Post.Office Support: Index
Post.Office recommends using McAfee's Virex 7 to scan messages after they are received by Post.Office, but before they are delivered to the individual user mail boxes.
These scripts, created by Euregio.Net, are designed to manage the execution of Virex 7 on Post.Office systems. The scripts are run using a cron job or through a daemon. They provide a range of scanning levels that can work directly on the message content and attachment file names, with or without Virex 7.
A cron job runs every minute and uses the Virex command line scanner to scan the messages that have arrived since the script last ran. A daemonized version of the script is also available, which scans the mailbox directory continuously for new messages.
It sounds rather simple compared to other (expensive) anti-virus systems but it's quite effective. Development and testing of this script took more than 100 hours. It's been running without any major problems on our production mail server since late August 2003.
The script also uses some other methods to discover unwelcome file attachments (.lnk, .bat, .chm, .cmd, .vxd, .pif, .scr, .hta, .jse, .vbs). This gives you pretty good protection against any new viruses which are not yet covered by the Virex DAT files (virus definitions). When there are attachments with a suffix of .exe, .com, .dll or .zip, the subject line of the message is rewritten to alert the user that there is a potentially dangerous attachment in the message.
Attention Panther Users
It's been reported that there are some problems running these scripts on MacOS X 10.3.x (Panther). I still have to install a test server running Panther to find out what's going on. The scripts do work on MacOS X 10.2.x (Jaguar) without any problems. By the way, I'm currently testing the next version of the anti-virus scripts which also work with ClamAV (an open source anti-virus solution).
Current version: 0.8 - updated 11th February 2004
Here are the features of the script:
And best of all, there is an online configurator/wizard for the script which allows you to set your preferred configuration without having to wade through the code of my shell script.
This script has been tested on MacOS X 10.2.x and is currently running on our mail server (MacOS X 10.2.8) without any problems.
Virex and the vscanx command line scanners are not provided in this script. You have to get a copy of Virex either through your McAfee or included with your .Mac subscription.
munpack is a small utility that can be used to
extract attachments from an e-mail message which makes scanning a bit
easier for Virex. This is optional for the virexscript but can provide
better scanning results. You can get the munpack binary through the
Communigate Virusscan script: CGVirusscan. Download CGVirusscan, extract the archive and then copy the munpack binary to
/usr/local/bin/ on your server.
Unix "munpack" utility (© Copyright 1993,1994 by Carnegie Mellon University, All Rights Reserved)
Here's a quick installation guide:
mv /virexscript.txt ~/virexscript.sh
chmod 755 virexscript.sh
chown root:wheel virexscript.sh
mkdir -p /tmp/virex
munpack on your server if you want to use it
mkdir -p /quarantine
/etc/crontab) to execute the virexscript.sh every minute
echo "*/1 * * * * root ~root/virexscript.sh > /dev/null 2>&1" >> /etc/crontab
Make sure to read the rest of this page as well and if the anti-virus system is working for you, please support the development by donating something... :-)
Here's a list of files and folders that are being used by the script. This information is provided just for your information, so you know what is going where.
mailboxdir=`grep "MailboxDir" /etc/post.office.conf | cut -d "=" -f 2`
Since version 0.8 it's possible to run the script as a daemon/background process. This will check your mailbox directory continuously instead of just once per minute. The script should be able to scan 99% of the messages.
The very first version checked the whole mailbox directory on every execution. That took too much time when there were lots of messages. Therefore I looked for a way to only scan any new messages. Using a cron job for your anti-virus solution is not 100% ideal because new messages could arrive and be downloaded while the script is still running.
The e-mail that arrives between the start of the scanning process and the next execution of the scanning process could contain a virus and get downloaded before the system has a chance to scan it. Personally, I think this little risk is worth having when the rest of the messages are being checked for viruses.
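One way to scan only what arrived since the previous cron run while keeping the unscanned window small, as an added example that is not the virexscript code. The marker file, the lock directory and the function names `list_new_messages` and `run_once` are assumptions; the page does not show how the script tracks its last run.

```shell
#!/bin/sh
# Added example, not the virexscript code. STATE is a directory that holds
# a marker file (time of the previous run) and a lock directory.

# list_new_messages MAILDIR STATE
# Prints files changed since the previous run, then advances the marker.
list_new_messages() {
    maildir=$1; state=$2
    marker="$state/last-run"; started="$state/this-run"
    # Stamp the start time *before* scanning: mail that arrives while this
    # run is busy is newer than the stamp, so the next run still lists it
    # (at worst a message is scanned twice, never skipped for being late).
    touch "$started"
    if [ -e "$marker" ]; then
        find "$maildir" -type f -newer "$marker"
    else
        find "$maildir" -type f          # first run: list everything
    fi
    mv "$started" "$marker"
}

# run_once MAILDIR STATE
# Skips this cron tick when the previous run is still busy, for example
# while an attachment extraction is taking longer than a minute.
run_once() {
    if ! mkdir "$2/lock" 2>/dev/null; then    # mkdir either creates or fails
        echo "previous run still active, skipping" >&2
        return 75                             # arbitrary non-zero status
    fi
    list_new_messages "$1" "$2"; rc=$?
    rmdir "$2/lock"
    return $rc
}

# Constructed demo in a throwaway directory.
demo=$(mktemp -d); mkdir "$demo/mail" "$demo/state"
touch "$demo/mail/msg1"
run_once "$demo/mail" "$demo/state"    # first run lists msg1
run_once "$demo/mail" "$demo/state"    # second run lists nothing new
rm -rf "$demo"
```

The listed paths would be handed to the scanner; a stale lock left by a killed run has to be removed by hand or by an age check.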
As this anti-virus script is being used on our production server, I
discovered some minor problems with the Virex command line scanner: it
was unable to check some kinds of messages because they used a special
encoding mechanism. Eventually, I found out how to use
munpack to extract the attachments first from the messages and then scan them with virex.
Sometimes, munpack also has problems with e-mail messages and it could get stuck. I've already put some limits into the script (maximum execution time of 5 minutes) which should prevent this kind of problem, but if you notice that your server becomes slow, just type this at the command line prompt:
ps -ax | grep munpack | grep -v "grep munpack"
This returns the currently running munpack process with its process ID number. To terminate that process, type:
kill -9 <processID>
The following attachment suffixes are moved to the quarantine directory if that option is enabled:
.lnk .bat .chm .cmd .vxd .pif .scr .hta .jse? .shm .shb .vbe .vbs .vbx .wsf .wsh
Message subjects are prepended with
[Careful: Attachment] when they contain any attachments with these suffixes:
.exe .com .shs .dll .zip
Messages with attachments that match any of the names listed in the virus.list file are also moved to the quarantine directory. This is useful for well-known viruses which have suffixes of .exe, .zip, .com, .dll that would otherwise only get the subject line changed.
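The three rules above (quarantine suffixes, subject tagging, virus.list names) combined into one decision, as an added example that is not the virexscript code. The function names are hypothetical, virus.list is assumed to hold one attachment file name per line, and ".jse?" is read as covering both .js and .jse.

```shell
#!/bin/sh
# Added example (not the virexscript code). Assumes virus.list holds one
# attachment file name per line, and reads ".jse?" as both .js and .jse.

# classify_attachment NAME [VIRUS_LIST] -> prints quarantine | tag | pass
classify_attachment() {
    # Compare in lower case so INVOICE.SCR still matches .scr.
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    list=${2:-}
    # Names from virus.list win over the suffix rules, so a known-bad
    # .zip or .exe is quarantined instead of only getting a tagged subject.
    if [ -n "$list" ] && [ -r "$list" ] &&
       tr '[:upper:]' '[:lower:]' < "$list" | grep -qxF -- "$name"; then
        echo quarantine; return
    fi
    # Only the final suffix decides, so "report.pdf.scr" counts as .scr.
    case "$name" in
        *.lnk|*.bat|*.chm|*.cmd|*.vxd|*.pif|*.scr|*.hta|*.js|*.jse|\
        *.shm|*.shb|*.vbe|*.vbs|*.vbx|*.wsf|*.wsh) echo quarantine ;;
        *.exe|*.com|*.shs|*.dll|*.zip) echo tag ;;
        *) echo pass ;;
    esac
}

# tag_subject SUBJECT -> prepends the warning once, even when run again.
tag_subject() {
    case "$1" in
        "[Careful: Attachment]"*) printf '%s\n' "$1" ;;
        *) printf '[Careful: Attachment] %s\n' "$1" ;;
    esac
}

# Constructed sample names.
for f in "photo.jpg" "Report.PDF.SCR" "setup.exe" "notes.txt"; do
    printf '%-16s %s\n' "$f" "$(classify_attachment "$f")"
done
```

The name passed in should be the decoded attachment file name taken from the message's MIME headers.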
Current version: 0.8 - updated 11th February 2004
Version: 0.7 - updated 26th January 2004
A little personal anti-virus history:
During the 80's and the early 90's our family business was running Mactivity/Macclub Benelux. It was the largest Mac User Group in Europe with more than 16,000 members in more than 20 countries. One of its services was the "free anti-virus update". It allowed people from around the world to send a self-addressed envelope to our company and receive the latest version of the then popular Disinfectant anti-virus tool by John Norstad. Our address was even listed in the Disinfectant documentation so people always knew where to get the latest version for free. There was also a commercial variant of the service: for a small yearly fee, our company sent out a disk containing Disinfectant as soon as a new version was released. At that time I made a lot of friends and pen pals from around the world whom I got to know through the anti-virus update service.
I've written some anti-virus software of my own during the past decades. When the first HyperCard virus appeared in 1991, I wrote the first vaccine for it. We called the virus "Musidenn" but other anti-virus companies later called it "MerryXmas". The first version of my antidote removed the virus from HyperCard stacks -- it was distributed to all the members of Mactivity and also included on the anti-virus update disks. Later versions were more advanced and included a checksum-based protection for all stacks -- making them immune to other viruses as well. That functionality was included in my PowerMenus developer tools for HyperCard which received a 3 mice rating from ZiffNet (a Ziff-Davis publishing division).
In 20 years of using Macintosh computers I've only had 1 virus infection on my computers which was immediately detected by Disinfectant.
In recent years, I've spent a lot of time fighting against viruses on our mail servers. It was the first time I had to deal with Windows viruses. My first scripts scanned our sendmail servers and blocked virus senders. Since we installed Post.Office on MacOS X I've been developing various tools to fight viruses on that platform.
More information about myself is available on our corporate site... (scroll down that page for the English information)