AMaViS - A Mail Virus Scanner
version 0.2.1, $Date: 2000/10/31 10:59:53 $
This document describes version 0.2.1 of AMaViS - A Mail Virus Scanner
for Linux and other UN*X based platforms (tested to run on Solaris, *BSD, AIX
and HP-UX, too).
IMPORTANT NOTE: A lot of features have been added to amavis-perl and amavisd
which are not described in this document! Please read the README files within
the amavis-perl/amavisd package! The development of the AMaViS 0.2.x tree has
been discontinued.
1. Introduction
Most people will say: "A virus scanner? For UN*X? Why? Viruses do not work
in a UNIX environment." At first glance they are right (even if there are at
least two viruses which run under Linux - well, actually they are Trojan
Horses).
On second view though, imagine a heterogeneous network environment with both
UN*X and DOS / Windows / Macintosh workstations. Now think of a UN*X server
that serves Windows and/or Macintosh workstations via a POP3 service. Would it
not be nice to ensure that attachments coming via email are scanned for viruses
before they reach a system they are able to infect? Well - that is what this
package is for. It resides on the server that handles your incoming mail. When
a mail arrives, instead of being delivered via procmail directly, it is passed
through a script that extracts all attachments from the mail, unpacks them (if
needed) and scans them using a professional virus scanner program.
Please note:
This document mainly describes the function and implementation in a Linux
environment, but it should be portable to any UN*X available within the
limitations outlined in this document (currently only Linux is tested by the
authors). Successful installation has also been reported on SUN Solaris, *BSD,
AIX and HP-UX (some with minor modifications to the package). Links to software
packages point mainly to source code which should compile under different UN*X
systems.
2. System Requirements
2.1 Virus Scanners
Note: For additional information please read
README.scanners, too.
2.1.1 Network Associates Virus Scan
Version 3.x Engine
Network Associates's Virus Scan for AIX, HP-UX, Linux, NCR and Solaris is no
longer available from Network Associates. However, you may download the engine
using the links above.
An excerpt from NAI's "README" dated 12-15-99 04:22AM: [..]
Release Notes
for Network Associates 3212 .DAT Files
Copyright (c) 1992-1999 Networks Associates
Technology, Inc. All Rights Reserved.
////////////////////////////////////////////////////
/ THIS IS THE FINAL .DAT FILE RELEASE FOR THE V3.X /
/ PRODUCT SERIES. NETWORK ASSOCIATES RECOMMENDS /
/ THAT YOU UPGRADE TO CURRENT VERSIONS OF YOUR /
/ ANTI-VIRUS SOFTWARE. /
////////////////////////////////////////////////////
[..]
This latest (and last) DAT file is available here
Version 4.x Engine
Cite: "A new Network Associates scanning engine has been created and backed by
the combined efforts of the McAfee Labs and Dr Solomon anti-virus research
teams to deliver the outstanding virus detection and cleaning rates."
You may try to fetch the current version from a mirror for HPUX, Linux, SCO
and Solaris. However, they may not have the latest version available. Direct
download from Network Associates is available from the NAI/McAfee website.
Current DAT files have to be version 4.x and are the same for DOS/Windows. You
may also use the daily updated DAT files.
Note: This evaluation version is to be used free of charge for a limited time
of 30 days. Then it has to be registered.
2.1.2. DrSolomon
DrSolomon's Anti-Virus Toolkit for SCO-UNIX (running with the iBCS kernel
module)
Note: DrSolomon has become part of Network Associates (NAI) and their product
merged with NAI/McAfee's VirusScan v4.
2.1.3 H+BEDV AntiVir/X
AntiVir/X (German + English)
AntiVir/X may be used free of charge in a non-commercial environment. Please
send a short e-mail with name and address and point out that you want to use
AntiVir/X exclusively on your personal system. You will then receive a license
for it. Support is available via linux_support@antivir.de
2.1.4 Sophos Sweep
Sophos Anti-Virus for Unix is virus detection and disinfection software which
can be installed on Unix file servers and workstations. Binaries for various
Unices are available here.
2.1.5 Kaspersky Lab AntiViral Toolkit Pro (AVP)
Kaspersky Lab AntiViral Toolkit Pro (AVP) for Linux is available here.
2.1.6 CyberSoft VFind
CyberSoft VFind is available here.
2.1.7 Trend Micro FileScanner
Trend Micro FileScanner is available here. It's free for personal use.
2.1.8 CAI InoculateIT
See CAI's product page and get it
here.
2.1.9 F-Secure Inc. (former DataFellows) F-Secure AV
Download it here
2.2 Mail Transport Agents
2.2.1 Sendmail
Sendmail is available at: http://www.sendmail.org/
FIXME: For
further information that may not be covered by this document please read the
provided file README.sendmail
2.2.2 qmail
qmail is available at: http://www.qmail.org/
FIXME: For now please
read the provided file README.qmail
2.2.3 Postfix
Postfix is available at: http://www.postfix.org/
FIXME: For now
please read the provided file README.postfix
2.2.4 Exim
Exim is available at: http://www.exim.org/
FIXME: For now please
read the provided file README.exim
2.3 MIME Handlers
2.3.1 metamail
The most recent version of metamail is available at:
ftp://ftp.funet.fi/pub/Linux/PEOPLE/Linus/net-source/mail/tools/.
We no longer recommend using it, as it does not seem to be maintained and
metamail cannot handle MIME multipart/alternative messages. Please use
reformime from the maildrop package instead (see below). See also:
README.metamail
2.3.2 reformime
reformime is part of the maildrop package: http://www.flounder.net/~mrsam/maildrop/.
Please have a look at README.reformime, too.
2.4 Decompressors
2.4.1 uudecode
Note: The GNU uuencode/uudecode 1.0 distribution has been merged into the GNU
shar utilities 4.2 distribution. Look for sharutils-*.*.tar.gz, available at:
ftp://ftp.gnu.org/gnu/sharutils/
2.4.2 compress
From the compress (4.1) manpage:
Compress reduces the size
of the named files using adaptive Lempel-Ziv coding. Whenever possible, each
file is replaced by one with the extension .Z, while keeping the same ownership
modes, access and modification times.
Note: (un)compress is not needed as gunzip is also able to
uncompress .Z files.
Source code for compress is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/compress.tar.Z
2.4.3 gunzip
From the gzip-1.2.4L.lsm file:
gzip (GNU zip) is a
compression utility designed to be a replacement for compress. Its main
advantages over compress are much better compression and freedom from patented
algorithms.
Source code for gunzip is available at: ftp://sunsite.unc.edu/pub/Linux/compress/gzip-1.2.4L.tar.gz
(also available as special Pentium
optimized binary version)
2.4.4 unzip
From the unzip-5.31.lsm file:
UnZip 5.31 is a free
unarchiver compatible with PKZIP archives (zipfiles) but not a clone of PKUNZIP.
This version improves performance somewhat and adds a new "timestamp" function
for very fast dating of multiple archives, but most of its new features have to
do with better cross-platform support and/or new ports. Multi-part archive
support is *not* yet supported (sorry!). Work on that is already underway,
however.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
A tool named "zipsecure" comes with AMaViS. This program reads a zip file from
stdin, removes any path components from the names of the contained files and
renames each file. The new name starts with a "z" followed by the process ID
and a sequence number. If the original name had an extension, it is appended to
the new name as well.
The provided tool "securetar" does the same for tar files.
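The behaviour of zipsecure described above, as an added Python re-implementation written for this document (it is not the zipsecure program shipped with AMaViS). The "-" between process ID and sequence number and the constructed sample archive are assumptions of this example.

```python
import io
import os
import zipfile


def zipsecure(zip_bytes, pid=None):
    """Re-pack a zip archive the way the README describes zipsecure.

    Every member loses its directory components (so a name such as
    "../../etc/passwd" can no longer escape the directory it is unpacked
    into) and is renamed to "z<pid>-<seq>" plus the original extension, if
    any; the "-" separator is an assumption of this example. Directory-only
    entries are dropped. Returns the new archive and an old-to-new name map.
    """
    pid = os.getpid() if pid is None else pid
    out_buf, mapping, seq = io.BytesIO(), {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue  # a bare directory entry carries nothing to scan
            # Strip every path component; treat "\" as a separator too,
            # because archives built on DOS/Windows may use it.
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1]
            new_name = "z%d-%d%s" % (pid, seq, os.path.splitext(base)[1])
            seq += 1
            dst.writestr(new_name, src.read(info))
            mapping[info.filename] = new_name
    return out_buf.getvalue(), mapping


def member_names(zip_bytes):
    """Member names of an archive, in stored order."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_zip():
    """Constructed sample input: a directory entry, a path-traversal name
    and a doubly-suffixed name nested in subdirectories."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dir/", "")
        zf.writestr("../../etc/passwd", "constructed sample, not a real file\n")
        zf.writestr("dir/sub/report.doc.exe", "constructed sample, not a program\n")
    return buf.getvalue()
```

To use it as a filter like the original, feed sys.stdin.buffer.read() to zipsecure() and write the returned archive to sys.stdout.buffer; the name map is what you would log.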
2.4.5 unarj
From the unarj241a.lsm file:
Standard unarj un-archiver,
provided with the capability of creating directory hierarchies.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.6 unrar
From the unrar-2.04.1.lsm file:
The unRAR utility is a
freeware program, distributed with source code and developed for extracting,
testing and viewing the contents of archives created with the RAR archiver
version 1.50 and above.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.7 xbin
xbin is available as: ftp://sunsite.unc.edu/pub/packages/TeX/tools/xbin/xbinunix.c
2.4.8 LHArc
The latest version seems to be 1.14g, but there is a version 1.15 at
http://shibuya.cool.ne.jp/lha/.
2.4.9 bunzip2
Have a look at the bzip2 homepage at: http://sources.redhat.com/bzip2/
2.4.10 zoo
primary site: ftp://metalab.unc.edu/pub/Linux/utils/compress/
2.4.11 arc
original site: ftp://ftp.uu.net/pub/archiving/
primary site: ftp://metalab.unc.edu/pub/Linux/utils/compress/
2.4.12 freeze
http://metalab.unc.edu/pub/Linux/utils/compress/
2.4.13 tnef
A tool for decoding TNEF files is available at http://world.std.com/~damned/software.html
2.5 File Type Recognition
2.5.1 file
The "file" command is available at ftp://ftp.astron.com/pub/file/
(primary site) or its mirrors ftp://ftp.gw.com/pub/unix/file/ and
ftp://ftp.funet.fi/pub/unix/tools/file/.
3. Installation Instructions
3.1 Installing the Software
Installation and operation is described here only for sendmail as SMTP server
(see also the Future Outlook section of this document).
qmail users please read README.qmail, Postfix users please read README.postfix
and Exim users please read README.exim.
- get the package,
- untar its contents into a temporary directory,
- read the instructions,
- be sure all required programs have been installed,
- run ./configure,
- run make,
- run make install,
- modify your /etc/sendmail.cf,
- send a SIGHUP to your SMTP server ("killall -HUP sendmail"),
- test your installation.
3.2 Modifying /etc/sendmail.cf
3.2.1 Modifying /etc/sendmail.cf manually
In your sendmail configuration file (usually /etc/sendmail.cf) the local mail
delivery agent needs to be changed (typically this is one of procmail, deliver
or mail).
Find the line that begins with Mlocal and change the program which is called
after the "P=" directive. The program name after the "A=" directive has to be
changed as well. For example:
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=procmail -Y -a $h -d $u
changes to:
#Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
#       T=DNS/RFC822/X-Unix,
#       A=procmail -Y -a $h -d $u
Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
        T=DNS/RFC822/X-Unix,
        A=scanmails -Y -a $h -d $u
Please have a look at the FAQ or BUGS if this leads to a malfunction.
Note: If you prefer the m4 technique to configure sendmail, please read below.
3.2.2 Modifying sendmail.cf via M4 macros
Add the following to your .mc file, e.g. linux.mc, just before the MAILER
definitions:
dnl change Mlocal to use AMaViS
define(`LOCAL_MAILER_PATH', `/usr/sbin/scanmails')dnl
define(`LOCAL_MAILER_ARGS', `scanmails -Y -a $h -d $u')dnl
Note: On some systems, e.g. SuSE Linux, procmail is not suid for security
reasons (see BUGS). So, if you're using sendmail 8.10.x or above, you may add:
dnl for security reasons on some systems procmail is not suid.
dnl so we have to add the "o" flag and remove the "S"-flag
dnl see BUGS for details on this issue
MODIFY_MAILER_FLAGS(`LOCAL', `+o')dnl
MODIFY_MAILER_FLAGS(`LOCAL', `-S')dnl
3.3 Test Installation
So, how do you test if your installation has been successful? Don't ask me to
send a wild virus ;-). Instead, create a file called eicar.com with the
following contents:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(The file should end up being 69 bytes long.) As an alternative, feel free to
download the file at: http://www.eicar.org/download/eicar.com
This should be recognized as a test pattern. It is NOT a virus, just a test
pattern that triggers the alert. Use this file in your mail. Try sending it as
binhex, tar'ed, gzip'ed, uuencoded, etc.
For more information visit the Eicar Anti-Virus test file webpage.
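The test described in this section, together with the extract / unpack / scan flow from the Introduction, as an added Python example (written for this document, not AMaViS code): it builds a test mail carrying eicar.com both plain and gzip'ed, then walks the MIME parts the way the README says scanmails does. The addresses and scan_stub (a pattern match standing in for a real scanner program) are assumptions.

```python
import gzip
from email import message_from_bytes, policy
from email.message import EmailMessage

# The EICAR test pattern quoted above: 68 bytes plus a trailing newline gives
# the 69-byte eicar.com the text mentions. It is a harmless test string.
EICAR = (rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
         + b"\n")


def build_test_mail(sender="tester@example.org", rcpt="postmaster@example.org"):
    """Build the kind of test message the README suggests: eicar.com once as
    a plain attachment and once gzip'ed. Addresses are placeholders."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "AMaViS installation test"
    msg.set_content("EICAR test pattern attached, plain and gzip'ed.")
    msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                       filename="eicar.com")
    msg.add_attachment(gzip.compress(EICAR), maintype="application",
                       subtype="gzip", filename="eicar.com.gz")
    return msg.as_bytes()


def scan_stub(data):
    """Stand-in for the real scanner program: it only knows the EICAR pattern."""
    return data.rstrip(b"\r\n") == EICAR.rstrip(b"\n")


def extract_and_scan(raw_mail):
    """Do what the README says scanmails does: pull every attachment out of
    the MIME message, unpack it if needed (only gzip is handled here) and hand
    the bytes to the scanner. Returns the names of the attachments flagged."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True)
        if data[:2] == b"\x1f\x8b":  # gzip magic, whatever the name says
            data = gzip.decompress(data)
        if scan_stub(data):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("flagged:", extract_and_scan(build_test_mail()))
```

Both attachments must be flagged; if only the plain one is, the unpacking step, not the scanner, is what needs attention.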
4. Download
Current versions are available at http://www.amavis.org/download/
5. Future Outlook
Features to be added to next Version:
- simple installation and configuration via script for more systems
- apply "sendmail hack" directly in M4 configuration file
- content filtering support
- modularisation
- ...
6. Bugs
- Documentation should be more accurate
- ...
Send bug reports to: amavis@aachalon.de or to our amavis-bugs mailing list.
Prior to this, please read through the files FAQ and BUGS provided and check
the mailing list archive to be sure your bug has not already been discovered.
Please include information about the system you are using (e.g. Linux,
Solaris, ...), the OS or distribution release (e.g. RedHat 5.2, SuSE 6.0, SUN
Solaris 2.6, ...) and anything that might be useful to trace a bug or
shortcoming (like excerpts from your logfile, which usually is
/var/log/scanmails/logfile and/or /var/log/maillog).
7. Disclaimer
The software is provided as is. Please bear
in mind that we have done this in our spare time. While it is as accurate as we
could make it there is a reasonable chance that there are mistakes somewhere in
here. If you email us and tell us about
them we will be happy to fix them but we can't take responsibility for your
system. Basically use this at your own risk.
7. Copyright
AMaViS - A Mail Virus Scanner (c) 1997..2000 Mogens
Kjaer, Carlsberg Laboratory mk@crc.dk, Jürgen
Quade quade@amavis.org, Christian Bricart,
shiva@aachalon.de, Rainer Link link@suse.de, Lars Hecking lhecking@nmrc.ie and others.
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU
General Public License as published by the Free Software Foundation; either
version 1, or (at your option) any later version.
This program is distributed
in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License
for more details.
Product names and various content (including but not limited to audio, video,
and graphics) are trademarks of their respective owner.
8. Credits
Mogens Kjaer
- original code (see History)
Jürgen Quade
- minor modifications
- press work
Christian Bricart
- minor modifications and enhancements
- official Website
- official support e-mail address
- package maintenance
Chris L. Mason
- bug fixes and code improvements
- qmail support
Rainer Link
- modifications and enhancements
- added support for several anti-virus products
- added support for exim and postfix (based on work from Lars Hecking)
- product support
- thanks to SuSE Germany for funding my work
9. AMaViS in the Press
10. History and Changes
for a full description of changes have a look
at the ChangeLog
- Version 0.2.1 (30. Oct 2000)
- lot of bug fixes and code improvements
- added support for exim, postfix and qmail
- added support for more anti-virus products
- Version 0.2.0-pre6 (20. Jul 1999)
- root exploit fix recoded to work with non-Bash2 shells
- fixed misplaced "fi" in if-clause
- Version 0.2.0-pre5 (19. Jul 1999)
- fixed a possible exploit that allowed malicious users to insert arbitrary
commands
- updated zipsecure to work with self-extracting ZIP's
- optional line in mail header after scanning
- AVP support
- Version 0.2.0-pre4 (31. Mar 1999)
- fixed empty helper application bug ("if [ -x ${prog} ]" always true when
$prog=(empty))
- mail gets dumped if there is no program for delivery
- Version 0.2.0-pre3 (29. Mar 1999)
- added Sophos Anti-Virus scanner support
- added new archive handlers
- (hopefully) improved configure
- Version 0.2.0-pre2 (25. Feb 1999)
- fixed some possible loops in handling archives
- added some comments in BUGS
- changed version numbering in tarball, now conform to GNU
- Version 0.2.0pre1 (08. Dec 1998)
- switched to GNU-AutoConfig
- dropped security fix from 0.1.1 in favour of "zipsecure" and "securetar"
- H&BEDV AntiVir/X scanner added
- enhanced logging via syslogd
- many fixes more
- Version 0.1.1 (28. Jan 1998)
- untar and unzip is now done by user "nobody" -> security fix
- ${virusmaildir} (default /root/virus) is now created
- Logfile is now REALLY created in specified log-directory
- Version 0.1.0 (17. Jan 1998)
- first official release
- assigned a package name "AMaViS - A Mail Virus Scanner"
- package maintenance assigned to Christian Bricart with official email
address amavis@aachalon.de and official Website at http://.aachalon.de/AMaViS/
- minor recoding of scanmails
- installation enhancements
- initial, unsupported base version
- never released officially to the public
- original code done by Mogens Kjaer, Carlsberg Laboratory, mk@crc.dk
- Modified by Jürgen Quade, Softing GmbH, quade@softing.com
$Revision: 1.7 $ $Date: 2000/10/31 10:59:53 $ amavis@aachalon.de