INSTALL INSTRUCTIONS for using NAI's McAfee Command Line Scanner with MIMEDefang

by Kevin A. McGrail (kmcgrail@pccc.com)

Maintained at: http://www.pccc.com/downloads/


Step 1: Ordering McAfee Licenses

Obtaining McAfee's licensed command line scanner is not easy. The hard part is ordering it. If you don't already have a Grant # with McAfee, tell them to put "new license" in the internal text of the order.

As of January 2005, the products you want are:

    CDW P/N 641958  MCL VSCL PERP+W/24X7 11-25

Minimum order is 11 and the cost should be approximately $13 each for 2 years of licensing.

CDW handled this order above and beyond the call of duty and the sales rep was excellent. Therefore, get licensed by calling/emailing David Krawczyk @ CDW. His contact information is:

    Direct:       877-837-9660
    Direct Local: 312-705-5072
    Fax:          312-705-6572
    Email:        davikra@cdw.com

Thanks to David and Dee Taylor for their efforts with this!

NOTE: A careful reading of the license and a lengthy debate on MIMEDefang's mailing list lead us to say that the licenses are per user. We run the MIMEDefang milter as a single user, hence only one license is needed.


Step 2: Obtaining the Virus Scan Software

Once you place your order, you will get a Grant PDF in a few days. This PDF has the URL to download newer versions of the software, currently https://secure.nai.com/us/forms/downloads/upgrades/login.asp. Going to this site and entering your Grant # will now give you a licensed binary.


Step 3: Install the software

The software installation was a simple matter of untarring and running ./install-uvscan. I accepted all defaults, which installed the product in /usr/local/uvscan and made a symbolic link to /usr/local/bin/uvscan.


Special Steps for RedHat 9

The McAfee Virus Scanner doesn't run correctly under RedHat 9 due to a linking problem. The solution according to NAI is to force the dynamic linker to look at /lib/libc.so.6 before anything else.
To do this, set the LD_PRELOAD environment variable to point to /lib/libc.so.6 before a scan is executed.

Example:

    LD_PRELOAD=/lib/libc.so.6 uvscan -v /home/myuser/myfiles

Possible Solution #1 (Easy):

This most likely requires a modification of mimedefang.pl. At the moment, we believe the following will work but it has NOT been tested (note the space after libc.so.6, which separates the variable assignment from the scanner path):

modify line 2110 in /usr/local/bin/mimedefang.pl to say:

    run_virus_scanner("LD_PRELOAD=/lib/libc.so.6 " . $Features{'Virus:NAI'} . " --noboot --mime --secure --allole $path 2>&1", "Found");

Definite Solution #2 (Harder):

Use a "wrapper" script to call uvscan. David F. Skoll has written one, provided here, called rh9-uvscan.

    cd /usr/local/bin
    wget http://www.peregrinehw.com/downloads/MIMEDefang/rh9-uvscan
    chmod u+x rh9-uvscan

add a line before line 2110 in /usr/local/bin/mimedefang.pl to say:

    $Features{'Virus:NAI'} = '/usr/local/bin/rh9-uvscan';

Original NAI Link: https://knowledgemap.nai.com/phpclient/viewKDoc.aspx?externalID=KB_NAI31418&sliceID=&docID=KC.KB_NAI31418&url=kb/kb_nai31418.xml&dialogID=152376&docType=DOC_KnowledgeBase&userType=3&iterationID=1&sessionID=Anonymous|1768269092&userID=&docName=Solution%20ID%20NAI31418%20-%20VirusScan%20for%20Unix%20does%20not%20run%20on%20Red%20Hat%20Linux%209&sourceKmap=&viewFrom=Main

Source of Original Solution: http://www.sng.ecs.soton.ac.uk/mailscanner/serve/cache/153.html


#NOTE: This Change Was Added to MIMEDefang Natively And Is No Longer Needed
#
#Step 4: Enable MIME Scanning
#
#If you didn't modify mimedefang.pl above, you should now. Thanks to Lucas Albers for pointing this out!
#Add the --mime switch to detect MIME-encoded viruses.
#
# modify line 2121 in /usr/local/bin/mimedefang.pl to have --mime:
#
# run_virus_scanner($Features{'Virus:NAI'} . " --noboot --mime --secure --allole $path 2>&1", "Found");


Step 5: Keeping the Virus Scanner DAT files up to Date

Why McAfee still fails to provide automated tools for downloading updates across their product line still baffles me.
Luckily, Bas Rijniersce has written a tool specifically for the job.

    # INSTALL NAI VirusScan DAT/Engine file updater
    # HOMEPAGE: http://freshmeat.net/projects/naiupdt/
    #
    # Version 0.4

    mkdir /tmp/MD20031010/
    cd /tmp/MD20031010/
    wget http://www.peregrinehw.com/downloads/MIMEDefang/naiupdt-0.4.tar.gz
    cd /usr/src
    tar zxvf /tmp/MD20031010/naiupdt-0.4.tar.gz
    cd naiupdt-0.4/
    cp naiupdt.pl /etc/cron.daily/
    cd /etc/cron.daily
    chmod u+x naiupdt.pl
    rm -rf /tmp/MD20031010/

NOTE: If you have a CDROM drive, uvscan will try to scan the boot record of the drive. If there is no CDROM in the drive, this can cause quite a delay. The --noboot parameter tells uvscan not to check all of the boot sectors for viruses. You might want to edit line 352 in naiupdt.pl to say:

    open (VIRUS, "$binary --noboot $datdir/eicar.com 2>&1 |");

NOTE 2: There is a bug in naiupdt.pl caused by DAT zips from McAfee that have the wrong permissions. To fix this, edit your naiupdt.pl and add these lines starting at line 319:

    print("Fixing DAT file permissions ..\nchmod 755 $datdir/*.dat .. ") if ($verbose >= 5);
    # Only run chmod if the cd succeeded, so it never touches another directory.
    $res = system("cd $datdir && chmod 755 *.dat > /dev/null 2>&1");
    if ($res != 0) {
        print "FAIL\n\n" if ($verbose >= 3);
        print "DAT file permission change failed .. Change manually\n\n" if ($verbose >= 1);
        exit(2);
    }


Step 5: Making MIMEDefang use the Virus Scanner

MIMEDefang does NOT detect virus scanners at run-time but rather at compile time. However, MIMEDefang should find uvscan automatically during the configure process. Therefore, it's best to install your virus scanner first and then MIMEDefang.

NOTE: If you already have MIMEDefang installed, you'll need to delete the config.cache in the source directory, reconfigure, recompile and reinstall.
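

Added example (not part of the original guide, MIMEDefang or naiupdt): a shell self-test to run after a DAT update. It checks that the DAT files are readable and that the scanner, called with the flags from the run_virus_scanner() line above, reports "Found" on the eicar.com test file in naiupdt's $datdir. The function names and return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the guide: self-test for uvscan as MIMEDefang calls it.
# Function names and return codes are assumptions made for this example.
# Run it as the user MIMEDefang runs as; root can read files whatever their mode.

# Flags copied from the run_virus_scanner() line quoted in the guide.
UVSCAN_FLAGS="--noboot --mime --secure --allole"

# dat_files_readable DATDIR
# 0 if at least one *.dat exists and all are readable by the current user
# (NOTE 2 in the guide: DAT zips can unpack with the wrong permissions).
dat_files_readable() {
    found=0
    for f in "$1"/*.dat; do
        [ -e "$f" ] || continue
        found=1
        [ -r "$f" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# scanner_detects SCANNER TESTFILE
# 0 = output contains "Found" (the string mimedefang.pl matches on),
# 1 = scanner ran but reported nothing, 2 = scanner or test file missing.
scanner_detects() {
    [ -x "$1" ] && [ -f "$2" ] || return 2
    # The exit status is ignored on purpose; only the output is inspected.
    out=$("$1" $UVSCAN_FLAGS "$2" 2>&1) || true
    case $out in
        *Found*) return 0 ;;
        *)       return 1 ;;
    esac
}

# selftest SCANNER DATDIR
# 0 = OK, 1 = DAT files missing or unreadable, 2 = test file not flagged.
selftest() {
    dat_files_readable "$2" || { echo "no readable DAT files in $2" >&2; return 1; }
    scanner_detects "$1" "$2/eicar.com" ||
        { echo "$1 did not report $2/eicar.com" >&2; return 2; }
    echo "uvscan self-test passed"
}

# Stand-alone use: sh uvscan-selftest.sh /usr/local/bin/uvscan DATDIR
if [ "$#" -eq 2 ]; then
    selftest "$1" "$2"
fi
```

On RedHat 9, pass /usr/local/bin/rh9-uvscan as SCANNER so the check goes through the same wrapper MIMEDefang uses.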