NAME
f-protd - F-Prot Antivirus for UNIX Daemon Scanner
SYNOPSIS
f-protd [-options]
DESCRIPTION
f-protd
is a daemon that scans individual files submitted to it by an "HTTP-like" GET
request. It returns XML formatted reports on whether the scanned file was
infected or not, whether disinfection succeeded, etc.
If no commandline argument is given, f-protd will assume the virus signature
files are in the same directory as the executable.
By default f-prot scans all files, including inside archives, and reports to STDOUT.
DETAILED DESCRIPTION
The Daemon Scanner binds itself by default to a port in the range 10200-10204 (inclusive)
on the loopback address. To request that the daemon scan a file, a "HTTP-like" GET
request is submitted to the active port, supplying the full path to the file
to be scanned. The scanner accepts most of the same arguments as the command
line version, although they must be url-encoded as a proper HTTP request,
following the file name and a question mark.
The Daemon Scanner is designed to update itself automatically by executing itself
when a new version is in place. The newly executed copy will bind to the next
available port in its range (by default 10200-10204), since the outdated process
stays alive for about 5 - 10 seconds. This is done to guarantee that there is
always at least one daemon available at any given time. Clients are expected to
cycle through the port range to find a live Daemon Scanner when the one they were
previously using dies.
The Daemon Scanner uses a simple forking model to isolate memory leaks or
crashes within child processes and keep them from affecting the main daemon
process.
STARTUP OPTIONS
- -b, --background
    Causes the Daemon Scanner to detach from the controlling tty and run as a daemon.
- -d, --defpath </path/to/deffiles>
    Instructs the Daemon Scanner to look for SIGN.DEF, SIGN2.DEF and MACRO.DEF inside the specified directory instead of the default location.
- -a, --address <inet_address:port>
    Instructs the Daemon Scanner to listen for scanning requests on the specified address:port instead of the default (127.0.0.1:10200).
- -f, --fullreport
    By default the Daemon Scanner groups similar scan results to simplify interpretation for connecting clients. Using this argument during startup causes f-protd to skip this step and report more detailed results.
- -h, --help
    Displays commandline usage and quits.
SCANNING OPTIONS
- -ai
    Enable neural-network virus detection. The -ai option should not be used with the -noheur option.
- -archive=n [default is 5]
    Scan inside supported archives n levels deep; the supported range is 1 to 99. The older form '-archive' is supported for compatibility reasons, in which case n is set to 5.
    Supported archives are .zip, .cab, .tar, .gz, .lzh and .arj files. Currently F-Prot Antivirus does not support disinfection or removal of infected files within archives. Unix mailboxes are considered to be archives, and therefore F-Prot Antivirus is not able to remove infected attachments from mailboxes.
- -server [default]
    Attempts to identify infections within password protected archives. "-server" implies "-archive=5".
- -noserver
    Does not attempt to identify infections within password protected archives.
- -auto
    This option is provided for compatibility with the Command-Line Scanner. It has no effect in the Daemon Scanner.
- -collect
    Scan a virus collection. This option is intended for advanced users. When this option is used it will, e.g., scan for bootsector viruses within files, even though the virus resides within a file instead of a bootsector.
- -delete
    The -delete option is disabled. It is expected that applications interfacing with the daemon delete the files themselves, so that the applications do not run into problems as a result of a stale file descriptor.
- -disinf
    Disinfect whenever possible. User confirmation is required; however, the -auto option can be used to automatically confirm the action. F-Prot Antivirus does not support disinfection of infected objects located in archives.
- -dumb [default]
    Scan all files, regardless of extensions or content.
- -ext
    Scan only files with default extensions.
- -follow
    Follow symbolic links. This should be used with care, as the program does not detect "circular" directories and may get stuck in an endless loop.
- -noheur
    Disable heuristic scanning. The -noheur option should not be used with the -ai option.
- -nosub
    Do not scan subdirectories.
- -onlyheur
    Only use heuristics; do not scan for known virus signatures. With this option f-prot will only detect a fraction of infected files.
- -packed [default]
    Unpack compressed executables. There is no corresponding -nopacked option. This option is provided for legacy reasons.
- -rename
    The -rename option is disabled. It is expected that applications interfacing with the daemon rename the files themselves, so that the applications do not run into problems as a result of a stale file descriptor.
- -move
    The -move option is disabled. It is expected that applications interfacing with the daemon move the files themselves, so that the applications do not run into problems as a result of a stale file descriptor.
- -type
    Scan files by content. By default f-prot scans all files. With the -type option you instruct the scanner to limit the search to scanning by content.
- -nomacro
    Do not scan for macro viruses.
- -onlymacro
    Only scan for macro viruses.
- -removeall
    Remove all macros from all documents. When this option is used with -disinf or -delete, all identified macros will be removed.
- -removenew
    Remove new variants of macro viruses by removing all macros from infected documents.
- -saferemove
    Remove all macros from documents if a known virus is found.
- -id
    The -id option associates an ID with the scan request, which can be useful for certain applications, for example to associate the ID 435 with a particular file.
- -remote-dtd
    The -remote-dtd option references the document type definition (DTD) for the Daemon Scanner's XML report remotely. The DTD referenced is at
    http://www.f-prot.com/f-protd.dtd
SUMMARY CODES
By default, f-prot may return any of the following summary codes in its XML report:
- 1
    Not scanned due to an I/O error.
- 2
    Not scanned, out of memory.
- 3
    The object is invalid. This may either mean it was misidentified or that it is corrupted.
- 4
    The object was valid, but encrypted and could not be scanned.
- 5
    Scanning of the object was interrupted.
- 9
    The object is clean, i.e. it was successfully scanned and nothing was found.
- 10
    Heuristics found the object to be highly suspicious. It should be quarantined.
- 11
    The object is infected and should be removed. The type of malware detected (infection, trojan, suspicious archives etc.) is returned in the XML report.
- 13
    The object was disinfected.
- 30
    The object was not scanned; the maximum recursion level (N) was reached, as specified with '-archive=N'.
When the '-fullreport' startup switch is used, the following additional codes may be returned:
- 6
    Known archive object was scanned and nothing was found.
- 7
    Object is of a known, innocent format and cannot contain malware.
- 8
    Object is clean.
- 18
    Object is infected, and disinfection failed.
- 22
    Infection found in an object inside an archive object.
- 31
    Not scanned; a suspicious decompression ratio was found in the archive (possible archive bomb).
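As an added example (not part of the f-protd man page or the F-Prot distribution), the following client puts together the protocol described under DETAILED DESCRIPTION and the summary codes above: it cycles the default port range 10200-10204 on the loopback address until a daemon answers, builds the "HTTP-like" GET request with url-encoded scanner arguments after the question mark, and maps each summary code to the action a calling application should take. The exact request line layout and the HTTP/1.0 trailer are assumptions; the daemon's own XML layout is not parsed here.

```python
import socket
from urllib.parse import quote

PORT_RANGE = range(10200, 10205)   # 10200-10204 inclusive, the man page default
LOOPBACK = "127.0.0.1"

# Summary codes from the man page mapped to what the caller should do.
# 6/7/8/18/22/31 are only reported when f-protd was started with -fullreport.
ACTIONS = {
    9: "clean", 6: "clean", 7: "clean", 8: "clean", 13: "disinfected",
    10: "quarantine", 11: "remove", 18: "remove", 22: "remove",
    1: "retry", 2: "retry", 5: "retry",              # transient, scan again later
    3: "reject", 4: "reject", 30: "reject", 31: "reject",  # never actually scanned
}

def classify(code):
    """Map a summary code to an action; an unknown code is treated as unsafe."""
    return ACTIONS.get(code, "reject")

def build_request(path, options=()):
    """Build the GET line: full path, then '?' and url-encoded scanner arguments.
    The layout is an assumption of this example. Quoting the path also keeps a
    file name containing CR/LF or spaces from breaking out of the request line."""
    if not path.startswith("/"):
        raise ValueError("f-protd needs the full path to the file")
    target = quote(path, safe="/")
    if options:
        target += "?" + "&".join(quote(o, safe="=") for o in options)
    return f"GET {target} HTTP/1.0\r\n\r\n"

def find_live_port(connect=socket.create_connection, host=LOOPBACK):
    """Cycle the port range until a daemon answers, as the man page expects
    clients to do after a self-update retires the daemon they were using."""
    for port in PORT_RANGE:
        try:
            return port, connect((host, port), timeout=2)
        except OSError:
            continue
    raise ConnectionError("no f-protd listening on 10200-10204")

def scan_file(path, options=(), connect=socket.create_connection):
    """Send one scan request and return the daemon's raw XML report as text."""
    _, sock = find_live_port(connect)
    with sock:
        sock.sendall(build_request(path, options).encode())
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")
```

Because the daemon reads whatever full path it is handed, an application should only submit paths it owns (its own spool or quarantine directory) rather than paths taken from untrusted input.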
LICENSING
For information about licensing, see the LICENSE file that comes with F-Prot Antivirus.
BUGS
Updating the binary or virus signature files more than four times within 30
seconds may cause problems with port allocation. Don't do that.
CONTACT INFORMATION
Please direct any feedback to:
http://www.f-prot.com/support/contact_support.html
Updates will be advertised on: http://www.f-prot.com/
SEE ALSO
f-prot(1)
f-prot.so(8)
f-prot.conf(5)
scan-mail.pl(8)