Manual installation (Linux)
5 March 2024
ID 180652
This section describes how to manually install Kaspersky Scan Engine on Linux systems.
Before installing and configuring Kaspersky Scan Engine, you need to specify the locale of the computer on which Kaspersky Scan Engine is installed. Use the following commands:
LC_ALL=en_US.utf8
export LC_ALL
To install Kaspersky Scan Engine manually:
- Make sure that you have root (administrator) privileges.
- Create the /opt/kaspersky/ScanEngine directory. This directory is called %service_dir% in this Help document.
- Unpack the distribution kit contents to the %service_dir% directory on your system.
- Unpack the objects from the KAV SDK distribution kit (hereinafter %SDK_kit%) as follows:
  - Objects from %SDK_kit%/bin/bases to %service_dir%/bin/bases
  - Objects from %SDK_kit%/include to %service_dir%/include
  - Objects from %SDK_kit%/lib to %service_dir%/lib
  - Objects from %SDK_kit%/ppl to %service_dir%/ppl
  - The %SDK_kit%/tools/kavsigner file to %service_dir%/tools
  - The %SDK_kit%/tools/integrity_check_sdk.xml file to %service_dir%
  Only users with administrator rights must have access to the objects from %SDK_kit%.
  For compatibility with Kaspersky Scan Engine, use the KAV SDK version 8.9.2.595 or later.
- Read the End User License Agreement (EULA) for Kaspersky Scan Engine. The EULA is located at %service_dir%/doc/license.txt.
  If you agree to the terms of the EULA, proceed to the next step. If you decline the terms of the EULA, cancel the installation.
- Open file %service_dir%/etc/klScanEngineUI.xml.
- Accept the EULA. Change <Common>rejected</Common> to <Common>accepted</Common> in the klScanEngineUI.xml file.
- If you want to use Kaspersky Security Network (KSN), read the EULA for KSN and the Privacy Policy. This EULA is also located at %service_dir%/doc/ksn_license.txt and contains the link to the Privacy Policy.
  If you agree to the terms of the EULA for KSN and the Privacy Policy, proceed to the next step. If you decline the terms of the EULA for KSN or the Privacy Policy, proceed to step 10 (saving and closing klScanEngineUI.xml).
- Accept the EULA for KSN. Change <KSN>rejected</KSN> to <KSN>accepted</KSN> in klScanEngineUI.xml.
- Save and close %service_dir%/etc/klScanEngineUI.xml.
- Create a symbolic link to %service_dir%/etc/klScanEngineUI.xml from the /etc/ directory:
  ln -s %service_dir%/etc/klScanEngineUI.xml /etc/klScanEngineUI.xml
- If you want to use Kaspersky Scan Engine GUI, read subsection "Enabling Kaspersky Scan Engine GUI" below.
- Make a symbolic link to the proper Kaspersky Scan Engine configuration file from the /etc/ directory:
  - For HTTP mode, copy the %service_dir%/etc/kavhttpd.xml file to the /etc/ directory.
  - For ICAP mode, copy the %service_dir%/etc/kavicapd.xml file to the /etc/ directory.
  For example, in HTTP mode you have to run the following command:
  ln -s %service_dir%/etc/kavhttpd.xml /etc/kavhttpd.xml
- If you do not use the Kaspersky Scan Engine GUI and a connection through proxy server is needed, you have to specify an encrypted user name and password for the proxy server. To encrypt the user name and password:
  - Generate an encryption key as follows:
    openssl rand -out %service_dir%/httpsrv/kl_scanengine_db.key 512
  - Provide read permission to the owner only by running the following command:
    chmod 400 %service_dir%/httpsrv/kl_scanengine_db.key
  - To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to the configuration file kavhttpd.xml (for HTTP mode) or kavicapd.xml (for ICAP mode). The utility is located in the %service_dir%/tools/ directory.
    Run the kav_encrypt utility with the following options:
    -m <httpd | icap> -p <user_name:password>
- In /etc/systemd/system/multi-user.target.wants/, make symbolic links to the following files:
  - For ICAP mode, make a symbolic link to /opt/kaspersky/ScanEngine/etc/kavicapd.service by using the following command:
    ln -s /opt/kaspersky/ScanEngine/etc/kavicapd.service /etc/systemd/system/kavicapd.service
  - For HTTP mode, make a symbolic link to /opt/kaspersky/ScanEngine/etc/kavhttpd.service by using the following command:
    ln -s /opt/kaspersky/ScanEngine/etc/kavhttpd.service /etc/systemd/system/kavhttpd.service
- Register Kaspersky Scan Engine in the system by using the following commands:
  systemctl daemon-reload
  systemctl enable kavhttpd
  systemctl enable kavicapd
- Run registered Kaspersky Scan Engine services:
  - For ICAP mode, run:
    service kavicapd start
  - For HTTP mode, run:
    service kavhttpd start
- Go to the next steps as described in Getting started for HTTP mode or ICAP mode.
- Activate Kaspersky Scan Engine either in offline licensing mode or online licensing mode.
After you install Kaspersky Scan Engine, you can check the integrity of its components at any time by using the integrity check tool.
Enabling Kaspersky Scan Engine GUI
To enable Kaspersky Scan Engine GUI:
- Make sure that you have root (administrator) privileges.
- Do one of the following:
  - If you have never installed an instance of Kaspersky Scan Engine with GUI before or you do not want to add the new instance to an existing cluster, perform the actions described in section "Preparing to install Kaspersky Scan Engine GUI".
  - If you already have an instance of Kaspersky Scan Engine with GUI and you want to add the new instance to the same cluster, go to step 4 (opening /etc/klScanEngineUI.xml).
- On the computer that has PostgreSQL installed, perform the actions listed below under a user that can create new users and databases. To perform these actions, you can use either the psql utility or pgAdmin.
  Make sure that the user running the database queries has access to the directory containing tables.sql and also has read access to tables.sql itself.
  - Create a new PostgreSQL user called scanengine:
    CREATE USER scanengine;
  - Set the password for the scanengine user:
    ALTER USER scanengine WITH PASSWORD '%PASSWORD%';
  - Using PostgreSQL, create a database called kavebase:
    CREATE DATABASE kavebase OWNER scanengine;
  - In the kavebase database run the queries described in %service_dir%/samples/tables.sql.
    psql -d kavebase -a -f tables.sql
- Open /etc/klScanEngineUI.xml.
- In the <Mode> element, specify the mode that Kaspersky Scan Engine will work in:
  For HTTP mode:
  <Mode>httpd</Mode>
  For ICAP mode:
  <Mode>icap</Mode>
- Change <EnableUI>false</EnableUI> to <EnableUI>true</EnableUI>.
- In the <ConnectionString> element, specify the address of the Kaspersky Scan Engine GUI web service in %IP%:%port% format.
  For example:
  <ConnectionString>198.51.100.0:443</ConnectionString>
- Specify the SSL certificate to install in the Kaspersky Scan Engine GUI web service.
  - If you already have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, specify the paths to your certificate and your private key:
    - In the <SSLCertificatePath> element, specify the path to your SSL certificate.
    - In the <SSLPrivateKeyPath> element, specify the path to your private key.
  - If you do not have an SSL certificate that you want to install in the Kaspersky Scan Engine GUI web service, generate a new one. Run the %service_dir%/tools/openssl utility as follows:
    /opt/kaspersky/ScanEngine/tools/openssl req -x509 -nodes -days 1825 -subj /C=RU/CN="%ConnectionString%" -newkey rsa:4096 -extensions EXT -config "/opt/kaspersky/ScanEngine/tools/openssl.cnf" -keyout "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_private.pem" -out "/opt/kaspersky/ScanEngine/httpsrv/kl_scanengine_cert.pem"
    Here %ConnectionString% is the value that is specified in the <ConnectionString> element. It is recommended to use the values rsa:4096 or rsa:3072 with the -newkey parameter. The minimum supported value is rsa:2048.
    You must configure access to the private key file for Kaspersky Scan Engine GUI so that only the root user and the user account under which the service is running can have the read permission.
- Generate an encryption key as follows:
  openssl rand -out %service_dir%/httpsrv/kl_scanengine_db.key 512
- Provide read permission to the owner only by running the following command:
  chmod 400 %service_dir%/httpsrv/kl_scanengine_db.key
- In the DatabaseSettings > ConnectionString element, specify the address of a new or existing kavebase database that you want to connect to by using the format %IP%:%port%.
- Save and close /etc/klScanEngineUI.xml.
- Encrypt the user name and password of the user that will be used to access the kavebase database:
  - If you have never installed an instance of Kaspersky Scan Engine with GUI before or you do not want to add the new instance to an existing cluster, encrypt the user name and password of the user that you specified in step 3.
  - If you already have an instance of Kaspersky Scan Engine with GUI and you want to add the new instance to the same cluster, encrypt the user name and password of the user that is used to access the kavebase database of the cluster.
  To encrypt the credentials, use the kav_encrypt utility. This utility also automatically writes the encrypted user name and password to /etc/klScanEngineUI.xml. The utility is located in the %service_dir%/tools/ directory.
  Run the kav_encrypt utility with the following options:
  -d '%username%:%password%'
- In /etc/systemd/system/multi-user.target.wants/, make a symbolic link to /opt/kaspersky/ScanEngine/etc/klScanEngineUI.service by using the following command:
  ln -s /opt/kaspersky/ScanEngine/etc/klScanEngineUI.service /etc/systemd/system/klScanEngineUI.service
- Register Kaspersky Scan Engine in the system by using the following commands:
  systemctl daemon-reload
  systemctl enable klScanEngineUI
- Run the registered Kaspersky Scan Engine service:
  service klScanEngineUI start
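A post-install check of the file-level settings that both procedures above call for: the /etc symlink, EULA acceptance, the chmod 400 encryption key and the GUI private key. This is an added example, not part of Kaspersky's documentation. The function name audit_scanengine and its path-prefix argument are assumptions made so the check can also run against a test tree, and it relies on GNU stat and readlink.

```shell
# Added example (not vendor code). $1 is a hypothetical path prefix:
# empty on a live host, a scratch directory when testing.
# Prints one line per failed check; return status = number of failures.
audit_scanengine() {
    local root="${1:-}" svc cfg key pem mode fails=0
    svc="$root/opt/kaspersky/ScanEngine"
    cfg="$root/etc/klScanEngineUI.xml"
    key="$svc/httpsrv/kl_scanengine_db.key"
    pem="$svc/httpsrv/kl_scanengine_private.pem"

    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # /etc/klScanEngineUI.xml must be a symlink into %service_dir%/etc.
    if [ ! -L "$cfg" ]; then
        fail "$cfg is not a symbolic link"
    elif [ "$(readlink -f "$cfg")" != "$(readlink -f "$svc/etc/klScanEngineUI.xml")" ]; then
        fail "$cfg does not point to $svc/etc/klScanEngineUI.xml"
    fi

    # The EULA element must read "accepted".
    grep -q '<Common>accepted</Common>' "$cfg" 2>/dev/null ||
        fail "EULA is not accepted in $cfg"

    # Encryption key: 512 bytes from openssl rand, owner read-only.
    if [ ! -f "$key" ]; then
        fail "$key is missing"
    else
        mode="$(stat -c '%a' "$key")"
        [ "$mode" = "400" ] || fail "$key has mode $mode, expected 400"
        [ "$(stat -c '%s' "$key")" -eq 512 ] || fail "$key is not 512 bytes"
    fi

    # TLS private key (GUI installs only): no access for "other" users.
    if [ -f "$pem" ]; then
        mode="$(stat -c '%a' "$pem")"
        case "$mode" in
            *0) ;;
            *) fail "$pem has mode $mode; remove access for other users" ;;
        esac
    fi

    return "$fails"
}
```

On a live host, run audit_scanengine "" as root after the last step. Whether group access to the private key is acceptable depends on how the service account is set up, so the check only flags access for other users.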