This question is out of date
InterScan VirusWall is available as a
download from Trend Micro.
UC has a site license. The serial number for the license is
IVEF-9997-0258-6837-5455.
InterScan VirusWall locations on DOP Servers
To change the password, log on to the mail server
cd /etc/iscan
/usr/local/apache/bin/htpasswd .htpasswd admin
It might be worth turning off the virus scanner website, since the departmental scanner says it has problems.
To do this, do
mv /etc/rc2.d/S99IScanHttpd /etc/init.d/IScanHttpd
/etc/init.d/IScanHttpd stop
To start it up, do
/etc/init.d/IScanHttpd start
Manual Upgrade of Virus Pattern
The virus pattern gets updated every day.
Sometimes it is necessary to upgrade the virus pattern
by hand with a provisional virus pattern.
To do this, see the instructions at
http://www.trendmicro.com/download/pattern.asp
- Go to the local iscan website and note the pattern
number under "Pattern Update".
- Download the latest file from
http://www.trendmicro.com/ftp/products/pattern/cpr/
- Untar it in
/etc/iscan
cd /etc/iscan
tar -xf /tmp/ptnNN.tar
- Restart the scanner by going to the local iscan
website, go to "Turn On/Turn Off", click on "Off"
then click on "On".
- Go to "Pattern Update" and verify that the
version number was bumped up.
Unfortunately, the Interscan VirusWall update does not
work under Solaris 10, so we wrote
/usr/local/adm/trendpatternupdate:
#!/bin/sh
# Sadly, Trend Micro's update does not work under Solaris 10.
#
# If you use this, update root's crontab to look like:
# #0 * * * * /etc/iscan/prescan.cgi
# 30 * * * * /bin/csh -c "/usr/local/adm/trendpatternupdate" > /tmp/trendpatt
ernupdate.log 2>&1
# Download the latest pattern tar file
updateURL=`lynx -dump http://www.trendmicro.com/download/viruspattern.asp | gr
ep http://www.trendmicro.com | grep ".tar" | awk '{print $2}'`
cd /tmp
# wget -nv means "turn off verboseness, without being quiet."
wget -nv $updateURL
tarfile=/tmp/`basename $updateURL`
maillog=/tmp/trendpatternupdate_mail.txt
echo "Downloaded $tarfile:" > $maillog
echo "`ls -l $tarfile`" >> $maillog
# Check to what we last updated to.
lastpatternfile=`ls -1tr /etc/iscan/lpt*vpn.[0-9]* | tail -1`
lastpatternnumber=`echo $lastpatternfile | awk '{print substr($0,length($0)-2,
3)}'`
newpatternnumber=`basename $updateURL | awk '{print substr($0,4,3)}'`
# Only update if we have to
if [ "$lastpatternnumber" = "$newpatternnumber" ]; then
cat $maillog
echo "$0: patterns are the same: ($lastpatternnumber == $newpatternnumber)
, no need to restart"
rm -f $tarfile
exit
fi
echo "$0: Updating from $lastpatternnumber to $newpatternnumber" >> $maillog
# Untar and restart the daemon
cd /etc/iscan
tar -xf $tarfile
/etc/rc2.d/S99ISmaild stop
sleep 1
shouldBeEmpty=`/bin/ps -ef | grep /etc/iscan/isdelvd | grep -v grep`
if [ "x$shouldBeEmpty" != "x" ]; then
echo "$0: WARNING: /etc/rc2.d/S99ISmaild stop failed to stop, isdelvd is s
till running" >> $maillog
echo "$shouldBeEmpty" >> $maillog
fi
/etc/rc2.d/S99ISmaild start
shouldNotBeEmpty=`/bin/ps -ef | grep /etc/iscan/isdelvd | grep -v grep`
if [ "x$shouldNotBeEmpty" = "x" ]; then
echo "$0: WARNING: /etc/rc2.d/S99ISmaild failed to start, run" >> $maillog
echo "/etc/rc2.d/S99ISmaild by hand" >> $maillog
fi
echo "Restarted isdelvd:" >> $maillog
echo "$shouldNotBeEmpty" >> $maillog
/usr/ucb/Mail -s "Trend Pattern Update: `basename $updateURL" root < $maillog
cat $maillog
rm -f $tarfile
This script runs every hour, downloads the latest
file and then restarts the daemon if necessary.
InterScan VirusWall Upgrade Instructions
The upgrade instructions are fairly similar to the
complete installation instructions below
InterScan VirusWall Installation instructions
Note:If you are running Sendmail 8.13 or later,
you may need to mess with MSP.
See http://kb.trendmicro.com/solutions/search/main/search/solutionPrint.asp?solutionID=15724
- Go to the
Trend Micro DOWNLOAD website
and choose "InterScan VirusWall".
- Download the Solaris version, not the
"Solaris - Sendmail version"
- If prompted, Go to the "Already a customer" box and enter the first 6 characters of the serial number to download the file.
- Untar the file into /home/tools/viruswall.
There is a PDF manual included in the download, which you should read over
to plan how to install it. The following notes are what I have done to
install it initially on gigascale.
- The installation script will ask for the full 24-character string serial number to unlock the software.
IVEF-9997-0258-6837-5455
-
As root, run the installation script:
% cd /home/tools/viruswall
% ./isinst
- Un-select FTP, HTTP subsystems to install, leaving just
Base System, CGI Admin system, and E-Mail system.
- When prompted, specify the iscan home directory as /export/home/iscan,
instead of default /home/iscan.
- Don't start up on exit of isinst.
-
Edit /etc/iscan/S99ISmaild, changing all instances of "ps" to "/bin/ps".
-
Set up the home directory for the user, iscan:
-
% cd /home
% ln -s /export/home/iscan .
% cd /home/iscan
% mkdir logs
% chown iscan.iscan logs
% mkdir virus
% chown iscan.iscan virus
Fix iscan's password and home directory:
-
Edit /etc/passwd, changing iscan's home directory
from /export/home/iscan to /home/iscan.
-
Edit /etc/shadow and replace the password field for iscan
with a copy of the password field for www.
Fix the SSL certificate for the admin web application:
Bring up the administration web tool at
https://www.gigascale.org:8443/interscan.
-
As delivered, the user ID is "admin", and the password is "admin".
-
Click "Change Password" and change the password to match www's password.
-
Click "Configuration" in the left margin.
-
Check the box by "E-Mail Scan" to enable it.
-
Click the "Configuration" button by "E-Mail Scan".
-
Select the "Daemon mode" radio button, instead of "Command mode".
Leave port number as 10025.
-
Change "Email scan log file location" to "/home/iscan/logs/log".
-
In the "Notifications:" subsection, uncheck
"Warning to recipients" and "Warning to sender"
-
In the "Action on Viruses:" subsection, change "Quarantine Directory:"
setting to "/home/iscan/virus".
-
In the "Miscellaneous" subsection, change the "Temporary directory location"
to "/export/home1/tmp".
-
Select "Source relay check:" so as to avoid
Open Relay problems.
-
Leave the rest of the page w/ default settings.
-
Click "Apply" at the bottom.
-
Go back to the "E-Mail Scan" Configuration page, and click
"Additional Email Options" button.
-
Change local domain to "
localhost #127.0.0.1
#128.32.48.209 #128.32.48.160 #128.32.48.161
gigascale.eecs.berkeley.edu gigascale.org chess.eecs.berkeley.edu
embedded.eecs.berkeley.edu"
-
Click "Apply" at the bottom.
-
Click "Administration" link in left margin.
Change both log file locations to "/home/iscan/logs/log".
Click "Apply".
-
Click "Turn On/Off" in the left margin, and click the "On" button.
Restart sendmail:
On Solaris:
% /etc/rc2.d/S88sendmail stop
% /etc/rc2.d/S88sendmail start
On Linux:
% /etc/init.d/sendmail stop
% /etc/init.d/sendmail start
Test virus scanning by sending an email with the a test attachment obtainable
at
http://www.trendmicro.com/vinfo/testfiles.
If you send a test virus, you will likely need
to turn off virus checking on the sending machine.
Also, carefully check the headers of the email
message and the virus log on the server to be sure
that relay.eecs is not intercepting the virus
before it gets to gigascale
You can also try pasting the following uuencoded
version of eicar.com into a message
begin 755 eicar.com.uu
M6#5/(5 E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.
95$E625)54RU415-4+49)3$4A)$@K2"H-"C=]
end
Make sure that the machine is not configured to
be and Open Relay
by
Note that you can also edit etc/iscan/intscan.ini
and add relay ip addresses by hand, then
restart sendmail as above. You may also need to
restart the webserver, otherwise the java apps might
not see the changes.
In mh on doppler, I needed to edit
/opt/nmh-1.0.4/etc/mts.conf
# List of smtp servers to try if using smtp support
servers: localhost
so that users on the clients could use mh to
send email to domains outside of eecs.
chylands at yahoo.com: post: unexpected response; [RPLY] 554 <>... Relay operation rejected
send: message not delivered to anyone
Another thing to try would be the smart server
entry in sendmail.cf
How do we scan for viruses?InterScan VirusWall, from
Trend Micro,
is the software we use to
screen all mail handled by gigascale for viruses, as it is
received.
It runs as a daemon process, called isdelvd,
that listens to port 25, the default port for sendmail.
It checks any attachments to mail messages for various kinds of viruses.
If any are found, it removes the virus from the attachment if possible,
or else removes the attachment altogether, saving it in a quarantine
directory, /home/iscan/virus.
It then adds text to the message saying what it did
(if any virus was found),
and sends the message on to sendmail, which now listens
to port 10025, to be delivered to the recipient.
InterScan VirusWall has a web-based administration tool, at
https://www.gigascale.org:8443/interscan.
It prompts for an ID and password.
The ID is "admin",
and the password is www's password.
There is a PDF manual for it, which is in the infrax forum
article,
InterScan VirusWall Manual.
Allen also has a hard copy of the manual.
Log files
InterScan VirusWall logs information to
/home/iscan/logs/log.<date> as it processes email
messages.
Information about viruses it detects is logged to
/home/iscan/logs/virus.log.<date>.
Updates
The software automatically gets "pattern" updates from Trend Micro
once a week for recognizing the latest viruses.
The scheduling of these updates is configurable from the administration
tool, and updates can be done manually.
Problems with local mail
It looks like commands like
Mail -v postmaster
Don't work.
cxh@bennett 33% Mail -v postmaster
Subject: A test to postmaster
Body Message
.
EOT
cxh@bennett 34% postmaster... Connecting to [127.0.0.1] via relay...
220-InterScan Version 3.81-Build_1098 $Date: 11/24/2005 15:38:0005$: Ready
220 bennett.EECS.Berkeley.EDU ESMTP Sendmail 8.13.6/8.12.9; Wed, 17 Dec 200
8 11:16:40 -0800 (PST)
>>> EHLO bennett.EECS.Berkeley.EDU
250-bennett.EECS.Berkeley.EDU Hello localhost [127.0.0.1], pleased to meet
you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-DELIVERBY
250 HELP
>>> VERB
250 2.0.0 Verbose mode
>>> MAIL From: SIZE=78
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
050 ... aliased to root
503 Need RCPT (recipient)
050 root... aliased to cxh@eecs.berkeley.edu, marys@eecs.berkeley.edu
250 2.1.5 ... Recipient ok
>>> RSET
250 2.0.0 Reset state
/home/eecs/cxh/dead.letter... Saved message in /home/eecs/cxh/dead.letter
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 bennett.EECS.Berkeley.EDU closing connection
The secret is that the IScan log file
12/17/2008 11:16:40 smtp[11790]: smtp[133]: << 503 Need RCPT (recipient)(By ISUX)
The message likely comes from ISSMTP/IScan.SMTP/issmtpd, or at least the strings
command shows that
503 Need MAIL before RCPT
(By ISUX)
orcpt=
ORCPT anti-relay skipped - [
check rcpt:
orcpt=
ORCPT anti-relay skipped -- [
554 <
>... Relay operation rejected
original server timeout/disconnect while waiting RCPT command response.
RCPT command Response (
): Not add recipient address(
) in the list.
rset
helo
which indicates that the mail is being rejected because
of a problem with RCPT, such as the fact that we
are not accepting mail that does not have a domain.