" ]
   then
   avguard stop
fi

cd /tmp/avira
if [ -f "/usr/lib/AntiVir/guard/scancl" ]
   then
   /usr/lib/AntiVir/guard/scancl --help
fi

exit 0

Quote
THESE ARE SOME OF THE QUESTIONS AND ANSWERS THAT I GAVE DURING THE INSTALLATION
I DID NOT INSTALL DAZUKOFS
I DID NOT INSTALL THE GNOME PLUGIN
I DID NOT START GUARD NOW

Would you like to create a link in /usr/sbin for avupdate-guard ? [y] y

Would you like to setup Scanner update as cron task ? [y] y

What time should updates be done [00:15]?    I ACCEPTED THE DEFAULT

Would you like to check for Guard updates once a week ? [n] y

Would you like to install dazukofs now ? [y] n

Would you like to create /home/quarantine ? [y] y

Would you like to install the AVIRA Guard GNOME plugin ? [n] n

Would you like to create a link in /usr/sbin for avguard ? [y] y

Set up boot scripts ? [y] y

Would you like to start AVIRA Guard now? [y] n

Manual update
Code:
/usr/lib/AntiVir/guard/avupdate-guard
/usr/lib/AntiVir/guard/avupdate-guard --product=Scanner
/usr/lib/AntiVir/guard/avupdate-guard --product=Guard

TO SCAN YOUR USERS' EMAILS AND NOT DELETE THEM
Code:
/usr/lib/AntiVir/guard/scancl -a -s -z --temp=/tmp /home/e-smith/files/users/*/Maildir/*/1*

TO TIME THE SCAN OF YOUR USERS' EMAILS AND NOT DELETE THEM
Code:
time /usr/lib/AntiVir/guard/scancl -a -s -z --temp=/tmp /home/e-smith/files/users/*/Maildir/*/1*








######### WARNING WARNING WARNING ##########
######### THIS PROCESS CAN DELETE FILES ########

THIS RUNS IN QUIET MODE, NO OUTPUT.
IF YOU WANT TO SEE THE OUTPUT, THEN REMOVE THE "-q" OPTION LOCATED RIGHT AFTER THE "-z" OPTION.
TO SCAN YOUR USERS' EMAILS AND DELETE ANY THAT ARE DETECTED AS HAVING A VIRUS
Code:
/usr/lib/AntiVir/guard/scancl -a -s -z -q --defaultaction=delete-archive --temp=/tmp /home/e-smith/files/users/*/Maildir/*/1*
« Last Edit: March 26, 2013, 05:02:56 AM by purvis »
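
An added example, not part of the original post and not Avira's or the poster's code: the script above fetches its packages over plain HTTP into a fixed /tmp path and then runs ./install, so this shows staging in a private mktemp directory and unpacking only after a SHA-256 match and a member-path check. The function names are illustrative, the digest is computed from an archive constructed inside the demo (the page publishes no checksums), and sha256sum and tar are assumed to be installed.

```bash
# Added example: verify an archive before unpacking it as root.
# All function names here are illustrative, not from Avira or SME Server.

# Private staging directory: mktemp -d creates it mode 0700 with an
# unpredictable name, unlike a fixed, world-readable /tmp/avira.
make_stage() {
    mktemp -d "${TMPDIR:-/tmp}/avira.XXXXXXXX"
}

# verify_sha256 FILE EXPECTED_HEX: succeed only on an exact digest match.
verify_sha256() {
    local actual
    [ -f "$1" ] || return 1
    actual=$(sha256sum < "$1" | cut -d' ' -f1) || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# path_is_contained NAME: reject absolute paths and any ".." component.
path_is_contained() {
    case "/$1/" in
        //*|*/../*) return 1 ;;
    esac
    return 0
}

# tar_is_contained ARCHIVE: every member name must stay below the target.
# Checks names only; it does not inspect symlink targets.
tar_is_contained() {
    local listing member
    listing=$(tar -tzf "$1" 2>/dev/null) || return 1
    [ -n "$listing" ] || return 1
    while IFS= read -r member; do
        path_is_contained "$member" || return 1
    done <<EOF
$listing
EOF
}

# safe_unpack ARCHIVE EXPECTED_HEX DESTDIR
# Returns 1 on a digest mismatch, 2 on an unsafe member path.
safe_unpack() {
    verify_sha256 "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    tar_is_contained "$1" || { echo "unsafe path in: $1" >&2; return 2; }
    tar --no-same-owner -xzf "$1" -C "$3"
}

# Constructed demo: build a small archive, pin its digest, unpack it,
# then confirm that a modified copy of the same file is refused.
demo() {
    local stage pin rc
    stage=$(make_stage) || return 1
    mkdir "$stage/src" "$stage/out" || return 1
    echo 'echo installer' > "$stage/src/install"
    tar -czf "$stage/pkg.tar.gz" -C "$stage" src || return 1
    pin=$(sha256sum < "$stage/pkg.tar.gz" | cut -d' ' -f1)
    rc=0
    safe_unpack "$stage/pkg.tar.gz" "$pin" "$stage/out" || rc=1
    [ -f "$stage/out/src/install" ] || rc=1
    echo tampered >> "$stage/pkg.tar.gz"
    safe_unpack "$stage/pkg.tar.gz" "$pin" "$stage/out" 2>/dev/null && rc=1
    rm -rf "$stage"
    return $rc
}

demo && echo "verification demo: ok"
```

The pinned digest has to come from a source other than the download itself, otherwise the check only detects corruption in transit.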

Offline purvis

« Reply #1 on: March 26, 2013, 06:17:37 AM »
I am in the process of running an Avira scan on all files, including archives, under the /home/e-smith/files directory.

On a single core single processor.
So far I am pleased with the cpu usage while the scan is running. The cpu usage is high but not as high as other
scanners I have used and I am still able to get to run other processes from my workstation.
When I run another heavy process from a workstation on a shared directory using samba,
the scancl process cpu usage on the server backs down a whole lot better than Clamav ever did.
The disks are older on this unit as well.

On a single dual core processor, the result in cpu usage is even better.
The disks on this unit are newer, about 1 year old.

Offline purvis

« Reply #2 on: March 26, 2013, 09:07:16 PM »
I am having issues with Avira today.
I will get back with anybody.
I believe at this point it was wrong to let Avira set up any symbolic links, cron jobs, or anything else from the install.
I am reinstalling.
If you have not set up Avira,
then hold off.
I am not sure exactly the issues I am having other than Avira has some very stupid setup and updating routines.


Offline janet

« Reply #3 on: March 27, 2013, 01:15:39 AM »
purvis

Quote
Expand your ssh program window to a full window size or some code may not wrap properly.
Be sure the wget lines are full and not wrapped around like mine were.
I use the nano editor.

Always use
nano -w filenametoedit
to prevent unintended line wrapping
(instead of just using nano filenametoedit)

PS Please fully test & check your work before posting here.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline Stefano

« Reply #4 on: March 27, 2013, 12:47:54 PM »
nano -w filenametoedit
to prevent unintended line wrapping
(instead of just using nano filenametoedit)

I suggest Purvis create an alias in .bashrc, e.g.
Code:
alias nano='nano -w'

Quote
PS Please fully test & check your work before posting here.

I agree and would say: before posting something that could lead an inexperienced user to server compromise, think twice (and always add a BIG disclaimer) :-)

In any case, Purvis, thank you for your effort, very appreciated

Offline purvis

« Reply #5 on: March 27, 2013, 08:25:04 PM »
If we could upload files there would be fewer errors from cutting and pasting.
I had asked for permission a couple years ago to see if I could edit on the wiki.
That never came.
So as far as errors, I will let others edit flaws.

Offline janet

« Reply #6 on: March 28, 2013, 12:02:35 AM »
purvis

Quote
If we could upload files there would be fewer errors from cutting and pasting.

Well if you ask for access to a user contrib area, you can upload files
ie here
http://distro.ibiblio.org/smeserver/contribs/
IIRC you send an email to admin@contribs.org requesting that type of access, or it might even be achieved nowadays by lodging a bug request.

Quote
I had asked for permission a couple years ago to see if I could edit on the wiki. That never came.

Did you ever follow up ?
Remember this place is run by volunteers & some jobs get overlooked or lost in the pile of things to do.

The correct & only place to ask for wiki edit access is in your Forum user profile
Select Profile at top of Forums, select Group Membership, then under Wiki & Docs Team section click on Request Membership
Wait a day or a few days & someone should let you know.
If you do not hear back within say a week, then follow up at admin@contribs.org

Quote
So as far as errors, I will let others edit flaws.

That is quite an irresponsible attitude.
If you are creating code (even basic simple scripts etc), then you have an inherent responsibility to make it as good as you can, & certainly without fundamental errors or "flaws", when you first release it to the world. From some of your posts you seem to be releasing scripts, announcing it is under test, and then correcting problems or mistakes or "flaws" after the event.
At least run some comprehensive tests, wait a while, run them again, make sure no other issues surface, wait a while again, test again fully on a clean system to ensure repeatability, and then release your code. The world is not in that big a rush to receive the gift of your code, we all would probably prefer the bugs or at least basic functionality to be sorted out before you release.

As Stefano hints at, some people who are less experienced or less knowledgeable at reading or writing code, will assume your scripts are good & fully functional, and jump in and start using them, simply based on the fact that you have published them here, and so therefore they must be OK. They then get into trouble when they have problems & have difficulty sorting out why it is not working etc (having expected that it would work in totality).

So please be more careful when releasing code or scripts, please test it a little more to ensure the basics are correct.

I am in no way criticising your efforts, just asking you to be more considerate when you actually publish.

By the way, the "wait a while" suggestions are very important, as it allows your mind to clear out everything you have been doing code wise, & when the mind has been cleared you will then more easily see things you have overlooked or could have done better or perhaps even see a totally different approach. So "waiting a while" before releasing, allows this process to happen, thus improving your first release versions of code or scripts.
« Last Edit: March 28, 2013, 12:08:36 AM by mary »

Offline purvis

« Reply #7 on: March 28, 2013, 10:26:02 AM »
No code is perfect. None.
I did take insult that you would think I do not test my code.
There is probably over a week (not the 40 hours but likely over 100 hours of testing and 24/7 of me testing and running of code on production units) of all code that gets posted here to my scripts. That is a lot of hard hours that most would not even put in to try to overcome some improvements to the server system.

I have been working on viruses coming into one location for over 2 months now and that has me worried a lot.

I do not post code that I think is harmful. I take the high ground and safe approach.
When creating scripts, or any code, you get the code working, then the second step is to improve the code.
Very few people work with any of *nix systems directly. Because of so many different operating system setups, that is what has hurt the spread of *nix systems in my opinion. So help is not found just around the corner and not even in books. I have never seen an expert book or even a book on SME SERVER.

Usually when script or code is placed on this site, other users have input on it and can improve it or the commands. We get to learn from that. SME Server is not a generic server and there is a lot of work, CAN I STRESS A LOT OF WORK, that went into the development and ongoing fixes to keep it running. I have no control of what is going on with the main parts of SME SERVER. It is very complicated to say the very least.
So any code or installed program has to play well with all the complicated stuff in the SME SERVER.

Any code that I post is for two reasons. I like to share and I like for others to help improve the code where it might help them.

I cannot control code that comes from other sources. I get very aggravated when something is supposed to do its job and does not do it. And when it was working and then it is not working is very upsetting. Changes are going to happen. That is one thing that you can count on whether you like it or not.

If you do internet searches on any piece of code or software, you will always find lots of problems on every piece of code that exists. That is just the way it is.

I also do not like any negative attitude or remarks. Positive criticism is not negative. Negative and uncontrolled remarks will always be addressed. Nobody saw me making any bad remarks about me not being allowed or being able to do wiki posts. Actually I have never done anything wiki. But I went on my way and did not complain.

I think there could be an area on the forums for testing works of code if possible. As far as I know, that is what the contribs forum area was made for. Then a wiki can be produced only after that it is safe to assume the work on the code has come to a somewhat completion.

Offline purvis

« Reply #8 on: March 28, 2013, 10:44:09 AM »
Thanks Stefano, I did not know that.

I get so frustrated working with many editors.
I am sure to a geek some powerful editors are great, those editors can get you in trouble quick as well.
But to the most of us, a good basic editor is all that is needed.
I have always thought of nano as being an editor and not a word processor.
I am going to do some nano learning or maybe even look for a better editor.
Edit on Windows is about as good as a simple editor gets. But Linux does run that.

Offline janet

« Reply #9 on: March 28, 2013, 10:52:19 AM »
purvis

I think you have overreacted a little and/or misunderstood my sentiment.
I NEVER said you do not test. I even said you announced you are testing. Please read what I said carefully.
.....and that is what I said about your code, to be more careful when releasing it & to test more before releasing it, and I even suggested a more thorough testing regime.

The whole point I was making was for you to improve your code further first, before releasing it with obvious issues, and one of the ways to achieve that was to test more & to test for longer on multiple clean setups. Had you done that then probably the following scenario would not have happened. If it is not obvious to you, I was trying to help you perform better.

ie on 25 March you said you were running scans (tests I assume by that), and then on 26 March you withdrew the whole attempt by saying

"I am having issues with Avira today.
I will get back with anybody.
I believe at this point it was wrong to let Avira set up any symbolic links, cron jobs, or anything else from the install.
I am reinstalling.
If you have not set up Avira,
then hold off.
I am not sure exactly the issues I am having other than Avira has some very stupid setup and updating routines."

Offline purvis

« Reply #10 on: March 28, 2013, 11:43:29 AM »
Only on 1 machine did I have problems. The software was loaded up 4 days and then one day it failed to run, likely due to the software's own code. I think internet updates. Even Clamav has had a lot of issues and continues to have issues.
That is the reason for the post on having others to hold off.
It is hard sometimes to find and reproduce whatever caused the issue.
Nobody can work on this stuff for hours on end.  I

There is no way anybody can be assured software is going to work.
But it is great to have a heads up of possible problems.
Which is what I did.

I am thinking if we can get three good dependable stable antivirus software running dependably, especially with incoming emails,
this would spark a lot of attention to SME SERVER and help me out as well. In order to do that, we may need four antivirus programs to allow for problems with the possibility of one not working. I see this as doable.
SME surely needs more than just Clamav for incoming emails from what I have seen lately.

Offline janet

« Reply #11 on: March 28, 2013, 04:21:05 PM »
purvis

I am puzzled and surprised that you want or feel you need 3 anti virus solutions running on the server.

Do you really have all available antivirus features functioning fully & correctly now ?
ie
RBL's enabled (RHSBL & DNSBL) ?
with suitable RBL list sources enabled eg spamhaus & so on ?
executable content rejection including zipv1 file blocking ?
spam filtering & rejection enabled (custom level set) ?
additional spam learning techniques (Bayesian & Learn As Spam etc) ?
Greylisting (recommended by some & not by others) but it will kill spam & viruses almost instantly to zero ?
Is your sme server in gateway & server mode (for best rejection) or are you behind a router (many features are less effective or not effective at all) ?

If you are doing all of the above (except greylisting) & they are properly & adequately configured, I am surprised you have such a big problem.
If your situation is that bad then perhaps you need to enable greylisting, and if you are using greylisting then you should have no viruses or spam at all.

Offline Stefano

« Reply #12 on: March 28, 2013, 04:41:09 PM »
purvis

I am puzzled and surprised that you want or feel you need 3 anti virus solutions running on the server.

purvis.. if this is true, please explain your problem (or what you are trying to achieve).. your solution may be wrong (but your testing and scripting activity is not)

thank you

Offline purvis

« Reply #13 on: March 30, 2013, 10:33:16 PM »
Mary, some of your suggestions have helped.
If I knew that all spam marked emails were true spam, I could get rid of much of it.
Our emails need to be seen. We can delete those on an email notifier without an issue.
Yes, most of the viruses are getting marked as spam but not all.
I have some tricks I might be trying later concerning geoip.
Geoip will not stop an email where the original email account sender came from an unwanted country.
Seems Geoip will only stop an email server from another country.
That is another issue.
I am continuing with virus detection, the effort is worth it.
Thanks Paul
« Last Edit: March 31, 2013, 05:13:05 AM by purvis »

Offline purvis

« Reply #14 on: March 30, 2013, 10:40:01 PM »
Linux is still strange to me.
Prelinking, what is that? Seems to be a Linux speedup feature I was not aware of.
Following the below webpage, I am editing the /etc/prelink.conf file and placing
Code:
-b /usr/lib/AntiVir/
During the install of Avira, it mentioned prelinking may cause problems but I had overlooked that.
So I will be seeing what happens next. I am keeping my fingers crossed that this solves the problem.

Read the below website
http://www.avira.com/en/support-for-home-knowledgebase-detail/kbid/616
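
An added example, not from the original post or from Avira: one way to make the /etc/prelink.conf edit described above repeatable, so the `-b /usr/lib/AntiVir/` blacklist line is added once, a backup is kept, and a commented-out copy of the line is not mistaken for an active one. The function names are illustrative and the demo runs on a constructed scratch file, not the real configuration.

```bash
# Added example: add a prelink blacklist entry exactly once.
# prelink_exclude CONF DIR
# Prints "present" if CONF already has an active "-b DIR" line (with or
# without a trailing slash); otherwise backs CONF up, appends the entry
# and prints "added".
prelink_exclude() {
    local conf dir
    conf=$1
    dir=${2%/}
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }

    # Commented-out lines do not count: field 1 must be exactly "-b".
    if awk -v d="$dir" '$1 == "-b" && ($2 == d || $2 == d "/") { hit = 1 }
                        END { exit !hit }' "$conf"; then
        echo present
        return 0
    fi

    cp -p "$conf" "$conf.bak" || return 1
    # Start a fresh line if the file does not end with a newline, so the
    # entry is not glued onto the previous directive.
    if [ -s "$conf" ] && [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf"
    fi
    printf '%s %s/\n' -b "$dir" >> "$conf"
    echo added
}

# Constructed demo on a scratch file: one unrelated directive plus a
# commented-out blacklist line, with no trailing newline.
demo_prelink() {
    local f first second
    f=$(mktemp) || return 1
    printf '%s\n%s' '-l /usr/bin' '# -b /usr/lib/AntiVir/' > "$f"
    first=$(prelink_exclude "$f" /usr/lib/AntiVir/)
    second=$(prelink_exclude "$f" /usr/lib/AntiVir)
    echo "$first $second $(grep -c '^-b /usr/lib/AntiVir/$' "$f")"
    rm -f "$f" "$f.bak"
}

demo_prelink
```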

Offline janet

« Reply #15 on: March 31, 2013, 03:02:32 AM »
purvis

Quote
I am continuing with virus detection, the effort is worth it.

To me your basic concept is wrong.
Virus definitions are updated with knowledge of new viruses when those viruses have been observed & detected & a suitable update developed, which can typically take a day or two or three or longer. Most companies who monitor virus activity throughout the world will identify new viruses around the same time, & therefore release updates around the same time for their product, so no one company or anti virus software brand will have any significant time advantage over another.

So whether you have one, two, three or even four virus scanners functioning on your sme server scanning your email & files etc, I doubt there is any significant gain or improvement in the speed your system will detect & clean new viruses.
There will still be viruses that slip through initial detection by all four scanners, as in the first day or two or three, none of the four scanners knows about these latest viruses, so therefore cannot detect them.
The virus payload is usually targeted at workstation operating systems (eg Windows), so the workstation (or other susceptible devices) are where you should concentrate your secondary virus detection efforts, with systems configured for daily updates & scans, & ensure real time heuristic monitoring is enabled.

You could also look at using Dansguardian with the anti virus scanner enabled, to scan files downloaded from the net by people using your sme as a gateway, for an additional form of protection.

You did not specifically answer each of my questions about how your sme server is configured. Without knowing the specific settings you have, it's impossible for me (us) to comment further re whether your sme server is doing the best possible rejection of viruses etc. Remember many virus laden messages come from the same (server IP) sources as spam messages, so blocking spammers by using RBL's will dramatically reduce the amount of virus infected email messages as an "additional benefit". Same applies for blocking virtually all known executable content including zipv1, most viruses will be blocked. Educate & force by system policy, your users to send rar compressed files instead of zip. Make sure you use server gateway mode as the sme server will perform better in that mode to reject "bad" messages which may coincidentally include viruses.

Offline purvis

« Reply #16 on: March 31, 2013, 11:21:46 PM »
Honestly and truly, thank you Mary.
What you say mostly is very true about how to set up a server to do its best.

But my servers will not be going into server-gateway mode.
I am happy with dedicated firewall routers bc our users are not allowed to browse the internet from the working lan but only by using computers connected remotely on another lan.
If your servers would never have a problem, then I could put them in server-gateway mode. But all kinds of things cause these servers to break and the dedicated firewall routers are more dependable.
No computers are allowed on the lan but those I set up as long as I am living and I make my living from the work being done on those computers.
Files are not allowed to be transferred onto the lan except by me. I make those transfers.

I do not depend on a user doing as I ask them to.
That is like asking a male not to go to a porn site. If he can he will, that is guaranteed almost 100 percent.

Concerning email.
It would be nice to let people read email more conveniently than having to access the email from a remote computer.
I am working on that. But you are very wrong about not hitting emails with all you got in a server.
In a real world environment like ours, there are emails that do come in from servers that do not meet email standards, such as missing dates and subjects, from very large companies.
Many businesses can do business with emails not being delivered. We are not fortunate to be one of those.

For right now, allowing spam email through is ok, at least enough to the maillog account, because it gives me a chance to see what is coming in.
We do not have a large volume of spam right now, because our email accounts are not listed on internet and apparently not in many other people's email clients.
I can stop spam marked email in all other accounts.

We will be scanning emails with antivirus software and other scanning techniques and use those techniques in the server first if they can run there.
I will also happily share any worthwhile techniques as they are developed.
« Last Edit: March 31, 2013, 11:26:34 PM by purvis »

Offline janet

« Reply #17 on: April 01, 2013, 01:08:36 AM »
purvis

You can use server & gateway mode with the static IP option thus creating a DMZ for an additional layer of security.

With system policies in place on Windows workstations you can stop users "doing things they should not" and also prevent them from changing workstation setup etc, you can "lock down" your workstations very tightly indeed.

Quote
But you are very wrong about not hitting emails with all you got in a server.

I am not sure what you actually mean.
I do hit emails with "everything the server can do" and I receive very little spam & only the occasional virus infected email. Usually any virus infected email is sitting in the junkmail folder as spam techniques have already detected that message as being problematic.
That's a good example of the point I am making re anti virus "techniques", as detecting and/or filtering and/or blocking those spam source or spam content messages, does also detect virus laden messages due to common elements within them.

I referred to a secondary (ie additional) layer of virus protection being in the workstations, which should not be alterable by users. That is there to catch anything that occasionally slips through the primary layer of protection in the server, ie scanners & filters etc. It also protects the workstation from viruses coming from sources other than email messages. Real time & heuristic detection catches as yet unknown viruses.

The point I am making which you seem to be overlooking, is that multiple additional virus scanners (on your server) are not likely to prevent virus infected email messages "getting through" on "day 1" of a new virus being released. If all four scanners do not yet know about the virus then they will not detect it, so having four scanners gives no immediate benefit compared to one scanner.
Other server level techniques (such as those previously mentioned ie executable content in attachments is a good one. block spam/virus sources is also a good one  etc) which do not use or rely on virus definitions, are more likely to catch email messages with "unknown viruses" on "day 1".

Anyway you are free to do whatever you want & spend your time as you please, It's just to me that you seem to be investing time & research into areas that will not necessarily be that beneficial, & are covered by existing available techniques should you choose to use them.