AntiVirusINSTALL - INSTALL file for the Anti-Virus Plugin for DansGuardian.

Created by James A. Pattie (james@pcxperience.com)
(c) 2002-2003 by Xperience, Inc. (http://www.xperienceinc.com/)
Licensed under the GPL.

07/29/2003
Version 4.2 for DansGuardian 2.7

This documents how to add Anti-Virus scanning to the DansGuardian project.

REQUIREMENTS:

    perl 5.6.1 or 5.8.0
    DansGuardian 2.7.1-4
    dansguardian-virus-scripts 1.05
    Mail::Sender 0.8.00

Download the latest Dansguardian-Virus-Scripts tarball or rpm package from
http://www.pcxperience.org/dgvirus/. These scripts come from the MailScanner
project, and some of the code integrated into DansGuardian is also taken from
the MailScanner package. See the MailScanner site for any installation notes
regarding your Anti-Virus product: http://www.mailscanner.info/

If installing from the tarball, copy the usr/lib/DGVirus directory structure
to /usr. If installing from rpm, you need to install it before the
DansGuardian-Virus package.

Download the tarball or our rpm of Mail::Sender 0.8.00 from CPAN or the
support directory. This needs to be installed before installing DansGuardian.

Download the source to DansGuardian 2.7.1-4. Now you need to patch the source.
First uncompress the patch:

    gunzip DansGuardian-2.7.1-4-AntiVirus-4.2.patch.gz

You can either build manually:

    tar xvzf DansGuardian-2.7.1-4.source.tar.gz
    cd DansGuardian-2.7.1-4
    patch -p1 < ../DansGuardian-2.7.1-4-AntiVirus-4.2.patch

This assumes you have the patch in the same directory as the source tarball
for DansGuardian 2.7.1-4. (gunzip strips the .gz suffix, so the patch is
applied from the uncompressed .patch file, not the .patch.gz.) Now read the
INSTALL file and follow the steps to build DansGuardian.

Or you can build an rpm from the included DGVirus.spec file:

    cp DansGuardian-2.7.1-4.source.tar.gz /usr/src/redhat/SOURCES
    cp DansGuardian-2.7.1-4-AntiVirus-4.2.patch /usr/src/redhat/SOURCES
    cp linux.in-rpmfixup.patch /usr/src/redhat/SOURCES
    cp DGVirus.spec /usr/src/redhat/SPECS
    cd /usr/src/redhat/SPECS
    rpmbuild -bb DGVirus.spec

Then install the packages in this order. First install the
DansGuardian-Virus-Scripts support package:

    rpm -Uvh DansGuardian-Virus-Scripts-1.05-1.noarch.rpm

Next install the perl-Mail-Sender package:

    rpm -Uvh perl-Mail-Sender-0.8.00-1.i386.rpm

Now install the newly created DansGuardian package:

    rpm -Uvh ../RPMS/i386/DansGuardian-Virus-4.2-1.i386.rpm

VIRUS Engine Configuration:

To enable your virus scanner (if it is not F-Prot, or F-Prot is not installed
in /usr/local/f-prot), edit virusscanner.conf in the dansguardian
configuration directory. This file also has other options that can be tweaked,
though not all options are currently being used.

NOTE: Currently, once this patch is applied, all content (html/text, etc.)
other than SSL connections is scanned by default. If you want to disable the
virus scanning code, modify the generated dansguardian.conf file and change
the virusscan option from on to off.

If a virus is detected, an HTML document stating that fact will be sent to the
browser. In the event that you were downloading a big file, the first bytes of
the file in question may already have been delivered to the browser, and the
HTML error document will then be appended to them. The saved file is therefore
neither the original file nor a clean error page. If downloading and saving
to disk, always check to make sure that the resulting file is what you were
expecting (compare its size or checksum against the publisher's, or look for
the HTML error text at its end) before using it.

The Virus scanning code will log, via syslog, the scanning messages and the
results of any virus-found messages.

F-Prot is the anti-virus engine I'm testing. The other virus programs that
MailScanner supports have been converted but, since I don't own them, I
haven't tested the code yet. If you own one of the other engines I would
appreciate any help in debugging the code and getting it supported.

I have had confirmation that the Sophos code works.

I have added code provided by G.H.J. Dorssers to make the AntiVir virus
scanner work, but it is totally unsupported by me. To use it, you will have
to modify virusscanner.conf and change 'Minimum Code Status' from supported
to unsupported, along with the Virus Scanner and Sweep values.

2002/12/17 - I now rely on the DansGuardian-Virus-Scripts package I'm creating
from the MailScanner 4.x release for the virus wrapper scripts. This is now in
/usr/lib/DGVirus and the names of the virus wrapper scripts are slightly
different. If things break after an upgrade, check to make sure you are
pointing at the right file.

2002/11/27 - Postmaster will now always receive an email when a virus is
detected. If squid is requiring proxy authentication, then the detected user
will also get an email (as long as virusscanner.conf is properly configured).
I recommend using pam_auth (provided with squid) and configuring it to use
whatever authentication mechanism PAM provides that you have easily
available, so that every valid user has a username that is also a valid
email address user. Any emails generated to users will have the Mail Domain
value appended to them as follows: user@MailDomain, where user is the
detected username.

Quarantining of the infected files is now available and will store the files
in the following format:

    prefix/dgvirus/quarantine/DATE/USER/URL/FILE

where prefix/dgvirus/quarantine is user defined in virusscanner.conf, DATE is
today's date in YYYYMMDD format, USER is the detected user's name (or no-user
if proxy auth is disabled), URL is the url with any & escaped, and FILE is
the temporary file DansGuardian uses, in the format fileXXXXXX.

01/13/2003 - A status file is now generated that will allow the user to see
the status of large files being downloaded. The status files are stored in
the DownloadDir directory under status and are grouped by the IP address of
the client or the detected user name (no-user if none detected). This
grouping is configurable in virusscanner.conf.

Ex: DownloadDir = /tmp/dgvirus, Temp file = fileXYZ123, User Name = james
    Status File = /tmp/dgvirus/status/james/fileXYZ123

If grouping by IP and the IP was 10.0.0.2, then
    Status File = /tmp/dgvirus/status/10.0.0.2/fileXYZ123

The status file will be deleted when the file is done downloading, when the
file transfer is canceled, or on any other error condition. The status file
is locked via flock, so any monitoring scripts should acquire a LOCK_SH
before reading from the file to make sure that they get complete data. The
output format is:

    started: Start TimeStamp
    last: Last Updated TimeStamp
    url: url
    file: name of temporary file
    fileLength: # bytes in file
    bytesDownloaded: # bytes currently downloaded
    user: detected user name
    userIP: IP of browser

Changelog:

4.0 - Ported 2.2 forward into the 2.7.1-0 tree.
4.1 - Added optional simultaneous write to client socket, activated by the
      tricklelength variable in dansguardian.conf. Added firsttrickledelay
      and followingtrickledelay variables in dansguardian.conf. (Code by
      Aecio F. Neto (afn@harvest.com.br) - Harvest Consultoria
      (http://www.harvest.com.br))
4.2 - Added optional parameter to not scan sites and urls in exception lists.
      (Code by Aecio F. Neto (afn@harvest.com.br) - Harvest Consultoria
      (http://www.harvest.com.br))
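The status file handling described above (the status/USER or status/IP
grouping, the key: value record, the flock requirement and deletion when the
transfer ends), as an added monitoring example in Python. This is not the
plugin's own code (which is C++ and Perl); the function names, the temporary
DownloadDir, the timestamp format and the sample record are assumptions made
for the example, while the key names and path layout follow the description
above.

```python
"""Read DansGuardian Anti-Virus download status files under a shared lock.

Added example; not part of the DansGuardian Anti-Virus plugin. The record
keys, the status/<group>/<tempfile> layout and the LOCK_SH rule come from
the plugin's INSTALL notes; everything else here is an assumption.
"""
import fcntl
import os
import tempfile

# Keys the plugin writes to every status file (from the INSTALL notes).
STATUS_KEYS = ("started", "last", "url", "file", "fileLength",
               "bytesDownloaded", "user", "userIP")


def status_file_path(download_dir, temp_file, user=None, user_ip=None,
                     group_by="user"):
    """Return the status file path for one download.

    group_by="user" groups by the detected user name ("no-user" if none);
    group_by="ip" groups by the client IP. Which one applies is set in
    virusscanner.conf; the two examples in the notes are reproduced here.
    """
    if group_by == "user":
        group = user or "no-user"
    elif group_by == "ip":
        if not user_ip:
            raise ValueError("grouping by IP requires the client IP")
        group = user_ip
    else:
        raise ValueError("group_by must be 'user' or 'ip'")
    return os.path.join(download_dir, "status", group, temp_file)


def read_status(path):
    """Parse one status file, holding LOCK_SH while reading.

    The plugin holds an flock on the file while updating it, so a monitor
    that reads without LOCK_SH can see a half-written record. Returns None
    if the file is gone, which is what happens when the download finishes,
    is cancelled, or hits any other error.
    """
    try:
        fh = open(path, "r")
    except FileNotFoundError:
        return None
    with fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_SH)
        try:
            raw = fh.read()
        finally:
            fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    status = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        # Split on the first colon only: the url and timestamps contain colons.
        key, value = line.split(":", 1)
        status[key.strip()] = value.strip()
    missing = [k for k in STATUS_KEYS if k not in status]
    if missing:
        raise ValueError("incomplete status record, missing: " + ", ".join(missing))
    status["fileLength"] = int(status["fileLength"])
    status["bytesDownloaded"] = int(status["bytesDownloaded"])
    return status


def progress_percent(status):
    """Percent of the file delivered so far; None when the length is unknown."""
    total = status["fileLength"]
    if total <= 0:
        return None
    return min(100.0, 100.0 * status["bytesDownloaded"] / total)


# Constructed sample record; not captured from a real DansGuardian run.
# Timestamps as epoch seconds are an assumption.
SAMPLE_STATUS = """started: 1058487600
last: 1058487612
url: http://downloads.example.com/big.iso?a=1&b=2
file: fileXYZ123
fileLength: 734003200
bytesDownloaded: 183500800
user: james
userIP: 10.0.0.2
"""


def demo():
    """Write the sample into a throwaway DownloadDir, read it back, delete it."""
    download_dir = tempfile.mkdtemp(prefix="dgvirus-")
    path = status_file_path(download_dir, "fileXYZ123", user="james")
    os.makedirs(os.path.dirname(path))
    with open(path, "w") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)  # writer side holds LOCK_EX
        fh.write(SAMPLE_STATUS)
        fcntl.flock(fh.fileno(), fcntl.LOCK_UN)
    status = read_status(path)
    pct = progress_percent(status)
    os.remove(path)  # the plugin deletes the file when the transfer ends
    return status, pct, read_status(path)


if __name__ == "__main__":
    status, pct, after = demo()
    print("%s: %d of %d bytes (%.1f%%)" % (status["user"],
          status["bytesDownloaded"], status["fileLength"], pct))
    print("after completion:", after)
```

A monitor that polls with read_status() should treat None as "download
finished or aborted" rather than as an error, since the plugin removes the
file in both cases.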