Additional Anti Virus Engines
By default Baruwa Enterprise Edition runs the ClamAV Anti Virus engine at SMTP time. On a per-domain basis you can change this behaviour so that Anti Virus checks run after you have accepted the message.
You can also run additional Anti Virus Engines, both at SMTP time within the MTA process and after accepting the message from within the scanner process.
The recommended approach is to run Anti Virus checks at SMTP time and reject infected messages straight away: the sending server receives the rejection, and nothing has to be quarantined or bounced from your side.
The following Anti Virus Engines are supported.
Name                  | SMTP Time Scanning | POST SMTP Time Scanning |
----------------------|--------------------|-------------------------|
ClamAV                | Yes                | Yes                     |
Sophos                | Yes                | Yes                     |
F-Secure              | Yes                | Yes                     |
ESET                  | No                 | Yes                     |
F-PROT                | Yes                | Yes                     |
AVAST                 | Yes                | Yes                     |
Kaspersky Scan Engine | Yes                | Yes                     |
Installation and Configuration
ClamAV
ClamAV is part of the base install and is configured to run by default at SMTP time. If you want to perform scanning POST SMTP time then you need to select the Clamav Daemon option under virus checks in the BaruwaScanner settings section of the interface.
Sophos
To install Sophos, download the Antivirus for Linux package from the Sophos website. The software is free to download and use.
You need an additional 1GB of RAM to run the Sophos Anti-Virus Engine.
Copy the tar file to the /usr/local/src directory on your server.
Follow these steps to install and configure the software.
Extract the files from the tar file:
tar xvf sav-linux-free-9.tgz
Run the setup script:
./sophos-av/install.sh
The script will prompt you for information as follows:
Press <return> to display Licence. Then press <spc> to scroll forward.
Press enter until you get to the bottom of the License text:
Do you accept the licence? Yes(Y)/No(N) [N]
Type Y if you want to accept the license or N if not. If you enter N the script will exit:
Where do you want to install Sophos Anti-Virus? [/opt/sophos-av]
Leave at the default and press enter:
Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
Type N and press enter. On-access scanning hooks every file access on the host; mail scanning does not need it and it only costs performance here:
Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s]
Press enter:
Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s]
Type s if you want the supported version or f for the free version:
Do you need a proxy to access Sophos updates? Yes(Y)/No(N) [N]
Press enter.
The script will perform the installation and setup. If all goes well you should get the following message:
Starting Sophos Anti-Virus daemon: [ OK ]
Installation completed.
At this point you are now ready to configure the software. To do so run the following:
# Disable notifications and on-access scanning (Baruwa reports detections itself),
# poll for definition updates every 30 minutes, then fetch definitions and restart.
/opt/sophos-av/bin/savconfig UINotifier false
/opt/sophos-av/bin/savconfig EmailNotifier false
/opt/sophos-av/bin/savconfig EnableOnStart false
/opt/sophos-av/bin/savconfig UIttyNotification false
/opt/sophos-av/bin/savconfig SendThreatEmail false
/opt/sophos-av/bin/savconfig UpdatePeriodMinutes 30
/opt/sophos-av/bin/savconfig EmailDemandSummaryIfThreat false
/opt/sophos-av/bin/savupdate
/opt/sophos-av/bin/savdctl --daemon disable
service sav-protect restart
Sophos Integration
There are two ways in which Sophos can be integrated into Baruwa Enterprise Edition: Sophos SAVID (the resident savdid daemon, reached over a socket) and Sophos Command line (the savscan binary, started for each scan).
Sophos SAVID is the most efficient way to integrate, however it is only available to Sophos paying customers. If you are not a paying customer then you need to select the Sophos Command line option.
Sophos SAVID
To enable the SAVID integration method, you need to download and install the SAV Dynamic Interface Linux 64 bit package (Sophos account required).
Copy the tar file to the /usr/local/src directory on your server.
Follow these steps to install and configure the software.
Extract the files from the tar file:
tar xvf savdi-linux-64bit.tar
Run the install script:
cd savdi-install/
./savdi_install.sh
Create the required directories:
mkdir /var/lib/savdid
mkdir /var/run/savdid
chmod 0700 /var/run/savdid
chmod 0750 /var/lib/savdid
Create the group and user:
groupadd -r savdid
useradd -r -g savdid -d /var/lib/savdid -s /sbin/nologin -c "Sophos savdid user" savdid
Change the directory ownership:
# /var/lib/savdid holds the socket Exim connects to, so its group is exim (mode 0750 above)
chown savdid.exim /var/lib/savdid
chown savdid.savdid /var/run/savdid
Download and install configuration file:
cp /usr/local/savdi/savdid.conf /usr/local/savdi/savdid.conf.orig
curl -o /usr/local/savdi/savdid.conf https://raw.githubusercontent.com/baruwa-enterprise/baruwa-misc/master/savdid.conf
Download and install the init script:
curl -o /etc/init.d/savdid https://raw.githubusercontent.com/baruwa-enterprise/baruwa-misc/master/savdid.init
# this script runs as root at boot: read it before enabling it
chmod +x /etc/init.d/savdid
chkconfig savdid on
Start the SAVID service:
service savdid start
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time). Note that cat >> appends to the file: every block you add is another scan of each message, so remove the block for an engine you stop using.
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  drop    set acl_m_av_scanner = sophie:/var/lib/savdid/savdid.sock
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
Install and startup the update notification system:
yum install python-watcher -y
chkconfig python-watcher on
service python-watcher start
To enable POST SMTP Time Scanning, select the Sophos SAVID option under virus checks in the BaruwaScanner settings section of the interface.
Sophos Command line
Use the command line integration option if you are not a Sophos paying customer or if you want to do POST SMTP scanning.
Create a wrapper script for SMTP Time scanning:
cat > /usr/local/bin/sav-scan << 'EOF'
#!/bin/bash
#
# Wrap savscan so that Exim's cmdline scanner can run it on the spool file.
# Exits 0 regardless of the result: Exim decides from the "found in file" line
# in the output (see the regexes on the cmdline: line below), not from the exit code.
/opt/sophos-av/bin/savscan -nb -sc -f -all -rec -ss -archive -loopback --no-follow-symlinks --no-reset-atime -tnef -mime -oe -pua -suspicious "$1"
exit 0
EOF
Make the wrapper script executable:
chmod +x /usr/local/bin/sav-scan
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  # cmdline:<command>:<trigger regex>:<name regex>
  drop    set acl_m_av_scanner = cmdline:/usr/local/bin/sav-scan %s: found in file:'(.+)'
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
Restart baruwascanner for the above configuration to take effect:
service baruwascanner restart
To enable POST SMTP Time Scanning, select the Sophos option under virus checks in the BaruwaScanner settings section of the interface.
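Before relying on any of the SMTP-time blocks above, confirm two things: that the engine actually reports a detection in the form the ACL expects, and that the MTA rejects an infected message from an outside sender. The script below is an added example and not part of Baruwa or Sophos. It runs a scanner on a fresh EICAR test file and applies the same trigger regex (" found in file") and name regex ('(.+)') that the cmdline: line uses, so a passing run means Exim would have seen the hit; it also builds an EICAR-carrying MIME message you can submit over SMTP to see the drop's 5xx answer. The default scanner path, the sample savscan report line used for parsing, and the placeholder addresses are assumptions, not values from the page.

```shell
#!/bin/sh
# av-smoke-test.sh: added example, not part of Baruwa or Sophos.
# Checks a command-line AV integration the way the Exim ACL above uses it.

# EICAR test string (68 bytes): harmless by design, detected by every engine on this page.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Write the test file into a fresh directory and print its path.
write_eicar() {
    dir=$(mktemp -d /tmp/av-smoke.XXXXXX)
    printf '%s' "$EICAR" > "$dir/eicar.com"
    echo "$dir/eicar.com"
}

# Apply the two regexes from the ACL's cmdline scanner line to a scanner report:
# the trigger ' found in file' means "infected", and the text between the quotes
# on that line is the signature name. Prints the name and returns 0 on a hit,
# returns 1 on a clean report. Assumes savscan's report format
# ">>> Virus 'NAME' found in file PATH" (the format the ACL regex targets).
parse_report() {
    line=$(printf '%s\n' "$1" | grep ' found in file' | head -n 1)
    [ -n "$line" ] || return 1
    name=$(printf '%s\n' "$line" | sed -n "s/.*'\([^']*\)'.*/\1/p")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# Run a scanner (default: the sav-scan wrapper, assumed installed as above) on a
# fresh EICAR file and report whether the ACL would have seen a detection.
run_scanner_check() {
    scanner=${1:-/usr/local/bin/sav-scan}
    file=$(write_eicar)
    report=$("$scanner" "$file" 2>&1 || true)
    if name=$(parse_report "$report"); then
        echo "OK: $scanner reported [$name] for $file"
        return 0
    fi
    echo "FAIL: no detection line in output of $scanner:"
    printf '%s\n' "$report"
    return 1
}

# Build an RFC 822 message with the EICAR file attached, for an SMTP-time test.
# Submit it from a host that is neither 127.0.0.1 nor in the SAVDB list, to a
# recipient in a domain with SMTP-time AV enabled; the MTA should answer with
# the "rejected due to security policies" 5xx from the drop statement.
build_test_message() {
    to=$1
    from=${2:-sender@example.net}      # placeholder addresses (assumption)
    boundary="eicar-smoke-$$"
    printf 'From: %s\nTo: %s\nSubject: EICAR smoke test\nMIME-Version: 1.0\n' "$from" "$to"
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    printf '%s\nContent-Type: text/plain\n\nEICAR test file attached.\n\n' "--$boundary"
    printf '%s\nContent-Type: application/octet-stream; name="eicar.com"\n' "--$boundary"
    printf 'Content-Transfer-Encoding: base64\nContent-Disposition: attachment; filename="eicar.com"\n\n'
    printf '%s' "$EICAR" | base64
    printf '\n%s\n' "--$boundary--"
}

# Usage: av-smoke-test.sh [scanner]                      -> runs the scanner check
#        av-smoke-test.sh message user@example.com > eicar.eml
if [ "${1:-}" = "message" ]; then
    build_test_message "$2"
elif [ $# -gt 0 ]; then
    run_scanner_check "$1"
fi
```

The scanner check only proves the engine side; the SMTP-time test proves the whole path (network list, per-domain smtp_av and virus_checks flags, and the drop). Run the message test from a host outside SAVDB, because a submission from 127.0.0.1 deliberately bypasses the scan and is only tagged with the X-Baruwa-Virus-Checks header.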
F-Secure
To install F-Secure, download the Linux Server Security package from the F-Secure website. This is commercial software, so you need to purchase a license. If you do not have a license the software will work in evaluation mode for 30 days, after which it will cease to function correctly.
You need an additional 1GB of RAM to run the F-Secure Anti-Virus Engine.
Copy the tar file to the /usr/local/src directory on your server.
Follow these steps to install and configure the software.
Extract the files from the tar file:
tar xzvf fsls-11.00.79-rtm.tar.gz
F-Secure does not provide 64-bit packages so you need to install 32-bit compat packages:
yum install glibc.i686 libstdc++.i686
Run the setup script:
./fsls-11.00.79-rtm/fsls-11.00.79-rtm --command-line-only --auto standalone lang=en noremotewui nolocallogin nofirewall
Edit the /etc/opt/f-secure/fssp/fssp.conf configuration file and make the following changes:
odsFileScanInsideMIME 1
odsFilePrimaryActionOnInfection 1
odsFileSecondaryActionOnInfection 2
odsAskQuestions 0
odsFollowSymlinks 1
daemonLogfileEnabled 1
daemonSocketMode 0660
socketpathGroup exim
The last two settings give the exim group read/write access to the fsavd socket without opening it to every local user.
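To apply these settings repeatably (for example from a configuration-management run) rather than by hand, here is an added example that is not part of Baruwa or F-Secure. It sets each key idempotently: an existing "key value" line is replaced in place, a missing key is appended, and a second run changes nothing; it then re-reads the file and reports any key whose effective value differs from the requested one. It assumes fssp.conf's one-setting-per-line "keyword value" format and that a one-time .orig backup is wanted before the first edit.

```shell
#!/bin/sh
# fssp-settings.sh: added example, not part of Baruwa or F-Secure.
# Idempotently applies the fssp.conf changes listed above and verifies them.

# Print the current value of KEY in FILE (empty if unset; last occurrence wins).
get_conf_key() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*//p" "$1" | tail -n 1
}

# set_conf_key FILE KEY VALUE: replace an existing "KEY value" line, or append one.
# The key must be followed by whitespace so that odsFile does not match odsFileScanInsideMIME.
# Values containing '|' or '&' would need escaping for sed; none of the page's values do.
set_conf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file"; then
        tmp=$(mktemp "$file.XXXXXX")
        sed "s|^[[:space:]]*$key[[:space:]].*|$key $value|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"      # write back in place so owner and mode are kept
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply the settings from the page to FILE, keeping a one-time .orig backup.
apply_baruwa_fssp_settings() {
    file=$1
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    set_conf_key "$file" odsFileScanInsideMIME 1
    set_conf_key "$file" odsFilePrimaryActionOnInfection 1
    set_conf_key "$file" odsFileSecondaryActionOnInfection 2
    set_conf_key "$file" odsAskQuestions 0
    set_conf_key "$file" odsFollowSymlinks 1
    set_conf_key "$file" daemonLogfileEnabled 1
    set_conf_key "$file" daemonSocketMode 0660   # owner and group may read/write the socket
    set_conf_key "$file" socketpathGroup exim    # and that group is exim, so the MTA can connect
}

# Report every key whose effective value differs from the requested one; returns 1 if any does.
verify_fssp_settings() {
    file=$1; rc=0
    for kv in odsFileScanInsideMIME=1 odsFilePrimaryActionOnInfection=1 \
              odsFileSecondaryActionOnInfection=2 odsAskQuestions=0 odsFollowSymlinks=1 \
              daemonLogfileEnabled=1 daemonSocketMode=0660 socketpathGroup=exim; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(get_conf_key "$file" "$key")
        [ "$have" = "$want" ] || { echo "$key is '$have', expected '$want'"; rc=1; }
    done
    return $rc
}

# Usage: fssp-settings.sh /etc/opt/f-secure/fssp/fssp.conf && service fsavd restart
if [ $# -gt 0 ]; then
    apply_baruwa_fssp_settings "$1" && verify_fssp_settings "$1"
fi
```

The verify step matters because fssp.conf may already contain a key more than once; the script reads the last occurrence, which is the one worth checking after the daemon is restarted.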
Install the fsavd init script:
cp /opt/f-secure/fssp/etc/fsavd /etc/init.d/
chmod +x /etc/init.d/fsavd
chkconfig --add fsavd
Start the fsavd service:
service fsavd start
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  drop    set acl_m_av_scanner = fsecure:/tmp/.fsav-0
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
Restart baruwascanner for the above configuration to take effect:
service baruwascanner restart
To enable POST SMTP Time Scanning, select the F-Secure Daemon option under virus checks in the BaruwaScanner settings section of the interface.
ESET
To install ESET, download the ESET for Linux package from the ESET website. This is commercial software, so you need to purchase a license. As the table above shows, ESET is only available for POST SMTP time scanning.
You need an additional 512MB of RAM to run the ESET Anti-Virus Engine.
ESET does not provide 64-bit packages so you need to install 32-bit compat packages:
yum install glibc.i686 libstdc++.i686
Install the ESET rpm package.
To enable POST SMTP Time Scanning, select the ESET option under virus checks in the BaruwaScanner settings section of the interface.
F-PROT
There is a package available for F-PROT within our repository. This is commercial software, so you need to purchase a license.
To install the package run:
yum install f-prot -y
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  drop    set acl_m_av_scanner = f-prot6d:127.0.0.1 10200
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
To enable POST SMTP Time Scanning, select the F-prot Daemon 6 option under virus checks in the BaruwaScanner settings section of the interface.
AVAST
There is a package available for AVAST within our repository. This is commercial software, so you need to purchase a license.
Note
We are an authorized Avast reseller so you can purchase AVAST subscriptions through us at discounted list pricing.
To install the package run:
yum install avast -y
Install your license by copying it to /etc/avast/license.avastlic on your Baruwa server.
Start the Avast daemon:
service avast start
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  drop    set acl_m_av_scanner = avast:/var/run/avast/scan.sock
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
To enable POST SMTP Time Scanning, select the Avast option under virus checks in the BaruwaScanner settings section of the interface.
Kaspersky Scan Engine
There is a package available for Kaspersky Scan Engine within our repository. This is commercial software, so you need to purchase a license.
To install the package run:
yum install kse -y
Install your license by copying it to the /opt/kaspersky/ScanEngine/bin directory on your Baruwa server.
Start the Kaspersky Scan Engine daemon:
service kavhttpd restart
Add a custom MTA configuration override for SMTP Time scanning (skip this step if you want to scan after SMTP time):
cat >> /etc/exim/custom-acl_check_data.post << 'EOF'
  # Messages re-injected from localhost (e.g. quarantine releases) are not rescanned; flag them.
  warn    hosts       = 127.0.0.1
          add_header  = X-Baruwa-Virus-Checks: bypassed, quarantine release

  # Reject at SMTP time when the sender is neither localhost nor in the SAVDB network list
  # and every recipient has both SMTP-time AV (smtp_av) and virus checks enabled.
  drop    set acl_m_av_scanner = kse:/var/run/kse/kse.sock
          malware     = ${if and { \
                           {!eq {$sender_host_address}{127.0.0.1}} \
                           {eq {${perl{ip_in_network}{SAVDB}{$sender_host_address}}}{false}} \
                           {eq {${if forall{<, $recipients}{match{\
                                 ${extract{smtp_av}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                           {eq {${if forall{<, $recipients}{\
                                 match{${extract{virus_checks}{${lookup{$item}cdb*@{/var/lib/baruwa/data/db/cleandata.cdb}}}{$value}{yes}}}{yes}}{yes}{no}}}{yes}} \
                        }{*}{0}}
          message     = The message was rejected due to security policies - INFO_URL#mvi
          log_message = This message matched anti-virus signature [$malware_name]
EOF
To enable POST SMTP Time Scanning, select the Kaspersky Scan Engine option under virus checks in the BaruwaScanner settings section of the interface.