Virge 3.04rc3 review

by rbytes.net on

License: BSD License
File size: 174K
Developer: Vanja Hrustic
0 stars award from rbytes.net

Virge is a mail 'scanner' written in C which temporarily stands in for procmail: it checks the incoming mail and then hands it to procmail. It checks mail for viruses and/or attachment names. See the FEATURES/README/NEWS files for more details. Virge requires Sendmail and (optionally) AVPDaemon, Sophie or Trophie (to check attachments for viruses).

Virge temporarily replaces procmail. When new mail comes in, Sendmail passes the contents of the mail to Virge. At that point, Virge performs a set of checks:

It checks whether the mail has attachments. If it does not, it sends the mail to procmail for delivery.
If the mail has attachments, Virge creates a temporary directory, unpacks the attachments there, and asks AVP/Sophie/Trophie to scan the temporary directory for viruses. Virge was created with two things in mind: performance and security. Because of performance concerns, it was not feasible to use any 'command line scanners' such as the TrendMicro or McAfee ones.

AVP/Sophie/Trophie scan the attachments for viruses next. If any viruses are found, the mail is immediately 'isolated' in a directory that is (hopefully) not accessible to anyone except administrators.

If no viruses were found, Virge then performs the 'attachment' check and sees whether any of the attachments are not allowed to be sent to the end user. A configuration file is consulted for the list of extensions (or 'full' filenames) that should not be allowed in. If any such attachments are found, the tricky part comes: Virge will *hopefully* properly "rewrite" the whole email and strip the attachments that are not allowed. A small notice with the names of the stripped attachments is appended at the end of the mail. The mail is also 'isolated', in case the poor overworked sysadmin ever gets some free time to take a closer look.

IMPORTANT: Please keep in mind that Virge will *NOT* rewrite & send mails when a virus has been found. I will *NOT* implement any such feature, since it doesn't make any sense (I haven't seen a mail with a virus that actually had some 'valuable' content in it for many months - maybe even years).

If AVP/Sophie/Trophie are not available (the daemon is down), Virge will still deliver mails and annoy admins through syslog messages. The attachment check is still performed.
Users for whom no checks should be performed can also be configured. The location of that file can be specified in the configuration file.
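The attachment check and rewrite described above, as an added example rather than Virge's own (C) code, done with Python's email library: a constructed deny-list of case-insensitive regexes stands in for Virge's extension/filename config, a constructed two-attachment mail is the input, and strip_denied_attachments() prunes denied parts (recursing into nested multiparts such as forwarded mail), appends a notice naming them, and otherwise returns the original untouched for hand-off to procmail. Virus scanning is left out, and keeping the original as the isolated copy is assumed to be the caller's job.

```python
import re
from email import message_from_string, policy
from email.message import MIMEPart
# Constructed deny-list in the spirit of Virge's config: extensions or full names as case-insensitive regexes.
DENY_PATTERNS = [r"\.exe$", r"\.com$", r"^setup\.zip$"]

# Constructed sample mail: one denied and one allowed attachment.
SAMPLE = """From: alice@example.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="INVOICE.EXE"

not-really-a-binary
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

not-really-a-pdf
--b1--
"""

def is_denied(filename):
    return any(re.search(p, filename, re.IGNORECASE) for p in DENY_PATTERNS)

def _prune(part, stripped):
    if part.is_multipart():
        kept = []
        for sub in part.iter_parts():
            name = sub.get_filename()
            if name and is_denied(name):
                stripped.append(name)          # record the name for the notice
            else:
                _prune(sub, stripped)          # nested multipart: prune inside it too
                kept.append(sub)
        part.set_payload(kept)

def strip_denied_attachments(raw):
    msg = message_from_string(raw, policy=policy.default)
    stripped = []
    _prune(msg, stripped)          # single-part mail has no parts, so nothing is stripped
    if not stripped:
        return raw, []             # nothing denied: deliver the original untouched
    if msg.get_content_subtype() != "mixed":
        msg.make_mixed()           # wrap e.g. multipart/alternative so a notice can be appended
    notice = MIMEPart()
    notice.set_content("Virge removed these attachments: " + ", ".join(stripped))
    msg.attach(notice)
    return msg.as_string(), stripped
```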

Virge definitely tries not to let any lame script kiddies abuse it in any way. It tries to resist race conditions, buffer overflows, and similar neat tricks. There is no guarantee, of course, that Virge has no security problems.

Virge tries to be as fast as possible and not waste CPU time or any other resources. It is still possible to make it perform even better, although I presume it would be in the 1-5% range. I will take some more time later and try to fix all the small performance problems.

And yes - Virge *is* fast. I made a complete 'Virge V1' in Perl some time ago, but it was an absolute failure. Although I tried to use as few modules as possible and make it as fast as possible... it was crap. 2 minutes after I started a script that sends 3-5 mails per second, I started wondering "Why the hell can't I log in to the mailserver anymore?". Perl is nice, but it's not good for tools like this. Not at all (except if you have low traffic on your mailserver).

And Virge still needs a *lot* of testing. I have tried to test Virge with many different mail (MIME) formats and tried different tricks in order to bypass its 'decoding techniques' (in order to send a virus or .exe to users), but it handles things pretty well. There are cases, though, when it is possible to trick librfc2045 and send attachments that don't get 'caught', but those attachments violate the RFCs anyway. If your mail client is so stupid as to decode invalid/malformed attachments/mails, you deserve it. Don't use stupid mail clients then. I'm not going to start adding all those crappy features into Virge that would let someone detect all the possible tricks which can be used. Use good mail clients; don't rely on Virge to save you.

Here are some key features of "Virge":
Virge can check every incoming mail for attachments, and can remove attachments that are considered dangerous.
"Dangerous" can be defined as:
  email with specific kinds of attachments (e.g., .EXE, .COM, etc.)
  email that contains a virus as identified by Sophie (http://www.vanja.com)
  email that contains a virus as identified by Trophie (http://www.vanja.com)
  email that contains a virus as identified by AVPDaemon (http://www.avp.ch)
  any combination of the above.
Dangerous email can trigger:
  rewriting that removes the virus.
  alert back to sender.
  alert to recipient.
  alert to system manager.
All 'offending' mail messages can be isolated for later review.
Written in C, so it is very fast, doesn't waste resources, and doesn't depend on a complicated Perl installation (which is subject to breaking).
Notification can be sent (configurable) to the sender/recipient of suspicious/infected mail. Templates can be used to define the layout of the mail.
Regular expressions can be used for filename matching.
Virge was made with security in mind, and should be hard to abuse.
Can be configured to fail open or fail closed if the load on the machine goes too high.
Virge 3.0 is designed for easy integration with Postfix.

Requirements:
Sendmail (tested with 8.10.x, 8.11.x and 8.12.x)
Postfix (Virge integrates through SMTP filter feature)
Procmail (shouldn't be a problem if you are using Sendmail)
Sophie / Trophie / AVPDaemon (if you want to scan for viruses)

What's New in This Release:
Mails were being isolated after rewriting, in virge_checkrewrite(), which was plain wrong [virge.c]
The messageID is now modified (random 8 digits + pid) [virge.c]
Time/date stamps were added in event_log() and are now printed in all logfiles, and in the debugging output as well.