Improved Virus Scan Notification

Discussions on webmail and the Professional version.
Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Improved Virus Scan Notification

Post by Kiliman » Thu Jan 29, 2004 9:20 pm

I'm just about finished with a new script that does the following:

1) Better MIME support. This filter now handles embedded messages (content-type: message/rfc822) unlike the built-in virus filter.

2) Better performance. This filter calls the scanner one time for the entire message using wildcard *.ATT. This means the scanner only has to load the DAT files once instead of multiple times per bodypart in the built-in filter.

3) Better logging and notification. Here are some sample notifications:

Subject: Virus Notification: Found the W32/Mydoom.a@MM virus !!!
VIRUS NOTIFICATION:

Message ID: 48904882203A4E239582CF9A93991.MAI
Received: from pegasus.cc.ucf.edu ([132.170.240.30]) by mx.volcanictech.com with MailEnable ESMTP; Wed, 28 Jan 2004 14:19:59 -0500
Sender: [SMTP:postmaster@pegasus.cc.ucf.edu]
Recipient: [SMTP:dave@volcanictech.com]
From: "Mail Delivery System" <MAILER-DAEMON@pegasus.cc.ucf.edu>
To: "dave@volcanictech.com" <dave@volcanictech.com>
Subject: Undelivered Mail Returned to Sender
Date: 1/28/2004 2:23:11 PM

SCAN RESULTS:

Body Part 1: text/plain >>> No virus found
Body Part 2: text/plain >>> No virus found
Body Part 3: application/octet-stream (file.zip.renamed) >>> Found the W32/Mydoom.a@MM virus !!!

Scan Time: 1.101563 seconds

Subject: Virus Notification: Found the W32/Swen@MM virus !!!
Message ID: C70B88C85E1F48CCB2BDFEA1678C84.MAI
Received: from smtp.prodigy.net.mx ([148.235.52.30]) by mx.volcanictech.com with MailEnable ESMTP; Wed, 28 Jan 2004 23:18:54 -0500
Sender: [SMTP:bigtwin@prodigy.net.mx]
Recipient: [SMTP:michael@volcanictech.com]
From: "MS Corporation Program Security Center" <eoewnbab-bjgvvrl@advisor.com>
To: "Consumer" <dzhv@advisor.com>
Subject: Newest Net Security Update
Date: 1/28/2004 11:21:26 PM

SCAN RESULTS:

Body Part 1: text/plain >>> No virus found
Body Part 2: text/html >>> No virus found
Body Part 3: image/gif >>> No virus found
Body Part 4: image/gif >>> No virus found
Body Part 5: application/x-msdownload (installation65.exe) >>> Found the W32/Swen@MM virus !!!

Scan Time: 1.210938 seconds

NOTE: This currently supports McAfee Virus Scan only. I have not tested it on other scanners.

I'm still debugging it, but if anyone has suggestions, please let me know.

Originally, the From: and To: lines above were taken only from the message header. I added Sender: and Recipient: from the message command file. This gives a better indication of where the message was supposed to go.

Also, I make no attempt to clean the email. If it contains a virus, the message gets deleted. The recipient is not notified either. Since most viruses are automated, it would simply add to the junk mail we get.

Let me know what you think. Thanks!

Kiliman
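
The approach in the post above, as an added example in Python (not Kiliman's VBScript and not MailEnable code): every leaf body part, including those inside an embedded message/rfc822, is written to a scratch folder as NNN.ATT so that a single scanner call with the *.ATT wildcard covers the whole message. Assumptions: the function names, the sample message and the verdict passed to `report_lines` are constructed for illustration, the scanner is not actually run, and the scanner switches are the ones quoted later in this thread.

```python
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def build_sample():
    """Constructed input: a bounce that carries the original mail as message/rfc822."""
    inner = EmailMessage()
    inner["Subject"] = "original"
    inner.set_content("see attachment")
    inner.add_attachment(b"constructed bytes, not malware", maintype="application",
                         subtype="octet-stream", filename="file.zip.renamed")
    outer = EmailMessage()
    outer["Subject"] = "Undelivered Mail Returned to Sender"
    outer.set_content("Delivery failed.")
    outer.add_attachment(inner)  # a Message object is attached as message/rfc822
    return outer.as_bytes()

def extract_parts(raw, scratch):
    """Write each leaf body part to scratch as NNN.ATT; return [(n, type, filename)]."""
    os.makedirs(scratch, exist_ok=True)  # creates missing parent folders too
    parts = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():  # containers, including message/rfc822 wrappers
            continue
        n = len(parts) + 1
        # On-disk name comes from the index, never from the sender-supplied filename.
        with open(os.path.join(scratch, f"{n:03d}.ATT"), "wb") as fh:
            fh.write(part.get_payload(decode=True) or b"")
        parts.append((n, part.get_content_type(), part.get_filename()))
    return parts

def scan_command(agent_path, scratch, report_path):
    """One scanner invocation for the whole message; a list needs no manual quoting."""
    return [agent_path, os.path.join(scratch, "*.ATT"), "/ALL", "/ANALYSE", "/NOBOOT",
            "/NOMEM", "/UNZIP", "/SILENT", "/REPORT", report_path]

def report_lines(parts, verdicts):
    """verdicts maps part number -> virus name (supplied by the caller in this sketch)."""
    lines = []
    for n, ctype, name in parts:
        label = f"{ctype} ({name})" if name else ctype
        result = f"Found the {verdicts[n]} virus !!!" if n in verdicts else "No virus found"
        lines.append(f"Body Part {n}: {label} >>> {result}")
    return lines

if __name__ == "__main__":
    scratch = os.path.join(tempfile.mkdtemp(), "Scratch", "constructed-id")
    parts = extract_parts(build_sample(), scratch)
    print("\n".join(report_lines(parts, {3: "EXAMPLE-NAME"})))
```
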

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman » Thu Jan 29, 2004 11:24 pm

I posted my first version at:

http://www.volcanictech.com/files/mailenable/

You can email me at michael@volcanictech.com if you have any questions.

Good luck!

Kiliman

Christian L
Posts: 62
Joined: Tue Jan 27, 2004 9:36 am
Location: Sweden

McAfee 8.0?

Post by Christian L » Tue Feb 17, 2004 10:12 am

Thought I should try your solution, and bought the McAfee AV. The version I got was 8.0 and now I can't find any scan.exe-file in any directory. Is it changed?

/Christian

Christian L
Posts: 62
Joined: Tue Jan 27, 2004 9:36 am
Location: Sweden

Great....

Post by Christian L » Tue Feb 17, 2004 10:21 am

Well, it seems I bought the home edition...great. Is this the correct product to use?

http://shop.nai.com/dr/v2/ec_MAIN.Entry ... _ID=108970

/Christian

Christian L
Posts: 62
Joined: Tue Jan 27, 2004 9:36 am
Location: Sweden

This one must be the one

Post by Christian L » Tue Feb 17, 2004 10:27 am

Maybe this one? I just love how they bundle their AV products....

http://shop.nai.com/dr/v2/ec_MAIN.Entry ... _ID=108970

This must be the one, right?

Christian

Kiliman
Posts: 279
Joined: Mon Feb 03, 2003 2:44 pm
Location: Chesapeake, VA

Post by Kiliman » Tue Feb 17, 2004 12:22 pm

I got the command line scanner from CDW. See this post.

http://forum.mailenable.com/viewtopic.php?t=3200

I think I paid $16 for a 1 year license.

Kiliman

Christian L
Posts: 62
Joined: Tue Jan 27, 2004 9:36 am
Location: Sweden

Automatic updates?

Post by Christian L » Tue Feb 17, 2004 5:59 pm

Ok, I finally got it working with this download. Thanks!

Where did you buy just the scanner and does it download new virus definitions automatically?

/C

nalor
Posts: 4
Joined: Fri Apr 30, 2004 8:55 pm

Post by nalor » Fri Apr 30, 2004 9:10 pm

I tried Kiliman's vbs today and had some problems because of the space character in the path to my mail enable directory (c:\programme\mail enable\).

I changed the following to allow pathnames with spaces:

FUNCTION ScanAttachments:
Set exec = shell.exec(agentPath & " " & Chr(34) & scratchPath & Chr(34) & " /ALL /ANALYSE /NOBOOT /NOMEM /UNZIP /SILENT /REPORT " & Chr(34) & reportPath & Chr(34))

And I insert the following at line 126 (below the line " ' Make sure scratchPath exists") because CreateFolder can't create 2 folders (one beneath the other) in one step. So it is necessary that "scratch" is created before the subfolder for the specific email.

If Not fso.FolderExists(dataPath & "\Scratch") Then
    fso.CreateFolder(dataPath & "\Scratch")
End If

This just checks if "scratch" exists and creates it when it doesn't.

After these small modifications it works like a charm :D

Thanks to Kiliman for his great script!

Roland
