Document Information
Preface
Part I Security Overview
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
About Virus Scanning
About the Vscan Service
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
11. Privileges (Tasks)
12. Privileges (Reference)
Part IV Solaris Cryptographic Services
13. Solaris Cryptographic Framework (Overview)
14. Solaris Cryptographic Framework (Tasks)
15. Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
17. Using PAM
18. Using SASL
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
Part VI Kerberos Service
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Solaris Auditing
28. Solaris Auditing (Overview)
29. Planning for Solaris Auditing
30. Managing Solaris Auditing (Tasks)
31. Solaris Auditing (Reference)
Glossary
Index
|
Using the Vscan Service
Scanning files for viruses is available when the following requirements are met:
At least one scan engine is installed and configured. The files reside on a file system that supports virus scanning. Virus scanning is enabled on the file system. The vscan service is enabled. The vscan service is configured to scan files of the specified file type.
The following table points to the tasks you perform to set up
the vscan service.
How to Enable Virus Scanning on a File SystemUse the file system command to allow virus scans of files. For
example, to include a ZFS file system in a virus scan, use the
zfs(1M) command.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. The ZFS file system allows some administrative tasks
to be delegated to specific users. For more information about Delegated Administration, see
the ZFS Administration Guide. For more information about roles, see Configuring RBAC (Task Map). To configure a
role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Enable virus scanning on a ZFS file system, for example, pool/volumes/vol1.
# zfs set vscan=on path/pool/volumes/vol1
How to Enable the Vscan Service
- Use the “VSCAN Management” RBAC profile to obtain the authorizations needed for managing
the vscan service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- Use the svcadm(1M) command to enable virus scanning.
# svcadm enable vscan
How to Add a Scan Engine
- Use the “VSCAN Management” RBAC profile to obtain the authorizations needed for managing
the vscan service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- To add a scan engine to the vscan service with default properties, type:
#vscanadm add-engine engine_ID See the manpage for the vscanadm(1M) command for a description of the command.
How to View Vscan Properties
- View the properties of the vscan service, of all scan engines, or of
a specific scan engine.
- To view the properties of a particular scan engine, type:
# vscanadm get-engine engineID
- To view the properties of all scan engines, type:
# vscanadm get-engine
- To view one of the properties of the vscan service, type:
# vscanadm get -p property where property is one of the parameters described in the manpage for the
vscanadm(1M) command. For example, if you want to see the maximum size of a
file that can be scanned, type: # vscanadm get max-size
How to Change Vscan PropertiesYou can change the properties of a particular scan engine and the
general properties of the vscan service. Many scan engines limit the size of
the files they scan, so the vscan service's max-size property must be set to
a value less than or equal to the scan engine's maximum allowed size.
You then define whether files that are larger than the maximum size, and
therefore not scanned, are accessible.
- Use the “VSCAN Management” RBAC profile to obtain the authorizations needed for managing
the vscan service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- View the current properties by using the vscanadm show command.
- Set the maximum size for virus scans to, for example, 128 megabytes.
# vscanadm set -p max-size=128M
- Specify that access is denied to any file that is not scanned due
to its size.
# vscanadm set -p max-size-action=deny See the manpage for the vscanadm(1M) command for a description of the command.
How to Exclude Files From Virus ScansWhen you enable antivirus protection, you can specify that all files of specific
types are excluded from the virus scan. Because the vscan service affects the
performance of the system, you can conserve system resources by targeting specific file
types for virus scans.
- Use the “VSCAN Management” RBAC profile to obtain the authorizations needed for managing
the vscan service.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- View the list of all file types included in the virus scan.
# vscanadm get -p types
- Specify the types of files to be scanned for virus:
- Exclude a specific file type, for example the JPEG type, from the virus
scan.
# vscanadm set -p types=-jpg,+*
- Include a specific file type, for example executable files, in the virus scan.
# vscanadm set -p types=+exe,-* See the manpage for the vscanadm(1M) command for a description of the command.
|
