Domain: clamav.net
Stories and comments across the archive that link to clamav.net.
Comments · 177
-
Re:This is why reliance on AV software is dangerou
Two times, I've observed that the opensource AV software ClamAV nailed new email virii
about 6 and 12 hours before the commercial alternatives got signatures for them (3-4 examples, names left out to protect the guilty).
Of course, this doesn't always happen, but it's still an interesting observation. -
Open Source Virus Protection
I use ClamXAV on OS X, which is based on the GPLed clamAV anti-virus engine. I have also used clamAV embedded in the PostFix mail server on Linux to scan incoming email for sites I maintained. It gets decent reviews against other packages and I have been happy with it. I use a Windows variant when I am forced to deal with XP as well. Anyway, it is completely open source and all above-board. I would not touch Symantec software with 3.048 m pole these days.
The reason I use AV software on OS X is not just masochism. For one, I have a rarely used XP/bootcamp install and it is safer to scan it from OS X which a Windows virus cannot easily affect. For another, I avoid unwittingly passing virii from one Windows user to another. Lastly, I am paranoid and want to stay in good habits. It is quite likely that viruses will eventually appear on OS X as it grows in popularity, even though it is not as good a host. The practice costs me nothing and may save me something in the end.
-
Linux : Speaking of which...
Think about the AV products for Linux or Mac. Most of them clean Windows viruses out of files/emails so that they won't infect other machines.
Speaking of which, it is a pity that the open source world wasn't represented:
ClamAV is a very good solution; it also has a Windows client which may lack a real-time on-access scan, but has numerous plugins (like, for example, a built-in one for Outlook, or a downloadable one for FireFox) and a few hacks for on-access scanning.
It has been regularly touted for its fast response time against new threats, and it supports hardware acceleration.
It's just a shame that nobody included the anti-virus in the comparison chart. It may not be a ready-for-joe-6pack AV product (no on-access scan) but it's a nice complement for power users. -
Re:microsoft
Well, how many people run AV on their linux/BSD boxes?
Huh?
For starters, lots of people.
How else to protect Windows systems? -
I wonder how a Free anti-virus program would do
Maybe the ClamAV people ought to submit their program for testing.
-
Those that provide an alternative to closed source
The big winners (to me) are those projects who provide a viable or better alternative to available closed source software and those that you'd put into a business and trust to "just work". To find them you need to test, test and test some more. My winners, those that spring to mind immediately as being trusted not to embarrass me, are
- mOnOwall - firewalling
- IPCop - firewalling
- Metadot - CMS
- Apache - web server
- Bind - Name Server
- asterisk - telephony/voip
- Sendmail - cussed but stable MTA
- SpamAssassin - spam filtering
- MIME-Defang - email content filtering/manipulation
- ClamAV - Virus filtering
- Freebsd - the best OS since sliced bread (IMHO)
- Centos - Not too shabby an OS either
- ...
-
Scaling up this solution
What we can hope is that some hardware manufacturer starts building hardware acceleration boards for OCR, so that huge providers that manage several thousands of e-mail accounts and process millions of mails per day can use this kind of filter to remove spam.
It has been done before for anti-virus like ClamAV, so there's hope for image filters to hit our mail providers soon, even if they require some orders of magnitude more processing power than regular filters. -
Re:How do these bots spread?
I can only answer points one and two in your post, since I have no experience whatsoever with SEC.
E-mail? Sometimes, but not so much anymore, IME. ISP and other sys admins *are* using a number of e-mail filters, and yes, there are a number of good, free (as in speech *and* as in beer) e-mail filters. One of the more popular is clamav http://www.clamav.net/. At an ISP where I used to work, we had a Sendmail farm that ran clamav, mimedefang, a number of custom perl scripts, sieve http://www.rfc-editor.org/rfc/rfc3028.txt and maybe a few other things to filter our e-mail, and *still* our clients complained about spam (but not about too much e-mail virii).
Exploits in the OS? Yep, more often than not. So why don't ISPs filter incoming traffic? There are a number of answers to this question. First, a lot of sys admins take an ideological approach--"I am providing you with a pipe to the internet. Filtering this pipe is your responsibility; not mine." IMHO, this is kind of like saying "The internet was founded on open principles, and therefore, *all* mail servers should be open relays." It's a nice, warm, fuzzy, let's-gather-round-the-campfire-and-sing-kumbaya idea, but it just doesn't work in real life. Second, there is a legal/liability reason. If I, as an ISP, start filtering traffic, then sooner or later some stupid schmuck is going to take me to court because something slipped through the filters and infected his machine. I may win, but the legal battle still wastes my time and my resources. So, instead, a number of ISPs cop out and provide no filtering. Third, and this is the big reason, most common networking equipment simply hasn't got the CPU to handle a bunch of filters. A Cisco 3640 on my network, for example, shows it only has a 100MHz processor--how much filtering do you think it can do without impacting throughput? An AS5300 on my network is only 150MHz. So most ISPs apply access lists very sparingly, since trying to firewall an entire ISP on a router will crater your router in short order. Fourth, the only way to effectively block with an access list is to block either a specific IP address (dynamic IP addressing, anyone?) or to block by port. Yes, you can tell your Cisco iron to drop all incoming traffic on ports 135-139, but this only works to a point. A lot of malware uses high-numbered ports ( >1024, IIRC), which are used at random for *any* network traffic. So yes, you can drop all traffic on port 3127 for example, but when you start filtering too many high-numbered ports, you begin impacting legitimate traffic as well.
In a nutshell, if you are a sys admin for a small business with a reasonably beefy SOHO router, it's pretty easy to filter for legitimate traffic at your edge. But it doesn't scale. Just because you can do it for 100-1,000 employees doesn't mean you can do it for 10,000 or 100,000 (or more) customers. -
Re:Yawn
No one seems to have mentioned that ClamAV has been ported to OS X. Not terribly user-friendly, but being free can encourage people to put up with jumping through some extra hoops...
-
Speaking of alternative...
Speaking of alternative solutions, there's another big difference between this and the netscape/explorer incident:
Several years passed between when the Netscape browser became b0rked beyond usefulness and when new practical open source solutions started to rise from the ashes like FireFox/IceWeasel.
This gave plenty of time for the "bundled with and good enough" explorer to gain market share.
In the current situation not only are there already several players with enterprise-wide contracts with big corps, but free-as-in-speech alternatives have already emerged, and those are already good for a lot of uses, similar to what Mozilla and FireFox were at their dawn (ClamAV is routinely used in mail servers), plus solutions to make them really great are being actively developed (built-in mail plugin, available browser plugin, embedding in open source watchdogs, nice windows suite, etc.)
In articles similar to this one, Microsoft is praised for the way in which it managed to catch up in the internet field even though it was a latecomer. But we all know how microsoft usually catches up: its solutions are often completely botched, bugged, under-performing. Explorer was getting used by a lot of people, but it mostly was a joke in terms of security, stability and standards.
For sure, Microsoft will try to get a similar monopoly on security. But we can be certain that their solution will, this time too, not be very effective or useful, probably buggy, full of exploits itself, often circumvented by malware writers, and probably turned off by "wanna-be-power-users" because it slows down their computers (which are already falling under the load of viruses and spambots).
But this time, ClamAV, AVG, H+BDEV and Kaspersky will already be there to be promoted as a better solution by articles, just like now FireFox and Opera are promoted against IE's defects after years of IE dominance. -
Re:McAfee, Symantec living on borrowed time
Ever heard of ClamAV?
They have windows ports with GUI as well.
-
Re:No, the Article is Right On!
Outlook? There's Evolution or kontact
Viruses? what's that?
Oh well, if you're worried about email viruses, you can always check out ClamAV
ActiveX controls that install software without you knowing is the last thing you have to worry about on linux.
Popup blocker? It comes with Mozilla Firefox
Firewall? It's called Netfilter but if you find it too hard to configure, there are tools available, like Shorewall
And finally, there's a large choice of IM Clients on linux, like aMSN and Gaim that support animated emoticons and toaster popups (I haven't got the slightest idea about what the blue tray guy is)
Anyways, if you don't like any of these, you can always check out your distribution's package database for other software.
-
Re:Indeed O/S can learn, and have a long way to go
You mean, something like ClamAV, http://www.clamav.net/...? Works just fine on both Solaris and Linux, although the vast majority of malware it detects is for the Windows platform (of course).
-
ClamWin
I'm sure that this will be covered, but I have installed ClamWin on my Mom's and mother-in-law's computers to cover their anti-virus needs. Every now and then I'll get a call or glance at it when I'm over, but the most complicated thing for them is when they get a 'new engine available, click to download' link; which they click, it's installed, and they're done. All virus updates happen daily and it'll report that to them so they know things are working via the icon in the taskbar. At home on my FreeBSD mailserver I trust GPLd clam AV and BitDefender in parallel, so I know it works, no reason for this $40 a year McAfee with all the bloatware you'd never need!
;) -
Oblig: ClamAV
I'd recommend clamAV for windows or clamwin, both are windows ports of the excellent GPLd clam AV.
But I'm also going to make an obligatory dig at windows. Consider downloading some software that means you won't have to run anti-virus software.
(Staying true to my username, I would also like to recommend os x, but as it's not available for download, and requires new hardware, I won't). -
Re:Irony!
> Think about it, how many of us linux users are regularly downloading a virus cleaning program?
Regularly: http://www.clamav.net/ -
Clam AV
-
There is a port...
-
Re:Macs should still protect themselves
Hear! Hear!
I downloaded ClamAV for MacOS X to see what it was about just to find out that I had a windows virus in some of my archived files. If I had used that file on my Windows machine before scanning I would have had to spend several hours cleaning up the mess.
Always use some form of AV, even if it's just for other people's sake. -
There is free AV software
You know, this is 2006. clamav is a fine scanner that is free. I think I bought a copy of Norton AV for OS X for around $40. Regardless of the OS, it is negligent to not run AV software on it. Just like it's negligent to not run a firewall on your network.
This story is bullshit but regardless, if you use Mac OS X, Linux or BSD or whatever, a periodic AV scan doesn't hurt anything. The software is inexpensive. I can't really think of a good excuse not to do it; even if you only ever compile 100% of the code you run, it's an easy extra layer of security. -
Re:Don't use anti-virus!
I don't want to blame McAfee or Symantec excessively, but you do realize that you are posting to a thread where an update to their products ended up breaking hundreds or thousands of machines.
As for freely available A/V software, try ClamAV at http://www.clamav.net/, or the associated ClamWin for Windows. The site has some studies and comparisons that people have done against other antivirus products. I think that ClamAV's scanner is somewhat slower than the big name AV products, but it seems to be more thorough about catching nested viruses (ie, a zip containing a rar containing a .exe or whatever). -
Re:Ye don't always get what ye pays for
Hang on and stop trying to sound so wise. If you'd installed Grisoft Free Edition you'd know that it's not licensed for enterprise installations. So your advice about Grisoft Free Edition is pointless for the sysadmins dealing with Mcafee.
Perhaps you might be thinking of an actually free alternative such as ClamAV? Of course, ClamAV is actually a server-side solution. TrendMicro and Grisoft's enterprise solutions come to mind since you hate big companies so much. Myself, I'm using Symantec Corporate for my Windows boxes and it works just fine.
-
ZoneMinder and other Linux software
There are several free Linux software projects which might or might not be what you are looking for. The first thing that comes to mind is something called ZoneMinder which, if I am not mistaken, is a Linux home security system which uses remote wireless Internet cameras.
Then there is also the well known Myth TV project which among other things is mainly used by people who build their own Personal Video Recorders (PVR). Myth TV supports both HDTV, NTFS and possibly also some other video broadcast standards.
A third possibility that comes to mind is VLC which is a cross-platform media player and streaming server.
And then there are various other video related programs for Linux such as TvTime the television application, or MPlayer the movie player. Conceivably even something like Ekiga (formerly known as GnomeNetMeeting) might be relevant. Ekiga supports Full-Screen Videoconferencing. Ekiga supports Video4Linux and Firewire Cameras through plugins.
I have not taken the time to try to read what you had to say carefully enough to know for sure what your needs are; this is just what quickly came to mind. It may or may not be what you are looking for. I have used Linux as the desktop operating system for my two home computers for the last 6 years. I have never actually tried out most of the software that I mention. The fun part of using Linux is that there are hundreds of great free Linux programs to download and try out. A person could spend years trying out all the free Linux software. Many Linux video projects seem to be built building-block fashion, using other previously written free Linux software as dependencies. In many cases there are also various other free video projects which are sometimes just user friendly front ends for other free video software. I could not even begin to list all of those free Linux software projects for video and other things.
By the way, Linux has never had virus problems but, even so, there are free anti-virus programs available for Linux. The one that I use is Clam Anti-virus. There are also several good free firewalls available for Linux which allow you to control which IP ports are open or closed. There is one other interesting video project which is interesting but probably not what you are looking for: the free movie studio in a Linux box.
I hope that something that I mentioned might be useful. You can then decide if Linux is really what you want or not. I personally like it anyway.
-
We've had two new ones in the past year
At my company, we've had at least two virus infections before definitions were released. We worked through symptoms and used stuff like HijackThis! and Process Explorer to find out what was going on, plus a few of the PS Tools to get rid of it and Bart's PE to clean-room the system to remove persistent files. It took our virus vendor a week to come up with definitions, but a few others had them earlier and we could use their online or free versions to clean the systems.
Generally, when we get a suspicious file, it goes to VirusTotal first. If any of the 20-or-so listed AV vendors have a definition for the virus, you can usually find some information about it (at least a name) and from there figure out how to clean it. If nobody has a definition, next stop is Norman Sandbox to figure out what the beastie does, at least from a high-level point of view. If nothing else, it will probably give you a mutex that you can create to block execution/further infection, and sometimes it even gives you a clue as to what the virus would be or if it's a variant of something else. I found that we had a new variant of W32/Sality based on its mutex, which was one version number incremented from the info available online.
If there are no hits after that, there are some more things you can try, but they're mostly shots in the dark. Unless you can un-UPX the file and do some serious reverse-engineering on your own, you probably have to wait for a definition or post your symptoms in a newsgroup or forum and hope someone can help.
One good thing about VirusTotal is that it submits your sample to AV vendors (if you give it permission) so they are alerted and can start to develop definitions. It's difficult to find contact info for some vendors, but McAfee, ClamAV, CA and others have places you can submit a sample, you would do well to try them all if you have non-sensitive information in an infected file. -
ClamAV
What I want to know is why nobody has mentioned ClamAV. It's got free updates, it doesn't ruin your system like Norton, and unlike all those other antivirus programs, it's GPL!
-
Options for OS X
...Is he right, and what actual products exist for OS X that would protect against infections?
My stock response: "The truth is, viruses just aren't a huge threat on the Mac right now. However, my religion precludes me from advising you to not buy anti-virus software."
It's not like you don't have options though. You can get anti-virus software from:
Symantec
Sophos
Intego
McAfee (Virex, included with a .Mac membership)
And, of course, there's always Clam AV, along with the ClamXav front end for OS X. -
Re:nortan anti-virus
I agree, a 6 month subscription to Norton lessens the value of the pack. Google would have done better with AVG. They should also consider supporting the open source virus scanner (as they have done with Firefox):
http://www.clamwin.com/
http://www.clamav.net/
Newbie users are apt to simply click [Download pack] without understanding that 6 months later, they'll either have to pay for the very important virus protection or try and find a comparable free solution -
Re:That's a bit excessive
I'm not obsessive-compulsive; keeping virus definitions up to date is very important, more so for corporations, so I only check once a day (nightly). From ClamAV's FAQ they talk of how to update 4 times/hour!
ClamAV FAQ
How many times per hour shall I run freshclam?
If you are running ClamAV 0.7x do NOT check more often than once per hour. If you are running ClamAV 0.8x or later, you can check for database update as often as 4 times per hour provided that you have the following options in freshclam.conf:
DNSDatabaseInfo current.cvd.clamav.net
DatabaseMirror db.XY.clamav.net
DatabaseMirror database.clamav.net
Replace XY with your country code. If you don't have that option, then you must stick with 1 check per hour. -
Re:reasons I like kmail
I mostly use KMail at home for the same reasons. Though I use fetchmail to retrieve the mails and procmail to pipe them thru ClamAV and SpamAssassin and finally sort them with some scripts of my own.
The fact that KMail uses the maildir format, like mutt, also lets me check my mail from a remote ssh session.
Some people might want to have a look at AMaVIS or check SWiK about
- emails
- fetchmail
- procmail
- ClamAV
- SpamAssassin
- KMail (nothing really here)
- mutt -
Re:You know what this means -
But it's easy to install ClamAV on Windows. Cygwin will be installed and configured. I recommend configuring \clamav-devel\thirdparty\runclamd so it runs as a Windows service.
http://www.clamav.net/ -
Re:Security Software
-
More on ClamWin : auto-scan without on-demand
As some others said, Clamwin is wonderful software using an open source engine.
Although (as they said) it doesn't have an on-access scanner (which some users find good because it slows down the system less and scans only when the user decides), it has a few interesting things:
- it comes with an outlook addin for scanning attachments.
- there's a firefox extension that can scan downloaded files.
- there are some POP3 proxies for other mail clients.
- most of your favorite P2P software & download managers allow you to run a command after each download: you can use the function to launch clamscan/clamwin and scan files.
So clamav, even without an on-access scanner, can be used to block viruses at the most common entry points.
Now, all windows users need is a GAIM plugin to block "lol no its not a virus" IM worms too and it will stop 99.99% of worms out there. -
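The "run a command after each download" hook described above, as an added example (not code from the thread or from the ClamAV project): a POSIX sh script a download manager can call with the saved file's path. It assumes clamscan is on PATH (or named via the CLAMSCAN variable) and relies on clamscan's documented exit codes (0 clean, 1 infected, 2 error); the quarantine directory is a constructed choice.

```shell
#!/bin/sh
# Post-download scan hook (added example; not from the thread or ClamAV).
# Assumptions: clamscan is on PATH or named via CLAMSCAN; QUARANTINE is a
# directory of your choosing (constructed default below).
CLAMSCAN="${CLAMSCAN:-clamscan}"
QUARANTINE="${QUARANTINE:-$HOME/.quarantine}"

# scan_download FILE
#   returns 0 = clean, file left in place
#           1 = infected, file moved into $QUARANTINE
#           2 = not scanned (scanner error or missing file); never treat as clean
# The codes mirror clamscan's own: 0 no virus, 1 virus found, 2 error.
scan_download() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "ERROR    not a regular file: $file" >&2
        return 2
    fi
    # --infected prints only hits, --no-summary drops the statistics block.
    # Capture the exit code without letting a failing scan abort the script
    # (this form stays safe under 'set -e').
    rc=0
    "$CLAMSCAN" --infected --no-summary "$file" || rc=$?
    case "$rc" in
        0)
            echo "CLEAN    $file"
            return 0 ;;
        1)
            mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
            # keep the original name but make it collision-safe and non-executable
            dest="$QUARANTINE/$(basename "$file").$(date +%s).quarantined"
            mv -- "$file" "$dest" && chmod 600 "$dest"
            echo "INFECTED $file -> $dest" >&2
            return 1 ;;
        *)
            echo "ERROR    scanner exit code $rc for $file" >&2
            return 2 ;;
    esac
}

# When invoked by a download manager with one or more paths, scan each one and
# exit non-zero if anything was quarantined or could not be scanned.
if [ "$#" -gt 0 ]; then
    worst=0
    for f in "$@"; do
        scan_download "$f" || worst=1
    done
    exit "$worst"
fi
```

Point the download manager's post-download command at this script with the saved file's path as the argument; a non-zero exit means the file is either quarantined or unverified.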
Re:Best Free A/V?
-
Open-Source virus-scanners?
"One more option. Windows boxes with Open Source software running. If there are 8 things the box must do, and one of them is available only for Windows..., use free software wherever it fits.... Proprietary here:
... AVG (no Free antiviruses)"
What about ClamAV? -
OSS virus software - Clam AntiVirus
The article suggests that one should scan the files downloaded from the internet for viruses.
For excellent antivirus software see free open source Clam AntiVirus. -
Re:BartsPE and Windows Server 2003 Evaluation vers
You use ClamAV with Captive-NTFS to clean viruses.
You use this nifty registry editing boot disk to fix the registry
And you use the linux NTFS tools and TestDisk to undelete/unformat/rebuild lost or damaged files and partitions. I use these all the time, they work REALLY well.
I carry around a copy of Damn Small Linux on my USB key, customized with above tools and including an image of the registry editing floppy and endless other utilities. Not to mention, DSL Linux gives me full access to the Debian APT repository! It serves me very well, especially since it can boot entirely into RAM, so I can take my key out and boot additional system.
-
Re:not sure what you want
Supposedly, ClamAV gets definitions for the latest and greatest viruses before commercial vendors are able to...although I have no evidence to back this claim up.
Here ya go!
I'd give an excerpt, but SourceForge is currently down (that's where ClamAV's news is hosted). The gist is, for the most recent 50 viruses, ClamAV had the quickest response time for 77% of them. That says a lot.
-
ClamAV
Run ClamAV on the Linux servers. Disallow file sharing from any other machine. Have good firewall rules. Don't allow people to run as Administrator.
This will prevent the spread of most worms. Email virii and trojans are still a concern. You might get by with running ClamWin on as much as possible. This lacks a real-time scanner, so you may still want a commercial package. All of the big names have their own pros & cons. -
not sure what you want
Remember that there are many different types of antivirus solutions out there. I assume that you're looking for a basic desktop virus scanner. I've heard all kinds of great things about AVG, which is supposedly free, but have no experience with it. If they are ever planning on growing their network/userbase, a managed AV client/server is the way to go. Otherwise, you have to worry about different configurations and whether or not systems are being regularly updated with the latest definitions.
If you're looking for something on the mail gateway side, I would highly recommend looking into ClamAV. The price is certainly right (free/free). Supposedly, ClamAV gets definitions for the latest and greatest viruses before commercial vendors are able to...although I have no evidence to back this claim up. The main selling points for me are first, that it works. Second, it's free - there are no per-seat license fees. Third, there are no subscription models to deal with.
I'll close with a short on-topic rant. I can't stand antivirus subscriptions. Having to track, budget for, and renew subscriptions is a huge PITA. It's not a service - it's software. I'm sort of bummed that so many people have accepted this subscription BS, enabling the vendors to keep pulling it.
-
Re:Crap.
And ClamAV.
-
Re:More Free Software Disappearing?
There's always ClamAV, though it doesn't have real-time virus scanning and it's not as easy to use (a Windows install requires Cygwin). Still, it's an open source option.
-
http://www.clamav.net/
I recommend setting up ClamAv with FreshClam to filter out virus/worm type email. I have found it performs very well on my server. I have also found they have a very fast response to new viri as they appear.
http://www.clamav.net/ -
Speed vs. functionality
The speed of any MTA is going to be determined largely by how much work is being performed when each message is submitted. The fastest MTA, therefore, is going to be the one that does the least amount of processing.
- How about that spiffy big Postfix or Sendmail box you've got sitting out there, whose sole purpose in life is to act as a relay? Sure, it'll process millions of messages per day. It doesn't have to do much.
- What if you're running a virus checker like ClamAV or a spam checker like SpamAssassin? Those take up CPU cycles. Sure, delivery is slower, but value was added.
- What if your back end mail system is something like the Citadel groupware platform, where MIME content drives an event handler system? Again, delivery is impacted, but the functionality of the system depends on it.
- What if your org has a global directory and your mail hub is responsible for making complex routing decisions for each message? Again, delivery is impacted; it'll be slower than the mega-fast-box, but mail won't be delivered correctly otherwise!
:) -
Re:OSS spyware detection
I've written about this before. Writing an anti-spyware program which scans the process list, the registry, etc is trivial.
The hard part is vetting the datafile(s) and keeping things up to date.
Whilst it could be done, as the AV program clamav manages it with only volunteers, I can't see the market for it.
The people that would be attracted to working on a program would probably prefer to support Linux platforms instead.
Even if they did start working on it, it would be hard to gain marketshare until it worked very well - so it needs a lot of effort initially from a few users to get the datafiles covering most of the common and difficult to remove parasites.
And companies with large, vulnerable, desktop installations presumably have the budget to either purchase a commercial spyware scanner, or the know-how to use Spybot S&D.
-
a few more?
- ClamAV virus definition distribution model (use of incremental updates, dns txt field checks for new updates, automatic, etc..) -- compare this to the weekly (!) updates of Symantec (or manually updating slightly more frequently) or even some of the "download a big chunk from a centralized location" method of commercial competitors.
- BitTorrent
- So many things in KDE it's insane.. (just check out all the awards, including Software Innovation of the Year - CeBit!)
- Plone, Zope, Typo3 - These content management systems lead the way for both commercial and opensource.. so much innovation going on here
- CUPS - While not glamorous, I have set up lots of print servers and the flexibility and modularity of CUPS (in my experience) is unmatched.
- The spam fighters: greylisting, spamassassin, amavisd, postfix, dnsrbl, etc.. developed under or made popular due to opensource.. I have yet to come across _any_ non-FOSS solution that comes close to the success and accuracy of the OSS tools for spam filtering
-
pain
-
uh
-
Re:And you're surprised by this...
There is no open-source anti-virus solution right now (other than switching to Linux).
There is the Win port of www.clamav.net called ClamWin. It's better than nothing. It runs on multiple platforms and even adds on to your mail server.