Enabling On-Access Scanning for Linux Virtual Machines
Bitdefender GravityZone provides full visibility into organizations’ overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender’s Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.
This article is meant to help you enable the on-access scanning module of Security for Virtualized Environments on Linux virtual machines.
Note: This article describes how to manually enable On-Access scanning for Linux Virtual Machines on GravityZone versions prior to 5.0.4-1415 (released on June 12th 2013). Since version 5.0.4-1415 of GravityZone, a new option in the Virtual Machines policy settings allows you to automatically enable and configure On-Access scanning for Linux Virtual Machines.
The Linux version of Bitdefender Tools includes a beta on-access scanning module that works with specific Linux distributions and kernel versions. On-access scanning support can be enabled manually on each virtual machine. On-access scanning requires the DazukoFS loadable kernel module.
DazukoFS is a stackable file system that enables third-party applications to control file access on Linux systems. For more information, go to http://www.dazuko.org
On-access scanning is available for all supported Windows versions. A beta on-access scanning module is also available for specific Linux distributions and kernel versions, as shown in the following table:
| Linux Distribution | Kernel Version |
|---|---|
| Ubuntu 10.04 | 2.6.32-44-generic-pae i686, 2.6.32-44-server x86_64, 2.6.32-45-generic-pae i686, 2.6.32-45-server x86_64 |
| RHEL/CentOS 5.7, 5.6 | 2.6.18-308.24.1.el5 i686 & x86_64, 2.6.18-308.el5 i686 & x86_64, 2.6.18-348.el5 i686 & x86_64 |
| RHEL/CentOS 6.2, 6.1 | 2.6.32-279.19.1.el6 i686 & x86_64, 2.6.32-279.el6 i686 & x86_64 |
To enable on-access scanning support on a Linux virtual machine with Bitdefender Tools installed:
Load the DazukoFS kernel module
During Bitdefender Tools installation, DazukoFS is set to load automatically at boot time. To load the module immediately after installation, you must either restart the virtual machine or run the following command:
# modprobe dazukofs
Note: If the DazukoFS package shipped with Bitdefender Tools is not compatible with the system's kernel version, the module will fail to load. In such a case, you can either update the kernel to a supported version or recompile the DazukoFS module for your kernel version. You can find the DazukoFS package in the Bitdefender Tools installation directory:
For more information on compiling and loading DazukoFS for an unsupported kernel version, refer to this KB article.
To check if DazukoFS is loaded, run the following command:
# lsmod | grep dazukofs
If the module is loaded, the command outputs a line starting with dazukofs.
Note: To unload the DazukoFS kernel module, you must first reset the monitored directories and then stop the Bitdefender services.
To reset monitored directories:
# /opt/BitDefender/bin/bdsafe registry setkey "/BDUX/EpsecDaemon/OASWatch" ""
To stop the Bitdefender services, run this command:
# /opt/BitDefender/bin/bd stop
To unload the DazukoFS module:
# rmmod dazukofs
After unloading the module, restart the Bitdefender services using this command:
# /opt/BitDefender/bin/bd start
Manage Monitored Directories
Directories are placed under DazukoFS monitoring with the following command, which takes a colon-separated list of absolute paths:
# /opt/BitDefender/bin/bdsafe registry setkey "/BDUX/EpsecDaemon/OASWatch" "/path_1:/path_2:/path_n"
For example, to enable on-access scanning for the /home and /root directories, the command is:
# /opt/BitDefender/bin/bdsafe registry setkey "/BDUX/EpsecDaemon/OASWatch" "/home:/root"
The new watch list takes effect only after bdepsecd has been restarted:
# /opt/BitDefender/bin/bd restart
DazukoFS monitors the entire directory tree under a mounted directory, unless a subdirectory is explicitly excluded by the policy.
Important: DazukoFS must be loaded after all separate file systems have been mounted (i.e., mount NFS, CIFS or eCryptfs file systems first, and only afterwards activate protection for those mount points).
Note: You cannot watch the root file system (/) with DazukoFS. Protection for the following system paths is also not supported and should be avoided: /proc, /bin, /usr, /sbin, /lib
To check the list of directories mounted using DazukoFS, run the following command:
# /opt/BitDefender/bin/bdsafe registry getkey "/BDUX/EpsecDaemon/OASWatch"
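The procedure above as one script, added here as an example and not a Bitdefender-supplied tool: it validates the requested directories against the restrictions stated in this article (no root file system, none of the unsupported system paths) before writing the OASWatch key, refuses to configure anything while the dazukofs module is not loaded, and then restarts bdepsecd. It assumes only the bdsafe and bd paths and the registry key exactly as given above.

```shell
#!/bin/sh
# Example script written for this article (not part of Bitdefender Tools). Paths and the
# OASWatch key are the ones the article gives; the unsupported path list is the one in
# the note above. Run as root: sh enable_oas.sh /home /root

BDSAFE=/opt/BitDefender/bin/bdsafe
BDCTL=/opt/BitDefender/bin/bd
OASWATCH_KEY="/BDUX/EpsecDaemon/OASWatch"
UNSUPPORTED="/proc /bin /usr /sbin /lib"   # system paths DazukoFS protection does not support

# norm_dir DIR: print DIR without trailing slashes ("/home/" -> "/home", "/" -> "").
norm_dir() { d=$1; while [ "$d" != "${d%/}" ]; do d=${d%/}; done; printf '%s\n' "$d"; }

# oas_path_ok DIR: return 0 if DIR may be watched by DazukoFS, 1 otherwise.
oas_path_ok() {
    d=$(norm_dir "$1")
    case $d in
        "") return 1 ;;      # "/" normalises to "": the root file system cannot be watched
        /*) ;;               # must be an absolute path
        *)  return 1 ;;
    esac
    for bad in $UNSUPPORTED; do
        case $d in
            "$bad"|"$bad"/*) return 1 ;;   # the unsupported path itself or anything beneath it
        esac
    done
    return 0
}

# build_oaswatch DIR...: print the colon-separated OASWatch value, or print nothing
# and return 1 if any DIR fails oas_path_ok (the whole list is rejected, not trimmed).
build_oaswatch() {
    out=""
    for d in "$@"; do
        oas_path_ok "$d" || return 1
        out="${out:+$out:}$(norm_dir "$d")"
    done
    printf '%s\n' "$out"
}

# apply_oaswatch DIR...: require dazukofs to be loaded, set the key, restart bdepsecd.
apply_oaswatch() {
    lsmod | grep -q '^dazukofs' || { echo "dazukofs is not loaded" >&2; return 1; }
    value=$(build_oaswatch "$@") || { echo "watch list contains an unsupported path" >&2; return 1; }
    "$BDSAFE" registry setkey "$OASWATCH_KEY" "$value" && "$BDCTL" restart
}

if [ $# -gt 0 ]; then apply_oaswatch "$@"; fi
```

The resulting key can be confirmed with the getkey command shown above; the script only performs the checks and writes, it does not read the key back.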