ESET NOD32 ANTIVIRUS - FOR LINUX-BSD FILE SERVER - Dazuko On-Access Scanner Implementation

ESET NOD32 ANTIVIRUS - FOR LINUX-BSD FILE SERVER
28 pages
of the NOD32LFS/NOD32BFS product and thus it must be compiled and installed into the kernel before the NOD32 on-access scanner (the nod32dac daemon) is initialized. On the other hand, the Dazuko technique makes on-access scanning independent of the file system type in use. It is also suitable for controlling file system objects accessed via Network File System (NFS), Netatalk and Samba.
Installing the additional Dazuko module may be undesirable for Linux system administrators who run critical systems where the source code and/or configuration file matching the currently running kernel is not available, or where the kernel is monolithic rather than modular. In this case the second on-access scanning technique discussed here, based on the preloaded LIBC library, comes in handy.
IMPORTANT: Before we provide the user with detailed information on on-access scanner configuration and operation, we would like to point out that the NOD32 on-access scanner is not intended to protect the whole file system on which it is installed. It has been developed and tested primarily to protect externally mounted file systems. If this is not your case, you will have to exclude multiple directories from file access control to prevent the system from hanging. Typical directories to be excluded in this case are the '/dev' directory and the directories used by NOD32LFS/NOD32BFS.
4.2.1. On-access scanner powered by Dazuko
This section contains information on the operation, installation and configuration of the on-access scanner using the Dazuko kernel module.
4.2.1.1. Operation principle
The on-access scanner 'nod32dac' (NOD32 Dazuko powered file Access Controller) is a resident program (daemon) providing permanent monitoring and control over the file system. Each file system object is scanned upon a customizable file access event triggered by the user and/or the operating system. The following file access types are supported by the current version:
ON_OPEN events
This file access type is controlled once the first bit of the integer parameter 'event_mask' in the main NOD32 configuration file (section [dac]) is 1. In this case the ON_OPEN bit of the Dazuko access mask is set on.
ON_CLOSE events
This file access type is controlled once the second bit of the integer parameter 'event_mask' in the main NOD32 configuration file (section [dac]) is 1. In this case the ON_CLOSE bit and the ON_CLOSE_MODIFIED bit of the Dazuko access mask are set on.
Note that some kernel versions do not support interception of ON_CLOSE events. In this case problems may be encountered when running the nod32dac module.
ON_EXEC events
This file access type is controlled once the third bit of the integer parameter 'event_mask' in the main NOD32 configuration file (section [dac]) is 1. In this case the ON_EXEC bit of the Dazuko access mask is set on.
By using this mechanism all opened, closed and executed regular files are scanned by the daemon nod32d for viruses. Based on the result of this scanning, access to the files is denied or allowed.
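The three event_mask bits above are easy to get wrong when editing the [dac] section by hand (for example setting 4 when ON_OPEN was intended). The following Python script is an added illustration, not part of the ESET manual or the nod32dac daemon: it reads event_mask from a constructed NOD32-style INI fragment, translates the bits into the Dazuko access mask exactly as the text describes (bit 1 -> ON_OPEN, bit 2 -> ON_CLOSE plus ON_CLOSE_MODIFIED, bit 3 -> ON_EXEC), and reports the caveats a reviewer would want, such as an empty mask or the ON_CLOSE kernel-support issue. The numeric flag values are assumed from the Dazuko header dazukoio.h and should be checked against the header of the Dazuko version actually installed.

```python
import configparser

# Dazuko access-mask flag values as defined in dazukoio.h (assumed from memory;
# verify against the header shipped with your Dazuko version).
DAZUKO_ON_OPEN = 1
DAZUKO_ON_CLOSE = 2
DAZUKO_ON_EXEC = 4
DAZUKO_ON_CLOSE_MODIFIED = 8

# Mapping described in the manual: event_mask bit 1 (value 1) -> ON_OPEN,
# bit 2 (value 2) -> ON_CLOSE and ON_CLOSE_MODIFIED, bit 3 (value 4) -> ON_EXEC.
EVENT_MASK_BITS = {
    0: ("ON_OPEN", DAZUKO_ON_OPEN),
    1: ("ON_CLOSE", DAZUKO_ON_CLOSE | DAZUKO_ON_CLOSE_MODIFIED),
    2: ("ON_EXEC", DAZUKO_ON_EXEC),
}
KNOWN_BITS = sum(1 << b for b in EVENT_MASK_BITS)

# Constructed sample fragment of a NOD32-style configuration file (not a real
# nod32.cfg); only the [dac] section matters here.
SAMPLE_CONFIG = """
[global]
# constructed example, other keys omitted

[dac]
# open + close + exec
event_mask = 7
"""


def parse_event_mask(config_text):
    """Return the integer event_mask from the [dac] section (0 if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    raw = cp.get("dac", "event_mask", fallback="0").strip().strip('"')
    # Accept plain decimal or 0x-prefixed hex; reject anything else loudly.
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    if value < 0:
        raise ValueError("event_mask must be non-negative")
    return value


def dazuko_access_mask(event_mask):
    """Translate event_mask bits into (dazuko_mask, enabled_event_names, unknown_bits)."""
    access_mask = 0
    enabled = []
    for bit, (name, flags) in EVENT_MASK_BITS.items():
        if event_mask & (1 << bit):
            access_mask |= flags
            enabled.append(name)
    unknown = event_mask & ~KNOWN_BITS  # bits beyond the three documented ones
    return access_mask, enabled, unknown


def check_dac_config(config_text):
    """Parse the [dac] section and return the derived mask plus reviewer warnings."""
    event_mask = parse_event_mask(config_text)
    access_mask, enabled, unknown = dazuko_access_mask(event_mask)
    warnings = []
    if not enabled:
        warnings.append("event_mask enables no access type; nod32dac would scan nothing")
    if "ON_CLOSE" in enabled:
        warnings.append("ON_CLOSE interception is not supported by every kernel; "
                        "watch nod32dac for errors after start-up")
    if unknown:
        warnings.append("event_mask sets undocumented bits 0x%x; they are ignored here" % unknown)
    return {
        "event_mask": event_mask,
        "access_mask": access_mask,
        "enabled": enabled,
        "warnings": warnings,
    }


if __name__ == "__main__":
    result = check_dac_config(SAMPLE_CONFIG)
    print("event_mask=%d -> dazuko access mask 0x%x (%s)"
          % (result["event_mask"], result["access_mask"], ", ".join(result["enabled"])))
    for w in result["warnings"]:
        print("warning:", w)
```

Running the script against the constructed fragment reports an access mask of 0xf with all three event types enabled and one warning about ON_CLOSE support; feeding it a file where event_mask is 0 or contains stray high bits produces the corresponding warnings instead, which is the check worth running before restarting nod32dac on a production file server.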
chapter 4 / Integration with Linux/BSD File System