Dr.Web for UNIX Mail Servers Functions

This Manual describes management aspects of Dr.Web for UNIX Mail Servers anti-virus software designed for GNU/Linux and FreeBSD. The manual is designed for a person responsible for anti-virus protection and security ("Administrator" hereinafter).

Dr.Web for UNIX Mail Servers is an anti-virus solution designed to protect file servers running under GNU/Linux from viruses and other types of malicious software, and to prevent distribution of the threats designed for all popular operating systems including mobile platforms.

Dr.Web for UNIX Mail Servers provides you with the following features:

1. Detection and neutralization of threats. Searches for malicious programs (for example, viruses, including those that infect mail files and boot records, Trojans, mail worms) and unwanted software (for example, adware, joke programs, dialers).

The following methods are used for threat detection:

- Signature analysis, which detects known threats.

- Heuristic analysis, which detects threats that are not yet present in the virus databases.

- The Dr.Web Cloud service, which collects up-to-date information about recent threats and sends it to Dr.Web products.

Note that the heuristic analyzer may raise false positives. Objects in which the analyzer detects a threat are therefore classified as “suspicious”. It is recommended to quarantine such files and send them to the Doctor Web anti-virus laboratory for analysis.

Scanning at the user's request can be performed in two modes: full scan (all file system objects) and custom scan (selected objects: directories or files that satisfy the specified criteria). The user can also start a separate scan of volume boot records and of the executables of currently running processes. In the latter case, if a malicious executable is detected, it is neutralized and all processes started from that file are forcibly terminated.

2. Email message scanning. The product supports the following modes of email message scanning:

External filter mode, connected to the mail server (MTA). The product can be integrated into any mail server that supports one of the external filter interfaces Milter, Spamd or Rspamd. In this mode, at the initiative of the MTA, every email that arrives at the mail server is passed through the connection interface to Dr.Web for UNIX Mail Servers and scanned. Depending on the capabilities of the interface, Dr.Web for UNIX Mail Servers, operating as a filter, can:

Inform the mail server of the scan results. In this case the mail server must process the email message itself according to the results received (reject delivery, add headers, or modify the email contents if the scan result reports a threat).

Command the mail server to skip or reject an email message.

Modify an email message by adding the indicated headers or removing detected malicious or unwanted content. Removed malicious content is attached to the email message as a password-protected archive. The recipient can request the password for unpacking the archive from the mail server administrator. If required, though not recommended, the administrator can configure the use of archives that are not password-protected.

Note: Sending commands to the mail server and returning a modified email message are supported only by the Milter interface. The Spamd and Rspamd interfaces do not allow Dr.Web for UNIX Mail Servers to send commands to the server or to return a modified message; one of two verdicts is returned to the server: “email message is spam” or “email message is not spam”. In this case, to modify a rejected email message indirectly, you can use the rule action REJECT <description>. The <description> parameter, if specified, is used as the value of the Message header that the MTA adds to the email along with the scan result message.

Note: Scanning of email messages for signs of spam may be unavailable depending on the distribution.

Transparent proxy mode for mail protocols. In this mode the product (using SpIDer Gate) acts as a proxy server embedded in the data channel between MTAs and/or MUAs, invisible to both communicating parties, and scans the transmitted messages. It can be embedded transparently into the main mail protocols: SMTP, POP3 and IMAP. In this mode, and depending on what the protocol allows, Dr.Web for UNIX Mail Servers can pass the email message on to the recipient (unmodified, with added headers, or repacked) or block its delivery, including returning the correct protocol error to the sender or the recipient.

Note: The transparent proxy mode is available only for GNU/Linux.

Depending on the distribution and settings, Dr.Web for UNIX Mail Servers scans email messages for:

- malicious attachments that contain threats;

- links to malicious websites or to websites from unwanted categories;

- signs of spam (both using the automatically updated spam filtering rule base and by checking whether the sender's address is present in DNSxL black lists);

- compliance with security criteria set independently by the administrator of the mail system (scanning of message bodies and headers using regular expressions).
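As an added illustration (not the product's own code), the DNSxL check mentioned above, following RFC 5782: the sender's IP address is reversed into a query name under the list zone, a 127.0.0.x answer means "listed", and the zone is first verified with the mandatory 127.0.0.2 / 127.0.0.1 test entries so that a dead or wildcarded zone cannot produce false spam verdicts. The zone names, the resolver and the listed addresses are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# A resolver maps a DNS name to its A records (empty list = NXDOMAIN); it is
# injected so the example runs offline against the constructed zone below.
Resolver = Callable[[str], List[str]]

def dnsxl_query_name(addr: str, zone: str) -> str:
    """Build the DNSxL lookup name per RFC 5782: reversed address labels + zone."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # 192.0.2.10 -> 10.2.0.192
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # 32 nibbles, one per label
    return ".".join(labels) + "." + zone.strip(".")

def dnsxl_lookup(addr: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x verdict code if addr is listed in zone, else None."""
    for rr in resolve(dnsxl_query_name(addr, zone)):
        if rr.startswith("127."):  # only loopback answers are valid DNSxL verdicts
            return rr
    return None

def dnsxl_zone_usable(zone: str, resolve: Resolver) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not.
    A zone failing it is dead, retired or wildcarded and must not drive verdicts."""
    return (dnsxl_lookup("127.0.0.2", zone, resolve) is not None
            and dnsxl_lookup("127.0.0.1", zone, resolve) is None)

def classify_sender(addr: str, zone: str, resolve: Resolver) -> str:
    """Verdict for one sending IP: 'zone-unusable', 'listed:<code>' or 'not-listed'."""
    if not dnsxl_zone_usable(zone, resolve):
        return "zone-unusable"
    code = dnsxl_lookup(addr, zone, resolve)
    return f"listed:{code}" if code else "not-listed"

# Constructed sample zone (not a real blocklist): the RFC 5782 test entry, one
# listed IPv4 and one listed IPv6. 'wildcard.example' simulates a retired zone
# that answers "listed" for every name.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],
    dnsxl_query_name("2001:db8::1", "dnsbl.example"): ["127.0.0.4"],
}

def stub_resolver(name: str) -> List[str]:
    if name.endswith(".wildcard.example"):
        return ["127.0.0.2"]
    return CONSTRUCTED_ZONE.get(name, [])
```

Calling `classify_sender("192.0.2.10", "dnsbl.example", stub_resolver)` yields a listed verdict, while the same query against `wildcard.example` is refused as `zone-unusable` instead of being treated as spam.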

To check links to unwanted websites that may be present in email messages, the automatically updated database of web resource categories distributed along with Dr.Web for UNIX Mail Servers is used. Dr.Web Cloud is also queried to check whether the web resource mentioned in the email message has been marked as malicious by other Dr.Web products.