xref: /titanic_50/usr/src/man/man1m/vscand.1m (revision 7b07063d906859b2be1e88791f801b3c96e432f6)
te
Copyright (c) 2007 Sun Microsystems, Inc. All Rights Reserved.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
VSCAND 1M "Nov 6, 2007"
NAME
vscand - vscan service daemon
SYNOPSIS

/usr/lib/vscan/vscand
DESCRIPTION

vscand is the daemon that handles virus scan requests from file systems on file open and close operations. A file system may support enabling and disabling of virus scanning on a per dataset basis, using that file system's administrative command, for example zfs(1M).

If the file state or scan policy (see vscanadm(1M) requires that a file be scanned, vscand communicates with external third-party virus scanners (scan engines) using the Internet Content Adaptation Protocol (ICAP, RFC 3507) to have the file scanned.

A file is submitted to a scan engine if it has been modified since it was last scanned, or if it has not been scanned with the latest scan engine configuration (Virus definitions). The file's modified attribute and scanstamp attribute are used to store this information. Once the file is scanned, the modified attribute is cleared and the scanstamp attribute is updated.

If the file is found to contain a virus, the virus is logged in syslogd(1M), an audit record is written, and the file is quarantined (by setting its quarantine attribute). Once a file is quarantined, attempts to read, execute or rename the file will be denied by the file system. The syslogd(1M) entry and the audit record specify the name of the infected file and the violations detected in the file. Each violation is specified as "ID - threat description", where ID and threat description are defined in the X-Infection-Found-Header in ICAP RFC 3507; Extensions.

By default, vscand connects to scan engines on port 1344. The port and other service configuration parameters can be configured using vscanadm(1M).

The vscan service is disabled by default, and can be enabled using svcadm(1M).

EXIT STATUS

The following exit values are returned: 0

Daemon started successfully.

non-zero

Daemon failed to start.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability Uncommitted
SEE ALSO

ps(1), svcs(1), logadm(1M), svcadm(1M), syslogd(1M), vscandadm(1M), zfs(1M), attributes(5), smf(5)

NOTES

If a file is accessed using a protocol which does not invoke the file system open and close operations, for example NFSv3, virus scanning is not initiated on the file.

File content is transferred to the scan engines as cleartext data.

Administrative actions for the vscan service, such as enabling, disabling, or requesting a restart, can be performed using svcadm(1M). The vscan service status can be queried using the svcs(1) command.

The vscan service is managed by the service management facility, smf(5), under the service identifier:

svc:/system/filesystem/vscan