VIRGE 3.04rc3 - README

Virge is a general-purpose attachment scanner. Virge can scan incoming
email messages to see if they are good or not. Good messages are
delivered. Bad messages are dropped, with alerts optionally being sent
to the sender and/or recipient of the mail messages.

Most users will want to use Virge to scan for viruses. To do this, Virge
takes incoming email, separates out each attachment, and scans each
attachment for known viruses using one (or more) of four anti-virus
systems:

- AVP Daemon ( http://www.avp.ch/ )
- Sophie ( http://www.vanja.com/tools/ ) <- requires the Sophos SAVI library
- Trophie ( http://www.vanja.com/tools/ ) <- requires the TrendMicro library
- Virge's own file-type checking system. (rejects .exe, .com, etc.)

Virge has two modes of operation:

- As a delivery filter. Instead of delivering to /bin/mail, you can
  have your email system deliver to Virge. Virge will then scan the
  email message and hand off the message to procmail for delivery.

- As an SMTP filter. In this mode, you can use Virge to scan all email
  reaching your system before it reaches your mail system. You can
  also use the SMTP filter for easy integration with Postfix.


Virge 3.0 is based on Virge 2.08, developed by TK. This version is by
Simson L. Garfinkel.

The Virge 2.08 source code was 4398 lines (127,670 characters) long,
exclusive of the rfc2045, rfc822 and libnum libraries.


HOW VIRGE WORKS (this is from the old V2.08 release - FIXME)

First of all, Virge replaces procmail. When new mail comes in, Sendmail
passes the contents of the mail to Virge. At that point, Virge
performs a set of checks:

* Checks if the mail has attachments. If it does not, Virge sends the
  mail to procmail for delivery.

* If the mail has attachments, Virge creates a temporary directory,
  unpacks the attachments there, and asks AVP/Sophie/Trophie to scan the
  temporary directory for viruses. Virge was created with two things in
  mind: performance and security. Because of performance issues, it was
  not feasible to use any 'command line scanners' such as the TrendMicro
  or McAfee ones.

  AVP/Sophie/Trophie then scan the attachments for viruses. If any
  viruses are found, the mail is immediately 'isolated' in a directory
  not (hopefully) accessible to anyone except administrators.

  If no viruses were found, Virge then performs the 'attachment' check
  and sees whether any of the attachments are not allowed to be sent to
  the end user. A configuration file is consulted for the list of
  extensions (or 'full' filenames) that should not be allowed in. If any
  such attachments are found, the tricky part comes: Virge will
  *hopefully* properly "rewrite" the whole email and strip the
  attachments that are not allowed. A small notice is attached at the
  end of the mail with the names of the stripped attachments. The mail
  is also 'isolated', in case the poor overworked sysadmin ever gets
  some free time to take a closer look.

  IMPORTANT: Please keep in mind that Virge will *NOT* rewrite & send
  mails when a virus has been found. I will *NOT* implement any such
  features, since it doesn't make any sense (I haven't seen a mail
  with a virus that actually had some 'valuable' content in it for many
  months - maybe even years).

* If AVP/Sophie/Trophie are not available (the daemon is down), Virge
  will still deliver mails and annoy admins through syslog messages.
  The attachment check is still performed.

* Users for whom no checks should be performed can also be configured.
  The location of this user list can be specified in the configuration
  file.

* Virge definitely tries not to let any lame script kiddies abuse it
  in any way. It tries to resist race conditions, buffer overflows, and
  similar neat tricks. No guarantees, of course, that there are no
  security problems in Virge.

* Virge tries to be as fast as possible and not waste CPU time or any
  other resources. It is still possible to make it perform even better,
  although I presume it would be in the 1-5% range. I will take some
  more time later and try to fix all the small performance problems.
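
An added example (not Virge's own code) of the 'attachment' check and
rewrite described above, written in Python with the standard email
library; the blocklist, the filenames and the sample message are all
constructed here, and nested multipart containers are pruned as well:

```python
# Added illustration, not Virge's code: the 'attachment check' and rewrite step.
import email
from email import policy
from email.message import EmailMessage, MIMEPart

# Constructed stand-in for Virge's config file: blocked extensions and 'full'
# filenames that must not reach the end user (matched case-insensitively).
BLOCKED_EXTENSIONS = {".exe", ".com", ".vbs", ".scr"}
BLOCKED_FILENAMES = {"anna.jpg.exe"}

def is_blocked(filename):
    name = (filename or "").lower()
    # endswith() also catches double extensions such as 'invoice.pdf.exe'
    return name in BLOCKED_FILENAMES or any(name.endswith(e) for e in BLOCKED_EXTENSIONS)

def _prune(part, stripped):
    """Recursively drop blocked attachments from a multipart container."""
    if not part.is_multipart():
        return
    survivors = []
    for sub in part.get_payload():
        fname = sub.get_filename()
        if fname and is_blocked(fname):
            stripped.append(fname)
        else:
            _prune(sub, stripped)  # nested multipart containers are checked too
            survivors.append(sub)
    part.set_payload(survivors)

def strip_blocked_attachments(raw):
    """Parse raw message bytes; return (rewritten message, names that were stripped)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stripped = []
    _prune(msg, stripped)
    if stripped:
        # Small notice at the end of the mail naming what was removed, as Virge does
        notice = MIMEPart()
        notice.set_content("Attachments removed by policy: " + ", ".join(stripped))
        msg.attach(notice)
    return msg, stripped

def attachment_names(msg):
    # Filenames still present in the message (used to verify the rewrite)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def build_sample():
    """Constructed message with one harmless and one blocked attachment."""
    m = EmailMessage()
    m.set_content("see attached")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment(b"MZ..", maintype="application", subtype="octet-stream", filename="Invoice.PDF.EXE")
    return m.as_bytes()
```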

And yes - Virge *is* fast. I made a complete 'Virge V1' in Perl some
time ago, but it was an absolute failure. Although I tried to use as
few modules as possible and make it as fast as possible... it was
crap. 2 minutes after I started a script that sends 3-5 mails per
second, I started wondering "Why the hell can't I log in to the
mailserver anymore?". Perl is nice, but it's not good for tools like
this. Not at all (except if you have low traffic on your mailserver).

And Virge still needs a *lot* of testing. I have tried to test Virge
with many different mail (MIME) formats and tried different tricks in
order to bypass its 'decoding techniques' (in order to send a virus or
.exe to users), but it handles things pretty well. There are cases,
though, where it is possible to trick librfc2045 and send attachments
that don't get 'caught', but those attachments violate the RFCs
anyway. If your mail client is so stupid as to decode invalid/malformed
attachments/mails, you deserved it. Don't use stupid mail clients
then. I'm not going to start adding all those crappy features into
Virge that would let someone detect all possible tricks which can be
used. Use good mail clients; don't rely on Virge to save you.

Refer to the 'INSTALL' file for installation instructions.
