Catching Viruses

Use the following three "virus" filters to modify how PureMessage handles virus-laden messages.

Note: The optional "PureMessage-Policy-Virus" package is required when using any of the following virus filters.

Example 1: Quarantine all external messages containing virus variants.

Use the "virus 1" filter to quarantine all external messages containing virus variants. The "virus 1" filter is a modification to the default policy filter found in Policy Script 2: Scan External Mail for Viruses. Unlike the default filter, the "virus 1" filter quarantines all messages containing virus variants. No attempt is made to clean infected messages. See the pmx_virus command in the pmx-policy manpage.

# attr NAME=virus 1
# Quarantines all infected messages.
if pmx_virus {
    pmx_quarantine "Virus";
}

Description:

  • If the pmx_virus test detects a virus in the message:
    • The pmx_quarantine action sends the message to the PureMessage quarantine with the reason "Virus".

Where does this filter go?

The "virus 1" filter replaces the Policy Script 2: Scan External Mail for Viruses filter. Replacing this default policy filter with the "virus 1" filter ensures that:

  • The "virus 1" filter executes when messages from external hosts containing virus variants are detected.
  • All external messages containing virus variants are quarantined.
  • Subsequent PureMessage policy filters will always execute. (The "virus 1" filter does not contain a stop command that would otherwise end the policy script before other PureMessage filters execute.)

Example 2: Attempt to clean all internal messages containing virus variants.

Use the "virus 2" filter to clean all internal messages containing virus variants. The "virus 2" filter is a modification to the default policy filter found in Policy Script 1: Scan and Deliver Internal Messages. Unlike the default filter, the "virus 2" filter attempts to clean virus variants from all messages sent through internal hosts. The default policy rejects all internal mail containing viruses.

# attr NAME=virus 2
#
if pmx_virus {
    pmx_file "Virus";
    pmx_virus_clean "cantclean.tmpl";
    pmx_replace_header "Subject" "[PMX:VIRUS] %%SUBJECT%%";
    stop;
}

Description:

This filter attempts to clean the virus-laden message. If the message is successfully cleaned, it is sent to its original recipients. If the virus is not successfully cleaned, the infected part is replaced with the error template cantclean.tmpl. The "Subject" is marked with "[PMX:VIRUS]" to inform recipients that PureMessage found a virus.

Where does this filter go?

The "virus 2" filter replaces the Policy Script 1: Scan and Deliver Internal Messages filter. Replacing this default policy filter with the "virus 2" filter ensures that:

  • The "virus 2" filter executes when messages from internal hosts containing virus variants are detected.
  • All messages sent through internal hosts are cleaned if they contain virus variants.
  • Subsequent PureMessage policy filters never execute. (The "virus 2" filter contains a stop command which ends the policy script and prevents other PureMessage filters from executing.)

Example 3: Discard external messages containing specific viruses.

Use the "virus 3" filter to evaluate mail sent through external hosts and to discard messages containing either the "Klez" or "Sobig" variants. The "virus 3" filter is a modification to the default policy filter found in Policy Script 2: Scan External Mail for Viruses. Unlike the default filter, the custom "virus 3" filter searches for specific viruses using the pmx_virus_id command.

# attr NAME=virus 3
# Discards messages infected with Klez or Sobig variants.
# Attempts to clean messages infected with other variants.
if pmx_virus {
    if pmx_virus_id :matches ["*Klez*", "*Sobig*"] {
        discard;
        stop;
    }
    pmx_file "Virus";
    pmx_virus_clean "cantclean.tmpl";
    pmx_replace_header "Subject" "[PMX:VIRUS] %%SUBJECT%%";
}

Description:

  • The pmx_virus command tests the message for virus threats. If the test is "true", and the message contains a virus:
    • The pmx_virus_id test checks if the message contains either the "Klez" or "Sobig" variants. If either virus is found:
      • The message is discarded.
      • The stop command ends message processing.
    • For messages infected with any other variant, the pmx_file action copies the message to the quarantine with the reason "Virus".
    • The pmx_virus_clean action attempts to clean the virus from the message. If cleaning fails, the message is quarantined, and a message is sent to the recipient based on the specified failure template file, cantclean.tmpl.
    • The pmx_replace_header command prefixes the "Subject" header with [PMX:VIRUS]. The original "Subject" is added to the end of the header with the %%SUBJECT%% template variable.

Where does this filter go?

The "virus 3" filter replaces the Policy Script 2: Scan External Mail for Viruses filter. Replacing this default policy filter with the custom "virus 3" filter ensures that:

  • The "virus 3" filter always executes when messages from external hosts containing specific virus variants are detected.
  • All external messages containing specific virus variants are discarded.
  • Subsequent PureMessage policy filters will always execute. (The "virus 3" filter does not contain a stop command that would otherwise end the policy script before other PureMessage filters execute.)
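The control flow of the three filters can be checked side by side with a small model. This is an added Python example, not PureMessage code: it only mirrors the branches of the policy snippets above, the detection names in SAMPLES are constructed, and case-insensitive glob matching for :matches is an assumption. In the "virus 3" snippet the stop command is reached only inside the Klez/Sobig branch.

```python
from fnmatch import fnmatchcase

def matches(virus_id, patterns):
    # Assumption: ":matches" behaves as a case-insensitive glob.
    return any(fnmatchcase(virus_id.lower(), p.lower()) for p in patterns)

# Actions shared by the cleaning branches of "virus 2" and "virus 3".
CLEAN = ['pmx_file "Virus"', 'pmx_virus_clean "cantclean.tmpl"',
         'pmx_replace_header "Subject"']

# Each function takes the detected virus name (None = pmx_virus is false)
# and returns (actions taken, whether later policy filters still run).

def virus_1(virus_id):
    if virus_id:                                   # if pmx_virus
        return ['pmx_quarantine "Virus"'], True    # no stop in this filter
    return [], True

def virus_2(virus_id):
    if virus_id:
        return CLEAN + ["stop"], False             # stop ends the policy script
    return [], True

def virus_3(virus_id):
    if virus_id:
        if matches(virus_id, ["*Klez*", "*Sobig*"]):
            return ["discard", "stop"], False      # stop only on this branch
        return list(CLEAN), True                   # other variants fall through
    return [], True

# Constructed sample detections; None means no virus was found.
SAMPLES = [None, "W32/Klez-H", "W32/Sobig-F", "W32/Netsky-P"]

if __name__ == "__main__":
    filters = [("virus 1", virus_1), ("virus 2", virus_2), ("virus 3", virus_3)]
    for name, fn in filters:
        for vid in SAMPLES:
            actions, later = fn(vid)
            print(f"{name} | {vid!s:12} | {', '.join(actions) or '(none)'}"
                  f" | later filters run: {later}")
```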