Manual installation (Linux)

This section describes how to manually install Kaspersky Scan Engine on Linux systems.

Before installing and configuring Kaspersky Scan Engine, you need to specify the locale of the computer on which Kaspersky Scan Engine is installed. Use the following commands:

To install Kaspersky Scan Engine manually:

1. Make sure that you have root (administrator) privileges.
2. Create the /opt/kaspersky/ScanEngine directory. This directory is called %service_dir% in this Help document.
3. Unpack the distribution kit contents to the %service_dir% directory on your system.
4. Unpack the objects from the KAV SDK distribution kit (hereinafter %SDK_kit%) as follows:
   • Objects from %SDK_kit%/bin/bases to %service_dir%/bin/bases
   • Objects from %SDK_kit%/include to %service_dir%/include
   • Objects from %SDK_kit%/lib to %service_dir%/lib
   • Objects from %SDK_kit%/ppl to %service_dir%/ppl
   • The %SDK_kit%/tools/kavsigner file to %service_dir%/tools
   • The %SDK_kit%/tools/integrity_check_sdk.xml file to %service_dir%

   Only users with administrator rights must have access to the objects from %SDK_kit%.
   For compatibility with Kaspersky Scan Engine, use the KAV SDK version 8.9.2.595 or later.

5. Read the End User License Agreement (EULA) for Kaspersky Scan Engine. The EULA is located at %service_dir%/doc/license.txt.

   If you agree to the terms of the EULA, proceed to the next step. If you decline the terms of the EULA, cancel the installation.

6. Open file %service_dir%/etc/klScanEngineUI.xml.
7. Accept the EULA. Change <Common>rejected</Common> to <Common>accepted</Common> in the klScanEngineUI.xml file.
8. If you want to use Kaspersky Security Network (KSN), read the EULA for KSN and the Privacy Policy. This EULA is also located at %service_dir%/doc/ksn_license.txt and contains the link to the Privacy Policy.

   If you agree to the terms of the EULA for KSN and the Privacy Policy, proceed to the next step. If you decline the terms of the EULA for KSN or the Privacy Policy, proceed to step 10.

9. Accept the EULA for KSN. Change <KSN>rejected</KSN> to <KSN>accepted</KSN> in klScanEngineUI.xml.
10. Save and close %service_dir%/etc/klScanEngineUI.xml.
11. Create a symbolic link to %service_dir%/etc/klScanEngineUI.xml from the /etc/ directory:

    ln -s %service_dir%/etc/klScanEngineUI.xml /etc/klScanEngineUI.xml

12. If you want to use Kaspersky Scan Engine GUI, read subsection "Enabling Kaspersky Scan Engine GUI" below.
13. Make a symbolic link to the proper Kaspersky Scan Engine configuration file from the /etc/ directory:
    • For HTTP mode, copy the %service_dir%/etc/kavhttpd.xml file to the /etc/ directory.
    • For ICAP mode, copy the %service_dir%/etc/kavicapd.xml file to the /etc/ directory.

    For example, in HTTP mode you have to run the following command:

    ln -s %service_dir%/etc/kavhttpd.xml /etc/kavhttpd.xml

14. If you do not use the Kaspersky Scan Engine GUI and a connection through proxy server is needed, you have to specify an encrypted user name and password for the proxy server. To encrypt the user name and password:
    1. Generate an encryption key as follows:

       openssl rand -out %service_dir%/httpsrv/kl_scanengine_db.key 512

    2. Provide read permission to the owner only by running the following command:

       chmod 400 %service_dir%/httpsrv/kl_scanengine_db.key

    3. To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to the configuration file kavhttpd.xml (for HTTP mode) or kavicapd.xml (for ICAP mode). The utility is located in the %service_dir%/tools/ directory.

       Run the kav_encrypt utility with the following options:

       -m <httpd | icap> -p <user_name:password>

15. In /etc/systemd/system/multi-user.target.wants/, make symbolic links to the following files:
    • For ICAP mode, make a symbolic link to /opt/kaspersky/ScanEngine/etc/kavicapd.service by using the following command:

    ln -s /opt/kaspersky/ScanEngine/etc/kavicapd.service /etc/systemd/system/kavicapd.service

    • For HTTP mode, make a symbolic link to /opt/kaspersky/ScanEngine/etc/kavhttpd.service by using the following command:

    ln -s /opt/kaspersky/ScanEngine/etc/kavhttpd.service /etc/systemd/system/kavhttpd.service

16. Register Kaspersky Scan Engine in the system by using the following commands:

    systemctl daemon-reload systemctl enable kavhttpd systemctl enable kavicapd

17. Run registered Kaspersky Scan Engine services:
    • For ICAP mode, run:

    service kavicapd start

    • For HTTP mode, run:

    service kavhttpd start

18. Go to the next steps as described in Getting started for HTTP mode or ICAP mode.
19. Activate Kaspersky Scan Engine either in offline licensing mode or online licensing mode.

After you install Kaspersky Scan Engine, you can check the integrity of its components at any time by using the integrity check tool.

Enabling Kaspersky Scan Engine GUI

To enable Kaspersky Scan Engine GUI:

1. Make sure that you have root (administrator) privileges.
2. Do one of the following:
   • If you have never installed an instance of Kaspersky Scan Engine with GUI before or you do not want to add the new instance to an existing cluster, perform the actions described in section "Preparing to install Kaspersky Scan Engine GUI".
   • If you already have an instance of Kaspersky Scan Engine with GUI and you want to add the new instance to the same cluster, go to the step 4.
3. On the computer that has PostgreSQL installed, perform the actions listed below under a user that can create new users and databases. To perform these actions, you can use either the psql utility or pgAdmin.

   Make sure that the user running the database queries has access to the directory containing tables.sql and also has read access to tables.sql itself.

   1. Create a new PostgreSQL user called scanengine:

      CREATE USER scanengine;

   2. Set the password for the scanengine user:

      ALTER USER scanengine WITH PASSWORD '%PASSWORD%';

   3. Using PostgreSQL, create a database called kavebase:

      CREATE DATABASE kavebase OWNER scanengine;

   4. In the kavebase database run the queries described in %service_dir%/samples/tables.sql.

      psql -d kavebase -a -f tables.sql

4. Open /etc/klScanEngineUI.xml.
5. In the <Mode> element, specify the mode that Kaspersky Scan Engine will work in:

   For HTTP mode:

   <Mode>httpd</Mode>

   For ICAP mode:

   <Mode>icap</Mode>

6. Change <EnableUI>false</EnableUI> to <EnableUI>true</EnableUI>.
7. In the <ConnectionString> element, specify the address of the Kaspersky Scan Engine GUI web service in %IP%:%port% format.

   For example:

   <ConnectionString>198.51.100.0:443</ConnectionString>

8. Specify the SSL certificate to install in the Kaspersky Scan Engine GUI web service.
   • If you already have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, specify the paths to your certificate and your private key:
     1. In the <SSLCertificatePath> element, specify the path to your SSL certificate.
     2. In the <SSLPrivateKeyPath> element, specify the path to your private key.
   • If you do not have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, generate a new one. Run the %service_dir%/tools/openssl utility as follows:

   /opt/kaspersky/ScanEngine/tools/openssl req -x509 -nodes -days 1825 -subj /C=RU/CN="%ConnectionString%" -newkey rsa:4096 -extensions EXT -config "/opt/kaspersky/ScanEngine/tools/openssl.cnf" -keyout "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_private.pem" -out "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_cert.pem"

   Here %ConnectionString% is the value that is specified in the <ConnectionString> element. It is recommended to use the values rsa:4096 or rsa:3072 with the -newkey parameter. The minimum supported value is rsa:2048.

   You must configure access to the private key file for Kaspersky Scan Engine GUI so that only the root user and the user account under which the service is running can have the read permission.

9. Generate an encryption key as follows:

   openssl rand -out %service_dir%/httpsrv/kl_scanengine_db.key 512

10. Provide read permission to the owner only by running the following command:

    chmod 400 %service_dir%/httpsrv/kl_scanengine_db.key

11. In the DatabaseSettings > ConnectionString element, specify the address of a new or existing kavebase database that you want to connect to by using the format %IP%:%port%.
12. Save and close /etc/klScanEngineUI.xml.
13. Encrypt the user name and password of the user that will be used to access to the kavebase database:
    • If you have never installed an instance of Kaspersky Scan Engine with GUI before or you do not want to add the new instance to an existing cluster, encrypt the user name and password of the user that you specified in step 3.
    • If you already have an instance of Kaspersky Scan Engine with GUI and you want to add the new instance to the same cluster, encrypt the user name and password of the user that is used to access the kavebase database of the cluster.

    To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to /etc/klScanEngineUI.xml. The utility is located in the %service_dir%/tools/ directory.

    Run the kav_encrypt utility with the following options:

    -d '%username%:%password%'

14. In /etc/systemd/system/multi-user.target.wants/, make a symbolic link to /opt/kaspersky/ScanEngine/etc/klScanEngineUI.service by using the following command:

    ln -s /opt/kaspersky/ScanEngine/etc/klScanEngineUI.service /etc/systemd/system/klScanEngineUI.service

15. Register Kaspersky Scan Engine in the system by using the following commands:

    systemctl daemon-reload systemctl enable klScanEngineUI

16. Run the registered Kaspersky Scan Engine service:

    service klScanEngineUI start