AntiVirus Filter Download
The AntiVirus Filter requires that Microsoft XML 3.0 or XML 4.0 be installed on the system where the mail server is running. If this is the first time you are using this version of the filter, run the Registry Editor and check for the existence of the key "HKLM\Software\Classes\Msxml2.domdocument.3.0" or "HKLM\Software\Classes\Msxml2.domdocument.4.0". If neither key is present, first install XML 3.0 or XML 4.0 from http://www.microsoft.com/xml/.
Refer to the README.TXT file included in the specific distribution for instructions on installing and uninstalling the filter.
Version 1.1.3
for Merak Mail (ASCII Version for Windows 95/98/ME/NT/2000/XP)
for Microsoft Exchange 2000
Known Issues
- While internal support was added for eset NOD32, it was discovered that NOD32 does not process MIME-encoded attachments, so NOD32 is ineffective at identifying viruses until this filter can extract attachments prior to scanning. Specific documentation is not being provided for the NOD32 implementation until this feature is added.
- The filter must be configured as a static filter in Merak Mail versions prior to v5.2.1 to use the new filter interface. If configured as a content filter, the old interface is used and information such as SMTP error codes and messages cannot be passed back to Merak Mail by the filter. Merak v5.2.1 and later uses the new filter interface for both static and content filter DLLs.
Revision History
Version 1.1.3, 29 October 2003
- Some boundary header lines were not parsed properly, resulting in attachments not being separated, which could leave some base64-encoded attachments unscanned in their decoded state.
- Exchange 2000: the <copy> operation is now performed using the multibyte character set to aid redelivery by dropping email into the pickup directory; Unicode files were not accepted in the pickup directory.
- Added two retries on SMTP connection failures when processing <email> nodes; additional error information is logged.
- Fixed a buffer overflow in the SMTP mailer related to a large list of recipients.
- Fixed a buffer overflow in <copy> processing related to a large list of recipients.

Version 1.1.2, 5 August 2003
- Fixed creation of URL-safe and filename-safe macro substitutions when high ASCII characters (128-255) are present.

Version 1.1.1, private release
- Added macro {source:bytecount}, which expands to the number of bytes in the source email file.

Version 1.1.0, 7 November 2002
- Added high-resolution time information to log lines.
- Added macros for time of day.
- Reorganized common code shared with the Mail Content filter DLL.
- Added log <option> type copy to control logging of copied files.
- Added attribute enabled to the <option> node to selectively enable or disable log options without removing the declaration.
- All macros can now be accessed as HTML-safe text by appending ".html" to the macro name.
- All macros can now be accessed as URL-safe text by appending ".url" to the macro name.
- All macros can now be accessed as filename-safe text by appending ".file" to the macro name.
- Added log <option> type result buffer to control logging of the raw result buffer returned to the mail server.

Version 1.0.7, 15 October 2002
- Fixed a buffer overflow that occurred when a large To header line was encountered, such as in emails sent to large mailing lists that have not hidden the recipients. The buffer was used for macro substitution of {header:to}; the overflow was causing the SMTP service to terminate.
- Updated the macro substitution code to allocate buffers based on the required size rather than over-allocating a fixed buffer and risking an overflow.
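The two macro-substitution fixes noted in this history (size-based allocation for {header:to} in 1.0.7, and the ".url" form of a macro value for bytes 128-255 in 1.1.0 and 1.1.2) as an added C example; this is not the filter's code, and `url_safe`, `expand_to` and the set of characters left unencoded are my own assumptions. The page does not state the cause of the high-ASCII bug, so the unsigned-byte handling shown is a general precaution, not a description of the original defect.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Characters copied unchanged in the ".url" form of a macro value (assumed set). */
static int unreserved(unsigned char c) {
    return (c < 128 && isalnum(c)) || (c && strchr("-_.~", c));
}

/* URL-safe copy of a macro value. Bytes are handled as unsigned so that
   128-255 encode as %80..%FF rather than being sign-extended; the output is
   measured first and allocated at exactly the required size. */
char *url_safe(const char *s) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (const char *t = s; *t; t++) n += unreserved((unsigned char)*t) ? 1 : 3;
    char *out = malloc(n + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (unreserved(c)) *p++ = (char)c;
        else { *p++ = '%'; *p++ = hex[c >> 4]; *p++ = hex[c & 15]; }
    }
    *p = '\0';
    return out;
}

/* Expand {header:to} and {header:to.url} in tmpl. Pass 0 only measures, so
   the result is allocated at the size it needs and a To: line of any length
   cannot overrun a fixed buffer. Returns a malloc'd string; caller frees. */
char *expand_to(const char *tmpl, const char *to_hdr) {
    const char *raw = "{header:to}", *url = "{header:to.url}";
    char *enc = url_safe(to_hdr), *out = NULL;
    if (!enc) return NULL;
    size_t rl = strlen(raw), ul = strlen(url), vl = strlen(to_hdr), el = strlen(enc);
    for (int pass = 0; pass < 2; pass++) {
        size_t n = 0;
        for (const char *s = tmpl; *s;) {
            if (!strncmp(s, url, ul)) { if (pass) memcpy(out + n, enc, el); n += el; s += ul; }
            else if (!strncmp(s, raw, rl)) { if (pass) memcpy(out + n, to_hdr, vl); n += vl; s += rl; }
            else { if (pass) out[n] = *s; n++; s++; }
        }
        if (pass) out[n] = '\0';
        else if (!(out = malloc(n + 1))) break;
    }
    free(enc);
    return out;
}
```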
Version 1.0.6, 10 October 2002
- XML 4.0 is supported if available on the system.

Version 1.0.5, 9 October 2002
- Added support for Grisoft AVG anti-virus software. Set attribute type in a <scanner> node to "avg" to select the proper parsing methods and external process options.
- Added attribute extractmime in <scanner> nodes to specify that the MIME email should have all elements extracted into separate files before processing by the antivirus scanner. (Extraction is only partially implemented and does not affect any supported scanners; it is for future support of additional scanners.)
- The McAfee VirusScan scanner was originally tested with scan.exe v4.16.0. An earlier version, v4.14.0, was identified that uses a slightly different report format; this older format is now supported by the filter.
- Added {mailfiletempfile} macro expansion for the full name of the temporary file in the temporary directory when the original email file is copied before scanning.
- Added {virus:scanner} macro expansion for the name of the virus scanner that detected a virus.

Version 1.0.4, 9 October 2002
- Added {header:x-apparently-from} macro expansion to emails. Some services, such as AOL, add this header line to all emails based on the logged-on user, so it is often the real source of a virus email in cases where the From address is randomly chosen by a virus. The suggested use of this macro is as an additional "to" attribute for emails sent to the sender of the infected source email. If there is no "x-apparently-from" header, this macro expands to nothing. It is safe to include empty email addresses in the "to", "cc" and "bcc" attributes; they are ignored.
- Added support for multiple <scanner> nodes.
- Added support for eset NOD32 anti-virus software. Set attribute type in a <scanner> node to "nod32" to select the proper parsing methods and external process options.
- Added node <currentdir> in <scanner> nodes to specify the starting directory of the external process.
- Added attribute usetempdir to the <scanner> node to specify that the email being scanned must be moved to a temporary directory for the scanner to process (for scanners that require an entire directory to be scanned and do not support scanning a single file). Macro {mailfiletempdir} expands to this temporary directory name.
- Added log <option> types interface and interface buffer to log information about the interface used to call the filter and the raw data passed through that interface.
- Fixed: <log> options were not reinitialized before reloading the configuration when configuration changes were detected.
- Added attribute enabled to the <scanner> node, so a scanner can be enabled or disabled without removing its entire configuration.
- Added XML data for the email header, SMTP envelope and antivirus scanner results to the HTTP post for <http> node processing.
- Added {likely-sender} macro expansion. The value is the x-apparently-from header if present; otherwise the MAIL FROM SMTP envelope data is returned.
- Internal changes to how macros are processed.
- Added {header:subject}, {header:to} and {header:from} macro expansions.
- Added node <tempdir> in <scanner> nodes to specify the temporary directory used for report files (overrides the Windows temporary directory, which is used when this node is not present).
- Added support for F-Prot Antivirus for DOS. Set attribute type in a <scanner> node to "f-prot" to select the proper parsing methods and external process options. Use of <tempdir> is recommended to explicitly specify a short temporary path because of command line length limitations on DOS programs. Feedback is appreciated.

Version 1.0.3, 20 September 2002
- Added {reportfile} macro expansion to the <attach> node in email attachments so that the original virus scan report captured from the email scanner can be emailed as an attachment.
- Corrected the format of the "Content-Disposition" header on attachments in email (it was missing the closing double quote).

Version 1.0.2, 19 September 2002
- Added more error trapping in the new SMTP mailer code to protect against unexpected problems causing the filter to end prematurely without returning the proper result to Merak Mail. (The problem this was meant to address was later confirmed to be a connectivity issue with the SMTP server, not filter code, though this fix will prevent server connectivity issues from interfering in the future.)

Version 1.0.1, 19 September 2002
- Extensive email support added as an optional action in a <result> node. Unlimited emails can be defined, and each email can have any number of body elements and attachments. The sample configuration includes a multipart/alternative email with both text/plain and text/html body parts; the text/html part includes two embedded graphic images. The sample emails are sent to the original recipients and to the sender upon detection of a virus and include the virus name and header information.

Version 1.0.0, 17 September 2002
- Initial release supporting McAfee VirusScan. No email support is included.