DansGuardian Documentation Wiki

You are here: Main Index » faq


|

Wiki Information

Differences

This shows you the differences between the selected revision and the current version of the page.

faq 2010/02/06 19:55 faq 2010/10/22 16:50 current
Line 152: Line 152:
so a caching backend proxy should be used. Squid fills the bill for a fast caching proxy. so a caching backend proxy should be used. Squid fills the bill for a fast caching proxy.
-(The relatively heavy weight Squid is most appropriate for use in filtering an entire network of computers. For single-user single-computer applications of DansGuardian, some other backend proxy [TinyProxy?] may be more appropriate.)+(The relatively heavyweight Squid is most appropriate for use in filtering an entire network of computers [and for providing assistance with some Auth schemes]. For single-computer or single-user applications, marrying DansGuardian with some other backend proxy [Tinyproxy? Oops!?] may be more appropriate, for example providing  better perceived performance.)
**//General#6. How much does DansGuardian cost?//** \\ The [[http://dansguardian.org/?page=copyright|licensing for DansGuardian 1]] is different from the [[http://dansguardian.org/?page=copyright2|licensing for DansGuardian 2]]. See these two documents for licensing. Also see the [[http://dansguardian.org?page=pricing|Pricing page]]. **//General#6. How much does DansGuardian cost?//** \\ The [[http://dansguardian.org/?page=copyright|licensing for DansGuardian 1]] is different from the [[http://dansguardian.org/?page=copyright2|licensing for DansGuardian 2]]. See these two documents for licensing. Also see the [[http://dansguardian.org?page=pricing|Pricing page]].
Line 195: Line 195:
DansGuardian actually scans its content word by word against the configured phraselists. Some commercial web filters call themselves content filters when they are not - they are just glorified URL filters. They are lying through their teeth. People who don't realise this waste a lot of money on them. DansGuardian actually scans its content word by word against the configured phraselists. Some commercial web filters call themselves content filters when they are not - they are just glorified URL filters. They are lying through their teeth. People who don't realise this waste a lot of money on them.
-**//General#15. Can DansGuardian do anti-virus filtering?//** \\ Yes. A standard feature in version 2.10 allows anti-virus checkers (and other content scanners) to be incorporated into DansGuardian. (Versions 2.8 and earlier required "the DGAV patch" to do anti-virus scanning. No patch nor special build or distribution is needed to use anti-virus scanning with version 2.10.)+**//General#15. Can DansGuardian do anti-virus filtering?//** \\ Yes. A standard feature in version 2.10 allows anti-virus checkers (and other content scanners) to be incorporated into DansGuardian. (Versions 2.8 and earlier required "the DGAV patch" to do anti-virus scanning. No patch nor special build or distribution is needed to use anti-virus scanning with version [2.9]2.10.)
**//General#15b. Are infected files quarantined or deleted?//** \\ With the newer method of incorporating anti-virus checking as an external scan (clamdscan), **//General#15b. Are infected files quarantined or deleted?//** \\ With the newer method of incorporating anti-virus checking as an external scan (clamdscan),
whether or not infected files are copied to quarantine is controlled by whether or not infected files are copied to quarantine is controlled by
the configuration of the anti-virus scanning tool, the configuration of the anti-virus scanning tool,
-not by DansGuardian. (With the DGAV patch and with the older integral [linked in ClamAV] method of including anti-virus checking, +not by DansGuardian. (With the DGAV patch and with the older integral [clamav with linked in ClamAV] method of including anti-virus checking,
infected files were deleted.) infected files were deleted.)
Line 271: Line 271:
although doing this is not so common.) although doing this is not so common.)
-**//General#21. I want my web filter to behave differently at different times of day. Can DansGuardian do this?//** \\ Yes, any list file of filter restrictions can be made active only at certain times of day simply by specifying times within that file itself. Comments within each list configuration file provide a guide for adding time of day restrictions to that particular file. (Note this method may not be suitable for changes to items in a //conf// file, and may not be the best way to handle massive changes affecting many list files simultaneously.)+**//General#21. I want my web filter to behave differently at different times of day. Can DansGuardian do this?//** \\ Yes, the simplest way to have the filter behave differently at different times of day is to use the time limiting syntax inside most //list// files. This method does not require restarting DansGuardian at all  ...not even a "soft" restart with\ <color #351>-g</color>. Specifying times inside most list files will allow those files of filter restrictions to be made active only at certain times of day. Comments within most list configuration files provide a guide for adding time of day restrictions to that particular file. (If there are no comments about time limiting syntax inside a specific file, the behavior is not supported for that particular file.)  
 + 
 +The time limiting syntax within a file is applied to __all__ items in that file; there is no syntax for limiting individual items. So the conventional procedure is to add <color #351>.Include</color> statements to a list file which point at newly created additional list files which each contain their own time limits. For example, two newly created list files might be one for "sites that are always banned" and another for "sites that are banned only during business hours". (The former contents of the existing base list file are usually distributed into the new list files.) 
 + 
 +(Note this method may not be suitable for changes to items in a //conf// file, may not work for more than one time block per day, and may not be the best way to handle massive changes affecting many list files simultaneously. See the items below for other alternatives.)
**//General#21b. I want to use different list files (not just turn them on or off) at different times of day. How can I do this?//** \\ One option is to use DansGuardian's <color #351>.Include</color> to split a list into more than one file. Then use clever settings of the "time" instructions within each file to enable one or the other (or both or neither) at different times of day. **//General#21b. I want to use different list files (not just turn them on or off) at different times of day. How can I do this?//** \\ One option is to use DansGuardian's <color #351>.Include</color> to split a list into more than one file. Then use clever settings of the "time" instructions within each file to enable one or the other (or both or neither) at different times of day.
-A second option is to set up a 'cron' job (one launched automatically at a certain time of day) to stop DansGuardian, then restart it with a different configuration that points at different list files. Use the  <color #351>-c\ ...</color>  option to point DansGuardian at a different configuration (rather than the default one). (You may need to figure out how to specify options such as <color #351>-c\ ...</color> through whatever mechanism your distribution uses to start services [daemons].)+A second option is to have the conf file point at a symbolic link which OS tools (rm\ ..., ln\ -s\ ..., etc.) manipulate before restarting DansGuardian. The symlink change is generally performed as part of a 'cron' job (one launched automatically at a certain time of day) that both changes configuration and restarts DansGuardian.  
 + 
 +(A 'cron' job can also restart DansGuardian with a different configuration altogether, one that points at different list files. Use the  <color #351>-c\ ...</color>  option to point DansGuardian at a different configuration [rather than the default one]. [For this option you may need to figure out how to specify options such as <color #351>-c\ ...</color> through whatever mechanism your distribution uses to start services (daemons).])
The major factor in choosing which mechanism to use is your own comfort level. Some administrators find 'cron' jobs drop-dead simple, while other administrators are allergic to 'cron' jobs and much prefer the convenience of time-of-day instructions inside DansGuardian list files. The major factor in choosing which mechanism to use is your own comfort level. Some administrators find 'cron' jobs drop-dead simple, while other administrators are allergic to 'cron' jobs and much prefer the convenience of time-of-day instructions inside DansGuardian list files.
Line 666: Line 672:
**//Installation#21. Which Kaspersky anti-virus package do I need for the "kavd" contentscanner?  And what should I do after I've attempted to install Kasperky A-V but just get the message "'cannot perform virus scan"?//** \\ The <color #351>aveserver</color> program the "kavd" content scanner uses may have been moved to the 'kav4mailserver' package. Furthermore, the license terms provided by Kaspersky may no longer sanction its use for this purpose. **//Installation#21. Which Kaspersky anti-virus package do I need for the "kavd" contentscanner?  And what should I do after I've attempted to install Kasperky A-V but just get the message "'cannot perform virus scan"?//** \\ The <color #351>aveserver</color> program the "kavd" content scanner uses may have been moved to the 'kav4mailserver' package. Furthermore, the license terms provided by Kaspersky may no longer sanction its use for this purpose.
-To use Kaspersky anti-virus with DansGuardian, use the ICAP server and the "icap" contentscanner instead. +To use Kaspersky anti-virus with DansGuardian, use the ICAP server and the "icap" contentscanner configuration instead.
-//**Installation#22. Which "contentscanner" option should I use with Clam Anti-Virus?**// \\ Use the //second// option, the one that references 'clamdscan.conf', which says 'plugname=clamdscan'. The 'clamdscan' option guarantees there will never be any sort of version dependency between DansGuardian and ClamAV. +//**Installation#22. Which "contentscanner" option should I use with Clam Anti-Virus?**// \\ Use the //second// option, the one that references 'clamdscan.conf', which says 'plugname=clamdscan'. The 'clamdscan' option largely eliminates any sort of version dependency [build-time or run-time] between DansGuardian and ClamAV. It interfaces with the interprocess named pipe socket provided by the current version of ClamAV, and has no special requirements or restrictions.
-The old 'clamav' runtime option is present mainly for historical reasons (it may not even work at all with some recent versions of ClamAV); the old 'clamav' runtime option is effectively deprecated. The <color #351><nowiki>--enable-clamav</nowiki></color> build option is __//not//__ necessary. Most builds should use only the <color #351><nowiki>--enable-clamd</nowiki></color> option. (In fact in some situations the unnecessary presence of <color #351><nowiki>--enable-clamav</nowiki></color> can cause DansGuardian to emit a weird error message about a ClamAV library version mismatch, then refuse to start up.  Executables without the old 'clamav' build option will not experience this problem.) +The old 'clamav' runtime option remains present mainly for historical reasons (it may not even work at all any more with recent versions of ClamAV); the old 'clamav' runtime option is effectively deprecated. The <color #351><nowiki>--enable-clamav</nowiki></color> build option should __//not//__ be specified (it's not necessary, and probably won't even work any more). Most builds should use __//only//__ the <color #351><nowiki>--enable-clamd</nowiki></color> option. (In fact the unnecessary presence of build/configure option <color #351><nowiki>--enable-clamav</nowiki></color> will probably cause DansGuardian to emit a weird error message about a ClamAV library version mismatch, for example 
 +<code> 
 +dansguardian: error while loading shared libraries: libclamav.so.5: cannot open 
 +shared object file: No such file or directory 
 +</code> 
 +then refuse to start up, even if 'clamav' is not being used and so is not configured in dansguardian.conf.  Executables //without// the old 'clamav' build option will not experience this problem.)
-**//Installation#22b. The clamdscan option says //!!Not Compiled!!//, but the clamav option is present. Can I use the clamav option instead? If not, what should I do?//** \\ Technically, you could probably make <color #351>clamav</color> work in many cases. But it's not exactly the same, does not work in all situations, can be more difficult to install and maintain, and is not recommended.+**//Installation#22b. On my system the 'clamdscan' option in dansguardian.conf says //!!Not Compiled!!//, but the 'clamav' option is present. Can I use the 'clamav' option instead? If not, what should I do?//** \\ The 'clamav' option is not exactly the same, probably will not work at all with more recent releases of ClamAV, unneccessarily introduces an overly tight version dependency, can be difficult to install and maintain, and for all these reasons is not recommended.
Instead, do one or more of the following: Instead, do one or more of the following:
-  * complain to your distribution about their DansGuardian package having been built inappropriately+  * complain to your distribution about their DansGuardian package having been built inappropriately (builds should use //only// ./configure option <color #351>--enable-clamd</color>, //not// <color #351>--enable-clamav</color> too)
  * obtain a more appropriate (and later?) DansGuardian package for your distribution from an "unofficial" repository (most distributions have one or more)   * obtain a more appropriate (and later?) DansGuardian package for your distribution from an "unofficial" repository (most distributions have one or more)
-  * rebuild DansGuardian from source, adding <color #351>--enable-clamd</color> (rather than <color #351>--enable-clamav</color>) to its configuration (see Installation#24b for rebuilding "almost" the same)+  * rebuild DansGuardian from source, adding <color #351>--enable-clamd</color> to (and removing <color #351>--enable-clamav</color> from) its configuration (see Installation#24b for rebuilding "almost" the same)
-  * forego the use of an Anti-Virus with DansGuardian+  * forego entirely the use of an Anti-Virus with DansGuardian
-//**Installation#23. My system already runs the clam daemon. Can I just use the existing clam installation?**// \\ Yes, that's what <color #351>clamdscan</color> does, communicate with a clam daemon through the named pipe socket it provided.+//**Installation#23. My system already runs the clam daemon. Can I just use the existing clam installation?**// \\ Yes, that's what <color #351>clamdscan</color> does, communicate with a clam daemon through the named pipe socket it provides.
-//**Installation#23b. I tried to enable clamdscan, but it just says "Could not perform virus scan!" What should I do?**// \\ Back up. Debugging clamdscan through DansGuardian is usually needlessly difficult and is seldom necessary. It will work much better to debug clamdscan directly. +//**Installation#23b. I tried to enable clamdscan, but it just says "Could not perform virus scan!" What should I do?**// \\ Start by backing out of your hole. Debugging clamdscan through DansGuardian is usually needlessly difficult and is seldom necessary. It will work much better to debug clamdscan directly.
At a shell prompt you should be able to execute <color #351>clamdscan\ [filename]</color> and get a few lines of output --including an OK and a SCAN\ SUMMARY. Until this direct use of clamdscan works correctly for you, don't even bother trying to use it through DansGuardian. If you have problems, you may find the ClamAV log (follow <color #351>LogFile</color> from /etc/clamd.conf), the ClamAV options related to debugging (probably <color #351>LogClean</color> and <color #351>Debug</color>), and the ClamAV documentation helpful. At a shell prompt you should be able to execute <color #351>clamdscan\ [filename]</color> and get a few lines of output --including an OK and a SCAN\ SUMMARY. Until this direct use of clamdscan works correctly for you, don't even bother trying to use it through DansGuardian. If you have problems, you may find the ClamAV log (follow <color #351>LogFile</color> from /etc/clamd.conf), the ClamAV options related to debugging (probably <color #351>LogClean</color> and <color #351>Debug</color>), and the ClamAV documentation helpful.
Line 923: Line 934:
**//Usage#12b. Should I treat adjustments I have to make to the DansGuardian configuration as "bugs"?//** \\ Not usually. The DansGuardian "default" configuration is __not__ a fixed canned configuration (it's more of a "starting point"). Some tweaking of the DansGuardian "default" configuration to better match your local usage patterns and policies is expected. **//Usage#12b. Should I treat adjustments I have to make to the DansGuardian configuration as "bugs"?//** \\ Not usually. The DansGuardian "default" configuration is __not__ a fixed canned configuration (it's more of a "starting point"). Some tweaking of the DansGuardian "default" configuration to better match your local usage patterns and policies is expected.
-**//Usage#13. DansGuardian doesn't work the way I want it to on my IPCop system.//** \\ Although the Cop+ that runs on the IPCop distribution is derived from DansGuardian+**//Usage#13. DansGuardian doesn't work the way I want it to on my IPCop system.//** \\ The Cop+ Web interface that controls DansGuardian gives you limited ability to edit Dansguardian Configuration files. The configuration files are all in /etc/dansguardian/ and subdirectories. You can edit the configuration files directly with vi from the command line or using WinSCP from a windows workstation. **Care Must be taken to keep the files owned by "nobody" or the Web interface will not be able to edit them anymore.** 
-the configuration tools are specific to Cop+ and are quite different from those used by vanilla DansGuardian.  +For help with Cop+, try [[http://home.earthlink.net/~copplus/dghelp.html]].
-For help with Cop+, try [[http://copfilter.endlich-mail.de/]].+
**//Usage#14. DansGuardian doesn't work the way I want it to on my SmoothWall Express or SmoothWall system.//** \\ For help with the homebrew DansGuardian package for SmoothWall Express, **//Usage#14. DansGuardian doesn't work the way I want it to on my SmoothWall Express or SmoothWall system.//** \\ For help with the homebrew DansGuardian package for SmoothWall Express,