Exim and Antivirus

This page is now out of date and is no longer being updated. It’s left here for posterity, or until I can be bothered to take it down

Following on from the rather annoying W32.Novarg.A mass mailing worm; purple now has global MIME and anti virus filtering.

To do this, I installed the Exim patch Exiscan that extends the functionality of Exim to include content filtering (I believe it’s now built into later versions of Exim). Exiscan can directly link into a number of third party anti virus programs (some of which of free and open source if you’re into that sort of thing).

A HOWTO is a little pointless given the excellent guide from Tim Jackson, but I have it setup as follows:

Exiscan is only used for MIME/AV scanning and not for spam filtering (spamassassin is used later on)
SA-Exim is not used
ClamAV is used alongside FreshClam to keep the definitions updated (note I use local sockets rather than binding to localhost)

The relevant lines from the check data ACL:

#!!# ACL that is used after the DATA command
check_message:

require verify = header_sender

deny message = This message has been rejected because it has an attachment (ending in .$found_extension)\n with potentially executable content.\n\n This form of message is often used by email viruses and worms.\n If you meant to send this file then please package it up in a zip file and resend it.\n\n
demime = bat:com:exe:pif:prf:scr:vbs

deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *

 

accept