======================================================================
XMail-AV for Win32 in .NET 1.1
Version: 1.5.1867.17360
Released: 2005-Feb-10
Written by:
Jason J Ellingson
jason@ellingson.com
http://ellingson.com
======================================================================
HISTORY
======================================================================
1.5.1867.17360 - 2005-Feb-10
----------------------------
Added - A "debug" option. If you place the word "debug" at the
end of the filter line, it will create a very verbose debug
file at "C:\AV-Debug.log". See below for an example. Format is:
date/time [tab] identifier [tab] process status
Change- Improved detection of certain errors.
1.4.1793.35282 - 2004-Nov-28
----------------------------
Added - Now works with F-Prot for DOS (f-prot.exe). Still not as fast
as F-Prot for Windows (highly recommended).
Fixed - Sometimes couldn't read the report file.
1.3.1786.19892 - 2004-Nov-21
----------------------------
Added - Logging now enabled. If you currently log SMTP events ("-Sl"
command in MAIL_CMD_LINE in Registry), then you will see an
AV-yyyymmdd000000 log file in your XMail logs folder. It is
in the same format as SMTP-yyyymmdd0000 logs with the following
two exceptions: 1) The status message column shows the reject
message sent to the remote computer and 2) SMTP logs show a zero
byte size for rejected messages, where I show the size of the
infected message. That way you can calculate how much
bandwidth was wasted on infected messages.
Change- Even though it was already lightning fast, I rewrote the
code to be even faster!
Change- The executable is now XMail-AV.exe
1.2.1775.12629 - 2004-Nov-10
----------------------------
Added - Now works with Sophos Anti-Virus (SAV32CLI.EXE). Again, if
you want to run more than one antivirus, then place a filter
command for each one in your filters.post-data.tab file. See
my example below and included.
1.1.1772.304 - 2004-Nov-07
--------------------------
Added - Now works with any version of McAfee VirusScan for Win32
(SCAN.EXE). If you want to run both McAfee and F-Prot, then
place two filter commands in your filters.post-data.tab file.
See my example below and included.
1.0.1771.14343 - 2004-Nov-06
----------------------------
Fixed - Should work for ANY version of F-Prot for Windows (fpcmd.exe).
Added - Rejection message now includes the file and virus name.
1.0.1757.37661 - 2004-Oct-23
----------------------------
Initial release.
======================================================================
TESTED ON
======================================================================
Windows 2000 server SP4
.NET Framework 1.1 and 1.1 SP1
XMail Server 1.20
F-Prot for Windows 3.15a, 3.15b, 3.16 and 3.16a
F-Prot for DOS 3.15
McAfee VirusScan for Win32 v4.32.0 / v4.3.20 / v4.3.2
(depends on which version string you look at)
Sophos Anti-Virus Version 3.87.0 [Win32/Intel]
======================================================================
NOTICE
======================================================================
This is not currently open-source, but will be in the near future.
Please, provide me with credit if you include it in any product.
Also, please let me know if you are using it and/or distributing it.
I just want to know if my work is of any use to anyone. Otherwise, I
won't bother.
======================================================================
INSTRUCTIONS
======================================================================
1) Place the "xmail-av.exe" file anywhere you want to have it run
from. I chose c:\mailroot\bin\ on my server as it seemed like a good
place. Others like to put filter exe's in a c:\mailroot\filters\bin
folder. That sounds like a good idea too... either way... it doesn't
matter.
2) Place the commands to run xmail-av.exe into the
filters.post-data.tab on your mail server. If you don't have any
filters there already, then feel free to modify the one I provided.
Make an entry for each antivirus you wish to run. Make sure you have
a return at the end of the line or the filter won't run!
Format is simple:
"XMAIL-AV.EXE LOCATION"[TAB]"@@FILE"[TAB]"AV FOLDER"[RETURN]
so in my case (the fields on each line are separated by tabs):
"C:\MailRoot\bin\xmail-av.exe" "@@FILE" "C:\Program Files\FSI\F-Prot"
"C:\MailRoot\bin\xmail-av.exe" "@@FILE" "C:\NAI"
"C:\MailRoot\bin\xmail-av.exe" "@@FILE" "C:\Program Files\Sophos SWEEP for NT"
or if you wish to record debugging code to "C:\AV-Debug.log", then:
"C:\MailRoot\bin\xmail-av.exe" "@@FILE" "C:\Program Files\FSI\F-Prot" "debug"
3) Test it! Best place to go is:
http://www.declude.com/Articles.asp?ID=99
Just test against the "eicarplain" virus. Some of the other ones
won't be "detected"... don't worry, it's not that your antivirus is
missing them. It is because they aren't correct tests. They were
specially engineered to make Declude's antivirus look more impressive.
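
Added example (not part of XMail-AV or the original README): a small
Python check for the xmail-av.exe entries described in step 2, flagging
the mistakes that keep the filter from running, such as fields separated
by spaces instead of tabs or a missing return at the end of the line.
The function names and the list_folder hook are hypothetical, and the
sample lines are constructed.

```python
import re

# Scanner executables the README says xmail-av.exe looks for in the AV folder.
SCANNERS = {"fpcmd.exe", "scan.exe", "sav32cli.exe", "f-prot.exe"}
QUOTED = re.compile(r'^"([^"]*)"$')
# Constructed sample: line 1 is valid, line 2 uses spaces and lacks the return.
SAMPLE = ('"C:\\MailRoot\\bin\\xmail-av.exe"\t"@@FILE"\t"C:\\NAI"\r\n'
          '"C:\\MailRoot\\bin\\xmail-av.exe" "@@FILE" "C:\\NAI"')

def lint_filter_line(raw, list_folder=None):
    """Return the problems in one raw line (line ending included)."""
    # list_folder (hypothetical hook): callable mapping an AV folder to its file names.
    problems = []
    if not raw.endswith(("\n", "\r")):
        problems.append("no return at end of line")
    line = raw.rstrip("\r\n")
    fields = line.split("\t")
    if len(fields) == 1 and '" "' in line:
        return problems + ["fields separated by spaces, not tabs"]
    if len(fields) not in (3, 4):
        return problems + ["expected 3 fields (4 with debug), got %d" % len(fields)]
    matches = [QUOTED.match(f) for f in fields]
    if not all(matches):
        return problems + ["every field must be wrapped in double quotes"]
    values = [m.group(1) for m in matches]
    if not values[0].lower().endswith("xmail-av.exe"):
        problems.append("first field is not the xmail-av.exe location")
    if values[1] != "@@FILE":
        problems.append('second field must be the literal "@@FILE"')
    # The README shows the option in lowercase; an exact match is assumed here.
    if len(values) == 4 and values[3] != "debug":
        problems.append('fourth field, if present, must be "debug"')
    if list_folder is not None:
        found = {name.lower() for name in list_folder(values[2])}
        if not found & SCANNERS:
            problems.append("no supported scanner in AV folder")
    return problems

def lint_filters_tab(text, list_folder=None):
    """Lint the xmail-av.exe entries of a filters.post-data.tab file."""
    report = {}
    for number, raw in enumerate(text.splitlines(keepends=True), 1):
        if "xmail-av.exe" in raw.lower():
            issues = lint_filter_line(raw, list_folder)
            if issues:
                report[number] = issues
    return report
```

Other filters in the same file are skipped; only lines that mention
xmail-av.exe are checked.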
======================================================================
WHAT IS IT DOING?
======================================================================
Basically, it first checks to see if it should enable logging.
Then checks to be sure it can find the message file.
Then checks to see if it can find "fpcmd.exe" (F-Prot for Windows),
"scan.exe" (McAfee), "sav32cli.exe" (Sophos), or "f-prot.exe" (F-Prot
for DOS) in your antivirus directory.
Then scans the file for viruses, dumping a text report into the
antivirus directory (uses tickcount for filename to prevent
duplicates).
Parses the report for file name and virus name.
Deletes the report file.
If there was a virus, tells XMail to reject the message by sending:
"554 Transaction failed " + filename and virus name to the sending
SMTP server and to delete the message.
If there was a problem with anything... the message is passed along.
(In case you misconfigured something)
======================================================================
FUTURE PLANS
======================================================================
Add AVG and ClamAV as supported antivirus products.
======================================================================
SUPPORT
======================================================================
Feel free to contact me via email if you have any questions, comments,
or suggestions.