SoftlabsAV Code
Status: Abandoned
Brought to you by: roal
| File | Date | Author | Commit |
|---|---|---|---|
| etc | 2009-05-25 | roal | [r81] 'clamscan.cron' shell script: Cleanup in time f... |
| testcases | 2007-08-20 | roal | [r54] ensure mimencode decodes quoted-printable encod... |
| ReadMe.txt | 2009-05-26 | roal | [r82] SoftlabsAV 0.9.5 release |
| gpl-3.0.txt | 2007-08-19 | roal | [r52] license updated to GPL version 3 |
| history.txt | 2009-05-26 | roal | [r82] SoftlabsAV 0.9.5 release |
SoftlabsAV
Simple and efficient virus protection at the incoming mail server.
http://softlabsav.softlabs.net/
Manual
======
Version 0.9.5
Release date: 2009-05-26
________
Contents
1. About this software
2. How it works
3. Virus types
4. Requirements
5. Installation
1. Place the SoftlabsAV files into its installation directory
2. Modify or add procmail's main run commands file
3. Plug SoftlabsAV into procmail
6. Logging of found viruses
7. The 'clamscan.cron' cronjob shell script
8. License
9. Credits
10. History of version changes (ChangeLog)
11. Feedback
______________________
1. About this software
SoftlabsAV is a generic anti-virus filter for incoming mail servers on
Unix. It is driven by the widely used "procmail" Mail Delivery Agent (MDA)
and plugs into the ClamAV anti-virus scanner (clamscan) to scan for
viruses, phishing mails and possible phishing mails.
SoftlabsAV has been designed with security, efficiency and simplicity in
mind. It is free and open source.
_______________
2. How it works
A set of procmail recipes isolates mails carrying a potentially infectious
attachment into a quarantine directory. Directly attached infectious files
as well as packed ones (UU encoded, or inside a Zip or Rar archive,
including encrypted archives) are recognised. Both the "Base64" and
"Quoted-Printable" Content-Transfer-Encodings are supported. Encoded file
names are also supported.
Suspicious attachments are classified and extracted into directories
representing their virus type. ClamAV's clamscan then scans the extracted
attachment to determine whether it really is a virus. Potentially
malicious mails that do not necessarily carry an attachment (such as HTML
mails) are scanned as well, as a raw mbox file. By default, ClamAV scans
each entire mail as an mbox file if it could not identify a virus within
an attachment or if no potentially malicious content has been found.
Once ClamAV has proven a mail to be infected, the mail is removed, along
with its extracted attachment (if it contained one). This behaviour can be
changed in the configuration file if preferred.
The name of each virus found is logged, along with other useful data.
Results are written into a handy viruses log file, into the mail's header
(as an added 'X-Virus-Filter' header field) and into procmail's log file.
______________
3. Virus types
Seven main virus types are distinguished:
EXE, UUE, ZIP, EZIP, RAR, ERAR and MBOX types.
+ EXE types: Directly attached infectious files (mainly Executables, but may
also include non-executable malicious files such as JPEG images)
+ UUE types: Infectious files packed inside UU encoded attachments
+ ZIP types: Infectious files inside attached Zip archives
+ EZIP types: Infectious files inside encrypted (password protected) Zip
archives
+ RAR types: Infectious files inside attached Rar archives
+ ERAR types: Infectious files inside encrypted (password protected) Rar
archives
+ MBOX types: Mails that have been scanned by ClamAV as entire mbox file.
Include phishings and possible phishings.
A potentially infectious EXE type file is detected by its "bad extension"
(checked case-insensitively). The following bad extensions are set by
default: bat, chm, cmd, com, cpl, exe, hta, pif, scr, vbe, vbs and jpg
(including jpeg). If necessary, the list of bad extensions can easily be
extended in the configuration file. An attachment whose extension is not
in the list is not extracted as an EXE type; it is then covered only by
the scan of the entire mail as an MBOX type (see chapter 2 above).
The main virus types are divided into sub-types, each representing either
one of those bad extensions or being a special case:
If an extracted ZIP or RAR archive cannot be opened by its unpacker program,
it is considered broken and represents the virus type "ZIP.Broken" or
"RAR.Broken", respectively. Similarly, if an extracted potential UU encoded
attachment turns out not to be valid UU encoded data, it represents the
virus type "UUE.Broken".
MBOX types include HTML mails (representing the "MBOX.Html" virus type)
and - unless turned off in the configuration file - Non-HTML mails
(representing the "MBOX.SCAN_ALL" virus type).
Thus, there are possible virus types of
EXE.bat, EXE.chm, ..., EXE.exe, ..., EXE.jpg, UUE.bat, ..., UUE.Broken,
ZIP.bat, ..., ZIP.Broken, ..., MBOX.Html, MBOX.SCAN_ALL and so on.
By default, each quarantined mailbox folder is a separate file in mbox
format. The file's name follows the scheme 'ID_TYPE.EXT.virus'. ID is
the mail's ID (for details see chapter 6 below), TYPE is one of the 7 main
virus types mentioned above and EXT is the extension corresponding to the
sub-type mentioned above. An example of a possible file name is
"20070901-183928.525212_EXE.bat.virus".
If the quarantined mailbox folders have been configured to be in maildir
format, they are directories following the scheme '.ID_TYPE_EXT_virus',
where the dot within the ID has been replaced by an underscore.
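As an added example (not SoftlabsAV's own code, which lives in the 'av_*.inc'
files), the following POSIX shell functions reproduce the classification and
naming rules described in this chapter: the case-insensitive bad-extension
check with the documented default list (av_BAD_EXT here stands in for the
setting in antivirus.conf), and the quarantine folder name in both mbox and
maildir form. The function names are this example's own.

```sh
#!/bin/sh
# Added example, not SoftlabsAV code. av_BAD_EXT mirrors the default list
# documented in chapter 3; the real list is configured in antivirus.conf.
av_BAD_EXT='bat chm cmd com cpl exe hta pif scr vbe vbs jpg'

# av_ext FILENAME -> prints the lower-cased extension, folding "jpeg" to
# "jpg" as the manual describes; exit 1 if the name has no extension.
av_ext() {
    case "$1" in
        *.*) ;;
        *)   return 1 ;;
    esac
    ext=$(printf '%s\n' "${1##*.}" | tr 'A-Z' 'a-z')
    [ "$ext" = jpeg ] && ext=jpg
    printf '%s\n' "$ext"
}

# av_is_bad_ext FILENAME -> exit 0 if the (normalised) extension is listed
av_is_bad_ext() {
    ext=$(av_ext "$1") || return 1
    for bad in $av_BAD_EXT; do
        [ "$ext" = "$bad" ] && return 0
    done
    return 1
}

# av_quarantine_name ID TYPE EXT mbox|maildir
#   mbox:    ID_TYPE.EXT.virus      e.g. 20070901-183928.525212_EXE.bat.virus
#   maildir: .ID_TYPE_EXT_virus     with the dot inside ID turned into "_"
av_quarantine_name() {
    id=$1 type=$2 ext=$3 fmt=$4
    case "$fmt" in
        mbox)    printf '%s_%s.%s.virus\n' "$id" "$type" "$ext" ;;
        maildir) printf '.%s_%s_%s_virus\n' "$(printf '%s' "$id" | tr . _)" "$type" "$ext" ;;
        *)       return 2 ;;
    esac
}

# Usage: classify an attachment name and build its quarantine folder name
for f in 'Photo.JPEG' 'Invoice.PDF' 'setup.ExE' 'my screensaver.ScR'; do
    if av_is_bad_ext "$f"; then
        printf '%s -> EXE.%s -> %s\n' "$f" "$(av_ext "$f")" \
            "$(av_quarantine_name 20070901-183928.525212 EXE "$(av_ext "$f")" mbox)"
    else
        printf '%s -> not an EXE type\n' "$f"
    fi
done
```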
_______________
4. Requirements
SoftlabsAV will run on all Unix like operating systems, such as GNU/Linux,
Mac OS X, FreeBSD and Solaris. Examples in this manual are given mainly
for Red Hat (RH) / Fedora based Linux systems, such as RH Enterprise
Linux 5 (RHEL5) or CentOS 5, referred to here as "Red Hat Linux based"
platforms.
The following programs must be available:
+ procmail and formail
The 'procmail' version must be at least 3.20, however, the latest
version (3.22) is recommended. It has been released back in 2001,
so there should really be no reason to still use an even older
version. The version number will be returned by executing
procmail LOG='"$PROCMAIL_VERSION"' /dev/null < /dev/null; echo
and should be "3.22" in the best case. If you try to run SoftlabsAV
with a procmail version older than 3.20, it fails open: it does nothing
except deliver all mails unfiltered and quit. The reason for quitting is
written into the log file.
'formail' is part of the "procmail" package, so it should be available
as well. Executing
formail -v 2>&1 | sed q
should return "formail v3.22 2001/09/10"
if you have the latest procmail package installed.
+ ClamAV
The 'clamscan' component of ClamAV (Clam AntiVirus) in version 0.95 or higher
is required. On RHEL5 with the "rpmforge-release" package installed (see the
UnRar section below for the repository), you can install the "clamav" package
using
yum --enablerepo rpmforge install clamav
Executing
clamscan --stdout -V | sed -e 's/.*\/ //' -e 's/\/.*//'
should return something like "ClamAV 0.95.1" (when using the latest version,
as of release time of SoftlabsAV 0.9.5).
For other Unix systems, visit ClamAV's website at
http://www.clamav.net/
The 'freshclam' component should be configured to check for new virus
signature databases hourly (24 checks per day).
NOTE: SoftlabsAV fails open here. If there is no supported 'clamscan'
version available on your system, all mails will be delivered, including
possibly infected ones! The warning "[ClamAV ERROR!]" will be prepended to
each mail's subject and a message will be added to the "X-Virus-Filter"
header. In addition, error messages will be written into both the procmail
log file and SoftlabsAV's own viruses log file. Monitor those logs and the
subject tag after every ClamAV upgrade.
If you cannot yet run ClamAV 0.95 or higher, you could use SoftlabsAV 0.9.3
instead, which supports the ClamAV versions 0.91 up to 0.94.2.
+ mimencode
'mimencode' originally was part of the "metamail" package, which is no
longer available for many current operating systems. However, the
"xemacs" (or "xemacs-common") package, which is actively maintained and
available for many operating systems, contains mimencode as a binary called
'mmencode'. The installation of the "xemacs" package on a current Fedora
system should work using
yum install xemacs
or on RHEL5 with Scott A. Hughes' "sahughes" repo configured using
yum --enablerepo sahughes install xemacs
In recent Red Hat Linux based systems, the 'mmencode' binary is part of the
"xemacs-common" package:
rpm -ql xemacs-common | grep mmencode
Symlink the resulting file to 'mimencode' into a directory available via
PATH:
ln -s /usr/lib/xemacs-21.5-b27/i686-redhat-linux/mmencode /usr/bin/mimencode
As a simple test, executing
echo OK | mimencode | mimencode -u
should return "OK".
+ UnZip
The 'unzip' program is required to support Zip archives. Executing
unzip -Z | sed -e '1!d' -e 's/ o.*//'
should return "ZipInfo 2.42" if you have the latest UnZip version
(5.52 as of release time of SoftlabsAV 0.9.5) installed.
The "unzip" package is usually pre-installed on most Unix systems. More
information may be available on that project's homepage at
http://www.info-zip.org/UnZip.html
NOTE: If 'unzip' does not exist on your system (or its execution fails),
mails with an attached Zip archive will not be fully processed by
SoftlabsAV! In that case, the warning "[Possible VIRUS!]" will be
prepended to the mail's subject and the "X-Virus-Filter" header will include
"WARNING: Executing of 'unzip' failed - Attached ZIP archive may contain a virus!".
The attachment will be considered a "ZIP.Broken" virus type and could still
be detected by ClamAV.
+ UnRar
The 'unrar' program is required to support Rar archives. On RHEL5 with the
"rpmforge-release" package installed (see http://dag.wieers.com/rpm/FAQ.php),
you can install the "unrar" package using
yum --enablerepo rpmforge install unrar
Executing
unrar | sed -e '2!d' -e 's/ f.*//'
should return something like "UNRAR 3.80 beta 2" if you have a current
"unrar" package installed.
A list of some available Unix ports may be available at
http://www.rarlab.com/rar_add.htm
NOTE: If 'unrar' does not exist on your system (or its execution fails),
mails with an attached Rar archive will not be fully processed by
SoftlabsAV! In that case, the warning "[Possible VIRUS!]" will be
prepended to the mail's subject and the "X-Virus-Filter" header will include
"WARNING: Executing of 'unrar' failed - Attached RAR archive may contain a virus!".
The attachment will be considered a "RAR.Broken" virus type and could still
be detected by ClamAV.
+ sed, date, test, file, ls, mkdir, mv, rm, id
These utilities are part of every Unix system. If they are not available
on your system, you probably are on the wrong platform.
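Because SoftlabsAV fails open when clamscan or procmail is missing or too old,
it pays to automate the checks of this chapter and run them at install time
and from cron. The script below is an added example, not part of SoftlabsAV.
It assumes the 'clamscan -V' output format "ClamAV <version>/<signature db>/<date>"
implied by the sed filter above, and the function names (av_version_ge,
av_clamav_version, av_clamav_sigdb, av_clamav_ok, av_preflight) are this
example's own.

```sh
#!/bin/sh
# Added example, not SoftlabsAV code: pre-flight checks for the requirements
# listed in chapter 4.

# av_version_ge A B -> exit 0 if dotted version A is >= B.
# Missing components count as 0; trailing non-digits ("22beta") are ignored.
av_version_ge() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        a=${a#*.}
        y=${b%%.*}
        b=${b#*.}
        x=${x%%[!0-9]*}
        y=${y%%[!0-9]*}
        x=${x:-0}
        y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# av_clamav_version "ClamAV 0.95.1/9350/Mon May 25 14:24:40 2009" -> 0.95.1
# (assumed 'clamscan -V' output format, see the lead-in)
av_clamav_version() {
    v=${1#ClamAV }
    printf '%s\n' "${v%%/*}"
}

# av_clamav_sigdb LINE -> the daily signature database version (9350 above)
av_clamav_sigdb() {
    v=${1#*/}
    printf '%s\n' "${v%%/*}"
}

# av_clamav_ok LINE -> exit 0 if the reported ClamAV version is 0.95 or higher;
# anything that does not start with "ClamAV " (e.g. a shell error) fails.
av_clamav_ok() {
    case "$1" in
        ClamAV\ *) av_version_ge "$(av_clamav_version "$1")" 0.95 ;;
        *)         return 1 ;;
    esac
}

# av_preflight TOOL... -> exit 0 if every tool is found in PATH; otherwise
# list the missing ones on stderr and exit 1.
av_preflight() {
    missing=
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    printf 'av_preflight: missing in PATH:%s\n' "$missing" >&2
    return 1
}

# Live checks against the installed system (meaningful only on the target
# host). The version commands are the ones given in chapter 4.
if av_preflight procmail formail clamscan mimencode unzip unrar sed date file; then
    pv=$(procmail LOG='"$PROCMAIL_VERSION"' /dev/null </dev/null 2>&1)
    av_version_ge "$pv" 3.20 ||
        echo "procmail $pv is older than 3.20: SoftlabsAV would quit and deliver unfiltered" >&2
    cv=$(clamscan --stdout -V 2>&1)
    av_clamav_ok "$cv" ||
        echo "clamscan reports '$cv', need 0.95 or higher: mail would be delivered unscanned" >&2
fi
```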
_______________
5. Installation
Although installing SoftlabsAV is very easy, it is intended to be done only by
experienced Unix SysAdmins, because the person who does the installation must
log in as root.
First ensure that all requirements are satisfied (see chapter 4 above). The
installation is basically a three-step procedure:
5.1 Place the SoftlabsAV files into its installation directory
--------------------------------------------------------------
First, unpack the distributed BZip2 compressed Tar archive by executing
tar -xjf SoftlabsAV-<VERSION>.tar.bz2
directly on the target Unix system. '<VERSION>' has to be replaced by the
package's real version number.
It is recommended to use the same file and directory structure as given
here.
SoftlabsAV's installation directory resides within the '/etc/procmailrcs'
directory. So check if that directory exists on your target system and
create it if it doesn't. Then copy the entire 'SoftlabsAV' directory found
in this package into the server machine's '/etc/procmailrcs' directory,
recursively. The files' permissions should be fine as they are within the
distributed archive: 0644 for files and 0755 for directories.
Finally, you should have the following file structure on the server machine:
+ etc (the server's '/etc' directory)
|
+ procmailrcs
|
+ SoftlabsAV SoftlabsAV installation directory
|
+ inc SoftlabsAV include files' ('av_*.inc') directory
| |
| | av__ver.inc
| |
| | av_b64.inc
| |
| | av_bq.inc
| |
| | av_bq-multi.inc
| |
| | av_broken.inc
| |
| | av_cat.inc
| |
| | av_clamcheck.inc
| |
| | av_clamscan.inc
| |
| | av_const.inc
| |
| | av_decode.inc
| |
| | av_exe.inc
| |
| | av_ext.inc
| |
| | av_formail.inc
| |
| | av_html.inc
| |
| | av_lc.inc
| |
| | av_log.inc
| |
| | av_length.inc
| |
| | av_match.inc
| |
| | av_mbox.inc
| |
| | av_mid.inc
| |
| | av_mkdir.inc
| |
| | av_print.inc
| |
| | av_qpr.inc
| |
| | av_rar.inc
| |
| | av_rm.inc
| |
| | av_snr.inc
| |
| | av_split.inc
| |
| | av_uue.inc
| |
| | av_v320.inc
| |
| | av_zip.inc
|
| antivirus.conf SoftlabsAV configuration file
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| antivirus.rc SoftlabsAV main Run Commands file
None of these files except the configuration file should be modified!!!
If you want to transfer some of these files directly (unpacked) from or to
another computer, only do so using FTP's binary mode, to ensure keeping
their Unix-style line endings.
Take a look inside the configuration file, to see if you want to modify
some settings.
5.2 Modify or add procmail's main run commands file
---------------------------------------------------
The SoftlabsAV main Run Commands file
('/etc/procmailrcs/SoftlabsAV/antivirus.rc')
is intended to be called by the main (global) procmail Run Commands file,
'/etc/procmailrc'. This package also ships this file. If there does not yet
reside one on your server machine, use the shipped one; otherwise, be sure
to copy the marked essential parts of the shipped etc/procmailrc file into
your own one!
The shipped procmailrc file is divided into three sections:
1. Built-in Environment variables
2. Definitions of used constants. Do not change!
3. SoftlabsAV specific section
The interface between procmailrc and Softlabs AntiVirus is the last setting
in section 3 of the procmailrc file:
INCLUDERC = '/etc/procmailrcs/SoftlabsAV/antivirus.rc'
which is commented out per default. Leave it commented out until you have
tested the antivirus filter for a while to work fine for you, as explained
below.
5.3 Plug SoftlabsAV into procmail
---------------------------------
After you have finished the two installation steps above, test if it has
been successful. For this purpose, first plug SoftlabsAV into procmail
*only for you as user* and check procmail's verbose log for a while.
To do so, be sure that a user specific procmail run commands file
exists in the home directory for you as a normal user (*not* as root).
That file's location must be '~/.procmailrc'. Add the following entries
to it:
VERBOSE = 'on'
INCLUDERC = '/etc/procmailrcs/SoftlabsAV/antivirus.rc'
After some EXE and ZIP viruses have been sent to your account, check your
procmail log file and the viruses log file (see below) for any errors. If
you find one, try to fix it, of course. You may come across an error due to
insufficient file permissions, for example. Also, you should (almost) never
see a log entry like
Executing "test -r /var/spool/mail/adam_TRASH/viruses/EXE/file.exe"
that contains spaces within the quoted string after 'Executing '. Spaces
there mean that procmail handed the command line to $SHELL, which it does
whenever the command contains a character listed in SHELLMETAS; that is
exactly what SoftlabsAV avoids, because an attachment's file name would
then reach the shell as part of a command line. A command that procmail
executes directly is logged with its arguments separated by commas instead,
like this:
Executing "/usr/bin/test,-r,/var/spool/mail/adam_TRASH/viruses/EXE/file.exe"
SoftlabsAV has been developed with much care to avoid any possible
overhead *and* to be robust and secure.
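Checking a verbose procmail log for such entries by hand gets tedious. The
following is an added example (not part of SoftlabsAV) that flags "Executing"
lines which went through a shell. It relies on procmail's documented
behaviour that a command containing a SHELLMETAS character is passed to $SHELL
and that a directly executed command is logged with comma-separated
arguments; it only inspects the part before the first comma, so a direct exec
whose argument happens to contain a blank (a file name with a space) is not
flagged. The sample log lines are constructed for this example, and the
function names are its own.

```sh
#!/bin/sh
# Added example, not SoftlabsAV code: find "Executing" lines in a procmail
# VERBOSE log that were run through $SHELL instead of being exec'd directly.

# av_shell_execs < procmail.log
# Prints every shell-invoked "Executing" line. Exit status 0 if none were
# found, 1 otherwise, so it can gate a test run.
av_shell_execs() {
    awk '
        /Executing "/ {
            cmd = $0
            sub(/^.*Executing "/, "", cmd)
            sub(/"$/, "", cmd)
            # Look only at the first comma-separated element: a direct exec
            # is logged as argv joined by commas, so argv[1] is the program
            # path and never contains a space; a shell command line does.
            split(cmd, argv, ",")
            if (argv[1] ~ / /) { found = 1; print }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample of a procmail VERBOSE log (not real output): one direct
# exec, one shell invocation, one direct exec with a blank in an argument,
# one direct formail call and an unrelated verbose line.
av_sample_log() {
    cat <<'EOF'
procmail: Executing "/usr/bin/test,-r,/var/spool/mail/adam_TRASH/viruses/EXE/file.exe"
procmail: Executing "test -r /var/spool/mail/adam_TRASH/viruses/EXE/file.exe"
procmail: Executing "/usr/bin/test,-r,/var/spool/mail/adam_TRASH/viruses/EXE/my file.exe"
procmail: Executing "/usr/bin/formail,-c,-I,X-Virus-Filter: sample"
procmail: Assigning "av_ID=20070901-183928.525212"
EOF
}

# Run against the sample; with a real log: av_shell_execs < /var/log/procmail.log
av_sample_log | av_shell_execs ||
    echo 'WARNING: shell-invoked command(s) found in procmail log' >&2
```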
You should also have observed that a "viruses" directory has been created
under the av_TRASHDIR, containing at least one sub directory.
Finally, after everything went fine for a while (it is recommended to test
it for at least one day), go ahead and enable Softlabs AntiVirus for all users
(except for those defined in av_DISABLE_USERS of the configuration file).
To do so, uncomment the INCLUDERC line of the main procmailrc file, as mentioned
in chapter 5.2 above.
___________________________
6. Logging of found viruses
When a mail has been considered to contain a VIRUS, PHISHING or
Possible PHISHING, or when the clamscan virus scanner exited with
an error, information about the scanned file will be logged
into a viruses log file. Its location can be specified by the
'av_VIRUSES_LOGFILE' configuration setting - the default file name is
"viruses.log". This log file is designed to be both clearly human
readable and easily machine readable. Each line consists of 8 TAB
separated fields (columns). These fields are:
(1) The mail's ID. This is a unique identifier created by SoftlabsAV that
increases with each processed mail. It always begins with the mail's
processing date and time, accurate to the second, in the format
"YYYYMMDD-hhmmss", followed by a dot and either a 6-digit microsecond
value (if supported by the OS) or the 5-digit process ID.
(2) The user the mail should have been sent to. Depending on the
av_LOG_USER configuration setting, this can either be the user's name
or its numerical user ID, or left empty.
(3) Virus type (one of those classified in chapter 3 above).
For easier reading by humans, this field is aligned to always place
the dot at the same position.
(4) Result of the clamscan virus scanner, including the virus name (if one
was found). In addition, the version of ClamAV and its daily virus
database is given.
Examples:
VIRUS FOUND: PUA.Scanner.Angryscan (ClamAV 0.95.1/9350)
PHISHING FOUND: Phishing.Heuristics.Email.SpoofedDomain (both scan methods) (ClamAV 0.95.1/9350)
Possible PHISHING FOUND: Phishing.Heuristics.Email.SpoofedDomain (ClamAV 0.95.1/9350)
(5) The file size of the attachment or the MBOX file, respectively (in bytes).
This field is right aligned and thus may be prefixed by 1 to 3
space characters.
(6) The original attachment's file name, enclosed within double quotes
(since the file name may contain several spaces). In case of a
MBOX type, "(no attachment)" will be printed.
(7) The file type description of the attachment or the MBOX file,
respectively (may contain several words).
(8) The MIME type of the mail's part containing the potentially infected
attachment. In case of a MBOX type, the entire mail's MIME type
will be printed.
Here are some examples of lines found in a viruses log file
(resorted by detected virus type; the TAB separators may appear as
single spaces in this rendering):
EXE virus types:
---------------
20080417-165704.039273 504 EXE.exe VIRUS FOUND: Trojan.Downloader-31055 (ClamAV 0.91.2/6813) 11776 "photo.exe" MS Windows PE 32-bit Intel 80386 GUI executable not relocatable application/octet-stream
UUE virus types:
---------------
20060224-105944.794936 500 UUE.scr VIRUS FOUND: Worm.VB-9 (ClamAV 0.88/1301) 134053 "Video_part.mim" uuencoded or xxencoded text application/x-msdownload
ZIP virus types:
---------------
20080510-142216.763827 502 ZIP.scr VIRUS FOUND: Trojan.Dropper-6823 (ClamAV 0.91.2/7083) 38162 "ssaver.zip" Zip archive data application/zip
EZIP virus types:
----------------
20081008-001116.955372 500 EZIP.exe VIRUS FOUND: Trojan.Downloader-zippwd-5 (ClamAV 0.94/8393) 76313 "bill9.zip" Zip archive data application/zip
RAR virus types:
---------------
20080623-192404.661805 500 RAR.exe VIRUS FOUND: PUA.Packed.NPack-2 (ClamAV 0.91.2/7545) 66243 "Rechnung.rar" RAR archive data application/rar
ERAR virus types:
----------------
20051202-044115.549329 500 ERAR.chm VIRUS FOUND: Trojan.Spy.Goldun.A-rarpwd (ClamAV 0.87.1/1200) 19723 "clients.rar" RAR archive data APPLICATION/OCTET-STREAM
MBOX virus types:
----------------
20090525-182216.960009 507 MBOX.Html PHISHING FOUND: Phishing.Heuristics.Email.SpoofedDomain (both scan methods) (ClamAV 0.95.1/9390) 8308 "(no attachment)" ASCII mail text text/html
20080906-003904.184343 504 MBOX.Html Possible PHISHING FOUND: Phishing.Heuristics.Email.HexURL (ClamAV 0.91.2/8170) 6000 "(no attachment)" ASCII mail text text/html
20080713-210924.969030 504 MBOX.SCAN_ALL VIRUS FOUND: Email.PornTeaser (ClamAV 0.91.2/7705) 60080 "(no attachment)" ASCII mail text (Non-HTML)
20080805-052613.971207 504 MBOX.SCAN_ALL VIRUS FOUND: Email.Phishing.DblDom-92 (ClamAV 0.91.2/7941) 2099 "(no attachment)" ASCII mail text (Non-HTML)
In addition, an entry will be written into procmail's log file, containing
the virus main type (as described in chapter 3 above), the MIME type,
the attached file name (in archived attachments, along with the
file name inside the archive) and ClamAV's result.
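The fixed 8-column layout makes the viruses log easy to post-process. The
following is an added example (not SoftlabsAV code) that reads it with awk:
one function counts entries and bytes per main virus type, the other extracts
the virus name from "VIRUS FOUND" entries. The sample lines are re-tabbed from
the examples above, with one deliberately truncated line added to show the
column check; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not SoftlabsAV code: read the 8-column, TAB-separated
# viruses log described in chapter 6 with awk.

# av_log_count_types < viruses.log
# Prints "TYPE count bytes" per main virus type. Field 3 is taken before its
# dot with the alignment padding removed; field 5 is right-aligned, and awk's
# numeric conversion ignores its leading spaces. Lines that do not have
# exactly 8 fields are skipped and counted on stderr.
av_log_count_types() {
    awk -F '\t' '
        NF != 8 { bad++; next }
        {
            type = $3
            gsub(/ /, "", type)
            sub(/\..*/, "", type)
            count[type]++
            bytes[type] += $5 + 0
        }
        END {
            for (t in count) print t, count[t], bytes[t]
            if (bad) print bad " malformed line(s) skipped" > "/dev/stderr"
        }
    ' | LC_ALL=C sort
}

# av_log_virus_names < viruses.log
# Prints "ID<TAB>user<TAB>virus name" for lines where clamscan reported a
# virus (field 4 starts with "VIRUS FOUND: "); the trailing "(ClamAV x/y)"
# is stripped from the name.
av_log_virus_names() {
    awk -F '\t' '
        NF == 8 && $4 ~ /^VIRUS FOUND: / {
            name = $4
            sub(/^VIRUS FOUND: /, "", name)
            sub(/ \(ClamAV [^)]*\)$/, "", name)
            print $1 "\t" $2 "\t" name
        }
    '
}

# Sample log: three lines re-tabbed from the examples in this chapter, plus
# one constructed, truncated line as a damaged log might contain.
av_sample_vlog() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
        20080417-165704.039273 504 ' EXE.exe' \
        'VIRUS FOUND: Trojan.Downloader-31055 (ClamAV 0.91.2/6813)' \
        11776 '"photo.exe"' \
        'MS Windows PE 32-bit Intel 80386 GUI executable not relocatable' \
        application/octet-stream \
        20080510-142216.763827 502 ' ZIP.scr' \
        'VIRUS FOUND: Trojan.Dropper-6823 (ClamAV 0.91.2/7083)' \
        38162 '"ssaver.zip"' 'Zip archive data' application/zip \
        20090525-182216.960009 507 'MBOX.Html' \
        'PHISHING FOUND: Phishing.Heuristics.Email.SpoofedDomain (both scan methods) (ClamAV 0.95.1/9390)' \
        ' 8308' '"(no attachment)"' 'ASCII mail text' text/html
    printf 'truncated line\twith only two fields\n'
}

# Usage; with a real log: av_log_count_types < /var/log/viruses.log
av_sample_vlog | av_log_count_types
av_sample_vlog | av_log_virus_names
```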
___________________________________________
7. The 'clamscan.cron' cronjob shell script
This package also includes a 'sh' shell script that scans the entire file
system for viruses with ClamAV's clamscan. It is intended to be run
automatically once a day, as a cronjob. By default, the result will be
emailed to the system's root once the scan has finished. It does the same
version check on clamscan as SoftlabsAV itself, ensuring that the
required minimum version is installed and calling clamscan with the
options appropriate to its version.
Copy the 'clamscan.cron' file found in the 'etc/cron.daily' directory of
this package into the server machine's '/etc/cron.daily' directory and
test-run it. You may want to look into it and edit some settings within
its configuration section.
You can also use this script without having the SoftlabsAV procmail
filter installed, for an automatic daily full scan. In that case, uncomment
the configuration line
SCANDIR_FIRST=''
__________
8. License
Copyright (C) 2004-2009 Robert Allerstorfer
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
A copy of the GNU General Public License (GPL), version 3 (29 June 2007)
in plain text format is included in this package as "gpl-3.0.txt"
(taken from http://www.gnu.org/licenses/gpl-3.0.txt). The GPL should also
be available online at
http://www.gnu.org/licenses/gpl.html
__________
9. Credits
Thanks go out to (in alphabetical order):
+ Tomasz Kojm for his great ClamAV open source anti-virus scanner
(http://www.clamav.net/)
+ James Lick - the author of "clamassassin" (http://drivel.com/clamassassin/)
+ Nancy McGough for her "Procmail Quick Start" tutorial, available at
http://www.ii.com/internet/robots/procmail/qs/
which was the place where I got my feet wet in starting with procmail
+ Ruud H.G. van Tol for his continued useful suggestions and his fabulous
"just procmail" collection, published at
http://www.xs4all.nl/~rvtol/procmail/
+ everybody who gave constructive feedback to the project
_________________________________________
10. History of version changes (ChangeLog)
Please refer to the file "history.txt".
____________
11. Feedback
If you have constructive suggestions or found a bug, join the open-source
community and share your opinions. Your contribution may probably become
part of this project. Please feel free to post feedback of any flavour in
the project's open discussion forum at
http://sourceforge.net/forum/forum.php?forum_id=360141
You can find this link, along with all other useful information regarding
SoftlabsAV, at the official project homepage
http://softlabsav.sourceforge.net/