5 Replies Latest reply on Sep 28, 2006 9:23 AM by acoliver

JBCS & ClamAV Antivirus

sappenin Sep 14, 2006 11:33 AM

All,

I've written some code that integrates ClamAV with JBCS to provide server-side antivirus protection, and thought I'd share it with the community. I'm putting together a page detailing how to install everything -- I'll post that shortly as well as the code I've written.

BACKGROUND
There are 3 components to JBCS Antivirus.

First is ClamAV, a server-based, opensource antivirus project, which can be downloaded from their site, and will need to be installed.

Second and third are 2 JBCS MBeans (and a small tidbit of config XML to integrate this into JBCS). The first is the ClamAV service MBean, which provides functionality that bridges JBCS/Java to the ClamAV daemon (running either locally or on a remote machine).

The second MBean is a JBCS Maillistener that can be plugged into any of the JBCS mailListenerChains.

Unfortunately, ClamAV is not Java, and it provides only 2 facilities to scan for viruses: 1.) Scan a file; 2.) Scan a binary STREAM over a socket.

PRESENT CONSIDERATIONS
My implementation uses the latter via a network stream. In my testing I have gotten everything working, although I am forced to scan a whole message at a time. So, for example, if a given message has 3 message bodies, but only one is infected, the code will basically just report back that a virus was found (it doesn't specify in which message body).

There is another set of functionality that I have implemented which allows ClamAV to check a single message body at a time, such that in the example above, a message with 3 bodies, and only 1 infected, would report back which MessageBody ids are infected. That way, the ClamAVMailListener code could lose the infected body but retain the UN-infected bodies. Unfortunately (again), in my testing of this, ClamAV does not detect a sample virus in this scenario. I beleive this because ClamAV is designed to be able to scan an entire message, not individual message components. Thus, if a Base64 encoded "attachment" is sent to clamAV without the rest of the contextual information found in a MIME message, ClamAV does not know to "inspect" the Base64 data, and thus a virus signature is not detected.

Once JBCS has better MIME message support (Andy alluded to forking the MIME4j code) I should be able to get a MimeBody part, decode the base64 attachment (if it exists), and send that to ClamAV. Thus, in version 2 of this plugin, we should be able to deal with infected message bodies individually.

MOVING FORWARD
For the moment, I would appreciate some information from the community as to how this should function:

1.) If a message has a single infection, but 1 or more uninfected message bodies, what should happen to the message?

2.) If a message has a single attachment that is infected, what should happen to the message? Should it bounce? Should it be "cleansed" (i.e., reset the subject, remove the infected body, and add a note in the message body saying that it was cleaned), or some other functionality?

Thanks!

David

1. Re: JBCS & ClamAV Antivirus

gohip Sep 15, 2006 12:21 AM (in response to sappenin)

very nice sappenin!

1. I think it would be a nice feature, that if a message had more than one body and a certain body was infected, you didnt just junk the whole email. And I think exchange follows along this route, at least to an extent, as it will block attachments, but not the body, or maybe it doesnt, as I have (knock on wood 3 times) never gotten avirus in the/an email.

It does have the capibility of blocking certain types of attachments $feature$, as it annoyingly does to me.

2. as with the above, you would probaly want some configurable interface (jboss-service.xml), that would allow an admin to configure, as with any virus scanner, it could be configured to do or attempt, any of what you described, I like your idea of cleansing and rewriting, that way, if you got a chain of emails bodies, within a single message, you could just rewrite the "cleansed" portion, notifying the end user

Guess you/I could just go on and on...

anyways, again, good job!
Actions
2. Re: JBCS & ClamAV Antivirus

sappenin Sep 22, 2006 7:14 PM (in response to sappenin)

Hey All,

I finally got aroud to documenting what I did to integrate ClamAV into JBCS. The write-up is here: http://www.sappenin.com/softwareblog/index.php/jboss-tutorials/using-clamav-with-jboss-collaboration-server-jbcs-15_pre1/

You can download the code I wrote from that page, but please note several issues with my implementation.

1.) My code requires the JBCS version that implements multiple MessageBody's for each message (I think this is 1.0 M5_Pre1, but I'm not sure as I've been running on the HEAD for some time now).

2.) If a virus is detected by ClamAV, then ALL message bodies are removed at present. There is functionality to configure the MailListener to only strip out infected bodies, but it won't work well until JBCS has better MIME support (any eta on that Andy?). See my write-up for more info on how to configure that.

Good luck, and I'd appreciate any feedback, source changes, etc. If somebody has commit access to JBCS and feels that these would be a good addition, then by all means feel free to add this source into the JBCS CVS.

David
Actions
3. Re: JBCS & ClamAV Antivirus

acoliver Sep 25, 2006 8:54 AM (in response to sappenin)

Hi David,

I'm very pleased! I'll be contacting you in more detail about integrating this when I'm back in the country (am in Germany ATM). In the meantime, can you also take a look at JASON as well? I started to but got tripped up in a few places. I'm nearly done with all the mime stuff.

-Andy
Actions
4. Re: JBCS & ClamAV Antivirus

gohip Sep 26, 2006 10:32 PM (in response to sappenin)

Too funny, I saw the JASON, and was like, what, what did I do, whose got to take a look at me? Then remembered what it was...slightly.
Actions
5. Re: JBCS & ClamAV Antivirus

acoliver Sep 28, 2006 9:23 AM (in response to sappenin)

Yes....depending on how you read that....it could have been very.....wrong.
Actions

Go to original post