ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic

How many people wants that guide?
Count me in!
 50%  [ 1 ]
Naaah, no way!
 50%  [ 1 ]
Total Votes : 2

Integrating ClamWin and Mercury32

Joined: 12 Jul 2006
Posts: 10
Location: Italy
Reply with quote
Hi all!

I just managed to make Mercury32 (a mail server) scan all the incoming e-mail with a simple .cmd script and some settings inside the MTA.

I was wondering if anybody else has an interest in doing so, if that's the case I'll have ready a quick guide or something pretty soon.

View user's profileSend private message
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Reply with quote
Please make a guide and we will put it online here:
View user's profileSend private message

Joined: 12 Jul 2006
Posts: 10
Location: Italy
Reply with quote
Mercury32 + ClamWin

Hi everybody.

This quick guide will hopefully explain how to set up Mercury32 ( to scan incoming mail for virii using ClamWin. Since we will be using the clamscan executable through a small batch file I assume you are at least slightly familiar with a text editor (notepad) and command line operation. I will also assume that you already have ClamWin (last version should be just fine) and Mercury32 installed and working.


I have ClamWin and Mercury installed and everything was working just fine, except sometimes virii just kept passing through to my users. Every user scans incoming email through ClamMail but this is highly inefficient, since it needs to download virus definitions for each client and is not so frequently updated. So i wondered what could be done to stop these messages or at least steer them to my mailbox instead of forwarding them to the users.


Luckily, ClamWin is a front end to the command line scanner which does the real job: Clamscan. So the first thing I need is to have a simple DOS batch file that gracefully starts clamscan, sets the right paths to a log file, the virus definitions, the file to be checked and sets all the right options we wish to use in the process.

This is the simple batch file I use:


@echo off
"c:\Programmi\ClamWin\bin\clamscan.exe" --log=".\scanlog.txt" --database="C:\Documents and Settings\All Users\.clamwin\db" --remove --recursive --no-summary --infected --tempdir="c:\temp" %1

and here we are. The file is the same one I use when I need to check a PC coming in after some virus breakdown. YMMV but I found it effective.

Anyway, it needs to be crafted to the needs of Mercury32. I decided that I wanted to obtain the infected messages myself, but didn't need to leave temporary files (possibly infected ones) sitting around. Hence the "--remove" parameter, deleting tha scanned file if found infected. We can always get it back from the original message anyway.

Mecury32 allows to set up policies that can affect the transit of messages. This is done accessing the "Configuration - Mercury Core module..." window and the Policy tab.
Here we can use the dialog to make a policy that passes every attachment to our batch scanner.
Mercury uses "substitutions" to pass parameters to external routines working for him. So we need to know which ones to pass to our script.
This is a small excerpt from the Mercury32 help file, which you may probably already know:

Commandline substitutions

When you create a Mercury policy, one of the things you must provide is a commandline: this is the command that Mercury asks the Windows operating system to execute to test your policy conditions: it consists of the name of a program, and any optional parameters that program needs to run. You can imbed certain special characters in the commandline you enter in the Mercury policy editor - when Mercury runs your command, it will replace the special characters with the proper values they represent. This process is called substitution.

You can use the following special characters in your policy commandlines:

~X Is replaced by the name of the file containing the data to test (so, if your policy requires
attachment unpacking, this will be the name of the file containing the specific attachment it is to
~A Is replaced by the name of a file containing the entire text of the message; if your policy task
modifies the data of the jobs it examines (see above) then this is the only file it may modify.
~R Is replaced by the name of the result file (see above)
~S Is replaced by the name of the sentinel file (see above)
~F Is replaced by the "original" filename for the attachment as stored in the message
~Z Is replaced by the extension-part only of the "original" filename for the attachment, as stored
in the message.
~Y Is replaced by the current year expressed as two digits.
~M Is replaced by the current month expressed as two digits
~D Is replaced by the current day of the month, expressed as two digits
~W Is replaced by the current week of the year, expressed as two digits

The date substitutions are provided largely to allow you to do simple archiving of mail: they can be used
to construct file or directory names as required.

Ok. So we need to tell our batch file to go looking for a certain file Mercury hands us, and eventually output his conclusions about it in some other log file Mercury will take and forward to the right people. And the options we need are ~X and ~R.

This is what the changed batch file should look like when you have modified it.


@echo off
"c:\Programmi\ClamWin\bin\clamscan.exe" --log="%2" --database="C:\Documents and Settings\All

Users\.clamwin\db" --remove --recursive --no-summary --infected --tempdir="%userprofile%\impostazioni

locali\temp" %1

The only real difference being the additional parameter for the --log option. I kept for no real reason the --recursive option too, just in case. Maybe some more sofisticated version fo the script could reconstruct the name of the original attachment, in case it was found infected but still needed, but I
didn't cover that option at this time.

So, cut and paste in your favourite text editor the script, then adapt the paths to the executable and temporary directory and virus definitions, then save somewhere in the execution path of your installation. That is, unless you want to specify the full path in the policy we will be making shortly.

This fits just perfect to my italian Win2K installation, but again your mileage may vary.

And now to Mercury32 and the funny part.


As I wrote before, we need to go "Configuration - Mercury Core Module..." and go to the Policy tab to make the necessary entry.
Click the "Add new task" button.

Step1. Fill some description for this task, I used "Antivirus Scan", very imaginative indeed... This will be included in the report from Mercury in case something is found.

Step2. Next you need to tell mercury the type of task this is to be. Choose "Run a program and examine the return code"

Step3. The fun part: here you are going to write in the commandline box the name of your batch file if you saved it in the path, or the full path and name if you saved it somewhere else. PLUS you have to leave a space, and insert the options "~X ~R"

So the final line should look like:


c:\winnt\clam2.cmd ~X ~R

Then in the Result file box you insert ~R. Put flags in the fields: "This task requires attachment unpacking support" and "This task should be applied before any filtering rules".
I use the latter because I also have a filtering rule to steer the spam to my account, but if it's identified as spam and IS infected I don't want it to bypass the scan routine.

Step4. Finally we set the action if the task triggers. I use to forward the message to my account instead of the user. I can always send it after cleaning or simply delete it anyway, as usually the message IS the virus. "Forward the message to a local user" is the definition, and I specified my local user in the parameter box. There are also other three options, to delete the msg, to return it as undeliverable (possibly contributing to the spam anyway? no way) or to save it to a file and notify a user.

That's it. Click on OK high on the right of the task window and then OK again on the core module configuration.

If everything was set up good, you can try to send an EICAR test file to some local user or even to yourself, and see the notification from Mercury tell you this:

Notice of policy exception from XXXXXXXXX:

The attached message has caused a mail server policy exception and is being
referred to you for action.

Message sender: <vanni>
Name of policy entry: Antivirus Scan

The policy's task generated the following diagnostic information explaining
why this message caused an exception:

------------ Start of result file -------------------

Scan started: Wed Jul 12 15:21:40 2006

XXXXX\MERCURY\Scratch\5D601C6A.TMP: Eicar-Test-Signature FOUND
XXXXX\MERCURY\Scratch\5D601C6A.TMP: Removed

------------ End of result file ---------------------

Depending on the policy module that raised the exception, you may need to
exercise caution if opening the attached message.


I noticed that after the first infected file found, the scanning process ends and the policy triggers, so if there's more than one attachment but only one is infected the message COULD be delivered to the user... But that would need rewriting the message in Mercury, which I don't know how to do...

Try it. It works for me, but it's been freshly done so suggestions for improvements are welcome.

Bye everybody
View user's profileSend private message
Integrating ClamWin and Mercury32
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

 Reply to topic