|
AMaViS - A Mail Virus Scanner
|
version 0.2.1, $Date: 2001/01/18 19:44:20 $
This document describes version 0.2.1 of AMaViS - A Mail Virus Scanner for Linux and other UN*X based platforms ( tested to run on Solaris, *BSD, AIX, HP-UX, too )
-
1. Introduction
Most people will say: "A virus scanner? For UN*X? Why? Viruses do not work in a UNIX environment." On the first glance they are right (even if there are at least two viruses which run under Linux - well, actually they are Trojan Horses)
On the second view though, imagine a heterogene network environment with both UN*X and DOS / Windows / Macintosh workstations. Now think of an UN*X server that serves Windows and/or Macintosh workstations via a POP3 service.
Would it not be nice to ensure attachments coming via email are scanned for viruses before they reach a system they are able to infect?
Well - that is what this package is for. It resides on the server that handles your incoming mails. When a mail arrives, instead of being delivered via procmail directly, is parsed through a script that extracts all attachments from the mail, unpacks (if needed) and scannes them using a professional virus scanner program.
Please note:
This document mainly describes the function and implementation in a Linux environment, but it should be portable to any UN*X available within the limitations outlined in this document ( currently only Linux tested by the authors). Successful installation has also be reported running on SUN Solaris, *BSD, AIX and HP-UX (some with minor modification to the package). Links to software packages point mainly point to source code which should compile under different UN*X systems.
2. System Requirements
2.1 Virus Scanners
Note: For additional information please read README.scanners, too.
2.1.1 Network Associates Virus Scan
Version 3.x Engine
Network Associates''s Virus Scan for AIX, HP-UX, Linux, NCR and Solaris is no longer available from Network Associates. However, you may download the engine using the links above.
An exerpt from NAI's "README" dated 12-15-99 04:22AM:
[..]
Release Notes
for Network Associates 3212 .DAT Files
Copyright (c) 1992-1999 Networks Associates
Technology, Inc. All Rights Reserved.
////////////////////////////////////////////////////
/ THIS IS THE FINAL .DAT FILE RELEASE FOR THE V3.X /
/ PRODUCT SERIES. NETWORK ASSOCIATES RECOMMENDS /
/ THAT YOU UPGRADE TO CURRENT VERSIONS OF YOUR /
/ ANTI-VIRUS SOFTWARE. /
////////////////////////////////////////////////////
[..]
This latest (and last) DAT file is available here
Version 4.x Engine
Cite: "A new Network Associates scanning engine has been created and backed by the combined efforts of the McAfee Labs and Dr Solomon anti-virus research teams to deliver the outstanding virus detection and cleaning rates."
You may try to fetch the current version from a mirror for HPUX, Linux, SCO and Solaris. However, they may not have the lastest Version available.
Direct download from Network Associates is available from the NAI/McAfee Website.
Current DAT files have to be version 4.x and are the same for DOS/Windows. You may also use the daily updated DAT files
Note: This evaluation version is to be used free of charge for a limited time of 30 days. Then it has to be registered.
2.1.2. DrSolomon
DrSolomon's Anti-Virus Toolkit for SCO-UNIX (running with the iBCS kernel module)
Note: DrSolomon has become part of Network Associates (NAI) and their product merged with NAI/McAfee's VirusScan v4
2.1.3 H+BEDV AntiVir/X
AntiVir/X (German + English)
AntiVir/X may be used free of charge in a non commercial environment. Please send a short e-mail with name, address and point out that you want to use AntiVir/X exclusive on your personal system. You then will receive a license for it. Support is avalialable via linux_support@antivir.de
2.1.4 Sophos Sweep
Sophos Anti-Virus for Unix is virus detection and disinfection software which can be installed on Unix file servers and workstations. Binaries for various Unices are available here.
2.1.5 Kaspersky Lab AntiViral Toolkit Pro (AVP)
Kaspersky Lab AntiViral Toolkit Pro (AVP) for Linux is available here.
2.1.6 CyberSoft VFind
CyberSoft VFind is available here
2.1.7 Trend Micro FileScanner
Trend Micro FileScanner is available here.
It's free for personal use.
2.1.8 CAI InoculateIT
See CAI's product page and get it here.
2.1.9 F-Secure Inc. (former DataFellows) F-Secure AV
Download it here
2.2 Mail Transport Agents
2.2.1 Sendmail
Sendmail is available at: http://www.sendmail.org/
FIXME: For further information that may not be covered by this document please read the provided file README.sendmail
2.2.2 qmail
qmail is available at: http://www.qmail.org/
FIXME: For now please read the provided file README.qmail
2.2.3 Postfix
Postfix is available at: http://www.postfix.org/
FIXME: For now please read the provided file README.postfix
2.2.4 Exim
Exim is available at: http://www.exim.org/
FIXME: For now please read the provided file README.exim
2.3 MIME Handlers
2.3.1 metamail
most recent version of metamail is available at: ftp://ftp.funet.fi/pub/Linux/PEOPLE/Linus/net-source/mail/tools/.
We do not recommend to use it anymore, as it seems not to be maintained and metamail can not handle MIME multipart/alternative messages.
Please use reformime out of the maildrop package instead (see below). See also: README.metamail
2.3.2 reformime
reformime is part of the http://www.flounder.net/~mrsam/maildrop/maildrop package.
Please have a look at README.reformime, too.
2.4 Decompressors
2.4.1 uudecode
Note: GNU uuencode/uudecode 1.0 distribution has been merged into GNU shar utilities 4.2 distribution. Look for sharutils-*.*.tar.gz
available at: ftp://ftp.gnu.org/gnu/sharutils/
2.4.2 compress
From the compress (4.1) manpage:
Compress reduces the size of the named files using adaptive Lempel-Ziv coding. Whenever possible, each file is replaced by one with the extension .Z, while keeping the same ownership modes, access and modification times.
Note: (un)compress is not needed as gunzip is also able to uncompress .Z files.
Source code for compress is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/compress.tar.Z
2.4.3 gunzip
From the gzip-1.2.4L.lsm file:
gzip (GNU zip) is a compression utility designed to be a replacement for compress. Its main advantages over compress are much better compression and freedom from patented algorithms.
Source code for gunzip is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/gzip-1.2.4L.tar.gz (also available as special Pentium optimized binary version)
2.4.4 unzip
From the unzip-5.31.lsm file:
UnZip 5.31 is a free unarchiver compatible with PKZIP archives (zipfiles) but not a clone of PKUNZIP. This version improves performance somewhat and adds a new "timestamp" function for very fast dating of multiple archives, but most of its new features have to do with better cross-platform support and/or new ports. Multi-part archive support is *not* yet supported (sorry!). Work on that is already underway, however.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
A tool named "zipsecure" comes with AMaViS. This program reads a zip file from stdin, removes any pathes of a contained file and changes the name of the file to a new file name. The new name starts with a "z" followed by the process ID and a sequence number. If any extension in the original name was present, it is also appended to the new name.
The provided tool "securetar does similar to tar-files.
2.4.5 unarj
From the unarj241a.lsm file:
Standard unarj un-archiver, provided with the capability of creating directory hierarchies.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.6 unrar
From the unrar-2.04.1.lsm file:
The unRAR utility is a freeware program, distributed with source code and developed for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.7 xbin
xbin is available as: ftp://sunsite.unc.edu/pub/packages/TeX/tools/xbin/xbinunix.c
2.4.8 LHArc
latest seems to be version 1.14g but there is a version 1.15 at http://shibuya.cool.ne.jp/lha/.
2.4.9 bunzip2
Have a look at the bzip2 homepage at: http://sources.redhat.com/bzip2/
2.4.9 zoo
primary site: ftp://metalab.unc.edu/pub/Linux/utils/compress/
2.4.10 arc
original site: ftp://ftp.uu.net/pub/archiving/
primary site: ftp://metalab.unc.edu/pub/Linux/utils/compress/
2.4.11 freeze
http://metalab.unc.edu/pub/Linux/utils/compress/
2.4.12 tnef
A tool for decoding TNEF files is available at http://world.std.com/~damned/software.html
2.5 File Type Recognition
2.5.1 file
The "file" command is available at ftp://ftp.astron.com/pub/file/ (primary site) or its mirrors ftp://ftp.gw.com/pub/unix/file/ and ftp://ftp.funet.fi/pub/unix/tools/file/.
3. Installation Instructions
3.1 Installing the Software
Installation and operation is described here only for sendmail as SMTP-server. (See also the Future Outlook section of this document)
QMail users please read README.qmail, Postfix users please read README.postfix and Exim users please read README.exim.
- Get the package,
- untar contents into a temporary directory,
- read the instructions
- be sure all required programs have been installed
- run ./configure
- run make
- run make install
- modify your /etc/sendmail.cf
- send a SIGHUP to your SMTP server ("killall -HUP sendmail")
- test your installation
3.2 Modifying /etc/sendmail.cf
3.2.1 Modifying /etc/sendmail.cf manually
In your sendmail configuration file (usually /etc/sendmail.cf) the local mail delivery agent needs to be changed (typically this is one of procmail, deliver or mail)
Find the line that begins with Mlocal and change the call for the program which resides after the "P=" directive. This has also to be changed after the "A=" directive:
For example:
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=procmail -Y -a $h -d $u
changes to:
#Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
# T=DNS/RFC822/X-Unix,
# A=procmail -Y -a $h -d $u
Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=scanmails -Y -a $h -d $u
Please have a look at the FAQ or BUGS if this leads to a malfunction.
Note: If you prefer the m4 technique to configure sendmail, please read below.
3.2.2 Modifying sendmail.cf via M4 macros
Add the following to you .mc file, i.e. linux.mc, just before the MAILER definitions:
dnl change Mlocal to use AMaViS
define(`LOCAL_MAILER_PATH', `/usr/sbin/scanmails')dnl
define(`LOCAL_MAILER_ARGS', `scanmails -Y -a $h -d $u')dnl
Note: On some systems, i.e. SuSE Linux, procmail is not suid for security reasons (see BUGS). So,
if you're using sendmail 8.10.x or above, you may add
dnl for security reasons on some systems procmail is not suid.
dnl so we have to add the "o" flag and remove the "S"-flag
dnl see BUGS for details on this issue
MODIFY_MAILER_FLAGS(`LOCAL', `+o')dnl
MODIFY_MAILER_FLAGS(`LOCAL', `-S')dnl
3.3 Test Installation
So, how do you test if your installation has been successful? Don't ask me to send a wild virus ;-). Instead, create a file called eicar.com with the following contents:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(The file should end up being 69 bytes long). As an alternative, feel free to download the file at: http://www.eicar.org/download/eicar.com
This should be recognized as a test pattern. It is NOT a virus, just a test pattern that triggers the alert. Use this file in your mail. Try sending it as binhex, tar'ed, gzip'ed, uuencoded, etc.
For more information visit the Eicar Anti-Virus test file webpage
4. Download
Current versions are available at http://www.amavis.org/download/
5. Future Outlook
Features to be added to next Version:
- simple installation and configuration via script for more systems
- apply "sendmail hack" directly in M4 configuration file
- content filtering support
- modularisation
- ...
6. Bugs
- Documentation should be more accurate
- ...
Send bugreports to: amavis@aachalon.de or to our amavis-bugs mailing list. Prior to this, please read through the files FAQ or BUGS provided and check through the mailing list archive to be sure your bug has not already been discovered.
Please include information about the system you are using (eg. Linux, Solaris,...), the OS or distribution release (eg. RedHat 5.2, SuSE 6.0, SUN Solaris 2.6, ...) and anything that might be useful to trace a bug or shortcoming (like exerpts from your logfile which ususally is /var/log/scanmails/logfile and/or /var/log/maillog)...
7. Disclaimer
The software is provided as is. Please bear in mind that we have done this in our spare time. While it is as accurate as we could make it there is a reasonable chance that there are mistakes somewhere in here. If you email us and tell us about them we will be happy to fix them but we can't take responsibility for your system. Basically use this at your own risk.
7. Copyright
AMaViS - A Mail Virus Scanner
(c) 1997..2000 Mogens Kjaer, Carlsberg Laboratory mk@crc.dk, Jürgen Quade quade@amavis.org, Christian Bricart, shiva@aachalon.de, Rainer Link link@suse.de, Lars Hecking lhecking@users.sourceforge.net and others.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Product names and various content (including but not limited to audio, video, and graphics) are trademarks of their respective owner.
8. Credits
| Mogens Kjaer |
- minor modifications
- press work
| Jürgen Quade |
- minor modifications and enhancements
- official Website
- official support e-mail adress
- packet mainenance
| Christian Bricart |
- bug fixes and code improvements
- qmail support
| Chris L. Mason |
- modifications and enhancements
- added support for several anti-virus products
- added support for exim and postfix (based on work from Lars Hecking)
- product support
- thanks to SuSE Germany for funding my work
| Rainer Link |
9. AMaViS in the Press
10. History and Changes
for a full description of changes have a look at the ChangeLog
- Version 0.2.1 (30. Oct 2000)
- lot of bug fixes and code improvements
- added support for exim, postfix and qmail
- added support for more anti-virus products
- Version 0.2.0-pre6 (20. Jul 1999)
- root exploit fix recode to work with non Bash2
- fix misplaced "fi" in if-clause
- Version 0.2.0-pre5 (19. Jul 1999)
- fixed possible exploit allows that allowed for malicious users to insert arbitrary commands
- updated zipsecure to work with self-extracting ZIP's
- optional line in mail header after scanning
- AVP support
- Version 0.2.0-pre4 (31. Mar 1999)
- fixed empty helper application bug ("if [ -x ${prog} ]" always true when $prog=(empty))
- mail gets dumped if there is no program for delivery
- Version 0.2.0-pre3 (29. Mar 1999)
- added Sophos Anti-Virus scanner support
- added new archive handlers
- (hopefully) improved configure
- Version 0.2.0-pre2 (25. Feb 1999)
- fixed some possible loops in handling archives
- added some comments in BUGS
- changed version numbering in tarball, now conform to GNU
- Version 0.2.0pre1 (08. Dec 1998)
- switched to GNU-AutoConfig
- droped security fix from 0.1.1 in favour to "zipsecure" and "securetar"
- H&BEDV AntiVir/X scanner added
- enhanced logging via syslogd
- many fixes more
- Version 0.1.1 (28. Jan 1998)
- untar and unzip is now done by user "nobody" -> security fix
- ${virusmaildir} (default /root/virus) is now created
- Logfile is now REALLY created in specified log-directory
- Version 0.1.0 (17. Jan 1998)
- first official release
- assigned a package name "AMaViS - A Mail Virus Scanner"
- package maintenance assigned to Christian Bricart with official email adress amavis@aachalon.de and official Website at http://aachalon.de/AMaViS/
- minor recoding of scanmails
- installation enhancements
- initial, unsupported base version
- never released officially to the public
- original code done by Mogens Kjaer, Carlsberg Laboratory, mk@crc.dk
- Modified by Jürgen Quade, Softing GmbH, quade@softing.com
$Revision: 1.1.1.1.2.2.2.1 $ $Date: 2001/01/18 19:44:20 $ amavis@aachalon.de