
NAME

zavd.conf - Zoner AntiVirus configuration file

DESCRIPTION

Zavd.conf is the main configuration file for the Zoner AntiVirus daemon (ZAVd). This file consists of comments (starting with #) and option names with their respective values (VALUE_NAME = VALUE). The file is (visually) separated into sections, which are described below. Note that options do not have to be set in order (except where explicitly stated otherwise).

Changes made to the configuration in zavd.conf will not apply until ZAVd is restarted.

Note that the configuration parser is case-insensitive.

VALUE TYPES

[bool] - boolean value, i.e. YES/NO, TRUE/FALSE or 1/0

[int] - integer number

[time] - time value, in seconds or in a specified unit: s, m or h

[size] - size value, in bytes or in a specified unit: kB, MB or GB

[string] - an ASCII string enclosed in "" (optional for strings containing only [a-zA-Z0-9_-/.]).

[enum] - a special enumeration value represented by an uppercase string (option-dependent)

DAEMON SETUP

This section configures ZAVd's behaviour and environment. Note that all paths (except for PATH_TMP) should point to a private directory, not accessed by any other applications. If you decide to change the user:group setting, please run chown user:group PATH_LIB PATH_LIB/zavdupd.ver and chown -R user:group PATH_RUN PATH_LOG.
ZAVD_USER = [string]
User for ZAVd to run as. There is no need to run ZAVd as root to access requested files: any data that a client can access, ZAVd can access too.
ZAVD_GROUP = [string]
Group for ZAVd to run as (overrides default user group for the user set above).
ZAVD_PRIORITY = [int]
The nice value for ZAVd processes represented in a standard way.
PATH_ETC = [string]
Directory with ZAVd configuration files.
PATH_LIB = [string]
Directory with ZAVd shared libraries. This directory has to be writeable by ZAVD_USER.
PATH_LOG = [string]
Directory for created log files. This directory has to be writeable by ZAVD_USER.
PATH_RUN = [string]
Directory for created runtime files. This directory has to be writeable by ZAVD_USER.
PATH_TMP = [string]
Directory for temporary files. This directory has to be writeable by ZAVD_USER.

SCANNING SETUP

This section configures the scanning engine. These settings are the defaults used when clients do not explicitly set their own.
SCAN_LEVEL = [enum]
[enum]: FASTEST, NORMAL, ADVANCED or BRUTE
Specifies how thorough the scan should be (different memory limits, thresholds, etc).
SCAN_FULL = [bool]
Do not end the scanning process until an infection is found; this way suspicious patterns do not prevent infection detection.
SCAN_HEURISTICS = [bool]
Enable heuristic analysis (detects malware based on its behaviour, not static patterns).
SCAN_EMULATION = [bool]
Enable emulation of binaries to perform runtime code analysis (detects polymorphic malware).
SCAN_ARCHIVES = [bool]
Enable archive decompression (like TAR).
SCAN_PACKERS = [bool]
Enable runtime-packers decompression (like UPX).
SCAN_GDL = [bool]
Enable Generic Detection Language execution (special method to detect some polymorphic malware).
SCAN_PHISHING = [bool]
Enable heuristic phishing detection.
SCAN_DEEP = [bool]
Enable scanning of the whole file instead of only the first few MB.
SCAN_MAX_SIZE = [size]
Set the unpacking limit: no more than this many bytes will be unpacked from a single archive.
SCAN_MAX_FILES = [int]
Set the unpacking limit: no more than this many files will be unpacked from a single archive.
SCAN_RECURSION = [int]
Set nested-level limit for unpacking (i.e. 3 for: archive in archive in archive).
SCAN_TIMEOUT = [time]
Maximum amount of time allowed for scanning a single file. A timeout result is returned once this amount is exceeded.
SCAN_INSTANCES = [int]
How many scanning processes should be running; note that one process can only scan one file at a time.
SCAN_MEMORY = [int]
Maximum amount of memory used by a single scanning process. The minimal value for this limit is 32 MB.
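As an added illustration of the configuration syntax described under DESCRIPTION and VALUE TYPES, together with the limits stated in the DAEMON SETUP and SCANNING SETUP sections (this is example code, not part of ZAV or of this manual page), a small Python checker that parses a constructed zavd.conf fragment into typed values and reports the two settings the text warns about. The SCHEMA covers only a subset of the documented options, and SCAN_MEMORY is assumed to be expressed in megabytes.

```python
import re
# Constructed zavd.conf fragment used as sample input (not a file shipped with ZAV).
SAMPLE_CONF = """\
# Daemon setup
ZAVD_USER = "root"
Scan_Level = brute
SCAN_HEURISTICS = yes
SCAN_TIMEOUT = 2m
SCAN_MAX_SIZE = 100MB
SCAN_MEMORY = 16
"""
# Option -> value type (subset); numeric kinds map unit suffix -> multiplier ([time] seconds, [size] bytes).
SCHEMA = {"ZAVD_USER": "string", "SCAN_LEVEL": "enum", "SCAN_HEURISTICS": "bool",
          "SCAN_TIMEOUT": "time", "SCAN_MAX_SIZE": "size", "SCAN_MEMORY": "int"}
ENUMS = {"SCAN_LEVEL": {"FASTEST", "NORMAL", "ADVANCED", "BRUTE"}}
UNITS = {"int": {"": 1}, "time": {"": 1, "S": 1, "M": 60, "H": 3600},
         "size": {"": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}}

def parse_value(option, raw):
    """Convert one raw token to a typed value as the VALUE TYPES section defines them."""
    kind, tok = SCHEMA[option], raw.strip()
    if kind == "string":   # quotes are optional for plain [a-zA-Z0-9_-/.] strings
        return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] == '"' else tok
    tok = tok.upper()      # the configuration parser is case-insensitive
    if kind == "bool" and tok in ("YES", "TRUE", "1", "NO", "FALSE", "0"):
        return tok in ("YES", "TRUE", "1")
    if kind == "enum" and tok in ENUMS[option]:
        return tok
    m = re.fullmatch(r"(\d+)\s*([A-Z]*)", tok) if kind in UNITS else None
    if not m or m.group(2) not in UNITS[kind]:
        raise ValueError(f"{option}: bad {kind} value {raw!r}")
    return int(m.group(1)) * UNITS[kind][m.group(2)]

def parse_conf(text):
    """Parse '# comment' and 'NAME = VALUE' lines into {OPTION: typed value}."""
    conf = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line and not line.startswith("#"):
            name, sep, value = line.partition("=")
            name = name.strip().upper()
            if not sep or name not in SCHEMA:
                raise ValueError(f"unknown option or malformed line: {line!r}")
            conf[name] = parse_value(name, value)
    return conf

def audit(conf):
    """Flag settings that the DAEMON and SCANNING SETUP sections advise against."""
    checks = [(conf.get("ZAVD_USER") == "root", "ZAVD_USER=root: ZAVd needs no root to reach client files"),
              (conf.get("SCAN_MEMORY", 32) < 32, "SCAN_MEMORY below the 32 MB minimum (value assumed in MB)")]
    return [msg for bad, msg in checks if bad]
```

Running audit(parse_conf(SAMPLE_CONF)) on the fragment above reports both the root user and the undersized SCAN_MEMORY.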

LOGGING SETUP

This section configures ZAVd logging capabilities.
LOG_SYSLOG = [bool]
Send messages to a syslog daemon.
LOG_SYSLOG_FACILITY = [string]
Syslog facility to use (e.g. 'mail', 'daemon', 'local0', etc.)
LOG_ZAVDLOG = [bool]
Save messages to a log file in PATH_LOG.
LOG_MAX_SIZE = [size]
If a logfile reaches this size, it is truncated or a logrotate is performed.
LOG_ROTATE = [bool]
Perform a logrotate instead of truncation when a log limit is reached.
LOG_TTY = [string]
Send messages to the given tty device.
LOG_STATS = [bool]
Log the duration of scan and the size of the scanned file/memory.
The following options enable the logging of overall results (per file) on ZAVd's side (useful for usage statistics or auditing); see zavcli(1) for the result types.
LOG_SCANERROR = [bool]
LOG_CLEAN = [bool]
LOG_INFECTED = [bool]
LOG_PROBINFECTED = [bool]
LOG_SUSPICIOUS = [bool]
LOG_NONSTANDARD = [bool]
LOG_UNKNOWN = [bool]
LOG_TIMEOUT = [bool]

UPDATES SETUP

This section configures virus-definition and scan-engine updates. Such updates are required to provide up-to-date malware protection. If you do not want ZAVd to perform updates automatically, at least fill in the UPDATE_KEY and run 'zavd --update' periodically.
UPDATE_ENABLE = [bool]
Let ZAVd perform automatic updates.
UPDATE_INTERVAL = [time]
How often ZAVd should check for new updates (one hour should be an optimal value).
UPDATE_SERVER = [string]
Update server to download updates from.
UPDATE_KEY = [string]
Your license key for Zoner AntiVirus. You can obtain one at http://www.zonerantivirus.com.
UPDATE_VERBOSE = [bool]
Log every update attempt along with 'ZAVd is up to date' messages.

REPORTING SETUP

This section configures error reporting and sending samples to the ZAV laboratory. This information is used for debugging and new malware analysis.
REPORT_ERRORS = [bool]
Enable error reporting.
REPORT_SAMPLES = [bool]
Enable virus sample reporting.

INOTIFY MODULE SETUP

This section configures the iNotify module. iNotify is a kernel-side filesystem change notification system. The iNotify module listens for events happening on selected directories and serves as an on-access scanner. Because of the nature of iNotify, ZAV cannot block access to infected files; it can only detect their creation. You can let ZAVd delete such files or move them into a quarantine directory. Note that ZAVd will only scan files that have been changed (opened for writing, to be exact), not merely accessed ones.

Beware: iNotify userspace functions require glibc 2.4; when it is missing, the module will be disabled.

ZAVNOTIFY_ENABLE = [bool]
Enable ZAV iNotify module.
ZAVNOTIFY_QUEUE_SIZE = [int]
Number of files waiting to be scanned that the module can hold in memory; once this limit is reached, new scan requests are discarded. If a watched directory generates more events than the scanner can service, the excess events are saved into this queue for later processing.
ZAVNOTIFY_DIRECTORY = [string]
This directory is used to store quarantined files (when missing, it will be created).
ZAVNOTIFY_CONFIG = [string]
Which configuration file to read for directories watched by iNotify module. You can specify only one configuration file.

LMTP MODULE SETUP

This section configures the LMTP module. The LMTP module communicates with a running MTA (using the LMTP protocol) and serves as a mail filter. You can have multiple running LMTP services, each listening on a different port (useful for multiple levels of security). For more information consult your MTA's documentation.
ZAVLMTP_ENABLE = [bool]
Enable ZAV LMTP module.
ZAVLMTP_DOMAIN = [string]
Specify an internal name of a domain. This name will be used to create a separate configuration file in the ZAV configuration directory to set up this domain. For a more detailed description, see zavlmtp.conf(5).

ICAP MODULE SETUP

This section configures the ICAP module. The ICAP module communicates with a running proxy (using the ICAP protocol) and serves as a web-content filter. You can have multiple running ICAP services, each listening on a different port (useful for multiple levels of security). For more information consult your proxy's documentation.
ZAVICAP_ENABLE = [bool]
Enable ZAV ICAP module.
ZAVICAP_DOMAIN = [string]
Specify an internal name of a domain. This name will be used to create a separate configuration file in the ZAV configuration directory to set up this domain. For a more detailed description, see zavicap.conf(5).

LD_PRELOAD MODULE SETUP

This section configures the LD_PRELOAD module. The LD_PRELOAD module receives file descriptors from the libzavld.so library, which is preloaded into watched processes, and scans them.
ZAVLD_ENABLE = [bool]
Enable ZAV LD_PRELOAD module.
ZAVLD_PROC_WORKAROUND = [bool]
Be compatible with kernels older than 2.6.22. WARNING: this option needs ZAVd to be run as root, and it does setuid() only on the modules. This means that there will be a few processes running as root!
ZAVLD_DIRECTORY = [string]
This directory is used to store quarantined files (when missing, it will be created).
ZAVLD_FLOCK = [enum]
This option specifies the behaviour for files locked by a flock(LOCK_EX) call (not those locked by fcntl() or flock(LOCK_SH) calls). Possible settings:
BLOCK - treat such a file normally, i.e. hold the lock while scanning and (possibly) block the watched process
UNLOCK - unlock all files before scanning; this can break the watched process' behaviour (as all dup-ed descriptors are also unlocked)
SKIP - check whether the file is locked and skip locked ones; this creates an overhead for ZAVd (it has to check /proc/locks for each checked file)
ZAVLD_CONFIG = [string]
Which configuration file to read for directories watched by LD_PRELOAD module. You can specify only one configuration file.

AUTHOR

Written by Jaromir Smrcek.

BUGS

Report bugs to Jaromir Smrcek <jaromir.smrcek@zoner.com>. Start your 'Subject:' by 'ZAV' and please include the output of 'zavcli -V'.

SEE ALSO

zavd(8), zavld.conf(5), zavnotify.conf(5), zavlmtp.conf(5), zavicap.conf(5), zavcli(1)
