Kaspersky Administration Kit 6.0

 
 
 

Policy of Kaspersky Anti-Virus 5.7 for Novell Netware

2012 Jan 23 ID: 419
 
 
 
 

Applies to:

  • Kaspersky Anti-Virus 5.7 for Novell NetWare
  • Kaspersky Administration Kit version 6.0

A policy is a set of application settings shared by all computers in an administration group. Each application has its own policy.

Several policies can be defined for one application in a group, but only one of them can be active: the active policy is the one whose settings are currently enforced. Kaspersky Administration Kit 6.0 adds the ability to define a policy for mobile users, which is enforced when a host is disconnected from the logical network.

Warning: A policy for mobile users is not supported by Kaspersky Anti-Virus 5.7 for Novell NetWare. When a NetWare server is disconnected from the network it therefore remains governed by the active policy of the group it belongs to.

You can "lock" most policy settings against modification. To lock a group of settings, open the policy properties and click the lock icon next to that group. Once the icon shows a closed lock, this group of settings can no longer be changed in the policies of nested groups, in task settings or on client computers; instead, the values defined in the policy are applied to the nested groups' policies, tasks and client computers.

To create a policy, go to the group's Policy subfolder and click the Add a policy link in the details panel. In the New Policy Wizard, define the name of the policy and the application it is created for, and configure as many application settings as you need.

Policies can be imported and exported. 

All Kaspersky Anti-Virus 5.7 for Novell NetWare settings are grouped on the following policy tabs:

 

The General tab 

The General tab shows the policy name, the application it was created for, and the creation and modification date and time. Here the policy can be renamed, or configured to become active automatically when a particular event occurs. In the current version of Kaspersky Administration Kit the only such event is Virus outbreak, that is, the policy is activated when a certain number of malicious programs is detected on the computers of the logical network within a limited period of time. Virus outbreak parameters are configured in Administration Server > Properties > the Virus outbreaks tab.

To activate the policy manually, check the Activate policy box.


When another policy is activated, the previously active policy is deactivated.

If you uncheck the Activate policy box in all policies for an application, no policy is enforced. The application then works with its local settings; what those contain depends on whether the policies previously applied to it were allowed to modify local settings, which is configured on the policy's Enforcement tab (the Local settings modification section).

Back to the list of tabs 

 

The Advanced tab 

 

On this tab the administrator can change the performance priority of the on-demand server scan task using the CPU usage slider. The lower the CPU usage (the closer the slider is to the Min end of the scale), the slower the Kaspersky Anti-Virus module performs the on-demand scan task, because it yields control to the server more often and for longer periods.

Kaspersky Anti-Virus 5.7 for Novell NetWare can load and run several anti-virus kernel instances, which allows it to scan several files concurrently in real-time mode. The number of files scanned at the same time is limited only by the server hardware.

The number of anti-virus kernel instances loaded simultaneously determines how many file scan requests can be handled concurrently. The default is 2 (two). The number can be changed on this tab via the policy (the Number of anti-virus kernel instances parameter), or additional kernel instances can be loaded manually from the server console:

LOAD ADDRESS SPACE=KLAB(N) RESTART SYS:/KLAB/KLABSCAN.NLM – loads additional anti-virus kernel instance number N into address space KLAB(N);

UNLOAD ADDRESS SPACE=KLAB(N) – unloads additional anti-virus kernel instance number N.

On multi-processor servers the Anti-Virus relies on the Novell library that balances the load among the processors.

Back to the list of tabs 

 

The Enforcement tab 

The tab shows reference information about the result of applying the policy on the client computers in the group: on how many computers the policy has been applied (click the Details button to see the list of clients on which the policy has been applied or is about to be applied). This information helps to find out why the policy or its settings have not been applied on some client computers.

Each anti-virus application has its own settings, called local settings. When a policy is applied to the application, the application stops using its local settings and works as follows:

  • "locked" (mandatory) parameters are taken from the policy;

  • all other parameters (those not "locked" in the policy) are taken from its local settings.

By default the policy does not change the application's local settings, so when the policy is no longer applied the application returns to its "old" settings (those used before the first policy was applied).

If necessary, the administrator can have the policy rewrite the local settings when it is applied: either only the mandatory ("locked") parameters or all policy parameters (locked and unlocked) are written to the local settings. If the local settings have been changed in this way, then when the policy is no longer applied the application continues working with the parameters taken from the policy.

The way local settings are modified is configured in the Advanced window (policy > the Enforcement tab > the Advanced link).

 

Warning: Remember that local settings are changed only when the policy is enforced for the first time! To force the selected variant after the policy has already been applied, click the Change now button: the local settings will be changed according to your choice during the next synchronization of the client computer with the Administration Server.

 

Example: the policy is set to Do not modify local settings; a computer enters the "policy zone"; its local settings do not change. If you now select Apply mandatory policy settings to the local settings at first policy application and click OK, the local settings still do not change, because the first application has already taken place. To change them, click the Change now button!

 

 

Information: Once the local settings have been changed, the initial settings the application used before the policy was applied cannot be restored. If you selected the third variant and all local settings have been changed, there is no point in switching to the first or second variant afterwards: the local settings cannot be reset.

Warning: It is strongly recommended not to change local settings unless necessary. Changing them back increases CPU load and network traffic and causes many problems: the settings cannot be rolled back, the intended local settings are often undefined (the administrator cannot always remember which local settings should apply on a given computer), and so on.

To change the application's "working" settings, simply "lock" the settings that must be applied to the application!
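The merge rules above (locked parameters from the policy, everything else from local settings, and the irreversible rewrite of local settings on first application or on Change now) are easier to reason about as code. The following model is an added illustration, not Kaspersky code; the variant names, the parameter names and the settings dictionaries are assumptions chosen for the example.

```python
"""Added illustration (not Kaspersky code) of how a Kaspersky Administration
Kit policy is merged with an application's local settings, following the
Enforcement tab rules: locked parameters always come from the policy,
unlocked ones from the local settings, and the "Local settings modification"
variant decides whether the local settings themselves are rewritten on the
first application (or on "Change now").  The variant names, the settings
dictionary and the parameter names are assumptions for this example."""
from dataclasses import dataclass

DO_NOT_MODIFY = "do_not_modify"        # default variant: local settings untouched
APPLY_MANDATORY = "apply_mandatory"    # write only locked parameters to local settings
APPLY_ALL = "apply_all"                # write locked and unlocked parameters


@dataclass
class Policy:
    settings: dict          # parameter name -> value
    locked: set             # names of "locked" (mandatory) parameters
    local_modification: str = DO_NOT_MODIFY


@dataclass
class Client:
    local: dict                      # the application's local settings
    policy_applied_once: bool = False

    def effective(self, policy):
        """Settings the application runs with while the policy is applied:
        locked values from the policy, everything else from local settings."""
        merged = dict(self.local)
        for name in policy.locked:
            merged[name] = policy.settings[name]
        return merged

    def apply(self, policy, change_now=False):
        """Enter the "policy zone".  Local settings are rewritten only on the
        first application, or when the administrator clicks Change now."""
        first_time = not self.policy_applied_once
        self.policy_applied_once = True
        if not (first_time or change_now):
            return
        if policy.local_modification == APPLY_MANDATORY:
            names = policy.locked
        elif policy.local_modification == APPLY_ALL:
            names = policy.settings.keys()
        else:
            return
        for name in names:
            self.local[name] = policy.settings[name]   # irreversible: no backup is kept

    def leave(self):
        """Policy no longer applied: the application falls back to whatever the
        local settings now contain.  There is no saved copy of the originals."""
        return dict(self.local)


def scenario():
    """The walk-through from the text: Do not modify, then switching the variant
    without Change now (no effect), then Change now (locked value written)."""
    policy = Policy(
        settings={"heuristics": True, "scan_archives": False, "cpu_usage": 20},
        locked={"heuristics"},
    )
    client = Client(local={"heuristics": False, "scan_archives": True, "cpu_usage": 50})

    client.apply(policy)                        # DO_NOT_MODIFY: locals untouched
    running = client.effective(policy)          # heuristics forced on, rest local
    after_leave = client.leave()                # back to the "old" settings

    policy.local_modification = APPLY_MANDATORY
    client.apply(policy)                        # not the first application: no change
    still_unchanged = dict(client.local)

    client.apply(policy, change_now=True)       # Change now: locked value written
    after_change_now = dict(client.local)
    return running, after_leave, still_unchanged, after_change_now


if __name__ == "__main__":
    labels = ("running", "after_leave", "still_unchanged", "after_change_now")
    for label, value in zip(labels, scenario()):
        print(f"{label}: {value}")
```

The point the model makes explicit: after the rewrite in the last step, leave() no longer returns the pre-policy values, which is exactly why the page warns that local settings cannot be rolled back.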

Back to the list of tabs 

 

The Scan settings tab 

The types of files to be scanned in real-time mode are defined on this tab.

Note: the scan scope itself is defined in the properties of the Anti-Virus tasks, not in the policy.

When configuring the scan scope, take the following into consideration:

  • If you select the By extension option, only the files with the extension from the list on the right will be scanned. 

 

  • If you select the All infectable option, the internal header of each file is analyzed to determine its format (txt, doc, etc.) before the file is scanned for viruses. If the analysis shows that the format is not infectable, the file is not scanned; if the format is infectable, the file is scanned for viruses.

Remember that a virus can enter the server in a file with the .txt extension that is in fact an executable renamed to .txt. With the By extension option such a file is skipped during the scan. With All infectable, the Anti-Virus reads the file header regardless of the extension, recognizes the exe format and scans the file for viruses.

  • The All files option scans files of all types and formats. 

To exclude some files from the scan, check the Excluding files box and enter the names or masks of the excluded objects in the field on the right.

Note: separate masks with a space, for example: *.exe *.com. A mask may use the wildcard characters allowed in MS-DOS file names (for example, the mask *.* matches every file, so placing it in the exclusion list would exclude all files from the scan).

You can additionally enable or disable the scanning of archives, mail databases, packed files and files inside mail archives. For details, see the descriptions of the archive extracting engine and the executable module extracting engine.

NOTE! Unpacking archives and packed files in the real-time protection task slows down the server, so enabling these options in tasks of that kind is not recommended.

NOTE! For files to be scanned correctly, enable long name support on all volumes of the server.

In real-time protection mode files can be scanned when they are created, opened or saved. The Scan files section defines when the Anti-Virus scans a file:

    • when created or modified,
    • when accessed.

To detect viruses unknown to the program, enable the heuristic analyzer.

Back to the list of tabs 

 

The Protection (actions) tab 

During real-time scan a file is assigned one of the following statuses:

  • not infected – no known malicious program was detected in the file, and the heuristic analyzer found nothing suspicious;
  • infected – a known malicious program was detected in the file;
  • suspicious – the anti-virus engine found no known malicious program in the file, but the heuristic analyzer showed that:
    • the code of the analyzed object resembles a known malicious program but is slightly modified, or
    • the code of the detected object is structurally similar to malicious code, although no such threat is present in the databases of known threats;
  • warning – a processing error occurred while scanning the file.

If an error occurs while processing a file, the Anti-Virus applies no further actions to it.

If a file is assigned the infected status, one of the following actions can be applied to it:

  • skip; 
  • disinfect; 
  • delete; 
  • move to quarantine; 
  • rename to a file with the same name and the .vir extension (or .vi1, .vi2, ... if a file with that name already exists). For example, eicar.com is renamed to eicar.vir.

If the delete or disinfect action is chosen, it is advisable to save a copy of the file to the quarantine folder, so that it can be restored if disinfection fails or an important file is deleted.

Sometimes an infected object cannot be disinfected: some types of malware, such as Trojans, cannot be disinfected at all, or an error occurs during disinfection. For such cases define the action to be taken if disinfection fails:

    • skip;
    • delete;
    • rename to a file with the same name and the .vir extension (or .vi1, .vi2, ... if a file with that name already exists).

Files with the infected and suspicious statuses have the same set of actions available (except disinfection): suspicious files cannot be disinfected.

Actions applied to infected and suspicious objects detected during real-time file protection are set on the Protection (actions) tab. 

If a workstation attempts to place an infected file on the server, Kaspersky Anti-Virus 5.7 for Novell NetWare can block that connection automatically. To enable this, check the Block access box in the Actions on infected workstations section. The workstation is then denied access to the server file system; to restore access the user has to log in to the network again. Access is also restored if the workstation or Kaspersky Anti-Virus on the server is restarted.

To notify the user that he or she is trying to infect the server, check the Display warning box.

NOTE! If one of the files inside an archive is infected and the Delete action is set for infected objects, the whole archive is deleted. For example, if an infected attachment is detected in one message of a mail database and the Delete action is set, the whole mail database is deleted. To avoid this, uncheck the Allow deleting or removing archives box.

Back to the list of tabs 

 

The On-demand scan (settings) tab 

On this tab you can select the types of files to be scanned by the on-demand scan task.

Note: scan scopes are set only when configuring the Anti-Virus tasks.

When configuring scan scopes, take the following into consideration:

  • If you select the By extension option, only the files with the extension from the list on the right will be scanned. 

 

  • If you select the All infectable option, the internal header of each file is analyzed to determine its format (txt, doc, etc.) before the file is scanned for viruses. If the analysis shows that the format is not infectable, the file is not scanned; if the format is infectable, the file is scanned for viruses.

Remember that a virus can enter the server in a file with the .txt extension that is in fact an executable renamed to .txt. With the By extension option such a file is skipped during the scan. With All infectable, the Anti-Virus reads the file header regardless of the extension, recognizes the exe format and scans the file for viruses.

  • The All files option scans files of all types and formats. 

To exclude some files from the scan, check the Excluding files box and enter the names or masks of the excluded objects in the field on the right.

Note: separate masks with a space, for example: *.exe *.com. A mask may use the wildcard characters allowed in MS-DOS file names (for example, the mask *.* matches every file, so placing it in the exclusion list would exclude all files from the scan).
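Both the Scan settings tab and the On-demand scan (settings) tab above make the same point: By extension trusts the file name, All infectable trusts the file header, and an exclusion mask such as *.* removes everything. The following is an added example, not Kaspersky code; the header signatures, the extension list and the sample files are constructed assumptions, since the engine's real format table is not shown on this page.

```python
"""Added example (not Kaspersky code): the difference between the By extension,
All infectable and All files modes on the Scan settings and On-demand scan
(settings) tabs, and how space-separated MS-DOS style exclusion masks are
applied.  The header signatures, the extension list and the sample files are
constructed assumptions; the real engine's format table is not shown on the
page."""
import fnmatch

# Constructed sample files: path -> first bytes of content.
SAMPLE_FILES = {
    "SYS:/DATA/report.txt": b"Quarterly report\r\n",
    "SYS:/PUBLIC/setup.exe": b"MZ\x90\x00\x03\x00\x00\x00",        # DOS/PE executable
    "SYS:/DATA/notes.txt": b"MZ\x90\x00\x03\x00\x00\x00",          # executable renamed to .txt
    "SYS:/DATA/backup.zip": b"PK\x03\x04\x14\x00\x00\x00",         # ZIP archive
    "SYS:/DATA/memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # OLE2 compound document
}

# Assumed "By extension" list (a subset of what a default policy might carry).
INFECTABLE_FORMATS = {"exe", "com", "dll", "sys", "doc", "xls", "zip"}

# Assumed header signatures that "All infectable" recognizes as infectable formats.
SIGNATURES = [
    (b"MZ", "exe"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),
]


def extension_of(path):
    """Extension as MS-DOS would see it: the part after the last dot of the name."""
    base = path.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def format_by_header(data):
    """Decide the real format from the leading bytes, ignoring the file name."""
    for magic, fmt in SIGNATURES:
        if data.startswith(magic):
            return fmt
    return "txt"    # no known signature: treated as plain text, not infectable


def is_excluded(path, masks):
    """Masks are separated by spaces, e.g. '*.exe *.com', and matched
    case-insensitively against the file name only, like MS-DOS wildcards."""
    base = path.rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, m.lower()) for m in masks.split())


def selected_for_scan(files, mode, exclusion_masks=""):
    """Return the sorted list of files the chosen mode would hand to the engine."""
    chosen = []
    for path, data in files.items():
        if is_excluded(path, exclusion_masks):
            continue
        if mode == "by_extension":
            scan = extension_of(path) in INFECTABLE_FORMATS
        elif mode == "all_infectable":
            scan = format_by_header(data) in INFECTABLE_FORMATS
        elif mode == "all_files":
            scan = True
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if scan:
            chosen.append(path)
    return sorted(chosen)


if __name__ == "__main__":
    for mode in ("by_extension", "all_infectable", "all_files"):
        print(mode, selected_for_scan(SAMPLE_FILES, mode))
    print("all_files, *.zip excluded", selected_for_scan(SAMPLE_FILES, "all_files", "*.zip"))
    print("all_files, *.* excluded", selected_for_scan(SAMPLE_FILES, "all_files", "*.*"))
```

Running it shows notes.txt (an MZ executable under a .txt name) being skipped in by_extension mode and caught in all_infectable mode, and the *.* mask emptying the scan list entirely.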

You can additionally enable or disable the scanning of archives, mail databases, packed files and files inside mail archives. For details, see the descriptions of the archive extracting engine and the executable module extracting engine.

NOTE! For files to be scanned correctly, enable long name support on all volumes of the server.

To detect viruses unknown to the program, enable the heuristic analyzer.

Back to the list of tabs 

 

The On-demand scan (actions) tab 

During on-demand scan the file can be given one of the following statuses: 

  • not infected – no known malicious program was detected in the file, and the heuristic analyzer found nothing suspicious;
  • infected – a known malicious program was detected in the file;
  • suspicious – the anti-virus engine found no known malicious program in the file, but the heuristic analyzer showed that:
    • the code of the analyzed object resembles a known malicious program but is slightly modified, or
    • the code of the detected object is structurally similar to malicious code, although no such threat is present in the databases of known threats;
  • warning – a processing error occurred while scanning the file.

If an error occurs while processing a file, the Anti-Virus applies no further actions to it. If a file is assigned the infected status, one of the following actions can be applied to it:

  • skip; 
  • disinfect;
  • delete; 
  • move to quarantine;
  • rename to a file with the same name and the .vir extension (or .vi1, .vi2, ... if a file with that name already exists). For example, eicar.com is renamed to eicar.vir.

If the delete or disinfect action is chosen, it is advisable to save a copy of the file to the quarantine folder, so that it can be restored if disinfection fails or an important file is deleted.

Sometimes an infected object cannot be disinfected: some types of malware, such as Trojans, cannot be disinfected at all, or an error occurs during disinfection. For such cases define the action to be taken if disinfection fails:

    • skip;
    • delete;
    • rename to a file with the same name and the .vir extension (or .vi1, .vi2, ... if a file with that name already exists).

Files with the infected and suspicious statuses have the same set of actions available (except disinfection): suspicious files cannot be disinfected.

Actions applied to infected and suspicious objects detected during on-demand scan are set on the On-demand scan (actions) tab.

NOTE! If one of the files inside an archive is infected and the Delete action is set for infected objects, the whole archive is deleted. For example, if an infected attachment is detected in one message of a mail database and the Delete action is set, the whole mail database is deleted. To avoid this, uncheck the Allow deleting or removing archives box.
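The action logic on the Protection (actions) tab and the On-demand scan (actions) tab is the same: statuses, a primary action, a fallback when disinfection fails, the .vir/.vi1/.vi2 renaming and the archive-deletion guard. The following added example models that logic against an in-memory stand-in for the server volume; it is not Kaspersky code. The Storage class, the quarantine dictionary, the pluggable disinfect routine (whose default always fails, standing in for a Trojan) and the treatment of "disinfect" on a suspicious object as a failed disinfection are assumptions for the illustration.

```python
"""Added example (not Kaspersky code): the per-file action logic described on the
Protection (actions) and On-demand scan (actions) tabs, run against an in-memory
stand-in for the server file system.  Statuses, actions, the .vir/.vi1/.vi2
renaming and the "Allow deleting or removing archives" guard follow the page;
the Storage class, the quarantine dictionary and the pluggable disinfect routine
are assumptions for the illustration."""
import os

ACTIONS = ("skip", "disinfect", "delete", "quarantine", "rename")
FAIL_ACTIONS = ("skip", "delete", "rename")      # choices offered when disinfection fails


class Storage:
    def __init__(self, files):
        self.files = dict(files)        # path -> bytes (constructed sample volume)
        self.quarantine = {}            # path -> bytes copied before delete/disinfect

    def rename_vir(self, path):
        """eicar.com -> eicar.vir, or eicar.vi1, eicar.vi2, ... if that name is taken."""
        base, _ = os.path.splitext(path)
        candidate, n = base + ".vir", 1
        while candidate in self.files:
            candidate, n = f"{base}.vi{n}", n + 1
        self.files[candidate] = self.files.pop(path)
        return candidate

    def handle(self, path, status, action, fail_action="skip", *, is_archive=False,
               allow_delete_archives=True, copy_to_quarantine=True,
               disinfect=lambda data: None):
        """Apply the configured action to one scan result and report what was done.

        disinfect(data) returns cleaned bytes, or None when the object cannot be
        disinfected (the default stub never succeeds, standing in for a Trojan)."""
        if action not in ACTIONS or fail_action not in FAIL_ACTIONS:
            raise ValueError("unsupported action")
        if status in ("not_infected", "warning"):
            return "skipped"             # processing error: no further action is applied
        if status == "suspicious" and action == "disinfect":
            action = fail_action         # assumption: suspicious objects cannot be disinfected
        if action == "disinfect":
            if copy_to_quarantine:
                self.quarantine[path] = self.files[path]   # restorable if cleaning fails
            cleaned = disinfect(self.files[path])
            if cleaned is not None:
                self.files[path] = cleaned
                return "disinfected"
            action = fail_action         # disinfection failed: fall back
        if action == "delete":
            if is_archive and not allow_delete_archives:
                return "skipped_archive"  # never drop a whole archive / mail database
            if copy_to_quarantine:
                self.quarantine[path] = self.files[path]
            del self.files[path]
            return "deleted"
        if action == "quarantine":
            self.quarantine[path] = self.files.pop(path)
            return "quarantined"
        if action == "rename":
            return "renamed:" + self.rename_vir(path)
        return "skipped"


def scenario():
    """Constructed volume exercising each branch: rename collision, archive guard,
    failed disinfection with delete fallback, suspicious object, scan error."""
    st = Storage({
        "SYS:/PUBLIC/eicar.com": b"constructed placeholder for eicar.com",
        "SYS:/PUBLIC/eicar.vir": b"earlier renamed copy",
        "SYS:/MAIL/inbox.pst": b"PK\x03\x04 mail database with one infected attachment",
        "SYS:/PUBLIC/trojan.exe": b"MZ trojan body",
        "SYS:/PUBLIC/dropper.exe": b"MZ heuristically suspicious body",
        "SYS:/PUBLIC/broken.bin": b"unreadable",
    })
    results = {
        "rename_collision": st.handle("SYS:/PUBLIC/eicar.com", "infected", "rename"),
        "archive_guard": st.handle("SYS:/MAIL/inbox.pst", "infected", "delete",
                                   is_archive=True, allow_delete_archives=False),
        "disinfect_fails": st.handle("SYS:/PUBLIC/trojan.exe", "infected", "disinfect", "delete"),
        "suspicious": st.handle("SYS:/PUBLIC/dropper.exe", "suspicious", "disinfect", "rename"),
        "scan_error": st.handle("SYS:/PUBLIC/broken.bin", "warning", "delete"),
    }
    return results, st


if __name__ == "__main__":
    results, st = scenario()
    for name, outcome in results.items():
        print(f"{name}: {outcome}")
    print("remaining:", sorted(st.files), "quarantine:", sorted(st.quarantine))
```

Note how the Trojan ends up deleted but with a quarantine copy, while the mail database survives only because the archive guard runs before the delete; with Allow deleting or removing archives left on, the entire database would be gone.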

Back to the list of tabs 

 

The Updates source tab 

On the Updates source tab you configure the anti-virus database update parameters used by all update tasks on the server.

 

Here you define the updates source. A client computer can update from:

    • the updates repository on the Administration Server (the Kaspersky Administration Kit option); in this case the update files are delivered to the file server by the Network Agent installed on it;
    • Kaspersky Lab's update servers on the Internet or any HTTP or FTP resource (the Internet option). To add further sources, click the Add button.

Connection settings can be configured in the Connection settings window; to open the window click the corresponding button. 

NOTE! A network folder can be used as an updates source only when the task is configured from the local interface of the Anti-Virus, since the policy has no access to the server file system.

If the connection to the main updates source is broken during a scheduled update, three further attempts to restore the connection are made at 15-minute intervals (the next attempt is made only if the previous one failed). The administrator can redefine the number of attempts when configuring the schedule of the update task.

On each attempt the list of update addresses is tried from the first (main) address onwards, until a connection succeeds or all addresses have been tried. If necessary, addresses can be moved up or down the list.

To download only new and modified anti-virus databases from the selected updates source, check the ……. box in the Copying mode section. Changes are identified by comparing the database description files on the updates source and on the update server. Otherwise all anti-virus databases on the updates source are downloaded.
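The retry and source-walk behaviour above, together with the differential copying mode, is summarized in the following added example (not Kaspersky code). The Source class, the index format ({database: version}), the scripted connection outcomes and the wait hook are assumptions for the illustration; the defaults of three retries at 15-minute intervals are the ones stated on the page.

```python
"""Added example (not Kaspersky code): the scheduled-update behaviour described
on the Updates source tab, namely three further connection attempts at 15-minute
intervals, each attempt walking the address list from the main source, and the
copying mode that downloads only new or modified databases by comparing
description indexes.  The Source class, the index format ({database: version})
and the wait hook are assumptions for the illustration."""

RETRIES = 3                 # repeated attempts after the first failure (page default)
RETRY_INTERVAL_MIN = 15     # minutes between attempts (page default)


class Source:
    """Constructed update source: an address, a description index and a scripted
    list of connection outcomes (True/False per attempt; True once exhausted)."""

    def __init__(self, url, index, outcomes=()):
        self.url = url
        self.index = dict(index)        # database name -> version in the description
        self.outcomes = list(outcomes)
        self.downloads = 0

    def connect(self):
        return self.outcomes.pop(0) if self.outcomes else True

    def fetch(self, name):
        self.downloads += 1
        return f"{name}@{self.index[name]}".encode()


def first_reachable(sources, retries=RETRIES, wait=lambda minutes: None):
    """Try the list from the first (main) address on every attempt; stop at the
    first successful connection or give up after the configured retries."""
    for attempt in range(retries + 1):
        for src in sources:
            if src.connect():
                return src, attempt
        if attempt < retries:
            wait(RETRY_INTERVAL_MIN)
    return None, retries


def update(local_index, sources, only_changed=True, wait=lambda minutes: None):
    """Download databases from the first reachable source.  With only_changed the
    local description index is compared with the source's and only differing
    entries are fetched; otherwise every database on the source is copied."""
    src, attempt = first_reachable(sources, wait=wait)
    if src is None:
        return None
    if only_changed:
        wanted = [n for n, v in src.index.items() if local_index.get(n) != v]
    else:
        wanted = list(src.index)
    for name in wanted:
        src.fetch(name)
        local_index[name] = src.index[name]
    return {"source": src.url, "attempt": attempt, "downloaded": sorted(wanted)}


def scenario():
    """Main server unreachable twice and the mirror unreachable as well; the third
    attempt reaches the main server and only the changed database is copied."""
    waits = []
    main = Source("http://updates.example.net/bases", {"av.kdb": 3, "heur.kdb": 2},
                  outcomes=[False, False, True])
    mirror = Source("ftp://mirror.example.net/bases", {"av.kdb": 2, "heur.kdb": 2},
                    outcomes=[False, False])
    local = {"av.kdb": 2, "heur.kdb": 2}
    result = update(local, [main, mirror], wait=waits.append)
    return result, local, waits, main.downloads


if __name__ == "__main__":
    result, local, waits, downloads = scenario()
    print(result, local, "waited (min):", waits, "files fetched:", downloads)
```

Because every attempt restarts from the main address, the ordering of the list decides which source wins once it comes back, which is why the page lets you move addresses up and down.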

Back to the list of tabs 

 

The Event processing tab 

On this tab the administrator chooses which events in the operation of Kaspersky Anti-Virus he or she is notified about, and how.

For all Kaspersky Lab applications, events related to anti-virus protection have the following severity levels according to their importance:

  • Critical 
    • Virus detected 
  • Warning 
    • A suspicious object is detected 
    • A password-protected archive is detected 
    • Object is disinfected
    • Object is deleted
    • Object is blocked 
    • The license has expired 

You can store information about events that occurred during application operation on the Administration Server (in the Events node of the console tree) or locally, on a client host (in this case you can view events through the locally installed Administration Console). 

If you do not want an event to be stored in the Administration Server database, select the event and uncheck Store events on the Server for.

To notify the administrator about an event, the application can send an email, use NET SEND or run an executable. Click the Advanced button to open the Advanced window, where you can specify the SMTP server for email notifications, the default computers for net send notifications and the default notification script.

If these parameters are already configured on the Notification tab of the Administration Server properties, there is no need to configure them in the policies.

NOTE! The storage and notification parameters are configured for each event SEPARATELY! Select EACH event and specify its parameters.

Back to the list of tabs 

 
 
 
 