vfindd - Heterogeneous Antivirus Daemon
SYNOPSIS
vfindd [-c, --copyright]
[-h, --help]
[-v, --version]
[--vlist]

vfindd [-d, --dup-check]
[--trig-count]
[-e, --exit-on-error]
[-ev, --exit-on-vdl-error]
[--emu-help]
[--emu=options]
[--emu-config=file]
[-f, --foreground]
[--user=username]
[-i, --ignore-eof]
[-4, --IPv4]
[-6, --IPv6]
[--jadevdl=file]
[--keep-tmpfiles]
[--liboff=library]
[--libon=library]
[-l, --localhost]
[--md5=file]
[--cbayes=file]
[--noload=virus]
[--noloads=file]
[--pid]
[--quiet=num]
[--rcf=file]
[--pidfile=file]
[--savepid=file]
[-sst, --smartscan-types]
[-nosst, --no-smartscan-types]
[--vdl-list=file]
[--vdl=file]
[--vdlc=file]
[--vdle=file]
[--vdlE=file]
[--vdlm=file]
[--vdl-data-file=file]
[--max-vdl-data-size=bytes]
[--rebuild-vdl-data]
[--tmpdir=dir]
[-#=num]
[--svsp-port=portnum]
[--smtp-in-port=portnum]
[--smtp-out-port=portnum]
[--smtp-out-host=hostname]
[--vfdclam-port=portnum]
[--vfdclam-mailscan]

vfindd-mt [--threads=num]
[vfindd options...]
DESCRIPTION
VFindd is a heterogeneous virus scanning daemon that simultaneously scans for UNIX, Amiga, Macintosh, Windows 95/NT, and DOS viruses, including Denial of Service attacks, Back Door attacks, hostile Java Applications and Applets, OLE/VB5 Macro viruses, and common hacks. The daemon runs in the background and accepts SVSP(5), SMTP(5), and CLAMD connections.
Note: In the current version, the SVSP SCAN command is only implemented in its SCAN/FILE form.
OPTIONS
-c, --copyright
    Display copyright information and then exit. All other options will be ignored.
-h, --help
    Display usage message and then exit. All other options will be ignored.
-v, --version
    Display version information and then exit. All other options will be ignored.
-d, --dup-check
    Tells vfindd to check for duplicate VDL names and definitions, and other potential problems. With this option enabled, duplicates will be reported as parser errors. Also, any VDL segment which starts with an offset range or .* operator will be reported as a parser error. An offset at the beginning of a VDL segment is allowed by the CVDL syntax, but does not make sense to use, and may cause the VDL to run very slowly.
--trig-count
    Lists the names of any VDLs that could not be indexed for speed, and also the trigger and run counts for all VDLs. In general, only simple VDL constructs can be indexed, and only constructs containing strings of four or more bytes. Having many non-indexed VDLs, or VDLs with excessive trigger hit counts, will make VFind run significantly slower.
-e, --exit-on-error
    Tells VFindd to exit immediately after encountering any kind of error or warning condition. Normally, VFindd prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.
-ev, --exit-on-vdl-error
    Tells VFindd to exit immediately after encountering any kind of error related to processing of VDL files. Normally, vfindd prints a warning message and attempts to continue processing after encountering a non-fatal error, such as a syntax error in a VDL description.
--emu-help
    List options for polymorphic virus emulation. This option is still under development and its usage will be documented further in a future release.
--emu=options
    Set options for polymorphic virus emulation. This option is still under development and its usage will be documented further in a future release.
--emu-config=file
    Specify emulation configuration file. This option is still under development and its usage will be documented further in a future release.
-f, --foreground
    Stay connected to the controlling terminal; do not fork a background process.
--user=username
    Run vfindd as the specified user. This option is only available when vfindd is started by the superuser.
-i, --ignore-eof
    Tells VFindd to ignore end-of-file and keep trying to read input file names or SmartScan input.
-4, --IPv4
    Listen for connections using Internet Protocol version 4. If not specified, the server will use both IPv4 and IPv6, if available.
-6, --IPv6
    Listen for connections using Internet Protocol version 6. If not specified, the server will use both IPv4 and IPv6, if available.
--jadevdl=file
    Tells VFindd to load additional virus signatures from file. The file contains VDL models for hostile Java applets and applications.
--tmpdir=dir
    Set the directory used for temporary files to dir. Without this option, the default temp directory appropriate to the operating system is used.
--keep-tmpfiles
    The temporary files containing constituent files created during expansion are retained (normally they are deleted). These files are announced as each input file is scanned when this option is specified.
--libon=library, --liboff=library
    Turn on/off library. VFindd will list the available libraries upon startup. The Amiga and eicar libraries are turned off by default. Use --libon=* to turn on all libraries.
-l, --localhost
    Listen for connections on the local host loopback interface only. Without this, the server will listen on all interfaces.
--md5=file
    Tells vfindd to read additional MD5 virus signatures from file.
--cbayes=file
    Tells vfindd to read additional cbayes data from file.
--noload=virus
    This option provides a way to disable loading of individual VDLs. This may be useful if your site gets a lot of false positives for some particular virus due to the type of data you have. virus is the name of the virus as it appears in the VDL file, for example: --noload="W95/Sircam.Worm"
--noloads=file
    This provides a way to specify multiple noload parameters in a file. file is a file that contains valid virus parameters as described in the --noload option. For each line of the file, leading and trailing whitespace is stripped, then lines which are empty or start with # (i.e. comments) are skipped.
--pid
    Print process id to stderr. See also --pidfile.
--quiet=num
    This flag is available for backwards compatibility only, and may go away in a future release.
--rcf=file
    Run Control File. Tells VFindd to read additional command-line arguments from file.
--pidfile=file
    Save process id to file.
--savepid=file
    This option is available for backwards compatibility only, and is scheduled to be removed in a future release.
-sst, --smartscan-types
    SmartScan Types: Displays file types and any VDLs skipped due to file type restrictions.
-nosst, --no-smartscan-types
    No SmartScan Types: Disables skipping any VDLs due to file type restrictions. VDL file type restrictions will be ignored and all VDLs will be applied to all file types.
--threads=num
    Specify the maximum number of threads (default=1). Only the multithreaded VFindd executable vfindd-mt supports use of multiple threads.
--vdl-list=file
    Tells vfindd to read the VDL library list from file instead of $VSTK_HOME/data/vfindd/vdl.list. Must be the first command-line option if used, because it must be processed before other options like --libon= which require the VDL library list file to already be read. Note that the VDL files specified in the VDL library list must be in the $VSTK_HOME/data/vfindd/ directory.
--vdl=file
    Tells vfindd to read additional virus description codes from file.
--vdlc=file
    Tells VFindd to read additional case-insensitive virus descriptions from file. Case-insensitive VDL constructs (i.e. ~"..." strings) are not compiled into the regular parallel search engine, but VDL files specified using the --vdlc option are compiled into a separate case-insensitive parallel search engine for faster processing.
--vdle=file
    Tells VFindd to read additional decrypted polymorphic virus descriptions from file. Used in conjunction with the --emu option. This option is still under development and its usage will be documented further in a future release.
--vdlE=file
    Tells VFindd to read additional entry point virus descriptions from file. Used in conjunction with the --emu option. This option is still under development and its usage will be documented further in a future release.
--vdlm=file
    Tells VFindd to read additional meta virus descriptions from file. Note that meta VDLs match on the names of other VDL hits, not on the data being scanned. See the CVDL documentation for more information.
--vdl-data-file=file
    Name of the file holding the compiled VDL data between VFindd invocations. If not set, $VSTK_HOME/var/vdl.dat is used.
--max-vdl-data-size=bytes
    Maximum size in Mbytes of the compiled VDL data file, default 128.
--rebuild-vdl-data
    This option causes VFindd to always rebuild the VDL data file on startup, even when the file is up to date.
--vlist
    This option causes vfindd to print to stdout a list of all viruses for which it currently scans.
--svsp-port=portnum
    Specifies which port vfindd should listen to for SVSP connections. If not given, it will use TCP port 8081 by default. If the port is given as an empty string, vfindd will not accept SVSP connections.
--smtp-in-port=portnum
    Specifies which port vfindd should listen to for SMTP connections. If not given, vfindd will not accept SMTP connections.
--smtp-out-port=portnum
    Specifies which port vfindd should send SMTP results to. If not given, vfindd will use a port numbered one more than the one specified by --smtp-in-port.
--smtp-out-host=hostname
    Specifies which host vfindd should send SMTP results to. If not given, vfindd will send data back to the originating host.
--vfdclam-port=portnum
    Specifies which port vfindd should listen to for CLAMD connections. If not given, vfindd will not accept CLAMD connections.
--vfdclam-mailscan
    Treat scanned files as email.
USAGE
LICENSES
VFindd requires a LICENSE file to run. This LICENSE file is host specific, therefore vfindd will only run on the licensed machine. Additional licenses may be purchased by contacting:
CyberSoft, Inc.
1508 Butler Pike
Conshohocken, PA 19428.
Phone: +1.610.825.4748
Fax: +1.610.825.6785
At start-up, vfindd searches for the LICENSE file in these locations:
* /LICENSE
* /etc/LICENSE
* The current working directory.
* The VSTK library directory set at installation.
INPUT
VFindd runs as a background daemon, accepting connections by TCP and Unix sockets.
OUTPUT
VFindd doesn't produce much output; output is instead expected from any client connecting to the daemon. When running in the background (normally, without --foreground), any output from vfindd can be found in $VSTK_HOME/var/vfindd.log.
LOCKING
VFindd does not provide any locks against multiple access. To update VDL files on the fly, copy or untar the files first under a different name, then rename them to their correct name. This ensures that VFindd cannot read a file before it is complete.
RESTARTING
VFindd will restart using execvp() when receiving the signal SIGHUP. This is useful to restart after updating VDLs. VFindd should only be restarted when it is idle; otherwise stdio buffering can cause a loss of data and/or SmartScan desynchronization.
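The update-then-rename procedure from LOCKING and the SIGHUP restart from RESTARTING, as an added shell example that is not part of vfindd or this manual; the function names, the temporary-file naming and the use of the file written by --pidfile are assumptions made for the example:

```shell
#!/bin/sh
# Atomically install a new VDL file over the live one, then ask vfindd to
# re-exec itself with SIGHUP so the new VDL is loaded. Helper names and the
# pidfile handling are assumptions for this example, not part of vfindd.
set -eu

# install_vdl NEWFILE DEST
# Copies NEWFILE into DEST's directory under a temporary name, then renames
# it into place. rename(2) is atomic on one filesystem, so vfindd only ever
# sees either the complete old file or the complete new file, never a
# partially written DEST (vfindd itself takes no locks).
install_vdl() {
    new="$1"; dest="$2"
    tmp="$(dirname "$dest")/.$(basename "$dest").tmp.$$"
    cp "$new" "$tmp"
    mv -f "$tmp" "$dest"
}

# reload_vfindd PIDFILE
# Sends SIGHUP to the pid saved with --pidfile. Returns 1 without signalling
# anything if PIDFILE is unreadable, empty or names no running process, so a
# stale pidfile never results in a signal to an unrelated process.
reload_vfindd() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid="$(tr -cd '0-9' < "$pidfile")"
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || return 1
    kill -HUP "$pid"
}

# Usage: ./update-vdl.sh new.vdl $VSTK_HOME/data/vfindd/live.vdl /var/run/vfindd.pid
# Only restart when the daemon is idle (see RESTARTING).
if [ $# -eq 3 ]; then
    install_vdl "$1" "$2"
    reload_vfindd "$3" || echo "vfindd not running; VDL installed, no restart sent" >&2
fi
```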
CLAMAV CLAMD COMPATIBILITY
The VFind Daemon supports the interface of ClamAV's clamd daemon; it recognises SCAN, CONTSCAN, RAWSCAN, STREAM, SESSION, and END requests. By default the vfdclam interface uses a Unix socket and listens on /tmp/clamd.
FILES
$VSTK_HOME/LICENSE
$VSTK_HOME/data/vfindd/vdl.list
$VSTK_HOME/var/vfindd.log
SEE ALSO
vfind(1), SVSP(5)
BUGS
Please report all bugs to support@cyber.com. Make sure to include the version of vfindd, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.
COPYRIGHT
Copyright 1991-2005 by CyberSoft, Inc. All rights reserved.
CyberSoft, Inc. vfindd (1) December 2005