Best Antivirus Options for a Mailserver?
CSIP asks: "I am setting up a small mailserver, with ~500 users, across 80 domains. I'm planning to use qmail-scanner and an antivirus scanner to block incoming viruses. I would prefer to use ClamAV, however I've read conflicting reports on its effectiveness. The commercial scanners appear to detect 99.X% however they are licensed per-user, which at 500+ users becomes quite the annual bill.
What is everyone's experience with ClamAV? Are there other commercial scanners that allow you to license on a per-server basis?" The best indicator of quality for a virus scanner is the information in its virus database. How do ClamAV's virus definitions compare to commercial scanners, like McAfee's?
ClamAV (Score:1, Interesting)
Re:ClamAV (Score:2, Insightful)
Score:1, Interesting
Right....
Re:Best mail virus scanner (Score:4, Funny)
Re:Easy solution (Score:1, Offtopic)
You'd be better off... (Score:3, Informative)
Most viruses spread so quickly that the AV tools' databases are inevitably out of date and ineffective.
Re:You'd be better off... (Score:3, Interesting)
That wasn't really true until just a week ago when I had to manually update my f-prot twice in one day to catch the new Netsky variants. I had it set at once a day for the longest time, set it for twice a day a month ago and it's now at every four hours. The updated db got them right away, the delay (in my case) was me doing the update in the first place.
F-prot and SpamAssassin with Courier-MTA [gentoo.org], BTW.
Re:You'd be better off... (Score:3, Interesting)
F-prot catches most viruses, the rest seem to be on a blocked list, so I'm pretty happy with f-prot. In fact, I use f-prot to scan all the file-systems also, not just for email. F-prot has to be the easiest command line scanner out.
And if you want, you can use procmail/fetchmail and hotpop
Re:You'd be better off... (Score:1)
That's the idea, anyway. Of course, the most common elements on this planet are hydrogen and stupidity...
Clam (Score:5, Interesting)
We did have Norton AV/Exchange running when we used exchange as a front line server. It was also pretty good about viruses except for the first day of CodeRed I believe where it was 1/2 after the first emails showed up. We only paid once and the updates never seemed to discontinue after the year, so maybe its just support/assurance that you're paying for. Consult the contract if in doubt.
Re:Clam (Score:3, Interesting)
I do think they deserve some support from the community, I'm considering what to do in my workplace. A mirror would be possible but the mirror terms are a little out of the ordinary.
Re:Clam (Score:1)
looked like the support they wanted was virus signatures, etc as the more of those, the more reliable it is.
I just wanted to be safe, and not switch to this without checking it out first.
thanks!
Re:Clam (Score:3, Informative)
there's always the blowtorch on an ant method! (Score:3, Insightful)
Now, granted, with 500 users, I'm going to assume that is not an option for you as people likely send files back and forth via email quite often.
Still, I just wanted to point out that blocking email with attachments is probably the most effective antivirus option for a mailserver, though certainly not the best solution.
Re:there's always the blowtorch on an ant method! (Score:5, Insightful)
It's extremely easy to do, and you could even set it up so that each uploaded file gets a little key so only the intended recipient can get it. The uploader script will automatically send an email to the desired recipient, containing a URL with the unique key embedded. Having all of the files stored on the server like that will probably cut down on all the inappropriate files too.
Solution should take no more than three PHP files of 100 or less lines each.
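The per-file key scheme described above, as an added example (not the poster's PHP; the poster's three-file solution is not reproduced here). It assumes the hostname files.example.test, an in-memory store in place of a database, and a list standing in for the outgoing mail queue; the point it shows is that the key is random per upload, is sent only to the intended recipient, and is compared in constant time on retrieval.

```python
"""Drop-box style file exchange with a per-upload capability key.

Added example: the store, mailer and hostname are stand-ins.
"""
import hmac
import posixpath
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://files.example.test/get"  # assumed hostname for the demo


@dataclass
class Upload:
    recipient: str
    filename: str
    content: bytes
    key: str


@dataclass
class DropBox:
    uploads: dict = field(default_factory=dict)   # file_id -> Upload
    outbox: list = field(default_factory=list)    # (recipient, body); stands in for the MTA

    def store(self, recipient: str, filename: str, content: bytes) -> str:
        """Save the file under a random id with a fresh random key and queue
        a notification to the recipient carrying the retrieval URL."""
        safe_name = posixpath.basename(filename) or "attachment"  # drop any path components
        file_id = secrets.token_hex(8)
        key = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        self.uploads[file_id] = Upload(recipient, safe_name, content, key)
        url = f"{BASE_URL}?id={file_id}&key={key}"
        self.outbox.append((recipient, f"A file '{safe_name}' is waiting for you: {url}"))
        return url

    def fetch(self, file_id: str, key: str) -> Optional[bytes]:
        """Return the file only when the presented key matches; the comparison
        is constant-time so response timing does not leak matching prefixes."""
        up = self.uploads.get(file_id)
        if up is None:
            return None
        if not hmac.compare_digest(up.key.encode(), key.encode()):
            return None
        return up.content

    def fetch_from_url(self, url: str) -> Optional[bytes]:
        """Convenience wrapper: parse id and key out of a retrieval URL."""
        params = parse_qs(urlparse(url).query)
        return self.fetch(params.get("id", [""])[0], params.get("key", [""])[0])


def demo() -> tuple:
    """Constructed scenario: a correct link works, a tampered key does not."""
    box = DropBox()
    url = box.store("alice@example.test", "../../etc/quarterly.xls", b"constructed contents")
    good = box.fetch_from_url(url)
    bad = box.fetch_from_url(url[:-1] + ("A" if url[-1] != "A" else "B"))
    stored_name = next(iter(box.uploads.values())).filename
    return good, bad, stored_name, len(box.outbox)


if __name__ == "__main__":
    print(demo())
```

The notification mail carries only the URL, so the file body never transits the mail system; the recipient still has to decide whether to click, which is the pause the thread is after.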
Re:there's always the blowtorch on an ant method! (Score:2)
Re:there's always the blowtorch on an ant method! (Score:1)
Actually, if you use a web form to upload the file, it still encodes the file using MIME [w3.org]. But if your browser and server both support gzip it can be compressed - so you're half right.
I hate it when I get pedantic!
Re:there's always the blowtorch on an ant method! (Score:2)
Re:there's always the blowtorch on an ant method! (Score:1)
best Anti Virus Protection (Score:1, Funny)
But since that's not going to work you need to enforce a strict policy "If you open a virus I chop off a finger"
This should work for you unless you have someone that just doesn't learn
We tried that recently at my company (Score:3, Funny)
Re:best Anti Virus Protection (Score:2)
ClamAV vs. Commercial (Score:5, Informative)
To paraphrase, ClamAV's database is generally at least a few days ahead of sophos and sometimes weeks...
ClamAV was written from the ground-up to do mail scanning, so it should be better than commercial scanners that try to be everything to everyone...
Re:ClamAV vs. Commercial (Score:2)
Re:ClamAV vs. Commercial (Score:1)
Regards,
Steve
Re:Huh? Doesn't everyone use Pine? (Score:2)
Re:Huh? Doesn't everyone use Pine? (Score:2, Interesting)
ClamAV (Score:5, Interesting)
I own a company that uses the ClamAV+Amavis-ng configuration internally and implements the solution for clients. We've never seen a virus come through the system yet.
When you combine these tools with SpamAssassin you have a fairly "safe" email system.
Chain Solutions (Score:3, Interesting)
Not recommending anything in particular, but you can chain together different tools to filter more completely than a single line of defense both against viruses and against spam.
IIRC, at MyCorp, Exchange servers are insulated from the outside by both PerlMX [perl.com] and Tumbleweed [dmoz.org].
ClamAV and something else (Score:2, Interesting)
At first I converted it from exim to qmail with qmail-scanner, then replaced qmail-smtpd with qpsmtpd.
As we already have licencing for f-prot I used that, but it soon failed to pick up a variant of Swen. So I simply added the clamav plugin and stopped the variant (gibe) dead.
I probably should build some stats on which scanner detects what, but we've only had a few netsky variants before one or the other updated.
With at least th
Here's an idea... (Score:5, Interesting)
If it's a picture or a word document from a friend or colleague then they'll probably end up viewing it in their browser and if it's a binary, provided it came from a trusted source, they can download it (make sure to give them an option to delete it if they'll feel it isn't benign). If it's something they don't recognize and/or from someone they don't recognize, they're going to be a bit more cautious. The idea is that the extra step prevents people who open all attachments without thinking or, worse yet, run email clients which allow attachments to rape their computer without their knowing, from harming themselves.
If anyone complains, tell them this is the email version of "Are you sure you want to delete that file?" -- it's a pause that forces reflection that may end up saving them grief. They'll learn to live with the added step and eventually, they'll be glad it's there to protect them.
Re:Here's an idea... (Score:2)
Re:Here's an idea... (Score:2)
Re:Here's an idea... (Score:3, Insightful)
I've admined corporate networks with between five hundred and a thousand clients and admined ISPs with five times as many so yeah, I've dealt with end users. It was my experience that you can either marvel at their stupidity and bang your head on your desk or marvel at their stupidity, try to help and educate them and then bang your head on your desk. I found the latter gave me the always heartwarming excuse, "I tried."
At any rat
Re:Here's an idea... (Score:1)
But when you're already willing to take the step and teach the users something new, why not instead tell them to use a different, more secure, mail app (like Mozilla, Evolution etc.)? They still have to learn something new, but can stick to the lazy behaviour and save attachments as they are used to. I'm sure they'd s
Re:Here's an idea... (Score:2)
Great, the "Are you sure" thing has been proven to be very poor UI.
Works well with qmail-scanner (thumbs up) (Score:2, Informative)
Vexira Antivirus (Score:3, Interesting)
It integrates easily with any MTA (works as a proxy), including my favorite qmail. Runs over Linux and various *BSD's. I've successfully installed it over Debian (even though only RPM packages are provided - they can be easily converted to
They also offer an antivirus solution for Samba servers, which provides real-time scanning and blocking of files when opened/closed from the network. It comes with a fixed price for server with an unlimited number of users and shares to protect.
The recommendation may come from a little closer - my company is a Vexira Reseller. But all in all it's a good solution and IMHO it has the most convenient licencing scheme.
For more info visit: Vexira Website [centralcommand.com].
Regards,
Not for OS X Server, though... (Score:2, Interesting)
The biggest reason I have to use ClamAV is because almost no one else supports OS X. I didn't find any besides ClamAV that weren't an all-in-one mail server, which I'm not going to bother with.
If Vexira would have supported OS X when I was looking, I would have bought it.
something to check for in your AV scanner (Score:4, Insightful)
Re:something to check for in your AV scanner (Score:2)
Either way, something to check on.
Works great here (Score:2)
In the past 4 weeks, it's managed to block:
244 virus messages
416 spam messages
correctly tagged 450 messages as possible spam (kill setting is low right now while I test the system).
And that's just on my 3 e-mail accounts. I haven't put this into testing inside the department yet.
My experience with ClamAV/Qmail-scanner (Score:5, Interesting)
I've had reasonably good luck with ClamAV. I've found that effectiveness tends to depend on configuration (which I'll get back to).
Some people say that the ironclad test of an A/V app is the number of virus definitions listed. In ClamAV's case (per FreshClam's log output), there are 20372 signatures in the DB. IMO, the number of definitions doesn't really mean much. In my experience, the most important stuff to protect against are the recent outbreaks -- where mail servers are inundated with worm-laden email. In this case, it's really a matter of how soon the definitions are updated. Generally, I tend to see definitions updated within 12-48 hours of a reported outbreak. Combine this with your update frequency to figure out your exposure period.
There will be an exposure period regardless of which A/V software you run. Some will have greater average periods than others. Don't rely on marketing information to figure this out. It's a bunch of crap. Real world experience is what counts here -- if you've got lots of experience with these, great. If not, try to find someone who knows their stuff who can give you a good idea for what's what with different apps. I haven't used a ton of these, so I can't give you any ironclad data.
Your configuration will tend to be your greatest asset/worst enemy in terms of finding the best A/V setup for your particular needs. For example -- I automatically block certain types of attachments via qmail-scanner. There's no reason for them -- and they're not worth the risk. I block any attachment with the following extensions (I'm sure that this is not perfect, but whatever): .vbs, lnk, scr, wsh, hta, pif, exe, bat, com, sct, chm, cmd, crt, hlp, hta, isp, pcd, reg, shs, and js. These attachments are all allowed inside of an archive (which ClamAV scans), but I'm willing to roll the dice on exposure to those, since screwing up and opening the attachment is no longer as simple as a single mouseclick.
Finally, I also run client-side A/V. These just aren't as reliable as server-side protection -- users always find wonky things to do with/to their computers...but I like to think of this as a last line of defense. Furthermore, users also tend to check their personal email from work. If you have the hardware to handle it, it might be worth your while to have your users forward their personal email through your service to cover your butt (or enact a policy forbidding users from checking personal email at work)...just be careful about discoverability of their personal email if it comes through your work email (IANAL).
Overall, I'm satisfied with ClamAV/Qmail-Scanner. I'm running it on a system designed for 1000 users (in its current hardware/software configuration) -- scalable to up to about 3000 users. Currently, we're running with around 150 users...in about 2 months, we'll have our new HR/payroll system up which will allow us to add accounts for the rest of our 750 employees (long story). We'll see how good it is once I have a larger userbase to work with. However, my favorite part about ClamAV (and this is the real selling point) is the lack of per-seat fees associated with most commercial AV products. This is the same reason we chose not to use Exchange...those fees are hefty!
Re:My experience with ClamAV/Qmail-scanner (Score:1)
But just because a virus isn't new doesn't mean that it's not sti
Re:My experience with ClamAV/Qmail-scanner (Score:2)
Correct...but if you read my post again, you'll notice that I said that "the most important stuff to protect against are the recent outbreaks". I never said anything about completely overlooking old viruses. If you analyze a logfile from a mail server's quarantine logs, you'll find that the vast majority (~99.5%) of the worms/viruses that are picked off are from the latest outbreak. Furthermore, "latest outbreak" doesn't ne
Re:My experience with ClamAV/Qmail-scanner (Score:1)
Clam is *better* at times . . . (Score:2, Insightful)
Password-encrypted Zips (Score:4, Interesting)
Right now I'm quarantining (with mimedefang and the patched clamav) all encrypted zip files. So far it's 100% hit rate, with no false positives. Unfortunately, ClamAV developers haven't said how they plan to deal with these password zip files.
Overall, once I patched clamav, I was more than pleased. Over the last 2 months Clamav working through mimedefang has saved us from almost all the viruses coming into our server. Updates are daily or more and I have a cron auto-updating them on the hour.
The beauty of having an open source AV was made clear to me today as I modified ClamAV to detect the encrypted zip files. Even though this is more of a stop-gap measure, with any other closed-source program I would have been completely at the vendor/developer's mercy.
That said, using clamav in conjunction with other AV programs in a stack fashion would give you even more coverage if you were worried.
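An added example serving two posts in this thread: the extension deny-list from the ClamAV/qmail-scanner post above, and the password-encrypted-zip quarantine described in this post. It is not code from qmail-scanner, mimedefang or ClamAV and does not reproduce the poster's ClamAV patch; it is a stand-alone gateway-side policy check written for this page. The sample message and the flagged zip are constructed here (the zip only carries the "encrypted" header flag, which is all the check looks at; it does not need the password). The deny-list is the poster's list with the duplicated `hta` and the stray leading dot normalised.

```python
"""Attachment policy checks for a mail gateway (added example).

Check 1: final filename extension on a deny-list (case-insensitive).
Check 2: zip attachment with any member marked encrypted, detected from
general-purpose flag bit 0 in the zip headers. A scanner cannot look inside
such a member, so the message is reported for quarantine.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Deny-list as given in the thread post (normalised).
BLOCKED_EXTENSIONS = frozenset({
    "vbs", "lnk", "scr", "wsh", "hta", "pif", "exe", "bat", "com", "sct",
    "chm", "cmd", "crt", "hlp", "isp", "pcd", "reg", "shs", "js",
})


def blocked_extension(filename: str) -> bool:
    """True if the last extension is on the deny-list; 'photo.JPG.scr' counts."""
    name = filename.lower().rstrip(". ")
    return "." in name and name.rsplit(".", 1)[1] in BLOCKED_EXTENSIONS


def zip_has_encrypted_member(data: bytes) -> bool:
    """Read the central directory only; bit 0 of flag_bits is set on every
    encrypted member. No password is needed for this."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def check_message(raw: bytes) -> list:
    """Walk every MIME part carrying a filename; return (filename, reason) pairs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        payload = part.get_payload(decode=True) or b""
        if blocked_extension(filename):
            findings.append((filename, "blocked-extension"))
        elif payload.startswith(b"PK") and zip_has_encrypted_member(payload):
            findings.append((filename, "encrypted-zip"))
    return findings


def make_zip(member: str, content: bytes, mark_encrypted: bool = False) -> bytes:
    """Constructed sample zip. With mark_encrypted the 'encrypted' flag bit is
    set in the local header (offset 6) and central directory entry (offset 8);
    the data itself is not encrypted, which is enough to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = data.find(sig)
            while i != -1:
                data[i + off] |= 0x01
                i = data.find(sig, i + 1)
    return bytes(data)


def build_sample(attachments: list) -> bytes:
    """Constructed MIME message with the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


def demo() -> list:
    raw = build_sample([
        ("invoice.pdf", b"%PDF-1.4 harmless placeholder"),
        ("photo.JPG.scr", b"MZ placeholder, not a real executable"),
        ("archive.zip", make_zip("doc.exe", b"MZ placeholder", mark_encrypted=True)),
        ("notes.zip", make_zip("notes.txt", b"plain text")),
    ])
    return check_message(raw)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason}: {name}")
```

Note that the plain `notes.zip` containing a text file passes, while a zip containing `doc.exe` passes too unless it is flagged encrypted, matching the poster's choice to let archived executables through to ClamAV and only quarantine what the scanner cannot open.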
Re:Password-encrypted Zips (Score:1)
No server based AV solution I know of will stop the latest wave of random password zip viruses. That is because the AV program cannot scan inside the zip file. I've posted a patch to the clamav-users mailing list that marks all password-encrypted zip files as suspect and thus can be quarantined for manual extraction and scanning if desired.
I just unintentionally discovered a way to block these.
On our existing server, I have a commercial scanner, which im using with qmail-scanner. I setup qmailscanner'
Re:Password-encrypted Zips (Score:2)
Tomasz Kojm, ClamAV developer, says about it:
Re:Password-encrypted Zips (Score:2)
Jason
Re:Password-encrypted Zips (Score:2)
Augh. Please don't do this. A lot of folks *use* password-encrypted zip files as the only way to securely exchange information in a world where not everyone uses PGP.
Re:Password-encrypted Zips (Score:2)
And a lot of people use Microsoft Outlook for the same reason ... and with the same results.
Re:Password-encrypted Zips (Score:1)
Re:Password-encrypted Zips (Score:1)
And how do you send the passwords for the zip files? Do they meet earlier and agree on the password (poor man's PKI)? If the password is in the mail itself, how is it more secure?
Re:Password-encrypted Zips (Score:2, Interesting)
The password is in the text of the email. How difficult would it be to try all the different words in the mail as passwords? The mails have less than 50 words, so it should run pretty fast.
Re:Password-encrypted Zips (Score:2)
Also, I work for one of the AV companies and I foresee that if we were to implement something like this, then eventually some obnoxious black hat
Re:Password-encrypted Zips (Score:2)
Wed Mar 3 02:00:59 2004 ->
Thank you, clamav!
Mostly works. (Score:1, Interesting)
Re:Mostly works. (Score:2, Informative)
From a user's POV (Score:3, Interesting)
Please don't use a scanner that "quarantines" e-mails that require admin intervention to get back. One of my prior employers created such a beast for their e-mail system, and it would even quarantine e-mails I send to co-workers. The admins of course have slow turn-around times. It ended up easier to use the telephone or FTP, defeating the original convenience and usefulness of e-mail. Even further, it would quarantine totally legitimate stuff from mailing lists. Really crappy stuff.
IMO, it is better to have suspicious e-mail diverted to a "Dangerous, Be Careful" folder with a big Skull-and-Bones air about it, so I can ignore the virus scanner altogether to get at important e-mails.
Also, don't use Windows. Of course, you already knew that, right?
Only just started to need them (Score:2)
That was until they started putting them in zip files, which are allowed through.
F-Prot (Score:1)
You can use the personal version for free even on Linux (for personal use of course). With the new amavis (at least on Debian) you hardly have to configure anything, f-prot even has a Debian package available.
The commercial workstation version works well too, but it can be slow when you have a lot of mails (probably around 10-100 per minute, haven't checked it), be
ClamAV with CommuniGate Pro (Score:1)
Bad sides? Spartan documentation. Nothing a competent admin can't work out.
Take this as subjective experience; ClamAV has no way to tell me it allowed a virus through. And circumstances
Use a hardware-based solution (Score:2, Interesting)
These devices provide VPN support as well as full firewall features. The Fortinet devices start at $500 USD and go all the way up to data center class devices costing >$40,000 USD. Very easy configuration. Worth the cost.
Good results (Score:1)
Sendmail 8.12 -> MS Exchange 2000 -> Outlook clients
My outfit was already married to Microsoft, and the Exchange server was buckling due to being inundated with spam. I'm also running Symantec AVF [symantec.com] on my Exchange server (Dell PE6650, Quad 1.4Ghz Xeon, 3Gb ram).
I originally installed Linux on a Dell Dimension desktop (450Mhz PIII, 768Mb ram) using Sendmail + Spamassassin + spamass-milter + RAV [ravantivirus.com]. Spamass-milter isn't very stabl
ClamAV concerns (Score:3, Interesting)
Re:ClamAV concerns (Score:2)
2> Clamav need not run as root.
postfix + amavis-new + more (Score:2)
Example header check:
SuSE OpenExchange + AntiVir (Score:2, Interesting)
SuSE OpenExchange's default spamassassin rules are really, really good. I had to make a minor adjustment to one of the rules - and after that it has had zero false positives in addition to taking care of over 99% of the spam we receive. The last month it has blocked about 1500 spam messages to me alone - an
Using both Clam and Sophos.. (Score:3, Informative)
I tend to find Clam updates faster, but Sophos's updates need fewer corrections..
I glue them together with MailScanner (www.mailscanner.info) which also allows me to pop in SpamAssassin to the mix.
On the desktop I use Norton's AV solution to give me a third layer of defence..
Belt and braces.....
Must reinstall sophos every 3 months (Score:2)
Re:Must reinstall sophos every 3 months (Score:2)
I've got a script that goes off and gets the latest engine once a month.
ClamAV have the same issues - just not driven by timescale, but by features/bug fixes.
For me this is a good idea as it forces the end user to spend a little time administrating the system IF you haven't got their Enterprise Manager tool that will do it for you...
Puremessage/perlmx (Score:2)
Anyway, it does anti-spam and anti-virus and general policy type stuff. It has been extremely reliable and has been really excellent -- great spam filtering and now with the sophos AV very up-to-date virus signatures.
Licensed per CPU. We run about 1000 users behind a 1-cpu box and it could easily go to many more users.
Good luck-
ClamAV (Score:2)
I've been using clamav for quite a few months now; it's pretty good.
Viruses are picked up quickly enough for me, and if they're not picked up quickly enough for you, they include tools to create your own virus signatures.
Response time for AV vendors (Score:1)