Antivirus filter

Discussion for developers using MailEnable.
Anlan
Posts: 32
Joined: Sat Feb 28, 2004 11:35 am

Antivirus filter

Post by Anlan » Fri Aug 26, 2005 8:11 pm

As an ME stress-user, I am a little unhappy about the integrated AV options. Actually, there is nothing really bad with them, but my feelings are mostly concerned with control over the AV scanning process.
I realize that for ME staff the main problem is to provide the widest range of command line scanners available and therefore relying on exit codes is the only option, even if it does not leave many choices on subsequent actions (delete the message as a whole, or quarantine it and then inform the recipient of the action taken).
IMHO AV scanning can bring a lot more useful information and can (should) help recipients to understand better what's going on with their messages. But there is more ... as a fanatic Grisoft's AVG user I was disappointed about the uncertainty given by the reported exit codes (pointing my finger strongly at archive files).
As a secondary fact (as we run a small ISP) I wanted to reduce to a minimum the number of calls we get in the office from users asking where some attachments have disappeared.
So I resolved to build our own AV filter and have it run as a pickup event for the MTA: relying on what the scanner really says instead of what the shelled command reports as an exit code.

As I said, our pickup event actually relies on AVGScan.exe (Grisoft's AVG command line scanner) and currently supports these features:
  1. Detailed logging of the scanning process;
  2. Keeps original file extension (for attachments) so AV scanner can detect misleading extensions;
  3. Parser of scan report file generated by the command line scanner;
  4. Option to rename (.virus extension) infected attachments, delete or quarantine them (not the entire message). In our install we've created a quarantine area configured as an IIS virtual directory so we provide in each message which attachments have been quarantined with a unique URL to retrieve the infected attachment. An exhaustive disclaimer which appears before download takes place informs the user that he is downloading the file "AT HIS OWN RISK";
  5. Logging facility for virus casualties: so you can trace how many viruses your system eats up and which are the most frequent ones. This option can enable file logging or ODBC logging on a MySQL database (so you can easily perform statistic queries on the log table);
  6. Template messages to inject on top of each scanned message (both in txt and html) about which actions were taken on infected attachment files;
  7. Basic controls over message structure to prevent known vulnerabilities: long subjects, attachments with no file name, attachments with long file names, double extensions on file names;
  8. Detection of password protected archives so you can inform recipient the attachment was not extensively scanned;
  9. Option to remove all the HTML part from the message body so the client will receive only pure, clean plain text (we really hate HTML emails!);
  10. Pure vb script file (nothing to install, not considering the av program itself);
I'd be glad to receive from interested users any suggestion about additional features to add in this filter related to messages security.
We'll also be glad to share this small piece of software with other ME users: we're still in alpha with it, but as it becomes stable I will send the script filter to ME staff for them to publish in the download area. Hope they'll be so kind to do that as they already did in the past.

Thank you for your attention and thanks to ME for being such a flexible product.

Anlan
Posts: 32
Joined: Sat Feb 28, 2004 11:35 am

Post by Anlan » Thu Oct 06, 2005 12:09 pm

We've done some testing with this script and have passed about 500k messages.
Actually this filter does the following checks:
  • Optionally removes unwanted headers from messages: this feature is useful if you want to remove Read Receipt requests
  • Truncates the message subject if it appears to be too long: you can set the max length threshold by examining the resource settings in the MeIsiPickup.Wsf file
  • Automatically removes attachment files which do not have a valid filename and appear to be of content-type "application/*"
  • Compacts attachment filenames to avoid delivery of messages with long, far-hidden risky extensions ("document.txt .pif")
  • Optionally removes the HTMLBody from messages which also have a TextBody (I know .. we're paranoid!)
  • Optionally performs an antivirus scan and removes infected files
  • During AV scan process every password protected archive is reported in message as NOT SCANNED
If anyone is interested in testing it, please pm with your email address.
I will send you a copy of the script with detailed instructions about how to set it up.

Bye
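The structural checks Anlan lists in the two posts above (header removal, subject truncation, nameless application/* attachment removal, filename compaction with hidden double extensions, optional HTML-part removal), sketched in Python as an added example; this is not the MeIsiPickup.Wsf script, which is VBScript and was never published in this thread, and it does no AV scanning. The subject threshold, the risky-extension list, the sample message and the action taken on a double extension (flagging only) are assumptions.

```python
import re
from email import message_from_string

MAX_SUBJECT = 80   # assumed threshold; the real script reads it from its resource settings
DOUBLE_EXT = re.compile(r"\.\w+\.(pif|scr|exe|bat|cmd|com|vbs)$", re.I)  # assumed list

def compact_filename(name):
    # Strip all whitespace so 'document.txt            .pif' shows its real suffix.
    return re.sub(r"\s+", "", name)

def filter_message(raw, drop_html=True):
    # Apply the structural checks to one message; returns (message, list of actions taken).
    msg, actions = message_from_string(raw), []
    if "Disposition-Notification-To" in msg:          # read-receipt request header
        del msg["Disposition-Notification-To"]; actions.append("removed read-receipt header")
    if len(msg.get("Subject", "")) > MAX_SUBJECT:
        msg.replace_header("Subject", msg["Subject"][:MAX_SUBJECT]); actions.append("truncated subject")
    if not msg.is_multipart():
        return msg, actions
    parts, kept = msg.get_payload(), []               # top-level MIME parts only
    has_text = any(p.get_content_type() == "text/plain" for p in parts)
    for p in parts:
        ctype, fname = p.get_content_type(), p.get_filename()
        if ctype.startswith("application/") and not fname:    # no valid filename at all
            actions.append("dropped nameless " + ctype); continue
        if fname and compact_filename(fname) != fname:
            fname = compact_filename(fname)
            p.replace_header("Content-Disposition", 'attachment; filename="%s"' % fname)
            actions.append("compacted filename to " + fname)
        if fname and DOUBLE_EXT.search(fname):
            actions.append("flagged double extension " + fname)
        if drop_html and ctype == "text/html" and has_text:  # keep only the plain-text body
            actions.append("dropped HTML body"); continue
        kept.append(p)
    msg.set_payload(kept)
    return msg, actions

# Constructed sample that trips every check above (not real traffic): over-long subject,
# read-receipt request, padded hidden .pif extension, nameless application/* part.
SAMPLE = "\n".join([
    "Subject: " + "FW: " * 25 + "report", "Disposition-Notification-To: sender@example.test",
    'Content-Type: multipart/mixed; boundary="b1"', "",
    "--b1", "Content-Type: text/plain", "", "Please see attached.",
    "--b1", "Content-Type: text/html", "", "<p>Please see attached.</p>",
    "--b1", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="document.txt            .pif"', "", "AAAA",
    "--b1", "Content-Type: application/octet-stream", "", "BBBB", "--b1--", ""])
```

Running `filter_message(SAMPLE)` leaves only the plain-text body and the attachment renamed to `document.txt.pif`, with the actions list recording every change made.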

alberto
Posts: 12
Joined: Fri Mar 18, 2005 10:23 am

Post by alberto » Thu Oct 13, 2005 12:02 pm

I'm really interested in your script. Where is it available?

thanks

Anlan
Posts: 32
Joined: Sat Feb 28, 2004 11:35 am

Post by Anlan » Thu Oct 13, 2005 12:40 pm

We have not published it yet under any website.
Send me your email address using private messages on this forum. I will send you a copy of the script.
