Kaspersky Lab Anti-Virus 5.6 ADMINISTRATOR GUIDE

KASPERSKY LAB
Kaspersky Anti-Virus® 5.6 for Sendmail with Milter API
ADMINISTRATOR'S MANUAL
© Kaspersky Lab
http://www.kaspersky.com
Revision date: March 2006
Contents
CHAPTER 1. KASPERSKY ANTI-VIRUS® FOR SENDMAIL WITH MILTER API ... 6
1.1. What’s new in version 5.6 ... 7
1.2. Hardware and software system requirements ... 7
1.3. Licensing policies ... 9
1.4. Distribution kit ... 9
1.5. Help desk for registered users ... 10
1.6. Adopted conventions ... 10
CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS ... 13
2.1. Installing Kaspersky Anti-Virus on the same server with your mail system ... 13
2.2. Installing Kaspersky Anti-Virus on a dedicated server ... 16
2.3. Installing Kaspersky Anti-Virus as a filter (single or additional) ... 18
2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers ... 18
CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTI-VIRUS ... 21
3.1. Software installation on a server running Linux ... 21
3.2. Software installation on a server running FreeBSD or OpenBSD ... 22
3.3. Installation process ... 22
3.4. Post-install setup ... 23
3.5. Location of application files and directories ... 24
3.6. Software uninstall ... 26
3.7. Uninstallation process ... 26
CHAPTER 4. THE PRINCIPLES OF APPLICATION OPERATION ... 28
4.1. General message processing algorithm ... 28
4.2. Creating groups for message processing ... 29
4.3. Message status ... 31
4.4. Assigning actions for mail messages ... 31
CHAPTER 5. PRESET PROTECTION PROFILES ... 33
5.1. High overall security profile ... 33
5.2. High effective security profile ... 34
5.3. Optimal operation profile ... 35
5.4. Top performance mode ... 35
CHAPTER 6. USING KASPERSKY ANTI-VIRUS FOR SENDMAIL WITH MILTER API ... 37
6.1. Delivering disinfected messages to recipients ... 37
6.2. Blocking infected messages ... 39
6.3. Delivering protected messages ... 40
6.4. Sending notifications to senders, recipients, and administrator ... 41
6.5. Filtering e-mail traffic by attachments ... 43
6.6. Updating the anti-virus database and application kernel ... 44
6.7. Backing up e-mail messages ... 45
CHAPTER 7. ADDITIONAL SETUP ... 47
7.1. Integrating the application into your mail system ... 47
7.2. Installing and uninstalling the Webmin module of Kaspersky Anti-Virus ... 50
7.3. Checking the configuration file syntax ... 51
7.4. Defining an e-mail scan policy ... 52
7.5. Adjusting scan thoroughness ... 52
7.6. Selecting objects to scan ... 53
7.7. Selecting objects to be filtered and assigning actions ... 54
7.8. Configuring backup options ... 55
7.9. Configuring database and kernel module updates ... 56
7.10. Customizing notifications ... 57
7.10.1. Notification templates ... 60
7.10.2. Customizing notification templates ... 62
7.10.2.1. Macros ... 62
7.10.2.2. Iteration constructs ... 63
7.10.2.3. Scope of visibility for an iterative statement ... 64
7.10.2.4. Variables ... 65
7.10.2.5. Language syntax ... 66
7.10.2.6. Notification macros for the application ... 68
7.11. Reporting options ... 69
7.12. Parameters of update report generation ... 71
7.13. Statistics parameters ... 73
7.14. Restarting Kaspersky Anti-Virus ... 75
7.15. Managing the application from the command line ... 76
7.16. Localization of displayed date and time format ... 77
7.17. Additional informational header fields in messages ... 78
7.18. Troubleshooting ... 78
7.19. Application control via SNMP ... 79
CHAPTER 8. USING LICENSES ... 83
8.1. Viewing license key information ... 84
8.2. License extension ... 85
8.3. License key removal ... 87
CHAPTER 9. COMPATIBILITY WITH OTHER KASPERSKY LAB APPLICATIONS ... 88
CHAPTER 10. VERIFYING PROPER OPERATION OF THE ANTI-VIRUS ... 90
CHAPTER 11. FREQUENTLY ASKED QUESTIONS ... 92
APPENDIX A. ADDITIONAL INFORMATION ... 98
A.1. Application configuration file kavmilter.conf ... 98
A.2. Default group configuration file default.conf ... 102
A.3. Error return codes ... 106
A.4. Keepup2date return codes ... 108
A.5. Command line options for licensemanager ... 108
A.6. Licensemanager return codes ... 109
A.7. Description of the MIB (Management Information Base) objects ... 110
APPENDIX B. KASPERSKY LAB ... 113
B.1. Other Kaspersky Lab Products ... 114
B.2. Contact Us ... 119
APPENDIX C. LICENSE AGREEMENT ... 121
CHAPTER 1. KASPERSKY ANTI-VIRUS® FOR SENDMAIL WITH MILTER API
Kaspersky Anti-Virus® for Sendmail with Milter API (hereinafter also referred to as Kaspersky Anti-Virus, application) provides anti-virus protection for e-mail traffic handled by Sendmail with Milter API running on a Linux/Unix server.
Kaspersky Anti-Virus running on a mail server will:
- Intercept incoming and outgoing e-mail messages handled by the server.
- Scan e-mail traffic for viruses using the anti-virus engine. The application scans the entire message as well as message objects, including the header, body, and attachment (depending on the anti-virus policy).
- Back up e-mail messages prior to performing any action related to anti-virus protection, including blocking and rejecting messages. The administrator can then restore original messages from these backup copies.
- Handle infected objects of e-mail messages detected during the scan.
- Filter e-mail messages. This version of the product filters messages by MIME type, size, and name of attachments.
- Notify the senders and administrators about the results of anti-virus treatment and message filtering. The application may also send detailed notifications using an external mail agent.
- Provide general statistics and reports on application performance.
The advanced features of Kaspersky Anti-Virus allow the administrator to perform the following tasks:
- Configure the application from a remote location through the web interface of the Webmin application.
- Customize templates for sending notifications to senders, recipients, and administrators using a special language.
1.1. What’s new in version 5.6
Kaspersky Anti-Virus 5.6 for Sendmail with Milter API has these additional features, compared to version 5.0:
- Simple processing rules for e-mails can be grouped, depending upon the message’s senders and recipients, to provide complex processing.
- Additional options have been added for processing messages containing suspicious objects.
- Additional statistics are recorded for all messages processed by the application.
- The SNMP protocol can be used to get read-only access to application configuration and statistics data; the application can be configured to send SNMP traps when specific events occur.
1.2. Hardware and software system requirements
For smooth operation of Kaspersky Anti-Virus, your mail server must meet the following hardware and software requirements:
Minimum hardware requirements for application operation:
- Intel Pentium 133 MHz processor or higher
- 32 MB RAM
- 100 MB available space on your hard drive (this amount does not include space necessary for storing backup message copies).
Minimum hardware requirements for a mail server with about 800 MB of traffic per day [1] (250-300 mail accounts (addresses)):
- Celeron (Mendocino) 400 MHz processor
- 512 MB RAM
- 100 MB of available space on your hard drive (for Kaspersky Anti-Virus operation).
Optimal hardware requirements:
For a mail server with about 800 MB of traffic per day (250-300 mail accounts (addresses)):
- 2xPentium Xeon 1.8 GHz processor
- 1 GB RAM
- 8 GB of available space on your hard drive (this amount does not include space necessary for storing backup message copies).
For a mail server with about 400 MB of traffic per day [2] (100-150 mail accounts (addresses)):
- Pentium III 900 MHz processor
- 512 MB RAM.
Software requirements:
One of the following operating systems:
- Red Hat Enterprise Linux Advanced Server 4.
- Red Hat Linux 9.0.
- Fedora Core 3.
- SuSE Linux Enterprise Server 9.0.
- SuSE Linux Professional 9.2.
- Debian 3.1.
- Mandrakelinux 10.1.
- FreeBSD 4.10, 5.4.
- OpenBSD 3.6.
Sendmail version 8.11.x or higher with Milter API (installed).
Webmin program (www.webmin.com) (installed) to manage Kaspersky Anti-Virus from a remote location.
The following utilities should be installed in your system: bc, sed, tr, cut, du, grep, awk.
[1] The following scheme is used to calculate daily traffic: average message size is 60 KB; during a 10-hour period, with 25 scan processes working in parallel, about 13200 messages are processed, which totals 800 MB.
[2] The following scheme is used to calculate daily traffic: average message size is 60 KB; during a 10-hour period, with 25 scan processes working in parallel, about 6600 messages are processed, which totals 400 MB.
1.3. Licensing policies
Kaspersky Anti-Virus’ licensing policies limit product use based on one of these criteria:
- number of users protected by the application;
- e-mail traffic processed daily (MB/day).
Each type of licensing is also time-limited, typically for one or two years from the date of purchase.
You can purchase only one type of the license, for example, by the amount of daily email traffic.
The application has slightly different configuration parameters depending on the type of license you have purchased. For instance, if the license is issued for a certain number of users, you will have to create a list of addresses (domains) for which the application will provide protection.
1.4. Distribution kit
You can purchase Kaspersky Anti-Virus for Sendmail with Milter API either from our distributors or in our Internet shop at www.kaspersky.com.
When purchasing a retail box, you will receive the following distribution kit:
- a sealed envelope with an installation CD (or a set of floppy disks) containing software product files;
- administrator’s guide;
- license key written on the installation CD or a floppy disk;
- license agreement.
Before you unseal the envelope containing the CD (or floppy disks), be sure to thoroughly review the license agreement.
When purchasing Kaspersky Anti-Virus in the Web shop, you download the product from Kaspersky Lab’s website. The distribution file contains the application and the license key.
The License Agreement (LA) is a legal agreement between you (either an individual or a single entity) and the manufacturer (Kaspersky Lab Ltd.) describing the terms under which you may use the anti-virus product which you have purchased.
Make sure to read the terms of the License Agreement!
If you do not agree to the terms of this LA, Kaspersky Lab is not willing to license the software product to you, and you should return the unused product to your Kaspersky Anti-Virus dealer for a full refund, making sure the envelope with the CD (or diskettes) is sealed.
If you have unsealed the envelope, you have agreed to all the terms of the LA.
1.5. Help desk for registered users
Kaspersky Lab offers a large service package, enabling registered users to efficiently use Kaspersky Anti-Virus.
If you register and purchase a subscription, you will be provided with the following services for the period of your subscription:
- daily virus-definition database updates via e-mail;
- product upgrades;
- phone and e-mail advice on matters related to your software installation, configuration and performance;
- information about new Kaspersky Lab products and new computer viruses (for those who subscribe to our newsletter).
Kaspersky Lab does not give advice on the performance and use of your operating system or various other technologies.
1.6. Adopted conventions
The text in this document is formatted in accordance with its meaning. Table 1 below lists the conventions adopted for use in the text.
Table 1. Conventions
Style | Purpose
Bold type | Menu titles, menu items, window titles, parts of dialog boxes, etc.
Note. | Additional information, notes.
Attention! | Information that should be paid special heed.
In order to perform the action, 1. Step 1. 2. … | Description of procedure for user's steps and possible actions.
Task, example | Statement of problem, example for using the software features.
Solution | Solution to a defined problem.
[key] – key purpose. | Command line keys.
Text of information messages and the command line | Text of configuration files, informative messages, and the command line.
CHAPTER 2. TYPICAL DEPLOYMENT SCENARIOS
Kaspersky Anti-Virus can be rolled out using the following methods, depending on the initial configuration of your mail system and the specific needs of your organization:
- on the same server your mail system is on: this scenario is used by default if you have a configured Sendmail system on your server (see section 2.1 on page 13).
- on a dedicated server: use this method if your mail server is under a high load (see section 2.2 on page 16). In this case you can also use Kaspersky Anti-Virus to process the mail traffic of several Sendmail servers (see section 2.4 on page 18).
Note that in both cases the application will function identically, regardless of the deployment scenario you choose. They differ only in the method of interaction between Kaspersky Anti-Virus and Sendmail.
To configure Kaspersky Anti-Virus, consider other Milter filters integrated into your mail system. If you have such filters, you can install Kaspersky Anti-Virus as:
- a single Milter filter;
- together with other Milter filters: if you have other mail filters, for example, Kaspersky Anti-Spam (see section 2.3 on page 18).
The sections below describe each scenario in detail.
2.1. Installing Kaspersky Anti-Virus on the same server with your mail system
When describing the operation and configuration of Kaspersky Anti-Virus in this guide, it is assumed that Kaspersky Anti-Virus has been installed on the same server as your mail system.
Kaspersky Anti-Virus processes incoming and outgoing mail as follows:
1. Email traffic forwarded from other servers or from users arrives at Sendmail.
2. The mail system then forwards messages to Kaspersky Anti-Virus through Milter API for anti-virus processing.
3. Kaspersky Anti-Virus scans and handles email messages and, depending on the settings, sends them back through Milter API to the mail system. The anti-virus application can generate and send notifications using an external mail agent.
4. The mail system then routes mail traffic to either external mail servers or mailboxes of local users.
During the installation on the same server with Sendmail, Kaspersky Anti-Virus automatically makes the necessary changes to its own configuration and configuration of Sendmail. If you want to specify custom parameters of the socket to be used for interaction between Sendmail and Kaspersky Anti-Virus, you will need to make the following changes:
If you use sendmail.cf, add the following lines to the file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<localhost>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <localhost> is the name or IP address of the local host (possible values: localhost, 127.0.0.1, or the IP address of the server), and <port> is a network socket port.
For this configuration, it is recommended to use a local Unix socket. To do so, add the following lines to the sendmail.cf file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=unix:<socket_file_path>,F=T,T=S:10s;R:5m;E:5m
#kav-end
or
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=local:<socket_file_path>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <socket_file_path> is the path to the socket file.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter dnl
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=local:<socket_file_path>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end dnl
or
dnl kav-begin: KAVMilter dnl
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=unix:<socket_file_path>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end dnl
where <socket_file_path> is the path to the socket file.
In the [kavmilter.global] section of the kavmilter.conf configuration file, make the following changes:
ServiceSocket=unix:<socket_file_path>
or
ServiceSocket=local:<socket_file_path>
where <socket_file_path> is a path to the socket file.
If you specify custom settings for the interaction socket, do not forget to delete from the Sendmail configuration file those strings which were automatically added by Kaspersky Anti-Virus during its installation.
2.2. Installing Kaspersky Anti-Virus on a dedicated server
If your mail server’s load is consistently high, it is more reasonable to install Kaspersky Anti-Virus on a dedicated server in order to avoid server malfunction, because anti-virus processing of mail traffic consumes considerable server resources.
If Kaspersky Anti-Virus is installed on a dedicated server, it operates as follows:
1. The mail stream arrives at the mail server with Sendmail installed.
2. Sendmail then forwards messages to Kaspersky Anti-Virus through a network socket.
3. The processed mail stream, together with anti-virus notifications, is sent back to the mail system for further delivery.
If Kaspersky Anti-Virus is installed on a dedicated server, you must use a network socket for e-mail traffic to be received from and delivered to Sendmail.
Configure Sendmail as follows:
If you use sendmail.cf, add the following lines to this file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<ip_address>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <ip_address> is the IP address of the network socket, and <port> is a network socket port.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter dnl
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=inet:<port>@<ip_address>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end dnl
where <ip_address> is the IP address of the network socket, and <port> is a network socket port.
In the [kavmilter.global] section of the Kaspersky Anti-Virus configuration file, make the following changes:
ServiceSocket=inet:<port>@<ip_address>
where <ip_address> is the IP address of the network socket, and <port> is a network socket port.
When Kaspersky Anti-Virus runs on a dedicated server, it needs a sendmail-compatible mail agent to send notifications to the administrator.
Make sure you have a symbolic link or binary file /usr/sbin/sendmail, which is used to send notifications.
2.3. Installing Kaspersky Anti-Virus as a filter (single or additional)
Kaspersky Anti-Virus can be installed as either a single filter or together with other filters. If other mail filters have been installed on your system, you should carefully define their sequence based on the filter settings.
If you are installing Kaspersky Anti-Virus ahead of another filter, note that anti-virus processing can affect the contents of the mail stream: some elements of e-mail messages (headers, body, etc.) can be changed, notifications generated by the anti-virus software can be added to the stream, and some messages can be deleted or rejected from further processing. Therefore, a filter located behind Kaspersky Anti-Virus will deal with a processed, and therefore altered, mail stream. Consider this factor when configuring filters behind the anti-virus application. For example, you may exclude notifications generated by Kaspersky Anti-Virus from filtering.
If you are installing Kaspersky Anti-Virus behind another filter, set the first filter to forward the mail stream to Kaspersky Anti-Virus via a socket.
In this case, Kaspersky Anti-Virus receives the mail stream that has been processed and changed by the first filter.
Configure the Milter filters installed on your mail server as follows:
1. Configure the Sendmail and Kaspersky Anti-Virus socket options as described in section 2.1 on page 13.
2. Configure the other mail filters installed on your mail server, either behind or ahead of the anti-virus software, to transmit the mail stream via the respective socket.
2.4. Installing Kaspersky Anti-Virus as Milter filter for several Sendmail servers
Kaspersky Anti-Virus can be used to scan the traffic of several mail servers. This scenario can provide anti-virus protection for a distributed mail system, but account must be taken both of the application load caused by several mail servers and of compliance with the licensing conditions. If the license policy is based on the number of accounts, the Kaspersky Anti-Virus configuration file should specify the domains of all users whose mail traffic is processed by the protected mail servers. If the license policy is based on e-mail traffic volume, the total mail traffic of all servers must be less than the maximum specified by the license.
In this scenario, mail will be processed as follows:
1. The email traffic arrives at several mail servers with Sendmail installed.
2. Each server forwards its messages to Kaspersky Anti-Virus for anti-virus processing, via a network socket.
3. After processing, Kaspersky Anti-Virus sends checked messages, together with anti-virus notifications, back to the mail server for further delivery.
To implement this scenario:
1. In the kavmilter.conf configuration file of Kaspersky Anti-Virus, set the ServiceSocket parameter as shown below:
ServiceSocket=inet:<port>@<ip_address>
where <port> is the network socket port, and <ip_address> is the IP address of the host.
2. Amend the configuration of all Sendmail servers whose mail traffic will be protected by Kaspersky Anti-Virus:
If you use sendmail.cf, add the following lines to this file:
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.helo={tls_version}, {cipher}, {cipher_bits}, {cert_subject}, {cert_issuer}
O Milter.macros.envfrom=i, {auth_type}, {auth_authen}, {auth_ssf}, {auth_author}, {mail_mailer}, {mail_host}, {mail_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:<port>@<ip_address>,F=T,T=S:10s;R:5m;E:5m
#kav-end
where <ip_address> is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and <port> is the network socket port.
If you use sendmail.mc, add the following lines to this file:
dnl kav-begin: KAVMilter dnl
define(`_FFR_MILTER', `true')dnl
INPUT_MAIL_FILTER(`KAVMilter', `S=inet:<port>@<ip_address>, F=T,T=S:10m;R:15m;E:15m')dnl
dnl kav-end dnl
where <ip_address> is the IP address of the network socket used for interaction with Kaspersky Anti-Virus, and <port> is the network socket port.
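As an added consistency check (not part of this manual or of the product), the following Python script parses the #kav-begin block from sendmail.cf and the ServiceSocket line from kavmilter.conf and reports where the two sides of the integration described in sections 2.1, 2.2 and 2.4 disagree: a socket mismatch, a Unix-domain socket in a dedicated-server deployment, or a missing F=T flag. The sendmail.cf fragment, port and addresses are constructed sample input.

```python
import re

# Constructed sample fragments (not copied from a real server): the block the
# installer writes into sendmail.cf and the matching kavmilter.conf setting.
SENDMAIL_CF = """\
O LogLevel=9
#kav-begin: KAVMilter
O InputMailFilters=KAVMilter
O Milter.macros.connect=j, _, {daemon_name}, {if_name}, {if_addr}
O Milter.macros.envrcpt={rcpt_mailer}, {rcpt_host}, {rcpt_addr}
XKAVMilter, S=inet:3333@127.0.0.1,F=T,T=S:10s;R:5m;E:5m
#kav-end
"""

KAVMILTER_CONF = """\
[kavmilter.global]
ServiceSocket=inet:3333@127.0.0.1
"""


def parse_socket(spec):
    """Normalise a milter socket spec to ('inet', 'port@host') or ('unix', '/path').
    Sendmail accepts both local: and unix: for a Unix-domain socket, so they compare equal."""
    family, _, address = spec.strip().partition(":")
    family, address = family.strip().lower(), address.strip()
    if family == "inet":
        port, _, host = address.partition("@")
        if not port.isdigit() or not 0 < int(port) < 65536 or not host:
            raise ValueError("bad inet socket: %r" % spec)
        return ("inet", "%d@%s" % (int(port), host.lower()))
    if family in ("unix", "local") and address.startswith("/"):
        return ("unix", address)
    raise ValueError("unrecognised milter socket: %r" % spec)


def parse_timeouts(spec):
    """'S:10s;R:5m;E:5m' -> {'S': 10, 'R': 300, 'E': 300} (seconds)."""
    result = {}
    for item in spec.split(";"):
        stage, _, value = item.partition(":")
        m = re.fullmatch(r"(\d+)([smh])", value.strip())
        if stage.strip() not in ("C", "S", "R", "E") or not m:
            raise ValueError("bad milter timeout: %r" % item)
        result[stage.strip()] = int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]
    return result


def kav_block(cf_text):
    """Lines between #kav-begin and #kav-end; raises if the installer's block is absent."""
    m = re.search(r"^#kav-begin: KAVMilter\n(.*?)^#kav-end", cf_text, re.S | re.M)
    if not m:
        raise ValueError("no #kav-begin/#kav-end block in sendmail.cf")
    return m.group(1).splitlines()


def parse_x_line(line):
    """'XKAVMilter, S=...,F=T,T=...' -> ('KAVMilter', {'S': ..., 'F': ..., 'T': ...})."""
    name, _, rest = line[1:].partition(",")
    fields = dict(part.strip().split("=", 1) for part in rest.split(",") if "=" in part)
    return name.strip(), fields


def check_integration(cf_text, conf_text, dedicated_server=False):
    """Compare Sendmail's KAVMilter definition with ServiceSocket in kavmilter.conf.
    Returns a list of findings; an empty list means both sides agree."""
    findings = []
    try:
        lines = kav_block(cf_text)
    except ValueError as exc:
        return [str(exc)]
    listed = [f.strip() for l in lines if l.startswith("O InputMailFilters=")
              for f in l.split("=", 1)[1].split(",")]
    if "KAVMilter" not in listed:
        findings.append("KAVMilter is not listed in O InputMailFilters")
    x_lines = [l for l in lines if l.startswith("X")]
    if len(x_lines) != 1:
        return findings + ["expected one X line in the kav block, found %d" % len(x_lines)]
    name, fields = parse_x_line(x_lines[0])
    if name != "KAVMilter":
        findings.append("filter is defined as %r, not KAVMilter" % name)
    if fields.get("F") != "T":
        # With no F flag Sendmail passes mail through unscanned when the filter fails.
        findings.append("F=T is missing: a filter failure would let mail through unscanned")
    m = re.search(r"^ServiceSocket\s*=\s*(.+)$", conf_text, re.M)
    if not m:
        return findings + ["ServiceSocket is not set in kavmilter.conf"]
    try:
        sm_socket = parse_socket(fields.get("S", ""))
        kav_socket = parse_socket(m.group(1))
        parse_timeouts(fields.get("T", ""))
    except ValueError as exc:
        return findings + [str(exc)]
    if sm_socket != kav_socket:
        findings.append("socket mismatch: sendmail.cf uses %s:%s, kavmilter.conf uses %s:%s"
                        % (sm_socket + kav_socket))
    if dedicated_server and sm_socket[0] != "inet":
        findings.append("a Unix-domain socket cannot reach a filter on another host; "
                        "use inet:<port>@<ip_address> on both sides")
    return findings
```

Run check_integration() against the real files after each change to sendmail.cf or kavmilter.conf; an empty list means the filter socket, flags and timeouts line up.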
CHAPTER 3. INSTALLATION AND UNINSTALLATION OF KASPERSKY ANTI-VIRUS
Prior to beginning the installation of Kaspersky Anti-Virus for Sendmail with Milter API, we recommend the following preparations for your system:
- Make sure that your system meets the hardware and software requirements for installation of Kaspersky Anti-Virus (please see section 1.2 on page 7).
- Log in to the system as superuser (root).
3.1. Software installation on a server running Linux
There are two different installation packages of Kaspersky Anti-Virus, supplied for different Linux distributions.
In order to start the installation of Kaspersky Anti-Virus from a .rpm package, enter the following text in the command line:
# rpm -i <package_file_name>
In order to start the installation of Kaspersky Anti-Virus from a .deb package, enter the following text in the command line:
# dpkg -i <package_file_name>
3.2. Software installation on a server running FreeBSD or OpenBSD
The installation package for Kaspersky Anti-Virus is supplied in a .tar.gz package for servers running FreeBSD or OpenBSD operating systems.
In order to start installing Kaspersky Anti-Virus from a .tar.gz package, enter the following text in the command line:
# pkg_add <package_name>
3.3. Installation process
The procedure for installing Kaspersky Anti-Virus is automatic and not interactive. If any of the installation steps cannot be performed, the administrator must perform it after the installation is complete.
The install process for Kaspersky Anti-Virus for Sendmail with Milter API performs the following steps automatically:
1. Creating a group and a user account named kav under which Kaspersky Anti-Virus will operate.
2. Adding application settings to the /var/db/kav/applications.setup file that is used to update the anti-virus database and program modules.
3. Defining domains (i.e., mailboxes of these domains) that will be protected by Kaspersky Anti-Virus. The default domain is the system domain, including all domains derived from the hostname (if they exist). For example, if the hostname of the target server is srv1.subdomain.example.com, then the mail accounts of the following domains will also be protected: example.com, subdomain.example.com and srv1.subdomain.example.com.
4. Registering the kavmilterd service in the startup system.
5. Searching and automatically editing the Sendmail configuration to integrate it with the anti-virus filter.
Before any configuration changes are made, you must back up the original Sendmail configuration. This backup can be used if Kaspersky Anti-Virus is uninstalled.
After the configuration has been changed, Sendmail must be restarted for the changes to take effect. If Sendmail is not restarted during the installation, the configuration changes are not applied and a corresponding message is displayed on the console. In that case you will need to apply the Sendmail configuration changes yourself after Kaspersky Anti-Virus has been installed; otherwise, mail traffic on the server will not be filtered.
6. Running the kavmilterd service (using kavmilterd init script) that initializes the anti-virus filtration of mail traffic.
7. Registering a cron task for hourly checks of the backup storage size. By default the size of the backup storage is 512 MB. If a check-up reveals that the backup storage is more than 80% full, then the application deletes the oldest messages until the summary size of the backup messages becomes less than 80% of the storage size.
8. Forming links to reference information about Kaspersky Anti-Virus performance. To display the information, use the man command.
9. Registering Kaspersky Anti-Virus module for Webmin, if you have Webmin installed.
If your Webmin version is older than 1.150, or you have changed the default installation directory for additional Webmin modules, the following warnings might appear during the installation or when you run the kavmilter-setup.sh script with the -add-webmin-module option:
Warning: Installer is known to be broken. Warning: will attempt to install module without it.
These warnings do not mean that the installation has failed; if they appear, make sure that the Webmin management module is installed correctly using the Webmin web interface.
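Two of the steps above, the domain derivation in step 3 and the hourly backup-storage check in step 7, are easy to model so that an administrator can predict what the installer will do on a given host. The following Python is an added example and not code from the Kaspersky Anti-Virus distribution; the function names, the BackupEntry record and the sample store are constructed for the illustration, and the handling of a single-label hostname is an assumption made here.

```python
"""Two installation-time behaviours from the step list above, modelled in
Python so an administrator can check them against a real host.

Added example, not code from the Kaspersky Anti-Virus distribution.  The
function names, the dataclass and the sample entries are constructed here.
"""
from dataclasses import dataclass
from typing import List

MB = 1024 * 1024


def protected_domains(hostname: str) -> List[str]:
    """Domains protected by default for a given hostname (installation step 3).

    For srv1.subdomain.example.com this yields example.com,
    subdomain.example.com and srv1.subdomain.example.com.  A bare top-level
    label is never treated as a domain; a single-label hostname is returned
    unchanged (assumption for this example).
    """
    labels = hostname.strip(".").lower().split(".")
    if len(labels) < 2:
        return [labels[0]]
    # Suffixes of two or more labels, shortest first.
    return [".".join(labels[i:]) for i in range(len(labels) - 2, -1, -1)]


@dataclass
class BackupEntry:
    message_id: str
    stored_at: int   # arbitrary monotonic timestamp; smaller means older
    size: int        # size of the stored message in bytes


def backup_storage_check(entries: List[BackupEntry],
                         storage_size: int = 512 * MB,
                         high_watermark: float = 0.80) -> List[BackupEntry]:
    """Model of the hourly cron check registered in installation step 7.

    The check fires only when the storage is more than 80% full; it then
    removes the oldest messages until the total is below 80% again.
    Returns the entries that survive, oldest first.
    """
    survivors = sorted(entries, key=lambda e: e.stored_at)
    limit = storage_size * high_watermark
    used = sum(e.size for e in survivors)
    if used <= limit:
        return survivors                # not over the watermark: nothing deleted
    while survivors and used >= limit:
        used -= survivors.pop(0).size   # evict the oldest message
    return survivors


def demo() -> List[str]:
    """Constructed sample: a 100 MB store holding three 30 MB messages."""
    store = [
        BackupEntry("msg-c", stored_at=3, size=30 * MB),
        BackupEntry("msg-a", stored_at=1, size=30 * MB),
        BackupEntry("msg-b", stored_at=2, size=30 * MB),
    ]
    kept = backup_storage_check(store, storage_size=100 * MB)
    return [e.message_id for e in kept]


if __name__ == "__main__":
    print(protected_domains("srv1.subdomain.example.com"))
    print(demo())
```

In the sample store 90 MB of 100 MB is in use, so the check evicts the oldest message and stops once usage (60 MB) is below the 80 MB watermark; a store at or below the watermark is left untouched.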
3.4. Post-install setup
The installation of Kaspersky Anti-Virus automatically configures the application and the mail system. However, after installation you should use the keepup2date.sh script to register the cron update task (see section 3.4 on page 23). This is necessary to keep the anti-virus database up to date.
You may also need to perform the following post-installation tasks:
1. Install the license key if this was not done during the installation. To install the license key, enter, for example, the following in the command line:
# ./licensemanager -a <file>
where <file> is the license key file name, and then restart the application (for details see section 7.14 on page 75).
2. Configure the Sendmail system to integrate it with the anti-virus filter (if this was not done during the installation; see section 7.1 on page 47) and restart Sendmail.
3. Configure proxy server settings in the Kaspersky Anti-Virus configuration file if you connect to the Internet through a proxy server (see Appendix A on page 98). This is required to update the database and kernel modules.
4. If necessary, perform additional configuration of the application (see Chapter 7 on page 47).
5. Install the Kaspersky Anti-Virus module for Webmin to enable remote management of the application, if that was not done automatically during the installation (see section 7.2 on page 50).
3.5. Location of application files and directories
The default paths for application files on a Linux server are as follows:
/etc/kav/5.6/kavmilter/ – directory containing application configuration files:
  kavmilter.conf – configuration file containing runtime settings;
  kavmilter.setup – configuration file added to applications.setup for retrieving and installing updates;
  groups.d/ – directory used to store group configuration files;
  groups.d/default.conf – configuration file containing processing rules for the default group;
  init.d/kavmilterd – service script to control operation of the application. The application also creates the symbolic link /etc/init.d/kavmilterd, which points to this control script;
  profiles/ – directory containing configurations of preset protection profiles.
/opt/kav/5.6/kavmilter/man – directory containing manual pages.
/opt/kav/5.6/kavmilter/bin – directory containing application executable files, such as kavmilter, keepup2date, and licensemanager.
/opt/kav/5.6/kavmilter/doc – directory containing application documentation.
/opt/kav/5.6/kavmilter/web – directory containing the kavmilter.wbm remote management module for the Webmin program.
/var/db/kav/5.6/kavmilter/ – application directory that includes:
  backup/ – message backup storage directory;
  bases/ – directory storing the anti-virus database and kernel modules;
  bases/backup/ – directory for storing backup copies of the anti-virus database and kernel modules created prior to updating;
  licenses/ – directory containing license keys for the application;
  patches/ – directory containing application patches;
  run/ – directory that stores the file with the application ID;
  templates/ – directory for storing notification templates;
  tmp/ – directory for temporary files;
  mibs/ – directory containing MIB files.
/var/log/kav/5.6/kavmilter – directory that contains report files, which are created if the application is configured to save reports to a file rather than the system log.
The default locations of application files on servers running OpenBSD / FreeBSD differ from those for Linux, as follows:
/usr/local/etc/kav/5.6/kavmilter/ (FreeBSD) or /etc/kav/5.6/kavmilter/ (OpenBSD) – directory containing the application configuration files.
/etc/kav/5.6/kavmilter/rc.d/kavmilterd (for OpenBSD) – service script to control operation of the application.
/usr/local/man – directory containing manual pages.
/usr/local/share/kav/5.6/kavmilter/bin – directory containing application executable files.
/var/db/kav/5.6/kavmilter/doc – directory containing application documentation.
/usr/local/share/kav/5.6/kavmilter/web – directory containing the kavmilter.wbm remote management module for the Webmin program.
When Kaspersky Anti-Virus is installed on a server running FreeBSD, the kavmilterd service script that controls the kavmilter executable is located in the /usr/local/etc/kav/5.6/kavmilter/rc.d/ directory. The application also creates a symbolic link to this script under /usr/local/etc/rc.d/.
3.6. Software uninstall
To uninstall Kaspersky Anti-Virus previously installed from a package, issue the command that corresponds to the package type.
To remove Kaspersky Anti-Virus installed from an .rpm package, enter the following in the command line:
# rpm -e <package_name>
To remove Kaspersky Anti-Virus installed from a .deb package, enter the following in the command line:
# dpkg -r <package_name>
To uninstall Kaspersky Anti-Virus from a server running FreeBSD or OpenBSD, enter the following in the command line:
# pkg_delete <package_name>
3.7. Uninstallation process
The procedure for uninstalling Kaspersky Anti-Virus is automatic, not interactive and contains the following steps:
1. Removing the cron task of checking the backup storage from the list of tasks for the kav user.
2. Removing the cron task for updating the anti-virus database and anti-virus kernel modules from the list of tasks for the kav user.
3. Rolling back the Sendmail configuration changes made to integrate it with the anti-virus filter. Restart the mail system to make the previous configuration effective.
4. Stopping the kavmilterd service. From this moment, anti-virus filtering of mail traffic is disabled.
5. Rolling back the registration of the kavmilterd service in the system: on SysV systems, the links in the rc.d directories are removed; on FreeBSD-based systems, the link to the script corresponding to this service is removed; on OpenBSD-based systems, the rc.local file is edited.
6. Rolling back the registration of Kaspersky Anti-Virus application with the system: the corresponding section is removed from /var/db/kav/applications.setup.
7. Deleting the kav user from the system.
8. Removing the links to the reference information about the application.
9. Deleting temporary files or directories created during Kaspersky Anti-Virus performance.
10. Deleting the Kaspersky Anti-Virus package: all directories, files of the application, and the anti-virus database included in the distribution kit, are removed. Reports, configuration files and backup directories will not be removed.
11. Removing Kaspersky Anti-Virus module for Webmin, if it was installed.
Because the kavuser user is deleted during uninstallation while some files that belong to this user (configuration files, log files) remain on the system, the new kavuser user created during reinstallation may encounter access-rights errors on these files. To solve this problem, grant the necessary read and write permissions on these files to the new user.
CHAPTER 4. THE PRINCIPLES OF APPLICATION OPERATION
This chapter explains how the application functions, the interaction between its components, and how to correctly configure it.
4.1. General message processing algorithm
When a server with Sendmail and Kaspersky Anti-Virus installed receives an email message, it processes the message using this algorithm:
1. Sendmail passes the message to Kaspersky Anti-Virus via the Milter API.
2. If an administrator has created additional groups, Kaspersky Anti-Virus defines the list of groups which match the message addresses, and chooses the group with the highest priority. The message will be processed according to the rules defined in that group. For details of how to create groups, see section 4.2 on page 29.
3. If there are no additional groups or if the message addresses do not match any of the existing groups, the message will be processed according to the default rules described in the default.conf file.
4. If backup rules are specified for the group used to process the message (see section 7.8 on page 55), a copy of the original message is stored in the specified location.
5. The message is processed according to the group rules: anti-virus scanning, filtering, disinfection of infected objects, addition of headers, and so on.
6. The processed message is then passed via the Milter API back to Sendmail for further delivery to recipient(s).
4.2. Creating groups for message processing
A group is a set of processing rules to be applied to certain messages. Each group contains a list of senders and / or recipients defining which messages are processed according to the group rules.
When a message is received, the application searches through the list of addresses for each group. If a matching combination of the sender/recipient addresses is found, the rules defined for this group will be applied to the email message. If the sender/recipient addresses belong to several groups, the application will use the group with the highest priority.
Each group’s settings are specified in a separate file with a .conf extension. These files are stored in /etc/kav/5.6/kavmilter/group.d/ directory for Linux / OpenBSD distributions and in /usr/local/etc/kav/5.6/kavmilter/group.d/ directory for FreeBSD distributions. This is the default location for the default.conf file describing the Default group; these group rules are applied to any messages which do not belong to other groups.
Parameters in group configuration file are located in the following sections:
[group.definition] contains parameters defining the group name, the list of senders and recipients and the group priority;
[group.settings] contains parameters defining the scan policy and whether the application should append additional information to each message;
[group.actions] contains parameters defining the processing rules for detected objects according to their status;
[group.filter] contains parameters defining the filtering rules for mail objects;
[group.notifications] contains parameters defining notifications rules pertaining to discovered objects with a certain status;
[group.backup] contains parameters defining message backup rules.
If any parameter of a group is not defined, the parameter's default value from the default.conf file will be used.
To create a new group:
1. Create a new .conf file in the group.d directory.
2. Specify comma-separated lists of sender and recipient addresses using the Senders and Recipients parameters. For example:
[group.definition]
Senders=re:.*@other\.domain\.com
Recipients=user1@site1.local
Recipients=re:.*@site2\.local
means that the rules of this group will be applied to all messages sent from any user of the other.domain.com domain to any user of the site2.local domain or to the user1@site1.local address.
You can use POSIX regular expressions to specify sender / recipient masks. To specify a regular expression, use the re: prefix.
If either the Recipients or the Senders parameter is not included in the group description, the default value "*" (all addresses) will be used instead. At least one of the Senders or Recipients parameters must be specified.
3. Specify the priority of the group with the Priority parameter. If the message sender/recipient address belongs to several groups, it will be processed using the rules of the group with the highest priority. The maximum priority value is 2147483647.
Do not use the same priority for several groups.
4. Specify the processing rules for the new group.
If you have created other groups, the application will process messages according to the following algorithm:
1. The message address(es) are compared with the addresses in the groups created by the administrator. If the sender / recipient pair of addresses is found in a specific group, the rules defined for that group will be applied to the message. If a sender/recipient address fits the address ranges of several groups, the rules of the group with the highest priority will be used.
2. If the message addresses are not found in any group created by the administrator, the message will be processed according to the rules of the Default group, contained in the default.conf file.
4.3. Message status
Following an anti-virus scan a status is assigned to the message which may have one of the following values:
clean – no malicious code was found in the message (or part of it).
error – the message (or part of it) is corrupted and an error occurred while scanning it.
protected – the message (or part of it) is protected with a password or other means of protection. Therefore, it was skipped during anti-virus scanning.
infected – the message (or part of it) contains malicious code (code sample is available in the anti-virus database or it was detected by the heuristic code analyzer).
suspicious – the message (or part of it) contains suspicious code (it can be a new unknown virus or a modification of a known one).
If disinfection of an infected object has failed, the object is assigned the CureFailed status. If disinfection is successful the object is assigned the CURED status.
The message status determines the action to be applied to the message. The possible actions to be applied to messages are defined by the parameters DefaultAction, SuspiciousAction, ProtectedAction, and ErrorAction which are located in the [group.actions] section of the group configuration file. Possible actions are described in the next section.
4.4. Assigning actions for mail messages
The range of possible actions to be applied to messages / objects is as follows:
warn – replace the infected message with a warning about a detection of an object containing a virus;
cure – disinfect the infected object in the message. If disinfection fails, delete the object and add the corresponding notification to the message;
drop – delete the message without delivering it to the recipient;
reject – reject the message and return the corresponding error code to the sender;
skip – deliver the message to the recipient without treatment;
delete – delete the infected object and add a corresponding notification to the message;
noscan – do not scan the message for viruses.
Setting the noscan value will turn off anti-virus protection.
The default action to be applied to messages / objects is defined by the DefaultAction parameter in the [group.actions] section. By default, the application tries to disinfect all infected messages and their objects.
For password-protected objects, select skip or delete (the ProtectedAction parameter).
For messages that generated a scan error, select warn, skip, or delete (the ErrorAction parameter).
For messages that contain suspicious objects, select warn, drop, reject, skip, or delete (the SuspiciousAction parameter).
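The following Python models sections 4.2 to 4.4 together: group selection by sender/recipient address and priority, inheritance of unset parameters from default.conf, and the mapping from a scan status to the action parameter that decides what happens to the message. It is an added example, not the application's own code; the group file names, addresses and helper functions are constructed here, and the check of each parameter against its allowed action values is something this example adds so that a mistyped action is caught before the configuration is deployed.

```python
"""Group selection (section 4.2) and the status-to-action mapping
(sections 4.3 and 4.4), modelled on constructed configuration text.

Added example; this is not the application's own code.  The file names,
addresses and helper names below are constructed for the illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, List[str]]]

# Constructed default.conf: the fallback for every parameter a group omits.
DEFAULT_CONF = r"""
[group.definition]
Priority=0
[group.actions]
DefaultAction=cure
SuspiciousAction=delete
ProtectedAction=skip
ErrorAction=warn
"""

# Constructed group files, in the layout shown in section 4.2.
GROUP_FILES = {
    "partners.conf": r"""
[group.definition]
Senders=re:.*@other\.domain\.com
Recipients=user1@site1.local
Recipients=re:.*@site2\.local
Priority=10
[group.actions]
DefaultAction=reject
SuspiciousAction=reject
""",
    "user1-strict.conf": r"""
[group.definition]
Recipients=user1@site1.local
Priority=20
[group.actions]
ProtectedAction=delete
""",
}

# Values each parameter accepts, as listed in section 4.4.
ALLOWED = {
    "DefaultAction": {"warn", "cure", "drop", "reject", "skip", "delete", "noscan"},
    "SuspiciousAction": {"warn", "drop", "reject", "skip", "delete"},
    "ProtectedAction": {"skip", "delete"},
    "ErrorAction": {"warn", "skip", "delete"},
}
# Which parameter decides the action for each scan status (section 4.3).
STATUS_PARAM = {
    "infected": "DefaultAction",
    "suspicious": "SuspiciousAction",
    "protected": "ProtectedAction",
    "error": "ErrorAction",
}


def parse_conf(text: str) -> Conf:
    """Minimal parser for the group file format; a key may repeat (Recipients)."""
    conf: Conf = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        conf.setdefault(section, {}).setdefault(key.strip(), []).append(value.strip())
    return conf


def address_matches(patterns: List[str], address: str) -> bool:
    """'*' matches any address, 're:' introduces a regular expression,
    anything else is compared literally (case-insensitive)."""
    for pat in patterns:
        if pat == "*":
            return True
        if pat.startswith("re:"):
            if re.fullmatch(pat[3:], address, re.IGNORECASE):
                return True
        elif pat.lower() == address.lower():
            return True
    return False


def select_group(groups: Dict[str, Conf], sender: str,
                 recipients: List[str]) -> Optional[str]:
    """File name of the matching group with the highest priority, or None."""
    best: Optional[Tuple[int, str]] = None
    for name, conf in groups.items():
        definition = conf.get("group.definition", {})
        # A missing Senders/Recipients parameter defaults to "*" (all addresses).
        if not address_matches(definition.get("Senders", ["*"]), sender):
            continue
        if not any(address_matches(definition.get("Recipients", ["*"]), r)
                   for r in recipients):
            continue
        priority = int(definition.get("Priority", ["0"])[0])
        if best is None or priority > best[0]:
            best = (priority, name)
    return best[1] if best else None


def action_for(group: Conf, default: Conf, status: str) -> str:
    """Action for a scan status; unset group parameters fall back to default.conf."""
    if status == "clean":
        return "deliver"          # nothing to do for a clean message
    param = STATUS_PARAM[status]
    values = group.get("group.actions", {}).get(param) or default["group.actions"][param]
    action = values[0].lower()
    if action not in ALLOWED[param]:
        raise ValueError(f"{param}={action} is not an allowed value")
    return action


def route(sender: str, recipients: List[str], status: str) -> Tuple[str, str]:
    """(group file, action) that the documented algorithm would apply."""
    default = parse_conf(DEFAULT_CONF)
    groups = {name: parse_conf(text) for name, text in GROUP_FILES.items()}
    chosen = select_group(groups, sender, recipients)
    if chosen is None:
        return "default.conf", action_for(default, default, status)
    return chosen, action_for(groups[chosen], default, status)


if __name__ == "__main__":
    print(route("bob@other.domain.com", ["user1@site1.local"], "protected"))
    print(route("bob@other.domain.com", ["alice@site2.local"], "infected"))
    print(route("x@elsewhere.org", ["carol@site2.local"], "suspicious"))
```

A message from other.domain.com to user1@site1.local matches both constructed groups; the one with Priority=20 wins, and because it sets only ProtectedAction, an infected message in that group still gets the cure action inherited from default.conf.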
CHAPTER 5. PRESET PROTECTION PROFILES
The Kaspersky Anti-Virus distribution kit includes four additional configuration profiles which ensure different protection levels for your mail server. In Linux and OpenBSD distributions you will find these profiles in the /etc/kav/5.6/kavmilter/profiles directory, and in FreeBSD they are in the /usr/local/etc/kav/5.6/kavmilter/profiles directory. Each profile is stored in a separate directory and contains two configuration files, kavmilter.conf and default.conf which define application settings and default message processing rules.
high_overall_security – configuration profile that provides high overall protection for your e-mail traffic (see section 5.1 on page 33).
high_av_accuracy – configuration profile that provides maximum protection for your e-mail traffic (see section 5.2 on page 34).
default – configuration profile that provides the optimal balance between protection level and performance. With this configuration, the application does not significantly affect other processes running on the server (see section 5.3 on page 35). The default application configuration files are copies of the files in this profile.
high_scan_speed – configuration profile that provides high scanning and processing speed by reducing the application functionality (see section 5.4 on page 35).
To use one of these profiles, replace the configuration files kavmilter.conf (stored in the /etc/kav/5.6/kavmilter/ directory for Linux / OpenBSD distributions and in /usr/local/etc/kav/5.6/kavmilter/ for FreeBSD) and default.conf (stored in /etc/kav/5.6/kavmilter/groups.d/ for Linux / OpenBSD and in /usr/local/etc/kav/5.6/kavmilter/groups.d/ for FreeBSD) with the ones from the required profile directory, then restart the application.
These protection profiles are described in more detail below.
5.1. High overall security profile
This profile offers the most comprehensive protection of your mail traffic. In this mode, the application provides notification to senders, recipients, and administrator regarding scan results. This profile includes the following functions:
The application scans e-mail messages using a combined scan policy: each message is first scanned for viruses as a whole and then each message object is scanned separately, regardless of whether infected objects are found or not.
E-mail messages are filtered by MIME type. The application filters and deletes both e-mails which reference external objects (message/external-body type) and e-mails which carry parts of an attached object (message/partial type).
A backup copy and an information file are created for every message that undergoes anti-virus processing or filtering.
The application deletes all infected, suspicious and protected objects in the messages without trying to cure them.
If the message contains objects whose scan returned an error, its content is replaced with a warning.
Notifications regarding the actions applied to the message or its objects are sent to the recipient and administrator.
All application messages and events are logged in the report.
5.2. High effective security profile
Compared with High Overall Security profile, High Effective Security profile provides enhanced anti-virus protection because the application tries to cure infected objects and deletes them only if they are not curable. Less information is recorded in the application report. The profile has the following characteristics:
E-mail messages are scanned using a combined scan policy: each message is first scanned for viruses as a whole, and then each message object is scanned separately, regardless of whether infected objects are found or not.
E-mail messages are filtered by MIME type. The application filters e-mails which have references to external objects (message/external-body type) and deletes them.
A backup copy and information file are created for every message that undergoes anti-virus processing.
All infected messages and their objects are subject to anti-virus processing. If disinfection fails, the message or a part of it will be deleted.
All suspicious and password-protected objects of mail messages, and objects whose scan returned an error, are deleted. The application sends notifications regarding deleted messages or objects.
Notifications about the actions applied to the message or its objects are sent to the recipient and administrator.
All application messages and events, except for debugging information, are logged in the report.
5.3. Optimal operation profile
This profile provides the optimal balance between anti-virus protection level and scan speed. This profile has the following characteristics:
E-mail messages are scanned using a combined scan policy: each message is first scanned for viruses as a whole, and then each message object is scanned separately, regardless of whether infected objects are found or not.
E-mail messages are filtered by MIME type. The application filters e-mails which have references to external objects (message/external-body type) and deletes them.
A backup copy and information file are created for every message that undergoes anti-virus processing.
All infected messages and their objects are subject to anti-virus processing. If disinfection fails, the message or a part of it will be deleted.
All suspicious and password-protected objects of mail messages, and also objects whose scan returned an error, are deleted. The application creates corresponding notifications regarding the deleted messages (objects) and substitutes these notifications for the original objects.
Notifications regarding actions applied to the message or its objects are sent to the recipient, but not to the administrator or sender.
All application messages and events, except for debugging information, are logged in the report.
5.4. Top performance mode
This profile provides maximum application performance, at some cost to the reliability of anti-virus protection. The profile has the following characteristics:
Each e-mail message is scanned as a whole and then, if it is identified as infected, each message object is scanned separately.
Message object filtering is disabled.
A backup copy is created for every message that undergoes anti-virus processing, but no information file is created.
All messages containing infected objects are deleted.
All suspicious objects of mail messages, and also objects whose scan returned an error, are deleted.
Protected objects are skipped during scanning.
Notifications about the actions applied to the message or its objects are sent only to the recipient, and not to the administrator or sender.
Critical events, information messages, and error messages are logged in the report.
CHAPTER 6. USING KASPERSKY ANTI-VIRUS FOR SENDMAIL WITH MILTER API
The main function of Kaspersky Anti-Virus is to secure the mail traffic on your mail server against viruses. However, you can significantly extend the application functionality to better meet the needs of your company by using it for filtering e-mail by attachments, backing up e-mail traffic, etc.
This chapter describes the most important tasks that can be implemented using the application. For details on the advanced features of Kaspersky Anti-Virus, please refer to Chapter 7 on page 47.
Note that the examples below consider only the configuration that is directly related to implementing the tasks described. The solutions provided for each task describe task configuration only by editing the configuration file. Remote management options using Webmin are not discussed in the documentation.
Most of the examples below require that the application be reconfigured and restarted to apply the changes (see section 7.14 on page 75).
6.1. Delivering disinfected messages to recipients
The main role of Kaspersky Anti-Virus is to scan and disinfect e-mail messages using the anti-virus database.
If the application detects an infected message (message object) and fails to disinfect it, we recommend sending an appropriate notification to the recipient of this message.
Task: Scan all incoming messages and attachments for viruses, and try to disinfect infected messages and their objects. If disinfection fails, delete the infected object, replacing it with a corresponding notification. Send the notification to the recipient. Log all information concerning messages in the system log. Record statistics of messages, viruses, and resources in an XML file.
To perform the task, configure the application as follows:
1. Set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
DefaultAction=cure
[group.notifications]
EnableNotifications=on
NotifyRecipients=infected
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=Anti-virus notification message
2. Set the following parameters in the kavmilter.conf configuration file:
[kavmilter.engine]
ScanArchives=yes
ScanPacked=yes
ScanCodeanalyzer=yes
[kavmilter.log]
LogFacility=syslog
LogOption=scan.all
[kavmilter.statistics]
TrackStatistics=all
DataFormat=xml
DataFile=/var/log/kav/5.6/kavmilter/statistics.data
6.2. Blocking infected messages
You can block messages using several methods: the administrator can either delete an infected message without notifying the recipient beforehand or return an error code to the sender as if it were sent by the mail agent.
Task: Block infected e-mail messages, delete them, and notify the administrator of such events.
To perform the task, configure the application as follows:
1. Set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
DefaultAction=drop
[group.notifications]
EnableNotifications=on
SendmailPath=/usr/sbin/sendmail
NotifyAdmin=infected
AdminAddresses=admin@localhost
UseCustomTemplates=on
AdminSubject=Anti-virus notification message
2. Set the following parameters in the kavmilter.conf configuration file:
[kavmilter.engine]
ScanArchives=yes
ScanPacked=yes
ScanCodeanalyzer=yes
Task: Reject infected messages from the sender, return an error code to the sender, and notify the administrator of the actions.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=message
[group.actions]
DefaultAction=reject
[group.notifications]
EnableNotifications=on
SendmailPath=/usr/sbin/sendmail
NotifyAdmin=infected
AdminAddresses=admin@localhost
UseCustomTemplates=on
AdminSubject=Anti-virus notification message
6.3. Delivering protected messages
Sometimes an e-mail message cannot be scanned for viruses because it is password protected or encrypted. The administrator must be sure of the user’s ability to disinfect the message if it turns out to be infected.
Task: Deliver protected messages even if they are infected; notify the administrator of such messages.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
ProtectedAction=skip
[group.notifications]
EnableNotifications=on
SendmailPath=/usr/sbin/sendmail
NotifyAdmin=all
AdminAddresses=admin@localhost
UseCustomTemplates=on
AdminSubject=Anti-virus notification message
6.4. Sending notifications to senders, recipients, and administrator
You can set Kaspersky Anti-Virus to send notifications upon virus detection.
Recipient and sender addresses for sending notifications are inherited from the original e-mail message.
The administrator addresses must be specified for the AdminAddresses parameter of the [group.notifications] section.
To enable sending notifications, set the following parameters in the default.conf configuration file:
[group.notifications]
EnableNotifications=on
NotifySender=infected
NotifyRecipients=infected
NotifyAdmin=infected
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=Anti-virus notification message
You can customize the format of notifications. For more detail about this, see section 7.8 on page 55.
Below, we consider several examples of how to configure notifications.
Task: Notify the recipient and administrator about rejected messages containing a virus (action for infected objects – reject). The sender must receive an error code about undeliverable mail as if it was sent by the mail agent.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
DefaultAction=reject
[group.notifications]
EnableNotifications=on
NotifySender=infected
NotifyRecipients=infected
NotifyAdmin=infected
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
RejectReply=Message rejected because it contains malware
Task: Notify the recipient and administrator about messages containing protected objects which have been skipped during anti-virus processing (action for protected objects – skip).
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
ProtectedAction=skip
[group.notifications]
EnableNotifications=on
NotifyRecipients=protected
NotifyAdmin=protected
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=This message was NOT scanned by KAV!
Task: Inform the recipient, sender, and administrator about filtered messages. Insert an additional header with information about the application into every mail message scanned by Kaspersky Anti-Virus.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
AddXHeader=yes
[group.actions]
DefaultAction=cure
[group.filter]
IncludeName=.*\.txt
FilteredNameAction=skip
[group.notifications]
EnableNotifications=on
NotifySender=filtered
NotifyRecipients=filtered
NotifyAdmin=filtered
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=Anti-Virus notification message
SendmailPath=/usr/sbin/sendmail
UseCustomTemplates=on
6.5. Filtering e-mail traffic by attachments
The application can filter e-mail messages by attachment name, attachment MIME type, and attachment size.
Task: Deliver messages with attachments whose size is below 500 KB without additional treatment. Delete messages with attached files whose names contain loveletter. Notify the recipient and administrator about the actions performed by the application.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
DefaultAction=cure
[group.filter]
IncludeSize=<=500KB
FilteredSizeAction=skip
IncludeName=.*loveletter.*
FilteredNameAction=delete
[group.notifications]
EnableNotifications=on
NotifyRecipients=filtered
NotifyAdmin=all
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=Anti-virus notification message
SendmailPath=/usr/sbin/sendmail
UseCustomTemplates=on
6.6. Updating the anti-virus database and application kernel
After the installation you should register the cron update task with the keepup2date.sh script. It is necessary to keep the anti-virus database and anti-virus engine up to date. Updating is performed every hour after Kaspersky Anti-Virus is installed on the server.
If you want to update the components earlier than at the scheduled time, use the keepup2date.sh script supplied with the distribution package.
To start an update manually, enter the following string in the command line:
# ./keepup2date.sh --run
It is not recommended to use the keepup2date binary file to update the application.
6.7. Backing up e-mail messages
Before any action is applied to messages or their objects, we strongly recommend backing the messages up as a data safety precaution.
Task: Scan e-mail traffic for viruses and disinfect all infected objects. Delete the objects that cannot be disinfected. Upon every attempt to disinfect or delete a message, create a backup copy of it with a full description. Notify the recipient and administrator about the performed actions.
To perform the task, set the following parameters in the default.conf configuration file:
[group.settings]
ScanPolicy=combined
[group.actions]
DefaultAction=cure
[group.backup]
BackupPolicy=info
BackupOption=cured, deleted
BackupDir=/var/db/kav/5.6/kavmilter/backup
[group.notifications]
EnableNotifications=on
NotifyRecipients=infected
NotifyAdmin=all
AdminAddresses=admin@localhost
MessageDir=/var/db/kav/5.6/kavmilter/templates/
MessageSubject=Anti-virus notification message
SendmailPath=/usr/sbin/sendmail
UseCustomTemplates=on
CHAPTER 7. ADDITIONAL SETUP
This section describes in detail additional setup of Kaspersky Anti-Virus functionality. Unlike the settings made during the installation process (please see section 3.3 on p. 22) which are required and essential for product functioning, additional setup is performed at the administrator's discretion. Those settings extend product functionality and allow its adjustment for operation in accordance with your corporate security policy.
7.1. Integrating the application into your mail system
If the application has not been integrated with Sendmail during installation, use kavmilter-setup.sh, a special utility for integrating Kaspersky Anti-Virus with your mail system. Sendmail needs to be restarted after you make necessary configuration changes. You can also roll back to the previous Sendmail configuration if needed.
Use the following command line options:
--sendmail-cf <file> – use an alternative CF Sendmail configuration file.
--sendmail-mc <file> – use an alternative MC Sendmail configuration file.
--add-filter – change the Sendmail configuration file.
--del-filter – roll back to the previous Sendmail configuration and cancel the latest changes.
--check-filter – check whether the kavmilter filter has been added to the Sendmail configuration. If the filter has been successfully added, the console will display yes; otherwise the value will be no.
--set-filter <action> – specify further actions to be performed by Sendmail if the kavmilter filter is unavailable (specified limits have been exceeded, a cold restart has occurred, etc.). These actions are recorded in the mail system configuration in the filter definition section. Here are some possible actions:
tempfail – the client connection shall fail with error 451 (for example, 451 4.7.1 Please try again later);
reject – any incoming messages shall be rejected. The error return code is 554 (for example, 554 Not accepting messages);
pass – skip email messages (or forward them to another filter) even if they remained unprocessed by kavmilter. This action poses an additional risk for users;
--add-service – register kavmilter as a service.
--del-service – cancel registration of kavmilter as a service and roll back the changes in configuration files.
--check-service – check whether kavmilter is registered as a service and was started at operating system startup. If the filter has been registered and started, the console will display yes; otherwise, the value will be no.
--add-product – add the application configuration file kavmilter.setup to /var/db/kav/applications.setup, which is used to retrieve updates.
--del-product – delete the application configuration file kavmilter.setup from /var/db/kav/applications.setup.
--check-product – check whether the application configuration file kavmilter.setup has been added to /var/db/kav/applications.setup. If the file has been added, you will see yes on the console; otherwise, you will see no.
--add-webmin-module – add the kavmilter module (included in the package) to the Webmin modules directory and grant access to it for the superuser (root).
--del-webmin-module – remove the kavmilter module from the Webmin modules directory, and roll back all changes in the Webmin configuration concerned with kavmilter.
--default-domains – specify the domain name and add the domain and all its subdomains to the application configuration file as the value of the LicensedUsersDomains parameter. This command line option is available only if you use the license limited by the number of mail addresses (please see section 1.3 on page 9 for details on licensing policies). For example, if the domain name is dep1.example.com, then the mail accounts of the following domains will be processed by Kaspersky Anti-Virus: dep1.example.com and example.com.
--add-user – create the kav user (if it was not created);
--del-user – delete the kav user (if it was created).
--set-key <key_file_name> – register a license key.
--trial-key <key_file_name> – register a trial license key.
Sendmail can use the generated sendmail.cf file or the sendmail.mc file as its configuration file. Therefore, the file to which the information about the kavmilter filter will be added is selected automatically, based on the following considerations and under the following conditions:
If the sendmail.mc file does not exist, or the value of the SENDMAIL_CF environment variable is sendmail.cf, or the m4 binary has not been found, the sendmail.cf file will serve as the configuration file.
If the value of the SENDMAIL_MC environment variable is sendmail.mc, the application will use sendmail.mc as the mail system configuration file. The INPUT_MAIL_FILTER directive that defines the use of kavmilter as the mail filter is added to the configuration file.
If both of these configuration files exist and the environment variable does not strictly specify the use of one of these files, the sendmail.mc file is used as the configuration file.
If you are running OpenBSD, the Sendmail default configuration file is localhost.cf. Kaspersky Anti-Virus makes changes to this configuration file.
Note that if you work under OpenBSD and run Sendmail using another configuration file (-C option) or run Sendmail using command line options or only the -bd option, Sendmail will be started using sendmail.cf as its configuration file.
To specify the Sendmail configuration file explicitly, use the following command line options:
--sendmail-cf <path_to_file> – specify a different sendmail.cf file in which to add or delete the modification concerned with using the kavmilter filter, or whose status to check;
--sendmail-mc <path_to_file> – specify a different sendmail.mc file in which to add or delete the modification concerned with using the kavmilter filter, or whose status to check.
The two command line options above are used only with the --add-filter, --del-filter and --check-filter options.
For example, to use a different sendmail.cf configuration file and add to it the modification concerned with using the kavmilter filter, enter the following in the command line:
# ./kavmilter-setup.sh --sendmail-cf <path_to_sendmail.cf> --add-filter
If the specified configuration file is not found, the application will return an error code and the add, delete or check operation will be canceled.
If you specified both the --sendmail-cf and --sendmail-mc options, the application will use the mc file.
Additional setup 49
7.2. Installing and uninstalling the Webmin module of Kaspersky Anti-Virus
You can configure Kaspersky Anti-Virus settings and stop/start anti-virus tasks from a remote location using the web-based interface of the Webmin application. To enable remote management, you should install the Webmin application, install the Kaspersky Anti-Virus module for Webmin, and configure the application.
For instructions on how to install Webmin, refer to the documentation for this product.
To install the Kaspersky Anti-Virus module for Webmin, follow these steps:
1. Connect to the web interface of the Webmin application using your browser.
2. Select Webmin Configuration and open the Webmin Modules configuration section.
3. In the Install Module section, select installation from file (from local file) and specify the full path to kavmilter.wbm, the Kaspersky Anti-Virus module for Webmin in the corresponding field.
For Linux, the module is located in: /opt/kav/5.6/kavmilter/web/kavmilter.wbm; for FreeBSD and OpenBSD, the module is located in: /usr/local/share/kav/5.6/kavmilter/web/kavmilter.wbm.
4. Click Install Module From File.
As a result, the KAV for Milter module will be added to the Others tab.
After installation, open the module (Others → KAV for Milter), switch to the Module Config tab and check whether the paths to the main Kaspersky Anti-Virus files and directories are specified correctly.
Then, you can set up operation of the Anti-Virus with the Webmin application. For example, using Webmin, you can limit access to the Anti-Virus by setting up user passwords (about Webmin settings, see the documentation for this product).
Note that this document describes configuration options for Kaspersky Anti-Virus only by editing the configuration file. Configuration and launch of tasks using the Webmin module are not discussed, as the module interface structure is similar to the order of sections and options in the application configuration file.
To get help on configuration options available in Webmin, refer to the Webmin help system. Click the ? button in the upper right corner of the Webmin configuration section to open the help system.
To uninstall the Kaspersky Anti-Virus module for Webmin, follow these steps:
1. Connect to the web interface of the Webmin application using your browser.
2. Select Webmin Configuration and switch to the Webmin Modules configuration section.
3. In the Delete Module section, select KAV for Milter and click the Delete Selected Modules button.
To reinstall the Kaspersky Anti-Virus module for Webmin, first uninstall it, and then install it again.
If you are reinstalling the module, all paths to the main Kaspersky Anti-Virus files and directories listed on the Module Config tab will be saved automatically.
7.3. Checking the configuration file syntax
You are advised to check modifications to the configuration files before you reload the application. To perform the check, run the kavmilter executable file with the -t command line option. This executable is stored in the directory /opt/kav/5.6/kavmilter/bin for Linux distributions, and in /usr/local/share/kav/5.6/kavmilter/bin for OpenBSD / FreeBSD distributions.
If the configuration files contain no errors, the following line will be displayed on the server console:
Config OK !
If the check reveals errors, the corresponding error description will appear on the server console, for example:
Error(2) in section [group.settings] key "scanpolicy": enum value is not found
7.4. Defining an e-mail scan policy
Using Kaspersky Anti-Virus, the mail server administrator can customize the anti-virus protection of incoming and outgoing e-mail messages by defining scan policies.
There are two types of policies:
message – scan the entire message for viruses, regardless of its separate objects (header, body, attachment). This policy also aims to detect viruses that infect and corrupt MIME messages.
If the message is flagged as clean during the scan, its separate objects won't be analyzed and it will be delivered to the recipient. This policy guarantees faster scanning of a clean message than the combined policy (see below).
If the message is flagged as infected and the preset action for such messages is cure or delete, the application will subsequently analyze all message objects.
combined – scan both the entire message and then, regardless of the scan results, analyze all message objects for viruses (header, body, and attachment).
You can achieve faster message processing using message policy only if you do not use it together with object filtration (see section 6.5 on p. 43).
To analyze separate message objects, the application first breaks the message down into individual components, scans each component separately, and then restores the message integrity.
The message policy is less strict, and, hence, requires less time and resources. The combined policy provides the most thorough analysis of e-mail messages.
The type of the policy is defined by the ScanPolicy parameter in the [kavmilter.global] section.
7.5. Adjusting scan thoroughness
The mail server administrator can adjust the level of anti-virus protection, including the following settings:
Enable or disable the heuristic code analyzer for scanning messages. The heuristic analyzer is a powerful tool for detecting modified malicious code that is similar to a known virus signature, i.e., it recognizes new viruses that are not yet in the database. The use of heuristic technology is defined by the ScanCodeAnalyser parameter in the [kavmilter.engine] section.
Set the time the application will use to scan a message or a message object.
The maximum scan time (in seconds) for a message or a message object is specified by the MaxScanTime parameter and is ten seconds by default. If the application fails to scan the object within this time, it will assign Error status to such object.
Define the number of objects which can be simultaneously scanned for viruses.
The administrator can limit the number of simultaneous scan requests by specifying the MaxScanRequests parameter. The default value is zero (unlimited). Use this limitation only if anti-virus scanning has a significant impact on the server.
7.6. Selecting objects to scan
During anti-virus processing of server mail traffic, the application scans all mail attachments for viruses.
Since scanning archives and compressed executables requires significant time and server resources, the administrator can decide whether to enable or disable the analysis of such files for viruses.
It is not recommended to disable this option, since it will significantly decrease protection level.
Scan options for archives and compressed executables are defined by the ScanArchives and ScanPacked parameters in the [kavmilter.engine] section. By default, the application scans these types of files.
Attention! The application is unable to detect viruses in password protected archives! This attachment is flagged as Protected and further actions applied to it are defined by the ProtectedAction parameter of the [group.actions] section.
7.7. Selecting objects to be filtered and assigning actions
In addition to processing e-mails and scanning them for viruses, you can filter them. The filtering procedure analyzes message objects and can be performed according to MIME type, name, and size of attachments.
Note that this version of the application analyzes message attachments by headers only during filtration! The contents of attachments are not analyzed.
Below, we discuss all filtering criteria in more detail:
To enable message filtering, you MUST SPECIFY AT LEAST ONE attachment MIME type, name or size as the value of the IncludeMime, IncludeName or IncludeSize parameter.
The message objects among those selected by IncludeMime, IncludeName and IncludeSize that are to be excluded from filtering (for example, those that cannot potentially contain viruses or other malicious code) must be specified as the values of the ExcludeMime, ExcludeName and ExcludeSize parameters in the [group.filter] section. All other selected attachments will be filtered and appropriately handled.
If you want to specify several values for filtration parameters, list them separating the entries with commas. E.g.:
IncludeName=.*\.doc, .*\.exe
For filtered objects you can assign the following actions (the FilteredMimeAction, FilteredNameAction, and FilteredSizeAction parameters):
delete – delete an object from the message and add corresponding notification to the message;
skip – leave the message as it is and forward it to the mail system for further delivery. In this case, the corresponding information will be recorded in the application report;
drop – delete the message without sending it to the recipient;
reject – reject the message and return the corresponding error code to the sender;
warn – replace the message content with a warning about detection of objects corresponding to filtering criteria;
rename – rename the attachment using the following rules: if the filtered file has any extension, then it will be replaced with the vir extension; if the file has no extension, then the vir extension will be added to the file. This action can only be applied to the objects filtered by name (FilteredNameAction parameter).
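The following Python model of the [group.filter] rules described in this section (and used in the task of section 6.5) is an added example for this guide, not code from the manual or from the product. It parses a constructed [group.filter] section, applies the Include/Exclude criteria by name, MIME type and size to an attachment's declared headers (which, as noted above, is all the filter looks at), and applies the rename rule just described. The sample section, the attachment metadata and the names SEVERITY, UNITS, evaluate and Verdict are constructed for the example. Treating name and MIME patterns as case-insensitive, fully anchored regular expressions, using binary size units, taking skip as the action for a criterion whose Filtered*Action is not set, and letting the most severe action win when several criteria match are all assumptions of this model, not statements of the manual.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed [group.filter] section modelled on the manual's task examples;
# sample input for this example, not a configuration shipped with the product.
SAMPLE_FILTER_SECTION = r"""
[group.filter]
IncludeName=.*loveletter.*, .*\.exe
FilteredNameAction=rename
IncludeSize=<=500KB
FilteredSizeAction=skip
IncludeMime=application/x-msdownload
FilteredMimeAction=delete
ExcludeName=.*\.txt
"""

VALID_ACTIONS = {"delete", "skip", "drop", "reject", "warn", "rename"}
# Assumption: the manual does not say which action wins when several criteria
# match one attachment; this model applies the most severe one (earliest here).
SEVERITY = ["drop", "reject", "warn", "delete", "rename", "skip"]
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: binary units


def parse_filter_section(text: str) -> Dict[str, List[str]]:
    """Read key=value lines; comma-separated values become lists (section 7.7)."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return params


def size_matches(rule: str, size: int) -> bool:
    """Evaluate a size rule such as '<=500KB' against an attachment size in bytes."""
    m = re.fullmatch(r"(<=|>=|<|>|=)?\s*(\d+)\s*([KMG]?B)?", rule.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size rule: {rule!r}")
    op = m.group(1) or "="
    limit = int(m.group(2)) * UNITS[(m.group(3) or "B").upper()]
    return {"<": size < limit, "<=": size <= limit, ">": size > limit,
            ">=": size >= limit, "=": size == limit}[op]


def rename_attachment(name: str) -> str:
    """Rename rule of section 7.7: replace the extension with 'vir', or append '.vir'."""
    base, dot, _ext = name.rpartition(".")
    return base + ".vir" if dot and base else name + ".vir"


@dataclass
class Attachment:
    name: str
    mime: str
    size: int  # bytes, as declared in the MIME headers


@dataclass
class Verdict:
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (criterion, action)
    action: Optional[str] = None      # None means the attachment is not filtered
    new_name: Optional[str] = None    # set only for the rename action


def evaluate(params: Dict[str, List[str]], att: Attachment) -> Verdict:
    """Apply the Include*/Exclude* criteria and the matching Filtered*Action values."""
    def regex_hit(value: str) -> Callable[[List[str]], bool]:
        # assumption: name and MIME patterns are case-insensitive, fully anchored regexes
        return lambda pats: any(re.fullmatch(p, value, re.IGNORECASE) for p in pats)

    criteria = {"Name": regex_hit(att.name), "Mime": regex_hit(att.mime),
                "Size": lambda rules: any(size_matches(r, att.size) for r in rules)}
    verdict = Verdict()
    for crit, hit in criteria.items():
        action = params.get(f"Filtered{crit}Action", ["skip"])[0].lower()  # assumption: unset => skip
        if action not in VALID_ACTIONS:
            raise ValueError(f"Filtered{crit}Action: unknown action {action!r}")
        if action == "rename" and crit != "Name":
            raise ValueError("rename can only be used with FilteredNameAction")
        if hit(params.get(f"Include{crit}", [])) and not hit(params.get(f"Exclude{crit}", [])):
            verdict.matches.append((crit, action))
    if verdict.matches:
        verdict.action = min((a for _, a in verdict.matches), key=SEVERITY.index)
        if verdict.action == "rename":
            verdict.new_name = rename_attachment(att.name)
    return verdict


if __name__ == "__main__":
    rules = parse_filter_section(SAMPLE_FILTER_SECTION)
    for att in (Attachment("loveletter.txt.vbs", "text/plain", 3_000),
                Attachment("setup.exe", "application/x-msdownload", 2 * 1024 * 1024)):
        print(att.name, evaluate(rules, att))
```

With the sample section, a small loveletter.txt.vbs attachment matches both the name rule (rename) and the size rule (skip) and ends up renamed to loveletter.txt.vir; a 2 MB setup.exe matches the name and MIME rules and is deleted, because the model ranks delete above rename. Running the same rules against a representative set of attachment names before enabling a filter is a cheap way to see such overlaps before they reach real mail.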
7.8. Configuring backup options
Backing up messages is an advanced feature of Kaspersky Anti-Virus. Before applying any action to original messages, you can back them up in a special storage. This is a data safety precaution because you can always restore the original information if needed.
The following backup policies are available:
message – create only a backup copy of the original message.
info – create a copy of the original message and an information file (default policy).
none – do not back up messages.
To define backup options, specify the action as the value of the BackupPolicy parameter of the [group.backup] section.
Messages with the following statuses can be backed up:
cured – messages to be disinfected;
deleted – messages containing objects to be deleted during the anti-virus processing;
dropped – messages that will be deleted without sending to the recipient;
rejected – rejected messages;
warning – messages whose content should be replaced with a warning;
renamed – messages containing objects that will be filtered (by MIME type) or renamed;
all – all the above types of messages.
To define the messages that will be backed up, specify the corresponding value for the BackupOption parameter, for example:
BackupOption=deleted
BackupOption=dropped
All backup copies are stored in the directory defined by the BackupDir parameter, and, as was noted above, can also have an additional information file. This file contains information about the sender and recipient, the action applied to the original message, etc.
When Kaspersky Anti-Virus is active, the backup storage can fill up quickly. The storage needs to be periodically cleaned of old and unnecessary backups. This can be done using a special utility, backup-sweeper.sh, included in the distribution package. The utility, which is registered with the system as a cron task after installation, can:
distribute backup copies into special folders within the storage named as year-month-date;
check the storage size and notify the administrator when it becomes critical;
delete the oldest folders with backup copies.
For this utility, the following command line options are available:
--install – create the cron task for this utility under the default user account;
--uninstall – delete the cron task for this utility under the default user account;
--user – launch the process under a user account other than kav;
--size – define the maximum size of the backup storage. The default size is 512 MB;
--warn-only – ignore the specified maximum storage size; write the current storage size to the log file;
--path – change the location of the backup storage by specifying the full path to the new location.
By default the backup storage size is 512 MB. Use the --size option to set another backup storage size when you register the cron task. For example:
# ./backup-sweeper.sh --install --size 200MB
If the cron task has already been created with different backup storage size settings, delete it using the --uninstall option and then install a new cron task with the new settings.
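The following Python model of what backup-sweeper.sh is described as doing above (sorting copies into year-month-day folders, measuring the storage, warning when it is over the limit, and deleting the oldest folders) is an added example written for this guide, not the utility's own code. It runs against a constructed storage tree of three small files in a temporary directory; the 700-byte limit used by demo_run() stands in for the real 512 MB default, and the warn-only flag mirrors the --warn-only option. The function names (sweep, distribute, demo_run) and the choice of a file's modification time to decide its date folder are assumptions of this model.

```python
import os
import re
import shutil
import tempfile
import time
from datetime import date
from pathlib import Path
from typing import Dict

DEFAULT_MAX_BYTES = 512 * 1024 * 1024   # the manual's default storage limit of 512 MB
DATE_FOLDER = re.compile(r"\d{4}-\d{2}-\d{2}")


def date_folder_for(path: Path) -> str:
    """Folder name (year-month-day) taken from the backup file's modification time."""
    return date.fromtimestamp(path.stat().st_mtime).isoformat()


def distribute(storage: Path) -> int:
    """Move loose backup files from the storage root into year-month-day folders."""
    moved = 0
    for entry in sorted(p for p in storage.iterdir() if p.is_file()):
        target = storage / date_folder_for(entry)
        target.mkdir(exist_ok=True)
        shutil.move(str(entry), str(target / entry.name))
        moved += 1
    return moved


def storage_size(storage: Path) -> int:
    """Total bytes held in the storage tree (copies plus information files)."""
    return sum(p.stat().st_size for p in storage.rglob("*") if p.is_file())


def sweep(storage: Path, max_bytes: int = DEFAULT_MAX_BYTES, warn_only: bool = False) -> Dict:
    """One sweeper run: distribute, measure, warn, and (unless warn_only) delete the
    oldest date folders until the storage fits under max_bytes."""
    storage = Path(storage)
    report: Dict = {"moved": distribute(storage), "size_before": storage_size(storage),
                    "warning": None, "deleted": []}
    if report["size_before"] > max_bytes:
        report["warning"] = f"backup storage uses {report['size_before']} bytes, limit is {max_bytes}"
    if not warn_only:
        # ISO date names sort lexically in chronological order, so index 0 is the oldest
        folders = sorted(p for p in storage.iterdir()
                         if p.is_dir() and DATE_FOLDER.fullmatch(p.name))
        while folders and storage_size(storage) > max_bytes:
            oldest = folders.pop(0)
            shutil.rmtree(oldest)
            report["deleted"].append(oldest.name)
    report["size_after"] = storage_size(storage)
    return report


def make_sample_storage(root: Path) -> Path:
    """Constructed sample: three 300-byte backup copies dated on consecutive days."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    for name, day in (("msg-0001.eml", "2006-03-01"), ("msg-0002.eml", "2006-03-02"),
                      ("msg-0003.eml", "2006-03-03")):
        p = root / name
        p.write_bytes(b"x" * 300)
        stamp = time.mktime(time.strptime(day, "%Y-%m-%d"))   # local midnight on that day
        os.utime(p, (stamp, stamp))
    return root


def demo_run(max_bytes: int = 700, warn_only: bool = False) -> Dict:
    """Build the sample storage in a temporary directory and sweep it once."""
    root = make_sample_storage(Path(tempfile.mkdtemp()) / "backup")
    report = sweep(root, max_bytes=max_bytes, warn_only=warn_only)
    report["remaining"] = sorted(p.name for p in root.iterdir())
    return report


if __name__ == "__main__":
    print(demo_run())
```

With a 700-byte limit the run moves the three files into 2006-03-01, 2006-03-02 and 2006-03-03, records a warning because 900 bytes are in use, and removes only the oldest folder, after which 600 bytes remain. With warn_only=True the warning is still recorded but nothing is deleted, which is the behaviour the --warn-only option describes.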
7.9. Configuring database and kernel module updates
If you have registered cron task with the keepup2date.sh script, updates will be performed every hour after Kaspersky Anti-Virus is installed on the server.
As an updating source, the application uses Kaspersky Lab update servers defined by the UpdateServerUrl configuration parameter.
If you connect to the Internet using a proxy server, do not forget to specify its IP address as the value of the ProxyAddress parameter in the [updater.options] section of the kavmilter.conf configuration file.
If you want to use a local folder as an update source, set the UseUpdateServerUrl parameter to yes, UseUpdateServerUrlOnly to yes and specify the full path to the update storage folder (UpdateServerUrl parameter).
Before updating, the application always creates a backup copy of the database and kernel modules so that you can easily roll back to them if updating fails. The backup storage is defined by the BackUpPath parameter. Thus, you can always roll back to the previous version of the anti-virus database and restore earlier program modules.
If you want to configure general parameters, such as the user name under which updating starts, or perform it manually, use the keepup2date.sh script and the following command line options:
--install – create the cron task for the utility under the default user account;
--prompt-install – create the cron task for launching the updater in interactive mode;
--uninstall – delete the cron task for the utility under the default user account;
--run – start updating the anti-virus database and the kernel. If updating fails, the application will roll back to the previous anti-virus database and modules that were active before updating;
--stop (or --end) – stop all running updater instances.
--rollback – force an anti-virus database rollback to the latest successful update version. The --rollback option can be used when the application works incorrectly with the updated databases and it is necessary to get back to an older version.
--user – specify another user account, differing from the default one, under which the utility will run on the server.
7.10. Customizing notifications
Notification is an e-mail message containing a description of the processed message that is sent to the recipient, sender, or server administrator.
In addition to the description of e-mail messages, the notification also contains descriptions of objects that were deleted for any reason from the message.
You can also attach the original email message to the notification. New email notifications containing only notification text must be created for the administrator and sender.
All notifications that can be customized by the administrator fall into one of the following two groups:
Standard notification is based on a unified template or on different templates. This notification is sent:
to the recipient using Milter API. A new message is not created in this case; the notification text is simply added to the processed message.
to the administrator and / or sender by the external mail agent, Sendmail. A new notification message is created and the original message can be attached to it. Usually this kind of notification is used to inform the administrator of a drop or reject action.
If you install the application on a dedicated server, you should install Sendmail agent on that server too. The application will use the agent to send notifications for the administrator and sender.
Special notification for the administrator is sent to the administrator in case of emergency, for example, if a critical error occurs during Anti-Virus performance. This kind of notification is also sent by the external mail agent, Sendmail.
See section 7.10.2 on page 62 on how to customize notification templates.
The [group.notifications] section of the group configuration file contains all notification options.
To specify the events for which notifications are generated, use the following parameters: NotifySender, NotifyRecipients and NotifyAdmin. You can set the following values for these parameters:
Infected – give notice about a message that was flagged as Infected and one of the following actions was applied to it: reject, drop, warn, cure, or delete.
Suspicious – give notice about a message that was flagged as Suspicious and one of the following actions was applied to it: reject, drop, warn or delete.
Protected – give notice about a message that is protected, and, hence, skipped from scanning. Because of the message status, the following actions are performed: delete or skip.
Error – send notifications about a message that generated a scan error or is corrupted. One of the following actions could be performed: warn, delete, or skip.
Filtered – give notice about a filtered message that underwent one of the following actions: delete, skip, or rename.
All – give notice about all the above events.
None – disable the notification.
If you want the application to send notifications about several assigned statuses, set the values for the NotifySender, NotifyRecipients or NotifyAdmin parameters as follows:
NotifySender=filtered
NotifySender=infected
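As an added example for this guide (not the manual's or the product's own code, and not a substitute for running kavmilter with -t as described in section 7.3), the following Python checker parses a default.conf-style group configuration and checks the values of the enumerated parameters documented in sections 7.4, 7.7, 7.8 and 7.10, including the repeated-key form shown just above. It also flags a key that is a near miss of a documented one, such as NotifyRecipient for NotifyRecipients, which a filter would otherwise ignore silently, and reminds you that filtering needs at least one Include* parameter. The sample configuration is constructed and contains three deliberate mistakes; the set of allowed DefaultAction values is taken from the actions named for Infected messages in this section, and it is an assumption that this list is complete. The comment markers and the function names parse_config and check_config are also assumptions of the example.

```python
import difflib
from collections import defaultdict
from typing import Dict, List

NOTIFY = {"infected", "suspicious", "protected", "error", "filtered", "all", "none"}
FILTER = {"delete", "skip", "drop", "reject", "warn"}
# Value sets documented in sections 7.4, 7.7, 7.8 and 7.10 of this manual. The DefaultAction
# set is taken from the actions named for Infected messages in 7.10 (assumption: that list
# is complete); the other sets are the manual's own lists.
ENUMS = {
    ("group.settings", "ScanPolicy"): {"message", "combined"},
    ("group.actions", "DefaultAction"): {"reject", "drop", "warn", "cure", "delete"},
    ("group.actions", "ProtectedAction"): {"delete", "skip"},
    ("group.filter", "FilteredNameAction"): FILTER | {"rename"},  # rename: name filter only
    ("group.filter", "FilteredMimeAction"): FILTER,
    ("group.filter", "FilteredSizeAction"): FILTER,
    ("group.backup", "BackupPolicy"): {"message", "info", "none"},
    ("group.backup", "BackupOption"): {"cured", "deleted", "dropped", "rejected",
                                       "warning", "renamed", "all"},
    ("group.notifications", "NotifySender"): NOTIFY,
    ("group.notifications", "NotifyRecipients"): NOTIFY,
    ("group.notifications", "NotifyAdmin"): NOTIFY,
}
# Keys the manual shows repeated on several lines to assign several values.
REPEATABLE = {"BackupOption", "NotifySender", "NotifyRecipients", "NotifyAdmin"}
# Case-insensitive lookup, since the error text in section 7.3 prints keys in lower case.
ENUMS_CI = {(s.lower(), k.lower()): (k, v) for (s, k), v in ENUMS.items()}

# Constructed sample with three deliberate mistakes (not a configuration from the product).
SAMPLE_CONFIG = """
[group.settings]
ScanPolicy=combine
[group.actions]
DefaultAction=cure
ProtectedAction=skip
[group.filter]
IncludeSize=<=500KB
FilteredSizeAction=rename
IncludeName=.*loveletter.*
FilteredNameAction=delete
[group.backup]
BackupPolicy=info
BackupOption=cured
BackupOption=deleted
BackupDir=/var/db/kav/5.6/kavmilter/backup
[group.notifications]
EnableNotifications=on
NotifyRecipient=filtered
NotifyAdmin=all
AdminAddresses=admin@localhost
"""


def parse_config(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse [section] / key=value lines; a key repeated in a section collects a list."""
    sections: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    section = ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # assumption: comment markers
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected key=value, got {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[section][key].append(value)
    return sections


def check_config(text: str) -> List[str]:
    """Return a list of problem descriptions; an empty list means the checks passed."""
    problems: List[str] = []
    cfg = parse_config(text)
    for sec, keys in cfg.items():
        sec_l = sec.lower()
        known = sorted(k for (s, k) in ENUMS_CI if s == sec_l)
        for key, values in keys.items():
            entry = ENUMS_CI.get((sec_l, key.lower()))
            if entry is None:
                # A misspelt documented key would be ignored silently; point it out.
                near = difflib.get_close_matches(key.lower(), known, n=1, cutoff=0.8)
                if near:
                    canon = ENUMS_CI[(sec_l, near[0])][0]
                    problems.append(f'Warning in section [{sec}] key "{key}": unknown key, '
                                    f'did you mean "{canon}"?')
                continue
            canon, allowed = entry
            if len(values) > 1 and canon not in REPEATABLE:
                problems.append(f'Error in section [{sec}] key "{key}": assigned {len(values)} times')
            for v in values:
                if v.lower() not in allowed:
                    problems.append(f'Error in section [{sec}] key "{key}": '
                                    f'enum value "{v}" is not found')
    flt = cfg.get("group.filter") or {}
    if flt and not any(k.lower() in ("includemime", "includename", "includesize") for k in flt):
        problems.append("Warning in section [group.filter]: filtering needs at least one of "
                        "IncludeMime, IncludeName or IncludeSize")
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["Config OK"]:
        print(line)
```

On the sample the checker reports the misspelt ScanPolicy value, the rename action assigned to FilteredSizeAction (rename is valid only for the name filter), and the NotifyRecipient key that should read NotifyRecipients; with those three lines corrected it reports nothing. Keys the manual does not enumerate (paths, addresses, on/off switches) are passed through unchecked, so a clean result from this script still needs the product's own -t check before the configuration is reloaded.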
Special notifications to the administrator are generated if any of the following events occurs:
Discard – detection of an e-mail message which has been assigned the Infected status upon anti-virus scanning with subsequent application of the reject or drop action to it.
Fault – a critical error in the operation of the application.
Update – receipt of updates to the anti-virus databases.
License expiration – one week (three days or one day) remains before the license validity period expires.
License terms violation – a violation of the license agreement terms has occurred (the limitations on daily traffic volume or the number of e-mail accounts have been exceeded).
The application sends notifications about license expiry or violation of the license agreement automatically; no additional setup is required for these notifications, and administrators cannot disable them.
In order to enable sending of special notifications to administrators about the Discard, Fault and Update events, assign the corresponding value to the NotifyAdmin parameter.
Notification of the administrator about the Fault and Update events can be specified only in the default properties of the group.
The language of notification depends on the encoding specified in the configuration file (Charset parameter of the [group.notifications] section of the group configuration file).
To create an English notification text, perform the following steps:
1. assign the following values to the parameters below:
[group.notifications]
Charset=us-ascii
TransferEncoding=8bit
2. create a notification template in the English language.
7.10.1. Notification templates
The following templates can be used to create notifications (the templates are stored in the directory defined by the MessageDir parameter of the group configuration file):
Template for notifications about deleted objects – text added to the original message if one of the message parts is deleted during anti-virus processing or filtering. This text might contain a macro describing the reasons for deletion. The following templates are available:
part_infected_deleted – text replacing the object that was deleted after an unsuccessful disinfection attempt;
part_filtered_deleted – text replacing the MIME object that was deleted based on MIME object filtration results;
part_suspicious_deleted – text replacing the object that was detected as suspicious and deleted.
part_filtered_rename – text that replaces an original email object, renamed as the result of filtering;
part_protected_deleted – text replacing an object that was deleted because it was protected and therefore could not be scanned for viruses;
part_error_deleted – text replacing the object that generated a scan error and was therefore deleted.
Standard notification template – text of the notification that is sent to the sender, recipient, and administrator using Milter API. This text might contain a macro describing the reasons for deletion. The following templates are available:
message_default_notify – text sent by default to the recipient, sender, and administrators about the actions applied to the message;
message_infected_warn – text that replaces the infected message;
message_suspicious_warn – text that replaces the message containing suspicious objects;
message_filtered_warn – text that replaces the filtered e-mail message;
message_error_warn – text that replaces a message that generated a scan error;
message_disclaimer – text added to all processed and generated messages. By default this template includes the following notification: "This message has been scanned by Kaspersky Anti-Virus. For more information please see http://www.kaspersky.com".
Detailed notification template – text notifying a person interested in knowing more about the anti-virus processing of an e-mail message. There are separate templates for notifications sent to the recipient, sender, and administrator. Set the UseCustomTemplates parameter to on in order to use these templates. The following templates are available:
message_sender_notify – text of the notification sent to the sender about actions applied to the original message;
message_recipients_notify – text of the notification sent to the recipient about actions applied to the original message;
message_admin_notify – text of the notification sent to the administrator about actions applied to the original message.
Special administrator notification template – text added to special notifications sent upon critical events that require administrator’s special attention. The following templates are available:
message_admin_discard – text notifying the administrator that the original message will not be delivered (reject or drop);
message_admin_update – the text used to notify the administrator about receipt of updates to the anti-virus databases for the application;
message_admin_fault – text notifying the administrator that a critical error has occurred while scanning the message.
Text notifying the administrator about the license expiration date. Notifications are sent three times: a week before the license expiration, three days before it, and on the expiration date. The notification text or sending options cannot be customized.
Administrator notification about a violation of the license agreement (the limitations on daily traffic volume or the number of e-mail accounts have been exceeded) will be generated and sent automatically. Administrators cannot edit the notification text or control its dispatch.
When the application is started, the presence of all the above templates is verified. If even one of these templates is missing, the application will return an error.
The application also verifies that the size of each template does not exceed 8 KB.
7.10.2. Customizing notification templates
Kaspersky Anti-Virus gives users the flexibility to customize the default notification templates that will be sent to administrators, senders, and recipients. The templates are customized using a special notification language.
The template language is a set of control statements and macros.
Below, we consider the rules of this language, its syntax and examples of its use in detail.
7.10.2.1. Macros
A macro is a substitution element used in email notification templates. In a notification text created using a template, the macro is replaced with a certain value.
The syntax for macros is %macro_name%.
If a macro name contains ‘%’, it should be screened (see section 7.10.2.5 on page 66).
Several values can be assigned to a macro. In this case, the simple input of "%macro_name%" will output the last assigned value.
To assign several values to one macro, use iterative statements.
62 Kaspersky Anti-Virus® for Sendmail with Milter API
7.10.2.2. Iteration constructs
An iteration construct (IC) is the main element of the template language.
The syntax for an iteration construct is
<FOR INAME IOP IVALUE>BODY</FOR>
where:
<FOR – the beginning of IC definition. The < symbol that is not the beginning of an IC definition should be screened (see section 7.10.2.5 on page 66);
INAME – IC name in the format 1*(nchar)*(nchar); the maximum length is 64 bytes;
IOP – comparison operation in the format == | !=; the maximum length is 2 bytes;
IVALUE – value of IC in the format 1*(vchar)*(vchar); the maximum length is 4096 bytes. IC values only work in double quotes. When comparing with a value that contains a quotation mark, use the relevant screening escape symbol (see section 7.10.2.5 on page 66). Example:
<FOR _macro_name_parent_ == "\"_value_1\"">
> – end of IC definition and the beginning of the iterator body. The > symbol that is not the end of an IC definition must be screened (see section 7.10.2.5 on page 66);
BODY – iterator body in the format *(char);
</FOR> – end of the iterator body definition. The < symbol that is not the end symbol of the iterator body definition must be screened (see section 7.10.2.5 on page 66);
(whitespace) – separator in the format *( )*(\t)
nchar – characters from the set a-z, A-Z, 0-9, -, _
vchar – symbols from the set nchar, *, ?
char – symbols from the set of values 32 – 255
Example of an iteration construct:
<FOR _macro_name_ == "*">%_macro_name_%</FOR>
When executing this construct, the parser transforms the above command into the condition constructs:
<FOR _macro_name_ == "_value_1">%_macro_name_%</FOR>
<FOR _macro_name_ == "_value_2">%_macro_name_%</FOR>
<FOR _macro_name_ == "_value_3">%_macro_name_%</FOR>
...
<FOR _macro_name_ == "_value_N">%_macro_name_%</FOR>
These condition constructs are parsed sequentially.
Thus, iteration constructs are used to distinguish both the single and multiple values of a macro.
For example, if the macro %FILTERNAME% has the values KAVFilter1, KAVFilter2, KAVFilter3, and SimpleFilter, then the construct:
<FOR FILTERNAME == "KAVFilter1">%FILTERNAME%</FOR>
will produce the text:
KAVFilter1
the construct:
<FOR FILTERNAME == "KAVFilter?">%FILTERNAME%, </FOR>
will produce the text:
KAVFilter1, KAVFilter2, KAVFilter3
the construct:
<FOR FILTERNAME != "KAVFilter2">%FILTERNAME%, </FOR>
will produce the text:
KAVFilter1, KAVFilter3, SimpleFilter
the construct:
<FOR FILTERNAME != "KAV*">%FILTERNAME%, </FOR>
will produce the text:
SimpleFilter,
7.10.2.3. Scope of visibility for an iterative statement
Any iteration construct can have sub-macros, whose values are defined within the scope of visibility of the parent construct only. Iterative statements can be used not only to output particular values of particular macros, but also to define the scope of visibility of sub-macros.
The scope of visibility of a sub-macro is defined by the start and end tags of the condition construct:
<FOR _macro_name_parent_ == "_value_1">%_macro_name_child_%</FOR>
In the above example, the scope of the macro %_macro_name_parent_% includes all sublevels (between the FOR tags) if the macro value is overridden.
7.10.2.4. Variables
Variables provide better flexibility in customizing templates using the Template language.
A variable can be defined within the specified scope of visibility as follows:
<DEF _var_name_ = "_const_value_"/>
This variable can then be used as a usual macro without any limitations.
The syntax for a variable definition statement is as follows:
<DEF VNAME VOP VVALUE/>
where:
<DEF – beginning of the variable definition statement. The < symbol that is not the beginning of the statement must be screened (see section 7.10.2.5 on page 66);
VNAME – variable name in the format 1*(nchar)*(nchar); the maximum length is 64 bytes;
VOP – assignment operation in the format =; the length is 1 byte;
VVALUE – variable value in the format 1*(vchar)*(vchar); the maximum length is 4096 bytes. The value only works in double quotes. If the value contains a quote mark, use the screening escape symbol (see section 7.10.2.5 on page 66). Example:
<DEF _value_name_ = "\"_value_1\""/>
/> – end of the variable definition statement. The > symbol that is not the end of a variable definition must be screened (see section 7.10.2.5 on page 66). Unlike the FOR statement, the DEF statement has no body; therefore the closing bracket is written as /> to tell the parser that there is no end tag.
(whitespace) – separator in the format *( )*(\t)
nchar – symbols from the set a-z, A-Z, 0-9, -, _
vchar – symbols from the set nchar, *, ?
If a variable is redefined in its scope, the new value will be substituted after each redefinition. Thus, the statement:
<DEF __NAME__= "NAME_1"/>Now you will see the first value: %__NAME__%.
<DEF __NAME__= "NAME_2"/>Now you will see the second value: %__NAME__%.
will be output as:
Now you will see the first value: NAME_1. Now you will see the second value: NAME_2.
A variable can have a macro as its value:
<DEF _var_name_ = "%_macro_name_%"/>
In this case, the parser first substitutes the macro into the variable and then replaces the macro with its value in the current scope.
7.10.2.5. Language syntax
Special symbols
% – marks a macro. The macro should be between two "%" symbols. Example: %VIRUSNAME%
< – opening bracket of a tag. Example: <FOR FILTERNAME == "KAVFilter1">
> – closing bracket of a tag. Example: <FOR FILTERNAME == "KAVFilter1">
</ – opening bracket of an end tag. Example: </FOR>
/> – closing bracket of the end tag for a construct without a body. Example: <DEF __NAME__= "NAME_1"/>
\ – escape symbol. Instructs the parser to treat the following special character as a plain one. Example: \%VIRUSNAME\%
== – equal sign: a coincidence in mask or value. Examples: <FOR FILTERNAME == "KAVFilter1">, <FOR FILTERNAME == "KAVFilter*">
!= – unequal sign: a non-coincidence in mask or value. Examples: <FOR FILTERNAME != "KAVFilter1">, <FOR FILTERNAME != "KAVFilter*">
* – unlimited length of all possible values. It is used only inside tags in comparison with templates. Example: <FOR FILTERNAME == "KAV*">
? – all possible one-character values. It is used only inside tags in comparison with templates. Example: <FOR FILTERNAME == "KAVFilter?">
# – comment; the parser ignores all characters after ‘#’ till the end of line. Example: <FOR FILTERNAME == "KAVFilter1">
Reserved keywords
FOR – iteration construct definition.
DEF – variable definition (statement without an end tag). Example: <DEF __NAME__= "NAME_1"/>
Predefined macros
%CRLF% – line feed macro (CR+LF)
%TAB% – tab macro
The processing is performed within a global section (no statement is needed) or within a condition construct:
<FOR KAV_LANGUAGE == "5.0"> ... </FOR>
Escape sequences
The following sequences can be used to present special characters in the template language:
1. To output the ‘\’ symbol in the template text, enter ‘\\’.
2. If a line ends with ‘\’, it is interpreted as a string continued on the following line. The escape symbol at the end of the line screens the following EOL, which otherwise would appear in the generated message. Such a line is concatenated with the following one during processing, before any other actions are performed by the parser, and this is done in the same way whether the escape sequence occurs inside a tag or outside one. See item 1 above if you want to place a ‘\’ at the end of a line.
3. To output the ‘%’ symbol into the template text, use ‘\%’.
4. To output the ‘/’ symbol into the template text, use ‘\/’.
5. To output the ‘<’ symbol into the template text, use ‘\<’.
6. To output the ‘>’ symbol into the template text, use ‘\>’.
7. To output the ‘#’ symbol into the template text, use ‘\#’.
The template language is case sensitive. The number of spaces or tab symbols (either their presence or absence) between the language constructs is not regulated. Reserved keywords must be separated either by white space characters or by the special symbols.
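The following small interpreter, added here as an illustration and not part of Kaspersky Anti-Virus, implements the template language of sections 7.10.2.1 to 7.10.2.5 as described above: %name% substitution, FOR iteration with == and != against * and ? masks, DEF variables visible only inside the enclosing FOR, \ escapes, line continuation and # comments. It assumes that macros in a DEF value are expanded when the DEF is processed and that a macro with several values yields its last value outside a FOR; the FILTERNAME values are the manual's own example.

```python
import re
from fnmatch import fnmatchcase

# Tag grammar from 7.10.2.2 and 7.10.2.4: names are nchar (a-z A-Z 0-9 - _),
# values are double-quoted, and a quote inside a value is escaped as \".
_FOR_OPEN = re.compile(r'<FOR\s+([A-Za-z0-9_-]+)\s*(==|!=)\s*"((?:[^"\\]|\\.)*)"\s*>')
_DEF = re.compile(r'<DEF\s+([A-Za-z0-9_-]+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*/>')
_MACRO = re.compile(r'%([A-Za-z0-9_-]+)%')
_FOR_CLOSE = '</FOR>'


def preprocess(text):
    # Pass 1 (7.10.2.5): join lines ending in a backslash and drop '#' comments.
    # Escape pairs such as \# or \\ are kept intact for the rendering pass.
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '\\' and i + 1 < n:
            if text[i + 1] == '\n':          # continuation: drop escape and EOL
                i += 2
            else:
                out.append(text[i:i + 2])
                i += 2
            continue
        if c == '#':                         # comment runs to end of line; EOL kept
            while i < n and text[i] != '\n':
                i += 1
            continue
        out.append(c)
        i += 1
    return ''.join(out)


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)


def _find_for_close(text, start):
    # Index of the </FOR> matching the FOR whose body starts at `start` (FORs nest).
    depth, i = 1, start
    while i < len(text):
        if text[i] == '\\':
            i += 2
            continue
        if text.startswith(_FOR_CLOSE, i):
            depth -= 1
            if depth == 0:
                return i
            i += len(_FOR_CLOSE)
            continue
        m = _FOR_OPEN.match(text, i)
        if m:
            depth += 1
            i = m.end()
            continue
        i += 1
    raise ValueError('unterminated <FOR ...>')


def render(text, env):
    # Pass 2: expand macros, iterate FOR constructs, apply DEF variables.
    # `env` maps a macro name to its list of values; %name% yields the last one.
    env = dict(env)                          # DEFs made here stay in this scope
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '\\' and i + 1 < n:          # \x -> literal x
            out.append(text[i + 1])
            i += 2
            continue
        if c == '<':
            m = _FOR_OPEN.match(text, i)
            if m:
                name, op, mask = m.group(1), m.group(2), _unescape(m.group(3))
                close = _find_for_close(text, m.end())
                body = text[m.end():close]
                # The body is rendered once per value that satisfies the comparison,
                # with the macro bound to that single value inside the body.
                for value in env.get(name, []):
                    if fnmatchcase(value, mask) == (op == '=='):
                        out.append(render(body, {**env, name: [value]}))
                i = close + len(_FOR_CLOSE)
                continue
            m = _DEF.match(text, i)
            if m:                            # macros in the value expand now (7.10.2.4)
                env[m.group(1)] = [render(m.group(2), env)]
                i = m.end()
                continue
        if c == '%':
            m = _MACRO.match(text, i)
            if m:
                values = env.get(m.group(1), [])
                out.append(values[-1] if values else '')
                i = m.end()
                continue
        out.append(c)
        i += 1
    return ''.join(out)


def expand(template, env):
    return render(preprocess(template), env)


if __name__ == '__main__':
    env = {'FILTERNAME': ['KAVFilter1', 'KAVFilter2', 'KAVFilter3', 'SimpleFilter']}
    print(expand('<FOR FILTERNAME != "KAV*">%FILTERNAME%, </FOR>', env))
```

Running the manual's FILTERNAME constructs through expand() reproduces the listed results; note that a body such as "%FILTERNAME%, " emits its separator after every matching value, including the last, which is why the final example in 7.10.2.2 ends in "SimpleFilter,".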
7.10.2.6. Notification macros for the application
Macros can be used in notification templates for either entire messages or their parts. Using macros, you can customize notifications to include additional information on the properties of an original message or object or about actions applied to them.
The administrator can use the following macros in notifications concerning entire messages:
%CLIENT_ADDR% – remote address of the mail client.
%SENDER_ADDR% – sender address.
%RECPT_ADDR% – recipient address.
%HEADERS% – message header.
%BK_ACTION% – actions applied to the message that caused a backup copy to be created (if the application is configured to back up messages).
%BK_LOCATION% – full path to the backup storage (if the storage exists).
%ACTION_LIST% – list containing information about the message and its objects and a list of actions applied to them. The information is output in the following format:
<status> <action> <information>
for each processed part of the message.
In notifications related to objects deleted from a message, the following macros can be used:
%STATUS% – object status assigned as the result of scanning or filtering.
%ACTION% – action applied to the object based on its status.
%INFO% – information related to the action performed:
list of detected viruses (malicious software) – for infected objects;
error code description – for objects that generated a scan error;
MIME type or attachment name – for filtered objects.
The macros must be specified in the text of notification templates.
7.11. Reporting options
Kaspersky Anti-Virus performance results are logged in the application report. You can store results either in the system log or a separate file (defined by the LogFacility parameter of the [kavmilter.log] section in the kavmilter.conf configuration file).
The report contains records about:
Events related to application functionality – all events that occur during application performance, for example, results of message scans.
Events not related to the application functionality – all events that are not directly caused by application performance but provide important information. This information can be the size of the backup storage, application errors, license policy events, etc.
The administrator can decide what information will be included into the report and determine the detail level of the selected data for each.
The types of data and their detail levels are discussed below.
The following information can be logged in the report:
config – records about the application configuration;
scan – information about scan results and actions performed;
backup – data related to backing up e-mail messages;
app – system messages about application initialization, signals, and processes;
notification – messages regarding dispatch of notifications;
all – all the above types of data.
Each of these categories can be assigned a special detail level:
critical – critical events that interrupt application operation;
error – errors that can be fatal or non-fatal for application operation;
warning – events that reflect unusual situations during application performance; it is useful for the administrator to be aware of such situations;
notice – events related to the application business logic;
info – general information concerning the application functionality;
debug – debugging messages;
all – all the above levels.
You can combine the information categories and their detail levels. For example, if you want to record all information related to backing up messages, enter the following parameter value into the [kavmilter.log] section in kavmilter.conf configuration file:
LogOption=backup.all
To log only configuration errors, type the following:
LogOption=config.error
To prevent some information from logging, type, for example, the following:
LogOption=-scan.debug
The minus before a combination means that this category will be excluded from logging. The remaining information will be logged.
You can also use three alternative forms for specifying the detail level (see table 2).
Table 2. Alternative recording forms
Symbolic   Literal   Numerical
debug      D         9
activity   A         4
info       I         3
warning    W         2
error      E         1
fatal      F         0
The following values, for example, can be used:
LogOption = backup.W
LogOption = config.E
LogOption = scan.0
LogOption = -scan.9
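The following added example (not part of the product; written for this guide) parses LogOption values in any of the three forms of table 2 and answers whether a given event category and level would be logged. It assumes the natural reading of the text above: an event is logged when some positive LogOption entry covers its category and level and no minus entry excludes it, with "all" acting as a wildcard in either position; "critical" and "notice", which appear in the level list but not in table 2, are accepted by name only.

```python
import re

# Table 2 of the manual: symbolic name -> (literal, numerical) alternate forms
LEVEL_ALIASES = {
    "debug": ("D", "9"),
    "activity": ("A", "4"),
    "info": ("I", "3"),
    "warning": ("W", "2"),
    "error": ("E", "1"),
    "fatal": ("F", "0"),
}
# Levels listed in 7.11 that table 2 gives no short form for
PLAIN_LEVELS = {"critical", "notice"}
CATEGORIES = {"config", "scan", "backup", "app", "notification"}

_ALIAS_TO_NAME = {alias: name for name, pair in LEVEL_ALIASES.items() for alias in pair}

# Accepts a full "LogOption = -scan.9" line or a bare "-scan.9" value
_OPTION_RE = re.compile(r"^\s*(?:LogOption\s*=\s*)?(-?)\s*([A-Za-z]+)\.([A-Za-z0-9]+)\s*$")


def canonical_level(token):
    """Map any of the three forms (debug / D / 9) to the symbolic level name."""
    t = token.strip()
    low = t.lower()
    if low == "all" or low in LEVEL_ALIASES or low in PLAIN_LEVELS:
        return low
    if t.upper() in _ALIAS_TO_NAME:
        return _ALIAS_TO_NAME[t.upper()]
    raise ValueError(f"unknown detail level: {token!r}")


def parse_log_option(line):
    """Return (exclude, category, level) for one LogOption entry."""
    m = _OPTION_RE.match(line)
    if not m:
        raise ValueError(f"malformed LogOption: {line!r}")
    exclude = m.group(1) == "-"
    category = m.group(2).lower()
    if category != "all" and category not in CATEGORIES:
        raise ValueError(f"unknown category: {category!r}")
    return exclude, category, canonical_level(m.group(3))


class LogFilter:
    """Assumed semantics: logged if an include entry matches and no exclude entry does."""

    def __init__(self, lines=()):
        self.includes, self.excludes = [], []
        for line in lines:
            self.add(line)

    def add(self, line):
        exclude, category, level = parse_log_option(line)
        (self.excludes if exclude else self.includes).append((category, level))

    @staticmethod
    def _matches(rule, category, level):
        rule_cat, rule_level = rule
        return rule_cat in ("all", category) and rule_level in ("all", level)

    def allows(self, category, level):
        """Would an event of this category at this level reach the report?"""
        level = canonical_level(level)
        if any(self._matches(r, category, level) for r in self.excludes):
            return False
        return any(self._matches(r, category, level) for r in self.includes)


if __name__ == "__main__":
    f = LogFilter(["LogOption=backup.all", "LogOption=config.error", "LogOption = -scan.9"])
    for cat, lvl in (("backup", "D"), ("config", "warning"), ("scan", "debug")):
        print(cat, lvl, "->", "logged" if f.allows(cat, lvl) else "dropped")
```

A check like this is useful before restarting the filter with a new kavmilter.conf: it shows at once whether the entries you combined still record the scan and notification events you rely on for incident review.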
Because the log file size grows rapidly, it is recommended to use the log file rotation option (LogRotate=on) to avoid creating long log files that are hard to analyze.
In this mode, when the report file grows and reaches RotateSize, it is copied to kavmilter.<number>.log and the initial log truncates to zero. The application will continue to record new information to kavmilter.log.
Thus the application will generate files kavmilter.1.log, kavmilter.2.log, etc. The RotateRounds keyword specifies how many rotation rounds can occur. When the RotateRounds number of rotations is reached, the application starts writing over the oldest files.
For example, when RotateSize=1048576 and RotateRounds=10, then kavmilter.1.log, kavmilter.2.log etc. will be created, each 1048576 bytes. After kavmilter.10.log is created and it has reached 1048576 bytes, kavmilter.1.log is overwritten on the next rotation, and so on.
7.12. Parameters of update report generation
Update results are logged in a report that can be saved to the system log or as a separate file (ReportFileName parameter of the [updater.report] section in the kavmilter.conf configuration file).
You can adjust the amount of output information by changing the report detail level.
The detail level is a number that defines how detailed the information about the components’ operation is. Each level includes the data of all previous levels plus some additional information.
The report detail levels are listed in table 3.
Table 3. Report detail levels
Level   Level name     Meaning
0       Fatal Errors   Only information regarding critical errors (that terminate the program due to impossibility of executing an action), for example, the component is infected, or scanning, database loading, or license key loading failed.
1       Errors         Information about other errors that may or may not lead to application shutdown, for example, file scan errors.
2       Warning        Notifications about errors that may lead to the application shutdown (license key expiration warning, out-of-disk-space warning, etc.).
3       Info, Notice   Important informational messages, such as whether a component is running or inactive, the path to the configuration file, latest changes in scan area, database updates, license keys, statistics summary.
4       Activity       Messages on scanning of files according to the report detail level.
9       Debug          All debug messages.
Information regarding fatal errors that occur during component operation is output regardless of the preset detail level. The default level is 3.
To define the report level, set the ReportLevel parameter of the [updater.report] section to the desired value.
The reports of any detail level are displayed as:
[date time level_of_detail] STRING
where:
[date time level_of_detail] is the parameter generated by the system. It contains the date and time (in the format set by the administrator) and the report detail level (the first letter of the detail level). The format of time and date representation can be changed in the [locale] section of the configuration file.
STRING – a line of the report.
While the application update cron task is running, the keepup2date.sh.log file is created in /var/log/kav/5.6/kavmilter/. This file contains a report about the execution of the keepup2date.sh script.
7.13. Statistics parameters
During operation, the application can record general statistics based on performance results and detailed statistics on every processed message. General statistics include:
E-mail statistics – general information related to e-mail traffic, including the number of incoming messages scanned by the anti-virus application, the number of protected or corrupted messages, and the overall size of all messages.
Resource statistics – information about resources consumed by scanning and processing e-mail messages. Here the application records the total amount of mail traffic, average scan time for a single message, etc.
Virus statistics – information on the last ten detected viruses and the IP addresses from which most viruses were received.
To determine what type of general statistics you want to record, set the TrackStatistics parameter in the [kavmilter.statistics] section of the kavmilter.conf configuration file to one of the following values:
none – do not record application statistics;
message – record message statistics;
resources – record resource statistics;
viruses – record virus statistics;
all – record statistics for messages, resources, and viruses.
General statistics can be saved in text format or xml format (defined by the DataFormat parameter of the [kavmilter.statistics] section).
The full path to the statistics file is defined by the DataFile parameter.
In order to create a file that will contain detailed statistical data about all processed messages, specify a value for the parameter MessageStatistics=file name|TCP-socket that defines the path to the local file or the network socket.
To reduce I/O operations while gathering statistics, the application uses internal buffering. As a result, the application provides the first statistical information twenty seconds after it has processed the first sixty-five mails.
Each line in the generated statistics file will contain data about one processed object using the following format:
<Time>\t<Size>\t<Sender>\t<Recipients>\t<Verdict>\t<Virus(es)>\t<IP>\t<ID>
Table 4 contains descriptions of each parameter. If a parameter is optional, the corresponding field in the report line may remain blank.
Table 4. Statistics parameters
Symbolic name   Value                                                          Note
Time            Record creation time
Size            Record size
Sender          Sender’s email address
Recipients      Email addresses of recipients. Several addresses can be listed.
Verdict(s)      List of statuses assigned after the anti-virus scan.
Virus(es)       List of viruses.                                               Optional
IP              IP address of the host from which the message was received.    Optional
ID              Message ID.                                                    Optional
Use an empty line as the parameter value of MessageStatistics if you do not want the application to record detailed statistics.
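As an added example (not part of the product), the following code parses lines in the MessageStatistics format of table 4 and aggregates the figures an administrator would look at first: verdict counts, traffic volume and the hosts that delivered the most malware. The sample records are constructed for this example, using the default date and time formats of section 7.16; the comma separator between several recipients or virus names is an assumption, since the manual does not state it.

```python
from collections import Counter

# Field order of each line in the MessageStatistics file (section 7.13):
# <Time>\t<Size>\t<Sender>\t<Recipients>\t<Verdict>\t<Virus(es)>\t<IP>\t<ID>
FIELDS = ('time', 'size', 'sender', 'recipients', 'verdict', 'viruses', 'ip', 'id')

# Constructed sample records (not real kavmilter output). Empty fields exercise
# the optional Virus(es), IP and ID columns of table 4.
SAMPLE = (
    '01/03/06 10:00:01\t2048\talice@example.org\tbob@example.net\tclean\t\t192.0.2.10\tm1\n'
    '01/03/06 10:00:07\t51200\tmailer@example.com\tbob@example.net,carol@example.net'
    '\tinfected\tEICAR-Test-File\t198.51.100.7\tm2\n'
    '01/03/06 10:01:15\t4096\tdave@example.org\tbob@example.net\tinfected\tEICAR-Test-File'
    '\t198.51.100.7\t\n'
    '01/03/06 10:02:40\t1024\t\tbob@example.net\tsuspicious\t\t\tm4\n'
)


def parse_stats_line(line):
    """Split one tab-separated record into a dict; blank optional fields stay empty."""
    parts = line.rstrip('\r\n').split('\t')
    if len(parts) != len(FIELDS):
        raise ValueError(f'expected {len(FIELDS)} fields, got {len(parts)}: {line!r}')
    rec = dict(zip(FIELDS, parts))
    rec['size'] = int(rec['size']) if rec['size'] else 0
    # Assumed separator for multi-valued fields: comma
    rec['recipients'] = [r for r in rec['recipients'].split(',') if r]
    rec['viruses'] = [v for v in rec['viruses'].split(',') if v]
    return rec


def parse_stats(text):
    """Parse a whole statistics file, skipping blank lines."""
    return [parse_stats_line(line) for line in text.splitlines() if line.strip()]


def summarize(records, top=10):
    """Message and byte totals, verdict breakdown, and the IPs that sent most malware."""
    verdicts = Counter(r['verdict'] for r in records)
    # Only records with a virus name and a known source IP count as a malware source
    sources = Counter(r['ip'] for r in records if r['viruses'] and r['ip'])
    return {
        'messages': len(records),
        'bytes': sum(r['size'] for r in records),
        'verdicts': dict(verdicts),
        'top_virus_sources': sources.most_common(top),
    }


if __name__ == '__main__':
    for key, value in summarize(parse_stats(SAMPLE)).items():
        print(f'{key}: {value}')
```

Because the record has no quoting, a tab inside a sender or virus name would shift the columns; the parser therefore rejects lines with the wrong field count rather than silently misattributing a verdict to the wrong message.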
7.14. Restarting Kaspersky Anti-Virus
Occasionally events occur which necessitate that the application is restarted: these include configuration changes and application errors. Depending on the situation, the following methods may be used:
Configuration changes.
For new changes to take effect, you need to restart Kaspersky Anti-Virus using the kavmilter service script. The configuration file with the most recent changes will be reloaded.
To control the application, use the following command line options:
start – check whether Kaspersky Anti-Virus is running (using the process ID). If the application is running, the kavmilter script stops. If the application is not yet running, the kavmilter script starts and checks for the necessary changes in the Sendmail configuration required for successful integration of the mail system with the anti-virus scanner. If these configuration changes are made, the anti-virus filter is initiated. A return code of 0 means that the filter has successfully started.
stop – check whether Kaspersky Anti-Virus is running (using the process ID). If the application is running, the SIGTERM signal is sent. If the application does not terminate within three seconds, SIGKILL is sent. A return code of 0 means that the application has been stopped.
restart – stop and start the application again, according to the procedure initiated by the stop and start options.
reload – reload the application configuration and the anti-virus database, using the SIGUSR1 signal.
bases – reload only the anti-virus database, and check the license key validity;
status – check whether Kaspersky Anti-Virus is running (using the process ID) and output the application status on the console. If the application is running, the return code is 0; if it is not running, the return code is 1.
stats – write kavmilter statistics data to the predefined file.
check – check whether Kaspersky Anti-Virus is running. The procedure is similar to using the status option, but the application status is not output to the console. The return codes are the same.
Problems encountered during application operation.
If you encounter problems when working with the application, for example, I/O errors, library errors, etc., use the watchdog utility included in the distribution kit. This utility is installed on your computer together with Kaspersky Anti-Virus.
The watchdog utility produces a descendant process to control the parent process. If the application encounters a conflict and stops, the watchdog utility restarts the application.
The maximum number of restarts induced by watchdog is defined by the WatchdogMaxRetries parameter in the [kavmilter.global] section. To disable this parameter, set it to -1.
The use of the watchdog utility is regulated by the -f command line option. If this option is specified when the application is loaded, watchdog is disabled.
The anti-virus database is reloaded immediately after updating. No manual application restart is needed. The automatic restart of the application is defined by the PostUpdateCmd parameter in the [updater.options] section.
7.15. Managing the application from the command line
Kaspersky Anti-Virus is managed from the command line using the kavmilter control file (stored by default in /opt/kav/5.6/kavmilter/bin in Linux distributions and /usr/local/share/kav/5.6/kavmilter/bin in OpenBSD / FreeBSD distributions) with the following command line options:
-h – display help information to console;
-v – display the application version to console;
-t – check the application configuration and verify the configuration operability; display error messages to console;
-f – run the application and work with the current console (do not switch to background mode after startup);
-s <socket> – define the socket for data transfer; the format of the <socket> parameter is as follows:
inet:port@ip-addr – use a network socket working via the port and the address ip-addr.
local:/socket/file/path – use a local socket.
-u <user> – start the application with the rights of the user <user> (for example, with the root user rights). By default, the application is started with the rights of the kav user;
-g <group> – start the application with the rights of the user group <group> (for example, with the root user group rights). By default, the application is started with the rights of the kav user group;
-c <file> – use the file <file> as the configuration file (the default configuration file is /etc/kav/5.6/kavmilter/kavmilter.conf);
-r <command> – execute one of the following commands:
reload – reload the application configuration file and the anti-virus databases; all changes and updates will take effect after restart;
bases – reload only the anti-virus database and check the license key validity;
stats – write general application statistics to the file defined by the DataFile parameter;
stop – stop the application (stop filtering).
-p <pid_file> – use the specified <pid_file> instead of /var/db/kav/5.6/kavmilter/run/kavmilter.pid, which is used by default.
7.16. Localization of displayed date and time format
While operating, Kaspersky Anti-Virus compiles reports for each of its components as well as various notifications for users and administrators. Such information is always supplemented with the date and time of its output.
By default Kaspersky Anti-Virus uses the date and time formats corresponding to the strftime standard:
%H:%M:%S – format of time output (hh.mm.ss).
%d/%m/%y – format of date output (dd.mm.yy).
The administrator may change the date and time format. Localization of formats is performed in the [locale] section of the kavmilter.conf configuration file. You can define the following formats:
%I:%M:%S %P – for time output in twelve-hour format (TimeFormat parameter).
%y/%m/%d and %m/%d/%y – for date output (DateFormat parameter) (yy.mm.dd and mm.dd.yy respectively).
7.17. Additional informational header fields in messages
The application enables some supplementary information to be added to mail messages as header fields using one of two separate methods:
Addition of an extension header field to mail message
The information may indicate the application version, the date when the anti-virus database was last updated, the time and result of message scanning (determined by the AddXHeaders parameter in the [group.settings] section of the group configuration file).
Header format:
X-Anti-Virus: <product name and version>, bases: <date of the last update to anti-virus databases in YYYYMMDD format> #<number of records in AV databases>, check: <scan date in YYYYMMDD format> <scanning status or not_checked>
For example:
X-Anti-Virus: Kaspersky Anti-Virus for Sendmail with Milter API 5.6.0.0, bases: 20050301 #102746, check: 20041210 clean
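The following added example (not part of the product) parses the X-Anti-Virus header in the format just described and reports what a mail administrator would want to know from it: whether the message was actually checked, what the verdict was, and how old the databases were at scan time. The 7-day freshness threshold is an assumption for the example. Because any sender can put such a header into a message, this kind of check belongs in reporting on mail that your own filter has stamped, not in a trust decision about inbound mail.

```python
import re
from datetime import date

# Header format from section 7.17:
# X-Anti-Virus: <product>, bases: <YYYYMMDD> #<records>, check: <YYYYMMDD> <status|not_checked>
_X_AV = re.compile(
    r'^X-Anti-Virus:\s*(?P<product>.+?),\s*bases:\s*(?P<bases>\d{8})\s*#(?P<records>\d+),'
    r'\s*check:\s*(?P<check>\d{8})\s+(?P<status>\S+)\s*$'
)

# The manual's own example header
PAGE_EXAMPLE = ('X-Anti-Virus: Kaspersky Anti-Virus for Sendmail with Milter API 5.6.0.0, '
                'bases: 20050301 #102746, check: 20041210 clean')


def _ymd(s):
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def parse_x_anti_virus(header):
    """Return the header's fields as a dict, or None if it does not match the format."""
    m = _X_AV.match(header.strip())
    if not m:
        return None
    return {
        'product': m.group('product'),
        'bases': _ymd(m.group('bases')),
        'records': int(m.group('records')),
        'check': _ymd(m.group('check')),
        'status': m.group('status'),
    }


def review_header(header, max_bases_age_days=7):
    """List of findings for one message; an empty list means nothing stands out.
    max_bases_age_days is an assumed threshold, not a value from the manual."""
    info = parse_x_anti_virus(header)
    if info is None:
        return ['X-Anti-Virus header missing or malformed']
    findings = []
    if info['status'] == 'not_checked':
        findings.append('message was not scanned')
    elif info['status'] != 'clean':
        findings.append(f"scan status is {info['status']}")
    age = (info['check'] - info['bases']).days
    if age < 0:
        findings.append('bases date is later than the scan date (clock skew?)')
    elif age > max_bases_age_days:
        findings.append(f'anti-virus databases were {age} days old at scan time')
    return findings


if __name__ == '__main__':
    print(parse_x_anti_virus(PAGE_EXAMPLE))
    print(review_header(PAGE_EXAMPLE))
```

Run on the manual's own example, the review flags that the bases date (2005-03-01) is later than the check date (2004-12-10), which on a real server would point at a wrong system clock rather than at a scanning problem.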
Addition of disclaimer text to mail message body
The information will be added as plain text; it may contain any statement generated in accordance with the security policy (or other rules) of a specific organization, and is specified by the AddDisclaimer parameter in the [group.settings] section. The default message text states that the message has been scanned by Kaspersky Anti-Virus. At the administrator’s request the application can modify the information format (e.g., generate the disclaimer message as HTML text).
7.18. Troubleshooting
The application distribution kit includes the troubleshooter.sh script, which allows you to troubleshoot the application operation. Using this script, you can also report serious bugs and problems to Kaspersky Lab Technical Support.
In order to use this script, you should have the uuencode utility installed in your system.
The information you want to send to Technical Support is compressed and can be encrypted using the public part of the PGP key included in the application distribution kit. You can encrypt files to be sent using any third-party pgp or gpg utility (not supplied with the application).
Use the following command line options:
-h – display all command line options for the troubleshooter.sh script;
-report – enable non-interactive operation mode (the default mode is interactive). If there are any problems requiring assistance from the user, the application will use default values to generate the report.
-check – automatically check application operation, configuration, and related issues that may cause problems with Anti-Virus functionality;
-to email – send requests about encountered problems to an address other than Kaspersky Lab Technical Support;
-from addr – specify a message sender’s address different from the default one. By default, the application uses the <username>@<hostname> address;
-key id – determine the PGP/GnuPG key for encrypting the archive with information to be sent to Technical Support. If you set a filename with this option, the application will use the first key contained in this file to encrypt the message.
7.19. Application control via SNMP
Beginning with version 5.6, the application offers read-only access to the following information via the SNMP protocol:
product configuration – parameters from all sections of the application‘s configuration files, including group configuration files;
operational statistics – comprehensive statistics about the application’s operation.
In order to access application statistics via SNMP, the application must be configured to collect these statistics (see section 7.13 on page 73).
The application supports the SNMP protocol, v1, v2, and v3.
The information that can be accessed over SNMP is determined by the SNMPServices parameter, located in the [kavmilter.snmp] section of the kavmilter.conf configuration file. This parameter can take the following values:
config – application configuration information;
statistics – operational statistics;
admin – administrative information that contains:
1. the date when the application was started, in ISO 8601 format;
2. the time (in seconds) that has elapsed since the application started;
update – application update information that includes:
3. the date of the last check for an update, in ISO 8601 format;
4. the status of the last update, which can be:
o updated – successful update, new anti-virus databases were installed;
o not-needed – update completed correctly, but no new files were needed;
o error – update process has failed;
o rolled-back – update was successful, but the anti-virus database was corrupted so a rollback was performed;
o unknown – the last update status could not be determined.
5. the date of the last successful update, in ISO 8601 format;
6. the number of signatures in the anti-virus database currently in use;
7. the date, in ISO 8601 format, when the last update was released.
all – all information described above;
none – do not offer any information over SNMP.
Kaspersky Anti-Virus employs an SNMP subagent that interacts with the SNMP master agent via AgentX protocol. The AgentX protocol parameters are located in the [kavmilter.agentx] section of the kavmilter.conf configuration file, and are as follows:
Socket – interaction socket; you can use a local file or network socket as shown in the example:
Socket=/var/agentx/master
or
Socket=localhost:705
Timeout – time-out (in seconds) for an AgentX request. The default value is 5.
Retries – number of retries for an AgentX request. The default value is 10. If this parameter is not set, the application will use value 5.
PingInterval – time interval (in seconds) between subagent attempts to connect to master agent if it becomes disconnected.
You can use any SNMP agent that supports the AgentX protocol as the master agent. The following gives a configuration example for the NET-SNMP agent, in which the application subagent uses a local socket to connect to NET-SNMP.
You are advised to use NET-SNMP version 5.1.2 or higher, which correctly implements the AgentX protocol.
To configure the master agent, perform these steps:
1. Add the following lines to the snmpd.conf configuration file:
master agentx
AgentXSocket /var/agentx/master
AgentXPerms 770 770 root kav
rocommunity public localhost
trapsink localhost
The AgentXPerms line makes the socket and its directory writable only by root and the kav group, so the account the application runs under (RunAsUid/RunAsGid in [kavmilter.global]) must belong to that group. The rocommunity line limits read access to connections from localhost; "public" is a widely known community string, so replace it with a value of your own before allowing any other host to reach the agent.
2. Add the following lines to the snmp.conf configuration file:
mibdirs +/var/db/kav/5.6/kavmilter/mibs
mibs all
where the path /var/db/kav/5.6/kavmilter/mibs is the default directory where the MIB files for Kaspersky Anti-Virus are stored. If the application was installed into another directory, change this path accordingly.
3. Restart NET-SNMP.
You will find more information about NET-SNMP at http://www.net-snmp.org/. For more information about the snmpd.conf and snmp.conf configuration files, see the corresponding manual pages.
The product OIDs are accessible under the following branch:
1.3.6.1.4.1.23668.1126
or, in symbolic form:
.iso.org.dod.internet.private.enterprises.kaspersky.kavmilter
This node contains the following groups:
config – application configuration parameters, including group configuration, divided into sections as in the configuration files.
stats – statistical information about processed messages, resources in use and detected viruses.
update – application update information.
admin – administrative information (application start time, errors etc.).
To get parameter values for objects in the config.Groups section, use a Walk request (snmpwalk) rather than a Get request (snmpget).
The Administrator can also set the application to send SNMP traps for specific events. The SNMPTraps parameter, in the [kavmilter.snmp] section of the kavmilter.conf configuration file, determines the events that trigger SNMP traps. The possible values are:
config – a trap is sent when the configuration or the databases are reloaded (ConfigReloaded trap and BasesReloaded trap).
admin – a trap is sent when the application starts or stops (ProductStart trap, ProductStop trap) or has a fatal error (ProductError trap). Additionally, if the AlertThreshold parameter is not zero, a trap is sent when the percentage of infected messages found during the last hour exceeds that value (OutbreakAlert trap). The OutbreakAlert trap is repeated every hour from the time the threshold is exceeded until the percentage of infected messages falls below the defined limit.
update – a trap is sent when an application update is performed (UpdateStatus trap) or the anti-virus database is older than five days (ObsoleteBases trap).
all – a trap is sent when any of the above events occurs.
none – no traps are sent.
If you use the NET-SNMP master agent, start the snmptrapd daemon to receive traps.
CHAPTER 8. USING LICENSES
The license key grants you the right to use the product. It contains all the necessary information related to the license you have purchased, such as license type, expiration date, distributor information, etc.
The license key for Kaspersky Anti-Virus is issued for a certain period (as a rule, one year from the purchase date) and is limited either by the daily mail traffic processed by the application or by the number of protected email addresses. In the latter case, the application scans email traffic for the domains specified in the application configuration file and for the servers on which the application is installed.
When the Kaspersky Anti-Virus license expires, the application continues to operate, but it can no longer update its anti-virus databases. It will still disinfect infected objects, but only using its old databases.
Besides the right to use the product during the period of license validity, you are entitled to the following:
round-the-clock technical support;
hourly updates of the anti-virus databases;
software updates (patches);
new software versions (upgrades);
timely notifications about new viruses.
These benefits also expire with the license. Kaspersky Anti-Virus will continue scanning your server's mail traffic, but only with the anti-virus database that was current when the license expired. The updating function will be unavailable; if you try to update the database manually, the application will stop working.
It is therefore very important to periodically check the information contained in the license key and keep track of its expiry date.
If your license is limited by mail traffic, it covers only the amount of daily mail traffic specified in the license key. If the daily mail traffic exceeds the license limit, the administrator is notified that a license for the additional traffic must be purchased.
If your license is issued for a specified number of mail addresses, it extends to all addresses of the domains listed in the kavmilter.conf configuration file (LicensedUsersDomains parameter) and to all addresses of the server on which Kaspersky Anti-Virus is installed (the server's own addresses do not belong to the domain). If the number of mail addresses exceeds the license limit, the administrator is notified that a license for the additional addresses must be purchased.
You must specify the main domain as well as all subdomains of that domain. To list several domains and subdomains, you can use regular expressions with the following syntax:
re: domain-regexp
where:
re: is a prefix that marks the entry as a regular expression;
domain-regexp is a POSIX regular expression that matches the sender's or the recipient's domain.
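The following is an added example, not part of the manual or of the product: a small Python matcher that applies a LicensedUsersDomains-style list, mixing plain domain names and re: entries, to sender or recipient addresses. It assumes that a plain entry names one domain exactly, that an re: entry is matched against the domain part of the address, and that Python's re module stands in for the POSIX regular expressions the product uses (the syntax shown is common to both). The domain list and addresses are constructed. The one point worth noticing is the anchoring: whether the product anchors a pattern is not stated above, so the example anchors every pattern itself, because an unanchored re:example\.com would also match example.com.attacker.net.

```python
"""Added example (not Kaspersky's code): decide whether an address falls under
a LicensedUsersDomains list that mixes plain domains and "re:" entries.

Assumptions: a plain entry names exactly one domain; "re:<regexp>" is matched
against the domain part of the address; Python's re module stands in for the
POSIX regular expressions the product uses. All data below is constructed.
"""
import re


def compile_domain_list(entries):
    """Turn configured entries into (kind, pattern) pairs.

    Every regular expression is wrapped in \\A(?: ... )\\Z before use, so that
    "re:example\\.com" cannot also match "example.com.attacker.net": a pattern
    that merely occurs somewhere inside the domain would silently widen the
    set of domains treated as licensed.
    """
    compiled = []
    for entry in entries:
        entry = entry.strip()
        if entry.startswith("re:"):
            pattern = entry[3:].strip()
            compiled.append(("re", re.compile(r"\A(?:%s)\Z" % pattern, re.IGNORECASE)))
        else:
            compiled.append(("exact", entry.lower()))
    return compiled


def domain_of(address):
    """Return the domain part of an address, lower-cased."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an address: %r" % address)
    return domain.lower()


def is_licensed(address, compiled):
    """True if the address's domain is covered by the compiled list."""
    domain = domain_of(address)
    for kind, pat in compiled:
        if kind == "exact" and domain == pat:
            return True
        if kind == "re" and pat.match(domain):
            return True
    return False


# Constructed configuration: the main domain, all of its subdomains, and one
# unrelated domain listed explicitly (a hypothetical LicensedUsersDomains list).
LICENSED = compile_domain_list([
    "example.com",
    r"re:.*\.example\.com",
    "partner.test",
])
```

Run is_licensed on the envelope sender and each recipient of a message; a domain that is neither listed exactly nor matched by an anchored pattern is reported as unlicensed.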
8.1. Viewing license key information
You can review information about installed license keys in the logs produced by the kavmilter component, since it loads the information from the license keys during start-up.
In addition, Kaspersky Anti-Virus contains a special licensemanager component, which enables you not only to review more detailed information about the keys but also to retrieve some analytical data.
All the information may be output to the server console or viewed remotely from any computer on your network through the Webmin interface.
To review the information about all installed license keys, enter the following at the command line:
# ./licensemanager -s
The following information will be output to the server console:
Kaspersky license manager for Linux. Version 5.6.0.0/RELEASE #19
Copyright (C) Kaspersky Lab, 1997-2005.
Portions Copyright (C) Lan Crypto
License info:
Product name: Kaspersky Anti-Virus for Sendmail Milter API Traffic Distribution 1 year
Expiration date: 17-02-2006, expires in 211 days
Active key info:
Product name: Kaspersky Anti-Virus for Sendmail Milter API Traffic Distribution 1 year
Key file 000843FF1.key
Type: Commercial
Expiration date: 17-02-2006
Serial: 0038-000466-000843F
To review information about a particular license key file, enter, for example, the following at the command line:
# ./licensemanager -k 00053E3D.key
The following information will be output to the server console:
Kaspersky license manager for Linux. Version 5.6.0.0/RELEASE #19
Copyright (C) Kaspersky Lab, 1997-2005.
Portions Copyright (C) Lan Crypto
Product name: Kaspersky Anti-Virus for Sendmail Milter API Traffic Distribution 1 year
Creation date: 18-11-2004
Expiration date: 17-02-2006
Serial: 0038-000466-000843F
Type: Commercial
Count: 20000
Lifespan: 365
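Chapter 8 says to check the expiry date periodically; the following added example (not the manual's or the product's code) does that from a script, so the check can run from cron instead of by eye. It parses the text that licensemanager -s prints, using the "Key file", "Type:" and "Expiration date: DD-MM-YYYY" lines from the listing above, and classifies the installed keys as ok, expiring or expired. The sample output is constructed from the listing, not captured from a real installation, and the 30-day warning window is the example's own choice.

```python
"""Added example (not Kaspersky's code): parse "licensemanager -s" output and
decide whether the installed license keys need attention.

Assumptions: the output contains "Key file <name>" and
"Expiration date: DD-MM-YYYY" lines as in the manual's listing. The sample
below is constructed from that listing.
"""
import re
from datetime import date

SAMPLE_OUTPUT = """\
Kaspersky license manager for Linux. Version 5.6.0.0/RELEASE #19
Copyright (C) Kaspersky Lab, 1997-2005.
Portions Copyright (C) Lan Crypto
License info:
Product name: Kaspersky Anti-Virus for Sendmail Milter API Traffic Distribution 1 year
Expiration date: 17-02-2006, expires in 211 days
Active key info:
Product name: Kaspersky Anti-Virus for Sendmail Milter API Traffic Distribution 1 year
Key file 000843FF1.key
Type: Commercial
Expiration date: 17-02-2006
Serial: 0038-000466-000843F
"""

KEY_FILE = re.compile(r"^Key file (\S+)", re.M)
EXPIRY = re.compile(r"^Expiration date: (\d{2})-(\d{2})-(\d{4})", re.M)


def parse_license_report(text):
    """Return {"keys": [file names], "expires": date} from licensemanager -s output."""
    dates = [date(int(y), int(m), int(d)) for d, m, y in EXPIRY.findall(text)]
    if not dates:
        raise ValueError("no 'Expiration date' line found")
    # "License info" and the active key block should agree; take the earliest
    # date so a disagreement never makes the check more optimistic than the facts.
    return {"keys": KEY_FILE.findall(text), "expires": min(dates)}


def license_state(report, today, warn_days=30):
    """Classify as 'expired', 'expiring' (within warn_days) or 'ok'.

    today may be a date or an ISO 8601 string such as "2006-01-18".
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    left = (report["expires"] - today).days
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read()
    if not text.strip():
        text = SAMPLE_OUTPUT  # no input piped in: demonstrate on the sample
    rep = parse_license_report(text)
    state = license_state(rep, date.today())
    print("keys=%s expires=%s state=%s" % (rep["keys"], rep["expires"], state))
    sys.exit(0 if state == "ok" else 1)
```

Typical use is licensemanager -s | python3 check_license.py from a daily cron job; the non-zero exit status for expiring or expired keys lets the job raise an alert before the updating function is lost.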
8.2. License extension
Extending your license to use Kaspersky Anti-Virus restores all the functions of the software. In addition, you will again have access to the services listed at the beginning of Chapter 8.
The period of license validity depends on the type of licensing that you selected when purchasing the software (the typical period of validity for a license to use Kaspersky Anti-Virus is one year).
To extend your license to use Kaspersky Anti-Virus for Sendmail with Milter API, you will need to either:
contact the company where you purchased the software and obtain an extension for your license to use Kaspersky Anti-Virus;
or:
extend the license directly through Kaspersky Lab by sending a message to the Sales Department (sales@kaspersky.com) or by filling out the appropriate form in the E-Store section of our site (www.kaspersky.com). After payment you will receive a license key sent to the e-mail address indicated in your order form.
The purchased license key has to be installed using the licensemanager utility, which places it in the directory specified by the LicensePath parameter of the application configuration file.
To install a new license key, perform the following actions:
1. At the command prompt, enter the following:
# ./licensemanager -a 00053E3D.key
The following information will be output to the server console:
Kaspersky license manager. Version 5.6.0.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2005.
Key file 00053E3D.key is successfully registered
2. Restart the application using the following command:
# /etc/kav/5.6/kavmilter/init.d/kavmilterd restart
(for Linux)
# /usr/local/etc/kav/5.6/kavmilter/rc.d/kavmilterd restart
(for FreeBSD)
# /etc/kav/5.6/kavmilter/rc.d/kavmilterd restart
(for OpenBSD)
We recommend updating your anti-virus databases after this procedure.
If you wish to install a new license key before the current one expires, you can install it as a reserved key. A reserved key begins working when the validity period of the active key expires; the validity period of the reserved key is counted from the moment of its activation.
A reserved key is installed in the same way as the active key. After that, a license key information request outputs data about both the active and the reserved key to the server console.
8.3. License key removal
To remove your active key, enter the following at the command line:
# ./licensemanager -da
The following information will be output to the server console:
Kaspersky license manager. Version 5.6.0.0/RELEASE
Copyright (C) Kaspersky Lab. 1998-2005.
Active key was successfully removed
If you delete the active key while a reserved key is installed, both keys are deleted by that operation.
To remove your reserved key, enter the following at the command line:
# ./licensemanager -dr
The following information will be output to the server console:
Kaspersky license manager for Linux. Version 5.6.0.0/RELEASE #19
Copyright (C) Kaspersky Lab, 1997-2005.
Portions Copyright (C) Lan Crypto
License key was successfully removed
CHAPTER 9. COMPATIBILITY WITH OTHER KASPERSKY LAB APPLICATIONS
Kaspersky Anti-Virus 5.6 for Sendmail with Milter API does not cause any compatibility problems when running concurrently with the following Kaspersky Lab applications for Unix/Linux platforms:
Kaspersky Anti-Virus 5.0.3-0 for Samba Servers.
Kaspersky Anti-Virus 5.5-2 for Linux Workstation.
Kaspersky SMTP-Gateway 5.5 for Linux/Unix Maintenance Pack 1.
When using a Kaspersky Lab application for Unix/Linux that has the real-time protection component kavmonitor, note that the Sendmail message queue is stored on disk and that kavmonitor intercepts a queued message when it is accessed. If the message is infected or contains suspicious code, kavmonitor blocks it and prevents it from being delivered. To avoid this problem, exclude the Sendmail queue directory from the kavmonitor scan area.
During installation of Kaspersky Anti-Virus for Sendmail with Milter API on a server where Kaspersky Anti-Virus for Unix/Linux is already present, the kavmilter module is registered with the kavmonitor module by a special script. After the registration, the kavmilter module receives "permission" from kavmonitor to filter Sendmail messages.
To filter email messages, Kaspersky Anti-Virus for Sendmail with Milter API creates a temporary file in the specified directory on disk. The kavmonitor module intercepts this file to perform anti-virus processing. If the file is flagged as infected, kavmonitor blocks it and prevents Kaspersky Anti-Virus for Sendmail from filtering the message (the mlfi_abort callback is invoked).
To avoid this problem, exclude the directory for Kaspersky Anti-Virus for Sendmail temporary files from the kavmonitor scan area.
The temporary file directory is defined by the TempDir parameter in the [kavmilter.global] section.
You should also exclude the directory where Sendmail stores users' mailboxes, as well as the backup directories of Kaspersky Anti-Virus, from the kavmonitor scan area.
Backup directories are defined for each group by the BackupDir parameter in the [group.backup] section.
CHAPTER 10. VERIFYING PROPER OPERATION OF THE ANTI-VIRUS
When the installation and setup of Kaspersky Anti-Virus are complete, we recommend checking the settings and correct operation of the application using a test "virus" and modifications of it.
The test "virus" was developed by EICAR (the European Institute for Computer Anti-Virus Research) specifically for verifying the operation of anti-virus software.
The test "virus" IS NOT A VIRUS and contains no code that may harm your computer. However, most anti-virus products identify it as a virus.
Never use real viruses to test the operation of your anti-virus application!
The test "virus" can be downloaded from the official EICAR site at http://www.eicar.org/anti_virus_test_file.htm. If you have no Internet access, you can create the test "virus" manually. To do so, enter the line below in any text editor and save the file as eicar.com:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
The file that you downloaded from the EICAR site or created in a text editor as described above contains the body of the standard test "virus". The anti-virus application will detect it, flag it as Infected and perform the action configured for objects with this status.
To test the application's response to other types of objects, modify the body of the standard test "virus" by adding one of the prefixes below (see table 5).
You can verify the operation of Kaspersky Anti-Virus for Sendmail with Milter API using modifications of the EICAR "virus" only if your anti-virus databases were last updated on or after October 24, 2003, or include the cumulative updates for October 2003.
Table 5. Modifications of the test "virus"
Prefix                        Object type
No prefix (standard test      Infected. An error occurs during disinfection, so the
"virus")                      object is deleted.
CORR-                         Corrupted.
SUSP-                         Suspicious (unknown virus code).
WARN-                         Warning (modified code of a known virus).
ERRO-                         Error.
CURE-                         Curable. The object is disinfected and the text in the
                              infected file is changed to CURE.
DELE-                         Infected. The object is deleted automatically.
The first column of the table contains the prefixes that should be added to the beginning of the line in the standard test "virus" file (the separator is an ordinary hyphen-minus), for example:
DELE-X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
After adding a prefix to the test "virus", save it to a file with a different name, for example eicar_dele.com; name all the modified "viruses" in the same manner.
The second column contains the types of objects identified by the anti-virus application after you add a prefix. The action for each type of object is defined by the application settings configured by the administrator.
It is recommended that you test the operation of your anti-virus application for both incoming and outgoing mail, in message bodies and in attachments. To test the detection of viruses in message bodies, paste the text of either the standard or a modified "virus" into a message body.
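The following added Python example (not the manual's, EICAR's or the product's code) builds the standard test file and the seven prefixed variants of table 5 in memory, and assembles a MIME message carrying one variant as an attachment and optionally another in the body, so that the body and attachment tests above can be generated identically every time instead of by hand. The sender, recipient and file names are placeholders; the EICAR string itself is the published test pattern. The source keeps the pattern split in two so that this file is not itself flagged on disk; the pieces are joined at run time.

```python
"""Added example (not Kaspersky's or EICAR's code): generate the EICAR test
file, the prefixed variants of table 5, and a MIME test message.

Assumptions: the variants are the seven rows of table 5; addresses and file
names are placeholders. Nothing here is malicious; the EICAR string is the
published, harmless test pattern.
"""
import os
from email.message import EmailMessage

# The 68-character test string, exactly as published by EICAR, split so that
# the contiguous pattern appears only at run time and not in this file.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Prefix -> object type the scanner is expected to report (table 5).
PREFIXES = {
    "": "Infected (disinfection fails, object deleted)",
    "CORR-": "Corrupted",
    "SUSP-": "Suspicious",
    "WARN-": "Warning",
    "ERRO-": "Error",
    "CURE-": "Curable",
    "DELE-": "Infected (deleted automatically)",
}


def eicar_variants():
    """Return {file name: bytes} for the standard file and every prefixed form."""
    out = {}
    for prefix in PREFIXES:
        name = "eicar.com" if not prefix else "eicar_%s.com" % prefix.rstrip("-").lower()
        # No trailing newline: detection depends on the first 68 bytes being
        # exactly the pattern (trailing whitespace is tolerated, a BOM is not).
        out[name] = (prefix + EICAR).encode("ascii")
    return out


def write_variants(directory):
    """Write every variant into directory (must exist); return the paths."""
    paths = []
    for name, data in eicar_variants().items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def build_test_message(attachment_name, body_variant=None,
                       sender="sender@example.com", recipient="postmaster@example.com"):
    """Return an EmailMessage with one variant attached and, optionally, one in the body."""
    variants = eicar_variants()
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "kavmilter test: " + attachment_name
    body = "Anti-virus test message.\n"
    if body_variant:
        body += variants[body_variant].decode("ascii") + "\n"
    msg.set_content(body)
    msg.add_attachment(variants[attachment_name], maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    # Print a ready-to-send message to stdout, e.g. for "| sendmail -t".
    print(build_test_message("eicar_cure.com", body_variant="eicar.com").as_string())
```

Submit the generated message both from inside and from outside the protected domains, then compare the object type the application logs for each variant with the second column of table 5; a CURE- variant should come back disinfected, a DELE- variant removed, and so on.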
CHAPTER 11. FREQUENTLY ASKED QUESTIONS
This chapter contains a detailed discussion of the questions most frequently asked by our users regarding the installation, configuration and operation of Kaspersky Anti-Virus for Sendmail with Milter API.
Question: Is it possible to use Kaspersky Anti-Virus with anti-virus products of other vendors?
No. We recommend uninstalling anti-virus products of other vendors prior to installation of Kaspersky Anti-Virus to avoid software conflicts.
Question: Why does Kaspersky Anti-Virus cause a certain decrease in server performance, noticeably loading the CPU?
Virus detection is a computationally intensive problem requiring structural analysis, checksum calculation and mathematical data conversions. Processor time is therefore the main resource consumed by the application, and each new virus added to the anti-virus database increases the overall scanning time. This is a necessary sacrifice for the security and safety of your data.
Other anti-virus products speed up scanning by excluding from their databases both viruses that are harder to detect or less frequent in the geographic location of the anti-virus vendor, and file formats that require complicated analysis (e.g. PDF).
In contrast, Kaspersky Lab believes that the purpose of its products is to establish real and complete security for its users.
Kaspersky Anti-Virus gives its users maximum protection. Experienced users can accelerate anti-virus scanning at the expense of overall security by disabling scanning of various file types, but we do not recommend doing so for users who want the best protection.
For maximum user protection, Kaspersky Anti-Virus recognizes more than 700 formats of archived and compressed files. This is essential for anti-virus security, because harmful executable code may be hidden inside files of any recognized format.
Question: Why do I need the key file? Will my Kaspersky Anti-Virus work without it?
No, Kaspersky Anti-Virus does not work without a license key.
If you are still deciding whether or not to purchase Kaspersky Anti-Virus, we can provide you with a temporary key file (trial key) which will only work either for two weeks or for a month. When this period expires, the key will be blocked.
Question: What happens when the license expires?
After expiration of the license, Kaspersky Anti-Virus continues operating, but updating of the anti-virus databases is disabled. Kaspersky Anti-Virus will continue disinfecting infected objects, but only using the old anti-virus databases.
If this happens, notify your system administrator and contact the company where you purchased Kaspersky Anti-Virus, or Kaspersky Lab directly, for license renewal.
Question: What are the daily updates for?
A few years ago viruses were transmitted on floppy disks, and adequate computer protection could be achieved by installation of an anti-virus application followed by rare updates to its anti-virus database. However, recent virus epidemics spread around the world in several hours, and anti-virus protection with old databases may be helpless against a new threat. In order to resist new viruses, you should update the anti-virus databases every hour.
Every year Kaspersky Lab increases the frequency of its updates issued for the anti-virus databases. Currently they are updated every hour.
Question: What are the changes to the updating service of version 5.0 and higher?
The Kaspersky Lab 5.0 product suite features a new updating service, developed in accordance with the requests of our users. It automates the whole updating procedure, from the preparation of updates at Kaspersky Lab to the moment the relevant files are updated on clients' computers.
Advantages of the new updating service include:
Ability to resume downloading of files after disconnection. Upon reconnection only files which have not yet been downloaded are retrieved.
Cumulative updates are now half the size. A cumulative update contains the whole anti-virus database, so its size considerably exceeds that of a typical update. The new service employs a special technology that allows the already existing anti-virus database to be reused for a cumulative update.
Accelerated downloading from the Internet. Kaspersky Anti-Virus picks a Kaspersky Lab update server located in your region. Furthermore, servers are allocated according to their performance, so you will not be sent to an overloaded server while another idle server is available.
Use of key "black lists". Unlicensed and illegal users of Kaspersky Anti-Virus are now prevented from using the updating service, so licensed users no longer suffer from being unable to contact overloaded update servers.
Corporate enterprises can now create a local update server. This feature is designed for organizations where a single LAN unites computers protected by Kaspersky Lab products. Any computer on the LAN can be turned into an update server that retrieves updates from the Internet and shares them with the other networked computers.
Question: Can an intruder deliberately replace the anti-virus database?
Every anti-virus database has a unique signature that Kaspersky Anti-Virus products verify when they access the database. If the signature does not correspond to the one assigned at Kaspersky Lab, or the date of the database is later than the license expiry date, Kaspersky Anti-Virus will not use it.
Question: Are processors of other architectures supported (PowerPC, SPARC, Alpha, PA-RISC etc.)?
The current version of the product does not support processors of those types.
Question: Will Kaspersky Anti-Virus work with my Linux distribution?
Kaspersky Anti-Virus has been tested with the following distributions:
Red Hat Enterprise Linux Advanced Server 4.
Red Hat Linux 9.0.
Fedora Core 3.
SuSE Linux Enterprise Server 9.0.
SuSE Linux Professional 9.2.
Debian 3.1.
Mandrakelinux 10.1.
FreeBSD 4.10, 5.4.
OpenBSD 3.6.
Kaspersky Anti-Virus packages have been compiled specifically for those distributions.
If your distribution is 100% compatible with a supported one (for example, ASPLinux is compatible with Red Hat Linux), the probability of critical problems is very low.
Users of distributions that are not on the list supported by Kaspersky Lab may experience incorrect product operation. This is mainly due to operating system specifics: for example, your distribution may use a different library version, or its system initialization scripts may be in a non-standard location. In such cases, Kaspersky Lab Technical Support will be unable to help you.
Question: Kaspersky Anti-Virus for Sendmail with Milter API does not work on FreeBSD 5.4 when the SNMP plug-in is used.
On FreeBSD 5.4, if you enable the SNMP plug-in, you might get an error regarding the nss_dns.so.1 library. The problem is caused by libc using incorrect entries from the /etc/nsswitch.conf file. To fix it, do the following:
a. disable the startup script /etc/rc.d/nsswitch, for example with the following command:
# chmod a-x /etc/rc.d/nsswitch
b. rename or delete the /etc/nsswitch.conf file.
Both steps change how libc resolves names system-wide, so check afterwards that other name lookups on the mail server still behave as expected.
Question: The application does not work. What should I do?
First, check whether a solution for your problem is provided in this documentation, especially in this section, or on our website.
In addition, we recommend that you apply for support to the distributor from whom you purchased Kaspersky Anti-Virus, or write to our Technical Support service (support@kaspersky.com) or to the address contained in the license key information.
The following steps will help us process your inquiry promptly:
1. In the message header, specify your operating system, the name of the Kaspersky Lab product you are experiencing problems with, and briefly describe the problem. For example:
SuSE Linux 9.2 Professional, Kaspersky Anti-Virus 5.6 for Sendmail with Milter API, updating of the anti-virus databases does not function.
2. Compose your messages in plain text format.
3. At the beginning of the message, specify the exact versions of the operating system and of the Kaspersky Anti-Virus distribution package, and provide the number of your license key file.
4. Describe the problem clearly and briefly. Keep in mind that, when reading your mail, the technical support officers do not yet know anything about your problem. They can only help after fully understanding and reproducing it.
5. Send the following data, packed into one archive, to the Technical Support service:
all configuration files of your mail transfer agent (MTA);
the log file of the mail system;
the log file produced by Kaspersky Anti-Virus;
your license key file.
Before sending the archive, remove any passwords the MTA configuration may contain (for example SMTP AUTH credentials) and any personal data in the logs that you are not required to disclose.
6. Make sure to specify in your mail whether your computer system has any of the following:
a very old or very new processor, or more than one processor;
less than 64 MB or more than 2 GB of RAM.
7. Specify the approximate amount of daily traffic and whether or not the server has peak loads.
You can also use the troubleshooter.sh script to determine the reason for the problem and to communicate with our Technical Support service (see section 7.18 on page 78).
APPENDIX A. ADDITIONAL INFORMATION
A.1. Application configuration file kavmilter.conf
This appendix provides a detailed explanation of every section of the kavmilter.conf configuration file, which contains the general settings of Kaspersky Anti-Virus.
The [kavmilter.global] section contains general parameters required for application startup and operation:
RunAsUid – name of the user account whose privileges are used to run the application.
RunAsGid – name of the group whose privileges are used to run the application.
ServiceSocket – the local or network socket used by Kaspersky Anti-Virus to interact with Sendmail. For example:
inet:<port>@<ip-address>
where inet means that a network socket is used, <port> defines the port of interaction and <ip-address> defines the IP address of the socket;
local:<path_to_socket>
where local means that a local socket is used and <path_to_socket> defines the path to the local socket.
If a local socket is used, make sure that only the account under which the application runs has write permission for the socket file and for the directory containing it; otherwise another local user could replace the socket and intercept or inject filter traffic.
MilterTimeout – timeout for communication via the Milter API between Sendmail and Kaspersky Anti-Virus. If no data or commands are sent during the time specified here, Kaspersky Anti-Virus closes the connection to Sendmail.
WatchdogMaxRetries – maximum number of attempts by the watchdog to restart Kaspersky Anti-Virus. The value -1 corresponds to an unlimited number of retries.
TempDir – the directory storing temporary files.
LicensedUsersDomains – list of domains containing the accounts that should be protected, according to the licensing scheme of Kaspersky Anti-Virus for Sendmail with Milter API. This option is available only if your license is issued for a certain number of mail addresses.
The [kavmilter.snmp] section contains parameters defining interaction with the application via the SNMP protocol:
SNMPServices=config|statistics|admin|update|all|none – application information that can be accessed over SNMP.
You can set several values for this parameter by repeating it, as in the following example:
SNMPServices=config
SNMPServices=admin
SNMPTraps=config|admin|update|all|none – list of events that trigger a notification to the administrator via SNMP traps.
AlertThreshold=0…100 – threshold percentage of infected messages among all messages scanned during the last hour; when exceeded, it triggers an SNMP trap sent by the application (only if the SNMPTraps parameter is set to admin or all).
The [kavmilter.agentx] section contains the AgentX protocol parameters for the SNMP subagent.
Socket – the socket used to interact via the AgentX protocol; either a local or a network socket can be specified here.
Timeout – timeout (in seconds) for requests sent to the master agent.
Retries – number of attempts for requests sent to the master agent.
PingInterval – time interval (in seconds) between attempts by the subagent to reconnect to the master agent if the connection fails.
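The SNMP and AgentX parameters described in the additional-setup chapter and in the [kavmilter.global], [kavmilter.snmp] and [kavmilter.agentx] sections above are easy to get subtly wrong (a repeated SNMPServices key, an AlertThreshold with no admin traps to carry it, a malformed socket). The following added Python example, which is not the manual's or the product's code, parses those sections from a kavmilter.conf-style file and checks them against the rules stated above. It assumes an INI-like layout of "[section]" headers and "Key=Value" lines with "#" comments, where a key may repeat to give several values; the sample configuration is constructed for the example and the check names are the example's own.

```python
"""Added example (not Kaspersky's code): read the [kavmilter.global],
[kavmilter.snmp] and [kavmilter.agentx] sections of a kavmilter.conf-style
file and check them against the rules the manual gives.

Assumptions: "[section]" headers, "Key=Value" lines, "#" comments, and a key
that may repeat to give several values. The sample below is constructed.
"""
import re
from collections import defaultdict

SAMPLE_CONF = """\
[kavmilter.global]
RunAsUid=kav
RunAsGid=kav
ServiceSocket=local:/var/run/kavmilter/kavmilter.sock
TempDir=/var/tmp/kavmilter

[kavmilter.snmp]
SNMPServices=config
SNMPServices=admin
SNMPTraps=update
AlertThreshold=15

[kavmilter.agentx]
Socket=/var/agentx/master
Timeout=5
Retries=10
PingInterval=30
"""

SERVICES = {"config", "statistics", "admin", "update", "all", "none"}
TRAPS = {"config", "admin", "update", "all", "none"}


def parse_conf(text):
    """Return {section: {key: [value, ...]}}; a repeated key accumulates values."""
    conf = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" not in line or section is None:
            raise ValueError("malformed line: %r" % raw)
        key, value = (part.strip() for part in line.split("=", 1))
        conf[section][key].append(value)
    return conf


def parse_service_socket(value):
    """Split ServiceSocket into ("inet", port, ip) or ("local", path, None)."""
    m = re.fullmatch(r"inet:(\d+)@(\S+)", value)
    if m:
        return ("inet", int(m.group(1)), m.group(2))
    m = re.fullmatch(r"local:(/\S+)", value)
    if m:
        return ("local", m.group(1), None)
    raise ValueError("unrecognised ServiceSocket: %r" % value)


def check_snmp(conf):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    snmp = conf.get("kavmilter.snmp", {})
    services = set(snmp.get("SNMPServices", []))
    traps = set(snmp.get("SNMPTraps", []))
    problems += ["unknown SNMPServices value %r" % v for v in sorted(services - SERVICES)]
    problems += ["unknown SNMPTraps value %r" % v for v in sorted(traps - TRAPS)]
    if "none" in services and len(services) > 1:
        problems.append("SNMPServices mixes 'none' with other values")
    threshold = snmp.get("AlertThreshold", ["0"])[-1]
    if not threshold.isdigit() or not 0 <= int(threshold) <= 100:
        problems.append("AlertThreshold must be 0..100, got %r" % threshold)
    elif int(threshold) > 0 and not traps & {"admin", "all"}:
        # OutbreakAlert belongs to the admin event group, so a threshold with
        # neither admin nor all in SNMPTraps is silently inert.
        problems.append("AlertThreshold is set but SNMPTraps has neither admin nor all; "
                        "no OutbreakAlert trap will be sent")
    agentx = conf.get("kavmilter.agentx", {})
    if "Socket" in agentx:
        sock = agentx["Socket"][-1]
        if not (sock.startswith("/") or re.fullmatch(r"[^:\s]+:\d+", sock)):
            problems.append("AgentX Socket must be a path or host:port, got %r" % sock)
    return problems
```

On the constructed sample the check reports exactly one problem: AlertThreshold is 15 but SNMPTraps lists only update, so the OutbreakAlert trap that the threshold is meant to drive would never be sent.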
The [kavmilter.engine] section includes parameters defining the scanning procedure:
MaxScanRequests – the maximum number of requests for scanning messages. If the parameter is 0, the number of requests is unlimited.
MaxScanTime – the maximum time, in seconds, that the application may spend scanning a single object (a message or an object within a message). If the value is exceeded, the application returns an error.
ScanArchives=yes|no – scan archives. To disable this mode, set the parameter to no.
ScanPacked=yes|no – scan packed executables. To disable this mode, set the parameter to no.
ScanCodeanalyzer=yes|no – scan using the heuristic code analyzer to detect malicious programs, virus modifications and unknown viruses. To disable this mode, set the parameter to no.
UseAVBasesSet=standart|extended – the set of anti-virus databases the application uses to scan messages (the value standart is spelled this way in the configuration file). The extended set contains all the signatures of the standart set together with signatures for potentially dangerous programs, such as adware, remote administration software, network scanners, virus simulators and others.
The [kavmilter.log] section includes reporting options:
LogFacility – where application reports are written: the value file directs them to the file named by LogFilepath; otherwise the system log is used.
LogFilepath – path to the report file. This parameter is ignored if the system log is selected for reports.
LogOption=internal|scan|config|backup|all – category of messages and events to be recorded in the report.
Each category of messages logged in the report can have several detail levels: debug, info, notice, warning, error, critical, or all.
You can combine message categories and detail levels, and repeat the parameter, as follows:
LogOption=backup.all
LogOption=config.error
LogOption=scan.all
LogOption=-scan.debug
The "-" prefix before a combination means that this information is skipped while logging.
LogRotate=yes|no – enable report file rotation (used only if LogFacility=file). To disable this mode, set the parameter to no.
RotateSize – report file size in bytes. When it is reached, a new report file is created.
RotateRounds – number of report files kept during rotation. When this number is reached, the application starts to overwrite the oldest one.
Use the RotateSize and RotateRounds parameters only if you have set LogRotate to yes.
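The LogOption combinations above are easier to reason about when their effect is written out. The following added Python example, not the manual's or the product's code, computes which (category, level) pairs a sequence of LogOption values enables, using the manual's own four-line example as input. It assumes that the values are applied in the order written, that a "-" entry removes what an earlier entry added, and that all expands to every category or level; the manual does not say whether a named level such as config.error also implies the more severe levels, so the function treats a level literally unless cumulative=True is passed.

```python
"""Added example (not Kaspersky's code): evaluate a list of LogOption values
into the set of (category, level) pairs that will be logged.

Assumptions: values apply in order; "-" removes; "all" expands to every
member; a named level is literal unless cumulative=True. The categories and
levels are the ones the manual lists.
"""
CATEGORIES = ("internal", "scan", "config", "backup")
LEVELS = ("debug", "info", "notice", "warning", "error", "critical")


def _expand(option, cumulative):
    """Return the set of (category, level) pairs one LogOption value names."""
    cat, sep, level = option.partition(".")
    if not sep or cat not in CATEGORIES + ("all",) or level not in LEVELS + ("all",):
        raise ValueError("bad LogOption value: %r" % option)
    cats = CATEGORIES if cat == "all" else (cat,)
    if level == "all":
        levels = LEVELS
    elif cumulative:
        levels = LEVELS[LEVELS.index(level):]   # this level and every more severe one
    else:
        levels = (level,)
    return {(c, l) for c in cats for l in levels}


def effective_log_options(options, cumulative=False):
    """Apply LogOption values in order; a leading '-' removes, anything else adds."""
    enabled = set()
    for raw in options:
        raw = raw.strip()
        if raw.startswith("-"):
            enabled -= _expand(raw[1:], cumulative)
        else:
            enabled |= _expand(raw, cumulative)
    return enabled


def is_logged(enabled, category, level):
    """True if a message of this category and level is recorded."""
    return (category, level) in enabled


# The manual's own example, as four LogOption values.
MANUAL_EXAMPLE = ["backup.all", "config.error", "scan.all", "-scan.debug"]
```

With the manual's example the result is every backup level, config.error only, and every scan level except debug; internal is not logged at all. Because removal applies only to what precedes it, writing -scan.debug before scan.all has no effect, which is the kind of ordering mistake this check makes visible.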
The [kavmilter.statistics] section includes statistics options:
TrackStatistics=message|resources|viruses|all|none – enable statistics recording.
DataFormat=text|xml – statistics file format.
DataFile – full path to the file that stores statistics.
MessageStatistics – file used to store detailed information about all scanned messages. Leave the parameter value blank if you do not want this data to be logged.
The [path] section contains parameters that define the paths to critical directories.
BasesPath – full path to the anti-virus database.
LicensePath – full path to the directory where license keys are stored.
The [locale] section contains options for displaying the date and time in the reports and statistics.
DateFormat=%d-%m-%Y – date format displayed in the report.
TimeFormat=%H:%M:%S – time format displayed in the report.
The [updater.path] section defines the directories used for updating.
UploadPatchPath – full path to the directory containing updates to the anti-virus kernel.
BackUpPath – full path to the directory for backup storage of the anti-virus database and kernel modules.
PidFile – path to the pid file used to prevent several instances of the keepup2date utility from running at the same time. If this parameter is missing, the pid file is not created and the check is not performed.
AVBasesTestPath – full path to the avbasestest utility, which checks the integrity of the anti-virus database. If the updates are not corrupted, they are copied from the temporary folder to the directory storing the anti-virus database.
The application runs the avbasestest utility automatically. You do not need to start it manually.
The [updater.options] section contains parameters defining update options.
KeepSilent=yes|no – defines whether the application displays a report about an update on the console. If set to yes, reports are not sent to the console.
UseUpdateServerUrl=yes|no – defines whether the application uses the URL defined by the UpdateServerUrl parameter as the update source.
UpdateServerUrl – the address of the server used as the source for updating the database and kernel modules.
UseUpdateServerUrlOnly=yes|no – defines whether the application uses only the URL specified by UpdateServerUrl to update the database. If this option is set to no, then whenever updating from the