Frequently Asked Questions

General Questions

What are your hours for technical support?

Monday through Friday from 8:00 AM to 5:00 PM

How long is your trial license period?

Our trial licenses last for 30 Days. If for any reason you need an extension, send an email request to support@cybersoft.com. Depending upon the situation, we will evaluate the request and get back to you as soon as possible.

How can I contact a CyberSoft representative?

Please see the Contact page for more information on how you can contact CyberSoft.

How do I lodge a complaint about a CyberSoft service or product?

Call us during business hours, and let the operator know why you are calling. If they are unable to help you on the spot, ask to speak to Peter Radatti, the CEO of CyberSoft.

What operating systems / platforms do you support?

Please see the Product Compatibility Page for more information on product compatibility.

VFind Security Toolkit

How much RAM and disk space does VSTK require?

There is no easy answer to this question; it depends entirely on several factors, including your system architecture, configuration, and load. For example, a system with 8 GB of RAM running a light load might execute VSTK very quickly, whereas a large system with 1 TB of RAM that is heavily loaded might cause VSTK to swap excessively. The only way to determine your needs is to install VSTK and make adjustments from there.

On the other hand, the Avatar program contained in VSTK requires enough disk space to create its database. Since Avatar uses compression, this could be anywhere from 40%-100% of the material to be archived (plus the database overhead). The easiest way to get a guesstimate is to create a tarball of all the files you want Avatar to manage and note the final size of the tarball. This will be close to the maximum size that the Avatar database needs. After you have figured out the maximum size, use the UNIX compress command to compress the tarball, then note the file size. This will be near the minimum size of the Avatar database.

An additional source of system usage is UAD, which uses the hard disk for temporary scratch space when recursively decompressing a compound file. Since the amount of disk space is completely dependent upon the file being decomposed, this is impossible to predetermine. You can, however, direct UAD to use scratch space in any partition or drive of your choice (this includes network drives).

Lastly, the VSTK product uses an insignificant amount of disk space when installed on a system. However, even this value will change depending upon your system architecture. Other important factors to consider are whether the binaries are stripped or unstripped, if you are dynamically or statically linking the binaries, and the size of the virus databases (which can change multiple times in a week).

I am having trouble mounting the VSTK CD-ROM on my HP System.

These steps have worked for users who have had problems mounting VSTK CD-ROM in the past.

  1. nohup /usr/sbin/pfs_mountd &
  2. nohup /usr/sbin/pfsd &
  3. Edit /etc/pfs_fstab; add the filesystem you want to mount: /dev/dsk/c#t#d# /mountpoint pfs-rrip ro,suid,cdcase 0 0
  4. Edit /etc/pfs_exports /mountpoint -access=newton
  5. pfs_exportfs -a
  6. pfs_mount /mountpoint

    To unmount:
  7. pfs_umount /mountpoint

Notes:

a. DO NOT do steps 1 and 2 with a CD already pfs mounted.

b. If you use 'umount' to unmount a pfs mounted CD, you will not be able to remount another CD using pfs_mount. You will need to kill the pfs daemons first.

c. You must follow all of the steps each time you want to pfs mount. If you do not, the CD will mount, but won't show up in 'bdf'.

d. This information came from HP, so if you have persistent problems, please contact them or see the pfs 'man' page.

I installed the permanent activation key but VFind does not execute properly.

One of three things could be the problem...

1. First, check that the node name you supplied to CyberSoft was correct.

2. The second thing to do is check the LICENSE file and make sure the permanent key was copied and pasted correctly.

3. Finally, check that the VSTK_HOME environment variable is set to the directory where the LICENSE file is located on the system.

If you are still having problems, please send us the vtest.log file. This file was generated during the install of the VFind Security ToolKit and is located in the VSTK directory. If this file does not exist on your system, then please execute the vtest program and pipe the results into a file called vtest.log. Afterwards, kindly email the vtest.log file to support@cybersoft.com along with a description of your problem.

How do I make VFind run automatically?

You can install VFind™ into the "cron" system for automatic execution. We suggest you run it every evening. For more information execute the command "man cron".

The first time I ran VFind, I got a report on the number of files checked, number of viruses found, and how many suspicious files were located. I don't seem to receive this report any more. Why?

Remove the [ -vlist ] option from your command list. The [ -vlist ] option lists all viruses that the program detected and then exits. If you remove that option, the output from your find command will be scanned by VFind™. The recommended use of VFind™ is in conjunction with UAD. See below:

    /opt/vstk/bin/vfind --uad="" /path/to/files | grep -e "^##==>>>"

There is a "scripts" directory included with VSTK that gives examples on how to use the tools, in conjunction with each other, for optimal performance.

 

UAD displays a "File System Full" error message. Why?

UAD needs to write temporary files when it is rendering. If the file it is rendering is larger than the available amount of space in the default scratch directory (/tmp), then you will receive this message. UAD will automatically recover from this error, skip the "file" that caused the problem and attempt to continue.

What can cause CIT to crash?

There is very little that can crash CIT. One of the few things that will is running out of disk space. The UAD program will sometimes cause a system to run out of disk space for a short period of time, and it is common to use CIT and UAD together. This problem can be resolved by modifying the invoking script to disconnect CIT from UAD: break the command line so that the output from CIT goes into a file, and once CIT has completed, read that file into UAD.

What is the proper command to call VFind from AMaViS?

    chop($output = `/usr/local/vstk/bin/uad -ssw $TEMPDIR/parts/* | $vfind -ssr -vexit $TEMPDIR/parts/*`);

Note also that this line from amavis/av/cyber is wrong:

    @virusname = ($output =~ /##==>>>> VIRUS ID: CVDL (.+)/g);

and should be:

    @virusname = ($output =~ /##==>>>> VIRUS ID: (.+)/g);

On Solaris 6 UAD appears to hang on large files. What is wrong?

On Solaris 6, /tmp mounted on swap does not support files larger than 2 GB. Previously we had looked through the Sun documentation for Solaris 6 large files, but we did not find any such restriction mentioned.

So that means that your problem should go away by using UAD's -t option to specify a temporary directory other than the default /tmp/. -t /var/tmp may be used, for example, if /var is on a big enough disk partition.

I would like to test some of the applications we are using. Would it be possible to obtain a file that is known to be infected with a virus to verify our integration?

Download the "eicar.com" test virus and a virus signature for the test virus "eicar.vdl" to your target machine from here and execute UAD and VFind as shown to test the sample.

    find [test_virus_directory] | uad -s -ssw | vfind --libon=eicar -ssr --vdl=[path]/eicar.vdl > virus_report.txt

or

    find [test_virus_directory] | uad -s -ssw | vfind --libon=eicar -ssr --vdl=[path]/eicar.vdl | mail root

Does VFind make any Name Service calls to CyberSoft's DNS servers?

VFind is not linked with any CyberSoft DNS servers; it uses no Name Service calls and simply uses uname() to get the Node name to check the license. However, VDL updates require the use of DNS in order to contact CyberSoft's update servers.

Is VFind linked with RPC in any way?

VFind is not linked with RPC, and it does not make any remote procedure calls.

Does VFind need to use SetUID to run?

VFind does not use SetUID. It can be run by root or any user, although it will only read and scan those files readable to the user.

VFind seems to be using up too much memory - do I need to get more memory?

No, that is not likely; you should not need more memory. Every time you start a copy of VFind, machine memory is allocated for its use. If you run 4 or 5 copies of VFind at the same time, this will impede the performance of your machine unless you have a large amount of memory. If you need to run multiple copies of VFind, it is recommended that you upgrade to the Turbo version of whatever ToolKit you are using. VFind is single-threaded; it can only do one thing at a time. The Turbo upgrade with the VFind Daemon is multi-threaded. It not only makes VFind able to do more than one thing at a time, but it also greatly reduces start-up memory usage, as your system is only starting one program.

VFind is having permission errors when running as a non-root user. How can I correct it?

When running vfind as a non-root user, you should use the flag --vdl-data-file with a filename in a location where you have write permission, e.g. vfind --vdl-data-file="$HOME/vdl.dat". This way you won't have any permissions problems when the VDLs are updated.

How do I run VTest?

The VTest program has no command line options. It is normally run at the command line, for the purpose of "testing" the system to ensure it is ready to run the VFind Security ToolKit. It will report on:

 

1. The nodename of the system. This is needed to make an activation key.
2. The number of characters in the nodename. This is necessary because sometimes people use non-visible characters before or after the nodename.
3. Test to see if the environment variable $VSTK_HOME is set.
4. The location of a valid activation key.

Here is an example of what running a vtest program looks like:

    Macintosh:programs peterradatti$ ./vtest
    ##==> Nodename is Macintosh.local with length of 15
    ##==> System Date -- Year: 2009 Month: 5 Day: 13 12:23:05

    ##==> SECURITY: $VSTK_HOME not defined; searching for alternate location.
    ##==> SECURITY: /LICENSE not found; searching for alternate.
    ##==> SECURITY: /etc/LICENSE not found; searching for alternate.
    ##==>>> SECURITY: ./LICENSE not found; no alternate available.

When I run VDLUpdate I receive an error. What's wrong?

There are a number of possible causes for this error. The most common causes include:

  • The machine is not connected to the internet.
  • The machine has a poor connection to the internet.
  • A local firewall is blocking access to the internet.
  • The login credentials specified in account.conf are incorrect.
  • The my.cybersoft.com account specified in account.conf is no longer active or has expired.

Virus Definitions

I just downloaded the latest Virus Definitions. Now what do I do?

Use the following instructions:

  1. Move the file to $VSTK_HOME/data where $VSTK_HOME is.
  2. Uncompress the tar file with the uncompress command.
  3. With the uncompressed tar file in the proper directory execute the following command, tar xvf filename

How do I determine when I last updated my virus definitions?

  1. "cd" into the vstk/data directory.
  2. Open the update.list file.
  3. Line #1 in the file contains the date of when the last update took place.

How can I automate the updating of my virus definitions?

A script provided with VSTK downloads virus definition updates from www.cybersoft.com and installs the updates. The script, $VSTK_HOME/bin/vdlupdate, requires that the system on which it is installed has access to the internet.

An entry for VDLupdate can be added to crontab to automatically run VDLupdate every day. The $VSTK_HOME/example_scripts/cron_vdlupdate.sh script can be used to add an entry for vdlupdate to crontab. cron_vdlupdate.sh can be edited to set the time of day for performing the update.

What are the files update.list and update.md5 used for?

These files are used by our automated virus definition update script. The file update.list contains a line with the base name of the tar.Z file with the updated virus definitions and the MD5 sum of that tar.Z file. For example, update.list might contain the line

    vfind13-2005-09-14-10-36-06 2d33d51127b6587aa4782cc6cf3e92b9

From this, the update script knows to download vfind13-2005-09-14-10-36-06.tar.Z and after the file is downloaded, it should have the MD5 sum of 2d33d51127b6587aa4782cc6cf3e92b9.

The file update.md5 contains the MD5 sum of the update.list file, so that the update script can verify that the update.list file was downloaded correctly and has not been tampered with.
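The two-step check described above, written out as an added example (this is not CyberSoft's vdlupdate script). It assumes update.md5 holds the digest of update.list as its first field and that the archive sits next to both files; the function names and the sample update set are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the vendor's script. Assumed layout of one directory:
#   update.md5   first field = MD5 of update.list (assumed format)
#   update.list  "<basename> <md5>" as shown in the FAQ
#   <basename>.tar.Z

md5_of() {
    # Print the hex MD5 of file $1 using whichever tool is installed.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

is_md5() {
    # True only for exactly 32 hex digits.
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

verify_update() {
    # $1 = directory with the downloaded files.
    # Prints the archive path and returns 0 only if both digests match.
    # Returns 1 on a digest mismatch, 2 on missing or malformed input.
    dir=$1
    [ -r "$dir/update.list" ] && [ -r "$dir/update.md5" ] ||
        { echo "manifest files missing" >&2; return 2; }

    # Step 1: update.md5 vouches for update.list.
    want_list=$(awk 'NR==1 {print tolower($1)}' "$dir/update.md5")
    is_md5 "$want_list" || { echo "update.md5 malformed" >&2; return 2; }
    [ "$(md5_of "$dir/update.list")" = "$want_list" ] ||
        { echo "update.list digest mismatch" >&2; return 1; }

    # Step 2: update.list names the archive and gives its digest.
    base=$(awk 'NR==1 {print $1}' "$dir/update.list")
    want_tar=$(awk 'NR==1 {print tolower($2)}' "$dir/update.list")
    is_md5 "$want_tar" || { echo "update.list malformed" >&2; return 2; }
    case "$base" in
        ""|*/*|.*) echo "unsafe archive name" >&2; return 2 ;;  # no path tricks
    esac
    [ -r "$dir/$base.tar.Z" ] || { echo "archive missing" >&2; return 2; }
    [ "$(md5_of "$dir/$base.tar.Z")" = "$want_tar" ] ||
        { echo "archive digest mismatch" >&2; return 1; }
    echo "$dir/$base.tar.Z"
}

make_sample_update() {
    # Build a constructed update set in directory $1 (sample data only).
    printf 'constructed archive bytes\n' > "$1/vfind13-sample.tar.Z"
    printf 'vfind13-sample %s\n' "$(md5_of "$1/vfind13-sample.tar.Z")" > "$1/update.list"
    md5_of "$1/update.list" > "$1/update.md5"
}

demo_dir=$(mktemp -d)
make_sample_update "$demo_dir"
verify_update "$demo_dir"
```

A digest fetched from the same server as the archive catches a damaged or truncated download. MD5 is not collision-resistant, so it does not replace a vendor signature or a manifest obtained over a separate authenticated channel.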

VFind and Email

Is it normal that I receive empty email messages from VFind?

This is typically a good sign. An empty E-mail message means that VFind™ found no viruses and has no messages for you. (Assuming that the message only contains the output of a grep). If you are not comfortable with this, you can force the E-mail to contain a message by modifying the script. Here is an example that you can customize:

    touch xyzzy
    uname -a >> xyzzy
    date >> xyzzy
    find / -type f -print | --- other commands --- | vfind | grep "##==>>" |
      cat - >> xyzzy
    cat xyzzy | mail root

How can I optimize VFind/UAD for scanning my email system?

There are two major steps you can take. The first is to understand that there is a processor load, and wall clock cost, to the startup of VFind. VFind has to build trees and initialize all of its engines prior to scanning. If you start VFind for every E-mail message, then you are using a large amount of startup overhead for scanning a small amount of data. The answer is to start up VFind and allow it to run in the background. There are two easy ways of doing this. The first is to make a Daemon process out of VFind/UAD. See above for an easy way to make a VFind Daemon using scripts. The second way is to use the SmartScan communication system to talk with VFind. See the white paper on SmartScan (link to old site).

An additional step that will greatly increase the speed at which you can scan E-mail, is to start more than one copy of VFind. Your right to use licenses allows you to start more than one copy on the same licensed system, and the products were technically created to not interfere with multiple running copies. [ There is a great (very) technical white paper by Dr. Rick Perry on optimal queue theory for virus scanning of E-mail. His white paper was actually written using VFind/UAD and the SafeInternetEmail system. You can read his white paper here (link to old site)].

Where can I find examples of how to scan emails using VSTK?

There are several ways to interface VSTK with email. Whatever way you choose, you must be careful not to infringe on any patents. The following is a discussion of the technical means to accomplish this goal.

SOLUTION-1 LIBMILTER

The sendmail people have developed an interface that allows you to directly process email, for virus scanning, from within sendmail. This interface is called libmilter. There is already a lot of free code available using libmilter, and milters, that can be adapted for use with VSTK. A good place to start looking at these programs is https://github.com/opnsense/src/tree/master/contrib/sendmail/libmilter

You can also purchase a product, called "PerlMx", that makes using libmilter with VSTK easy. Take a look at ActiveState

If you decide to write your own libmilter interface, be sure to call CyberSoft for technical support.

SOLUTION-2 AMaViS

The AMaViS Mail Virus Scanner is available, for free, from www.amavis.org and works with the VSTK. If you choose to use AMaViS, then contact CyberSoft for technical support. The default VFind command string recommended by the AMaViS development group does not take full advantage of the features provided by VFind and UAD.

SOLUTION-3 BOURNE SHELL SCRIPTS

To see what you could do on your own using just Bourne shell scripts and VSTK, take a look at SafeInternetEmail. This service was created using just the VFind and UAD tools of VSTK. They were interfaced to sendmail, using Bourne shell scripts and one change to the sendmailconfig.cf control file.

SOLUTION-4 DIRECT INTERFACE TO SENDMAIL

A third option is to write a direct interface to sendmail that does what you want. Several companies have done this, since there are significant benefits that can be built in, such as translation to X.400. Again, we have published software code segments to make this easy to do. Look at the SmartScan white paper.

SOLUTION-5 NETWORK TRAFFIC INTERCEPTOR

The Network Traffic Interceptor (NTI) is included with VSTKCW but not with VSTK or VSTKP. You can upgrade to VSTKCW in order to get the NTI program. Call CyberSoft for pricing.

The NTI system provides real time scanning of all selected tcp/ip and UDP ports. It can scan all E-mail (port 25, pop3 and imap). It can also be used to scan http, ftp and telnet sessions.

NTI is not supported on all systems, but it is currently supported on Sun Solaris 2.5.1 and above and HPUX 11.0 and above. It is also supported under Microsoft Windows NT. For more information on NTI, read the Network Traffic Interceptor whitepaper.

SOLUTION-6 CONTRACT OUT THE PROBLEM

Your fifth option is to contract out the problem to us or others. See the SafeInternetEmail service. We can install this product as a service on your mail servers, in your data center, or even supply systems.

 

 

Can I use VSTK to scan emails?

Yes, you can. Both UAD and VFind can be used to scan emails for malicious content. You can use VFind by piping your incoming mail through the tool, the output of which should look like this:

    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> ""
    ##==> Checking file: "./email.text" -> "shipping_8182153.doc"

Here the file "email.text" is scanned and its attachments are broken down. For more verbose VFind output, you can use the -sst option to get output that looks like this:

    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (no enclosures found)'
    ##==> Skipping VDL `W32/Hacksite.expl01(2)'
    ##==> Skipping VDL `W32/Hacksite.expl05(2)'
    ##==> Skipping VDL `W32/Hacksite.expl12(2)'
    ##==> Skipping VDL `W32/Hacksite.expl11(2)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `HTML text (no enclosures found)'
    ##==> Skipping VDL `W32/Hacksite.expl01(2)'
    ##==> Skipping VDL `W32/Hacksite.expl05(2)'
    ##==> Skipping VDL `W32/Hacksite.expl12(2)'
    ##==> Skipping VDL `W32/IE.Url.Market.expl'
    ##==> Skipping VDL `W32/Hacksite.expl11(2)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (no enclosures found)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (no enclosures found)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (no enclosures found)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `HTML text (no enclosures found)'
    ##==> Checking file: "./email.text" -> ""
    ##==>> SmartScan file type: `text (mail header)'
    ##==> Checking file: "./email.text" -> "shipping_8182153.doc"
    ##==>> SmartScan file type: `OLE2 stream'
    ##==> Skipping VDL `W32/Hacksite.expl01(2)'
    ##==> Skipping VDL `W32/Hacksite.expl05(2)'
    ##==> Skipping VDL `W32/Hacksite.expl12(2)'
    ##==> Skipping VDL `Constr/WM.NJ-WMDLK1.fam'
    ##==> Skipping VDL `W32/Hacksite.expl11(2)'
    ##==> Skipping VDL `W32/VB.LH.itw'
    ##==> Skipping VDL `W32/Small.fam4.trjdldr(2)'
    ##==> Skipping VDL `W32/Vote.a@mm.itw'
    ##==> Skipping VDL `W32/Warvote'
    ##==> Skipping VDL `W32/Aimdes.ABC.wrm'

VFind automatically uses UAD when scanning a file, but if you want to scan a file only using uad, the output should look like this:

    0: Name: ./email.text
    0: Type: text
    0: Components...
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: HTML text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Unnamed
    1: Type: HTML text (no enclosures found)
    1: Unnamed
    1: Type: text (mail header)
    1: Name: shipping_8182153.doc
    1: Type: OLE2 stream
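For a mail wrapper it helps to know which enclosure triggered a detection, not only that one occurred. The following added example (not CyberSoft or AMaViS code) reduces VFind output to one record per detection, using the "Checking file" line format shown above and the "##==>>>> VIRUS ID:" prefix from the corrected AMaViS pattern. It assumes a VIRUS ID line follows the "Checking file" line of the object it refers to; the function names, the sample output and the virus name in it are constructed.

```sh
#!/bin/sh
# Added example. Reads VFind output on stdin and prints, per detection:
#   <file><TAB><component or "-"><TAB><virus id>
# Assumption: a VIRUS ID line refers to the most recent "Checking file" line.

vfind_hits() {
    awk '
        # Track the object VFind is currently looking at.
        /^##==> Checking file: "/ {
            line = $0
            sub(/^##==> Checking file: "/, "", line)
            split(line, part, "\" -> \"")
            file = part[1]
            comp = part[2]
            sub(/"$/, "", comp)
            next
        }
        # Same prefix as the corrected AMaViS regex: no literal "CVDL".
        /^##==>>>> VIRUS ID: / {
            id = $0
            sub(/^##==>>>> VIRUS ID: /, "", id)
            printf "%s\t%s\t%s\n", file, (comp == "" ? "-" : comp), id
        }
    '
}

sample_vfind_output() {
    # Constructed sample: line shapes follow the FAQ, the detection is invented.
    cat <<'EOF'
##==> Checking file: "./email.text" -> ""
##==>> SmartScan file type: `text (mail header)'
##==> Checking file: "./email.text" -> ""
##==>> SmartScan file type: `text (no enclosures found)'
##==> Checking file: "./email.text" -> "shipping_8182153.doc"
##==>> SmartScan file type: `OLE2 stream'
##==>>>> VIRUS ID: Example.Macro.Test
##==> Checking file: "./clean.text" -> ""
EOF
}

sample_vfind_output | vfind_hits
```

Empty output from vfind_hits means no VIRUS ID line was seen, which is the same condition that produces the empty e-mail described in the "VFind and Email" section.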

Upgrades

My company is upgrading from our current UNIX system to another brand of UNIX system. How do I move the VSTK to our new server?

 

CyberSoft includes all supported UNIX platforms on the product downloads page of MyCybersoft.

The most important thing to remember is that VSTK is locked to a server by node name. If you are not violating your license agreement, then all you should have to do is ensure that your new server has the same node name as the old server. First remove VSTK from the old server, while saving the LICENSE file, then reinstall VSTK on to the new server. Then copy the LICENSE file to the new machine. After all these steps are completed everything should work fine.

If for some reason you are unable to keep the same node name, then contact CyberSoft, and for a small fee we will generate a new LICENSE key.

Will VFind run when I upgrade the system hardware?

If you are running the same operating system and keep the node name the same, then VFind should continue to run without interruption.

How much does it cost to upgrade to the current version of VSTK?

You can upgrade to the latest version of VSTK for free, if your maintenance and support contract is up to date.

If your maintenance and support has expired, you will need to renew your contract before you will be able to update your version of VSTK.

Activation Keys

My temporary activation key expired. How do I obtain a permanent key?

You can contact CyberSoft or your dealer and request a new temporary key, or, if you purchased the product, you can apply for a Permanent Activation key by sending an email to support@cybersoft.com.