SecureTransport - Antivirus Module
SecureTransport provides modules to allow files to be scanned for malware. At present Axway has integration with Symantec, Kaspersky and McAfee antivirus scan engines.
The Symantec module is installed within SecureTransport and requires that you separately purchase the Symantec Scan Engine. Be aware that the Symantec scan engine works by transferring files over the network for scanning.
The Kaspersky and McAfee AV integration has a module to be installed on your SecureTransport server and an Axway-provided McAfee / Kaspersky antivirus software that runs on Linux (SUSE or RHEL). They both require that the SecureTransport Server and the Linux AV server have access to a common file share.
The McAfee AV software that runs on the Linux server requires JRE 1.6 (32-bit). It is supplied with a number of scripts for starting and stopping the AV service / daemon and updating the AV definitions.
Unfortunately there are a few shortcomings with the McAfee AV module:
Start-up Scripts
The antivirus module is not shipped with any operating system integrated start-up scripts and Axway charge for such scripts to be created as custom development work. This is a bit of a pain because without such a script you would need to manually start the service after a reboot or cold-boot.
In view of this, the scripts below may be of use to others deploying the McAfee AV module to automatically start and stop the antivirus service as the Linux server moves from one run-level to another.
- SSH to the Linux AV server and navigate to the /etc/sysconfig directory

```
cd /etc/sysconfig
```

- Save the text below in a file named stavserver.config in the /etc/sysconfig directory

```
# SecureTransport RemoteAntivirus Server Configuration File
#
# This file is used by the application's Sysv Init Script to determine the port the service should bind to
# and to determine the IP addresses that should be allowed to connect to the service
#
# Configuration information is specified in key value pairs e.g. key=value (no spaces between the key and value)
# At present this configuration file only uses the port and allowedaddresses keys, this is because although the application
# supports a --host field the stop script is hardcoded to attempt to shutdown the service on the loopback address even if the --host switch was specified.
# The --host switch forces the service to bind to a specific interface
#
port=8080
allowedaddresses=10.67.87.40
```

- Save the code below as a file named stavservice in the /etc/init.d/ directory

```
#!/bin/bash
# chkconfig: 345 99 01
# description: The SecureTransport Antivirus Service
# config: /etc/sysconfig/stavserver.config
#
# Derived from -
# URL: http://shrubbery.mynetgear.net/c/display/W/Java+Daemon+Startup+Script
#
# Notes:
# The ST AV Service will run in runlevel 3,4 and 5.
# It will start at the very end (S99) of the init run and terminate very early (K01) when leaving the runlevel
#
# Change History:
# 2012-07-21 Vijay Thakorlal: Modified Christian d'Heureuse's script to be used to stop / start
#            the SecureTransport 5.1 Antivirus Service (McAfee Engine)
#            Rewrote the getServiceFunction to work with the ST AV service
#            Modified the stop and start functions
#
# To Do:
# 1) Modify the script to forcibly kill the ST AV service if a graceful stop fails
#

# Source function library.
. /etc/rc.d/init.d/functions

# VARIABLES
appBinDir="/opt/Axway/RemoteAntivirusServer/bin/"   # location of the application / service
maxShutdownTime=15   # maximum number of seconds to wait for the daemon to terminate normally
                     # currently not used but could be used to forcibly kill service if stop script does not work
serviceName="ST RemoteAntivirus Service"   # The name of the service
serviceUser="axwayav"    # OS user name for the service
serviceGroup="axwayav"   # OS group name for the service
CONFIGFILE="/etc/sysconfig/stavserver.config"   # Configuration file containing value for start/stop script switches

# FUNCTIONS

# Print the value of the uncommented port= line in the configuration file
function getPort {
    XPORT=`grep '^port=' "$CONFIGFILE" | cut -d"=" -f2`
    echo "$XPORT"
}

# Print the value of the uncommented allowedaddresses= line in the configuration file
function getAddrs {
    XADDRS=`grep '^allowedaddresses=' "$CONFIGFILE" | cut -d"=" -f2`
    echo "$XADDRS"
}

# Set $pid to the PID of the running service; return 0 if it is running, 1 otherwise
function getServicePID {
    pid=`pgrep -f /opt/Axway/RemoteAntivirusServer/lib/servlet-api.jar`
    if [[ $? -eq 0 ]]; then
        #echo $pid is already running!
        return 0
    fi
    return 1
}

function startSTAVService {
    getServicePID
    if [[ $? -eq 0 ]]; then echo -n "$serviceName is already running"; echo ""; RETVAL=0; return 0; fi
    PORT=$(getPort)
    ALLOWEDADDRS=$(getAddrs)
    echo -n "Starting SecureTransport AV Server Service on port $PORT and with the allowed addresses $ALLOWEDADDRS: "
    cd "$appBinDir"
    if [[ $? -ne 0 ]]; then RETVAL=1; echo "failed"; return 1; fi
    cmd="./RemoteAntivirusServerService.sh --port=$PORT --allowedaddresses=$ALLOWEDADDRS"
    su -m "$serviceUser" -c "$cmd"
    if [[ $? -ne 0 ]]; then RETVAL=1; echo "failed"; return 1; fi
    sleep 8   # sleep for 8 secs since sometimes it takes a while for the service to startup
    getServicePID   # refresh $pid now that the service has been started
    echo "started PID=$pid"
    RETVAL=0
    return 0
}

function stopSTAVService {
    getServicePID
    if [[ $? -ne 0 ]]; then echo -n "$serviceName is not running, nothing to do"; RETVAL=0; echo ""; return 0; fi
    echo -n "Shutting down SecureTransport AV Server Service (this may take some time): "
    echo ""
    cd "$appBinDir"
    if [[ $? -ne 0 ]]; then RETVAL=1; echo "failed"; return 1; fi
    PORT=$(getPort)
    cmd="./StopRemoteAntivirusServer.sh --port=$PORT"
    su -m "$serviceUser" -c "$cmd"
    if [[ $? -ne 0 ]]; then RETVAL=1; echo "failed"; return 1; fi
    echo "stopped PID=$pid"
    RETVAL=0
    return 0
}

function checkServiceStatus {
    echo -n "Checking for $serviceName: "
    getServicePID
    if [[ $? -eq 0 ]]; then
        echo "running PID=$pid"
        RETVAL=0
    else
        echo "stopped"
        RETVAL=3
    fi
    return 0
}

function main {
    RETVAL=0
    case "$1" in
        start)
            startSTAVService
            ;;
        stop)
            stopSTAVService
            ;;
        status)
            checkServiceStatus
            ;;
        restart|reload|condrestart)
            stopSTAVService
            sleep 8
            startSTAVService
            ;;
        *)
            echo "Usage: $0 {start|stop|status|restart|reload}"
            exit 1
            ;;
    esac
    exit $RETVAL
}

main "$1"
```

- Change the permissions of the file

```
chmod 755 stavservice
```

- Add a new service

```
chkconfig --add stavservice
chkconfig stavservice on
```

- Check the service has been “registered” with chkconfig (example output shown below)

```
[root@stavserver init.d]# chkconfig --list stavservice
stavservice 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@stavserver init.d]# service stavservice status
Checking for ST RemoteAntivirus Service: stopped
[root@stavserver init.d]#
```

- Now you should be able to control the service using the standard Red Hat commands chkconfig and service

```
# determine the service status
service stavservice status
# start the service
service stavservice start
# stop the service
service stavservice stop
```

Port Bindings, Stop Script and Web Console
The McAfee AV module is supplied with a script, RemoteAntivirusServerService.sh, that starts the antivirus software as a service / daemon. By default the service listens on port 80. The --port switch can be used to specify an alternative port on which the service will listen, e.g. --port=8080
The script also has a --hosts switch which specifies the interface on which the service should listen. The script itself passes this parameter to the Java application (servlet). Unfortunately, if you use this switch and then attempt to stop the service, you will find that the stop fails. This is because the application is hard-coded to send the shutdown signal to the loopback address regardless of what you specified with the hosts switch.
The application has a web console that can be used to view files that are in the process of being scanned and for creating / deleting engine definitions. The console is accessible on port 80 (assuming an alternate port was not used to start the service). The web application is not protected by a password, so anyone could potentially shut down the service. However, there is an allowedaddresses switch that can be used to specify the IP addresses that are allowed to connect to the antivirus service. You can specify multiple IP addresses by separating them with commas or using asterisk wildcards.
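Because allowedaddresses is the only access control on the console, it is worth checking the values in stavserver.config before the init script passes them to the service. The following is an added example, not part of the original scripts or of Axway's software; the function names, the one-wildcard-per-octet syntax and the rule that a wildcarded first octet is too broad are assumptions of this example.

```shell
# Added example (not from the original scripts): validate stavserver.config.
# Assumptions: a wildcard replaces one whole octet, e.g. 10.67.87.*, and a
# wildcarded first octet is treated as too broad for a password-less console.

# Print the value of the first uncommented "key=value" line: $1=key, $2=file.
cfg_value() { sed -n "s/^$1=//p" "$2" | head -n 1; }

# Succeed if $1 is a decimal TCP port in the range 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Check one entry: 0 = acceptable, 1 = malformed, 2 = first octet wildcarded.
check_addr() {
    case "$1" in ''|*[!0-9.*]*|.*|*.|*..*) return 1 ;; esac
    set -f; old_ifs=$IFS; IFS=.
    set -- $1                 # split into octets; set -f keeps "*" literal
    IFS=$old_ifs; set +f
    [ $# -eq 4 ] || return 1
    first=$1
    for octet in "$@"; do
        case "$octet" in
            '*') ;;
            *'*'*|????*) return 1 ;;
            *) [ "$octet" -le 255 ] || return 1 ;;
        esac
    done
    [ "$first" != '*' ] || return 2
}

# Validate a config file: 0 = ok, 1 = bad port, 2 = bad address list, 3 = too broad.
check_stav_config() {
    valid_port "$(cfg_value port "$1")" || { echo "invalid port" >&2; return 1; }
    addrs=$(cfg_value allowedaddresses "$1")
    case "$addrs" in ''|,*|*,|*,,*) echo "bad address list" >&2; return 2 ;; esac
    set -f; old_ifs=$IFS; IFS=,
    set -- $addrs
    IFS=$old_ifs; set +f
    for entry in "$@"; do
        st=0; check_addr "$entry" || st=$?
        [ "$st" -ne 1 ] || { echo "malformed entry: $entry" >&2; return 2; }
        [ "$st" -ne 2 ] || { echo "too broad: $entry" >&2; return 3; }
    done
}

# Constructed sample input: the page's values plus one wildcard entry.
sample=$(mktemp)
printf '%s\n' '# port=1 in a comment is ignored' 'port=8080' 'allowedaddresses=10.67.87.40,10.67.87.*' > "$sample"
check_stav_config "$sample" && echo "config ok"
rm -f "$sample"
```

Because the accepted values contain only digits, dots, commas and asterisks, a file that passes also cannot carry spaces or shell metacharacters into the command string the init script builds for su.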
The script and configuration file are available on GitHub at http://github.com/vijayjt/SecureTransportScripts