Suse 10.2 - How To Get Antivir And Dazuko Real Time Virus Scanner Work

  #1 (permalink)  
Old 05-Feb-2007, 18:58
Blitz23
Guest
 
Posts: n/a
Default

I am passing this on to share what has worked well for me on several systems for having Dazuko stay loaded in the kernel after rebooting. I'm assuming people reading this already know about Dazuko and AntiVir which provide an outstanding real time virus scanner with automatic updates every two hours, for free!

http://www.dazuko.de/ and http://www.free-av.com/

I've been using Dazuko releases together with a number of SuSE and AntiVir releases for quite awhile. When I installed SuSE 10.2, I had difficulties with Dazuko staying loaded in the kernel for booting. As a note, the Dazuko app. provided with SuSE 10.2 would not work correctly with AntiVir for me.

I am not using SuSE AppArmor and have it disabled in Yast in SuSE. As I understand, occasionally, there can be conflicts between kernel modules added, such as, Dazuko, and AppArmor.

I installed openSUSE 10.2 and installed the Dazuko kernel module from the Dazuko website following the HOWTO there with no difficulty, as usual, and AntiVir functioned correctly with Dazuko. On reboot, the Dazuko module did not stay loaded in the kernel. If I started it manually, it worked, and all was fine scanning real time with AntiVir. As AppArmor is enabled by default in SuSE 10.2, I had already disabled it before loading Dazuko.

I surfed the Internet quite a bit and found others that had had similar problems with Dazuko in SuSE 10.2. I tried a number of solutions listed on the Internet I found in surfing, none worked.

My Resolution: After installing Dazuko kernel as normal, per the excellent HOWTO Install on the Dazuko website http://www.dazuko.de/ I then referenced the FAQ for SuSE 9.1, steps 2. through 5. on the same website.

Note: As I am not using AppArmor, I did not do the step $ ./configure --enable-syscalls --mapfile=/path/to/mapfile as explained in the FAQ for SuSE.

From the SuSE 9.1 Dazuko FAQ I did:

2. copy dazuko.ko to kernel module directory and refresh module dependencies

# cp dazuko.ko /lib/modules/`uname -r`/kernel/security
# depmod -a

3. I FOUND STEP 3., WAS NOT NECESSARY FOR ME WHICH WAS: modify the boot parameters to disable NSA SELinux support

- edit /boot/grub/menu.lst and add "selinux=0" to the end of the line:
kernel hd(... showopts

4. set Dazuko and Capability to be automatically loaded on startup

- edit /etc/sysconfig/kernel and change the line:
MODULES_LOADED_ON_BOOT=""
to
MODULES_LOADED_ON_BOOT="dazuko capability"

5. reboot machine

From then on the Dazuko module was still in the kernel after reboot and AntiVir worked properly for realtime scanning.

I'm just passing this on as an FYI, hopefully of some help, as to what I experienced.

I left my findings with the Dazuko developer.

I hope this was helpful to you.

Duane



  #2 (permalink)  
Old 06-Feb-2007, 06:47
cesar_spain
Guest
 
Posts: n/a
Default

AVG is a great Linux antivirus.

Main Page: http://www.grisoft.com/doc/289/lng/us/tpl/tpl01
AVG Free version Download page: http://free.grisoft.com/doc/5390/lng/us/tp...anti-virus-free
AVG Commercial Download Page: http://www.grisoft.com/doc/35234/lng.../tpl01?prd=avl
AVG 7.1 SuSE package: http://free.grisoft.com/softw/70free/setup...vi0720.i386.rpm

Dazuko Module can be found in repositories, so you can install it using smart or yast.

  #3 (permalink)  
Old 06-Feb-2007, 16:34
Blitz23
Guest
 
Posts: n/a
Default

Quote:
AVG is a great Linux antivirus.

Main Page: http://www.grisoft.com/doc/289/lng/us/tpl/tpl01
AVG Free version Download page: http://free.grisoft.com/doc/5390/lng/us/tp...anti-virus-free
AVG Commercial Download Page: http://www.grisoft.com/doc/35234/lng.../tpl01?prd=avl
AVG 7.1 SuSE package: http://free.grisoft.com/softw/70free/setup...vi0720.i386.rpm

Dazuko Module can be found in repositories, so you can install it using smart or yast.
Thanks for the additional information!!!

Duane
  #4 (permalink)  
Old 08-Feb-2007, 12:29
metal1633
Guest
 
Posts: n/a
Default

What exactly is the POINT of real time scanning? Of the fewer than 100 native linux viruses, there is only ONE native linux virus in the wild and you need to MANUALLY compile and install it as Root. Real Time Scanning is a complete waste of system resources

You only need to....

A: Have an e-mail scanner so any infected mails do not get passed on to others. (you won't get infected but like Typhoid Mary, you can spread it around.)

B: A scanner for windows network shares.

C: An occasional manual scan of the /home dir to double check that there are no infected downloaded files/attachments which can spread back to the internet or to a local windows network.

I have run unix or a unix clone for over 30 years and have never gotten any sort of infection. But I have found windows viruses hiding in my e-mail.
  #5 (permalink)  
Old 08-Feb-2007, 13:39
Blitz23
Guest
 
Posts: n/a
Default

Quote:
What exactly is the POINT of real time scanning? Of the fewer than 100 native linux viruses, there is only ONE native linux virus in the wild and you need to MANUALLY compile and install it as Root. Real Time Scanning is a complete waste of system resources

You only need to....

A: Have an e-mail scanner so any infected mails do not get passed on to others. (you won't get infected but like Typhoid Mary, you can spread it around.)

B: A scanner for windows network shares.

C: An occasional manual scan of the /home dir to double check that there are no infected downloaded files/attachments which can spread back to the internet or to a local windows network.

I have run unix or a unix clone for over 30 years and have never gotten any sort of infection. But I have found windows viruses hiding in my e-mail.
Yes, I agree, the need is border. However, I have it and it works well. To date, I've never seen much of a performance impact here, but I have plenty of reserve power for what I am doing. I do get a number of windows viruses detected in email and occasionally web sites. I'm always amazed when I look in the logs at what it has picked up, again, for windows.
  #6 (permalink)  
Old 15-Feb-2007, 10:57
Blitz23
Guest
 
Posts: n/a
Default

Quote:
AVG is a great Linux antivirus.

Main Page: http://www.grisoft.com/doc/289/lng/us/tpl/tpl01
AVG Free version Download page: http://free.grisoft.com/doc/5390/lng/us/tp...anti-virus-free
AVG Commercial Download Page: http://www.grisoft.com/doc/35234/lng.../tpl01?prd=avl
AVG 7.1 SuSE package: http://free.grisoft.com/softw/70free/setup...vi0720.i386.rpm

Dazuko Module can be found in repositories, so you can install it using smart or yast.
Oops, I'm sorry cesar_spain, I just happened to reread your post and just now saw the last sentence of your post. I hadn't noticed your last sentence before about Dazuko in the repositories. I'm just simply sharing some more info now on what happened in my case... I tried using the Dazuko module from the repositories with Antivir on an identical system, same results, when first installing SuSE 10.2. For whatever reason, Antivir would not work with the Dazuko module for me loading it from the repositories, that's how I got off on this other path, mostly from the directions for SuSE 9.1 in the Dazuko support FAQ on their site, but in my case using it for 10.2, but omitting the step to modify the boot parameters to disable NSA SELinux support.

Over the past several weeks, all seems fine with Dazuko and Antivir for me in SuSE 10.2 on two systems here. I'm really really glad you posted about AVG. If I do run into difficulties with Antivir, I'll switch to AVG using Dazuko from the repositories. It sure would be a lot simpler for me. I do agree with another SuSE user's posting that it is overkill scanning real time for a virus in Linux, but it all seems to work so well and so absolutely transparent to the user for us, none here has seen any performance difference with it on or off. Again, clearly because there is a lot of extra horsepower in the two systems for the apps being used here.

Thanks again for your great info on AVG!!! And using the Dazuko repositories with AVG!!!
  #7 (permalink)  
Old 15-Feb-2007, 12:03
TioDuke
Guest
 
Posts: n/a
Default

Quote:
A: Have an e-mail scanner so any infected mails do not get passed on to others. (you won't get infected but like Typhoid Mary, you can spread it around.)

B: A scanner for windows network shares.

C: An occasional manual scan of the /home dir to double check that there are no infected downloaded files/attachments which can spread back to the internet or to a local windows network.

Finally, A, B and C are all three for protecting winblows' systems. May I ask you why someone running Linux will want to scan for viruses for windows? I can only see two consequences:
1) You are wasting (your) system resources. Let the winblows' users waste theirs: they need to do it and they are used to that anyways.
2) You are only helping to hide the real problem: people need to understand what windows is good for (nothing at all IMO). If they need to swim on thousands of viruses to get to understand that, so be it.

If we want (as Linux' users) to finally get the monopoly broken, so that we will get a) better Linux' drivers, b) more companies porting their software to Linux (I think about products as CAD or Photoshop, which some people just need for performing their every day work), then helping windows deal with their inherent problems and, by doing so, wasting system resources is not the direction to go.

Sorry, for this little rant. I am not criticising you at all. I respect your being good enough to share your discovery with the rest of us. Sorry again.
  #8 (permalink)  
Old 24-Feb-2007, 12:22
cesar_spain
Guest
 
Posts: n/a
Default

Most antivirus programs require Dazuko, and this module is incompatible with AppArmor, so it has to be patched.

----------------------------------
INSTALLING DAZUKO
----------------------------------

1.- Compiling and Installing the Module

Code:
root@linux# smart remove dazuko-kmp-bigsmp
root@linux# smart install dazuko
root@linux# cd /opt
root@linux# mkdir ./dazuko
root@linux# cd ./dazuko
root@linux# wget http://www.dazuko.org/files/dazuko-2.3.2.tar.gz
root@linux# tar xvzf ./*gz
root@linux# cd dazu*
root@linux# ./configure --enable-syscalls --mapfile=/boot/System.map-`uname -r`
root@linux# make
root@linux# make install
root@linux# cp /lib/modules/`uname -r`/extra/dazuko.ko /lib/modules/`uname -r`/kernel/security
root@linux# modprobe dazuko
root@linux# cd
root@linux# rm -R /opt/dazuko

2.- Loading module on boot

Edit /etc/sysconfig/kernel and change the line:
MODULES_LOADED_ON_BOOT=""
to
MODULES_LOADED_ON_BOOT="dazuko capability"

----------------------------------
INSTALLING ANTIVIRUS
----------------------------------

Available in the repositories: clamav, klamav, antivir. You can use any package manager for installing them.

AVG Antivirus:
http://free.grisoft.com/softw/70free/setup...vi0720.i386.rpm

----------------------------------
CRON ACTIONS OF ANTIVIRUS
----------------------------------

Here is an example with AVG.


Code:
root@linux# crontab -e
################################################################
#                  SCHEDULED TASKS
################################################################

# Special properties (on boot, daily, ...)
#--------------------------------------------
#@reboot /usr/bin/avgupdate -n --no-daemons --priority 2 --online
#@reboot (FILENAME=/root/.avg7/testresults/testreport.`date +\%s`; /usr/bin/avgscan -report $FILENAME -heur -smart /home || mv $FILENAME $FILENAME.)

# Scheduled by hour
#------------------------------------------------------
#  Min  | Hour | Day | Month | Day of Week | Command
#------------------------------------------------------
    30     */2    *      *         *         smart upgrade --update --yes
    0      */3    *      *         *         /usr/bin/avgupdate -n --no-daemons --priority 2 --online

# Examples of Hour Column:
# */3    => Every 3 hours
# 8-12/2 => From 8 to 12, every 2 hours: 8, 10, 12
  #9 (permalink)  
Old 14-Mar-2007, 16:59
langby
Guest
 
Posts: n/a
Smile

Thank you for the description.
But now I get a message that says

WARNING: add local extensions to this file line 4: ignoring bad line starting with 'dazuko'

when I do a
modprobe dazuko

thx for any suggestions....
  #10 (permalink)  
Old 14-Mar-2007, 18:14
Blitz23
Guest
 
Posts: n/a
Default

Quote:
Thank you for the description.
But now I get a message that says

WARNING: add local extensions to this file line 4: ignoring bad line starting with 'dazuko'

when I do a
modprobe dazuko

thx for any suggestions....

Hi, I think you're asking cesar_spain your question? I did the original post. For me, I've never been able to get Dazuko and AntiVir to work successfully with AppGuard enabled, so for my needs I leave AppGuard disabled. I'm still having success with my initial approach that worked for me, even through some recent kernel updates. I just had to do it again, recently, for the last kernel update I received. cesar_spain is far more familiar than I with the internals of Dazuko and getting it to work with AppArmor if you need it, so I'm keeping quiet.

Note: As I am not using AppArmor, HOWEVER, for kernel 2.6.18.8-0.1-default I had to do the step $ ./configure --enable-syscalls --mapfile=/path/to/mapfile as explained in the FAQ for SuSE on the Dazuko web site. Otherwise, Dazuko would not stay loaded in the kernel after rebooting. It is now working perfectly after reboots.
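
Added example, not written by any poster in this thread: a POSIX shell check for the two persistence steps described in posts #1 and #8 (dazuko.ko present in the kernel's module tree, and `dazuko capability` listed in MODULES_LOADED_ON_BOOT), which is the state that has to be re-established after the kernel updates mentioned in post #10. The function names and the `--live` switch are hypothetical; the paths are the ones given in the thread.

```shell
#!/bin/sh
# Added example: verify that Dazuko will still load after a reboot.
# Paths are passed as arguments so the checks can be run on a test tree.

# Print the modules listed in MODULES_LOADED_ON_BOOT, one per line.
# $1 = sysconfig file (normally /etc/sysconfig/kernel)
boot_modules() {
    sed -n 's/^[[:space:]]*MODULES_LOADED_ON_BOOT="\{0,1\}\([^"#]*\).*$/\1/p' "$1" \
        | tail -n 1 | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Succeed if <module>.ko exists anywhere under the given kernel's module tree.
# $1 = module name, $2 = kernel release, $3 = modules root (normally /lib/modules)
module_installed() {
    [ -n "$(find "$3/$2" -name "$1.ko" -type f 2>/dev/null | head -n 1)" ]
}

# Print "OK" or one line per problem; return 0 only if every check passes.
# $1 = sysconfig file, $2 = kernel release, $3 = modules root
check_dazuko() {
    rc=0
    # Step 4 in post #1: both names must be in MODULES_LOADED_ON_BOOT.
    for m in dazuko capability; do
        boot_modules "$1" | grep -qx "$m" || { echo "MISSING_BOOT_ENTRY $m"; rc=1; }
    done
    # Step 2 in post #1: the module must exist for this kernel release.
    # A kernel update creates a new, empty tree, so this is what breaks.
    module_installed dazuko "$2" "$3" || { echo "MISSING_MODULE dazuko.ko for $2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Check the running system only when asked to (hypothetical switch).
if [ "${1:-}" = "--live" ]; then
    check_dazuko /etc/sysconfig/kernel "$(uname -r)" /lib/modules
fi
```

Run with `--live` after each kernel update; a `MISSING_MODULE` line means the module has to be rebuilt and copied for the new kernel release.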
 