                                           4                                    vFastScan Sweeper      %                           Version 3.1   E                           vFastScan is a facility to provide a highly ?                           performant interface between the PMDF H                           Conversion channel and the Sophos VSWEEP virusC                           detection engine on the OpenVMS platform.                                                           8                           Tom Wade t.wade@vms.eurokom.ie                                                                                     *                   ________________________                   2006-03-06G                This software is provided under license from EuroKom. No F                unauthorized use, copying or distribution is permitted.                     EuroKom Ltd ,                   A2, Nutgrove Business Park                   Rathfarnham                    Dublin 14                    Ireland &                   Tel: +353-1-296-9696&                   Fax: +353-1-296-9697,                   Mail: help.desk@eurokom.ie%                   Web: www.eurokom.ie   3                   OpenVMS is a trademark of HP Inc.   F                   PMDF is a trademark of Process Software Corporation.  6                   VSWEEP is a trademark of Sophos PLC.                     __________-                   Copyright 2006 EuroKom Ltd                        U                    __________________________________________________________________                       Contents   U                    __________________________________________________________________ U                    CHAPTER 1  INTRODUCTION                                        1-1   U                          ____________________________________________________________ U                          1.1   WHAT IS VFASTSCAN ?                                
1-1   U                          ____________________________________________________________ U                          1.2   SUPPORTED PLATFORMS                                1-1   U                          ____________________________________________________________ U                          1.3   PERFORMANCE                                        1-1   U                          ____________________________________________________________ U                          1.4   ARCHITECTURE                                       1-1   U                          ____________________________________________________________ U                          1.5   SYMBIONT                                           1-2   U                          ____________________________________________________________ U                          1.6   CONVERSION SCRIPT                                  1-2   U                          ____________________________________________________________ U                          1.7   DEDICATED VIRUS SCANNING CHANNEL                   1-2   U                          ____________________________________________________________ U                          1.8   COMPATIBILITY WITH VSWEEP COMMAND                  1-2   U                          ____________________________________________________________ U                          1.9   REASONS TO USE THE CONVERSION CHANNEL              1-3   U                                1.9.1 Advantages of the Conversion Channel  ___    1-3   D                                1.9.2 Disadvantages of the ConversionU                                      Channel  ________________________________    1-3   E                                1.9.3 Advantages of the Virus Scanning U                                      Channel  ________________________________    1-3   H                                1.9.4 Disadvantages of the Virus ScanningU                                      Channel  ________________________________    
1-4   U                          ____________________________________________________________ U                          1.10  COMBINING BOTH APPROACHES                          1-4   U                          ____________________________________________________________ U                          1.11  VFASTSCAN LITE                                     1-4   U                                1.11.1vFastScan Lite Support  _________________    1-5     U                                                                                   iii                          Contents           Q                __________________________________________________________________ Q                CHAPTER 2  INSTALLATION                                        2-1   Q                      ____________________________________________________________ Q                      2.1   INSTALLATION PROCEDURE                             2-1   Q                            2.1.1 Unpacking the ZIP Archive  ______________    2-1   Q                      ____________________________________________________________ Q                      2.2   LICENSE                                            2-2   Q                            2.2.1 Release Based Licenses  _________________    2-3   Q                            2.2.2 Date Based Licenses  ____________________    2-3   Q                            2.2.3 Loading the License  ____________________    2-3   Q                            2.2.4 Displaying the Current License  _________    2-3   Q                            2.2.5 Finding the Current Release Date  _______    2-3   Q                      ____________________________________________________________ Q                      2.3   MULTI PLATFORM SUPPORT                             2-4   Q                      ____________________________________________________________ Q                      2.4   PERFORMING AN UPGRADE                              2-4   Q                      
____________________________________________________________ Q                      2.5   DIRECTORY STRUCTURE                                2-4   Q                      ____________________________________________________________ Q                      2.6   SAMPLE VMSINSTAL SESSION                           2-5   Q                __________________________________________________________________ Q                CHAPTER 3  CONFIGURING VFASTSCAN                               3-1   Q                      ____________________________________________________________ Q                      3.1   LOCATION OF FILES                                  3-1   Q                            3.1.1 Sophos Logical Names  ___________________    3-1   Q                            3.1.2 Relocating Sophos Files  ________________    3-2 G                                  3.1.2.1 The Shareable Image file o 3-2   Q                      ____________________________________________________________ Q                      3.2   STARTING VFASTSCAN                                 3-2   Q                      ____________________________________________________________ Q                      3.3   THE LOGICAL NAME TABLE                             3-3   E                            3.3.1 Moving from Single System to Cluster Q                                  tables  _________________________________    3-4   Q                      ____________________________________________________________ Q                      3.4   DEFINING THE VFASTSCAN QUEUE                       3-4   Q                            3.4.1 Defining a single server queue  _________    3-4                   iv          Q                                                                          Contents           Q                            3.4.2 Defining more than one queue  ___________    3-4   Q                      ____________________________________________________________ Q                      3.5   STARTING THE 
SYMBIONT.                             3-5   Q                      ____________________________________________________________ Q                      3.6   THE SCAN COMMAND                                   3-5   Q                      ____________________________________________________________ Q                      3.7   RETURN CODES AND VIRUS NAME                        3-6   Q                      ____________________________________________________________ Q                      3.8   TESTING THE SCANNING                               3-6     Q                __________________________________________________________________ Q                CHAPTER 4  VFASTSCAN OPTIONS                                   4-1   Q                      ____________________________________________________________ Q                      4.1   OPTION FILES                                       4-1   Q                            4.1.1 Main Option File  _______________________    4-1   Q                            4.1.2 Queue Specific Option File  _____________    4-1   Q                      ____________________________________________________________ Q                      4.2   SPECIFYING OPTIONS                                 4-1   Q                      ____________________________________________________________ Q                      4.3   AUTO IDE DETECTION                                 4-2   Q                            4.3.1 Performance Impact  _____________________    4-2   Q                      ____________________________________________________________ Q                      4.4   VIRUS STATISTICS                                   4-2   Q                            4.4.1 Performance Impact  _____________________    4-3   Q                      ____________________________________________________________ Q                      4.5   LICENSE EXPIRATION ACTION                          4-3   Q                            4.5.1 Performance Impact  _____________________    
4-3   Q                      ____________________________________________________________ Q                      4.6   SAVI FAILURE RECOVERY                              4-4   Q                            4.6.1 Performance Impact  _____________________    4-4   Q                      ____________________________________________________________ Q                      4.7   SAVI OPTIONS                                       4-5   Q                            4.7.1 SAVI Groups  ____________________________    4-5   Q                            4.7.2 Specifying SAVI options  ________________    4-5   Q                      ____________________________________________________________ Q                      4.8   SUPPORTED SAVI GROUPS                              4-5   Q                                                                                 v                          Contents           Q                      ____________________________________________________________ Q                      4.9   PAGE FILE QUOTA                                    4-7   Q                      ____________________________________________________________ Q                      4.10  CLUSTER CONSIDERATIONS                             4-7   Q                            4.10.1Licensing  ______________________________    4-7   Q                            4.10.2Logical Name Table  _____________________    4-8   Q                            4.10.3Statistics  _____________________________    4-8   Q                            4.10.4Load Balancing  _________________________    4-8   Q                __________________________________________________________________ D                CHAPTER 5  INTEGRATING VFASTSCAN INTO YOUR CONVERSIONQ                           SCRIPT                                              5-1   Q                      ____________________________________________________________ Q                      5.1   CONVERSION SCRIPT                                  
5-1   Q                      ____________________________________________________________ Q                      5.2   TESTING A SINGLE CHANNEL FIRST                     5-1   Q                      ____________________________________________________________ Q                      5.3   CHANGES TO THE CONVERSION SCRIPT                   5-1   Q                            5.3.1 Failsafe Mode  __________________________    5-2   Q                      ____________________________________________________________ Q                      5.4   PERFORMANCE ISSUES                                 5-2   Q                      ____________________________________________________________ Q                      5.5   CONCURRENCY                                        5-3   Q                            5.5.1 ZIP and TNEF attachments  _______________    5-3   Q                      ____________________________________________________________ Q                      5.6   UPGRADING VSWEEP                                   5-3   Q                            5.6.1 After Upgrading VSWEEP  _________________    5-3   Q                __________________________________________________________________ Q                CHAPTER 6  THE VIRUS SCANNING CHANNEL                          6-1   Q                      ____________________________________________________________ Q                      6.1   USING THE SCAN CHANNEL FOR CONTENT FILTERING       6-1   Q                      ____________________________________________________________ Q                      6.2   IMPLEMENTATION                                     6-1   Q                      ____________________________________________________________ Q                      6.3   DEFINING THE CHANNEL                               6-1                   vi          Q                                                                          Contents           Q                      
____________________________________________________________ Q                      6.4   ACTIVATING THE CHANNEL                             6-2   Q                      ____________________________________________________________ Q                      6.5   SETTING THE VFASTSCAN QUEUE                        6-2   Q                      ____________________________________________________________ Q                      6.6   SCAN QUEUE ACTION                                  6-3   Q                      ____________________________________________________________ Q                      6.7   SCANNING FOR EMBEDDED MIME BLOBS                   6-3   Q                      ____________________________________________________________ Q                      6.8   VIRUS ACTIONS                                      6-4   Q                      ____________________________________________________________ Q                      6.9   SAMPLE MAPPING                                     6-5   Q                      ____________________________________________________________ Q                      6.10  VIRUS REFERENCE NUMBER                             6-5   Q                            6.10.1Node Identifier  ________________________    6-6   Q                      ____________________________________________________________ Q                      6.11  REPLACING FILES                                    6-6   Q                      ____________________________________________________________ Q                      6.12  USING THE CHANNEL FOR CONTENT FILTERING            6-6   Q                            6.12.1Forcing Virus Scanning  _________________    6-8   Q                      ____________________________________________________________ Q                      6.13  LOGGING                                            6-8   Q                            6.13.1Sample Log Records  _____________________    6-9   Q                      
____________________________________________________________ Q                      6.14  ARCHIVING BODYPARTS                                6-9   Q                            6.14.1Directory Locations  ____________________    6-9   Q                            6.14.2File Names  _____________________________   6-10   Q                      ____________________________________________________________ Q                      6.15  CHANNEL OPTIONS                                   6-10   Q                            6.15.1ARCHIVE_FLAGS  __________________________   6-10   Q                            6.15.2BLOB  ___________________________________   6-11   Q                            6.15.3LOG_FILE  _______________________________   6-11   Q                            6.15.4QUEUE  __________________________________   6-11   Q                            6.15.5HEADER_SCANNED  _________________________   6-11   Q                            6.15.6HEADER_INFECTED  ________________________   6-11   Q                            6.15.7HEADER_FILTERED  ________________________   6-12   Q                            6.15.8MIME_TABLE  _____________________________   6-12   Q                                                                               vii                          Contents           Q                            6.15.9REPLACE_TABLE  __________________________   6-12   Q                            6.15.1FILTER_ARCHIVE  _________________________   6-12   Q                            6.15.1VIRUS_ARCHIVE  __________________________   6-12   Q                            6.15.1SUBJECT  ________________________________   6-12   Q                __________________________________________________________________ Q                CHAPTER 7  THE VFASTSCAN API                                   7-1   Q                      ____________________________________________________________ Q                      7.1   DESCRIPTION                                        7-1   Q      
                ____________________________________________________________ Q                      7.2   SCAN A FILE FOR VIRUSES                            7-1   Q                      ____________________________________________________________ Q                      7.3   OBTAINING SCANNING STATISTICS                      7-1   Q                      ____________________________________________________________ Q                      7.4   LINKING PROGRAMS                                   7-2   Q                      ____________________________________________________________ Q                      7.5   RETURN CODES AND CONSTANTS                         7-2   Q                            7.5.1 Special Considerations for C  ___________    7-2   Q                            7.5.2 Special Considerations for Macro32  _____    7-2   Q                      ____________________________________________________________ Q                      7.6   PRIVILEGES REQUIRED                                7-2   Q                      ____________________________________________________________ Q                      7.7   VFASTSCAN_SCAN_FILE                                7-3   Q                            7.7.1 Calling Sequence  _______________________    7-3   Q                            7.7.2 Arguments  ______________________________    7-3 3                                  7.7.2.1 file o 7-3 4                                  7.7.2.2 queue o 7-35                                  7.7.2.3 unused o 7-3 4                                  7.7.2.4 virus o 7-35                                  7.7.2.5 length o 7-4   Q                            7.7.3 Description  ____________________________    7-4   Q                            7.7.4 Return Values  __________________________    7-4   Q                      ____________________________________________________________ Q                      7.8   VFASTSCAN_GET_STATS                                7-4   Q                          
  7.8.1 Calling Sequence  _______________________    7-4                   viii          Q                                                                          Contents           Q                            7.8.2 Arguments  ______________________________    7-5 6                                  7.8.2.1 context o 7-55                                  7.8.2.2 unused o 7-5 4                                  7.8.2.3 queue o 7-55                                  7.8.2.4 length o 7-5 6                                  7.8.2.5 scanned o 7-57                                  7.8.2.6 infected o 7-5 5                                  7.8.2.7 failed o 7-5   Q                            7.8.3 Description  ____________________________    7-5   Q                            7.8.4 Return Values  __________________________    7-6   Q                __________________________________________________________________ Q                CHAPTER 8  MESSAGE CODES                                       8-1   Q                      ____________________________________________________________ Q                      8.1   INDIVIDUAL ERROR CODES                             8-1   Q                            8.1.1 BADIDE  _________________________________    8-1   Q                            8.1.2 BADNUM  _________________________________    8-1   Q                            8.1.3 BADOPT  _________________________________    8-2   Q                            8.1.4 BADRESFAIL  _____________________________    8-2   Q                            8.1.5 BADSAVI  ________________________________    8-2   Q                            8.1.6 COUNTED  ________________________________    8-3   Q                            8.1.7 IDECOUNT  _______________________________    8-3   Q                            8.1.8 IDENT  __________________________________    8-3   Q                            8.1.9 INITFAIL  _______________________________    8-3   Q                            8.1.10INVOPTVAL  
______________________________    8-4   Q                            8.1.11JBCERR  _________________________________    8-4   Q                            8.1.12LICENSE  ________________________________    8-4   Q                            8.1.13LITE  ___________________________________    8-4   Q                            8.1.14LOADDEF  ________________________________    8-5   Q                            8.1.15LOADOPT  ________________________________    8-5   Q                            8.1.16NEWIDE  _________________________________    8-5   Q                            8.1.17NOPAK  __________________________________    8-5   Q                            8.1.18NOPMDF  _________________________________    8-6   Q                            8.1.19OPTERRS  ________________________________    8-6   Q                            8.1.20PARSEFAIL  ______________________________    8-6   Q                            8.1.21QUESTART  _______________________________    8-7   Q                            8.1.22QUESTOP  ________________________________    8-7   Q                            8.1.23RANGERR  ________________________________    8-7   Q                            8.1.24RELOAD  _________________________________    8-7   Q                            8.1.25RESFAIL  ________________________________    8-7   Q                            8.1.26RESREFAIL  ______________________________    8-8   Q                            8.1.27RESTART  ________________________________    8-8   Q                            8.1.28SAVIDAT  ________________________________    8-8   Q                                                                                ix                          Contents           Q                            8.1.29SAVIDIS  ________________________________    8-8   Q                            8.1.30SAVIENA  ________________________________    8-9   Q                            8.1.31SAVITERM  _______________________________    8-9   Q                     
            8.1.32 SAVIVER  ________________________________    8-9
            8.1.33 SAVOPTERR  ______________________________    8-9
            8.1.34 STATFAIL  _______________________________   8-10
            8.1.35 SYMBEXIT  _______________________________   8-10
            8.1.36 TOOMANYSAVI  ____________________________   8-10
            8.1.37 WRONGPMDF  ______________________________   8-11
__________________________________________________________________
APPENDIX A  SETTING UP A HOLD CHANNEL                          A-1
      ____________________________________________________________
      A.1   HOLD CHANNEL                                       A-1
            A.1.1 Turning on Virus Scanning for p_hold  ___    A-1
      ____________________________________________________________
      A.2   TESTING VIRUS SWEEPING ON THIS CHANNEL             A-2

x

__________________________________________________________________

1       Introduction

__________________________________________________________________

1.1     What is vFastScan ?

vFastScan is a facility to boost the performance of Sophos VSWEEP on the OpenVMS platform. 
It is primarily intended for systems using the PMDF mailer, utilizing the facilities of VSWEEP via the Conversion channel, or a dedicated virus scanning channel.

__________________________________________________________________

1.2     Supported Platforms

OpenVMS Alpha 7.2-1 to 7.3-2, OpenVMS VAX 7.2, OpenVMS IA64 8.3.

__________________________________________________________________

1.3     Performance

The performance gain provided by vFastScan is considerable. Early tests showed an eightfold increase in scanning speed over the DCL VSWEEP command, and boosts of up to 14-fold have been reported. Even higher performance can be achieved by replacing the conversion channel with the dedicated virus scanning channel introduced in V3.0.

__________________________________________________________________

1.4     Architecture

The vFastScan code consists of the following components:

   SAVISMB.EXE                 Server symbiont to perform the virus scanning.

   SCAN.EXE                    Front end program to enqueue files to the symbiont for scanning.

   KOM_SCAN_MASTER.EXE         Virus scanning channel.

   SYMBDEF.COM                 DCL definition of the SCAN command, and its return codes.

   FASTSCAN_STARTUP.COM        Startup command file.

   SETUP-QUEUES.TEMPLATE       Template file for Queue Definitions.

   *.OBJ                       Object files.

   LINK.COM                    
Command file to link the EXE files from the *.OBJ files.

   EICAR.DAT                   EICAR test pseudo-virus (a harmless file used to test that scanning works).

   LOAD-IDE-VERSION.COM        Set logical for date of latest IDE.

   FASTSCAN_DEFS.*             Definition files for use of API.

1-1

Introduction

   FASTSCAN.PS                 Documentation in PostScript

   FASTSCAN.TXT                Documentation in Plain Text

   FASTSCAN*.HTML              Documentation in HTML

__________________________________________________________________

1.5     Symbiont

The vFastScan engine is implemented as a server symbiont. This means that the initialization phase of VSWEEP (i.e. the loading of the virus definitions and auxiliary IDE files) is performed once, when the server queue is started. Files that are queued to the server queue are scanned using the in-memory data structures set up by the initialization phase. Since the definitions are loaded only at that point, see section 4.3 (Auto IDE Detection) regarding IDE files that arrive while the queue is running. You can initialize and start as many symbionts as you need (using a generic queue to feed them).

__________________________________________________________________

1.6     Conversion Script

You can still use the PMDF conversion channel to extract MIME bodyparts and present them to VSWEEP for scanning. In place of the VSWEEP command, the SCAN program is provided so that the vFastScan symbiont does the actual sweeping. The SCAN program provides the calling DCL script with a return status code indicating whether a virus was found or not. 
If a virus was found, the name of that virus is also returned. Thus the modifications required to the conversion script are minimal.

__________________________________________________________________

1.7     Dedicated Virus Scanning Channel

Starting with V3.0, you have the option of using either the conversion channel, or the virus scanning channel supplied with vFastScan. The virus scanning channel decomposes messages into constituent bodyparts, and scans each one for viruses. If no virus is found, the original message is passed through; otherwise the message is rebuilt with the infected parts replaced by warning messages (or, if required, the entire message is discarded).

__________________________________________________________________

1.8     Compatibility with VSWEEP Command

The vFastScan engine and the VSWEEP DCL command can both be used on the same system at the same time.

1-2

Introduction

__________________________________________________________________

1.9     Reasons to use the Conversion Channel

The decision whether to use a conversion script or a dedicated channel depends on a number of factors which are outlined below. If you are already using a conversion channel, it is recommended that you start by using vFastScan this way, as the changes you need to make are minimal, and the performance boost is very significant. 
If you find you need further performance gains, you can then turn to the scanning channel after you have familiarized yourself with vFastScan.

___________________________

1.9.1   Advantages of the Conversion Channel

   o  The biggest performance boost is obtained by switching from a VSWEEP command to a SCAN command. Thus you get most of the performance gain for very modest modifications to your script.

   o  No change to PMDF configuration files or mapping files is required.

   o  If your conversion script is doing more than just virus sweeping, you do not lose this functionality - your script continues to do everything else the same way. Only the VSWEEP command is changed.

___________________________

1.9.2   Disadvantages of the Conversion Channel

   o  You still incur the overhead of process creation, as the conversion channel must create subprocesses within which to run the DCL script.

   o  You still have to maintain what may be a complicated DCL procedure.

___________________________

1.9.3   Advantages of the Virus Scanning Channel

   o  Even more efficient, giving you greater performance gains.

   o  No DCL to maintain.

   o  Ability to scan a bodypart for embedded MIME encoded 'Blobs' that the conversion channel won't catch.

   o  The virus scanning channel can also remove unwanted attachment types based on rules in mapping tables.

   o  The virus scanning channel can do some things that are
               not possible within a conversion script context. The virus Q                      scanning channel offers the option of adding to or modifying J                      outer headers. For example, it can modify the messageM                      subject header to indicate that a virus was detected and L                      removed. A conversion script cannot do this because theM                      conversion channel will not allow it to modify the outer                       headers.   Q                                                                               1-3                          Introduction         *                ___________________________  :        1.9.4   Disadvantages of the Virus Scanning Channel  O                   o  Requires more initial configuration. You will need to make K                      changes to the PMDF_CONFIG_FILE and PMDF_MAPPING_FILE.   L                   o  The virus scanning channel is not customizable. It onlyM                      does virus scanning and removal of certain file types. A >                      conversion script is much more versatile.  Q                __________________________________________________________________   (        1.10    Combining both approaches  K                It is possible to use both a conversion script and the virus J                channel on the same machine. For example, you might want toK                use a conversion script for inbound mail, as this allows you K                to do additional processing of such mail (e.g. scan for spam L                or offensive text). On the other hand, for outbound mail, youP                might just want to virus scan it. 
By using suitable mapping tableQ                rules, you can direct incoming mail via the conversion channel and <                outgoing mail via the virus scanning channel.I                            ____________________ Note ____________________   A                            Although possible, it doesn't make any E                            sense to direct the same mail through both D                            channels. If conversion script processingG                            is required, it is more efficient to perform H                            virus scanning within the script than to passC                            the message through yet another channel.   Q                __________________________________________________________________           1.11    vFastScan Lite   Q                vFastScan Lite offers a subset of the full vFastScan functionality J                to any licensed PMDF machine without the need to purchase aL                separate vFastScan license. The following are the limitations!                of vFastScan Lite: N                   o  The Dedicated Virus Scanning Channel is not included. YouO                      can not run this channel without a full vFastScan license. O                      This limits you to using PMDF's native conversion channel.   L                   o  You are limited to one symbiont queue within a cluster.  P                The performance of vFastScan Lite is the same as a fully licensedQ                system that is configured to use only one symbiont queue, and does Q                not use the dedicated virus scanning channel. 
Note that this still P                provides a significant performance boost over the VSWEEP command,N                and will probably suffice for many small to middle sized sites.Q                vFastScan Lite mode is automatically selected if a valid vFastScan M                license is not loaded, but a valid PMDF or PMDF-MTA license is N                present. If you attempt to start a second queue on the cluster,P                it will exit with an SS$_NOLICENSE condition. The dedicated virusN                scanning channel will also terminate with the same code. If youP                wish to gain extra performance through additional symbiont queuesP                or the dedicated channel, you should obtain an evaluation license                 PAK from EuroKom.                  1-4         Q                                                                      Introduction         *                ___________________________  %        1.11.1  vFastScan Lite Support   M                No formal support is provided with vFastScan Lite. Help can be M                obtained by using the PMDF forum. Support is provided with the E                full vFastScan, or with temporary evaluation licenses.                                                                                               Q                                                                               1-5                      Q                __________________________________________________________________           2       Installation         Q                __________________________________________________________________   %        2.1     Installation Procedure   O                The installation of vFastScan uses the VMSINSTAL facility, which N                requires a suitably privileged account (preferably SYSTEM). TheK                installation procedure will create a directory and place the L                required files in it. 
The provided startup file will define aL                system logical FASTSCAN_DIR to point at this directory. ImageK                files are placed in a subdirectory of this directory (either L                [.VAX_EXE] or [.ALPHA_EXE]) and the logical FASTSCAN_EXE willK                be set to point at the appropriate subdirectory. The logical J                FASTSCAN_LOG will by default point at the same directory asH                FASTSCAN_DIR, and is where the log files will be written.  I                            ____________________ Note ____________________   E                            The installation procedure does not affect E                            existing PMDF conversion scripts, nor does F                            it interfere with the use of VSWEEP via theG                            DCL command. You can install vFastScan while E                            traditional virus scanning is in progress. C                            It is possible to run both vFastScan and H                            traditional VSWEEP simultaneously, but due toF                            some restrictions on file locations imposedH                            by OpenVMS and older versions of Sophos, someH                            relocation of the VSWEEP images or data filesC                            may be required if you are not currently F                            using the VSWEEP_MAIN_VDATA_DIR and VSWEEP_1                            AUX_DIR logical names.   *                ___________________________  (        2.1.1   Unpacking the ZIP Archive  J                   vFastScan is normally distributed in a ZIP archive (e.g.O                   FASTSCAN030.ZIP). Such an archive must be unzipped before the N                   resultant saveset file (e.g. FASTSCAN030.A) can be installedL                   using the VMSINSTAL procedure. 
If you have a ZIP file, you should unzip it as follows:

                                                                               2-1

                Installation

                   $ UNZIP :== $ddcu:[dir]UNZIP.EXE
                   $ UNZIP FASTSCAN030

                  where ddcu:[dir] is the location of the UNZIP.EXE image. If you
                  don't have a copy of UNZIP, you can get one from the anonymous
                  FTP server picard.eurokom.ie. Anonymous FTP gives no assurance
                  of a file's origin or integrity, so prefer a copy of UNZIP from
                  a source you already trust.

                           ____________________ Note ____________________

                           It is important that the ZIP file be unzipped
                           on the OpenVMS machine. If you attempt to
                           unzip it on another platform (e.g. Windows PC),
                           then the file structure of the saveset will
                           be lost, and VMSINSTAL will not be able to
                           install the kit.

                __________________________________________________________________

        2.2     License

                The use of vFastScan requires a license key. Unlike prior
                versions, this version of vFastScan uses the OpenVMS LMF (License
                Management Facility) to manage license keys. If you are upgrading
                from an earlier version of vFastScan you must ensure you obtain an
                LMF key before you perform the upgrade.
If you have not received Q                one, contact EuroKom (see the page immediately following the title ,                page) or your local reseller.  I                            ____________________ Note ____________________   H                            The vFastScan license mechanism does not makeE                            use of any unique machine characteristics, A                            such as CPU serial numbers or ethernet A                            addresses. It also does not attempt to D                            communicate in any way over your network.F                            Note that earlier version LICENSE.TXT files/                            will no longer work.   Q                   There are two types of license, Release Based licenses and Date !                   Based licenses.                                       2-2         Q                                                                      Installation         *                ___________________________  %        2.2.1   Release Based Licenses   J                   A Release Based License entitles you to run a particularO                   release of vFastScan indefinitely. These keys have a "Release N                   Date" field, which refers to the release date built into theO                   software. As long as you don't try to upgrade the software to O                   a release date that is later than the license date, vFastScan P                   will continue to run after this date has passed (PMDF standard-                   licenses are of this type).   *                ___________________________  "        2.2.2   Date Based LicensesK                   A Date Based License will allow you to run any version of N                   vFastScan until the Date field specified on the license key.N                   These keys have a "Termination Date" field. After this date,O                   vFastScan will cease to operate. 
Evaluation licenses for many
                  products (including vFastScan and PMDF) are of this type.

                ___________________________

        2.2.3   Loading the License

                  The license is loaded using the command procedure
                  SYS$UPDATE:VMSLICENSE.COM. This procedure will prompt for
                  the various fields. Once this has completed, check that it
                  is loaded using a SHOW LICENSE VFASTSCAN command. Note that
                  vFastScan license PAKs will load on either VAX or Alpha
                  machines.

                ___________________________

        2.2.4   Displaying the Current License

                  Use the SHOW LICENSE VFASTSCAN command to verify that the
                  license has been loaded. When the symbiont starts, it will
                  display the name of the licensed organization in the queue
                  description. To see this, use the command

                   $ SHOW QUEUE queue_name

                  where queue_name is one of the server queues. If
                  the license has expired, the queue will not start, and an error
                  message will be written to the log file.

                ___________________________

        2.2.5   Finding the Current Release Date

                  To verify the current release date of the symbiont, issue the
                  ANALYZE/IMAGE command as follows:

                                                                               2-3

                Installation

                   $ ANALYZE /IMAGE SYS$SYSTEM:SAVISMB.EXE /SELECT=IDENT
                   SYS$COMMON:[SYSEXE]SAVISMB.EXE;48
                   "V3.1 20080604"

                This indicates Version 3.1 dated 2008-06-04 (04-JUN-2008).
MakeE                sure your PAK has a release date no earlier than this.   Q                __________________________________________________________________   %        2.3     Multi Platform Support   M                The installation procedure will install image (.EXE) files for K                the current architecture, and if selected also for the other K                (VAX/Alpha/IA64) architecture. When the FASTSCAN_STARTUP.COM P                file is invoked after the installation, it will copy the symbiontM                image to SYS$SYSTEM, unless there is one there already that is N                of the same or later creation time. Thus if you want to supportP                a mixed architecture cluster, it is only necessary to install theN                software once. The first time it is started on the other nodes,O                a copy to SYS$SYSTEM will be performed, obviating the need for a <                postinstallation step on other cluster nodes.  Q                __________________________________________________________________   $        2.4     Performing an Upgrade  O                If the installation procedure detects that the logical FASTSCAN_ Q                DIR has been defined, it will perform an upgrade. It will load the Q                new files into the directory indicated by this logical, and rename L                any prior *.EXE files to *.EXE_OLD. It will replace FASTSCAN_L                STARTUP.COM but will not alter SETUP-QUEUES.COM if it exists.  Q                __________________________________________________________________   "        2.5     Directory Structure  P                The installation procedure will prompt you for a target directoryH                (if you are upgrading vFastScan, it will use the existingJ                directory) and will create this and two subdirectories. 
The"                subdirectories are:  7                   [.VAX_EXE]         OpenVMS VAX images   9                   [.ALPHA_EXE]       OpenVMS Alpha images   8                   [.IA64_EXE]        OpenVMS IA64 images  M                The .EXE files go into the appropriate subdirectories, and all A                other files are placed in the top level directory.                       2-4         Q                                                                      Installation         Q                __________________________________________________________________   '        2.6     Sample VMSINSTAL session   D                The following shows a typical installation procedure.  .                   EURO-$ @sys$update:vmsinstal  T                           OpenVMS AXP Software Product Installation Procedure V7.3-1  ,                   It is 6-SEP-2004 at 12:10.  A                   Enter a question mark (?) at any time for help.   P                   %VMSINSTAL-W-ACTIVE, The following processes are still active:                          _RTA2: '                          OpenVMS AXPert :                   * Do you want to continue anyway [NO]? 
YP                   * Are you satisfied with the backup of your system disk [YES]?X                   * Where will the distribution volumes be mounted: SYS$SYSDEVICE:[KITS]  \                   Enter the products to be processed from the first distribution volume set.&                   * Products: FASTSCANF                   * Enter installation options you wish to use (none):  ;                   The following products will be processed:   !                     FASTSCAN V3.1   J                           Beginning installation of FASTSCAN V3.1 at 12:10  H                   %VMSINSTAL-I-RESTORE, Restoring product save set A ...  a                   ******************************************************************************* a                   *                       E u r o K o m   Software                              * a                   *                                                                             * a                   *                      vFastScan  V 3.1                                       * a                   *******************************************************************************   ^                   This procedure will install the files necessary to run the vFastScan package\                   into a directory chosen by you.  The installation procedure will NOT startU                   vFastScan, nor will it interact in any way with your PMDF or Sophos ^                   software (it is not necessary to shutdown anything during the installation).  0                   * Do you wish to continue [Y]?  ^                   The installation procedure has detected a previous version of vFastScan, and^                   will perform an upgrade.  Before continuing, you should check the following:  F                   1.  All SAVISMB queues should be completely stopped.  Q                   2.  
You have registered and loaded your vFastScan license using /                       SYS$UPDATE:VMSLICENSE.COM   ]                       Note that this version of vFastScan uses standard LMF license PAKs.  If ]                       you have not received an LMF PAK to replace your LICENSE.TXT you should ^                       discontinue the installation and contact EuroKom or your local reseller.  Q                                                                               2-5                          Installation           7                   * Do you wish to continue ? [NO]? YES O                   %FASTSCAN-I-WHICHEXE, OpenVMS Alpha images will be installed. S                   * Do you wish to install other architecture images as well ? [N]?   T                   You may wish to purge any files from a previous copy of vFastScan.X                   Answering "YES" to this question has no effect if you have not alreadyU                   installed a version of vFastScan nor will it affect any other files F                   (in particular Sophos VSWEEP or Process PMDF files).  S                   * Do you want to purge files replaced by this installation ? [Y]?   ^                   Documentation for vFastScan is available in Postscript, HTML and Plain text.  P                   * Do you want the documentation file in Postscript form ? [Y]?J                   * Do you want the documentation file in HTML form ? [Y]?K                   * Do you want the documentation in plain text form ? 
[N]?   8                           All questions have been asked.  b                   %VMSINSTAL-I-SYSDIR, This product creates system disk directory  SW$:[FASTSCAN].b                   %VMSINSTAL-I-SYSDIR, This product creates system disk directory  SW$:[FASTSCAN.A                   LPHA_EXE].  ^                   You should carefully read the file FASTSCAN_DIR:FASTSCAN.CHECKLIST to ensureH                   you complete the installation or upgrade successfully.  `                   %VMSINSTAL-I-MOVEFILES, Files will now be moved to their target directories...  J                           Installation of FASTSCAN V3.1 completed at 12:12  P                       Adding history entry in VMI$ROOT:[SYSUPD]VMSINSTAL.HISTORY  \                       Creating installation data file: VMI$ROOT:[SYSUPD]FASTSCAN031.VMI_DATA  [                   Enter the products to be processed from the next distribution volume set. "                   * Products: exit  ;                           VMSINSTAL procedure done at 12:12                                               2-6                     Q                __________________________________________________________________   $        3       Configuring vFastScan        Q                __________________________________________________________________            3.1     Location of Files  P                Most vFastScan files are placed in the FASTSCAN_DIR and FASTSCAN_K                EXE directories, however the symbiont image (SAVISMB.EXE) is I                copied to SYS$SYSTEM, as it is an OpenVMS requirement that K                symbionts be located in this directory (the copy is actually L                done when you execute the FASTSCAN_STARTUP procedure). SophosM                VSWEEP provides two optional logicals to locate the main virus P                definition files (VDL*.*) and the auxiliary IDE files (*.IDE). 
If
                these logicals are not defined, the location defaults to the same
                directory as the image performing the scan.

                ___________________________

        3.1.1   Sophos Logical Names

                EuroKom strongly recommends that you use the VSWEEP logicals to
                locate the virus definition files. The logical names are:

                  VSWEEP_MAIN_VDATA_DIR                 location of VDL*.* files.

                  VSWEEP_AUX_DIR                        location of *.IDE files.

                  LIBSAVI_AXP/LIBSAVI_VAX/LIBSAVI_I64   location of shareable image file

                  If you are already using these logicals with VSWEEP, then you
                  do not need to make any changes for vFastScan to be able to
                  locate them. If not, you should define the logicals with the
                  /EXECUTIVE and /SYSTEM qualifiers to point at the directory or
                  directories containing these files (it is possible for a single
                  directory to contain both). For example:

                   $ Define /system /exec VSWEEP_MAIN_VDATA_DIR DKA0:[VSWEEP]  ! VDL*.*
                   $ Define /system /exec VSWEEP_AUX_DIR DKA0:[VSWEEP]     ! *.IDE
                   $ Define /system /exec LIBSAVI_AXP DKA0:[VSWEEP]LIBSAVI_AXP.EXE

                  These definitions should also be placed in the SYSTARTUP_VMS.COM
                  file. Because the symbiont loads its virus data and the Sophos
                  shareable image from these locations, the directories should be
                  writable only by privileged accounts.

                                                                               3-1

                Configuring vFastScan

                ___________________________

        3.1.2   Relocating Sophos Files

                  If you don't define the logical names, then you will have to
                  copy the VDL*.* and/or the *.IDE files elsewhere.
The reasonO                   for this is that Sophos, in the absence of the logical names, L                   will assume the definition files are in the same directoryO                   as the image (.EXE) that is activating the sweep. For the DCL N                   VSWEEP command, it will expect to find them in the directoryN                   into which VSWEEP_AXP.EXE (or VSWEEP_VAX.EXE/VSWEEP_I64.EXE)O                   has been installed. Normal VSWEEP installations put all files J                   into a single directory, so this default works well. ForO                   vFastScan, the image that activates the sweep is SAVISMB.EXE. Q                   Since this is a symbiont, it must be located in SYS$SYSTEM, and P                   therefore in the absence of these logicals, it will expect theP                   VDL*.* and *.IDE files to also be in SYS$SYSTEM. Thus you willQ                   have to copy the VDL*.* and *.IDE files to SYS$COMMON:[SYSEXE], L                   and remember to repeat this every time you upgrade VSWEEP.M                   Since this effectively means maintaining two sets of Sophos L                   data, it is not as good a strategy as defining the logical                   names.I                            ____________________ Note ____________________   E                            If you use the logicals names VSWEEP_MAIN_ G                            VDATA_DIR and VSWEEP_AUX_DIR to point at the H                            VDL and IDE files respectively, vFastScan canD                            use the files in their current locations.$                _____________________'        3.1.2.1 The Shareable Image file   J                   The file LIBSAVI_AXP.EXE (or LIBSAVI_VAX.EXE or LIBSAVI_L                   I64.EXE) is the Sophos shareable library that contains theP                   routines used to scan for viruses (both the DCL VSWEEP commandJ                   and the vFastScan symbiont are linked to this 
file). ForL                   either SWEEP or vFastScan to work, the logical LIBSAVI_AXPM                   (or LIBSAVI_VAX or LIBSAVI_I64) must be defined to point at L                   this file, or the file must be copied into the SYS$LIBRARYO                   directory. Either will work, but EuroKom recommends using the                    logical name.   Q                __________________________________________________________________   !        3.2     Starting vFastScan   K                The installation procedure produces a startup file FASTSCAN_ K                STARTUP.COM in the FASTSCAN_DIR directory. This startup file K                should be called by the system startup procedure, and should L                be executed before any server queues are started. The command6                procedure performs the following tasks:Q                   o  Defines the system logicals FASTSCAN_DIR and FASTSCAN_LOG to O                      point at the directory in which the startup file currently                       resides.   L                   o  Defines the system logical FASTSCAN_EXE to point at theL                      subdirectory of FASTSCAN_DIR appropriate to the current"                      architecture.                  3-2         Q                                                             Configuring vFastScan           J                   o  Copies the appropriate SAVISMB image into the currentL                      machine's SYS$COMMON:[SYSEXE] directory (unless already                      there).  Q                   o  Installs the symbiont and SCAN images as known shared images P                      using the INSTALL facility (this is not essential, but does(                      boost performance).  L                   o  Checks that it can find the Sophos shareable image, and5                      exits with an error if it can't.   P                   o  Sets up the shared logical name table described in the next         
             section.   N                   o  Loads into the table the date of the latest IDE file (see<                      the description of the AUTOIDE option).  L                   o  If it finds an old copy of SCAN.EXE in the FASTSCAN_DIRL                      directory, it renames it, and prints a warning message.  J                   o  Executes any commands in the file FASTSCAN_DIR:SETUP-N                      QUEUES.COM if it exists (unless the NOQUEUES argument has9                      been specified to FASTSCAN_STARTUP).   Q                __________________________________________________________________   %        3.3     The Logical Name Table   K                The startup file sets up a logical name table KOM_VIRUS_SCAN K                that is used by the symbiont to communicate the names of any O                viruses found back to the SCAN program. This is a shared logical N                name table. If you are running in a cluster environment and theJ                symbiont and the process running the SCAN program may be onN                different nodes, this must be a clusterwide table. In this caseG                invoke the startup procedure with the parameter CLUSTER.   =                    $ @DKA0:[FASTSCAN]FASTSCAN_STARTUP CLUSTER   Q                This will cause the table to be created under LNM$CLUSTER_TABLE as /                opposed to LNM$SYSTEM_DIRECTORY.   I                            ____________________ Note ____________________   C                            Clusterwide logical name tables are only ?                            supported on OpenVMS 7.2-1 or later. 
                Q                                                                               3-3g         $                Configuring vFastScan        *                ___________________________  :        3.3.1   Moving from Single System to Cluster tables  M                   If you are changing from a single system logical name table M                   to a cluster wide table, you will need to explicitly deleteoN                   the old table first (or simply reboot) from each node in the*                   cluster. The command is:  H                    $ DEASSIGN /TABLE=LNM$SYSTEM_DIRECTORY KOM_VIRUS_SCAN  Q                __________________________________________________________________   +        3.4     Defining the vFastScan queue   K                The vFastScan queue is a server queue. You can define one oraN                more such queues. A server queue can only process one file at aP                time, so if you want to achieve job concurrency, you will need toN                define multiple server queues, and a single generic queue whichM                feeds the various server queues. 
This is similar in concept to N                the PMDF Process Symbiont described in the PMDF Manager Manual.P                Sample commands for setting up such queues are included in SETUP-                QUEUES.TEMPLATE.   *                ___________________________  -        3.4.1   Defining a single server queue_O                The command to define a single server queue called VIRUS_SWEEPER_                is:  I                    $ INITIALIZE /QUEUE /DEVICE=SERVER /ON=node:: /BASE=3- L                     /OWNER=[SYSTEM] /PROT=W /PROCESSOR=SAVISMB VIRUS_SWEEPER  K                   where node:: is the node on which the symbiont is to run.A  *                ___________________________  +        3.4.2   Defining more than one queue_  P                   The commands required to define two server queues and a single+                   generic master queue are:   I                    $ INITIALIZE /QUEUE /DEVICE=SERVER /ON=NODE:: /BASE=3-_N                     /OWNER=[SYSTEM] /PROT=W /PROCESSOR=SAVISMB VIRUS_SWEEPER_1I                    $ INITIALIZE /QUEUE /DEVICE=SERVER /ON=NODE:: /BASE=3-_N                     /OWNER=[SYSTEM] /PROT=W /PROCESSOR=SAVISMB VIRUS_SWEEPER_2E                    $ INITIALIZE /QUEUE /DEVICE=SERVER VIRUS_SWEEPER - -                     /OWNER=[SYSTEM] /PROT=W -_>                     /GENERIC=(VIRUS_SWEEPER_1,VIRUS_SWEEPER_2)  K                   where node:: is the node on which the symbiont is to run._                      3-4 _  _    Q                                                             Configuring vFastScan         Q                ___________________________________________________________________  %        3.5     Starting the Symbiont. 
  P                To start the symbiont, simply use a START command for each of the+                queues you have initialized:_  *                    $ START VIRUS_SWEEPER_1*                    $ START VIRUS_SWEEPER_2(                    $ START VIRUS_SWEEPER  N                   You can place the commands into the file FASTSCAN_DIR:SETUP-M                   QUEUEUS.COM if you want the queues to be initialized and/or P                   started at vFastScan startup. After they have started, examineM                   the queues using a SHOW QUE/FULL VIRUS* command. The queues !                   should be idle.a  I                            ____________________ Note ____________________   E                            You will notice that the START command for C                            the server queues seems quite slow. On a E                            heavily loaded system, it may even take up D                            to a minute. This is because the symbiontE                            is loading the virus definition files, and_D                            building an in memory data structure, andE                            only indicates the queue is started to the @                            Job Controller when this is complete.  Q                __________________________________________________________________           3.6     The SCAN Command1  M                The SCAN command provides command line access to the vFastScan P                engine. 
It is defined as a foreign command, activating the SCAN.EXE image in the directory specified by the installation procedure. The syntax of the command is:

    $ SCAN input_file [/QUEUE=queue_name] [/VIRUS_SYMBOL=symbol_name]

The arguments are:

o  input_file is the file that you wish to scan.

o  queue_name is the server or generic queue that the vFastScan engine is running on. If omitted, the queue defaults to VIRUS_SWEEPER.

o  symbol_name is the DCL symbol that SCAN will set to the name of the virus, if one is found. If omitted, the symbol name defaults to VIRUS_NAME.

The file SYMBDEF.COM defines the appropriate foreign command and symbolic names for its return codes.

3-5

Configuring vFastScan
__________________________________________________________________

3.7     Return Codes and Virus Name

The SCAN program sets the DCL status codes to one of the values defined by the symbols in SYMBDEF.COM. The symbol ESAVI__NOVIRDET indicates that the file does not contain any viruses (this is a success code, which will not result in a message when the scan program completes). The symbol ESAVI__VIRDET indicates that a virus was found (this is a warning condition). In this case the DCL symbol VIRUS_NAME indicates the name of the virus found. The code ESAVI__SAVAPIERR indicates that the Sophos API returned an error code, which means that it was not able to scan the file.
In this case the error string is returned in the symbol VIRUS_NAME. The most common cause of this code is a password protected file (e.g. a ZIP archive). Note that the VSWEEP DCL command will also fail to scan such files.

____________________ Note ____________________

If the file is clean, SCAN does not set or change the VIRUS_NAME symbol. A value left in VIRUS_NAME by an earlier scan therefore remains in place, so a script should test the status code, not the symbol, to decide whether a virus was found.

__________________________________________________________________

3.8     Testing the Scanning

After you have executed the startup procedure, and the queues are running, you can test scanning some files using the following:

    $ @FASTSCAN_DIR:SYMBDEF  ! defines SCAN command and codes.
    $ SCAN  testfile /QUEUE=queue_name
    $ SHOW SYMBOL $STATUS
    $ SHOW SYMBOL VIRUS_NAME

where testfile is the file that you are scanning and queue_name is the name of the generic or server queue (you can omit this qualifier if the queue name is VIRUS_SWEEPER).

The file EICAR.DAT contains the Eicar pseudo virus, which can be used for testing. Note that this is not a real virus, but a string pattern that most antivirus products will recognize as a 'test' virus. It does not replicate or infect in any way; however, if you regularly run a scan on all the files on your OpenVMS server, it may be flagged as a virus.
If this is aP                   nuisance you can safely delete this file without affecting the.                   normal running of vFastScan.  P                   By using a VSWEEP command on a file, followed by an equivalentO                   SCAN on the same file, you can compare the relative speeds of8%                   the two approaches.                       3-6                     Q                __________________________________________________________________            4       vFastScan Options      K                There are several options that you can specify to modify the_N                default behavior of vFastScan. These can be specified in one or<                more Option files, which are described below.  Q                __________________________________________________________________2          4.1     Option Files_  M                When a symbiont queue starts, it first initializes the various_O                options to their default values. It then looks for the following #                files in this order:   *                ___________________________          4.1.1   Main Option File O                If the file FASTSCAN_DIR:OPTION.DAT is present, it is processed, P                and any options specified within are set to the values specified.  *                ___________________________  )        4.1.2   Queue Specific Option File K                After processing the OPTION.DAT file (if it is present), the K                symbiont then checks for FASTSCAN_DIR:queue-name_OPTION.DAT, N                where 'queue-name' is the name of the current queue. 
If options are specified in both files, the value in the queue specific file takes precedence.

__________________________________________________________________

4.2     Specifying Options

Options are specified one per line, in the following format:

    option=value

e.g.

    AUTOIDE=1

Option names must be specified in full, and are case insensitive. Blank lines and lines starting with a comment character ('!') are ignored.

4-1

vFastScan Options
__________________________________________________________________

4.3     Auto IDE Detection

Since IDE files are only read in when a queue starts, it is necessary to restart the queues when new IDE files are placed in VSWEEP_AUX_DIR. The Auto IDE option provides an alternative mechanism, whereby the symbiont can reload the SAVI module if new IDE files are found.

Option Name        AUTOIDE

Value Range        0, 1

Default            0

If AUTOIDE=0, no IDE detection is done.

If AUTOIDE=1, the symbiont will check the setting of a logical name before each scan. This logical name indicates the date and time of the newest IDE file. If this value has increased since the last check, the symbiont will reload the SAVI before scanning the file, thus enabling the latest set of IDE files. The command procedure FASTSCAN_DIR:LOAD-IDE-VERSION.COM can be used to set this logical name.
This procedure checks the datesM                   of VSWEEP_AUX_DIR:*.IDE and sets the logical to reflect the_O                   date and time of the latest one. You will need to ensure that N                   this procedure is either run periodically, or every time you4                   add an IDE file to VSWEEP_AUX_DIR.  *                ___________________________  !        4.3.1   Performance Impact_  M                   This procedure involves a minimal overhead on the symbiont, P                   as it is only checking a logical name before each scan, ratherN                   than continually scanning through a directory which would beG                   the case if it were to check the actual files itself.   Q                __________________________________________________________________           4.4     Virus Statistics_  *                   Option Name        STATS  ,                   Value Range        0, 1, 3  &                   Default            0  E                   If STATS=0, no statistics information is generated.   N                   If STATS=1, each symbiont keeps count of the number of filesO                   scanned, and the number of viruses detected. The counters are M                   stored in memory, and are accessible via API calls (see the M                   chapter on vFastScan API). They are also written to the log_M                   file when the queue is stopped. The counters for each queue O                   are reset to zero when the queue starts, so they indicate the_N                   number of files scanned and viruses detected since the queue#                   was last started. 
                  4-2 _  _    Q                                                                 vFastScan Options           L                   If STATS=3, the action is the same as for STATS=1, but theN                   counters for each queue are saved when the queue is stopped,N                   and reloaded when that queue starts again. Thus the countersN                   indicate the number of files scanned and viruses found since.                   the queue was first started.  *                ___________________________  !        4.4.1   Performance ImpactH  K                   The counters are stored in a shared global section, which_M                   involves memory access, thus keeping overhead to a minimum.G  Q                ___________________________________________________________________  (        4.5     License Expiration Action  P                This option controls what action vFastScan will take if it cannot"                load a license key.  3                   Option Name        LICENSE_EXPIRE   1                   Value Range        STOP, REPORT   )                   Default            STOP   L                   If the symbiont cannot load a valid vFastScan license PAK,O                   it will write an error message into the log file, and set the B                   queue description to indicate a license failure.  M                   If the option is set to STOP, the symbiont will immediately H                   stop the queue and exit. No further processing will beM                   performed by the queue. This is what happens in versions of (                   vFastScan prior to 3.0  O                   If the option is set to REPORT, the symbiont will continue to M                   run. However, the SCAN command will always return the error M                   SS$_NOLICENSE every time a file is scanned. 
Your conversion K                   script could then check for this code, and fail over to a_!                   VSWEEP command.I  O                   It is more likely that this would be of use for sites using a6Q                   PAK with a termination date (such as an evaluation PAK). Rather_Q                   than have your queues just stop when the PAK expires, you might N                   prefer your script to fail over to VSWEEP when this happens.  *                ___________________________  !        4.5.1   Performance Impact   P                   There is no performance impact on normal vFastScan operations.H                   Obviously, if you fail over to VSWEEP there is a major%                   performance impact.c  Q                                                                               4-3_ _  _                     vFastScan Options        Q                __________________________________________________________________   $        4.6     SAVI Failure Recovery  G                This option controls how the symbiont behaves if certainAH                errors are returned by the SAVI. The SAVI will return theK                ESAVI__SAVAPIERR code in a variety of sitations, including a L                password protected ZIP file, a corrupted Office document etc.J                In nearly all of these cases, a VSWEEP command will produceM                an equivalent error message. The SAVI can also return resource O                failure codes, such as Out-Of-Memory or Out-Of-Disk. This option N                controls the response to these. 
For other types of failure, theN                symbiont returns the ESAVI__SAVAPIERR code to the SCAN command,I                where the user's conversion script can take what action is                 required.  -                   Option Name        SAVIFAIL   ,                   Value Range        0, 1, 2  &                   Default            0  M                   If SAVIFAIL=0, all ESAVI__SAVAPIERR codes are simply passed L                   back to the SCAN command. This is the behavior of previous%                   vFastScan versions.B  O                   If SAVIFAIL=1, the symbiont will attempt to restart the SAVI._L                   After reloading, the symbiont will scan the file again. IfN                   it still returns an out of resource error, the symbiont willJ                   return this code to the SCAN command, and write an errorM                   message to the log. It will then request the Job Controller *                   to restart the symbiont.  O                   If SAVIFAIL=2, the symbiont will attempt to restart the SAVI. O                   After reloading, the symbiont will scan the file again. If it_Q                   still returns an out of resource error, the symbiont will writeTG                   an error message to the log, stop the queue and exit._  *                ___________________________  !        4.6.1   Performance ImpactP  L                   No increased overhead should be encountered, except if theO                   symbiont's page file quota is too low, in which case it mightRO                   encounter a significant number of Out of Resource conditions, O                   in which case the repeated reloading of the SAVI would impact P                   performance. 
However, the alternative would either be allowingL                   files to pass unscanned, or (in the case of the conversionI                   script failing over to VSWEEP) an even bigger impact of 7                   repeated calls to the VSWEEP command._                        4-4         Q                                                                 vFastScan Options         Q                __________________________________________________________________           4.7     SAVI Options_  Q                The ENABLE and DISABLE options can be used to override vFastScan's N                choice of which scanning options it uses when calling the SAVI.P                These are roughly analogous to the VSWEEP command qualifiers, butG                they do not correspond one to one with these qualifiers.   *                ___________________________          4.7.1   SAVI GroupsK                As well as individual scan types (e.g. TNEF, Gzip), the SAVI-J                allows the caller to specify groups (such as the Archive orQ                Internet groups), which enable or disable sets of SAVI scan types. Q                Using groups has the advantage that when Sophos introduce new scan_P                types, they normally allocate them to existing groups, so that byN                turning on a whole group, vFastScan automatically benefits from9                the new scan type without any code change.   *                ___________________________  &        4.7.2   Specifying SAVI optionsP                The ENABLE and DISABLE options turn on and off the specified scanL                type or types. Both qualifiers can take a list of scan types,N                and you can specify multiple ENABLE and DISABLE qualifiers. TheO                order is important. You should first specify any group settings, 8                followed by the individual settings. 
e.g.  #                    ENABLE=ARCH,MIME                     DISABLE=TNEF_                    DISABLE=ZIP  Q                __________________________________________________________________   $        4.8     Supported SAVI Groups  7                The following SAVI groups are supported.   `                   Option     API string              Description                         Default                   Name  [                   ARCH       GrpArchiveUnpack        Archive and compressed formats      ON_  [                   SELFEXT    GrpSelfExtract          Self extracting formats             ON   [                   EXEC       GrpExecutable           Executable files                    ON   [                   INTERNET   GrpInternet             Formats found on the Internet       ON   [                   OFFICE     GrpMSOffice             Microsoft Office formats            ON   [                   MISC       GrpMisc                 Miscellanous formats                ON1  D                   The following individual scan types are supported.  w                   Option     API String                 Description                                  Groups     Default_  r                   ACCESS     Access                     Access Databases (MDB)                       OFFICE     ON  r                   ACTMIME    ActiveMimeHandling         Office Docs in ActiveMIME                    INTERNET   ON  r                   APPSING    AppleSingle                MAC single files                             ARCH       ON  Q                                                                               4-5_ _  _                     vFastScan Options            r                   ARJ        ArjDecompression           ARJ archives                                 ARCH       ON  r                   CMZ        CmzDecompression           CMZ archives                                 ARCH       ON  r                   VBA5       DecompressVBA5             Text part of 
VBA5                            OFFICE     ON  r                   DYNCOM     DynamicDecompression       Exes with dynamic compression                SELFEXT    ON  r                   ELF        Elf                        ELF binaries (Linux/BSD)                     EXEC       ON  r                   X86        Emulation                  16 bit X86 emulation                         EXEC       ON  r                   XLFORM     ExcelFormulaHandling       Excel Formulas (not MACROs)                  OFFICE     ON  s                   FULLMAC    FullMacroSweep             Older fallback mechanism                     none       OFFR  r                   FULL       FullSweep                  Full Sweeping                                none       ON  r                   GZIP       GZipDecompression          GZIP archives                                ARCH       ON  r                   MSHELP     HelpHandling               files embedded in MS HELP                    MISC       ON  r                   HQX        HqxDecompression           Binhex archives                              ARCH       ON  r                   HTML       Html                       optimize HTML scanning                       INTERNET   ON  r                   IGNTMP     IgnoreTemplateBit          scan EXEs without this bit on                none       ON  r                   JAVA       Java                       Java class files                             EXEC,INTERNON  r                   LHA        Lha                        LHA Archives                                 ARCH       ON  r                   LOOP       LoopBackEnabled            scan inside container files                  MISC       ON  r                   MBIN       MbinDecompression          MACBINARY archives                           ARCH       ON  r                   MIME       Mime                       decode MIME encodings                        INTERNET   ON  r                   CAB        MSCabinet                  MS 
CAB files                                 none       ON  r                   MSCOMP     MsCompress                 Microsoft Compression format                 ARCH       ON  r                   MACNS      NamespaceSupport           Handle MAC resource+data                     none       ON  r                   OF2001     Office2001Handling         Office 2001 (MAC) format                     OFFICE     ON  r                   DX095      OF95DecryptHandling        break Office95 encryption                    OFFICE     ON  r                   OFHTML     OleDataMsoHandling         HTML within MS Office                        OFFICE     ON  r                   ACCMAC     OleScriptHandling          Access Macros                                OFFICE     ON  r                   OLE2       OLE2Handling               MS OLE2 format                               OFFICE     ON  r                   OE         Outlook Express            Scan within Outlook Express mailboxes        OFFICE     ON  r                   PALM       PalmPilotHandling          PalmPilot viruses                            MISC       ON  r                   PDF        Pdf                        Enabled PDF interpretation module            MISC       ON  r                   EM32       PeEmulator                 32 bit executable emulator                   EXEC       ON  r                   WINPE      PEHandling                 Win32/PE in .EXE & .DLL files                EXEC       ON  r                   PPD        PowerPointEmbedded         files embedded in Powerpoint                 OFFICE     ON  r                   PPM        PowerPointMacroHandling    Powerpoint Macros                            OFFICE     ON  r                   PRJ        ProjectHandling            VBA macros in MS Project                     OFFICE     ON  r                   RAR        RarDecompression           RAR archives                                 ARCH       ON  r                   RTF        Rtf                     
   scan for objects embedded in .RTF            OFFICE,MISCON  r                   SCRAP      ScrapObjectHandling        scan inside SCRAP objects                    OFFICE     ON  r                   SFX        SfxArchives                optimize search of self extracting archs     ARCH,SELFEXON  r                   SRP        SrpStreamHandling          SRP data in Office                           OFFICE     ON                  4-6         Q                                                                 vFastScan OptionsC            r                   TAR        TarDecompression           TAR archives                                 ARCH       ON  r                   TNEF       TnefAttachmentHandling     MS TNEF attachments                          ARCH       ON  r                   UPX        Upx                        UPX compressed archives                      SELFEXT    ON  r                   UUE        UueDecompression           Decode UUENCODEd parts                       ARCH       ON  r                   VBA3       VBA3Handling               files embedded in VB applications            OFFICE     ON  r                   VBA5       VBA5Handling               files embedded in VB applications            OFFICE     ON  r                   VBE        Vbe                        embedded VB script                           INTERNET   ON  r                   VBF        Vbfiltering                increases detection of VBA plugins           INTERNET   ON  r                   VISIO      VisioFileHandling          MS Visio files                               OFFICE     ON  r                   WORDB      WordB                      Wordbasic files                              OFFICE     ON  r                   ZIP        ZipDecompression           ZIP archives                                 ARCH       ON  Q                __________________________________________________________________e          4.9     Page File Quota  L                If you see 
Out-of-Memory errors in the log file, the symbiont may require more page file space. The page file quota accorded to symbionts is taken from the page file quota assigned to the Job Controller. This in turn is calculated from the total amount of page file space available to the system. If you need to increase the page file quota of the symbiont, you will need to increase the overall amount of page file space on your system.

__________________________________________________________________

4.10    Cluster Considerations

The use of vFastScan in a clustered environment is fully supported. There are some configuration issues that must be considered if you are going to run vFastScan on a cluster.

___________________________

4.10.1  Licensing

You require a vFastScan license on each machine on which a vFastScan symbiont is running. If you are running your vFastScan queues on one node, and you are submitting scans to it from PMDF conversion queues on other nodes, only the node running the symbiont needs to have a vFastScan license. If you are running the vFastScan dedicated scanning channel, a vFastScan license is required for both the node running the symbiont and the node running the channel program. Note that vFastScan must be started on any node that is running a conversion queue that submits files for scanning, but it does not require a license to run this part of the product (effectively the SCAN command). If you are licensing more than one node, you can either use separate license PAKs or a single combined PAK, provided it has enough units.
A PAK requires one license unit for each machine it is licensing. The PAKs do not have the NO_SHARE option set, and the same PAK will activate on either VAX or Alpha (the IA64 platform requires a separate type of license).

4-7

vFastScan Options

___________________________

4.10.2  Logical Name Table

vFastScan uses a shared logical name table, whereby the symbiont can pass the names of viruses to the SCAN program. If a conversion queue is to submit messages for scanning to a vFastScan symbiont on another node, then this should be a clusterwide logical table (note that clusterwide tables are not supported prior to OpenVMS 7.2). To achieve this, provide the CLUSTER parameter to the FASTSCAN_STARTUP file on all cooperating nodes. Note that you can configure the conversion script so that it always hands the file to a symbiont on the same queue (using the /QUEUE qualifier to the SCAN command). In such cases it is not necessary to use a clusterwide table.

___________________________

4.10.3  Statistics

If you enable the STATS option, the vFastScan symbionts will maintain totals of files scanned and viruses detected on a per-queue basis. These totals are stored in memory, in a Global Section. Since such sections are specific to each node, any access to these figures (using the API) will only return values for the current node.
In a cluster environment, it would beN                necessary to make the API calls on each node on which vFastScan%                symbionts are running.   *                ___________________________          4.10.4  Load BalancingsK                You can load balance vFastScan queues across a cluster usingeQ                specific symbionts on each node, and a generic queue to feed them. O                The file SETUP-QUEUES.TEMPLATE gives examples of how to do this.                                                           4-8                     Q                __________________________________________________________________d  @        5       Integrating vFastScan into your Conversion Script      M                Up to this point, you have configured and tested the vFastScancQ                engine. You must also modify your conversion script to make use oftQ                vFastScan as opposed to the DCL VSWEEP interface. The instructionslO                in this chapter describe how to do this. If you intend using thetQ                dedicated virus scanning channel instead of the conversion script,t1                then you should skip this chapter.o  Q                __________________________________________________________________            5.1     Conversion Script  L                The conversion script is activated by COMMAND= clauses in theN                file PMDF_CONVERSION_FILE. The conversion channel will break upN                a message into its constituent MIME bodyparts, and for each oneO                spawn a subprocess running the conversion script. This mechanism N                will continue to be used for vFastScan. 
You will simply replace the VSWEEP command in the script by a SCAN command.

__________________________________________________________________

5.2     Testing a Single Channel First

You may prefer to activate the vFastScan method for a single test channel first, before switching over all your virus checking to this method. To do this, copy your standard conversion script to a different file, and make the changes there. You can then activate this file for your test channel, while your other channels continue to use the DCL VSWEEP command. If you don't have a test channel, and would like to set one up, see the description of this in Appendix A.

__________________________________________________________________

5.3     Changes to the Conversion Script

Suppose your existing script has the following commands for scanning:

    $ Vsweep = "$DKA1:[SWEEP]VSWEEP_AXP"
    ...
    $ !   Scan the input file using VSWEEP.
    $
    $ Vsweep /fi /vr=(virusname) /vf='vnm_file' 'input_file'
    $
    $ If SWEEP$_STATUS .eqs. "SWEEP$_VIRUS" then goto virus_found
    $ If SWEEP$_STATUS .eqs. "SWEEP$_CLEAN" then goto no_virus
    $ If SWEEP$_STATUS .eqs. "SWEEP$_INFO" then goto no_virus
    $ If SWEEP$_STATUS .eqs. "SWEEP$_WARNING" then goto warning

then you would probably replace them with something like:

5-1

Integrating vFastScan into your Conversion Script

    $ @FASTSCAN_DIR:SYMBDEF
    ...
    $ Scan 'input_file' ! note defaults for SCAN command
    $
    $ If $status .eq. ESAVI__VIRDET then goto virus_found
    $ If $status .eq. ESAVI__NOVIRDET then goto no_virus
    $ If $status .eq. ESAVI__SAVAPIERR then goto warning

Any other status, such as the SS$_NOLICENSE error that SCAN returns when the LICENSE_EXPIRE option is set to REPORT, matches none of these three tests; make sure the commands that follow them do not treat such a file as having been scanned.

Note that you also have to allow for the different ways that VSWEEP and SCAN return the name of the virus. VSWEEP above outputs the name of the virus to the file indicated by the symbol vnm_file, whereas SCAN sets the symbol virus_name to be the name of the virus.

___________________________

5.3.1   Failsafe Mode

You can optionally have your script do a VSWEEP DCL command if it gets an unexpected error from the SCAN command, allowing it to fail over safely. EuroKom recommends that your script perform a VSWEEP if the SCAN command returns a SAVAPIERR return code.
  I                            ____________________ Note ____________________   E                            The conversion script cannot instruct PMDF E                            to defer the message for later processing. D                            It is limited to telling PMDF to pass theG                            message intact, replace the current bodypartwG                            by something else (typically a virus warningDE                            template), reject (bounce) the message, oroD                            rename it to a .HELD file, which requiresD                            manual intervention before the message isG                            processed again. This is a limitation of the-H                            conversion channel, and affects both the SCAN1                            and VSWEEP approaches.   Q                ___________________________________________________________________  !        5.4     Performance Issues   J                The vFastScan engine was designed for fast performance. TheM                main performance gain is the fact that it is loading the virus P                definitions and building the in-memory data structures only once,L                whereas the VSWEEP command must load them each time a file isL                scanned. The actual scanning is performed within the symbiontM                process, and it passes the result back to the SCAN command for P                presentation to the conversion script. The logical name table wasO                used rather than mailboxes or global sections because the lattercP                two are not as easily adapted to a cluster environment. Note thatO                the logical name table is only used when a virus is found. 
Since most scanned messages won't contain a virus, the logical name
overhead is only incurred in the minority of cases where a virus
is detected. In most other cases, the return 'clean' status is
conveyed back to the SCAN command by the Job Controller.

5.5     Concurrency

You will not need a high degree of concurrency of server queues.
Note that the concurrency of conversion batch (or process
symbiont) queues should not be less than the concurrency of the
server symbionts. Normally they would be more, as the conversion
processes have more work to do (decomposing and rebuilding MIME
messages). We recommend you start with a concurrency of two
server queues, and increase this if you see a continuous queue of
messages on the generic queue (and you have CPU cycles to spare).

5.5.1   ZIP and TNEF attachments

The vFastScan engine will scan inside most archives (including
ZIP) to detect whether any of the enclosed files are infected.
If any of the files are found to be infected, it will return a
SAVI__VIRDET return status, and the name of the virus found.
Similarly, attachments encoded using Microsoft's proprietary
Transport Neutral Encoding Format (TNEF) will also be decoded
and scanned. In neither case will the engine indicate which file
in the archive contained the virus. By default, vFastScan enables
searching inside all known archive groups.
Check the Release Notes
for both vFastScan and VSWEEP to verify if a particular archive
type is known. You can enable and disable groups and/or individual
archive types by specifying SAVI options in the Option File.

5.6     Upgrading VSWEEP

You should ensure that the server queues are stopped while you
are upgrading the Sophos VSWEEP software. Ideally, you should also
stop the conversion queues, as this allows you to test the server
queues after the upgrade by issuing manual SCAN commands from DCL
before the conversion queues are restarted.

5.6.1   After Upgrading VSWEEP

After completing a VSWEEP upgrade, you should do the following:

   o  If you INSTALL the LIBSAVI_AXP (or LIBSAVI_VAX) as a known
      image, make sure you execute an INSTALL REPLACE LIBSAVI_AXP
      (or LIBSAVI_VAX) command.

   o  Remove old *.IDE files and replace them with the appropriate
      set for your new version.

   o  If you are not using the VSWEEP_MAIN_VDATA_DIR logical,
      delete the old VDL*.* files from SYS$COMMON:[SYSEXE] and
      replace them with the new set of files.

   o  If you are not using the VSWEEP_AUX_DIR logical, do likewise
      with the *.IDE files in SYS$COMMON:[SYSEXE].

Note

Since the Symbiont only reads the virus
data and IDE files when it starts up, it is
important to remember to restart the queues
if any changes are made. In particular, if
you add any IDE files to VSWEEP_AUX_DIR you
must issue a STOP/NEXT and START command
for each server queue, or make use of the
AUTOIDE option (see the chapter on vFastScan
Options). You may stop and start each queue
individually (you don't need to stop all the
server queues before any restarts).

6       The Virus Scanning Channel

The virus scanning channel offers an alternative to the conversion
channel when checking messages for viruses. This method offers
the advantage of being faster than conversion scripts, as it does
not need to spawn a subprocess for each bodypart to be scanned.
Using a channel program does not have the same flexibility as a
DCL script, but the vFastScan channel provides several options
that can be used to customize its actions. The vFastScan channel
can also detect viruses in embedded chunks of Base64 'Blobs' that
are the result of incorrect MIME encoding boundaries.

Note

The Virus Scanning Channel may not be used if
you are running vFastScan in LITE mode (free
license).
You must have a full or evaluation
vFastScan license PAK loaded to make use of
this channel.

6.1     Using the Scan Channel for Content Filtering

As well as scanning for viruses, the channel can also be used to
detect and remove undesirable or oversized attachments. The use of
the channel for this purpose is described later.

6.2     Implementation

The virus scanning channel is implemented using the PMDF API,
and executes just like a normal PMDF channel. You must add this
channel to your PMDF configuration, and add entries to the MAPPING
file to activate this channel. Like any PMDF channel, you can
control which batch (or process symbiont) queue it runs in.

6.3     Defining the Channel

You must first define the channel within PMDF. Firstly, you must
add a channel block to your PMDF_CONFIG_FILE (channel blocks are
in the second half of the file, after the first blank line).

    kom_scan
    scan.mydomain.com

The channel is called "kom_scan", and the domain
associated with it should be an unused subdomain of your own
domain. You can add other keywords to the first line if you
wish (e.g.
'queue' to control which queue it runs in).  Q                                                                               6-1_ _  _    )                The Virus Scanning Channela          N                   The next step is to copy the file KOM_SCAN_CUSTOM_MASTER.COMK                   from the vFastScan directory into the PMDF_COM directory.h  K                    $ Copy FASTSCAN_DIR:KOM_SCAN_CUSTOM_MASTER.COM PMDF_COM:r    N                   This tells PMDF how to activate the supplied channel programI                   which will process mail messages in the KOM_SCAN queue.t  Q                ___________________________________________________________________  %        6.4     Activating the Channel   O                After defining the channel, you have to configure PMDF to direct M                mail to this channel. The way to do this is via the CONVERSION N                mapping in the PMDF_MAPPING_FILE. If you have used a conversionN                script before, you will remember that this is the mapping tableO                that controls which messages are diverted through the conversion P                channel. We will use the same mechanism, but will divert mail viaQ                the KOM_SCAN channel instead. For example, you may already have an Q                entry that directs all mail intended for the local (L) channel for =                conversion. This entry would be something likeo                     CONVERSION3                    In-Chan=*;Out-Chan=l;Convert Yes_  Q                   In this case, you would change it so that mail was diverted vias/                   the KOM_SCAN channel instead. 
    CONVERSION
    In-Chan=*;Out-Chan=l;Convert Yes,CHANNEL=kom_scan

When you do this, all messages destined for the local channel
will first pass through the kom_scan channel for virus
scanning.

6.5     Setting the vFastScan Queue

If your vFastScan symbiont queue is not the default VIRUS_SWEEPER,
then you will have to configure the kom_scan channel to issue
SCAN commands to this queue instead. To do this, you will need to
create an Option file for the channel. The option file is
PMDF_TABLE:KOM_SCAN_OPTION.DAT. Create the following line:

    QUEUE=FASTSCAN_QUEUE

where FASTSCAN_QUEUE is the name of the vFastScan symbiont or
generic queue. You can specify many other options in this file,
and these are described later in this chapter.

6.6     Scan queue action

The channel program will break the message up into constituent
parts, and scan them each for viruses. If the message is virus
free, the message will be forwarded intact to the destination
channel (you have the option to insert an additional
this-message-has-been-scanned header; see the section detailing the
various options). If the message contains a virus, the channel will
consult a PMDF mapping table to decide its action.
If the mappingP                table does not exist, the channel will replace any infected partsH                by a default text, rebuild the message and forward it on.  Q                __________________________________________________________________   /        6.7     Scanning for Embedded MIME Blobso  K                A MIME 'Blob' is a chunk of Base64 encoded text that appearscH                within a message bodypart. Such occurrences are caused byQ                incorrect MIME headers, which result in the encoded text appearing O                within the message text rather than in its own defined bodypart.sP                Viruses such as Magister and SOBER have been seen to produce suchM                malformed messages. Ordinarily, these messages would appear toaP                the recipient user as Base64 chunks of text, and it would requireP                manual extraction and decoding to present a threat. However, someK                mail clients are reputed to be able to decode such malformed N                messages, and certainly some other virus checking programs haveK                triggered on receiving these messages, thus it is prudent to?O                check for these messages. If a MIME Blob is found, it is decodedoN                and scanned for viruses. If no virus is found, the Blob is leftJ                intact. If a virus is found, then the appropriate action isL                taken (e.g. discard the message or replace the whole bodypartL                with a warning message). There is a small performance penaltyN                as it involves an extra pass through each message bodypart, butL                extra virus scanning is only invoked if a Blob is found. NoteL                that detection of such Blobs will not occur in the ConversionP                channel, unless your DCL script takes steps to detect them withinN                the INPUT_FILE. 
Scanning for MIME Blobs is disabled by default.L                See the description of the BLOB option in the Channel Options#                section for details.e          Q                                                                               6-3s i  t    )                The Virus Scanning ChannelE        Q                __________________________________________________________________t          6.8     Virus Actions  O                The channel will consult the mapping table KOM_REPLACE_FILE (theIO                table name can be changed to something else if you prefer by the M                use of a suitable entry in the channel option file). The input (                string to the channel is:  U                    scanresult|agent|channel|type|subtype|filename|virus-name-or-errorO  6                The various fields are described below.  O                   o  scanresult is the string VIRUS if a virus was detected, or G                      the string CANTSCAN if the SAVI returned an error.e  O                   o  agent is the agent detecting the virus, which is currently                       SOPHOS.  M                   o  channel is the channel name to which the message will bei1                      enqueued if it is forwarded._  ;                   o  type is the MIME type of the bodypart.3  A                   o  subtype is the MIME subtype of the bodypart.l  :                   o  filename is the name of the bodypart.  N                   o  virus-name-or-error is either the name of the virus foundP                      (in the case of VIRUS) or the 8 digit hex error returned by2                      SAVI in the case of CANTSCAN.  J                The output string of the mapping can optionally specify theL                name of a text file that is to replace the infected bodypart.O                Alternatively, it can direct the channel to discard the message. 
N                The following mapping flags are supported on the output string:  M                   $Y                          Replace bodypart with specified_3                                               file.   P                   $N                          Do not replace file-leave bodypart5                                               intact.h  E                   $X                          Discard entire message.   L                   $A                          Archive a copy of the infected7                                               bodypart.o  K                If no action is specified, or if the file provided cannot be P                opened, the channel will replace the bodypart with the file PMDF_L                TABLE:VIRUS-DEFAULT.TXT. The archive flag is normally used inP                conjunction with either the $X or $Y directives, and is described"                in a later section.                  6-4 r  r    Q                                                        The Virus Scanning Channel         Q                __________________________________________________________________s          6.9     Sample MappingK  "                   KOM_REPLACE_FILE  P                         VIRUS|SOPHOS|L|*|*|*|WM*          $YPMDF_TABLE:VIRUS.TXT<                         VIRUS|SOPHOS|L|*|*|*|W32*         $XA                         CANTSCAN|SOPHOS|L|*|*|*|*0212     $YPMDF_ "                TABLE:ENCRYPTED.TXT<                         CANTSCAN|SOPHOS|L|*|*|*|*0225     $NA                         CANTSCAN|SOPHOS|L|*|*|*|*         $YPMDF_ !                TABLE:CANTSCAN.TXT   9                The entries in the table do the following:1  N                   1  If a virus whose name starts with WM is found, replace it-                      with the file VIRUS.TXT. 
  Q                   2  If any other virus is found, discard the message completely.h  N                   3  If the scan fails due to error *0212 (file is encrypted),1                      replace it by ENCRYPTED.TXT.y  Q                   4  If the scan fails due to error *0225 (part of a multi-volume 8                      archive), let the bodypart through.  N                   5  If the scan fails due to any other error, replace it with+                      the file CANTSCAN.TXT.i  M                Note that the VSWEEP command will produce the same results, sonK                your policy for deciding what gets through should be similartK                to how you would handle the return codes from VSWEEP in yourh!                conversion script.d  Q                __________________________________________________________________t  %        6.10    Virus Reference Number*  L                When the channel detects a virus (or a scan failure), it willM                generate a unique reference number. This number can be used in L                conjunction with the archive facility if you want to track orH                recover the bodypart. The Reference Number is of the form  %                    YYYYMMDD-XTTTTT-SSa                   e.g.%                    20041025-410234-00   M                where YYYYMMDD is the date, X is the Node Identifier, TTTTT is P                the number of seconds since midnight, and SS a sequence number toG                ensure the overall reference is unique within a cluster.V      Q                                                                               6-5  i  u    )                The Virus Scanning Channel_        *                ___________________________          6.10.1  Node Identifier  L                This single character value should be different for each nodeI                in the cluster. 
It can be specified by defining the system
wide logical name FASTSCAN_NODE_ID or will default to the
first character of the system root (e.g. if your SYS$SYSROOT is
DKA0:[SYS3.], then the Node Identifier will default to 3). This
character may be non-numeric.

6.11    Replacing Files

The file specified in the mapping table is used to replace the
infected bodypart. The MIME headers for the new part are set to
TEXT/PLAIN and the file name is set to VIRUS-REMOVED.TXT. You can
include information about the bodypart being replaced by using
directives starting with the "%" character. Any occurrence of
these directives in the file will be replaced by the appropriate
string.

   Directive                   Replaced by

   %%                          %

   %T                          MIME Type

   %S                          MIME Subtype

   %N                          File Name

   %I                          Reference Number

   %V                          Virus Name

   %L                          Length of file

The following is a sample virus replacement file.

    Acme Roadrunner Extermination Inc

   The Acme virus filter has removed the file %N (of size %L) because
   it contained the %V virus.

   For further information, contact the help desk at 555-1234, quoting
   reference number %I

6.12    Using the Channel for Content Filtering

In addition
to removing viruses, the vFastScan channel can be usednN                to limit the sizes of certain attachment types, or to eliminateN                dangerous types altogether. Content Filtering is enabled if theN                PMDF mapping table KOM_MIME_TABLE exists (the name of the tableL                can be changed using a channel option). If this table exists,K                the channel will check each bodypart against it to determinedM                the maximum permitted size for this bodypart type. You can use P                a combination of MIME type/subtype and/or filename in the mapping)                entry. The table probe is:                   6-6 A  T    Q                                                        The Virus Scanning Channel_          0                    channel|type|subtype|filename    $                where the fields are:  3                   o  channel is the target channel.   +                   o  type is the MIME type.   1                   o  subtype is the MIME subtype.a  :                   o  filename is the name of the bodypart.  M                The string returned should be numeric, and will be interpretedrL                as the maximum size in VMS blocks permitted for the bodypart.P                Specifying a value of 0 will effectively treat all occurrences ofP                this file type as oversized, and specifying a value of -1 will beP                interpreted as any size permitted. If the attachment is less thanO                or equal to the size specified, the bodypart is allowed through. Q                If it is greater than the size specified, the channel will consult L                the KOM_REPLACE_FILE table to decide what action to take. 
The'                probe for this table is:r  5                    SIZE|channel|type|subtype|filename   L                The fields have the same value as for a Virus probe, but noteN                that the first field is SIZE rather than VIRUS or CANTSCAN. TheQ                same range of actions is available as before. You can specify a $YaP                along with a file name, and the channel will replace the bodypartN                with a text warning message. Alternatively you can specify a $XQ                directive which will cause the entire message to be discarded. ThedN                same "%" directives can be used within the file, apart from theN                %V which is undefined. The following is an example of a content                filtering table.                       KOM_MIME_TABLE3                         L|video|*|*          1000$Yi3                         L|*|*|*.MP*G         1000$Y 3                         L|*|*|*.AVI          1000$Yt2                         L|*|*|*.PIF          0$Y$V2                         L|*|*|*.EXE          0$Y$V3                         L|*|*|*              5000$Y   2                The above table does the following:  N                   1  Attachments with a MIME type of VIDEO are limited to 1000                      blocks.  Q                   2  Attachments with names of *.MP*G & *.AVI are limited to 1000.                      blocks.  Q                   3  Attachments with names *.EXE or *.PIF will not be allowed at                       all.e  Q                                                                               6-7  I  I    )                The Virus Scanning Channel           F                   4  All other attachments are limited to 5000 blocks.  *                ___________________________  %        6.12.1  Forcing Virus Scanning   O                Normally, if a file exceeds the permitted size it is not scanned K                for viruses, as it is going to be replaced. 
If you specify aiM                $V directive, the attachment will be scanned for viruses. If aIO                virus is found, the channel will treat this as an infection, andTN                probe the KOM_REPLACE_FILE table for a VIRUS entry. If no virusM                is found, it will probe the KOM_REPLACE_FILE for a SIZE entry. N                This is useful if you are implementing a policy whereby certainO                file types (e.g. .EXE) are not to be allowed through, but should_N                be replaced by a warning message to the recipient (by using theP                Archive function and the Reference Number, the excised attachmentP                can be manually retrieved). In the event of a virus outbreak, youO                don't want the recipient to receive hundreds of warning messages_L                telling him that the infected EXE files have been removed. ByP                using the $V directive, you can have messages with infected .EXEsP                discarded, and those with uninfected .EXEs forwarded on minus the$                dangerous attachment.  Q                __________________________________________________________________           6.13    Logging  P                The channel can optionally generate log records any time it findsN                a virus infection, or an attachment in contravention of contentO                filtering rules. The LOG_FILE option activates and specifies theSN                file name for this logging. If the file cannot be opened, a newQ                one is automatically created (the file is opened for shared write, Q                so multiple instances of the kom_scan channel within a cluster caneQ                run at the same time). The format of the log record is as follows: #                   o  Date and Time. 
  &                   o  Reference Number.  5                   o  Object Type (V=Virus, F=Filter).u  3                   o  Action (R=Replace, D=Discard).i  =                   o  Archive Flag (A=archived, blank if not).   '                   o  Mime Type/Subtype.   $                   o  Attachment Name  1                   o  Virus Name (for Virus type)._  #                   o  Envelope From._  !                   o  Envelope To.T                  6-8         Q                                                        The Virus Scanning Channelg        *                ___________________________  !        6.13.1  Sample Log Recordsh  K                The following are sample log records (for clarity, the lines N                are wrapped; in reality each record starts with a timestamp and"                occupies one line).  U                   2006-02-21 00:02:54 20060221-400174-00 VDA APPLICATION/OCTET-STREAMsZ                     interesting.doc.exe W32/Netsky-P somewhere@outthere.xxx victim@acme.ie  G                   2006-02-21 00:48:33 20060221-402913-00 FRA IMAGE/JPEGu=                     38.jpg ymjevkua@somewhere.com joe@acme.ie   M                The first record shows an .EXE file infected by Netsky-P being I                discarded. The second shows an oversized file 38.JPG being H                replaced by a warning message. In both cases, copies were                archived.  Q                __________________________________________________________________   "        6.14    Archiving Bodyparts  O                The channel can optionally save a copy of any attachment that iscO                oversized or infected. 
To archive an attachment, use the $A flag_/                in the KOM_REPLACE_FILE mapping.i  *                ___________________________  "        6.14.1  Directory LocationsH                You can configure separate directories for the archive ofN                attachments that are infected, or are removed by content filterN                rules. The former is specified by the option VIRUS_ARCHIVE, andM                the latter by the option FILTER_ARCHIVE. The argument to theseiN                options should be a device and directory specification. You canM                group attachments for each channel by using the string "%G" torB                stand for the channel name. For example, the option1                   VIRUS_ARCHIVE=DKA100:[VIRUS.%G]d  Q                would cause the channel to place infected attachments destined foreQ                the local (L) channel in DKA100:[VIRUS.L]. The channel will createnO                the directories automatically if they don't exist. The full listi!                of metastrings is:n  ;                   %G                          Channel name.   B                   %Y                          4 digit year number.  C                   %M                          2 digit month number.-  J                   %D                          2 digit day of month number.      Q                                                                               6-9i t  S    )                The Virus Scanning Channelt        *                ___________________________          6.14.2  File Namest  L                The File Name is set to the Reference Number generated by theM                channel program when the content filter rule or virus check islN                applied. 
The following files are created when a content rule is                applied:MJ                   o  .FILE contains the actual decoded attachment that was                      filtered.  H                   o  .HEADERS contains the outer headers of the message.  N                   o  .FNM contains information about the attachment (e.g. file"                      name & size).  E                The following files are created when a virus is found.   D                   o  .VIRUS contains the actual infected attachment.  H                   o  .HEADERS contains the outer headers of the message.  Q                   o  .VNM contains information about the virus (e.g. virus name).u  L                This can be modified slightly using the ARCHIVE_FLAGS option.  Q                __________________________________________________________________i          6.15    Channel Options  P                The following is a full list of the available options that can beD                specified in the file PMDF_TABLE:KOM_SCAN_OPTION.DAT.  *                ___________________________          6.15.1  ARCHIVE_FLAGSQ                The ARCHIVE_FLAGS option can be used to reduce the number of files_M                created in the virus or filter archive. By default three files M                are created for each attachment that is blocked: a copy of the O                attachment itself, the outer message headers, and an informationaO                file. You can reduce this to two files by having the informationeK                prepended to the top of the outer headers file. The value of_M                ARCHIVE_FLAGS is a bit mask expressed as a decimal number. 
The valid values are:

                   0              create separate headers and info files for both
                                  archives.

                   1              combine the headers and info files for virus
                                  archive.

                   2              combine the headers and info files for filter
                                  archive.

                   3              combine the headers and info files for both
                                  archives.

                6-10

                                                        The Virus Scanning Channel

                ___________________________
        6.15.2  BLOB

                Specifies that bodyparts should be scanned for embedded MIME
                'Blobs'.

                   BLOB=1

                   turns on Blob processing. The default is 0, which disables the
                   check. If Blob processing is enabled, any MIME Blobs detected
                   within the bodypart are scanned for viruses. Note that for Blob
                   processing to be effective you must not disable MIME processing
                   within the Symbiont option file (MIME processing is enabled by
                   default).

                ___________________________
        6.15.3  LOG_FILE

                   Specifies the log file to contain a list of filtered or
                   infected attachments. If omitted, no logging is performed.

                ___________________________
        6.15.4  QUEUE
                   Specifies the queue to which attachment scanning is submitted.
                   This is equivalent to the /QUEUE qualifier on the DCL SCAN
                   command. This queue should be a vFastScan symbiont queue, or
                   a generic queue feeding a vFastScan symbiont queue.
The defaultf)                   queue is VIRUS_SWEEPER.   *                ___________________________          6.15.5  HEADER_SCANNED M                   This option specifies an RFC-822 header that is inserted byAM                   the channel program on every message that it processes. Forb                   example:  F                   HEADER_SCANNED=X-Scanned-By: vFastScan virus scanner  L                Headers starting with X- are guaranteed not to clash with anyK                headers defined by standards such as RFC-822. If omitted, no "                header is inserted.  *                ___________________________          6.15.6  HEADER_INFECTED  J                This option specifies an RFC-822 header that is inserted byN                the channel program if one or more viruses were detected in the$                message. For example:    Q                                                                              6-11. u  l    )                The Virus Scanning Channelp          ]                   HEADER_INFECTED=X-Virus-Detected: one or more viruses detected by vFastScanI    *                ___________________________          6.15.7  HEADER_FILTERED  N                This option specifies an RFC-822 header that is inserted by theQ                channel program if one or more attachments were removed by contenth)                filter rules. For example:n  X                   HEADER_FILTERED=X-Attachment-Blocked: attachments removed by vFastScan  *                ___________________________          6.15.8  MIME_TABLE_  O                Specifies the PMDF mapping table that is used for content filter 4                rules. The default is KOM_MIME_TABLE.  *                ___________________________          6.15.9  REPLACE_TABLEN                Specifies the PMDF mapping table that is used by the channel toM                decide on the action needed when an attachment is oversized or 9                infected. 
The default is KOM_REPLACE_FILE.

                ___________________________
        6.15.10 FILTER_ARCHIVE
                Enables, and specifies the directory for, the archival of filtered
                attachments. The argument should be a device and directory name,
                with an optional %G directive.

                ___________________________
        6.15.11 VIRUS_ARCHIVE
                Enables, and specifies the directory for, the archival of
                infected attachments. The argument should be a device and
                directory name, with an optional %G directive.

                ___________________________
        6.15.12 SUBJECT
                Specifies a subject field that replaces the subject of a message
                when a virus has been detected. The new subject can include the
                old one by using the %S directive. For example, if you want to
                prepend the string [Virus Removed] to the existing line, use

                    SUBJECT=[Virus Removed] %S

                6-12

                __________________________________________________________________

        7       The vFastScan API

                __________________________________________________________________
        7.1     Description

                The vFastScan API allows you to access the features of vFastScan
                within a program. API routines are provided to

                   o  Scan a file for viruses.

                   o  Access the in-memory scanning statistics.

                The routines may be used on either VAX or Alpha, and the
                interfaces conform to the OpenVMS calling standard.

                __________________________________________________________________

        7.2     Scan a file for viruses

                To scan a file for viruses, call the VFASTSCAN_FILE routine.
ThisO                is equivalent to the DCL SCAN command. The routine will return aiO                code indicating whether or not a virus is found, and if so, will L                return the name of the virus in one of the parameters. You doN                not need to call any set up or finish routine, and you may callO                this routine repeatedly for multiple files (once for each file). O                Currently the use of wildcards or file lists in a single call is                 not supported.   Q                __________________________________________________________________   ,        7.3     Obtaining Scanning Statistics  Q                Use the VFASTSCAN_GET_STATS routine to obtain scanning statistics.tN                If the statistics logging option is enabled, the symbionts willP                store the number of files scanned and the number of viruses foundK                in a global section. These numbers are stored on a per-queueaM                basis. You can retrieve this information by repeatedly callingeO                this routine. Each time, the routine will return the numbers for '                the next symbiont queue. I                            ____________________ Note ____________________s  G                            Statistics are specific to the current node._C                            In a cluster environment, each node will H                            store statistics for all queues on that node.E                            To obtain clusterwide statistics, you will G                            need to execute calls to VFASTSCAN_GET_STATS F                            on each node. 
Note that if the STATS optionE                            is set to zero (the default) no statisticso*                            will be logged.  Q                                                                               7-1f m                        The vFastScan API        Q                __________________________________________________________________i          7.4     Linking Programsd  P                Programs that call the vFastScan API routines must be linked withQ                the appropriate shareable image (FASTSCAN_EXE:FASTSCAN_SHR.EXE). AVP                linker option file is provided in FASTSCAN_EXE:FASTSCAN_LINK.OPT.  Q                __________________________________________________________________p  )        7.5     Return codes and constantsN  J                Symbolic values for the codes that the routines return, andK                any constants used in parameters are provided in a number of L                definition files. Your program should include the one that is,                appropriate to your language.  ,                   FASTSCAN_DEFS.FOR  Fortran  *                   FASTSCAN_DEFS.BAS  Basic  +                   FASTSCAN_DEFS.PAS  Pascale  ,                   FASTSCAN_DEFS.MAR  Macro32  &                   FASTSCAN_DEFS.H    C  (                   FASTSCAN_DEFS.COM  DCL  *                ___________________________  +        7.5.1   Special Considerations for Cs  L                C programs must be written so that they pass character stringN                arguments using VMS string descriptors, rather than the addressM                of a null terminated string. The CRTL contains suitable macros_8                allowing you to declare such descriptors.  *                ___________________________  1        7.5.2   Special Considerations for Macro32 K                Macro 32 programs do not include the FASTSCAN_DEFS.MAR file. 
L                This file defines a Macro _VSCANDEF which should be called atP                the top of the program source (in much the same way that you callQ                $SSDEF for system status codes). This gives access to the symbolicp                constants.a  Q                __________________________________________________________________   "        7.6     Privileges Required  M                The API routines do not turn on any privileges, so the calling P                program must run in an environment that will enable it to performP                the required operation. In order to scan a file, the program mustM                have read access to the file, and write (submit) access to thenM                symbiont queue to which it is submitting the scan request. For O                access to the statistics, it must have read access to the globalsM                section, which normally requires SYSPRV or a System UIC, alongn&                with SYSGBL privileges.                  7-2 _  _    Q                                                                 The vFastScan API         Q                __________________________________________________________________h  "        7.7     VFASTSCAN_SCAN_FILE  '                Scan a file for viruses.V  *                ___________________________          7.7.1   Calling SequencetN                   status = VFASTSCAN_FILE (file, queue, unused, virus, length)  Q                   _______________________________________________________________bQ                   Argument___Data_Type__________Access____Mechanism______________   D                   file       character string   read      descriptor  D                   queue      character string   read      descriptor  C                   unused     longword           read      referencea  D                   virus      character string   write     descriptor  Q                   
length_____longword___________write_____reference______________

                ___________________________
        7.7.2   Arguments

                _____________________
        7.7.2.1 file
                Name of the file which is to be scanned for viruses.

                _____________________
        7.7.2.2 queue
                Name of the symbiont queue which is to service the request. This
                must be a vFastScan symbiont queue, or a generic queue that feeds
                vFastScan symbiont queues.

                _____________________
        7.7.2.3 unused
                Placeholder argument that is not currently used. This should be
                the address of a longword that is initialized to zero, in order to
                avoid problems if this parameter is to be used in future versions
                of vFastScan.

                _____________________
        7.7.2.4 virus
                If the routine finds a virus, it will return the name of the virus
                in this character string. If the API returns an error, the routine
                will return an error message in this string. In all other cases
                the value of this parameter is undefined.

                                                                               7-3
                The vFastScan API

                _____________________
        7.7.2.5 length
                The number of characters returned in the virus argument, or
                undefined if no value was returned for virus.

                ___________________________
        7.7.3   Description
                This routine will pass the file specified in the first argument
                to the symbiont queue specified in the second. The routine will
                then wait until the symbiont has completed processing the file
                and returned the result.
The routine will set the virus and lengtheQ                parameters depending on the return code. Note that if the queue is P                stopped, the routine will wait until the queue is started and the4                job completed, or the job is deleted.  *                ___________________________          7.7.4   Return Values  ;                   ESAVI__NOVIRDET    no virus was detected.   :                   ESAVI__VIRDET      a virus was detected.  ?                   ESAVI__SAVAPIERR   a SAVI error was returned.b  =                   JBC$_NOSUCHQUE     illegal queue specified.   4                   RMS$_FNF           file not found.  =                   JBC$_NOSUCHQUE     illegal queue specified.   =                   SS$_NOPRIV         file cannot be accessed.i  Q                __________________________________________________________________   "        7.8     VFASTSCAN_GET_STATS  @                Return information about the scanning statistics.  *                ___________________________          7.8.1   Calling SequenceNO                   status = VFASTSCAN_GET_STATS (context, unused, queue, length,H,                   scanned, infected, failed)  Q                   _______________________________________________________________ Q                   Argument___Data_Type__________Access____Mechanism______________p  D                   context    longword           read/write reference  C                   unused     longword           write     referenceo  D                   queue      character string   write     descriptor  C                   length     longword           write     referenceE  C                   scanned    longword           write     referenceh  C                   infected   longword           write     reference   Q                   failed_____longword___________write_____reference______________S                  7-4         Q                                                                 The vFastScan 
API

                ___________________________
        7.8.2   Arguments

                _____________________
        7.8.2.1 context
                When calling this routine for the first time, this variable should
                be set to zero. Subsequent calls should provide the same variable,
                which will be modified as the routine steps through the statistics
                data structure.

                _____________________
        7.8.2.2 unused
                Placeholder argument that is not currently used. This should be
                the address of a longword that is initialized to zero, in order to
                avoid problems if this parameter is to be used in future versions
                of vFastScan.

                _____________________
        7.8.2.3 queue
                The routine will return the name of the next queue. Successive
                calls to the routine will step through all vFastScan queues on the
                current node.

                _____________________
        7.8.2.4 length
                The number of characters returned in the queue argument.

                _____________________
        7.8.2.5 scanned
                The number of files scanned by this queue.

                _____________________
        7.8.2.6 infected
                The number of viruses detected by this queue.

                _____________________
        7.8.2.7 failed
                The number of times that the SAVI routines returned an
                ESAVI__SAVAPIERR.

                ___________________________
        7.8.3   Description
                This routine returns the number of files scanned, the number of
                viruses detected, and the number of failures returned by each
                vFastScan symbiont queue on the current node (if statistics
                logging is enabled in the option file). This routine must be
This routine must besM                called repeatedly, each time returning the counters associated L                with a single queue, until it has indicated that there are noN                more queues. Note that in a cluster environment, you would needL                to execute this routine repeatedly on each node to return all                counters.  Q                                                                               7-5     S                     The vFastScan API        *                ___________________________          7.8.4   Return Values  A                   SS$_Normal         normal successful completionF                .  L                   SS$_Nomoreitems    no more queues (this is a success code)                .  ;                   SS$_Badcontext     illegal context value.p                                                                                                      7-6 T  A                Q                __________________________________________________________________           8       Message Codes      P                When a symbiont starts, it creates a log file in the FASTSCAN_DIRO                directory, using the name of the queue as the filename, and .LOG K                as the file type. The symbiont will log any errors, and manyeP                informational messages to this file, making it the first place toP                check when you suspect something is not right with your vFastScanH                setup. The messages are in the format of standard OpenVMSN                messages, and are listed below, together with an explanation ofQ                the circumstances that can lead to them. 
In some cases, additional
                codes returned by OpenVMS or SAVI procedures will be included to
                provide extra information.

                __________________________________________________________________

        8.1     Individual Error Codes

                The following is the alphabetical listing of error codes.

                ___________________________
        8.1.1   BADIDE

                   Severity:   Error

                   Text:       "SAVI could not load IDE file <filename>"

                   The Sophos API indicated that it had a problem with one of
                   the IDE files in VSWEEP_AUX_DIR. The problem file is named. A
                   similar problem would be encountered if you attempt to use a
                   VSWEEP command. The latter, however, gives a warning message.
                   The symbiont will refuse to start rather than risk missing possible
                   viruses due to the faulty .IDE file.

                   You should examine the IDE file in question. The most likely
                   cause is that its file attributes are wrong. IDE files are
                   normally StreamLF files. Note that only the first problem file
                   is reported.

                ___________________________
        8.1.2   BADNUM

                   Severity:   Error

                   Text:       "Value <value> for <option> is not numeric"

                   The option <option> requires a numeric value, and <value> is
                   not numeric.

                   The previous LOADOPT message in the log file indicates which
                   option file the symbiont was loading.
Check this file, and9                   correct the corresponding option entry.t  Q                                                                               8-1                          Message Codes        *                ___________________________          8.1.3   BADOPTe  #                   Severity:   Error   8                   Text:       "Bad option <option_name>"  J                   A line in one of the option files is not a valid option.  N                   The previous LOADOPT message in the log file indicates whichL                   option file the symbiont was loading. Check this file, and9                   correct the corresponding option entry.d  *                ___________________________          8.1.4   BADRESFAILb  #                   Severity:   Fatal   F                   Text:       "SAVI resource failed - <resource_name>"  K                   An attempt to scan returned a resource failure on a retrysM                   attempt. This message is returned if the SAVIFAIL option ismP                   set to 2, and the attempt to scan the file failed twice (afterN                   the first failure, the symbiont would have reloaded the SAVIN                   before trying it again). The resource_name is either "Out ofM                   Disk" or "Out of Memory". The former indicates insufficientgP                   disk space needed for the creation of temporary files, and theP                   latter normally means the symbiont ran out of Page File Quota.  Q                   For disk resource failure, check the total amount of free spacehL                   on your system disk (or wherever SYS$SCRATCH is pointing).M                   For memory resource failures, you will need to increase the J                   pagefile quota for the symbiont. When the job controllerL                   starts a symbiont, it calculates the pagefile quota for itM                   based on its own. 
The pagefile quota for the Job ControllertP                   is based on the total amount of page file space available (seeO                   the file SYS$STARTUP:VMS$CONFIG-050_JOBCTL.COM for the actual P                   calculation). To increase the quota, increase the size of your;                   page files, or add a secondary page file.s  *                ___________________________          8.1.5   BADSAVI  #                   Severity:   Fatals  E                   Text:       "Bad SAVI option - option was <option>"n  P                   The specified SAVI option was included on an ENABLE or DISABLEK                   list in one of the option files. This is not a valid SAVIr                   option.i  N                   The previous LOADOPT message in the log file indicates whichL                   option file the symbiont was loading. Check this file, and9                   correct the corresponding option entry.s                  8-2 l       Q                                                                     Message Codese        *                ___________________________          8.1.6   COUNTED  )                   Severity:   Informations  K                   Text:       "Total of nn viruses detected out of nn files &                               scanned"  N                   If the STATS option is non-zero, then the symbiont will keepP                   track of the number of files scanned and viruses detected, andM                   will write this to the log file when it exits. If the STATSoO                   option is 1, these numbers give the count since the queue waseP                   started. 
If the STATS option is 3, the numbers are cumulative,N                   and indicate the count since the last time the counters were                   cleared.  *                ___________________________          8.1.7   IDECOUNTr  )                   Severity:   Information_  F                   Text:       "Using nn IDE files from VSWEEP_AUX_DIR"  K                   The symbiont provides information about how many files itnO                   has loaded from the VSWEEP_AUX_DIRECTORY. This information is Q                   provided when the queue starts and whenever it reloads the API. N                   Reloading the API is controlled by the AUTOIDE and SAVI_FAIL                   options.  *                ___________________________          8.1.8   IDENT  )                   Severity:   Informationm  F                   Text:       "vFastscan <version> release date <date>                "  O                   When the symbiont starts it identifies its version number andoL                   release date. This is mainly for providing information forO                   support purposes. The release date is important for licensingoP                   checks. If you have a PAK with a Release Date, the date on theN                   PAK must be the same or later than the date on this message.  *                ___________________________          8.1.9   INITFAIL   #                   Severity:   Fatalo  C                   Text:       "Failed to initialize SAVI <message>"   M                   The symbiont failed to start up the SAVI. The error message_3                   returned by the SAVI is included._  M                   There are many possible reasons for this. Most of them willSO                   also cause a VSWEEP command to fail, such as unable to locatenI                   virus definitions or the LIBSAVI shareable image. Check K                   that the VSWEEP command works. 
If it does, check that the K                   protections on Sophos files allow read and execute in the'N                   SYSTEM field (the first field of the UIC based protections).  Q                                                                               8-3S P  L                    Message Codes        *                ___________________________          8.1.10  INVOPTVAL  #                   Severity:   ErrorP  C                   Text:       "Invalid option <value> for <option>"r  O                   The option referred to has a limited set of valid values, and 6                   the one provided is not one of them.  *                ___________________________          8.1.11  JBCERR   #                   Severity:   FatalF  G                   Text:       "Error communicating with Job Controller"a  P                The symbiont encountered a problem trying to communicate with the                Job Controller.  P                   Check that the Job Controller is still running, and that otherL                   batch and printer queues are still operational, and can beN                   manipulated with SET QUEUE commands. If this error persists,J                   please report it to EuroKom or your local support agent.  *                ___________________________          8.1.12  LICENSE  )                   Severity:   InformationS  D                   Text:       "vFastScan licensed to <customername>"  O                   The customer name to whom the license was issued is containedeQ                   within the Token field of the license PAK. 
The customer name is P                   logged here, and is also displayed in the description field of!                   the queue name.a  *                ___________________________          8.1.13  LITE   )                   Severity:   InformationE  >                   Text:       "vFastScan running in LITE mode"  O                vFastScan was not able to load a valid license PAK, but was ablecP                to locate a PMDF license. In this case, it will run in LITE mode,0                permitting limited functionality.                      8-4 n  M    Q                                                                     Message Codesw        *                ___________________________          8.1.14  LOADDEF  )                   Severity:   Informationo  7                   Text:       "Loading default options"t  L                The symbiont sets the various options to their default values3                before looking for any option files.o  *                ___________________________          8.1.15  LOADOPT  )                   Severity:   Information   :                   Text:       "Loading option file <file>"  L                The symbiont has detected the specified option file, and will%                start to load options.   *                ___________________________          8.1.16  NEWIDE   )                   Severity:   Informationa  O                   Text:       "New IDE file(s) detected - SAVI reload required"m  N                   This message is only seen if the AUTOIDE option is set to 1.N                   Before each scan, the symbiont checks the value of a logicalQ                   name set by the LOAD-IDE-VERSION.COM command procedure. 
If thistN                   value has incremented since the last scan, the symbiont willM                   issue this message, and proceed to reload the Sophos API intC                   order to include the new IDE in the virus checks.d  *                ___________________________          8.1.17  NOPAK  #                   Severity:   Errord  P                   Text:       "Failed to locate valid license PAK for vFastScan"  H                   The symbiont failed to find the vFastScan license PAK.  K                   Check that the license PAK is loaded using a SHOW LICENSE M                   VFASTSCAN command. Note that this version of vFastScan useseP                   standard OpenVMS PAKs, and not the LICENSE.TXT file. DependingK                   on the setting of the LICENSE_EXPIRE option, the symbiont_J                   will either fail to start, or return SS$_NOLICENSE everyO                   time a SCAN command is issued. In either case, you cannot userQ                   vFastScan without a license PAK, unless you are running in LITEeM                   mode. If you get this message, then neither a vFastScan nort<                   PMDF/PMDF-MTA license PAK could be loaded.  P                   Contact EuroKom or your local reseller for a full or temporary                   license PAK.  Q                                                                               8-5  u                       Message Codes        *                ___________________________          8.1.18  NOPMDFC  %                   Severity:   Warning_  A                   Text:       "Failed to locate PMDF license PAK"   Q                   The symbiont checks for a PMDF or PMDF-MTA license PAK to check K                   that you have the appropriate license level. 
This message M                   indicates that it couldn't find a PMDF license, although it 5                   did find a valid vFastScan license.t  O                   This is a warning condition; vFastScan will continue normallyrQ                   in the absence of such a PAK. Although uncommon, it is possiblecN                   and fully supported to run a vFastScan symbiont on one node,P                   and PMDF conversion queues on another within the same cluster.O                   Your vFastScan license should match the rating of the highestsP                   PMDF license in the cluster that is using the symbiont queues.L                   The symbiont, however, has no way of knowing what licensesN                   are loaded on a remote node, hence the warning. Note that ifQ                   neither a PMDF nor vFastScan license is present, vFastScan will_&                   return a NOPAK code.  *                ___________________________          8.1.19  OPTERRS  #                   Severity:   Fatalu  G                   Text:       "Errors in option file - cannot continue"   O                   The symbiont has detected errors in one or more option files, 5                   and will therefore refuse to start.d  P                   Check the log file for the earlier messages that indicate what2                   the errors are and correct them.  *                ___________________________          8.1.20  PARSEFAIL  #                   Severity:   Error   ?                   Text:       "Failed to parse option <option>"w  O                   The symbiont could not parse the line in the option file intoPQ                   an option and value pair, most likely due to the absence of the                     "=" character.  N                   The previous LOADOPT message in the log file indicates whichL                   option file the symbiont was loading. Check this file, and9                   correct the corresponding option entry. 
                  8-6    p    Q                                                                     Message Codes         *                ___________________________          8.1.21  QUESTARTt  %                   Severity:   Success   :                   Text:       "Started queue <queue_name>"  P                   The symbiont indicates that the queue has started successfully4                   and will process files sent to it.  *                ___________________________          8.1.22  QUESTOP  %                   Severity:   Success   L                   Text:       "Received STOP request for queue <queue_name>"  M                   The symbiont has received a request from the Job Controller O                   to stop the queue and will exit normally. This is normally inI2                   response to a STOP/NEXT command.  *                ___________________________          8.1.23  RANGERR  #                   Severity:   Error   B                   Text:       "Value for <option> is out of range"  N                   The option specified requires numeric value within a certainN                   range, and the value provided while numeric, is outside this                   range.  N                   The previous LOADOPT message in the log file indicates whichL                   option file the symbiont was loading. Check this file, and9                   correct the corresponding option entry._  *                ___________________________          8.1.24  RELOAD   %                   Severity:   Successs  6                   Text:       "SAVI has been reloaded"  M                   The symbiont has successfully reloaded the Sophos API. SAVInM                   reloads are controlled by the SAVIFAIL and AUTOIDE options. 
  *                ___________________________          8.1.25  RESFAIL  %                   Severity:   Warnings  H                   Text:       "SAVI resource exhaused - <resource_type>"  P                   The symbiont received an out of resource error from the SophosO                   API when scanning a file. If the value of the SAVIFAIL option M                   is 0, the symbiont will return a SAVAPIERR code to the SCANgQ                   program, which then has the option of failing over to a VSWEEP._N                   If the value of SAVIFAIL is 1 or 2, the symbiont will reloadK                   the Sophos API and try again. If it fails after that, the O                   symbiont will return the SAVAPIERR to the SCAN program if the M                   SAVIFAIL option is 1, and will stop the queue completely if                     SAVIFAIL is 2.  Q                                                                               8-76    U                    Message Codes          K                   See the description of BADRESFAIL for possible actions tos                   take.t  *                ___________________________          8.1.26  RESREFAIL  %                   Severity:   Warnings  O                   Text:       "SAVI resource still exhausted - <resource_type>"_  N                   The symbiont already triggered a RESFAIL, and the retry alsoO                   failed. This message indicates that the SAVIFAIL option is 1,tG                   and the failure will be returned to the SCAN program. 
See the description of RESFAIL and BADRESFAIL for a fuller description of resource failures.

___________________________
8.1.27  RESTART

Severity:   Information

Text:       "Requesting restart of queue <queue_name>"

The symbiont has requested that the Job Controller restart the queue after the current symbiont has exited.

___________________________
8.1.28  SAVIDAT

Severity:   Information

Text:       "SAVI Release date is <date>"

The symbiont provides information about the release date of the Sophos virus library. This should be the same as the date indicated by a VSWEEP command.

___________________________
8.1.29  SAVIDIS

Severity:   Information

Text:       "Disabled SAVI option <xoption_value>
            <SAVI_string>"

The symbiont has explicitly disabled a class of file types. This is because the option_value was included in a DISABLE command.
The SAVI_string is the formal SAVI name of the class that has been disabled.

By default, vFastScan enables all group types except disinfect, and all file types except those that Sophos explicitly recommends against enabling.

8-8

Message Codes

___________________________
8.1.30  SAVIENA

Severity:   Information

Text:       "Enabled SAVI option <xoption_value>
            <SAVI_string>"

The symbiont has explicitly enabled a class of file types. This is because the option_value was included in an ENABLE command. The SAVI_string is the formal SAVI name of the class that has been enabled.

By default, vFastScan enables all group types except disinfect, and all file types except those that Sophos explicitly recommends against enabling.

___________________________
8.1.31  SAVITERM

Severity:   Fatal

Text:       "Failed to shut down SAVI (code <code_value>)"

The symbiont attempted to shut down the Sophos API and got a failure code.
The failure code itself is included in the message.

Please report any such errors to EuroKom or your local support center.

___________________________
8.1.32  SAVIVER

Severity:   Information

Text:       "SAVI Version is <version>, Engine version is
            <version>"

This is an informational message indicating the version number of the Sophos release, and the Sophos engine. These correspond with the versions reported by the VSWEEP command.

___________________________
8.1.33  SAVOPTERR

Severity:   Error

Text:       "SAVI refused to enable/disable option <option>,
            status=<msg>"

When trying to enable or disable a SAVI option, the reported error code was returned by the SAVI.

Please report any such errors to EuroKom or your local support center.

8-9

Message Codes

___________________________
8.1.34  STATFAIL

Severity:   Fatal

Text:       "Failed to initialize STATS module - status =
            <code>"

If the STATS option is non zero, the symbiont attempts to create or map a global section in which to store the counters. This initialization has failed, and the code returned by the system service is provided.

Please report any such errors to EuroKom or your local support center.

___________________________
8.1.35  SYMBEXIT
Severity:   Fatal

Text:       "Symbiont exiting due to unrecoverable error(s)"

The symbiont cannot safely recover from a previous error, and will therefore exit.

Check the log file for the messages that indicate the previous errors, and take the appropriate action.

___________________________
8.1.36  TOOMANYSAVI

Severity:   Error

Text:       "Too many SAVI options"

You have specified too many SAVI options in ENABLE and DISABLE commands.

The number allowed should be adequate for all defined types. Check that you are not repeatedly enabling or disabling the same option in different lines or files. Repeating the same SAVI option in multiple lines is permitted (and may be intended; for instance, the OPTION.DAT might disable a particular option, but some specific option files might re-enable it); however, you cannot exceed 60 enable/disable options.

8-10

Message Codes

___________________________
8.1.37  WRONGPMDF

Severity:   Warning

Text:       "PMDF license PAK (<value>) units exceeds
            vFastScan (<_value>)"

The symbiont will check the level of the PMDF or PMDF-MTA license PAK on this node for compatibility, and issue this warning if the PMDF PAK is of a higher band than the vFastScan PAK.

vFastScan uses the same message banding and licensing that PMDF-MTA does.
Your vFastScan license should be of at least the same rating as the PMDF one. This message suggests that you may be insufficiently licensed. Note that this is a warning message, and that vFastScan will continue to operate normally after issuing it.

Check that your license level is correct. If in doubt, contact EuroKom or your local reseller.

8-11

__________________________________________________________________
A       Setting up a Hold Channel

This appendix describes how you can set up a hold channel on a PMDF system which enables you to examine messages as they appear in the queue before being delivered. This is a useful general purpose tool, which allows you to troubleshoot all kinds of PMDF problems. For example, if attachments are not arriving in a readable manner, you can check the encoding used by examining the file while it is in the queue.

__________________________________________________________________
A.1     Hold Channel

A hold channel is one into which mail is enqueued, but never dequeued. The most straightforward way is to create a channel and mark it as 'slave' using the following entries in the PMDF_CONFIG_FILE:

   ! assuming the domain is company.com
   !
   hold.company.com $U@$D
   !
   ...
   p_hold slave logging
   hold.company.com

This defines a PhoneNet (dialup) channel.
The slave keyword indicates that PMDF expects the remote side to dial in to download the file (it will never submit a job to MAIL$BATCH to deliver it). Since there is no remote site, any messages sent to hold.company.com will simply wait in the PMDF_QUEUE:[P_HOLD] directory until the Message Bouncer times them out.

___________________________
A.1.1   Turning on Virus Scanning for p_hold

You will need to add an entry to the CONVERSION mapping in the PMDF_MAPPING_FILE such as:

   CONVERSION
   ...
    In-Chan=*;Out-Chan=p_hold:Convert Yes
   ...

A-1

Setting up a Hold Channel

Finally, ensure there is an entry in the PMDF_CONVERSION_FILE that activates the new script. The best way to do this is to copy the entry that currently activates your virus script, changing the filename to the new one, and ensuring you have a clause 'Out-Channel=p_hold;'. Ensure this new entry is before any entry with a wildcard 'Out-Channel=*' clause.

__________________________________________________________________
A.2     Testing Virus Sweeping on This Channel

You now have a situation where the test channel is using the new copy of your virus script, and your production channels are using the original.
First check that viruses are being detected by the current VSWEEP method by mailing a virus to the hold channel (you can verify from the Received: headers that the message has gone through conversion). A harmless detection test file, such as the EICAR standard anti-virus test file, is sufficient for this test. You can now make changes to the new copy of the conversion script so that it uses vFastScan and repeat your tests. When you are satisfied that it is working, simply copy the new changed conversion script onto the old one. You are now running vFastScan on your live mail traffic.

A-2