Dr.Web for UNIX Mail Servers Functions

This Manual describes aspects of configuring components of Dr.Web for UNIX Mail Servers designed for GNU/Linux and FreeBSD. The Manual is intended for the person responsible for anti-virus protection and network configuration (hereinafter referred to as "Administrator").

Dr.Web for UNIX Mail Servers is designed to protect servers running GNU/Linux and FreeBSD from viruses and other types of malicious software, and to prevent the distribution of threats designed for other platforms through the mail system.

Main features of Dr.Web for UNIX Mail Servers:

1. Detection and neutralization of threats. Scans for malicious programs of all types (viruses, including those that infect mail files and boot records; trojans; mail worms; and so on) and unwanted software (adware, joke programs and dialers).

Threat detection methods:

signature analysis: a scan method that detects known threats registered in the virus databases;

heuristic analysis: a set of scan methods that detect threats which are not yet known;

the Dr.Web Cloud service, which collects up-to-date information about recent threats and distributes it to the products of Doctor Web.

Note that the heuristic analyzer may produce false positives on legitimate software, so objects it flags are considered "suspicious" rather than known to be infected. It is recommended to quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis.

Scanning the file system on user request can be performed in two modes: full scan (all file system objects) and custom scan (selected objects: directories, or files that satisfy specified criteria). The user can also start a separate scan of volume boot records and of the executables that spawned currently running processes; if such an executable is found to be malicious, it is neutralized and all processes spawned from it are forcibly terminated.

2. Email message scanning. The product supports the following modes of email message scanning:

Mode of an external filter connected to the mail server (MTA). The product can be integrated with any mail server that supports one of the external-filter interfaces Milter, Spamd or Rspamd. In filter mode, the MTA hands every message that arrives at the mail server to Dr.Web for UNIX Mail Servers over the integration interface, and the product scans it. Depending on the capabilities of the interface, Dr.Web for UNIX Mail Servers operating as a filter can:

Inform the server of the scanning results. In this case the mail server must process the message itself according to the results it receives (reject delivery, add headers or modify the message contents if the result reports a threat).

Instruct the mail server to skip or reject an email message.

Modify an email message by adding the specified headers or removing detected malicious or unwanted content. Removed content is attached to the message as a password-protected archive; the recipient can request the password for unpacking it from the mail server administrator. The administrator can, if required (though it is not recommended), configure the use of archives without password protection.

info

Sending commands to the mail server or returning a modified email message is supported only by the Milter interface. Over the Spamd and Rspamd interfaces, Dr.Web for UNIX Mail Servers can neither send commands to the server nor return a modified message; it returns one of two verdicts, "email message is spam" or "email message is not spam", and the MTA acts on that verdict. To influence how a rejected message is handled in this case, you can use the rule action REJECT<description>. The <description> parameter, if specified, is used as the value of the message header that the MTA adds to the message according to the scanning results.
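The verdict-only contract of the Spamd interface, as an added example that is neither Dr.Web's nor any MTA's own code: it frames a message as a spamd CHECK request, answers it from a constructed in-memory stand-in for the filter daemon (the scoring rule inside that stand-in is an assumption made for the example), parses the one-line verdict, and shows the decision the MTA is then left to take itself. The request and response framing follows the SpamAssassin spamd protocol; the `X-Spam-Status` header name and the reject description are assumptions of the example.

```python
# Added example (not Dr.Web code): the verdict-only contract of a spamd-style
# filter interface. The MTA sends the message in a CHECK request, the filter
# answers with one "Spam:" line, and only the MTA can act on that verdict.
from dataclasses import dataclass
from typing import Optional

# Real SpamAssassin test string; any spamd-compatible scanner is expected to
# flag a message containing it as spam.
GTUBE = "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"


@dataclass
class SpamdVerdict:
    is_spam: bool
    score: float
    threshold: float


def build_check_request(message: bytes) -> bytes:
    """Frame a message as a spamd CHECK request (SPAMC/1.5 framing)."""
    return b"CHECK SPAMC/1.5\r\nContent-length: %d\r\n\r\n" % len(message) + message


def simulate_spamd(request: bytes) -> bytes:
    """Constructed stand-in for the filter daemon (assumed toy scorer).
    Only a verdict goes back; the message itself is never returned."""
    head, _, body = request.partition(b"\r\n\r\n")
    if not head.startswith(b"CHECK SPAMC/") or b"Content-length:" not in head:
        return b"SPAMD/1.1 76 EX_PROTOCOL\r\n\r\n"
    declared = int(head.split(b"Content-length:")[1].split()[0])
    if declared != len(body):
        return b"SPAMD/1.1 76 EX_PROTOCOL\r\n\r\n"
    score = 1000.0 if GTUBE.encode() in body else 0.1
    verdict = "True" if score >= 5.0 else "False"
    return f"SPAMD/1.1 0 EX_OK\r\nSpam: {verdict} ; {score:.1f} / 5.0\r\n\r\n".encode()


def parse_spamd_response(response: bytes) -> SpamdVerdict:
    """Extract the verdict from a spamd reply; raise on a non-zero status."""
    head = response.partition(b"\r\n\r\n")[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    status = lines[0].split()
    if len(status) < 3 or status[1] != "0":
        raise ValueError(f"spamd error: {lines[0]!r}")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "spam":
            flag, _, scores = value.partition(";")
            score, _, threshold = scores.partition("/")
            return SpamdVerdict(flag.strip().lower() == "true",
                                float(score), float(threshold))
    raise ValueError("no Spam: header in spamd response")


def mta_action(verdict: SpamdVerdict, reject_description: Optional[str] = None) -> dict:
    """What the MTA itself must do with a verdict-only result: refuse the
    message (optionally naming a reason) or deliver it with a marker header."""
    if verdict.is_spam:
        return {"action": "reject", "reason": reject_description or "spam"}
    return {"action": "deliver",
            "headers": {"X-Spam-Status": f"No, score={verdict.score}"}}


def scan_message(message: bytes, reject_description: Optional[str] = None) -> dict:
    """Full exchange MTA -> filter -> MTA over the in-memory stand-in daemon."""
    response = simulate_spamd(build_check_request(message))
    return mta_action(parse_spamd_response(response), reject_description)
```

The point to take from the flow is that nothing the filter returns changes the message: the header is added and the rejection is issued by the MTA, which is why the description text has to travel as part of the verdict rather than as a modified message.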

Transparent proxy mode for mail protocols. In this mode the product (via the SpIDer Gate component) is embedded as a proxy into the channel between MTAs and/or MUAs, transparently for both parties, and scans the messages passing through it. It can be transparently embedded into the main mail protocols SMTP, POP3 and IMAP. Depending on what the protocol allows, Dr.Web for UNIX Mail Servers can pass the message on to the recipient (unmodified, with added headers, or repacked) or block its delivery, including returning a valid protocol error to the sender or the recipient.

info

The transparent proxy mode is available only for GNU/Linux.

Depending on the distribution and settings, Dr.Web for UNIX Mail Servers runs the following checks on email messages:

Detection of malicious attachments that contain threats;

Search for links to malicious websites or websites from the unwanted categories;

Detection of spam traits, both with the automatically updated spam-filtering rule base and by checking whether the sender's address is listed in DNSxL black lists;

Compliance with security criteria set by the administrator of the mail system (scanning of message headers and body with regular expressions).
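Two of the checks listed above, the DNSxL lookup and administrator-defined regular-expression rules, as an added example written against Python's standard email parser rather than Dr.Web's own code. The list zone `zbl.example`, the resolver answers, the rule names and patterns, and the sample message are all constructed for the example; the reversed-octet query form and the 127.0.0.0/8 answer convention are how DNS-based blocklists generally work.

```python
# Added example (not Dr.Web code): a DNSxL sender check and regex policy rules
# over a parsed message, runnable offline with a constructed resolver.
import ipaddress
import re
from email import message_from_bytes
from email.message import Message
from typing import Dict, List, Optional


def dnsbl_query_name(addr: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the list zone,
    e.g. 192.0.2.10 in zbl.example -> 10.2.0.192.zbl.example. IPv6 lists
    use reversed nibbles, which is why the address is parsed, not split."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".")


# Constructed stand-in for a DNS resolver: query name -> A records.
# Real lists answer inside 127.0.0.0/8; the low octet encodes the reason.
FAKE_DNSBL_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zbl.example": ["127.0.0.2"],
}


def listed_in_dnsbl(addr: str, zone: str,
                    resolve=lambda name: FAKE_DNSBL_ANSWERS.get(name, [])) -> Optional[str]:
    """Return the list's answer code if the address is listed, else None.
    Answers outside 127.0.0.0/8 are ignored: a wildcard or hijacked zone
    would otherwise flag every sender."""
    for rr in resolve(dnsbl_query_name(addr, zone)):
        if ipaddress.ip_address(rr) in ipaddress.ip_network("127.0.0.0/8"):
            return rr
    return None


# Administrator rules (constructed): (name, header name or "body", regex).
POLICY_RULES = [
    ("exe-attachment", "Content-Disposition",
     re.compile(r'filename="?[^"]*\.(exe|scr|js)"?', re.I)),
    # Mail claiming an internal From: address but arriving from outside.
    ("spoofed-internal-from", "From", re.compile(r"@corp\.example", re.I)),
    ("wire-transfer-lure", "body",
     re.compile(r"urgent.{0,40}wire transfer", re.I | re.S)),
]


def apply_policy_rules(msg: Message, rules=POLICY_RULES) -> List[str]:
    """Run each rule over the matching headers (of every MIME part) or over
    all text/plain bodies; return the names of the rules that matched."""
    hits = []
    for name, where, pattern in rules:
        if where == "body":
            haystacks = [part.get_payload(decode=True).decode("utf-8", "replace")
                         for part in msg.walk()
                         if part.get_content_type() == "text/plain"]
        else:
            haystacks = [str(v) for part in msg.walk()
                         for v in part.get_all(where, [])]
        if any(pattern.search(h) for h in haystacks):
            hits.append(name)
    return hits


def check_message(raw: bytes, client_ip: str, zone: str = "zbl.example") -> Dict[str, object]:
    """Combine both checks; client_ip is the connecting sender as seen by the MTA."""
    msg = message_from_bytes(raw)
    return {"dnsbl": listed_in_dnsbl(client_ip, zone),
            "policy_hits": apply_policy_rules(msg)}


# Constructed sample message: internal-looking From:, a lure in the body and
# a double-extension executable attachment.
SAMPLE = (
    b"From: CEO <ceo@corp.example>\r\n"
    b"To: finance@corp.example\r\n"
    b"Subject: Invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"This is urgent, please arrange the wire transfer today.\r\n"
    b"--b1\r\nContent-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf.exe"\r\n\r\n'
    b"MZ...\r\n--b1--\r\n"
)
```

Header rules are evaluated on every MIME part, not just the top level, because attachment metadata such as `Content-Disposition` lives on the part that carries the attachment; a rule that only looked at the top-level headers would miss it.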

To check links to unwanted websites that may be present in email messages, the automatically updated databases of web resource categories bundled with Dr.Web for UNIX Mail Servers are used. In addition, Dr.Web Cloud is queried to find out whether the web resource mentioned in the message has been marked as malicious by other Dr.Web products.