General Virus Info

Overview

Control and Prevention is the first phase of dealing with the outbreak of an email virus. This involves trapping the virus such that it cannot spread any further throughout the email system.

Cleanup and Elimination is the second phase of dealing with the outbreak of an email virus. This involves removing from your system those email messages which have infected message parts.

Regardless of which version of PMDF you have, you want to make sure that you have the current images for that version from our anonymous FTP area. See the fine print for details.

Control and Prevention

The best strategy for control and prevention is to obtain a virus scanner and integrate it into the PMDF conversion channel.

Another strategy for control and prevention is to set up a system-wide filter file that discards messages containing a suspicious phrase. This is only a stop-gap strategy because it catches only messages containing the specific phrases you filter for.

It is strongly recommended to use a real virus scanner in all cases, because the target phrases will change over time.

Using the conversion channel

Virus scanning with the PMDF conversion channel has a full discussion of its own. That discussion is located at

vsweep.html

Using a system-wide filter file

Sites running versions of PMDF prior to PMDF V5.2 cannot apply a system-wide filter file, as this feature was not available prior to PMDF V5.2. Such sites will have to use the conversion channel strategy.

Sites running PMDF V5.2 or later can set up a system-wide mailbox filter which discards messages containing suspicious phrases. This can be used as a stop-gap until a virus scanner is installed or until the site has received updated virus detection libraries from its virus scanning software vendor.

See the chapter "Mail Filtering and Access Control" in the PMDF System Manager's Guide for complete documentation. Examples of using the mailbox filter web CGI may also be found in the PMDF User's Guide.

You should also ensure that your site is running with the most current libpmdf.so image (UNIX), PMDFSHR.EXE image (OpenVMS), or libpmdf.dll image (Windows NT). Again, see the fine print.

Generating the Filter File

  1. Create a system-wide mailbox filter via PMDF's Mailbox Filters Web page, located at the URL:

    http://host:7633/mailbox_filters/

    where host is the name of your PMDF system.

  2. Select the "Discard Phrases" menu item from the "Change my Discard Filters" menu.

  3. When challenged for a username and password, enter "@" for the username and supply the password for the PMDF account.

  4. In the New word or Phrase input field, enter the target phrase and click the Add button.

  5. Finally, click the Submit button to generate the filter file.

By default, messages discarded via a mailbox filter are immediately deleted from the system. To have messages discarded by a mailbox filter temporarily retained on the PMDF system for later deletion, first add a filter_discard channel to your PMDF configuration:

filter_discard notices 7
FILTER-DISCARD

with the notices channel keyword specifying the length of time (normally number of days) to retain the "discarded" messages before deleting them. Then set the option FILTER_DISCARD=2 in the PMDF option file. (The value 2 indicates that discarded messages should be sent to the filter_discard channel; the value 1, which is the default, indicates that discarded messages should be immediately deleted.)

Once this is in place, be sure to do the normal housekeeping tasks such as rebuilding your compiled configuration (if you have one) and restarting your dispatcher.

Cleanup

After you have reinforced your system so as to reject messages that contain viruses, there may still be some messages that were undelivered but which did not get checked.

If you are using the conversion channel strategy, and have updated your virus scanning software, you can simply move all those message files into the conversion queue area and resynchronize your PMDF queue cache database.

You could also elect to delete the files that are not yet delivered and that appear to be infected. If that is what you want to do, then:

Cleanup instructions for PMDF 6.0 users

You can use the new qclean utility:

$ pmdf qclean /subject=aaa/min_length=bbb/content=ccc/min_length=ddd/hold
(VMS)

or

# pmdf qclean -subject=aaa/min_length=bbb/content=ccc/min_length=ddd -hold
(Solaris/Unix/WinNT)

where:
'aaa' is the subject string
'bbb' is the length of the subject string
'ccc' is the content string
'ddd' is the length of the content string

The default is /hold (or -hold), but you could also use /delete (or -delete).


Cleanup instructions for versions prior to PMDF 6.0

For the files that are currently on your system, you could go into the on-disk queue area and manually delete the files that contain this virus. (You could even have a batch job or shell script search for the target string and delete the files.)
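
One way to script the search described above, as an added example rather than anything from PMDF or Process Software: it moves matching files to a holding directory instead of deleting them, in the spirit of qclean's hold default. The function names, the sample file names and the directory arguments are assumptions; pass the queue path for your own installation.

```shell
#!/bin/sh
# Added example (not PMDF code): hold queued message files containing a phrase.
# Paths are arguments; the real queue location depends on the installation.

# quarantine_matches QUEUE_DIR PHRASE QUARANTINE_DIR [apply]
# Default is a dry run that only lists matches; "apply" moves them.
# QUARANTINE_DIR must be outside QUEUE_DIR so moved files are not rescanned.
quarantine_matches() {
    queue_dir=${1%/}; phrase=$2; quarantine_dir=$3; mode=${4:-dry-run}
    [ -d "$queue_dir" ] || { echo "no such queue dir: $queue_dir" >&2; return 2; }
    # An empty pattern matches every line, which would sweep the whole queue.
    [ -n "$phrase" ] || { echo "refusing empty phrase" >&2; return 2; }
    find "$queue_dir" -type f | while IFS= read -r file; do
        # -F fixed string (no regex), -i ignore case, -q status only
        grep -F -i -q -e "$phrase" "$file" || continue
        rel=${file#"$queue_dir"/}
        if [ "$mode" = apply ]; then
            mkdir -p "$quarantine_dir/$(dirname "$rel")"
            mv "$file" "$quarantine_dir/$rel"
            echo "moved $rel"
        else
            echo "would move $rel"
        fi
    done
}

# Constructed sample queue: two channel directories, three message files.
make_sample_queue() {
    mkdir -p "$1/l" "$1/tcp_local"
    printf 'Subject: Example Target Phrase\n\nplease open the attachment\n' > "$1/l/ZZ01.00"
    printf 'Subject: meeting minutes\n\nagenda attached\n' > "$1/l/ZZ02.00"
    printf 'Subject: fwd\n\n> subject: example target phrase\n' > "$1/tcp_local/ZZ03.00"
}

# Demonstration on the constructed queue: dry run first, then apply.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_queue "$tmp/queue"
    quarantine_matches "$tmp/queue" "example target phrase" "$tmp/held"
    quarantine_matches "$tmp/queue" "example target phrase" "$tmp/held" apply
    rm -rf "$tmp"
}
demo
```

The match is a plain fixed-string search of each file as stored, so a phrase inside an encoded message part is not found. Because files leave the queue area, resynchronize the queue cache database afterward, as in the conversion channel cleanup above.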

The Fine Print

  • No patches are required for PMDF v6.1, v6.1-1, and v6.2. (PMDF v5.2 and v6.0 are no longer supported by Process Software.)

  • In PMDF V6.0 mailbox filtering applies to phrases in the Subject: header as well as the message body. Mailbox filter files may be created and modified via the web interface or manually. However, sites cannot switch between methods; they have to standardize on a single method for handling mailbox filter files.

  • In PMDF V5.2 mailbox filtering applies to phrases in the Subject: header only. Mailbox filter files can only be created and modified using the web interface.

Related PMDF patches


Patches Relevant to Virus Scanning and Mailbox Filtering on PMDF V6.0

Platform Availability (+ marks a listed platform, - an empty cell):

Title                          Component            Date Modified  OpenVMS     DEC UNIX  Solaris     NT            OS/2
                                                                   Alpha  VAX            SPARC  x86  Alpha  Intel
Conversion Channel             Conversion Channel   5-May-2000     +      +    +         +      +    -      +      -
PMDF Shared Library (UNIX/NT)  PMDF Shared Library  4-May-2000     -      -    +         +      +    -      +      -
PMDF Shared Library (OpenVMS)  PMDF Shared Library  4-May-2000     +      +    -         -      -    -      -      -

Patches Relevant to Virus Scanning and Mailbox Filtering on PMDF V5.2-33

Platform Availability (+ marks a listed platform, - an empty cell):

Title                          Component            Date Modified  OpenVMS     DEC UNIX  Solaris     NT            OS/2
                                                                   Alpha  VAX            SPARC  x86  Alpha  Intel
Conversion Channel             Conversion Channel   30-Mar-2000    +      +    +         +      +    -      -      -
PMDF Shared Library (OpenVMS)  PMDF Shared Library  28-Mar-2000    +      +    -         -      -    -      -      -
PMDF Shared Library (UNIX)     PMDF Shared Library  23-Mar-2000    -      -    +         +      +    -      -      -

Patches Relevant to Virus Scanning and Mailbox Filtering on PMDF V5.2-31

Platform Availability (+ marks a listed platform, - an empty cell):

Title                          Component            Date Modified  OpenVMS     DEC UNIX  Solaris     NT            OS/2
                                                                   Alpha  VAX            SPARC  x86  Alpha  Intel
Mailbox Filter CGI             Mailbox Filter CGI   8-Mar-1999     +      +    +         +      +    -      -      -
PMDF Shared Library (OpenVMS)  PMDF Shared Library  28-Mar-2000    +      +    -         -      -    -      -      -
PMDF Shared Library (UNIX)     PMDF Shared Library  23-Dec-1999    -      -    +         +      +    -      -      -

 
