Scanning for Windows Viruses in Linuxland?

rmmeyer asks: "I'm in the process of building an e-mail server for my company with a new twist. Since most of the clients are going to be Windows based (don't go there, I can't change 'em) and running Outlook (I know, I know...) I need to be able to scan the incoming and outgoing Emails for viruses. A quick check on Freshmeat shows fourty-nine projects related to email viruses. I intend to use Sendmail for the MTA with the milter API for scanning. There appear to be several commercial anti-virus scanners for Linux and at least one Open Source scanner. What are the community's experiences doing this? We expect to have 150 clients and potentially several thousand incoming Emails per day. Points are added for solutions that also include the capability of scanning Samba shares! =)" Ask Slashdot last touched on this issue in this article, from early March of last year, and before that in another article from October of 2000. I'm sure things have changed greatly since then.

F-Prot

[Tux2000]

F-Prot [f-prot.com] for Linux, free of charge for personal use.

I'm not related with Frisk Software except that I use their software.

antivirus - a sendmail milter

[elvisior]

I installed this for an organization's mail server which has over 40,000 users .. we were very concerned about a performance hit.. and on the server stats you can not see a hit.

http://www.nmt.edu/~wcolburn/antivirus/

We combined this with mcafee under linux which also works very well but there are other options available.

Not to start a us vs. them

[Gigs]

But consider Qmail [qmail.org]. Its more secure than sendmail. Much easier to configure. And does all the things you requested. Here is the link for the Anti-Virus [qmail.org] support. Check out the RAV [ravantivirus.com] product as it is can scan both emails and your drives...aka samba shares. Although it is a product you have to pay for... I consider anti-viruse one of those things that is worth paying for to make sure you're up to date.

Amavis

[Mr.Phil]

I use Sendmail with Amavis and UVScan to scan for viruses on a 3500 user mail server. No complaints so far, and I've not had a virus slip past. I've cron setup to download virus def updates every morning and that keeps me fairly up to date. Using the newer releases that daemonize amavis help to keep the system load down.

Overall, I'm pleased with the package.

http://www.amavis.org

(No affiliation with the programmers, I just use the product.)

Re:Amavis

[Mr.Phil]

I hate to reply to myself, but you can setup UVScan to scan samba shares, and amavis supports Sendmail Milter.

I knew there was something I forgot to include. Time for the morning coca-cola.

Re:Amavis

[arglesnaf]

amavis works wonders, I have a Solaris version of sendmail server with over 30K mailboxes, and I use Amavis with McAfee to keep my windows environment nice and clean. Just buy a copy of McAfee for workstations (around $20-60 dollars depending on your relationship with NAI) and hook it into Amavis, and you are all set! It even uses the normal NAI dats!

Re:RAV Antivirus

[Jonny 290]

I'll second the nomination for RAV. Busy regional ISP here, 25K customers, couldn't run spamassassin or anything of that nature due to the fact that all other apps have to fork off for each and every email coming in. RAV stays mem resident and as such, is super-quick.

Need for attachements?

[Gudlyf]

You might want to ask yourself what kind of attachements you're expecting to see come through the server. I personally use Postfix [postfix.org], which I've found to be a bit easier to configure than sendmail. Through that, I block any emails with "suspicious" attachements such as ".exe" or ".bat" (among many others). The rest are handled by the virus scanners on the individual client systems.

I'm not sure it's such a good idea not to have some kind of on-the-fly scanning for each client system, espeically if they're the type to demand the use of Outlook (I have the same situation here, and I sympathize). There's always the chance they'll grab infected files off the web as well.

Mailscanner

[Anonymous Coward]

I use mailscanner [mailscanner.info] with sendmail to scan mail for viruses . It has a number of nice features such as the ability to block certain types of attachments (e.g. exe's) - this can be configured to block/ allow any attachment based on regular expressions. It relies on third party virus engines - I use Sophos at work and f-prot on my home network, but others work too. It also integrates well with spamassassin [spamassassin.org] to effectively tag spam.

If you have a mixed network with samba shares you might also like to have a look at Rainer Link's samba-vscan VFS module for samba at the openantivirus [openantivirus.org] site.

Re:Mailscanner

[chfn]

Mailscanner is a good tool. I set it up with spam-assassin to filter the insane amounts of spam we get at our small office. What got me started was finding this article [kill-hup.com] that steps through a setup. I didnt use mcafee but the walk-thru helped anyway.

It works just fine

[TheAcousticMotrbiker]

We've been doing this for a (long) while.
Currenlty using Sophos antivirus but have used other products in the passed with equally good results.

qmail!!

[polyphemus-blinder]

Use qmail [cr.yp.to] as the MTA. It's way more secure, and more compatible with with cutting edge virus scanners and spam filters like spamassassin [taint.org].

Ideally your exchange server should end up being nothing more than a storage place for email (seems like you're doing that). I'll be doing this in about two weeks at my company, too. Good luck!

ASTROTURF! (was Re:Vexira mailarmor is the way...)

[Dagmar d'Surreal]

Anyone who feels like just moderating some comments down, feel free to hit this one and the ones below of the same vein...

Note carefully...

* Poster has only made one post ever--here.
* Poster's numeric ID is within a handful of the one above.
* Poster's comments are all very obviously marketing-speak.

Vexira has just cost themselves a possible customer. I don't buy products from people who lie about them, and astroturfing is lying.

Try this.. mail scanner :)

[Manic Miner]

This Mail Scanner [soton.ac.uk] is very good and maintanied very regularly (just see the dates on the link listed). To quote the website: "Protecting over 1 billion e-mails every week, for over 40 million users". It is NOT a virus scanner itself, only a way of scanning mail using a virus scanner such as the one provided by Sophos.

I used to use the network that this mail scanner was attached to and it was very effective at providing pre-emptive detection as it looks for things such as extention masking etc.

I believe it has detected a few virus before the actual virus patterens were released :)

It also has quite an impressive list of sites using the software: here [soton.ac.uk]

Don't scan for viruses, do this instead.

[tswinzig]

It's much easier just to reject any message that contains a "dangerous attachment." You can figure this out by examining the attachment's filename extension. Here's a good list to work from for dangerous file extensions:

http://office.microsoft.com/Assistance/2000/Out2ks ecFAQ.aspx [microsoft.com]

(You could add a few more to the list, maybe Office files like Word .doc's, or even .html to avoid potential javacript holes.)

Send a server level error message stating "message rejected due to dangerous attachment ... zip these files, and resend."

If it's a human that really needs to send someone something "dangerous," they can re-package it.

This way you block ALL files that could contain viruses or trojans, without any of the overhead and maintenance. You're basically implementing the same new security model in Outlook XP in your server. If anyone complains, just tell them Outlook XP does the same exact thing.

Re:Don't scan for viruses, do this instead.

[mabinogi]

So viruses start coming in executables inside .zip files.

All this does is avoid the problem, and impose a counter productive inconvenience on your users.

Re:Don't scan for viruses, do this instead.

[tswinzig]

So viruses start coming in executables inside .zip files.

A virus inside a zipfile would never propagate enough to allow itself to be spread around. Viruses require the network effect to spread. You might get a couple of dumbasses to open the zipfile AND execute your program, but it would be VERY low profile.

The primary cause of viruses spreading is (1) stupid-asses clicking on viruses in their emails, (2) stupid-asses not keeping their computers patched, thereby allowing exploits like those found in OE that allow viruses to auto-execute themselves.

All this does is avoid the problem

That's right! We avoid the problem of viruses completely, because we don't allow executables through!

and impose a counter productive inconvenience on your users.

FYI, this "counter-productive inconvenience" is now the DEFAULT way for Outlook to operate, in Office XP and beyond, and anyone that was smart enough to install the Outlook security patch over a year ago.

People RARELY need to send someone an executable attachment. In those rare cases, renaming the file to .bin or zipping it up so that it can get through this sort of protection is not a big deal.

The entire time I was using Outlook with that security patch installed, and on outlook xp, I was never ONCE inconvenienced.

The alternative of virus scanning in an email server is much more expensive, complex, and a losing battle.

To wit, anti-virus companies don't detect specialized executables written specifically to input customized trojans in your internal network, such as someone trying to specifically hack your network, or the FBI/CIA spying on you. I could write a trojan right now that would not be detected by even the most sophisticated anti-virus software, because it doesn't fit any of their signatures. It would slip right into your network, whereas it gets stopped at the gate on mine.

Best of all, my solution requires no extra money or time to be spent to maintain. Occasionally we may need to add a new file extension to the list, wow...

Interscan Viruswall

[sclatter]

I used it at one of my jobs and I was pretty impressed. Our setup was Solaris but they do support Linux. It works with sendmail no problem. It will clean emails and optionally notify the sender, recipient, and IT when a virus is found. It also automatically updates the virus patterns as often as nightly. It was super easy to set up and use.

Sarah

postfix+amavis+clamav+spamassassin

[runswithd6s]

Postfix [postfix.org]: mail transport agent (MTA); packaged by most Linux distros; runs on many other platforms; easy to cinfigure; flexible; modular; secure; highly scalable; written in C by the venerable Wietse Venema [porcupine.org]; IBM Public License

AmaVis [amavis.org]: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognized multiple CPU's); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL

Clam Antivirus (clamav) [elektrapro.com]: virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus [openantivirus.org] project; (does not disinfect, just identifies); GPL

SpamAssassin [spamassassin.org]: Perl-based Spam filter; use with Procmail [procmail.org]; client-server architecture (one daemon); Perl Artistic License

Our application of the above software seems to work quite well. We server about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.

Re:postfix+amavis+clamav+spamassassin

[gmhowell]

I'd like to know a little more about your setup (as this is the direction I'm heading in. Ironic that this question is posted as I'm heading to work to get winbindd to work on our mail server, and finish ramping up)

What exactly is the difference between clam and amavis? Are you using spamassassin to go back and delete mail that was flagged by the other two products?

How quick is clam at providing updates? How comprehensive is their database? I'm somewhat remiss to not use a commercial solution for this.

(And I'll hit all of the pages and look for answers myself. But I figured if you had 'em already, I could be looking for other things. Thanks)

Re:postfix+amavis+clamav+spamassassin

[runswithd6s]

Not sure what winbindd is, but I'm assuming it's a DNS server modeled after the ISC Bind (DNS Server) [isc.org]?

Clam Antivirus is a virus scanner, a command-line tool used to scan files for virus signatures. It will report whether it finds a virus or not. AmaVis is used as a filtering daemon for email. It unpacks MIME messages into multiple files, decompressing them if necessary, and runs the virus scanner over each file. If it finds a virus with its tools, it reports the results to the following (configurable, of course): the admin, the sender (I shut this off because of spoofing), and the receiver (you can shut off alerts sent to recipients that are off-site). The entire email is saved in a quarantine directory; it is not deleted.

The virus definitions file is updated by the members of the Open Antivirus project. Subscribe to their email list to get bleeding-edge, just found definitions. Otherwise, just let the clam antivirus updater fetch the definitions when the project updates them (1-2 day delay after a new virus is identified -- or at least it seems that way). Talk to the OpenAV guys for legit frequency info.

The only reason why we don't go with a commercial product is because most of these products charge by the number of recipients or users on the system, often requiring client licenses for each user as well. McAffee wanted WAY too much money for what we wanted to do, especially considering that we already have Nortan Antivirus installed on the Windows and Mac machines (University site license). Why pay for something we already have?

To date, I haven't seen a virus come through amavis+clamav yet, but that is my own personal experience and that of our users.

Spamassassin is a different beast entirely. I use procmail scripts to intercept messages bound for email lists (served from ecartis) and filter them for spam. I also filter out VIRUS warnings sent by AmaVis. These filtered items get saved to a "spam" and a "virus" folder, and I wrote a cron job to report how many emails it finds in these folders twice per day. It's valuable to send these to individual recipients on the system, but not to a list.

Procmail is an important piece of the spam filtering process. Postfix can do content filtering, so I think it's certainly possible for me to have spamassassin tag EVERYTHING coming into the system, just like AmaVis does now. I just haven't pieced together how to do it yet. It would eliminate the need for users to run procmail recipes and drop the number of processes run on the server.

If you want to disinfect files, go commercially funded/grown software... that is, at least until the Open Antivirus people or another group come up with virus definition files that include instructions for disinfecting files.

Re:postfix+amavis+clamav+spamassassin

[gmhowell]

Winbindd actually has nothing to do with DNS (I was amazed also). It's a daemon that gets info from a windows PDC. Used in conjunction with some PAM modules, you can use the Windows info to allow/deny/verify all services on your Linux boxes.

Not interested in disinfection; just want to dump bad files to /dev/null.

Thanks for the info.

Re:postfix+amavis+clamav+spamassassin

[runswithd6s]

DOH, correction. It seems to me that clamscan (Clam Antivirus command line scanner) is the one doing the multithreading, not amavis. Very cool tool. Check it out if you have a chance, people.

Anomy + AVP + Spamassassin works great.

[cornice]

I have been using Anomy Mail Tools [anomy.net] to make decisions about incoming attachments and JavaScript infected messages. I use AVP [kaspersky.com] (although I'll likely switch to one of the free scanners listed in this thread) to scan certain attachments (.doc, .xls, etc.) but otherwise data formats get through and executables get quarantined. If someone wants an executable from quarantine I scan it with Norton Antivirus (thanks Win4Lin [netraverse.com]) simply because I think that Symantec does a fine job of keeping their system up to date (and I do it maybe twice a year). I also use SpamAssassin [taint.org] for spam filtering. It works really well.

One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.

Interscan Viruswall

[tdyson]

Big thumbs up for this product. As an added bonus, you can also scan ftp and http traffic, so you have more points of entry covered.

We've used the product under RH for a few years and it has been very stable. Performance is good even on a low end machine (400Mh). The license is for a protected number of machines/user, so you can deploy multiple scanners to load balance.

We have a scanner in front of our co-located mail server, and a scanner in front of our on-site mail server. We do a lot of huge ftp work, so we setup a 3rd machine just to act as an ftp proxy so the web surfing doesn't get bogged down when the occassional 50M zip file is scanned.

Download the eval.

McAfee VirusScan + Qmail

[mxpengin]

Here we have this configuration and its great ... and cron downloads every night the virus definitions :) , here [sourceforge.net] you can find how to make it work .

Rav

[tzanger]

We use Rav Antivirus [ravantivirus.com] to scan the email for about 6000 dialup customers. It's about $600 + 20%/year for maintaining updates but we chose it specifically because it wasn't free: a virus scanner is absolutely no good when the updates aren't maintained. Pricing is based on number of domains and they have distributors all over the world.

They have versions to run qmail, sendmail, postfix, exchange server, etc., etc. and also have some user programs as well if you want. We've been very happy with it so far.

Scanning Email

[Lando]

Personally I use Amavis to handle the scanning of email. From there, I add different protection for different customers.

Interscan works well scanning email messages but it's a comercial package so your going to be paying about $20/seat licence. McAfee is about the same if not a bit higher.

Still for customers that want it, I recommend going with one of the commercial packages for scanning. If on the other hand a 3,000 investment doesn't quite interest your organization use one of the free scanners.

Now, the most important issue for using amavis though is the other plugin's you can add. Spam protection, automatic routing based on content, etc. It integrates well with milter and being written in perl is easy to modify.

Our virus scanning solution

[perp]

Sendmail + Cyrus IMAP + AMaViS + OpenAntiVirus + MimeDefang + SpamAssassin for ~300 users on SuSE. Sounds complicated (took a while to set up) but works great. All Free or Open Source, too.

"Gotchas" that I ran into are:

1) don't send virus notifications to the sender (since 90% of the viruses we get are Klez and don't actually come from the apparent sender), or to the intended recipient (unless most of your users are smarter and more computer literate that your average mollusc, unlike mine) who will probably get all confused and bombard your help desk with questions

2) don't scan for dangerous attachments before scanning for viruses, or the user will get a message saying that some file (not identified as a virus yet) was stripped from an email that wasn't even sent by the alleged sender. This will terminally confuse the users. MimeDefang is a milter and AMaViS is a weirdly hacked up (in the best way) local delivery agent. I have yet to find a way to make MimeDefang run after AMaViS, so I currently only use MimeDefang+SpamAssassin for the spam flagging which it does a great job at.

Really please with vexira

[dwadsosky]

New to reading slashdot so excuse me. I am using vexira [vexira.com] on our postfix mail server and no problems to report. It catches a unbelievable number of viruses and CPU is very low. Pricing is good too.