Discussion:
[Mimedefang] Virus notification to virus administrator
jan hugo prins
2016-01-07 11:25:43 UTC
Hi,

I'm currently trying to replace amavisd-new with mimedefang, but one
thing is currently really stopping me from going on.
We have a requirement to send a notification to an internal security
list for all viruses detected including a scanner report, and a
quarantine location for the mimepart. The only thing I can find is an
action_discard when a virus has been found and everything I find on the
internet suggests that it is not possible to send any notification.

We _don't_ want to bounce a notification to the sender of the original
message because this is almost always faked.

Does anyone have a working solution for this?

Jan Hugo Prins



_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list ***@lists.roaringpenguin.com
http://lists.roari
Dianne Skoll
2016-01-07 12:20:43 UTC
On Thu, 7 Jan 2016 12:25:43 +0100
Post by jan hugo prins
We have a requirement to send a notification to an internal security
list for all viruses detected including a scanner report, and a
quarantine location for the mimepart.
Well, that's trivial. MIMEDefang's filter is Perl, so just call out to
Sendmail to send the notification. Or use any of a number of CPAN modules
to compose and send the notification email.
Post by jan hugo prins
The only thing I can find is an
action_discard when a virus has been found and everything I find on
the internet suggests that it is not possible to send any
notification.
Really?? It's Perl. It's a Turing-complete language, so you can do whatever
you want from within your filter.

Regards,

Dianne.
Juergen Kleff
2016-01-07 12:28:09 UTC
Hej,
Post by jan hugo prins
Hi,
I'm currently trying to replace amavisd-new with mimedefang, but one
thing is currently really stopping me from going on.
We have a requirement to send a notification to an internal security
list for all viruses detected including a scanner report, and a
quarantine location for the mimepart. The only thing I can find is an
action_discard when a virus has been found and everything I find on
the internet suggests that it is not possible to send any
notification.
We _don't_ want to bounce a notification to the sender of the
original message because this is almost always faked.
action_bounce() does not bounce to the (possibly faked) sender address,
but to the sending mail server.
Post by jan hugo prins
Does anyone have a working solution for this?
What about action_quarantine_entire_message(), which also sends a mail
to the mimedefang-admin, and action_notify_administrator()? And there
is add_recipient() and delete_recipient(), which might be useful in
your case.

hth a bit ...
Jürgen
Post by jan hugo prins
Jan Hugo Prins
jan hugo prins
2016-01-07 15:31:12 UTC
Hoi,
Post by Juergen Kleff
Hej,
what about action_quarantine_entire_message(), which also sends a mail
to the mimedefang-admin, and action_notify_administrator()? And there
is add_recipient() and delete_recipient(), which might be useful in
your case.
Adding the action_quarantine_entire_message() and enabling
send_quarantine_notifications() in filter_end results indeed
in a message being put in Quarantine and a notification of
this message to the administrator.

I'm also able to get the virus name into the quarantine message.
But it seems that the variable $VirusScannerMessages stays empty.

In mimedefang.pl I have found the options that are being used
when scanning files and I tested them against an EICAR test file
and this gives the following result:

[***@mailserver /]# clamscan -r --stdout --no-summary --infected
~jprins/eicarcom2.zip
/home/jprins/eicarcom2.zip: Eicar-Test-Signature FOUND

[***@mailserver /]# fpscan --report --archive=5 --scanlevel=4
--heurlevel=3 ~jprins/eicarcom2.zip

F-PROT Antivirus version 6.2.1.4252 (built: 2008-04-28T16-56-20)
FRISK Software International (C) Copyright 1989-2007

Engine version: 4.4.4.56
Virus signatures: 2016010706416ffdec6f95d46145bb42aebd7efc8a31
(/usr/local/f-prot/antivir.def)

[Found virus] <EICAR_Test_File (exact, not disinfectable)>
/home/jprins/eicarcom2.zip->eicar_com.zip->eicar.com
[Contains infected objects] /home/jprins/eicarcom2.zip


Results:

Files: 1
Skipped files: 0
MBR/boot sectors checked: 0
Objects scanned: 3
Infected objects: 1
Files with errors: 0
Disinfected: 0

Running time: 00:01

I would have expected to see this output in $VirusScannerMessages.

Jan Hugo Prins



Matt Garretson
2016-01-20 20:51:11 UTC
Post by jan hugo prins
I would have expected to see this output in $VirusScannerMessages.
According to the mimedefang-filter manpage, that variable is only
accessible in filter_begin, filter, filter_multipart and filter_end.
Are you trying to access it in another context?
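
A filter fragment that combines the functions named in this thread, added here as an illustration; it is not code from any poster or from the MIMEDefang distribution. It assumes at least one virus scanner is enabled in the filter, and `$SavedVirusName` and `$SavedVirusReport` are names chosen for this example.

```perl
# Fragment for mimedefang-filter: merge into the existing filter_begin
# and filter_end. Notifications go to $AdminAddress, set at the top of
# the filter, so point that at the internal security list.
use vars qw($SavedVirusName $SavedVirusReport);   # example-only names

sub filter_begin {
    my ($entity) = @_;
    ($SavedVirusName, $SavedVirusReport) = ('', '');

    # Runs the scanners enabled in this filter. On a hit, $VirusName is
    # set and scanner output accumulates in $VirusScannerMessages.
    my ($code, $category, $action) = message_contains_virus();
    if ($category eq 'virus') {
        # Copy both values right after the scan, in a context where the
        # manpage says $VirusScannerMessages is accessible.
        $SavedVirusName   = $VirusName;
        $SavedVirusReport = $VirusScannerMessages;
    }
    return;
}

sub filter_end {
    my ($entity) = @_;

    if ($SavedVirusName ne '') {
        # Make an empty scanner report visible instead of silent.
        my $report = $SavedVirusReport ne ''
            ? $SavedVirusReport
            : "(scanner returned no message text)\n";

        # The text passed here is included in the administrator notice.
        action_quarantine_entire_message(
            "Virus found: $SavedVirusName\n" .
            "Relay: $RelayAddr\n" .
            "Envelope sender (may be forged): $Sender\n\n" .
            "Scanner report:\n$report");
        md_syslog('warning',
            "Quarantined virus $SavedVirusName from relay $RelayAddr");

        send_quarantine_notifications();
        # Drop the message without bouncing to the envelope sender.
        return action_discard();
    }

    send_quarantine_notifications();
    return;
}
```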

