About a month ago, a request was made for Sophie's remote scan support. Well I've finally gotten around to it. This code is beta code (as I haven't had much testing), and should be treated as such. I would appreciate some others testing it with other versions of Sophie and libsavi. It's been tested with Sophie 1.44 and libsavi.so.2.2.03.083 and all I can say is it works for me :).
A few notes before you go plugging it in somewhere:
1) Large files suck. By default, Sophie 1.x has a timeout of 300 seconds.
The name "timeout" is a sort of misnomer as it really is a child process's
maximum time to live. If a scan takes longer than 300 seconds, the child is
killed. So, what happens when it takes longer than 5 minutes to transfer a
file _and_ scan? Well Sophie kills the child, but qmail-scanner-queue
keeps holding on. Eventually, qmail-scanner-queue's internal alarm goes off
and "temporary fails" the message. To remedy this I suggest the following:
a) Determine a policy on the maximum e-mail message size. Make sure
your SMTP server will NOT allow messages any bigger than this maximum.
b) Test to see how long it takes to transfer a file over and scan it (I
wrote a testing program; it is available upon request)
c) Reconfigure sophie with --with-timeout= with a good estimate of the
result from b. Don't forget to tack on some extra time for periods of
unexpected network lag, server load, etc.
2) This module has a configuration section. Now this may change when Jason
Haar adds it to qmail-scanner-queue project. He may not add it all, that's
his prerogative. It is written so one can add it manually. See below for
installation.
3) Adding network support for Sophie gives attackers one more port to
attack. Firewall wisely: allow the Sophie port only from the mail hosts
that actually submit scans.
4) I've written this to scan every file. The first Sophie support I wrote
for unix-domain sockets stops on the first file it finds infected. This is,
in my opinion, acceptable behavior, as Sophie itself was written just to see
if a file is infected, as well as the fact that the message is stopped
whether qmail-scanner-queue finds 1 virus or 1000 viruses. Not to mention,
the possibility of an e-mail message having multiple viruses is plenty slim,
and as long as you catch 1, it's all good. However, since you can't just
give a path to the remotely-running version of Sophie, you have to send a
file request one at a time. So this makes it possible to scan each file
individually, whether a previous file was infected or not. If the general
consensus is to stop after the first infection is found, I can change the
code to act that way.
5) I'm sure there's more issues, but we'll cross those bridges when we get
to 'em.
Ok, now the fun part:
Adding this on is easy and you don't have to reconfigure qmail-scanner-queue
to do it.
1) BACK UP THE ORIGINAL qmail-scanner-queue.pl FILE. Don't come crying to
me if you skip this step.
2) (optional) Edit /etc/services. Add "sophnet 4009/tcp" to it somewhere.
Change the port as necessary, but the default is port 4009. Since I used
IO::Socket::INET, this gives me the option to first check /etc/services for
the appropriate service port number, and fall back on the default 4009 port
if it's not found.
3) Save sophnet.pl somewhere and edit the configuration settings.
# CONFIGURATION
# Remote host - Host that is running Sophie
$remhost = "localhost";
# Report port - Port number to use.
$remport = "sophnet(4009)";
# Block size
$blksize = 5120;
# END CONFIGURATION
Change $remhost (using localhost w/ sophienet is rather silly, but hey, do
what you want) to the server that's running the remote version of Sophie.
Change $remport only if you configure Sophie to use some other port. Even
then, editing /etc/services instead of changing this setting is preferred.
Change it to $remport = 4009; if you want to skip the lookup altogether.
This may help speed things up a minuscule amount but will help heavily
loaded servers.
Change $blksize to some number. $blksize is there because sophienet has to
send the file to the remote host. sysread()'ing the file all at once is
painful and uses a lot of memory (read a whole 16MB at once, you'll use 16MB
more of memory). So instead, the code was written to send the file in
chunks. Recommended setting is either the default, or a best estimate on
the average size of attachments. If you most regularly get 32KB
attachments, setting this to 32768 would save on disk I/O. If you have so
much physical RAM that it's bleeding out of the case, set it higher. The
testing program, again available upon request, can be used to experiment
with this setting.
4) See step 1 if you decided to skip it
5) Copy sophnet.pl to the END of qmail-scanner-queue.pl.
ex: cat sophnet.pl >> qmail-scanner-queue.pl
6) Edit qmail-scanner-queue.pl and look for a line like:
#Array of virus scanners used must point to subroutines
my @scanner_array=("sophie_scanner");
Add "sophienet_scanner" to the list (or if you're daring, replace the
existing one):
#Array of virus scanners used must point to subroutines
my @scanner_array=("sophienet_scanner", "sophie_scanner");
7) Save qmail-scanner-queue.pl and watch your SMTPD logs closely. If you
have any problems, save the error messages, and restore the backup copy you
should've made in step 1.
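For those who want to see what the two settings in step 3 actually do before
plugging the module in, here is a small added example. It is NOT the attached
sophnet.pl and does not implement the Sophie network protocol (how the daemon
expects the file to be framed and how it answers is not described in this
post, so that part is left as a comment). It only shows the IO::Socket::INET
"service(port)" form that resolves $remport through /etc/services and falls
back to 4009, and a sysread/syswrite loop that streams a file in $blksize
pieces so memory stays bounded no matter how large the attachment is. The
hostname scanner.example.com and the 10-second connect timeout are assumed
values.

```perl
#!/usr/bin/perl -w
# Added example, not the attached sophnet.pl. Shows the $remport service
# lookup with numeric fallback and chunked file transfer with $blksize.
# The Sophie request/response framing is NOT shown; fill it in from the
# real module before using this against a live scanner.
use strict;
use IO::Socket::INET;

my $remhost = "scanner.example.com";   # assumed host running Sophie
my $remport = "sophnet(4009)";         # /etc/services name, fallback 4009
my $blksize = 5120;

# Connect to the remote Sophie. Timeout applies to connect() only; keep it
# well under Sophie's --with-timeout so a dead scanner host fails fast
# instead of holding qmail-scanner-queue until its own alarm fires.
sub connect_sophie {
    my ($host, $port) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,      # "sophnet(4009)" or a plain 4009
        Proto    => 'tcp',
        Timeout  => 10,         # assumed value, seconds
    ) or die "cannot connect to $host:$port: $@\n";
    return $sock;
}

# Copy $path to $sock in $blksize pieces. sysread/syswrite bypass stdio
# buffering, and the inner loop handles short writes, which are normal on
# a TCP socket under load. Returns the number of bytes sent.
sub send_file_chunked {
    my ($sock, $path, $blksize) = @_;
    open(my $fh, '<', $path) or die "open $path: $!\n";
    binmode($fh);
    my ($buf, $total, $n) = ('', 0, 0);
    while (defined($n = sysread($fh, $buf, $blksize)) && $n > 0) {
        my $off = 0;
        while ($off < $n) {
            my $w = syswrite($sock, $buf, $n - $off, $off);
            die "write to scanner failed: $!\n" unless defined $w;
            $off += $w;
        }
        $total += $n;
    }
    die "read $path: $!\n" unless defined $n;   # sysread error, not EOF
    close($fh);
    return $total;
}

my $file = shift @ARGV or die "usage: $0 file\n";
my $sock = connect_sophie($remhost, $remport);
my $sent = send_file_chunked($sock, $file, $blksize);
# Sophie-specific request and reply handling belongs here.
$sock->close;
print "sent $sent bytes in chunks of $blksize\n";
```

Run it as "perl example.pl /path/to/attachment" with a listener on the
target port (even a plain netcat listener is enough to watch the chunking
and the service lookup). Raising $blksize only changes how many read and
write calls the loop makes per file; peak memory stays at roughly one
block, which is the whole point of not sysread()'ing the file at once.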
Enjoy, and feedback is welcome.
John Narron | "Sacrifice, they always say
Network Administration | Is a sign of nobility
CDS/CDSinet, LLC | But where does one draw the line
http://www.cdsinet.net | In the face of injury?"
(660) 886 4045 | - Queensryche
Attachment: sophnet.pl (Perl program)
