
Virge 3.04rc3


Developer:   Vanja Hrustic
Price:  0.00
License:   BSD License
File size:   174K


Virge is a mail 'scanner' written in C which temporarily takes the place of procmail: it checks the incoming mail and then sends the mail on to procmail. It will check mail for viruses and/or attachment names. Check the FEATURES/README/NEWS files for more details. Virge requires Sendmail and (optionally) AVPDaemon, Sophie or Trophie (to check attachments for viruses).

Virge temporarily replaces procmail. When new mail comes in, Sendmail passes the contents of the mail to Virge. At that point, Virge performs a set of checks:

It checks whether the mail has attachments. If it does not, the mail is sent to procmail for delivery.
If the mail has attachments, Virge creates a temporary directory, unpacks the attachments there, and asks AVP/Sophie/Trophie to scan the temporary directory for viruses. Virge was created with 2 things in mind: performance and security. Because of performance issues, it was not feasible to use any 'command line scanners' like the TrendMicro or McAfee ones.

AVP/Sophie/Trophie are then instructed to scan the attachments for viruses. If any viruses are found, the mail is immediately 'isolated' in a directory (hopefully) not accessible to anyone except administrators.

If no viruses were found, Virge then performs the 'attachment' check to see whether any of the attachments are not allowed to be sent to the end user. A configuration file is consulted for the list of extensions (or 'full' filenames) that should not be allowed in. If any such attachments are found, the tricky part comes: Virge will *hopefully* properly "rewrite" the whole email and strip the attachments that are not allowed. A small notice is attached at the end of the mail, with the names of the stripped attachments. The mail is also 'isolated', in case the poor overworked sysadmin ever gets some free time to take a closer look.

IMPORTANT: Please keep in mind that Virge will *NOT* rewrite & send mails when a virus has been found. I will *NOT* implement any such features, since it doesn't make any sense (I haven't seen a mail with a virus that actually had some 'valuable' content in it for many months - maybe even years).

If AVP/Sophie/Trophie are not available (the daemon is down), Virge will still deliver mails and annoy admins through syslog messages. The attachment check is still performed.
Users for whom no checks should be performed can also be configured. The location of that file can be specified in the configuration file.
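
The check sequence described above, as an added Python example that is not Virge's own C code: the scanner verdict is passed in as a string instead of querying AVP/Sophie/Trophie, and the deny list, function names and sample message are constructed for illustration. It assumes multipart mail; a single-part mail that is itself a named attachment is not rewritten here.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed deny list (assumed format): extension patterns or full filenames.
BLOCKED = [re.compile(p, re.I) for p in (r"\.(exe|com|scr|pif)$", r"^setup\.bat$")]

def is_blocked(name):
    # Trailing dots/spaces are trimmed first so "a.exe." cannot dodge the suffix match.
    return any(rx.search(name.strip().rstrip(". ")) for rx in BLOCKED)

def prune(part, stripped):
    """Drop blocked attachments at any multipart nesting depth, recording their names."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()
        if name and is_blocked(name):
            stripped.append(name)
        else:
            prune(child, stripped)
            kept.append(child)
    part.set_payload(kept)

def process(raw, scan_result):
    """scan_result: 'clean', 'infected' or 'unavailable' (stand-in for the daemon reply)."""
    msg = message_from_string(raw, policy=policy.default)
    if not any(p.get_filename() for p in msg.walk()):
        return "deliver", [], raw            # no attachments: straight to delivery
    if scan_result == "infected":
        return "isolate", [], None           # never rewritten, never delivered
    stripped = []                            # 'unavailable' still gets the name check
    prune(msg, stripped)
    if not stripped:
        return "deliver", [], raw
    notice = EmailMessage()
    notice.set_content("Attachments removed: " + ", ".join(stripped))
    msg.attach(notice)                       # notice goes at the end of the mail
    return "rewrite+isolate", stripped, msg.as_string()

def sample():
    """Constructed test message with one blocked and one allowed attachment."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("hello")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename="Update.EXE")
    m.add_attachment("fine", filename="notes.txt")
    return m.as_string()
```

In the "rewrite+isolate" case the caller is expected to keep the original `raw` in the isolation directory and pass the returned text on for delivery.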

Virge is definitely trying not to let any lame script kiddies abuse it in any way. It tries to resist race conditions, buffer overflows, and similar neat tricks. No guarantees, of course, that there are no security problems in Virge.

Virge tries to be as fast as possible, and not waste CPU time or any other resources. It is still possible to make it perform even better, although I presume it would be in 1-5% range. Will take some more time later, and try to fix all the small performance problems.

And yes - Virge *is* fast. I made a complete 'Virge V1' in Perl some time ago, but it was an absolute failure. Although I tried to use as few modules as possible and make it as fast as possible... it was crap. 2 minutes after I started a script that sends 3-5 mails per second, I started wondering "Why the hell can't I login to the mailserver anymore?". Perl is nice, but it's not good for tools like this. Not at all (except if you have low traffic on your mailserver).

And Virge still needs a *lot* of testing. I have tried to test Virge with many different mail (MIME) formats and tried different tricks in order to bypass its 'decoding techniques' (in order to send a virus or .exe to users), but it handles things pretty well. There are cases, though, when it is possible to trick librfc2045 and send attachments that don't get 'caught', but those attachments are violating RFCs anyway. If your mail client is stupid enough to decode invalid/malformed attachments/mails - you deserved it. Don't use stupid mail clients then. I'm not going to start adding all those crappy features into Virge that would let someone detect all possible tricks which can be used. Use good mail clients, don't rely on Virge to save you.

Here are some key features of "Virge":
  • Virge can check every incoming mail for attachments, and can remove attachments that are considered dangerous.
  • "Dangerous" can be defined as:
      • email with specific kinds of attachments (e.g., .EXE, .COM, etc.)
      • email that contains a virus as identified by Sophie ( http://www.vanja.com )
      • email that contains a virus as identified by Trophie ( http://www.vanja.com )
      • email that contains a virus as identified by AVPDaemon ( http://www.avp.ch )
      • any combination of the above.
  • Dangerous email can trigger:
      • rewriting that removes virus.
      • alert back to sender.
      • alert to recipient.
      • alert to system manager.
      • rewrite to remove virus.
  • All 'offending' mail messages can be isolated for later review.
  • Written in C, so it is very fast, doesn't waste resources, and doesn't depend on a complicated Perl installation (which is subject to breaking).
  • Notification can be sent (configurable) to the sender/recipient of suspicious/infected mail. Templates can be used to define the layout of the mail.
  • Regular expressions can be used for filename matching.
  • Virge was made with security in mind, and should be hard to abuse.
  • Can be configured to fail open or fail closed if the load on the machine goes too high.
  • Virge 3.0 is designed for easy integration with Postfix.

    Requirements:
  • Sendmail (tested with 8.10.x, 8.11.x and 8.12.x)
  • Postfix (Virge integrates through SMTP filter feature)
  • Procmail (shouldn't be a problem if you are using Sendmail)
  • Sophie / Trophie / AVPDaemon (if you want to scan for viruses)

    What's New in This Release:
  • Mails would be isolated after rewriting, in virge_checkrewrite(), which was plain wrong [virge.c]
  • messageID is modified now (random 8 digits + pid) [virge.c]
  • Time/date stamps added in event_log(), and are being printed in all logfiles. Added to debugging output as well.

    Download Virge 3.04rc3


     http://www.vanja.com/tools/virge/virge-3.04rc3.tar.bz2
     http://www.vanja.com/tools/virge/virge-3.04rc3.tar.gz

