AntiVirusINSTALL - INSTALL file for the Anti-Virus Plugin for DansGuardian.

Created by James A. Pattie (james@pcxperience.com)
(c) 2002 by Xperience, Inc. (http://www.xperienceinc.com/)
Licensed under the GPL.

02/05/2003
Version 1.3 for DansGuardian 2.4.6-8

This documents how to add Anti-Virus scanning to the DansGuardian project.

REQUIREMENTS:
  perl 5.6.1 or 5.8.0
  DansGuardian 2.4.6-8
  dansguardian-virus-scripts 1.04
  Mail::Sender 0.8.00

Download the latest dansguardian-virus-scripts tarball or rpm package from
http://www.pcxperience.org/dgvirus/. These scripts come from the MailScanner
project. Also, some of the code that is integrated into DansGuardian is from
the MailScanner package. See the MailScanner site for any installation notes
regarding your Anti-Virus product: http://www.mailscanner.info/

If installing from the tarball, copy the usr/lib/DGVirus directory structure
to /usr. If installing from rpm, you need to install it before the
dansguardian-virus package.

Download the tarball or our rpm of Mail::Sender 0.8.00 from CPAN or the
support directory. This needs to be installed before installing DansGuardian.

Download the source to DansGuardian 2.4.6-8. Now you need to patch the source:

  gunzip DansGuardian-2.4.6-8-AntiVirus-1.3.patch.gz
  gunzip DansGuardian-2.4.6-8-logrotation.patch.gz

You can either build manually:

  tar xvzf DansGuardian-2.4.6-8.source.tar.gz
  cd DansGuardian-2.4.6
  patch -p1 < ../DansGuardian-2.4.6-8-AntiVirus-1.3.patch
  patch -p1 < ../DansGuardian-2.4.6-8-logrotation.patch

This assumes you have the patches in the same directory as the source tarball
for DansGuardian 2.4.6-8. Now read the INSTALL file and follow the steps to
build DansGuardian. Make sure you install the Mail::Sender package.
Or you can build an rpm from the included DGVirus.spec file:

  cp DansGuardian-2.4.6-8.source.tar.gz /usr/src/redhat/SOURCES
  cp DansGuardian-2.4.6-8-AntiVirus-1.3.patch /usr/src/redhat/SOURCES
  cp DansGuardian-2.4.6-8-logrotation.patch /usr/src/redhat/SOURCES
  cp linux.in-rpmfixup.patch /usr/src/redhat/SOURCES
  cp DGVirus.spec /usr/src/redhat/SPECS
  cd /usr/src/redhat/SPECS
  rpm -bb DGVirus.spec

First install the DansGuardian-Virus-Scripts support package:

  rpm -Uvh DansGuardian-Virus-Scripts-1.04-1.noarch.rpm

Next install the perl-Mail-Sender package:

  rpm -Uvh perl-Mail-Sender-0.8.00-1.i386.rpm

Now install the newly created DansGuardian package:

  rpm -Uvh ../RPMS/i386/DansGuardian-Virus-1.3-1.i386.rpm

VIRUS Engine Configuration:

To enable your virus scanner (if it is not F-Prot, or F-Prot is not installed
in /usr/local/f-prot) you need to edit virusscanner.conf in the dansguardian
configuration directory. This file also has other options that can be tweaked,
though not all options are currently being used.

NOTE: Currently, once this patch is applied, all content (html/text, etc.)
other than SSL connections is scanned by default. If you want to disable the
virus scanning code, modify the generated dansguardian.conf file and change
on to off for the virusscan option.

If a virus is detected, an HTML document stating that fact will be sent to the
browser. In the event that you were downloading a big file, you might have the
first couple of bytes of the file in question already downloaded, and so the
HTML error document will be appended to it. If downloading and saving to disk,
always check to make sure that the resulting file is what you were expecting.

The Virus scanning code will log, via syslog, the scanning messages and output
the results of any virus found messages.

F-Prot is the anti-virus engine I'm testing. The other virus programs that
MailScanner supports have been converted but since I don't own them I haven't
tested the code yet.
If you own one of the other engines I would appreciate any help in debugging
the code and getting it supported. I have had confirmation that the Sophos code
works.

I have added code provided by G.H.J. Dorssers to make the AntiVir virus scanner
work, but it is totally unsupported by me. You will have to modify
virusscanner.conf and change 'Minimum Code Status' from supported to
unsupported along with the Virus Scanner and Sweep values.

2002/11/01 - I now rely on the dansguardian-virus-scripts package I'm creating
from the MailScanner 4.x release for virus wrapper scripts. This is now in
/usr/lib/DGVirus and the names of the virus wrapper scripts are slightly
different. If things break after an upgrade, check to make sure you are
pointing at the right file.

2002/11/27 - Postmaster will now always receive an email when a virus is
detected. If squid is requiring proxy authentication, then the detected user
will also get an email (as long as virusscanner.conf is properly configured).
I recommend using pam_auth (provided with squid) and configuring it to use
whatever authentication mechanism PAM provides that you have easily available,
to specify valid users whose username is also a valid email address user.
Any emails generated to users will have the Mail Domain value appended to them
as follows:

  user@MailDomain

where user is the detected username.

Quarantining of the infected files is now available and will store the files
in the following format:

  prefix/dgvirus/quarantine/DATE/USER//FILE

where prefix/dgvirus/quarantine is user defined in virusscanner.conf, DATE is
today's date in YYYYMMDD format, USER is the detected user's name or no-user if
proxy auth is disabled, the component between USER and FILE is the url with
any & escaped, and FILE is the temporary file DansGuardian uses in format
fileXXXXXX.

01/13/2003 - A status file is now generated that will allow the user to see the
status of large files being downloaded.
The status files are stored in the DownloadDir directory under status and are
grouped by the IP address of the client or the detected user name (no-user if
none detected). This grouping is configurable in virusscanner.conf.

Ex: DownloadDir = /tmp/dgvirus, Temp file = fileXYZ123, User Name = james
    Status File = /tmp/dgvirus/status/james/fileXYZ123

    If grouping by IP and the IP was 10.0.0.2, then
    Status File = /tmp/dgvirus/status/10.0.0.2/fileXYZ123

The status file will be deleted when the file is done downloading, when the
file transfer is canceled, or on any other error condition.

The status file is locked via flock, so any monitoring scripts should acquire
a LOCK_SH before reading from the file to make sure that they get complete
data.

The output format is:

  started: Start TimeStamp
  last: Last Updated TimeStamp
  url: url
  file: name of temporary file
  fileLength: # bytes in file
  bytesDownloaded: # bytes currently downloaded
  user: detected user name
  userIP: IP of browser

Changelog:

1.0rc1 - initial release. Added the perl parser code from MailScanner (heavily
modified) to DansGuardian 2.4.5-2.

1.0rc2 - All non text/html data is now written to disk immediately instead of
keeping it in memory. This provides a great speed advantage when dealing with
very large file streams. This is only done if the virus scanning code is
enabled. The virus scanning code can be disabled via the virusscan config
option in dansguardian.conf.

1.0rc3 - Patched in changes from MailScanner 3.22-12 for the F-Prot scanner.
Added install notes about configuring the Virus Engine to use in this file.
Applied some security fixes from the MailScanner project in regards to logging.
Improved error handling and debug output in the TrickleBuffer and VirusScanner
modules. Added support for AntiVir virus scanner provided by G.H.J. Dorssers.

1.0rc4 - Created rpm spec file so you can make an rpm of the DansGuardian
software with the AntiVirus patches applied.
I'm also including the patch for my logrotation enhancement in the spec file.
Bundling and referring to the dansguardian-virus-scripts package for all the
virus wrapper scripts from MailScanner. This means you no longer need to
download and install the MailScanner package to get them. Adding support to
be able to specify file extensions and mime types that should not be virus
scanned.

1.0 - Fixed the issue where a site on the exception list that you were trying
to reach over https would just time out. This was because I was trying to
virus scan the CONNECT instead of ignoring it. Added quarantine support. See
notes for more details. Added support to email the postmaster and potentially
the user when a virus is detected. There are new configuration options that
allow you to configure this functionality:

  Mail Server
  Mail Domain
  Mail Type
  Local Postmaster

This feature relies on the Mail::Sender package from CPAN. An rpm is available
from the support directory. You can now specify the directory that DansGuardian
will download the temporary files to before it scans them. By default it is
still /tmp/dgvirus. We recommend you have as much available space as the
biggest files you will be attempting to download. /var/tmp/dgvirus may be a
better location if /var is bigger than / or /tmp. The config option is
Download Dir. The Quarantine Dir now defaults to
/var/www/html/dgvirus/quarantine. Improved the F-Prot output handling so it
actually reports the found Infection value and does not output
"Infection: whatever" unless the file being scanned was an archive and it found
an infection in file(s) in the archive.

1.1 - Updated the virus support scripts to 1.01. Adding the IP address of the
client to the postmaster report. Cleaned up the email format that postmaster
sees. Updated F-Prot scanner code. Improved the rpm packages and changed the
name to be DansGuardian from dansguardian so that it conforms to the current
standard.
1.2 - Added status file support so that the user can monitor the status of
their downloads. Updated F-Prot and F-Secure scanner code. Updated the virus
support scripts to 1.02. Included a sample monitor.pl script for monitoring
downloads.

1.3 - Updated the logrotation patch to add a sleep 2 after killing dansguardian.
Added ClamAV support. Updated the virus support scripts to 1.03 from
MailScanner 4.13-3. Fixed a memory allocation bug. Updated the virus support
scripts to 1.04 from MailScanner 4.14-9.
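As an added example (not the monitor.pl shipped with the patch, and not code from the original file): a small Python reader for the status file described in the 01/13/2003 note above. It takes the LOCK_SH the note asks for before reading, parses the "key: value" lines, treats a vanished file as a finished or failed download, and reports progress. The status file contents, the temporary DownloadDir, and the DownloadDir/status/<user>/<tempfile> layout it writes to are constructed here from the example in the note.

```python
import fcntl
import os
import tempfile
# Constructed sample in the "key: value" layout described above (made-up values).
SAMPLE_STATUS = """started: 1042473600
last: 1042473615
url: http://example.com/big.iso
file: fileXYZ123
fileLength: 734003200
bytesDownloaded: 183500800
user: james
userIP: 10.0.0.2
"""

def read_status(path):
    """Parse one status file under a shared flock so a half-written update is
    never read. Returns None if the file is gone (normal: DansGuardian deletes it)."""
    try:
        fh = open(path)
    except FileNotFoundError:
        return None
    with fh:
        fcntl.flock(fh, fcntl.LOCK_SH)   # blocks while the writer holds LOCK_EX
        try:
            lines = fh.read().splitlines()
        finally:
            fcntl.flock(fh, fcntl.LOCK_UN)
    status = {}
    for line in lines:
        key, sep, value = line.partition(":")   # url values contain ':' too
        if sep:                                 # skip blank or malformed lines
            status[key.strip()] = value.strip()
    return status

def progress(status):
    """Fraction downloaded, or None when fileLength is absent or zero."""
    try:
        total, done = int(status["fileLength"]), int(status["bytesDownloaded"])
    except (KeyError, ValueError):
        return None
    return done / total if total > 0 else None

def demo():
    """Lay the sample out as DownloadDir/status/<user>/<tempfile> and read it back."""
    group_dir = os.path.join(tempfile.mkdtemp(prefix="dgvirus-"), "status", "james")
    os.makedirs(group_dir)
    path = os.path.join(group_dir, "fileXYZ123")
    with open(path, "w") as fh:
        fh.write(SAMPLE_STATUS)
    return read_status(path)
```

A real monitor would loop over every group directory under DownloadDir/status and re-read each file periodically; the same read_status call applies, and a None result simply means that download has ended.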