virus scanners

dlbcon

virus scanners

Post by dlbcon »

Is there a way to use Norton Corporate as the virus scanner?

vnvjeep
Posts: 88
Joined: Tue Jun 25, 2002 3:01 pm
Location: Orlando, FL

Post by vnvjeep »

I'm actually using NAI Netshield, and it caught my first couple of viruses yesterday. It basically quarantined the entire email as it came through... i.e. the entire *.mai file was moved to quarantine... It's not as nice as it should be where just the attachment gets stripped and the actual message + warning is sent along to the user. But, at least it prevented some viruses from coming through. :)

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

MailEnable's AV filter extracts all attachments to a scratch directory and parses them. It should not have deleted the MAI, and should have stripped out the attachment settings (As you indicated). We have not actually tested using Netshield. If you could post or mail the settings you are using - would be great.

MailEnable should pretty much accommodate any command line virus checker. A KB article will be published on those we have tested and the settings to use.

Thanks
Regards, Andrew

vnvjeep
Posts: 88
Joined: Tue Jun 25, 2002 3:01 pm
Location: Orlando, FL

Post by vnvjeep »

Dave... NAI's Netshield is not commandline. It's a virus scanning service that runs on Win2k/NT... it will basically watch file transactions, and if it catches something, it throws it into quarantine. It has no knowledge of the ME service that is running... and wouldn't know how to even interface it, unless I run the commandline version of McAfee VShield or something... Do you have any instructions for that by any chance?

Thanks,
Mike

Nigel

Post by Nigel »

I've been looking at this all day: the place I'm working uses NAI products exclusively.

There is scan.exe located at c:\program files\common files\network associates\virusscan engine\4.0.xx\scan.exe - it's installed with netshield and virusscan and can be used to scan files from the command line (as we are talking here)

The options can be looked up at the NAI website, or in your NAI documentation for the product. It's here also http://download.nai.com/products/media/ ... t45wag.pdf

Are you able to post what is needed to make the virusscanner work?

I'm assuming that I would exclude the MailEnable Directories from the Scanner, and then use the command line scanner. As far as I was aware however there were only 2 supported products.

I will be playing with this tonight of course, but need to know how/answer so that I can recommend MailEnable to the company. I want to use it, and have approval in principle (7 sites) but need to be sure.

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

We only supply two settings for virus scanners in the current configuration - but the engine is designed to work with most command line virus scanners. To use additional A/V checkers (at this stage) requires editing the registry. We will update the installation kit to support more scanners in the near future.

How Antivirus Filtering Works:

If Antivirus support is enabled, messages are unpacked and scanned as they pass through the Mail Transfer Agent. (The MTA moves mail messages internally within MailEnable). When the MTA picks up a message from a connector's queue, it unpacks it into a scratch directory and uses the command line specified in the MMC to scan each unpacked file. In most cases, command line virus checkers have the ability to automatically delete files. If one of the scanned attachments of the message is deleted, the Antivirus filter assumes that it has a virus and when the message is reconstructed, it replaces the offending content with a note indicating that offending content was removed.

Both Sophos and F-Prot work this way. This is why their command lines are specified like:
"\"[AGENT]\" \"[FILENAME]\" -remove -s -nb -nc"

This can be seen if you open the registry and access HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\{Virus Scanner Short Name}.

Note that the [AGENT] and [FILENAME] tokens in this registry setting are replaced by the path to the A/V Command Line Scanner and the attachment name (which is generated by the system).
The "-remove -s -nb -nc" part of this registry value is the part that will vary depending on the scanner application you are using.
You will notice this if you look at the Sophos and F-Prot examples that are provided.

Ensuring that the A/V app supports auto deletion is a little limiting. As a result there are registry settings that allow the use of the scanner's DOS error level or exit code.

The respective settings are:
"Exit Code Enabled":0/1 - on/off
"Exit Codes": eg: 1 2 9: space delimited string containing application exit codes
"Exit Codes Error Inclusive" : 0/1 - on/off: used to configure whether the "Exit Codes" indicate errors or successes

Using your own Anti-virus Scanner:

A sample registry import file is outlined below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\Custom]
"Status"=dword:00000000
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"="C:\\Program Files\\Mail Enable\\Scratch"
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" -remove -s -nb -nc"
"Antivirus Agent"="C:\\Program Files\\Virus Scanner\\CUSTOM.EXE"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="Custom"
"Program Info"="This is a template for new virus scanners."
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000001
"Exit Codes"="1"

You can copy this into Notepad, save it as a .reg file and import it using the registry editor. Once imported into the registry, you can edit the settings to those required by your anti-virus command line application.

Regards, Andrew
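
The decision process described in the post above, modelled as an added example (not part of the original post and not MailEnable code). The reading of "Exit Codes Error Inclusive" is an assumption, as are exit code 0 meaning "clean" and the constructed exit code 2 standing for a scanner that failed to run.

```python
# Added illustration, not MailEnable code: models the filter decision described
# in the post above, using the registry value names from the thread.
from dataclasses import dataclass

@dataclass(frozen=True)
class FilterConfig:
    agent: str               # "Antivirus Agent"
    parameters: str          # "Antivirus Parameters"
    exit_code_enabled: bool  # "Exit Code Enabled"
    exit_codes: str          # "Exit Codes", space-delimited
    error_inclusive: bool    # "Exit Codes Error Inclusive"

def expand(cfg: FilterConfig, filename: str) -> str:
    """Substitute the [AGENT] and [FILENAME] tokens into the command line."""
    return (cfg.parameters.replace("[AGENT]", cfg.agent)
                          .replace("[FILENAME]", filename))

def is_infected(cfg: FilterConfig, exit_code: int, file_exists: bool) -> bool:
    # From the post: an unpacked file the scanner deleted is assumed infected.
    if not file_exists:
        return True
    if not cfg.exit_code_enabled:
        return False
    listed = exit_code in {int(c) for c in cfg.exit_codes.split()}
    # ASSUMPTION: inclusive=1 -> listed codes mean "virus";
    # inclusive=0 -> listed codes are the only "clean" results.
    return listed if cfg.error_inclusive else not listed

def verdicts(cfg, outcomes):
    """Map each (exit_code, file_exists) outcome to 'strip' or 'deliver'."""
    return {o: "strip" if is_infected(cfg, *o) else "deliver" for o in outcomes}

# Settings as posted in the thread's template (exit code 1, inclusive).
POSTED = FilterConfig(
    agent=r"C:\Program Files\Virus Scanner\CUSTOM.EXE",
    parameters='"[AGENT]" "[FILENAME]" -remove -s -nb -nc',
    exit_code_enabled=True, exit_codes="1", error_inclusive=True)
# Same scanner with the list inverted: only exit code 0 counts as clean.
STRICT = FilterConfig(POSTED.agent, POSTED.parameters, True, "0", False)

# Constructed outcomes: clean, detection, deleted by the scanner, and a
# scanner that could not run at all (exit code 2 is a made-up failure code).
OUTCOMES = [(0, True), (1, True), (1, False), (2, True)]

if __name__ == "__main__":
    print(expand(POSTED, r"C:\Program Files\Mail Enable\Scratch\att1.tmp"))
    for name, cfg in (("posted", POSTED), ("strict", STRICT)):
        print(name, verdicts(cfg, OUTCOMES))
```

Under these assumptions the posted settings deliver the attachment when the scanner returns an unlisted code, while the inverted list strips it; check your scanner's documented exit codes before choosing either form.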

Nigel

Post by Nigel »

Awesome. I'm testing at the moment with NAI Netshield

I'll repost back/Email in when I have it working correctly. It does have the same options.

The selections will work with VirusScan as well.

Thanks

Nigel

Nigel

Post by Nigel »

Well wouldn't you know it, I've got it working.

It even does a nice little beep at the console when it hits a virus. If you don't want that you can add a /NOBEEP Parameter

You'll see I had to modify the Processing Order entry in Filters. Without this, the Scanner wouldn't load. Modified this, and it worked a treat.

It would be nice to see MailEnable have reporting options - Such as the ability to Send the Virus note back to the originator, and options to disable notifications and just drop the email. But later - this is awesome

Love your work anyway

OK - .reg file is as follows

_________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVNAI,MEAVSOP,MEAVFPI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNAI]
"Status"=dword:00000001
"Antivirus Notification Message"="<<- Attachment was removed because it appears to contain a virus ->>"
"Antivirus Scratch Directory"="C:\\Program Files\\Mail Enable\\Scratch"
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /ALL /DEL"
"Antivirus Agent"="C:\\Program Files\\Common Files\\Network Associates\\VirusScan Engine\\4.0.xx\\scan.exe"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="NAI Netshield and VirusScan"
"Program Info"="Network Associates VirusScan and Netshield Win32 Products"
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000001
"Exit Codes"="1"


Have Fun.

Nigel Veerhuis - nigelv@bigpond.net.au

dlehman
Posts: 56
Joined: Wed Jul 03, 2002 4:57 am

Post by dlehman »

Nigel,
Thanks!

Nigel

Post by Nigel »

No problem.

I'm hoping to put in an order for 6 * MailEnable Pro Licences in the next 3 days - Getting Antivirus going was the only thing stopping me!

Cheers

Nigel

rpsmith
Posts: 128
Joined: Tue Aug 13, 2002 10:57 am
Location: Houston Texas

F-Prot doesn't scan files inside of zip file

Post by rpsmith »

It appears F-Prot doesn't scan files inside of a zip file. Is it possible to configure ME so it will?

thanks, rpsmith

dlehman
Posts: 56
Joined: Wed Jul 03, 2002 4:57 am

Post by dlehman »

Interesting problem using the above settings. I was/am having an issue with this. It seems our SMTP service simply dies when the McAfee is selected, and the system resets it to the F-Prot. Once that happens I cannot get the service to start until I disable virus scanning. I am going to check the entries to make sure I didn't do something stupid, but it's pretty straightforward.

feagans
Posts: 23
Joined: Tue Jul 23, 2002 9:05 am
Location: Chicago, IL

Sophos is King

Post by feagans »

Not to change the subject but I was a previous user of Symantec anti-virus products until I saw the light. Sophos is by far the best anti-virus package around. It works on any and all OS platforms...All Windows versions, DOS, All Windows Server products, UNIX, Linux, you name it and it all works. The cost is reasonable, setup is easy both local and enterprise. Their support is number 1 in the industry hands down!!! I get "to-the-second" virus identity updates...sometimes 3-5 a day...not like Symantec's download method and not getting any updates sometimes for 1-2 weeks. It seems as though Sophos has got it together just like ME....great combo.

I administer a network of over 5000 nodes with Sophos clients running on each of them. It's well tested and they have the user in mind and not just profits like some of the other guys. I have had no problems whatsoever with the integration of Sophos and ME. I have also yet to see anyone post any problems about it either.

If you were ever thinking of changing vendors or never really put much thought into changing...I would highly recommend Sophos to everyone...as well as ME.
Scott Feagans
Network Engineer
scott@smirty.com

Nigel

Post by Nigel »

If you're having trouble with McAfee using above settings, remember that the \\'s are only in .reg files.

If you are updating the registry directly, then you only need single slashes

Nigel

joliveira
Posts: 15
Joined: Wed Aug 07, 2002 6:21 am

Just for you use this from McAfee AV

Post by joliveira »

I hope you test this and buy the product.

This is for use with dailyscan.zip from McAfee
URL is: http://bin.mcafee.com/molbin/iss-loc/vs ... lyscan.zip

1 - step

Insert these entries in regedit (or copy and paste into Notepad and save with the extension .reg):


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVNAI,MEAVSOP,MEAVFPI"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNAI]
"Status"=dword:00000001
"Antivirus Notification Message"="your message for alert virus"
"Antivirus Scratch Directory"="C:\\vs2"
"Antivirus Parameters"="\"[AGENT]\" \"[FILENAME]\" /ALL /DEL /report test /nodda /nomem"
"Antivirus Agent"="C:\\vs\\SCANPM.EXE"
"Provider DLL"="MEAVGEN.DLL"
"Program Name"="Test VirusScan"
"Program Info"="Network Associates VirusScan Win32 Products"
"Exit Code Enabled"=dword:00000001
"Exit Codes Error Inclusive"=dword:00000001
"Exit Codes"="1"


----end----
Now this scanpm.exe doesn't work with long names and I created a dir called "c:\vs2" for "Antivirus Scratch Directory" and "c:\vs" for Anti-Virus program.
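
A check for the configuration problems reported across this thread (the Processing Order entry, the `\\` escaping that belongs only in .reg files, and scanners that cannot handle long file names), as an added example that is not part of any post and not MailEnable code. The sample .reg text is constructed from values quoted in the thread; the function names are hypothetical.

```python
# Added illustration, not MailEnable code: lint a .reg export of the filter keys.
import re

FILTERS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters"
SHORT = re.compile(r"[^\\. ]{1,8}(\.[^\\. ]{1,3})?")  # one 8.3 path component

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg file text."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif m and current is not None and m.group(2).startswith("dword:"):
            current[m.group(1)] = int(m.group(2)[6:], 16)
        elif m and current is not None:
            # Undo .reg escaping (\\ -> \, \" -> "); the registry stores the plain form.
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])
    return keys

def lint(text):
    keys, out = parse_reg(text), []
    order = keys.get(FILTERS, {}).get("Processing Order", "").split(",")
    for path, v in keys.items():
        if not path.startswith(FILTERS + "\\"):
            continue
        name = path[len(FILTERS) + 1:]
        if name not in order:
            out.append(f"{name}: missing from Processing Order, filter will not load")
        for token in ("[AGENT]", "[FILENAME]"):
            if token not in v.get("Antivirus Parameters", ""):
                out.append(f"{name}: {token} missing from Antivirus Parameters")
        for field in ("Antivirus Agent", "Antivirus Scratch Directory"):
            p = v.get(field, "")
            if "\\\\" in p[2:]:
                out.append(f"{name}: doubled backslashes stored in {field}")
            elif not all(SHORT.fullmatch(c) for c in p.split("\\")[1:]):
                out.append(f"{name}: note, {field} uses long file names")
    return out

# Constructed sample: key name and paths from the thread, with MEAVNAI left out
# of Processing Order and [FILENAME] dropped from the parameters.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters]
"Processing Order"="MEAVSOP,MEAVFPI"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Agents\MTA\Filters\MEAVNAI]
"Status"=dword:00000001
"Antivirus Parameters"="\"[AGENT]\" /ALL /DEL"
"Antivirus Agent"="C:\\vs\\SCANPM.EXE"
"Antivirus Scratch Directory"="C:\\Program Files\\Mail Enable\\Scratch"'''
```

`lint(SAMPLE)` returns three findings: the filter missing from Processing Order, the missing [FILENAME] token, and a note that the scratch directory uses long file names.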
