Virus filtering with ze-filter

You can use ze-filter to filter viruses in two ways:

  • using its internal scanner to detect what we call X-FILES.
  • using an external virus scanner (such as ClamAV clamd).

The idea behind detecting X-FILES is that all viruses must execute some code in order to infect a computer and propagate. So, if you can detect all messages with embedded code, you can detect all viruses. This is not entirely true, as someone can send you a message containing only a reference to some location (e.g. a link to a web server) from which the virus will actually be downloaded.

ze-filter calls X-FILE any kind of file that can carry embedded executable code. An X-FILE can be defined by its name, its file extension, its MIME type or some combination of them.

Detecting X-FILES has some advantages over analyzing file contents:

  • X-FILES detection is based only on external characteristics of the attached file (e.g., its file extension), so it's much faster than analysing file contents.
  • No maintenance operations are required, as X-FILES detection doesn't depend on virus signature databases.
  • New viruses are immediately detected (for the same reason).

On the other hand, some users may want to send legitimate executable code, which will be blocked by X-FILES checking. The easiest workaround is to change the file extension to a safe one, for example from .exe to .zzz.

Another drawback of X-FILES detection is that some viruses come embedded in Microsoft Word macros. As long as you can't include the .doc extension in the X-FILES definition, this kind of virus can't be detected. On the other hand, these viruses are becoming rarer. The workaround is to always have virus protection installed on user computers. Either way, mail isn't the only way of getting infected, and your computers ought to be protected against viruses propagating over other protocols (web, …).

You can define your own list of X-FILES file extensions or simply use the existing ones provided as a basis. ze-filter comes configured with a list of file extensions defined by Microsoft as being Unsafe Files.

Configuring ze-filter to detect X-FILES

Enabling X-FILES detection

This is done in the /etc/ze-filter/ze-filter.cf file.

XFILES                     OK
#    OK        - X-FILES detection is disabled
#    REJECT    - reject message at SMTP session
#    DISCARD   - accept the message but silently discard it
#    NOTIFY    - send a notification message
#    X-HEADER  - accept the message but add a tag to "Subject" header
 
XFILE_SAVE_MSG             YES
# When set to YES, messages containing X-FILES are quarantined at spool directory
 
XFILE_SUBJECT_TAG
# Tag to be prepended to "Subject" header on messages containing X-FILES

Defining X-FILES at run time

You can define X-FILES in /etc/ze-filter/ze-xfiles:

#  Syntax :
#  MIME;conditions   FILENAME
# where
#  MIME       ::=    ( [!]MIMETYPE | ALL [;sizeof=min,max] )
#  FILENAME   ::=    (regular expression | TAG)
#  TAG        ::=    ( DEFAULT | TNEF | CLSID )
# Examples :
#
# default X-FILES definition
ALL                     DEFAULT
# All zip files whose mime type is different from x-zip-compressed
!x-zip-compressed       \.zip$
# All zip files whose filename (without extension) is less than 16 characters long
ALL                     ^.{0,15}\.zip$
# All messages with attached zip files, whose size is smaller than 250000 bytes
ALL;size=0,250000       \.zip$
# CLSID and TNEF files
ALL                     TNEF
ALL                     CLSID
# RFC 2046 tricky messages
message/partial         ALL
message/external        ALL

To check how X-FILES are defined at run time, type:

$ ze-filter -t xfiles
->   ALL                        0/      0 : DEFAULT
->   ALL                        0/      0 : TNEF
->   ALL                        0/      0 : CLSID
->   message/partial            0/      0 : ALL
->   message/external           0/      0 : ALL
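
The rule syntax above can be exercised offline with a small matcher. This is an added example, not ze-filter code: it assumes MIME types are compared by substring and filenames case-insensitively, uses a constructed four-extension subset for DEFAULT, and does not model the TNEF and CLSID tags.

```python
import re

# Constructed subset of the compile-time DEFAULT list (extensions shown on this page).
DEFAULT_EXTS = {"ade", "adp", "app", "bas"}

def parse_rules(text):
    """Parse 'MIME[;size=min,max]  FILENAME' lines; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = " ".join(line.split())            # normalise column padding
        if not line or line.startswith("#"):
            continue
        left, pattern = line.split(" ", 1)
        mime, _, cond = left.partition(";")
        m = re.fullmatch(r"(?:size|sizeof)=(\d+),(\d+)", cond)  # page shows both spellings
        size = (int(m.group(1)), int(m.group(2))) if m else None
        rules.append({"negate": mime.startswith("!"), "mime": mime.lstrip("!"),
                      "size": size, "pattern": pattern, "line": line})
    return rules

def rule_matches(rule, mime, filename, size):
    """True when one rule flags an attachment described by MIME type, name and size."""
    if rule["mime"] != "ALL":
        hit = rule["mime"].lower() in mime.lower()   # assumption: substring match
        if hit == rule["negate"]:
            return False
    if rule["size"] and not rule["size"][0] <= size <= rule["size"][1]:
        return False
    pat = rule["pattern"]
    if pat == "ALL":
        return True
    if pat == "DEFAULT":
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        return ext in DEFAULT_EXTS
    if pat in ("TNEF", "CLSID"):
        return False                                 # not described on the page; not modelled
    return re.search(pat, filename, re.IGNORECASE) is not None  # assumption: case-insensitive

def first_match(rules, mime, filename, size):
    """Return the first rule line that flags the attachment, or None."""
    return next((r["line"] for r in rules if rule_matches(r, mime, filename, size)), None)

# Four of the rules from the ze-xfiles example above.
RULES = parse_rules(r"""
ALL                     DEFAULT
!x-zip-compressed       \.zip$
ALL;size=0,250000       \.zip$
message/partial         ALL
""")
```

Calling `first_match(RULES, "application/zip", "docs.zip", 100)` returns the `!x-zip-compressed` rule, while an attachment that no rule covers returns `None`.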

Defining X-FILES at compile time

Default X-FILES are defined in aux/xfiles.def, included in the ze-filter distribution. You can edit this file to add your own definitions or remove others. The file extensions defined in this file correspond to the DEFAULT file extensions used in the /etc/ze-filter/ze-xfiles configuration file.

Changes to this file must be made before configuring and compiling the software.

_ORIGIN_                MS-UNSAFE
.ade                    Microsoft Access project extension 
.adp                    Microsoft Access project 
.bas                    Microsoft Visual Basic class module 
...

To check how X-FILES were defined at compile time, type:

$ ze-filter -x
  Ext   ORIGIN       File Type
  ------------------------------------------------------
  ade   MS-UNSAFE    Microsoft Access project extension
  adp   MS-UNSAFE    Microsoft Access project
  app   OFFICE2000   Visual FoxPro Application
...

Configuring ze-filter with an external virus scanner

It's possible to tell ze-filter to contact an external program to scan messages for viruses or anything else.

To do so, install a “scan server” listening on some inet/unix socket.

At the moment, ze-filter is able to use two external virus scanners:

  1. clamd - this is a very fast virus scanner. See below for instructions on how to use it.
  2. user defined scanner - this is a simple interface allowing users to define their own filter, if features proposed by ze-filter aren't enough. This interface may be used to connect a real antivirus scanner.

You'll find an example of a user filter in the contrib/user-filter directory. This example is known to be used with McAfee and Trendmicro virus scanners.

It's a server launched by inetd or xinetd. ze-filter talks to the server using an internal protocol. You can extend this example to handle almost any external file scanner.

The restriction is that this external scanner may be much slower than the internal ze-filter scanner, so it is not recommended for very large mail servers.

If you want to use external scanners with very large mail servers, the scan server should not fork and should preload all the data it needs to scan message files.

Communication with an external scanner is configured with the following options:

Enabling an external scanner

# SCANNER_ACTION
#     VALUES :  OK  REJECT  NOTIFY  DISCARD
SCANNER_ACTION             OK
 
# SCANNER_SOCK
#     Communication socket between ze-filter and external scanner
SCANNER_SOCK               local:/var/run/ze-filter/scanner.sock
# or
SCANNER_SOCK               inet:2002@localhost
 
# SCANNER_PROTOCOL
#     Protocol
#     VALUES:  INTERNAL  CLAMAV
SCANNER_PROTOCOL           INTERNAL
 
# SCANNER_SAVE
#     Shall messages be quarantined?
#     VALUES:  NO  YES
SCANNER_SAVE               YES

Configuring ze-filter with ClamAV clamd

First, you must get and install the latest ClamAV tarball from http://www.clamav.net.

Previous releases of ze-filter could be linked against libclamav. This feature was removed, as the filter is more robust if the filter front-end and the virus scanner are isolated.

To use ze-filter with clamd, configure ze-filter (ze-filter.cf) with the following lines:

SCANNER_ACTION             NOTIFY
SCANNER_SOCK               inet:3310@localhost
SCANNER_PROTOCOL           CLAMAV
SCANNER_SAVE               YES

  • ze-filter passes the path of the message to be scanned to clamd. So, in order to have access to the ze-filter message spool, clamd must run under the same user id as ze-filter: smmsp, by default.
  • As a consequence, you have to adjust some file permissions so that clamd is able to run. Mainly, if clamd is running as, e.g., smmsp, this user should have at least these rights (path names are for our site):

LogFile              /opt/clamav/log/clamd.log      WRITE ACCESS
PidFile              /opt/clamav/var/run/clamd.pid  WRITE ACCESS
DatabaseDirectory    /opt/clamav/db                 READ  ACCESS

Don't forget to configure these options in the clamd configuration file (clamav.conf):

User        smmsp
ScanMail
TCPSocket   3310
TCPAddr     127.0.0.1

Quarantine Management

# CLEANUP_INTERVAL
#     Quarantine directory clean-up interval
CLEANUP_INTERVAL           21600
 
# QUARANTINE_MAX_AGE
#     Quarantine
QUARANTINE_MAX_AGE         86400
 
# XFILE_SAVE_MSG
#     Shall messages containing X-FILES be quarantined?
XFILE_SAVE_MSG             YES
 
# SCANNER_SAVE
#     Shall messages be quarantined?
SCANNER_SAVE               YES

Quarantine files are kept in /var/spool/ze-filter for 1 day here (86400). This is useful for debugging. Here we have enabled quarantine for X-FILES.

mx0:~# ll /var/spool/ze-filter/
total 196
-rw------- 1 smmsp smmsp  3427 2008-02-28 23:19 47C7335B.000.0000.xfile
-rw------- 1 smmsp smmsp 63925 2008-02-29 12:39 47C7EF06.001.0000.xfile
-rw------- 1 smmsp smmsp    67 2008-02-29 13:43 47C7FDAE.000.0000
-rw------- 1 smmsp smmsp 56947 2008-02-29 14:02 47C8024C.000.0000.xfile
-rw------- 1 smmsp smmsp 51345 2008-02-29 14:02 47C8024D.000.0000.xfile
-rw------- 1 smmsp smmsp    53 2008-02-29 14:53 47C80E69.001.0000

Quarantine Management - Ideas & Wishes ...

doc/virus/start.txt · Last modified: 2018/02/09 17:02 (external edit)
CC Attribution-Noncommercial-Share Alike 4.0 International