Additional Anti Virus Engines

By default Baruwa Enterprise Edition runs the ClamAV Anti-Virus engine at SMTP time. You can change this behaviour on a per-domain basis so that Anti-Virus checks run after the message has been accepted.

You can also run additional Anti-Virus engines, both at SMTP time within the MTA process and after accepting the message from within the scanner process.

The recommended approach is to run Anti-Virus checks at SMTP time and reject infected messages straight away.

The following Anti-Virus engines are supported.

Name                     SMTP Time Scanning    POST SMTP Time Scanning
ClamAV                   Yes                   Yes
Sophos                   Yes                   Yes
F-Secure                 Yes                   Yes
ESET                     No                    Yes
F-PROT                   Yes                   Yes
AVAST                    Yes                   Yes
Kaspersky Scan Engine    Yes                   Yes

Installation and Configuration

ClamAV

ClamAV is part of the base install and is configured to run at SMTP time by default. If you want to perform scanning POST SMTP time, select Clamav Daemon under virus checks in the BaruwaScanner settings section of the interface.

Sophos

To install Sophos, download the Antivirus for Linux package from the Sophos website. The software is free to download and use.

You need an additional 1GB of RAM to run the Sophos Anti-Virus engine.

Copy the tar file to the /usr/local/src directory on your server.

Follow these steps to install and configure the software.

  • Extract the files from the tar file:

    tar xvf sav-linux-free-9.tgz
    
  • Run the setup script:

    ./sophos-av/install.sh
    
  • The script will prompt you for information as follows:

    Press <return> to display Licence. Then press <spc> to scroll forward.
    

Press enter until you reach the bottom of the licence text:

Do you accept the licence? Yes(Y)/No(N) [N]

Type Y to accept the licence or N to decline; if you enter N the script exits:

Where do you want to install Sophos Anti-Virus? [/opt/sophos-av]

Leave the default and press enter:

Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]

Type N and press enter:

Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]

Press enter:

Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]

Type s for the supported version or f for the free version:

Do you need a proxy to access Sophos updates? Yes(Y)/No(N) [N]

Press enter.

The script will perform the installation and setup. If all goes well you should get the following message:

Starting Sophos Anti-Virus daemon:                         [  OK  ]
Installation completed.

  • At this point you are ready to configure the software. To do so, run the following:

    /opt/sophos-av/bin/savconfig UINotifier false
    /opt/sophos-av/bin/savconfig EmailNotifier false
    /opt/sophos-av/bin/savconfig EnableOnStart false
    /opt/sophos-av/bin/savconfig UIttyNotification false
    /opt/sophos-av/bin/savconfig SendThreatEmail false
    /opt/sophos-av/bin/savconfig UpdatePeriodMinutes 30
    /opt/sophos-av/bin/savconfig EmailDemandSummaryIfThreat false
    /opt/sophos-av/bin/savupdate
    /opt/sophos-av/bin/savdctl --daemon disable
    service sav-protect restart
    

Sophos Integration

There are two ways in which Sophos can be integrated into Baruwa Enterprise Edition: Sophos SAVID and the Sophos command line.

Sophos SAVID is the most efficient way to integrate; however, it is only available to paying Sophos customers. If you are not a paying customer, select the Sophos command line option.

Sophos SAVID

To enable the SAVID integration method, you need to download and install the SAV Dynamic Interface Linux 64 bit package (Sophos account required).

Copy the tar file to the /usr/local/src directory on your server.

Follow these steps to install and configure the software.

  • Extract the files from the tar file:

    tar xvf savdi-linux-64bit.tar
    
  • Run the install script:

    cd savdi-install/
    ./savdi_install.sh
    
  • Create the required directories:

    mkdir /var/lib/savdid
    mkdir /var/run/savdid
    chmod 0700 /var/run/savdid
    chmod 0750 /var/lib/savdid
    
  • Create the group and user:

    groupadd -r savdid
    useradd -r -g savdid -d /var/lib/savdid -s /sbin/nologin -c "Sophos savdid user" savdid
    
  • Change the directory ownership:

    chown savdid.exim /var/lib/savdid
    chown savdid.savdid /var/run/savdid
    
  • Download and install configuration file:

    cp /usr/local/savdi/savdid.conf /usr/local/savdi/savdid.conf.orig
    curl -o /usr/local/savdi/savdid.conf https://raw.githubusercontent.com/baruwa-enterprise/baruwa-misc/master/savdid.conf
    
  • Download and install the init script:

    curl -o /etc/init.d/savdid https://raw.githubusercontent.com/baruwa-enterprise/baruwa-misc/master/savdid.init
    chmod +x /etc/init.d/savdid
    chkconfig savdid on
    
  • Start the SAVID service:

    service savdid start
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = sophie:/var/lib/savdid/savdid.sock
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • Install and start the update notification system:

    yum install python-watcher -y
    chkconfig python-watcher on
    service python-watcher start
    
  • To enable POST SMTP Time Scanning, select Sophos SAVID under virus checks in the BaruwaScanner settings section of the interface.

Sophos Command line

Use the command line integration option if you are not a paying Sophos customer or if you want to do POST SMTP scanning.

  • Create a wrapper script for SMTP Time scanning:

    cat > /usr/local/bin/sav-scan << 'EOF'
    #!/bin/bash
    #
    # Wrapper around savscan for Exim's cmdline scanner: scan the file
    # passed as the first argument with the options Baruwa expects.
    /opt/sophos-av/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback --no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious "$1"
    exit 0
    EOF
    
  • Make the wrapper script executable:

    chmod +x /usr/local/bin/sav-scan
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = cmdline:/usr/local/bin/sav-scan %s: found in file:'(.+)'
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • Restart baruwascanner for the above configuration to take effect:

    service baruwascanner restart
    
  • To enable POST SMTP Time Scanning, select Sophos under virus checks in the BaruwaScanner settings section of the interface.
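The scanner spec in the override above, cmdline:/usr/local/bin/sav-scan %s: found in file:'(.+)', is Exim's generic command-line interface: the first field is the command (%s becomes the file to scan), the second is the trigger regex that marks an output line as a detection, and the third is the name regex whose first group becomes $malware_name. The script below is an added example, not part of the Baruwa documentation or of Sophos, that models how those two expressions turn the wrapper's output into a verdict; the sample output lines are constructed (their wording is assumed, not captured from a real savscan run), and applying the name regex to the triggering line is a simplification of what Exim does.

```shell
#!/bin/sh
# Added example: model of Exim's "cmdline:" scanner parsing for the
# sav-scan wrapper. Not Baruwa's code; output format below is assumed.

# Trigger and name expressions exactly as written in the scanner spec.
TRIGGER_RE='found in file'
NAME_RE="'(.+)'"

# Constructed sample output (assumed format, not from a real scan).
INFECTED_OUTPUT=">>> Virus 'EICAR-AV-Test' found in file /var/spool/exim/scan/1abc-xyz/part.bin"
CLEAN_OUTPUT="No viruses were discovered."

# cmdline_verdict OUTPUT
# Prints the extracted malware name and returns 0 when some output line
# matches the trigger regex; prints nothing and returns 1 otherwise.
cmdline_verdict() {
    line=$(printf '%s\n' "$1" | grep -E "$TRIGGER_RE" | head -n 1)
    [ -n "$line" ] || return 1
    # Simplification: apply the name regex to the triggering line and
    # report group 1, which is what ends up in $malware_name.
    printf '%s\n' "$line" | sed -E "s/.*$NAME_RE.*/\1/"
}

# Usage with the real wrapper (not run here):
#   cmdline_verdict "$(/usr/local/bin/sav-scan /path/to/extracted/message)"
```

Because the decision rests on the output alone, a change to savscan's output wording (for example after an upgrade) silently turns every scan into a clean result; checking the wrapper's output against the trigger regex after each Sophos update is the practical safeguard.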

F-Secure

To install F-Secure, download the Linux Server Security package from the F-Secure website. This is commercial software, so you need to purchase a license. If you do not have a license the software will work in evaluation mode for 30 days, after which it will cease to function correctly.

You need an additional 1GB of RAM to run the F-Secure Anti-Virus engine.

Copy the tar file to the /usr/local/src directory on your server.

Follow these steps to install and configure the software.

  • Extract the files from the tar file:

    tar xzvf fsls-11.00.79-rtm.tar.gz
    
  • F-Secure does not provide 64-bit packages, so you need to install the 32-bit compatibility packages:

    yum install glibc.i686 libstdc++.i686
    
  • Run the setup script:

    ./fsls-11.00.79-rtm/fsls-11.00.79-rtm --command-line-only --auto standalone lang=en noremotewui nolocallogin nofirewall
    
  • Edit the /etc/opt/f-secure/fssp/fssp.conf configuration file and make the following changes:

    odsFileScanInsideMIME 1
    odsFilePrimaryActionOnInfection 1
    odsFileSecondaryActionOnInfection 2
    odsAskQuestions 0
    odsFollowSymlinks 1
    daemonLogfileEnabled 1
    daemonSocketMode 0660
    socketpathGroup exim
    
  • Install the fsavd init script:

    cp /opt/f-secure/fssp/etc/fsavd /etc/init.d/
    chmod +x /etc/init.d/fsavd
    chkconfig --add fsavd
    
  • Start the fsavd service:

    service fsavd start
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = fsecure:/tmp/.fsav-0
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • Restart baruwascanner for the above configuration to take effect:

    service baruwascanner restart
    
  • To enable POST SMTP Time Scanning, select the F-Secure Daemon under virus checks in the BaruwaScanner settings section of the interface.

ESET

To install ESET, download the ESET for Linux package from the ESET website. This is commercial software so you need to purchase a license.

You need an additional 512MB of RAM to run the ESET Anti-Virus engine.

  • ESET does not provide 64-bit packages, so you need to install the 32-bit compatibility packages:

    yum install glibc.i686 libstdc++.i686
    
  • Install the ESET rpm package.

  • To enable POST SMTP Time Scanning, select ESET under virus checks in the BaruwaScanner settings section of the interface.

F-PROT

There is a package available for F-PROT within our repository. This is commercial software, so you need to purchase a license.

  • To install the package run:

    yum install f-prot -y
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = f-prot6d:127.0.0.1 10200
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • To enable POST SMTP Time Scanning, select the F-prot Daemon 6 under virus checks in the BaruwaScanner settings section of the interface.

AVAST

There is a package available for AVAST within our repository. This is commercial software, so you need to purchase a license.

Note

We are an authorized Avast reseller so you can purchase AVAST subscriptions through us at discounted list pricing.

  • To install the package run:

    yum install avast -y
    
  • Install your license by copying it to /etc/avast/license.avastlic on your Baruwa server.

  • Start the Avast daemon:

    service avast start
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = avast:/var/run/avast/scan.sock
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • To enable POST SMTP Time Scanning, select Avast under virus checks in the BaruwaScanner settings section of the interface.

Kaspersky Scan Engine

There is a package available for Kaspersky Scan Engine within our repository. This is commercial software, so you need to purchase a license.

  • To install the package run:

    yum install kse -y
    
  • Install your license by copying it to the /opt/kaspersky/ScanEngine/bin directory on your Baruwa server.

  • Start the Kaspersky Scan Engine daemon:

    service kavhttpd restart
    
  • Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):

    cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
      warn    hosts         = 127.0.0.1
              add_header    = X-Baruwa-Virus-Checks: bypassed, quarantine release
      drop    set acl_m_av_scanner = kse:/var/run/kse/kse.sock
              malware       = ${if and { \
                                      {!eq {$sender_host_address}{127.0.0.1}} \
                                      {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                                      {eq {${if forall{<, $recipients}{match{\
                                          ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                      {eq {${if forall{<, $recipients}{\
                                          match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                                  }{*}{0}}
              message       = The message was rejected due to security policies - INFO_URL#mvi
              log_message   = This message matched anti-virus signature [$malware_name]
    EOF
    
  • To enable POST SMTP Time Scanning, select the Kaspersky Scan Engine under virus checks in the BaruwaScanner settings section of the interface.
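The MTA override added in each engine section above (Sophos SAVID, Sophos command line, F-Secure, F-PROT, AVAST and Kaspersky Scan Engine) is the same apart from the acl_m_av_scanner value. Its malware = condition decides per message whether the engine runs at all: the result is * (scan) only when the sender is not 127.0.0.1 (the quarantine-release path the preceding warn verb marks as bypassed), the sender is not inside the SAVDB network list, every recipient's smtp_av setting is yes, and every recipient's virus_checks setting is yes; otherwise it is 0 and scanning is skipped. The script below is an added example, not Baruwa's code, that models that decision in shell: the SAVDB list and the cleandata records are constructed stand-ins, ip_in_network is re-implemented here instead of calling Baruwa's Perl helper, and the lookup mimics Exim's cdb*@ search order (full address, then *@domain, then *) with yes as the default the ACL's ${extract} supplies when a record or field is missing.

```shell
#!/bin/sh
# Added example (not part of Baruwa): model of the ${if and{...}} that
# computes the "malware =" argument in the ACL override. All data below
# is constructed.

# Stand-in for the SAVDB network list used by ${perl{ip_in_network}...}.
SAVDB="10.0.0.0/8 192.168.1.0/24"

# Stand-in for /var/lib/baruwa/data/db/cleandata.cdb: "key|field=value ...".
CLEANDATA='
user@example.com|smtp_av=no virus_checks=yes
*@example.com|smtp_av=yes virus_checks=yes
*@noscan.example|smtp_av=yes virus_checks=no
'

ip2int() {
    # Dotted quad to integer; the address is assumed to be valid IPv4.
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_network() {
    # ip_in_network IP "CIDR CIDR ..." -> 0 when IP lies in any network.
    ip=$(ip2int "$1")
    for cidr in $2; do
        bits=${cidr#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        [ $(( ip & mask )) -eq $(( $(ip2int "${cidr%/*}") & mask )) ] && return 0
    done
    return 1
}

lookup_field() {
    # lookup_field RECIPIENT FIELD -> FIELD from the first matching record,
    # trying the keys in Exim's cdb*@ order; "yes" when nothing is found.
    for key in "$1" "*@${1#*@}" "*"; do
        rec=$(printf '%s\n' "$CLEANDATA" | awk -F'|' -v k="$key" '$1 == k { print $2; exit }')
        [ -n "$rec" ] || continue
        for kv in $rec; do
            [ "${kv%%=*}" = "$2" ] && { echo "${kv#*=}"; return 0; }
        done
        break
    done
    echo yes
}

smtp_av_scan_required() {
    # smtp_av_scan_required SENDER_IP RECIPIENT... -> 0 when all four ACL
    # conditions hold, 1 as soon as one of them fails.
    sender=$1; shift
    [ "$sender" != "127.0.0.1" ] || return 1
    if ip_in_network "$sender" "$SAVDB"; then return 1; fi
    for rcpt in "$@"; do
        [ "$(lookup_field "$rcpt" smtp_av)" = yes ] || return 1
    done
    for rcpt in "$@"; do
        [ "$(lookup_field "$rcpt" virus_checks)" = yes ] || return 1
    done
    return 0
}

malware_condition() {
    # Echoes the value the ACL assigns to "malware =": "*" or "0".
    if smtp_av_scan_required "$@"; then echo '*'; else echo 0; fi
}
```

The two forall loops mean a single recipient with scanning disabled switches SMTP-time scanning off for the whole message, including its other recipients; those recipients then only see a scan if POST SMTP scanning is enabled for them in the BaruwaScanner settings, which is worth keeping in mind when a domain opts out.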