Manual installation (Linux)

This section describes how to manually install Kaspersky Scan Engine on Linux systems.

To install Kaspersky Scan Engine manually:

  1. Make sure that you have root (administrator) privileges.
  2. Create the /opt/kaspersky/ScanEngine directory. This directory is called %service_dir% in this Help document.
  3. Unpack the distribution kit contents to the %service_dir% directory on your system.
  4. Read the End User License Agreement (EULA) for Kaspersky Scan Engine. The EULA is located at %service_dir%/doc/license.txt.

    If you agree to the terms of the EULA, proceed to the next step. If you decline the terms of the EULA, cancel the installation.

  5. Open file %service_dir%/etc/klScanEngineUI.xml.
  6. Accept the EULA. Change <Common>rejected</Common> to <Common>accepted</Common> in the klScanEngineUI.xml file.
  7. If you want to use Kaspersky Security Network (KSN), read the EULA for KSN and the Privacy Policy. This EULA is also located at %service_dir%/doc/ksn_license.txt and contains the link to the Privacy Policy.

    If you agree to the terms of the EULA for KSN and the Privacy Policy, proceed to the next step. If you decline the terms of the EULA for KSN or the Privacy Policy, proceed to step 9.

  8. Accept the EULA for KSN. Change <KSN>rejected</KSN> to <KSN>accepted</KSN> in klScanEngineUI.xml.
  9. Save and close %service_dir%/etc/klScanEngineUI.xml.
  10. Create a symbolic link to %service_dir%/etc/klScanEngineUI.xml from the /etc/ directory:

    ln -s %service_dir%/etc/klScanEngineUI.xml /etc/klScanEngineUI.xml

  11. If you want to use Kaspersky Scan Engine GUI, read subsection "Enabling Kaspersky Scan Engine GUI" below.
  12. Make a symbolic link to the proper Kaspersky Scan Engine configuration file from the /etc/ directory:
    • For HTTP mode, copy the %service_dir%/etc/kavhttpd.xml file to the /etc/ directory.
    • For ICAP mode, copy the %service_dir%/etc/kavicapd.xml file to the /etc/ directory.

    For example, in HTTP mode you have to run the following command:

    ln -s %service_dir%/etc/kavhttpd.xml /etc/kavhttpd.xml

  13. Make a symbolic link to the proper Kaspersky Scan Engine init script from the /etc/init.d directory:
    • For HTTP mode, copy the %service_dir%/etc/init.d/kavhttpd file to the /etc/init.d directory.
    • For ICAP mode, copy the %service_dir%/etc/init.d/kavicapd file to the /etc/init.d directory.

    For example, in HTTP mode you have to run the following command:

    ln -s %service_dir%/etc/init.d/kavhttpd /etc/init.d/kavhttpd

  14. If you want Kaspersky Scan Engine to start automatically on system bootup, do the following:
    1. Go to the /etc/init.d/ directory.
    2. Add the proper Kaspersky Scan Engine service to the system startup.
      • For HTTP mode, run the following command:
        • Red Hat-based distributions:

        chkconfig --add kavhttpd

        • Debian-based distributions:

        update-rc.d kavhttpd defaults

      • For ICAP mode, run the following command:
        • Red Hat-based distributions:

        chkconfig --add kavicapd

        • Debian-based distributions:

        update-rc.d kavicapd defaults

  15. Go to the next step of your "Getting started" section:

After you install Kaspersky Scan Engine, you can check the integrity of its components at any time by using the integrity check tool.

Enabling Kaspersky Scan Engine GUI

To enable Kaspersky Scan Engine GUI:

  1. Make sure that you have root (administrator) privileges.
  2. Do one of the following:
  3. On the computer that has PostgreSQL installed, perform the actions listed below under a user that can create new users and databases. To perform these actions, you can use either the psql utility or pgAdmin.
    1. Create a new PostgreSQL user called scanengine:

      CREATE USER scanengine;

    2. Set the password for the scanengine user:

      ALTER USER scanengine WITH PASSWORD '%PASSWORD%';

    3. Using PostgreSQL, create a database called kavebase:

      CREATE DATABASE kavebase OWNER scanengine;

    4. In the kavebase database run the queries described in %service_dir%/samples/tables.sql.

      psql -d kavebase -a -f tables.sql

  4. Open /etc/klScanEngineUI.xml.
  5. In the <Mode> element, specify the mode that Kaspersky Scan Engine will work in:

    For HTTP mode:

    <Mode>httpd</Mode>

    For ICAP mode:

    <Mode>icap</Mode>

  6. Change <EnableUI>false</EnableUI> to <EnableUI>true</EnableUI>.
  7. In the <ConnectionString> element, specify the address of the Kaspersky Scan Engine GUI web service in %IP%:%port% format.

    For example:

    <ConnectionString>198.51.100.0:443</ConnectionString>

  8. Specify the SSL certificate to install in the Kaspersky Scan Engine GUI web service.
    • If you already have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, specify the paths to your certificate and your private key:
      1. In the <SSLCertificatePath> element, specify the path to your SSL certificate.
      2. In the <SSLPrivateKeyPath> element, specify the path to your private key.
    • If you do not have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, generate a new one. Run the %service_dir%/tools/openssl utility as follows:

    /opt/kaspersky/ScanEngine/tools/openssl req -x509 -nodes -days 1825 -subj /C=RU/CN="%ConnectionString%" -newkey rsa:4096 -extensions EXT -config "/opt/kaspersky/ScanEngine/tools/openssl.cnf" -keyout "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_private.pem" -out "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_cert.pem"

    Here %ConnectionString% is the value that is specified in the <ConnectionString> element. It is recommended to use values rsa:4096 or rsa:3072 with the -newkey parameter. The minimum supported value is rsa:2048.

    You must configure access to the private key file for ScanEngine GUI so that only the root user and the user account under which the service is running can have the read permission.

  9. Generate an encryption key as follows:

    openssl rand -out %service_dir%/httpsrv/kl_scanengine_db.key 512

  10. Provide read permission to the owner only by running the following command:

    chmod 400 %service_dir%/httpsrv/kl_scanengine_db.key

  11. In the DatabaseSettings > ConnectionString element, specify the address of a new or existing kavebase database that you want to connect to by using the format %IP%:%port%.
  12. Save and close /etc/klScanEngineUI.xml.
  13. Encrypt the user name and password of the user that will be used to access to the kavebase database:
    • If you have never installed an instance of Kaspersky Scan Engine with GUI before or you do not want to add the new instance to an existing cluster, encrypt the user name and password of the user that you specified in step 3.
    • If you already have an instance of Kaspersky Scan Engine with GUI and you want to add the new instance to the same cluster, encrypt the user name and password of the user that is used to access the kavebase database of the cluster.

    To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to /etc/klScanEngineUI.xml. The utility is located in the %service_dir%/tools/ directory.

    Run the kav_encrypt utility with the following options:

    -d %username%:%password%

  14. Make a symbolic link to %service_dir%/etc/init.d/klScanEngineUI from /etc/init.d:

    ln -s %service_dir%/etc/init.d/klScanEngineUI /etc/init.d/klScanEngineUI

  15. If you want Kaspersky Scan Engine to start automatically on system bootup, do the following:
    1. Go to the /etc/init.d/ directory.
    2. Add the Kaspersky Scan Engine GUI service to the system startup. Run the following command:
      • Red Hat-based distributions:

        chkconfig --add klScanEngineUI

      • Debian-based distributions:

        update-rc.d klScanEngineUI defaults

  16. Start Kaspersky Scan Engine GUI:

    /etc/init.d/klScanEngineUI start

Page top