Installing ServerProtect for Linux 3 (SPLX3) on CentOS 6

Last updated: 18/4/2012

Introduction:

http://www.trendmicro.com/us/enterprise/cloud-solutions/server-protectio...

System Requirements:

  • Memory: 512MB
  • Kernel Hook Module (KHM) <-- you will almost certainly have to compile this yourself, because the official builds are very old .....

What is the KHM?

The Kernel Hook Module (KHM) is released under the GPL, so in principle it can be built and installed on any Linux kernel version <== it is required for real-time scanning

Packages to install beforehand:

yum install compat-libstdc++-296

yum install perl

Installation:

Download the installer from the official site, extract it, then run

./SProtectLinux-3.0.bin

Other install options:

./SProtectLinux-3.0.bin -h

Example:

SProtectLinux -n

-n install ServerProtect with Real-time Scan disabled

The corresponding setting:

tmsplx.xml

RealtimeScan    0

Walkthrough:

q

Do you agree to the above license terms? (yes or no)

yes

Do you wish to connect this SPLX server to Trend Micro Control Manager? (y/n) [y]

n

Enter the KEY

P.S.

The Registration Key is only needed when activating online; the Activation Code can be used directly, and its format is:

XX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Trend Micro consolidates virus-scanning results from worldwide customers,
compiles real-time statistics, and displays them on the Virus Map
(http://www.trendmicro.com/map). Use this map to view virus trends for
each continent and selected countries.
Please input your choice [Yes] : No

At the end the result is shown:

Starting services...
Starting ServerProtect for Linux:
Checking configuration file:                               [  OK  ]
Starting splxcore:
Starting Entity:                                           [  OK  ]
Loading splx kernel module:                                [  OK  ]
Starting vsapiapp:                                        [  OK  ]
ServerProtect for Linux core started.                      [  OK  ]
Starting splxhttpd:
Starting splxhttpd:                                       [  OK  ]
ServerProtect for Linux httpd started.
                                                           [  OK  ]
ServerProtect for Linux started.

Without the KHM:

Loading splx kernel module:                                [Not available]]

Error:   Kernel Hook Module (KHM) for this Linux kernel version is not
available. Check if the KHM for your  Linux kernel version is released
on the Trend Micro website at  "http://www.trendmicro.com/en/products/
file-server/sp-linux/use/kernel.htm".Or,follow the instructions in the
INSTALL file in "/opt/TrendMicro/SProtectLinux/SPLX.module/src/module"
to build the KHM for your Linux kernel version.

Note: a Linux license cannot be used on Windows.

Paths:

Log:

/var/log/TrendMicro/SProtectLinux

Quarantine:

/opt/TrendMicro/SProtectLinux/SPLX.Quarantine

Check whether it is running:

[root@centos6 ~]# /etc/init.d/splx status

splxmod module is running...
vsapiapp (pid 1470) is running...
entity (pid 1431 1424) is running...
ServerProtect for Linux core is running...
splxhttpd (pid 1506 1505 1504 1503 1502 1495) is running...
ServerProtect for Linux httpd is running...
ServerProtect for Linux manual scan is stopped
ServerProtect for Linux scheduled scan is stopped
ServerProtect for Linux Control Manager agent is not registered to Trend Micro Control Manager server

Stop:

/etc/init.d/splx stop

Web Panel:

http://<host server>:14942/ or https://<host server>:14943/

Panel default password: none (empty)

Settings:

Open the port on the firewall:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 14942 -j ACCEPT

Open:

https://IP:14942

Default: no password; to change it, go to Administration -> Startup Settings -> Password

Update:

By default, components are updated every night at 00:00

Testing

A file containing only the following line will be deleted:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
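As an added example (not part of the original note and not Trend Micro's code), a small POSIX sh script that writes the EICAR test file above into a directory and reports whether the real-time scan removed it. It assumes the directory you pass is covered by real-time scan; the file name eicar.com and the 5-second default wait are arbitrary choices for this example.

```shell
#!/bin/sh
# Added example (not from the original note or from Trend Micro): write the
# EICAR test file into a directory covered by real-time scan and report whether
# the scanner removed it. Assumptions: DIR is a real-time-scanned directory;
# the file name "eicar.com" and the default 5-second wait are arbitrary choices.

# The standard 68-byte EICAR test string, exactly as in the note above.
# Single quotes keep the $, \ and ! characters literal.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

# eicar_probe DIR [SECONDS]
#   0 = file was removed        -> real-time scan is working
#   1 = file is still present   -> real-time scan is not acting (e.g. KHM not loaded)
#   2 = file could not be written (DIR missing or not writable)
eicar_probe() {
    dir=$1
    wait_s=${2:-5}
    target="$dir/eicar.com"
    eicar_string > "$target" || return 2
    sleep "$wait_s"
    if [ -e "$target" ]; then
        echo "still present: $target (real-time scan did not remove it)"
        return 1
    fi
    echo "removed: $target (real-time scan is working)"
    return 0
}

# Usage when run directly:  sh eicar_probe.sh /var/www/html/uploads 5
if [ -n "$1" ]; then
    eicar_probe "$1" "${2:-5}"
fi
```

Exit code 1 on a box where the "Loading splx kernel module" line reported [Not available] is the expected symptom: without the KHM nothing intercepts the write.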

 


 

KHM Installation

If the KHM is not installed, real-time scanning cannot be enabled !!

Packages required beforehand:

  • module-init-tools

Using a pre-compiled KHM module:

http://www.trendmicro.com/download/kernel.asp?productid=20

Compiling by hand:

Download splx_kernel_module-3.0.0.0002.src.tar.gz

http://www.trendmicro.com/ftp/products/kernel/splx_kernel_module-3.0.0.0002.src.tar.gz

Packages required to build:

  • gcc
  • kernel-devel <-- part of kernel-source

If you are using a source tree other than the CentOS package, run the following from the root of the source tree:

  1. cp /boot/config-2.6.32-220.7.1.el6.i686 /usr/src/linux-2.6.32-220.7.1.el6.i686/.config
  2. cd /usr/src/linux-<Kernel Version>
  3. make oldconfig
  4. make modules_prepare
  5. make prepare

Check the current kernel version:

  • uname -a

Download the matching kernel version:

  1. http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/
  2. http://vault.centos.org/6.2/os/Source/SPackages/
  3. http://vault.centos.org/6.2/updates/Source/SPackages/

Note: the following two are cut-down packages:

  • kernel-devel.i686 ---> for building driver modules
  • Kernel-headers ---> C header files (structures and constants)

Installation:

# /etc/init.d/splx stop

# cd /opt/TrendMicro/SProtectLinux/SPLX.module/src/module    <-- use the source shipped with the package

# make  <---- builds /opt/TrendMicro/SProtectLinux/SPLX.module/splxmod-<kernel-version-number>.o

# make test   <----- it will test-insert the KHM file into the running kernel

You will see:

!! Warning !!
You are about to start testing the Kernel Hook Module (KHM).
This test program will insert the KHM file (shown above) into the Linux kernel.
This operation may cause your system to stop responding (hang) or kenrnel panic.

Do you want to continue? (yes or no)

# make install  <--- copies it to /opt/TrendMicro/SProtectLinux/SPLX.module/

# /etc/init.d/splx start

Excluding certain programs from scanning

Bypass commands for real-time scan temporarily:

#echo "command name" > /proc/splx/command_exclusion

Example:

#echo httpd postfix > /proc/splx/command_exclusion

Command-line management - splxmain

/opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/splxmain

-v    Enable Real-time Scan
-x    Disable Real-time Scan

-r    Reload the SPLX configuration without restarting vsapiapp.
-i    Restart vsapiapp processes.

-u    Update Scan Engine and Virus Pattern according to the settings in the tmsplx.xml file, then
      ask vsapiapp to reload the Engine and Pattern.

-p    Trigger the Scheduled Update process.

-a    Terminate all vsapiapp processes
-k    Terminate the vsapiapp processes, Manual Scan processes, and Scheduled Scan processes immediately

Execute a Manual Scan

For example, to scan /temp1 and /temp2:

       splxmain -m /temp1:/temp2

Schedule:
-t    Terminate the Scheduled Scan processes that are running through the /etc/cron.d/splx file.
-s    Execute Scheduled Scan now.
-c    Refresh the Schedule (from the tmsplx.xml file to the /etc/cron.d/splx file)
-n    Terminate the Manual Scan process that is currently running.

-j    Set the Web console password.

Activation:

-q <Activation Code>    Set the Activation Code
-E                      Check the remaining days left before the evaluation version expires.

P.S.

In Version 3, once the license has expired the following problem appears (splxmain -p stuck at full CPU):

root     29940 99.9  0.0  14056  3820 ?        R    Mar09 9680:53 /opt/TrendMicro/SProtectLinux/SPLX.vsapiapp/splxmain -p

Troubleshooting:

Q1: Please put your configured kernel source in /usr/src/linux-2.6.32-220.7.1.el6.i686

A1: The kernel-devel package matching the running kernel is not installed.

Q2: WARNING: Symbol version dump /usr/src/kernels/linux-2.6.32-220.7.1.el6/Module.symvers is missing

A2: The kernel source is not the correct one.
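An added pre-flight script (not from the original note or from Trend Micro) to run before the make sequence in the KHM installation section above; it maps the two troubleshooting cases Q1 and Q2 to explicit exit codes. It assumes the kernel-devel tree lives under /usr/src/kernels/<uname -r>, which is an assumption of this example; pass the directory the KHM Makefile asks for if yours differs.

```shell
#!/bin/sh
# Added pre-flight check (not from the original note or from Trend Micro) to run
# before "make" in /opt/TrendMicro/SProtectLinux/SPLX.module/src/module.
# It maps the two troubleshooting cases above to exit codes.
# Assumption: the kernel-devel tree lives under /usr/src/kernels/<uname -r>;
# pass the directory the KHM Makefile expects as $1 if yours differs.

# khm_preflight SRCDIR
#   0 = looks like a configured kernel source tree; safe to build the KHM
#   1 = SRCDIR missing          -> Q1: install kernel-devel for the running kernel
#   2 = .config missing         -> copy /boot/config-$(uname -r) there, run make oldconfig
#   3 = Module.symvers missing  -> Q2: the source is not the right (prepared) tree
khm_preflight() {
    srcdir=$1
    if [ ! -d "$srcdir" ]; then
        echo "missing: $srcdir (install kernel-devel matching 'uname -r')" >&2
        return 1
    fi
    if [ ! -f "$srcdir/.config" ]; then
        echo "missing: $srcdir/.config (copy /boot/config-$(uname -r), then make oldconfig)" >&2
        return 2
    fi
    if [ ! -f "$srcdir/Module.symvers" ]; then
        echo "missing: $srcdir/Module.symvers (source tree does not match or is not prepared)" >&2
        return 3
    fi
    echo "ok: $srcdir looks like a configured kernel source tree"
    return 0
}

# khm_build SRCDIR: the note's build sequence, only run when the pre-flight passes.
# "make test" still asks for confirmation and can hang the box, as the note warns.
khm_build() {
    khm_preflight "$1" || return $?
    /etc/init.d/splx stop
    cd /opt/TrendMicro/SProtectLinux/SPLX.module/src/module || return 4
    make && make test && make install && /etc/init.d/splx start
}

# Run the build only when explicitly asked:  KHM_RUN=1 sh khm_build.sh [SRCDIR]
if [ -n "$KHM_RUN" ]; then
    khm_build "${1:-/usr/src/kernels/$(uname -r)}"
fi
```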

 


 

Removal:

rpm -e SProtectLinux

http://esupport.trendmicro.com/solution/en-us/1036801.aspx

Processes:

  • splxhttpd