OS/2 eZine - http://www.os2ezine.com
May 16, 2002


Advanced Virus Filtering with Weasel

A few issues ago I talked about a simple filter I wrote for the mail server Weasel to scan incoming emails for viruses using 'Norman Virus Control (NVC)' (that article is at http://www.os2ezine.com/20020216/page_7.html).

Now this filter has been enhanced so that the mail server automatically sends warning messages to both the sender and the addressee when a virus is detected.

Installation

You need to have Weasel 1.40 or higher installed for the filter to work. You can download Weasel from http://eepjm.newcastle.edu.au/os2/weasel.html. You can download the complete filter package from the FTP server of Cel Kunststoffen (ftp://os2ezine:filter@celkunststoffen.khlim.be).

You need to install the following software and copy some files into the mailroot directory of Weasel.

Norman Virus Control version 5.x: More information can be found at http://www.norman.no/products_nvc_os2.shtml. This software needs to be installed on your system and kept up to date.

filter.cmd: This is the actual filter, written in REXX. This file must be copied into the mailroot directory.

filtermailinfo: This is the basic warning message that is sent to the addressee of the infected email. You can change it to suit your needs. 'filter.cmd' adds some more details (e.g. who the mail is probably coming from, which virus has been detected, ...) to this message before it is sent. This file must be copied into the mailroot directory.

filtermailwarning: This is the basic warning message that is sent to the sender of the infected email. You can change it to suit your needs. 'filter.cmd' adds some more details (e.g. which virus has been detected, ...) to this message before it is sent. This file must be copied into the mailroot directory.

qmail.cmd: This is a REXX script developed by Peter Moylan, the author of Weasel, that allows you to place a message in the forward queue of Weasel so that Weasel can send it out. More information can be found at http://eepjm.newcastle.edu.au/os2/waccess.html.

Now configure the filter in the Weasel Setup program.

Don't forget to check the option 'Serialize filter operations'.

Create an email account 'Contaminated'. All infected emails will be copied into this account so that you can examine them more closely if you want to.

Usage

When an infected email is sent to you and processed by Weasel, you'll receive a warning message from your mail server like this:

This is an automated email message. Please don't reply.
The mail server of Cel Kunststoffen has intercepted an email
addressed to you that contained a virus by using Norman Virus
Control for OS/2.
Following information has been extracted from this email and may
help you identify the sender so that you can warn him that his
PC is infected.
-- Server info --
Arrived at server from :  John.Bijnens@celkutstoffen.khlim.be
The server has already sent a warning email to this user
-- Info from infected email --
Return-Path :  John.Bijnens@celkutstoffen.khlim.be
Reply-To    :  -
From        :  -
Date        :  Mon, 15 Apr 2002 01:00:08 +0200 (MET DST)
For         :  jbijnens
Subject     :  -
-
Virusname :  'W32/Magistr.A@mm'
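
The '-- Info from infected email --' block above is built from header fields that the sender of the infected mail controls, so each value should be cleaned before it is copied into a warning. The sketch below is an added example in Python, not the article's REXX filter.cmd; the names read_headers, clean, info_block and SAMPLE are hypothetical, and the recipient and virus name are assumed to be supplied by the caller.

```python
import re

# Display order of the header fields in the article's sample warning.
FIELDS = ["Return-Path", "Reply-To", "From", "Date", "Subject"]

# Constructed sample message (not taken from the article).
SAMPLE = (
    "Return-Path: <sender@example.org>\n"
    "Received: from host.example.org\n"
    "\tby mail.example.net; Mon, 15 Apr 2002 01:00:08 +0200\n"
    "Date: Mon, 15 Apr 2002 01:00:08 +0200\n"
    "Subject: first part\n"
    " second part\x07\n"
    "\n"
    "From: not-a-header@example.org (this line is body text)\n"
)

def read_headers(raw: str) -> dict:
    """Return the first occurrence of each header; stop at the blank line."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line == "":                      # end of header block, body follows
            break
        if line[0] in " \t":                # folded continuation line
            if name:
                headers[name] += " " + line.strip()
            continue
        field, sep, value = line.partition(":")
        name = field.strip().lower() if sep else None
        if name is None or name in headers:
            name = None                     # junk line or repeated header: skip
        else:
            headers[name] = value.strip()
    return headers

def clean(value: str, limit: int = 120) -> str:
    """Drop control characters, cap the length, show '-' for empty values."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value).strip()
    return value[:limit] if value else "-"

def info_block(raw: str, recipient: str, virus: str) -> str:
    """Format the info block in the layout of the sample warning."""
    headers = read_headers(raw)
    rows = [(f, headers.get(f.lower(), "")) for f in FIELDS]
    rows.insert(4, ("For", recipient))      # same position as in the sample
    out = ["-- Info from infected email --"]
    out += [f"{name:<12}:  {clean(value)}" for name, value in rows]
    out.append(f"Virusname :  '{clean(virus)}'")
    return "\n".join(out)
```

Calling info_block(SAMPLE, "jbijnens", "W32/Magistr.A@mm") returns the block as one string; fields missing from the header are shown as '-', as in the sample warning.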

It can take a while (about 5 minutes) before the warning message is actually sent by Weasel after the filter has been executed. The sender of the infected email will receive a warning message like this one:

This is an automated email message. Please don't reply.
The mail server of Cel Kunststoffen has intercepted an email from you
addressed to one of our accounts that is infected by a virus by using
Norman Virus Control for OS/2.
Please check your PC for the occurrence of the following virus.
(Make sure your virusscanner is updated to the latest level)
Detected virus : 'W32/Magistr.A@mm'

Remark

If you experience problems with Norman Virus Control v5.x for OS/2, i.e. the command line utility nvcc.exe doesn't work properly and gives warnings on completely innocent files, you need an update of the file Nlog5.dll. This file can be found in the directory \norman\nvc\bin. Normally the update should have been distributed through the automatic internet updates of Norman. If this is not the case (you can verify this by checking the file size and the date/time stamps of the file: 24/04/02 16:05 66.198 31 Nlog5.Dll), you can also download it from our FTP server (ftp://os2ezine:filter@celkunststoffen.khlim.be/nlog5.dll).


John Bijnens is a CAM/CAM engineer in the KHLim - Dep. IWT (http://celkunststoffen.khlim.be) which is some kind of technical university in Belgium. He gives training in Pro/E and also writes CNC postprocessors (all development is done on OS/2.)

This article is courtesy of www.os2ezine.com. You can view it online at http://www.os2ezine.com/20020516/page_5.html.

Copyright (C) 2002. All Rights Reserved.