Using Sendmail and AMaViS to Halt Virus Distribution

by F. William Lynch

Unlike days past, when viruses were primarily spread through sneaker-net distribution of floppy disks, most modern viruses are spread via e-mail. Advanced scripting languages for the Windows platform, coupled with the relative insecurity of certain Windows mail clients, have swelled the ranks of virus, worm, and other malware authors. Fortunately, most Unix servers and mail systems can halt the spread of such malware. This tutorial will focus on integrating the AMaViS (0.2.1) anti-virus cleanser with Sendmail 8.9.1b, the default mail server shipped with Solaris 7. However, the setup and configuration procedures are very similar on Linux and xBSD.

Background on AMaViS
AMaViS is an acronym for “A Mail Virus Scanner”. The software itself is basically a GPL’ed shell script wrapper around a number of different anti-virus scanning packages. Despite the low version number, AMaViS has actually been around for several years and is quite stable. The 0.2.1 release described in this tutorial is the final release of the shell scripted engine. Newer engines have been written in Perl, but these packages are substantially different from the shell script engine and lack mature documentation. By default, the recipient will not be notified that a virus was intercepted, but this tutorial will describe how to configure recipient notification.

Viruses are detected by AMaViS as they pass through Sendmail. Each message attachment is uudecoded, un-mimed, and decompressed as necessary and then passed through the third-party virus scanning tool. If no viruses are found, the message is passed on transparently to its intended recipient. However, if any of the attachments is found to contain a virus, the message is quarantined in /var/virusmails/root and a message is sent to the sender as well as the system administrator that a virus was discovered. Unfortunately, the AMaViS package has no way to automatically disinfect the attachment and pass it along to the recipient at this time. The user and administrator would need to cooperate to extract the intended message and attachments from the quarantine.

The anti-virus scanners supported by AMaViS include Network Associates (McAfee), AntiVir/X, Sophos Sweep, Kaspersky Lab AntiViral Toolkit Pro, Cybersoft VFind, Trend Micro FileScanner, CAI InoculateIT, and F-Secure AV. AMaViS is not limited to using only one anti-virus package either. For the paranoid, AMaViS could be configured to scan every attachment with each of the eight packages specified above. This tutorial is limited in scope to the Network Associates (McAfee) anti-virus package because it is one of the easiest to configure and maintain.

Additionally, AMaViS supports Sendmail, qmail, Postfix, and Exim as mail transport agents, though this tutorial will only describe Sendmail.

Pre-Requisite Software

Perhaps the most daunting task in setting up AMaViS is locating all of the software and tools necessary for its operation. Because AMaViS is primarily intended for use with the Linux operating system, a Solaris administrator will need to install a number of tools that do not come standard with the Solaris operating system. Each of the following tools or packages will be required before the installation of AMaViS can begin. Packages should be installed in the order listed.

Perl
If not already installed, this package from ibiblio should be adequate.

libgdbm
The libgdbm library is also needed by AMaViS, although it is not checked for by the configure script for AMaViS. Also from ibiblio.

Maildrop
Only a portion of Maildrop called reformime is needed by AMaViS to decode MIME attachments. Read more about Maildrop here.

TNEF
The tnef package, available from here, is needed to decode MS-TNEF encoded attachments that are produced by Microsoft mail servers.

Procmail
Another commonly used local delivery agent is procmail available from www.procmail.org. Mail that passes through AMaViS is actually delivered by procmail.

McAfee VirusScan
This virus scanning engine actually performs all the back-end work for AMaViS. A 30-day fully functional evaluation version can be downloaded from this link. After 30 days, if you continue to use this product, you should register it according to the license that accompanies the package. Pricing is available from the vendor on a per-user basis. You can also use this package to scan files located on Samba shares if desired.

AMaViS

Finally, once the previous components have been installed, AMaViS v0.2.1 can be downloaded from www.amavis.org.

Pre-Installation Configuration

As stated previously, while it works perfectly well with Solaris, AMaViS is intended primarily for use with Linux, so users of Solaris will need to make some minor adjustments prior to running the configure script for AMaViS.

whoami command
AMaViS looks for a “whoami” binary, which doesn’t exist on Solaris. As a workaround, issue these two commands as root:

# echo "who am i" >> /usr/bin/whoami
# chmod 755 /usr/bin/whoami

file command
AMaViS prefers to have a “file” command that supports the “-b” option, which is not available under Solaris. Furthermore, the site specified in the documentation to download such a file no longer exists. You will need to comment out this section of the configure script for AMaViS. See this post from the AMaViS mailing list archives for more details.

tar command
Because the version of tar that ships with Solaris 7 does not remove the leading slash ( / ) character from paths in tar archives, it represents a minor security hole: an archive can unpack files to absolute locations. AMaViS builds its own “securetar” wrapper for tar, so this issue is moot. However, it will still be necessary to comment out this section of the AMaViS configure script. Alternatively, install GNU tar from the ibiblio archives.

At this point, AMaViS is ready to be compiled under Solaris 7. Proceed using the standard methods to compile and install the software.

Post-Installation Configuration

Modifying the Sendmail Configuration
Before Sendmail will begin scanning mail attachments for viruses, some configuration changes will need to be made. First, back up the existing Sendmail configuration, then edit the /etc/mail/sendmail.cf file and make the following changes.

Find and comment out the section that looks like this:

Mlocal,         P=/usr/lib/mail.local, F=lsDFMAw5:/|@qfSmn9, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=mail.local -d $u

Then, add in the following:

Mlocal,         P=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,
                T=DNS/RFC822/X-Unix,
                A=scanmails -Y -a $h -d $u
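A mistyped mailer definition fails quietly: Sendmail keeps delivering through mail.local and nothing is scanned, so it is worth checking the result after the edit. The script below is an added example for this tutorial, not part of the original article or of the AMaViS package. It joins the Mlocal definition with its whitespace-indented continuation lines and reports whether local delivery is handed to scanmails. The two sendmail.cf fragments it embeds are constructed from the definitions above so it can be run without touching the live configuration.

```shell
#!/bin/sh
# Added example (not from the article): verify that the Mlocal mailer in a
# sendmail.cf hands local delivery to AMaViS's scanmails wrapper.
# A mailer definition is one "M" line plus any continuation lines that start
# with whitespace, so the whole definition is joined before it is inspected.

# Print the complete Mlocal definition from the given sendmail.cf as one line.
mlocal_definition() {
    awk '
        /^Mlocal,/            { def = $0; inside = 1; next }
        inside && /^[ \t]/    { sub(/^[ \t]+/, " "); def = def $0; next }
        inside                { inside = 0 }
        END                   { print def }
    ' "$1"
}

# Return 0 if Mlocal runs scanmails (P=/usr/sbin/scanmails) and still passes
# the recipient to it with -d $u, otherwise return 1.
scanmails_enabled() {
    def=$(mlocal_definition "$1")
    case "$def" in
        *'P=/usr/sbin/scanmails,'*'A=scanmails '*'-d $u'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample fragments for demonstration (not real configuration files).
# Prints the directory that holds them.
make_samples() {
    dir=${TMPDIR:-/tmp}/mlocal-check.$$
    mkdir -p "$dir"
    # Stock Solaris 7 definition: mail.local delivers directly, nothing scans.
    printf 'Mlocal,\t\tP=/usr/lib/mail.local, F=lsDFMAw5:/|@qfSmn9, S=10/30, R=20/40,\n\t\tT=DNS/RFC822/X-Unix,\n\t\tA=mail.local -d $u\n' > "$dir/stock.cf"
    # Definition after the edit described above: old line commented out,
    # scanmails placed in front of local delivery.
    printf '#Mlocal,\t\tP=/usr/lib/mail.local, F=lsDFMAw5:/|@qfSmn9, S=10/30, R=20/40,\nMlocal,\t\tP=/usr/sbin/scanmails, F=lsDFMAw5:/|@SPfhn, S=10/30, R=20/40,\n\t\tT=DNS/RFC822/X-Unix,\n\t\tA=scanmails -Y -a $h -d $u\n' > "$dir/scanning.cf"
    echo "$dir"
}

# Usage on the mail host:  sh check_mlocal.sh /etc/mail/sendmail.cf
if [ $# -eq 1 ]; then
    if scanmails_enabled "$1"; then
        echo "$1: local delivery goes through scanmails"
    else
        echo "$1: local delivery does NOT go through scanmails"
    fi
fi
```

Run it against /etc/mail/sendmail.cf after editing and again after the HUP, since a typo in the continuation lines (a missing trailing comma, a space instead of a tab) is the usual reason the new mailer never takes effect.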

Next, modify the /etc/mail/aliases file to change the address that receives the virus alerts if desired. By default, this is the root account, but it should always be an account whose mail is read by a human on a regular basis.
Sendmail will need to be restarted by sending it a HUP signal before these changes will take effect. Use the following commands to do this:

# ps -ef | grep sendmail
    root 13733     1  0   May 03 ?        0:00 /usr/lib/sendmail -bd -q15m
    root 16605 16573  0 18:16:43 pts/0    0:00 grep sendmail
# kill -HUP 13733

Updating Virus Definitions
A virus scanner is only as useful as its most recent virus definition updates. Therefore, it is necessary to update the virus definition files as often as possible in order to prevent outbreaks of the most recently released strains.

McAfee releases frequent, almost daily updates to its virus definition files. The virus definition files which come with the engine are certainly several months out of date. Thus, the author has written this script to automatically update the virus definition files. Several other sample scripts are available in the AMaViS documentation, but all of these require additional software packages to be installed. The script available from the author is a simple Korn shell script that does not require any additional software. This script should be saved as /usr/local/uvscan/update.sh with permissions of 755.

It may also be desirable to run this script from cron to download new virus definition updates nightly. To do this, issue the “crontab -e” command as root and add the following line:

15 2 * * * /usr/local/uvscan/update.sh > /dev/null 2>&1

This will update the virus definition files every morning at 2:15am. Since the script’s output is not important, it is discarded. Meanwhile, the actual virus definition updates are logged to /usr/local/uvscan/update.log.

Notifying Users of Quarantined Messages
By default, if a user receives a piece of mail with an infected attachment, the user receives no notification that a message was even sent. To prevent users from incorrectly assuming that the mail system is losing their mail when an infected document is attached, it is desirable to let the user know what really happened. To do this, open /usr/sbin/scanmails in a text editor and change the line “notifyuser=no” to “notifyuser=yes”.

Creating a New Mail Log (optional)

By default, mail system logs are stored in the file /var/log/syslog. Because other applications and daemons may also log to this file, this would be a good time to create a log file for mail only. To do so, edit /etc/syslog.conf and change the line

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

to

mail.debug                      ifdef(`LOGHOST', /var/log/maillog, @loghost)

Then touch the /var/log/maillog file and send a HUP signal to the syslog daemon like this:

# touch /var/log/maillog
# ps -ef | grep syslog
    root   146     1  0   May 03 ?        0:03 /usr/sbin/syslogd
    root 16609 16573  1 18:22:55 pts/0    0:00 grep syslog
# kill -HUP 146

Testing the Virus Scanner
To validate the installation of AMaViS, it’s necessary to send a pattern through the mail system that matches a known virus signature. Before sending a live virus through the system, it’s best to start out with the EICAR test pattern. EICAR is not really a virus; it’s just a test pattern used by most virus scanning software to simulate a positive match. To test against the EICAR pattern, use the following procedure.

First, create an EICAR file like this. The pattern must be in single quotes: inside double quotes the shell would treat $EICAR and $H as variables and expand them to nothing, producing a file the scanner does not recognise.

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' >> eicar.com

Then, e-mail this file to an e-mail address on the system. You will notice the following message in your maillog:
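To push the file through the mailer without depending on a desktop mail client, the following added example (it is not from the article or from AMaViS) writes eicar.com with correct quoting, confirms that it is exactly 68 bytes, and wraps it in a multipart/mixed message that can be piped into /usr/lib/sendmail -t, the sendmail path shown in the ps output earlier. The sender and recipient addresses in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): write the EICAR test file and wrap it
# in a MIME message that can be piped into sendmail for an end-to-end test.

# The EICAR string is kept in single quotes: inside double quotes the shell
# would expand $EICAR and $H as variables and corrupt the pattern.
EICAR_PATTERN='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write eicar.com to the given path and print its size. printf '%s' avoids
# echo's backslash handling and the trailing newline; the file must be 68 bytes.
write_eicar() {
    printf '%s' "$EICAR_PATTERN" > "$1"
    wc -c < "$1" | tr -d ' '
}

# Build a multipart/mixed message with eicar.com as a plain 7-bit attachment.
# EICAR is pure ASCII, so no base64 or uuencode step is needed for this test.
# Arguments: sender address, recipient address, path to eicar.com.
build_eicar_message() {
    boundary="eicar-test-$$"
    printf 'From: %s\n' "$1"
    printf 'To: %s\n' "$2"
    printf 'Subject: AMaViS EICAR test\n'
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf '%s\n' "--$boundary"
    printf 'Content-Type: text/plain\n\nEICAR test attachment follows.\n\n'
    printf '%s\n' "--$boundary"
    printf 'Content-Type: application/octet-stream; name="eicar.com"\n'
    printf 'Content-Transfer-Encoding: 7bit\n'
    printf 'Content-Disposition: attachment; filename="eicar.com"\n\n'
    cat "$3"
    printf '\n%s\n' "--$boundary--"
}

# Count occurrences of the test pattern in a message read from stdin
# (a quick sanity check that the attachment made it into the message body).
count_pattern() {
    grep -c 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE'
}

# Usage on the mail host (placeholder addresses):
#   write_eicar eicar.com
#   build_eicar_message sender@example.net user@example.net eicar.com | /usr/lib/sendmail -t
```

Because the attachment is sent as 7-bit text, this exercises only the plainest path through scanmails; repeat the test with the file uuencoded, zipped and gzipped, as described below, to confirm that the decoders in front of the scanner are working too.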

# grep VIRUS /var/log/maillog
May  3 13:28:40 sparcie.houseofsharkdog.org scanmails[13929]: FOUND VIRUS IN MAIL from fwl@alcatraz.houseofsharkdog.org to fwl
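Once scanning is live, that log line is a useful detection signal in its own right. The following added example (not from the article or from AMaViS) parses “FOUND VIRUS IN MAIL” entries in the format shown above and summarises sender/recipient pairs, so an administrator can see at a glance who is sending infected mail before opening the quarantine in /var/virusmails/root. The sample log it embeds is constructed: one line is the grep output above, the rest are invented in the same format.

```shell
#!/bin/sh
# Added example (not from the article): summarise AMaViS "FOUND VIRUS" entries
# in the mail log. The line format is the one shown in the article's grep output:
#   <date> <host> scanmails[<pid>]: FOUND VIRUS IN MAIL from <sender> to <recipient>

# Count intercepted messages in the given log file.
virus_count() {
    grep -c 'scanmails\[[0-9]*\]: FOUND VIRUS IN MAIL' "$1"
}

# Print "count sender recipient" for each sender/recipient pair, most frequent first.
virus_pairs() {
    awk '/scanmails\[[0-9]+\]: FOUND VIRUS IN MAIL from / {
             for (i = 1; i <= NF; i++)
                 if ($i == "from") sender = $(i + 1)
                 else if ($i == "to") rcpt = $(i + 1)
             pairs[sender " " rcpt]++
         }
         END { for (p in pairs) print pairs[p], p }' "$1" | sort -rn
}

# Constructed sample log (addresses and hosts other than the article's are invented).
# Prints the path of the file it wrote.
make_sample_log() {
    f=${TMPDIR:-/tmp}/maillog-sample.$$
    cat > "$f" <<'EOF'
May  3 13:28:40 sparcie.houseofsharkdog.org scanmails[13929]: FOUND VIRUS IN MAIL from fwl@alcatraz.houseofsharkdog.org to fwl
May  3 13:28:41 sparcie.houseofsharkdog.org sendmail[13930]: NAA13930: from=postmaster, size=2048, class=0
May  3 14:02:11 sparcie.houseofsharkdog.org scanmails[14101]: FOUND VIRUS IN MAIL from fwl@alcatraz.houseofsharkdog.org to fwl
May  3 15:10:02 sparcie.houseofsharkdog.org scanmails[14377]: FOUND VIRUS IN MAIL from someone@example.net to jdoe
EOF
    echo "$f"
}

# Usage on the mail host:  sh virus_summary.sh /var/log/maillog
if [ $# -eq 1 ]; then
    echo "Intercepted messages: $(virus_count "$1")"
    virus_pairs "$1"
fi
```

Run against /var/log/maillog (or /var/log/syslog if the separate mail log was not created), the pair summary pairs naturally with the quarantine directory listing: one sender showing up repeatedly usually means an infected workstation on the sending side rather than a one-off.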

Also, e-mails will be sent to the virusalert alias and the account that sent the eicar.com file as an attachment.
The original sender will see the following message:

(Note: the system the mail was sent from in this example was not configured to receive mail, therefore messages from other systems may be dissimilar to the example).

Return-Path:
Received: (from root@localhost)
        by sparcie.houseofsharkdog.org (8.9.1b+Sun/8.9.1) id OAA14270;
        Thu, 3 May 2001 14:29:53 -0600 (MDT)
Date: Thu, 3 May 2001 14:29:53 -0600 (MDT)
Message-Id: <200105032029.OAA14270@sparcie.houseofsharkdog.org>
From: postmaster
To: fwl@alcatraz.houseofsharkdog.org
Subject: VIRUS IN YOUR MAIL TO fwl

                    V I R U S  A L E R T

Our viruschecker found a VIRUS in your email to "fwl".
We stopped delivery of this email!

Now it is on you to check your system for viruses

For further information about this viruschecker see:
        http://amavis.org/
        AMaViS - A Mail Virus Scanner, licenced GPL

For your reference, here are the headers from your email:

------------------------- BEGIN HEADERS -----------------------------
Return-Path:
Received: from alcatraz.houseofsharkdog.org (alcratraz.house.sharkdog.org [192.168.1.1])
        by sparcie.houseofsharkdog.org (8.9.1b+Sun/8.9.1) with ESMTP id OAA14217
        for ; Thu, 3 May 2001 14:29:30 -0600 (MDT)
Received: (from fwl@localhost)
        by alcatraz.houseofsharkdog.org (8.10.1/8.10.1) id f43DIqr26025
        for fwl@sparcie; Thu, 3 May 2001 06:18:52 -0700 (MST)
Date: Thu, 3 May 2001 06:18:11 -0700
From: FWL
To: fwl@sparcie.houseofsharkdog.org
Subject: Test E-mail
Message-ID: <20010503061811.B25165@alcatraz.houseofsharkdog.org>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="/WwmFnJnmDyWGHa4"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
-------------------------- END HEADERS ------------------------------

The virusalert alias will receive the following detailed message:


>From MAILER-DAEMON Sat May 5 12:09:53 2001
Date: Sat, 5 May 2001 12:09:53 -0600 (MDT)
From: Mail System Internal Data
Subject: DON'T DELETE THIS MESSAGE -- FOLDER INTERNAL DATA
X-IMAP: 0988921958 0000000028
Status: RO

This text is part of the internal format of your mail folder, and is not
a real message. It is created automatically by the mail system software.
If deleted, important folder data will be lost, and it will be re-created
with the data reset to initial values.

>From root Thu May 3 13:22:25 2001
Return-Path:
Received: (from root@localhost)
        by sparcie.houseofsharkdog.org (8.9.1b+Sun/8.9.1) id NAA13786;
        Thu, 3 May 2001 13:22:09 -0600 (MDT)
Date: Thu, 3 May 2001 13:22:09 -0600 (MDT)
Message-Id: <200105031922.NAA13786@sparcie.houseofsharkdog.org>
From: postmaster
To: virusalert
Subject: FOUND VIRUS IN MAIL from fwl@alcatraz.houseofsharkdog.org to fwl
X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
Status: O
X-Status:
X-Keywords:
X-UID: 1

The attached mail has been found to contain a virus
Originally /usr/sbin/scanmails -f fwl@alcatraz.houseofsharkdog.org -Y -a -d fwl
The mail has been stored as /var/virusmails/root/virus-20010503-13740

xxxxxxxxxxxxxxxxxxThu May 3 13:22:01 MDT 2001xxxxxxxxxxxxxxxxxxxxxxx
scanmails (0.2.1) called -f fwl@alcatraz.houseofsharkdog.org -Y -a -d fwl
FROM: fwl@alcatraz.houseofsharkdog.org
TO: fwl
maxlevel: 0
Contents of /var/tmp/scanmails13740/unpacked
/var/tmp/scanmails13740/unpacked:
total 10
drwxr-xr-x   3 root     root         512 May  3 13:22 .
drwx------   3 root     root         512 May  3 13:22 ..
-rw-r--r--   1 root     root          46 May  3 13:22 988917721.13758-0.sparcie.houseofsharkdog.org
drwxr-xr-x   2 root     root         512 May  3 13:22 SFX
-rw-r--r--   1 root     root          70 May  3 13:22 eicar.com

/var/tmp/scanmails13740/unpacked/SFX:
total 4
drwxr-xr-x   2 root     root         512 May  3 13:22 .
drwxr-xr-x   3 root     root         512 May  3 13:22 ..

Scanning /var/tmp/scanmails13740/unpacked/*
Scanning file /var/tmp/scanmails13740/unpacked/988917721.13758-0.sparcie.houseofsharkdog.org
Scanning file /var/tmp/scanmails13740/unpacked/eicar.com
/var/tmp/scanmails13740/unpacked/eicar.com
        Found: EICAR test file NOT a virus.

Summary report on /var/tmp/scanmails13740/unpacked/*
File(s)
        Total files: ...........     2
        Clean: .................     1
        Possibly Infected: .....     1

Thank you for choosing to evaluate VirusScan from Network Associates.
This version of the software is for Evaluation Purposes Only and may be
used for up to 30 days to determine if it meets your requirements. To
license the software, or to obtain assistance during the evaluation
process, please call (408) 988-3832. If you choose not to license the
software, you need to remove it from your system. All use of this
software is conditioned upon compliance with the license terms set forth
in the README.TXT file.

H+BEDV AntiVir scanstatus0 is: 0
Mcafee scanstatus1 is: 0
Dr. Solomon (old) scanstatus2 is: 0
Dr. Solomon (new) scanstatus3 is: 0
Sophos Sweep scanstatus4 is: 0
NAI Virus Scan 4.x scanstatus5 is: 13
KasperskyLab AVP scanstatus6 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
F-Secure Antivirus scanstatus8 is: 0
Trend Micro FileScanner scanstatus9 is: 0
CyberSoft vfind scanstatus10 is: 0
CAI InoculateIT (inocucmd) scanstatus11 is: 0
Virus FOUND
Sent notification to virusalert

After the cleartext EICAR has been sent through the system, continue to experiment by sending the same file through after it has been uuencoded, zipped, or gzipped.

Once the EICAR tests return satisfactory results, one could further experiment by sending actual virus code through the system. Be certain to update the virus definition files before doing so, however. Virus code is easy to locate by searching for “virus source code” on Google. For example, this link is the source code for the ILOVEYOU virus. The test configuration described here discovered this virus without any difficulty.

Advanced Applications
While this tutorial is intended to get the reader started with AMaViS on Solaris, there are many advanced features not covered. For example, many other types of compression utilities can be configured to assist in the decoding and scanning of compressed attachments. For more details, please refer to the AMaViS documentation.

Summary
Configuring Sendmail to scan for viruses isn’t a difficult task; it just takes some time. Using the McAfee anti-virus scanner and the AMaViS tools, system administrators can help prevent virus outbreaks by halting their proliferation before any damage can be caused.

About the Author
William Lynch is a technology consultant in Denver, CO. He spends every waking hour either in front of a computer, practicing martial arts or watching hockey.