Integrating ClamWin and Mercury32
alch
Site Admin
Please make a guide and we will put it online here:
https://www.clamwin.com/content/category/4/22/89/
Vanni
Mercury32 + ClamWin
Hi everybody. This quick guide will hopefully explain how to set up Mercury32 (https://www.pmail.com) to scan incoming mail for viruses using ClamWin. Since we will be using the clamscan executable through a small batch file, I assume you are at least slightly familiar with a text editor (notepad) and command line operation. I will also assume that you already have ClamWin (last version should be just fine) and Mercury32 installed and working.

BACKGROUND

I have ClamWin and Mercury installed and everything was working just fine, except sometimes viruses just kept passing through to my users. Every user scans incoming email through ClamMail, but this is highly inefficient, since it needs to download virus definitions for each client and is not so frequently updated. So I wondered what could be done to stop these messages or at least steer them to my mailbox instead of forwarding them to the users.

CMDLINES

Luckily, ClamWin is a front end to the command line scanner which does the real job: Clamscan. So the first thing I need is to have a simple DOS batch file that gracefully starts clamscan, sets the right paths to a log file, the virus definitions, the file to be checked and sets all the right options we wish to use in the process. This is the simple batch file I use:
and here we are. The file is the same one I use when I need to check a PC coming in after some virus breakdown. YMMV but I found it effective. Anyway, it needs to be crafted to the needs of Mercury32. I decided that I wanted to obtain the infected messages myself, but didn't need to leave temporary files (possibly infected ones) sitting around. Hence the "--remove" parameter, deleting the scanned file if found infected. We can always get it back from the original message anyway.

Mercury32 allows you to set up policies that can affect the transit of messages. This is done by accessing the "Configuration - Mercury Core module..." window and the Policy tab. Here we can use the dialog to make a policy that passes every attachment to our batch scanner. Mercury uses "substitutions" to pass parameters to external routines working for it. So we need to know which ones to pass to our script. This is a small excerpt from the Mercury32 help file, which you may probably already know:
Ok. So we need to tell our batch file to go looking for a certain file Mercury hands us, and eventually output its conclusions about it in some other log file Mercury will take and forward to the right people. And the options we need are ~X and ~R. This is what the changed batch file should look like when you have modified it.
The only real difference being the additional parameter for the --log option. I kept for no real reason the --recursive option too, just in case. Maybe some more sophisticated version of the script could reconstruct the name of the original attachment, in case it was found infected but still needed, but I didn't cover that option at this time.

So, cut and paste the script into your favourite text editor, then adapt the paths to the executable and temporary directory and virus definitions, then save somewhere in the execution path of your installation. That is, unless you want to specify the full path in the policy we will be making shortly. This fits just perfect to my Italian Win2K installation, but again your mileage may vary. And now to Mercury32 and the funny part.

MERCURY32

As I wrote before, we need to go to "Configuration - Mercury Core Module..." and go to the Policy tab to make the necessary entry. Click the "Add new task" button.

Step 1. Fill in some description for this task. I used "Antivirus Scan", very imaginative indeed... This will be included in the report from Mercury in case something is found.

Step 2. Next you need to tell Mercury the type of task this is to be. Choose "Run a program and examine the return code".

Step 3. The fun part: here you are going to write in the commandline box the name of your batch file if you saved it in the path, or the full path and name if you saved it somewhere else. PLUS you have to leave a space, and insert the options "~X ~R". So the final line should look like:
Then in the Result file box you insert ~R. Put flags in the fields: "This task requires attachment unpacking support" and "This task should be applied before any filtering rules". I use the latter because I also have a filtering rule to steer the spam to my account, but if it's identified as spam and IS infected I don't want it to bypass the scan routine.

Step 4. Finally we set the action if the task triggers. I usually forward the message to my account instead of the user. I can always send it after cleaning or simply delete it anyway, as usually the message IS the virus. "Forward the message to a local user" is the definition, and I specified my local user in the parameter box. There are also three other options: to delete the msg, to return it as undeliverable (possibly contributing to the spam anyway? no way) or to save it to a file and notify a user.

That's it. Click on OK high on the right of the task window and then OK again on the core module configuration. If everything was set up correctly, you can try to send an EICAR test file to some local user or even to yourself, and see the notification from Mercury tell you this:
I noticed that after the first infected file found, the scanning process ends and the policy triggers, so if there's more than one attachment but only one is infected the message COULD be delivered to the user... But that would need rewriting the message in Mercury, which I don't know how to do...

Try it. It works for me, but it's been freshly done so suggestions for improvements are welcome.

Bye everybody
Vanni
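
A wrapper batch file for the policy described in the guide above, as an added example that is not part of the original post and not the poster's own script. The file name clamscan_mercury.bat and both paths are assumptions to adapt; %1 and %2 receive Mercury's ~X and ~R. It returns 1 for scanner errors as well as detections, so a failed scan is handled by the policy the same way as an infected attachment.

```batch
@echo off
rem Added example, not the original poster's script.
rem Policy command line in Mercury: clamscan_mercury.bat ~X ~R
rem   %1 = file Mercury hands us to scan (~X)
rem   %2 = result file Mercury reads back and reports (~R)
setlocal

rem Assumed locations: adapt to your own ClamWin installation.
set "CLAMSCAN=C:\Program Files\ClamWin\bin\clamscan.exe"
set "CLAMDB=C:\ClamWin\db"

rem Refuse to report "clean" when Mercury passed no file or no result path.
if "%~1"=="" exit /b 1
if "%~2"=="" exit /b 1

rem A missing scanner must not look like a clean result either.
if not exist "%CLAMSCAN%" (
    >>"%~2" echo Scanner error: clamscan executable not found
    exit /b 1
)

rem --remove deletes the extracted copy if it is infected; the original
rem message still carries the attachment, as the guide points out.
"%CLAMSCAN%" --database="%CLAMDB%" --recursive --remove --log="%~2" "%~1"
set "RC=%ERRORLEVEL%"

rem clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.
if "%RC%"=="0" exit /b 0

rem Anything other than 1 is a scanner failure (bad database path,
rem unreadable file, ...). Record it in the result file and fail closed.
if not "%RC%"=="1" (
    >>"%~2" echo Scanner error: clamscan exit code %RC%
)
exit /b 1
```

Sending an EICAR test file, as the guide suggests, checks the detection path; temporarily pointing CLAMDB at a non-existent directory checks the error path.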
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.