Scanning for Windows Viruses in Linuxland? 45
rmmeyer asks: "I'm in the process of building an e-mail server for my company with
a new twist. Since most of the clients are going to be Windows based (don't go there, I can't change 'em) and running Outlook (I know, I know...) I need to be able to scan the incoming and outgoing Emails for viruses. A quick check on Freshmeat shows fourty-nine projects related to email viruses. I intend to use Sendmail for the MTA with the milter API for scanning. There appear to be several commercial anti-virus scanners for Linux and at least one Open Source scanner. What are the community's experiences doing this? We expect to have 150 clients and potentially several thousand incoming Emails per day. Points are added for solutions that also include the capability of scanning Samba shares! =)" Ask Slashdot last touched on this issue in this article, from early March of last year, and before that in another article from October of 2000. I'm sure things have changed greatly since then.
F-Prot (Score:4, Informative)
F-Prot [f-prot.com] for Linux, free of charge for personal use.
I'm not related with Frisk Software except that I use their software.
antivirus - a sendmail milter (Score:3, Informative)
http://www.nmt.edu/~wcolburn/antivirus/
We combined this with mcafee under linux which also works very well but there are other options available.
Not to start a us vs. them (Score:4, Informative)
Amavis (Score:4, Informative)
Overall, I'm pleased with the package.
http://www.amavis.org
(No affiliation with the programmers, I just use the product.)
Re:Amavis (Score:2, Informative)
I knew there was something I forgot to include. Time for the morning coca-cola.
Re:Amavis (Score:1)
Re:RAV Antivirus (Score:2)
Need for attachements? (Score:1, Offtopic)
I'm not sure it's such a good idea not to have some kind of on-the-fly scanning for each client system, espeically if they're the type to demand the use of Outlook (I have the same situation here, and I sympathize). There's always the chance they'll grab infected files off the web as well.
Mailscanner (Score:1, Informative)
If you have a mixed network with samba shares you might also like to have a look at Rainer Link's samba-vscan VFS module for samba at the openantivirus [openantivirus.org] site.
Re:Mailscanner (Score:1)
It works just fine (Score:1)
Currenlty using Sophos antivirus but have used other products in the passed with equally good results.
qmail!! (Score:1)
Ideally your exchange server should end up being nothing more than a storage place for email (seems like you're doing that). I'll be doing this in about two weeks at my company, too. Good luck!
ASTROTURF! (was Re:Vexira mailarmor is the way...) (Score:2)
Note carefully...
* Poster has only made one post ever--here.
* Poster's numeric ID is within a handful of the one above.
* Poster's comments are all very obviously marketing-speak.
Vexira has just cost themselves a possible customer. I don't buy products from people who lie about them, and astroturfing is lying.
Try this.. mail scanner :) (Score:2)
This Mail Scanner [soton.ac.uk] is very good and maintanied very regularly (just see the dates on the link listed). To quote the website: "Protecting over 1 billion e-mails every week, for over 40 million users". It is NOT a virus scanner itself, only a way of scanning mail using a virus scanner such as the one provided by Sophos.
I used to use the network that this mail scanner was attached to and it was very effective at providing pre-emptive detection as it looks for things such as extention masking etc.
I believe it has detected a few virus before the actual virus patterens were released :)
It also has quite an impressive list of sites using the software: here [soton.ac.uk]
Don't scan for viruses, do this instead. (Score:2)
http://office.microsoft.com/Assistance/2000/Out2k
(You could add a few more to the list, maybe Office files like Word
Send a server level error message stating "message rejected due to dangerous attachment
If it's a human that really needs to send someone something "dangerous," they can re-package it.
This way you block ALL files that could contain viruses or trojans, without any of the overhead and maintenance. You're basically implementing the same new security model in Outlook XP in your server. If anyone complains, just tell them Outlook XP does the same exact thing.
Re:Don't scan for viruses, do this instead. (Score:2)
All this does is avoid the problem, and impose a counter productive inconvenience on your users.
Re:Don't scan for viruses, do this instead. (Score:2)
A virus inside a zipfile would never propagate enough to allow itself to be spread around. Viruses require the network effect to spread. You might get a couple of dumbasses to open the zipfile AND execute your program, but it would be VERY low profile.
The primary cause of viruses spreading is (1) stupid-asses clicking on viruses in their emails, (2) stupid-asses not keeping their computers patched, thereby allowing exploits like those found in OE that allow viruses to auto-execute themselves.
All this does is avoid the problem
That's right! We avoid the problem of viruses completely, because we don't allow executables through!
and impose a counter productive inconvenience on your users.
FYI, this "counter-productive inconvenience" is now the DEFAULT way for Outlook to operate, in Office XP and beyond, and anyone that was smart enough to install the Outlook security patch over a year ago.
People RARELY need to send someone an executable attachment. In those rare cases, renaming the file to
The entire time I was using Outlook with that security patch installed, and on outlook xp, I was never ONCE inconvenienced.
The alternative of virus scanning in an email server is much more expensive, complex, and a losing battle.
To wit, anti-virus companies don't detect specialized executables written specifically to input customized trojans in your internal network, such as someone trying to specifically hack your network, or the FBI/CIA spying on you. I could write a trojan right now that would not be detected by even the most sophisticated anti-virus software, because it doesn't fit any of their signatures. It would slip right into your network, whereas it gets stopped at the gate on mine.
Best of all, my solution requires no extra money or time to be spent to maintain. Occasionally we may need to add a new file extension to the list, wow...
Interscan Viruswall (Score:3, Informative)
I used it at one of my jobs and I was pretty impressed. Our setup was Solaris but they do support Linux. It works with sendmail no problem. It will clean emails and optionally notify the sender, recipient, and IT when a virus is found. It also automatically updates the virus patterns as often as nightly. It was super easy to set up and use.
Sarah
postfix+amavis+clamav+spamassassin (Score:3, Informative)
AmaVis [amavis.org]: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognized multiple CPU's); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL
Clam Antivirus (clamav) [elektrapro.com]: virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus [openantivirus.org] project; (does not disinfect, just identifies); GPL
SpamAssassin [spamassassin.org]: Perl-based Spam filter; use with Procmail [procmail.org]; client-server architecture (one daemon); Perl Artistic License
Our application of the above software seems to work quite well. We server about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.
Re:postfix+amavis+clamav+spamassassin (Score:1)
What exactly is the difference between clam and amavis? Are you using spamassassin to go back and delete mail that was flagged by the other two products?
How quick is clam at providing updates? How comprehensive is their database? I'm somewhat remiss to not use a commercial solution for this.
(And I'll hit all of the pages and look for answers myself. But I figured if you had 'em already, I could be looking for other things. Thanks)
Re:postfix+amavis+clamav+spamassassin (Score:2)
Clam Antivirus is a virus scanner, a command-line tool used to scan files for virus signatures. It will report whether it finds a virus or not. AmaVis is used as a filtering daemon for email. It unpacks MIME messages into multiple files, decompressing them if necessary, and runs the virus scanner over each file. If it finds a virus with its tools, it reports the results to the following (configurable, of course): the admin, the sender (I shut this off because of spoofing), and the receiver (you can shut off alerts sent to recipients that are off-site). The entire email is saved in a quarantine directory; it is not deleted.
The virus definitions file is updated by the members of the Open Antivirus project. Subscribe to their email list to get bleeding-edge, just found definitions. Otherwise, just let the clam antivirus updater fetch the definitions when the project updates them (1-2 day delay after a new virus is identified -- or at least it seems that way). Talk to the OpenAV guys for legit frequency info.
The only reason why we don't go with a commercial product is because most of these products charge by the number of recipients or users on the system, often requiring client licenses for each user as well. McAffee wanted WAY too much money for what we wanted to do, especially considering that we already have Nortan Antivirus installed on the Windows and Mac machines (University site license). Why pay for something we already have?
To date, I haven't seen a virus come through amavis+clamav yet, but that is my own personal experience and that of our users.
Spamassassin is a different beast entirely. I use procmail scripts to intercept messages bound for email lists (served from ecartis) and filter them for spam. I also filter out VIRUS warnings sent by AmaVis. These filtered items get saved to a "spam" and a "virus" folder, and I wrote a cron job to report how many emails it finds in these folders twice per day. It's valuable to send these to individual recipients on the system, but not to a list.
Procmail is an important piece of the spam filtering process. Postfix can do content filtering, so I think it's certainly possible for me to have spamassassin tag EVERYTHING coming into the system, just like AmaVis does now. I just haven't pieced together how to do it yet. It would eliminate the need for users to run procmail recipes and drop the number of processes run on the server.
If you want to disinfect files, go commercially funded/grown software... that is, at least until the Open Antivirus people or another group come up with virus definition files that include instructions for disinfecting files.
Re:postfix+amavis+clamav+spamassassin (Score:1)
Not interested in disinfection; just want to dump bad files to
Thanks for the info.
Re:postfix+amavis+clamav+spamassassin (Score:2)
Anomy + AVP + Spamassassin works great. (Score:3, Informative)
One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.
Interscan Viruswall (Score:1)
Big thumbs up for this product. As an added bonus, you can also scan ftp and http traffic, so you have more points of entry covered.
We've used the product under RH for a few years and it has been very stable. Performance is good even on a low end machine (400Mh). The license is for a protected number of machines/user, so you can deploy multiple scanners to load balance.
We have a scanner in front of our co-located mail server, and a scanner in front of our on-site mail server. We do a lot of huge ftp work, so we setup a 3rd machine just to act as an ftp proxy so the web surfing doesn't get bogged down when the occassional 50M zip file is scanned.
Download the eval.McAfee VirusScan + Qmail (Score:1)
Rav (Score:2)
We use Rav Antivirus [ravantivirus.com] to scan the email for about 6000 dialup customers. It's about $600 + 20%/year for maintaining updates but we chose it specifically because it wasn't free: a virus scanner is absolutely no good when the updates aren't maintained. Pricing is based on number of domains and they have distributors all over the world.
They have versions to run qmail, sendmail, postfix, exchange server, etc., etc. and also have some user programs as well if you want. We've been very happy with it so far.
Scanning Email (Score:2)
Interscan works well scanning email messages but it's a comercial package so your going to be paying about $20/seat licence. McAfee is about the same if not a bit higher.
Still for customers that want it, I recommend going with one of the commercial packages for scanning. If on the other hand a 3,000 investment doesn't quite interest your organization use one of the free scanners.
Now, the most important issue for using amavis though is the other plugin's you can add. Spam protection, automatic routing based on content, etc. It integrates well with milter and being written in perl is easy to modify.
Our virus scanning solution (Score:1)
"Gotchas" that I ran into are:
1) don't send virus notifications to the sender (since 90% of the viruses we get are Klez and don't actually come from the apparent sender), or to the intended recipient (unless most of your users are smarter and more computer literate that your average mollusc, unlike mine) who will probably get all confused and bombard your help desk with questions
2) don't scan for dangerous attachments before scanning for viruses, or the user will get a message saying that some file (not identified as a virus yet) was stripped from an email that wasn't even sent by the alleged sender. This will terminally confuse the users. MimeDefang is a milter and AMaViS is a weirdly hacked up (in the best way) local delivery agent. I have yet to find a way to make MimeDefang run after AMaViS, so I currently only use MimeDefang+SpamAssassin for the spam flagging which it does a great job at.
Really please with vexira (Score:1)