Building an E-mail Virus Detection System for Your Network

I noticed a problem with the scanmail and daysumm scripts. If the script doesn't catch a virus all day, daysumm and cron both report the number of emails correctly, but the number of virii always comes up blank. It reads "there were viruses today" not "there were 0 viruses today". I'm using bash 2.05a, I modified the script slightly and now it works. I added the following to both daysumm and scanmail (before it decides to not continue if there is no mail).

# Show a zero if no viruses have been found and

# no virus file is created

zerocheck=$((`cat $etc/virus-log.$date`+0))

if [ $zerocheck -eq 0 ]; then

export virus_total=0

fi

It's kinda rudimentary and returns an error if the file virus-log.$date has yet to be made (the error is cat failing to find the file), but it works and correctly reports a zero. I'm not sure how to clean it up so if you have any suggestions I'd be interested.

Krondor (krondor_99@yahoo.com)

P.S. I also noticed that in daysumm if no emails were processed in one day then it says

the number of emails were:

similar to the problem in reporting the number of viruses, I'm assuming the patch above could be modified to accurately report email.

Thanks for a mostly Good article...

A couple of points....

You assumed that everyone was running a bash2 script and called the list of spooled mail into an array. Bash V2 is required for an array.

A better option would have to use the more generic approach so any bash shell would work "out of the archive" (such as echo `ls * >>SOMETEMPFILE) then use a standard for loop to scan each one in turn (for MAIL in `cat SOMETEMPFILE`; do......)

Mandrake 8.1 fails to run the uvscan program due to an undefined symbol....

It is not due to the library dependencies ( ldconfig -l |less and search for required libs shows them all.)

So... I went about searching for another linux virus scanner with even better licence than that one....

I found a suitable candidate at http://www.f-prot.com They have available a BETA version for linux that is statically linked ( in most cases, a better option cause it should work on most systems).

I will be implementign a simple wget script to get the updated definitions from this site and manage them in a simialr manner to what you presented.

As I chose to run postfix and not sendmail ( I didn't have 2 spare years to learn sendmail!!) and the postfix sendmail wrapper fails to run without the mail system running.

So, I chose to run postfix on a high port and comment out the sendmail -q line of the scanmail script (near the end).

( postfix users, in the /etc/postfix/master.cf find the line that is like

smtp inet n - n - - smtpd

and change smtp in the first column to a high port such as 2525 )

Hope these comments help others to easily set up a mail scanner in their gateway without giving up.

bob@norcom.net.au

While this looks like an interesting project I decided to try out MailScanner. It accomplishes the same thing for a linux server and is a supported application. I had it up in running in only a few minutes. It doesn't require any config changes to sendmail and installs with an rpm.

Currently it supports McAfee or Sophos but more virus packages will be added in the next release.

This is definitely a pretty slick setup but I'm wondering why a script was needed. Doesn't the virus scanner have the ability to check all incoming and outgoing mail for viruses before processing?

Well, it's good idea to use H+BEDV Team products: AntiVir for Linux and AVMailGate to protect file- and email server from virus attacks. But these products have some problems with old versions of Linux, glibc/libc5. They are free.

Another cool things are KAV - Kaspersky Anti-Virus and KAVKeeper for sendmail/qmail. Installation and configuration of these products is not so clear, but it works good enough. The last products is not free...

Running it now, i'm protecting my email users from any viruses...

We are currently testing MailScanner (also free). It will only run a mailserver using sendmail or Exim. It will use a commercial virusscanner Sophos or McAfee. The installation is real simple. I had it up and running in 30 min.

http://www.sng.ecs.soton.ac.uk/mailscanner/

You need to have a version of Bash capable of doing arrays. Grab the latest off of metalab to be safe.

Also, add the -i switch to the grep calls to make the searches case insensitive.

Great article, I'm trying this right now (sinds last night 03:30 AM ;-) in our company gateway/firewall. Do you think about setting up a site about this? It should be worth it!

Some minor notes:

You should leave out the extra space after '/var/spool/smtpd/' in the line "mkdir -p /var/spool/smtpd/ {etc,bin,incoming,outgoing,quarantine}" (for enhanced easy of copy/paste ;).

The scanmail script doesn't work on the Bash 1.14 that was installed with RedHat 6.2. Had to install Bash2, maybe you could note that in the instructions. :-)

The files in "ftp://ftp.ssc.com/pub/lj/listings/issue92/4882.tgz" are DOS style CR-LF-ed. It wasn't much fun to convert that to Unix style.

Great stuff and thanks!

Thimo Jansen

:-( uvscan doesn't work in debian/woody. It generates a "uvscan: error while loading shared libraries: libstdc++.so.2.8: cannot open shared object file: No such file or directory" error.

Even after running ldconfig as root

An alternative way is to use Amavis (www.amavis.org) plus a virus scanner. It works for me nicely.