VPOPSCAN for VPOP3 - Version 1.7
Last update: 10/27/2001
This guide is a set of instructions to install a Virus Scanner into Paul Smith's VPOP3 E-mail server software. These instructions will allow VPOP3 to scan all incoming E-mail message attachments, including ZIPs, for viral infection. If the attachment is found to be infected the E-mail message can be moved to another E-mail user (quarantined) or deleted.
There are instructions in the VPOP3 Help file and some are also posted at the Paul Smith Computing Services main Internet site (http://www.pscs.co.uk/index.html). Unfortunately I found none of these worked correctly. Hence this guide was created. I hope it is helpful, saves people some time, and lets them be successful at getting VPOP3 to scan E-mail attachments for possible viral infection.
This new found "urge" to Scan attachments was a result of the Melissa virus. I believe Melissa was a wake up call for all Internet users. Melissa did not have a destructive payload, but the next virus to come might well be much worse.
There are three steps to getting VPOP3 to scan E-mail attachments:
STEP1) Unarchive the required software. This guide contains all the programs (excluding VPOP3) required for success. If you want to download updates to these files I have supplied FTP and HTTP addresses.
STEP2) Create the proper directory structure and copy the required files.
STEP3) Configure VPOP3 to Scan all attachments and test VPOP3 for proper operation.
STEP 1 - UNARCHIVE THE SOFTWARE
1) I assume you already have Paul Smith's excellent Shareware E-mail program called VPOP3. At present the current version is 1.3.0b. The latest version can be downloaded from:
2) The next software program required is a Decoder. A Decoder takes the encoded E-mail attachments and converts them back into their original format. UUDeview is a Freeware decoder program for DOS. The latest release is version 0.5d. It can be downloaded from:
If you would like to learn more about encoding and decoding, read "introduction.html" (included in this Guide) or go to:
4) The final software item is a Virus Scan program. There are several programs available to choose from. In the past we included configurations for a number of different virus scanners as part of this guide. To keep things simple, we have included McAfee's Protected Mode SCAN for DOS (CMZ4140E.ZIP) with this Guide.
There are a few reasons we favor the McAfee product over others (such as Norton). McAfee's ScanPM is a Protected Mode (DPMI) program (hence the PM in SCANPM). This means it is well behaved under Windows 9x or NT. It's a 32 bit program, so it's very fast, is time proven to be stable, and does not cause memory leaks. The .DAT files are freely available, and the unregistered version will continue to operate properly even after the 30 day evaluation period (although we highly recommend registering software that you use). Finally, the SCANPM utility can perform recursive scans inside ZIP files without having to first unzip the archive. In past versions of VPOPSCAN we included the DOS version of PKUNZIP, but we found using the built in ZIP capabilities of SCANPM to be simpler, faster and more thorough.
McAfee and Associates Protected Mode SCAN for DOS - Available from retail outlets or the shareware version can be downloaded from:
Be sure to download the latest version of McAfee's .DAT files often! The filename is DAT-xxxx.ZIP, where xxxx is the current version. At present the latest DAT release is DAT-4125.ZIP. The latest release can be downloaded at:
This version of VPOPSCAN focuses exclusively on McAfee's SCANPM. If you wish to try other virus scanning software please follow these links:
Norton AntiVirus for DOS - Available from retail outlets or the Freeware (for non-commercial use) DOS version (NAVC10.EXE) is available for download from:
Note: Norton AntiVirus does NOT recognize the EICAR.COM file as a test Virus and ignores it. This makes it difficult to test your setup.
F-Prot for DOS - The Freeware (for home use) DOS version is available for download at:
Always be sure to keep whatever Anti-Virus software program you choose equipped with the latest virus information files. These can be downloaded for free from the vendor's site. If you don't keep the latest version installed, it can make your system vulnerable to new viruses.
STEP 2 - CREATE THE PROPER DIRECTORY STRUCTURE : Locations are important!
The following two statements are assumed:
1) You have already installed VPOP3 in C:\PROGRAM FILES\VPOP3 (the default installation location).
2) VPOP3 is configured and operating properly. If this is not the case, do not install the Anti-Virus portion until you are confident VPOP3 is working correctly.
All the programs listed in STEP1 must be unarchived and copied to their proper locations. Not all files from each archive are required to allow proper operation of the program. I suggest you unarchive each of the programs in a separate directory, copying only the necessary files into their destinations.
1) Create the directory tree for the AntiVirus software:
Note: An alternative to creating this directory tree is to copy the files into a directory mentioned in the PATH statement. Please refer to the Trouble Shooting section for more information.
2) From CMZ4140E.ZIP copy SCANPM.EXE, LICENSE.DAT, and MESSAGES.DAT to the VirusScan directory.
3) From the DAT-4166.ZIP (or whatever is the latest version) copy all files that end in .DAT (*.DAT) to the VirusScan directory.
4) Create the directory for the Decoder file:
5) From UUDVD05D.ZIP copy the UUDEVIEW.EXE Decoder Program file to:
Note: These files are location dependent and will not operate properly from the PATH. They must be copied to C:\Program Files\VPOP3\VScan.
6) Copy the VSCAN.BAT file supplied with this guide to the C:\PROGRAM FILES\VPOP3 directory. The VSCAN.BAT file may need to be modified before it will work on your system. If you have followed the above instructions, keeping the same directory structure, using:
1) McAfee's SCANPM for DOS as the Virus Scanner
2) You are running Windows 95/98/ME
3) A user named "Infected" exists in your VPOP system (see STEP3)
then VSCAN.BAT should work with no modifications. The file is heavily commented to help you through any necessary changes. Don't try running it until you complete STEP3.
STEP 3 - MODIFY VPOP3 : Almost done!
1) All the files are in place, so VPOP3 now needs to be told to use them. This is done from the VPOP3 Properties menu. Start VPOP3, click the MISC tab, then click the "Define VPOP3 Extensions". From there type the following in the "External Router" field:
For 9x/ME: "C:\WINDOWS\COMMAND.COM" /c VSCAN.BAT
For NT: "C:\WINNT\SYSTEM32\CMD.EXE" /c VSCAN.BAT
The command line is case insensitive except for the "/c". We have found some versions of Windows will not honor "/C", but all will honor "/c". For more information on command line parameters please see the Trouble Shooting - Command Line section.
2) Determine how you want the system to handle suspect messages. When the system finds an E-mail with an attached file that it suspects to be infected (that is, the antivirus software has exited with an error level other than 0), there are two things that can be done. The first is the message (with its attached file) can be forwarded to another user to be dealt with at a later time (quarantined). The second is that the message (with its attached file) can be deleted completely. The choice as to how suspect messages are dealt with is configured from the VSCAN.BAT file.
If you wish to keep the infected E-mail and its attachment, we suggest creating a user called "Infected". This user does not need any special rights (i.e. admin). The suspect messages can be viewed, deleted, or forwarded from the VPOP3 console.
An alternative is to forward the offending E-mail to a system administrator that is accustomed to dealing with suspect files and has the proper tools and experience to handle whatever comes up. Use caution!
If you don't care about keeping suspect E-mail and attachments, then set "To:None" in the VSCAN.BAT file.
We suggest setting up your system to send suspect messages to an "Infected" user. There are three reasons:
1) During initial setup and testing, this allows you to see for sure that the system is properly handling virus threats.
2) You can see how many viruses the system has detected.
3) You can see who has sent you an infected file. You may want to send them a note about this problem, as they may be unaware that their system is infected.
The down side:
1) You have potentially hazardous files on the system. Proper handling is essential.
2) This takes one of your VPOP3 user licenses.
3) If you are low on user licenses and choose to send suspect email (with potentially infected attachments) to an existing user, be aware that the user can potentially infect himself if not careful or experienced.
As an alternative to sending suspect messages to anyone, after you have thoroughly tested VSCAN and are convinced it is working properly, set VSCAN.BAT to send messages to:NONE. This will completely delete the offending message with the attachment. Please note these deleted messages and attachments are not available from the Recycle Bin.
You are done! Now it's time to test the system to make sure it is operating properly. To do this we need a virus to check if the system is indeed going to work properly. Included in this guide is a copy of EICAR.COM, (archived as EICAR.ZIP), the Standard Antivirus Test File. EICAR.COM is NOT a real virus! The following is an excerpt from the McAfee documentation:
* TESTING YOUR INSTALLATION *
The EICAR Standard Antivirus Test File is a combined effort by anti-virus vendors throughout the world to implement one standard by which customers can verify their anti-virus installations.
To test your installation, copy the following line into its own file, then save the file with the name EICAR.COM.
The file size will be 69 or 70 bytes.
For more information on what the EICAR.COM Standard AntiVirus Test File is, how to make your own copy, download a copy, etc, please refer to:
If the EICAR.COM file is run from a command prompt, it will simply say:
Note for Norton AntiVirus users: NAVC does NOT recognize EICAR.COM as a test Virus and ignores it. This makes it more difficult to test your setup. Use caution with live viruses!
To check the operation of the new Virus Scan feature:
1) For testing purposes, turn off "Route Local Mail Locally" under the VPOP3 Local Mail tab. You need this message to get bounced off your ISP. Local Messages do not get scanned.
2) Open your E-mail program and send yourself a message with the EICAR.COM file as an attachment. With the EICAR.COM file attached, VPOP3 will treat this message as an infected message (even though the EICAR.COM file is not really a virus and can cause no harm). If you also want to check the functionality of VSCAN.BAT to unarchive and scan .ZIP attachments, send EICAR.ZIP.
If you would like to test the system under real world
3) Prompt VPOP3 to Connect so it sends your message (right click the VPOP3 icon in the task bar and click "Connect Now"). Then prompt VPOP3 again so it will fetch the message that you just sent.
If everything has gone well, your EICAR test message has been either forwarded to the "infected" user (you can see the number of messages has incremented by one) or deleted (according to how you set up your VSCAN.BAT file).
Please note that the Mail Server will suffer a small performance "hit" when you use the Virus Scan feature. On very busy systems this may become irritating, but in my opinion, it is worth the trade off.
If something has gone wrong, please follow these steps:
1) Verify that VSCAN.BAT is operating properly. To do this, you will want to:
1) Make a backup copy of VSCAN.BAT or at least print it.
2) Remove all ">NUL" statements from VSCAN.BAT.
3) Place some "PAUSE" statements in VSCAN.BAT. This makes it a lot easier to see what's happening.
4) Place some "CD" statements in VSCAN.BAT. It will help in trouble shooting location problems.
5) Open a DOS window and run VSCAN.BAT from the VPOP3 directory. Hopefully you will see where the problem is.
6) Replace all ">NUL" statements and remove all "PAUSE" statements.
2) If VSCAN.BAT operates properly from a DOS window, then the problem must be in the External Router field. Let VPOP process a message with an attachment, and then look at the ROUTER.DAT file in the VPOP3 directory. This is the file that VPOP3 passes to VSCAN.BAT for processing. View ROUTER.DAT and verify it contains the last decoded message. If you don't see anything in this file, then it points to a problem with the External Router field. Also inspect the ROUTING.CTL file for more hints as to what is going wrong. It contains the environment variables (STDOUT) that the External Router passes back to VPOP after it runs. This is how VPOP3 knows to change the target recipient, subject, or to delete a message. ROUTING.CTL also contains the information that would normally be sent to the screen of a DOS window.
3) COMMAND LINE: A lot of problems in getting VSCAN.BAT to be called or operate successfully stem from issues with the External Router or VSCAN.BAT command lines. How Windows 9x/NT handle extended file names and spaces in path statements is the main problem. If a path or a filename contains one or more spaces, or exceeds the standard DOS 8.3 FILENAME.EXT standard, that command line MUST be surrounded by quotation marks. Perhaps some examples will help:
1) C:\PRINTKEY\PRINTKEY.EXE Legal
2) "C:\PRINTKEY\PRINTKEY.EXE" Legal
3) C:\PRINT KEY\PRINTKEY.EXE Illegal (SPACE IN PATH)
4) "C:\PRINT KEY\PRINTKEY.EXE" Legal
5) C:\PRINTKEY\PRINT KEY.EXE Illegal (SPACE IN FILENAME)
6) "C:\PRINTKEY\PRINT KEY.EXE" Legal
7) C:\PROGRAM FILES\VPOP3\VSCAN.BAT Illegal (SPACE IN PATH)
8) "C:\PROGRAM FILES\VPOP3\VSCAN.BAT" Legal
9) C:\PROGRA~1\VPOP3\VSCAN.BAT Legal
10) "C:\PROGRA~1\VPOP3\VSCAN.BAT" Legal
11) C:\PROGRA~1\VPOP3\VIRUSSCAN.BAT Illegal (FILENAME>8)
12) C:\PROGRA~1\VPOP3\VIRUSC~1.BAT Legal
Please note if command switches or environment variables need to be passed to the program, they need to be OUTSIDE of the quotation marks. Also note that the quotation marks are legal even when they are not really needed.
If there is a problem with the External Router command line, VPOP may generate errors such as:
VPOP3 encountered an error launching the external router.
The message has been routed using internal routing.
The control file has been renamed to XQ8e184e.DAT in the HOUSEKEEPER directory.
The Windows error code returned was 2.
This can be verified by looking at the ROUTING.CTL file size. If the External Router is not being called from VPOP3 the file size will be 0 bytes.
If there is a problem with a command line in VSCAN.BAT, the ROUTING.CTL file may contain messages such as:
The name specified is not recognized as an internal or external command, operable program or batch file.
The syntax of the command is incorrect.
4) Note for Novell Users:
We strongly recommend that any client of a Novell file server run the Novell Client software from Novell, not the Microsoft Client from Microsoft (the built-in client that comes with 9x/ME/NT). The Microsoft client has problems retaining the default PATH statements after logging into a Novell File Server, allowing the Novell mappings to overwrite the default Windows mappings:
For 9x/ME: C:\WINDOWS;C:\WINDOWS\SYSTEM32
For NT: C:\WINNT;C:\WINDOWS\SYSTEM32
along with any other PATH statements that have been added to the system. Problems can arise if the machine running VPOP3 is logged into a Novell File Server, and the AntiVirus software resides on the File Server somewhere in a SEARCH MAP (ie the PUBLIC directory). This results in the SCANPM.EXE program loading and then giving an error that it cannot find the .DAT files. The Novell Client properly searches these MAP SEARCH paths and will allow the .DAT file to be found. The latest Novell Client software can be downloaded from:
5) Notes for NT users:
a) If you are running Windows NT 4 we recommend downloading and applying the latest NT Service Patch (SP6a). At present the most recent is SP6I386.EXE, available from Microsoft (34.5 MB).
b) We have found problems with running programs from PATH statements under NT. When VPOP3 calls VSCAN.BAT, NT cannot see any Novell File Servers. This makes it impossible to use command lines such as "PKUNZIP.EXE" or "SCANPM.EXE" in VSCAN.BAT if these programs reside on the Netware server. If a DOS window is opened, the File Server's drive letters are present (Z:, Y:, X:, etc) and programs can be run from these search drive paths. But it appears that NT only looks to its Environment Path statements (Control Panel, System, Environment, Path), and will not look to a File Server even if the File Server's path is added to NT's Environment Variables. VSCAN.BAT simply does not see Novell File Servers when called by VPOP3. We tested this with VPOP3 running on NT 4.0 Workstation with Service Pack 6 installed, and the Novell IntraNetware client for NT (4.8), with a bindery login to a Netware 3.2 server. Under Windows 9x/ME, the PATH statements are honored and will allow programs to run from search drive mappings on a Netware File Server. We do not have any NT servers to test with.
Note for Windows 9x/ME users:
An alternative to creating the directory tree and copying SCANPM.EXE and *.DAT to their respective directories would be to place these files somewhere mentioned in the PATH statement (i.e. a network server or the Windows directory). This has three advantages:
1) The files are easily updated (not nested deep in the tree).
2) The files are centralized (useful in a Network environment).
3) The SCANPM utility can be called from anywhere. Since the files reside in the PATH, you can simply type SCANPM at a DOS prompt anywhere in the directory tree and have SCANPM launch. By using the DOS AntiVirus version and not running a Windows based Anti-Virus program (such as McAfee for Windows 9x/ME/NT) on a workstation, you free up resources and keep your performance up. Let VSCAN check your Email attachments, and use the DOS version to check floppy disks and programs you download. It requires a little more thinking, but you get the performance!
If you are unsure of the PATH, open a DOS window and type PATH. For a typical system, copy the files to:
For Windows 9X/ME: C:\WINDOWS
For Windows NT: C:\WINNT
For Netware: F:\PUBLIC
Understanding how VPOP3 and VSCAN operate will help in trouble shooting problems. The following is the sequence of events that occurs when VPOP3 processes a new Email with an attachment.
VPOP3 gets a new message. If that message has an attachment, VPOP3 looks to see if there is anything in the External Router command line. If there is, it calls the External Router program. Please note that even though VSCAN.BAT is DOS based, a DOS window will not open up and allow you to see what is going on. All processing is performed in the background.
1) VPOP3 calls the External Router command:
COMMAND.COM /c VSCAN.BAT (for 9X/ME)
CMD.EXE /c VSCAN.BAT (for NT)
The /c switch for COMMAND.COM carries out the command specified after /C (VSCAN.BAT, otherwise known as the string) and then closes that copy of COMMAND.COM. When VPOP3 calls the External Router command, it starts out in the VPOP3 Base Directory. This location is normally:
This location can be verified under the MISC. tab of VPOP3's configuration.
2) The first command in VSCAN.BAT is ECHO OFF. This turns off a lot of program information that is normally displayed on the screen. In the case of VPOP3, all the info that is normally displayed on the screen is stored in the file ROUTING.CTL, located in the VPOP3 Base Directory. The ROUTING.CTL file is recreated each time VSCAN.BAT is called. Turning off ECHO helps keep this file small and keep possible superfluous variables from being passed to VPOP3.
3) The next command VSCAN.BAT runs is:
if not exist vscan\files\*.* md vscan\files
This command looks to see if the temporary directory FILES exists. For most installations, the directory tree looks like:
If the directory FILES does not exist (normally the case) it is created. This line has a counterpart, the very last line in VSCAN.BAT:
DELTREE /Y VSCAN\FILES >NUL (for 9x/ME)
RD /S /Q VSCAN\FILES >NUL (for NT)
which deletes the FILES directory. The temporary FILES directory is created and deleted each time VSCAN.BAT is run for safety reasons. By deleting the entire directory each time, even if there is a live Virus present in an unarchived attachment, it is wiped out.
4) The next command VSCAN.BAT runs is:
This makes the current directory C:\PROGRAM FILES\VPOP3\VSCAN\FILES. This is required for safe operation of the decoder and Virus Scanner software.
5) The next command is the decoder program:
..\UUDEVIEW.EXE -i -o -t ..\..\ROUTING.DAT >NUL
which decodes the Email into C:\PROGRAM FILES\VPOP3\VSCAN\FILES. VPOP3 passes the message with its attachment to the External Router via the ROUTING.DAT file located in the VPOP3 Base Directory. The current directory is C:\PROGRAM FILES\VPOP3\VSCAN\FILES. The UUDEVIEW.EXE file is normally copied into the C:\PROGRAM FILES\VPOP3\VSCAN\FILES directory. The "..\" allows the UUDEVIEW.EXE program to be called from the directory below. This is again for safety reasons. Since ROUTING.DAT is two directories below the current directory, the "..\..\" is used to point to the ROUTING.DAT file. ">NUL" redirects all information normally sent to the screen into never-never land, allowing the ROUTING.CTL file to again stay small and keep out info that might cause mistakes.
6) The next command is:
which makes the current directory C:\PROGRAM FILES\VPOP3 again. This is required because the VSCAN.BAT file is located there. When the Virus Scanner exits (the next step), its error level must be passed to VSCAN.BAT in order for further program processing.
7) The next command calls the Virus Scanner:
"C:\Program Files\McAfee\VirusScan\SCANPM.EXE" VSCAN\FILES\*.* /ALL /NOMEM /NOBEEP /NOEXPIRE /UNZIP >NUL
The Virus Scanner scans the C:\PROGRAM FILES\VPOP3\VSCAN\FILES directory. Most DOS based AntiVirus programs exit with an ERRORLEVEL > 1 if they detect a virus or encounter a problem. If no virus or problems are encountered, they normally exit with ERRORLEVEL=0. This error level is passed as an environment variable.
Please note that because we are working in the DOS world with VSCAN.BAT, spaces in file names or directory names are not understood. Just like at a DOS prompt, extended names are truncated, so "PROGRAM FILES" becomes "PROGRA~1", limited to the 8.3 FILENAME.EXT standard. And Microsoft said DOS was dead.......
Also note the quotation marks around the command. They encompass the PATH and FILENAME.EXT, but exclude the command line switches. Quotation marks are required for any PATH or FILENAME that contains any spaces. Even if there are no spaces in the PATH or FILENAME, DOS honors the quotation marks and will properly run. I recommend using the quotation marks for clarity if nothing else.
The command line switches for SCANPM are:
/ALL - Scan all files - better safe than sorry.
/NOMEM - Does not scan memory for resident viruses - Makes scanning much faster.
/NOBEEP - No audible beeps - If SCANPM finds a virus it beeps as an alarm.
/NOEXPIRE - Ignore old .DAT files - If DAT files are older than 90 days the program will exit with errorlevel 1.
/UNZIP - Scan inside of .ZIP files - This recursively scans all zip files.
8) The next commands are:
The ERRORLEVEL is passed from the Virus Scanner and directs the actions of the VSCAN.BAT file.
IF ERRORLEVEL=1 GOTO INFECTED:
REM No infections were detected!
GOTO END:
:INFECTED
REM Suspect messages can be forwarded to a user or discarded depending on the "To:" address
REM Forward suspect messages to a user called Infected
ECHO To:Infected
REM Delete suspect messages (with no notification!)
REM ECHO To:None
REM The subject line will work for either scenario.
ECHO Subject:Virus Infected!
:END
If the Virus Scanner has exited with ERRORLEVEL=0 (no viruses or problems) then VSCAN.BAT uses the "GOTO END:" branch, skipping the command lines in between, and continues processing the rest of the VSCAN.BAT file. If the Virus Scanner has exited with ERRORLEVEL>1 (virus or problem found) then it follows the ":INFECTED" branch. The "ECHO To:" and the "ECHO Subject:" lines are passed back to VPOP3 as STDOUT environment variables via the ROUTING.CTL file. This allows VPOP3 to take appropriate actions when problems are encountered. Any variables other than "To:<recipient>" or "Subject:<new subject>" are ignored by VPOP3.
9) The last commands VSCAN.BAT runs are:
REM Delete the temporary directory. It is recreated each time VSCAN.BAT is run.
REM For 95/98 users
DELTREE /Y VSCAN\FILES >NUL
REM For NT users
REM DELTREE not included with NT 4.0, use the RD command instead.
REM /S = Files and subdirectory
REM /Q = Quiet mode, don't ask for confirmation
REM RD /S /Q VSCAN\FILES >NUL
which deletes the temporary FILES directory. If the FILES directory exists after VPOP3 processes an Email with an attachment, it is a good indicator that VSCAN.BAT is not being called, and there is most likely a problem with the External Router command line.
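A fail-closed variant of the sequence walked through in steps 1 to 9, written as an added example and not the VSCAN.BAT shipped with this guide: it checks that the decoder and the scanner are in place before trusting the scanner's ERRORLEVEL, so a missing program quarantines the message instead of depending on whatever exit code was left behind. It assumes the STEP 2 directory layout, Windows 9x/ME, an existing "Infected" user, and CD commands inferred from the descriptions in steps 4 and 6; the "Virus Scanner Missing!" subject text is made up for this example.

```batch
@ECHO OFF
REM Added example (not the guide's own VSCAN.BAT).
REM Runs from the VPOP3 Base Directory, as the External Router does.
REM Only "To:" and "Subject:" lines may reach STDOUT, because VPOP3
REM reads them back through ROUTING.CTL. Everything else goes to NUL.

REM --- Fail closed: never let mail through unscanned ---------------
REM If the decoder or the scanner is missing, skip the scan and
REM quarantine the message so an administrator notices the fault.
IF NOT EXIST VSCAN\UUDEVIEW.EXE GOTO BROKEN
IF NOT EXIST "C:\Program Files\McAfee\VirusScan\SCANPM.EXE" GOTO BROKEN

REM --- Decode the message into a fresh temporary directory ---------
if not exist vscan\files\*.* md vscan\files
REM Assumed from step 4: work inside the temporary directory.
CD VSCAN\FILES
..\UUDEVIEW.EXE -i -o -t ..\..\ROUTING.DAT >NUL
REM Assumed from step 6: return to the VPOP3 Base Directory.
CD ..\..

REM --- Scan, then branch on the scanner's exit code ----------------
"C:\Program Files\McAfee\VirusScan\SCANPM.EXE" VSCAN\FILES\*.* /ALL /NOMEM /NOBEEP /NOEXPIRE /UNZIP >NUL
REM IF ERRORLEVEL 1 is true for any exit code of 1 or higher.
IF ERRORLEVEL 1 GOTO INFECTED
GOTO CLEANUP

:BROKEN
REM Scanner or decoder not found: quarantine with a distinct subject.
ECHO To:Infected
ECHO Subject:Virus Scanner Missing!
GOTO END

:INFECTED
REM Virus found or scanner reported a problem: quarantine.
ECHO To:Infected
ECHO Subject:Virus Infected!

:CLEANUP
REM Remove decoded attachments every run (9x/ME form from step 9).
DELTREE /Y VSCAN\FILES >NUL

:END
```

NT users would replace the DELTREE line with the RD /S /Q form shown in step 9.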
If you have any comments, questions, or enhancements, please E-mail me:
This guide is released as Freeware to the Public Domain. The latest version can be downloaded from:
I am not affiliated in any way with Paul Smith Computing Services.
Support Shareware authors by registering their software.
Many thanks to Paul Smith for writing and the continued development of VPOP3.