Post.Office Server Scanning Extension

Post.Office Support: Index

How this script works
Features
System Requirements
Installation
Files and Folders being used
Minor Problems & Troubleshooting
Unwelcome attachment names
History

Post.Office recommends using McAfee's Virex 7 to scan messages after they are received by Post.Office, but before they are delivered to the individual user mail boxes.

These scripts, created by Euregio.Net, are designed to manage the execution of Virex 7 on Post.Office systems. The scripts are run using a cron job or through a daemon. They provide a range of scanning levels that can work directly on the message content and attachment file names, with or without Virex 7.

How this script works

A cron job is executed every minute which scans the server with the Virex command line scanner for new messages since the last execution of the script. A daemonized version of the script is also available which scans the mailbox directory continously for new messages.

It sounds rather simple compared to other (expensive) anti-virus systems but it's quite effective. Development and testing of this script took more than 100 hours. It's been running without any major problems on our production mail server since late August 2003.

Different scanning options can be turned on or off by editing a few variables at the top of the anti-virus script

The script also uses some other methods to discovered unwelcome file attachments ( .lnk, .bat, .chm, .cmd, .vxd, .pif, .scr, .hta, .jse, .vbs ). This gives you a pretty good protection against any new viruses which are not yet covered by the Virex DAT files (virus definitions). When there are attachments with a suffix of .exe, .com, .dll or .zip then the subject line of the message is rewritten to alert the user that there is a potentially dangerous attachment in the message.

Attention Panther Users

It's been reported that there are some problems running these scripts on MacOS X 10.3.x (Panther). I still have to install a test server running Panther to find out what's going on. The scripts do work on MacOS X 10.2.x (Jaguar) without any problems. By the way, I'm currently testing the next version of the anti-virus scripts which also work with ClamAV (an open source anti-virus solution).

Current version: 0.8 - updated 11th February 2004

added the possibility to daemonize the script to continuously scan the mailbox directory
made some changes to the internal workings of the script to allow for the daemon option
fixed a small logging bug
added a log rolling option to roll logs daily

Features

Here are the features of the script:

New in version 0.8: possibility to run the script as a daemon to continuously scan the mail directory instead of running the script through a cronjob.

runs the Virex command line scanner through a cron job
uses grep to check for suspicious attachment names and move them to a quarantine folder
rewrites subject lines to "[Careful: Attachment]" for attachments you allow but which still look suspicious
works without Virex to just block messages based on attachment names

runs through a cron job every minute and makes sure that long running scans don't interfere with each other (only one scan at a time)
only scans new messages that arrived since the last execution (the initial run will scan your whole mailbox directory and therefore takes some time)
it's possible to use munpack to extract attachments before scanning them
rewrites the message subject when a suspicious suffix is found but you still want to allow those attachments (currently .exe, .com, .dll, .shs, .zip)
allows you to enable/disable various scanning options
allows you to exclude certain mailboxes from scanning
moves messages with suspicious attachments to a quarantine folder
you can limit the maximum file size of messages to be scanned (large messages rarely contain a virus)
automatically checks for the mailbox directory location (allowing for custom Post.Office installations)
uses a separate file with common virus attachments that might not be removed by Virex
maintains its own log file so you see what's going on

And best of all, there is an online configurator/wizard for the script which allows you to set your preferred configuration without having to wade through code of my shell script.

System Requirements

MacOS X 10.2.x with Post.Office
Virex 7.x (optional)
munpack (optional)
root access on your server

This script has been tested on MacOS X 10.2.x and is currently running a our mail server (MacOS X 10.2.8) without any problems.

Virex and the vscanx command line scanners are not provided in this script. You have to get a copy of Virex either through your McAfee or included with your .Mac subscription.

munpack is a small utility that can be used to extract attachments from an e-mail message which makes scanning a bit easier for Virex. This is optional for the virexscript but can provide better scanning results. You can get the munpack binary through the Communigate Virusscan script: CGVirusscan. Download CGVirusscan, extract the archive and then copy the munpack binary to /usr/local/bin/ on your server.

Installation

Here's a quick installation guide:

use the online configurator to adapt the script for your system or download the default script
(You won't need to edit the script in a text editor afterwards.)
copy the virexscript.txt file to the top level of your server
copy the virus.list file to the top level of your server if you want to use it
open your Terminal application
/Applications/Utilities/Terminal.app
change to the root user by typing the following after root#
su -
move virexscript.txt from the top level to the root home directory
mv /virexscript.txt ~/virexscript.sh
go to the root home directory
cd ~root
change the file permissions of virexscript.sh to make it executable
chmod 755 virexscript.sh
change the file ownership of virexscript.sh
chown root:wheel virexscript.sh
create a temporary directory for Virex to store extracted attachments
mkdir -p /tmp/virex
install munpack on your server if you want to use it
(see System Requirements)
create a "quarantine" folder on the top level of your server to store messages with unwelcome attachments
mkdir -p /quarantine
run the virexscript for the first time manually
./virexscript.sh
This will take some time as it checks all files in your mailbox directory for a first time. It will also show any errors that could occur. After the first run, the script will only verify the newest files since the last execution.
Append your list of cron jobs ( /etc/crontab ) to execute the virexscript.sh every minute
echo "*/1 * * * * root ~root/virexscript.sh > /dev/null 2>&1" >> /etc/crontab
Careful: be sure it says " >> /etc/crontab" as this will append the cron job at the end of the crontab file. If there is just a single > it will overwrite the whole crontab file.
You can also edit your crontab file manually with your favorite command line editor by putting
*/1 * * * * root ~root/virexscript.sh > /dev/null 2>&1
at the end of that file.
All done. The script now executes every minute and scans your mailbox directory for new viruses.
It wasn't all that hard, was it?

Make sure to read the rest of this page as well and if the anti-virus system is working for you, please support the development by donating something... :-)

Files and Folders being used

Here's a list of files and folders that are being used by the script. This information is provided just for your information, so you know what is going where.

The name of the script:
virexscript="/var/root/virexscript.sh"
The path to your virex command line scanner:
virexpath="/usr/local/vscanx/vscanx"
The Post.Office Mailbox directory. It's taken from the Post.Office configuration file but can be changed manually.
mailboxdir=`grep "MailboxDir" /etc/post.office.conf | cut -d "=" -f 2`
usually this is results in mailboxdir="/var/spool/mailbox"
The quarantine directory which is used to store messages with unwelcome attachments
quarantine="/quarantine/"
The virus list file which contains common virus names or other unwelcome attachment names. Usually you should keep it at an easy location as you might want to edit it frequently when you discover new viruses or unacceptable attachments
viruslist="/virus.list"
The location of munpack (when installed) usually is
munpack="/usr/local/bin/munpack"
When munpack is used, temporary files are usually stored in
/tmp/virex/****message-id****/
The reference file with the time-stamp of the last execution is
virextime="/tmp/virex.time"
The temporary file list of new files since the last execution is
scanlist="/tmp/virex.list"
The log file of this virus script is written to the standard log directory
virexlog="/var/log/virex.log"

Some minor problems

Slight chance of viruses slipping through

Since verison 0.8 it's possible to run the script as a daemon/background process. This will check your mailbox directory continuously instead of just once per minute. The script should be able to scan 99% of the messages.

The very first version checked the whole mailbox directory on every execution. That took too much time when there were lots of messages. Therefore I looked for a way to only scan any new messages. Using a cron job for your anti-virus solution is not 100% ideal because new messages could arrive and being downloaded while the script is still running.

Example:

15:37:00 - cron job launches virexscript.sh
15:37:01 - virexscript.sh created a list of all new files since the last execution
15:37:02 - virexscript.sh starts scanning the new files
15:37:02 - a new message for John Doe arrives and is stored in his mailbox
15:37:03 - John Doe downloads his new e-mail
15:37:04 - virexscript.sh finishes

The e-mail that arrives between the start of the scanning process and the next execution of the scanning process could contain a virus and get downloaded before the system has a chance to scan it. Personally, I think this little risk is worth having when the rest of the messages are being checked for viruses.

Some quirks with munpack and Virex

As this anti-virus script is being used on our production server, I discovered some minor problems with the Virex command line scanner: it was unable to check some kind of messages because they used a special encoding mechanism. Eventually, I found out how to use munpack to extract the attachments first from the messages and then scan them with virex.

Sometimes, munpack also has problems with e-mail messages and it could get stuck. I'v already put some limits into the script (maximum execution time of 5 minutes) which should prevent this kind of problems, but if you notice that your server becomes slow, just type this at the command line prompt:

ps -ax | grep munpack | grep -v "grep munpack"

This returns the currently running munpack process with its process ID number. To terminate that process, type:

kill -9 <processID>

Unwelcome Attachment Names

Following attachment suffixes are moved to the quarantine directory if that option is enabled:

.lnk
.bat
.chm
.cmd
.vxd
.pif
.scr
.hta
.jse?
.shm
.shb
.vbe
.vbs
.vbx
.wsf
.wsh

Message subjects are prepended with [Careful: Attachment] when they contain any attachments with these suffixes:

.exe
.com
.shs
.dll
.zip

Messages with attachments that match any of the names listed in the virus.list file are also moved to the quarantine directory. This is useful for well-know viruses which have suffixes of .exe, .zip, .com, .dll that would otherwise only get the subject line changed.

History

Current version: 0.8 - updated 11th February 2004

added the possibility to daemonize the script to continuously scan the mailbox directory
made some changes to the internal workings of the script to allow for the daemon option
fixed a small logging bug
added a log rolling option to roll logs daily

Version: 0.7 - updated 26th January 2004

fixed rewrite subject bug
changed logging for better overview and Virex status
added debug log option to write more information to the log file
updated the virus.list file to handle the MyDoom/Novarg Virus

A little personal anti-virus history:

During the 80's and the early 90's our family business was running Mactivity/Macclub Benelux. It was the largest Mac User Group in Europe with more than 16,000 members in more than 20 countries. One of its services was the "free anti-virus update". It allowed people from around the world to send a self-addressed envelope to our company and receive the latest version of the then popular Disinfectant anti-virus tool by John Norstad. Our address was even listed in the Disinfectant documentation so people always knew where to get the latest version for free. There was also a commercial variant of the service: for a small yearly fee, our company sent out a disk containing Disinfectant as soon as a new version was released. At that time I made a lot of friends and pen pals from around the world whom I got to know through the anti-virus update service.

I've written some anti-virus software of my own during the past decades. When the first HyperCard virus appeared in 1991, I wrote the first vaccine for it. We called the virus "Musidenn" but other anti-virus companies later called it "MerryXmas". The first version of my antidote removed the virus from HyperCard stacks -- it was distributed to all the members of Mactivity and also included on the anti-virus update disks. Later versions where more advanced and included a checksum-based protection for all stacks -- making them immune to other viruses as well. That functionality was included in my PowerMenus developer tools for HyperCard which received a 3 mice rating from ZiffNet (a Ziff-Davis publishing division).

In 20 years of using Macintosh computers I've only had 1 virus infection on my computers which was immediately detected by Disinfectant.

In recent years, I've spend a lot of time fighting against viruses on our mail servers. It was the first time I had to deal with Windows viruses. My first scripts scanned our sendmail servers and blocked virus senders. Since we installed Post.Office on MacOS X I've been developing various tools to fight viruses on that platform.

More information about myself is available on our corporate site... (scroll down that page for the English information)