This document will illustrate how to setup and configure virus scanning.
To enable virus scanning, the Virus Scan Interceptor must be installed and configured.
Once the Virus Scan Interceptor is installed, all attachments to messages posted to forums are flagged for the Virus Scanner. Messages containing attachments are hidden until the attachment is scanned.
The Virus Scan Settings allow you to configure the ICAP server address as well as notification options for when viruses are found.
Virus scanning can be started and stopped. When stopped, messages will still be flagged by the interceptor and will build up in the queue. When started, all messages in the queue will be scanned, as well as any incoming message attachments.
One of three things will happen when an attachment is scanned:
Nothing is done to the attachment and it is posted normally.
The virus scanner found a virus but was able to fix it. The corrected file will be returned by the virus scanner and the attachment will be updated with the clean version.
The virus scanner found a virus but was unable to fix it. The attachment could not be posted.
When an attachment is blocked. Several things happen.
The name of the new attachment will be similar to the name of the blocked attachment. For instance, if the original attachment was named "virus.exe" the new attachment will be called "BLOCKED_virus_exe.txt".
Email notifications will be sent to all email addresses listed in the configuration under "Email Notification List". The email will some from the configured user name and email address, with body and subject specified in the configuration. If the "Notify User" option in the configuration is selected, the user who posted the infected file will also receive an email notification.
To configure the Virus Scanner Interceptor to work correctly with Trend Micro's InterScan, two key steps must be followed:
The uri configuration options must be of the form "icap://<hostname or ip of interscan>/interscan". If InterScan has been configured to listen on a port other than the default port 1344, the uri must look like "icap://<hostname or ip of interscan>:<port>/interscan"
Go to the InterScan administrative tool. Select "HTTP > Scanning > Notification", choose "Both" for "Downloaded file" and click "Save". Then click on the "Both" link under "Downloaded file" and add the following text to the "Customized Message": <!-- (virus=%v[Virus or Trojan name]) -->. Finally, click "Save". This additional text allows the Interceptor to correctly acquire the information about the virus found when a message is blocked. Since it is an HTML comment, Interscan can continue to be used in conjunction with an HTTP proxy and the page that web users see will be unaffected.
To disable virus scanning, simply stop the virus scanner and remove the Virus Scan Interceptor.