Welcome to Ebola!

Only really useful to DEVELOPERS

Ebola is an AntiVirus scanning daemon which considerably improves the performance of scanning systems such as AMaViS, Inflex and other programs that require on-demand scanning from various AV engines (e.g. Sophos).

Ebola works by keeping the AV engines loaded. This immediately removes the build-up and teardown overhead that AMaViS and Inflex previously paid for every scan.

Ebola listens for file scanning requests using BSD sockets on port 1665 (typically). Once authenticated to the Ebola daemon, the client application can proceed to send file scan requests to Ebola. Below is a typical conversation between client and daemon...

bash-2.03$ telnet inflex 1665
Trying 192.168.1.5...
Connected to inflex.
Escape character is '^]'.
Welcome to Ebola v0.1.1
user pldaniels
USER name received, please send PASS
pass xxxxxxxx
PASS accepted, you may proceed to SCAN
scan /home/worker/windvd21.zip
0
scan /home/worker/telkom_phphtml.tar.gz
0
scan /home/worker/eicar.com
200
quit
Goodbye
Connection closed by foreign host.
bash-2.03$ 

As you can see, it's a very simple protocol: the client sends a path and the daemon replies with a numeric result. It should be NOTED that BOTH the Ebola daemon and the client are expected to exist on the SAME MACHINE (though this doesn't have to be strictly so), since the daemon must be able to read the path it is asked to scan.
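A client for the exchange above, written in Python as an added example (it is not part of Ebola, nor of any of the programs that use it): it logs in, scans a list of paths, reads the numeric result for each, and quits. The daemon end is a constructed stand-in that replays the replies shown in the session on one end of a socketpair; the password, the path-to-result table and the "PASS rejected" reply are assumptions for the example, and the real daemon is not involved.

```python
import socket
import threading
# Constructed values for the stand-in daemon: a password and a path -> result map
MOCK_PASSWORD = "xxxxxxxx"
MOCK_RESULTS = {"/home/worker/windvd21.zip": "0", "/home/worker/eicar.com": "200"}

def mock_daemon(sock):
    with sock, sock.makefile("rw", encoding="utf-8", newline="\n") as f:
        f.write("Welcome to Ebola v0.1.1\n"); f.flush()
        authed = False
        for line in iter(f.readline, ""):
            cmd, _, arg = line.rstrip("\n").partition(" ")
            if cmd == "user":
                reply = "USER name received, please send PASS"
            elif cmd == "pass":
                authed = arg == MOCK_PASSWORD
                reply = "PASS accepted, you may proceed to SCAN" if authed else "PASS rejected"
            elif cmd == "scan" and authed:
                reply = MOCK_RESULTS.get(arg, "0")     # unknown paths count as clean here
            else:
                reply = "Goodbye" if cmd == "quit" else "ERROR"
            f.write(reply + "\n"); f.flush()
            if cmd == "quit":
                break

def command(f, line, prefix=""):
    # One command per line: a line break inside an argument would reach the daemon as a second command
    if "\n" in line or "\r" in line:
        raise ValueError("line breaks not allowed in commands")
    f.write(line + "\n"); f.flush()
    reply = f.readline().rstrip("\n")
    if not reply.startswith(prefix):
        raise RuntimeError(f"unexpected reply: {reply!r}")
    return reply

def scan_files(sock, user, password, paths):
    """Log in over `sock`, scan each path, log out; returns {path: code} (0 clean, 200 infected)."""
    with sock.makefile("rw", encoding="utf-8", newline="\n") as f:
        f.readline()                                   # "Welcome to Ebola ..." banner
        command(f, f"user {user}", "USER")
        command(f, f"pass {password}", "PASS accepted")
        results = {p: int(command(f, f"scan {p}")) for p in paths}
        command(f, "quit", "Goodbye")
        return results

def run_demo(paths, password=MOCK_PASSWORD):
    # Stand-in daemon on one end of a socketpair, client on the other (nothing touches the network)
    daemon_end, client_end = socket.socketpair()
    threading.Thread(target=mock_daemon, args=(daemon_end,), daemon=True).start()
    with client_end:
        return scan_files(client_end, "pldaniels", password, paths)
```

Against a real daemon you would connect with `socket.create_connection((host, 1665))` and hand that socket to `scan_files`; note that the password travels in cleartext, one more reason to keep client and daemon on the same machine.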

Versions to date:

  • v0.1.5 - Segfault/exploit fixes
  • v0.1.4 - Corrected zombie-child accumulation (21/11/2000)
  • v0.1.3 - First version suitable for Alpha type release to public.
  • v0.1.2 - Internal development only, authorisations used, very messy code
  • v0.1.1 - Internal development only, no authorisations used

Resources Required:

Older versions...

Questions:

  1. Why have you used BSD sockets for the communications?
    Answer: Although one could have used IPC/pipes, I preferred the concept of using sockets to permit (in the future) the possibility of multiple machines on the same "storage array" making requests. Also, using BSD sockets ensures a greater chance of portability to other platforms.
  2. Why port 1665???????
    Answer: Two reasons,
    1. It's above 1024, hence there is no need for it to run as root.
    2. 1665 was the year that London suffered from the Black Plague (Thanks Beetsa!), not quite the same as Ebola, but seemingly just as efficient a killer.
  3. Why have you only supported Sophos? What about FProt, Nortons etc?
    Answer: Unfortunately, only Sophos has provided a C API for their AntiVirus library/engine. If you know of another C API out there (freely available) then I'll happily include it!
  4. Aren't you reinventing the wheel again? Aren't there already enough AV scanners out there, like AMaViS, Inflex, Qmail-Scanner etc?
    Answer: Ebola is designed to be _USED_ by such programs, not to replace them.
  5. Scanning is scanning... how can using Ebola make things go faster? Surely it'll slow things down?
    Answer: Yes, the scanning speed of Ebola will be no faster than the AV engine it uses. HOWEVER, using Ebola will save the time required to start up/tear down the AV engine as is normally required. Loading a database of ~57,000 virus signatures does take a considerable amount of time.
  6. Is Ebola going to be ported to BSD/Solaris/SCO/HPUX/Insert-desired-OS?
    Answer: If I get my hands on one of those machines+OS, yes...
  7. Can I write my own AV modules for Ebola?
    Answer: Yes. Take a look at the 'mod_sweep.[ch]' file pair and see how that operates.
  8. How can I contact you?
    Answer: Email me at pldaniels@pldaniels.com
  9. What licence is Ebola?
    Answer: Ebola is written under a BSD licence.
  10. What other software have you written?
    Answer:
    • Inflex - Sendmail based bidirectional email scanner.
    • jslice - Image slicer and table generator for HTML.
    • ripMIME - MIME attachment extractor for email.
    • pppdropper - PPP line utilisation based dropper.
    • cInflex - Commercial, written-in-C version of Inflex (includes ACLs).