Server Side Virus Scanning Options?

Unknown Relic asks: "Because of the number of virii which are propagated through email, and the tendency for some users to open executable attachments no matter what they are told, we have decided to seek out a server side solution. We are currently running Linux with qmail on the server side, and while we have found a couple of products which may fit the bill, I wanted to hear about the experiences and recommendations of Slashdotters on this subject. Do you or your company make use of a server side virus scanning engine, Open Source or otherwise, and if so what are your impressions?"
  • Unpopular, but... (Score:3, Interesting)

    by Tadrith ( 557354 ) on Wednesday November 06, 2002 @02:59AM (#4606123) Homepage

    The company I work for has a twofold solution which has effectively stopped *anything* from getting through to our system. I haven't seen a virus make it through since it's been implemented.

    On the top half, we have an intermediate company called Big Fish scan our e-mail as it comes through, and then it passes it on to our Exchange server. On the Exchange server, we're running Norton Antivirus for Exchange.

    The added benefit of the intermediate company, is that they also effectively remove 99% of all spam, and all of my normal e-mail gets through. They save all discarded e-mails so you can see how good of a job it does - so far, it's been perfect.
  • McAfee (Score:2, Interesting)

    by itwerx ( 165526 )
    I wouldn't normally recommend McAfee because their products have had so many problems the last few years but their e500 appliance is actually pretty decent.

    (Hmm, and it's linux-based. Coincidence? I didn't think so... :)
  • Mailscanner (Score:3, Interesting)

    by redcliffe ( 466773 ) on Wednesday November 06, 2002 @03:09AM (#4606147) Homepage Journal
    I'm using mailscanner with exim, it strips out any evil javascript or any attachments that are executable. This seems to work for me.
    • We also use mailscanner [mailscanner.info] here at Southampton (unsurprisingly, given that it's developed locally). It's a capable piece of software, and has a sizeable number of installations worldwide (the maintainer's current conservative underestimate is 7000-8000 sites with a throughput of around 3.5 billion messages per day).

  • In the last couple of years many companies have discovered a truly effective method of stopping incoming viruses and spam.

    They stopped forwarding money to their ISPs.

  • by tpv ( 155309 ) on Wednesday November 06, 2002 @03:27AM (#4606201) Homepage
    You need to decide what it is you want to stop, and then you can evaluate the options.

    "the tendency for some users to open executable attachments no matter what they are told"

    There are two parts to that:

    1. some users
    2. executable attachments

    The simplest solution is to strip all executable attachments. Save them somewhere and add a piece of text to the mail saying
    Attachment 'blah.exe' stripped for virus protection. To get a copy of this attachment please call the helpdesk and quote 'Attachment Id: 44591'

    It's a bit painful, but it stops people from randomly clicking on attachments.
    If they need the file they can call the helpdesk and they can release it for them. It tends to work.

    You can also throw in the first point of "some users", and have this based on user.

    It depends on how you want to balance the factors of:

    • Risk of letting a virus through
    • Risk of false-positives
    • Annoyance to users
    • Cost to implement
    • Cost to run
    You really need to think about those, and come up with a solution that's right for your organisation.
    • A virus scanning solution that provides the kind of functionality that you suggest is already out there... However rather than just stripping all attachments, it virus scans them, but also strips any attachments that attempt to hide the fact that they are really executables, e.g. britney.jpeg.exe

      The system requires a virus scanner to be installed and I think they recommend sophos which is available for linux. Check it out here [soton.ac.uk]

  • Amavis and OAV (Score:3, Informative)

    by mwilson ( 86196 ) on Wednesday November 06, 2002 @03:45AM (#4606245)
    Check out Amavis and Open AntiVirus. I've got them working under courier with some mods with great results. Plus the whole thing is free!
    • Me too and I agree it works great. It even unzips zip|tar|jar files and scans all the files in them.

      I run it on SuSE 7.something on a Compaq DL with sendmail, Cyrus IMAP and SpamAssassin. We only have 300 or so users and it can keep up with that no problem.

      I also scan *outgoing* email, which is a bit trickier to set up but is good for legal reasons and for assuring someone that the Klez virus that they received which appeared to come from one of our users actually did not originate from within our network. I would recommend scanning your outgoing mail; it saves a lot of grief.

      The only issue we had was the one regarding notification of the apparent sender of the virus; with so many spoofed senders, I just had to turn it off.
  • by MaufTarkie ( 6625 ) on Wednesday November 06, 2002 @03:51AM (#4606266)

    I've been running qmail forever at my place of employment, so when the bosses told me it was finally time to get an anti-Microsoft virus solution on my mail server, I dug around. Everyone seems to be using Sophos, so we went with that. Having used it for just half a month, I am really impressed with it. Easy to update. Fairly quick. I highly recommend it. However, if you do go with it I urge you to look into Sophie.

    I'm also using Clam Anti-Virus as a backup. Out of the 3000+ viruses my server has caught so far, only 4 have been caught by ClamAV. Probably don't need it, but hey... anything free is worth keeping around.

    I threw spamassassin in there because I was already wasting time scanning -- might as well tag spam. It helps my users filter spam, and they're happier for it. Plus, it gave me stats to throw out there -- nearly 50% of our incoming email that originates off-site is spam. Scary.

    Okay, so here's my setup:

    • qmail-scanner [sourceforge.net]
    • Sophos (SAVI) + Sophie [vanja.com]
    • ClamAV [clamav.org] (I need to write/find a client like Sophie for it -- it has the daemon, just no client)
    • Spamassassin [spamassassin.org]
    I'm very happy with our results. My server scans upwards of 20000+ messages a day with the average time of ~4 seconds per message. I could probably get it to scan faster if I dropped ClamAV, which is the slowest piece of the puzzle right now. At any rate, I set it all up in less than a day. Everything was well documented.

    Good luck.

    • At 4 seconds per message and 20,000 messages, you are using about 93% of your time every day scanning the mail. I hope you can scan multiple messages in parallel, or are planning to get some faster hardware, or you will soon be buried under a mountain of undelivered, unscanned emails.

      The users won't be smiling then.

      Regards,
      John
      • Yeah, it's parallel scanning. The four seconds is the average time -- the box is also doing other things which is taking away CPU time from scanning. My long-term goal is to make the server solely a mail hub, do some spindle-moving, and to write a "sophie/spamc"-style client for ClamAV (or just drop it altogether). That should bring the average time down considerably.

        Personally, I'm not too happy with the four second average time, but if it's blocking Microsoft virii... that's time I don't have to spend cleaning up after Klez.

        We also use Norton AV for Exchange (don't even /ask/ why we have two separate mail systems), which has 1/10th of the users my server does. Messages on it take longer to scan and deliver (I wish I could give numbers but I don't have access to that information). Since I'm not the NT admin, I'm not sure if that's because the box is set up inefficiently or if it's due to the nature of the relationship between Exchange and Norton.
  • My network is also a Linux-controlled domain running qmail (the E-Smith-Server distribution). We were hit by the "EULA-worm" last week and I decided that it was time to institute server-side controls. Doing a quick search for qmail compatible products I settled on RAV Anti Virus [ravantivirus.com]. There's a free 30-day trial for 2 domains. I like it. Very customizable configuration, though proprietary and closed source. It handles spam (to and from us, which is nice), content control (through regexp and/or keywords; for example, "sales projections" to outside domains. . .), and anti-virus protection.

    Give it a whirl.

    • My company uses RAV with Sendmail, and it works pretty well. No viruses in the year I've had it running, which is a considerable change from the multiple infections every two months we had before. Two problems, though:

      1. The anti-spam locks up sendmail on my system, so I just shut it down.
      2. When they say two domains, they mean two fully-qualified domains. For example, say you have three servers... smtp.yourdomain.org and imap.yourdomain.org will be protected, but mail.yourdomain.org is screwed. Of course, the licensing is pretty cheap, so whatever.

  • When I worked at bigwig.net we used procmail and CyberSoft's VFIND and recursive archive-scanner.

    If any viruses were detected the original was wrapped as a MIME attachment to a warning message which contained the report by VFIND.

    Thus, users could decide what to do about it.

    Of course, when we were spammed this made server load go through the roof, it is probably better either to

    1) Move the scanning nearer to sendmail so sendmail throttles a bit earlier to save load eating all your CPU
    2) Rename .scr, .pif, .js etc attachments and warn the user so intelligent users can rename them back.

    Sam
  • There are a number of things I would suggest depending on your risk level. My company used to get hit all the time from mail viruses and worms but I installed Anomy Mail Tools [anomy.net] and we have not had a problem since. Anomy will defang and quarantine attachments based on the extension and it will remove harmful javascript. For files that are common and potentially dangerous like Excel and Word files we use the Kaspersky Antivirus [kaspersky.com] to scan the attachment since a simple extension rule won't work.

    Like I said, we have not had any worms get through our mail server. However we did have one person download an attachment from an AOL webmail system. She infected herself and some customers but all her attachments were removed before getting back in to our users. ;-) This too can be stopped by using Squid and some rules about downloadable files. There is a simple explanation of this within this [gentoo.org] nice little security manual from Gentoo [gentoo.org]

  • by SpaFF ( 18764 ) on Wednesday November 06, 2002 @04:35AM (#4606394) Homepage
    I just (as in 2 days ago) set up a sendmail box for about 6,000 accounts which is running sendmail plus the MIMEDefang milter. MIMEDefang strips out invalid attachments (we have a policy not to accept .exe's and a few other files), strips out messages with invalid headers and a few other things, calls McAfee uvscan, and then runs anything left through spamassassin.

    It has worked like a charm thus far and with graphdefang (a set of scripts that comes with mimedefang) I can view how many messages are discarded, why they are discarded, how many messages are tagged as spam, how many of what type of virii were cleaned, etc.

    I have been quite impressed with the McAfee scanner as well. I have heard nightmares from Windows users who have it installed on their workstations, but it seems to work great on the Unix side. It even comes with a perl script you can set to run in your crontab to download the latest virus definition files.

    -Lee
  • I used to work in the IT Dept at Rankin County (MS). I implemented a mail solution with Linux. One box acted as a mail proxy running TrendMicro VirusWall. The other box that was used for storage ran Sendmail w/ Razor and SpamAssassin. It worked great!
  • Nobody using sanitizer here? [anomy.net]
    • Yep - we've been using it for almost two years, and have had exactly ZERO virus outbreaks on our network.

      Our users (about 60 of them) are fine with it, even though it'll catch the odd legit file from time to time if someone names a file "file.latest.pdf" or something. You can disable this behaviour but we've not seen the need so far.

      The only criticism I'd have is that because it's procmail and perl based, large attachments (those dang users!) do take a while to pass through our little RedHat PII450 sendmail box, but other than that it's wonderful.

      JJ
  • Vexira Mail-Armor (Score:3, Interesting)

    by JLester ( 9518 ) on Wednesday November 06, 2002 @10:19AM (#4606954)
    We started using Vexira (http://www.centralcommand.com) Mail-Armor this year. We use Debian/Exim for about 8000 users for a school system. The setup was very simple. Mail-Armor listens on the SMTP port and does real-time scanning of every message that goes through. It then passes the message on to the "real" SMTP server running on a non-standard port. We were initially worried about whether it could keep up with our traffic, but it has been flawless so far. It uses two processes: one listens on the SMTP port and does the scanning while the other processes the queue and passes the messages on to Exim.

    It notifies the postmaster and both the sender and receiver when it detects a virus. A cron job runs every night to download the virus definitions. It cost $150 for a school system. The cool thing is that it is licensed by domain, not by # of mailboxes like some products.

    Jason
  • qpsmtpd + clamav (Score:3, Informative)

    by Matts ( 1628 ) on Wednesday November 06, 2002 @10:20AM (#4606957) Homepage
    [Disclaimer: I work in AV]

    If cost is even slightly an issue, I can recommend using qpsmtpd [develooper.com] and clamav [elektrapro.com]. The clamav team are pretty fast at adding new virus signatures to their database, and they catch most of the common viruses out there. I've written a qpsmtpd plugin for clamav which you can find here [perl.org].

    I can't honestly recommend Sophos for gateway scanning. They are better on the desktop. If you can I would go for NAI [nai.com] who have the best gateway scanning of the commercially available scanners (according to our live tests).

    Alternatively, if a 100% guarantee appeals to you, the company I work for, MessageLabs [messagelabs.com] will give you a 100% guarantee against letting through an email virus. We'll also do spam scanning for you. Yes, I'm biased.
  • RAV (Score:3, Informative)

    by photon317 ( 208409 ) on Wednesday November 06, 2002 @10:27AM (#4606999)

    I've been using RAV Antivirus (specifically their sendmail+libmilter option for linux) to scan my company's mail as it passes through our linux/sendmail mail server. It's done a great job of picking out windows viruses. It's not open-source, but their pricing is very reasonable. I think for scanning 2 domains (their minimum) was $300 initially to purchase it, which comes with 1 year of virus database updates, and $60/year after that to keep getting updates. They don't care about the volume of scanning, just how many email domains you're scanning for. Check them out at http://www.ravantivirus.com.
    • I can't agree more. RAV for Qmail is an EXCELLENT product. It is an incredibly simple and seamless integration. The configuration is simple, and the (US) tech support is friendly and knowledgeable, IMO. The price is very reasonable, even for the extra domains. The latest version has optional "push" updates so that new virus outbreaks can be taken care of quickly and easily. It melts the standard RAV engine right into the Qmail config by replacing qmail-queue. As a bonus you can use the ravav engine for other scanning jobs.
  • Trend Micro (Score:2, Interesting)

    by russward662 ( 608354 )
    We have been using Trend Micro since before I started here. Right now we have an Exchange 2000 server with Trend Micro installed. We process around 10 million messages a month.

    So far I have been very happy with Trend Micro. The only down side I have seen is the cost, but it is not as bad as some others.
  • Anti-Virus (Score:4, Interesting)

    by dasunt ( 249686 ) on Wednesday November 06, 2002 @11:13AM (#4607727)

    I'm in the middle of writing a HOWTO for the LDP concerning virus scanning on linux. (Wish it was done so I can point you to it).

    I don't have my research in front of me, so I have to reply off the top of my head here.

    If I was going to do this, I would first select one of those programs that mangles attachments. There are solutions that remove attachments entirely, solutions that detach the attachment and move it to a place where it can be accessed by a link in the email, or solutions that change the extension of the file. I'd suggest the latter solution. If any .vbs, .bat, .exe [...etc] files are renamed to .oldextension.txt, everything is fine. You might want to combine this solution with a rule to filter anything along the lines of .jpg.vbs or the like (which is probably a virus). Remember - If you remove attachments or block emails, please send a message to the sender saying you did. This is business email. The $virus_of_the_month might have attached itself to the CEO's quarterly fiscal report.

    That being done, then run all emails through a virus scanner. Again, if you detect a virus, mail the sender explaining what you did and what virus was detected. [Btw, put in a disclaimer - some viruses send out false 'from' addresses in their headers]

    That should filter incoming email without a problem. For shares, there are scanners that will integrate themselves with Samba, which will scan files whenever they are changed. I have not seen any real-time scanning solution for other file share methods though.

    If anyone has some more information, please drop an email to dasunt[at]hotmail[dot]com. If I use the information, I'll credit you.
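A toy version of the two attachment-handling approaches described in tpv's and dasunt's posts above, written as an added example for this page (not code from either poster or from any product mentioned): it parses a constructed message, treats any attachment whose final extension is executable as hostile (so a disguised britney.jpeg.exe is caught, not just blah.exe), and either quarantines it under an ID for the helpdesk or renames it to .txt so the client will not run it. The extension list and the hash-based attachment ID are assumptions.

```python
"""Toy MIME sanitizer: strip-and-quarantine or rename-to-.txt (added example)."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Extensions a Windows client runs on double-click (assumed list; extend for your site).
EXEC_EXTS = {"exe", "com", "bat", "cmd", "vbs", "vbe", "js", "jse", "scr", "pif", "wsf", "hta"}

# Text inserted in place of a stripped attachment (wording taken from tpv's post).
NOTICE = ("Attachment '{name}' stripped for virus protection. To get a copy of this "
          "attachment please call the helpdesk and quote 'Attachment Id: {aid}'")


def is_executable(filename):
    """True for 'blah.exe' and for disguised names such as 'britney.jpeg.exe':
    only the final extension matters, whatever comes before it."""
    if not filename:
        return False
    return filename.strip().lower().rsplit(".", 1)[-1] in EXEC_EXTS


def sanitize(raw, mode="strip"):
    """Return (cleaned message, quarantine dict id -> (filename, bytes)).
    mode='strip' replaces the part with a notice; mode='rename' keeps the bytes
    but appends .txt to the filename so the mail client will not execute it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    quarantine = {}
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not is_executable(name):
            continue
        payload = part.get_payload(decode=True)
        aid = hashlib.sha256(payload).hexdigest()[:8]  # assumed quarantine id scheme
        quarantine[aid] = (name, payload)
        if mode == "rename":
            part.replace_header("Content-Disposition", f'attachment; filename="{name}.txt"')
        else:
            # set_content drops the old Content-* headers and turns this into a text/plain part
            part.set_content(NOTICE.format(name=name, aid=aid))
    return msg, quarantine


def build_sample():
    """Constructed test message: one disguised executable plus one legitimate PDF."""
    m = EmailMessage()
    m["From"] = "ceo@example.com"
    m["To"] = "staff@example.com"
    m["Subject"] = "Q3 report"
    m.set_content("Figures attached.")
    m.add_attachment(b"MZ\x90\x00fake-exe", maintype="application",
                     subtype="octet-stream", filename="britney.jpeg.exe")
    m.add_attachment(b"%PDF-1.4 fake", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()


def attachment_names(msg):
    """Filenames of all attachments left in a message, in MIME order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    cleaned, held = sanitize(build_sample())
    print(attachment_names(cleaned), list(held))
```

A real gateway would run the quarantined bytes through a scanner as well and, as dasunt notes, tell the sender what was done.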

  • by jmlyle ( 512574 )
    I used Sophos and mailscanner on linux to protect our company. They worked great. I had a script get virus updates twice a day from the Sophos site and incorporate them into the scan. Once a month, they sent a CD with an engine update which just dropped in the directory.

    It was easy to modify the mail messages (plain text and html versions) that were sent to me and to the intended recipients when something was detected. Lots of options, and easy to configure.
  • I have to say, i quite like Dr Web [sald.com][SALD.com is their english mirror]. Although it's written by some Russians, it seems very good. Worth having a look at it. Integrates nicely in MTAs such as postfix, sendmail.
