I realize that for ME staff the main problem is to provide the widest range of command line scanners available, and therefore relying on exit codes is the only option, even if it does not leave many choices on subsequent actions (delete the message as a whole, or quarantine it and then inform the recipient of the action taken).
IMHO AV scanning can bring a lot more useful information and can (should) help recipients to understand better what's going on with their messages. But there is more... as a fanatical Grisoft AVG user I was disappointed by the uncertainty of the reported exit codes (pointing my finger strongly at archive files).
As a secondary fact (as we lead a small ISP) I wanted to reduce to a minimum the number of calls we get in the office from users asking where some attachments have disappeared.
So I resolved to build our own AV filter and have it run as a pickup event for the MTA, relying on what the scanner really says instead of what the shelled command reports as an exit code.
As I said, our pickup event actually relies on AVGScan.exe (Grisoft's AVG command line scanner) and currently supports these features:
- Detailed logging of the scanning process;
- Keeps the original file extension (for attachments) so the AV scanner can detect misleading extensions;
- Parser for the scan report file generated by the command line scanner;
- Option to rename (.virus extension) infected attachments, or delete or quarantine them (not the entire message). In our install we've created a quarantine area configured as an IIS virtual directory, so we state in each message which attachments have been quarantined, with a unique URL to retrieve the infected attachment. An exhaustive disclaimer which appears before the download takes place informs the user that he is downloading the file "AT HIS OWN RISK";
- Logging facility for virus casualties: so you can trace how many viruses your system eats up and which are the most frequent ones. This option can enable file logging or ODBC logging on a MySQL database (so you can easily perform statistical queries on the log table);
- Template messages to inject on top of each scanned message (both in txt and HTML) about which actions were taken on infected attachment files;
- Basic controls over message structure to prevent known vulnerabilities: long subjects, attachments with no file name, attachments with long file names, double extensions on file names;
- Detection of password protected archives so you can inform the recipient that the attachment was not extensively scanned;
- Option to remove the HTML part from the message body entirely so the client will receive only pure, clean plain text (we really hate HTML emails);
- Pure VBScript file (nothing to install, not counting the AV program itself).
We'll also be glad to share this small piece of software with other ME users: we're still in alpha with it, but once it is stable I will send the script filter to ME staff for them to publish in the download area. Hope they'll be so kind as to do that, as they already did in the past.
Thank you for your attention, and thanks to ME for being such a flexible product.
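The "basic controls over message structure" listed in the post (long subjects, attachments with no file name, long file names, double extensions) can be checked independently of what the scanner reports. The following is an added illustration in Python, not the poster's VBScript filter; the length limits, the benign compound-extension list and the sample inputs are assumptions constructed for the example.

```python
import re

# Assumed limits for this illustration; the post gives no concrete values.
MAX_SUBJECT_LEN = 255
MAX_FILENAME_LEN = 128
# "invoice.pdf.exe": the stem already ends in an extension-like token.
DOUBLE_EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}\.[A-Za-z0-9]{1,4}$")
# Compound extensions that are legitimate and should not be flagged (assumed list).
BENIGN_COMPOUND = (".tar.gz", ".tar.bz2", ".tar.xz")


def check_subject(subject):
    """Return findings for an over-long Subject header."""
    if len(subject) > MAX_SUBJECT_LEN:
        return [("subject", "long-subject")]
    return []


def check_attachment(filename):
    """Return findings for one attachment file name (missing, long, double extension)."""
    if filename is None or not filename.strip():
        return [("attachment", "no-filename")]
    findings = []
    if len(filename) > MAX_FILENAME_LEN:
        findings.append((filename, "long-filename"))
    lowered = filename.lower()
    if DOUBLE_EXT_RE.search(filename) and not lowered.endswith(BENIGN_COMPOUND):
        findings.append((filename, "double-extension"))
    return findings


def check_message(subject, attachment_names):
    """Run all structural checks; an empty list means the message passed."""
    findings = check_subject(subject)
    for name in attachment_names:
        findings.extend(check_attachment(name))
    return findings


if __name__ == "__main__":
    # Constructed sample message: one clean and two suspicious attachments.
    sample = check_message("Monthly report", ["report.pdf", "invoice.pdf.exe", ""])
    for item, reason in sample:
        print(f"{reason}: {item!r}")
```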