Antivirus for sendmail
Petr Rehor

INTRODUCTION

This patch was developed on FreeBSD/sendmail and employs an antivirus program AntiViral Toolkit Pro for Unix.

It can be used under every system, when Avp for Unix or other antivirus programs run. If other antivirus program is used, you can use only the Antivirus.Scanner option, because AvpDaemon has proprietary communication protocol. Antivirus program must return zero for successful antivirus check, and non-zero value for any other event. Antivirus program must be able to process check of mail body (UUENCODE, MIME, archived and compressed attachments). Output of antivirus program is appended to response mail if viruses were detected.

HISTORY

• May 30 2005 - Development stopped
  Development of check_virus is stopped. You can use amavisd-new with amavisd-milter instead it.
  
  
• Mar 24 2004 - check_virus-1.23-8.11.7.diff (MD5)
  Feature: Handle new return code Modified virus detected introduced in Kaspersky Antivirus 4.X.
  Bugfix: properly sanitize MIME headers for application/pkcs7-mime and application/x-pkcs7-mime (bugfix to bugfix to bugfix :-).
  
  
• Oct 7 2003 - check_virus-1.22-8.11.7.diff
  Version for sendmail-8.11.7.
  Bugfix: check_virus contain also security fixies for ALARM signal and address parsing.
  Bugfix: properly configure smrsh work directory on FreeBSD.
  
  
• Jun 5 2003 - check_virus-1.21-8.11.6.diff
  Bugfix: Doesn't call sanitize_mime_miltipart() for application/x-pkcs7-mime (bugfix to bugfix :-). Thanks to Vladimir Solnicky.
  
  
• Nov 29 2001 - check_virus-1.20-8.11.6.diff
  Version for sendmail 8.11.6 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  Feature: when started, sendmail prints info about check_virus configuration.
  Feature: Enhanced information about message in virus detection output (From, To, Subject).
  Bugfix: Doesn't print message subject in virus detection output when it's not defined. Thanks to Andreas Johann.
  Bugfix: Doesn't call sanitize_mime_miltipart() for MIME Content-Type application/pkcs7-mime, application/x-pkcs7-mime, application/pkcs10, application/x-pkcs10. Thanks to Alexandr Filenkov.
  Bugfix: Problem with uninitialized variable in collect() when message don't have a body. Thanks to Alexandr Filenkov.
  
  
• Jun 20 2001 - check_virus-1.19-8.11.4.diff
  Version for sendmail 8.11.4 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  Bugfix: Doesn't call sanitize_mime_multipart() for MIME Content-Type message/partial. Thanks to Ivan D. Didenko.
  
  
• Apr 22 2001 - Redesign of installation section
  
  
• Apr 21 2001 - check_virus-1.18-8.11.3.diff
  Version for sendmail 8.11.3 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  Feature: Added Antivirus.IgnoreCorruptedMail configuration option. Idea from Yuri Vorobyev.
  Bugfix: Better handling of large message from AvpDaemon. Thanks to Luiz Felipe Silva.
  Bugfix: Print EF_VIRUS flags if e->e_flags will be printed on debug. Thanks to Luiz Felipe Silva.
  Bugfix: Restore EF_VIRUS_OK flag when mail is running from queue. Thanks to Luiz Felipe Silva.
  Bugfix: Install sendmail to /usr/libexec/sendmail on FreeBSD 4.x.
  WARNING: If you use previous version of check_virus on FreeBSD 4.x, be sure that /usr/sbin/sendmail is a symbolic link to /usr/sbin/mailwrapper.
  
  
• Jan 8 2001 - check_virus-1.17-8.11.2.diff
  Version for sendmail 8.11.2 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  
  
• Dec 5 2000 - Added link to Ebola from PLDaniels Int.
  Ebola is a antivirus scanning daemon system which offers to improve considerably the performance of virus scanning systems which require ondemand scanning from various antivirus engines.
  
  
• Dec 4 2000 - check_virus-1.16-8.11.1.diff
  Bugfix: Last MIME boundary delimiter must be followed by two hyphens in sanitize_mime_multipart().
  Bugfix: Doesn't call sanitize_mime_multipart() for MIME Content-Type text/plain.
  
  
• Nov 25 2000 - check_virus-1.15-8.11.1.diff
  Bugfix: MIME Content-Type must be multipart/*, otherwise mail body file contain only encoded data without MIME header and virus scanner check it as ASCII text.
  Bugfix: Doesn't report unsafe socket when file not exist.
  
  
• Nov 14 2000 - check_virus-1.14-8.11.1.diff
  Bugfix: Compile check_virus_daemon() portion only on platforms with domain sockets.
  Bugfix: Proper parameters at connect() to AvpDaemon for comaptibility with Linux.
  Bugfix: Check AvpDaemon socket security if DontBlameSendmail=safe.
  
  
• Nov 10 2000 - check_virus-1.13-8.11.1.diff
  Version for sendmail 8.11.1 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  Bugfix: updated installation section on this page.
  Bugfix: fixed some broken links on this page.
  
  
• Nov 10 2000 - check_virus-1.12-8.11.0.diff
  Version for sendmail 8.11.0 and Avp 3.0 build 135 or newer for Linux/FreeBSD.
  Feature: Changed syslog format to be conformable to other ruleset= events.
  WARNING: Empty mail queue before upgrade to this version!
  
  
• Nov 10 2000 - Kaspersky Lab release Avp 3.0 build 135 for Linux/FreeBSD
  Added information about Avp 3.0 build 135 for Linux/FreeBSD.
  
  
• Apr 12 2000 - Buy Avp from Online Store
  Added link to Kaspersky Lab Online Store.
  
  
• Apr 2 2000 - check_virus-1.11-8.9.3.diff
  Bugfix: Fix wrong parameters for avp_exit_code. Thanks to Taras Zlydnev.
  
  
• Mar 10 2000 - check_virus-1.10-8.9.3.diff
  Feature: Virus alert information text can be stored in sendmail.hf. This text is included to virus alert message after antivirus scanner output. Idea from Brad Dameron.
  
  
• Mar 7 2000 - check_virus-1.9-8.9.3.diff
  Bugfix: Fix src/readcf.c code when compiled without MAP_REGEX.
  Bugfix: Patch check_virus-1.8-8.9.3.diff generated without -kk (with $Id...$ in diffs).
  
  
• Mar 7 2000 - Added link to AvpUpdate from Serg Oskin
  AvpUpdate is a program for automated updating of antiviral database via network.
  
  
• Mar 5 2000 - Added link to Virus scanner wrapper from Alberto U. Begliomini
  This wrapper is intended for use with antivirus which don't check MIME files.
  
  
• Mar 1 2000 - Installation instructions for other operating systems
  Added installation instructions for other operating systems.
  
  
• Mar 1 2000 - check_virus-1.8-8.9.3.diff
  Feature: Configuration options Antivirus.AlertToRecipients and Antivirus.PassSuspiciousMail are pattern controlled like Antivirus.PassInfectedMail. Idea from Andrew Speer.
  Bugfix: Conditional compiling option CHECK_VIRUS is now enabled by default.
  Bugfix: read(2) function don't guarantees to read the number of bytes requested if the descriptor don't references a normal file. Thanks to Alex Zhilyakov.
  
  
• Jan 13 2000 - check_virus-1.7-8.9.3.diff
  Bugfix: Use errstring() instead sys_errlist[] for compatibility with other operating systems. Thanks to Alberto Begliomini.
  
  
• Jan 10 2000 - check_virus-1.6-8.9.3.diff
  Bugfix: Minor mistake in setoption()/read.cf. Thanks to Vadim Kozlov.
  
  
• Jan 4 2000 - check_virus-1.5-8.9.3.diff
  Feature: Added configuration option Antivirus.PassSuspiciousMail. Idea from Yuri Vorobyev.
  Feature: Redesigned configuration options.
  
  
• Jan 2 2000 - check_virus-1.4-8.9.3.diff
  Patch is generated from CVS tree.
  Bugfix: Properly handled Avp exit code 8 - Corrupted objects were found.
  Bugfix: Name of AntivirusScaner is logged instead message file name when viruses were found.
  
  
• Dec 27 1999 - check_virus-1.3-8.9.3.diff
  Bugfix: Added case insensitivity for Antivirus.PassInfectedMail if MAP_REGEX don't used.
  
  
• Dec 25 1999 - check_virus-1.2-8.9.3.diff
  Feature: Added configuration option Antivirus.PassInfectedMail. Idea from Yuri Vorobyev.
  
  
• Dec 21 1999 - check_virus-1.1-8.9.3.diff
  For use with release version of Avp for Unix.
  Feature: Improved logging facility.
  
  
• Dec 8 1999 - Kaspersky Lab release Avp for BSDI
  
  
• Nov 25 1999 - Kaspersky Lab release Avp for Linux and Avp for FreeBSD
  
  
• Oct 25 1999 - check_virus-1.0-8.9.3.diff
  Initial public release for Avp for Linux beta.
  
  

ANTIVIRAL TOOLKIT PRO FOR UNIX

Avp for FreeBSD or Linux from Kaspersky Lab contain three components:

• Avp is antivirus scanner for one-shot check.
  
  
• AvpDaemon is antivirus scanner daemon. Unlike Avp, the AvpDaemon is able to essentially minimize scanning time, because it loads its virus database in memory only once when started.
  
  
• AvpUpdater is virus database updater.
  
  
• Supported Unix platforms are Linux, FreeBSD and BSDI.
  
  

HOW IT WORKS

Antivirus check is performed in checkcompat(envelope, to) function in src/conf.c. This function is called for each recipients of each mail.

First, Antivirus.Daemon or Antivirus.Scanner scans mail. It returns EX_OK for successful check, EX_DATAERROR if virus is found, or EX_TEMPFAIL for any fail.

Result of antivirus check is stored in sendmail's internal mail envelope. When mail has a multiple recipients or is processed from the queue, the cached information is used instead of the again run of antivirus scanner for the same mail.

If a virus is found, the mail without its body is returned to the sender, and the event is written to the syslog. Also the postmaster and recipients can be notified. The returned mailcontains verbose output of antivirus scanner about the type of virus.

In the case of fail this event is written to the syslog and mail is deferred. It is processed from the queue until fail is over or mail is returned as undeliverable. If confCOPY_ERRORS_TO is defined in sendmail.mc, the postmaster will be notified too.

INSTALLATION

Installation instructions for sendmail:

• Install your favourite antivirus
  
  For installation of Avp on FreeBSD see next section.
  
  
• Apply check_virus patch
  
  fetch ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.3.tar.gz
  fetch http://www.decros.cz/~reho/check_virus/check_virus-1.18-8.11.3.diff
  tar xvfz sendmail.8.11.3.tar.gz
  cd sendmail-8.11.3
  patch -p1 < ../check_virus-1.18-8.11.3.diff
  
  
• Make and install sendmail
  
  make
  make install
  
  
• Restart sendmail
  
  kill `cat /var/run/sendmail.pid`
  /usr/sbin/sendmail -bd
  
  

Installation instructions for Avp on FreeBSD:

• Install Avp:
  
  mkdir /usr/local/avp
  cd /usr/local/avp
  fetch ftp://ftp.avp.ru/products/avp_unix/freebsd/4X/avp-ServerSuit-3.0.135-FreeBSD-4.x.tgz
  tar xfz avp-ServerSuit-3.0.135-FreeBSD-4.x.tgz
  tar xfz avp-WorkstationSuit-3.0.135-FreeBSD-4.x.tgz
  rm *.tgz
  rm +*
  mv avpbsd.8.gz avp.8.gz
  mv *.8.gz /usr/local/man/man8
  mv AVP/* .
  rmdir AVP
  fetch http://www.decros.cz/~reho/check_virus/mirror.conf
  cd /usr/local/bin
  fetch http://www.decros.cz/~reho/check_virus/avp
  chmod ugo+x avp
  fetch http://www.decros.cz/~reho/check_virus/avptuner
  chmod ugo+x avptuner
  cd /usr/local/bin
  fetch http://www.decros.cz/~reho/check_virus/avpdaemon
  chmod ugo+x avpdaemon
  fetch http://www.decros.cz/~reho/check_virus/avpupdater
  chmod ugo+x avpupdater
  cd /usr/local/etc/rc.d
  fetch http://www.decros.cz/~reho/check_virus/avpdaemon.sh
  chmod ugo+x avpdaemon.sh
  
  
• Install Avp for FreeBSD License
  
  Purchase license for Avp for FreeBSD and install it to /usr/local/avp/AvpUnix.key.
  
  TIP: You may try use Avp for Linux Workstations in Linux emulation which is much more cheeper.
  
  
• Configure Avp
  
  cd /usr/local/avp
  fetch http://www.decros.cz/~reho/check_virus/AvpUnix.ini
  fetch http://www.decros.cz/~reho/check_virus/defUnix.prf
  
  IMPORTANT: AvpBSDDaemon scan files only in directory tree presented in defUnix.prf directive List with * prefix. For files in other directories AvpBSDDaemon always say OK.
  
  
• Download Avp virus datavase (you need mirror or wget installed)
  
  cd /usr/local/avp
  mkdir database
  cd /etc/periodic/daily
  fetch http://www.decros.cz/~reho/check_virus/800.avp-update
  chmod ugo+x 800.avp-update
  ./800.avp-update
  
  
• Start AvpDaemon
  
  /usr/local/etc/rc.d/avpdaemon.sh start
  
  

CONFIGURATION

WARNING: When antivirus options are configured in /etc/mail/sendmail.cf, then non-patched sendmail can't be run.

Configure your sendmail:

• Add to your sendmail.mc file these lines (or add the 'O' directives directly into /etc/mail/sendmail.cf)
  
  define(`confCOPY_ERRORS_TO',`postmaster')dnl
  LOCAL_CONFIG
  O Antivirus.Daemon=/var/run/AvpCtl
  O Antivirus.Scanner=/usr/local/avp/AvpBSD -I0 -Y
  O Antivirus.AvpCompatible=true
  O Antivirus.AlertToRecipients=.*@(.*\.)*my.domain
  O Antivirus.PassInfectedMail=root .*@avp.ru
  O Antivirus.PassSuspiciousMail=.*@(.*\.)*my.domain
  
  
• Restart sendmail
  
  kill -HUP `cat /var/run/sendmail.pid`
  
  

Configuration options:

• Antivirus.Daemon
  Path to AvpDaemon socket.
  
  
• Antivirus.Scanner
  Path to Avp or other antivirus scanner binary.
  
  
• Antivirus.AvpCompatible
  If it is set to true, check_virus expect Avp extended return codes from Antivirus.Scanner program. Otherwise check_virus expect zero value for successful antivirus check, and non-zero value for any other event.
  
  
• Antivirus.AlertToRecipients
  Virus alert can be delivered to recipients too. It may use form user for local users, user@some.domain for other users, .*@some.domain for all users from selected domain or .*@ for all local users.
  
  If sendmail is compiled with MAP_REGEX, Antivirus.AlertToRecipients accept regular expressions and form .*@ for all local users (it is treated as ^[a-z0-9_\+\-\.]*$). Each regular expression must match whole mail address (it is treated as ^regular-expression$). Usernames are checked after aliasing in case insensitive mode.
  
  
• Antivirus.PassInfectedMail
  Pass infected mail to selected users. It use the same form as Antivirus.AlertToRecipients.
  
  Infected mail is passed to recipients as an attachment of standard error message from MAILER-DAEMON.
  
  
• Antivirus.PassSuspiciousMail
  Pass suspicious mail to recipients. It use the same form as Antivirus.AlertToRecipients.
  
  Suspicious mail contain suspicious or corrupted objects (see Avp return codes). Suspicious mail is passed to recipients as an attachment of standard error message from MAILER-DAEMON.
  
  
• Antivirus.IgnoreCorruptedMail
  Ignore corrupted mail. It use the same form as Antivirus.AlertToRecipients.
  
  Corrupted mail contain corrupted objects - Avp can't properly extract attachments from mail (see Avp return codes). Corrupted mail is passed to recipients without any notifications.
  

Customize virus alert information text:

• Edit your help file /etc/mail/helpfile and customize lines begin with virus
  
  You may add, edit or delete this lines. Lines must begin with virus keyword.
  
  IMPORTATNT: Between keyword virus and text must be TAB !
  

LICENSING

This code is Copyright © Petr Rehor, 1999, 2000, 2001. I reserve all rights to this code and accompanying files. Since this code is closely tied to sendmail, its licensing policies are the same as for sendmail. See the sendmail's LICENSE.

DISCLAIMER/LIMITATION OF LIABILITY

THIS SOFTWARE IS PROVIDED BY PETR REHOR "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PETR REHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

RELATED LINKS

• Kaspersky Lab in Russia
• Kaspersky Lab in USA
• Kaspersky Lab Online store
• Ebola powerful virus scanner wrapper for Linux.
• Virus scanner wrapper for check_virus from Albero U. Begliomini
• AvpUpdate from Serg Oskin
• AMaViS - A Mail Virus Scanner
• Inflex - Electronic Mail Scanning System
• Virus encyclopedia
• Security Portal
• Computer Virus Myths
• Linux Ticker - Feature: Viruses on Unix systems
• John Dvorak of PC Magazine Online recommends AntiViral Toolkit Pro

CONTACT INFO

See How to reach me.

Home, Top