ScannerDaemon Howto

The ScannerDaemon listens on port 8127 on localhost for absolute file names and absolute directory names. It scans the file, or all files in the directory, and reports 'OK' if no virus has been found or 'FOUND: <virusname>' if a virus has been detected.

Necessary software

You need an installed Java 2 Runtime Environment, Standard Edition (JRE). Every JRE >= 1.2 should be fine, but I just tested it with 1.4. You can get it from Sun at http://java.sun.com/j2se/ .

You also need at least one Credo-file that came with the ScannerDaemon in a subdirectory 'credo' of the directory where you start the ScannerDaemon. Otherwise give the full path on the command line.

Usage

You start the ScannerDaemon simply by entering
java -jar ScannerDaemon.jar
If you did not forget the Credo-files, it should come up and listen on port 8127. You can also give the name of the signature file as a command-line parameter, like
java -jar ScannerDaemon.jar /opt/openantivirus/VirusSignatures.credo
Hint: If you are running Linux and activated the executable Jar-file support documented in '/usr/src/linux/Documentation/java.txt', you can omit the 'java -jar' if you make the Jar-file executable.

Symbolic links

ScannerDaemon does not follow symbolic links. If you want this, give the option '-followsymlinks' on the command line.

Temporary directory

A temporary directory is needed to scan several file types. You should specify a directory where to put these files with the option '-tempdir '. Otherwise, the system's temporary directory is used, which may be a security issue.

Digital signature

The Credo-files are digitally signed with keys which were digitally signed by the OpenAntivirus project. This signature is checked automatically on startup, and execution is aborted if the signature does not exist or is invalid. You can disable this with the option '-nosignature'. You have to do this if you want to run ScannerDaemon with Kaffe or other JVMs that do not support the JCE (cryptography stuff).

Scan

Now you can connect to port 8127 and send absolute file names or absolute directory names terminated by <CR>/<LF>. Use 'telnet' or 'netcat' for this.

Example:
kurt@lobo:~ > telnet localhost 8127
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SCAN /home/kurt/MTX.pif
FOUND: W95/Matrix.SCR
Connection closed by foreign host.

kurt@lobo:~ > echo "SCAN /home/kurt/Fix2001.exe" | netcat localhost 8127
FOUND: TR/IWorm.Fix2001
Have fun!

Post

You can also send files directly to the scanner. This is done by sending POST to the daemon. It answers with a port where you have to send the files to:

kurt@lobo:~> telnet localhost 8127
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
POST

Send data to port '34705' within 10 seconds.
kurt@lobo:~> cat eicar | netcat localhost 34705
Connected.
FOUND: Eicar-Test-Signatur
The socket is closed if a virus is found, so be prepared for this.
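
The POST exchange above as a small Python client. This is an added example, not code from the ScannerDaemon project. It assumes that the data port answers a clean file with 'OK' as SCAN does and that half-closing the data socket marks the end of the data; post_bytes and the parse_* helpers are names made up for this example.

```python
import re
import socket

DAEMON = ("127.0.0.1", 8127)  # localhost, port 8127, as in this howto

def parse_verdict(reply):
    """Return (infected, names). Raises unless the reply holds a verdict, so
    an empty or unexpected reply is never mistaken for a clean file."""
    lines = [ln.strip() for ln in reply.splitlines()]
    names = [ln[len("FOUND: "):] for ln in lines if ln.startswith("FOUND: ")]
    if names:
        return True, names  # any FOUND line wins over an OK line
    if "OK" in lines:
        return False, []
    raise ValueError("no verdict in daemon reply: %r" % reply)

def parse_post_port(reply):
    """Pull the data port out of "Send data to port '34705' within ..."."""
    m = re.search(r"Send data to port '(\d+)'", reply)
    if not m:
        raise ValueError("no data port in POST reply: %r" % reply)
    return int(m.group(1))

def read_until_close(sock):
    """Read until the daemon closes the socket; a reset counts as a close."""
    data = b""
    try:
        while chunk := sock.recv(4096):
            data += chunk
    except ConnectionResetError:
        pass
    return data.decode("latin-1")

def post_bytes(data, daemon=DAEMON, timeout=10):
    """Send data through POST; returns (infected, names) or raises."""
    with socket.create_connection(daemon, timeout=timeout) as ctl:
        ctl.sendall(b"POST\r\n")
        reply = b""  # a blank line may precede the line naming the port
        while b"seconds" not in reply and (chunk := ctl.recv(4096)):
            reply += chunk
        port = parse_post_port(reply.decode("latin-1"))
        with socket.create_connection((daemon[0], port), timeout=timeout) as d:
            try:
                d.sendall(data)
                d.shutdown(socket.SHUT_WR)  # assumption: marks end of data
            except (BrokenPipeError, ConnectionResetError):
                pass  # daemon closed the socket on a find; verdict read below
            return parse_verdict(read_until_close(d))
```

A caller should treat any exception (timeout, missing port line, lost verdict) as "not cleared" rather than as a clean result.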

Filter

Similar to POST, but with an additional port that echoes all data that has been scanned without finding a virus.
kurt@lobo:~> telnet localhost 8127
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
FILTER

Send/receive data to/from port '34709/34710' within 10 seconds.
Both sockets are closed as soon as a virus is found, so be prepared for this.

Credo reload

You can reload the Credo files by sending the string 'COMMAND CREDO RELOAD' to port 8127.
kurt@lobo:~> telnet localhost 8127
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
COMMAND CREDO RELOAD

The Credo files will be reloaded, e.g. after an update.

Shutdown

You can shut down the ScannerDaemon by sending the string 'COMMAND SHUTDOWN' to port 8127.
kurt@lobo:~> telnet localhost 8127
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
COMMAND SHUTDOWN

ScannerDaemon will terminate immediately!
$Id: ScannerDaemon-Howto.html,v 1.9 2002/05/13 22:21:00 kurti Exp $