AMaViS - A Mail Virus Scanner
version 0.2.0-pre6, 20. Jul 1999
This document describes version 0.2.0-pre6 of AMaViS - A Mail Virus Scanner for Linux and other UN*X based platforms (also tested to run on Solaris, *BSD, AIX and HP-UX).
1. Introduction
Most people will say: "A virus scanner? For UN*X? Why? Viruses do not work in a UNIX environment." At first glance they are right (even if there are at least two viruses which run under Linux - well, actually they are Trojan Horses).
On second thought, though, imagine a heterogeneous network environment with both UN*X and DOS / Windows / Macintosh workstations. Now think of a UN*X server that serves Windows and/or Macintosh workstations via a POP3 service.
Would it not be nice to ensure that attachments coming via email are scanned for viruses before they reach a system they are able to infect?
Well - that is what this package is for. It resides on the server that handles your incoming mail. When a mail arrives, instead of being delivered directly via procmail, it is passed through a script that extracts all attachments from the mail, unpacks them (if needed) and scans them using a professional virus scanner program.
Please note:
This document mainly describes the function and implementation in a Linux environment, but it should be portable to any UN*X available within the limitations outlined in this document (currently only Linux has been tested by the author). Successful installation has also been reported on SUN Solaris, *BSD, AIX and HP-UX (some with minor modifications to the package). Links to software packages point mainly to source code which should compile under different UN*X systems.
2. System Requirements
2.1 Virus Scanners
2.1.1 McAfee
Version 3.x Engine
McAfee's AntiVirus for AIX, HP-UX, Linux, NCR and Solaris is available at: ftp://ftp.mcafee.com/pub/antivirus/unix/
Current DAT files have to be version 3.x and are the same as for DOS/Windows. You may also use the hourly updated DAT files.
Version 4.x Engine
A new Network Associates scanning engine has been created, backed by the combined efforts of the McAfee Labs and Dr Solomon anti-virus research teams, to deliver outstanding virus detection and cleaning rates.
There is a beta version (4.03 Beta) for AIX, HP, Linux, SCO and Solaris. Direct download from Network Associates is available here.
Current DAT files have to be version 4.x and are the same as for DOS/Windows. You may also use the hourly updated DAT files.
Note: This evaluation version is to be used free of charge for a limited time of 30 days. Then it has to be registered.
2.1.2. DrSolomon
DrSolomon Anti-Virus Toolkit for SCO-UNIX (running with the iBCS kernel module)
Note: I have no information about the price yet. There is no evaluation version. DrSolomon has become part of Network Associates (NAI).
2.1.3 AntiVir/X
AntiVir/X (German + English)
AntiVir/X may be used free of charge in a non-commercial environment. Please send a short e-mail with your name and address and point out that you want to use AntiVir/X exclusively on your personal system. You will then receive a license for it. Support is available via linux_support@antivir.de
To use AntiVir/X in a commercial environment you have to obtain one of the following:
- Base Package: DM: 481.- (EUR: 245.93)
- Package with every two months update for one year: DM: 960.- (EUR: 490.84)
- Package with monthly updates for one year: DM: 1,561.- (EUR: 798.13)
- Package with monthly updates and FTP access: DM: 1,841.- (EUR: 941.29)
2.1.4 Sophos Anti-Virus
Sophos Anti-Virus for Unix is virus detection and disinfection software which can be installed on Unix file servers and workstations. Binaries for various Unices are available here.
2.1.5. Kaspersky Lab AntiViral Toolkit Pro (AVP)
Kaspersky Lab AntiViral Toolkit Pro (AVP) for Linux is available here.
2.2.1 sendmail
Currently your SMTP server has to be sendmail. Support for other servers (e.g. smail) will be added in future versions.
sendmail is available at: http://www.sendmail.org/
2.2.2 Qmail
Support for Qmail has been integrated thanks to contributions from several people. It still remains untested!
2.3 MetaMail
The most recent version of metamail is available at: ftp://ftp.funet.fi/pub/Linux/kernel/net-source/mail/tools/
2.4 Decompressors
2.4.1 uudecode
Note: the GNU uuencode/uudecode 1.0 distribution has been merged into the GNU shar utilities 4.2 distribution. Look for sharutils-*.*.tar.gz,
available at: ftp://ftp.gnu.org/gnu/sharutils/
2.4.2 compress
From the compress (4.1) manpage:
Compress reduces the size of the named files using adaptive Lempel-Ziv coding. Whenever possible, each file is replaced by one with the extension .Z, while keeping the same ownership modes, access and modification times.
Note: (un)compress is not needed as gunzip is also able to uncompress .Z files.
Source code for compress is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/compress.tar.Z
2.4.3 gunzip
From the gzip-1.2.4L.lsm file:
gzip (GNU zip) is a compression utility designed to be a replacement for compress. Its main advantages over compress are much better compression and freedom from patented algorithms.
Source code for gunzip is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/gzip-1.2.4L.tar.gz (also available as special Pentium optimized binary version)
2.4.4 unzip
From the unzip-5.31.lsm file:
UnZip 5.31 is a free unarchiver compatible with PKZIP archives (zipfiles) but not a clone of PKUNZIP. This version improves performance somewhat and adds a new "timestamp" function for very fast dating of multiple archives, but most of its new features have to do with better cross-platform support and/or new ports. Multi-part archive support is *not* yet supported (sorry!). Work on that is already underway, however.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
A tool named "zipsecure" comes with AMaViS. This program reads a zip file from stdin, removes any path components from the contained files and changes each file name to a new one. The new name starts with a "z" followed by the process ID and a sequence number. If the original name had an extension, it is appended to the new name.
The provided tool "securetar" does the same for tar files.
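The renaming scheme described above, re-implemented in Python as an added illustration (this is not the zipsecure program shipped with AMaViS): every member loses its directory components, so a name such as "../../tmp/x" can no longer escape the scan directory, and the new name is "z" + PID + sequence number + original extension. The sample archive is constructed inline.

```python
import io
import os
import zipfile


def secure_zip(data: bytes, pid: int) -> bytes:
    """Return a copy of the zip archive with every member renamed to
    "z<pid><seq><ext>" and stripped of all path components."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        seq = 0
        for info in src.infolist():
            if info.is_dir():
                continue  # directory entries carry no content to scan
            # basename() drops "../", absolute prefixes and nested directories;
            # backslashes are normalised first so DOS-style paths are handled too.
            base = os.path.basename(info.filename.replace("\\", "/"))
            ext = os.path.splitext(base)[1]  # "" when the name has no extension
            seq += 1
            dst.writestr("z%d%d%s" % (pid, seq, ext), src.read(info))
    return out.getvalue()


def sample_zip() -> bytes:
    """Constructed test archive: a directory entry, a nested file,
    a path-traversal member name and a name without extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docs/", "")
        z.writestr("docs/readme.txt", "hello")
        z.writestr("../../tmp/escape.exe", "not really a program")
        z.writestr("noext", "x")
    return buf.getvalue()


def member_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_member(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    cleaned = secure_zip(sample_zip(), os.getpid())
    print(member_names(cleaned))  # e.g. ['z12341.txt', 'z12342.exe', 'z12343']
```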
2.4.5 unarj
From the unarj241a.lsm file:
Standard unarj un-archiver, provided with the capability of creating directory hierarchies.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.6 unrar
From the unrar-2.04.1.lsm file:
The unRAR utility is a freeware program, distributed with source code and developed for extracting, testing and viewing the contents of archives created with the RAR archiver version 1.50 and above.
Source code is available at: ftp://sunsite.unc.edu/pub/Linux/utils/compress/
2.4.7 xbin
xbin is available at: ftp://sunsite.unc.edu/pub/packages/TeX/tools/xbin/xbinunix.c
2.4.8 LHArc
needs documentation
2.4.9 bunzip2
Have a look at the bunzip2 homepage at: http://www.muraroa.demon.co.uk/
2.4.10 zoo
needs documentation
2.4.11 arc
needs documentation
2.4.12 freeze
freeze is available at: http://metalab.unc.edu/pub/Linux/utils/compress/
3. Installation Instructions
3.1 Installing the Software
Note: Installation and operation are only fully tested in a Linux environment with sendmail as SMTP server. (See also the Future Outlook section of this document.)
- Get the package,
- untar contents into a temporary directory,
- read the instructions
- be sure all required programs have been installed
- run ./configure
- run make
- run make install
- modify your /etc/sendmail.cf (This will be done automagically in 0.2.0 final release)
- send a SIGHUP to your SMTP server ("killall -HUP sendmail")
- test your installation
3.2 Modifying /etc/sendmail.cf manually
In your sendmail configuration file (usually /etc/sendmail.cf) the local mail delivery agent needs to be changed (typically this is one of procmail, deliver or mail).
Find the line that begins with Mlocal and change the program called after the "P=" directive. The program name after the "A=" directive has to be changed as well:
For example:
Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=procmail -Y -a $h -d $u
changes to:
#Mlocal, P=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
# T=DNS/RFC822/X-Unix,
# A=procmail -Y -a $h -d $u
Mlocal, P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
T=DNS/RFC822/X-Unix,
A=scanmails -Y -a $h -d $u
Please have a look at the FAQ if this leads to a malfunction.
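The edit shown above, automated as an added Python example (not part of the AMaViS package): the existing Mlocal mailer and its continuation lines are commented out and a copy is appended whose P= path and A= program name point at scanmails, while all other mailers and flags stay untouched. The sendmail.cf excerpt is constructed for the example; the wrapper path /usr/sbin/scanmails is the one the page shows.

```python
import os
import re

# Constructed sendmail.cf excerpt in the shape the page shows (tabs separate
# the mailer name from its fields; continuation lines start with whitespace).
SAMPLE_CF = (
    "Mprog,\t\tP=/bin/sh, F=lsDFMoqeu9, S=10/30, R=20/40, D=$z:/,\n"
    "\t\tT=X-Unix,\n"
    "\t\tA=sh -c $u\n"
    "Mlocal,\t\tP=/usr/bin/procmail, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,\n"
    "\t\tT=DNS/RFC822/X-Unix,\n"
    "\t\tA=procmail -Y -a $h -d $u\n"
)


def rewrite_mlocal(cf_text: str, wrapper: str = "/usr/sbin/scanmails") -> str:
    """Comment out the Mlocal mailer definition and append a copy that calls
    the wrapper. Only P= (program path) and the program name after A= change;
    the remaining flags (F=, S=, R=, T=) and the argument vector are kept."""
    out, block = [], []

    def flush():
        out.extend("#" + b for b in block)  # keep the original for reference
        for b in block:
            b = re.sub(r"\bP=\S+,", lambda m: "P=%s," % wrapper, b)
            b = re.sub(r"\bA=\S+", lambda m: "A=%s" % os.path.basename(wrapper), b)
            out.append(b)
        block.clear()

    for line in cf_text.splitlines():
        # A mailer definition continues on every following line that starts
        # with whitespace, so collect Mlocal plus its continuation lines.
        if line.startswith("Mlocal,") or (block and line[:1].isspace()):
            block.append(line)
            continue
        if block:
            flush()
        out.append(line)
    if block:
        flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(rewrite_mlocal(SAMPLE_CF))
```

Run it against a copy of your sendmail.cf and diff the result before installing it; sendmail needs a SIGHUP afterwards, as the installation steps say.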
3.3 Test Installation
So, how do you test whether your installation has been successful? Don't ask me to send you a live virus ;-). Instead, create a file called eicar.com with the following contents:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
(The file should end up being 69 bytes long).
This is recognized by both McAfee and Dr. Solomon as a test pattern. It is NOT a virus, just a test pattern that triggers the alert. Use this file in your mail. Try sending it as binhex, tar'ed, gzip'ed, uuencoded, etc.
4. Download
Current Version 0.2.0-pre6 is available at http://aachalon.de/AMaViS/amavis-0.2.0-pre6.tar.gz (97K)
5. Future Outlook
Features to be added to next Version:
- simple installation and configuration via script for more systems
- scanning of outgoing and relayed email
- built-in support of other mail transport agents (e.g. smail, qmail, exim...)
- apply "sendmail hack" directly in M4 configuration file
- ...
6. Bugs
- Perhaps there are still bugs and shortcomings with GNU AutoConf and GNU Automake
- Documentation should be more accurate
Send bug reports to: amavis@aachalon.de Please include information about the system you are using (e.g. Linux, Solaris, ...), the OS or distribution release (e.g. RedHat 5.2, SuSE 6.0, SUN Solaris 2.6, ...) and anything that might be useful to trace a bug or shortcoming (like excerpts from your logfile, which usually is /var/log/scanmails/logfile)...
7. Disclaimer
The software is provided as is. Please bear in mind that we have done this in our spare time. While it is as accurate as we could make it there is a reasonable chance that there are mistakes somewhere in here. If you email us and tell us about them we will be happy to fix them but we can't take responsibility for your system. Basically use this at your own risk.
7. Copyright
AMaViS - A Mail Virus Scanner
(c) 1997..99 Mogens Kjaer, Carlsberg Laboratory, mk@crc.dk,
Jürgen Quade, Softing GmbH, quade@softing.com,
Christian Bricart, shiva@aachalon.de
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 1, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
Product names and various content (including but not limited to audio, video, and graphics) are trademarks of their respective owner.
8. Credits
Mogens Kjaer:
- minor modifications
- press work
Jürgen Quade:
- minor modifications and enhancements
- official Website
- official support e-mail address
- package maintenance
Christian Bricart:
9. AMaViS in the Press
10. History and Changes
For a full description of changes have a look at the ChangeLog.
- Version 0.2.0-pre6 (20. Jul 1999)
- root exploit fix recoded to work with shells other than Bash 2
- fix misplaced "fi" in if-clause
- Version 0.2.0-pre5 (19. Jul 1999)
- fixed possible exploit that allowed malicious users to insert arbitrary commands
- updated zipsecure to work with self-extracting ZIP's
- optional line in mail header after scanning
- AVP support
- Version 0.2.0-pre4 (31. Mar 1999)
- fixed empty helper application bug ("if [ -x ${prog} ]" is always true when $prog is empty)
- mail gets dumped if there is no program for delivery
- Version 0.2.0-pre3 (29. Mar 1999)
- added Sophos Anti-Virus scanner support
- added new archive handlers
- (hopefully) improved configure
- Version 0.2.0-pre2 (25. Feb 1999)
- fixed some possible loops in handling archives
- added some comments in BUGS
- changed version numbering in tarball, now conform to GNU
- Version 0.2.0pre1 (08. Dec 1998)
- switched to GNU-AutoConfig
- dropped security fix from 0.1.1 in favour of "zipsecure" and "securetar"
- H&BEDV AntiVir/X scanner added
- enhanced logging via syslogd
- many fixes more
- Version 0.1.1 (28. Jan 1998)
- untar and unzip are now done by user "nobody" -> security fix
- ${virusmaildir} (default /root/virus) is now created
- Logfile is now REALLY created in specified log-directory
- Version 0.1.0 (17. Jan 1998)
- first official release
- assigned a package name "AMaViS - A Mail Virus Scanner"
- package maintenance assigned to Christian Bricart with official email address amavis@aachalon.de and official Website at http://aachalon.de/AMaViS/
- minor recoding of scanmails
- installation enhancements
- initial, unsupported base version
- never released officially to the public
- original code done by Mogens Kjaer, Carlsberg Laboratory, mk@crc.dk
- Modified by Jürgen Quade, Softing GmbH, quade@softing.com
latest changes 20. Jul 1999 amavis@aachalon.de