Scanning Email for Virii
Lawrence Sica <[email protected]>
Introduction
With the recent rise in virus activity on the internet
and the increase in clients sending viruses to my
workplace, it was decided that a server-side solution
for finding virii was needed in addition to the
desktop one.
Since the mail server is running FreeBSD, a UNIX
solution was necessary. There are actually quite a
few UNIX-based virus scanners out there, so I needed
to do some research. The major requirement was the
ability to plug it into sendmail and scan incoming
and outgoing email. There are a few ways to do this,
and all of them involve two pieces of software: the
virus scanning software, and the software that hooks
it into sendmail. Most of these packages will tie
into other mail server software as well.
The Virus Scanners
There are a few virus scanning packages out there.
They are:
Hooking Programs
There are two main programs that can hook your virus
scanner into the MTA. They are:
Deciding What to Use
In my situation, a combination of Amavis and uvscan
seemed to be the best solution. My reasons were that
Amavis, being written in perl, would be easy for me to
debug and modify as needed. Its documentation is
also more complete. As for uvscan, well, it has a very
good reputation and a decent price, not to mention the
fact that McAfee products have always worked well for
me.
Inflex, on the other hand, is written as a shell script,
and its documentation is not as complete. Since my
perl is better than my sh scripting, Amavis was the
better option. Amavis' ability to easily plug into
anything, together with its documentation, also made
me lean towards it.
My installation was with sendmail, but configuring it
for other MTAs appears to be very simple.
Installation
Prepare for the install:
First, backup your existing sendmail.cf:
# cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.bak
Install Amavis:
Make sure you have an up-to-date ports tree. Amavis has
quite a few dependencies, mostly archive extractors,
some perl modules and a virus scanner.
# cd /usr/ports/security/amavis-perl
# make install distclean
The Amavis port installs uvscan by default. For
uvscan you will need to buy a license (check
NAI's web site for the current pricing) if you
intend to use it for more than 30 days. The license
includes a 2-year subscription for dat file updates.
Amavis creates 2 new spools:
It also creates a mail alias named virusalert that
points to root. It uses this to inform you when a
virus is found.
The sendmail.cf File
The port installs a new sendmail.cf file
based on your old one. It also creates a backup copy
called sendmail.cf.pre-amavis so you can
roll back if necessary.
If you want to change the virus scanner or MTA, you
will need to edit the amavis perl script. The Amavis web site has
a section dedicated to doing this.
Another thing you can do is alter the virus scanner
options. Read the docs on the virus scanner you decided
to use. Amavis itself has comments for each virus
scanner as well.
Updating your DAT Files
There are two ways to install dat files for
uvscan:
Install the uvscan-dat port:
# cd /usr/ports/security/uvscan-dat
# make install distclean
Use the update utility. Do the following as
root:
# /usr/local/sbin/update_dat
I decided to use update_dat, so I set up
a weekly crontab for it. Do the following as
root:
# crontab -e
Then add this entry:
0 0 * * 0 /usr/local/sbin/update_dat
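A weekly cron job that quietly fails leaves uvscan running on stale dat files, so the installed entry is worth keeping idempotent and its result worth recording. The script below is an added example, not part of the article or the Amavis port: it adds the article's crontab line only if it is not already present, and wraps update_dat so that each run appends an OK/FAILED line to a log (the log path is an assumption).

```shell
#!/bin/sh
# Added example (not from the original article): install the weekly
# update_dat entry exactly once and log whether each run succeeded.
# UPDATE_DAT and CRON_LINE come from the article; LOG is an assumed path.
UPDATE_DAT=${UPDATE_DAT:-/usr/local/sbin/update_dat}
CRON_LINE="0 0 * * 0 /usr/local/sbin/update_dat"
LOG=${LOG:-/var/log/update_dat.log}

# add_cron_line "<crontab text>" -> prints the crontab with CRON_LINE
# present exactly once (-F: fixed string, -x: whole line, -q: quiet).
add_cron_line() {
    current="$1"
    if printf '%s\n' "$current" | grep -Fqx "$CRON_LINE"; then
        printf '%s\n' "$current"
    else
        printf '%s\n%s\n' "$current" "$CRON_LINE"
    fi
}

# count_cron_line "<crontab text>" -> number of lines equal to CRON_LINE
count_cron_line() {
    printf '%s\n' "$1" | grep -Fcx "$CRON_LINE"
}

# run_logged CMD [ARGS...] -> runs CMD with its output appended to LOG,
# then appends a timestamped OK/FAILED line; returns CMD's exit status,
# so a non-zero result still reaches root through cron's own mail.
run_logged() {
    "$@" >>"$LOG" 2>&1
    rc=$?
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$rc" -eq 0 ]; then
        printf '%s update_dat OK\n' "$stamp" >>"$LOG"
    else
        printf '%s update_dat FAILED rc=%s\n' "$stamp" "$rc" >>"$LOG"
    fi
    return "$rc"
}

# Typical use as root: install the entry once, then run the update now.
#   crontab -l | { read -r c; add_cron_line "$(cat; echo "$c")"; } | crontab -
#   run_logged "$UPDATE_DAT"
```

The last two comment lines show the intended invocation; the functions themselves never touch the live crontab, so they can be exercised safely before being wired in.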
Amavis in Action
In the 30 days that Amavis has been in place at my
workplace, it has caught 12 viruses in total.
Overall, a good track record that has made the
investment in time and money worth it.
- Larry
Issue 1, May 2001