Kaspersky Lab Anti-Virus 5.6 ADMINISTRATOR GUIDE

KASPERSKY LAB
Kaspersky Anti-Virus® 5.6 for Sendmail with Milter API
ADMINISTRATOR'S MANUAL
© Kaspersky Lab
http://www.kaspersky.com
Revision date: March 2006
Contents
CHAPTER 1. KASPERSKY ANTI-VIRUS® FOR SENDMAIL WITH MILTER API....... 6
1.1. What’s new in version 5.6 ..................................................................................... 7
1.2. Hardware and software system requirements ..................................................... 7
1.3. Licensing policies................................................................................................... 9
1.4. Distribution kit ........................................................................................................ 9
1.5. Help desk for registered users ............................................................................ 10
1.6. Adopted conventions........................................................................................... 10
CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS ............................................... 13
2.1. Installing Kaspersky Anti-Virus on the same server with your mail system ...... 13
2.2. Installing Kaspersky Anti-Virus on a dedicated server....................................... 16
2.3. Installing Kaspersky Anti-Virus as a filter (single or additional).......................... 18
2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers..... 18
CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTI-VIRUS ............ 21
3.1. Software installation on a server running Linux.................................................. 21
3.2. Software installation on a server running FreeBSD or OpenBSD..................... 22
3.3. Installation process.............................................................................................. 22
3.4. Post-install setup ................................................................................................. 23
3.5. Location of application files and directories ........................................................ 24
3.6. Software uninstall ................................................................................................26
3.7. Uninstallation process ......................................................................................... 26
CHAPTER 4. THE PRINCIPLES OF APPLICATION OPERATION........................... 28
4.1. General message processing algorithm............................................................. 28
4.2. Creating groups for message processing........................................................... 29
4.3. Message status ................................................................................................... 31
4.4. Assigning actions for mail messages ................................................................. 31
CHAPTER 5. PRESET PROTECTION PROFILES..................................................... 33
5.1. High overall security profile ................................................................................. 33
5.2. High effective security profile .............................................................................. 34
5.3. Optimal operation profile .....................................................................................35
5.4. Top performance mode....................................................................................... 35
CHAPTER 6. USING KASPERSKY ANTI-VIRUS FOR SENDMAIL WITH MILTER API ............ 37
6.1. Delivering disinfected messages to recipients ................................................... 37
6.2. Blocking infected messages ............................................................................... 39
6.3. Delivering protected messages........................................................................... 40
6.4. Sending notifications to senders, recipients, and administrator......................... 41
6.5. Filtering e-mail traffic by attachments ................................................................. 43
6.6. Updating the anti-virus database and application kernel ...................................44
6.7. Backing up e-mail messages.............................................................................. 45
CHAPTER 7. ADDITIONAL SETUP............................................................................. 47
7.1. Integrating the application into your mail system................................................ 47
7.2. Installing and uninstalling the Webmin module of Kaspersky Anti-Virus........... 50
7.3. Checking the configuration file syntax ............................................................... 51
7.4. Defining an e-mail scan policy ............................................................................ 52
7.5. Adjusting scan thoroughness.............................................................................. 52
7.6. Selecting objects to scan..................................................................................... 53
7.7. Selecting objects to be filtered and assigning actions........................................ 54
7.8. Configuring backup options................................................................................. 55
7.9. Configuring database and kernel module updates ............................................ 56
7.10. Customizing notifications................................................................................... 57
7.10.1. Notification templates .................................................................................60
7.10.2. Customizing notification templates ............................................................ 62
7.10.2.1. Macros.................................................................................................. 62
7.10.2.2. Iteration constructs............................................................................... 63
7.10.2.3. Scope of visibility for an iterative statement........................................ 64
7.10.2.4. Variables .............................................................................................. 65
7.10.2.5. Language syntax ................................................................................. 66
7.10.2.6. Notification macros for the application ................................................ 68
7.11. Reporting options .............................................................................................. 69
7.12. Parameters of update report generation .......................................................... 71
7.13. Statistics parameters......................................................................................... 73
7.14. Restarting Kaspersky Anti-Virus ....................................................................... 75
7.15. Managing the application from the command line ........................................... 76
7.16. Localization of displayed date and time format ................................................ 77
7.17. Additional informational header fields in messages......................................... 78
7.18. Troubleshooting................................................................................................. 78
7.19. Application control via SNMP............................................................................ 79
CHAPTER 8. USING LICENSES.................................................................................. 83
8.1. Viewing license key information.......................................................................... 84
8.2. License extension................................................................................................ 85
8.3. License key removal............................................................................................ 87
CHAPTER 9. COMPATIBILITY WITH OTHER KASPERSKY LAB APPLICATIONS ............ 88
CHAPTER 10. VERIFYING PROPER OPERATION OF THE ANTI-VIRUS.............. 90
CHAPTER 11. FREQUENTLY ASKED QUESTIONS................................................. 92
APPENDIX A. ADDITIONAL INFORMATION.............................................................. 98
A.1. Application configuration file kavmilter.conf ....................................................... 98
A.2. Default group configuration file default.conf..................................................... 102
A.3. Error return codes ............................................................................................. 106
A.4. Keepup2date return codes ............................................................................... 108
A.5. Command line options for licensemanager ..................................................... 108
A.6. Licensemanager return codes.......................................................................... 109
A.7. Description of the MIB (Management Information Base) objects.................... 110
APPENDIX B. KASPERSKY LAB............................................................................... 113
B.1. Other Kaspersky Lab Products ........................................................................ 114
B.2. Contact Us......................................................................................................... 119
APPENDIX C. LICENSE AGREEMENT .................................................................... 121
CHAPTER 1. KASPERSKY ANTI-VIRUS® FOR SENDMAIL WITH MILTER API
Kaspersky Anti-Virus® for Sendmail with Milter API (hereinafter also referred to as Kaspersky Anti-Virus or the application) provides anti-virus protection for e-mail traffic handled by Sendmail with Milter API running on a Linux/Unix server.
Kaspersky Anti-Virus running on a mail server will:
Intercept incoming and outgoing e-mail messages handled by the server.
Scan e-mail traffic for viruses using the anti-virus engine. The application scans the entire message as well as message objects, including the header, body, and attachments (depending on the anti-virus policy).
Back up e-mail messages prior to performing any action related to anti-virus protection, including blocking and rejecting messages. The administrator can then restore original messages from these backup copies.
Handle infected objects of e-mail messages detected during the scan.
Filter e-mail messages. This version of the product filters messages by MIME type, size, and name of attachments.
Notify senders, recipients, and administrators about the results of anti-virus treatment and message filtering. The application may also send detailed notifications using an external mail agent.
Provide general statistics and reports on application performance.
The advanced features of Kaspersky Anti-Virus allow the administrator to perform the following tasks:
Configure the application from a remote location through the web interface of the Webmin application.
Customize templates for sending notifications to senders, recipients, and administrators using a special language.
1.1. What’s new in version 5.6
Kaspersky Anti-Virus 5.6 for Sendmail with Milter API has these additional features, compared to version 5.0:
Simple processing rules for e-mails can be grouped, depending on the message's senders and recipients, to provide complex processing.
Additional options have been added for processing messages containing suspicious objects.
Additional statistics are recorded for all messages processed by the application.
The SNMP protocol can be used to get read-only access to application configuration and statistics; the application can be configured to send SNMP traps when specific events occur.
1.2. Hardware and software system requirements
For smooth operation of Kaspersky Anti-Virus, your mail server must meet the following hardware and software requirements:
Minimum hardware requirements:
Intel Pentium 133 MHz processor or higher
32 MB RAM
100 MB available space on your hard drive (this amount does not include space necessary for storing backup message copies).
Minimum hardware requirements for application operation, for a mail server with about 800 MB of traffic per day (1) (250-300 mail accounts (addresses)):
Celeron (Mendocino) 400 MHz processor
512 MB RAM
100 MB of available space on your hard drive (for Kaspersky Anti-Virus operation).
Optimal hardware requirements:
For a mail server with about 800 MB of traffic per day (250-300 mail accounts (addresses)):
2x Pentium Xeon 1.8 GHz processor
1 GB RAM
8 GB of available space on your hard drive (this amount does not include space necessary for storing backup message copies).
For a mail server with about 400 MB of traffic per day (2) (100-150 mail accounts (addresses)):
Pentium III 900 MHz processor
512 MB RAM.
Software requirements:
One of the following operating systems:
Red Hat Enterprise Linux Advanced Server 4.
Red Hat Linux 9.0.
Fedora Core 3.
SuSE Linux Enterprise Server 9.0.
SuSE Linux Professional 9.2.
Debian 3.1.
Mandrakelinux 10.1.
FreeBSD 4.10, 5.4.
OpenBSD 3.6.
Sendmail version 8.11.x or higher with Milter API (installed).
Webmin program (www.webmin.com) (installed), to manage Kaspersky Anti-Virus from a remote location.
The following utilities should be installed in your system: bc, sed, tr, cut, du, grep, awk.
(1) The following scheme is used to calculate daily traffic: the average message size is 60 KB; during a 10-hour period, with 25 scan processes working in parallel, about 13200 messages are processed, which totals about 800 MB.
(2) The following scheme is used to calculate daily traffic: the average message size is 60 KB; during a 10-hour period, with 25 scan processes working in parallel, about 6600 messages are processed, which totals about 400 MB.
1.3. Licensing policies
Kaspersky Anti-Virus’ licensing policies limit product use based on one of these criteria:
number of users protected by the application.
e-mail traffic processed daily (MB/day).
Each type of licensing is also time-limited, typically for one or two years from the date of purchase.
You can purchase only one type of the license, for example, by the amount of daily email traffic.
The application has slightly different configuration parameters depending on the type of license you have purchased. For instance, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) for which the application will provide protection.
1.4. Distribution kit
You can purchase Kaspersky Anti-Virus for Sendmail with Milter API either from our distributors or in our Internet-shop www.kaspersky.com
When purchasing a retail box, you will receive the following distribution kit:
a sealed envelope with an installation CD (or a set of floppy disks) containing software product files;
administrator's guide;
license key written on the installation CD or a floppy disk;
license agreement.
Before you unseal the envelope containing the CD (or floppy disks), be sure to thoroughly review the license agreement.
When purchasing Kaspersky Anti-Virus in the Web-shop, you download the product from Kaspersky Lab’s website. The distribution file contains the application and the license key.
The License Agreement (LA) is a legal agreement between you (either an individual or a single entity) and the manufacturer (Kaspersky Lab Ltd.) describing the terms under which you may use the anti-virus product which you have purchased.
Make sure to read the terms of the License Agreement!
If you do not agree to the terms of this LA, Kaspersky Lab is not willing to license the software product to you and you should return the unused product to your Kaspersky Anti-Virus dealer for a full refund, making sure the envelope with CD (or diskettes) is sealed.
If you have unsealed the envelope, you have agreed to all the terms of the LA.
1.5. Help desk for registered users
Kaspersky Lab offers a large service package, enabling registered users to efficiently use Kaspersky Anti-Virus.
If you register and purchase a subscription, you will be provided with the following services for the period of your subscription:
daily virus-definition database updates via e-mail;
product upgrades;
phone and e-mail advice on matters related to your software installation, configuration and performance;
information about new Kaspersky Lab products and new computer viruses (for those who subscribe to our newsletter).
Kaspersky Lab does not give advice on the performance and use of your operating system or various other technologies.
1.6. Adopted conventions
The text in this document is formatted in accordance with its meaning. Table 1 below lists the conventions adopted for use in the text.
Table 1. Conventions
Style                                               Purpose
Bold type                                           Menu titles, menu items, window titles, parts of dialog boxes, etc.
Note.                                               Additional information, notes.
Attention!                                          Information that should be paid special heed.
In order to perform the action,                     Description of a procedure: the user's steps and possible actions.
1. Step 1.
2. ...
Task, example                                       Statement of a problem; example of using the software features.
Solution                                            Solution to a defined problem.
[key] – key purpose.                                Command line keys.
Text of information messages and the command line   Text of configuration files, informative messages, and the command line.
CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS
Kaspersky Anti-Virus can be rolled out using the following methods, depending on the initial configuration of your mail system and specific needs of your organization:
on the same server your mail system is on: this scenario is used by default if you have a configured Sendmail system on your server (see section 2.1 on page 13).
on a dedicated server: use this method if your mail server is under a high load (see section 2.2 on page 16). In this case you can also use Kaspersky Anti-Virus to process mail traffic of several Sendmail servers (see section 2.4 on page 18).
Note that in both cases the application will function identically, regardless of the deployment scenario you choose. They differ only in the method of interaction between Kaspersky Anti-Virus and Sendmail.
To configure Kaspersky Anti-Virus, consider other Milter filters integrated into your mail system. If you have such filters, you can install Kaspersky Anti-Virus as:
a single Milter filter;
together with other Milter filters: if you have other mail filters, for example, Kaspersky Anti-Spam (see section 2.3 on page 18).
The sections below describe each scenario in detail.
2.1. Installing Kaspersky Anti-Virus on the same server with your mail system
When describing the operation and configuration of Kaspersky Anti-Virus in this guide, it is assumed that Kaspersky Anti-Virus has been installed on the same server as your mail system.
Kaspersky Anti-Virus processes incoming and outgoing mail as follows:
1. Email traffic forwarded from other servers or from users arrives at Sendmail.
2. The mail system then forwards messages to Kaspersky Anti-Virus through Milter API for anti-virus processing.
3. Kaspersky Anti-Virus scans and handles email messages and, depending on the settings, sends them back through Milter API to the mail system. The anti-virus application can generate and send notifications using an external mail agent.
4. The mail system then routes mail traffic to either external mail servers or mailboxes of local users.
During the installation on the same server with Sendmail, Kaspersky Anti-Virus automatically makes the necessary changes to its own configuration and configuration of Sendmail. If you want to specify custom parameters of the socket to be used for interaction between Sendmail and Kaspersky Anti-Virus, you will need to make the following changes:
If you use sendmail.cf, add the following lines to the file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<localhost>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <localhost> is the name or IP address of the local host (localhost, 127.0.0.1, or the IP address of the server) and <port> is the network socket port.
The flag F=T makes Sendmail return a temporary failure to the sending client if the filter cannot be reached, so that mail is deferred instead of being accepted unscanned. The T= values are the timeouts for sending data to the filter (S), reading its reply (R), and receiving the final acknowledgement after end-of-message (E).
For this configuration, it is recommended to use a local unix socket, which only processes on the same host can connect to. To do so, add the following lines to the sendmail.cf file instead:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=unix:<socket_file_path>,F=T,T=S:10s;R:5m;E:5m
#kav-end
or
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=local:<socket_file_path>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <socket_file_path> is the path to the socket file.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=local:<socket_file_path>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end
or
dnl kav-begin: KAVMilter
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=unix:<socket_file_path>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end
where <socket_file_path> is the path to the socket file.
In the [kavmilter.global] section of the kavmilter.conf configuration file, make the following changes:
ServiceSocket=unix:<socket_file_path>
or
ServiceSocket=local:<socket_file_path>
where <socket_file_path> is a path to the socket file.
If you specify custom settings for the interaction socket, do not forget to delete from the Sendmail configuration file those strings which were automatically added by Kaspersky Anti-Virus during its installation.
2.2. Installing Kaspersky Anti-Virus on a dedicated server
If your mail server's load is consistently high, it is more reasonable to install Kaspersky Anti-Virus on a dedicated server, because anti-virus processing of mail traffic consumes considerable server resources and can otherwise degrade the mail server itself.
If Kaspersky Anti-Virus is installed on a dedicated server, it operates as follows:
1. The mail stream arrives at the mail server with Sendmail installed.
2. Sendmail forwards messages to Kaspersky Anti-Virus through a network socket.
3. The processed mail stream, together with anti-virus notifications, is sent back to the mail system for further delivery.
If Kaspersky Anti-Virus is installed on a dedicated server, you must use a network (inet) socket for Sendmail to pass messages to the application and receive them back. Note that the Milter protocol itself provides neither authentication nor encryption: bind ServiceSocket to an address that only the Sendmail server can reach, and restrict access to the port (for example with a packet filter) so that no other host can connect to the filter.
Configure Sendmail as follows:
If you use sendmail.cf, add the following lines to this file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<ip_address>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <ip_address> is the IP address of the network socket, and <port> is the network socket port.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=inet:<port>@<ip_address>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end
where <ip_address> is the IP address of the network socket, and <port> is the network socket port.
In the [kavmilter.global] section of the Kaspersky Anti-Virus configuration file, make the following change:
ServiceSocket=inet:<port>@<ip_address>
where <ip_address> is the IP address of the network socket, and <port> is the network socket port.
When Kaspersky Anti-Virus runs on a dedicated server, it needs a sendmail-compatible mail agent to send notifications to the administrator. Make sure that /usr/sbin/sendmail exists on that server, either as a binary or as a symbolic link to one; it is used to send notifications.
2.3. Installing Kaspersky Anti-Virus as a filter (single or additional)
Kaspersky Anti-Virus can be installed either as a single filter or together with other filters. If other mail filters are installed on your system, define their sequence carefully, based on the settings of each filter.
If you are installing Kaspersky Anti-Virus ahead of another filter, note that anti-virus processing can affect the contents of the mail stream: some elements of messages (headers, body, etc.) can be changed, notifications generated by the anti-virus software can be added to the stream, and some messages can be deleted or rejected for further processing. A filter located behind Kaspersky Anti-Virus therefore deals with a processed, and thus altered, mail stream. Consider this when configuring filters behind the anti-virus application; for example, you may exclude notifications generated by Kaspersky Anti-Virus from filtering.
If you are installing Kaspersky Anti-Virus behind another filter, it receives the mail stream after the first filter has processed and possibly changed it. Sendmail passes each message through the Milter filters in the order in which they are listed in its InputMailFilters option, and reaches each filter through that filter's own socket.
Configure the Milter filters installed on your mail server as follows:
1. Configure Sendmail and the Kaspersky Anti-Virus socket options as described in section 2.1 on page 13.
2. List the other mail filters installed on your mail server in InputMailFilters either before or after the anti-virus filter, each with its own socket, so that the mail stream passes through them in the intended order.
2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers
Kaspersky Anti-Virus can be used to scan the traffic of several mail servers. This scenario can provide anti-virus protection for a distributed mail system, but you must take into account both the load placed on the application by several mail servers and compliance with the licensing conditions. If the license policy is based on the number of accounts, the Kaspersky Anti-Virus configuration file must list the domains of all users whose mail traffic is processed by the protected mail servers. If the license policy is based on e-mail traffic volume, the total mail traffic of all servers must be less than the maximum specified by the license.
In this scenario, mail is processed as follows:
1. The e-mail traffic arrives at several mail servers with Sendmail installed.
2. Each server forwards its messages to Kaspersky Anti-Virus for anti-virus processing via a network socket.
3. After processing, Kaspersky Anti-Virus sends the checked messages, together with anti-virus notifications, back to the originating mail server for further delivery.
To implement this scenario:
1. In the kavmilter.conf configuration file of Kaspersky Anti-Virus, set the ServiceSocket parameter as shown below:
ServiceSocket=inet:<port>@<ip_address>
where <port> is the network socket port, and <ip_address> is an IP address of the Kaspersky Anti-Virus host that all of the Sendmail servers can reach (not 127.0.0.1). The same caution as in section 2.2 applies: restrict access to this port to the Sendmail servers, since the Milter protocol carries no authentication of its own.
2. Amend the configuration of all Sendmail servers which mail traffic will be protected by Kaspersky Anti-Virus:
If you use the sendmail.cf file, add the following lines to this file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<ip_address>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <ip_address> is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and <port> is the network socket port.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=inet:<port>@<ip_address>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end
where <ip_address> is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and <port> is the network socket port.
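In every variant of sections 2.1, 2.2 and 2.4 the deployment only works if the S= value in Sendmail's XKAVMilter line and the ServiceSocket value in kavmilter.conf name the same socket; if they differ, Sendmail can never reach the filter and, with F=T set, defers all mail. The following POSIX shell script is an added example and is not part of the manual or of the product: it extracts both values from constructed sendmail.cf and kavmilter.conf fragments, checks that the socket specification has one of the three valid forms, and confirms that the filter is configured to fail closed. The file paths, port and address it uses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the Kaspersky manual or product: confirm that the
# socket Sendmail was told to use for KAVMilter and the ServiceSocket in
# kavmilter.conf are the same socket, and that the filter fails closed.
# The two config fragments written below are constructed for the example.

# Socket spec from the XKAVMilter line of a sendmail.cf-style file.
milter_socket_from_cf() {
    sed -n 's/^XKAVMilter,[[:space:]]*S=\([^,]*\),.*/\1/p' "$1" | head -n 1
}

# ServiceSocket value from the [kavmilter.global] section of kavmilter.conf.
service_socket_from_conf() {
    awk '
        /^\[/ { section = $0; next }
        section == "[kavmilter.global]" && /^ServiceSocket[[:space:]]*=/ {
            sub(/^ServiceSocket[[:space:]]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# Canonical form: drop blanks; Sendmail treats local: and unix: as synonyms.
normalize_socket() {
    printf '%s\n' "$1" | sed 's/[[:space:]]//g; s/^local:/unix:/'
}

# 0 if $1 is inet:<port>@<host> with a sane port, or unix:/local: with an
# absolute socket path.
socket_spec_valid() {
    spec=$(normalize_socket "$1")
    case $spec in
        inet:*@?*)
            port=${spec#inet:}; port=${port%%@*}
            case $port in ''|*[!0-9]*) return 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ;;
        unix:/?*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the XKAVMilter line carries F=T or F=R, so Sendmail defers or rejects
# mail when the filter is unreachable instead of accepting it unscanned.
milter_fails_closed() {
    grep -q '^XKAVMilter,.*F=[TR]' "$1"
}

# 0 when sendmail.cf ($1) and kavmilter.conf ($2) name the same valid socket.
kav_sockets_agree() {
    cf=$(normalize_socket "$(milter_socket_from_cf "$1")")
    conf=$(normalize_socket "$(service_socket_from_conf "$2")")
    [ -n "$cf" ] && socket_spec_valid "$cf" && [ "$cf" = "$conf" ]
}

# Constructed sample configuration (paths and addresses are illustrative).
tmp=${TMPDIR:-/tmp}/kavcheck.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sendmail.cf" <<'EOF'
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
XKAVMilter, S=local:/var/run/kavmilter.sock,F=T,T=S:10s;R:5m;E:5m
#kav-end
EOF
cat > "$tmp/kavmilter.conf" <<'EOF'
[kavmilter.global]
ServiceSocket=unix:/var/run/kavmilter.sock
EOF
cat > "$tmp/kavmilter-bad.conf" <<'EOF'
[kavmilter.global]
ServiceSocket= inet: 10025@192.0.2.10
EOF

kav_sockets_agree "$tmp/sendmail.cf" "$tmp/kavmilter.conf" \
    && echo "OK: Sendmail and kavmilter.conf both use $(normalize_socket "$(service_socket_from_conf "$tmp/kavmilter.conf")")"
kav_sockets_agree "$tmp/sendmail.cf" "$tmp/kavmilter-bad.conf" \
    || echo "MISMATCH: Sendmail would never reach the filter"
milter_fails_closed "$tmp/sendmail.cf" \
    && echo "OK: filter fails closed (F=T)"
```

Run it against the real files by replacing the constructed paths with /etc/mail/sendmail.cf and the installed kavmilter.conf; a non-zero result from kav_sockets_agree after a socket change usually means the lines the installer added to Sendmail were left in place alongside the custom ones.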
CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTI-VIRUS
Before installing Kaspersky Anti-Virus for Sendmail with Milter API, we recommend the following preparations:
Make sure that your system meets the hardware and software requirements for installation of Kaspersky Anti-Virus (see section 1.2 on page 7).
Log in to the system as the superuser (root).
3.1. Software installation on a server running Linux
Two different installation packages of Kaspersky Anti-Virus are supplied for the different Linux distributions.
To install Kaspersky Anti-Virus from a .rpm package, enter the following on the command line:
# rpm -i <package_file_name>
To install Kaspersky Anti-Virus from a .deb package, enter the following on the command line:
# dpkg -i <package_file_name>
3.2. Software installation on a server running FreeBSD or OpenBSD
The installation package for Kaspersky Anti-Virus is supplied in a .tar.gz package for servers running FreeBSD or OpenBSD operating systems.
In order to start installing Kaspersky Anti-Virus from a .tar.gz package, enter the following text in the command line:
# pkg_add <package_name>
3.3. Installation process
The procedure for installing Kaspersky Anti-Virus is automatic and not interactive. If any of the installation steps cannot be performed, the administrator must perform it after the installation is complete.
The install process for Kaspersky Anti-Virus for Sendmail with Milter API performs the following steps automatically:
1. Creating a group and a user account named kav under which Kaspersky Anti-Virus will operate.
2. Adding application settings to the /var/db/kav/applications.setup file that is used to update the anti-virus database and program modules.
3. Defining domains (i.e., mailboxes of these domains) that will be protected by Kaspersky Anti-Virus. The default domain is the system domain, including all domains derived from the hostname (if they exist). For example, if the hostname of the target server is srv1.subdomain.example.com, then the mail accounts of the following domains will also be protected: example.com, subdomain.example.com and srv1.subdomain.example.com.
4. Registering the kavmilterd service in the startup system.
5. Searching and automatically editing the Sendmail configuration to integrate it with the anti-virus filter.
Prior to making any configuration changes, you must back up the original Sendmail configuration. You can use this backup configuration if Kaspersky Anti-Virus is uninstalled.
After making configuration changes, Sendmail should be restarted so that the changes take effect. If Sendmail is not restarted during the installation, the configuration changes will not be applied, and the corresponding information will be displayed on the console. In that case you will need to change the Sendmail configuration after the Kaspersky Anti-Virus installation; otherwise, mail traffic will not be filtered on the server.
6. Running the kavmilterd service (using kavmilterd init script) that initializes the anti-virus filtration of mail traffic.
7. Registering a cron task for hourly checks of the backup storage size. By default, the size of the backup storage is 512 MB. If a check reveals that the backup storage is more than 80% full, the application deletes the oldest messages until the total size of the backup messages becomes less than 80% of the storage size.
8. Creating links to the reference information about Kaspersky Anti-Virus operation. To display the information, use the man command.
9. Registering Kaspersky Anti-Virus module for Webmin, if you have Webmin installed.
If you have a Webmin version older than 1.150, or have changed the default path to the installation directory for additional Webmin modules, the following warnings might appear during the installation or when you run the kavmilter-setup.sh script with the --add-webmin-module switch:
Warning: Installer is known to be broken.
Warning: will attempt to install module without it.
These warnings do not mean that the installation has failed, but if they appear, make sure that the Webmin management module is installed correctly using the Webmin web interface.
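The hourly backup storage check from step 7 above, as an added Python example that is not the product's own code: it models the "more than 80% full" trigger and the "less than 80%" stop level on constructed message sizes; the real on-disk layout of the backup/ directory is not modelled.

```python
# Added example, not Kaspersky code: one hourly check of the backup storage.
from dataclasses import dataclass
from typing import List, Tuple

DEFAULT_STORAGE_BYTES = 512 * 1024 * 1024   # default backup storage size: 512 MB
HIGH_WATER_MARK = 0.80                      # trigger and stop level: 80 %


@dataclass
class BackupMessage:
    name: str
    size: int      # bytes on disk
    mtime: float   # seconds since the epoch; lower means older


def check_backup_storage(messages: List[BackupMessage],
                         limit: int = DEFAULT_STORAGE_BYTES,
                         ratio: float = HIGH_WATER_MARK
                         ) -> Tuple[List[str], List[str]]:
    """Return (kept, deleted) message names after one check.

    Nothing is deleted unless usage is *more than* ratio * limit; once
    triggered, the oldest messages go first until usage is *less than*
    that level, which is how the manual words the rule.
    """
    threshold = limit * ratio
    by_age = sorted(messages, key=lambda m: m.mtime)   # oldest first
    total = sum(m.size for m in by_age)
    deleted: List[str] = []
    if total <= threshold:                      # not "more than 80% full"
        return [m.name for m in by_age], deleted
    while by_age and total >= threshold:        # stop once below 80 %
        oldest = by_age.pop(0)
        total -= oldest.size
        deleted.append(oldest.name)
    return [m.name for m in by_age], deleted


if __name__ == "__main__":
    # Constructed sample: a 1000-byte store, so the 80 % mark is 800 bytes.
    sample = [BackupMessage("msg-a", 300, 1.0),
              BackupMessage("msg-b", 300, 2.0),
              BackupMessage("msg-c", 300, 3.0)]
    print(check_backup_storage(sample, limit=1000))   # (['msg-b', 'msg-c'], ['msg-a'])
```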
3.4. Post-install setup
The installation of Kaspersky Anti-Virus involves automatic configuration of the application and the mail system. However, after installation you should use the keepup2date.sh script to register the cron update task (see section 3.4 on page 23); this is necessary to keep the anti-virus database up to date.
You may also need to perform some post-installation tasks:
1. Install the license key if this has not been done during the installation. To install the license key, enter, for example, the following in the command line:
# ./licensemanager -a <file>
where <file> is the license key file name, and restart the application (for details see section 7.14 on page 75).
2. Configure the Sendmail system to integrate it with the anti-virus filter (if this has not been done during the installation) (see section 7.1 on page 47) and restart Sendmail.
3. Configure proxy server settings in the Kaspersky Anti-Virus configuration file if you connect to the Internet through a proxy server (see Appendix A on page 98). This is required to update the database and kernel modules.
4. If necessary, perform additional configuration of the application (see Chapter 7 on page 47).
5. Install the Kaspersky Anti-Virus module for Webmin to enable remote management of the application, if that was not done automatically during the installation (see section 7.2 on page 50).
3.5. Location of application files and directories
The default paths for application files on a Linux server are as follows:
/etc/kav/5.6/kavmilter/ – directory containing application configuration files:
kavmilter.conf – configuration file containing runtime settings;
kavmilter.setup – configuration file added to applications.setup for retrieving and installing updates;
groups.d/ – directory used to store group configuration files;
groups.d/default.conf – configuration file containing processing rules for the default group;
init.d/kavmilterd – service script to control operation of the application. The application also creates the symbolic link /etc/init.d/kavmilterd which points to the control service script;
profiles/ – directory containing configurations of preset protection profiles.
/opt/kav/5.6/kavmilter/man – directory containing manual pages.
/opt/kav/5.6/kavmilter/bin – directory containing application executable files, such as kavmilter, keepup2date, and licensemanager.
/opt/kav/5.6/kavmilter/doc – directory containing application documentation.
/opt/kav/5.6/kavmilter/web – directory containing the kavmilter.wbm remote management module for the Webmin program.
/var/db/kav/5.6/kavmilter/ – application directory that includes:
backup/ – message backup storage directory;
bases/ – directory storing the anti-virus database and kernel modules;
bases/backup/ – directory for storing backup copies of the anti-virus database and kernel modules created prior to updating;
licenses/ – directory containing license keys for the application;
patches/ – directory containing application patches;
run/ – directory that stores the file with the application ID;
templates/ – directory for storing notification templates;
tmp/ – directory for temporary files;
mibs/ – directory containing MIB files.
/var/log/kav/5.6/kavmilter – directory that contains report files, which are created if the application is configured to save reports to a file rather than to the system log.
The default locations for application files on servers running OpenBSD / FreeBSD differ from those for Linux OS, as follows:
/usr/local/etc/kav/5.6/kavmilter/ – directory containing the application files for FreeBSD, or
/etc/kav/5.6/kavmilter/ – directory containing the application configuration files for OpenBSD.
/etc/kav/5.6/kavmilter/rc.d/kavmilterd (for OpenBSD) – service script to control operation of the application;
/usr/local/man – directory containing manual pages.
/usr/local/share/kav/5.6/kavmilter/bin – directory containing application executable files.
/var/db/kav/5.6/kavmilter/doc – directory containing application documentation.
/usr/local/share/kav/5.6/kavmilter/web – directory containing the kavmilter.wbm remote management module for the Webmin program.
When Kaspersky Anti-Virus is installed on a server running FreeBSD, the kavmilterd service script that controls the operation of the kavmilter executable file is located in the /usr/local/etc/kav/5.6/kavmilter/rc.d/ directory. The application also creates a symbolic link to this script under /usr/local/etc/rc.d/.
3.6. Software uninstall
To uninstall Kaspersky Anti-Virus previously installed from a package, issue the command that corresponds to the package type.
In order to remove Kaspersky Anti-Virus installed from an rpm package, enter the following text in the command line:
# rpm -e <package_name>
In order to remove Kaspersky Anti-Virus installed from a deb package, enter the following text in the command line:
# dpkg -r <package_name>
To uninstall Kaspersky Anti-Virus from a server running FreeBSD or OpenBSD, enter the following text in the command line:
# pkg_delete <package_name>
3.7. Uninstallation process
The procedure for uninstalling Kaspersky Anti-Virus is automatic, not interactive and contains the following steps:
1. Removing the cron task of checking the backup storage from the list of tasks for the kav user.
2. Removing the cron task for updating the anti-virus database and anti-virus kernel modules from the list of tasks for the kav user.
3. Rolling back the Sendmail configuration changes made to integrate it with the anti-virus filter. Restart the mail system to make the previous configuration effective.
4. Stopping the kavmilterd service. From this moment, anti-virus filtration of mail traffic will be disabled.
5. Rolling back the registration of the kavmilterd service in the system: in System V systems, the links in rc.d must be removed; in FreeBSD-based systems, the links to the script corresponding to this service are removed; in OpenBSD-based systems, the rc.local file should be edited.
6. Rolling back the registration of Kaspersky Anti-Virus application with the system: the corresponding section is removed from /var/db/kav/applications.setup.
7. Deleting the kav user from the system.
8. Removing the links to the reference information about the application.
9. Deleting temporary files or directories created during Kaspersky Anti-Virus performance.
10. Deleting the Kaspersky Anti-Virus package: all directories, files of the application, and the anti-virus database included in the distribution kit, are removed. Reports, configuration files and backup directories will not be removed.
11. Removing Kaspersky Anti-Virus module for Webmin, if it was installed.
Because the kavuser user is deleted during application uninstallation while some files that belong to this user (configuration files, log files) remain on the system, errors related to the access rights of the new kavuser user created during reinstallation may occur. To solve this problem, specify the necessary read and write rights for these files.
CHAPTER 4. THE PRINCIPLES OF APPLICATION OPERATION
This chapter explains how the application functions, the interaction between its components, and how to correctly configure it.
4.1. General message processing algorithm
When a server with Sendmail and Kaspersky Anti-Virus installed receives an email message, it processes the message using this algorithm:
1. Sendmail passes the message to Kaspersky Anti-Virus via the Milter API.
2. If an administrator has created additional groups, Kaspersky Anti-Virus defines the list of groups which match the message addresses, and chooses the group with the highest priority. The message will be processed according to the rules defined in that group. For details of how to create groups, see section 4.2 on page 29.
3. If there are no additional groups or if the message addresses do not match any of the existing groups, the message will be processed according to the default rules described in the default.conf file.
4. If backup rules are specified for the group used to process the message (see section 7.8 on page 55), a copy of the original message is stored in the specified location.
5. The message is processed, using anti-virus scanning, filtering, curing infected objects, headers addition, etc. according to the group rules.
6. The processed message is then passed via the Milter API back to Sendmail for further delivery to recipient(s).
4.2. Creating groups for message processing
A group is a set of processing rules to be applied to certain messages. Each group contains a list of senders and / or recipients defining which messages are processed according to the group rules.
When a message is received, the application searches through the list of addresses for each group. If a matching combination of the sender/recipient addresses is found, the rules defined for this group will be applied to the email message. If the sender/recipient addresses belong to several groups, the application will use the group with the highest priority.
Each group’s settings are specified in a separate file with a .conf extension. These files are stored in /etc/kav/5.6/kavmilter/group.d/ directory for Linux / OpenBSD distributions and in /usr/local/etc/kav/5.6/kavmilter/group.d/ directory for FreeBSD distributions. This is the default location for the default.conf file describing the Default group; these group rules are applied to any messages which do not belong to other groups.
Parameters in group configuration file are located in the following sections:
[group.definition] contains parameters defining the group name, the list of senders and recipients and the group priority;
[group.settings] contains parameters defining the scan policy and whether the application should append additional information to each message;
[group.actions] contains parameters defining the processing rules for detected objects according to their status;
[group.filter] contains parameters defining the filtering rules for mail objects;
[group.notifications] contains parameters defining notifications rules pertaining to discovered objects with a certain status;
[group.backup] contains parameters defining message backup rules.
If any parameter of a group is not defined, the parameter's default value from the default.conf file will be used.
To create a new group:
1. Create a new .conf file in the group.d directory.
2. Specify comma-separated lists of sender and recipient addresses using the Senders and Recipients parameters. For example:
[group.definition]
Senders=re:.*@other\.domain\.com
Recipients=user1@site1.local
Recipients=re:.*@site2\.local
means that the rules of this group will be applied to all messages which were sent from any user of the other.domain.com domain to any user of the site2.local domain or to the user1@site1.local email address.
You can use POSIX regular expressions to specify the senders' / recipients' mask. To specify a regular expression, use the prefix re:.
If either the Recipients or Senders parameter is not included in the group description, the default value "*" (all addresses) will be used instead. At least one of the Senders or Recipients parameters must be specified.
3. Specify the priority of the group with the Priority parameter. If the message sender/recipient address belongs to several groups, it will be processed using the rules of the group with the highest priority. The maximum priority value is 2147483647.
Do not use the same priority for several groups.
4. Specify the processing rules for the new group.
If you have created other groups, the application will process messages according to the following algorithm:
1. The message address(es) are compared with the addresses in the groups created by the administrator. If the recipient / sender pair of addresses is found in a specific group, the rules defined for that group will be applied to the message. If a sender/recipient address fits the address ranges of several groups, the rules of the group with the highest priority will be used.
2. If the message addresses are not found in any group created by the administrator, the message will be processed according to the rules of the Default group, contained in the default.conf file.
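The group selection described in section 4.2 and in the algorithm above, as an added Python example that is not the product's own code: it reads constructed group .conf files (only the [group.definition] keys), applies Senders/Recipients masks with the re: prefix, and returns the highest-priority matching group or default.conf. Whole-address regex matching, case-insensitive comparison, "any recipient matches" for multi-recipient messages and an absent list meaning "*" are assumptions beyond what the manual states.

```python
# Added example, not Kaspersky code: chooses the group whose rules apply to a
# message. Assumed: a mask is a literal address, "*", or "re:<regex>" matched
# against the whole address case-insensitively; a group matches when the sender
# fits a Senders mask and at least one recipient fits a Recipients mask.
import re

# Constructed sample group files, as they might sit in group.d/.
GROUP_FILES = {
    "default.conf": "[group.definition]\nPriority=0\n",
    "partners.conf": r"""[group.definition]
Senders=re:.*@other\.domain\.com
Recipients=user1@site1.local
Recipients=re:.*@site2\.local
Priority=10
""",
    "vip.conf": "[group.definition]\nRecipients=user1@site1.local\nPriority=20\n",
}

def parse_definition(text):
    """Read [group.definition]; repeated Senders/Recipients keys accumulate."""
    defn, section = {"senders": [], "recipients": [], "priority": 0}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "group.definition" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() in ("senders", "recipients"):
                defn[key.lower()].append(value)
            elif key.lower() == "priority":
                defn["priority"] = int(value)
    return defn

def mask_matches(mask, address):
    if mask == "*":
        return True
    if mask.startswith("re:"):  # regular expression follows the prefix
        return re.fullmatch(mask[3:], address, re.IGNORECASE) is not None
    return mask.lower() == address.lower()

def group_matches(defn, sender, recipients):
    senders = defn["senders"] or ["*"]      # absent list means "*"
    rcpts = defn["recipients"] or ["*"]
    return (any(mask_matches(m, sender) for m in senders)
            and any(mask_matches(m, r) for m in rcpts for r in recipients))

def select_group(groups, sender, recipients):
    """Highest-priority matching administrator group, else default.conf."""
    hits = [(d["priority"], n) for n, d in groups.items()
            if n != "default.conf" and group_matches(d, sender, recipients)]
    return max(hits)[1] if hits else "default.conf"

GROUPS = {name: parse_definition(text) for name, text in GROUP_FILES.items()}
```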
4.3. Message status
Following an anti-virus scan a status is assigned to the message which may have one of the following values:
clean – no malicious code was found in the message (or part of it).
error – the message (or part of it) is corrupted and an error occurred while scanning it.
protected – the message (or part of it) is protected with a password or other means of protection. Therefore, it was skipped during anti-virus scanning.
infected – the message (or part of it) contains malicious code (code sample is available in the anti-virus database or it was detected by the heuristic code analyzer).
suspicious – the message (or part of it) contains suspicious code (it can be a new unknown virus or a modification of a known one).
If disinfection of an infected object has failed, the object is assigned the CureFailed status. If disinfection is successful the object is assigned the CURED status.
The message status determines the action to be applied to the message. The possible actions to be applied to messages are defined by the parameters DefaultAction, SuspiciousAction, ProtectedAction, and ErrorAction which are located in the [group.actions] section of the group configuration file. Possible actions are described in the next section.
4.4. Assigning actions for mail messages
The range of possible actions to be applied to messages / objects is as follows:
warn – replace the infected message with a warning about a detection of an object containing a virus;
cure – disinfect the infected object in the message. If disinfection fails, delete the object and add the corresponding notification to the message;