What anti-virus solutions?

O

ozzi4648

Guest
I had to laugh when i saw the anti-virus solutions built into Exim, or if you can call it that. Really, what are they thinking. We have Mailscanner running on all our boxes using RAV with that latest db updated on a daily basis. Our server catch hundreds of virus across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me awhile and let me see what i can whip up. ;)
 

Vital

Active Member
Nov 17, 2001
37
0
306
Undoubtedly this is interesting! As an alternative, i'm experimenting with Kaspersky AntiVirus Protection, let's see, if this thing will work with exim.
 

NEMON

Registered
Sep 4, 2001
3
0
301
Most of the antivirus softwares for Linux are way too expensive.

To get a Free Opensource Antivirus software I may suggest you to grab a copy from

http://freshmeat.net/redir/clamav/29355/url_tgz/clamav-0.51.tar.gz

Once you are done downloading that -

Do the following steps :-

groupadd clamav
useradd -g clamav -s /bin/false -c &Clam AntiVirus& clamav

tar zxpvf clamav-0.51.tar.gz
cd clamav-0.51
./configure
make
make install

Everything will go smooth and clamv antivirus will be installed in

/usr/loca/bin/

To update your virus defination issue the following command.

./freshclamv

Autoupdate Virus Def

touch /var/log/clam-update.log
chmod 644 /var/log/clam-update.log
chown clamav /var/log/clam-update.log

freshclam -d -c 2 -l /var/log/clam-update.log

It will check for a new database 2 times a day. Please add this line to your startup scripts. The other way is to use the cron daemon. You have to add a similar line to the crontab of root or clamav:

0 8 * * * /usr/local/bin/freshclam --quiet -l /var/log/clam-update.log

As you are done installing Clamv Antivirus Scanner. Next step you need is to grab a copy of Amavis Mail Scanner for incoming and outgoing emails.

tar zxpvf amavis-perl-11.tar.gz
cp clamav-x.yz/support/amavis/clamavis.patch amavis-perl-11
cd amavis-perl-11
patch -p1 & clamavis.patch
find . -exec touch 01010000 {} \;

http://www.amavis.org/dist/perl/amavis-perl-11.tar.gz

tar zxpvf amavis-perl-11.tar.gz
cd amavis-perl-11
./configure
make
make install

Once you issue make install command it will ask you to install few softwares in your server dont worry nothing will got messed up in your server as I am using Above virus scanner in my server.

If you are missing few software

Decompressors and Decoders

-uudecode
-compress
-gunzip
-unzip
-unarj
-unrar
-xbin
-LHArc
-bunzip2
-zoo
-arc
-freeze
-tnef

You might need to get
zoo
arc
tnef
freeze

Cos thats what Amavis ask me to install so you can grab of a copy of those from

http://www.rpmfind.net and search for those above software but make sure you will download the one which reflects your server version like if you are running RH 7.2 then you have to get a zoo software for RH 7.2 i386

And install them on your server by using

rpm -Uvh zoo.rpm

Issue that above command to all the missing softwares on your servers . now you are done with that part too.

Next Step

Perl Modules :-

perl -MCPAN -e shell

install Unix::Syslog
install Convert::UUlib
install Convert::TNEF
install Compress::Zlib
install Archive::Tar
install Archive::Zip
install G/GB/GBARR/MailTools-1.15.tar.gz
install MIME::Tools
install Bundle::libnet

Once you are done with above then the final step you need to do is :-

Install the Amavis software
And issue the following commands and if you dont get any file missing error then it means you are done installing that.

cd amavis-perl-11
./configure
make
make install

Thats all for above part

pico /etc/mail/sendmail.mc

dnl
dnl Change Mlocal to use AMaViS-Perl
define(`LOCAL_MAILER_PATH', `/usr/sbin/amavis')dnl
define(`LOCAL_MAILER_ARGS', CONCAT(`amavis $f $u /usr/bin/',
LOCAL_MAILER_ARGS))dnl
dnl please set the path to your procmail accordingly!
dnl the following works only with sendmail 8.10.x or above
MODIFY_MAILER_FLAGS(`LOCAL', `-m')dnl

m4 /etc/mail/sendmail.mc & /etc/sendmail.cf

That should be it...

to run clamd antivirus you need to remove # from clamd.conf some where in /usr/local/share

This was done on sendmail server, with no exim. But I think it should be the same thing.

I also have send the same thing to bdraco day ago.
 
O

ozzi4648

Guest
[quote:7f68466380][i:7f68466380]Originally posted by NEMON[/i:7f68466380]

Most of the antivirus softwares for Linux are way too expensive.
[/quote:7f68466380]

Mailscanner is free, much better then Amavis, and i can get a RAV anti-virus license for less than $30.00 per server.;)
 

ecoutez

Well-Known Member
May 23, 2002
152
0
316
AMaViS-NG is a better choice

If you're going the AMaViS route, the -NG version is a better choice. It integrates fairly easily as well.

I had promised to get some docs together, but this is still somewhat incomplete. Here's what I do have though...

Start by downloadig amavis-ng:
http://sourceforge.net/projects/amavis

Relevent Readme included in the tarball:
doc/README.exim-perl

AntiVirus Scanner - my personal preference is uvscan:
McAfee Download:
McAfee VirusScan Command Line Scanner for... Linux (4.16)
http://www.mcafeeb2b.com/naicommon/buy-try/try/products-evals.asp
register and download vlnx416e.tar.Z


Now we need to update the DAT file and install the program to do so via cron
uvupdate:
http://main.psi.com.br/~julio/uvscan/
read and follow uvupdate INSTALL file - select experimental or not
Add symbolic link from /etc/cron.daily/uvupdate to your installed uvupdate program

edit /etc/exim.conf:
edit out # message_filter = /etc/antivirus.exim
insert...
message_filter = /etc/exim/amavis.filter
message_filter_user = mail
message_filter_group = mail
deliver_load_max = 3
queue_only_load = 4

I elected to also edit this value:
deliver_queue_load_max = 5


copy /root/src/amavis-ng/amavis-ng-0.1.3.1/doc/exim/exim.filter to /etc/exim/amavis.filter

insert line at top of /etc/exim.pl:
do '/usr/share/amavis/amavis-filter.pl';

cpan install File::MMagic
cpan install Config::IniFiles
cpan install MIME::Tools (mine was up-to-date)
cpan install Convert::TNEF
cpan install Convert::UUlib
cpan instlal Compress::Zlib (MINE WAS UP-TO-DATE)
cpan install Archive::Tar (was up to date)


Also may be desired (no guarantee that these are the latest though...)
* unrar ftp://speakeasy.rpmfind.net/linux/contrib/libc6/i386/unrar-3.0-1.i386.rpm
* zoo http://ftp.task.gda.pl/linux/RPMS/redhat/libc6/contribs/i386/zoo-2.10-7.i386.html
* arc ftp://speakeasy.rpmfind.net/linux/contrib/libc6/i386/arc-5.21e-6.i386.rpm
* lha http://www.redhat.com/swr/i386/lha-1.14i-4.i386.html
* unarj http://www.redhat.com/swr/i386/unarj-2.43-10.i386.html


Then install amavis-ng:
make;make install


cp /root/src/amavis-ng/amavis-ng-0.1.3.1/etc/amavis.conf /etc/

edit /etc/amavis.conf with your fav. editor:
- enable EximPerl (line 11) and at least one scanner (I use NAI) -- FSP is FILE::Scan Perl module (free and installed)
- enable extractor modules which are installed
- select headers
- unpack directory - I use /tmp/amavis/ chmod 755, chown mail.mail

In the [notify] section, I recommend not selecting a local domain at all. This appears to work best in my testing:
;; local domain = .*example\.com

- set admin mail addresses to/from
- check path for virusscan program and external compression programs

- /etc/amavis.conf file must be in /etc/amavis/ ... I added a symbolic link to take care of this. It may work with amavis.conf only in /etc/amavis/ but I have not had a chance to test that.

The only problem with this is if/when CPanel updates Exim. In the past, the exim.conf would be overwritten, but the past few updates seem to have preserved the config file. :) However, you also need to ensure that the first line of your exim.pl doesn't get wiped out. chattr could help here.

- Jason
 
B

bdraco

Guest
http://layer1.cpanel.net/exim+virusscan.tar.gz

If you use this, exim should keep the config between updates
 

macian

Member
Oct 17, 2002
12
0
151
mailscanner

[quote:2be2348ca4][i:2be2348ca4]Originally posted by ozzi4648[/i:2be2348ca4]

I had to laugh when i saw the anti-virus solutions built into Exim, or if you can call it that. Really, what are they thinking. We have Mailscanner running on all our boxes using RAV with that latest db updated on a daily basis. Our server catch hundreds of virus across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me awhile and let me see what i can whip up. ;) [/quote:2be2348ca4]

yeah... i would definately be interested in setting something like that up on my server... a quick howto would be great...
 
O

ozzi4648

Guest
[quote:3066a60aae][i:3066a60aae]Originally posted by macian[/i:3066a60aae]

[quote:3066a60aae][i:3066a60aae]Originally posted by ozzi4648[/i:3066a60aae]

I had to laugh when i saw the anti-virus solutions built into Exim, or if you can call it that. Really, what are they thinking. We have Mailscanner running on all our boxes using RAV with that latest db updated on a daily basis. Our server catch hundreds of virus across 22 boxes on a daily basis. This is really what we are aiming to do with our Cpanel box. Anyone interested in a HOWTO? Give me awhile and let me see what i can whip up. ;) [/quote:3066a60aae]

yeah... i would definately be interested in setting something like that up on my server... a quick howto would be great...[/quote:3066a60aae]

Still working on this. When its working correctly i will post a howto. All i have to say is its harder to implament with Exim than with Sendmail.
 
B

bdraco

Guest
wget http://layer1.cpanel.net/exim+virusscan.tar.gz
tar xfzv exim+virusscan.tar.gz
cd exim+virusscan
sh install
 
O

ozzi4648

Guest
[quote:30c41a186e][i:30c41a186e]Originally posted by bdraco[/i:30c41a186e]

wget http://layer1.cpanel.net/exim+virusscan.tar.gz
tar xfzv exim+virusscan.tar.gz
cd exim+virusscan
sh install[/quote:30c41a186e]

No thanks! Mailscanner is a much better soltuions and it runs on 22 of our other servers catching hundreds of infected email daily! Our virus signature db's are updated daily on all our servers and we are using RAV not some generic catch-me-if-you-can solution.
Thanks for your suggestion.
 

moronhead

Well-Known Member
Aug 12, 2001
706
0
316
[quote:ca0a8b7aac][i:ca0a8b7aac]Originally posted by ozzi4648[/i:ca0a8b7aac]

[quote:ca0a8b7aac][i:ca0a8b7aac]Originally posted by bdraco[/i:ca0a8b7aac]

wget http://layer1.cpanel.net/exim+virusscan.tar.gz
tar xfzv exim+virusscan.tar.gz
cd exim+virusscan
sh install[/quote:ca0a8b7aac]No thanks! Mailscanner is a much better soltuions and it runs on 22 of our other servers catching hundreds of infected email daily! Our virus signature db's are updated daily on all our servers and we are using RAV not some generic catch-me-if-you-can solution.
Thanks for your suggestion.[/quote:ca0a8b7aac]
I believe Nick was replying to a comment made by ecoutez about exim.conf. You must be so pre-occupied with your own &best& solution that you obviously don't bother either paying attention to or reading other members' posts.

Well, you can keep paying for your scanner; that's your choice. I can't see anything wrong with the step-by-step solutions recommended by nemon and ecoutez where you pay zilch, and you'd still get equally reasonable results!
 
O

ozzi4648

Guest
I have completed the integration of Mailscanner+Rav Anti-virus+Exim on our Cpanel server, working great. Already had many many viruses caught. Here is one.

The following e-mail messages were found to have viruses in them:

Sender: &[email protected]&
IP address: 61.254.68.111
Recipient: [email protected]
Subject: (±¤°í) ȨÆäÀÌÁöÁ¦ÀÛ ¼îÇθôÁ¦ÀÛ Çѱ¹ÀÎÅͳݹðÅ©
MessageID: 182Zfo-0002ES-00
Report: Possible Microsoft security vulnerability attack

--
MailScanner
Email Virus Scanner

and another

The following e-mail messages were found to have viruses in them:

Sender: &[email protected]&
IP address: 218.234.58.180
Recipient: [email protected]
Subject: (±¤°í)¿©·¯ºÐÀ» ¹é¾ç ´ÜdzÃàÁ¦¿¡ ÃÊ´ëÇÕ´Ï´Ù.(Commercial)
MessageID: 182Zex-0002Db-00
Report: Possible Microsoft security vulnerability attack

--
MailScanner
Email Virus Scanner

Here is what you will see in your /var/log/maillog when a virus is detected.

Oct 18 09:07:40 srv08 mailscanner[5991]: Scanning 1 messages, 12566 bytes
Oct 18 09:07:42 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zex-0002Db-00
Oct 18 09:07:43 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zex-0002Db-00
Oct 18 09:07:43 srv08 mailscanner[5991]: Scanned 1 messages, 12566 bytes in 0 seconds
Oct 18 09:07:43 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zex-0002Db-0$
Oct 18 09:07:43 srv08 mailscanner[5991]: Notified [email protected] about 1 infections
Oct 18 09:07:44 srv08 mailscanner[5991]: Scanning 1 messages, 921 bytes
Oct 18 09:07:45 srv08 mailscanner[5991]: Scanned 1 messages, 921 bytes in 0 seconds
Oct 18 09:08:30 srv08 mailscanner[5991]: Scanning 1 messages, 10595 bytes
Oct 18 09:08:34 srv08 mailscanner[5991]: Detected Microsoft-specific exploits in 182Zfo-0002ES-00
Oct 18 09:08:34 srv08 mailscanner[5991]: Found 1 viruses in messages 182Zfo-0002ES-00
Oct 18 09:08:34 srv08 mailscanner[5991]: Scanned 1 messages, 10595 bytes in 0 seconds
Oct 18 09:08:34 srv08 mailscanner[5991]: Saved entire message to /var/spool/MailScanner/quarantine/20021018/182Zfo-0002ES-0$
Oct 18 09:08:34 srv08 mailscanner[5991]: Notified [email protected] about 1 infections
Oct 18 09:08:35 srv08 mailscanner[5991]: Scanning 1 messages, 907 bytes
Oct 18 09:08:36 srv08 mailscanner[5991]: Scanned 1 messages, 907 bytes in 0 seconds

There are documents on the net trying to explain how to integrate Mailscanner with Exim but as usual they DONT work or there is some vital piece of information missing from them and of course the author of Mailscanner is of very little help.

I will post my HOWTO as soon as i have time to write it up.

For those who are in a hurry and wish integration, please contact us for more information.
 
O

ozzi4648

Guest
[quote:c8a4922127][i:c8a4922127]Originally posted by moronhead[/i:c8a4922127]

[quote:c8a4922127][i:c8a4922127]Originally posted by ozzi4648[/i:c8a4922127]

[quote:c8a4922127][i:c8a4922127]Originally posted by bdraco[/i:c8a4922127]

wget http://layer1.cpanel.net/exim+virusscan.tar.gz
tar xfzv exim+virusscan.tar.gz
cd exim+virusscan
sh install[/quote:c8a4922127]No thanks! Mailscanner is a much better soltuions and it runs on 22 of our other servers catching hundreds of infected email daily! Our virus signature db's are updated daily on all our servers and we are using RAV not some generic catch-me-if-you-can solution.
Thanks for your suggestion.[/quote:c8a4922127]
I believe Nick was replying to a comment made by ecoutez about exim.conf. You must be so pre-occupied with your own &best& solution that you obviously don't bother either paying attention to or reading other members' posts.

Well, you can keep paying for your scanner; that's your choice. I can't see anything wrong with the step-by-step solutions recommended by nemon and ecoutez where you pay zilch, and you'd still get equally reasonable results![/quote:c8a4922127]

Your message was simply not worth reply!
 

moronhead

Well-Known Member
Aug 12, 2001
706
0
316
[quote:2db986bb76][i:2db986bb76]Originally posted by ozzi4648[/i:2db986bb76]

Your message was simply not worth reply![/quote:2db986bb76]I just stated the facts.

I wasn't expecting a reply!
 

dandanfireman

Well-Known Member
PartnerNOC
May 31, 2002
117
0
316
Hey Nick. I got this when installing:

Writing /usr/lib/perl5/site_perl/5.6.1/i686-linux/auto/AMAVIS/.packlist
# Install Exim filter script
install -D -m644 amavis-filter \
/usr/bin/../share/amavis/amavis-filter
# Install magic cookie file
install -D -m644 magic.mime \
/usr/bin/../share/amavis/magic.mime
# Install AMaViS main script
install -D -m755 amavis /usr/bin/amavis
install -D -m4755 -omail -gmail qmail-queue.amavis \
/usr/bin/../sbin/qmail-queue.amavis
install -D -m755 amavis-milter/amavis-milter \
/usr/bin/../sbin/amavis-milter
install: cannot stat `amavis-milter/amavis-milter': No such file or directory
make: *** [pure_install] Error 1
`amavis.conf' -& `/etc/amavis/amavis.conf'
`antivirus.clam.exim' -& `/etc/antivirus.clam.exim'
exim (pid 19703 16993 10259) is running...
 

Omar

Well-Known Member
Jul 30, 2002
82
0
156
I'm still slightly confused as to what is included in that file:

Is it an updated version of Exim + virus-scanner, or just a virus scanner add-on?

What's the difference between this new virus scanner and the one that Exim is using already on cpanel servers?

Thanks

- Omar