How can I integrate Kaspersky Anti-Virus (KAV) into the SME Server?
Klaus J. Mueller (kjm (at) internet-sicherheit.net)
v0.1d, 2004-01-21

Disclaimer
Use this documentation at your own risk. I will not accept any responsibility for any incorrect information within this document, nor for any damage it might cause when applied. It worked for me and it should work for you.

Copyright
Copyright (C) 2002 Klaus J. Mueller. Permission to distribute and modify this document is granted under the GNU General Public License as long as this Copyright notice is left unmodified.

Current version
The most current version of this document can be obtained from http://internet-sicherheit.net/kav4sme-howto.html

Credits
Cheers to Christian Hofmann of Data Security, the German distributor of KAV, for helping me with his intimate knowledge of KAV, and also to the e-smith / SME people!

Introduction
It's quite handy to have all your e-mail - inbound and outbound - automagically checked for viruses. This HowTo shows you how to integrate Kaspersky Anti-Virus into the SME Server.

Prerequisites
This HowTo is based on (and tested with) SME Server V5.5 and KAV engine V3.5.136 for Linux Server. You will obviously need a running installation of the SME Server. This document should also work for SME Server V5.1.x - can anyone confirm this?

Let the games begin!
What else do we need? Some files - for which we first create a directory to store them temporarily:
    > mkdir /tmp/kav4sme/
Create the directories for KAV:
    > mkdir /opt/AVP
    > mkdir /opt/AVP/Bases
    > mkdir /opt/AVP/kavkeeper
    > mkdir /opt/AVP/keys
    > mkdir /opt/AVP/Tools
Now download the files and store them in /tmp/kav4sme/. Then go to the temp directory to unpack the files:
    > cd /tmp/kav4sme/
    > tar -xvzf *kavselinux.tgz    # (010810kavselinux.tgz at time of writing)
This gives us several files for different mail servers (sendmail, qmail, postfix and exim). As SME uses qmail, we're only interested in that one (don't mind the others):
    > tar -xvzf kavkeeper-qmail-linux-3.5.136.tgz # (engine 3.5, release 136 is current at time of writing)
Remark: An error message will appear. Why? Well, the guys at KAV append some checksum data right to the end of the tgz file. Their installer script (which - well - doesn't really look like a time-saver to me) uses this information to check the integrity of the files. That, of course, is a very good idea, but we'll do without it anyway: all in all, I think it's better to do the installation by hand. So, just ignore the message.

Now, let's unpack the workstation tools:
    > tar -xvzf kavwslinux.tgz
Remark: Again, an error message will appear. Be brave - ignore.

Grab the important files and put them in place:
    > cd /tmp/kav4sme/kavwslinux/
    > mv AvpUnix.ini defUnix.prf kav* /opt/AVP/
    > ln -s /opt/AVP/AvpUnix.ini /root/
    > mv *.key /opt/AVP/keys/
    > mv ../kavkeeper.ini /opt/AVP/kavkeeper/
    > mv Tools/checkurl /opt/AVP/Tools/
    > mv EtcScripts/cron/kavupdater.daily /etc/cron.daily/
    > mv EtcScripts/init.d/kavdaemon.rh7 /etc/init.d/kavdaemon.start
    > mv ../kavkeeper.8 /usr/man/man8/
    > mv Docs/man/*.8 /usr/man/man8/
Make sure checkurl is known system-wide:
    > ln -s /opt/AVP/Tools/checkurl /usr/bin
Create the links to automatically start the kavdaemon on system boot:
    > ln -s /etc/init.d/kavdaemon.start /etc/rc7.d/S80kavdaemon.start
    > ln -s /etc/init.d/kavdaemon.start /etc/rc7.d/K10kavdaemon.start
Modify the ini files

Open /opt/AVP/AvpUnix.ini in your favourite editor (vi, joe, mc's editor) and change the following:
    BasePath=/opt/AVP/Bases
    KeysPath=/opt/AVP/keys
    UpdatePath=ftp://download.avp-de.com/updates/
At this stage you can test what you've done so far by firing up either the command line scanner or the daemon:
    > /opt/AVP/kavupdater.sh   # download the virus-definition files first; otherwise the scanner won't really know what to search for...
    > /opt/AVP/kavscanner      # if you're impatient you can cancel this at some stage by pressing <Ctrl-C>
    > /opt/AVP/kavdaemon
Both should work and - among other things - state that they're running in trial mode. If they give you error messages: go back! Do your homework! You failed! (Everyone getting caught in an endless loop here is allowed to send me mail.)
Before you go any further, you should be aware that the following steps will temporarily (well - if you're lucky) affect your mail system. The best idea is to shut down your mail system for now:
    > /etc/init.d/qmail stop
We want to integrate KAV into qmail. The mechanism for this is to rename the original "qmail-queue" binary and replace it with KAV's qmail-queue, which passes every message through the kavdaemon before queueing it:
    > mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-que
    > mv /tmp/kav4sme/qmail-queue /var/qmail/bin/qmail-queue
    > chown qmailq:qmail /var/qmail/bin/qmail-queue
Use your editor to open /opt/AVP/kavkeeper/kavkeeper.ini and modify these entries:
    [kavdaemon]
    kavdaemonname=kav@yourdomain.comm     # well - you'll obviously want to replace the domain name;
                                          # this entry determines the "from" address of virus detection mail messages
    [GROUP:DEFAULT]
    infectedaction=NOTIFY                 # send a message to recipient, sender and admin
    infectednotify=virus@yourdomain.comm  # well - same thing - replace this!
                                          # this is where the admin mails go to
                                          # Remark: you can also set this to "root", which only makes sense
                                          # if you don't "forward administrative notices" to a local user!!!
                                          # If you do, you'll get a nice mail loop:
                                          # (mail -> scan for viruses -> infected -> notify admin -> forward to local user
                                          # -> scan for viruses -> infected -> ...)
    attachinfected=no                     # don't attach the original mail message - even if it has been disinfected
                                          # why? Imagine a user getting a message "hey - user "foo" was going to send you mail that was infected with virus "bar";
                                          # you can find the message in the attachment"
                                          # well - is the virus really gone? I'm scared! ...
    [log]
    usesyslog=no
Remark: after modifying kavkeeper.ini you don't need to restart kavdaemon - changes take effect immediately.
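As an added check (not part of this HowTo, nor KAV's own tooling), here is a small POSIX shell script that reads the kavkeeper.ini entries above and catches the two mistakes the remarks warn about: placeholder addresses left in place, and infectednotify=root combined with forwarding of administrative notices to a local user. The sample ini file is constructed, and the forwarding-user argument is an assumption (SME's own setting is not read here); the ini_get helper also works on AvpUnix.ini and defUnix.prf.

```shell
#!/bin/sh
# Added example, not from the original HowTo or KAV: sanity-check kavkeeper.ini before restarting.
# ini_get FILE SECTION KEY: print KEY's value from [SECTION], trailing "# ..." comment stripped.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[][ \t]/, ""); insec = ($0 == sec); next }
        insec {
            line = $0; sub(/#.*/, "", line)
            split(line, kv, "="); k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}
# check_kavkeeper FILE FORWARD_USER: FORWARD_USER is the local user SME forwards administrative
# notices to, or "" if that option is off (assumed argument, not a KAV setting).
# Returns 0 when the settings match the HowTo, 1 (with the reason on stdout) otherwise.
check_kavkeeper() {
    file=$1; fwd=$2; rc=0
    action=$(ini_get "$file" GROUP:DEFAULT infectedaction)
    notify=$(ini_get "$file" GROUP:DEFAULT infectednotify)
    sender=$(ini_get "$file" kavdaemon kavdaemonname)
    if [ "$action" != "NOTIFY" ]; then
        echo "infectedaction is '$action', the HowTo expects NOTIFY"; rc=1
    fi
    case "$sender" in
        ""|*yourdomain.comm) echo "kavdaemonname still carries the placeholder domain"; rc=1 ;;
    esac
    case "$notify" in
        ""|*yourdomain.comm) echo "infectednotify still carries the placeholder domain"; rc=1 ;;
        root) if [ -n "$fwd" ]; then   # the mail loop described in the remark above
                  echo "infectednotify=root while admin notices are forwarded to '$fwd'"; rc=1
              fi ;;
    esac
    return $rc
}
# Constructed sample kavkeeper.ini (not taken from a real installation)
SAMPLE=${TMPDIR:-/tmp}/kavkeeper-sample-$$.ini
cat > "$SAMPLE" <<'EOF'
[kavdaemon]
kavdaemonname=kav@example.net    # constructed sample value
[GROUP:DEFAULT]
infectedaction=NOTIFY
infectednotify=root
EOF
check_kavkeeper "$SAMPLE" ""      # no forwarding configured: passes silently
check_kavkeeper "$SAMPLE" admin || echo "-> fix kavkeeper.ini before starting kavdaemon"
```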

Same thing with /opt/AVP/defUnix.prf:
    [Report]
    Report=Yes
    ReportFileName=/var/log/kavscan.rpt
    ReportFileLimit=Yes
    ReportFileSize=50000                  # maximum file size in kBytes
That's it!
Now, start kavdaemon:
    > /etc/init.d/kavdaemon.start start
And qmail also:
    > /etc/init.d/qmail start
Remark: Currently there is a newer version of the KAV engine than 3.5.136 available. According to H. Hofmann of Data Security, who have done extensive testing, the new version is not ready for production use yet.

Version history
v0.1 2002-11-08 initial release
v0.1a 2003-03-17 added the "kavupdater.sh" command to avoid error message when testing the scanner. Thanx to Tim Litwiller for bringing this to my attention!
v0.1b 2003-08-04 modified the URL of the key file on Datsec's server - apparently they changed the file name but forgot to notify me ;-)
v0.1c 2003-11-17 updated the outdated link (again) to a file on Datsec's server. Thanx to Quentin Gillet for notifying me!
v0.1d 2004-01-21 some minor corrections