AntiVirusINSTALL - INSTALL file for the Anti-Virus Plugin for DansGuardian.
Created by James A. Pattie (james@pcxperience.com)
(c) 2002-2003 by Xperience, Inc. (http://www.xperienceinc.com/)
Licensed under the GPL.

07/29/2003 Version 4.2 for DansGuardian 2.7

This documents how to add Anti-Virus scanning to the DansGuardian project.


REQUIREMENTS:  
	perl 5.6.1 or 5.8.0
	DansGuardian 2.7.1-4
	dansguardian-virus-scripts 1.05
	Mail::Sender 0.8.00

Download the latest DansGuardian-Virus-Scripts tarball or rpm package from 
http://www.pcxperience.org/dgvirus/.  These scripts come from the MailScanner
project.  Also, some of the code that is integrated into DansGuardian is from 
the MailScanner package.  See the MailScanner site for any installation notes 
regarding your Anti-Virus product.  http://www.mailscanner.info/

If installing from the tarball, copy the usr/lib/DGVirus directory structure
to /usr.  If installing from rpm, you need to install it before the 
DansGuardian-Virus package.

Download the tarball or our rpm of Mail::Sender 0.8.00 from CPAN or the support
directory.  This needs to be installed before installing DansGuardian.

Download the source to DansGuardian 2.7.1-4.  Now you need to patch the source.

	gunzip DansGuardian-2.7.1-4-AntiVirus-4.2.patch.gz

You can either build manually:

	tar xvzf DansGuardian-2.7.1-4.source.tar.gz
	cd DansGuardian-2.7.1-4
	patch -p1 < ../DansGuardian-2.7.1-4-AntiVirus-4.2.patch

	This assumes you have the patches in the same directory as the source
	tarball for DansGuardian 2.7.1-4.

	Now read the INSTALL file and follow the steps to build DansGuardian.

Or you can build an rpm from the included DGVirus.spec file:

	cp DansGuardian-2.7.1-4.source.tar.gz /usr/src/redhat/SOURCES
	cp DansGuardian-2.7.1-4-AntiVirus-4.2.patch /usr/src/redhat/SOURCES
	cp linux.in-rpmfixup.patch /usr/src/redhat/SOURCES

	cp DGVirus.spec /usr/src/redhat/SPECS

	cd /usr/src/redhat/SPECS
	rpmbuild -bb DGVirus.spec

	first install the DansGuardian-Virus-Scripts support package:
	rpm -Uvh DansGuardian-Virus-Scripts-1.05-1.noarch.rpm

	next install the perl-Mail-Sender package:
	rpm -Uvh perl-Mail-Sender-0.8.00-1.i386.rpm

	now install the newly created DansGuardian package:
	rpm -Uvh ../RPMS/i386/DansGuardian-Virus-4.2-1.i386.rpm


VIRUS Engine Configuration:

To enable your virus scanner (if it is not F-Prot installed in
/usr/local/f-prot), you need to edit virusscanner.conf in the dansguardian
configuration directory.  This file also has other options that can be tweaked,
though not all options are currently being used.


NOTE:

Currently, once this patch is applied, all content (html/text, etc.) other than
SSL connections is scanned by default.  If you want to disable the virus
scanning code, modify the generated dansguardian.conf file and change
the virusscan option from on to off.

If a virus is detected, an HTML document stating that fact will be sent to the
browser.  In the event that you were downloading a big file, you might have the
first couple of bytes of the file in question already downloaded, and so the
HTML error document will be appended to it.

If downloading and saving to disk, always check to make sure that the resulting
file is what you were expecting.

The virus scanning code will log, via syslog, the scanning messages and the
results of any virus-found messages.

F-Prot is the anti-virus engine I'm testing.  The other virus programs that
MailScanner supports have been converted but since I don't own them I haven't
tested the code yet.  If you own one of the other engines I would appreciate
any help in debugging the code and getting it supported.

I have had confirmation that the Sophos code works.

I have added code provided by G.H.J. Dorssers to make the AntiVir virus scanner
work, but it is totally unsupported by me.  You will have to modify
virusscanner.conf and change 'Minimum Code Status' from supported to unsupported
along with the Virus Scanner and Sweep values.

2002/12/17 - I now rely on the DansGuardian-Virus-Scripts package I'm creating
from the MailScanner 4.x release for virus wrapper scripts.  This is now in
/usr/lib/DGVirus and the names of the virus wrapper scripts are slightly
different.  If things break after an upgrade, check to make sure you are
pointing at the right file.

2002/11/27 - Postmaster will now always receive an email when a virus is
detected.  If squid is requiring proxy authentication, then the detected user
will also get an email (as long as virusscanner.conf is properly configured).
I recommend using pam_auth (provided with squid) and configuring to use whatever
authentication mechanism that PAM provides that you have easily available to
specify valid users where their username is also a valid email address user.
Any emails generated to users will have the Mail Domain value appended to them
as follows: user@MailDomain where user is the detected username.

Quarantining of the infected files is now available and will store the files in
the following format:

prefix/dgvirus/quarantine/DATE/USER/<url>/FILE

where prefix/dgvirus/quarantine is user defined in virusscanner.conf,
DATE is today's date in YYYYMMDD format,
USER is the detected user's name or no-user if proxy auth is disabled,
<url> is the url with any & escaped,
FILE is the temporary file DansGuardian uses, in the format fileXXXXXX

01/13/2003 - A status file is now generated that will allow the user to see the
status of large files being downloaded.  The status files are stored in the
DownloadDir directory under status and are grouped by the IP address of the
client or the detected user name (no-user if none detected).  This grouping is
configurable in virusscanner.conf.
Ex:  DownloadDir = /tmp/dgvirus,
Temp file = fileXYZ123,
User Name = james,
Status File = /tmp/dgvirus/status/james/fileXYZ123
If grouping by IP and the IP was 10.0.0.2, then
Status File = /tmp/dgvirus/status/10.0.0.2/fileXYZ123

The status file will be deleted when the file is done downloading or the file
transfer is canceled or on any other error condition.

The status file is locked via flock, so any monitoring scripts should acquire
a LOCK_SH before reading from the file to make sure that they get complete data.

The output format is:
started:         Start TimeStamp
last:            Last Updated TimeStamp
url:             url
file:            name of temporary file
fileLength:      # bytes in file
bytesDownloaded: # bytes currently downloaded
user:            detected user name
userIP:          IP of browser
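
A monitoring script for the status file described above, added here as an
example (it is not part of the patch or of DansGuardian): it takes LOCK_SH
before reading, parses the documented fields and reports progress.  The
timestamp format and all sample values are assumptions constructed for
illustration.

```python
import fcntl
import tempfile

FIELDS = ("started", "last", "url", "file", "fileLength",
          "bytesDownloaded", "user", "userIP")

def read_status(path):
    """Parse a status file under LOCK_SH; None if it has been deleted."""
    try:
        fh = open(path, "r")
    except FileNotFoundError:
        return None  # removed on completion, cancel or error
    with fh:
        fcntl.flock(fh, fcntl.LOCK_SH)  # waits while the writer holds its lock
        lines = fh.read().splitlines()  # lock is released when fh closes
    status = {}
    for line in lines:
        # Split on the first colon only: URLs and timestamps contain colons.
        key, sep, value = line.partition(":")
        if sep and key.strip() in FIELDS:
            status[key.strip()] = value.strip()
    return status

def percent_done(status):
    """Percentage downloaded, or None if the byte counts are unusable."""
    try:
        total = int(status["fileLength"])
        done = int(status["bytesDownloaded"])
    except (KeyError, ValueError):
        return None
    return round(100.0 * done / total, 1) if total > 0 else None

# Constructed sample in the documented layout; the timestamp format and
# all values are assumptions made for this example.
SAMPLE = """started:         2003-01-13 10:00:00
last:            2003-01-13 10:00:30
url:             http://example.com/big.iso
file:            fileXYZ123
fileLength:      4000
bytesDownloaded: 1000
user:            james
userIP:          10.0.0.2
"""

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix="-fileXYZ123") as out:
        out.write(SAMPLE)
        out.flush()
        print(percent_done(read_status(out.name)))
```

A missing file is treated as "transfer ended" rather than an error, because
the status file is deleted on completion, cancel or failure.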


Changelog:

4.0 - Ported 2.2 forward into the 2.7.1-0 tree.

4.1 - Added optional simultaneous write to client socket, activated by 
      tricklelength variable in dansguardian.conf.
      Added firsttrickledelay and followingtrickledelay variables in 
      dansguardian.conf.
      (Code by Aecio F. Neto (afn@harvest.com.br) - Harvest Consultoria (http://www.harvest.com.br))

4.2 - Added optional parameter to not scan sites and urls in exception lists.
      (Code by Aecio F. Neto (afn@harvest.com.br) - Harvest Consultoria (http://www.harvest.com.br))