Powertech Anti-Virus for AIX/Linux Audit

Overview

Powertech Anti-Virus for AIX/Linux provides all of the power and protection of the industry-leading McAfee scanning engine.

Powertech Anti-Virus is easy to use and a breeze to keep current with the latest virus definitions directly from McAfee and software updates from Powertech. With Powertech Anti-Virus for AIX/Linux you have the essential tools to ensure that your AIX and Linux servers are protected from the threats of viruses, worms, and malware.

Powertech Anti-Virus for AIX/Linux Features

The major product features are:

  • On-Access scanning. Powertech Anti-Virus' On-Access virus scanner has been integrated with the scanning software to ease installation and management.
  • Simplified virus scanning. A single command, avscan, allows you to scan all or part of the system manually or at scheduled times.
  • Accessible virus definitions. Having the latest virus definitions from McAfee ensures the best possible protection against current virus threats. A simple command can be used to acquire the latest virus definitions.
  • Network-friendly. Powertech Anti-Virus for AIX can retrieve virus definitions and program updates from either an FTP server or a shared network path, so one AIX server can download the virus definitions (from McAfee's FTP server) and the remaining servers can retrieve their virus definition files from the shared network path or local FTP server.
  • Powered by McAfee, the leading provider of network security and availability technology.

System Pre-requisites

Syslog Events must be forwarded to the Event Manager machine.

AIX Syslog Configuration

Use the following information to configure Powertech Anti-Virus syslog logging for AIX.

For information about the Zlog configuration file, see https://hardysimpson.github.io/zlog/UsersGuide-EN.html.

Log files are created in the /opt/sgav/log folder. If they are not, verify the following:

  • The zlog.conf file exists
  • The zlog.conf file can be read by the user
  • The zlog.conf file does not contain typos that would prevent it from being parsed correctly

NOTE: /var/adm/ras/errlog also stores output from avscan and avupdate, and is also controlled within zlog.conf.

Logging levels

The following severity levels are used:

ERROR: Serious messages that cause the product to fail or stop working
WARN: Important messages that should be looked at (virus infections, quarantine, etc.)
NOTICE: General startup and shutdown activity, completion messages
INFO: Detailed messages, files not scanned, etc.

A zlog rule written for one of these levels also matches every more severe level listed above it (a rule at INFO matches NOTICE, WARN and ERROR messages as well), unless the level name is preceded by the '=' sign, in which case only that exact level matches.

Linux Syslog Configuration

Use the following information to configure Stand Guard Anti-Virus syslog logging.

Powertech Anti-Virus uses Zlog to send log messages to local logs and to mirror them to syslog. For information about the Zlog configuration file, see https://hardysimpson.github.io/zlog/UsersGuide-EN.html.

Log files are created in the /opt/sgav/log folder. If they are not, verify the following:

  • The zlog.conf and zlog-avsvc.conf files exist
  • The zlog.conf and zlog-avsvc.conf files can be read by the user
  • The zlog.conf and zlog-avsvc.conf files do not contain typos that would prevent them from being parsed correctly

NOTE: The destination for the syslog messages depends on the syslog configuration of the host. By default, it may be /var/log/messages or /var/log/syslog.
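The checklists above for AIX (zlog.conf) and Linux (zlog.conf and zlog-avsvc.conf) can be run as a script. The following is an added readiness check written for this page; it is not part of Powertech Anti-Virus. It takes the /opt/sgav/log folder from the text, and assumes that the zlog configuration files live in /opt/sgav (override with SGAV_CONF_DIR), that the zlog-chk-conf helper shipped with zlog may be installed, and, on AIX, that SGAV_CONF_FILES is set to zlog.conf only. It also compares the syslog facilities found in the rules with the documented defaults described in the logging-levels section below.

```shell
#!/bin/sh
# Added readiness check for the zlog prerequisites (not part of Powertech
# Anti-Virus). /opt/sgav/log comes from the documentation; the config
# directory /opt/sgav and the zlog-chk-conf helper are assumptions.
SGAV_LOG_DIR="${SGAV_LOG_DIR:-/opt/sgav/log}"
SGAV_CONF_DIR="${SGAV_CONF_DIR:-/opt/sgav}"
SGAV_CONF_FILES="${SGAV_CONF_FILES:-zlog.conf zlog-avsvc.conf}"

# Documented default syslog facility per product level ("" = not mirrored).
expected_facility() {
    case "$1" in
        FATAL|ERROR) echo LOG_LOCAL3 ;;
        WARN)        echo LOG_LOCAL4 ;;
        NOTICE)      echo LOG_LOCAL5 ;;
        *)           echo "" ;;
    esac
}

# check_conf_file FILE: 0 if FILE exists, is readable by the current user and
# has a [rules] section; otherwise print the reason and return 1.
check_conf_file() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    [ -r "$1" ] || { echo "UNREADABLE: $1 (as user $(id -un))"; return 1; }
    grep -q '^\[rules\]' "$1" || { echo "NO [rules] SECTION: $1"; return 1; }
    return 0
}

# rule_facilities FILE CATEGORY LEVEL: print the facility of every ">syslog"
# rule in [rules] matching CATEGORY.LEVEL under zlog's rule semantics:
# "cat.X" matches X and every more severe level, "cat.=X" matches X only,
# "*" matches anything. (zlog's "!X" negation is not handled here.)
rule_facilities() {
    awk -v cat="$2" -v lvl="$3" '
        BEGIN { rank["DEBUG"] = 1; rank["INFO"] = 2; rank["NOTICE"] = 3
                rank["WARN"] = 4; rank["ERROR"] = 5; rank["FATAL"] = 6 }
        substr($0, 1, 1) == "[" { in_rules = (index($0, "[rules]") == 1); next }
        !in_rules || $0 ~ /^[[:space:]]*#/ || $0 !~ />[[:space:]]*syslog/ { next }
        {
            split($1, kv, ".")            # "avscan.=WARN" -> "avscan", "=WARN"
            if (kv[1] != cat && kv[1] != "*") next
            exact = (substr(kv[2], 1, 1) == "=")
            rl = exact ? substr(kv[2], 2) : kv[2]
            if (rl == "*") hit = 1
            else if (!(rl in rank) || !(lvl in rank)) hit = 0
            else hit = exact ? (rl == lvl) : (rank[rl] <= rank[lvl])
            if (hit && match($0, /LOG_[A-Z0-9]+/)) print substr($0, RSTART, RLENGTH)
        }' "$1"
}

# check_rule_facilities FILE CATEGORY: compare each level's mirroring with the
# documented defaults; prints one line per level, returns the mismatch count.
check_rule_facilities() {
    mismatches=0
    for lvl in FATAL ERROR WARN NOTICE INFO DEBUG; do
        want=$(expected_facility "$lvl")
        got=$(rule_facilities "$1" "$2" "$lvl" | sort -u | tr '\n' ' ')
        if [ -z "$want" ]; then
            [ -z "$got" ] && hit=1 || hit=0
        else
            case " $got" in *" $want "*) hit=1 ;; *) hit=0 ;; esac
        fi
        if [ "$hit" -eq 1 ]; then
            echo "OK   $2.$lvl -> ${got:-not mirrored}"
        else
            echo "DIFF $2.$lvl -> ${got:-not mirrored} (default: ${want:-not mirrored})"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# audit_sgav_logging: run every check; returns 0 only when all of them pass.
audit_sgav_logging() {
    failures=0
    if [ -d "$SGAV_LOG_DIR" ]; then echo "OK   log folder $SGAV_LOG_DIR"
    else echo "MISSING log folder $SGAV_LOG_DIR"; failures=$((failures + 1)); fi
    for f in $SGAV_CONF_FILES; do
        path="$SGAV_CONF_DIR/$f"
        if check_conf_file "$path"; then
            echo "OK   $path"
            # zlog's own checker reports the syntax errors the checklist warns about
            if command -v zlog-chk-conf >/dev/null 2>&1; then
                zlog-chk-conf "$path" || failures=$((failures + 1))
            fi
        else
            failures=$((failures + 1))
        fi
    done
    # avscan/avupdate rules live in zlog.conf, avsvc rules in zlog-avsvc.conf
    for spec in "zlog.conf avscan" "zlog.conf avupdate" "zlog-avsvc.conf avsvc"; do
        set -- $spec
        [ -r "$SGAV_CONF_DIR/$1" ] || continue
        check_rule_facilities "$SGAV_CONF_DIR/$1" "$2" || failures=$((failures + $?))
    done
    return "$failures"
}

# Usage: sh sgav_logging_audit.sh --run   (defines functions only when sourced)
if [ "${1:-}" = "--run" ]; then
    audit_sgav_logging
fi
```

Run it as the user the product runs as, since readability is checked with that user's permissions; a non-zero exit status means at least one prerequisite is not met, and each DIFF line shows a level whose syslog facility differs from the documented default.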

Logging levels

The following severity levels are used by Powertech Anti-Virus:

FATAL: Fatal conditions that will cause the product to stop running.
ERROR: Serious messages that will cause the product to stop running.
WARN: Important messages that should be looked at (e.g. virus infections, quarantine).
NOTICE: General startup and shutdown activity, completion messages.
INFO: Detailed messages, files not scanned, etc.
DEBUG: Debug trace

You can set the syslog facility to which each of these levels is mirrored in the zlog configuration files.

By default:

  • FATAL and ERROR messages are sent to syslog at facility LOG_LOCAL3.
  • WARN messages are sent to LOG_LOCAL4.
  • NOTICE messages are sent to LOG_LOCAL5.
  • INFO and DEBUG messages are not mirrored to syslog.

The zlog configuration for the avupdate and avscan tools is defined by the avupdate and avscan rules in zlog.conf. Changes take effect the next time these tools are run.

The avsvc server uses the avsvc rules in zlog-avsvc.conf. Changes take effect the next time the server is started or its configuration is reloaded ("avsvcctl reload").
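As an added illustration of the rule semantics and default facilities described above (this is not the zlog.conf shipped with the product), the following fragment reproduces the documented default mirroring for the avscan category. The level names, the ">syslog, FACILITY" output and the "=" prefix are zlog syntax; the local log file path, the format definition and its name "simple" are assumptions.

```ini
# Added example, not the product's own zlog.conf. Only the avscan category is
# shown; avupdate takes the same shape in this file and avsvc in zlog-avsvc.conf.
[formats]
# assumed format: timestamp, level, category, message
simple = "%d(%F %T) %V [%c] %m%n"

[rules]
# Local log file (path assumed): INFO and every more severe level.
avscan.INFO     "/opt/sgav/log/avscan.log"; simple

# Mirror to syslog. Without "=", a rule matches its level and above, so the
# ERROR rule also carries FATAL to LOG_LOCAL3. With "=", only that level matches.
avscan.ERROR    >syslog, LOG_LOCAL3; simple
avscan.=WARN    >syslog, LOG_LOCAL4; simple
avscan.=NOTICE  >syslog, LOG_LOCAL5; simple

# No >syslog rule at INFO or DEBUG: those levels stay local, as documented.
```

The "=" rules are what keep WARN out of LOG_LOCAL3 and NOTICE out of LOG_LOCAL4; writing them without "=" would send each message to every facility whose rule it also matches. Forwarding the resulting local3, local4 and local5 events to the Event Manager machine is done in the host's own syslog daemon configuration, whose syntax depends on the daemon in use.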

Possible Syslog Messages

Please refer to the following manuals and search for "Possible Syslog Messages" to see the messages that may be generated on each operating platform:

AIX

https://static.helpsystems.com/powertech/help/stand_guard_anti_virus_aix/4_1_3/StandGuardAntivirusforAIXHelp.pdf

Linux

https://static.helpsystems.com/powertech/help/stand_guard_anti_virus_linux/4_2/StandGuardAntivirusforLinuxHelp.pdf