bitdefender free antispam for mailservers unix

FREE ANTISPAM FOR MAILSERVERS

User's guide

BitDefender Free Antispam for Mail ServersUser's guide

Publication date 2010.10.06

Copyright© 2010 BitDefender

BitDefender Free Antispam for Mail Servers

She came to me one morning, one lonely Sunday morningHer long hair flowing in the mid-winter windI know not how she found me, for in darkness I was walkingAnd destruction lay around me, from a fight I could not win


Table of ContentsEnd User Software License Agreement ................................ viiiPreface ..................................................................... xii

1. Conventions used in this book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii1.1. Typographical conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii1.2. Admonitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

2. Book structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv3. Request for Comments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Description ....................................................... 11. Features and Benefits ................................................ 2

1.1. Key Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21.2. Key Benefits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2. BitDefender architecture ............................................. 42.1. The core modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42.2. The integration agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

2.2.1. Sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2.2. qmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2.3. Courier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.4. CommuniGate Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.5. SMTP Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.6. Postfix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Installation ........................................................ 93. Prerequisites ......................................................... 10

3.1. System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.1.1. Hardware system requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.1.2. Software system requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.1.3. Mail servers minimum required versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.2. Package naming convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.2.1. Linux convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.2.2. FreeBSD convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

4. Package installation ................................................ 134.1. Getting BitDefender Free Antispam for Mail Servers . . . . . . . . . . . . . . . . . . . . . . . . 134.2. Install the package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4.2.1. Install the Linux packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134.2.2. Install the FreeBSD packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154.2.3. Install the language package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

4.3. The installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

iv


5. Uninstall .............................................................. 205.1. Uninstall the rpm package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.2. Uninstall the deb package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.3. Uninstall the ipk package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205.4. Uninstall the tbz package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Getting Started ................................................. 226. Start-up and Shut-down ............................................ 23

6.1. Start-up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236.2. Shut-down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246.3. Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

7. BitDefender Status Output ......................................... 267.1. Process Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267.2. Basic Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267.3. Statistical Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

8. MTA Integration ...................................................... 288.1. CommuniGate Pro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

9. Basic Configuration ................................................. 309.1. View Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309.2. Edit Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Advanced Usage ............................................... 3210. Configuration ....................................................... 33

10.1. Group Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3310.1.1. Adding and Editing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3310.1.2. Integration with LDAP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3510.1.3. The Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3610.1.4. Group Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

10.2. Antivirus settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4310.3. Antispam settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

10.3.1. X-Junk-Score Header for CommuniGate Pro Integration . . . . . . . . . . . . . . . 5110.4. Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

10.4.1. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5410.5. The BitDefender Logger Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

10.5.1. The Logger Plugins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5810.6. Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

11. Product Registration ............................................... 6312. Testing BitDefender ................................................ 64

12.1. Antivirus Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6412.1.1. Infected Email Attachment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

v


12.1.2. Infected Attached Archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6512.2. Antispam Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

13. Updates ............................................................. 6713.1. Automatic Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

13.1.1. Time Interval Modification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6713.1.2. Live! Update Proxy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

13.2. Manual Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6913.3. PushUpdate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6913.4. Patches and New Product Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Remote Management ......................................... 7114. BitDefender Remote Admin ....................................... 72

14.1. Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7214.2. Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

14.2.1. Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7314.2.2. License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7414.2.3. About . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

14.3. Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7714.3.1. Configuring Group Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

14.4. Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8614.4.1. Malware Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8614.4.2. Spam Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8814.4.3. Deferred Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

14.5. Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9214.5.1. Antispam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9314.5.2. Spam Submissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9314.5.3. SMTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

14.6. Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9514.6.1. Live! Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9514.6.2. Patches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9614.6.3. Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9714.6.4. Global Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

14.7. Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9914.7.1. Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9914.7.2. Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

14.8. Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10114.8.1. File Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10214.8.2. Mail Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

15. SNMP .............................................................. 10415.1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10415.2. The SNMP Daemon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10415.3. The BitDefender Logger Plugin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

15.3.1. Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

vi


15.3.2. Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10615.3.3. Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

15.4. Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Getting Help .................................................. 11016. Support ............................................................ 111

16.1. Support department . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11116.2. On-line help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

16.2.1. BitDefender Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11116.2.2. BitDefender Unix Servers Mailing List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

16.3. Online Forum . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11316.4. Contact information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

16.4.1. Web Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11316.4.2. BitDefender Offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Appendices ................................................... 116A. Supported antivirus archives and packs ....................... 117B. Alert templates .................................................... 119

B.1. Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119B.2. Sample results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

B.2.1. MailServer Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120B.2.2. Sender Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122B.2.3. Receiver Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124B.2.4. KeyWillExpire Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126B.2.5. KeyHasExpired Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

C. Footer templates .................................................. 128C.1. Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128C.2. Sample results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

C.2.1. Clean . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130C.2.2. Ignored . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130C.2.3. Disinfected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Glossary .................................................................. 132

vii


End User Software License AgreementIF YOU DO NOT AGREE TO THESE TERMS AND CONDITIONS DO NOT INSTALLTHE SOFTWARE. BY SELECTING "I ACCEPT", "OK", "CONTINUE", "YES" OR BYINSTALLING OR USING THE SOFTWARE IN ANY WAY, YOU ARE INDICATINGYOUR COMPLETE UNDERSTANDING AND ACCEPTANCE OF THE TERMS OFTHIS AGREEMENT.

These Terms cover BitDefender Corporate Solutions and Services for Companieslicensed to you, including related documentation and any update and upgrade of theapplications delivered to you under the purchased license or any related serviceagreement as defined in the documentation and any copy of these items.

This License Agreement is a legal agreement between you (either an individual or alegal person) and BITDEFENDER for use of BITDEFENDER's software productidentified above, which includes computer software and services, and may includeassociatedmedia, printedmaterials, and "online" or electronic documentation (hereafterdesignated as "BitDefender"), all of which are protected by international copyright lawsand international treaties. By installing, copying or using BitDefender, you agree to bebound by the terms of this agreement. If you do not agree to the terms of thisagreement, do not install or use BitDefender.

BitDefender License. BitDefender is protected by copyright laws and internationalcopyright treaties, as well as other intellectual property laws and treaties. BitDefenderis licensed, not sold.

GRANT OF LICENSE. BITDEFENDER hereby grants you and only you the followingnon-exclusive, limited, non-transferable and royalty-bearing license to use BitDefender.

APPLICATION SOFTWARE. You may install and use BitDefender, on as manycomputers as necessary with the limitation imposed by the total number of licensedusers. You may make one additional copy for back-up purpose.

SERVER USER LICENSE. This license applies to BitDefender software that providesnetwork services and can be installed on computers that provide network services.You may install this software on as many computers as necessary within the limitationimposed by the total number of users to which these computers provide networkservices. This limitation refers to the total number of users that has to be less than orequal to the number of users of the license.

DESKTOP USER LICENSE. This license applies to BitDefender software that can beinstalled on a single computer and which does not provide network services. Eachprimary user may install this software on a single computer and may make one

End User Software License Agreement viii


additional copy for backup on a different device. The number of primary users allowedis the number of the users of the license

TERMOF LICENSE. The license granted hereunder shall commence on the purchasingdate of BitDefender and shall expire at the end of the period for which the license ispurchased.

EXPIRATION. The product will cease to perform its functions immediately uponexpiration of the license.

UPGRADES. If BitDefender is labeled as an upgrade, you must be properly licensedto use a product identified by BITDEFENDER as being eligible for the upgrade in orderto use BitDefender. A BitDefender labeled as an upgrade replaces and/or supplementsthe product that formed the basis for your eligibility for the upgrade. You may use theresulting upgraded product only in accordance with the terms of this LicenseAgreement. If BitDefender is an upgrade of a component of a package of softwareprograms that you licensed as a single product, BitDefender may be used andtransferred only as part of that single product package and may not be separated foruse by more than the total number of licensed users. The terms and conditions of thislicense replace and supersede any previous agreements that may have existedbetween you and BITDEFENDER regarding the original product or the resultingupgraded product.

COPYRIGHT. All rights, titles and interest in and to BitDefender and all copyright rightsin and to BitDefender (including but not limited to any images, photographs, logos,animations, video, audio, music, text, and "applets" incorporated into BitDefender),the accompanying printed materials, and any copies of BitDefender are owned byBITDEFENDER. BitDefender is protected by copyright laws and international treatyprovisions. Therefore, you must treat BitDefender like any other copyrighted material.You may not copy the printed materials accompanying BitDefender. You must produceand include all copyright notices in their original form for all copies created irrespectiveof the media or form in which BitDefender exists. You may not sub-license, rent, sell,lease or share the BitDefender license. You may not reverse engineer, recompile,disassemble, create derivative works, modify, translate, or make any attempt to discoverthe source code for BitDefender.

LIMITEDWARRANTY. BITDEFENDERwarrants that themedia on which BitDefenderis distributed is free from defects for a period of thirty days from the date of deliveryof BitDefender to you. Your sole remedy for a breach of this warranty will be thatBITDEFENDER, at its option, may replace the defective media upon receipt of thedamaged media, or refund the money you paid for BitDefender. BITDEFENDER doesnot warrant that BitDefender will be uninterrupted or error free or that the errors will

End User Software License Agreement ix


be corrected. BITDEFENDER does not warrant that BitDefender will meet yourrequirements.

EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, BITDEFENDERDISCLAIMS ALL OTHERWARRANTIES, EXPRESS OR IMPLIED, WITH RESPECTTOTHEPRODUCTS, ENHANCEMENTS,MAINTENANCEORSUPPORTRELATEDTHERETO, OR ANY OTHER MATERIALS (TANGIBLE OR INTANGIBLE) ORSERVICESSUPPLIEDBYHIM. BITDEFENDERHEREBYEXPRESSLYDISCLAIMSANY IMPLIED WARRANTIES AND CONDITIONS, INCLUDING, WITHOUTLIMITATION, THE IMPLIEDWARRANTIES OF MERCHANTABILITY, FITNESS FORA PARTICULAR PURPOSE, TITLE, NON-INTERFERENCE, ACCURACY OF DATA,ACCURACY OF INFORMATIONAL CONTENT, SYSTEM INTEGRATION, ANDNON-INFRINGEMENTOF THIRDPARTYRIGHTS by filtering, disabling, or removingsuch third party's software, spyware, adware, cookies, emails, DOCUMENTS,advertisements or the like, WHETHER ARISING BY STATUTE, LAW, COURSE OFDEALING, CUSTOM AND PRACTICE, OR TRADE USAGE.

DISCLAIMEROFDAMAGES. Anyone using, testing, or evaluating BitDefender bearsall risk to the quality and performance of BitDefender. In no event shall BITDEFENDERbe liable for any damages of any kind, including, without limitation, direct or indirectdamages arising out of the use, performance, or delivery of BitDefender, even ifBITDEFENDER has been advised of the existence or possibility of such damages.

SOME STATES DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITYFOR INCIDENTALORCONSEQUENTIALDAMAGES, SOTHEABOVE LIMITATIONOR EXCLUSION MAY NOT APPLY TO YOU.

IN NOCASESHALL BITDEFENDER'S LIABILITY EXCEEDTHEPURCHASEPRICEPAID BY YOU FOR BITDEFENDER. The disclaimers and limitations set forth abovewill apply regardless of whether you accept to use, evaluate, or test BitDefender.

IMPORTANT NOTICE TO USERS. THIS SOFTWARE IS NOT FAULT-TOLERANTAND IS NOT DESIGNED OR INTENDED FOR USE IN ANY HAZARDOUSENVIRONMENT REQUIRING FAIL-SAFE PERFORMANCE OR OPERATION. THISSOFTWARE IS NOT FOR USE IN THE OPERATION OF AIRCRAFT NAVIGATION,NUCLEAR FACILITIES, OR COMMUNICATION SYSTEMS, WEAPONS SYSTEMS,DIRECT OR INDIRECT LIFE-SUPPORT SYSTEMS, AIR TRAFFIC CONTROL, ORANY APPLICATION OR INSTALLATION WHERE FAILURE COULD RESULT INDEATH, SEVERE PHYSICAL INJURY OR PROPERTY DAMAGE.

GENERAL. This Agreement will be governed by the laws of Romania and byinternational copyright regulations and treaties. The exclusive jurisdiction and venueto adjudicate any dispute arising out of these License Terms shall be of the courts ofRomania.

End User Software License Agreement x


Prices, costs and fees for use of BitDefender are subject to change without prior noticeto you.

In the event of invalidity of any provision of this Agreement, the invalidity shall notaffect the validity of the remaining portions of this Agreement.

BitDefender and BitDefender logos are trademarks of BITDEFENDER. All othertrademarks used in the product or in associated materials are the property of theirrespective owners.

The license will terminate immediately without notice if you are in breach of any of itsterms and conditions. You shall not be entitled to a refund from BITDEFENDER orany resellers of BitDefender as a result of termination. The terms and conditionsconcerning confidentiality and restrictions on use shall remain in force even after anytermination.

BITDEFENDER may revise these Terms at any time and the revised terms shallautomatically apply to the corresponding versions of the Software distributed with therevised terms. If any part of these Terms is found void and unenforceable, it will notaffect the validity of rest of the Terms, which shall remain valid and enforceable.

In case of controversy or inconsistency between translations of these Terms to otherlanguages, the English version issued by BITDEFENDER shall prevail.

Contact BITDEFENDER, at Preciziei Boulevard, no. 24,West Gate Building H2, groundfloor, 6th district, Bucharest, Romania, or at Tel No: 40-21-2330780 orFax:40-21-2330763, e-mail address: [email protected]

End User Software License Agreement xi


mailto:[email protected]

PrefaceThis User's guide is intended for all System Administrators who have chosenBitDefender Free Antispam for Mail Servers as security solution for their Email Servers.The information presented in this book is suitable not only for computer literates, it isaccessible to everyone who is able to do administrative tasks on a Linux or UNIX box.

This book will describe for you BitDefender Free Antispam for Mail Servers, theCompany and the team who built it, it will guide you through the installation process,teach you how to configure it to the very detail. You will find out how to use BitDefenderFree Antispam for Mail Servers, how to update, interrogate, test and customize it. Youwill learn how to integrate it with various software and how to get the best fromBitDefender.

We wish you a pleasant and useful reading.

1. Conventions used in this book1.1. Typographical conventions

Several text styles are used in the book for an improved readability. Their aspect andmeaning are presented in the table below.

DescriptionAppearanceVariables and some numerical data are printedwith monospaced characters.

variable

The URL links point to some external location,on http or ftp servers.

http://www.bitdefender.com

Emails are inserted in the text for contactinformation.

[email protected]

This is an internal link, towards some locationinside the document.

Chapter 4 “Package installation” (p.13)

File and directories are printed usingmonospaced font.

filename

Environment variables are MONOSPACEDCAPITALS.

ENV_VAR

Preface xii




DescriptionAppearanceEmphasized text specially marked to call yourattention.

emphasized

Provided as reference.“quoted text”Inline commands are printed using strongcharacters.

command

Command examples are printed in strongmonospaced characters in a specially marked# command -parameter

environment. The prompt can be one of thefollowing.

#The root prompt. You should be root in orderto run this command.

$The normal user prompt. You do not needspecial privileges to run the command.

Screen output and code listings are printed inmonospaced characters in a specially markedenvironment.

screen output

It refers to a man page.bdlogd(8)

1.2. AdmonitionsAdmonitions are in-text notes, graphically marked, offering additional informationrelated to the current paragraph.

NoteThe note is just a short observation. Although you can omit them, notes can providevaluable information, such as a specific feature or a link to some related topic.

ImportantThis requires your attention and it is not recommended to skip it. Usually, it providesnon-critical but significant information.

Preface xiii


WarningThis is critical information you should treat with increased caution. Nothing bad willhappen if you follow the indications. You should read and understand it, because itdescribes something extremely risky.

2. Book structureThe book consists of four parts, containing the following major topics: Description andfeatures, Installation, Usage and Getting help. Moreover, a glossary and UNIX manualpages are provided to clarify different aspects of BitDefender, which could causetechnical problems.

Description. A short introduction to BitDefender. It explains who is BitDefender, andthe Data Security Division. You are presented BitDefender Free Antispam for MailServers, its features, the product components and the basics of the integration andthe scanning mechanism.

Installation. Step by step instructions for installing BitDefender on a system. Startingwith the prerequisites for a successful installation, you are guided through the wholeinstallation process. Finally, the uninstall procedure is described in case you need touninstall BitDefender.

Getting Started. Description of basic administration and maintenance of BitDefender.Advanced Usage. You are presented the BitDefender configuration tools, how toget run-time information, how to test antivirus efficiency, how to perform updates andhow to register the product.

Remote Management. You will learn how to make the best of BitDefender remotely,by using several remote administration tools.

Getting Help. Where to look and where to ask for help if something goes not so right.You are presented the Knowledge Base and offered the BitDefender and BitDefenderpartners contact information to call, if needed.

Appendices. The Appendices present exhaustive information about configuration,email templates and in-depth discussions over tricky parts.

Glossary. The Glossary tries to explain some technical and uncommon terms youwill find in the pages of this book.

Preface xiv


3. Request for CommentsWe invite you to help us improve the book. We have tested and verified all of theinformation to the best of our ability, but you may find that features have changed (oreven that we have made mistakes). Please write to tell us about any flaws you find inthis book or how you think it could be improved, to help us provide you the bestdocumentation possible.

Let us know by sending an email to [email protected].

Preface xv



Description

1


1. Features and BenefitsComprehensive antimalware protection for UNIX-based Mail Servers. Designedfor UNIX-based mail servers, BitDefender Free Antispam for Mail Servers bringstogether proactive antispam, antiphishing and content filtering technologies to securethe mail traffic of companies and Service Providers.

1.1. Key Features● Fast and easy deployment● Easy integration with your current mail services● Compatible with most major e-mail platforms● Multiple layers of antispam filtering● Content and attachment filtering● Intuitive program interface● Available in both 32-bit and 64-bit versions

1.2. Key Benefits● Compatibility

Includes dedicated agents for automatic integration with several of the mostpopular mail transfer agents such as Sendmail (milter), Postfix, Courier, qmailand CommuniGate ProFully complies with FHS (Filesystem Hierarchy Standard), operating in acompletely non-intrusive mannerEnsures compatibility with all major Unix-based platforms due to its rpm, deb andgeneric .tar.run packages

● Increased Business ProductivityReducesmail traffic and saves network resources due to its extensive antimalwareprotection capabilitiesThrough its optimized scanning process, increases mail delivery speed andreduces server workloadImproves the IT manager's productivity and prevents the loss of confidentialinformation by filtering all mail passing through the mail server based on:

– content (subject line, body, sender, recipient) and attachment

– the criteria defined for the existing user groupsProvides a highly efficient multi-layered antispam protection system which:

Features and Benefits 2


– reduces mail traffic by accurately classifying messages as spam, phishing orlegitimate

– blocks unsolicited mail based on several filters, among which:

● the Bayesian Filter, which you can train to learn the specifics of spam e-mailreceived by your server

● the Real-time Blackhole List (RBL) filter, which identifies spam based onmailservers' reputation as spam senders

– Allows configuring antispam filter sensitivity by setting very demanding orrelaxed thresholds for each user group

Provides WBL (White List/ Blacklist) support, allowing you to set a list of trustedand untrusted addresses based on which to respectively "always accept" or"always reject" mail

● Increased UsabilityAllows you to filter mail traffic more flexibly, leveraging antispam, content andattachment filtering policies for different groups or usersGenerates detailed statistics and reports related to the solution's activitySends customizable e-mail notifications about its activityAllows you to remotely configure mail protection through its management toolsA dedicated command line interface allows performing post-install configurationand administration tasksCan isolate dangerous or restricted mail in a quarantine zone to be dealt withlaterThe quarantine area is searchable based upon regular expressions, sender,recipient, date and causeAllows performingmanagement actions via SNMP bymeans of its SNMPDaemonPlug-inCan send administration alerts to three different hosts, through the SNMP Loggerplug-in

Features and Benefits 3


2. BitDefender architectureBitDefender is a highly complex modular structure. It is made up of several centralcomponents and additional modules, each of them having assigned a specific task.The modules are loaded during BitDefender startup and enabled or not, according tothe user's preferences. On a UNIX-like system, these components run as daemons,on one or multiple threads, and communicate with the others.

2.1. The core modulesListed by their file names, the core modules are represented in the following table.

DescriptionModuleThe BitDefender Core Monitor is the supervisor of several BitDefendermodules. When one of them crashes, the Core Monitor isolates the

bdmond

object causing the crash in a special quarantine directory, notifies theadministrator and restarts the involved module. Thus, even if oneprocess dies, the whole filtering activity is not disturbed, ensuringcontinuous server protection.This is the BitDefender Scan Daemon. Its purpose is to integrate thescanning engines, receive scanning requests from several daemons,

bdscand

such as the mail daemon or the file daemon. It scans the objects, takesthe necessary actions and sends back the object and the scanningresults.The BitDefender Mail Daemon has the role of receiving scanningrequests from the MTA integration agents. It calls the Scan Daemon

bdmaild

to perform the scan, expecting the scanning results from it. Then itapplies its actions and sends back the results to the MTA integrationagent.The BitDefender Registry is made up of the bdregd program and aset of XML files, where it stores the BitDefender configuration. The

bdregd

daemon receives requests to read from and to write to the settings file,requests initiated by the other processes. The Registry can receiverequests from other hosts too, using a secured tcp connection on port8138. All remote communication is done using SSL (Secure SocketLayer). This is only useful when you are using some Remote AdminConsole, eventually running on some non-UNIX Operating System. If

BitDefender architecture 4


DescriptionModulenot, for security reasons, it is recommended to keep this featuredisabled (it is disabled by default).

Manually editing the RegistryEven if the XML files are human-readable (and writable, too), youshould never try to edit them manually. Due to their high complexity,the XML files should only be modified by means of the providedconfiguration tools, such as the bdsafe command or the RemoteAdministration Consoles.

The BitDefender Logger is a complex component, handling all loggingand notification actions of BitDefender. There are several types oflogging, all of them realized by plugins.

bdlogd

● file logging: the data is sent to a normal log file, respecting a typicalformat.

● mail notification: alerts are sent by email to the server administratoror to the sender and the recipients of an email, on special events(such as infected email found).

● Real Time Virus and Spam Report: anonymous statistics are sentto BitDefender Labs to keep a map of malware activity and to detectoutbreaks.

● SNMP: notifications can be sent through the SNMP protocol todesignated hosts.

The BitDefender Live! Update is the module responsible with updatingthe scanning engines and some other BitDefender components. The

bdlived

module runs continuously and periodically checks the update server.It can also be triggeredmanually or by the Update Pushingmechanism.

More about Live! UpdateBitDefender Live! Update and the update process are described inChapter 13 “Updates” (p. 67).

bdsnmpd accepts SNMP GET and SET messages related toBitDefender registry keys. Thus, an authorized user is able to readand modify some of the BitDefender configuration settings remotely.

bdsnmpd



2.2. The integration agentsThe message body and attachments will be verified in order to detect infected filesand back door, trojan, worm files to prevent their spreading into the network.

Only clean messages will be delivered to the mail clients or will be further sent to themail recipients outside the company. Based on the administrator's option, infectedmessages are disinfected, deleted or isolated in a certain location on the server, thequarantine zone.

2.2.1. SendmailThe Sendmail agent is the filtering solution for the Sendmail with Milter interface emailserver. Milter allows third-party programs to access mail messages through severalcall-backs.

Sendmail integration

The incoming email will normally arrive to Sendmail,from local or remote machines. Through the milterinterface, Sendmail allows the BitDefender agent toinspect the email. The agent calls the BitDefender coreto scan it and, after scanning, the results are passedthrough the milter interface back to Sendmail, which willdeliver the message as usual, if there is something todeliver.

2.2.2. qmailInside the qmail MTA, qmail-queue is the central component. All the emails comingfrom local or remote senders pass through this component. Therefore email trafficcan be captured by capturing the traffic of qmail-queue.

qmail integration

Remote or local incoming emails arefirst passed to the BitDefender qmailintegration agent. This will sendthem to the BitDefender core forscanning and then to the originalqmail-queue, which will deliver themas usual. From the qmailpoint-of-view, the filtering process istransparent.



2.2.3. CourierThe central module of the Courier system is submit, an uniform mechanism whichads messages to the mail queue. Capturing its traffic is capturing the server's traffic.

Courier integration

Remote or local incoming emails arefirst passed to the BitDefenderCourier integration agent, namedbdcourier. This will pass them on tothe BitDefender core for scanningand then to the original submit,which will enqueue them as usual.From the Courier point-of-view, thefiltering process is transparent.

2.2.4. CommuniGate ProThe BitDefender integration agent should be incorporated by the CommuniGate Pro,using its own filtering mechanism, in order to receive the email traffic.

CommuniGate Pro integration

Remote or local incoming emails are passed to theBitDefender CommuniGate Pro agent, registered asintrinsic filter. This will call the BitDefender core toscan the emails and then pass them back to the MTA,which will process them as usual.

2.2.5. SMTP ProxyThe SMTP integration varies with each other MTA.Since we can not cover all possible variants, we canoffer a short description of the integration and let you figure out how to apply it to yourSMTP server.

SMTP Proxy integration

The incoming email will arrive on port25 of the machine. On this port it is notthe original Mail Transport Agent thatis listening, but a special BitDefendercomponent, the SMTP Proxy module.On receiving the message, theBitDefender Agent will pass it to theBitDefender core for scanning. The coredoes the usual scanning and passes



the results back to the agent. If found clean or if there is something to pass to theMTA, BitDefender SMTP Proxy agent contacts the MTA on the new port this isconfigured to listen on, by default 10025, and sends the email, as if coming from theoriginal source. The whole filtering process is transparent to the Mail Transport Agent.

BitDefender and MTA on different machinesBitDefender SMTP Proxy can be installed on one machine passing the scanned emailsto the MTA, running on another machine. In this case, the MTA can listen on the defaultSMTP port, 25, as usual.

2.2.6. PostfixThe Postfix integration agent is virtual: there is no specific BitDefender component toperform the MTA integration. Instead, for Postfix you can use the general SMTP Proxyagent, adequately configured.

Postfix integration

Briefly, the integrationis made using thee x t e r n a l ,m e d i u m - w e i g h t ,real-time ContentInspection method, asdescribed in theoriginal Postfixdocumentation. Thereare two Postfix processes running. The first one, listening on the standard SMTP port,receives all the incoming traffic and does the usual email filtering. The second one,listening on a higher port, by default 10026, receives the email from the filter andsends it to the standard processing. In the middle, there is the BitDefender Postfixagent listening on another higher port, 10025 by default. It receives all the trafficpassed from the first process, passes it to the BitDefender core for scanning and finallysends the traffic to the second Postfix process.



Installation

9


3. PrerequisitesBitDefender Free Antispam for Mail Servers can be installed on package-based Linuxdistributions (rpm or deb) and tbz based FreeBSD versions. Other distributions aresupported by using the ipkg package system, with the same functionality. The packagesinclude all the necessary pre-install, post-install, pre-remove and post-remove scripts.The adequate package type should be installed according to the distribution.

3.1. System RequirementsBefore installing BitDefender Free Antispam for Mail Servers, you must verify thatyour system meets the following system requirements:

3.1.1. Hardware system requirementsProcessor type

x86 compatible, minimum 800MHz, but do not expect great performance in thiscase. An i686 generation processor, running at 1.4Ghz, would make a betterchoice.

MemoryThe minimum accepted value is 128MB (recommended is at least 256MB, for abetter performance).

Free disk spaceThe minimum free disk space to install and run BitDefender Free Antispam forMail Servers is 60MB. But the log and the quarantine directories will require morespace - 200MB of free space would be welcome.

Internet connectionAlthough BitDefender Free Antispam for Mail Servers will run with no Internetconnection, the update procedure will require an active HTTP link, even throughsome proxy server. Therefore, for an up to date protection, the Internet connectionis a MUST.

3.1.2. Software system requirementsLinux requirements

The Linux kernel should be at least 2.6.18.

Prerequisites 10


BitDefender requires glibc version 2.3.1, or newer, and libstdc++ from gcc4 or newer.

The supported Linux distributions are the next ones:● RedHat enterprise Linux 3 or newer● SuSE Linux Enterprise Server 9 or newer● Suse Linux 8.2 or newer● RedHat Linux 9● Fedora Core 1 or newer● Debian GNU/Linux 3.1 or newer● Slackware 9.x or newer● Mandrake/Mandriva 9.1 or newer● Gentoo 1.4 or newer

FreeBSD requirements:The supported FreeBSD versions are 5.4-RELEASE or newer.

The FreeBSD older versions are no longer supported.

3.1.3. Mail servers minimum required versionsSendmail

version 8.12.1, with Milter interface

Postfixany 2.x version

qmail1.03 version at least

Courier0.42.x versions at least

CommuniGate Pro4.1.1 version at least

SMTPany SMTP server able to listen on another port than 25

3.2. Package naming conventionThe BitDefender Free Antispam for Mail Servers package is named considering thefollowing scheme:

Prerequisites 11


3.2.1. Linux conventionLinux packages are named according to the following rule.

BitDefender-Antispam-{ver}-{os}-{arch}.{pkg}.run

DescriptionVariableThis is the package version. For example, 2.1-1 is version 2, subversion1, package build 1.

{ver}

The operating system is Linux, with GCC 4.x compiler.{os}

The architecture contains the processor class. i586 and amd64 are thecurrent versions.

{arch}

This stands for the package management tool name. Therefore, it is rpmfor Red Hat Manager, deb for Debian and ipk for IPKG.

{pkg}

3.2.2. FreeBSD conventionThere are two FreeBSD packages, namely:

bitdefender-common-{ver}.tbzbitdefender-antispam-{ver}.tbz

Where {ver} is the package version. For example, 2.1_1 is version 2, subversion 1,package build 1.

Prerequisites 12


4. Package installationThis chapter explains how to install BitDefender on a Unix-like system, such as Linuxor FreeBSD. This is pretty straightforward: get the desired package, test it for integrity,then install it.

4.1. Getting BitDefender Free Antispam for MailServers

The package can be downloaded from the BitDefender servers or it can be found ondifferent distributionmedia, such as CD-ROM.When downloading from the BitDefenderservers, you will be asked to fill in a form and you will receive an email on the addressyou have provided in this form. The email contains the download location.

The Linux packages come in three flavours:

● rpm for distributions using the RedHat Linux package management● deb for distributions using Debian Linux packaging system● ipk for any other distribution using IPKG, the Itsy Package Management System

The FreeBSD packages are tbz (.tar.bz) compressed archives, adequate for FreeBSDstarting from version 5.

4.2. Install the packageThere is a common installation method for rpm, deb and ipk, as well as severalmethods for FreeBSD.

4.2.1. Install the Linux packagesThe packages should be installed using the following command:

# sh BitDefender-Antispam-{ver}-{os}-{arch}.{pkg}.run

This will unpack the BitDefender packages, according to the package type, and installthem using the packagemanager. The packages contain the BitDefender files (engines,core, etc.), the install and uninstall scripts.

Package installation 13


Let's take some examples.

To install BitDefender Free Antispam for Mail Servers on a RedHat based distributionyou have to run the following command:

# sh BitDefender-Antispam-{ver}-{os}-{arch}.rpm.run

To install BitDefender Free Antispam for Mail Servers on a Debian based distributionyou have to run the following command:

# sh BitDefender-Antispam-{ver}-{os}-{arch}.deb.run

The ipk version of the archive will install the ipkg tools on the system and will usethem to install the .ipk packages.

To install BitDefender Free Antispam for Mail Servers on any Linux distribution, usingipkg, you have to run the following command:

# sh BitDefender-Antispam-{ver}-{os}-{arch}.ipk.run

Additional parametersFor the not-so-impatient user, the self-extractable archive provides some commandline parameters, described in the following table:

DescriptionParameterPrints the short help messages.--help

This will print the archive information, such as the title, the defaulttarget directory, the embedded script to be run after unpacking, the

--info

compression method used, the uncompressed size, the packagingdate.This option will print the content of the embedded archive. The listedfiles are the engines, the program binaries, the embedded

--list

documentation, the install and uninstall script along with their sizeand permissions.This is one of the most useful options, because it enables the userto verify package integrity, as stated above. The integrity is checked

--check



DescriptionParametercomparing the embedded md5 checksum (generated duringpackaging) with the one computed at the time of the check. If theymatch, the output will be the following:

MD5 checksums are OK. All good.

If not, an error message will be shown, displaying the non-matchingstored and computed checksums, as follows:

Error in MD5 checksums: X is different from Y

The user will be asked to confirm every step of the install process.--confirm

By default, the archive content is extracted to a temporary directory,which will be removed after the embedded installer exits. Addingthis parameter to the script will not remove the directory.

--keep

You can specify another directory to extract the archive to, if youdon't want to use the default name. Note that this target directorywill not be removed.

--targetdirectory

Run the embedded uninstaller script instead of the normal installer.--uninstall

4.2.2. Install the FreeBSD packagesThe packages should be installed using the following command:

# sh BitDefender-Antispam-{ver}-{os}-{arch}.tbz.run

This will unpack the BitDefender packages, according to the package type, and installthem using the packagemanager. The packages contain the BitDefender files (engines,core, etc.), the install and uninstall scripts.

Additional parametersFor the not-so-impatient user, the self-extractable archive provides some commandline parameters, described in the following table:



DescriptionParameterPrints the short help messages.--help

This will print the archive information, such as the title, the defaulttarget directory, the embedded script to be run after unpacking, the

--info

compression method used, the uncompressed size, the packagingdate.This option will print the content of the embedded archive. The listedfiles are the engines, the program binaries, the embedded

--list

documentation, the install and uninstall script along with their sizeand permissions.This is one of the most useful options, because it enables the userto verify package integrity, as stated above. The integrity is checked

--check

comparing the embedded md5 checksum (generated duringpackaging) with the one computed at the time of the check. If theymatch, the output will be the following:

MD5 checksums are OK. All good.

If not, an error message will be shown, displaying the non-matchingstored and computed checksums, as follows:

Error in MD5 checksums: X is different from Y

The user will be asked to confirm every step of the install process.--confirm

By default, the archive content is extracted to a temporary directory,which will be removed after the embedded installer exits. Addingthis parameter to the script will not remove the directory.

--keep

You can specify another directory to extract the archive to, if youdon't want to use the default name. Note that this target directorywill not be removed.

--targetdirectory

Run the embedded uninstaller script instead of the normal installer.--uninstall



4.2.3. Install the language packageYou have the possibility to choose the language you are familiar with at install time.By doing so, the help messages, error messages, etc. will be displayed in accordancewith your choice.

To install the language package on your computer, you just have to run the followingcommand:

# sh BitDefender-Antispam-langpack-{ver}-{os}-\{arch}.{pkg}.run

It automatically detects the language of the system locale via the LANG environmentvariable.

The language localization files will be placed under the following directory:/opt/BitDefender/share/locale/[lang]/.

A link pointing to /opt/BitDefender/share will be made as/usr/share/bitdefender.

However, if you are dissatisfied with the chosen language, you can configure thisoption, setting another language to display in. This can be done either by changingthe value of the LANG variable or by using a configuration key together with bdsafetool.

This is the command you should run if you have decided to use bdsafe tool.

# bdsafe lang LL_CC.UTF-8

LL stands for language code (ISO 639) and CC for country code (ISO 3166). Forexample, if you want to set the language to display in to be Romanian, run thecommand:

# bdsafe lang ro_RO.UTF-8

ImportantYour terminal must support UTF-8 encoding.



If you didn't install the language pack in the first place, just install it through the packagemanager any time you like.

4.3. The installerAfter unpacking the archive, the installer is launched. This is a text based installer,created to run on very different configurations. Its purpose is to install the extractedpackages to their locations and to make the first configuration of BitDefender FreeAntispam for Mail Servers, while asking you few questions. To accept the defaultconfiguration the installer offers (which is recommended), just press the ENTER keywhen prompted.

First, the License Agreement is displayed. You are invited to read the full content bypressing the SPACE bar to go to the next page or ENTER for one line a time. In orderto continue the installation process, you must read and agree to this LicenseAgreement, by literally typing the word accept when prompted. Note that typinganything else or nothing at all means you do not agree to the License Agreement andthe installation process will stop.

Next, you are asked what integration agents to install. You can choose one or morefrom this list.

1. CommuniGate Pro2. Courier3. Postfix4. qmail5. Sendmail-Milter6. SMTP Proxy - works with any Mail Transfer Agent

Please enter the corresponding numbers, when prompted, separated by empty spaces.For example, to install the integration agents for Sendmail Milter or qmail, enter 3 or4.

The next question regards the RBL feature. You will be asked to specify the DNSserver and one or more RBL servers.

At this point, the installer has acquired all the necessary information and it will beginthe install process. Basically, it will install the engines, the binaries and thedocumentation and it will make the post-install configuration. This is a short list of itsactions on your Linux or FreeBSD system:



● Creates the bitdefender user and group and assigns the installation directory toit.

● Installs the manpages and configures the MANPATH accordingly.● Appends to the dynamic library loader configuration file the path to the BitDefenderlibraries.

● Creates a symbolic link to the configuration directory in /etc.● Integrates BitDefender in the system init scripts.● Finally, BitDefender Free Antispam for Mail Servers is started-up.



5. UninstallIf you ever need to remove BitDefender Free Antispam for Mail Servers, there areseveral methods to do it, depending on the package type.

5.1. Uninstall the rpm packageTo uninstall BitDefender Free Antispam for Mail Servers on an rpm package managerbased distribution, you have to run the following commands:

# rpm -e BitDefender-antispam# rpm -e BitDefender-common

5.2. Uninstall the deb packageTo uninstall BitDefender Free Antispam for Mail Servers using dpkg, on a deb packagemanager based distribution, you have to run the following commands:

# dpkg -r BitDefender-antispam# dpkg -r BitDefender-common

5.3. Uninstall the ipk packageTo uninstall BitDefender Free Antispam for Mail Servers using ipkg, you have to runthe following commands:

# ipkg-cl remove bitdefender-antispam# ipkg-cl remove bitdefender-common

NoteThe ipkg command must be run from the following location: /opt/ipkg/bin/

Uninstall 20


5.4. Uninstall the tbz packageTo uninstall BitDefender Free Antispam for Mail Servers you can either use pkg_deletecommand, by running the folowing commands:

# pkg_delete bitdefender-antispam-{ver}# pkg_delete -r bitdefender-common-{ver}

NoteReplace {ver} with the version of package returned by the pkg_info command.

Or, using pkg_deinstall, part of sysutils/portupgrade, run the following command:

# pkg_deinstall

bitdefender-antispam

bitdefender-common

Alternative uninstallYou can also uninstall the product this way:

# BitDefender-Antispam-{ver}-{os}-{arch}.{pkg}\.run --uninstall

Uninstall 21


Getting Started

22


6. Start-up and Shut-downBitDefender Free Antispam for Mail Servers should be integrated into the system initscripts, in order to start at system initialization and stop at system shut down. Onceintegrated, the server will be protected all the time, since all BitDefender services willbe up and running. Normally, there is no need for the user to manually start or stopBitDefender, but there are administrative tasks when such actions might be necessary.In this chapter you will find how you can safely start and stop the BitDefender services.

The bd(8) commandThe program bd(8), included in BitDefender programs, plays the role of init script. Amongthe many parameters it supports, there are the standard start, stop, restart,with obvious actions. The standard location of the program is/opt/BitDefender/bin/bd, in case of a standard straight-forward installation.If you have chosen a different installation directory, please use the correct path whencalling this program.As init script, bd(8) is symbolically linked, by the install program, to the system specificinit directory, such as /etc/init.d/bd (for System V type initscripts) or/etc/rc.d/rc.bd (for BSD type initscripts). Therefore, according to your distribution,the following commands are identical, doing the same thing in the same way. Forexample, they will start BitDefender.

# /opt/BitDefender/bin/bd start- or -

# /etc/init.d/bd start- or -

# /etc/rc.d/rc.bd start- or -

# service bd start

For convenience, the program is always referred to in this document using the first form,but remember you can use all the forms presented above. Use the one that fits youbest.

6.1. Start-upIn order to start BitDefender Free Antispam for Mail Servers, you have to run thefollowing command (for alternate forms, please see the note above).

Start-up and Shut-down 23


# /opt/BitDefender/bin/bd start

The result will be similar to the screen provided as an example below. Note that if youhave more components installed, there will be more corresponding output lines.

* Starting bdregd ... [ ok ]* Starting bdlogd ... [ ok ]* Starting bdscand ... [ ok ]* Starting bdmaild ... [ ok ]* Starting bdlived ... [ ok ]* Starting bdmond ... [ ok ]* Starting bdsmtpd ... [ ok ]

Please wait for all the services to be started up. The script will return to the shell whenall processes have been initialized. If there are any errors while initializing, they willbe reported.

6.2. Shut-downIn order to shut down BitDefender Free Antispam for Mail Servers, you have to runthe following command (for alternate forms, please see the note above).

# /opt/BitDefender/bin/bd stop

The output will be similar to the following screen, provided as an example. Note thatif you have more components installed and running, there will be more correspondingoutput lines.

* Stopping bdsmtpd ... [ ok ]* Stopping bdmond ... [ ok ]* Stopping bdlived ... [ ok ]* Stopping bdscand ... [ ok ]* Stopping bdmaild ... [ ok ]* Stopping bdlogd ... [ ok ]* Stopping bdregd ... [ ok ]

The processes will be shut down in the reverse order of the start up. Please wait forall the services to be stopped. The script will return to the shell when there are no



more running processes. If there are any errors while shutting down, they will bereported.

6.3. RestartA simple restart of all the BitDefender services can be done by running the followingcommand (for alternate forms, please see the note above).

# /opt/BitDefender/bin/bd restart

The output is similar to those described above.

* Stopping bdsmtpd ... [ ok ]* Stopping bdmond ... [ ok ]* Stopping bdlived ... [ ok ]* Stopping bdscand ... [ ok ]* Stopping bdmaild ... [ ok ]* Stopping bdlogd ... [ ok ]* Stopping bdregd ... [ ok ]* Starting bdregd ... [ ok ]* Starting bdlogd ... [ ok ]* Starting bdscand ... [ ok ]* Starting bdmaild ... [ ok ]* Starting bdlived ... [ ok ]* Starting bdmond ... [ ok ]* Starting bdsmtpd ... [ ok ]

The processes will be shut down in reverse order, then started up. Please wait for allthe services to be stopped, then started. The script will return to the shell when theaction is complete. If there are any errors while shutting down or starting up, they willbe reported.



7. BitDefender Status OutputSince all of its components are daemons, BitDefender works in the background, withlittle or even no output at all. One source of information about the actions of BitDefenderare the logs, if enabled. Instant real-time reports can be obtained by using the built-infacilities of status and statistical reporting.

7.1. Process StatusA short description of all running processes and their process-id (PID) is available onrunning the following command.

# /opt/BitDefender/bin/bd status

Invocation of bd(8) commandA short discussion about different forms of invoking command bd(8) can be found inChapter 6 “Start-up and Shut-down” (p. 23).

Output on non-NPTL systemsOn non-NPTL systems, the output is slightly different. Instead on displaying only onethread, all the PIDs of all threads are shown. You should see the multiple process IDsfor child threads.

7.2. Basic InformationUsing the text console, more information about the current status of BitDefender isavailable when issuing the following command:

# /opt/BitDefender/bin/bd info


BitDefender RegistrySince this information is stored inside the BitDefender Registry, the bdregd daemonshould be running in order to see all of it. If not, only a small part will be shown.

BitDefender Status Output 26


The following information is displayed:

● The current version of BitDefender Free Antispam for Mail Servers along with somesystem information.

● The quarantine status.● The version of installed BitDefender Core Components and Integration Agents.● The number of signatures, the time when BitDefender last checked for virussignatures updates and the time when it actually updated its signatures.

7.3. Statistical ReportStatistical reports about BitDefender activity can be obtained when running the followingcommand:

# /opt/BitDefender/bin/bd stats


BitDefender Status Output 27


8. MTA IntegrationAfter BitDefender Free Antispam for Mail Servers has been installed, you have tointegrate it in your Mail Transfer Agent. This means you have to redirect the emailtraffic through the BitDefender integration agents, for each message to be scanned.To do so, use the bdsafe(8) command.

# bdsafe agent integrate [MTA]

This will automatically integrate the BitDefender agent into your MTA installation. Then,you should consider enabling it by using the command:

# bdsafe agent enable [MTA]

The Mail Transfer Agent can be one of the following:

● cgate● courier● milter● postfix● qmail● smtp

8.1. CommuniGate ProFor a manual integration of the BitDefender agent, please follow these steps:

1. Open the CommuniGate administration interface: point your browser to theweb-based management interface on the server (usually on port 8010:http://yourserver:8010/).

2. Go to Settings→ General (you will be required to login).3. Go to theHelpers tab and look atContent Filtering. For CommuniGate Pro version

4, do the following actions:● Check the Use Filter box● Enter BitDefender in the textbox● Set the Log list to Problems● Set Timeout to 2 minutes● In the Program Path, enter /opt/BitDefender/bin/bdcgated

MTA Integration 28


● Set Auto-Restart to 5 seconds● Press UpdateFor CommuniGate Pro version 5, the method is slightly different:● Enable the filter using the drop-down combo● Enter BitDefender in the corresponding textbox● Set the Log Level to Problems● Set Timeout to 2 minutes● In the Program Path textbox, enter /opt/BitDefender/bin/bdcgated● Set Auto-Restart to 5 seconds● Press Update

4. Go to Settings→ Mail→ Rules tab.5. Enter BitDefender and press Create New or Add Rule, in version 5.6. Press the Edit button next to the BitDefender filter. Do the following settings:

● look at the Data list and set it to Message Size● Set Operation to "greater than"● Set Parameter to 1● Look at the Action list and set it to External Filter● Enter BitDefender in the Parameters box● Press UpdateBitDefender will now start scanning your incoming messages.

7. Restart the BitDefender services.8. Restart CommuniGate Pro.

MTA Integration 29


9. Basic Configuration9.1. View Settings

After you have installed the BitDefender Free Antispam for Mail Servers it may be agood idea to understand how security policies work. The first thing to remember isthat security policies apply to groups.

By default you are dealing with one group only, referred to as All, containing theentire list of users, both senders and receivers. At the same time, there is a specialgroup, the Default group, that specifies the implied settings, if they are not otherwisespecified in a certain group.

NoteFor detailed information about adding and editing groups, see Section 10.1.1 “Addingand Editing Groups” (p. 33)and, of course, the bdsafe(8) manual pages.

Naturally, the second thing to do is to have a look at the default security settings. Runthis command as root.

# bdsafe group configure Default

NoteFor detailed information about the default settings, see Section 10.1.3 “The DefaultSettings” (p. 36).

9.2. Edit SettingsOf course you can customize a certain group to meet your needs, by changing itssettings. In this way, the new settings will have higher precedence over the defaultones. For example, let's suppose you want to add a group named Secretary. Runthese commands as root.

# bdsafe group insert Secretary \recipient:[email protected]

Basic Configuration 30


# bdsafe group priority Secretary 4

NoteThe group priority will be 4. To understand what group priority is all about, please seethe Section 10.1.4 “Group Priority” (p. 40).

And you want that your secretary never misses a mail, even if it looks like spam. Thebdsafe command for ignoring spam for the Secretary group is the following.

# bdsafe group configure Secretary \antispam actions ignore

Or maybe you want to enable the Asian characters filter in order to cut down theamount of spam originating from Far East. Run this command as root.

# bdsafe mail antispam charsets \asian enable

To check the configuration status of the mail daemon component, run this line.

# bdsafe mail

NoteFor a full description of BitDefender settings you must take a look to the manual pages.

Basic Configuration 31


Advanced Usage

32


10. ConfigurationOnce BitDefender Free Antispam for Mail Servers has been installed and integratedinto the Mail Transport Agent, it just works. But there are some settings to fine-tuneyour installation that you might be interested in.

10.1. Group ManagementThe BitDefender GroupManagement component is used to manage users and settingsas groups in a very flexible way. It can be easily integrated with any application requiringthis feature. We will present you just some introductory commands. For detailedinformation, please see the bdsafe(8) manual pages.

10.1.1. Adding and Editing GroupsThe users are defined according to their email address, as they are seen by the serverinternally. Several users define a group. The nice part is that you can specify varioussettings for each group, such as antivirus actions, templates to be used for notificationand so on.

There are two special groups: All and Default. The All group concentrates thesettings for all users, as expected, and the Default group specifies the impliedsettings, if they are not defined in a certain group.

We shall create a new one, add some users and apply some settings.

First, a new group has to be created. Let's name it MyGroup and add an user identifiedby his email address: [email protected]. Later we can add some more. Open aterminal and run the following, as root.

# bdsafe group insert MyGroup sender:[email protected]

We should clarify some things, before proceeding to the next step. The bdsafecommand is the main BitDefender configuration tool. It would be wise to have a lookat the bdsafe(8) manual page, to get an idea about its options and usage.

Second, the sender option will identify the users only as email senders. If you needto identify them as receivers, change it to recipients.

At this moment, we can list the groups and the users to check whether the previouscommand worked. Here is the command you should run.

Configuration 33


# bdsafe group list MyGroup

Let's add a recipient user.

# bdsafe group insert MyGroup recipient:[email protected]

Now, we have a group and some users inside the group. Let's change the antivirusactions to disinfect;quarantine. We have to use the same bdsafe(8) command.Note the method used for the string to escape the shell.

# bdsafe group configure MyGroup antivirus actionsonvirus \'disinfect;quarantine'

NoteThe Antivirus component is not enabled in BitDefender Free Antispam for Mail Servers.

Or, maybe, you want to alter the spam threshold for the same group.

# bdsafe group configure MyGroup antispam aggressivity 9

Let's use the Default group, too: by default, the email footers should not be appended.Here is the command.

# bdsafe group configure Default addfooters N

Next, you can use the mail forward feature, enabling message sending to anotherrecipient. In order to do this, run this command as root.

# bdsafe group configure GROUP_NAME \smtpforward smtpip [IP_ADDRESS]

Eventually, you will want to remove the group.

# bdsafe group remove MyGroup

Configuration 34


10.1.2. Integration with LDAP serverThe process of creating groups can be easily simplified when you integrate theBitDefender Free Antispam for Mail Servers with a LDAP (Lightweight Directory AccessProtocol) server. The bdsafe command can be used to access and import groups andusers from the LDAP server.

To access the respective LDAP server you must follow these steps:

1.# bdsafe ldap configure server "ldap://example.test.ro:8000"

This command will set the address of the respective LDAP server. The url argumentmust follow the syntax: ldap://server:port.

2.# bdsafe ldap configure basedn \

"ou=Test,ou=Test Team,dc=example1,dc=example2"

This command will set the top level of the LDAP directory tree. The replaceableargument represents the distinguished name of the LDAP entry (see RFC 1779 -A String Representation of Distinguished Names for more details).

3.# bdsafe ldap configure user "test\example1"

This command is used to set the LDAP username.

For the Active Directory servers, the user can also have the domain\user syntax.Either quote user names or just escape the backslash.

4.# bdsafe ldap configure passwd set

This command is used to set the LDAP password. After running it, just type thepassword.

To import a group from the respective LDAP server you must follow these steps:

1.# bdsafe ldap group list

This command is used to display all LDAP groups.2.

# bdsafe ldap group list "Group_Name"

Configuration 35


The users of the Group_Name group will be displayed.3.

# bdsafe ldap group import "Group_Name" "senders"

The command is used to automatically add a group identical with the one from theLDAP server. In the above-mentioned examples, the group members are addedas senders. Of course, they can also be added as recipients.

10.1.3. The Default SettingsTo have a look at the default security settings, run this command as root.

# bdsafe group configure Default

The output will be similar with the one below.

Configuration for 'addfooters', group 'Default':addfooters = 'Y'

Configuration for 'smtpforward', group 'Default':enable = 'N'when = 'BeforeScan'smtphelo = ''smtpfrom = ''smtprcpt = ''smtpip = '127.0.0.1'smtpport = ''

Configuration for 'antivirus', group 'Default':enable = 'Y'addheaders = 'Y'headername = 'X-BitDefender-Scanner'actionsonriskware = 'copy-to-quarantine;reject'actionsonsuspected = 'copy-to-quarantine;reject'actionsonvirus = 'copy-to-quarantine;reject'pipeprogram = ''pipeprogramarguments = ''

Configuration for 'antispam', group 'Default':enable = 'Y'addheaders = 'Y'

Configuration 36


modifysubject = 'Y'aggressivity = '0'actions = 'move-to-quarantine'whitelist = '/opt/BitDefender/etc/as_wlist'blacklist = '/opt/BitDefender/etc/as_blist'headername = 'X-BitDefender-Spam'stampheadername = 'X-BitDefender-SpamStamp'headertemplateham = '/opt/BitDefender/share/templates/ham.tpl'headertemplatespam = '/opt/BitDefender/share/templates/spam.tpl'subjecttemplate = '/opt/BitDefender/share/templates/subject.tpl'usebwfilter = 'Y'usebayesfilter = 'Y'useheurfilter = 'Y'useimgfilter = 'Y'usemultifilter = 'Y'usepbayesfilter = 'Y'userblfilter = 'Y'useurlfilter = 'Y'usesignfilter = 'Y'pipeprogram = ''pipeprogramarguments = ''

Configuration for 'contentfilter', group 'Default':enable = 'Y'rules = '/opt/BitDefender/etc/cf/Default-cf.conf'maxrules = '1000'administrator = ''smtpserver = ''

Each settings will be explained in the following table.

ValueSettingY if it is enabled, N if it is disabled. Adda new footer to all mails or not.

AddFooters

Y if you forward mails to another mailserver, N if SmtpForward is disabled.

SmtpForward/Enable

Shows if the mail messages are to beforward to another mail server beforeor after scanning.

SmtpForward/When

Configuration 37


ValueSettingShows the other mail server HELOprotocol command.

SmtpForward/SMTP_HELO

Shows the other mail server MAILFROM protocol command.

SmtpForward/SMTP_FROM

Shows the other mail server RCPT TOprotocol command.

SmtpForward/SMTP_RCPT_TO

Shows the other mail server IP address.SmtpForward/SMTP_IP

Shows the other mail server port.SmtpForward/SMTP_PORT

Y if the antivirus module is enabled, Nif it is disabled.

Antivirus/Enable

Y if it is enabled, N if it is disabled. Adda new header to all mails or not.

Antivirus/AddHeaders

Shows the default antivirus header.Antivirus/HeaderName

Lists the actions to be taken whenriskware message is found.

Antivirus/ActionsOnRiskware

Lists the actions to be taken whensuspected message is found.

Antivirus/ActionsOnSuspected

Lists the actions to be taken when virusinfected message is found.

Antivirus/ActionsOnVirus

Shows the full path to the program topipe the mail to.

Antivirus/PipeProgram

Shows the corresponding argument thepipe program accepts.

Antivirus/PipeProgramArguments

Y if the antispam module is enabled, Nif the antispam module disabled.

Antispam/Enable

Y if it is enabled, N if it is disabled. Adda new header to all mails or not.

Antispam/AddHeaders

Y if it is enabled, N if it is disabled.Specifies whether the subject of the

Antispam/ModifySubject

email message should be modifiedconforming to the Subject templatefield or not.

Configuration 38


ValueSettingSets up the antispam Aggressivitylevel. It goes from 0 (minimum trust in

Antispam/Aggressivity

antispam score returned by theBitDefender filters) up to 9 (maximumtrust).Lists the actions to be taken when spammessage is found.

Antispam/Actions

Shows the path to the white listconfiguration file.

Antispam/WhiteList

Shows the path to the black listconfiguration file.

Antispam/BlackList

Shows the default spam header.Antispam/StampHeaderName

Shows the path to the ham headertemplate file.

Antispam/HeaderTemplateHam

Shows the path to the spam headertemplate file.

Antispam/HeaderTemplateSpam

Shows the path to the subject templatefile.

Antispam/SubjectTemplate

Y if the antispam Black/While list filteris enabled, N if it is disabled.

Antispam/Engines/UseBWFilter

Y if the antispam Bayesian filter isenabled, N if it is disabled.

Antispam/Engines/UseBayesFilter

Y if the antispam heuristic filter isenabled, N if it is disabled.

Antispam/Engines/UseHeurFilter

Y if the antispam image filter is enabled,N if it is disabled.

Antispam/Engines/UseIMGFilter

Y if the antispam multi-filter is enabled,N if it is disabled.

Antispam/Engines/UseMultiFilter

Y if the antispam pre-trained Bayesianfilter is enabled, N if it is disabled.

Antispam/Engines/UsePBayesFilter

Configuration 39


ValueSettingY if the antispam RBL (Real-timeBlackhole List) filter is enabled, N if it isdisabled.

Antispam/Engines/UseRblFilter

Y if the antispam URL filter is enabled,N if it is disabled.

Antispam/Engines/UseURLFilter

Y if the antispam signatures filter isenabled, N if it is disabled.

Antispam/Engines/UseSignFilter

Shows the full path to the program topipe the mail to.

Antispam/PipeProgram

Shows the corresponding argument thepipe program accepts.

Antispam/PipeProgramArguments

Y if the content filtering is enabled, N ifit is disabled.

ContentFilter/Enable

Shows the location of the content filterconfiguration file.

ContentFilter/Rules

Shows the maximum number of rulesthat can be loaded from the content filterconfiguration file.

ContentFilter/MaxRules

Shows the user to be notified aboutblock or allow emails based on analysisof their content.

ContentFilter/Administrator

Shows the hostname and port in caseyou want to forward mails based on

ContentFilter/SMTPServer

analysis of their content to another mailserver.

The default security settings apply to the All group and to any new created group.

10.1.4. Group PriorityThe group priority attribute, when properly used, can be a very useful instrument. Atthe same time, if it remains not completely understood can cause some issues.

Let's take a simple example. Suppose you have created 7 groups: Marketing, HR,Secretary, Admin, Technical, Finance, Dangerous. Besides those groups,

Configuration 40


remember you are already dealing with the All group, containing the entire list ofusers, both senders and receivers, and a special group, the Default one.

For every group you configured some customised settings: let's say a relaxed antispampolicy for the Secretary, Admin and Marketing groups, and a more aggressiveone for the HR, Finance and Technical groups. Furthermore, you needed acollection of viruses and spam messages for your security tests, and set BitDefenderto ignore malware and illicit messages for the Dangerous group.

Each group was created with a specified priority. For example, the Secretary groupwas created with priority 4.

NoteRemember that the All group has by default the 1 priority (the highest priority).

For the sake of discussion, let's suppose that the group priority situation is the following.

PriorityGroup1All

2Dangerous

3Marketing

4Secretary

5Admin

6HR

7Technical

8Finance

In this case, the first security policy to be applied is that corresponding to the Allgroup, let's say one that disinfects viruses and deletes spam messages. The secondone to be applied is the policy corresponding to the Dangerous group and so on.

So, what do you think of your spam messages and virus infected files collection? Youwill get almost nothing, because the All group policy applies first.

To change this situation, you have to set the 1 priority for the Dangerous group. Todo this, run this command as root.

Configuration 41


# bdsafe group priority Dangerous 1

The group priority order will be now the following one.

PriorityGroup1Dangerous

2All

3Marketing

4Secretary

5Admin

6HR

7Technical

8Finance

Naturally, a good idea would be to change the All group priority to 8, to notcompromise the other security policies. Run this command as root.

# bdsafe group priority All 8

The group priority order will be now the following one.

PriorityGroup1Dangerous

2Marketing

3Secretary

4Admin

5HR

6Technical

7Finance

8All

Configuration 42


Please notice that it make sense that the Marketing, Secretary and Admingroups, with a relaxed antispam security policy, to have precedence over the HR,Technical and Finance groups, with a more aggressive one.

More from the manual pagesAs stated before, these are just simple examples. Please see the bdsafe(8) manualpages for detailed information.

10.2. Antivirus settingsBitDefender antivirus engines detects not only viruses, but also other potentiallymalicious applications like riskware (programs that might be executed or misused byother malware) and suspected files ( containing possible malware; these are usuallysubmitted to the AV Lab for further analysis).


You can customize your antimalwares settings. By using bdsafe command, you canchoose the actions to be performed on every type of malware.

● actionsonvirus● actionsonriskware● actionsonsuspected

For example, if you want to delete (or move to quarantine, whenever removing is notpossible) every suspected object found, run this line as root.

# bdsafe group configure GROUP_NAME \antivirus actionsonsuspected "delete;move-to-quarantine"

Actions orderNot all actions in every order are available; For instance, you cannot set the first actionto be Delete and the second one to be Disinfect: it doesn't make sense!

Now, let's have a look at the entire list of possible actions.

Configuration 43


DisinfectTo remove themalware from the infected attachment (or any other mail componentthat can be used to send malware). If successful, the mail is passed to the nextplugin (if any) or forwarded. Otherwise, the next action is executed.

DeleteTo remove the attachment or other mail component that contains the malware.If successful, the mail is passed to the next plugin (if any) or forwarded. Otherwise,the next action is executed.

When the mail is completely deleted, a replacement letting the recipient knowwhat happened will be generated.

Move-to-quarantineTo move the mail to quarantine. If the action fails, an error message line is writtento the log.

After this action is taken, the mail will either be dropped (the default action) orrejected.

Copy-to-quarantineTo copy the mail to quarantine. If the action fails, an error message line is writtento the log.

Drop (the default action)To send the message to the mail transport agent (MTA) to drop the mail. This isthe default action. Thus, the final action will always be Drop, unless you decideotherwise.

This action prohibits the mail from passing. The MTA will return no response tothe sender.

RejectTo send the message to the mail transport agent (MTA) to reject the mail.

This action prohibits the mail from passing. However, the MTA will send back arejection message.

IgnoreTo send the message to the mail transport agent (MTA) to forward the mail.

Pipe to programTo pipe the mail to a given program.

Using the command lineAll these actions can also be configured by using the bdsafe tool. For a full descriptionof these settings you must take a look to the bdsafe(8) manual pages.

Configuration 44


For instance, to pipe all riskwares to the submit.sh program, run this command as root.

# bdsafe group configure GROUP_NAME \antivirus actionsonriskware pipeprogram \/usr/local/bin/submit.sh

10.3. Antispam settingsBitDefender Antispam employs remarkable technological innovations and industrystandard antispam filters to weed out spam before it reaches the user's Inbox.

In our field, performance means high detection rates and very few “false positives”.To achieve this goal we have packed together powerful antispam filters. These arethe entire antispam filters, in the pass-through order.

The Multipurpose filterThe Multipurpose filter is a generic name for GTUBE (an antispam test) and twospecialized filters: the Charset filter and the Sexually explicit filter.

GTUBE, the Generic Test for Unsolicited Bulk Email, is an antispam test similarto EICAR antivirus test. The test consists in entering a special 68-byte string inthe message body of an e-mail in order to be detected as spam. Its role is tocheck the product functionality to see if the filters are correctly installed and detectthe incoming spam.

The Charset filter can be instructed to detect messages written in other languages(for instance Asian languages, or Cyrillic) and mark them as spam. This comesin handy when the user is certain that they will not receive mail in these languages.

The American law demands that all sexually explicit advertisement e-mails bemarked as such, with “sexually explicit” in their subject. The Sexually explicit filtercan detect and mark these messages as spam directly.

NoteThe GTUBE is the first filter to come to action, while the specialized filters followafter the black list / white list filter.

The Black list / White list filterThe black list / white list filter can be very useful when the user wants to blockincoming messages from a certain sender (blacklist), or when the user wants tomake sure that all messages from a friend or a newsletter arrive in the Inbox,

Configuration 45


regardless of their contents. The black list / white list filter is often called “Friends/ Spammers list”. It can define allow or deny lists both for individual e-mailaddresses, or for entire domain names (for instance all mail from any employeeof bigcorporation.com).

Add friends to the white listWe recommend that you add your friends names and e-mail addresses to thewhite list. BitDefender will not block messages from those on the list; therefore,adding them ensures that legitimate messages get through.

The two lists are plain text files, containing one entry per line. You can find thesetext files (as_wlist and as_blist) in this location: /opt/BitDefender/etcThe entries may be usual email addresses or domain names, respecting thefollowing format.

DescriptionFormatThis format will match only the specified user from thespecified domain.

[email protected]

The mentioned user from any domain whose name startswith the specified text will match.

user@domain.*

The user from any domain with a .com suffix (for example)will match.

user@*.com

This will match all users from the specified domain.*@domain.com

All users from all domains starting with the mentioned textwill match.

*@domain.*

This will match all users from all domains with a .com suffix(for example).

*.com

The specified user, from all domains, will match.user@*

This will match all users whose names start with thementioned text, no matter of the domain.

user*

ImportantThe changes are not effective until you restart BitDefender

Configuration 46


The RBL filterRBL stands for “Real time Black List” or “Real time Blackhole List”. TheBitDefender implementation uses the DNSBL protocol and RBL servers to filterspam based on mail server's reputation as spam sender.

The mail server address is extracted from the email header and checked forvalidity. If the address belongs to a private class (10.0.0.0/8 or192.168.0.0/16) or it is not relevant, it will be ignored.

A DNS check will be performed on the domain d.c.b.a.rbl.example.com,where d.c.b.a is the reversed IP address of the server and rbl.example.comis the RBL server. If the DNS replies that domain is valid, it means that the IP islisted in the RBL server and a certain server score is provided. This score cantake values from 0 to 100, according to the server confidence (trust level), whichyou are free to configure.

The query is performed for every RBL server in the list and the score returned byeach one is added to the intermediate score. When reaching 100, no more queriesare performed.

Finally, a spam score is computed from the RBL servers score and added to theglobal email's spam score.

You can easily configure the RBL nameservers for the Mail daemon, by runningthis command.

# bdsafe mail antispam rbl nameservers [add|remove] [host]

You can also configure the RBL servers for the Mail daemon, by running thiscommand.

# bdsafe mail antispam rbl servers [add|remove] host:[weight]

The value of the weight parameter can be between 0(minimum trust level) and100(maximum trust level).

The Image filterSomemessages have image attachments, and we have the Image filter to detectthem and compare them to a database of known spam images, which is alsomaintained and updated by our lab.

The new image filter combines old techniques from CBIR (Content Based ImageRetrieval) with a new special image distance specifically designed for spam

Configuration 47


pictures called SID (Spam Image Distance). It also learns histograms (graphsthat displays the number of pixels at each color value within an image or region)met in spam images and then quickly identifies them at the user. The Image filteris trained by BitDefender Antispam Labs and updated several times a day in orderto provide high-accuracy and spam detection rate.

To find out more about the Image filter, just read the Fighting Image Spamwhitepaper.

The URL filterAlmost all spam links to a site: whether they want us to buy cheap Rolexes orenter our login and password on a fake Citibank site, they have a link. The URLfilter detects these links and looks them up in a database created and maintained(via update) by our lab. If a message links to a “forbidden” site, the odds are highthat it's spam.

The Bayesian filterWe know that not all of our users will agree with us when classifying a messageas spam or legit. For instance, a doctor talking about Viagra with his patients willcertainly need to customize his filters. That's why we've added the Bayesian filter.

Every user can train it by example, and make it learn what messages are spamand what messages are legit (from specific examples in the user's mailbox). Afterenough learning, the Bayesian filter is adapted to the specifics of legitimate andspam messages the user usually receives, and it becomes a powerful factor inthe decision process.

You can train the bayesian filter with spam samples, by running this command.

# bdsafe bayes spam [file1] [file2] [dir1] [dir2]

Let's take an example.

# bdsafe bayes spam /home/test/viagra.eml /home/test/porn

You can also easily train the bayesian filter with ham samples, by running thiscommand.

# bdsafe bayes ham [file1] [file2] [dir1] [dir2]

You can create a bayesian filter dictionary backup, by running this command.

Configuration 48


http://www.bitdefender.com/files/Main/file/BitDefender_-_Fighting_Image_Spam.pdf

# bdsafe bayes backup [directory]

To restore the bayesian filter dictionary, run this command.

# bdsafe bayes restore [directory]

To reset the bayesian filter dictionary, run this command.

# bdsafe bayes reset [noask]

The noask parameter is used to prevent bdsafe from prompting for confirmation.

The Pretrained Bayesian filterWhile the Bayesian filter is user-trained, this filter is pretrained by the BitDefenderAntispam Lab and updated periodically.

You can help improve the pretrained filter by submitting spam messages to ourAntispam Lab. The submission process works as follows:

1. A spam e-mail is delivered to a user

2. The user forwards the e-mail as an attachment to a predefined POP3 e-mailaccount that BitDefender periodically checks

3. BitDefender retrieves the e-mail and feeds it to the Bayes dictionary

ImportantE-mails retrieved by BitDefender are erased from the Inbox.

To configure spam submissions, you have to edit the BitDefender registry. Followthese steps:

1. Enable/disable the submission module by running the following command:

# bdsafe registry setkey \$BDMLD/SpamSubmit/Enable Y/N

2. Set the POP3 host:

Configuration 49


# bdsafe registry setkey$BDMLD/SpamSubmit/Host [host_address:port]

3. Enable/disable SSL encryption:

# bdsafe registry setkey $BDMLD/SpamSubmit/UseSSL Y/N

4. If required, enter the user names of the POP3 accounts to which spam andham are sent:

# bdsafe registry setkey \$BDMLD/SpamSubmit/SpamUser [user_name]

# bdsafe registry setkey \$BDMLD/SpamSubmit/HamUser [user_name]

5. Enter the passwords for the POP3 accounts (if required):

# bdsafe registry setkey \$BDMLD/SpamSubmit/SpamPass [password]

# bdsafe registry setkey \$BDMLD/SpamSubmit/HamPass [password]

6. Set the time interval at which BitDefender will check the account for e-mails:

# bdsafe registry setkey \$BDMLD/SpamSubmit/Timeout [seconds]

ImportantSpammessages must be forwarded as attachments to e-mails no larger than 8MB.

Configuration 50


The NeuNet filterWhen we create detection rules, our antispam analysts consider the spammessages that are available to us. Even though there are millions of them, it'simpossible to consider each one thoroughly. That's why we've created a powerfulfilter using a Neural Network (a concept borrowed from the field of ArtificialIntelligence).

Themost important feature of the Neural Network (NeuNet) is that we have trainedit in the Antispam Labs, allowing it to look at a lot of spam messages. Much likea child in school, it has learned to distinguish between spam and legit e-mails,and its formidable advantage is that it can recognize new spam by perceivingsimilarities (oftentimes very subtle) between the new messages it sees and themessages it has learned. This approach (both reactive and proactive) is similarto the heuristics used by antivirus products.

Once you install BitDefender Free Antispam for Mail Servers all these antispam filtersare enabled. Of course, you can set up your desired number of active filters, by usingthe bdsafe command. For example, to enable / disable the image filter, run the followingline as root.

# bdsafe group configure \MyGroup antispam useimgfilter [value]

NoteThe new value might be Y, to enable the filter, or N, to disable it.

For a full description of these antispam settings you must take a look to the bdsafe(8)manual pages.

10.3.1. X-Junk-ScoreHeader for CommuniGate Pro IntegrationWhen integrated with CommuniGate Pro, BitDefender can add the X-Junk-Scoreheader to filtered e-mails. CommuniGate Pro uses the value of the X-Junk-Scoreheader to perform certain actions on the processed e-mails.

NoteFor more information about the X-Junk-Score header, please refer to the CommuniGatePro documentation.

To enable the X-Junk-Score header, run the following command:

Configuration 51


# bdsafe group configure GROUP_NAME antispam cgatecompat Y

To apply the configuration changes, run the following command:

# bdsafe reloadsettings

10.4. Content FilteringSometimes you just need to block or allow emails based on analysis of their content,rather than other criteria. BitDefender offers support for this kind of operation.

To create, modify or delete content filtering rules you have to run one of the followingbdsafe commands.

# bdsafe group configure GROUP_NAME contentfilter add \{priority} {name} {type} {header_name} \{condition} {value} {action} {notify}

ValueArgumentheader, body, attachment-name, attachment-type, attachment-size,mailsize

type

exists, !exists, match, !match, greater-than, !greater-thancondition

a positive number (of bytes), a regular expressionvalue

ignore, drop, reject, replace, copy-to-quarantine, move-to-quarantineaction

none, administrator, admin, sender, recipientsnotify

The command above adds a new content filter rule.

# bdsafe group configure GROUP_NAME contentfilter modify \{rule_priority_number} {field_name=field_value}

Configuration 52


ValueArgumentpriority, enabled, name, type, header_name, condition, value, action,notify

field_name

The command above modifies a rule, field by field.

# bdsafe group configure GROUP_NAME contentfilter dump \{rule_priority_number}

The command above lists all existing rules for the specified group. If you add a numberas argument the rule with that priority number will be displayed only.

# bdsafe group configure GROUP_NAME contentfilter delete \{rule_priority_number}

The command above deletes the rule with the specified priority number.

# bdsafe group configure GROUP_NAME contentfilter enable \{boolean_value} {rule_priority_number}

The command above enables/disables content filtering for a certain group. If you adda number as argument the rule with that priority number will be enabled/disabled only.

# bdsafe group configure GROUP_NAME contentfilter priority \{old_priority_number} {new_priority_number}

The command above changes the priority of a certain rule.

# bdsafe group configure GROUP_NAME contentfilter rules \{path_to_file}

The command above lists the group content filter configuration file location. If you adda path_to_file argument, this command sets the group content filter configurationfile to the specified location.

Configuration 53


# bdsafe group configure GROUP_NAME contentfilter maxrules \{number}

The command above sets the maximum number of rules that can be loaded from thegroup content filter configuration file.

# bdsafe group configure GROUP_NAME \contentfilter htmldisarm Y

The commmand above enables the HTML disarm feature for a group. This feature isdesigned to remove potentially malicious code like JavaScript or Visual Basic frome-mails with HTML content.

10.4.1. ExamplesLet's take some examples to illustrate the power content filtering offers.

1.# bdsafe group configure GROUP_NAME \

contentfilter add 0 MyRule header "Subject" "match" \"porn" "drop" "none"

This will add the content filter rule, named MyRulewith 0 priority (the most important)to GROUP_NAME. The rule says: when the word porn is found within the Subjectpart of the header, the respective mail will be dropped and nobody will be notified.


contentfilter add 1 Salary body "match" \"salar.*" "drop" "admin"

This will add the content filter rule, named Salarywith 1 priority to GROUP_NAME.When applied, this rule means that emails containing in their body words likesalary, salaries, salarry, salariess, salariu will be dropped andthe administrator will be notified.

The lesson to be learn is this: if it is a must that emails containing sensitiveinformation (like salary data, personal salary reports) to be filtered accordingly, justset a rule for them. A good idea would be to use regular expressions. The tablebelow will provide you with some examples.

Configuration 54


DescriptionExampleYou could use this to match either Honor or Honour.The question mark makes the preceding token in theregular expression optional.

Honou?r

You could use this to match either Drink or Drankor Drunk. By using this kind of regular expression

Dr[iau]nk

(character class) one out of several characters willbe matched only.You could use this to match 5 MAR 2005 or 3 MAR2008 or 9 MAR 2007 and so on. By using a hyphen

[0-9]\sMAR\s200[5-8]

inside a character class one out of a specified rangeof characters will be matched only. The \s sign willmatch a space.You could use this to match Isue or Issue orIssues or Issssuess and so on. The + sign will

Is+ues*

match one or more times the preceding token. The* sign will match zero or more times the precedingtoken.You could use this to match 30 EUR or 35EUR or023213 EUR or any string starting with a digit,

^[0-9]+EUR

followed by EUR string. The ^ sign represents thestart of the string to be matched.You could use this tomatch [email protected] [email protected] or [email protected]

[^\s]*@example.com

and so on. The ^ sign inside brackets matches anycharacter that is not the following token. In theabove-mentioned example, [^\s]* will match anynon-whitespace character.You could use this to match List-Id: aNYstringexample.com or List-ID: example.com and so

L̂ist-I[dD]:\s.*example.com

on. The ^ sign represents the start of the string to bematched. The \s sign will match a space. The [dD]expression means either d or D will be matched. The.* expression means any sign will be matched.

Configuration 55


NoteDo not to forget to escape with a backslash the metacharacters (the square or roundbrackets, the backslash, the caret, the dollar sign, the period, the vertical bar symbol,the question mark, the asterisk, the plus sign).


contentfilter add 2 BigMail attachment-size \"greater-than" "10000" "drop" "none"

This will add the content filter rule, named BigMail with 2 priority toGROUP_NAME. When applied, this rule means that if the size of a certainattachment is greater than 10000 bytes, the email containing the respectiveattachment will be dropped and nobody will be notified.


contentfilter modify 0 "priority=3" "name=porn rule"

This will change the MyRule (0 priority) from the old priority 0 to new priority 3.The new name of this rule will be "porn rule".


contentfilter priority 1 0

This will change the Salary rule of GROUP_NAME from old priority 1 to newpriority 0 (the most important rule; it will be applied first of all).


contentfilter dump

This will list the content filter rules of GROUP_NAME together with their priorities.


contentfilter delete 4

This will delete the content filter rule of GROUP_NAME with priority 4.

Configuration 56



contentfilter enable N 4

This will disable the content filter rule of GROUP_NAME with priority 4.

10.5. The BitDefender Logger DaemonThe BitDefender Logger Daemon (bdlogd) allows you to get a full picture of the othersdemons activity, as it receives logging messages from the other modules and passesthem to the logger plugins.

Either a local socket (Unix domain socket) or a TCP/IP socket will be used to implementcommunication among different modules of BitDefender while the communicationamong the Logger Daemon and its plugins is based on API (Application ProgrammingInterface).

bdlogd was designed with a plugins parallel execution philosophy in mind. In short,this means that each plugin will run on its own individual thread. The result is that theslower plugins will no longer disturb the faster ones (like filelog).

To manage the configuration of the Logger Daemon and the associated plugins youwill use the bdsafe command. You will be provided below with a list of common settingsfor bdlogd.The general syntax for the bdlogd daemon and plugins configuration is the followingone:

# bdsafe logger configuration [parameters ...]

# bdsafe logger plugin configuration [parameters ...]

The BasePathTo specify the fully-qualified name of a directory from which bdlogd will attempt toload plugins, run the following line as root:

# bdsafe logger basepath [value]

Configuration 57


10.5.1. The Logger PluginsThe BitDefender Logger Daemon supports the following plugins:

● The Filelog Plugin● The SMTP Plugin● The SNMP Plugin

The Filelog PluginThe bdlogd receives messages from the other modules and send them to the otherplugins, for instance the filelog plugin. By default, the filelog plugin settings are thefollowing:

● bdlived.info=/opt/BitDefender/var/log/update.log● bdmaild.info=/opt/BitDefender/var/log/mail.log● *.error=/opt/BitDefender/var/log/error.log● bdlived.error=/opt/BitDefender/var/log/update.log● *.license=/opt/BitDefender/var/log/license.log● bdmaild.virus=/opt/BitDefender/var/log/virus.log● bdmaild.spam=/opt/BitDefender/var/log/spam.log

It means that, for example, all error-related information, coming from all BitDefenderdaemons, will be found in this location: /opt/BitDefender/var/log/error.log.

However, you can fully customize the daemon and message type and also the filepaths where the file logger writes the messages, by using the bdsafe command. Inorder to do this, please run the following line as root:

# bdsafe logger file path message_type [value]

The message_type argument must follow the syntax: daemon.type.

daemonIt can take the following values: * (i.e. all daemons), bdmaild, bdfiled, bdlogd,bdscand, bdmond, bdlived

typeIt can take the following values: * (i.e. all types), info, error, license, debug, virus,spam

Configuration 58


You can also enable or disable the entire filelog plugin or just a certain type of message.In order to do this, run these commands as root.

# bdsafe logger file disable message_type

# bdsafe logger file enable message_type

NoteFor a full description of the filelog settings you must take a look to the bdsafe(8) manualpages.

The SMTP log pluginOne of the main characteristics of the bdlogd plugins is the fact that they are easilyand extremely configurable, by using the bdsafe command. Certainly, the SMTP logplugin makes no exceptions to the above-mentioned feature. You can find out theplugin status, enable / disable it, set a connection timeout, alert senders and receivers,choose a template or only a header, etc.

Let's take some examples.

If you want to find out the SMTP log plugin status (enable / disable, for the entire pluginor just for a certain type of messages) run the next line as root.

# bdsafe logger smtp status message_type

The message_type argument must follow the syntax: daemon.type.

daemonIt can take the following values: * (i.e. all daemons), bdmaild, bdfiled, bdlogd,bdscand, bdmond, bdlived, bdsmtpd

typeIt can take the following values: * (i.e. all types), info, error, license, debug, virus,spam

To sent a notification to the receivers of an infected email, run this command.

# bdsafe logger smtp alertrecv value

Configuration 59


NoteFor a full description of the SMTP log settings you must take a look to the bdsafe(8)manual pages.

The SNMP log pluginBy using the bdsafe command, you can get the SNMP log plugin status, enable/disable it, set the port number where notification will be sent, set a connection timeout,etc.

For example, to set the port number where notification will be sent, run this commandas root.

# bdsafe logger snmp port value

NoteFor a full description of the SNMP log settings you must take a look to the bdsafe(8)manual pages.

10.6. QuarantineThe Quarantine is a special directory (or directories), unavailable for common users,where infected or suspected files or emails are to be isolated for a future purpose.Some BitDefender Daemons (bdmaild, bdfiled and bdmond) add files to Quarantine.The administrator can list and search these files, delete, restore or resend all files thatmatch the given pattern by using the bdsafe command.To find out information about Quarantine directories, run this command as root.

# bdsafe quarantine status [quarname]

If the optional quarname parameter is specified bdsafe will display information onthat directory only.

To display all files from the quarname directory, run this line.

# bdsafe quarantine list [quarname]

Searching the Quarantine is also very easy. All you have to do is to run this line.

Configuration 60


# bdsafe quarantine search [quarname] [field] [pattern]

The field parameter can take one of the following value:

● sender● recipient● subject● uuid

NoteYou can use wild-card (*) with the pattern parameter (except for the uuid).

To search the specified quarantine directory and copy, move or delete all files thatmatch the specified pattern, run this command.

# bdsafe quarantine copy [quarname] [field] [pattern]

# bdsafe quarantine move [quarname] [field] [pattern]

# bdsafe quarantine delete [quarname] [field] [pattern]

The field parameter can take one of the following value:

● sender● recipient● subject● uuid

NoteYou can use wild-card (*) with the pattern parameter.

In case you want to resend all files that match the given pattern via the SMTP server,run this line.

# bdsafe quarantine resend [quarname] \[field] [pattern] server[:port] [crlfmagic]

Configuration 61


The optional crlfmagic parameter can take any value. The effect of addind thisparameter is the following one: bdsafe will actively replace all end-of-line sequencesin the file with \r\n.

To handle the Quarantine configuration, run this command.

# bdsafe quarantine configure [quarname] [parameter] [value]

parameter can take one of the following value:

maxentriesIt refers to the maximum number of files allowed in Quarantine.

In this case, the value parameter must be a positive integer.

maxsizeIt refers to the maximum size of Quarantine allowed.

In this case, the value parameter must be a string describing the maximum sizeof the Quarantine directory. For example, 1m512k specifies that the maximumsize is 1.5 megabytes (g is for gigabytes, m for megabytes, k for kilobytes and bfor bytes).

ttlTime-to-live (ttl) refers to a certain time that, when exhausted, would cause themail to be discarded from Quarantine.

In this case, the value parameter must be a string describing the maximumamount of time a file can remain in Quarantine before being deleted. For example,1w2d specifies that the maximum amount of time a file may remain in thequarantine is one week and two days (w is for weeks, d for days, h for hours, mfor minutes, s for seconds).

Configuration 62


11. Product RegistrationThe product is delivered with a trial registration key valid for thirty days. At the end ofthe trial period, if you want to continue using the product, you have to provide a newlicense key.

To check the license status, use the following command.

# bdsafe license antispam

You will be presented with the license type, status, the number of covered users andthe remaining validity period.

If you have a new license key, the following command will perform the registration ofthe installed daemon.

# bdsafe license antispam ABCDE12345ABCDE12345

Product Registration 63


12. Testing BitDefenderTo make sure BitDefender is really working, you can test its antivirus and antispamefficiency using standard testing methods. Basically, you will send a special email tosome account through the email server. You will receive the results (disinfected email,notifications or the email marked as SPAM).

Sending the Email to Another AccountThe $USER parameter is used to send the email to your current account on the localmachine. If you wish to send the test emails to another recipient or to some remoteemail server, replace it with a real email address, but take care the emails will beclassified as infected and spam.

12.1. Antivirus TestYou can verify that the BitDefender Antivirus component works properly by the helpof a special test file, known as the EICAR Standard Anti-virus Test file. EICAR standsfor the European Institute of Computer Anti-virus Research. This is a dummy file,detected by antivirus products.

There is no reason to worry, because this file is not a real virus. All that EICAR.COMdoes when executed is display the text EICAR-STANDARD-ANTIVIRUS-TEST-FILEand exit.

The reason we do not include the file within the package is that we want to avoidgenerating any false alarms for those who use BitDefender or any other virus scanner.However, the file can be created using any text editor, provided the file is saved instandard MS-DOS ASCII format and is 68 bytes long. It might also be 70 bytes if theeditor puts a CR/LF at the end. The file must contain the following single line:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Copy this line and save the file with any name and .COM extension, for exampleEICAR.COM. You can keep the EICAR.COM in a safe place and periodically test theserver protection.

EICAR online resourcesYou can visit the EICAR website at http://eicar.com/, read the documentation anddownload the file from one of the locations on the web pagehttp://eicar.com/anti_virus_test_file.htm.

Testing BitDefender 64


http://eicar.com/

http://eicar.com/anti_virus_test_file.htm

12.1.1. Infected Email AttachmentTo test the email protection efficiency, create an email with your favorite email agent,attach the file EICAR.COM and send it to yourself through your email server. You willshortly receive the email disinfected, the notification emails that are supposed to reachyou, the postmaster, and, if configured, the emails informing the sender and the receiverabout the virus found.

Using the nail program, available on many Linux distributions, sending the email canbe done in the following way. You can safely replace nail with mutt, or any othercommand that supports attachments.

$ echo "EICAR test file." | nail -s EICAR -a EICAR.COM $USER

If your mail program does not support attachments, you can use the followingcommand, where the email body is just the content of the EICAR.COM file (since it isan ASCII file). Having scanned the entire mail, BitDefender will find it infected, disinfectit and notify the postmaster and, eventually, the sender and the receiver.

$ mail -s EICAR $USER < EICAR.COM

12.1.2. Infected Attached ArchiveTo test the efficiency of the BitDefender MIME Packer component, create an archivecontaining the EICAR.COM file, then attach it to an email sent to yourself through theemail server to test. For example, gzip the EICAR.COM file and attach the resultingarchive.

$ gzip --best EICAR.COM$ echo "EICAR test archive." | nail -s EICAR \-a EICAR.COM.gz $USER

You will shortly receive the disinfected email, the notification emails that are supposedto reach you, the postmaster, and, if configured, the emails informing the sender andthe receiver about the virus found.



12.2. Antispam TestYou can verify that the BitDefender Antispam component works properly by the helpof a special test, known asGTUBE. GTUBE stands for theGeneric Test for UnsolicitedBulk Email. GTUBE provides a test by which you can verify that the BitDefender filteris installed correctly and it detects incoming spam.

GTUBE online resourcesYou can visit the GTUBE website at http://gtube.net/, read the documentation anddownload the sample RFC-822 format email from the locations on the web page.

The test consists of entering the following 68-byte string, as one line, in the body ofthe email:

XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

When scanning the email, BitDefender must tag it as spam.

Using any mail program, you can test BitDefender with the following command. Youhave to create a file, named GTUBE, containing the above string in one line. Then, runthe following command.

$ nail -s GTUBE $USER < GTUBE

You will shortly receive the email marked as SPAM. The Subject andX-BitDefender-Spam headers will be:

Subject: [SPAM] GTUBE [SPAM]

X-BitDefender-Spam: Yes (100)



http://gtube.net/

13. UpdatesBitDefender was designed with capabilities for automatic update. At present, the riskof getting infected is high, both because new viruses appear and because the existingones keep on spreading. Email communication, which is more and more used, hasbecome a final factor in spreading infections from one user to another. This is whyyour antivirus must be kept up-to-date, by periodically checking the BitDefender serversfor new updates.

The BitDefender update process is realized by Live! Update, a daemon which connectsperiodically to the BitDefender update server and checks whether new virus definitions,antispam updates and product upgrades are available. In case there are any, thedaemon will download only the changed files, executing an incremental update andsaving bandwidth.

To find out the current configuration settings for the global proxy and the Live! Updateservice, run the following command.

# bdsafe live

13.1. Automatic UpdateBitDefender Free Antispam for Mail Servers is configured to update automaticallyeach hour, through the bdlived module. In case of a necessary update, before thespecified interval expires, the daemon can be signaled to execute the update routine,manually. To trigger the on-demand check, one can issue the following command.

# bdsafe live forceupdate

NoteA minimum of five minutes must elapse from the last forced update.

13.1.1. Time Interval ModificationTo modify the time interval you will have to run the command bellow. You can changethe update interval to the desired value, in seconds. The new value must be an integerbetween 3600 (seconds, 1 hour) and 86400 (seconds, 24 hours).

Updates 67


http://upgrade.bitdefender.com

# bdsafe live checkinterval [new_value]

13.1.2. Live! Update Proxy ConfigurationIf a proxy server is to be used to connect to the Internet, you can set/get your proxyserver address and port by using the following command.

# bdsafe live globalproxy host [new_host]

Whitout the optional [new_host] parameter, this command displays the current proxyhost only, in case there is a proxy host. To change the host, you must add the[new_host] parameter, following this syntax: host[:port]

However, you have to enable proxy usage by this command.

# bdsafe live globalproxy enabled Y

In order to deactivate the use of a proxy, run the following:

# bdsafe live globalproxy enabled N

For proxy servers that require authentication, the server administrator can set the userdomain, name and the associated password via the following commands:

# bdsafe live globalproxy user [new_user]

# bdsafe live globalproxy domain [new_domain]

# bdsafe live globalproxy password [new_password]

The BitDefender Live! Daemon does not immediately load the settings modified viathe bdsafe command. So, a good idea would be to run the following command, toapply the configuration changes.

# bdsafe live reloadsettings

Updates 68


13.2. Manual UpdateThere is one zip archive on the update server, containing the updates of the scanningengines and virus signatures: cumulative.zip.

● cumulative.zip is released every week on Monday and it includes all the virusdefinitions and scan engines updates up to the release date.

In order to update the product manually, you should follow these steps.

1. Download the update file. Please download cumulative.zip and save itsomewhere on your disk when prompted.

2. Extract the updates. Extract the contents of the zip file to the/opt/BitDefender/var/lib/scan/Plugins/ directory, overwriting the existingfiles with the newer ones if necessary.

3. Files owner and permissions. After extracting the zip archive, you must set theproper owner and permissions, by running the following commands.

# chown bitdefender:bitdefender \/opt/BitDefender/var/lib/Plugins/*

# chmod 644 /opt/BitDefender/var/lib/Plugins/*

4. Restart BitDefender. Once updated, BitDefender should be restarted, using thefollowing command.

# /opt/BitDefender/bin/bd restart

13.3. PushUpdatePushUpdate is an ordered update launched by BitDefender servers in imminentsituations, when a prompt update can save the server from allowing the infected emailsto pass.

The trigger is an email, sent to the address you have to specify onhttp://www.bitdefender.com/site/Products/pushUpdates/. BitDefender, while filteringthe emails, will recognize it and will initiate the update process.

Updates 69


ftp://ftp.bitdefender.com/pub/updates/bitdefender_v7/cumulative.zip



http://www.bitdefender.com/site/Products/pushUpdates/

13.4. Patches and New Product VersionsSince the Live! Update module can update automatically only the virus definitions andsome of the core libraries used by BitDefender, there is a small tool that can be usedto update the whole BitDefender installation.

BitDefender Swiss Army kniFE, bdsafe(8), the multipurpose tool, can be used to keepBitDefender up to date by applying various patches that might appear after the productwas released. It can be run directly by the system administrator to list, search, installor uninstall patches or it can be installed as a cron job to automatically install patchesas soon as they are released.

Patches are released to correct any bugs found or to add new features and they aregrouped in the following categories: CRITICAL, SECURITY, NORMAL.

● Patches are labeledCRITICALwhen they affect the normal behavior of the product.For example, if a new kernel is released, preventing the bdcored module toaccomplish its job, then a CRITICAL patch will be released, correcting this issue.

● A patch is labeled SECURITY when it has the role of correcting any security relatedissue. For example, if there is a bug which might permit an attacker to gain accessto emails scanned by BitDefender, then a SECURITY patch will be released to fixthis issue. As opposed to CRITICAL patches, which affect BitDefender's normalbehavior, SECURITY patches can fix the bugs that will not normally occur in afriendly environment, if such one exists.

● Patches labeled NORMAL are usually released to fix minor (cosmetic) bugs or toadd some new features. For example, if BitDefender incorrectly formats an emailheader, a NORMAL patch will be released to fix this minor issue.

New product versions may bring new features and functionalities. It is recommendedto install upgraded versions when they become available.

Administrators are notified about releases of new patches and new product versionsvia automated e-mails, as well as through the BitDefender Remote Admin interface.Notifications contain all the relevant information regarding the release, such as newfeatures, bug fixes and installation instructions.

Updates 70


Remote Management

71


14. BitDefender Remote AdminBitDefender Free Antispam for Mail Servers can be configured remotely by using aweb browser under any operating system. In order to do this, it is necessary to installon the server side the BitDefender Remote Admin module.

BitDefender Remote Admin is an intuitive management interface. This managementtool for UNIX-based product helps you remotely configure any settings in a singleinterface and lets you check the current status of the product (detailed statistics andupdate information).

When installing BitDefender Remote Admin, you will be asked to enter a bind addressfor the Remote Admin server. For security reasons, by default, BitDefender RemoteAdmin listens for incoming connections on 127.0.0.1 (port 8139) and allowsincoming connections from 127.0.0.1 only, as well. If you want to be able to remotelyconfigure BitDefender, set the address to 0.0.0.0:8139 (listening on all interfaces).

Also as part of the installation you can set a password for the default administratoraccount. If you choose not to, the default password admin will be used.

Once the installation is completed, use the bdcertgen.sh script located in/opt/BitDefender/bin/ to indicate your domain name and generate an opensslcertificate file. It is highly recommended to enable ssl (secure sockets layer)connections when using remote administration, somake sure you have the Net::SSLeayperl module installed.

To start BitDefender Remote Admin, run the following command:

# /opt/BitDefender/bin/bdradmin start

After any modification to the configuration, you have to manually restart BitDefenderRemote Admin by running the following command:

# /opt/BitDefender/bin/bdradmin restart

14.1. Getting StartedOnce you have setup BitDefender Remote Admin, you can remotely configure almostall BitDefender settings. All you have to do is open your favorite web-browser and

BitDefender Remote Admin 72


point it to the following location, for the standalone module:http://your.domain.name:8139. The following login form will appear:

Login

To login for the first time, use the default user account.

NoteTo change the default password, after logging in click administrator on the upperleft-hand corner of the interface and type the new password in the provided textboxes.

The following sections of this document describe how to configure BitDefender usingBitDefender Remote Admin.

14.2. Status14.2.1. Services

To open this section, go to Status and select Services.



http://your.domain.name:8139

Services

Here you can see a list of all BitDefender services and their current status. You canstart, stop or restart the services by clicking the corresponding buttons.

NoteThese actions are not performed instantly, a couple of seconds may be required forthem to finish.

14.2.2. LicenseTo open this section, go to Status and select License.



License

Here you can check the license status and register BitDefender.

Click Enter new license key, type the license key in the corresponding textbox andclick Apply to perform the registration process. If you mistype the license key, themessage Invalid key will be displayed and you will have to type it again.You can also create a BitDefender account or login to an existing one to have accessto technical support, keep your license keys safe, recover your lost license keys andtake advantage of special offers and promotions.

To create a BitDefender account, select Create a new BitDefender account andprovide the required information. The data you provide here will remain confidential.

● E-mail address - type in your email address.● Password - type in a password for your BitDefender account.

NoteThe password must be at least four characters long.

● Re-type password - type in again the previously specified password.



● First name - type in your first name.● Last name - type in your last name.● Country - select the country you reside in.

Click Apply to finish.

NoteUse the provided email address and password to log in to your account athttp://myaccount.bitdefender.com.

To successfully create an account you must first activate your email address. Checkyour email address and follow the instructions in the email sent to you by theBitDefender registration service.

14.2.3. AboutTo open this section, go to Status and select About.

About

This section displays a short description, the version number and the list of componentsfor every BitDefender product installed.



http://myaccount.bitdefender.com

14.3. PoliciesWhen dealing with security policies you want to stay organised, work more efficientlyand spend less time. To easily manage groups and enforce group security policiesgo to Policies and select Mail.

Policies

The list of groups is displayed in this window in order of their priority. To change thepriority of a group, simply drag it up or down the list and drop it in the desired position.

To create a new group, click the New button, enter the group name and click Add tosave the new group. To remove a group, click the Delete button corresponding to it.

14.3.1. Configuring Group PoliciesYou can edit the security policies for a group by clicking the Configure buttoncorresponding to that group.



Configure Policies

The current settings are displayed for the selected group. You canmanage the sendersand recipients included in the group, configure the Antivirus, Antispam, Content Filterand Mail Forward.

Manage Groups● Sender - to edit the list of email senders included in the group, click thecorresponding Configure button.Here you can see the list of senders currently assigned to the group. To add a newemail address to the group, click the New button, enter the address (wildcards areaccepted) and clickAdd. To remove a sender from the list, select the correspondingcheckbox and click Delete. Click OK to save the changes to the group.

● Recipient - to edit the list of email recipients included in the group, click thecorresponding Configure button.Here you can see the list of recepients currently assigned to the group. To add anew email address to the group, click the New button, enter the address (wildcardsare accepted) and click Add. To remove a recipient from the list, select the



corresponding checkbox and click Delete. Click OK to save the changes to thegroup.

Add footer - select the checkbox to enable the display of a message in the footer ofemails which informs the recipients that the message was scanned by BitDefender.

AntivirusThe settings of the Antivirus module are displayed in this section. To edit the settings,click Configure.


Antivirus

● To enable the antivirus scanning of emails, select the corresponding checkbox.

● BitDefender Free Antispam for Mail Servers can add a header to scanned emails.To enable headers, select the corresponding checkbox.

● Select the checkboxes next to the actions you want to be taken on viruses,suspected objects and riskware:



DisinfectRemove themalware from the infected attachment (or any other mail componentthat can be used to send malware). If successful, the mail is passed to the nextplugin (if any) or forwarded. Otherwise, the next action is executed.

DeleteRemove the attachment or other mail components that contain the malware. Ifsuccessful, the mail is passed to the next plugin (if any) or forwarded. Otherwise,the next action is executed.

When the mail is completely deleted, a replacement letting the recipient knowwhat happened will be generated.

Move to quarantineMove the mail to quarantine. If the action fails, an error message line is writtento the log.


Copy to quarantineCopy the mail to quarantine. If the action fails, an error message line is writtento the log.

Drop (the default action)Send the message to the mail transport agent (MTA) to drop the mail. This isthe default action. Thus, the final action will always be Drop, unless you decideotherwise.

This action prohibits the mail from passing. The MTA will return no responseto the sender.

RejectSend the message to the mail transport agent (MTA) to reject the mail.

This action prohibits the mail from passing. However, the MTA will send backa rejection message.

IgnoreSend the message to the mail transport agent (MTA) to forward the mail.

● Select the checkboxes next to the actions you want to be taken on passwordprotected attachments:Copy to quarantine

Copy the mail to quarantine. If the action fails, an error message line is writtento the log.



Move to quarantineMove the mail to quarantine. If the action fails, an error message line is writtento the log.


Drop (the default action)Send the message to the mail transport agent (MTA) to drop the mail. This isthe default action. Thus, the final action will always be Drop, unless you decideotherwise.

This action prohibits the mail from passing. The MTA will return no responseto the sender.

RejectSend the message to the mail transport agent (MTA) to reject the mail.

This action prohibits the mail from passing. However, the MTA will send backa rejection message.

IgnoreSend the message to the mail transport agent (MTA) to forward the mail.

To save the changes, click OK.

AntispamThe Antispam settings are displayed in this section. To edit the settings, clickConfigure.



Antispam

● To enable the antispam filter, select the corresponding checkbox.

● To set the antispam Aggressivity level, use the corresponding drop-down list. Thescale goes from 0 (minimum trust in antispam score returned by the BitDefenderfilters) up to 9 (maximum trust). Choosing 0might increase the amount of unsolicitedemails, while choosing 9 might increase the amount of false positives.

● Add headerswill add new headers to all mails (by default X-BitDefender-Spam).The SpamStamp Header, by default X-BitDefender-SpamStamp, is a specialfeedback header, used by BitDefender Antispam specialists as feedback, whenfalse negatives and positives are submitted to [email protected].

● Select Modify subject to modify the subject of the email messages conforming tothe Subject template field.

● Select the actions to be taken by the antispam filter:Copy to QuarantineMove to QuarantineDropRejectIgnore




● Each of the antispam filters can be enabled or disabled individually. Select thecheckboxes corresponding to the filters you want to enable:Bayes FilterPretrained Bayes FilterBlack/White List FilterHeuristic FilterImage filterRBL filterIP RBL filterMultipurpose filter (Asian and Cyrillic charsets)URL filterSignatures filterFuzzy filterSURBL filterSQMD filter

● Using the textboxes provided, you can add friends and spammers to theWhite Listand Black List respectively. The entries may be usual email addresses or domainnames (one entry per line), respecting the following format:

DescriptionFormatThis format will match only the specified user from thespecified domain.

[email protected]

The mentioned user from any domain whose name startswith the specified text will match.

user@domain.*

The user from any domain with a .com suffix (for example)will match.

user@*.com

This will match all users from the specified domain.*@domain.com

All users from all domains starting with the mentioned textwill match.

*@domain.*

This will match all users from all domains with a .com suffix(for example).

*.com

The specified user, from all domains, will match.user@*

This will match all users whose names start with thementioned text, no matter of the domain.

user*




Content FilterThe Content filter settings are displayed in this section. To edit the settings, clickConfigure.

Content filter

To enable the content filter or add a header to filtered emails, select the correspondingcheckboxes.

To remove potentially malicious code from emails containing HTML content, selectthe Disarm HTML checkbox.

The content filtering rules are listed in order of their priority under Rules. To changethe priority of a rule, simply drag it up or down the list and drop it in the desired position.

Select a rule and click Delete to remove it, Enable/Disable to enable/disable it, orEdit to configure the rule settings.To create a new content filtering rule, click the New button and follow these steps:

1. Enter the rule name.



2. Select the rule type. This will indicate the part of the email the content filtering rulewill apply to: the header, the body, the mail size or the attachment (its name, typeor size).

3. Select who will receive a notification from BitDefender when a message matchingthe rule is detected: nobody (no notification is sent), the administrator, therecepient(s) or the sender.

4. Set the rule formula. The rule type will appear automatically in the If textbox. Selectan expression from the adjoining drop-down list and enter a value for it in the textbox.To complete the formula, select an action from the then drop-down list: ignore,drop, reject, replace, copy to quarantine or move to quarantine.

5. Click OK to save the rule.


SMTP ForwardThe mail forward settings are displayed in this section. To edit the settings, clickConfigure.

SMTP forward



To enable message forwarding to another recipient, select the corresponding checkbox.

Next, specify the necessary information:

● IP / hostname● Hello message● From - the sender● To - the destination account● When - select from the drop-down list if you want the mails to be forwarded beforeor after being scanned

To save the changes, click OK.After you are done configuring the policies for a group, click the Apply button to applythe changes.

14.4. QuarantineThe Quarantine is a special directory, unavailable for common users, where suspectedfiles or emails are to be isolated for a future purpose.

Quarantined objects are safeWhen the virus is in Quarantine it can't do any harm, because it cannot be executed orread.

14.4.1. Malware QuarantineTo open this section, go to Quarantine and select Malware.



Malware Quarantine

The Malware Quarantine is the directory where infected or suspected files are isolatedfrom the system. The quarantine settings, status and contents are displayed in thiswindow.

You can editMalware Quarantine Rotation Conditions by clicking theModify buttonand editing the textboxes corresponding to the following criteria:

● Maximum size - set a size limit for the quarantine directory. If you type just a number,the limit will be set in bytes. By adding k, m or g after the number you can set thesize in Kilobytes, Megabytes or Gigabytes respectively.

● Maximum file count - set the maximum number of files the quarantine can containat one time.

● Maximum time in quarantine - set the maximum period of time a file can spendin the quarantine. If you type just a number, the limit will be set in seconds. By addingm, h, d or w after the number you can set the time period in minutes, hours, days orweeks respectively.

To disable a condition, type 0 in its corresponding box. Click the Apply button to savethe changes.



The contents of the quarantine are listed on the lower part of the window. For eachitem the UUID, time of quarantine, sender, recipients and subject are provided. Youcan use the following tools to easily browse and manage the quarantine:

● Edit filters - helps you filter the list of displayed items using the following criteria:Size - display items of certain file sizesTime of quarantine - display items added to the quarantine within a certain timeinterval

Original file name - display items with certain file namesIP address - display items originating from certain IP addresses

Status - display items infected by certain categories of malwareSender - display items originating from certain email addresses

Recipients - display items delivered to certain email addressesSubject - display items delivered in emails with certain subjectsInfection - filter items based on infection information:– Virus - display items affected by certain viruses– Status - display items with certain infection statuses– Performed action - display items that have been subjected to certain actionsby the scanner

– Infected object - display items that are found in certain locations.Select the filtering options and click Apply to use them on the list.

● Rebuild the list - refresh the list of quarantined files.● Delete selected - remove the selected items from the quarantine.

● Download selected - select quarantine items and download them to a location ofyour choice.

● You can choose howmany items are to be displayed per page by selecting a numberfrom the Entries per page drop-down list.

14.4.2. Spam QuarantineTo open this section, go to Quarantine and select Spam.



Spam Quarantine

This is where you will find the spam messages. The quarantine settings, status andcontents are displayed in this window.

You can edit Spam Quarantine Rotation Conditions by clicking the Modify buttonand editing the textboxes corresponding to the following criteria:

● Maximum size - set a size limit for the quarantine directory. If you type just a number,the limit will be set in bytes. By adding k, m or g after the number you can set thesize in Kilobytes, Megabytes or Gigabytes respectively.


● Maximum time in quarantine - set the maximum period of time a file can spendin the quarantine. If you type just a number, the limit will be set in seconds. By addingm, h, d or w after the number you can set the time period in minutes, hours, days orweeks respectively.

To disable a condition, type 0 in its corresponding box. Click the Apply button to savethe changes.



The contents of the quarantine are listed on the lower part of the window. For eachitem the UUID, time of quarantine, sender, recipients and subject are provided. Youcan use the following tools to easily browse and manage the quarantine:

● Edit filters - helps you filter the list of displayed items using the following criteria:Size - display items of certain file sizesTime of quarantine - display items added to the quarantine within a certain timeinterval

Original file name - display items with certain file namesIP address - display items originating from certain IP addresses

Sender - display items originating from certain email addresses

Recipients - display items delivered to certain email addressesSubject - display items delivered in emails with certain subjectsSPAM Stamp - display items with certain SpamStamp header values

Select the filtering options and click Apply to use them on the list.


● Download selected - download the selected quarantine items to a location of yourchoice.


14.4.3. Deferred QuarantineTo open this section, go to Quarantine and select Deferred.



Deferred Quarantine

The Deferred Quarantine is an isolated directory storing all the objects that may causeprocess crashing (for instance, malformed archives or zip-bombs). The quarantinesettings, status and contents are displayed in this window.

You can editDeferred Quarantine Rotation Conditions by clicking theModify buttonand editing the textboxes corresponding to the following criteria:

● Maximum size - set a size limit for the quarantine directory. If you type just anumber,the limit will be set in bytes. By adding k, m or g after the number you canset the size in Kilobytes, Megabytes or Gigabytes respectively.


● Maximum time in quarantine - set the maximum period of time a file can spendin the quarantine. If you type only a number, the limit will be set in seconds. Byadding m, h, d or w after the number you can set the time period in minutes, hours,days or weeks respectively.

To disable a condition, type 0 in its corresponding textbox. Click the Apply button tosave the changes.



The contents of the quarantine are listed on the lower part of the window. For eachitem the UUID, time of quarantine, agent and for agent are provided. You can use thefollowing tools to easily browse and manage the quarantine:

● Edit filters - helps you filter the list of displayed items using the following criteria:Size - display items that have certain file sizesTime of quarantine - display items added to the quarantine within a certain timeinterval

Original file name - display items with certain file namesAgent - display items quarantined by certain BitDefender modules (i.e. bdmond)For agent - display quarantine items detected by certain BitDefender modules

Select the filtering options and click Apply to use them on the list.


● Download selected - download the selected quarantine items to a location of yourchoice.


14.5. ComponentsTo open this section, go to Components and select Mail.



Components

To allow sending anonymous reports about the viruses and spam found on your serverto the BitDefender Lab, select the Realtime reporting checkbox. This way you canhelp BitDefender identify new viruses and spam and find quick remedies for them.

14.5.1. AntispamTo mark messages written in Asian or Cyrillic characters as spam, select thecorresponding checkboxes.

To clear the RBL cache, click the Flush button.

The RBL servers that are currently configured are listed under RBL Servers.To add a new server, click New and enter the server name and the trust level (a valuebetween 0 and 100) in the corresponding textboxes. Click Add to add the server tothe list.

14.5.2. Spam SubmissionsBy allowing users to submit spam messages to the BitDefender Lab you can helpimprove the pretrained Bayesian filter.



In order to use this feature, you have to configure its settings:

● Enable spam submissions by selecting the corresponding checkbox● Enter the POP3 host● Enable/disable SSL by selecting the corresponding checkbox● Set the time interval at which BitDefender will check the account for emails● Enter the user name and, if required, the password for the SPAM and HAM useraccounts

14.5.3. SMTPFor SMTP Proxy integration, you have to specify the following information in order toallow BitDefender to scan all email traffic:

● The real SMTP server address and port used by BitDefender to send the emails.By default the address is 127.0.0.1 and the port is 10025.

● The port BitDefender will listen on. By default, the port is 25.● The connection timeout specifies how long BitDefender will wait for incoming datathrough an already established connection before closing it.

Type the connection timeout value in seconds. For instance, if you type 60 and nodata is transmitted across the already established connection for 60 seconds,BitDefender will abort the connection. When the value is 0, no timeout connectionis enforced.

● The threads represent the maximum number of incoming concurrent connectionsBitDefender will be able to handle. If the value entered is negative, all the incomingconnection will be refused. When the value is 0, no threads limit is enforced.

● The maximum size of the email messages that will pass through the SMTP Proxy.If a message size surpasses this limit, the email message will be rejected. Whenthe value is 0, no size limit is enforced. All the files, regardless of their size, will bescanned.

NetworksThis section contains the networks BitDefender relays email messages from. Youmust add the address in IPv4 dotted format to the list to instruct BitDefender to acceptemails coming from these addresses, no matter of their destination.

The New button enables you to add one domain at a time. For each domain there isthe option to delete it by selecting the checkbox and then clicking Delete.



DomainsThe relay domains BitDefender will use to accept emails for are configured in thissection. For example, if your email server handles emails for the company1.com andcompany2.com domains, you must enter both domains in this section. If you havesubdomains, you must specify them explicitly as subdomain1.company3.com,subdomain2.company3.com, etc.

The New button enables you to add one relay domain at a time. For each domainthere is the option to delete it by selecting the checkbox and then clicking Delete.

Listen onYou can set a limit to the interfaces BitDefender listen on, specified by their IP address.To add an address, click New, fill in the textbox and click Add. To remove an address,select the corresponding checkbox and click the Delete button.

14.6. Maintenance14.6.1. Live! Update

To open this section, go to Maintenance and select Live! Update.



Live! Update

The Live! Update window provides information regarding the general update settingsand update status, the malware signatures version and number of signatures and theBitDefender Remote Admin version.

The default update server is http://upgrade.bitdefender.com and the default updateinterval is 1 hour. To use a different server or set a different time interval betweenupdates, enter the new information in the corresponding textbox and click Apply.Click the Update Now! button to trigger an automatic check and, possibly, update (ifthere are any updates on the server).

14.6.2. PatchesTo open this section, go to Maintenance and select Patches. Patches might appearafter the product is released. This is where you are provided with a list of availablepatches and a short description for each of them.

Choose which patches to install by selecting the checkbox next to them and click theUpdate button to start installing the selected patches.



http://upgrade.bitdefender.com

ImportantIt is highly recommended to install product patches as soon as they are available.

14.6.3. UsersTo open this section, go to Maintenance and select Users.

Users

This is where you can create and manage BitDefender Remote Admin user accounts.

Existing users appear in the user list. To view the permissions of a user, click Showdetailed permissions. To edit the credentials or permissions for a user, click theModify button next to that user. To remove a user, click the Delete button.To create a new user, click Add user.



Add New User

Fill in the necessary account information: the user name, the user's full name andaccount password and set the permissions by selecting their correspondingcheckboxes. Click the Add user button to finish.

14.6.4. Global ProxyTo open this section, go to Maintenance and select Global Proxy.



Global Proxy

This is where you can enter the proxy server settings.

If a proxy server is used to connect to the Internet, select the Enabled checkbox.

Enter the server address and port in the Host textbox. If authentication is required,you also have to enter the user name, password and domain in the correspondingtextboxes.

Click Apply to save the settings.

14.7. ReportsThis section offers the possibility to obtain statistical data regarding product activityas well as showing helpful charts for information related to memory consumption anddaemons activity.

14.7.1. StatisticsTo open this section, go to Reports and select Statistics.



Statistics

The statistical report table can be accessed in this section. Here you can findinformation about scanned objects regarding their status and the action taken: Scanned,Infected, Disinfected, Quarantined, Rejected, Spam, Ignored, Dropped, Piped, Filtered.

Use the Reset button to clear the statistics.

14.7.2. ChartsTo open this section, go to Reports and select Charts.



Charts

Here you can find two types of charts which you can select from the Chart typedrop-down list:

● Resource Usage - provides information related tomemory consumption and daemonsactivity

● Mail Statistics - provides information regarding actions taken on scanned objects

You can set which daemons' activity and which actions are to be displayed by selectingthe corresponding checkboxes.

The charts can be customized by selecting different sizes from the Chart sizedrop-down list and different time intervals from the Interval drop-down list.

14.8. LoggingThis section allows the customization of the logging process, realized by theBitDefender logging module.



14.8.1. File LoggingTo open this section, go to Logging and select File Logging.

File Logging

By default, you will be provided with a list of logging rules. For each rule you can seethe component (daemon) it applies to, the rule type, the location of the log file and thestatus. Enable/disable a rule by selecting the status from the corresponding drop-downlist.

Let's say you enable the Error messages for [Any] component rule. This means thatall error-related information, coming from all BitDefender daemons, will be found inthis location: /opt/BitDefender/var/log/error.log. Of course, you can easilymodify the location by editing the File name textbox.If you want to add a new rule, select the component it applies to and the rule type fromthe corresponding drop-down lists, type the location of the file into the File nametextbox and click Add this rule.To complete the setup, click the Apply button. To use the default rule set, click theRevert button.



14.8.2. Mail AlertsTo open this section, go to Logging and select Mail Alerts.

Mail Alerts

Mail alerts are simple email messages sent by BitDefender to the system administratorto inform him or her about special events or to the partners of an email communicationto inform them about malware found.

By default, you will be provided with a list of logging rules. For each rule you can seethe component (daemon) it applies to, the rule type, the email address and the status.Enable/disable a rule by selecting the status from the corresponding drop-down list.

If you want to add a new rule, select the component it applies to and the rule type fromthe corresponding drop-down lists, type the email address(es) the alerts should besent to into the Email addresses textbox and click Add this rule.To complete the setup, click the Apply button. To use the default rule set, click theRevert button.



15. SNMP15.1. Introduction

The SNMP (Simple Network Management Protocol) support of BitDefender consistsof two implementations: a SNMP daemon and a Logger plugin.

The SNMP daemon is a custom implementation of a snmpd service. It exports aminimal set of features to allow interrogation of BitDefender.

The second implementation, the Logger plugin, is just another module besides thefile logger, real-time virus and spam report module or mail notification module. Itreceives the same BitDefender events information as the others Logger Plugins andit sends them to some remote host running the SNMP trap server, which, in its turn,will process them (send to syslog, etc.).

15.2. The SNMP DaemonAs stated before, this is a daemon which allows the user to interrogate the BitDefendersettings.

One popular tool to do SNMP queries is snmpget, part of the net-snmp package.Each command must follow this syntax:

# snmpget -v 1 -Cf -c [community] [hostname] [OID]

Let's take an example. Suppose that you want to find out the number of scannedobjects on JohnDoe server. Simply run this command.

# snmpget -v 1 -Cf -c initial JohnDoe \1.3.6.1.4.1.22446.1.1.1.1.1.1

Below you will find the complete list of the OIDs.

OIDType1.3.6.1.4.1.22446.1.1.1.1.1.1Scanned1.3.6.1.4.1.22446.1.1.1.1.1.2Infected

SNMP 104


OIDType1.3.6.1.4.1.22446.1.1.1.1.1.3Disinfected1.3.6.1.4.1.22446.1.1.1.1.1.4Quarantined1.3.6.1.4.1.22446.1.1.1.1.1.5Dropped1.3.6.1.4.1.22446.1.1.1.2.1LastUpdate1.3.6.1.4.1.22446.1.1.1.2.2LastCheck1.3.6.1.4.1.22446.1.1.1.2.3CheckSecs1.3.6.1.4.1.22446.1.1.1.3.1.1License/Type1.3.6.1.4.1.22446.1.1.1.3.1.2License/Count (user)1.3.6.1.4.1.22446.1.1.1.3.1.3License/Count (domain)1.3.6.1.4.1.22446.1.1.3.1.1bdregd1.3.6.1.4.1.22446.1.1.3.1.2bdmond1.3.6.1.4.1.22446.1.1.3.1.3bdscand1.3.6.1.4.1.22446.1.1.3.1.4bdmaild1.3.6.1.4.1.22446.1.1.3.1.5bdlogd1.3.6.1.4.1.22446.1.1.3.1.6bdlived1.3.6.1.4.1.22446.1.1.3.1.7bdsmtpd1.3.6.1.4.1.22446.1.1.3.1.8bdmilterd

15.3. The BitDefender Logger PluginThe BitDefender Logger receives messages from various BitDefender componentsand presents them to the user in various formats. It can log the messages to a file,forward them by email to a designated address or, using this plugin, it can send themto a SNMP server.

15.3.1. PrerequisitesYou will need a working SNMP server installed on the same or on some other machine.Please take a look at the Troubleshooting section below, because there are someglitches you have be aware of.

SNMP 105


You will also need the following MIB files present in the mibs directory we have talkedabout before: BITDEFENDER-ALERTS-MIB.txt, BITDEFENDER-NOTIFY-MIB.txtand BITDEFENDER-TRAP-MIB.txt.

Regarding the SNMP protocol version, you can use 1, 2c or 3with the following notes.

● Alerts of the TRAP type can be sent using the SNMP protocol versions 1 2c and 3.● Alerts of the INFORM type can be sent using the SNMP protocol versions 2c and3.

● Protocol 3 needs the user and offers authentication and encryption.● Protocols 1 and 2c need no user, they use the community string, which is publicby default.

15.3.2. ConfigurationThe messages sent to the SNMP server are received by the snmptrapd daemon. Weneed to configure it. But first, please make sure the SNMP services are not running.

We need a username for the SNMP version 3 protocol. If you want to use version 1or 2c, you do not need the user and you can skip the following paragraphs.

Let's use the same bitdefender username as above. Make sure there is this linein the /etc/snmp/snmpd.conf file.

rwuser bitdefender

Thus we specify that this user who is not yet defined will have read and write access.Add this line at the end of the /var/net-snmp/snmptrapd.conf file and rememberthe passwords should be longer than 8 characters. If the file does not exist, just createit.

createUser -e 0xBD224466 bitdefender MD5 <authpass> DES <privpass>

If you plan to use the INFORM alerts, without need for the EngineID, you will have toadd an user without specifying the EngineID. The user defined in the line above willnot work, so add a new one.

createUser bitdefender_inform MD5 <authpass> DES <privpass>

SNMP 106


Let's stop a while and explain this line. You are free to change anything in it with theonly condition to reflect the changes in the BitDefender configuration.

-e 0xBD224466This is the EngineID. It is mandatory for alerts of the TRAP type and optional forthe INFORM type. The alert type should be specified in/BDUX/LoggerDaemon/Plugins/SNMP/AlertType registry key.

The EngineID must also be specified in the BitDefender registry at the/BDUX/LoggerDaemon/Plugins/SNMP/SecurityEngineID key. If not used(it is optional when the alerts type is INFORM), the SecurityEngineID key mustbe empty.

bitdefenderThis is the user to create for authenticated SNMP v3. The same name should bedeclared in the /etc/snmp/snmpd.conf (please read above) and in the/BDUX/LoggerDaemon/Plugins/SNMP/SecurityName registry key.

MD5The authentication protocol (MD5 or SHA1) used for authenticated SNMP v3. Thes a m e v a l u e m u s t b e f o u n d i n/BDUX/LoggerDaemon/Plugins/SNMP/AuthProto registry key.

<authpass>Set the authentication pass phrase used for authenticated SNMP v3 messages.T h e s a m e v a l u e m u s t b e f o u n d i n t h e/BDUX/LoggerDaemon/Plugins/SNMP/AuthProtoPass registry key.

DESSet the privacy protocol (DES or AES) used for encrypted SNMP v3 messages.T h e s a m e v a l u e m u s t b e f o u n d i n t h e/BDUX/LoggerDaemon/Plugins/SNMP/SecurityPrivProto registry key.

<privpass>Set the privacy pass phrase used for encrypted SNMP v3 messages. The samev a l u e m u s t b e f o u n d i n t h e/BDUX/LoggerDaemon/Plugins/SNMP/SecurityPrivProtoPass registrykey.

This line will be replaced with another one, with encrypted passwords, when thesnmptrapd daemon is started.

One more thing: you do not need to use all the parameters specified above for SNMPv3. You can use the authentication without encryption (the SecurityLevel key is

SNMP 107


authNoPriv) or no authentication and no encryption (the SecurityLevel key isnoAuthNoPriv). You have to modify the createUser line accordingly.

This would be the user. Now, let's get back to the /etc/snmp/snmpd.conf file andadd some more lines. You might find them already in your file, but commented out.Uncomment them and set the correct values.

# trapsink: A SNMPv1 trap receivertrapsink localhost

# trap2sink: A SNMPv2c trap receivertrap2sink localhost

# informsink: A SNMPv2c inform (acknowledged trap) receiverinformsink localhost public

# trapcommunity: Default trap sink community to usetrapcommunity public

# authtrapenable: Should we send traps when authentication# failures occurauthtrapenable 1

I think this is the moment to start the snmpd and snmptrapd daemons. If you get anerror, please review the configuration.

15.3.3. UsageNow you can test the SNMP server. Here are some commands you may start with.The first one will send the TRAP alert that should be logged on syslog. Please notewe use the EngineID.

# snmptrap -e 0xBD224466 -v 3 -m ALL -u bitdefender -l authPriv \-a MD5 -A <authpass> -x DES -X <privpass> localhost 42 \coldStart.0

Another command sends an INFORM alert. In this case, there is no need to specifythe EngineID and the user you have created must not have the EngineID. In ourexamples, we have created the bitdefender_inform user for this purpose. Thealert will be logged on the syslog too.

SNMP 108


# snmpinform -v 3 -m ALL -u bitdefender_inform -l authPriv -a MD5 \-A <authpass> -x DES -X <privpass> localhost 42 \coldStart.0

If you do not want to use the SNMP version 3 protocol, you can use the other twosupported: 1 and 2c. In this case you do not need the username, all you have to knowis the community string. This is public by default. For example, for version 2c, usethis command.

# snmptrap -c public -v 2c -m ALL localhost 42 coldStart.0

If everything is all right and BitDefender is properly configured (that means the registrykeys fit the SNMP server configuration), all you have to do is to enable the plugin (ifnot already enabled) and try it by sending emails through the MTA. You will shortlysee the report on the syslog of the machine running the SNMP server.

15.4. TroubleshootingDue to some newly found bug in the net-snmp package, the TRAP feature does notwork for net-snmp version 5.2.2 or newer with the SNMP version 3 protocol (but itworks in version 5.2.1). This bug will hopefully be fixed by the net-snmp team soon.

For more information, please see the discussion from the following thread:http://sourceforge.net/mailarchive/forum.php?thread_id=9098786&forum_id=4959.

SNMP 109


http://sourceforge.net/mailarchive/forum.php?thread_id=9098786&forum_id=4959

Getting Help

110


16. Support16.1. Support department

As a valued provider, BitDefender strives to offer its customers an unparalleled levelof fast and accurate support. The Support Center listed below is continually updatedwith the newest virus descriptions and answers to common questions, so that youobtain the necessary information in a timely manner.

At BitDefender, dedication to saving customers' time and money by providing the mostadvanced products at the fairest prices has always been a top priority. Moreover, wethink that a successful business is based on good communication and a commitmentto excellence in customer support.

You are welcome to ask for support at [email protected] any time. For aprompt response, please include in your email as many details as you can about yourBitDefender, about your system and describe the problem as accurately as possible.

16.2. On-line help16.2.1. BitDefender Knowledge Base

The BitDefender Knowledge Base is an online repository of information aboutBitDefender products. It stores, in an easily accessible format reports on the resultsof the ongoing technical support and bug fixing activities of the BitDefender supportand development teams, along with more general articles about virus prevention, themanagement of BitDefender solutions and detailed explanations, and many otherarticles.

The BitDefender Knowledge Base is open to the public and freely searchable. Thiswealth of information is yet another way to provide BitDefender customers with thetechnical knowledge and insight they need. All valid requests for information or bugreports coming from BitDefender clients eventually find their way into the BitDefenderKnowledge Base, as bug fix reports, workaround cheatsheets or informational articlesto supplement product help files.

The BitDefender Knowledge Base is available any time at http://kb.bitdefender.com.

Support 111



http://kb.bitdefender.com

16.2.2. BitDefender Unix Servers Mailing ListThe BitDefender mailing lists bring the latest information regarding security, offeron-line technical support and provide valuable feedback. They are grouped in thefollowing categories.

● Technical Support.● Product Announcements: bug-fixes, new features or versions, etc.● Community feedback.

Subscribe and UnsubscribeIn order to join the BitDefender mailing lists, please undertake the following steps:

● Send a blank message to [email protected] with thesubject line subscribe.

● Confirm your subscription, validate your email address, by redirecting or forwardingthe received email from BitDefender to the same address, while leaving the messagebody unchanged.

To unsubscribe from themailing list, send an empty mail with the subject unsubscribeto [email protected], and follow the received instructions.

Submit a messageTo post a message in the list, compose a new message and send it [email protected], with a subject line describing your topic andincluding all details in your message.

Below are the guidelines and rules of the BitDefender discussion list:

● The official language of BitDefender mailing lists is English.● Messages must be plain text, instead of HTML or Rich Text.● All mails should have a short descriptive Subject line, specifying the product youare referring to.

● Necessary details must be included in the messages so that other list members canfully understand the situation.

● The posts may be moderated by the BitDefender Customer Service Department, ifthe message does not conform to standard and common-sense policies.

Support 112





16.3. Online ForumYou can also visit our online forum. Please log in to take benefit of the fruitfuldiscussions in the forum.

16.4. Contact informationEfficient communication is the key to a successful business. For the past 10 yearsBitDefender has established an indisputable reputation in exceeding the expectationsof clients and partners, by constantly striving for better a communication. Please donot hesitate to contact us regarding any issues or questions you might have

16.4.1. Web AddressesSales department: [email protected] support: http://kb.bitdefender.comDocumentation: [email protected] Program: [email protected]: [email protected] Relations: [email protected] Opportunities: [email protected] Submissions: [email protected] Submissions: [email protected] Abuse: [email protected] web site: http://www.bitdefender.comProduct ftp archives: ftp://ftp.bitdefender.com/pubLocal distributors: http://www.bitdefender.com/partner_listBitDefender Knowledge Base: http://kb.bitdefender.com

16.4.2. BitDefender OfficesThe BitDefender offices are ready to respond to any inquiries regarding their areas ofoperation, both in commercial and in general matters. Their respective addresses andcontacts are listed below.

North AmericaBitDefender, LLCPO Box 667588Pompano Beach, Fl 33066

Support 113


http://forum.bitdefender.com/












ftp://ftp.bitdefender.com/pub

http://www.bitdefender.com/partner_list


Phone (sales&technical support): 1-954-776-6262Sales: [email protected]: http://www.bitdefender.comWeb Self-Service: http://kb.bitdefender.com/site/KnowledgeBase/showMain/2/

GermanyBitDefender GmbHAirport Office CenterRobert-Bosch-Straße 259439 HolzwickedeDeutschlandPhone (office&sales): +49 (0)2301 91 84 222Phone (technical support): +49 (0)2301 91 84 444Sales: [email protected]: http://www.bitdefender.deWeb Self-Service: http://www.bitdefender.de/site/KnowledgeBase/showMain/2/

UK and IrelandBusiness Centre 10 Queen StreetNewcastle, StaffordshireST5 1EDUKPhone (sales&technical support): +44 (0) 8451-305096E-mail: [email protected]: [email protected]: http://www.bitdefender.co.ukWeb Self-Service: http://kb.bitdefender.com/site/KnowledgeBase/showMain/2/

Spain and Latin AmericaBitDefender España SLUAvda. Diagonal, 357, 1º 1ª08037 BarcelonaEspañaFax: +34 932179128Phone (office&sales): +34 902190765Phone (technical support): +34 935026910Sales: [email protected]: http://www.bitdefender.es

Support 114




http://kb.bitdefender.com/site/KnowledgeBase/showMain/2/


http://www.bitdefender.de

http://www.bitdefender.de/site/KnowledgeBase/showMain/2/



http://www.bitdefender.co.uk

http://kb.bitdefender.com/site/KnowledgeBase/showMain/2/


http://www.bitdefender.es

Web Self-Service: http://www.bitdefender.es/site/KnowledgeBase/showMain/2/

RomaniaBITDEFENDER SRLWest Gate Park, Building H2, 24 Preciziei StreetBucharest, Sector 6Fax: +40 21 2641799Phone (sales&technical support): +40 21 2063470Sales: [email protected]: http://www.bitdefender.roWeb Self-Service: http://www.bitdefender.ro/site/KnowledgeBase/showMain/2/

EMEA and APAC Business UnitBITDEFENDER SRLWest Gate Park, Building H2, 24 Preciziei StreetBucharest, Sector 6RomaniaFax: +40 21 2641799Phone (sales&technical support): +40 21 2063470Sales: [email protected]: http://www.bitdefender.comWeb Self-Service: http://www.bitdefender.com/site/KnowledgeBase/showMain/2/

Support 115


http://www.bitdefender.es/site/KnowledgeBase/showMain/2/


http://www.bitdefender.ro

http://www.bitdefender.ro/site/KnowledgeBase/showMain/2/



http://www.bitdefender.com/site/KnowledgeBase/showMain/2/

Appendices

116


A. Supported antivirus archives and packsBitDefender scans inside the most common types of archives and packed files,including, but not limited to the following.

Supported archive typesJarAceMS CompressArcLha (lzx)ArjRar (including 3.0)bzip2Rpm (clean+delete)CabTar (clean+delete)Cpio (clean+delete)ZGzip (clean+delete)Zip (clean+delete)HaZooImp

Installation packersInstallShield (ishield.xmd)Inno (Inno Installer)Nullsoft Installer (NSIS)InstylerWise InstallerVISE (viza.xmd)

Mail archivesDbx (Outlook Express 5, 6 mailboxes)Mbx (Outlook Express 4 mailbox)Pst (Outlook mailboxes, supports clean and delete)Mime (base64, quoted printable, plain) supports clean and deleteMbox (plain mailbox - Linux and Netscape)Hqx (HQX is a format used for mail attachments on Mac)UudecodeTnef (a Microsoft format in which some properties of the attachments are encoded,and which can contain scripts)

Supported packersPELock NTACProtect / UltraProtect

Supported antivirus archives and packs 117


Pencrypt (3.1, 4.0a, 4.0b)ASPack (all versions)PePack (all versions)Bat2exec (1.0, 1.2, 1.3, 1.4, 1.5, 2.0)PerplexYoda's CryptorPeShieldCExePeSpinDietPetite (all versions)DxPackPexDzaPhrozenCrew PE Shrinker (0.71)PatcherPkLiteECLIPSEPKLITE32 (1.11)Exe32Pack (1.38)PolyeneExePackRelPackExeStealthRjcrush (1.00, 1.10)JdProtectShrinker (3.3, 3.4)LzexeVgCryptMewStpeMolebox (2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.8)Telock (all versions)MorphineT-packNeoliteUcexePC/PE Shrinker 0.71UPolyxPCPECUPX (all versions)PE Crypt 32 (1.02 (a,b,c)WWPACK32 (1.0b9, 1.03, 1.12, 1.20)PE PACK\CRYPTWwpack (3.01, 3.03, 3.04, 3.04PU, 3.05,3.05PU)

PeBundle

Xcomor (0.99a, 0.99d, 0.99f (486), 0.99h,0,99i)

pecompact (up to 1.40 beta 3)

PeDiminisher

OthersChm (contains html which can be infected)Iso (CD images)PdfRtfMso (contains compressed OLE2 files, this way macros are saved in case a Doc issaved as html)Swf (extracts certain fields that contain various commands; these are scanned byother plug-ins, for ex: SDX)Bach (extracts debug.exe scripts on the basis of heuristic methods)Omf (object file)

Supported antivirus archives and packs 118


B. Alert templatesAll alerts can be customized. BitDefender provides a template mechanism to generatethe alert messages. These templates are plain text files containing the desired noticeand certain variables, keywords, which will be replaced with their proper values duringthe alert generation.

B.1. VariablesThe variables and their meaning are described in the table below.

DescriptionVariableThis variable will be replaced with the BitDefender string.${BitDefender}

The sender of the email, taken from MAIL FROM: SMTPcommand.

${RealSender}

The recipients of the email, taken from RCPT TO: SMTPcommand.

${RealReceivers}

The sender of the email, from the From: header of theemail.

${HeaderSender}

The receivers of the email, from the To: and Cc: emailheaders.

${HeaderReceivers}

The subject of the alert email.${Subject}

The object containing the malware.${Object}

The action taken on the object.${Action}

The virus name.${Virus}

The status of the object, namely Infected, Suspected,Unknown.

${Status}

The remaining period until key expiration.${Days}

The variable ${BitDefender}It is mandatory to include the variable ${BitDefender} in your custom template.If it is not found, the module will use the built-in template instead.

Alert templates 119


These variables can be combined in any form inside the object lists in order to generatea custom template, no matter the language. By default, the templates are stored insidethe /opt/BitDefender/share/templates/language directory. For everysupported language, there are subdirectory entries, such as en, ro, de, fr, hu, es.Inside the language subdirectories, there are the template files, suggestively named.

Regarding the email alerts, the involved templates are the following:MailServerAlert.tpl, KeyHasExpiredAlert.tpl,KeyWillExpireAlert.tpl, ReceiverAlert.tpl and SenderAlert.tpl.

The template nameYou do not have to keep the default file name or location. The only mandatory thing isto refer it accordingly inside the BitDefender Registry, under its corresponding key.

B.2. Sample resultsLooking inside the above-mentioned files, one could get confused about their structure.Here are the defaults for the English language and possible results when generatingalerts.

B.2.1. MailServer AlertThis is the alert the postmaster will receive when an infected message is found. Thevariables that could be used are as follows.

● ${RealSender}● ${RealReceivers}● ${HeaderSender}● ${HeaderReceivers}● ${Subject}● ${Object}● ${Action}● ${Virus}● ${Status}● ${BitDefender}

The default template is the following.

Subject: System info

Alert templates 120


${BitDefender} found an infected object in a message:

Real sender: ${RealSender}

Real receivers: ${RealReceivers}

From: ${HeaderSender}

To: ${HeaderReceivers}

Subject: ${Subject}

Virus: ${Virus}

http://www.bitdefender.com/vfind/?q=${virus}

Object: ${Object}

Status: ${Status}

Action: ${Action}

Thank you for choosing ${BitDefender}

http://www.bitdefender.com/

This will expand into the following message (provided as an example).

Subject: System info

BitDefender found an infected object in a message:

Alert templates 121


Real sender: <[email protected]>

Real receivers: <[email protected]>

From: The Sender <[email protected]>

To: The Receiver <[email protected]>

Subject: klez

Virus: Win32.Klez.A@mm

http://www.bitdefender.com/vfind/?q=Win32.Klez.A@mm

Object: /tmp/bdnp.milter.qf2aqW=>[Subject: klez]

Status: Infected

Action: Deleted

Thank you for choosing BitDefender

http://www.bitdefender.com/

B.2.2. Sender AlertThis is the alert the sender of the original email will receive when an infected messagehe has sent is found. Variables that could be used:

● ${RealReceivers}● ${HeaderReceivers}● ${Subject}● ${Object}● ${Action}● ${Virus}● ${Status}● ${BitDefender}

Alert templates 122



Subject: Virus Warning!

${BitDefender} found an infected object

in a message that was sent from your address

Real receiver: ${RealReceivers}

To: ${HeaderReceivers}

Subject: ${Subject}

Virus: ${Virus}


Object: ${Object}

Status: ${Status}

Action: ${Action}

For more information about ${BitDefender}

please visit http://www.bitdefender.com/


Subject: Virus Warning!

BitDefender found an infected object

Alert templates 123


in a message that was sent from your address

Real receivers: <[email protected]>

To: The Receiver <[email protected]>

Subject: klez




Status: Infected

Action: Deleted

For more information about BitDefender


B.2.3. Receiver AlertThis is the alert the receiver of the original email will get when an infected messagehaving reached him is found. Variables that could be used:

● ${RealSender}● ${HeaderSender}● ${Subject}● ${Object}● ${Action}● ${Virus}● ${Status}● ${BitDefender}


Alert templates 124


Subject: Virus warning!

${BitDefender} found an infected object

in a message addressed to you:

Real sender: ${RealSender}

From: ${HeaderSender}

Subject: ${Subject}

Virus: ${Virus}


Object: ${Object}

Status: ${Status}

Action: ${Action}

For more information about ${BitDefender}



Subject: Virus warning!

BitDefender found an infected object

in a message addressed to you:

Alert templates 125


Real sender: <[email protected]>

From: The Sender <[email protected]>

Subject: klez




Status: Infected

Action: Deleted

For more information about BitDefender


B.2.4. KeyWillExpire AlertThis is the alert the system administrator will receive when the license key is about toexpire. Variables that could be used:

● ${Days}● ${BitDefender}


Subject: Registration info

Your ${BitDefender} license will expire in ${Days} days!

Alert templates 126



B.2.5. KeyHasExpired AlertThis is the alert the system administrator will receive when the license key has expired.The variables that could be used are the next ones.

● ${BitDefender}


Subject: Registration Error

Your ${BitDefender} license has expired!


Alert templates 127


C. Footer templatesBitDefender supports full customization of the footers appended to the emails andindicating whether they are clean or infected as well as extra detailed informationabout the infection. These footers are user-configurable: based on templates, theyinclude several keywords, named variables, which will be replaced by the BitDefendernotifying module with their corresponding values.

C.1. VariablesThe variables and their meaning are described in the table below.

DescriptionVariableThis variable will be replaced with the BitDefender string.${BitDefender}

These are the markers of the object list boundary. Multipleobject lists are allowed, provided they are not imbricated.

${begin}, ${end}

The file or object found infected or suspected of being infected.${object}

The status of the object, namely Infected, Suspected,Unknown.

${status}

The virus name. If you want to know more about the reportedvirus, use the Virus Encyclopedia.

${virus}

The action taken for the object, namely Disinfected,Deleted, Quarantined, Dropped, Rejected, Ignored.

${action}

Normally Dropped and Rejected should never appear, sincethese emails are lost.

The variable ${BitDefender}It is mandatory to include variable ${BitDefender} in your custom template. If itis not found, the module will use the built-in template instead.

These variables can be combined in any form inside the object lists in order to generatea custom template, no matter the language. By default, the templates are stored insidethe /opt/BitDefender/share/templates/language directory. For everysupported language, there are subdirectory entries, such as en, ro, de, fr, hu, es.Inside the language subdirectories, there are the template files, suggestively named.

Footer templates 128


http://www.bitdefender.ro/site/VirusInfo/browseVirusEnciclopedia/

Regarding the email footers, the involved template is bd.tpl.

The template nameYou do not have to keep the default file name or location. The only mandatory thing isto refer it accordingly inside the BitDefender Registry, under its corresponding key.

C.2. Sample resultsLooking inside the above-mentioned file, one could get confused about the structure.Here are the defaults for the English language and possible results when generatingthe footers.

Text encodingTo avoid strange output results, the text must be written using the plain ASCII characterset, since there is no charset encoding conversion.

The default template is as follows.

-------------------------------------------------------------

This mail was scanned by ${BitDefender}

For more information please visit http://www.bitdefender.com

${begin:virus}

Found virus:

Object: ${object}

Name: ${virus}

Status: ${status}

Action: ${action}

${end}



-------------------------------------------------------------

C.2.1. CleanWhen the message is clean, the footer will as follows.

-------------------------------------------------------------

This mail was scanned by BitDefender

For more informations please visit http://www.bitdefender.com

-------------------------------------------------------------

C.2.2. IgnoredWhen an infected email is found and the action was to ignore that object, the resultis the following.

-------------------------------------------------------------



Found virus:

Object: (MIME part)=>(application)=>word/W97M.Smac.D

Name: W97M.Smac.D

Status: Infected

Action: Ignored



-------------------------------------------------------------

C.2.3. DisinfectedFinally, when an infected email was found and cleaned, the result will read as follows.

-------------------------------------------------------------



Found virus:

Object: (MIME part)=>(application)=>word/W97M.Story.A

Name: W97M.Story.A

Status: Infected

Action: Disinfected

-------------------------------------------------------------



GlossaryActiveX

ActiveX is a model for writing programs so that other programs and the operatingsystem can call them. The ActiveX technology is used with Microsoft InternetExplorer to make interactive Web pages that look and behave like computerprograms, rather than static pages. With ActiveX, users can ask or answerquestions, use push buttons, and interact in other ways with the Web page.ActiveX controls are often written using Visual Basic.

Active X is notable for a complete lack of security controls; computer securityexperts discourage its use over the Internet.

ArchiveA disk, tape, or directory that contains files that have been backed up.

A file that contains one or more files in a compressed format.

BackdoorA hole in the security of a system deliberately left in place by designers ormaintainers. The motivation for such holes is not always sinister; some operatingsystems, for example, come out of the box with privileged accounts intended foruse by field service technicians or the vendor's maintenance programmers.

Boot sectorA sector at the beginning of each disk that identifies the disk's architecture (sectorsize, cluster size, and so on). For startup disks, the boot sector also contains aprogram that loads the operating system.

Boot virusA virus that infects the boot sector of a fixed or floppy disk. An attempt to bootfrom a diskette infected with a boot sector virus will cause the virus to becomeactive in memory. Every time you boot your system from that point on, you willhave the virus active in memory.

BrowserShort for Web browser, a software application used to locate and display Webpages. The two most popular browsers are Netscape Navigator and MicrosoftInternet Explorer. Both of these are graphical browsers, which means that theycan display graphics as well as text. In addition, most modern browsers can

Glossary 132


present multimedia information, including sound and video, though they requireplug-ins for some formats.

Command lineIn a command line interface, the user types commands in the space provideddirectly on the screen, using command language

CookieWithin the Internet industry, cookies are described as small files containinginformation about individual computers that can be analyzed and used byadvertisers to track your online interests and tastes. In this realm, cookietechnology is still being developed and the intention is to target ads directly towhat you've said your interests are. It's a double-edge sword for many peoplebecause on one hand, it's efficient and pertinent as you only see ads about whatyou're interested in. On the other hand, it involves actually "tracking" and"following" where you go and what you click. Understandably so, there is a debateover privacy and many people feel offended by the notion that they are viewedas a "SKU number" (you know, the bar code on the back of packages that getsscanned at the grocery check-out line). While this viewpoint may be extreme, insome cases it is accurate.

Disk driveIt's a machine that reads data from and writes data onto a disk.

A hard disk drive reads and writes hard disks.

A floppy drive accesses floppy disks.

Disk drives can be either internal (housed within a computer) or external (housedin a separate box that connects to the computer).

DownloadTo copy data (usually an entire file) from a main source to a peripheral device.The term is often used to describe the process of copying a file from an onlineservice to one's own computer. Downloading can also refer to copying a file froma network file server to a computer on the network.

E-mailElectronic mail. A service that sends messages on computers via local or globalnetworks.

Glossary 133


EventsAn action or occurrence detected by a program. Events can be user actions, suchas clicking a mouse button or pressing a key, or system occurrences, such asrunning out of memory.

False positiveOccurs when a scanner identifies a file as infected when in fact it is not.

Filename extensionThe portion of a filename, following the final point, which indicates the kind ofdata stored in the file.

Many operating systems use filename extensions, e.g. Unix, VMS, and MS-DOS.They are usually from one to three letters (some sad old OSes support no morethan three). Examples include "c" for C source code, "ps" for PostScript, "txt" forarbitrary text.

HeuristicA rule-based method of identifying new viruses. This scanning method does notrely on specific virus signatures. The advantage of the heuristic scan is that it isnot fooled by a new variant of an existing virus. However, it might occasionallyreport suspicious code in normal programs, generating the so-called "falsepositive".

Internet Protocol (IP)A routable protocol in the TCP/IP protocol suite that is responsible for IPaddressing, routing, and the fragmentation and reassembly of IP packets.

Java appletA Java program which is designed to run only on a web page. To use an appleton a web page, you would specify the name of the applet and the size (lengthand width--in pixels) that the applet can utilize. When the web page is accessed,the browser downloads the applet from a server and runs it on the user's machine(the client). Applets differ from applications in that they are governed by a strictsecurity protocol.

For example, even though applets run on the client, they cannot read or writedata onto the client's machine. Additionally, applets are further restricted so thatthey can only read and write data from the same domain that they are servedfrom.

Glossary 134


Macro virusA type of computer virus that is encoded as a macro embedded in a document.Many applications, such as Microsoft Word and Excel, support powerful macrolanguages.

These applications allow you to embed a macro in a document, and have themacro execute each time the document is opened.

Mail clientAn e-mail client is an application that enables you to send and receive e-mail.

MemoryInternal storage areas in the computer. The term memory identifies data storagethat comes in the form of chips, and the word storage is used for memory thatexists on tapes or disks. Every computer comes with a certain amount of physicalmemory, usually referred to as main memory or RAM.

Non-heuristicThis scanning method relies on specific virus signatures. The advantage of thenon-heuristic scan is that it is not fooled by what might seem to be a virus, anddoes not generate false alarms.

Packed programsA file in a compression format. Many operating systems and applications containcommands that enable you to pack a file so that it takes up less memory. Forexample, suppose you have a text file containing ten consecutive spacecharacters. Normally, this would require ten bytes of storage.

However, a program that packs files would replace the space characters by aspecial space-series character followed by the number of spaces being replaced.In this case, the ten spaces would require only two bytes. This is just one packingtechnique - there are many more.

PathThe exact directions to a file on a computer. These directions are usually describedby means of the hierarchical filing system from the top down.

The route between any two points, such as the communications channel betweentwo computers.

Polymorphic virusA virus that changes its form with each file it infects. Since they have no consistentbinary pattern, such viruses are hard to identify.

Glossary 135


PortAn interface on a computer to which you can connect a device. Personalcomputers have various types of ports. Internally, there are several ports forconnecting disk drives, display screens, and keyboards. Externally, personalcomputers have ports for connecting modems, printers, mice, and other peripheraldevices.

In TCP/IP and UDP networks, an endpoint to a logical connection. The port numberidentifies what type of port it is. For example, port 80 is used for HTTP traffic.

Report fileA file that lists actions that have occurred. BitDefender maintains a report filelisting the path scanned, the folders, the number of archives and files scanned,how many infected and suspicious files were found.

ScriptAnother term for macro or batch file, a script is a list of commands that can beexecuted without user interaction.

Startup itemsAny files placed in this folder will open when the computer starts. For example,a startup screen, a sound file to be played when the computer first starts, areminder calendar, or application programs can be startup items. Normally, analias of a file is placed in this folder rather than the file itself.

System trayIntroduced with Windows 95, the system tray is located in the Windows taskbar(usually at the bottom next to the clock) and contains miniature icons for easyaccess to system functions such as fax, printer, modem, volume, and more.Double click or right click an icon to view and access the details and controls.

Transmission Control Protocol/Internet Protocol (TCP/IP)Transmission Control Protocol/Internet Protocol - A set of networking protocolswidely used on the Internet that provides communications across interconnectednetworks of computers with diverse hardware architectures and various operatingsystems. TCP/IP includes standards for how computers communicate andconventions for connecting networks and routing traffic.

TrojanA destructive program that masquerades as a benign application. Unlike viruses,Trojan horses do not replicate themselves but they can be just as destructive.

Glossary 136


One of the most insidious types of Trojan horse is a program that claims to ridyour computer of viruses but instead introduces viruses into your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giantwooden horse to their foes, the Trojans, ostensibly as a peace offering. But afterthe Trojans drag the horse inside their city walls, Greek soldiers sneak out of thehorse's hollow belly and open the city gates, allowing their compatriots to pour inand capture Troy.

UpdateA new version of a software or hardware product designed to replace an olderversion of the same product. In addition, the installation routines for updates oftencheck to make sure that an older version is already installed on your computer;if not, you cannot install the update.

BitDefender has its own update module that allows you to manually check forupdates, or let it automatically update the product.

VirusA program or piece of code that is loaded onto your computer without yourknowledge and runs against your will. Most viruses can also replicate themselves.All computer viruses are manmade. A simple virus that can copy itself over andover again is relatively easy to produce. Even such a simple virus is dangerousbecause it will quickly use all available memory and bring the system to a halt.An even more dangerous type of virus is one capable of transmitting itself acrossnetworks and bypassing security systems.

Virus definitionThe binary pattern of a virus, used by the antivirus program to detect and eliminatethe virus.

WormA program that propagates itself over a network, reproducing itself as it goes. Itcannot attach itself to other programs.

Glossary 137


bitdefender free antispam for mailservers unix

Documents