
Norman Virus Control

for NetWare
Version 4.70
Administrator's Guide
Norman Virus Control for NetWare - Administrator's Guide
Copyright 1990-2004 Norman
Limited warranty
Norman guarantees that the enclosed diskette/CD-ROM and documentation do not have
production flaws. If you report a flaw within 30 days of purchase, Norman will replace
the defective diskette/CD-ROM and/or documentation at no charge. Proof of purchase
must be enclosed with any claim.
This warranty is limited to replacement of the product. Norman is not liable for any other
form of loss or damage arising from use of the software or documentation or from errors
or deficiencies therein, including but not limited to loss of earnings.
With regard to defects or flaws in the diskette/CD-ROM or documentation, or this
licensing agreement, this warranty supersedes any other warranties, expressed or implied,
including but not limited to the implied warranties of merchantability and fitness for a
particular purpose.
In particular, and without the limitations imposed by the licensing agreement with regard
to any special use or purpose, Norman will in no event be liable for loss of profits or other
commercial damage including but not limited to incidental or consequential damages.
This warranty expires 30 days after purchase.
The information in this document as well as the functionality of the software is subject to
change without notice. The software may be used in accordance with the terms of the
license agreement. The purchaser may make one copy of the software for backup
purposes. No part of this documentation may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying, recording or
information storage and retrieval systems, for any purpose other than the purchaser's
personal use, without the explicit written permission of Norman.
The Norman logo is a registered trademark of Norman ASA.
Names of products mentioned in this documentation are either trademarks or registered
trademarks of their respective owners. They are mentioned for identification purposes
only.
NVC documentation and software are
Copyright 1990-2004 Norman ASA.
All rights reserved.
Last revised on 5 July 2004.
Norman Offices
Norman Data Defense Systems AS
Blangstedgårdsvej 1, DK-5220 Odense S, Denmark
Tel. +45 6311 0508 Fax: +45 6590 5102
E-mail: normandk@normandk.com Web: http://www.norman.com/dk
Norman Ibas OY
Läkkisepäntie 11, 00620 Helsinki, Finland.
Tel: +358 9 2727 210 Fax: +358 9 2727 2121
E-mail: norman@norman-ibas.fi Web: http://www.norman-ibas.fi
Norman Data Defense Systems GmbH
Kieler Str. 15, D-42697 Solingen, Germany.
Tel: +49 212 267 180 Fax: +49 212 267 1815
E-mail: norman@norman.de Web: http://www.norman.de
Norman/SHARK BV
Postbus 159, 2130 AD, Hoofddorp, The Netherlands.
Tel: +31 23 789 02 22 Fax: +31 23 561 3165
E-mail: support@norman.nl Web: http://www.norman.nl
Norman ASA
Mailing address: P.O. Box 43, N-1324, Lysaker, Norway.
Physical address: Strandveien 37, Lysaker, N-1324 Norway.
Tel: +47 67 10 97 00 Fax: +47 67 58 99 40
E-mail: norman@norman.no Web: http://www.norman.no/no
Norman Data Defense Systems AB
Västgötegatan 7, SE-602 21 Norrköping, Sweden
Tel. +46 11 230 330 Fax: +46 11 125 126
E-mail: sales.se@norman.no Web: http://www.norman.com/se
Norman Data Defense Systems AG
Postfach CH-4015, Basel, Switzerland.
Tel: +41 61 487 2500 Fax: +41 61 487 2501
E-mail: norman@norman.ch Web: http://www.norman.ch
Norman Data Defense Systems (UK) Ltd
PO Box 5517, Milton Keynes MK5 6XJ, United Kingdom.
Tel: +44 08707 448044 Fax: +44 08717 176999
E-mail: norman@normanuk.com Web: http://www.normanuk.com
Norman Data Defense Systems Inc.
9302 Lee Highway, Suite 950A, Fairfax, VA 22031, USA
Tel: +1 703 267 6109, Fax: +1 703 934 6367
E-mail: norman@norman.com Web: http://www.norman.com
Training and Technical Support
For training or technical support, please contact your local dealer
or Norman ASA.
System requirements
For server operating system:
NetWare versions 4.11 or later.
For NetWare 4, Support Pack 9 is required.
For NetWare 5 and 6 the latest support packs are recommended.
For NetWare 5.0, Support Pack 6 is required.
On NetWare 5.1 we strongly recommend Support Pack 6, and on
NetWare 6.0 we strongly recommend Support Pack 3. See note below.
Note: With the release of Support Pack 6 for NetWare 5.1 and
Support Pack 3 for NetWare 6.0, Novell fixed a set of bugs that
affected FireBreak's performance. The APIs needed to detect
whether a file residing on an NSS volume had changed were broken
until the release of these support packs. Servers running older
SPs on NetWare 5.1/6.0, or NetWare 5.0 with NSS volumes, are
subject to this error. On these servers we scan files on close if
they were opened for write, regardless of whether they were
changed or not, as we have no choice in the matter.
NetWare support packs are available from Novell at
http://support.novell.com
The server's SYS volume must have LONG name space installed.
NDS v6 or later, including eDirectory.
Disk space required on server: approximately 10 Mb.
Memory required on server: approximately 5 Mb.
For installation and administration:
A workstation with Windows 98/ME with Novell client, or
Windows NT/2000/XP with Novell client.
ConsoleOne v1.3 or later running on a workstation or on the
server's graphical console.
See also "System requirements - NIU" on page 97 and
"Preparing FireBreak for NIU downloads" on page 98,
as well as the Readme file for other details.
Who should read this manual?
This manual is intended for system administrators with an
overall responsibility for maintenance of the network, including
installation and distribution of software to the workstations.
About this manual
The general outline of this manual is based on the logical
sequence in which the average user will approach the product, i.e.
a brief introduction to FireBreak followed by installation,
configuration, administration, and troubleshooting-related topics.
As you will see, each module has its own configuration section,
starting with two screen dumps: one for the NDS object and one for
the Console menu. In other words, when we describe configuration
options in this document, the corresponding NDS object GUI and the
console menu will be displayed. On the rare occasion that an
option is available from the console menu only, the option is duly
marked:
[X] Operate as communications hub
(Console menu only.)
See also the section Considerations before you start on page 23,
which addresses the NDS object vs. the Console menu matter.
Any references to NDS in this manual also include eDirectory,
i.e. the newer version of NDS.
Technical support
Norman provides technical support and consultancy services for
NVC and security issues in general. Technical support also
comprises quality assurance of your anti-virus installation,
including assistance in tailoring NVC to match your exact needs.
Note that the number of services available will vary between the
different countries.
Check Norman's web site for more information:
www.norman.com.
Prerequisites
We assume, in this documentation, that you are familiar with
LAN terminology in general and NetWare terminology in
particular. We further assume that you are familiar with the tasks
involved in administrating a NetWare-based LAN. Within this
manual, we sometimes refer you to the NetWare manuals since
explaining NetWare utilities is beyond the scope of this
documentation.
For more information about NetWare see
http://www.novell.com/documentation
Contents
System requirements ................................................................................iv
Who should read this manual? ..................................................................v
About this manual .....................................................................................v
Technical support ......................................................................................v
Prerequisites .............................................................................................vi
About NVC for NetWare ..........................................................................11
What is NVC for NetWare? ....................................................................11
Components in NVC for NetWare ..........................................................12
Scanning modes ......................................................................................12
What is protected? ...................................................................................12
Before you install .......................................................................................13
Directory structure ..................................................................................14
FireBreak files.................................................................................... 15
FireBreak log files.............................................................................. 16
Installing FireBreak ..................................................................................18
Installing on a single server ....................................................................18
Installing on multiple servers ..................................................................18
Why do I need a configuration object in my NDS? ........................... 19
Where do I place the configuration object? ....................................... 19
How do I insert the configuration object?.......................................... 20
Multi-server environment and configuration object .......................... 20
Real-time configuration change detection vs. polled checks ............. 21
What if the object can't be read? ...........................................21
A special user group ......................................................................22
Configure FireBreak .................................................................................23
Considerations before you start ..............................................................23
Basic options ...........................................................................................24
Common scanning options ......................................................................27
Real-time scanning options .....................................................................31
Include list for server-based processes............................................... 33
Server scanning options ..........................................................................35
Virus detected options .............................................................................38
Messaging options ...................................................................................43
The Inter-server tab ............................................................................ 44
The NetWare tab ................................................................................ 45
The Printing tab.................................................................................. 50
The SNMP tab.................................................................................... 53
The e-mail tab..................................................................................... 56
Test alerts ........................................................................................... 59
NDS options ............................................................................................60
Auto update options ................................................................................63
Loading and unloading ..............................................................................68
Loading FireBreak ..................................................................................68
Unloading FireBreak ...............................................................................69
Command line switches ..........................................................................70
Specifying a configuration object on the command line.................... 70
Specifying a configuration file on the command line ........................ 70
Forcing polled checks for changes to the configuration object.......... 70
FireBreak Administration .........................................................................71
The FireBreak console menus .................................................................71
The ConsoleOne snap-in .........................................................................72
Password protection of configuration and unload.............................. 72
The Main menu .......................................................................................73
Scan server ......................................................................................... 73
The keys used..................................................................................... 74
The information displayed ................................................................. 74
Administer FireBreak......................................................................... 77
Display monitor.................................................................................. 78
Display virus library........................................................................... 79
Virus characteristics ......................................................................79
The keys used..................................................................................... 80
Find virus............................................................................................ 81
Information on each virus .................................................................. 81
Exit FireBreak .........................................................................................82
Monitor screen ........................................................................................83
The keys used..................................................................................... 84
The information displayed ................................................................. 84
Monitor menu..................................................................................... 90
List alert group members ...............................................................91
Display statistical information .......................................................92
List the five files with the longest scan time .................................94
Display NDS related information ..................................................94
Norman Internet Update ...........................................................................97
System requirements - NIU................................................................ 97
Preparing FireBreak for NIU downloads ........................................... 98
Installation ...............................................................................................98
Directory structure ..................................................................................99
Loading NIU on NetWare .....................................................................100
Configure and use NIU on NetWare................................................ 100
From the server console ................................................................... 100
The keys used................................................................................... 101
Update now! ..................................................................................... 102
Configure NIU ................................................................................. 103
Products............................................................................................ 104
Languages ........................................................................................ 105
Platforms .......................................................................................... 106
Authentication key ........................................................................... 107
Exit ................................................................................................... 107
Scheduler.......................................................................................... 108
Exit ................................................................................................... 108
Other issues related to updating and NIU .............................................109
Updating the ConsoleOne snap-in ........................................................109
Changing update paths ..........................................................................109
Updating FireBreak on servers that are not connected to the Internet ..110
Alternative A ...............................................................................110
Alternative B ...............................................................................111
Testing new updates before large scale distribution .............................111
Setting up multiple NIU servers in your network .................................112
Using NetWare and NIU as distribution central for workstations without NetWare Client installed ......113
Advanced FireBreak ................................................................................114
Virus alerts and messaging structure ....................................................114
Understanding how messaging works with FireBreak..................... 114
Using SNMP to centralize monitoring of infections .............................114
Setting up a FireBreak messaging hierarchy in your network ..............115
Using FireBreak messaging in a multi-tree environment................. 119
How FireBreak finds the communication hub address .................... 119
Using different NDS configuration objects for a single server or group of servers ......120
Special issues ............................................................................................122
iFolder, viruses, and FireBreak .............................................................122
Using FireBreak with Novell's Native File Access Protocols ..............122
CIFS users and FireBreak message handling ........................................123
Using FireBreak with IPX and protocol routers............................... 124
Using a FireBreak communication hub in an IP/IPX bridged network ......125
Troubleshooting .......................................................................................126
Missing ConsoleOne FireBreak snap-in .......................................... 126
ClibAux.NLM is a library ................................................................ 126
Norman eLogger .............................................................................. 127
Appendix A - Sandbox .............................................................................128
Background ...................................................................................... 128
What is a sandbox?........................................................................... 128
Sandboxing techniques..................................................................... 129
How does sandboxing affect the user?............................................. 129
Index ..........................................................................................................131
About NVC for NetWare
What is NVC for NetWare?
Note: FireBreak v4.70 supports NetWare version 4.11 Support
Pack 9 and higher.
Norman Virus Control for NetWare, also known as FireBreak,
is a server-based anti-virus program that monitors your server for
malicious software, also referred to as malware. Malware includes
viruses, worms, and other varieties of destructive code.
FireBreak can detect and remove known and unknown viruses
from your NetWare server.
FireBreak checks files when they are accessed, and possible
viruses are removed automatically.
The primary strength of FireBreak is in providing real-time
scanning: continuous scanning of files accessed on the server.
This means that if a user tries to copy an infected file to or from
your server, or run an infected file from the server, FireBreak
will detect the file and move, delete, or clean it. These actions are
all configurable.
Another feature of FireBreak is its on-demand scanning. In
addition to real-time scanning, you can at any time scan the
server for possible viruses.
We have not overlooked the possibility that your NetWare
servers might be operating in a multi-server environment.
Enterprise-wide functioning is yet another strength of FireBreak.
If you have two or more NetWare servers running FireBreak, you
may configure some of them to be a communications hub. The
hub can then operate as a central monitoring station, enabling
you to administer your servers more efficiently.
FireBreak creates a configuration object in your NDS /
eDirectory. Then you can use this object to configure all your
FireBreak objects from one central location.
Components in NVC for NetWare
NVC for NetWare is made up from three main components:
1. The server-based modules running on the NetWare server as
NetWare Loadable Modules.
2. The snap-in configuration object module for ConsoleOne.
With this module you can configure and control FireBreak
from a central location.
3. Norman Internet Update (NIU), which is the mechanism for
updating all parts of the product.
See "Why do I need a configuration object in my NDS?" on page
19.
Scanning modes
FireBreak has two different scanning methods. The first, and
most important, is real-time scanning.
The second mode is the on-demand, manual scanning. This is
performed at your discretion.
What is protected?
Even though FireBreak communicates with Norman anti-virus
software running on workstations, FireBreak is a network
product. This means that it does not take any action on infected
files that are manipulated on local hard drives or floppies. This
job is the responsibility of the workstation software. If those
infected files are transferred to the server, however, FireBreak
will take action in accordance with its configuration.
Before you install
Before you install FireBreak on your server you should decide if
you want to:
1. Administer FireBreak configuration from an NDS object,
facilitating a central configuration environment, or
2. Administer each of your FireBreak server(s) from the
NetWare console.
It is highly recommended that you choose the NDS object
configuration method. This will reduce your administration
time and provide a consistent configuration for all your
FireBreak servers.
3. Install Internet Update on one server.
If you install this component, you can update both your
FireBreak servers and other NVC platforms in your network.
= For more information about the update functionality, see
Norman Internet Update on page 97.
Note: If you intend to install the ConsoleOne snap-in, make
sure that you close this application to avoid a restart of
the server.
Directory structure
The installation routine will create the directory structure that
FireBreak requires. The following tree will be created on the
SYS volume.
Directory: Description:
SYS:FIREBRK
    FireBreak's home directory.
SYS:FIREBRK\LOG
    This is where FireBreak places log files as they are created.
    All members of the FireBreak user group should have Read and
    File Scan rights in this directory.
SYS:FIREBRK\VIRUS
    This directory is used as a virus container. Infected files
    are moved here, provided the system is configured to do so. We
    recommend that only the Admin user have rights in this
    directory.
SYS:FIREBRK\DOWNLOAD
    Where the ZIP files fetched by NIU are placed. Make sure that
    "Enable auto update of local server" (see page 63) is on for
    FireBreak to check this directory for updates.
FireBreak files
During installation, the following files from the FireBreak
distribution are copied to the SYS:FIREBRK directory:
File: Description:
FIREBRK.NLM
    The program's executable file.
NVCMACRO.DEF
    FireBreak's macro virus information database.
NVCBIN.DEF
    FireBreak's binary virus information database.
NVCINCR.DEF
    Contains updates to the other .DEF files.
FB400.CFG
    FireBreak's configuration file.
NSENW.NLM
    The scanner engine, implemented as a support NLM. This keeps
    FireBreak at the same level as the workstation products with
    regard to virus detection.
NRELOAD.NLM
    A helper NLM exclusively for FireBreak. Part of the automatic
    update feature.
ELOGGER.NLM
    A troubleshooting tool.
ELOGWS32.NLM
    Support NLM for ELOGGER.NLM.
During installation, the following file is copied to the
SYS:SYSTEM directory:
FB.NCF
    This .NCF eases loading of FireBreak.
For the sake of simplicity, FB.NCF is automatically copied to
the SYS:SYSTEM directory. This makes it available through the
server's standard search path. Alternatively, you may add
FireBreak's home directory to the server's search path by typing
the command:
SEARCH ADD SYS:FIREBRK [Enter]
from the system console. Or add the command to the
AUTOEXEC.NCF file on a line prior to the one that loads
FireBreak.
Refer to page 68 for instructions on Loading FireBreak.
FireBreak log files
FireBreak's log files are all stored in the SYS:FIREBRK\LOG
directory. They are created automatically when, and if, they are
needed. There are five (5) different log files:
FBERROR.LOG
    This file holds error messages.
FBREALTI.LOG
    This file logs virus incidents that are detected by the
    real-time scanner, and incidents communicated by Norman
    anti-virus software running on workstations that are
    connected to the server.
FBSCAN.LOG
    The results of manual/scheduled scanning are placed in this
    file.
FBVIRUS.LOG
    This log holds the name of each infected file that has been
    moved to the SYS:FIREBRK\VIRUS directory, the file's original
    path and file name, and the name of the virus.
FBEVENTS.LOG
    This log holds information about file updates performed by
    the auto update function (see page 63).
Installing FireBreak
Installing on a single server
1. Log in to your desired tree as Admin or an equivalent user.
2. Ensure that you have a drive mapped to the root of the
server's SYS volume.
3. Start the installation program and work your way through
the dialogs.
4. Start FireBreak on the server by typing FB and pressing
[Enter] on the server's console screen. If FireBreak
during load can't find an object, or the schema has not been
extended, a warning message is issued. Operation will
continue with the configuration data stored on the server. On
the monitor screen you can check the name of the object used.
You can also see the change detection mechanism used (see
below).
Installing on multiple servers
If you wish to install FireBreak on other servers in the same tree,
you do not necessarily need to repeat all the previous steps for
each server. Just make sure that you have a drive mapped to the
root of the SYS volume to each of the desired servers as
illustrated below.
Then just follow the normal setup.
Note: If you load FireBreak from AUTOEXEC.NCF during the
server's startup, please note that it should be loaded
towards the end of the file to ensure that NDS is fully
operational.
Why do I need a configuration object in my NDS?
The FireBreak NDS configuration object controls the behavior of
the FireBreak NLM. You can set all FireBreak configuration
options in this object. This object can configure all servers in
your tree running FireBreak.
Where do I place the configuration object?
Normally the configuration object resides in the organization
container of the user you installed FireBreak with. If you have
several servers in multiple containers, the optimal solution is to
put the configuration object either in root, or in the servers
parent container(s).
Administrators or users that need to change the FireBreak
configuration object will need Write privileges to the object's
properties.
Note: A FireBreak configuration object can reside in an
Organizational container (O), Organizational Unit (OU),
or in a Country container (C).
Note well: When FireBreak is loaded it will search the container
where the server object resides for a configuration
object. If no object is found, FireBreak will start a
reverse tree-walk, looking for a configuration object in
the parent container, searching upwards to the root until
it finds a configuration object, or it reaches the root of
the tree. FireBreak uses the first configuration object that
is found. Note that FireBreak does not search down into
existing containers, only up towards the root.
How do I insert the configuration object?
Select New|Norman FireBreak config or click the Norman N-
button on the tool bar. You can no longer press [Ins] to create
the FireBreak object as you could in NWAdmin; this is a
limitation in ConsoleOne. To run the proper object creator code,
ConsoleOne requires that you use the menu or the popup menu.
Multi-server environment and configuration object
If you are managing a multi-server environment you can place
the configuration object in a container where it can be accessed
by all servers. By providing access to the configuration object all
servers will use the same configuration.
If you want to provide a different configuration for a specific
server, simply put a configuration object in this server's
container. The server will then find this object first, and
consequently use it. You can apply the same principle for a group
of servers.
See "Advanced FireBreak" on page 114.
Real-time configuration change detection vs. polled checks
When you have applied changes to a configuration object,
FireBreak in turn can apply these to all servers that use this
specific object.
Real-time change detection is the default mode, provided that it
can be implemented on your system. This relies on the event
mechanism built into NDS (DSEvents). Once the object is changed,
FireBreak is informed of the event and the new configuration is
read and made the active one. The time delay, if any, may vary
from the time the change is saved by the configuration utility to
when it is picked up by FireBreak running on a server. Even if
real-time change detection is used, there may be a delay. The
delay depends on when NDS synchronizes the changes to the
partition between the servers in the tree.
Polled checks for changes are the other mode. Once every x
minutes (the default value is 240), the object is checked for
changes by reading the object's version number. If it has
changed, the new configuration is read and made the active one.
Polled checks are always used if the server does not hold a local
replica of the NDS partition where the configuration object is
stored.
What if the object can't be read?
There may be several reasons why a configuration object cannot
be found: broken server links, the server holding the object may
be temporarily unavailable, or the administrator may have
failed to create one. Regardless of the reason, FireBreak loads
and works. Whenever a configuration is read from NDS, it's
saved in a local file, FB400.CFG. This file is used as a fallback
in the situations described above.
FB400.CFG is located in the root of the server's
SYS:FIREBRK directory. This is a binary file and cannot be
edited.
22 Norman Virus Control for NetWare - Administrators Guide
Copyright 1990-2004 Norman
A special user group
An important feature of FireBreak is the messaging functionality.
When a virus is detected, FireBreak can send alerts to the
offending user, to the server console, and to a pre-defined user
group.
Note: The Admin will only be notified of virus events if this
user is a member of FireBreak's special user group. Use
NetWare's workstation-based administration utility,
ConsoleOne, to create the group and add the appropriate
members (see your NetWare Utilities Reference for
further details). If you want to use a group that already
exists, change the name of the group that FireBreak
should use. Make these changes from the appropriate
menu (see Configure FireBreak on page 23).
Once you have decided upon a user group, make sure that all
members of the group have Read and File Scan rights to the
SYS:FIREBRK\LOG directory. A simple way to do this is to use
NetWare's ConsoleOne to add the group as a trustee of the
SYS:FIREBRK\LOG directory.
Configure FireBreak
When you configure FireBreak you have a number of options
available. Most of the options are enabled or disabled from this
menu's submenus.
FireBreak is shipped with many preselected options. These
default options are identified by a marker in the check box, like
this:
[x] Scan incoming files
You can always click on the Default button to view the default
settings in a dialog. (Only in the snap-in.)
Note: If you don't use the NDS object, you can reset all options to
their default values this way:
1. Unload FireBreak
2. Delete SYS:FIREBRK/FB400.CFG
3. Load FireBreak
Considerations before you start
Before you start configuring FireBreak you should consider
the structure of your network, how you want your server(s)
running FireBreak to act, and how you would like to manage
them.
There are two principal approaches for configuring and
administering FireBreak:
1. Use NDS / eDirectory to configure all FireBreak servers in
your tree. You can also have several FireBreak NDS objects
in your tree, facilitating different configurations for different
FireBreak servers.
2. Use the console menus to configure each server
individually.
Note: When we describe configuration options in this
document, the corresponding NDS object GUI and the
console menu will be displayed.
Clicking the Default button, present in all GUIs, restores
the original, default values for that dialog.
Basic options
[x] Display messages on system console
Instructs FireBreak to display important virus detection
messages on the server's console screen, in the form shown
in the example below.
Note: In NetWare 6 all virus detection messages are displayed
in the server console Logger screen.
FB :Virus detected by real-time scanner
Time :Mon 2003/06/23 11:34:36
Info
Server :LANCELOT.roundtable
In tree :EXCALIBUR
Virus name :VW/SHowOffD
Infected file :DATA:USERS/FRED/LETTER2.DOC
File was :created
File accessed by :fred.roundtable
From :172.17.7.34
Action taken :quarantined
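The console message above is the record a security team would want to forward to a log collector. The following parser is an added example, not part of Norman's software: it turns one such block into a structured record. The sample block is constructed from the fields in the manual's own example, and the derived key names (event, virus_name, infected_file, ...) are this example's own choice.

```python
"""Turn FireBreak's console virus-detection block into a structured record.

Added example, not part of Norman's software. The sample block below is
constructed from the fields in the manual's console example. Each
'Name :value' line becomes one key; the 'FB' line carries the event type
and the bare 'Info' line is a section label with no value. Key names
derived here (event, virus_name, ...) are this example's own.
"""
import re
from datetime import datetime

SAMPLE_CONSOLE_BLOCK = """\
FB :Virus detected by real-time scanner
Time :Mon 2003/06/23 11:34:36
Info
Server :LANCELOT.roundtable
In tree :EXCALIBUR
Virus name :VW/SHowOffD
Infected file :DATA:USERS/FRED/LETTER2.DOC
File was :created
File accessed by :fred.roundtable
From :172.17.7.34
Action taken :quarantined
"""

# Field name, optional spaces, a colon, then the value. The value itself may
# contain colons (volume names such as DATA:), so only the first one splits.
_FIELD = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:(?P<value>.*)$")


def parse_console_block(text: str) -> dict:
    """Parse one detection block; returns {} for text without fields."""
    record = {}
    for line in text.splitlines():
        m = _FIELD.match(line.rstrip())
        if not m:
            continue                       # 'Info' and blank lines carry no value
        key = m.group("key").strip()
        name = "event" if key == "FB" else key.lower().replace(" ", "_")
        record[name] = m.group("value").strip()
    return record


def event_time(record: dict) -> datetime:
    """Convert the 'Time' field ('Mon 2003/06/23 11:34:36') to a datetime."""
    return datetime.strptime(record["time"], "%a %Y/%m/%d %H:%M:%S")


def to_syslog_line(record: dict) -> str:
    """One key="value" line suitable for forwarding to a log collector."""
    wanted = ("event", "server", "in_tree", "virus_name", "infected_file",
              "file_accessed_by", "from", "action_taken")
    return " ".join(f'{k}="{record.get(k, "")}"' for k in wanted)
```

The "From" address and "File accessed by" name are the two fields worth correlating with other logs: together they tell you which workstation wrote the infected file to the server.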
[x] Display monitor-screen upon load
FireBreak can open a monitor screen at startup displaying
information about real-time scanning and available
options. Various informative submenus are available.
See Monitor screen on page 83.
[x] Save infection information across loads
FireBreak can save information across loads about the last
detected virus and the total number of infected files detected by
both the real-time scanner and any Norman anti-virus products
running on connected workstations. FireBreak displays this
information in its Monitor window (see page 83). If the
information has been saved, it will be restored when FireBreak is
loaded. The saved information is updated automatically when
FireBreak exits or is unloaded by the server.
Password protected configuration
This option allows you to edit an existing password or create a
new one. If you have specified a password, FireBreak prompts
you for this password when you enter the Configure FireBreak
menu or attempt to exit FireBreak.
The minimum password length is 4 characters, while 15 is the
maximum. You can use the ASCII characters 1 through 255. The
password is not case sensitive for the characters A through Z,
and is case sensitive for the remaining valid characters. Password
protection is optional.
To remove a password, delete all characters and press [Enter].
Click on Change password to change an existing password.
The password is only visible when you edit it. At all other times,
the characters are echoed as *.
Note: By default, a password is not assigned. If you forget a
specified password, you can change it in the FireBreak
ConsoleOne snap-in. FireBreak assumes that if you have
modify rights to the FireBreak configuration object, you
are the Admin or equivalent in the network.
Note well: If you have chosen to run FireBreak without an NDS
object, you must delete the FB400.CFG file from the
SYS:FIREBRK directory, then restart the server. You will not be
able to unload FireBreak before restarting the server. To restore
FB400.CFG, run the install program to replace it. If you do this,
however, remember that all configuration settings are restored to
their default values.
Common scanning options
Scanning options are specified separately for real-time scanning
and on-demand scanning (see Server scanning options on page
35). Options that apply to both scanning methods are located in
this dialog.
[x] Scan inside compressed program files
When this option is enabled, FireBreak can scan for possible
infections inside executable files compressed by utilities such as
PKLite and Diet.
[x] Scan for security risks
This option instructs FireBreak to scan for objects that represent
a possible security risk. Some administrators have installed
programs like password crackers and remote administration tools
that are perfectly legal and probably useful too. However, the
lack of security features in some of these tools can expose
machines to unauthorized users and crackers. FireBreak detects
the activity of such tools and will warn against potential security
risks. Warnings report the name of the program, so you can
decide whether a legitimate program or cracker activity
triggered the alarm.
[x] Scan for aggressive commercials
Sometimes unwanted programs are attached to programs that
you download from the Internet, for example for evaluation
purposes. They do not inform you about their presence, and if
you uninstall the original program, the hidden program may still
be on your machine. It is hard to find and has no uninstall
procedure. At odd intervals these programs will log on to the
Internet and download commercials all by themselves. They are
not harmful like a traditional virus, but they are annoying and
create unnecessary network traffic. FireBreak can detect and
remove such programs. Note that free software that you have
installed may not work when this option is selected.
[x] Exclude files of indeterminate format
Select this option to instruct FireBreak to skip files of
indeterminate format. Such files may be damaged files, or files
with an unknown format.
[x] Exclude list
(Console menu only.)
Specify files, directories, or entire volumes that you want to
exclude from real-time and server scanning.
Use the [Insert] and [Delete] keys to add or remove entries in the
list. You can browse to directories and even select a specific file
name to include. Remember that if you select a directory, its
subdirectories are included.
When specifying a file, you can choose to exclude the specific
file only, or to exclude all files of the same type.
Note well:
Exclude lists should be handled with great care, as they represent
a potential security risk.
Real-time scanning options
These options allow the administrator to tailor FireBreak to
better meet the organization's needs. You can select scanning of
incoming and/or outgoing files.
[x] Scan incoming files
FireBreak considers the following types of files as incoming
files:
New files created on the server.
Existing files that have been changed.
[x] Scan outgoing files
FireBreak considers the following types of files as outgoing
files:
Files residing on the server that are read by a
workstation, for example when a program installed on
the server is executed from the workstation. Another
example is when a file on the server is copied to the
workstation.
[x] Scan outgoing files opened for write
An alternative to the previous option is to instruct FireBreak to
scan files on open, provided they are opened in a way that they
may be changed (open for write). This means that programs
executed from the server are not scanned before access is granted
to the file, as the execute opens the file only for read. If a user
opens a file on the server in a word processor, for example, this
file will be opened for write. If this option is enabled, FireBreak
scans the file before the word processor is granted access to the
file. As this option is a variant of the Scan outgoing files option,
it is flagged as not applicable (N/A) if Scan outgoing files is
selected.
[x] Scan for new, unknown viruses using sandbox
Select this option if you want FireBreak to look out for new virus
variants. The sandbox is particularly tuned to find new email,
network and peer-to-peer worms and file viruses, and will also
react to unknown security threats. When a new piece of
malicious code is detected, the system administrator receives a
message through FireBreak's messaging system listing the vital
facts.
When this option is selected, scanning time will increase.
Note well:
Files copied from the server to a workstation are not opened
for write. To scan files on copy, Scan outgoing files must be
enabled.
Include list for server-based processes
[x] Include list for server-based processes
(Console menu only.)
By design, FireBreak will not scan files that are created or
changed by server-based processes. By excluding such scans,
FireBreak will not interfere with server-based processes, thus
avoiding potential performance and time-out problems affecting
the server.
You may be running services on your server where the default
exclusion represents a security risk. This option allows you to
select directories that these services use for file operations, and
make sure that all files that pass through them are scanned by
FireBreak's real-time scanner. Typical examples are CIFS (part
of Native File Access Protocols), where users can access files on
the server without a Novell client, as well as FTP and web servers
that allow connected users to upload files.
For more information, see Using FireBreak with IPX and
protocol routers on page 124.
Entries in FireBreak's Exclude list have higher priority and are
checked after the Include list.
Consequently, if a directory, file or a specific file type is listed in
the Exclude list, these will not be scanned even if they reside in a
directory on the Include list.
Note: Be careful to select the correct directory you want
FireBreak to scan.
Be aware that FireBreak scans all files in the selected directory
and its subdirectories regardless of which server-based process
they belong to. Hence the number of directories in the list should
be kept at a minimum.
Note well: With this option you can choose an entire volume. We
strongly recommend NOT doing this. Including an entire
volume can seriously slow down and destabilize your
server.
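The interaction between the incoming/outgoing options, the Include list for server-based processes and the Exclude list decides whether a given file event is scanned at all, and the edge cases (a copy or execute opens for read only; an excluded file type inside an included directory) are easy to get wrong when reviewing a configuration. The following model is an added example, not Norman's code: it encodes the rules stated in this section and the real-time scanning section above so that a proposed configuration can be checked against sample events. The event names, the option field names and the path normalisation are this example's own assumptions.

```python
"""Model of the real-time scan decision described in the FireBreak manual.

Added example, not Norman's code. It encodes the stated rules: incoming
events are files created or changed on the server; outgoing events are
files read by a workstation (an execute or a copy opens the file for read
only) or opened for write; files handled by server-based processes are
skipped unless they lie under an Include-list directory; Exclude-list
entries (a volume, a directory with its subdirectories, a single file, or
a file type) are checked last and win. The event names, option field
names and path normalisation are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

INCOMING = {"create", "modify"}      # new or changed files on the server
OUTGOING = {"read", "open_write"}    # files a workstation reads or opens for write


def norm(path: str) -> str:
    """Upper-case, forward slashes, and 'VOL:PATH' written as 'VOL:/PATH'."""
    p = path.replace("\\", "/").upper()
    if ":" in p:
        vol, rest = p.split(":", 1)
        p = vol + ":/" + rest.lstrip("/")
    return p.rstrip("/")


def under(path: str, prefix: str) -> bool:
    """True if `path` is `prefix` itself or lies below it (subdirectories count)."""
    p, q = norm(path), norm(prefix)
    return p == q or p.startswith(q + "/")


@dataclass
class RealTimeOptions:
    scan_incoming: bool = True
    scan_outgoing: bool = False
    scan_outgoing_open_for_write: bool = False
    include_dirs: List[str] = field(default_factory=list)   # Include list (server-based processes)
    exclude_paths: List[str] = field(default_factory=list)  # Exclude list: volumes, directories, files
    exclude_types: Set[str] = field(default_factory=set)    # Exclude list: file types, e.g. {"LOG"}

    def excluded_by(self, path: str) -> Optional[str]:
        """The Exclude-list entry that covers `path`, or None."""
        name = norm(path).rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        if ext and ext in {t.upper().lstrip(".") for t in self.exclude_types}:
            return "*." + ext
        for entry in self.exclude_paths:
            if under(path, entry):
                return entry
        return None

    def should_scan(self, path: str, event: str, server_process: bool = False) -> bool:
        """Decide whether the real-time scanner inspects one file event."""
        if event in INCOMING:
            wanted = self.scan_incoming
        elif event in OUTGOING:
            # 'Scan outgoing files' covers every read. The open-for-write variant
            # only sees files opened so they may be changed, so an execute or a
            # copy to the workstation (read-only opens) passes it unscanned.
            wanted = self.scan_outgoing or (
                self.scan_outgoing_open_for_write and event == "open_write")
        else:
            raise ValueError(f"unknown event {event!r}")
        if not wanted:
            return False
        # Include list: server-based processes are skipped by design unless the
        # file lies in, or below, one of the listed directories.
        if server_process and not any(under(path, d) for d in self.include_dirs):
            return False
        # The Exclude list is checked after the Include list and has priority.
        return self.excluded_by(path) is None
```

Running a handful of representative events through `should_scan` (an upload through CIFS into an included directory, a `.LOG` file in that same directory, a program executed from the server) shows in one place which gaps a configuration leaves open.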
Server scanning options
These options allow the Administrator to configure FireBreak's
behavior during manual server scans. You can set the priority for
allocation of resources, in addition to what FireBreak should log.
Scanning priority
Scanning priority decides how FireBreak should operate when
the system is busy. If you set the priority to Low, FireBreak will
give way to other tasks and wait for a suitable occasion to
proceed. If the priority is set to High, FireBreak will acquire the
necessary resources to complete its task. You can choose
between High, Medium, and Low, where High is the default
setting.
[x] Scan for new, unknown viruses using sandbox
FireBreak employs its sandbox functionality to detect new,
unknown viruses. Select this option if you want FireBreak to
look out for new virus variants. The sandbox is particularly tuned
to find new email, network and peer-to-peer worms and file
viruses, and will also react to unknown security threats. When a
new piece of malicious code is detected, the system
administrator receives a message through FireBreak's messaging
system listing the vital facts.
When this option is selected, scanning time will increase, but it is
not likely to affect the performance considerably.
See also Scanning priority on page 36 and
Appendix A - Sandbox on page 128.
Logging
[x] Log results to file
As the manual scan progresses, information is logged to
SYS:FIREBRK\LOG\FBSCAN.LOG.
[x] Append to existing file
When selected, FireBreak appends the information from each
scan to the existing log file. If this option is disabled, FireBreak
deletes any old log file before the scan is started. A
header and footer are included for each scan.
[ ] Log infected files
Include the names and locations of all infected files that are detected.
[ ] Scanned directories
Include the names of all scanned directories.
[ ] Scanned files
Include the names of all scanned files.
Virus detected options
Use these options to configure how FireBreak should behave
when a virus is found. By default, FireBreak will clean viruses
when found, and move infected files that cannot be cleaned
off-line.
From this dialog you determine how FireBreak should handle
infected files.
[x] Clean viruses if possible
FireBreak has the ability to clean infected files on-the-fly. This
functionality has been implemented for the on-demand scanner
and for incoming and outgoing files.
On the monitor screen and in the log files, the Action taken field
will read The file was cleaned.
[x] Log incidents to file
Tells FireBreak to add entries to the log whenever a virus is
detected by the real-time scanner or by any NVC software running
on a workstation in the network. The log file is created only if
necessary and is named
SYS:FIREBRK\LOG\FBREALTI.LOG.
[x] Log workstation virus alerts
If you enable this option, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide for more information on NVC's
messaging system. In addition, the communication hub must be
on. See The Inter-server tab on page 44.
Note that the log files grow faster in size when this option is
enabled.
When cleaning is not possible
In some situations, FireBreak cannot clean infected files. For
example, FireBreak cannot clean files that are in use or reside on
a write-protected floppy, or if there is no repair script for the
virus in the virus definition files. Use this section to determine
how FireBreak should handle files that cannot be cleaned.
( ) Purge infected files
If you select this option, FireBreak purges infected files, making
them unrecoverable.
When you select this option, FireBreak uses NetWare's inherent
PURGE capability to permanently remove an infected file.
There may be more than one retrievable file in one directory with
the same file name as the infected one, and FireBreak will purge
them all when you use this option.
( ) Move infected files off-line
When you select this option, FireBreak moves all infected files
to the SYS:FIREBRK\VIRUS directory. FireBreak uses this as
a quarantine. Since it contains infected files, we recommend
that only Admins and possibly the members of the FireBreak
user group have rights in this directory.
Note: As long as FireBreak is running and the real-time
scanner is checking outgoing files, ALL users, even
Admin and members of FireBreak's special user group,
are denied access to the files in this directory.
Several infected files may happen to have identical names. If a
file exists in the SYS:FIREBRK\VIRUS directory with the
same name as that of a new file being moved there, FireBreak
will change the name of the newest file until it is unique.
The technique increments the first eight characters of the file's
name only; extensions are left untouched. First, if the name is
less than eight characters, it is padded with @ to achieve full
length. Then characters are incremented until they reach Z,
starting with the last character and going forward.
For example:
COMMAND.COM
COMMAND@.COM
COMMANDA.COM
COMMANDB.COM
:
CZZZZZZZ.COM
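The renaming rule above matters when you inspect the quarantine directory or reconcile FBVIRUS.LOG entries, because the name in SYS:FIREBRK\VIRUS can differ from the original. The following generator is an added example, not Norman's code: it reproduces the sequence the manual lists (COMMAND@.COM, COMMANDA.COM, ... through CZZZZZZZ.COM) from the description. The order beyond the listed examples is this example's reading of the text, and the treatment of stem characters outside the range @ through Z (digits, for instance) is an assumption.

```python
"""Quarantine file naming as the FireBreak manual describes it.

Added example, not Norman's code. Only the eight-character stem changes;
the extension is untouched. A short stem is padded with '@' to eight
characters, and that padded name is the first candidate. Characters are
then stepped through the ASCII range '@'..'Z' one position at a time,
starting with the last position and moving towards the first. The exact
order beyond the manual's listed examples is this example's reading of
the text. Stem characters outside '@'..'Z' are not covered by the manual:
here a character below '@' (a digit, say) is lifted to '@' before being
stepped, and a character above 'Z' is left alone (an assumption).
"""
from typing import Iterable, Iterator

FIRST, LAST = "@", "Z"


def quarantine_candidates(filename: str) -> Iterator[str]:
    """Yield candidate names in the order FireBreak would try them."""
    stem, dot, ext = filename.upper().partition(".")
    chars = list(stem[:8].ljust(8, FIRST))     # pad a short stem with '@'
    yield "".join(chars) + dot + ext             # padded name is tried first
    for pos in range(7, -1, -1):                 # last position first
        if chars[pos] < FIRST:                   # assumption: lift out-of-range char
            chars[pos] = FIRST
            yield "".join(chars) + dot + ext
        while chars[pos] < LAST:                 # step '@' -> 'A' -> ... -> 'Z'
            chars[pos] = chr(ord(chars[pos]) + 1)
            yield "".join(chars) + dot + ext


def unique_quarantine_name(filename: str, existing: Iterable[str]) -> str:
    """First candidate not already present in the quarantine directory."""
    taken = {name.upper() for name in existing}
    for candidate in quarantine_candidates(filename):
        if candidate not in taken:
            return candidate
    raise FileExistsError(f"no free quarantine name for {filename}")
```

For COMMAND.COM the sequence has 146 entries; CZZZZZZZ.COM is the 123rd, and the run continues to ZZZZZZZZ.COM before the name space for that extension is exhausted.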
Whenever an infected file is moved off-line, the event is logged
in FBVIRUS.LOG along with the virus name, the name of the
infected file as it now appears in the SYS:FIREBRK\VIRUS
directory, and the full path and name of the infected file as it
appeared in its original location.
Note: When files in the long (OS/2) name space are moved off-line,
some of the extended directory information is lost. The
file owner information is part of the information that is
lost. This limitation will be addressed in future versions
of FireBreak.
If files are moved from a volume that has the LONG (OS/2) name
space to a SYS: volume that does not, file names are converted to
comply with the FAT 8+3 specification. An example of a
converted name is: THIS IS A LONG DOCUMENT
NAME.DOC changes to THIS~IS~.DOC.
This is done only if Use numeric names for moved files is
deselected and the name is not FAT compliant.
[x] Use numeric names for moved files
To speed up naming infected files that are moved to
SYS:FIREBRK\VIRUS, this is an alternative naming method.
It involves creating unique names for the infected files using a
numeric value rather than the incremental names described
above.
Here is a sample from FBVIRUS.LOG, which displays the name
of the virus that infected the file, the name of the infected file in
SYS:FIREBRK\VIRUS, and the full path and name of the
original file, respectively.
UNIX/Svat.B S08830E8.H4 <= SYS:/APPS/UNIX/SE83382D.H4
VBS/Blebla.A@mm W0883101.CHM <= SYS:/APPS/WINTEL/TEST/WE527741.CHM
W32/Gop.A W0883105.SYS <= SYS:/USERS/CIFS/FRED/WE527747.SYS
W32/Klez.H@mm SF0CF0BD.PIF <= SYS:/INFECTED/SLUTTEN.PIF
You can see that there were four infections in different
directories. They were all infected by different viruses, and they
now reside in the SYS:FIREBRK\VIRUS directory with
slightly different names.
Messaging options
FireBreak's messaging system is extremely powerful: it can
send messages to and receive messages from workstations and
other servers running FireBreak, and print messages to a queue.
Choose between FireBreak's messaging system or SNMP traps,
or both. You can configure all of these features from the four
tabbed dialogs:
The Inter-server tab
[x] Send messages to communication hub
Tells FireBreak to send a message to the server running as
Communication Hub (see below) if a virus is detected by
FireBreak's real-time scanner.
Note: You can set up a hierarchy of communication hubs. See
Advanced FireBreak on page 114.
Server to use as communication hub:
Enter the server name, or click browse to view available servers.
The selected server will operate as a communications hub for a
network with multiple servers running FireBreak. The NDS
object must be configured to Send messages to
communications hub (see above).
As a message is received, it is broadcast to all connected
members of this server's FireBreak user group. If logging is
enabled, the event is logged in the system's log file.
Note: The selected communications hub must be enabled at the
FireBreak console menu. See Operate as
communication hub below.
Note well:
The FireBreak messaging hierarchy limits the number of servers
a message can be relayed to. In this version the number of levels
is limited to 16.
In addition, messages that are routed back to the originating
server are removed to avoid packet storms in your network.
For more detailed information on how FireBreak finds the
address of the communication hub, see Special issues on page
122.
[x] Operate as communications hub
(Console menu only.)
On the server targeted as the communications hub this option
must be enabled. If NetWare is bound to both IP and IPX, then IP
will be the preferred protocol for messaging.
See Setting up a FireBreak messaging hierarchy in your
network on page 115.
[x] Advertise communications hub using SAP
(Console menu only.)
This option is valid only when running an IPX network. SAP is
short for Service Advertising Protocol and provides
information about services and network addresses to clients and
servers in an IPX network.
Note: Only one server per network can operate as a hub if you
are using the SAP option above. The first server to load
FireBreak configured as a hub operates as one.
Subsequent attempts with other servers loading as hubs
will fail with a non-fatal error message.
The NetWare tab
The NetWare options allow you to specify a group of users to
be alerted when a virus is found. You can also choose to enable/
disable broadcasts of virus infections from both the server's and
the workstations' real-time scans.
Group to notify
In addition to the offending user, all members of a configured
user group can be notified of a virus detection. FireBreak will
send the message to all group members who are connected to the
server at the time of detection. And if a member is connected to
two workstations with a single user ID, for example, this user
will receive the message at both workstations.
To locate the desired group for FireBreak alerts, click the browse
button, and add the group object.
If no existing group is appropriate, create a new group using
NetWare's administration tool ConsoleOne.
There is no default name for this group.
Note: There are no limitations on the location of the group to
be alerted. It can reside anywhere in the directory, but
must be in the same tree.
[x] Notify offending user
By default, the infected user is notified about the infection. Use
the field Message to be broadcast to edit the message.
[x] Broadcast when a virus is detected
By default, all members of the specified group(s) are informed
about the virus incident.
[x] Broadcast when unable to clean
Select this option if you want to inform the selected group(s)
of viruses that couldn't be removed.
Message to be broadcast, real-time scan
The default message that is broadcast when the real-time scanner
detects an infected file is:
FB: @U may be infected with @V
You can edit the message to suit your needs with tokens, which
are shorthand placeholders. When messages are created and sent,
FireBreak replaces the tokens with the appropriate information.
The following table lists the available tokens and what they
represent:
Token  Representation
@F     The full path of the infected file.
@D     The distinguished name of the server.
@P     The offending user's physical IP or IPX address.
@S     The server's common name.
@U     The offending user's login name.
@V     The name of the detected virus.
The tokens are case sensitive: the second character must be in
upper case for FireBreak to recognize it.
When an actual message is created, FireBreak will truncate the
result so that it will fit within NetWare's limit of 250 characters.
Below are two examples of possible messages in the form they
would be entered and how they would look when sent:
FB: Server @S infected with '@V' - check log file!
FB: Server SIRIUS infected with W32/Klez.H - check log file!
[x] Broadcast alerts from workstation
For this option to work, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide and Administrator's Guide for
more information on NVC's messaging system.
If you select this option, enter the message in the box below.
FireBreak's default message is:
FB: @U received a virus alert on workstation
When used in conjunction with other Norman products,
FireBreak allows you to monitor virus infections both on local
hard drives and server drives.
As with the real-time scan broadcast message above, you can
edit this message to suit your needs. This message appears when
any NVC workstation software sends an alert to FireBreak. For
example, if a machine logged into a server running FireBreak
runs NVC and finds a virus on C:, NVC sends this message to
the members of the FireBreak user group.
In the event that the offending user is in the network but not
logged in, FireBreak cannot establish the user's name, and the
token @U will be replaced with the word unknown.
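To see how a message template behaves before you deploy it, the following function expands the tokens the way the text above describes: only an @ followed by one of the upper-case letters in the table is a token, @U becomes unknown when the user cannot be identified, and the result is cut to NetWare's 250-character limit. This is an added example, not Norman's code; the keyword names and the choice to leave an unrecognised pair such as @s as typed are this example's assumptions.

```python
"""Expand the tokens in a FireBreak broadcast message.

Added example, not Norman's code. The token table, the 250-character
NetWare limit and the 'unknown' substitute for @U come from the manual;
the keyword names and the choice to leave an unrecognised '@x' pair as
typed are this example's assumptions.
"""
import re
from typing import Optional

NETWARE_MESSAGE_LIMIT = 250

# Only '@' followed by one of these upper-case letters is a token; '@s' is not.
TOKEN_RE = re.compile(r"@[FDPSUV]")


def expand_message(template: str, *, file: str = "", server_dn: str = "",
                   address: str = "", server: str = "",
                   user: Optional[str] = None, virus: str = "") -> str:
    """Replace @F @D @P @S @U @V and truncate to the NetWare message limit."""
    values = {
        "@F": file,                 # full path of the infected file
        "@D": server_dn,            # distinguished name of the server
        "@P": address,              # offending user's IP or IPX address
        "@S": server,               # server's common name
        "@U": user or "unknown",    # login name, or 'unknown' if not logged in
        "@V": virus,                # name of the detected virus
    }
    text = TOKEN_RE.sub(lambda m: values[m.group(0)], template)
    return text[:NETWARE_MESSAGE_LIMIT]
```

A template that puts @F first can lose @V to the 250-character cut when paths are long; placing the virus name and server before the path keeps the most useful fields inside the limit.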
The Printing tab
Not only can FireBreak alert members of a special user group, it
can also print messages to an existing print queue. The printed
information is the same as that logged in FBREALTI.LOG, and
the report is printed when either the FireBreak real-time scanner
or any Norman anti-virus workstation product in the network
detects a virus.
You may specify which print queue to use, whether or not a
banner is to be printed, and whether or not a form feed command
is issued after each alert.
Print queue to use for alerts
Click on the browse button to view and select a print queue. If
you wish to print out each virus event, select the name of an
existing print queue in this field.
If you enter a print queue that does not exist, FireBreak will not
accept the entry. Either change the entry to a print queue that
does exist, create a new print queue, or click on the browse
button to select an existing queue.
Note: NDPS and iPrint are not supported in this version. Only
queue-based printing is supported.
E Print banner
If no print queue is specified (see section above), this option is
not applicable. If you did specify a print queue, however,
FireBreak will print a NetWare banner page as a cover page for
each virus alert when this option is selected.
The options Print banner and Form feed after each alert (see
below) work together: if Form feed is selected, then a banner is
printed for each alert. If Form feed is not selected, then a banner
is printed only the first time per session that an alert is printed.
Session is defined as the time between loading and unloading
FireBreak or between loading FireBreak and downing the server.
E Form feed after each alert
If no print queue is specified, then this option is not applicable. If
you did specify a print queue, however, FireBreak will issue
form feed after each printed alert.
The Print banner and Form feed after each alert (see above)
options work together: if Form feed is selected, then a banner is
printed for each alert. If Form feed is not selected, then a banner
is printed only the first time per session that an alert is printed.
Session is defined as the time between loading and unloading
FireBreak or between loading FireBreak and downing the server.
The SNMP tab
SNMP (Simple Network Management Protocol) is a protocol
governing network management and the monitoring of network
devices and their functions. Typical solutions that use SNMP for
network management are CA Unicenter, IBM's Tivoli, and HP
OpenView. SNMP can provide central monitoring of all servers
and workstations running NVC.
For more details on SNMP, please refer to page 114.
Note: Only the trap portion of SNMP is used. Management
and configuration through SNMP is not supported.
[x] Enable SNMP
You must select this option to activate the different trap types.
Note that all the following options are automatically selected
(default) when SNMP is enabled:
Real-time scanning traps:
[x] On all virus detections
Send an SNMP trap whenever the real-time scanner finds an
infected file.
[x] When unable to clean
Send an SNMP trap whenever the real-time scanner cannot clean an
infected file.
Server scanning traps:
[x] On all virus detections
Send an SNMP trap whenever the on-demand scanner finds an
infected file.
[x] When unable to clean
Send an SNMP trap whenever the on-demand scanner cannot clean
an infected file.
In addition to the real-time and server scanning traps, these two
options are available when SNMP is activated:
[x] Send general information traps
When selected, FireBreak sends SNMP traps on incidents other
than virus attacks, such as load and unload of FireBreak, update
of virus definition files and update of the scanner engine.
See The SNMP tab on page 53.
[x] Forward workstation alerts
Workstation alerts (see The NetWare tab on page 45) are sent as
SNMP traps. If you select this option, you must have enabled the
Broadcast alerts from workstation option in the NetWare tab.
For this option to work, the individual NVC workstations must
be configured correctly with the server address specified. Please
refer to NVC's Reference Guide and Administrator's Guide for
more information on NVC's messaging system.
Alternate community name
If you don't want to use the default community name, which is
public, you can enter an alternate community name here.
The e-mail tab
[x] Enable e-mail messaging
You must select this option to activate the other options. Note
that when you select this option, a check is performed to see that
the required information is available for SMTP server, Mail
recipients, Reply to, and Port.
[x] When a virus is detected
By default, all members defined in the Mail recipients field are
informed that a virus was found.
[x] When a virus is detected, but could not be cleaned
All members defined in the Mail recipients field are informed
that a detected virus could not be cleaned.
[x] General information and alerts
Sends e-mails on incidents other than virus attacks, such as load
and unload of FireBreak, update of virus definition files and
update of the scanner engine.
SMTP server
The host name or IP address of the SMTP server you want
FireBreak to send messages through.
Mail recipients
All names on this list receive e-mails. Click Add to enter a new
recipient. Highlight an existing name and click Edit to change
the entry. Highlight one or more recipients and click Remove to
delete them from the list. You can also double-click on an
existing entry to edit it, and on an empty area to add a new
recipient.
Reply to
The e-mail address of the system administrator, for example.
Port
Enter the port number to be used. The default is 25.
Mail message body
You can enter a permanent Subject for the e-mails, as well as a
Common appended text. Edit these fields as you like.
In addition to the permanent subject you enter, the system appends
the common name of the server sending the e-mail to the subject
line. The e-mails are labelled with tags to simplify rating and
sorting based on the mail's importance. The subject line is made up
like this: first the text entered in the Subject field, then "Event:"
followed by the event in question, and finally the name of the server
that originated the mail. For example:
Norman message - Event: Server scan - On: FS1
The different events are:
Start               Start of FireBreak.
Stop                Stop/unload of FireBreak.
NSE updated         New search engine or definition files.
Virus alert         Virus detected by the real-time scanner.
General             General messages, including updated modules which
                    are downloaded/unpacked. May require Admin
                    intervention.
Multi-part message  A number of e-mails, possibly of different types,
                    were queued up to be sent. These were merged into
                    one long message.
Messages that cannot be sent can be kept in a queue for up to
eight hours. When an error occurs during sending, an error message
is logged to FBERROR.LOG, sent to the console screen or
communicated as an SNMP trap, depending on your
configuration.
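To make the subject layout above concrete, here is an added Python example (not Norman's code) that parses FireBreak subject lines into Subject text, event and server and orders a batch of them for triage. The severity numbers, and the handling of events not in the list (such as the "Server scan" shown in the manual's own example), are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Severity per event, used only for sorting in this example. The event names
# are the ones the manual lists; the severity numbers are an assumption here.
EVENT_SEVERITY = {
    "Virus alert": 3,
    "Multi-part message": 2,  # several queued mails merged into one body
    "General": 1,             # "may require Admin intervention"
    "Stop": 1,                # an unexpected unload leaves the server unprotected
    "NSE updated": 0,
    "Start": 0,
}
UNKNOWN_SEVERITY = 1  # events not in the list (e.g. "Server scan") get this

# Subject layout from the manual: "<Subject text> - Event: <event> - On: <server>".
# The Subject text is administrator-defined and may itself contain " - ", so the
# prefix is matched lazily and the pattern anchors on the two fixed tags.
SUBJECT_RE = re.compile(
    r"^(?P<prefix>.*?) - Event: (?P<event>.+?) - On: (?P<server>\S+)$"
)


@dataclass(frozen=True)
class FireBreakSubject:
    prefix: str        # the configured Subject text
    event: str         # event tag, e.g. "Virus alert"
    server: str        # common name of the originating server
    severity: int
    known_event: bool  # False when the event is not one the manual lists


def parse_subject(subject: str) -> Optional[FireBreakSubject]:
    """Parse one FireBreak subject line; return None if it does not match."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None
    event = m.group("event")
    return FireBreakSubject(
        prefix=m.group("prefix"),
        event=event,
        server=m.group("server"),
        severity=EVENT_SEVERITY.get(event, UNKNOWN_SEVERITY),
        known_event=event in EVENT_SEVERITY,
    )


def triage(subjects: List[str]) -> List[FireBreakSubject]:
    """Keep the parsable FireBreak mails and order them most urgent first."""
    parsed = [p for p in (parse_subject(s) for s in subjects) if p is not None]
    return sorted(parsed, key=lambda p: (-p.severity, p.server, p.event))


# Constructed sample subjects; only the first is taken from the manual.
SAMPLE_SUBJECTS = [
    "Norman message - Event: Server scan - On: FS1",
    "Norman message - Event: Start - On: FS2",
    "ACME - AV alerts - Event: Virus alert - On: FS2",
    "Norman message - Event: Multi-part message - On: FS3",
    "Weekly report from HR",  # unrelated mail, dropped by triage()
]

if __name__ == "__main__":
    for item in triage(SAMPLE_SUBJECTS):
        print(f"{item.severity} {item.server:<4} {item.event}")
```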
Test alerts
The purpose of this function is to test that the protocols you
have set up work and that messages are transmitted as intended.
If you have established a message hierarchy (see The Inter-
server tab on page 44), messages are not issued.
When a test alert is generated, test data is used to simulate a virus
detected by the real-time scanner. The data is as follows:
Server name              : The server's real name.
NDS tree                 : The tree the server is in.
Time                     : The actual time when the alert was issued.
User                     : testuser.department.organization
Workstation IP address   : 10.10.10.10
Infected file            : SYS:/TESTDIRCTORY/TESTFILE.XXX
Detected virus           : ########
File scanned during      : create
Action taken on the file : None, it was left alone.
The test alert is issued using live configuration and sent via the
protocols you have enabled. Test alerts are not shown on
FireBreak's monitor screen.
NDS options
Minutes between DS polls when controlled from an object
outside the local replica
This option relates to changes made to the NDS FireBreak
configuration object. The change detection mechanism used
depends on whether the server FireBreak is running on has a
replica of the NDS partition that holds the configuration object or
not. If the object is available locally, changes are detected at once
using the event services in NDS. Note that "at once" may be after
a period of time. The delay depends on how often NDS
synchronizes the replicas of the partition that holds the object
and whether the change was made to the local object or to one in
another replica.
If the object is stored in a partition that does not have a local
replica (i.e. resides on another server), the system will poll for
changes regularly. The default interval is once every 4 hours
(240 minutes), and it is configurable. You can see which
mechanism is in use by checking FireBreak's monitor screen.
= Monitor screen on page 83.
Changes made to an alert group are detected the same way.
Information cannot be inherited from one object higher up in the
tree by one below it. Each object is a separate entity.
E Use typeful name for FireBreak
Typeful name is the NDS object name that includes the name
type (OU, O, and so forth) of each object when identifying the
distinguished name of that object.
E Poll NDS for changes every x minutes
(Console menu only).
If the server is in polled mode, use this option to check for NDS
changes at regular intervals. The default number of minutes
between each poll is 240, i.e. 4 hours.
Re-read FireBreak's configuration from the NDS
(Console menu only).
If the server is in polled mode, use this option to re-read the
configuration from NDS after changes have been applied to the
object. See the previous page for more explanatory information.
Re-scan NDS for a configuration object
(Console menu only)
If the NDS FireBreak object has not been replicated at the time
of load you can use this option to find the object. If an object is
unavailable at the time of load, you can use this option to scan
for a valid object.
Auto update options
This feature allows you to fully automate the process of keeping
FireBreak updated. All parts of FireBreak can be updated.
E Enable auto update of local server
When this option is enabled (default), FireBreak checks the
Download directory regularly for updated files. The files in this
directory (NVCxxxx7.ZIP) are supplied by Norman Internet Update
(NIU) directly or replicated from a central server in your tree
running NIU (see Fetch updates from distribution server on
page 65 and Norman Internet Update on page 97).
New files are extracted to SYS:\FIREBRK or its subdirectories
and appropriate action is taken. This action depends on the
content of the file. If a new FIREBRK.NLM is extracted, the
system reloads itself. If new .DEF files are detected or a new
NSENW.NLM is found, NSENW.NLM is unloaded and re-loaded
to activate the update.
Some files may not be consumable directly. These will be
extracted to their appropriate subdirectories and the
administrator is notified of the updates via entries in
FBEVENTS.LOG as well as via e-mail. One example of an
update that cannot be consumed directly is a new release of the
ConsoleOne snap-in. When the update is received, FireBreak
cannot predict where ConsoleOne is installed or if it is running
and the files are locked. The ZIP file is therefore extracted to the
appropriate subdirectory under SYS:\FIREBRK and you are
notified as described above. To update your ConsoleOne
installation(s), simply replace the existing files with the new
ones after ensuring that no one is running ConsoleOne from the
location(s) you wish to update.
Note: For e-mail messaging to work, the SMTP server and
mail recipients settings must be properly configured.
Also remember to enable the General information and
alerts option (see page 57).
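The update-handling rules above can be modelled in a few lines; the following is an added Python example (not FireBreak's own code) that inspects a constructed update archive and decides, per extracted file, which of the three reactions the text describes applies. The check that rejects archive members which would escape the target directory is an addition of this example, not something the page describes, and the snap-in file name in the sample archive is hypothetical.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass, field
from typing import List

# The three reactions the manual describes for files extracted from an update.
RELOAD_FIREBREAK = "reload FireBreak (new FIREBRK.NLM)"
RELOAD_ENGINE = "unload/reload NSENW.NLM (new engine or .DEF files)"
NOTIFY_ADMIN = "extract only; notify via FBEVENTS.LOG and e-mail"


@dataclass
class UpdatePlan:
    actions: List[str] = field(default_factory=list)    # in the order first triggered
    extracted: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)   # members that would leave the target


def stays_inside_target(member: str) -> bool:
    """True if extracting `member` cannot write outside the target directory.

    Containment check added by this example (the page does not describe one):
    reject absolute names, drive/volume prefixes and any path that normalises
    to a parent of the target directory.
    """
    norm = posixpath.normpath(member.replace("\\", "/"))
    if norm.startswith("/") or ":" in norm:
        return False
    return norm != ".." and not norm.startswith("../")


def action_for(member: str) -> str:
    """Map one extracted file to the reaction the manual describes."""
    base = posixpath.basename(member).upper()
    if base == "FIREBRK.NLM":
        return RELOAD_FIREBREAK
    if base == "NSENW.NLM" or base.endswith(".DEF"):
        return RELOAD_ENGINE
    return NOTIFY_ADMIN  # e.g. a ConsoleOne snap-in that cannot be applied in place


def plan_update(zip_bytes: bytes) -> UpdatePlan:
    """Inspect an update archive and decide what the consumer should do."""
    plan = UpdatePlan()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to consume
            if not stays_inside_target(name):
                plan.rejected.append(name)
                continue
            plan.extracted.append(name)
            action = action_for(name)
            if action not in plan.actions:
                plan.actions.append(action)
    return plan


def build_sample_zip() -> bytes:
    """Constructed sample archive; member names are examples, not Norman's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NVCBIN.DEF", b"constructed binary-virus definitions")
        zf.writestr("NVCMACRO.DEF", b"constructed macro-virus definitions")
        # Hypothetical snap-in path and name, standing in for the ConsoleOne case.
        zf.writestr("C1/FBSNAPIN.JAR", b"constructed snap-in payload")
        # Constructed entry whose name would escape the target directory.
        zf.writestr("../SYSTEM/ROGUE.NLM", b"constructed out-of-tree entry")
    return buf.getvalue()


if __name__ == "__main__":
    plan = plan_update(build_sample_zip())
    print("actions :", plan.actions)
    print("rejected:", plan.rejected)
```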
E Fetch updates from distribution server
Enabling this option allows FireBreak to check a server in the
network for updated files. The name of the server is taken from
the Distribution server field in the configuration. FireBreak logs
on to this server using the user name and optional password
specified in the fields Remote user's name and Remote user's
password (see below) and checks for new files. FireBreak checks
the directory on the distribution server that is specified in the
Distribution folder field on the Auto update options tab.
If new or changed files are detected, they are replicated to the
local server's SYS:\FIREBRK\DOWNLOAD directory. The
local update process will take care of them from there.
Note well: If this option is selected you must configure the server
running as distribution server properly:
You must make sure that the path specified in the
Distribution folder field exists.
You must make sure that the user specified in the
Remote user's name field is granted the appropriate
access rights to the distribution folder on the distribution
server. You can select an existing user or create a new
one. The minimum access rights that must be granted to
this user are Read and File Scan.
We strongly recommend that you run Norman Internet Update
(NIU) on the distribution server to ensure that you keep your
servers completely up to date with the latest released files. You
must make sure that NIU is configured to place the downloaded
files that FireBreak applies in the distribution folder. Please refer
to Norman Internet Update on page 97 for details.
The files handled by this feature are the same as for Auto update
of local server.
Activity is logged in FBEVENTS.LOG.
Auto update of local server must be enabled to activate this
feature. By default this feature is not enabled.
E Check more than once during interval
Select this option if you want FireBreak to look for updates
several times in the interval specified below. If you select this
option, FireBreak will check for updates approximately every
30-35 minutes.
Remote fetch interval (local time)
Select the time intervals during which you wish to activate the
remote update feature. You can select several, or even all, time
slots. The checks for new files are performed regularly during
the selected time slots. By default it is set to be active from 21:00
to 23:00.
Note: In large networks with a high number of servers, you
should consider the start-up time carefully for the
different servers to avoid choking the distribution server.
Remote user's name
Enter the login name of the user you want FireBreak to use in
order to log into the server operating as distribution hub to fetch
updated files, or click on the browse button and select a user from
the list. The user must be granted Read and File Scan rights to
SYS:\NORMAN\DISTRIB\DOWNLOAD on the distribution
server.
Remote user's password
Enter the password the remote user should use to log into the
server where FireBreak is operating as a distribution hub. For the
default user no password is established. Click on the Change
password button to assign a password or change an existing one.
Distribution server
Enter the server where NIU has been installed.
Distribution folder
Enter the folder from which the servers fetch the updates.
= For more information about distribution of updates, please
refer to Norman Internet Update on page 97.
Loading and unloading
Loading FireBreak
Generally, we recommend that FireBreak is loaded in your
server's AUTOEXEC.NCF file. This will ensure that FireBreak is
up and running as soon as the server has finished its boot and
load sequence.
The following command is used either in the AUTOEXEC.NCF
file or directly from the server's console screen:
LOAD SYS:FIREBRK/FIREBRK [Enter]
To ease loading from the console, we have included a file called
FB.NCF. This is copied to the SYS:SYSTEM directory during
installation, and it enables you to load FireBreak by simply
typing:
FB [Enter]
from the server's console. You can also use the FB command in
AUTOEXEC.NCF.
Note: It is recommended to put the FB command late in the
AUTOEXEC.NCF file to ensure that all the services
running on the server are properly loaded and initialized.
On load, the system verifies that the operating environment is
okay.
Unloading FireBreak
Unloading FireBreak can be done in two different ways:
1. Select Exit from the Main Menu (see Exit FireBreak on
page 82). The unload command will fail if the configuration
is protected by a password, or if a server scan is in progress.
Refer to page 26 for more details on the password function.
2. From the console screen, enter:
UNLOAD FIREBRK
Since the system can be unloaded using the UNLOAD command
from the server's console, use the password option to prevent the
system from being unloaded by unauthorized personnel.
Command line switches
Command line switches are primarily used to override the
default startup configuration. If you are not familiar with the
command line switches, do not use these.
Specifying a configuration object on the command line
To specify a given NDS object, enter the object's full
distinguished name on the command line, including the leading
dot ("."):
load sys:/firebrk/firebrk .fbconfig.applications.research.acme
This will override the default search for a configuration object.
= See page 20.
Specifying a configuration file on the command line
You can force the system not to scan NDS for a configuration
object, but instead use the assigned configuration file. The full
path of the file must be entered like this:
load sys:/firebrk/firebrk SYS:\FIREBRK\FB400.CFG
Note: When using the above command line parameters, the
FireBreak initialization screen displays the messages
"Operator configuration override" and
"Search for NDS cfg object overridden by operator".
For use in troubleshooting situations.
Forcing polled checks for changes to the configuration object
Starting FireBreak with a /DSE- command line option will
disable the use of NDS events to detect changes to the
configuration object. The system will operate in polled mode as
if the NDS object was located on a partition that wasn't
replicated on the local server.
/DSE-
load sys:/firebrk/firebrk /DSE-
For use in troubleshooting situations.
FireBreak Administration
Most of the administrative tasks for FireBreak, such as
configuration of auto-updates, messaging and NDS options, can be
done in the FireBreak object in the NDS.
However, other tasks like monitoring real-time actions can be
done both at the server console and by browsing the log files.
The FireBreak console menus
FireBreak's console menus follow the conventions for NetWare's
look and feel, such as first-letter selection in the menus.
The ConsoleOne snap-in
The illustration above demonstrates how the ConsoleOne snap-in
appears on the workstation and the server's graphical console.
We believe that ConsoleOne represents a simplified and
consequently more user-friendly approach for configuration and
administration of your FireBreak installation.
Password protection of configuration and unload
= Basic options on page 24 in the Configure FireBreak
section.
The Main menu
The system's main menu is what greets you when FireBreak first
loads.
Scan server
Allows you to select one or more volumes or sub-directories on
the server for manual scanning. Starting a manual scan does not
interfere with FireBreak's real-time scanning mode. Note well,
however, that the manual scan generates a considerable amount
of work for the server, thus slowing other processing down for
the duration of the scan.
= Exclude list on page 29, and
Server scanning options on page 35.
The keys used
Navigate through the list by using the following keys:
[Enter]  Browse entry / Brings you back to the Main Menu after a
         scan has completed or aborted.
[Esc]    Start scan / Abort scan.
[F5]     Select / Deselect an item for scanning.
The information displayed
The uppermost area of the scanning window shows the name of
the server as well as the current system date and time.
Following that is information on what version of NseNW.NLM
FireBreak is using and how many virus strains it supports.
The counters on the next line are:
Dirs:      The number of directories found.
Files:     The total number of files found in those directories.
Scanned:   The total number of files that FireBreak has scanned.
Infected:  The number of files found by FireBreak that contain
           possible virus infections.
The center of the window displays which files FireBreak is
scanning at the moment:
Volume:    The number of the current volume as well as the total
           number of available volumes. The name of the current
           volume is also shown.
Directory: The directory being scanned, including volume name.
File:      The current file. File names scroll downwards. This
           section is separated from the rest of the window by a
           line that says:
Completed items:
Names of selected completed items are listed as FireBreak has
scanned them.
Infected files are shown in the lower section of the window.
See also page 37 about logging. The details in the log file
depend on your configuration. If you have enabled e-mail and
selected the option General information and alerts (page 57),
you will also receive a short statistics report on e-mail scans.
Note: All manual scans are logged in the file.
= Appendix A - Sandbox on page 128.
Administer FireBreak
From this menu you can administer FireBreak.
= Configure FireBreak on page 23.
There are two submenus that are not available from the
ConsoleOne snap-in:
Administer log files
This menu provides options for browsing, deleting, and printing
of FireBreak log files.
Why don't I see all the log files?
Only log files that have been created are available.
For example, if no virus infections have been reported by the
real-time scanner, no FBREALTI.LOG has been created either.
Browse the selected file
This option allows you to browse the content of the selected log
file.
If the log file is bigger than 100Kb, only the last 100Kb of the
file is displayed.
To view the entire log file, you can use Notepad and open the file
which is located in sys:firebrk/log.
Print the selected file
To be able to print the selected log file, a print queue must have
been set in the configuration option. (See The Printing tab on
page 50 in the section Messaging options.)
Delete the selected file
You can delete the selected log file. A confirmation dialog will
appear to ensure that log files are not accidentally deleted.
The actual file is not deleted, only its content.
Clear saved infection information
This menu provides you with the option of resetting the saved
information from the real-time scanner. If the option Save
infection information across loads is selected (see page 26),
FireBreak will normally save this information.
Display monitor
This menu option opens a new screen that allows you to monitor
the activity of the real-time scanner.
FireBreak's Monitor screen displays information about real-time
scanner events, and incidents detected by Norman products
running on workstations in the network.
Display virus library
The virus library has its own sub-menus. From this menu you
can browse both binary and macro viruses. The operation of the
macro virus library is identical to that of the binary virus library.
Virus characteristics
The ability to clean any one virus is indicated in the list of virus
characteristics. The list is shown for each virus as you scroll
through each of the libraries. If the system has the ability to clean
a virus, this is indicated by:
We can clean it
You will notice that all entries in the macro virus library have this
indicator. This is, however, not the case for the binary viruses.
The keys used
Navigate through the list by using the following keys:
[Up]          Go to the previous virus.
[Down]        Go to the next virus.
[Home]        Go to the top of the current screen.
[End]         Go to the end of the current screen.
[PgUp]        Go up by one page.
[PgDn]        Go down by one page.
[Ctrl][Home]  Go to the top of the list.
[Ctrl][End]   Go to the end of the list.
[F3]          Exports the entire virus library, including name and
              description, to a log file in the log directory.
[F9]          Toggle to include boot viruses in the list. The default
              is off. Viruses that infect both files and boot areas
              are included in the list when this function is off.
[Esc]         Close the virus library window and return to the main
              menu.
Find virus
You can also search for a given virus by typing its name. The list
scrolls as you type the name, so you do not have to type the
entire name of a virus to have FireBreak search for it. To delete
characters, use the [Backspace] key. When you press any of
the cursor navigation keys, the characters in the Find Virus text
box are cleared.
Information on each virus
For the entry in the list highlighted by the cursor, a summary of
the information known about this virus is shown.
Exit FireBreak
This terminates FireBreak. If a password has been assigned, you
are required to enter it correctly before the system exits. Refer to
page 26 for information on the password function.
You cannot unload FireBreak from the server console prompt if a
password is assigned; use this menu option instead.
Monitor screen
FireBreak's Monitor screen displays information about real-time
scanner events and events detected by Norman products running
on workstations in the network. You can also get statistical
information and NDS information from the Monitor screen.
FireBreak's Monitor screen is different from the screen which
appears during a manual scan. Refer to page 35 for details on
manual scanning.
The Monitor screen cannot be opened if the real-time scanner is
not activated. Activate real-time scanning by instructing
FireBreak to scan incoming files, outgoing files, or both. Refer to
page 31 for more details on configuring the real-time scanner.
Information is updated once every second, provided something
has changed. Thus you might not see every file name, but this
solution reduces the load on the server during heavy file activity.
The keys used
[Esc]  Closes the window and returns to the Main menu.
[F2]   Displays the information menu.
The information displayed
As described above, the Monitor screen displays infection
information both from the real-time scanner and Norman
workstation products.
The Monitor screen is divided into 6 areas:
1. Status information in the left topmost portion of the screen. It
includes:
Server           The server's common name.
CPU utilization  The total load, as a percent, on the server at any
                 given time (CPU 0 in a multi-processor system).
NseNW vX.XX.XX   The version of the scanning engine, for example
                 v5.60.08.
Macro/binary     The dates for the virus information database files
viruses          NVCMACRO.DEF and NVCBIN.DEF, and the total number
                 of virus strains they support.
2. Status information in the right topmost portion of the screen. It
includes:
Date and time    Local date and time (fetched from server).
Files scanned    Number of files scanned by the real-time scanner.
Files infected   The number of infected files that FireBreak has
                 intercepted. If you have set FireBreak to Save
                 information across loads (see page 26) and have
                 not cleared the information by using the option
                 Clear saved information, this is the total number
                 of infected files detected since you started
                 running FireBreak.
Files cleaned    Number of virus infected files cleaned by the
                 real-time scanner.
Workstation      Number of alerts received from workstations
alerts           running NVC.
3. Status line in the top middle of the screen displays the state of
the real-time scanner. The following explains each of the fields
on the status line.
Last file scanned by the real-time scanner
Displays the name and user of the last file scanned by the real-
time scanner. Includes volume, directory and file name. Since
NetWare allows paths up to 255 characters, FireBreak formats
the name to keep the displayed data within screen limits. The
following is an example of a formatted path:
SYS:PROGRAMS/DBMS/.../DRV/TEST.COM
Possible values are:
In     Incoming/created file. File saved to a network disk.
OutW   Outgoing file opened for write.
Out    Outgoing file.
File created by  The offending user's NDS name.
4. Status line in the middle of the screen displays the name of the
last virus detected by the real-time scanner.
Last virus detected  Displays the name of the virus. Includes also
                     the full name of the last infected file:
                     volume, directory and file name. Since NetWare
                     allows paths up to 255 characters, FireBreak
                     formats the name to keep the displayed data
                     within screen limits. The following is an
                     example of a formatted path:
                     SYS:PROGRAMS/DBMS/.../DRV/TEST.COM
File created by      The offending user's NDS name.
From                 The offending user's physical network address
                     (IP or IPX) and the date and time.
Other information includes what action was taken. Possible
forms of action are:
Quarantine   The file is moved off-line and is no longer accessible
             to users.
Cleaned      The file was cleaned.
Deleted      The file was deleted.
Left alone   FireBreak has not been configured to take action on
             infected files, so the file will be left alone.
5. Status line in the low middle area of the screen displays the
details of the last workstation alert. This information is provided:
1. Which NVC component sent the alert.
2. Name of the user who was logged on to the workstation.
3. Name of the machine that NVC was running on.
4. Name of the virus.
5. The IP/IPX address of the machine that sent the alert.
6. Time on the local machine that sent the alert.
6. Status line in the lowest part of the screen displays the most
important configuration options. The following explains each of
the fields on the status line.
Configuration  Displays the configuration object name or the local
object         configuration file name. "Inline NDS" is displayed
               if the server holds a local replica of the NDS
               partition where the configuration object is stored.
               "Polled checks" is displayed if the server does not
               hold a local replica of the NDS partition where the
               configuration object is stored. "Local file" is
               displayed if a local configuration file is used.
Hub            If the server is operating as a communications hub.
               Possible values are yes or no.
Adv            Indicates if the server is advertising services
               using SAP. Possible values are yes or no.
Send           If the server is sending alerts to the
               communications hub. Possible values are yes or no.
Target         The name of the machine that messages should be
               sent to (communications hub).
Monitor menu
Press [F2] to display the FireBreak Monitor menu.
The submenu provides both configuration and statistical
information about FireBreak and NDS.
List alert group members
This menu displays the members of the group that has been set in
the FireBreak configuration to receive alerts when infected files
are accessed.
Display statistical information
Displays information about server up time, scan time statistics,
and hub communication details.
The information includes:
Files and virus infection information:
Server up time     Displays how long since the server was started.
FireBreak up time  Displays how long FireBreak has been loaded on
                   the server.
Files scanned      Displays how many files have been scanned by the
                   real-time scanner since FireBreak was started.
Files infected     Displays how many infected files have been found
                   since FireBreak started.
Files cleaned      Displays how many infected files have been
                   cleaned since FireBreak started.
Statistics about time used for the real-time scanner:
Max scan time used on a file (secs approx):
Indicates the maximum time FireBreak has used for scanning a
file on the server. Time specified in seconds.
Min scan time used on a file (secs approx):
Indicates the minimum time FireBreak has used for scanning a
file on the server. Time specified in seconds.
Average scan time per file (secs approx):
Indicates the average scanning time FireBreak uses per file. Time
specified in seconds.
Note: The statistics are only approximate.
The bottom part of the submenu screen displays configuration
information for FireBreak:
Hub running
Indicates if this FireBreak server is running as a communications
hub for your network, and what protocol it employs.
Possible values are:
Yes   This server is running as a communications hub.
No    This server is not running as a communications hub.
IP    The communications hub is bound to the IP protocol.
IPX   The communications hub is bound to the IPX protocol.
List the five files with the longest scan time
Displays a list of the five files with the longest scan time, where
time is specified in seconds. You can use this feature for
troubleshooting performance issues, for example if scanning in
general is too slow, or if an unanticipated increase in scanning
time occurs.
Note: Times are only approximate.
Display NDS related information
This information is primarily provided for troubleshooting
purposes.
Displays NDS configuration details and how FireBreak checks
for NDS configuration object changes.
IP loaded and bound    Possible values are Yes or No.
IPX loaded and bound   Possible values are Yes or No.
Active NDS version     Displays the version of your NDS / eDirectory.
NDS tree               Displays the NDS tree where your server
                       resides.
Configuration          Displays the configuration object name from
object name            which FireBreak is reading its configuration.
- local entry ID       Displays the object entry ID in the local
                       replica of the partition where the
                       configuration object resides.
- partition root name  Displays the name of the NDS partition where
                       the configuration object resides.
- last changed on      Indicates the time of the last change made to
                       the configuration object, as detected by
                       FireBreak on this server.
Changes detected       Indicates whether the server is using DSEvents
using                  or polled mode to detect changes in the
                       configuration object. (See Real-time
                       configuration change detection vs. polled
                       checks on page 21.)
Norman Internet Update
It's strongly recommended that you update NVC on a regular
basis. In networks with direct/router based connection to the
Internet, it's easy to fully automate the update process.
Norman Internet Update (NIU) is a program that checks
Norman's product server for new or updated products.
Using NIU, the NetWare server will download updates for itself
as well as for other servers and workstations in the network where
NVC is installed.
Refer to the Reference Guide for more general information about
NIU for other platforms.
System requirements - NIU
Please also read the next section carefully: Preparing FireBreak
for NIU downloads.
NIU for NetWare requires FireBreak v4.70 or later.
TCP/IP and the Winsock protocol stacks must be installed and
properly configured. NIU will not work on a server running IPX
only.
The server running NIU must have access to the Internet on TCP
port 80 (HTTP).
The server must have a DNS server configured, i.e. be able to
resolve DNS queries.
Note: NIU uses TCP port 80 for connections to Norman's product
server on the Internet. Make sure that your firewall allows your
server's IP address to communicate on this port. Since NIU is the
HTTP client, an outbound-only rule for the NIU server is
sufficient; the product server never needs to connect back to your
server.
Preparing FireBreak for NIU downloads
FireBreak needs a temporary directory in which the zip files
downloaded via NIU are unpacked. FireBreak locates this
directory in the following order:
1. It checks the server's environment for the variables TMP and
TEMP and uses the directory named by whichever is found. The
directory must exist before FireBreak loads. This step does not
apply to NetWare 4.
2. It looks for SYS:TMP, creating it if necessary, and uses that
directory.
3. Failing both, FireBreak uses SYS:FIREBRK itself as its
temporary area. We do not recommend relying on this fallback.
Setting the environment variable TMP or TEMP is not possible on
NetWare 4.11 and 4.2.
On NetWare 5.0 and later, use the console command
env tmp=volume:directory
This setting is not persistent and must therefore be repeated each
time the server starts. To achieve this, enter the command in
AUTOEXEC.NCF before the line that loads FireBreak.
Installation
Organizations with offices at different geographical locations
should install NIU on only one server per site. The same
recommendation applies if there is more than one network within
a geographical location: select just one server for NIU to run on.
If you have already updated an existing FireBreak installation to
v4.70, you can simply select the Internet Update component only
and follow the instructions on the screen.
You can select only one server at a time. To install NIU on more
than one server, run setup again for each server.
If you are installing FireBreak for the first time, we recommend
that you select all three components, i.e. including the Internet
Update component, before you click Next and complete the
installation procedure.
Note: During installation, you will be prompted for the
Authentication key.
Directory structure
During installation, the following directories are created on the
SYS volume:
Directory: Description:
SYS:NORMAN - Norman's home directory.
SYS:NORMAN/DISTRIB - Home for NIU updates.
SYS:NORMAN/DISTRIB/DOWNLOAD - This is where downloaded updates are stored.
../NWDIST - Working directory for NIU.
../C1SNAPIN - Updates for the ConsoleOne Norman snap-in.
SYS:NORMAN/NVC/BIN - This is where the NIU NLMs are stored.
SYS:NORMAN/NVC/CONFIG - Configuration for NIU. Do not alter these files!
SYS:NORMAN/TEMP - Temporary extractions of downloaded updates.
Loading NIU on NetWare
NIU is not loaded as part of Norman FireBreak. To load NIU,
type the following on the server console:
LOAD SYS:NORMAN/NVC/BIN/NIU
NIU.NLM will also load the following helper NLMs when needed:
SYS:NORMAN/NVC/BIN/NORMLIB.NLM
SYS:NORMAN/NVC/BIN/NIULIB.NLM
To ease loading from the console, a file called NIU.NCF is copied
to the SYS:SYSTEM directory during installation. It lets you load
NIU simply by typing:
NIU [Enter]
Note: To load NIU automatically at server start-up, insert the
command NIU.NCF in your server's AUTOEXEC.NCF.
Configure and use NIU on NetWare
Norman Internet Update is configured from the server console.
From the server console
Once NIU.NLM has been loaded, the NIU main menu is displayed
on the server console (the screen shot is not reproduced in this
text).
The keys used
Navigate through the menus using the following keys:
[Enter] - Browse the selected entry.
[Esc] - Back to the Main Menu / abort the current choice.
[F5] - Select/deselect an item.
Update now!
Allows you to perform an on-demand update of the virus signature
files and the scanning engine.
Note: You can also schedule updates, using the Configuration
menu.
Configure NIU
This option allows you to specify the products, languages,
platforms and the authentication key necessary for updates.
Products
Specify which products you wish to update by selecting from the
list. Note that your license determines what products you can
update.
Languages
FireBreak exists in English only. However, on different
platforms NVC is available in different languages. New
languages for these platforms are added at irregular intervals.
Contact your Norman dealer for information about NVC in your
language.
Platforms
Specify the platforms for which you wish to download updates by
selecting from this list.
Authentication key
Enter the authentication key provided by Norman.
Exit
Leave this menu.
Scheduler
This option lets you specify when and how updates are obtained.
Exit
Leave this menu.
Other issues related to updating and NIU
Please refer to Auto update options on page 63 for information
on how to update networked FireBreak installations.
Updating the ConsoleOne snap-in
When NIU downloads an update to the ConsoleOne snap-in into
sys:firebrk/c1snapin, an example batch file is included.
The purpose of the batch file is to help the administrator place the
ConsoleOne snap-in in the correct location. The administrator can
either adapt the example batch file to the network or do the job
manually.
Changing update paths
You may wish to build your own directory structure in which NIU
stores the update files. This can be done on the server's console
or by changing the environment set in NIU.NCF.
One scenario where a change of update directory is beneficial is
when NetWare runs in a clustered environment: placing the
updated files on a clustered volume keeps them available to
workstations regardless of which node currently hosts the volume.
Note: To keep the settings consistent, change NIU.NCF first, then
load NIU on the server, and finally change the ConsoleOne
FireBreak configuration object to reflect the changes made to
NIU.NCF.
The default directory for FireBreak updates is:
SYS:FIREBRK/DOWNLOAD
The default directory for the NIU installation is:
SYS:NORMAN
(where SYS:NORMAN/DISTRIB/DOWNLOAD is the directory in
which updated files are stored).
Whenever you change the default directory structure, you must
tell NIU about the change so that downloaded updates are handled
correctly. This is done by setting the NORMLIB.NLM
environment variables on the server console.
To change the directory into which updates are placed:
NORMLIB SET FIREBREAKUPDATEDIR=<new path>
To change the base directory for the NIU directories:
NORMLIB SET NORMAN=<new path>
To make these changes survive the next start-up, update NIU.NCF
to reflect them, then change the ConsoleOne FireBreak
configuration object. If the configuration object still points at the
old path, the FireBreak servers will keep looking for updates in a
directory that NIU no longer fills.
Note: Most installations will never need to change the default
settings.
Updating FireBreak on servers that are not connected to the
Internet
In environments that cannot be connected to the Internet because
of internal security regulations or legal provisions, you can update
FireBreak installations in the following ways:
Alternative A
1. Install and run NIU on a FireBreak installation that is
connected to the Internet.
2. After NIU has completed, copy all zip files from
SYS:FIREBRK/DOWNLOAD or SYS:NORMAN/DISTRIB/DOWNLOAD
to removable media and copy them into SYS:FIREBRK/DOWNLOAD
to update a local server in the closed environment.
To update FireBreak installations in a network, copy the files into
SYS:NORMAN/DISTRIB/DOWNLOAD on the distribution server
in the closed environment.
If the configuration for Auto update options is correct (see page
63), FireBreak completes the task automatically.
Alternative B
1. Install NVC v5.x corporate version on a Windows workstation
that is connected to the Internet. Run setup and follow the
instructions on the screen. Make sure that you enter the corporate
key in the Authentication key field.
2. Choose all three alternatives during setup (Norman Virus
Control, Network Distribution Directories, Administration tools).
3. Run niucf.exe from the local [Normanpath]\NVC\BIN folder
and follow the instructions on the screen. Make sure that you
select NVC for servers as product, English as language and Novell
NetWare as platform.
4. Each time you run Internet Update, the updated packages are
downloaded to the folder [Normanpath]\DISTRIB\DOWNLOAD.
To update a local FireBreak installation on a server in a closed
environment, copy all updated files whose names end in 7, for
example NVC11007, to removable media and copy these files into
SYS:FIREBRK/DOWNLOAD on the NetWare server.
To update FireBreak installations in a network, copy the files into
SYS:NORMAN/DISTRIB/DOWNLOAD on the distribution server
in the closed environment.
If the configuration for Auto update options is correct (see page
63), FireBreak completes the task automatically.
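The following Python script, added here as an example and not part of Norman's software, automates the selection and checking steps of Alternatives A and B for the transfer into the closed environment: it picks the NetWare packages (names ending in 7, as described above), verifies that each one is an intact zip archive before it goes onto the removable media, writes a SHA-256 manifest to carry with the files, and verifies the copies on the closed side against that manifest before they are placed in SYS:FIREBRK/DOWNLOAD. The sample download folder, file names and archive contents are constructed; the manifest check is this example's own addition, not something FireBreak or NIU does.

```python
"""Sneakernet transfer of NIU update packages into a closed network (added example)."""
import hashlib
import io
import os
import tempfile
import zipfile

PACKAGE_SUFFIX = "7"   # the guide: NetWare packages have names ending in 7, e.g. NVC11007


def select_netware_packages(download_dir):
    """Names of the files in download_dir that NIU fetched for the NetWare platform."""
    return sorted(name for name in os.listdir(download_dir)
                  if name.endswith(PACKAGE_SUFFIX)
                  and os.path.isfile(os.path.join(download_dir, name)))


def file_digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(download_dir, names):
    """Check that each package is an intact zip archive (the guide says NIU downloads
    zip files) and record its digest. Returns (manifest, rejected)."""
    manifest, rejected = {}, {}
    for name in names:
        path = os.path.join(download_dir, name)
        if not zipfile.is_zipfile(path):
            rejected[name] = "not a zip archive"
            continue
        with zipfile.ZipFile(path) as zf:
            bad = zf.testzip()      # CRC-checks every member; None when all are intact
        if bad is not None:
            rejected[name] = "corrupt member: " + bad
            continue
        manifest[name] = file_digest(path)
    return manifest, rejected


def verify_manifest(target_dir, manifest):
    """Closed-network side: names whose copy is missing or differs from the manifest."""
    return [name for name, digest in manifest.items()
            if not os.path.isfile(os.path.join(target_dir, name))
            or file_digest(os.path.join(target_dir, name)) != digest]


def _stored_zip(member, payload):
    """Build a small uncompressed zip archive in memory (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, payload)
    return buf.getvalue()


def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: an Internet-side DISTRIB\\DOWNLOAD folder and a
    closed-side SYS:FIREBRK/DOWNLOAD folder, both temporary directories."""
    src, dst = tempfile.mkdtemp(prefix="download_"), tempfile.mkdtemp(prefix="closed_")
    good = _stored_zip("nvc.def", b"constructed signature data, not a real definition file")
    _write(src, "NVC11007", good)            # NetWare package, intact
    _write(src, "NVC11001", good)            # package for another platform: not selected
    damaged = bytearray(good)
    damaged[damaged.find(b"constructed")] ^= 0xFF
    _write(src, "NVC12007", bytes(damaged))  # NetWare package damaged in transit
    selected = select_netware_packages(src)
    manifest, rejected = build_manifest(src, selected)
    for name in manifest:                    # "copy to removable media, paste on the closed side"
        with open(os.path.join(src, name), "rb") as f:
            _write(dst, name, f.read())
    before = verify_manifest(dst, manifest)
    with open(os.path.join(dst, "NVC11007"), "ab") as f:   # tamper with one copy
        f.write(b"\0")
    after = verify_manifest(dst, manifest)
    return {"selected": selected, "accepted": sorted(manifest), "rejected": rejected,
            "failures_before": before, "failures_after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Carry the manifest on the same media as the packages and check it on the closed side before anything is copied into SYS:FIREBRK/DOWNLOAD; since FireBreak treats every file it finds there as an update, a damaged or altered package is best rejected before FireBreak ever sees it.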
Testing new updates before large-scale distribution
If you wish to test new updates on a test server before deploying
them to all your servers, use this method:
1. Install NIU on the test server. FireBreak should already be
installed. By default, NIU fetches all updated files and places
them in the local server's SYS:FIREBRK/DOWNLOAD directory,
ready for use by FireBreak.
Note: Enter a distribution server and distribution folder in the
FireBreak ConsoleOne configuration object. This must not be the
test server. If it is, all FireBreak servers will replicate the update
without it being tested first.
2. When you are ready to deploy the tested updates, copy the
updated files to the correct path on the distribution server.
All FireBreak servers will now be updated.
Note: FireBreak does not distinguish between engine updates and
definition file updates. Both are treated in the same manner.
Setting up multiple NIU servers in your network
In addition to fetching updated files for FireBreak servers, NIU
can also fetch updated files for other platforms, such as Windows
and Linux. Your NetWare server with NIU installed can thus
provide a central distribution point for your networked
workstations.
Normally, in a standard single-site network, there is no need for
multiple NIU servers.
However, if your company has servers at different geographical
locations, you might want to set up a NIU server at each site so
that your WAN link is not saturated by update traffic.
If you have several servers at the same geographical location,
make sure the relevant FireBreak configuration object points to
the correct distribution server.
Using NetWare and NIU as a distribution point for workstations
without the NetWare Client installed
Workstations that do not have the NetWare client installed cannot
authenticate to the NetWare server, and as a result cannot log in
to the server to fetch updated files.
To correct this, configure your NetWare server to provide CIFS
(Common Internet File System). CIFS running on a NetWare
server presents a Windows-style file service and an authentication
method similar to that of a Windows server.
These workstations can then be updated from the NetWare server.
To learn more about CIFS, please consult your NetWare
documentation, also available online at
http://www.novell.com/documentation.
Advanced FireBreak
This section addresses how you can configure and set up
FireBreak with advanced options.
Virus alerts and messaging structure
With FireBreak and NetWare you can set up a powerful messaging
infrastructure for virus alerts. To take full advantage of the
information in this chapter, you should have an in-depth
understanding of the messaging options available in the FireBreak
configuration.
Understanding how messaging works with FireBreak
Three methods of messaging can be used with FireBreak:
1. the protocol-independent messaging system included in
FireBreak, which uses the fundamental messaging system in
NetWare;
2. SNMP traps, supported by FireBreak as well as NetWare;
3. e-mail via SMTP.
All three provide central messaging of all virus alerts, and you can
use more than one of them at the same time if you wish.
Using SNMP to centralize monitoring of infections
SNMP (Simple Network Management Protocol) is a protocol for
network management and monitoring of network devices and their
functions. Typical solutions that use SNMP for network
management are CA Unicenter, IBM Tivoli and HP OpenView.
To ease monitoring of incidents, FireBreak can be set up to send
SNMP traps for virus alerts as well as for general system events
such as load and unload. Traps are sent using NetWare's SNMP
services.
This means that the trap destination is set in the TRAPTARG.CFG
file in the SYS:\ETC directory on the server. Note that if changes
are made to TRAPTARG.CFG, the server must be restarted for the
changes to take effect. For further information on configuring this
file, see your NetWare documentation. Bear in mind that unless
your SNMP service uses SNMPv3, traps are sent unauthenticated
and in clear text: restrict the trap destination to a management
network and treat the community name as a shared secret, not as
authentication.
If alerts are sent from one server to another using the inter-server
communications feature (see The Inter-server tab on page 44),
SNMP traps are sent only once for each alert. The trap is sent by
the first server in the chain that is set up to send SNMP traps;
servers that subsequently receive the alert see that a trap has
already been issued and refrain from sending another.
Note: To use SNMP you need an application that can receive
SNMP traps. FireBreak does not include an SNMP trap receiver.
If you are not using HP OpenView, IBM Tivoli or similar utilities,
you can easily find an SNMP trap receiver on the Internet.
Setting up a FireBreak messaging hierarchy in your network
With FireBreak you can use several methods to alert your help
desk, for example, when a server or a user is infected. The default
method is the built-in messaging system in NVC, which is
described below.
By enabling the messaging system, you can decide where alerts
should be displayed. See also Messaging options on page 43.
In this scenario we describe a corporate multi-server environment
with three locations, each with several servers. A central
communications hub is enabled at the headquarters location, but
the local administrators at the branch offices would also like to be
alerted of virus infections on their local servers. The corporate
network is made up of one NDS tree. See the network diagram.
The NDS structure looks like this (simple view).
[Figure 1 and Figure 2 of the original guide, the network diagram
and the NDS structure, are not reproduced in this text; they are
described below.]
As you can see, the NDS FireBreak configuration object is placed
at the root of the tree. This ensures that all servers below the root
can use this configuration object. See Figure 1.
The NDS FireBreak object is configured with server HQ1_1 as the
communications hub (marked in red).
All servers in the tree will now send virus alerts to this server.
However, if the local administrators at the branch offices want
centralized alerts for their own servers, you can put an NDS
FireBreak configuration object in each branch office container,
BO1 and BO2, as illustrated in Figure 2.
The branch office FireBreak servers will now find the FireBreak
configuration object that resides in their own container first, and
consequently use that one.
This object can be configured identically to the one at the root,
except that the communications hub option can now be set to any
of the servers in the branch office, centralizing virus alerts from
the local servers. In this scenario we specify server BO1_1 for
branch office 1 (BO1) and server BO2_1 for BO2 (marked in
red).
The drawback of this configuration is that the branch servers now
send virus alerts only to the specified local server, and not to the
central server at HQ.
This can be rectified. To override the default configuration object
search and make sure that the alerts are forwarded to the central
communications hub at HQ, load FireBreak with the configuration
object as a command line parameter (enter on one line):
LOAD SYS:\FIREBRK\FIREBRK .FIREBREAKCFG.CORPORATIONNAME
When a configuration object is specified this way, the FireBreak
server does not search for one.
Remember to use the full distinguished name, including the
leading period (.).
Note: In this scenario the command should only be used for
servers BO1_1 and BO2_1. Feel free to name the objects as you
like. In this scenario all objects have similar names, but they are
still unique because of the distinguished names they inherit from
their respective containers.
Note well:
Remember to enable Operate as communications hub at the
console menu for every server that should act as one. See
Messaging options on page 43.
Using FireBreak messaging in a multi-tree environment
The same principles described in the previous section can be
applied in scenarios where you want to send centralized messages
to a server outside the current NDS tree, but with one major
difference: if the target server is in a different NDS tree, it must be
identified by its IP address or by the common name of the server.
You cannot use fully qualified distinguished names for multi-tree
messaging.
How FireBreak finds the communications hub address
When FireBreak looks for the communications hub, it tries to
resolve the information entered in the communications hub field.
Several techniques can be used to ensure that the hub is found.
The flowchart in the original guide (not reproduced here) outlines
the method used by FireBreak. The method is the same whether
the communications hub is located in the same or in a different
NDS tree.
Using different NDS configuration objects for a single server or
group of servers
As described in the previous section, FireBreak servers can be
configured individually if desired.
There are many alternative locations where the configuration
object could be placed. It depends on the structure of your
directory tree and the server's location in it.
When FireBreak is loaded, it first searches the container holding
the server it is loading on. If no configuration object is found
there, FireBreak starts a reverse tree-walk, looking for a
configuration object in the parent container and searching upwards
until it finds one or reaches the root of the tree. The first one found
is used. Note that FireBreak does not search down into containers
it finds, only up towards the root. One consequence worth
checking for: a server in a container with no object of its own
silently uses whichever object sits closest above it, so an object
added to a parent container affects every server below it that has
none of its own.
See Loading and unloading on page 68.
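The following Python model, added here as an example and not code from FireBreak, reproduces the search order described in this section and the scenario from Setting up a FireBreak messaging hierarchy above: the reverse tree-walk from the server's container up to the root, and the effect of naming the configuration object on the LOAD command line so that no search takes place. The tree, the container name HQ, the class label used to recognize configuration objects and the hub attribute are assumptions made for the sake of the model.

```python
"""Model of how FireBreak picks its NDS configuration object (added example).

Assumptions: configuration objects are recognized by a hypothetical class
label CONFIG_CLASS (the guide says the object name is free, so the name is
not what identifies them); the headquarters container is called HQ; the hub
is stored in a 'hub' attribute. None of this is Norman's schema.
"""
from dataclasses import dataclass, field

CONFIG_CLASS = "FireBreakConfig"   # hypothetical class label


@dataclass
class NdsObject:
    dn: str                  # fully distinguished name with a leading dot
    object_class: str
    attrs: dict = field(default_factory=dict)


def container_of(dn):
    """Parent of a dotted FQDN: '.FIREBREAKCFG.BO1.CORP' -> '.BO1.CORP', '.CORP' -> '.' (root)."""
    _, _, rest = dn.lstrip(".").partition(".")
    return "." + rest


def walk_up(context):
    """Yield the context itself, then each parent up to and including the root '.'."""
    while True:
        yield context
        if context == ".":
            return
        context = container_of(context)


def find_config_object(objects, server_context):
    """Reverse tree-walk as the guide describes it: the server's own container
    first, then its parents up to the root. Sibling and child containers are
    never searched, so HQ servers never see a branch office object."""
    by_container = {}
    for obj in objects:
        if obj.object_class == CONFIG_CLASS:
            by_container.setdefault(container_of(obj.dn).upper(), []).append(obj)
    for ctx in walk_up(server_context):
        hits = by_container.get(ctx.upper())
        if hits:
            return hits[0]     # the first one found is used
    return None


def resolve_config_object(objects, server_context, explicit_dn=None):
    """explicit_dn models the LOAD command-line parameter: when it is given,
    no search takes place and the named object must exist."""
    if explicit_dn is None:
        return find_config_object(objects, server_context)
    if not explicit_dn.startswith("."):
        raise ValueError("use the full distinguished name, including the leading '.'")
    for obj in objects:
        if obj.object_class == CONFIG_CLASS and obj.dn.upper() == explicit_dn.upper():
            return obj
    raise LookupError("configuration object %s not found" % explicit_dn)


# Constructed tree for the guide's scenario (HQ container name and hub attribute assumed).
TREE = [
    NdsObject(".FIREBREAKCFG.CORPORATIONNAME", CONFIG_CLASS, {"hub": "HQ1_1"}),
    NdsObject(".FIREBREAKCFG.BO1.CORPORATIONNAME", CONFIG_CLASS, {"hub": "BO1_1"}),
    NdsObject(".FIREBREAKCFG.BO2.CORPORATIONNAME", CONFIG_CLASS, {"hub": "BO2_1"}),
]
SERVER_CONTEXT = {
    "HQ1_1": ".HQ.CORPORATIONNAME", "HQ1_2": ".HQ.CORPORATIONNAME",
    "BO1_1": ".BO1.CORPORATIONNAME", "BO1_2": ".BO1.CORPORATIONNAME",
    "BO2_1": ".BO2.CORPORATIONNAME", "BO2_2": ".BO2.CORPORATIONNAME",
}


def hub_for(server, explicit_dn=None):
    """Which communications hub a server ends up sending its alerts to."""
    cfg = resolve_config_object(TREE, SERVER_CONTEXT[server], explicit_dn)
    return cfg.attrs["hub"]


if __name__ == "__main__":
    for name in SERVER_CONTEXT:
        print(name, "->", hub_for(name))
    # The override from the guide, applied to the branch hub BO1_1 only:
    print("BO1_1 with override ->", hub_for("BO1_1", ".FIREBREAKCFG.CORPORATIONNAME"))
```

Run as a script, the model shows the HQ servers and the two branch hubs (with the override) reporting to HQ1_1, while the remaining branch servers report to their local hub, which is exactly the split described in the scenario.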
Special issues
iFolder, viruses, and FireBreak
Novell iFolder v1.1 and v2.0 are products from Novell that are
available for NetWare 5.x and 6.x.
iFolder provides users with a synchronization service for files
stored on a NetWare server. Synchronization can be done over the
Internet or on a local LAN/WAN using either an iFolder client or a
web browser.
iFolder stores the synchronized files on the server in an encrypted,
proprietary file format that FireBreak cannot read. (iFolder uses
Blowfish encryption with a 128-bit key.) Consequently, FireBreak
cannot virus-check the files that iFolder keeps on the server.
It is therefore imperative that the workstations that synchronize or
download files using the iFolder service run an up-to-date
anti-virus program, for example Norman Virus Control.
The areas where iFolder stores user files are good candidates for
the exclude list.
For more information about iFolder go to Novell's product site at
http://www.novell.com/ifolder.
Using FireBreak with Novell's Native File Access Protocols
The services that make up Novell's Native File Access feature are
a set of NLMs that run on your server to offer access to the
NetWare file system without requiring Novell's proprietary client
software. Currently NFAP offers access via three non-Novell
protocols: AFP, the Apple Filing Protocol (used by Apple
Macintosh OSs), NFS (used by Unix and Linux) and CIFS (used
by Windows). The latter is the most relevant in this context and is
therefore the one discussed in detail here. Nonetheless, the
principles outlined for CIFS apply to the other protocols as well.
CIFS support is implemented as a process running on the server,
and as such the files it accesses, even when it does so on behalf of
a user, are excluded from scanning by default. Unless your shares
are, and always will be, read-only, you will want to include at
least parts of this directory structure in FireBreak's real-time virus
protection. You have to tell FireBreak the location of the
directories that users can access via CIFS.
By default, the root of every mounted volume is shared out when
you install CIFS support. Access to these shares, and to the
directories within them, is controlled via the normal file system
rights assigned to users, containers etc., just as you are used to
(see your NetWare documentation for further details).
We strongly recommend that you do not set up FireBreak to
include an entire volume. In particular this applies to the SYS
volume, as this will slow your server down. Exactly how you
configure your individual server(s) is up to you. You could for
instance create a directory below the root of the volume and set
that up as the top of the share. Add this directory to the list of
include directories, and all files that are created and/or modified in
this directory and its subdirectories will be scanned by FireBreak.
See Include list for server-based processes on page 33 for a
description of how. Remember that you should only add
directories where one or more users have rights to modify and
create files.
CIFS users and FireBreak message handling
Message handling is an integral part of FireBreak's architecture,
and enables users and administrators to be alerted when an
infected file is found. To receive messages, users must be
authenticated to NDS.
In NetWare 5.x and 6 you can configure NetWare to act as a
Windows host. This feature is called Common Internet File
System (CIFS), and is part of Novell's Native File Access Pack
(NFAP).
Basically, CIFS gives users without a Novell Client native access
to the NetWare server's file system through the familiar Windows
environment, such as Network Neighborhood.
Two methods of user authentication are available for this service:
Simple password
Domain authentication
Neither of these authentication methods uses the NCP over IP
protocol, so users are not authenticated as NetWare users as such.
FireBreak uses NetWare's underlying message capabilities, which
rely on NCP.
As a result, CIFS users cannot receive NetWare messages from
FireBreak, and may not be aware of any virus-infected files they
create on the server. If someone needs to be told about those
detections, route the alerts to an administrator or help desk via
the communications hub, SNMP or e-mail options instead.
Note: FireBreak's real-time scanner will still detect and remove
virus-infected files created on the server by any CIFS user.
Using FireBreak with IPX and protocol routers
If you are running FireBreak on multiple servers in a network that
uses protocol routers, please read the following carefully.
In a multi-server environment, one of FireBreak's strengths is its
ability to have one server act as a central communications hub, to
which the other servers connected to the same network send their
messages. For this to work, the central server must be configured
to Operate as Communications Hub and the other servers to Send
messages to Communications Hub.
When you are using IPX, you can turn on the option to advertise
the hub with NetWare's Service Advertising Protocol (SAP),
using a SAP ID that Norman has reserved with Novell.
Most protocol routers have a feature that filters SAP IDs to keep
the network from being flooded with advertisements. On these
routers you can configure which SAP IDs are allowed to pass
through.
If you wish to take advantage of FireBreak's hub feature across
such a router, it is essential that you configure the router to allow
FireBreak's SAP to pass through.
The SAP ID FireBreak uses is 0577h (1399 decimal).
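To check in a capture whether the hub advertisement actually reaches the far side of the router, this Python example, added here and not part of FireBreak, decodes the entries of a SAP response and applies a model of a router's SAP filter to them, once without and once with a rule for 0577h. The SAP entry layout it assumes is the standard one (service type, 48-byte name, network, node, socket, hops); the IPX addresses, the socket number used for the FireBreak entry and the packet itself are constructed for the example.

```python
"""Decode IPX SAP entries and model a router SAP filter (added example)."""
import struct

FIREBREAK_SAP_TYPE = 0x0577      # 1399 decimal, the ID reserved with Novell, per the guide
FILE_SERVER_SAP_TYPE = 0x0004    # standard NetWare file server service type
SAP_GENERAL_RESPONSE = 0x0002    # SAP operation code for a service response

# Assumed standard SAP entry layout following the 2-byte operation field:
# service type (2), server name (48, NUL padded), network (4), node (6), socket (2), hops (2)
ENTRY = struct.Struct(">H48s4s6sHH")


def build_sap_response(entries):
    """Encode (type, name, network, node, socket, hops) tuples as one SAP response payload."""
    body = b"".join(ENTRY.pack(t, name.encode("ascii"), net, node, sock, hops)
                    for t, name, net, node, sock, hops in entries)
    return struct.pack(">H", SAP_GENERAL_RESPONSE) + body


def parse_sap(payload):
    """Return (operation, list of entries) from a SAP payload; rejects truncated data."""
    if len(payload) < 2 or (len(payload) - 2) % ENTRY.size:
        raise ValueError("truncated or malformed SAP packet")
    op, = struct.unpack_from(">H", payload, 0)
    entries = []
    for off in range(2, len(payload), ENTRY.size):
        t, name, net, node, sock, hops = ENTRY.unpack_from(payload, off)
        entries.append({"type": t,
                        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
                        "network": net.hex(), "node": node.hex(),
                        "socket": sock, "hops": hops})
    return op, entries


def sap_filter(entries, allowed_types):
    """A router's SAP filter: only services whose type is on the allow-list are propagated."""
    return [e for e in entries if e["type"] in allowed_types]


def demo():
    """Constructed SAP broadcast from the hub server HQ1_1 (addresses and the
    FireBreak socket number are made up for the example)."""
    net, node = bytes.fromhex("00001234"), bytes.fromhex("00001b2c3d4e")
    packet = build_sap_response([
        (FILE_SERVER_SAP_TYPE, "HQ1_1", net, node, 0x0451, 1),   # 0x0451 is the NCP socket
        (FIREBREAK_SAP_TYPE, "HQ1_1", net, node, 0x8000, 1),     # FireBreak hub; socket assumed
    ])
    op, entries = parse_sap(packet)
    without_rule = sap_filter(entries, {FILE_SERVER_SAP_TYPE})
    with_rule = sap_filter(entries, {FILE_SERVER_SAP_TYPE, FIREBREAK_SAP_TYPE})
    return {"op": op,
            "advertised": [(e["type"], e["name"]) for e in entries],
            "passes_without_rule": [e["type"] for e in without_rule],
            "passes_with_rule": [e["type"] for e in with_rule]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The file server entry passes either way, which is why the hub can be reachable for file access yet invisible to FireBreak on the far side: only the second filter, with 0577h on its allow-list, propagates the hub advertisement.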
Using a FireBreak communications hub in an IP/IPX bridged
network
A bridged network normally consists of two networks with
different protocols connected via a protocol bridge. This bridge
can be a server routing both IP and IPX packets.
Where you are running a NetWare server as your protocol bridge,
the optimal solution is to appoint this server as the
communications hub. It can then receive virus infection alerts
from servers in both networks, over IP and over IPX.
Troubleshooting
Missing ConsoleOne FireBreak snap-in
The Norman FireBreak ConsoleOne snap-in consists of the files
fbc1s.jar, fbc1sRes.jar and fbc1sLib.jar.
If for some reason the snap-in was not copied or installed, locate
these three files and copy them to the snap-in directories under
your ConsoleOne installation.
The following batch file creates the necessary directory structure
and installs the snap-in files. Run it from the directory containing
the three .jar files, after editing the C1_HOME line to match the
path to your ConsoleOne installation.
@echo off
rem Edit this line to match the path to your ConsoleOne installation.
set C1_HOME=m:\public\mgmt\ConsoleOne\1.2
rem Create the three Norman snap-in directories if they do not already exist.
if not exist "%C1_HOME%\snapins\Norman\" mkdir "%C1_HOME%\snapins\Norman"
if not exist "%C1_HOME%\resources\Norman\" mkdir "%C1_HOME%\resources\Norman"
if not exist "%C1_HOME%\lib\Norman\" mkdir "%C1_HOME%\lib\Norman"
rem Copy the snap-in, its resources and its library into place.
copy fbc1s.jar "%C1_HOME%\snapins\Norman\"
copy fbc1sRes.jar "%C1_HOME%\resources\Norman\"
copy fbc1sLib.jar "%C1_HOME%\lib\Norman\"
Now you can create a FireBreak configuration object if needed.
See How do I insert the configuration object? on page 20.
CLIBAUX.NLM is a library
For backward compatibility with NetWare v4.11 and 4.20,
FireBreak requires, and will auto-load, CLIBAUX.NLM. If
CLIBAUX is not present, FireBreak will not load. On NetWare 5
and later, FireBreak also auto-loads CLIBAUX.NLM. When
CLIBAUX.NLM loads on NetWare 5 or later, it displays the
following message on the console screen and then unloads:
CLIBAUX.NLM is a library that normally
exports symbols needed to shim more support
atop CLIB.NLM. None of these symbols are
needed at present. CLIBAUX.NLM has been
unloaded as unnecessary.
This is normal and expected.
Norman eLogger
The Norman ELOGGER.NLM that is shipped with FireBreak is a
tool used only for debugging in troubleshooting situations.
Note: You do not need to load this tool unless specifically
instructed to do so by Norman support personnel.
Appendix A - Sandbox
Background
The vision of a method that automatically detects new, unknown
viruses is as old as the anti-virus industry itself. Over the years,
the AV business has invested significant resources in trying to
come up with a solution that could fulfil this ambitious goal.
At the Virus Bulletin Conference in 2001, Norman produced a
fully functional prototype of a scanning engine with sandbox
functionality.
What is a sandbox?
Sandbox is the term that best describes the technique used to
check whether a file is infected by an unknown virus. The name is
not randomly picked: the method allows untrusted, possibly viral
code to play around on the computer, not on the real computer but
in a simulated and restricted area within it. The sandbox is
equipped with everything a virus expects to find in a real
computer. It is a playground where it is safe to let a virus replicate,
but where every step is carefully monitored and logged. The virus
exposes itself in the sandbox, and because its actions have been
recorded, the cure for this new perpetrator can be generated
automatically.
Today, a new e-mail worm can infect tens of thousands of
workstations in a matter of seconds. AV vendors are expected to
find the cure, update the virus definition files and distribute them
to their customers immediately. Speed is imperative, because the
nature of today's malware is such that a successful piece of viral
code can paralyze networks and cause serious damage to an
unlimited number of computers.
Sandboxing techniques
Sandboxing using emulation
A computer virus is a computer program defined by its behavior:
it transfers code/data to other computer files. When one of those
files is in turn given control, the virus code is somehow activated
and tries to infect further files. This process is called replication.
For a computer program to be called viral, it must be able to
perform this task recursively.
Norman's sandbox is a virtual world where everything is
simulated. It is powered by an emulator, and together they let
possibly virus-infected binary executables run just as they would
on a real system. When execution stops, the sandbox is analyzed
for changes.
Sandboxing using a virtual machine
It is also possible to build a sandbox by creating a VM (Virtual
Machine). The idea is to block all exits so that the executable you
are examining cannot escape. However, we do not consider this
solution safe enough. There will always be another "exploit" of
the PC's processor, some weird interrupt/exception/fault etc., that
allows malicious code to escape a VM and spread to your real
system.
How does sandboxing affect the user?
The fundamental idea of the sandbox is to offer better protection
for the user. A major challenge is to integrate the new technology
into the product without slowing down scanning speed. The other
major problem, false alarms, has already been solved. Norman's
sandbox technology is officially introduced with NVC v5.60, even
though it has been used covertly by the scanning engine for some
time. As of v5.60 the sandbox is visible among the configuration
options in certain modules.
Index
Symbols
/DSE- 70
@D 48
@F 48
@P 48
@S 48
@U 48
@V 48
A
Admin 15, 18, 22, 26, 40
Administer FireBreak 77
Administer log files 77
Advertise communications hub using
SAP 45
AFP - Apple Filing Protocol 122
Aggressive commercials 28
Alternate community name 55
Append to existing file 37
Auto update options
Check more than once during interval 66
Distribution folder 67
Distribution server 67
Enable auto update of local server
63
Fetch updates from distribution
server 65
Remote fetch interval (local time)
66
Remote users name 66
Remote users password 67
AUTOEXEC.NCF 16, 19, 68
automatic update feature 15
Average scan time per file 93
B
Basic options
Display messages on system con-
sole 25
Display monitor-screen upon load
26
Password protected configuration
26
Boot virus 81
Broadcast alerts from workstation 48
Broadcast when a virus is detected 47
Broadcast when unable to clean 47
Browse the selected file 77
C
CA Unicenter 53
centralized alerts 118
Check more than once during interval
66
CIFS 33, 123
CIFS (Common Internet File System)
113
Clean viruses if possible 39
Cleaning not possible 40
Clear saved infection information 78
CLIBAUX.NLM 126
Common Internet File System (CIFS)
123
Common scanning options
Exclude files of indeterminate for-
mat 29
Exclude list 29
Scan for aggressive commercials
28
Scan for security risks 28
Scan inside compressed program
files 28
Common settings
Aggressive commercials 28
communication hub 44
communications hub 11
community name 55
compressed executables 28
132 Index
Copyright 1990-2004 Norman
ConsoleOne 12, 20, 22, 46
consultancy services v
Country container (C) 20
D
Delete the selected file 78
Display messages on system console
25
Display monitor-screen upon load 26
Display statistical information 92
distinguished name 118
Distribution folder 67
distribution folder 112
Distribution server 67
distribution server 112
DS polls 61
DSEvents 21
E
eDirectory v, 12, 23
ELOGGER.NLM 15
ELOGWS32.NLM 15
email worms 33, 36
Enable auto update of local server 63
Enable e-mail messaging 57
Enable SNMP 54
Exclude files of indeterminate format
29
Exclude list 29
F
FB.NCF 16
FB400.CFG 15, 23, 26
fbc1s.jar 126
fbc1sLib.jar 126
fbc1sRes.jar 126
FBERROR.LOG 16, 59
FBEVENTS.LOG 17
FBREALTI.LOG 16, 50, 77
FBSCAN.LOG 16
FBVIRUS.LOG 17, 41
Fetch updates from distribution server
65
FIREBRK.NLM 15
Form feed after each alert 52
Forward workstation alerts 55
full distinguished name 70
Fully qualified distinguished name 119
G
General information and alerts 57
Group to notify 46
H
hub 11
I
iFolder 122
Include list for server-based processes
33
included protocol independent messag-
ing system 114
incremental names 41
IP 45
IP and IPX packets 125
iPrint 51
IPX 45
L
List alert group members 91
Log incidents to file 39
Log infected files 37
Log results to file 37
Log workstation virus alerts 39
Logging 37
long name space 41
M
Mail message body 58
Mail recipients 58
Main menu
Administer FireBreak 77
Display monitor 78
Virus library 79
main menu 73
Index 133
Copyright 1990-2004 Norman
Malware 11
Max scan time used on a file 93
Message to be broadcasted, real-time
scan 47
messaging functionality 22
Messaging options
Advertise communications hub us-
ing SAP 45
Alternate community name 55
Broadcast alerts from workstation
48
Broadcast when a virus is detected
47
Broadcast when unable to clean 47
Enable e-mail messaging 57
Enable SNMP 54
Form feed after each alert 52
Forward workstation alerts 55
General information and alerts 57
Group to notify 46
Mail message body 58
Mail recipients 58
Message to be broadcasted, real-
time scan 47
Notify offending user 47
On all virus detections 54
Operate as communications hub
45
Port 58
Print banner 51
Print queue to use for alerts 51
Real-time scanning traps 54
Reply to 58
Send general information traps 55
Sendmessages to communication
hub 44
Server scanning traps 54
Server to use as communication
hub 44
SMTP server 57
When a virus is detected 57
When a virus is detected, but could
not be cleaned 57
When unable to clean 54
Min scan time used on a file 93
Monitor screen 78, 83
Move infected files off-line 40
N
Native File Access Pack (NFAP) 123
Native File Access Protocols 33
NCP 124
NDPS 51
NDS FireBreak object 62, 71, 118
NDS options
Poll NDS for changes every x
minutes 62
Re-read FireBreaks configuration
from the NDS 62
Re-scan NDS for a configuration
object 62
Use typeful name for FireBreak 62
NetWare Loadable Module 12
network worms 33, 36
NFAP
AFT 122
CIFS 123
NFS 123
NFAP - Native File Access Protocols
122
NFS 123
NIU 63, 66
NIU.NCF 109, 110
Norman Internet Update 63
Norman Internet Update (NIU) 66, 67,
97
NORMLIB.NLM 110
Notify offending user 47
NRELOAD.NLM 15
NSENW.NLM 15
NVCBIN.DEF 15
NVCINCR.DEF 15
NVCMACRO.DEF 15
O
On all virus detections 54
on-demand scanner 54
134 Index
Copyright 1990-2004 Norman
on-demand scanning 12, 27
Open View 53, 114
Operate as communications hub 45
Organizational container (O) 20
Organizational Unit (OU) 20
P
password crackers 28
PKLite 28
Poll NDS for changes every x min-
utes 62
Port 58
Print banner 51
Print queue to use for alerts 51
Print the selected file 78
Purge infected files 40
R
real-time scanning 12, 21, 27
Real-time scanning options
Scan for new, unknown viruses us-
ing sandbox 33
Scan incoming files 32
Scan outgoing files 32
Scan outgoing files opened for
write 32
Real-time scanning traps 54
remote administrative tools 28
Remote fetch interval (local time) 66
Remote users name 66
Remote users password 67
Reply to 58
Requirements, system iv
Re-read FireBreaks configuration
from the NDS 62
Re-scan NDS for a configuration object
62
S
sandbox 33, 36
Sandboxing
emulation 129
virtual machine 129
SAP (Service Advertising Protocol) 45
Scan for new, unknown viruses using
sandbox 33, 36
Scan for security risks 28
Scan incoming files 32
Scan inside compressed program files
28
Scan outgoing files 32
Scan outgoing files opened for write 32
Scanned directories 37
Scanned files 37
Scanning priority 36
Send general information traps 55
Send messages to communication hub
44
Server scanning options
Append to existing file 37
Log infected files 37
Log results to file 37
Logging 37
Scan for new, unknown viruses us-
ing sandbox 36
Scanned directories 37
Scanned files 37
Scanning priority 36
Server scanning traps 54
Service Advertising Protocol (SAP)
124
Simple Network Management Protocol
(SNMP) 53
SMTP server 57
SNMP trap 43, 55
SNMP traps 114
SYS
FIREBRK 14
FIREBRKOWNLOAD 15
FIREBRKLOG 14, 22
FIREBRKUPDATE ASTER 67
FIREBRKVIRUS 15
System requirements iv
T
technical support v
Tivoli 53, 114
Index 135
Copyright 1990-2004 Norman
token 47
TRAPTARG.CFG 115
U
Unicenter 114
Use numeric names for moved files 41
Use typeful name for FireBreak 62
V
Virtual Machine (VM) 129
virus characteristics 79
virus container 15
Virus detected options
Clean viruses if possible 39
Log incidents to file 39
Log workstation virus alerts 39
Move infected files off-line 40
Purge infected files 40
Use numeric names for moved
files 41
When cleaning is not possible 40
Virus library 79
Virus, boot 81
W
When a virus is detected 57
When a virus is detected, but could not
be cleaned 57
When unable to clean 54

Das könnte Ihnen auch gefallen