Mail Protection for Enterprises User's Guide Antivirus Antispyware Antispam Copyright 2006 SOFTWIN
BitDefender Mail Protection for Enterprises User's Guide
SOFTWIN
Published 2006.06.16
Version 1.0.2176
Copyright 2006 SOFTWIN

Legal Notice

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from an authorized representative of SOFTWIN. The inclusion of brief quotations in reviews may be possible only with the mention of the quoted source. The content cannot be modified in any way.

Warning and Disclaimer. This product and its documentation are protected by copyright. The information in this document is provided on an as is basis, without warranty. Although every precaution has been taken in the preparation of this document, the authors will not have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work. This book contains links to third-party Websites that are not under the control of SOFTWIN, therefore SOFTWIN is not responsible for the content of any linked site. If you access a third-party website listed in this document, you will do so at your own risk. SOFTWIN provides these links only as a convenience, and the inclusion of the link does not imply that SOFTWIN endorses or accepts any responsibility for the content of the third-party site.

Trademarks. Trademark names may appear in this book. All registered and unregistered trademarks in this document are the sole property of their respective owners, and are respectfully acknowledged.
BitDefender Mail Protection for Enterprises As every cat owner knows, nobody owns a cat.
Table of Contents

License and Warranty ... xi
Preface ... xv
  1. Conventions used in this book ... xv
    1.1. Typographical conventions ... xv
    1.2. Admonitions ... xvi
  2. The book structure ... xvii
  3. Request for Comments ... xviii
Description and features ... 19
  1. Overview ... 21
    1.1. Why BitDefender? ... 21
    1.2. Data Security Division ... 22
    1.3. SOFTWIN ... 23
  2. Product features ... 25
    2.1. BitDefender Mail Protection for Enterprises ... 25
    2.2. Key Features ... 26
  3. BitDefender architecture ... 27
    3.1. The core modules ... 27
    3.2. The integration agents ... 29
      3.2.1. Sendmail ... 29
      3.2.2. qmail ... 29
      3.2.3. Courier ... 30
      3.2.4. CommuniGate Pro ... 30
      3.2.5. SMTP Proxy ... 30
      3.2.6. Postfix ... 31
  4. The BitDefender Technology ... 33
    4.1. The BitDefender Antivirus ... 33
      4.1.1. The Scanning Engines ... 34
      4.1.2. The Archive Logic ... 36
    4.2. Antispam ... 36
      4.2.1. Neural networks ... 37
      4.2.2. The Antispam Laboratory ... 37
      4.2.3. Signatures filter ... 37
      4.2.4. Newsletters ... 38
      4.2.5. Phishing ... 38
      4.2.6. The Bayesian filter ... 38
      4.2.7. Specialized filters ... 38
      4.2.8. The black list / white list filter ... 39
      4.2.9. Antispam workflow ... 41
Installation ... 43
  5. Prerequisites ... 45
    5.1. System requirements ... 45
      5.1.1. Hardware system requirements ... 45
      5.1.2. Software system requirements ... 46
      5.1.3. Mail servers minimum required versions ... 46
      5.1.4. Additional Perl modules ... 47
    5.2. Package naming convention ... 47
      5.2.1. Linux convention ... 48
      5.2.2. FreeBSD convention ... 48
  6. Package installation ... 49
    6.1. Getting BitDefender Mail Protection for Enterprises ... 49
    6.2. Test the package for integrity ... 49
      6.2.1. Test the rpm and deb packages ... 49
      6.2.2. Test the self-extractable archive ... 50
      6.2.3. Test the FreeBSD tbz packages ... 50
    6.3. Install the package ... 51
      6.3.1. Install the rpm package ... 51
      6.3.2. Install the deb package ... 51
      6.3.3. Install the self-extractable archive ... 51
      6.3.4. Install the FreeBSD package ... 53
    6.4. The installer ... 53
    6.5. MTA integration ... 55
      6.5.1. CommuniGate Pro ... 55
      6.5.2. Courier ... 56
      6.5.3. Sendmail Milter ... 57
      6.5.4. qmail ... 57
      6.5.5. Postfix ... 58
      6.5.6. SMTP ... 59
  7. Uninstall ... 61
    7.1. Uninstall the rpm package ... 61
    7.2. Uninstall the deb package ... 61
    7.3. Uninstall using the self-extractable archive ... 62
    7.4. Uninstall the FreeBSD package ... 62
      7.4.1. Uninstall a locally downloaded package ... 62
      7.4.2. Uninstall from the ports collection ... 62
Using BitDefender ... 65
  8. Configuration ... 67
    8.1. Basic configuration ... 67
    8.2. Group management ... 68
  9. Start-up and Shut-down ... 71
    9.1. Start-up ... 72
    9.2. Shut-down ... 72
    9.3. Restart ... 73
  10. Product registration ... 75
  11. BitDefender status output ... 77
    11.1. Process status ... 77
    11.2. Basic information ... 78
    11.3. Statistical report ... 79
  12. Testing BitDefender ... 81
    12.1. Antivirus test ... 81
      12.1.1. Infected email attachment ... 82
      12.1.2. Infected attached archive ... 82
    12.2. Antispam test ... 83
  13. Updates ... 85
    13.1. Automatic update ... 85
      13.1.1. Time interval modification ... 85
      13.1.2. Live! Update proxy configuration ... 86
    13.2. Manual update ... 86
    13.3. PushUpdate ... 87
    13.4. Patches ... 87
  14. BitDefender Remote Admin ... 89
    14.1. Status ... 89
      14.1.1. Services ... 89
      14.1.2. License ... 90
      14.1.3. About ... 90
    14.2. Policies ... 90
      14.2.1. Default Settings ... 90
      14.2.2. Groups ... 92
      14.2.3. Group settings ... 92
    14.3. Quarantine ... 94
      14.3.1. Mail Quarantine ... 94
      14.3.2. Monitor Quarantine ... 95
    14.4. Protocols ... 96
      14.4.1. SMTP ... 96
      14.4.2. CommuniGate Pro ... 97
      14.4.3. Courier ... 97
      14.4.4. qmail ... 97
      14.4.5. Sendmail Milter ... 97
    14.5. Maintenance ... 98
      14.5.1. Registry ... 98
      14.5.2. Product Updates ... 98
      14.5.3. Signature Updates ... 98
      14.5.4. Live! Update ... 98
    14.6. Reports ... 99
      14.6.1. Logging ... 99
      14.6.2. Statistics ... 99
      14.6.3. Notifications ... 100
  15. SNMP ... 101
    15.1. Introduction ... 101
    15.2. Installation ... 101
    15.3. The NET-SNMP plugin ... 102
      15.3.1. Prerequisites ... 102
      15.3.2. Configuration ... 102
      15.3.3. Walking through the MIBs ... 103
      15.3.4. Get and set values ... 103
    15.4. The BitDefender Logger plugin ... 104
      15.4.1. Prerequisites ... 104
      15.4.2. Configuration ... 105
      15.4.3. Usage ... 107
    15.5. Troubleshooting ... 108
Getting help ... 109
  16. Support ... 111
    16.1. Support department ... 111
    16.2. On-line help ... 111
      16.2.1. BitDefender Knowledge Base ... 111
      16.2.2. BitDefender Unix Servers Mailing List ... 112
    16.3. Contact information ... 113
      16.3.1. Web addresses ... 113
      16.3.2. Address ... 113
Appendices ... 115
  A. Supported antivirus archives and packs ... 117
  B. Alert templates ... 121
    B.1. Variables ... 121
    B.2. Sample results ... 122
      B.2.1. MailServer Alert ... 122
      B.2.2. Sender Alert ... 124
      B.2.3. Receiver Alert ... 125
      B.2.4. KeyWillExpire Alert ... 126
      B.2.5. KeyHasExpired Alert ... 127
  C. Footer templates ... 129
    C.1. Variables ... 129
    C.2. Sample results ... 130
      C.2.1. Clean ... 130
      C.2.2. Ignored ... 131
      C.2.3. Disinfected ... 131
Glossary ... 133
License and Warranty

IF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS DO NOT INSTALL THE SOFTWARE. BY INSTALLING OR USING THE SOFTWARE IN ANY WAY, YOU ARE INDICATING YOUR COMPLETE UNDERSTANDING AND ACCEPTANCE OF THE TERMS OF THIS AGREEMENT.

This License Agreement is a legal agreement between you (either an individual or a single entity end user) and SOFTWIN SRL for use of the SOFTWIN software product identified above, which includes computer software and may include associated media, printed materials, and "online" or electronic documentation ("BitDefender"), all of which are protected by U.S. and international copyright laws and international treaty protection. By installing, copying, or otherwise using the BitDefender, you agree to be bound by the terms of this agreement. If you do not agree to the terms of this agreement, do not install or use the BitDefender; you may, however, return it to your place of purchase for a full refund within 30 days after your purchase. Verification of your purchase may be required.

BitDefender LICENSE

BitDefender is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The BitDefender is licensed, not sold.

GRANT OF LICENSE. SOFTWIN SRL hereby grants you and only you the following non-exclusive license to use BitDefender:

APPLICATION SOFTWARE. You may install and use one copy of the BitDefender, or any prior version for the same operating system, on a single computer terminal. The primary user of the computer on which the BitDefender is installed may make one additional (i.e. second) copy for his or her exclusive use on a portable computer.

NETWORK USE. You may also store or install a copy of the BitDefender on a storage device, such as a network server, used only to install or run the BitDefender on your other computers over an internal network; however, you must purchase and dedicate a separate license for each separate computer terminal on which the BitDefender is installed or run from the storage device. A license for the BitDefender may not be shared or used concurrently on different computers or computer terminals. You should purchase a license pack if you require multiple licenses for use on multiple computers or computer terminals.

LICENSE PACKS. If you purchase a License Pack and you have acquired this License Agreement for multiple licenses of BitDefender, you may make the number of additional copies of the computer software portion of the BitDefender specified above as "Licensed copies." You are also entitled to make a corresponding number of secondary copies for portable computer use as specified above in the section entitled "Application Software".

TERM OF LICENSE. The license granted hereunder shall commence on the date that you install, copy or otherwise first use BitDefender and shall continue only on the computer on which it is initially installed.

UPGRADES. If the BitDefender is labeled as an upgrade, you must be properly licensed to use a product identified by SOFTWIN as being eligible for the upgrade in order to use the BitDefender. A BitDefender labeled as an upgrade replaces and/or supplements the product that formed the basis for your eligibility for the upgrade. You may use the resulting upgraded product only in accordance with the terms of this License Agreement. If the BitDefender is an upgrade of a component of a package of software programs that you licensed as a single product, the BitDefender may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.

COPYRIGHT. All right, title and interest in and to BitDefender and all copyright rights in and to the BitDefender (including but not limited to any images, photographs, logos, animations, video, audio, music, text, and "applets" incorporated into the BitDefender), the accompanying printed materials, and any copies of the BitDefender are owned by SOFTWIN SRL. The BitDefender is protected by copyright laws and international treaty provisions. Therefore, you must treat the BitDefender like any other copyrighted material except that you may install the BitDefender on a single computer provided you keep the original solely for backup or archival purposes. You may not copy the printed materials accompanying the BitDefender. You must produce and include all copyright notices in their original form for all copies created irrespective of the media or form in which BitDefender exists. You may not sub-license, rent, sell, or lease BitDefender. You may not reverse engineer, recompile, disassemble, create derivative works, modify, translate, or make any attempt to discover the source code for BitDefender.

LIMITED WARRANTY. SOFTWIN SRL warrants that the media on which BitDefender is distributed is free from defects for a period of thirty days from the date of delivery of BitDefender to you. Your sole remedy for a breach of this warranty will be that SOFTWIN SRL, at its option, may replace the defective media upon receipt of the damaged media, or refund the money you paid for BitDefender. SOFTWIN SRL does not warrant that BitDefender will be uninterrupted or error free or that the errors will be corrected. SOFTWIN SRL does not warrant that BitDefender will meet your requirements. SOFTWIN SRL HEREBY DISCLAIMS ALL OTHER WARRANTIES FOR BITDEFENDER, WHETHER EXPRESSED OR IMPLIED. THE ABOVE WARRANTY IS EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, WHETHER EXPRESSED OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. THIS WARRANTY GIVES YOU SPECIFIC LEGAL RIGHTS. YOU MAY HAVE OTHER RIGHTS, WHICH VARY FROM STATE TO STATE.

DISCLAIMER OF DAMAGES. Anyone using, testing, or evaluating BitDefender bears all risk to the quality and performance of BitDefender. In no event shall SOFTWIN SRL be liable for any damages of any kind, including, without limitation, direct or indirect damages arising out of the use, performance, or delivery of BitDefender, even if SOFTWIN SRL has been advised of the existence or possibility of such damages. SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN NO CASE SHALL SOFTWIN SRL'S LIABILITY EXCEED THE PURCHASE PRICE PAID BY YOU FOR BITDEFENDER. The disclaimers and limitations set forth above will apply regardless of whether you accept or use, evaluate, or test BitDefender.

IMPORTANT NOTICE TO USERS. THIS SOFTWARE IS NOT FAULT-TOLERANT AND IS NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUS ENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. THIS SOFTWARE IS NOT FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION, NUCLEAR FACILITIES, OR COMMUNICATION SYSTEMS, WEAPONS SYSTEMS, DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, OR ANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT IN DEATH, SEVERE PHYSICAL INJURY OR PROPERTY DAMAGE.

GOVERNMENT RESTRICTED RIGHTS/RESTRICTED RIGHTS LEGEND. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of Commercial Computer Software-Restricted Rights clause at 48 CFR 52.227-19, as applicable. Contact SOFTWIN SRL, at 5, F-ca de Glucoza str., 72322-Sect.2, Bucharest, Romania, or at Tel No: 40-21-2330780 or Fax: 40-21-2330763.

GENERAL. This Agreement will be governed by the laws of Romania and by the international copyright regulations and treaties. This Agreement may only be modified by a license addendum, which accompanies this Agreement or by a written document which has been signed, by both you and SOFTWIN SRL. This Agreement has been written in the English language only and is not to be translated or interpreted in any other language. Prices, costs and fees for use of BitDefender are subject to change without prior notice to you. In the event of invalidity of any provision of this Agreement, the invalidity shall not affect the validity of the remaining portions of this Agreement. BitDefender and BitDefender logos are trademarks of SOFTWIN SRL. Linux is a registered trademark of Linus Torvalds. All other trademarks are the property of their respective owners.
Preface

This User's Guide is intended for all system administrators who have chosen BitDefender Mail Protection for Enterprises as the security solution for their email servers. The information presented in this book is not only suitable for computer specialists; it is accessible to anyone who is able to do administrative tasks on a Linux or UNIX box.

This book describes BitDefender Mail Protection for Enterprises and the company and team who built it, guides you through the installation process and teaches you how to configure it in detail. You will find out how to use BitDefender Mail Protection for Enterprises and how to update, interrogate, test and customize it. You will learn how to integrate it with various software and how to get the best from BitDefender.

We wish you a pleasant and useful read.

1. Conventions used in this book

1.1. Typographical conventions

Several text styles are used in the book for improved readability. Their appearance and meaning are presented in the table below.

Appearance: Description
variable: Variables and some numerical data are printed in monospaced characters.
http://www.bitdefender.com: URL links point to an external location on HTTP or FTP servers.
<support@bitdefender.com>: Email addresses are inserted in the text for contact information.
Chapter 6 Package installation (p. 49): An internal link to a location inside the document.
filename: Files and directories are printed in a monospaced font.
ENV_VAR: Environment variables are printed in MONOSPACED CAPITALS.
emphasized: Emphasized text is specially marked to require your attention.
quoted text: Quoted text is provided as reference.
command: Inline commands are printed in bold characters.
# command -parameter: Command examples are printed in bold monospaced characters in a specially marked environment. The prompt can be one of the following:
    #  The root prompt. You should be root in order to run this command.
    $  The normal user prompt. You do not need special privileges to run the command.
screen output: Screen output and code listings are printed in monospaced characters in a specially marked environment.

1.2. Admonitions

Admonitions are in-text notes, graphically marked, that bring additional information related to the current paragraph to your attention.

Note: The note is just a short observation. Although you can omit it, notes can provide valuable information, such as a specific feature or a link to some related topic.

Important: This requires your attention and it is not recommended to skip over it. Usually it provides non-critical but significant information.

Warning: This is critical information you should treat with increased caution. Nothing bad will happen if you follow the indications. You should read and understand it, because it describes something extremely risky.

2. The book structure

The book consists of four parts, covering the major topics: Description and features, Installation, Using BitDefender and Getting help. Moreover, a glossary and UNIX manual pages are provided to clarify some aspects of BitDefender which could raise technical problems.

Description and features. A short introduction to BitDefender. It explains who BitDefender is and who SOFTWIN and its Data Security Division are. You are presented BitDefender Mail Protection for Enterprises, its features, the product components and the basics of the integration and scanning mechanisms.

Installation. Step-by-step instructions for installing BitDefender on a system. Starting with the prerequisites for a successful installation, you are guided through the whole installation process. Finally, the uninstall procedure is described in case you need to remove BitDefender.

Using BitDefender. Description of basic administration and maintenance of BitDefender. You are presented the BitDefender configuration tools, how to get run-time information, how to test the antivirus efficiency, how to perform updates and how to register the product.

Getting help. Where to look and whom to ask for help if something goes wrong. You are presented the Knowledge Base and given the contact information of BitDefender and BitDefender partners to call, if needed.

Appendices. The Appendices present exhaustive information about configuration and email templates and in-depth discussions of tricky parts.

Glossary. The Glossary explains some technical and uncommon terms you will find in the pages of this book.

3. Request for Comments

We invite you to help us improve the book. We have tested and verified all of the information to the best of our ability, but you may find that features have changed (or even that we have made mistakes). Please write to tell us about any flaws you find in this book or how you think it could be improved, to help us provide you the best documentation possible. Let us know by sending an email to <documentation@bitdefender.com>.
Description and features
1. Overview

BitDefender provides security solutions to satisfy the protection requirements of today's computing environment, delivering effective threat management for over 41 million home and corporate users in more than 100 countries. Designed to provide full protection for corporate networks and systems, the BitDefender solution range comprises, besides antivirus protection, antispam, personal firewall and security management solutions. BitDefender also specializes in providing assistance with designing and establishing content security policies for corporate networks.

BitDefender Professional was the third product of its kind in the world to receive ICSA certification for Windows XP and the first to be awarded for groundbreaking innovation by the European Commission and Academies. BitDefender Antivirus is certified by all the major reviewers in the antivirus field: ICSA Labs, CheckMark, CheckVir, TÜV and Virus Bulletin.

BitDefender is headquartered in Bucharest, Romania and has offices in Tettnang, Germany, Barcelona, Spain and Florida, US. Website: http://www.bitdefender.com

1.1. Why BitDefender?

Proven. The most reactive antivirus producer. BitDefender's fast reaction to computer virus epidemics was confirmed beginning with the outbreaks of CodeRed, Nimda and Sircam, as well as Badtrans.B and other dangerous, fast-spreading malicious code. BitDefender was the first to provide antidotes against these codes and to make them freely available on the Internet to all affected people. Now, with the continuous spread of the Klez virus in various versions, immediate antivirus protection has once more become a critical need for any computer system.

Innovative. Awarded for innovation by the European Commission and EuroCase. BitDefender has been proclaimed a winner of the European IST Prize, awarded by the European Commission and by representatives of 18 academies in Europe. Now in its eighth year, the European IST Prize is a reward for groundbreaking products that represent the best of European innovation in information technology.

Comprehensive. Covers every single point of your network, providing complete security. BitDefender security solutions for the corporate environment satisfy the protection requirements of today's business environment, enabling management of all complex threats that endanger a network, from a small local area network to large multi-server, multi-platform WANs.

Your Ultimate Protection. The final frontier for any possible threat to your computer system. As virus detection based on code analysis has not always offered good results, BitDefender has implemented behavior-based protection, providing security against newly created malware.

These are the costs that organizations want to avoid and that security products are designed to prevent:
- Worm attacks
- Communication loss because of infected e-mails
- E-mail breakdown
- Cleaning and recovering systems
- Lost productivity experienced by end users because systems are not available
- Hacking and unauthorized access that causes damage

Several further improvements and benefits can be achieved by using the BitDefender security suite:
- Increase network availability by stopping the spread of malicious code attacks (e.g. Nimda, Trojan horses, DDoS).
- Protect remote users from attacks.
- Reduce administrative costs and deploy rapidly with BitDefender Enterprise management capabilities.
- Stop the spread of malware through e-mail, using BitDefender e-mail protection at the company's gateway.
- Temporarily or permanently block unauthorized, vulnerable and expensive application connections.

1.2. Data Security Division

Ever since the beginning, SOFTWIN's Data Security Division has approached data protection in a specific manner, with the first intelligent update requiring no user intervention, the first remote antivirus management through WAP technology and the first Personal Firewall integrated with an antivirus engine, to provide a complete response to today's complex security threats.

Born to provide full data security at all critical levels in today's business environment, the Data Security Division aims to ensure the protection of systems against computer viruses, to do antivirus research, to develop new technologies for monitoring all possible ways to infect a system and, last but not least, to educate the IT&C public on the danger of computer viruses.

BitDefender security solutions satisfy the protection requirements of today's business environment, enabling management of all complex threats that endanger a network, from a small local area network to large multi-server, multi-platform WANs.

1.3. SOFTWIN

Bucharest-based SOFTWIN is the leading provider of complex software solutions and services in Romania. SOFTWIN focuses on providing software solutions and services that enable fast-growing companies to solve critical business challenges and to capitalize on new business opportunities. SOFTWIN enables companies to focus on their core business and expand to new markets by outsourcing non-core activities.

SOFTWIN employs over 500 highly qualified professionals experienced in developing customized solutions and services. Since its establishment in 1990, SOFTWIN's average annual revenue has increased by over 30%. SOFTWIN has 4 divisions, which also define the company's main business lines:
- Customer Relationship Management
- Business Information Solutions
- econtent Solutions
- Data Security Solutions

SOFTWIN provides services and solutions to customers worldwide. Over 90% of the company's turnover is achieved from exports to the US and the European Union. Using cutting-edge technologies, SOFTWIN has successfully completed over 500 software development projects and over 3,500 content structuring projects for international partners, has over 43 million data security solution users in 80 countries worldwide and handles more than 1,500,000 client calls annually for CRM services.
2. Product features

The acquisition and installation of an antivirus product for the company's mail server is the most efficient way of preventing the infection of a computer and the spreading of viruses inside the company, and outside the company as well, through the most common way of communication, e-mail. BitDefender Mail Protection for Enterprises is a secure content inspection solution which provides antivirus and antispam protection at the gateway level, scanning all inbound and outbound e-mail traffic for known and unknown malware (viruses and spam). This product integrates itself with the following mail servers: Sendmail (with libmilter support), qmail, Courier, CommuniGate Pro. BitDefender SMTP Proxy can be used as a content-scanning SMTP proxy when a different mail server is installed (even on non-Linux platforms, like Postfix, Lotus Domino and MS Exchange). Additionally, BitDefender Mail Protection for Enterprises features the antispam filter, offering several antispam technologies: an improved heuristic filter, Bayesian filter, WhiteList and BlackList, URL Filter, Image and Multipurpose Filter.

2.1. BitDefender Mail Protection for Enterprises

BitDefender Mail Protection for Enterprises is the solution SOFTWIN offers for complete antivirus, antispyware and antispam filtering protection at the gateway level. The product is designed and implemented in a modular manner, so it can easily adapt to any work environment. All the messages received by the server are scanned using the BitDefender scan engines. This technology detects all the viruses present in the attachments; BitDefender features built-in support for more than 80 packed file formats, including RAR, ZIP, ARJ, LZH, LHA, ACE, GZIP, TARGZ, JAR, UUE, MIME or CAB archives, no matter how they were created (self-extractable, multivolume, etc.). If the message is clean, it will be sent to the mail recipient.
In case an infection is found, it will be treated according to the selected option (disinfection, deletion or isolation in the quarantine area) and alarm messages will be sent to the persons responsible for network security and management.
2.2. Key Features

De-congestion of communication flows, sorting legitimate mail from malware and spam at the gateway level.
The BitDefender AV engines featuring the B-HAVE technology.
Proactive perimeter security against known and unknown viruses, Trojans, worms and spam.
Mail archiving for backup and redundancy services.
Perfect integration with e-mail servers without downtime or additional changes to the company's infrastructure.
Compatibility and stability ensured by the RedHat Ready certification.
Five update technologies including ground-breaking Update Pushing directly from SOFTWIN's servers, to minimize the vulnerability window in case of virus outbreaks.
SNMP support.
Automatic and incremental update of virus definitions and scanning engines directly from BitDefender servers.
Detailed logging system reflecting system activity, e-mail traffic, found viruses, actions taken against infected objects, update processes, license validity, notices and warnings.
Fastest reaction time in response to new virus outbreaks, as reviewed by AV-Test, Virus Bulletin, PC-Welt and others.
Web-based remote administration through a nice and easy console.
Detailed statistics and reports regarding the number of scanned files, infected files, deleted and disinfected files.
Custom message disclaimers for scanned e-mails, whether found clean or infected.
Custom alarm messages through e-mail regarding critical events in BitDefender activity.
Internal WatchDog to ensure the solution's uptime.
3. BitDefender architecture

BitDefender is a highly complex modular structure. It is made up of several central components and additional modules, each of them having a specific task assigned. The modules are loaded during BitDefender startup and enabled or not, according to the user's preferences. On a UNIX-like system, these components run as daemons, on one or multiple threads, and communicate with each other.

3.1. The core modules

Listed by their file names, the core modules are the following.

bdmond: The BitDefender Core Monitor is the supervisor of several BitDefender modules. When one of them crashes, the Core Monitor isolates the object causing the crash in a special quarantine directory, notifies the administrator and restarts the involved module. Thus, even if one process dies, the whole filtering activity is not disturbed, ensuring continuous server protection.

bdscand: This is the BitDefender Scan Daemon. Its purpose is to integrate the scanning engines and to receive scanning requests from several daemons, such as the mail daemon or the file daemon. It scans the objects, takes the necessary actions and sends back the object and the scanning results.

bdmaild: The BitDefender Mail Daemon has the role of receiving scanning requests from the MTA integration agents. It calls the Scan Daemon to perform the scan and waits for the scanning results from it. Then it applies its actions and sends back the results to the MTA integration agent.

bdregd: The BitDefender Registry is made up of the bdregd program and a set of XML files, where it stores the BitDefender configuration. The daemon receives requests to read from and to write to the settings file, requests initiated by the other processes. The Registry can receive requests from other hosts too, using a secured TCP connection on port 8138. All remote communication is done using SSL (Secure Socket Layer). This is only useful when you are using a Remote Admin Console, possibly running on a non-UNIX operating system. If not, for security reasons, it is recommended to keep this feature disabled (it is disabled by default).

Manually editing the Registry: Even if the XML files are human-readable (and writable, too), you should never try to edit them manually. Due to their high complexity, the XML files should only be modified by means of the provided configuration tools, such as the bdsafe command or the Remote Administration Consoles.

bdlogd: The BitDefender Logger is a complex component, handling all logging and notification actions of BitDefender. There are several types of logging, all of them implemented by plugins.
file logging: the data is sent to a normal log file, following a typical format.
mail notification: alerts are sent by e-mail to the server administrator or to the sender and the receivers of an e-mail, on special events (such as an infected e-mail being found).
Real Time Virus and Spam Report: anonymous statistics are sent to BitDefender Labs to keep a map of malware activity and to detect outbreaks.
SNMP: notifications can be sent through the SNMP protocol to designated hosts.

bdlived: The BitDefender Live! Update is the module responsible for updating the scanning engines and some other BitDefender components. The module runs continuously and periodically checks the update server. It can also be triggered manually or by the Update Pushing mechanism.

More about Live! Update: BitDefender Live! Update and the update process are described in Chapter 13 Updates (p. 85).
3.2. The integration agents

The message's body and attachments are verified in order to detect infected files, back doors, trojans and worm files, to prevent their spreading into the network. Only the clean messages are delivered to the mail clients or sent further to mail recipients outside the company. The infected messages are treated according to the administrator's option: disinfection, deletion or isolation in a certain location on the server, the quarantine zone.

3.2.1. Sendmail

The Sendmail agent is the filtering solution for the Sendmail e-mail server with the Milter interface. Milter allows third-party programs to access mail messages through several callbacks. Incoming e-mail normally arrives at Sendmail, from local or remote machines. Through the Milter interface, Sendmail allows the BitDefender agent to inspect the e-mail. The agent calls the BitDefender core to scan it and, after scanning, the results are passed through the Milter interface back to Sendmail, which delivers the message as usual, if there is something left to deliver.

Figure: Sendmail integration

3.2.2. qmail

Inside the qmail MTA, qmail-queue is the central component. All the e-mails coming from local or remote senders pass through this component. Therefore, capturing the e-mail traffic can be achieved by capturing the traffic of qmail-queue. Remote or local incoming e-mails are first passed to the BitDefender qmail integration agent. This sends them to the BitDefender core for scanning and then to the original qmail-queue, which delivers them as usual. From the qmail point of view, the filtering process is transparent.

Figure: qmail integration
3.2.3. Courier

The central module of the Courier system is submit, a uniform mechanism for adding a message to the mail queue. Capturing its traffic means capturing the server's traffic. Remote or local incoming e-mails are first passed to the BitDefender Courier integration agent, named bdcourier. This passes them to the BitDefender core for scanning and then to the original submit, which enqueues them as usual. From the Courier point of view, the filtering process is transparent.

Figure: Courier integration

3.2.4. CommuniGate Pro

The BitDefender integration agent must be incorporated by CommuniGate Pro, using its own filtering mechanism, in order to receive the e-mail traffic. Remote or local incoming e-mails are passed to the BitDefender CommuniGate Pro agent, registered as an intrinsic filter. This calls the BitDefender core to scan the e-mails and then passes them back to the MTA, which processes them as usual.

Figure: CommuniGate Pro integration

3.2.5. SMTP Proxy

The SMTP integration varies with each other MTA. Since we cannot cover all possible variants, we offer a short description of the integration and let you figure out how to apply it to your SMTP server.
Incoming e-mail arrives on port 25 of the machine. On this port, it is not the original Mail Transport Agent that is listening, but a special BitDefender component, the SMTP Proxy module. On receiving the message, the BitDefender agent passes it to the BitDefender core for scanning. The core does the usual scanning and passes the results back to the agent. If the message is found clean, or if there is something left to pass to the MTA, the BitDefender SMTP Proxy agent contacts the MTA on the new port it is configured to listen on, by default 10025, and sends it the e-mail, pretending to come from the original source. The whole filtering process is transparent to the Mail Transport Agent.

Figure: SMTP Proxy integration

BitDefender and MTA on different machines: BitDefender SMTP Proxy can be installed on one machine, passing the scanned e-mails to the MTA running on another machine. In this case, the MTA can listen on the default SMTP port, 25, as usual.

3.2.6. Postfix

The Postfix integration agent is virtual: there is no specific BitDefender component to perform the MTA integration. Instead, for Postfix you can use the general SMTP Proxy agent, adequately configured. Briefly, the integration is made using the external, medium-weight, real-time content inspection method, as described in the original Postfix documentation. There are two Postfix processes running. The first one, listening on the standard SMTP port, receives all the incoming traffic and does the usual e-mail filtering. The second one, listening on a higher port, by default 10026, receives the e-mail from the filter and sends it to the standard processing. In the middle, there is the BitDefender Postfix agent listening on another higher port, 10025 by default. It receives all the traffic passed from the first process, passes it to the BitDefender core for scanning and finally sends the traffic to the second Postfix process.

Figure: Postfix integration
4. The BitDefender Technology

Behind the BitDefender Mail Protection for Enterprises product, behind the program binaries, configuration files and user interface, you will find the BitDefender technology: the powerful antivirus engines and antispam filters.

4.1. The BitDefender Antivirus

This is an executive summary of the architecture, design and general structure of the BitDefender Antivirus. The BitDefender Antivirus System presents a pluggable and distributed architecture that is based on distinct scanning engines for different types of files and malware. Its distinct plug-ins can be loaded on the fly, one for each kind of malware, without reconfiguring the whole system or restarting it. Each type of malware is dealt with by a plug-in which can detect and possibly disinfect or clean the given malware type. As an example, the Antispyware modules were integrated into BitDefender 9 Internet Security right alongside the antivirus-specific ones. Plugins function sequentially (i.e. they take turns at checking each file) to detect malware like viruses, worms, trojans, exploits and also spyware. The plugin architecture is such that the plugins can pass messages between themselves. The modularized architecture used to build BitDefender has contributed to its ability to be used in a variety of environments ranging from embedded systems to workstations and high-end servers, in desktop, dedicated or generic server solutions. BitDefender Antivirus technology is integrated in a diverse range of products from Data Becker, G Data, GFI, Hauri, Ipswitch, Laplink, Software 602, Bullguard, and others. BitDefender Antivirus is portable and platform independent, presenting compatibility at the binary level for any IA32-based operating system (such as Windows, Linux, FreeBSD) and at the source code level for other OSes.
An added side benefit of having portable binaries is that the BitDefender Antivirus is effectively isolated and largely independent from the host OS, which makes adding detection routines a relatively straightforward process that does not have to be repeated for each OS to deal with compatibility issues.
The BitDefender Antivirus is differentiated into two main components:

The Scanning Engines
The Archive Logic

4.1.1. The Scanning Engines

The scanning engines are comprised of modules which are continually being developed to offer full protection against all types of malware including, but not limited to: executable viruses, script viruses, macro viruses, backdoors, trojans, spyware, dialers, etc. Every virus family benefits from a dedicated scan engine which was designed in accordance with the class characteristics.

High speed.
Multi-threading architecture.
Low memory consumption.
100% disinfection for In The Wild viruses as certified by ICSA Labs and Checkmark.

Figure: BitDefender Antivirus System

Proactive detection of viruses, including various versions of very well known viruses such as Win32.Bagle, Win32.Zafi, Win32.Sober. Using this technology, BitDefender can detect suspicious activity common to P2P worms, e-mail worms, antivirus killer programs and many others. The optimized emulation procedure enables BitDefender to analyze the behavior of all file types in a virtual machine without significant performance impact. The scanning engines benefit from a number of technologies which have been implemented over time.

Classic antivirus scanning (pattern matching)

In February 2006, BitDefender had in its database over 270 thousand malware signatures (of which only 256 thousand were viruses and worms, and the rest spyware). This is not to say, however, that BitDefender can detect only 270 thousand pieces of malware: the addition of generic signatures means that many related virus or spyware threats are described with one signature, so the actual number is much higher. The generic signatures can also help to protect against new variants of old malware.
Heuristic Scanning

Heuristics in Virtual Environment (HiVE) combines many different techniques to proactively detect malware. HiVE is the basis for:

Behavior-based heuristics
Generic detection routines
Virtual Machine for VB scripts
Virtual Machine for BAT/CMD scripts
VB script emulator
Virtual Machine for executable files (PE, MZ, COM, SYS, Boot Images)

HiVE is by now a thoroughly proven technology and is responsible for some spectacular results. According to the independent German testing outfit AV-Test, BitDefender antivirus was capable of detecting six out of six variants of the Zotob virus without the need for a signature update. The PC World test held in January of the current year nominated BitDefender as the best antivirus where detection of new/unknown viruses is concerned. The HiVE technology also acts as a force multiplier for other, more traditional forms of defense. For example, files which emerge from the HiVE environment (OLE components, dropped executables, etc.) are then filtered by the other modules, possibly even in a recursive manner (where they are afterwards returned to the HiVE component for a second opinion), or go straight into the more classical heuristic filters. In addition to content-based heuristics, which are now in wide use even among our competitors, HiVE implements behavior-based heuristics, which reduce false positives enormously and increase detection rates for new malware.

Exploit detection code

Special detection routines can be (and have been) added to the BitDefender Antivirus to root out exploit code, such as the recent unpatched WMF exploit. Thus, sometimes detection is available for worms using a new exploit long before the actual worms are written.
4.1.2. The Archive Logic

The BitDefender Antivirus archive logic component is built around the concept of in-depth scanning, which means that it can be configured to scan embedded archives down to any depth, while still being relatively impregnable against zip bombs or other forms of DoS attack against itself.

Generic unpacking for executables packed with new packers. 80% of new viruses appearing in the wild use some form of packing, but packing applications are legion, and more are created every day. Generic unpacking routines allow for variations in packing format, and so can unpack new or unknown types of packed files.

Scanning support for over 18 types of archivers and more than 100 packers (including UPX, NeoLite, ASPack, PECrypt, pklite and self-extractable files, SFX) as well as the majority of installation packers and mail archive types.

The BitDefender Antivirus has cleaning support for .zip, mail databases, .gzip, .cab and other types of archives. The archives are unpacked, files are checked, cleaned and then repacked. For a complete list of BitDefender supported archives, please see the Appendix Supported antivirus archives and packs (page 117).

4.2. Antispam

BitDefender Antispam employs remarkable technological innovations and industry standard antispam filters to weed out spam before it reaches the user's Inbox. In our field, performance means high detection rates and very few false positives. That's why we have packed together 7 powerful filters. A central dispatcher analyzes each message on the fly and decides which filters must be employed, according to each message's characteristics. When the dispatcher has built enough confidence, it labels the message as spam, phishing or legitimate. Spam messages sell different things and have different contents, but some are very similar in aspect. That's why one of our filters is specialized in aspect analysis.
It knows what certain spam categories look like, and it can detect new spam even though we don't know what it advertises, based mostly on its aspect. Even better, it can add confidence to the other filters' conclusions when they deal with known spam. Most spam has at least some common traits: either the way the spammers tried to hide their tracks, the product they're advertising, some idiomatic expressions ("Notice from PayPal account management"), or more sophisticated characteristics related to HTML code or mail headers. Our analysts have gathered hundreds of these traits (in our jargon we call them rules) and are adding more of them and refining old ones every day. These rules are needed for two very important filters: the Neural Net filter and the Signatures filter.

4.2.1. Neural networks

When we create detection rules, our antispam analysts consider the spam messages that are available to us. Even though there are millions of them, it's impossible to consider each one thoroughly. That's why we've created a powerful filter using a Neural Network (a concept borrowed from the field of Artificial Intelligence). The most important feature of the Neural Network (NNet) is that we have trained it in the Antispam Labs, allowing it to look at a lot of spam messages. Much like a child in school, it has learned to distinguish between spam and legitimate e-mails, and its formidable advantage is that it can recognize new spam by perceiving similarities (oftentimes very subtle) between the new messages it sees and the messages it has learned. This approach (both reactive and proactive) is similar to the heuristics used by antivirus products.

4.2.2. The Antispam Laboratory

In the Antispam Lab we analyze spam from all over the world, gathered through special discreet trap addresses, and update our rules, signatures, NNet and databases accordingly. Most of the rules are hand-picked or refined by experienced and knowledgeable analysts, which ensures a minimal false-positive rate and broad coverage of spam types.

4.2.3. Signatures filter

Another powerful filter is based on a quite simple idea. Oftentimes, spammers send a wave of several million spam messages, most of them very similar.
The differences between these messages are fairly small and are meant to fool antispam filters: random words or paragraphs, forged addresses etc. Having enough samples of a specific spam wave, the Antispam Lab analysts can extract the common features of such messages (both form- and content-related) and publish a signature that accurately detects all messages of that type. This Signature filter has practically a zero false positive rate, because its signatures are aimed at very specific types of spam.

4.2.4. Newsletters

Newsletters are a tough challenge for many antispam solutions, because some of them can be easily confused with spam even by a human. Newsletters can significantly increase the false positive rate of a product. That's why this category was given special consideration: we've designed a specific portion of our heuristics to detect newsletters. Once the antispam engine is convinced that the message is a newsletter, it will mark it as legitimate and thus make sure that it gets to the Inbox rather than the Junk folder.

4.2.5. Phishing

Phishing is the most dangerous type of spam, and phishers (the villains who use these scams) go to great lengths to cover their tracks and make sure that their messages look as authentic as possible, fooling as many users as possible. And that's where our anti-phishing technology comes in: it detects their attempts to copy the look and feel, the disguises, the forgeries and the attempts to fool the user.

4.2.6. The Bayesian filter

We know that not all of our users will agree with us when classifying a message as spam or legitimate. For instance, a doctor talking about Viagra with his patients will certainly need to customize his filters. That's why we've added the Bayesian filter. Every user can train it by example, and make it learn what messages are spam and what messages are legitimate (from specific examples in the user's mailbox). After enough learning, the Bayesian filter is adapted to the specifics of the legitimate and spam messages the user usually receives, and it becomes a powerful factor in the decision process.

4.2.7. Specialized filters

Almost all spam links to a site: whether they want us to buy cheap Rolexes or enter our login and password on a fake Citibank site, they have a link.
The URL filter detects these links and looks them up in a database created and maintained (via update) by our lab. If a message links to a forbidden site, the odds are high that it's spam. Some messages have image attachments, and we have the Image filter to detect them and compare them to a database of known spam images, which is also maintained and updated by our lab. Some e-mail users send and receive mail mostly in one or two languages. The Charset filter can be instructed to detect messages written in other languages (for instance Asian languages, or Cyrillic) and mark them as spam. This comes in handy when the user is certain that they will not receive mail in these languages. American law demands that all sexually explicit advertisement e-mails be marked as such, with "sexually explicit" in their subject. BitDefender Antispam can detect these messages and mark them as spam directly.

4.2.8. The black list / white list filter

The black list / white list filter can be very useful when the user wants to block incoming messages from a certain sender (blacklist), or when the user wants to make sure that all messages from a friend or a newsletter arrive in the Inbox, regardless of their contents. The black list / white list filter is often called the Friends / Spammers list. It can define allow or deny lists both for individual e-mail addresses and for entire domain names (for instance all mail from any employee of bigcorporation.com).

Add friends to the white list: We recommend that you add your friends' names and e-mail addresses to the white list. BitDefender will not block messages from those on the list; therefore, adding them ensures that legitimate messages get through.

The two lists are plain text files, containing one entry per line. The entries may be usual e-mail addresses or domain names, respecting the following format.

Format             Description
user@domain.com    Matches only the specified user from the specified domain.
user@domain.*      Matches the specified user from any domain whose name starts with the specified text.
user@*.com         Matches the specified user from any domain with the .com suffix (for example).
*@domain.com       Matches all users from the specified domain.
*@domain.*         Matches all users from all domains starting with the specified text.
*.com              Matches all users from all domains with the .com suffix (for example).
user@*             Matches the specified user from all domains.
user*              Matches all users whose names start with the specified text, regardless of the domain.
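The entry formats in the table above, implemented as an added example (this is not BitDefender's own code): each list entry becomes an anchored regular expression in which only "*" is a wildcard, and the classifier applies the list check as the first, process-stopping step of the antispam workflow described in 4.2.9. Two assumptions the guide does not state: matching is case-insensitive, and the white list (friends) is consulted before the black list (spammers).

```python
"""Friends / Spammers list matcher for the BitDefender list entry formats.

Added example, not BitDefender's code. "*" matches any run of characters;
every other character in an entry is matched literally. Assumptions not
stated in the guide: case-insensitive matching, and the white list is
consulted before the black list.
"""
import re
from typing import List, Optional, Pattern


def entry_to_regex(entry: str) -> Pattern[str]:
    """Translate one list entry into an anchored regular expression.

    Only "*" is a wildcard. ".", "@" and everything else are escaped, so
    "user@domain.com" cannot accidentally match "user@domainXcom".
    """
    parts = (re.escape(part) for part in entry.strip().split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_list(text: str) -> List[Pattern[str]]:
    """Parse the plain-text list format: one entry per line, blank lines ignored."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line:                      # a blank line carries no entry
            patterns.append(entry_to_regex(line))
    return patterns


def matches_any(address: str, patterns: List[Pattern[str]]) -> bool:
    """True when the sender address matches at least one list entry."""
    address = address.strip()
    return any(p.match(address) for p in patterns)


def classify_sender(address: str, white_list: List[Pattern[str]],
                    black_list: List[Pattern[str]]) -> Optional[str]:
    """First step of the antispam workflow: a list hit stops the analysis.

    Returns "legitimate" or "spam" on a hit, or None when neither list
    matched and the remaining filters have to decide.
    """
    if matches_any(address, white_list):   # friends first (assumption)
        return "legitimate"
    if matches_any(address, black_list):
        return "spam"
    return None


# Constructed sample lists, written exactly as the two files would hold them.
FRIENDS = parse_list("""
alice@example.com
*@bigcorporation.com
newsletter@*
""")

SPAMMERS = parse_list("""
*.biz
promo*
*@spam-domain.*
""")


if __name__ == "__main__":
    for addr in ("Alice@Example.com", "bob@bigcorporation.com",
                 "promo2024@somewhere.org", "carol@shop.biz",
                 "dave@spam-domain.net", "erin@unknown.org"):
        print(f"{addr:26} -> {classify_sender(addr, FRIENDS, SPAMMERS)}")
```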
4.2.9. Antispam workflow

Whenever a message comes to BitDefender Antispam for analysis, it passes through some of the filters, in a given order. First of all, the sender address is analyzed to see if it qualifies for the blacklist or the whitelist. If so, the message is labeled accordingly (spam or legitimate) and the process stops. The charset and sexually explicit filter is used afterwards, and if the message is detected as either exotic or sexually explicit (by the label), it is categorized directly as spam and the analysis stops.

Figure: BitDefender Antispam System

The Image filter comes next: this is also a pass-or-fail test. If the message has a forbidden picture, it is labeled directly as spam. The URL filter follows with its own conclusions, and it can add a great deal of confidence towards the spam decision if it finds that the message contains a URL from the database of known spam sites. The Bayesian filter is then called, and it returns a score. The higher the score, the greater the chance that the message is spam. It also returns a degree of confidence in its own decision (based on how much it has trained on spam and legitimate messages from the user's Inbox). Next comes the aspect filter, which extracts significant information about the message's appearance and compares it to a complex set of visual patterns that it has learned. This information will be used further in the analysis. The signature filter runs next, and it can decide whether the message is spam or legitimate by matching it with any known patterns. If the message is detected as spam or phishing, the process stops and the message is labeled as such. Last, but not least, comes the NNet filter, which analyzes all the message's features and returns a category (spam, phishing or legitimate), a score and a degree of confidence in its own decision. Finally, the results of the URL, Bayes and NNet filters are combined and weighted using a hand-tuned formula that also accounts for the filters' degree of confidence in their own decisions. At the end, the algorithm returns a spam score and eventually one of three categories (spam, phishing or legitimate). The filter's aggressiveness is determined by a series of inputs: a score threshold and aggressiveness suggestions for the filters and rules.
Installation
5. Prerequisites

BitDefender Mail Protection for Enterprises can be installed on package-based Linux distributions (rpm or deb) and tbz-based FreeBSD versions. Other distributions are supported by using a pseudo-package system, with the same functionality as the dedicated ones. These packages are bzip2-compressed tars and include all the necessary pre-install, post-install, pre-remove and post-remove scripts. The adequate package type should be installed according to the distribution.

5.1. System requirements

Before installing BitDefender Mail Protection for Enterprises, you must verify that your system meets the following system requirements.

5.1.1. Hardware system requirements

Processor type: x86 compatible, minimum 800MHz, but do not expect great performance in this case. An i686 generation processor, running at 1.4GHz, would be a better choice.
Memory: The minimum accepted value is 128MB; 256MB is recommended, for better performance.
Free disk space: The minimum free disk space to install and run BitDefender Mail Protection for Enterprises is 60MB. But the log and the quarantine directories will require more space; 200MB of free space would be welcome.
Internet connection: Although BitDefender Mail Protection for Enterprises will run with no Internet connection, the update procedure will require an active HTTP link, even through a proxy server. Therefore, for up-to-date protection, the Internet connection is a MUST.
05 Installation Prerequisites 5.1.2. Software system requirements Linux requirements The Linux kernel should be 2.2, 2.4 or 2.6, the recommended one is 2.6, with support for a fast file system, which works well with multiple small files, such as ext3 or reiserfs. BitDefender requires glibc version 2.3.1, or newer, and libstdc++ from gcc 3.2.2 or newer. The supported Linux distributions are the next ones. RedHat enterprise Linux 3 or newer SuSE Linux Enterprise Server 9 or newer Suse Linux 8.2 or newer RedHat Linux 9 Fedora Core 1 or newer Debian GNU/Linux 3.1 or newer Slackware 9.x or newer Mandrake/Mandriva 9.1 or newer FreeBSD requirements The supported FreeBSD versions are 5.3-RELEASE and newer and 6.0-RELEASE and newer with compat5x. FreeBSD 4 is no longer supported. 5.1.3. Mail servers minimum required versions Sendmail version 8.12.1, with Milter interface Postfix any 2.x version qmail 1.03 version at least Courier 0.42.x versions at least CommuniGate Pro 4.18 version at least 46
SMTP             any SMTP server able to listen on a port other than 25

5.1.4. Additional Perl modules

During the installation, the bdsafe tool requires some additional Perl modules. These modules may be provided by the installed Linux distribution, and it is recommended to use those. If the distribution lacks the modules, you can always install them via CPAN, the Comprehensive Perl Archive Network. You will need an active Internet connection in order to select and download the files. The modules are the following.

- Term::ANSIColor
- File::Find
- File::Temp

Start the Perl CPAN shell. You have to be root to perform the installation.

# perl -MCPAN -e shell

If this is the first time you use the CPAN shell, you will be asked a number of questions, including network preferences such as selecting a mirror and configuring the connection through a proxy server. Select the closest mirror and configure the networking according to your policy. Next, run the following commands.

cpan> install Term::ANSIColor
cpan> install File::Find
cpan> install File::Temp

Each module will be searched for, downloaded, compiled and installed on your system.

5.2. Package naming convention

The BitDefender Mail Protection for Enterprises packages are named according to the following scheme.
5.2.1. Linux convention

The Linux package names respect the following rule.

BitDefender-mpe-{ver}.{os}.{arch}.{pkg}.run

{ver}   The package version. For example, 2.0-1 is version 2, subversion 0, package build 1.
{os}    The operating system, Linux.
{arch}  The architecture, which contains the processor class and the gcc compiler version. i586 is the current development version.
{pkg}   The package management tool used to install the files. This is one of rpm, deb or run. rpm uses the Red Hat Package Manager, deb uses the Debian package system and run is a self-extractable archive, the most portable method.

Please install the appropriate package for your system, as described in the next chapters.

5.2.2. FreeBSD convention

There are two FreeBSD packages, named as follows.

bitdefender-common-{ver}.tbz
bitdefender-mail-{ver}.tbz

Here {ver} is the package version. For example, 2.0_1 is version 2, subversion 0, package build 1.
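The naming scheme above is simple enough to check by machine, which is useful in a deployment script that should refuse a file that does not fit it. The following is an added example and not part of the guide or of the BitDefender tools: two POSIX shell functions that split a Linux package name and a FreeBSD package name into the fields of the scheme. The sample names are constructed; "linux" as the {os} value is an assumption (the guide only says the operating system is Linux), and the .tar suffix seen in Section 6.3.3 is accepted alongside rpm, deb and run.

```sh
# parse_linux_pkg NAME
# Prints "ver os arch pkg" on one line, or returns 1 if NAME does not
# follow BitDefender-mpe-{ver}.{os}.{arch}.{pkg}.run.
parse_linux_pkg() {
    _name=${1##*/}                       # strip any directory part
    case "$_name" in
        BitDefender-mpe-*.*.*.*.run) ;;  # at least four dot-separated fields
        *) return 1 ;;
    esac
    _rest=${_name#BitDefender-mpe-}      # ver.os.arch.pkg.run
    _rest=${_rest%.run}                  # ver.os.arch.pkg
    # Peel the fields off the right so that dots inside {ver} (2.0-1) survive.
    _pkg=${_rest##*.};  _rest=${_rest%.*}
    _arch=${_rest##*.}; _rest=${_rest%.*}
    _os=${_rest##*.};   _ver=${_rest%.*}
    [ -n "$_ver" ] || return 1
    case "$_pkg" in
        rpm|deb|tar|run) ;;              # package types named in the guide
        *) return 1 ;;
    esac
    printf '%s %s %s %s\n' "$_ver" "$_os" "$_arch" "$_pkg"
}

# parse_bsd_pkg NAME
# Prints "component ver" for bitdefender-{common,mail}-{ver}.tbz, else returns 1.
parse_bsd_pkg() {
    _name=${1##*/}
    case "$_name" in
        bitdefender-common-*.tbz|bitdefender-mail-*.tbz) ;;
        *) return 1 ;;
    esac
    _rest=${_name#bitdefender-}          # component-ver.tbz
    _rest=${_rest%.tbz}                  # component-ver
    _comp=${_rest%%-*}
    _ver=${_rest#*-}
    [ -n "$_ver" ] || return 1
    printf '%s %s\n' "$_comp" "$_ver"
}

# Constructed sample names: one of each kind plus one that must be refused
# (an unknown {pkg} value).
for f in BitDefender-mpe-2.0-1.linux.i586.rpm.run \
         bitdefender-common-2.0_1.tbz \
         BitDefender-mpe-2.0-1.linux.i586.zip.run; do
    parse_linux_pkg "$f" || parse_bsd_pkg "$f" || echo "refused: $f"
done
```

The fields are peeled from the right on purpose: the version field is the only one allowed to contain dots, so stripping the known trailing fields first leaves it intact without having to know how many dots it holds.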
Package installation Installation 06

6. Package installation

This chapter explains how to install BitDefender on a Unix-like system, such as Linux or FreeBSD. This is pretty straightforward: get the desired package, test it for integrity, then install it.

6.1. Getting BitDefender Mail Protection for Enterprises

The package can be downloaded from the BitDefender servers or found on distribution media, such as CD-ROM. When downloading from the BitDefender servers, you will be asked to fill in a form and you will receive an email at the address you provided in this form. The email contains the download location. The Linux package comes in three flavours.

- rpm, for distributions using the RedHat Linux package management
- deb, for distributions using the Debian Linux packaging system
- tar, a self-extractable archive, suited for any other distribution

The FreeBSD packages are tbz (.tar.bz2) compressed archives, adequate for FreeBSD starting from version 5.

6.2. Test the package for integrity

Before you begin the installation process, we recommend checking that the installation kit is not corrupted (this can happen sometimes, especially if you downloaded it).

6.2.1. Test the rpm and deb packages

For increased security, the rpm and deb packages are GPG signed. To test the packages' integrity, you can verify their signature. First, you need to fetch the BitDefender Packages GPG key (key id: 0x0EC4FE05) from a key server, running the following command.
# gpg --recv 0x0EC4FE05 --keyserver http://pgp.mit.edu

Then, export the key to a local file:

# gpg --armor --export 0x0EC4FE05 > bd-pack.key

For the rpm packages, you have to import the key into the rpm keyring, using the next command.

# rpm --import bd-pack.key

When you wish to check an rpm package, just issue a command similar to the following. You should get no error.

# rpm --checksig BitDefender-*.rpm

In case you are using the deb packages, you have to run only one command over the deb files.

# dpkg-sig --verify BitDefender-*.deb

6.2.2. Test the self-extractable archive

To check the integrity of the self-extractable archive, run the following command and expect the corresponding answer.

# ./BitDefender-mpe-{ver}.{os}.{arch}.{pkg}.run --check
Verifying archive integrity... MD5 checksums are OK. All good.

If you get a different answer, or an error, please download the package again.

6.2.3. Test the FreeBSD tbz packages

When installing the packages downloaded from the BitDefender servers, you should run md5sum on the packages and compare the output with the values from the md5sums file. This file is located in the same directory as the packages you have downloaded.
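Comparing digests by eye is error-prone, so here is the md5sums check for the FreeBSD packages written as a script. This is an added example, not code from the guide or from BitDefender: it reads the md5sums file in the download directory, recomputes each listed package's digest and reports OK, MISMATCH or MISSING per file. The package directory, the file contents and the damage applied at the end are all constructed here; on a real download you point verify_md5sums at the directory holding the tbz files.

```sh
# verify_md5sums DIR
# Reads DIR/md5sums ("<md5>  <file>" per line, the format md5sum writes),
# recomputes each listed file's digest and prints one status line per file.
# Returns 0 only if every listed package is present and matches.
verify_md5sums() {
    _dir=$1
    [ -r "$_dir/md5sums" ] || { echo "no md5sums file in $_dir" >&2; return 2; }
    _status=0
    while read -r _expected _file; do
        _file=${_file#\*}                  # md5sum marks binary mode with '*'
        [ -n "$_file" ] || continue        # skip blank lines
        if [ ! -f "$_dir/$_file" ]; then
            echo "MISSING  $_file"; _status=1; continue
        fi
        _actual=$(md5sum "$_dir/$_file" | cut -d' ' -f1)
        if [ "$_actual" = "$_expected" ]; then
            echo "OK       $_file"
        else
            echo "MISMATCH $_file (stored $_expected, computed $_actual)"
            _status=1
        fi
    done < "$_dir/md5sums"
    return $_status
}

# make_sample_dir
# Builds a throw-away directory with two constructed "packages" and a
# matching md5sums file, and prints its path.
make_sample_dir() {
    _d=$(mktemp -d)
    printf 'constructed common payload\n' > "$_d/bitdefender-common-2.0_1.tbz"
    printf 'constructed mail payload\n'   > "$_d/bitdefender-mail-2.0_1.tbz"
    ( cd "$_d" && md5sum bitdefender-common-2.0_1.tbz bitdefender-mail-2.0_1.tbz > md5sums )
    echo "$_d"
}

# corrupt_file FILE: append one byte, as a damaged download would differ.
corrupt_file() { printf 'x' >> "$1"; }

dir=$(make_sample_dir)
verify_md5sums "$dir"                                   # both packages OK
corrupt_file "$dir/bitdefender-mail-2.0_1.tbz"
verify_md5sums "$dir" || echo "verification failed, download the package again"
rm -rf "$dir"
```

Note what this check does and does not prove: a matching digest shows the file arrived as it sits on the server, which is what this section is about (corruption in transit). Because the md5sums file comes from the same place as the packages, it does not establish who produced them; for that, the rpm and deb packages carry the GPG signature verified in Section 6.2.1.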
When installing from the ports collection, the integrity is checked automatically.

6.3. Install the package

The installation process depends on the package type. There are different methods for rpm, deb and the self-extractable archive, as well as several methods for FreeBSD.

6.3.1. Install the rpm package

To install BitDefender Mail Protection for Enterprises on a RedHat-based distribution, using the RedHat package manager, run the following command.

# ./BitDefender-mpe-{ver}.{os}.{arch}.rpm.run

6.3.2. Install the deb package

To install BitDefender Mail Protection for Enterprises on a Debian-based distribution, using dpkg, run the following command.

# ./BitDefender-mpe-{ver}.{os}.{arch}.deb.run

6.3.3. Install the self-extractable archive

The self-extractable archive is a package containing all the files required for the installation. It is a shell script embedding an archive, and it accepts several command line parameters. Usually, for a normal installation, no parameters are required: simply run the script.

Run the self-extractable archive

This package should be installed using the following command.

# ./BitDefender-mpe-{ver}.{os}.{arch}.tar.run
This will unpack the BitDefender files (engines, core, etc.) and the install and uninstall scripts, and will launch the installer, which in turn installs all the provided BitDefender components, as described in the next section.

Additional parameters

For the not-so-impatient user, the self-extractable archive provides some command line parameters, described in the following table.

--help
    Prints the short help message.

--info
    Prints the archive information, such as the title, the default target directory, the embedded script to be run after unpacking, the compression method used, the uncompressed size and the packaging date.

--list
    Prints the content of the embedded archive. The listed files are the engines, the program binaries, the embedded documentation and the install and uninstall scripts, along with their size and permissions.

--check
    This is one of the most useful options, because it enables the user to verify the package integrity, as stated above. The integrity is checked by comparing the embedded MD5 checksum (generated during packaging) with the one computed at the moment of checking. If they match, the output will be the following:

    MD5 checksums are OK. All good.

    If not, an error message will be shown, displaying the unequal stored and computed checksums, such as:

    Error in MD5 checksums: X is different from Y

--confirm
    The user will be asked to confirm every step of the install process.

--keep
    By default, the archive content is extracted to a temporary directory, which is removed after the embedded installer exits. Passing this parameter to the script keeps the directory.
--target directory
    You can specify another directory to extract the archive to, if you do not want to use the default name. Note that this target directory will not be removed.

--uninstall
    Run the embedded uninstaller script instead of the normal installer. For uninstalling, please read more in Chapter 7 Uninstall (p. 61).

6.3.4. Install the FreeBSD package

To install BitDefender Mail Protection for Enterprises on a FreeBSD machine, you have two methods: you can install the packages you have downloaded from the BitDefender servers, or you can install them from the ports collection.

Install the downloaded packages

To install the downloaded packages, run the next command in their directory.

# pkg_add bitdefender-*-{ver}.tbz

Install from the ports collection

To install from the ports collection, run the following commands to install the meta-port.

# cd /usr/ports/security/bitdefender-mpe
# make install clean

6.4. The installer

After unpacking the archive, the installer is launched. This is a text-based installer, created to run on very different configurations. Its purpose is to install the extracted packages to their locations and to make the first configuration of BitDefender Mail Protection for Enterprises, asking you a few questions. To accept the defaults the installer offers (which is recommended), just press the ENTER key when prompted.

First, the License Agreement is displayed. You are invited to read the full content by pressing the SPACE bar to advance one page or ENTER for one line at a time. In order to continue the installation process, you must read and agree to this License Agreement by literally typing the word accept when prompted. Note that typing anything else, or nothing at all, means you do not agree to the License Agreement and the installation process will stop.

Next, if you are installing BitDefender Mail Protection for Enterprises on Linux using the self-extracting archive, you are asked for the installation directory. The default is /opt and we will assume you go for it. The installer will create the directory /opt/bitdefender, which will be the top-level directory of BitDefender Mail Protection for Enterprises, containing several sub-directories, such as bin, etc, share or var. If the above-mentioned directory does not exist, you are asked whether the installer should create it, the default being yes. If you do not agree to the directory being created, the installer will stop.

Next, on Linux, you are asked which integration agents to install. You can choose one or more from this list.

1. CommuniGate Pro
2. Courier
3. Sendmail Milter
4. qmail
5. SMTP Proxy (for Postfix or any other MTA)

Please enter the corresponding numbers, when prompted, separated by spaces. For example, to install the integration agents for Sendmail Milter and qmail, enter 3 4.

From this moment, the installer has acquired all the necessary information and will begin the install process. Basically, it will install the engines, the binaries and the documentation and will perform the post-install configuration. This is a short list of its actions on your Linux system.

- Creates the bitdefender user and group and assigns the installation directory to it.
- Installs the manpages and configures the MANPATH accordingly.
- Appends the path to the BitDefender libraries to the dynamic library loader configuration file.
- Creates a symbolic link to the configuration directory in /etc.
- Integrates BitDefender in the system init scripts.

Finally, BitDefender Mail Protection for Enterprises is started up.
6.5. MTA integration

After BitDefender Mail Protection for Enterprises has been installed, you have to integrate it with your Mail Transfer Agent. This means you have to redirect the email traffic through the BitDefender integration agents, so that each message is scanned. To do so, use the bdsafe(8) command.

# bdsafe agent integrate qmail

This will automatically integrate the BitDefender qmail agent into your qmail installation. Then, you should enable it using the next command.

# bdsafe agent enable qmail

The following sections present the integration details for some agents. You do not have to follow these instructions, the previous commands work just fine, but you might want to know how the integration is performed.

6.5.1. CommuniGate Pro

For a manual integration of the BitDefender agent, please follow the next steps.

1. Open the CommuniGate administration interface: point your browser to the web-based management interface on the server (usually on port 8010: http://yourserver:8010/).
2. Go to Settings, General (you will be required to log in).
3. Go to the Helpers tab and look at Content Filtering. Do the following.
   - check the Use Filter box
   - enter BitDefender in the box
   - set the Log list to Problems
   - set Timeout to 2 minutes
   - in the Program Path, enter /opt/bitdefender/bin/bdcgated
   - set Auto-Restart to 5 seconds
   - press Update
4. Go to Rules in the Settings menu.
5. Enter BitDefender and press Create New.
6. Press the Edit button near the filter BitDefender. Do the following settings.
   - look at the Data list and set it to Message Size
   - set Operation to "greater than"
   - set Parameter to 1
   - look at the Action list and set it to External Filter
   - enter BitDefender in the Parameters box
   - press Update
   BitDefender will now start scanning your incoming messages.
7. Restart the BitDefender services.
8. Restart CommuniGate Pro.

6.5.2. Courier

Find the user and group of the Courier processes. Common names are courier or daemon. Our example assumes the user is courier. Change the owner of bdcourier, the integration agent, and add the bitdefender user to the courier group.

# chown courier:courier /opt/bitdefender/bin/bdcourier
# gpasswd -a bitdefender courier

Add courier to the list of users allowed to connect to bdregd, the BitDefender Registry.

# bdsafe configure registry localusers add courier

Stop Courier, since we are about to alter its internal mechanisms. Let's assume Courier's submit can be found at /usr/lib/courier/libexec/courier/submit. Rename it and create a link to the BitDefender agent.

# mv /usr/lib/courier/libexec/courier/submit \
     /usr/lib/courier/libexec/courier/submit.courier
# ln -s /opt/bitdefender/bin/bdcourier /usr/lib/courier/libexec/courier/submit

Tell BitDefender where the original submit is.

# bdsafe configure courier submitpath \
    /usr/lib/courier/libexec/courier/submit.courier

Now enable the agent and restart BitDefender.
# bdsafe agent enable courier

6.5.3. Sendmail Milter

To integrate BitDefender in Sendmail through the Milter interface, you have to either edit and rebuild sendmail.mc or add a few lines at the end of sendmail.cf. If you are not afraid to edit the macro file, add the next lines at the end of sendmail.mc, the Sendmail configuration macro file (usually found at /etc/mail/sendmail.mc or /etc/sendmail.mc). Then rebuild sendmail.cf.

dnl # Added by BitDefender, do not remove!
define(`_ffr_milter', `true')
INPUT_MAIL_FILTER(`BitDefender', `S=unix:/var/run/BitDefender/bdmilterd.sock, F=T, T=S:10s;R:10s;E:10m')
dnl # End of added lines

After rebuilding sendmail.cf, it will contain these lines.

#Added by BitDefender, do not remove!
XBitDefender, S=unix:/var/run/BitDefender/bdmilterd.sock, F=T, T=S:10s;R:10s;E:10m
O InputMailFilters=BitDefender
#End of added lines

Now, all you have to do is restart Sendmail.

6.5.4. qmail

For starters, modify the owner and rights of bdqmail.

# chown qmailq:qmail /opt/bitdefender/bin/bdqmail
# chmod 4711 /opt/bitdefender/bin/bdqmail

Next, stop qmail-smtpd, according to your installation. Then, assuming you have qmail installed using the LWQ instructions, run the following commands as root.

# mv /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue-real
# ln -s /opt/bitdefender/bin/bdqmail /var/qmail/bin/qmail-queue

You may also need to add the qmaild, qmailq and qmails users to the list of local users allowed to connect to bdregd, the BitDefender Registry.

# bdsafe configure registry localusers add qmaild qmailq qmails

6.5.5. Postfix

For the Postfix MTA, you need to install the SMTP Proxy agent. First, enable the bdsmtpd agent by running the next line.

# bdsafe agent enable smtp

Now, let's do some hand work. Open the Postfix main.cf configuration file (usually located at /etc/postfix/main.cf) with your favorite editor and add the following lines at the end.

# BitDefender Mail Protection integration
content_filter = smtp:127.0.0.1:10025

Next, open the master.cf file (usually located at /etc/postfix/master.cf) and add the following lines at the end. The empty content_filter= option on this listener is what stops mail re-injected by the proxy from being handed to the proxy again.

# BitDefender Mail Protection integration
127.0.0.1:10026 inet n - n - 10 smtpd -o content_filter=

Restart Postfix. According to your init scripts, run /etc/init.d/postfix restart or /etc/rc.d/rc.postfix restart.

One more step: you have to configure BitDefender to talk to Postfix. Use the bdsafe command.

# bdsafe configure postfix realserver 127.0.0.1:10026
# bdsafe configure postfix port 10025
Finally, restart BitDefender.

6.5.6. SMTP

The SMTP integration varies with each other MTA. Please review the integration mechanism description in Section SMTP Proxy (page 30). You have to find out how to instruct the MTA to listen on a higher port, by default 10025.
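Before restarting Postfix after the edits in Section 6.5.5, it is worth checking the two settings by script, because the re-injection listener is easy to get wrong: if 127.0.0.1:10026 does not carry an empty content_filter= it inherits the main.cf value and hands every re-injected message back to the proxy, a mail loop. The following is an added example, not code from the guide, from BitDefender or from Postfix. It checks that main.cf routes mail to the proxy port and that the master.cf listener defines the empty content_filter, whether on the service line itself (as in the guide) or on an indented -o continuation line. The addresses and ports are the ones in this section; the sample configuration files are constructed here.

```sh
# has_content_filter MAIN_CF TRANSPORT
# True if MAIN_CF sets content_filter to TRANSPORT (e.g. smtp:127.0.0.1:10025).
has_content_filter() {
    grep -Eq "^[[:space:]]*content_filter[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1"
}

# reinject_listener_ok MASTER_CF LISTENER
# True if MASTER_CF defines the service LISTENER (e.g. 127.0.0.1:10026) and
# that service, on its own line or on an indented "-o" continuation line,
# sets content_filter to the empty value.
reinject_listener_ok() {
    awk -v l="$2" '
        /^[ \t]*#/ { next }                            # comment line
        /^[ \t]*$/ { next }                            # blank line
        /^[^ \t]/  { inblock = ($1 == l); if (inblock) defined = 1 }
        inblock && (/-o[ \t]+content_filter=[ \t]/ || /-o[ \t]+content_filter=$/) { found = 1 }
        END { if (defined && found) exit 0; exit 1 }
    ' "$1"
}

# check_postfix_integration MAIN_CF MASTER_CF
# Reports each problem found; returns 0 only when both settings are right.
check_postfix_integration() {
    _ok=0
    has_content_filter "$1" "smtp:127.0.0.1:10025" \
        || { echo "main.cf: content_filter does not point at smtp:127.0.0.1:10025"; _ok=1; }
    reinject_listener_ok "$2" "127.0.0.1:10026" \
        || { echo "master.cf: 127.0.0.1:10026 listener missing or lacks '-o content_filter='"; _ok=1; }
    return $_ok
}

# write_samples: constructed main.cf plus three master.cf variants, and
# prints the directory holding them.
#   master.inline  option on the service line, as printed in the guide
#   master.good    option on an indented continuation line
#   master.loop    listener present but the empty content_filter forgotten
write_samples() {
    _d=$(mktemp -d)
    printf '%s\n' 'myhostname = mail.example.com' \
        '# BitDefender Mail Protection integration' \
        'content_filter = smtp:127.0.0.1:10025' > "$_d/main.cf"
    printf '%s\n' 'smtp      inet  n       -       n       -       -       smtpd' \
        '# BitDefender Mail Protection integration' \
        '127.0.0.1:10026 inet n - n - 10 smtpd -o content_filter=' > "$_d/master.inline"
    printf '%s\n' 'smtp      inet  n       -       n       -       -       smtpd' \
        '127.0.0.1:10026 inet n - n - 10 smtpd' \
        '  -o content_filter=' > "$_d/master.good"
    printf '%s\n' 'smtp      inet  n       -       n       -       -       smtpd' \
        '127.0.0.1:10026 inet n - n - 10 smtpd' > "$_d/master.loop"
    echo "$_d"
}

d=$(write_samples)
check_postfix_integration "$d/main.cf" "$d/master.inline" && echo "inline: safe to restart Postfix"
check_postfix_integration "$d/main.cf" "$d/master.good"   && echo "good: safe to restart Postfix"
check_postfix_integration "$d/main.cf" "$d/master.loop"   || echo "loop: fix master.cf before restarting"
rm -rf "$d"
```

On a live host the call is check_postfix_integration /etc/postfix/main.cf /etc/postfix/master.cf, run before the restart step. The awk part mirrors how master.cf is laid out: a service starts at column one and any indented line that follows belongs to it, so the empty content_filter is accepted in either position.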
Uninstall Installation 07

7. Uninstall

If you ever need to remove BitDefender Mail Protection for Enterprises, there are several methods to do it, depending on the package type. Although the uninstallation process should work flawlessly, due to the high complexity of some agents' integration it would be wise to perform an additional step before starting to uninstall: remove the agents' integration from the MTA. Therefore, for each agent you have installed and integrated, run the next command.

# /opt/bitdefender/bin/bdsafe agent disintegrate each_installed_agent

Now you can start uninstalling BitDefender Mail Protection for Enterprises.

7.1. Uninstall the rpm package

To uninstall BitDefender Mail Protection for Enterprises on an rpm-based distribution, run the following commands.

# rpm -e BitDefender-mail
# rpm -e BitDefender-common

7.2. Uninstall the deb package

To uninstall BitDefender Mail Protection for Enterprises using dpkg, on a deb-based distribution, run the following commands.

# dpkg -r BitDefender-mail
# dpkg -r BitDefender-common
7.3. Uninstall using the self-extractable archive

You need the original self-extractable archive to perform the uninstall. This is necessary since the program will automatically undo all the settings made for integration with the system. If you have the package, use the method described below.

# ./BitDefender-mpe-{ver}.{os}.{arch}.{pkg}.run --uninstall

First, you are asked for the installation directory. By default, it should be /opt, but if you selected another one during the installation, you have to specify it when asked. The uninstall program will check whether the directory is correct. If there is something wrong, the uninstall will stop. When the uninstall has ended, the system should be left in the same condition as before installing.

7.4. Uninstall the FreeBSD package

To uninstall the FreeBSD packages, you have two methods, according to the way they were installed.

7.4.1. Uninstall a locally downloaded package

To uninstall the packages you have installed from a local download, run the next commands.

# pkg_delete bitdefender-mail-{ver}
# pkg_delete bitdefender-common-{ver}

Or, using pkg_deinstall, part of sysutils/portupgrade, run the following.

# pkg_deinstall bitdefender-mail bitdefender-common

7.4.2. Uninstall from the ports collection

To uninstall the packages installed from the ports collection, you can use the previous method or run the following commands.

# cd /usr/ports/security/bitdefender-mpe
# make deinstall clean
Using BitDefender
Configuration Using BitDefender 08

8. Configuration

Once BitDefender Mail Protection for Enterprises has been installed and integrated into the Mail Transport Agent, it just works. But there are some settings for fine-tuning your installation that you might be interested in.

8.1. Basic configuration

Here are some hints on fine-tuning BitDefender Mail Protection for Enterprises. We will use the bdsafe tool for this. To check the configuration status of the mail daemon component, run this line.

# bdsafe configure maildaemon

There are several keys that might interest you.

footerremoved, footerclean, footerignored
    These keys specify the templates used to create the footers that are added to a scanned email when it has been found infected.

pushupdate, pushupdateaction
    These allow you to enable or disable the PushUpdate feature and to choose what to do with the PushUpdate email.

    PushUpdate
    For more information about this feature, please see Section PushUpdate (page 87).

failureaction
    This key specifies the action to be performed when, for some reason, the scanning process fails.
quarantine
    This key specifies the quarantine directory.

Next, for each installed integration agent, there are some settings you can tune. For example, to set the real SMTP server for the SMTP Proxy agent, you can use the next command. The server and port should be replaced by the corresponding values.

# bdsafe configure smtp realserver server:port

8.2. Group management

The BitDefender Group Management component is used to manage users and settings as groups in a very flexible way. It can be easily integrated with any application requiring this feature. We will present just some introductory commands; for detailed information, please see the bdgm(7) and bdsafe(8) manual pages.

Users are defined according to their email address, as seen by the server internally. Several users define a group. The nice part is that you can specify various settings for each group, such as antivirus actions, templates to be used for notification and so on. There are two special groups: All and Default. The group All holds the settings for all users, as expected, and the Default group specifies the implied settings, used when they are not defined in a certain group.

We shall create a new group, add some users to it and apply some settings. First, a new group has to be created. Let's name it MyGroup and add a user identified by his email address: user1@example.com. Later we can add some more. Open a terminal and run the following, as root.

# bdsafe group insert MyGroup sender user1@example.com

We should clarify some things before proceeding to the next step. The bdsafe command is the main BitDefender configuration tool. It would be wise to have a look at the bdsafe(8) manual page, to get an idea about its options and usage. Second, the sender option identifies the users only as email senders. If you need to identify them as recipients, change it to recipient.
At this moment, we can list the groups and the users to check whether the previous command worked. Here is the command you should run.

# bdsafe group list MyGroup

Let's add a recipient user.

# bdsafe group insert MyGroup recipient user2@example.com

Now we have a group and some users inside the group. Let's change the antivirus actions to disinfect;quarantine. We have to use the same bdsafe(8) command. Note the method we have used for escaping the string from the shell.

# bdsafe group configure MyGroup antivirus actions \
    'disinfect\;quarantine'

Or, maybe, you want to alter the spam threshold for the same group.

# bdsafe group configure MyGroup antispam threshold 900

Let's use the Default group, too: by default, the email footers should not be appended. Here is the command.

# bdsafe group configure Default addfooters false

Eventually, you would like to remove the group.

# bdsafe group remove MyGroup

More from the manual pages
As stated before, this is just an example. Please see the bdgm(7) and bdsafe(8) manual pages for detailed information.
Start-up and Shut-down Using BitDefender 09

9. Start-up and Shut-down

BitDefender Mail Protection for Enterprises should be integrated into the system init scripts, in order to start on system initialization and stop on system shutdown. Once integrated, the server will be protected all the time, since all BitDefender services will be up and running. Normally, there is no need for the user to manually start or stop BitDefender, but there are administrative tasks when such actions might be necessary. In this chapter you will find how to safely start and stop the BitDefender services.

The bd(8) command

The program bd(8), included with the BitDefender programs, plays the role of init script. Among the many parameters it supports are the standard start, stop and restart, with the obvious actions. The standard location of the program is /opt/bitdefender/bin/bd, in the case of a standard, straightforward installation. If you have chosen a different installation directory, please use the correct path when calling this program.

As init script, bd(8) is symbolically linked by the install program to the system-specific init directory, such as /etc/init.d/bd (for System V type init scripts) or /etc/rc.d/rc.bd (for BSD type init scripts). Therefore, according to your distribution, the following commands are identical, doing the same thing in the same way. For example, they will all start BitDefender.

# /opt/bitdefender/bin/bd start
- or -
# /etc/init.d/bd start
- or -
# /etc/rc.d/rc.bd start
- or -
# service bd start

For convenience, the program is always referred to in this document using the first form, but remember you can use any of the forms presented above. Use the one that fits you best.
9.1. Start-up

In order to start BitDefender Mail Protection for Enterprises, run the following command (for alternate forms, please see the note above).

# /opt/bitdefender/bin/bd start

The result will be similar to the next screen, provided as an example. Note that if you have more components installed, there will be more corresponding output lines.

* Starting bdregd... [ ok ]
* Starting bdlogd... [ ok ]
* Starting bdscand... [ ok ]
* Starting bdmaild... [ ok ]
* Starting bdlived... [ ok ]
* Starting bdmond... [ ok ]
* Starting bdsmtpd... [ ok ]

Please wait for all the services to be started up; the script will return to the shell when all processes have been initialized. If there are any errors while initializing, they will be reported.

9.2. Shut-down

In order to shut down BitDefender Mail Protection for Enterprises, run the following command (for alternate forms, please see the note above).

# /opt/bitdefender/bin/bd stop

The output will be similar to the following screen, provided as an example. Note that if you have more components installed and running, there will be more corresponding output lines.

* Stopping bdsmtpd... [ ok ]
* Stopping bdmond... [ ok ]
* Stopping bdlived... [ ok ]
* Stopping bdscand... [ ok ]
* Stopping bdmaild... [ ok ]
* Stopping bdlogd... [ ok ]
* Stopping bdregd... [ ok ]

The processes will be shut down in the reverse order of the start-up. Please wait for all the services to be stopped; the script will return to the shell when there are no more running processes. If there are any errors while shutting down, they will be reported.

9.3. Restart

A simple restart of all the BitDefender services can be performed by running the following command (for alternate forms, please see the note above).

# /opt/bitdefender/bin/bd restart

The output is similar to those described above, first stop, then start, such as the following. The output can differ slightly in case more components are installed.

* Stopping bdsmtpd... [ ok ]
* Stopping bdmond... [ ok ]
* Stopping bdlived... [ ok ]
* Stopping bdscand... [ ok ]
* Stopping bdmaild... [ ok ]
* Stopping bdlogd... [ ok ]
* Stopping bdregd... [ ok ]
* Starting bdregd... [ ok ]
* Starting bdlogd... [ ok ]
* Starting bdscand... [ ok ]
* Starting bdmaild... [ ok ]
* Starting bdlived... [ ok ]
* Starting bdmond... [ ok ]
* Starting bdsmtpd... [ ok ]

The processes will be shut down in reverse order, then started up. Please wait for all the services to be stopped, then started; the script will return to the shell when the action is complete. If there are any errors while shutting down or starting up, they will be reported.
Product registration Using BitDefender 10

10. Product registration

The product is delivered with a trial registration key valid for thirty days. At the end of the trial period, if you want to continue using the product, you have to provide a new license key. To check the license status, use the following command.

# bdsafe license mail

You will be presented with the license type, status, the number of covered users and the remaining validity period. If you have a new license key, the next command will perform the registration for the installed daemon.

# bdsafe license ABCDEF12345ABCDEF12345ABCDEF

BitDefender Remote Admin
BitDefender Remote Admin provides a convenient way to check the license status and to use a new key you may have just acquired. Please see Section Status (page 89) for more information.
BitDefender status output Using BitDefender 11

11. BitDefender status output

Since all of its components are daemons, BitDefender works in the background, with little or even no output at all. One source of information about the actions of BitDefender is the logs, if enabled, but an instant, real-time report can be obtained by using the built-in status and statistical reporting facilities.

11.1. Process status

A short description of all running processes and their process IDs (PIDs) is available by running the following command.

# /opt/bitdefender/bin/bd status

Invocation of the bd(8) command
A short discussion about the different forms of invoking the bd(8) command can be found in Chapter 9 Start-up and Shut-down (p. 71).

The output is similar to the following screen.

* bdregd (pid(s) 12748) running... for 0d 0h 15m 41s
* bdlogd (pid(s) 12757) running... for 0d 0h 15m 41s
* bdmond (pid(s) 13041) running... for 0d 0h 15m 38s
* bdscand (pid(s) 12809) running... for 0d 0h 15m 41s
* bdlived (pid(s) 13012) running... for 0d 0h 15m 39s
* bdmaild (pid(s) 12828) running... for 0d 0h 15m 39s
* bdsmtpd (pid(s) 13101) running... for 0d 0h 15m 38s

Output on non-NPTL systems
On non-NPTL systems, the output is slightly different. Instead of displaying only one thread, the PIDs of all threads are shown. You will see multiple process IDs for child threads.
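The status screen above is also the natural input for an unattended check: a mail relay whose scanning daemons have stopped keeps accepting mail, so a monitor should alarm as soon as one of them is missing. The following is an added example, not part of the guide or of the bd(8) program. It takes the text of bd status and the list of daemons that must be up, and reports any daemon that is absent or not marked as running; a second helper pulls out the daemon/PID pairs for cross-checking against ps(1). The sample output is constructed from the screen above with bdsmtpd left out, and the list of wanted daemons assumes an SMTP Proxy installation (the core daemons plus bdsmtpd).

```sh
# Constructed sample of `bd status` output in the format shown above;
# bdsmtpd is deliberately absent to exercise the alarm path.
SAMPLE_STATUS='* bdregd (pid(s) 12748) running... for 0d 0h 15m 41s
* bdlogd (pid(s) 12757) running... for 0d 0h 15m 41s
* bdmond (pid(s) 13041) running... for 0d 0h 15m 38s
* bdscand (pid(s) 12809) running... for 0d 0h 15m 41s
* bdlived (pid(s) 13012) running... for 0d 0h 15m 39s
* bdmaild (pid(s) 12828) running... for 0d 0h 15m 39s'

# Daemons an SMTP Proxy installation needs (assumed list: the core daemons
# from the screen above plus the bdsmtpd agent).
WANTED_DAEMONS="bdregd bdlogd bdscand bdmaild bdlived bdmond bdsmtpd"

# check_daemons STATUS_TEXT "d1 d2 ..."
# Prints "not running: ..." and returns 1 if any wanted daemon is missing
# from STATUS_TEXT or not reported as running; prints "all daemons running"
# and returns 0 otherwise. The PID field is matched loosely so that the
# multi-PID form shown on non-NPTL systems is accepted as well.
check_daemons() {
    _text=$1; _missing=""
    for _d in $2; do
        if ! printf '%s\n' "$_text" | grep -q "^\* $_d (pid(s) [0-9, ]*) running"; then
            _missing="$_missing $_d"
        fi
    done
    if [ -n "$_missing" ]; then
        echo "not running:$_missing"
        return 1
    fi
    echo "all daemons running"
    return 0
}

# running_pids STATUS_TEXT
# Prints one "daemon pids" line per running daemon, for feeding a process
# monitor or comparing with the process table.
running_pids() {
    printf '%s\n' "$1" | sed -n 's/^\* \([a-z]*\) (pid(s) \([0-9, ]*\)) running.*/\1 \2/p'
}

check_daemons "$SAMPLE_STATUS" "$WANTED_DAEMONS" || echo "alert the operator"
running_pids "$SAMPLE_STATUS"
```

On a live host the call is check_daemons "$(/opt/bitdefender/bin/bd status)" "$WANTED_DAEMONS", which can run from cron or a monitoring agent; its exit status is what the monitor should act on, the printed line is for the operator.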
11.2. Basic information

Using the text console, more information about the current status of BitDefender is available when issuing the following command:

# /opt/bitdefender/bin/bd info

Invocation of the bd(8) command
A short discussion about the different forms of invoking the bd(8) command can be found in Chapter 9 Start-up and Shut-down (p. 71).

The output will be similar to the next screen.

BitDefender v2.0 on Linux cstroie 2.6.15-gentoo-r5 #1 SMP PREEMPT Mon Mar 27 21:18:46 EEST 2006 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz GNU/Linux

Quarantine
 - bdmaild : 0 KB (0 files) in /opt/bitdefender/var/quarantine/bdmaild
 - bdmond : 0 KB (0 files) in /opt/bitdefender/var/quarantine/bdmond

BitDefender Core Components          BitDefender Agents
 - bdregd : 2.0.60316                - bdcgated : 2.0.51013 (disabled)
 - bdlogd : 2.0.60414                - bdcourier : 2.0.51114 (disabled)
 - bdlived : 2.0.60413               - bdmilterd : 2.0.60228 (disabled)
 - bdmond : 2.0.60414                - bdqmail : 2.0.51114 (disabled)
 - bdscand : 2.0.60404               - bdsmtpd : 2.0.60427
 - bdmaild : 2.0.60413               - bdlived : 2.0.60413

Live Update
 - signatures : 396729 (as of Thu May 4 08:51:36 2006)
 - current status : idle
 - last check : Thu May 4 12:17:11 2006
 - last update : Thu May 4 12:11:37 2006

BitDefender Registry
Since this information is stored inside the BitDefender Registry, the bdregd daemon should be running in order to see all of it. If not, only a small part will be shown.

The following information is displayed:

- The current version of BitDefender Mail Protection for Enterprises, along with some system information.
- The quarantine status.
- The versions of the installed BitDefender Core Components and Integration Agents.
- The number of signatures, the time when BitDefender last checked for a virus signatures update and the time when it actually updated its signatures.

11.3. Statistical report

Statistical reports about BitDefender activity can be obtained by running the following command:

# /opt/bitdefender/bin/bd stats

Invocation of the bd(8) command
A short discussion about the different forms of invoking the bd(8) command can be found in Chapter 9 Start-up and Shut-down (p. 71).

The following screen should appear:

+----------------------------------------------------------------------+
|                    M A I L   S t a t i s t i c s                     |
+-------+--------+--------+--------+--------+--------+--------+--------+
|Scanned|Infected|Disinf. |  Quar. |Rejected|Ignored |Dropped |  Spam  |
+-------+--------+--------+--------+--------+--------+--------+--------+
|   0   |   0    |   0    |   0    |   0    |   0    |   0    |   0    |
+-------+--------+--------+--------+--------+--------+--------+--------+

BitDefender Remote Admin
The status and statistical information are also available in BitDefender Remote Admin. Please see Section 14.6 Reports (p. 99) for more information.
12. Testing BitDefender

To make sure BitDefender is really working, you can test its antivirus and antispam efficiency using standard testing methods. Basically, you send a special email to some account through the email server and receive the results (the disinfected email, notifications, or the email marked as SPAM). Alternatively, you can watch the statistics, as described in Section 11.3 Statistical report (p. 79).

Sending the email to another account
    The $USER parameter is used to send the email to your current account on the local machine. If you wish to send the test emails to another recipient or to some remote email server, replace it with a real email address, but bear in mind that the emails will be classified as infected and as spam.

12.1. Antivirus test

You can verify that the BitDefender Antivirus component works properly with the help of a special test file, known as the EICAR Standard Anti-virus Test file. EICAR stands for the European Institute of Computer Anti-virus Research. This is a dummy file, detected by antivirus products. There is no reason to worry, because this file is not a real virus. All that EICAR.COM does when executed is display the text EICAR-STANDARD-ANTIVIRUS-TEST-FILE and exit.

The reason we do not include the file within the package is that we want to avoid generating false alarms for those who use BitDefender or any other virus scanner. However, the file can be created using any text editor, provided the file is saved in standard MS-DOS ASCII format and is 68 bytes long. It might also be 70 bytes if the editor puts a CR/LF at the end. The file must contain the following single line:

    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Copy this line and save the file with any name and a .com extension, for example EICAR.COM. You can keep EICAR.COM in a safe place and periodically test the server protection.

EICAR online resources
    You can visit the EICAR website at http://eicar.com/, read the documentation and download the file from one of the locations on the web page http://eicar.com/anti_virus_test_file.htm.

12.1.1. Infected email attachment

To test the efficiency of the email protection, create an email with your favorite email agent, attach the file EICAR.COM and send it to yourself through your email server. You will shortly receive the disinfected email, the notification emails as postmaster and, if configured, the emails addressed to the sender and receiver stating that a virus was found.

Using the mail program, available on many Linux distributions, the email can be sent in the following way. You can safely replace mail with mutt if your mail does not support attachments.

    $ echo "EICAR test file." | mail -s EICAR -a EICAR.COM $USER

If your version of the mail program does not support attachments, you can use the next command, where the email body is just the content of the EICAR.COM file (since it is an ASCII file). BitDefender, scanning the entire email, will find it infected, disinfect it and notify the postmaster and, eventually, the sender and the receiver.

    $ mail -s EICAR $USER < EICAR.COM

12.1.2. Infected attached archive

To test the efficiency of the BitDefender MIME Packer component, create an archive containing the EICAR.COM file, then attach it to an email sent to yourself through the email server under test. For example, gzip the EICAR.COM file and attach the resulting archive.

    $ gzip --best EICAR.COM
    $ echo "EICAR test archive." | mail -s EICAR -a EICAR.COM.gz $USER

You will shortly receive the disinfected email, the notification emails as postmaster and, if configured, the emails addressed to the sender and receiver stating that a virus was found.

12.2. Antispam test

You can verify that the BitDefender Antispam component works properly with the help of a special test, known as GTUBE. GTUBE stands for the Generic Test for Unsolicited Bulk Email. GTUBE provides a test by which you can verify that the BitDefender filter is installed correctly and is detecting incoming spam.

GTUBE online resources
    You can visit the GTUBE website at http://gtube.net/, read the documentation and download the sample RFC-822 format email from the locations on the web page.

The test consists of entering the following 68-byte string, as one line, in the body of the email:

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

When scanning the email, BitDefender must tag it as spam. Using the mail program, you can test BitDefender with the next command. You have to create a file, named GTUBE, containing the above string on one line. Then, run the following command.

    $ mail -s GTUBE $USER < GTUBE

You will shortly receive the email marked as SPAM. The Subject and X-BitDefender-Spam headers will be:

    Subject: [spam] GTUBE
    X-BitDefender-Spam: Yes (100)
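The tests of Sections 12.1 and 12.2 as one script, added here as an example and not part of the BitDefender guide: it writes the EICAR and GTUBE inputs byte-exact, sends them with the mail commands above, and checks a message that came back for the Subject and X-BitDefender-Spam marks. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the BitDefender guide: build the Chapter 12 test
# inputs (EICAR.COM, EICAR.COM.gz, GTUBE), check that they are byte-exact,
# send them with the guide's mail(1) commands, and verify the headers on the
# message that comes back. Function names are this example's own.

EICAR_LINE='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
GTUBE_LINE='XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X'

# file_size FILE: byte count, with the padding some wc implementations add removed.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# make_test_inputs DIR: write EICAR.COM and GTUBE into DIR without a trailing
# newline, so each is exactly the 68 bytes the guide describes. Returns 1 when
# a file does not have the expected size (an editor that re-encoded the line,
# for instance, would change it).
make_test_inputs() {
    printf '%s' "$EICAR_LINE" > "$1/EICAR.COM"
    printf '%s' "$GTUBE_LINE" > "$1/GTUBE"
    [ "$(file_size "$1/EICAR.COM")" -eq 68 ] || return 1
    [ "$(file_size "$1/GTUBE")" -eq 68 ] || return 1
}

# make_test_archive DIR: the gzip variant of Section 12.1.2, kept beside the
# plain file instead of replacing it.
make_test_archive() {
    gzip --best -c "$1/EICAR.COM" > "$1/EICAR.COM.gz"
}

# send_tests RECIPIENT DIR: the four sends from Sections 12.1 and 12.2, in
# order: attachment, body, gzip attachment, GTUBE body.
send_tests() {
    echo "EICAR test file."    | mail -s EICAR -a "$2/EICAR.COM"    "$1"
    mail -s EICAR "$1" < "$2/EICAR.COM"
    echo "EICAR test archive." | mail -s EICAR -a "$2/EICAR.COM.gz" "$1"
    mail -s GTUBE "$1" < "$2/GTUBE"
}

# mail_headers FILE: the header block of a saved message (up to the first
# empty line).
mail_headers() {
    sed '/^$/q' "$1"
}

# is_tagged_spam FILE: 0 when the saved GTUBE reply carries both marks the
# guide says BitDefender adds: "Subject: [spam] ..." and
# "X-BitDefender-Spam: Yes (...)". Anything else is a failed antispam test.
is_tagged_spam() {
    mail_headers "$1" | grep -q '^Subject: \[spam\]' || return 1
    mail_headers "$1" | grep -qi '^X-BitDefender-Spam: Yes' || return 1
}

# spam_score FILE: the number in parentheses of the X-BitDefender-Spam header,
# e.g. 100 for "X-BitDefender-Spam: Yes (100)"; empty when the header is absent.
spam_score() {
    mail_headers "$1" | sed -n 's/^X-BitDefender-Spam: .*(\([0-9][0-9]*\)).*/\1/p'
}

# Usage: testbd.sh RECIPIENT WORKDIR         (writes and sends the test messages)
#        testbd.sh --check SAVED_MESSAGE     (checks a message that came back)
main() {
    if [ "$1" = "--check" ]; then
        is_tagged_spam "$2" && echo "spam tagged, score $(spam_score "$2")"
    else
        make_test_inputs "$2" && make_test_archive "$2" && send_tests "$1" "$2"
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```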
13. Updates

BitDefender was designed with capabilities for automatic update. At present, the risk of getting infected is high, both because new viruses appear and because existing ones keep on spreading. Email, which is used more and more, has become a decisive factor in spreading infections from one user to another. This is why your antivirus must be kept up to date, by periodically checking the BitDefender servers for new updates.

The BitDefender update process is carried out by Live! Update, a daemon which connects periodically to the BitDefender update server and checks whether new virus definitions, antispam updates and product upgrades are available. If there are any, the daemon downloads only the changed files, executing an incremental update and conserving bandwidth.

13.1. Automatic update

BitDefender Mail Protection for Enterprises is configured to update automatically every hour, through the bdlived module. If an update is needed before the specified interval expires, the daemon can be signaled to execute the update routine manually. To trigger the on-demand check, issue the following command, using bdsafe(8).

    # bdsafe update

13.1.1. Time interval modification

To modify the time interval, run the command below. You can change the update interval to the desired value, but no lower than 10 minutes.

    # bdsafe configure update checkinterval 7200

BitDefender Remote Admin
    The time interval can be modified using the BitDefender Remote Admin interface. Please see Section 14.5.4 Live! Update (p. 98) for more information.

13.1.2. Live! Update proxy configuration

If a proxy server is to be used to connect to the Internet, run the following command, using your proxy server address and port.

    # bdsafe configure update proxysettings proxy:port

Then enable proxy usage with this command.

    # bdsafe configure update useproxy Y

To deactivate the use of a proxy, run the following:

    # bdsafe configure update useproxy N

BitDefender Remote Admin
    The proxy server can be specified using the BitDefender Remote Admin interface. Please see Section 14.5.4 Live! Update (p. 98) for more information.

13.2. Manual update

There are two zip archives on the update server containing the updates of the scanning engines and virus signatures: cumulative.zip and daily.zip.

- cumulative.zip is released every week on Monday and includes all the virus definitions and scan engine updates up to the release date.
- daily.zip is released each day and includes all the virus definitions and scan engine updates since the last cumulative and up to the current date.

In order to update the product manually, follow the next steps.

1. Download the update files. If it is Monday, download cumulative.zip and save it somewhere on your disk when prompted. Otherwise, download daily.zip and save it on your disk. If this is the first time you update using the manual updates, download both archives.

2. Extract the updates. Extract the contents of the zip files to the /opt/bitdefender/var/lib/plugins/ directory, overwriting the existing files with the newer ones if necessary.

   The order to extract the updates
       If you are using both cumulative.zip and daily.zip, you will have to extract the contents of cumulative.zip first, then the contents of daily.zip.

3. File owner and permissions. After extracting the zip archives, you must set the proper owner and permissions by running the following commands.

       # chown bitdefender:bitdefender /opt/bitdefender/var/lib/plugins/*
       # chmod 644 /opt/bitdefender/var/lib/plugins/*

4. Restart BitDefender. Once updated, BitDefender should be restarted, using the following command.

       # /opt/bitdefender/bin/bd restart

13.3. PushUpdate

PushUpdate is an ordered update launched by the BitDefender servers in imminent situations, when a prompt update can save the server from letting infected emails pass. The trigger is an email, sent to the address you specified during installation. BitDefender, while filtering the emails, will recognize it and initiate the update process. Then the email can be dropped or delivered, according to the Registry settings.

13.4. Patches

Since the Live! Update module can automatically update only the virus definitions and some of the core libraries used by BitDefender, there is a small tool that can be used to update the whole BitDefender installation. The BitDefender Swiss Army knife, bdsafe(8), the multipurpose tool, can be used to keep BitDefender up to date by applying the various patches that might appear after the product was released. It can be run directly by the system administrator to list, search, install or uninstall patches, or it can be installed as a cron job to automatically install the patches as soon as they are released.

Patches are released to correct bugs found or to add new features, and they are grouped in the following categories: CRITICAL, SECURITY, NORMAL.

- Patches are labeled CRITICAL when they affect the normal behavior of the product. For example, if a new kernel is released that prevents the bdcored module from accomplishing its job, a CRITICAL patch will be released to correct this issue.
- A patch is labeled SECURITY when its role is to correct a security-related issue. For example, if there is a bug which might permit an attacker to gain access to emails scanned by BitDefender, a SECURITY patch will be released to fix this issue. As opposed to CRITICAL patches, which affect BitDefender's normal behavior, SECURITY patches usually fix bugs that would not occur in a friendly environment, if such a thing exists.
- Patches labeled NORMAL are usually released to fix minor (cosmetic) bugs or to add some new features. For example, if BitDefender incorrectly formats an email header, a NORMAL patch will be released to fix this minor issue.
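The manual update procedure of Section 13.2 (extract cumulative.zip before daily.zip, fix owner and mode, restart) as one script, added here as an example and not BitDefender's own tooling. BD_PLUGINS, BD_OWNER and BD_RESTART are the script's own settings, defaulting to the paths and commands the guide gives; downloading the archives is left to the administrator.

```shell
#!/bin/sh
# Added example, not BitDefender's own tooling: apply the manual update
# procedure of Section 13.2 (extract cumulative.zip before daily.zip, then fix
# owner and mode, then restart). Downloading the archives is left to the
# administrator. The three settings below are this script's own assumptions,
# defaulting to the paths and commands the guide gives.
BD_PLUGINS=${BD_PLUGINS:-/opt/bitdefender/var/lib/plugins}
BD_OWNER=${BD_OWNER:-bitdefender:bitdefender}
BD_RESTART=${BD_RESTART:-"/opt/bitdefender/bin/bd restart"}

# extract_zip ARCHIVE DIR: unpack with overwrite ("overwriting the existing
# files with the newer ones"); falls back to Python's zipfile module where
# unzip(1) is not installed.
extract_zip() {
    if command -v unzip >/dev/null 2>&1; then
        unzip -o -q "$1" -d "$2"
    else
        python3 -m zipfile -e "$1" "$2"
    fi
}

# update_order ARCHIVE...: print the given archives one per line in the order
# they must be applied: cumulative.zip first, daily.zip second. Any other file
# name is refused, so a stray archive never lands in the plugins directory.
update_order() {
    cum=""
    day=""
    for a in "$@"; do
        case $(basename "$a") in
            cumulative.zip) cum=$a ;;
            daily.zip)      day=$a ;;
            *) echo "update_order: unexpected archive $a" >&2; return 1 ;;
        esac
    done
    [ -n "$cum" ] && printf '%s\n' "$cum"
    [ -n "$day" ] && printf '%s\n' "$day"
    [ -n "$cum$day" ]
}

# bd_manual_update ARCHIVE...: steps 2 to 4 of Section 13.2. Must run as a
# user allowed to chown to BD_OWNER, normally root.
bd_manual_update() {
    order=$(update_order "$@") || return 1
    [ -d "$BD_PLUGINS" ] || { echo "missing directory $BD_PLUGINS" >&2; return 1; }
    printf '%s\n' "$order" | while IFS= read -r a; do
        extract_zip "$a" "$BD_PLUGINS" || exit 1
    done || return 1
    # Step 3: the daemons run as the bitdefender user and only need to read
    # the plugins, so 0644 (no execute bit, not group/world writable).
    chown "$BD_OWNER" "$BD_PLUGINS"/* || return 1
    chmod 644 "$BD_PLUGINS"/* || return 1
    # Step 4: restart so the new engines and signatures are loaded.
    $BD_RESTART
}

if [ "$#" -gt 0 ]; then
    bd_manual_update "$@"
fi
```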
14. BitDefender Remote Admin

BitDefender Mail Protection for Enterprises can be configured remotely, using a web browser under any operating system. To do so, the BitDefender Remote Admin module must be installed on the server side. Designed for Webmin, it can run as a Webmin module or as a standalone component that does not require Webmin.

Additional Perl modules
    The BitDefender Remote Admin standalone module provides an SSL-secured HTTP connection. For this to work, the Net::SSLeay Perl module must be installed. It is also recommended, but not mandatory, to install the following modules: MIME::Lite, Net::SMTP and Net::DNS. These modules are needed to submit quarantined objects to BitDefender Labs; if they are not found, the submit function is unavailable.

BitDefender Remote Admin provides an easy way to configure almost all the details of BitDefender Mail Protection for Enterprises. All you have to do is open your favorite web browser and point it to the following location for the standalone module: https://your.hostname:8139. Please note that the https:// protocol is used. If you use the Webmin integration, the address is http://your.hostname:10000/bitdefender. A login form will appear, inviting you to type the username and password. Usually, the username is admin.

On-line help
    BitDefender Remote Admin offers on-line help. Whenever you do not understand the meaning of a field or the action of a button, or something sounds cryptic, click Help to get support on the current topic.

14.1. Status

14.1.1. Services

Here are listed all the running BitDefender services, along with their uptime. If some services are not running, a second frame lists the stopped services.

The Start, Restart and Stop buttons can be used to start the non-running BitDefender services, restart all services and stop them. Please note that these actions are not performed instantly; a couple of seconds may be required to finish the action. On pressing any of the buttons, the screen changes, reporting the success or failure of the action on every BitDefender module. After pressing Stop, the two buttons are replaced with a single one, Start, to allow the user to start the BitDefender services again. Remember that the interface functionality is drastically reduced when the bdregd service is not running.

14.1.2. License

You can check the license status and register BitDefender using the License page. You will see the current serial number and the license status and, if you wish, you can enter a new key. Type the license key in the corresponding field, then click Submit to perform the registration process. If you mistype the license key, you will be told so and invited to type it again.

14.1.3. About

Here you will find a short message about the product, its features and the team who created it.

14.2. Policies

14.2.1. Default Settings

Antivirus

The Antivirus section is responsible for the configuration and actions of the BitDefender Antivirus. The action to be taken when a virus or a suspicious object is found can be specified using the Action list. Use the Up and Down arrows to sort the list. Please note that not all actions are available in every list order; some of them will become inactive.

BitDefender Mail Protection for Enterprises can add a header, a footer or a message disclaimer to an email in some cases. You can specify whether or not to write the disclaimers and headers to clean or infected messages by checking or unchecking the corresponding checkbox. For every modification you make, do not forget to press the Apply button when finished.

Antispam

The Antispam section is responsible for the antispam filter configuration. You can enable or disable the entire Antispam module with the Active checkbox, which makes the following options available. Each of the filters can be enabled or disabled individually. The filters, in the order they are passed through, are the following:

- White List / Black List
- The URL filter
- The Image filter
- The Bayesian filter
- The Heuristic filter
- The Multipurpose filter

Furthermore, you can use the text box below to set the Spam Threshold, the maximum allowed spam score for a message before it is considered SPAM. Next, you may configure the Antispam action. Only one action can be selected from the following.

- Ignore
- Quarantine
- Drop
- Reject

If the emails are delivered, two more actions can be applied to them:

- Modify subject specifies whether the subject of the email message should be modified according to the Subject template field.
- Add email header adds a new header to all emails, by default X-BitDefender-Spam. The content of the header is created according to the header patterns described below.

The SpamStamp Header, by default X-BitDefender-SpamStamp, is a special feedback header, used by BitDefender Antispam specialists when false negatives and false positives are submitted to <spam_submission@bitdefender.com>.

The templates are used to create the new subject of spam emails and the new headers BitDefender will add to spam and non-spam emails. You can select the template files using the dedicated text boxes. After altering any of the options above, press the Apply button to complete the setup.

Mail Forward

Using the mail forward feature, you can enable sending the messages to another recipient. You can enable or disable this feature by selecting or unselecting the checkbox. The messages can be sent before or after scanning; this behaviour can be selected using the proper radio button. Next, you have to specify some more data, such as the SMTP server, the HELO string, the email sender and the recipient. When finished, press the Apply button.

14.2.2. Groups

Using this section, you can add, edit and remove groups. You can also change the group order. To increase or decrease the priority of one or more groups, select the desired checkboxes and press the Up or Down button. To modify a group, click the Edit link.

14.2.3. Group settings

The group settings include the same settings as the Default section and add two lists: senders and recipients. You can add email addresses, users and domains to these lists to define the group. When finished, press the Apply button.

Antivirus

The Antivirus section is responsible for the configuration and actions of the BitDefender Antivirus. The action to be taken when a virus or a suspicious object is found can be specified using the Action list. Use the Up and Down arrows to sort the list. Please note that not all actions are available in every list order; some of them will become inactive.

BitDefender Mail Protection for Enterprises can add a header, a footer or a message disclaimer to an email in some cases. You can specify whether or not to write the disclaimers and headers to clean or infected messages by checking or unchecking the corresponding checkbox. For every modification you make, do not forget to press the Apply button when finished.

Antispam

The Antispam section is responsible for the antispam filter configuration. You can enable or disable the entire Antispam module with the Active checkbox, which makes the following options available. Each of the filters can be enabled or disabled individually. The filters, in the order they are passed through, are the following:

- White List / Black List
- The URL filter
- The Image filter
- The Bayesian filter
- The Heuristic filter
- The Multipurpose filter

Furthermore, you can use the text box below to set the Spam Threshold, the maximum allowed spam score for a message before it is considered SPAM. Next, you may configure the Antispam action. Only one action can be selected from the following.

- Ignore
- Quarantine
- Drop
- Reject

If the emails are delivered, two more actions can be applied to them:

- Modify subject specifies whether the subject of the email message should be modified according to the Subject template field.
- Add email header adds a new header to all emails, by default X-BitDefender-Spam. The content of the header is created according to the header patterns described below.

The SpamStamp Header, by default X-BitDefender-SpamStamp, is a special feedback header, used by BitDefender Antispam specialists when false negatives and false positives are submitted to <spam_submission@bitdefender.com>.

The templates are used to create the new subject of spam emails and the new headers BitDefender will add to spam and non-spam emails. You can select the template files using the dedicated text boxes. After altering any of the options above, press the Apply button to complete the setup.

Mail Forward

Using the mail forward feature, you can enable sending the messages to another recipient. You can enable or disable this feature by selecting or unselecting the checkbox. The messages can be sent before or after scanning; this behaviour can be selected using the proper radio button. Next, you have to specify some more data, such as the SMTP server, the HELO string, the email sender and the recipient. When finished, press the Apply button.

14.3. Quarantine

The Quarantine is a special directory, unavailable to common users, where suspected files or emails are isolated for later examination.

14.3.1. Mail Quarantine

The Mail Quarantine is the directory where infected or suspected files are isolated from the system. The default location can be modified using the text box in the interface. Enter the new location, then press the Apply button.

Custom quarantine location
    If you wish to use another directory as quarantine, make sure to isolate the directory appropriately. At the least, the quarantine should be owned by the bitdefender user and group and should have permissions 0700 (in octal).

The quarantined objects can be sent to the BitDefender Lab for further investigation. You can modify the email address they are sent to, then press the Apply button to set the new address.

A second frame allows basic management of the quarantine. You are presented a list of the objects, which can span multiple pages. Use the bottom navigation element to browse the pages and the top combo box to select how many objects to display per page. Press the Set button when you have selected a new number of objects to be displayed.

By checking the checkboxes near each item (or the Apply to all checkbox to refer to all of them), you can select the items to apply an action to. The action can be one of Send to lab or Delete, to submit the object to the BitDefender Lab or to remove it.

14.3.2. Monitor Quarantine

The monitor quarantine is an isolated directory storing all the objects that may cause problems to the filters (malformed archives or emails, zip bombs). Because of the risk of crashing the process, there is no option to scan them again, only to delete them or to send them to BitDefender Labs. Normally this quarantine should be empty, but if there are some problematic files in this folder, you are advised to send them to BitDefender Labs for further analysis.

Custom quarantine location
    If you wish to use another directory as quarantine, make sure to isolate the directory appropriately. At the least, the quarantine should be owned by the bitdefender user and group and should have permissions 0700 (in octal).

The quarantined objects can be sent to the BitDefender Lab for further investigation. You can modify the email address they are sent to, then press the Apply button to set the new address.

A second frame allows basic management of the quarantine. You are presented a list of the objects, which can span multiple pages. Use the bottom navigation element to browse the pages and the top combo box to select how many objects to display per page. Press the Set button when you have selected a new number of objects to be displayed.

By checking the checkboxes near each item (or the Apply to all checkbox to refer to all of them), you can select the items to apply an action to. The action can be one of Send to lab or Delete, to submit the object to the BitDefender Lab or to remove it.
14.4. Protocols

14.4.1. SMTP

For SMTP Proxy integration, some data has to be specified in order to allow BitDefender to scan all email traffic.

- The real SMTP server address and port BitDefender sends the emails to. By default the address is 127.0.0.1 and the port is 10025.
- The port BitDefender will listen on, by default 25.
- The connection timeout, which specifies how long BitDefender will wait for incoming data on an already established connection before closing it.
- The maximum number of concurrent incoming connections BitDefender will handle. If the value entered is negative, all incoming connections will be refused. If the value is 0, the limit is disabled.
- The maximum size (in bytes) of the email messages passing through the SMTP Proxy. If a message is bigger than this limit, it will be rejected.

Network Domains

This section contains the networks BitDefender relays email messages from. You must add the address, in IPv4 dotted format, to the list to instruct BitDefender to accept emails coming from those addresses, regardless of their destination. The Add button lets you add one domain at a time. Each domain can be deleted by selecting its checkbox, then clicking Remove.

Email Domains

The relay domains BitDefender will accept emails for are configured in this section. For example, if your email server handles emails for the company1.com and company2.com domains, you must enter both domains in this section. If you have subdomains, you must specify them explicitly, as subdomain1.company3.com, subdomain2.company3.com, etc. The Add button lets you add one relay domain at a time. Each domain can be deleted by selecting its checkbox, then clicking Remove.

Interfaces

You can restrict BitDefender to listen only on some interfaces, specified by their IP addresses. To add an address, fill in the text box and press Add. To remove one, select the corresponding checkbox and press the Remove button. To edit an address, type the new one in the same text box it is displayed in and press the Apply button.

14.4.2. CommuniGate Pro

The installation directory is the full path to the CommuniGate Pro installation directory. The default is /var/communigate/.

Maximum threads number specifies the maximum number of running threads (by default 5). BitDefender will reject further incoming connections if it is already handling the specified number of emails at once.

14.4.3. Courier

This is the full path to the original Courier submit file, after being wrapped by the BitDefender integration mechanism in order to catch all the email traffic. By default, the path is /usr/lib/courier/libexec/courier/submit.courier.

14.4.4. qmail

This is the full path to the original qmail-queue file, after being wrapped by the BitDefender integration mechanism in order to catch all the email traffic. By default, the path is /var/qmail/bin/qmail-queue-real.

14.4.5. Sendmail Milter

This is the full path to the Unix socket the integration agent should listen on. By default, the path is /var/run/bitdefender/bdmilterd.sock.

14.5. Maintenance

14.5.1. Registry

This section controls the way the BitDefender Registry communicates with other processes. Usually, there is no need to enable listening on TCP (by default, the port is 8138), but you should enable it if you use other remote administration tools, such as the Windows management console. By default, BitDefender will listen on all interfaces. You can restrict this by entering an IP address in the corresponding text box and pressing the Add button. To remove an interface to listen on, select the corresponding checkbox, then press the Remove button.

14.5.2. Product Updates

The product updates are patches that might appear after the product was released. You are presented a list of the available patches and can select which of them are to be installed, by selecting each one's checkbox. You can read a short description of each patch before deciding whether to install it. Use the Update button to start installing the selected patches.

14.5.3. Signature Updates

Here you will find the time of the last signature update, the last check and the total number of signatures known by the product. Use the Refresh button to update the fields.

14.5.4. Live! Update

For the update process to function properly, you must enter a location the new virus definitions will be updated from. By default, the update server is http://upgrade.bitdefender.com. You can also modify the update interval that BitDefender will use when checking for new updates. It cannot be less than 10 minutes. If you change any of these fields, you have to press the Apply button.

It is possible to use a proxy server to get the updates. In this case, you must check the Use Proxy checkbox, fill in the Proxy and Port fields accordingly, and fill in the User and Password fields if your proxy server requires authentication. Press the Apply button to submit the changes.

If you want to enable the Update Pushing function, you have to select the corresponding checkbox. Thus, in case of a virus outbreak or an emergency update, you will receive a special email message. When scanning, BitDefender will recognize the email and automatically start the update process. You can discard these messages or deliver them to the user's mailbox to keep track of all pushed updates.

You can use Update Now to trigger an automatic check and, eventually, an update (if there are any updates on the server).

14.6. Reports

14.6.1. Logging

This section permits the customization of the logging process, carried out by the BitDefender logging module. If you enable the File logger, BitDefender will use the specified file to log all of its actions. You can change the location of the log file using the corresponding text box. You can also see the log tail by using the View button in the Log tail frame. The number of lines to display can be set from the same frame; by default the last 10 lines are shown.

14.6.2. Statistics

The statistical report table can be accessed in this section. There is information about scanned Files, Mail and Objects regarding their status and the action taken: Scanned, Infected, Suspected, Disinfected, Deleted, Ignored, Quarantined, Denied, Dropped, Rejected, Spam. Use the Refresh button to update the statistics.

14.6.3. Notifications

Mail notifications are simple email messages sent by BitDefender to the system administrator to inform about special events, or to the parties of an email communication to inform about malware found.

All the notifications are sent through an email server (an SMTP server). This could be any server, such as the one on the local machine or another installed on a remote machine. It will be used whenever BitDefender needs to inform the sender, receiver, postmaster or sysadmin about some special event. Usually this is the local server, so the default setting could be 127.0.0.1:25, but in some cases it is better to use another server or port. For example, for an installation as SMTP proxy, sending the alert message to 127.0.0.1:25 will make BitDefender scan it, so it would be a better idea to send it directly to the real server on 127.0.0.1:10025 (or the port it is configured to listen on), to avoid the useless processing. Of course, you could use an alternate email server, but make sure it will relay emails coming from your host. You must also enter the email address the message will be sent from.

If you want to alert the sender or the receivers of an infected email message about the infection, check the appropriate checkbox. Please consider the probability of a fake sender, in which case you will send the notification to no one or to an innocent person. Also, the recipient of the original message could consider your notification about an email he never received to be spam. Therefore, these checkboxes are unchecked by default.

You can notify the administrators, too. They could be the following:

- Postmaster: receives alerts when an infected email or file is found.
- Administrator: receives alerts about the BitDefender license key expiring or other kinds of errors related to BitDefender.

After all changes are made, do not forget to press the Apply button.
15. SNMP

15.1. Introduction

The SNMP support of BitDefender consists of two implementations: an SNMP plugin and a Logger plugin.

The Net-SNMP plugin is a module of the snmpd daemon (developed for the net-snmp package). It is loaded by the daemon and communicates with the BitDefender Registry to gain read and write access to the BitDefender settings.

The second implementation, the Logger plugin, is just another module beside the file logger, the real-time virus and spam report module or the mail notification module. It receives the same BitDefender event information as the other Logger plugins and sends it to a remote host running the SNMP trap server, which, in turn, will process it (send it to syslog, etc.).

15.2. Installation

First, you will need the net-snmp package. It is your choice to install the package provided by your distribution or to compile it from the sources. Either way, there are some things to mention.

The parent directory of the snmpd.conf and snmptrapd.conf configuration files may vary. It could be /etc/snmp/, /usr/share/snmp/ or /usr/local/share/snmp/, according to the installation method (from pre-built package or from sources) and distribution. Try to locate it and note the full path, since we will need it later. Inside it there should be the mibs directory, where all the MIB files are located. Note this one, too.

The persistent data directory should be /var/net-snmp/ (this is the default location). Here you will find other snmpd.conf and snmptrapd.conf files. However, on certain distributions, this directory may be /var/lib/snmp/. Please find it before proceeding.
15.3. The NET-SNMP plugin

As stated before, this is a plugin loaded by net-snmp, used to interrogate and, eventually, modify the BitDefender settings.

15.3.1. Prerequisites

Let's start by verifying that you have the plugin. It should be located at /opt/bitdefender/var/lib/libbduxsnmp.so. And you will need one more thing: the MIB file BITDEFENDER-MIB.txt, which you should copy to the above mentioned mibs directory.

15.3.2. Configuration

Before using it, we need to configure the snmpd daemon. Open the /etc/snmp/snmpd.conf file with your favorite text editor (vi, right?) and add the next lines at the end. The first one adds the user bitdefender (nothing to do with the bitdefender system user) and the second one specifies the module to load and maps it to the softwin branch. Make sure the path to the plugin is the right one.

    rwuser bitdefender
    dlmod softwin /opt/bitdefender/var/lib/libbduxsnmp.so

Next, if you plan to use the SNMP version 3 protocol, you have to add the following line to the /var/net-snmp/snmpd.conf file. I know, they say not to edit it; please do not listen to them. The passwords should be longer than 8 characters. If you use a short password, the SNMP server will ignore the createuser directive. Make sure that the snmpd daemon is not running while you edit this. Kill it somehow.

    createuser bitdefender MD5 <authpass> DES <privpass>

When you start the snmpd daemon, this line will be replaced with a new one, with encrypted passwords.

I think this would be enough. Let's start the snmpd daemon. Try service snmpd start, /etc/init.d/snmpd start or /etc/rc.d/rc.snmpd start, according to your distribution.
15.3.3. Walking through the MIBs

Let's try something with our new SNMP module. Run this. A long line, indeed.

    # snmpwalk -v 3 -m ALL -u bitdefender -l authpriv -a MD5 \
        -A <authpass> -x DES -X <privpass> localhost softwin

I suppose you did not forget to use your own passwords, did you?

The BitDefender plugin also works with versions 1 and 2c, but you need the community string (which is public by default). For example, the following line uses version 1.

    # snmpwalk -v 1 -m ALL -c public localhost softwin

There are some graphical tools to play with. For example, the net-snmp package contains tkmib, a Tk-based SNMP client tool. You can find our module at .iso.org.dod.internet.private.enterprises.softwin, after loading the MIB, of course.

With this plugin, you will be able to do the following.

Monitor the BitDefender daemons.
Force an update via the cupdate key.
Consult the global statistics.
Consult the update related keys: last update, last check, update status; and set the interval between two successive checks.
Consult the number of signatures of the antivirus engine.
Consult the license information: the license type, the number of users, the number of domains (reported against the total number of users and domains supported by the license).

15.3.4. Get and set values

You can also get and set individual values in the tree, using this plugin. But you need to specify the read-only and read-write communities in the /etc/snmp/snmpd.conf file. Add the following two lines.

    rocommunity public
    rwcommunity private
Now, to get a value use this line. It will return the time between two consecutive updates.

    # snmpget -v 1 -m ALL -c public localhost checksecs.0

To set a value, for example to trigger an update, run this command.

    # snmpset -v 1 -m ALL -c private localhost cupdate.0 s "y"

15.4. The BitDefender Logger plugin

The BitDefender Logger receives messages from various BitDefender components and presents them to the user in various formats. It can log the messages to a file, forward them by email to a designated address or, using this plugin, send them to an SNMP server.

15.4.1. Prerequisites

You will need a working SNMP server installed on the same or on some other machine. Please take a look at the Troubleshooting section below, because there are some glitches you have to be aware of.

You will also need the following MIB files present in the mibs directory we have talked about before: BITDEFENDER-ALERTS-MIB.txt, BITDEFENDER-NOTIFY-MIB.txt and BITDEFENDER-TRAP-MIB.txt.

Regarding the SNMP protocol version, you can use 1, 2c or 3 with the following notes.

Alerts of TRAP type can be sent using the SNMP protocol versions 1, 2c and 3.
Alerts of INFORM type can be sent using the SNMP protocol versions 2c and 3.
Protocol version 3 needs a user and offers authentication and encryption.
Protocol versions 1 and 2c need no user; they use the community string, which is public by default.
15.4.2. Configuration

The messages sent to the SNMP server are received by the snmptrapd daemon. We need to configure it. But first, please make sure the SNMP services are not running.

We need a username for the SNMP version 3 protocol. If you would like to use version 1 or 2c, you do not need the user and you can skip the following paragraphs.

Let's use the same bitdefender username as above. Make sure this line is in the /etc/snmp/snmpd.conf file.

    rwuser bitdefender

Thus we specify that this user will have read and write access, but it is not defined yet. Add this line at the end of the /var/net-snmp/snmptrapd.conf file and remember that the passwords should be longer than 8 characters. If the file does not exist, just create it.

    createuser -e 0xBD224466 bitdefender MD5 <authpass> DES <privpass>

If you plan to use the INFORM alerts, without the need for the EngineID, you will have to add a user without specifying the EngineID. The user defined in the line above will not work, so add a new one.

    createuser bitdefender_inform MD5 <authpass> DES <privpass>

Let's stop for a while and explain this line. You are free to change anything in it, with the only condition that you reflect the changes in the BitDefender configuration.

-e 0xBD224466
This is the EngineID. It is mandatory for alerts of TRAP type and optional for INFORM type. The alert type should be specified in the /BDUX/LoggerDaemon/Plugins/SNMP/AlertType registry key. The EngineID must also be specified in the BitDefender registry, at the /BDUX/LoggerDaemon/Plugins/SNMP/SecurityEngineID key. If not used (it is optional when the alert type is INFORM), the SecurityEngineID key must be empty.
bitdefender
This is the user to create for authenticated SNMP v3. The same name should be declared in /etc/snmp/snmpd.conf (please read above) and in the /BDUX/LoggerDaemon/Plugins/SNMP/SecurityName registry key.

MD5
The authentication protocol (MD5 or SHA1) used for authenticated SNMP v3. The same value must be found in the /BDUX/LoggerDaemon/Plugins/SNMP/AuthProto registry key.

<authpass>
The authentication pass phrase used for authenticated SNMP v3 messages. The same value must be found in the /BDUX/LoggerDaemon/Plugins/SNMP/AuthProtoPass registry key.

DES
The privacy protocol (DES or AES) used for encrypted SNMP v3 messages. The same value must be found in the /BDUX/LoggerDaemon/Plugins/SNMP/SecurityPrivProto registry key.

<privpass>
The privacy pass phrase used for encrypted SNMP v3 messages. The same value must be found in the /BDUX/LoggerDaemon/Plugins/SNMP/SecurityPrivProtoPass registry key.

This line will be replaced with another one, with encrypted passwords, when the snmptrapd daemon is started.

One more thing: you do not need to use all the parameters specified above for SNMP v3. You can use authentication without encryption (the SecurityLevel key is authnopriv) or no authentication and no encryption (the SecurityLevel key is noauthnopriv). You have to modify the createuser line accordingly.

This would be the user. Now, let's get back to the /etc/snmp/snmpd.conf file and add some more lines. You might find them already in your file, but commented out. Uncomment them and set the correct values.

    # trapsink: A SNMPv1 trap receiver
    trapsink localhost
    # trap2sink: A SNMPv2c trap receiver
    trap2sink localhost
    # informsink: A SNMPv2c inform (acknowledged trap) receiver
    informsink localhost public
    # trapcommunity: Default trap sink community to use
    trapcommunity public
    # authtrapenable: Should we send traps when authentication
    # failures occur
    authtrapenable 1

I think this is the moment to start the snmpd and snmptrapd daemons. If you get an error, please review the configuration.

15.4.3. Usage

Now you can test the SNMP server. Here are some commands you may start with. The first one will send a TRAP alert that should be logged to syslog. Please note that we use the EngineID.

    # snmptrap -e 0xBD224466 -v 3 -m ALL -u bitdefender -l authpriv \
        -a MD5 -A <authpass> -x DES -X <privpass> localhost 42 \
        coldstart.0

Another command sends an INFORM alert. In this case, there is no need to specify the EngineID, and the user you have created must not have the EngineID. In our examples, we have created the bitdefender_inform user for this purpose. The alert will be logged to syslog too.

    # snmpinform -v 3 -m ALL -u bitdefender_inform -l authpriv -a MD5 \
        -A <authpass> -x DES -X <privpass> localhost 42 \
        coldstart.0

If you do not want to use the SNMP version 3 protocol, you can use the other two supported: 1 and 2c. In this case you do not need the username; all you have to know is the community string. This is public by default. For example, for version 2c, use this command.

    # snmptrap -c public -v 2c -m ALL localhost 42 coldstart.0
If everything is all right and BitDefender is properly configured (that means the registry keys fit the SNMP server configuration), all you have to do is enable the plugin (if not already enabled) and try it by sending emails through the MTA. You will shortly see the report in the syslog of the machine running the SNMP server.

15.5. Troubleshooting

Due to a newly found bug in the net-snmp package, the TRAP feature does not work for net-snmp version 5.2.2 or newer with the SNMP version 3 protocol (but it works in version 5.2.1). This bug will hopefully be fixed by the net-snmp team soon. For more information, please see the discussion in the following thread: http://sourceforge.net/mailarchive/forum.php?thread_id=9098786&forum_id=4959.
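As an added check for the snmpd.conf and snmptrapd.conf edits described in 15.3.2 and 15.4.2 (example code written for this text, not part of BitDefender or net-snmp), the following Python audit reads configuration text and flags the pitfalls this chapter names: createuser pass phrases shorter than 8 characters, which snmpd silently ignores, an EngineID that differs from the value intended for the SecurityEngineID registry key, and the well-known default community strings. The two sample configurations embedded in the block are constructed.

```python
"""Audit net-snmp configuration text for the pitfalls named in this chapter.

Added example, not part of BitDefender or net-snmp.  It works on the
configuration text (read the files yourself and pass their contents), so
it runs without a net-snmp installation.
"""
import shlex

# net-snmp rejects USM pass phrases shorter than 8 characters; the manual
# says to use more than 8, so anything below the minimum is flagged.
MIN_PASS_LEN = 8
# Community strings that every SNMP client ships with as defaults.
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_createuser(line):
    """Parse 'createuser [-e ENGINEID] USER [AUTHPROTO AUTHPASS [PRIVPROTO PRIVPASS]]'.

    Returns a dict describing the user, or None for any other directive.
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 2 or tokens[0] != "createuser":
        return None
    args = tokens[1:]
    user = {"engine_id": None, "auth": None, "auth_pass": None,
            "priv": None, "priv_pass": None}
    if args[0] == "-e":
        if len(args) < 3:
            return None
        user["engine_id"] = args[1]
        args = args[2:]
    user["name"] = args[0]
    if len(args) >= 3:
        user["auth"], user["auth_pass"] = args[1], args[2]
    if len(args) >= 5:
        user["priv"], user["priv_pass"] = args[3], args[4]
    return user


def audit(config_text, expected_engine_id=None):
    """Return a list of (line_number, finding) tuples for the given text.

    expected_engine_id is the value you intend to store in the
    /BDUX/LoggerDaemon/Plugins/SNMP/SecurityEngineID registry key; pass
    None when the alert type is INFORM and that key is left empty.
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user = parse_createuser(line)
        if user is not None:
            for label, secret in (("authentication", user["auth_pass"]),
                                  ("privacy", user["priv_pass"])):
                if secret is not None and len(secret) < MIN_PASS_LEN:
                    findings.append((number, "%s pass phrase of user '%s' is "
                                     "shorter than %d characters; snmpd ignores "
                                     "the createuser line"
                                     % (label, user["name"], MIN_PASS_LEN)))
            if (expected_engine_id and user["engine_id"]
                    and user["engine_id"].lower() != expected_engine_id.lower()):
                findings.append((number, "EngineID %s of user '%s' differs "
                                 "from the SecurityEngineID value %s"
                                 % (user["engine_id"], user["name"],
                                    expected_engine_id)))
            continue
        tokens = line.split()
        community = None
        if tokens[0] in ("rocommunity", "rwcommunity", "trapcommunity") \
                and len(tokens) > 1:
            community = tokens[1]
        elif tokens[0] == "informsink" and len(tokens) > 2:
            community = tokens[2]
        if community in DEFAULT_COMMUNITIES:
            findings.append((number, "%s uses the well-known default community "
                             "'%s'" % (tokens[0], community)))
    return findings


# Constructed sample files (not real configuration from any host).
SAMPLE_SNMPTRAPD_CONF = """\
# constructed /var/net-snmp/snmptrapd.conf sample
createuser -e 0xBD224466 bitdefender MD5 short DES longprivacypass
createuser bitdefender_inform MD5 longauthpass DES longprivacypass
"""

SAMPLE_SNMPD_CONF = """\
rwuser bitdefender
dlmod softwin /opt/bitdefender/var/lib/libbduxsnmp.so
rocommunity public
rwcommunity private
trapsink localhost
"""

if __name__ == "__main__":
    for name, text in (("snmptrapd.conf", SAMPLE_SNMPTRAPD_CONF),
                       ("snmpd.conf", SAMPLE_SNMPD_CONF)):
        for number, finding in audit(text, expected_engine_id="0xBD224466"):
            print("%s:%d: %s" % (name, number, finding))
```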
Getting help
16. Support

16.1. Support department

As a valued provider, SOFTWIN strives to provide its customers with an unparalleled level of fast and accurate support. The Support Center listed below is continually being updated with the newest virus descriptions and answers to common questions, so that you obtain the necessary information in a timely manner.

At SOFTWIN, dedication to saving its customers time and money by providing the most advanced products at the fairest prices has always been a top priority. Moreover, we think that a successful business is based on good communication and a commitment to excellence in customer support.

You are welcome to ask for support at <support@bitdefender.com> any time. For a prompt response, please include in your email as many details as you can about your BitDefender and about your system, and describe the problem as accurately as possible.

16.2. On-line help

16.2.1. BitDefender Knowledge Base

The BitDefender Knowledge Base is an online repository of information about BitDefender products. It stores, in an easily accessible format, reports on the results of the ongoing technical support and bugfixing activities of the BitDefender support and development teams, along with more general articles about virus prevention, the management of BitDefender solutions with detailed explanations, and many other articles.

The BitDefender Knowledge Base is open to the public and freely searchable. This wealth of information is yet another way to provide BitDefender customers with the technical knowledge and insight they need. All valid requests for information or bug reports coming from BitDefender clients eventually find their way into the BitDefender Knowledge Base, as bugfix reports, workaround cheatsheets or informational articles to supplement product helpfiles.
The BitDefender Knowledge Base is available any time at http://kb.bitdefender.com.

16.2.2. BitDefender Unix Servers Mailing List

BitDefender mailing lists bring the latest information regarding security, offer on-line technical support and provide valuable feedback. They are grouped in the following categories.

Technical Support.
Product Announcements: bug-fixes, new features or versions, etc.
Community feedback.

Subscribe and Unsubscribe

In order to join the BitDefender mailing lists, please follow these steps:

Send a blank message to <unix-mailservers-subscribe@bitdefender.com> with the subject line subscribe.
Confirm your subscription, to validate your email address, by redirecting or forwarding the email received from BitDefender to the same address, leaving the message body unchanged.

To unsubscribe from the mailing list, send an empty mail with the subject unsubscribe to <unix-mailservers-unsubscribe@bitdefender.com>, and follow the received instructions.

Submit a message

To post a message to the list, compose a new message and send it to <unix-mailservers@bitdefender.com>, with a subject line describing your topic and including all details in your message. Below are the guidelines and rules of the BitDefender discussion list:

The official language of the BitDefender mailing lists is English.
The messages must be plain text, not HTML or Rich Text.
All mails should have a short descriptive Subject line, specifying the product you are referring to.
Necessary details must be included in the messages so that other list members can fully understand the situation.
Posts may be moderated by the BitDefender Customer Service Department if the message does not conform to standard and common-sense policies.

16.3. Contact information

Efficient communication is the key to a successful business. For the past 10 years SOFTWIN has established an indisputable reputation in exceeding the expectations of clients and partners, by constantly striving for better communications. Please do not hesitate to contact us regarding any issues or questions you might have.

16.3.1. Web addresses

Sales department: <sales@bitdefender.com>
Technical support: <support@bitdefender.com>
Unix Mail List: <unix-mailservers@bitdefender.com>
Documentation: <documentation@bitdefender.com>
Security reports: <security@bitdefender.com>
Product web site: http://linux.bitdefender.com
Product archives: http://download.bitdefender.com/linux
Local distributors: http://www.bitdefender.com/partner_list
BitDefender Knowledge Base: http://kb.bitdefender.com

16.3.2. Address

The BitDefender offices are ready to respond to any inquiries regarding their areas of operations, in matters both commercial and general. Their respective addresses and contacts are listed below.

Germany

Softwin GmbH
Karlsdorfer Straße 56
88069 Tettnang
Technical support: <support@bitdefender.de>
Sales: <vertrieb@bitdefender.de>
Phone: 07542/94 44 44
Fax: 07542/94 44 99
Product web site: http://www.bitdefender.de
Spain

Constelación Negocial, S.L
C/ Balmes 195, 2ª planta, 08006 Barcelona
Technical support: <soporte@bitdefender-es.com>
Sales: <comercial@bitdefender-es.com>
Phone: +34 932189615
Fax: +34 932179128
Product web site: http://www.bitdefender-es.com

U.S.A

BitDefender LLC
6301 NW 5th Way, Suite 3500
Fort Lauderdale, Florida 33308
Technical support: <support@bitdefender.us>
Sales: <sales@bitdefender.us>
Phone: 954 776 62 62, 800 388 80 62
Fax: 954 776 64 62, 800 388 80 64
Product web site: http://www.bitdefender.us

Romania

SOFTWIN
5th Fabrica de Glucoza St.
PO BOX 52-93
Bucharest
Technical support: <suport@bitdefender.ro>
Sales: <sales@bitdefender.ro>
Phone: +40 21 2330780
Fax: +40 21 2330763
Product web site: http://www.bitdefender.ro
Appendices
A. Supported antivirus archives and packs

BitDefender scans inside the most common types of archives and packed files, including, but not limited to, the following.

Supported archive types
Ace
Arc
Arj
bzip2
Cab
Cpio (clean+delete)
Gzip (clean+delete)
Ha
Imp
Jar
MS Compress
Lha (lzx)
Rar (including 3.0)
Rpm (clean+delete)
Tar (clean+delete)
Z
Zip (clean+delete)
Zoo

Installation packers
Inno (Inno Installer)
Instyler
VISE (viza.xmd)
InstallShield (ishield.xmd)
Nullsoft Installer (NSIS)
Wise Installer

Mail archives
Dbx (Outlook Express 5, 6 mailboxes)
Mbx (Outlook Express 4 mailbox)
Pst (Outlook mailboxes, supports clean and delete)
Mime (base64, quoted printable, plain; supports clean and delete)
Mbox (plain mailbox - Linux and Netscape)
Hqx (HQX is a format used for mail attachments on Mac)
Uudecode
Tnef (a Microsoft format in which some properties of the attachments are encoded; it can contain scripts)
Supported packers
ACProtect / UltraProtect
PELock NT
ASPack (all versions)
Pencrypt (3.1, 4.0a, 4.0b)
Bat2exec (1.0, 1.2, 1.3, 1.4, 1.5, 2.0)
PePack (all versions)
Yoda's Cryptor
Perplex
CExe
PeShield
Diet
PeSpin
DxPack
Petite (all versions)
Dza
Pex Patcher
PhrozenCrew PE Shrinker (0.71)
ECLIPSE
PkLite
Exe32Pack (1.38)
PKLITE32 (1.11)
ExePack
Polyene
ExeStealth
RelPack
JdProtect
Rjcrush (1.00, 1.10)
Lzexe
Shrinker (3.3, 3.4)
Mew
VgCrypt
Molebox (2.2.3, 2.2.4, 2.2.5, 2.2.6, Stpe 2.2.8)
Morphine
Telock (all versions)
Neolite
T-pack
PC/PE Shrinker 0.71
Ucexe
PCPEC
UPolyx
PE Crypt 32 (1.02 (a,b,c))
UPX (all versions)
PE PACK\CRYPT
WWPACK32 (1.0b9, 1.03, 1.12, 1.20)
PeBundle
Wwpack (3.01, 3.03, 3.04, 3.04PU, 3.05, 3.05PU)
pecompact (up to 1.40 beta 3)
Xcomor (0.99a, 0.99d, 0.99f (486), 0.99h, 0,99i)
PeDiminisher

Others
Chm (contains html which can be infected)
Iso (CD images)
Pdf
Rtf
Mso (contains compressed OLE2 files; this way the macros are saved in case a Doc is saved as html)
Swf (extracts certain fields that contain various commands; these are scanned by other plug-ins, for example SDX)
Bach (extracts debug.exe scripts on the basis of heuristic methods)
Omf (object file)
B. Alert templates

All alerts can be customized. BitDefender provides a template mechanism for generating the alert messages. These templates are plain text files containing the desired notice and certain variables (keywords) which will be replaced with their proper values during the alert generation.

B.1. Variables

The variables and their meaning are described in the table below.

${BitDefender}: This variable will be replaced with the BitDefender string.
${RealSender}: The sender of the email, taken from the MAIL FROM: SMTP command.
${RealReceivers}: The receivers of the email, taken from the RCPT TO: SMTP command.
${HeaderSender}: The sender of the email, from the From: header of the email.
${HeaderReceivers}: The receivers of the email, from the To: and Cc: email headers.
${Subject}: The subject of the alert email.
${Object}: The object containing the malware.
${Action}: The action taken on the object.
${Virus}: The virus name.
${Status}: The status of the object, one of Infected, Suspected, Unknown.
${Days}: The days until the key expiration.
The variable ${BitDefender}
It is mandatory to include the variable ${BitDefender} in your custom template. If it is not found, the module will use the built-in template instead.

These variables can be combined in any form inside the object lists in order to generate a custom template, no matter the language. By default, the templates are stored inside the /opt/bitdefender/share/templates/language directory. For every supported language there is a subdirectory, such as en, ro, de, fr, hu, es. Inside the language subdirectories there are the template files, suggestively named. Regarding the email alerts, the involved templates are the following: MailServerAlert.tpl, KeyHasExpiredAlert.tpl, KeyWillExpireAlert.tpl, ReceiverAlert.tpl and SenderAlert.tpl.

The template name
You do not have to keep the default file name or location. The only mandatory thing is to refer to it accordingly inside the BitDefender Registry, under its corresponding key.

B.2. Sample results

Looking inside the above-mentioned files, one could get confused about their structure. Here are the defaults for the English language and possible results when generating the alerts.

B.2.1. MailServer Alert

This is the alert the postmaster will receive when an infected message is found. The variables that can be used are the following: ${RealSender}, ${RealReceivers}, ${HeaderSender}, ${HeaderReceivers}, ${Subject}, ${Object}, ${Action}, ${Virus}, ${Status}, ${BitDefender}.
The default template is the following.

    Subject: System info
    ${BitDefender} found an infected object in a message:
    Real sender: ${RealSender}
    Real receivers: ${RealReceivers}
    From: ${HeaderSender}
    To: ${HeaderReceivers}
    Subject: ${Subject}
    Virus: ${Virus}
    http://www.bitdefender.com/vfind/?q=${virus}
    Object: ${Object}
    Status: ${Status}
    Action: ${Action}
    Thank you for choosing ${BitDefender}
    http://www.bitdefender.com/

This will expand to the next message (provided as an example).

    Subject: System info
    BitDefender found an infected object in a message:
    Real sender: <sender@example.com>
    Real receivers: <receiver@example.com>
    From: The Sender <sender@example.com>
    To: The Receiver <receiver@example.com>
    Subject: klez
    Virus: Win32.Klez.A@mm
    http://www.bitdefender.com/vfind/?q=win32.klez.a@mm
    Object: /tmp/bdnp.milter.qf2aqw=>[subject: klez]
    Status: Infected
    Action: Deleted
    Thank you for choosing BitDefender
    http://www.bitdefender.com/
B.2.2. Sender Alert

This is the alert the sender of the original email will receive when an infected message is found coming from him. The variables that can be used are the following: ${RealReceivers}, ${HeaderReceivers}, ${Subject}, ${Object}, ${Action}, ${Virus}, ${Status}, ${BitDefender}.

The default template is the following.

    Subject: Virus Warning!
    ${BitDefender} found an infected object in a message that was sent from your address
    Real receiver: ${RealReceivers}
    To: ${HeaderReceivers}
    Subject: ${Subject}
    Virus: ${Virus}
    http://www.bitdefender.com/vfind/?q=${virus}
    Object: ${Object}
    Status: ${Status}
    Action: ${Action}
    For more information about ${BitDefender} please visit
    http://www.bitdefender.com/

This will expand to the next message (provided as an example).

    Subject: Virus Warning!
    BitDefender found an infected object in a message that was sent from your address
    Real receivers: <receiver@example.com>
    To: The Receiver <receiver@example.com>
    Subject: klez
    Virus: Win32.Klez.A@mm
    http://www.bitdefender.com/vfind/?q=win32.klez.a@mm
    Object: /tmp/bdnp.milter.qf2aqw=>[subject: klez]
    Status: Infected
    Action: Deleted
    For more information about BitDefender please visit
    http://www.bitdefender.com/

B.2.3. Receiver Alert

This is the alert the receiver of the original email will get when an infected message is found addressed to him. The variables that can be used are the following: ${RealSender}, ${HeaderSender}, ${Subject}, ${Object}, ${Action}, ${Virus}, ${Status}, ${BitDefender}.

The default template is the following.

    Subject: Virus warning!
    ${BitDefender} found an infected object in a message addressed to you:
    Real sender: ${RealSender}
    From: ${HeaderSender}
    Subject: ${Subject}
    Virus: ${Virus}
    http://www.bitdefender.com/vfind/?q=${virus}
    Object: ${Object}
    Status: ${Status}
    Action: ${Action}
    For more information about ${BitDefender} please visit
    http://www.bitdefender.com/

This will expand to the next message (provided as an example).

    Subject: Virus warning!
    BitDefender found an infected object in a message addressed to you:
    Real sender: <sender@example.com>
    From: The Sender <sender@example.com>
    Subject: klez
    Virus: Win32.Klez.A@mm
    http://www.bitdefender.com/vfind/?q=win32.klez.a@mm
    Object: /tmp/bdnp.milter.qf2aqw=>[subject: klez]
    Status: Infected
    Action: Deleted
    For more information about BitDefender please visit
    http://www.bitdefender.com/

B.2.4. KeyWillExpire Alert

This is the alert the system administrator will receive when the license key is about to expire. The variables that can be used are the following: ${Days}, ${BitDefender}.

The default template is the following.

    Subject: Registration info
    Your ${BitDefender} license will expire in ${Days} days!
    http://www.bitdefender.com
B.2.5. KeyHasExpired Alert

This is the alert the system administrator will receive when the license key has expired. The variable that can be used is ${BitDefender}.

The default template is the following.

    Subject: Registration Error
    Your ${BitDefender} license has expired!
    http://www.bitdefender.com
C. Footer templates

BitDefender supports full customization of the footers appended to emails, which notify the clean or infected status and give extra detailed information about the infection. These footers are user-configurable: based on templates, they include several keywords, named variables, which will be replaced by the BitDefender notifying module with their corresponding values.

C.1. Variables

The variables and their meaning are described in the table below.

${BitDefender}: This variable will be replaced with the BitDefender string.
${begin}, ${end}: These are the markers of the boundary of the object list. Multiple object lists are allowed, provided they are not nested.
${object}: The file or object found infected or suspected of being infected.
${status}: The status of the object, one of Infected, Suspected, Unknown.
${virus}: The virus name. If you want to know more about the reported virus, use the Virus Encyclopedia.
${action}: The action taken for the object. It can be one of Disinfected, Deleted, Quarantined, Dropped, Rejected, Ignored. Normally Dropped and Rejected should never appear, since these emails are lost.

The variable ${BitDefender}
It is mandatory to include the variable ${BitDefender} in your custom template. If it is not found, the module will use the built-in template instead.

These variables can be combined in any form inside the object lists in order to generate a custom template, no matter the language. By default, the templates
are stored inside the /opt/bitdefender/share/templates/language directory. For every supported language there is a subdirectory, such as en, ro, de, fr, hu, es. Inside the language subdirectories there are the template files, suggestively named. Regarding the email footers, the involved template is bd.tpl.

The template name
You do not have to keep the default file name or location. The only mandatory thing is to refer to it accordingly inside the BitDefender Registry, under its corresponding key.

C.2. Sample results

Looking inside the above-mentioned file, one could get confused about the structure. Here are the defaults for the English language and possible results when generating the footers.

Text encoding
To avoid strange output results, the text must be written using the plain ASCII character set, since there is no charset encoding conversion.

The default template is the next one.

    -------------------------------------------------------------
    This mail was scanned by ${BitDefender}
    For more informations please visit http://www.bitdefender.com
    ${begin:virus}
    Found virus:
    Object: ${object}
    Name: ${virus}
    Status: ${status}
    Action: ${action}
    ${end}
    -------------------------------------------------------------

C.2.1. Clean

When the message is clean, the footer will be this one.
    -------------------------------------------------------------
    This mail was scanned by BitDefender
    For more informations please visit http://www.bitdefender.com
    -------------------------------------------------------------

C.2.2. Ignored

When an infected email is found and the action was to ignore the object, the result is the following.

    -------------------------------------------------------------
    This mail was scanned by BitDefender
    For more informations please visit http://www.bitdefender.com
    Found virus:
    Object: (MIME part)=>(application)=>word/w97m.smac.d
    Name: W97M.Smac.D
    Status: Infected
    Action: Ignored
    -------------------------------------------------------------

C.2.3. Disinfected

Finally, when an infected email was found and cleaned, the result is listed below.

    -------------------------------------------------------------
    This mail was scanned by BitDefender
    For more informations please visit http://www.bitdefender.com
    Found virus:
    Object: (MIME part)=>(application)=>word/w97m.story.a
    Name: W97M.Story.A
    Status: Infected
    Action: Disinfected
    -------------------------------------------------------------
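To show how the template rules of Appendix B (alerts) and Appendix C (footers) fit together, here is an added Python renderer written for this text; it is not the product's own template engine. It substitutes ${Name} variables, falls back to a built-in template when the mandatory ${BitDefender} is missing, repeats the ${begin:...} ... ${end} block of a footer once per reported object (and drops it for a clean message), and lower-cases the virus name for the all-lowercase ${virus} used in the vfind URL, as the sample output in B.2.1 shows. The built-in templates and the sample data in the block are constructed; the template texts are copied from the defaults quoted above.

```python
"""Render BitDefender-style alert (Appendix B) and footer (Appendix C) templates.

Added example, not the product's own code.  Constructed stand-ins are used
for the module's built-in templates, whose real text the manual does not give.
"""
import re

VAR_RE = re.compile(r"\$\{([A-Za-z]+)\}")
BLOCK_RE = re.compile(r"\$\{begin:[A-Za-z]+\}(.*?)\$\{end\}", re.S)

# Constructed stand-ins for the built-in templates (assumption).
BUILTIN_ALERT = ("Subject: System info\n"
                 "${BitDefender} found an infected object: ${Object} (${Virus})\n")
BUILTIN_FOOTER = "This mail was scanned by ${BitDefender}\n"


def substitute(text, values):
    """Replace every ${Name} that has an entry in values.

    An all-lowercase ${name} that matches a value only case-insensitively is
    replaced by the lower-cased value (${virus} for ${Virus}); unknown names
    are left untouched.
    """
    lowered = {key.lower(): val for key, val in values.items()}

    def replace(match):
        name = match.group(1)
        if name in values:
            return str(values[name])
        if name == name.lower() and name in lowered:
            return str(lowered[name]).lower()
        return match.group(0)

    return VAR_RE.sub(replace, text)


def render_alert(template, values, builtin=BUILTIN_ALERT):
    """Expand an alert template (B.2.x); a template without the mandatory
    ${BitDefender} variable is replaced by the built-in one."""
    if "${BitDefender}" not in template:
        template = builtin
    return substitute(template, dict(values, BitDefender="BitDefender"))


def render_footer(template, objects, builtin=BUILTIN_FOOTER):
    """Expand a footer template (C.2): each ${begin:...}...${end} block is
    written once per entry of objects, a list of dicts keyed by the object,
    virus, status and action names of table C.1; an empty list yields the
    clean footer."""
    if "${BitDefender}" not in template:
        template = builtin

    def expand(match):
        return "".join(substitute(match.group(1), obj) for obj in objects)

    text = BLOCK_RE.sub(expand, template)
    return substitute(text, {"BitDefender": "BitDefender"})


# Copies of the English defaults quoted in B.2.1 and C.2 (shortened alert).
MAILSERVER_ALERT_TPL = """\
Subject: System info
${BitDefender} found an infected object in a message:
Real sender: ${RealSender}
From: ${HeaderSender}
Subject: ${Subject}
Virus: ${Virus}
http://www.bitdefender.com/vfind/?q=${virus}
Object: ${Object}
Status: ${Status}
Action: ${Action}
"""

FOOTER_TPL = """\
-------------------------------------------------------------
This mail was scanned by ${BitDefender}
For more informations please visit http://www.bitdefender.com
${begin:virus}
Found virus:
  Object: ${object}
  Name: ${virus}
  Status: ${status}
  Action: ${action}
${end}
-------------------------------------------------------------
"""

if __name__ == "__main__":
    # Constructed sample values, mirroring the examples in the appendices.
    print(render_alert(MAILSERVER_ALERT_TPL, {
        "RealSender": "<sender@example.com>",
        "HeaderSender": "The Sender <sender@example.com>",
        "Subject": "klez", "Virus": "Win32.Klez.A@mm",
        "Object": "/tmp/bdnp.milter.qf2aqw=>[subject: klez]",
        "Status": "Infected", "Action": "Deleted"}))
    print(render_footer(FOOTER_TPL, [
        {"object": "(MIME part)=>(application)=>word/w97m.smac.d",
         "virus": "W97M.Smac.D", "status": "Infected", "action": "Ignored"}]))
```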
Glossary

ActiveX
ActiveX is a model for writing programs so that other programs and the operating system can call them. ActiveX technology is used with Microsoft Internet Explorer to make interactive Web pages that look and behave like computer programs, rather than static pages. With ActiveX, users can ask or answer questions, use push buttons, and interact in other ways with the Web page. ActiveX controls are often written using Visual Basic. ActiveX is notable for a complete lack of security controls; computer security experts discourage its use over the Internet.

Archive
A disk, tape, or directory that contains files that have been backed up. A file that contains one or more files in a compressed format.

Backdoor
A hole in the security of a system deliberately left in place by designers or maintainers. The motivation for such holes is not always sinister; some operating systems, for example, come out of the box with privileged accounts intended for use by field service technicians or the vendor's maintenance programmers.

Boot sector
A sector at the beginning of each disk that identifies the disk's architecture (sector size, cluster size, and so on). For startup disks, the boot sector also contains a program that loads the operating system.

Boot virus
A virus that infects the boot sector of a fixed or floppy disk. An attempt to boot from a diskette infected with a boot sector virus will cause the virus to become active in memory. Every time you boot your system from that point on, you will have the virus active in memory.
Glossary Browser Short for Web browser, a software application used to locate and display Web pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer. Both of these are graphical browsers, which means that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, though they require plug-ins for some formats. Command line In a command line interface, the user types commands in the space provided directly on the screen using command language Cookie Within the Internet industry, cookies are described as small files containing information about individual computers that can be analyzed and used by advertisers to track your online interests and tastes. In this realm, cookie technology is still being developed and the intention is to target ads directly to what you've said your interests are. It's a double-edge sword for many people because on one hand, it's efficient and pertinent as you only see ads about what you're interested in. On the other hand, it involves actually "tracking" and "following" where you go and what you click. Understandably so, there is a debate over privacy and many people feel offended by the notion that they are viewed as a "SKU number" (you know, the bar code on the back of packages that gets scanned at the grocery check-out line). While this viewpoint may be extreme, in some cases it is accurate. Disk drive It's a machine that reads data from and writes data onto a disk. A hard disk drive reads and writes hard disks. A floppy drive accesses floppy disks. Disk drives can be either internal (housed within a computer) or external (housed in a separate box that connects to the computer). Download To copy data (usually an entire file) from a main source to a peripheral device. The term is often used to describe the process of copying a file from an online service to one's own computer. 
Downloading can also refer to copying a file from a network file server to a computer on the network. 134
Glossary E-mail Electronic mail. A service that sends messages on computers via local or global networks. Events An action or occurrence detected by a program. Events can be user actions, such as clicking a mouse button or pressing a key, or system occurrences, such as running out of memory. False positive Occurs when a scanner identifies a file as infected when in fact it is not. Filename extension The portion of a filename, following the final point, which indicates the kind of data stored in the file. Many operating systems use filename extensions, e.g. Unix, VMS, and MS-DOS. They are usually from one to three letters (some sad old OSes support no more than three). Examples include "c" for C source code, "ps" for PostScript, "txt" for arbitrary text. Heuristic A rule-based method of identifying new viruses. This method of scanning does not rely on specific virus signatures. The advantage of the heuristic scan is that it is not fooled by a new variant of an existing virus. However, it might occasionally report suspicious code in normal programs, generating the so-called "false positive". Internet Protocol (IP) A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets. Java applet A Java program which is designed to run only on a web page. To use an applet on a web page, you would specify the name of the applet and the size (length and width--in pixels) that the applet can utilize. When the web page is accessed, the browser downloads the applet from a server and runs it on the user's machine (the client). Applets differ from applications in that they are governed by a strict security protocol. For example, even though applets run on the client, they cannot read or write data onto the client's machine. Additionally, applets are further restricted so 135
Glossary that they can only read and write data from the same domain that they are served from. Macro virus A type of computer virus that is encoded as a macro embedded in a document. Many applications, such as Microsoft Word and Excel, support powerful macro languages. These applications allow you to embed a macro in a document, and have the macro execute each time the document is opened. Mail client An e-mail client is an application that enables you to send and receive e-mail. Memory Internal storage areas in the computer. The term memory identifies data storage that comes in the form of chips, and the word storage is used for memory that exists on tapes or disks. Every computer comes with a certain amount of physical memory, usually referred to as main memory or RAM. Non-heuristic This method of scanning relies on specific virus signatures. The advantage of the non-heuristic scan is that it is not fooled by what might seem to be a virus, and does not generate false alarms. Packed programs A file in a compression format. Many operating systems and applications contain commands that enable you to pack a file so that it takes up less memory. For example, suppose you have a text file containing ten consecutive space characters. Normally, this would require ten bytes of storage. However, a program that packs files would replace the space characters by a special space-series character followed by the number of spaces being replaced. In this case, the ten spaces would require only two bytes. This is just one packing technique - there are many more. Path The exact directions to a file on a computer. These directions are usually described by means of the hierarchical filing system from the top down. The route between any two points, such as the communications channel between two computers. 136
Glossary Polymorphic virus A virus that changes its form with each file it infects. Since they have no consistent binary pattern, such viruses are hard to identify. Port An interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards. Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices. In TCP/IP and UDP networks, an endpoint to a logical connection. The port number identifies what type of port it is. For example, port 80 is used for HTTP traffic. Report file A file that lists actions that have occurred. BitDefender maintains a report file listing the path scanned, the folders, the number of archives and files scanned, how many infected and suspicious files were found. Script Another term for macro or batch file, a script is a list of commands that can be executed without user interaction. Startup items Any files placed in this folder will open when the computer starts. For example, a startup screen, a sound file to be played when the computer first starts, a reminder calendar, or application programs can be startup items. Normally, an alias of a file is placed in this folder rather than the file itself. System tray Introduced with Windows 95, the system tray is located in the Windows taskbar (usually at the bottom next to the clock) and contains miniature icons for easy access to system functions such as fax, printer, modem, volume, and more. Double click or right click an icon to view and access the details and controls. Transmission Control Protocol/Internet Protocol (TCP/IP) Transmission Control Protocol/Internet Protocol - A set of networking protocols widely used on the Internet that provides communications across interconnected networks of computers with diverse hardware architectures 137
Glossary and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic. Trojan A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer. The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy. Update A new version of a software or hardware product designed to replace an older version of the same product. In addition, the installation routines for updates often check to make sure that an older version is already installed on your computer; if not, you cannot install the update. BitDefender has it's own update module that allows you to manually check for updates, or let it automatically update the product. Virus A program or piece of code that is loaded onto your computer without your knowledge and runs against your will. Most viruses can also replicate themselves. All computer viruses are manmade. A simple virus that can copy itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems. Virus definition The binary pattern of a virus, used by the antivirus program to detect and eliminate the virus. Worm A program that propagates itself over a network, reproducing itself as it goes. 
It cannot attach itself to other programs. 138