Domain: clamav.net
Stories and comments across the archive that link to clamav.net.
Comments · 177
-
ClamAV
Lame of Microsoft as usual.
Oh well, no problem, we have ClamAV.
http://www.clamav.net/ -
Open Source Alternatives
ClamAV
http://www.clamav.net/
OpenAntiVirus Project
http://www.openantivirus.org/
Actually I have an Email server setup with Postfix + AmavisNEW + SA + ClamAV, and I'm yet to see a virus that passed undetected.
Check our virus detection statistics here:
http://integracao.saude.rio.rj.gov.br/amavis-stats/
We're behind the main corporate server, so our department depends on it to send or receive email. They use a NortonAV server, but more than once an infected email passed through, and it was stopped by our Server.
So I now wonder how ClamAV would perform against the proprietary alternatives...
I really want to try it, but our "corporate policy" states that every email traffic must pass through the "homologated" AV solution. We're actually the only department that is really using Linux for real, and the rest of the company still has this strong Microsoft culture and doesn't quite trust Open Source... -
Re:Who cares
Seconded. I didn't believe it until I actually did my own testing, but ClamAV outperforms much of the commercial competition (McAfee, Symantec, Trend Micro) in terms of response time, speed, and accuracy.
We used to run Trend's Interscan VirusWall for SMB on our mail hub, and would get a few false positives every week (out of approx. 40000 messages). Not anymore. Now we run ClamAV with Postfix and ClamSMTP, and we have had exactly zero false positives and zero false negatives since we switched (shortly after the MYTOB update was released).
My users are delighted that they're no longer getting viruses, and my monthly "Warning! There's a new virus that our Trend Micro scanner isn't catching yet" messages. I'm happy that I don't have to re-send and apologize for the false positives anymore. My boss is happy that he no longer has to shell out $5000 per year for Trend's crappy product. It's all been good. -
Why *buy* anti-virus software when ClamAV is free?
There are a couple of good reasons for having anti-virus software on a unix/linux mail server, even though they don't get viruses. First, it can protect Windows email clients. Second, anti-virus software can also pick up things like phishing emails, which are platform-agnostic.
Fortunately, good quality free (speech and beer) anti-virus software is available from http://www.clamav.net/ - and it's packaged in many linux distros. -
Re:Anti-Virus
By the way, the most effective and affordable AV program of the Linux world, namely ClamAV, already runs on Windows. Prepare to be flattened, proprietary vendors.
-
Re:Virus
-
Re:There are AV programs for Linux
ClamAV can be used on Linux too, and it's even Free Software!
-
Re:Reading the article?
I have a similar story.
ClamAV blocked the first one on my server at 00:20 CET on May 3rd. Since then I have received exactly 100 Sober.P containing mails. And I only have one publicly known email address on that server.
It's almost a 20 fold increase in blocked mails.
-
Re:Visiting windows update once in a while
At my office I have MailScanner configured with Postfix, SpamAssassin, and ClamAV. Every bit of this configuration is free (beer and speech) and works very well. I have the rules set fairly loosely, yet it still manages to catch >80% spam and I have yet to see a virus make it past. It is a bit of a bear to set up, but for those who would rather not, all of those packages can be found in openprotect (with or without commercial support).
Now, for the caveat. As is the case with any type of email scanner, it is very resource intensive. As such, I have a dedicated dual Athlon machine which handles scanning for 50-100,000 emails/day and it stays very busy (load over 1, >50% processor utilization). -
Re:No AntiVirus for Tiger
As I understand it, 10.4 Server edition now includes ClamAV http://clamav.net/ for scanning e-mail attachments. 10.4 "regular", I have heard, includes the clamav user and group but not the actual software (much like MySQL in 10.3). Whether or not this is the case, ClamAV can still be installed on OS X (I have done so under 10.3).
-
Re:New sites: ouch!
After all, technical solutions have worked SOOOO well against Spam, and email worms.
/dripping sarcasm
Some do, some don't. I find that most of my spam is now caught by various RBL's like Razor/Pyzor, and DCC. Plus a few of the new tests added in SpamAssassin 3.0. Bayesian scoring seems to do very little now, the spammers have found ways to obscure words so that they don't attract attention. But SA (even before 3.0) has tests for those tricks as well. Plus Clam AV appears to be adding new signatures for common phishing attacks. I sometimes see phishing emails flagged as viruses (by Clam AV) instead of spam (by SpamAssassin) because of this. I use Amavis new to tie SpamAssassin and Clam AV together into a filter system at the MTA (postfix) level.
-
MarketScore is included on the Black Hole DNS List
anti-spyware utility manufacturers are still thinking whether to include it on their list
If you use the blackhole dns list of spyware domains from bleedingsnort.com it's already included based on this submission from doxdesk. Squid ACLs are a great way to stop these parasites and you don't have to wait for anti-spyware manufacturers to decide whether it's spyware or not. Also ClamAV lets you create your own signatures so you can set up rules to detect anything you consider to be spyware. -
Re:symantec
How about a combination of MailScanner, ClamAntivirus, and SpamAssassin.
All FOSS, easy to install, and extremely effective. You could even keep your Exchange server; just put the scanning box between it and your inbound email firewall. (You do have an inbound email firewall, right?) I assume you also scan outbound email as well. For those, just set up Exchange to use the scanner box as a "smart host."
-
My own experience
I don't consider myself to be a programmer, just a sysadmin. We use lots of open-source software on our machines, but don't really have funding to contribute to the projects. So, I give back in the form of answering questions on mailing lists, submitting patches, etc.
Recently, though, there was some functionality I wanted added to ClamAV, an open-source virus scanner. Basically, I wanted to make sure the milter was running. So, I wrote clmilter_watch, a tool to monitor the functionality of clamav-milter. Of course, I don't trust my own programming skills enough to know if it's stable for production use. So, it gets released to the world. A few downloads later, I get a couple of suggested patches, and the thing is pretty solid. Everyone wins.
-
The base problem...
... is still not solved, i.e. how trivial it is for unaware users to launch a mail attachment, or how integrated the html engine is in the mail renderer that enables automatic or so launching of attachments. Ok, the main culprits here are Microsoft, and in particular Internet Explorer and Outlook; mail based worms are hard to find for other platforms or even mail clients, but the end users play an important role too.
To be honest, I don't receive mail worms in my gmail account, but that is because of gmail's executable attachment filtering. But in a server I administer there is a constant flow of mail worms (that don't impact end users thanks to anomy sanitizer and ClamAV), but the biggest part of them are not for specific individuals but for randomgeneratedname@mydomain.com; almost none hits a real account. Not sure what or how many worms of this kind there are, but a few infected people generate a lot of mail traffic this way.
-
anti-virus protection
Could it be that more users are employing protection against these worms now? Thanks to ClamAV I never see any in my inbox now, but my log messages would suggest there are still plenty of clueless people out there propagating them.
-
Clamav
Clamav rocks for me on the mail side. Postfix, Amavisd-new, Clamav, SpamAssassin combine to form a very efficient virus and spam filtering/classifying system.
Get them here:
Postfix
Amavisd-New
Clam antivirus
SpamAssassin at CPAN
You would be particularly interested in header_checks, mime_header_checks and body_checks for Postfix. -
use ClamXav (free virii scanner for OSX)
Use Clam, I run ClamAV on my linux server, but they have an OS X client (GUI) out now: ClamXav is a free virus checker for Mac OS X. It uses a slightly modified version of the tried, tested, and very popular clamav open source antivirus engine as a back-end.
http://mac.softpedia.com/get/Antivirus/ClamXav.sh
t mlbo
-
If you're going to blow time on Mac AV...
-
Re:evil, again
you mean something like clamAV?
-
Re:Virus vendors eh?
Try ClamAV.
-
Re:ClamAV wins again...
I love ClamAV, props to all the developers and the clamav community. They've been helpful to me.
-
Re:Now if they would only attack WaMu phishers
If you have anything to do at all with the administration of your mail server then I would suggest looking into greylisting. Has helped tremendously with the volume of spam I receive to the server I admin because it forces spammers to use a single point to send spam from (a point which you can identify).
Also ClamAV can be used to scan incoming email on the server side and has definitions for many phishing attacks as well as worms and viruses. -
Re:linux speed of response?
Linux and FOSS is affected by Windows viruses.. Let's see.. because of Windows viruses, my Linux based mail servers have had lots of great FOSS software developed to help combat the issue. On the down-side, many of these Windows viruses have also greatly affected my Linux systems due to DDOS attacks that have origins pointing back to viruses and other malware that has infected Windows boxes.
-
Re:Interesting quote
Besides that, anti-virus software is effectively necessary on Windows due to the lack of security and the buggy email and web browsing clients. However, Mac OS X and most Linux distributions don't suffer from the same problems, particularly when installed and configured properly (ie. don't log in as root!) I guess you could bundle ClamAV and Dazuko with the Linux Desktop distros, just to give people a warm fuzzy.
-
Re:Someone please tell me...
Anyone know whether clamAV is able to detect "official" viruses?
-
Re:For MS Windows users?
Great idea, but do you have any suggestions? I know there's clamav (GUI Windows version) but where can you find OSS firewall and/or anti-spyware?
-
ClamAV: Open Source Antivirus Scanner
I had the Symantec antivirus product on my win98 box, but after the free trial expired I uninstalled it. Despite my best efforts to remove every trace of the program I couldn't find a way to keep it from showing a window at every login that tried to convince me to pay for a subscription.
In the long run it stopped being a problem when the hard drive Symantec's adware was installed on dropped dead.
Nowadays there's a much better virus scanner, very simple to use. For *nix boxes, for example to integrate with your email processing, there is Clam AntiVirus. It's GPLed Free Software, has a great mailing list, its virus database is updated regularly. There is an automated tool called "freshclam" that gets database updates.
I use ClamAV when I download my mbox files from my hosting service. At one point I was getting 400 MB of email a day, almost entirely viruses, and clamav was very simple to use to delete the virus-infected messages, so the combination of legitimate mail and spam was just a couple meg each day.
For scanning your hard drive under Windows, there is a GUI program called ClamWin, based on the clamav engine with the same virus database, and automatic updates. It's a very simple program, with a minimalist user interface. It's very easy to use and effective.
What I can't figure out though, is how to satisfy WinXP SP2's insistence I get a virus checker. It doesn't recognize clamwin as being one. I would imagine all the virus scanner publishers had to pay microsoft for the privilege of being a recommended virus tool. Or maybe it's just that Microsoft doesn't want to admit a Free Software solution is superior to any of the proprietary ones.
-
Bouncing false positives
I've been using SpamAssassin and ClamAV from Mail Avenger, and it has stopped almost all of my spam.
However, in my opinion one often overlooked problem is what to do with messages that are flagged as spam. You don't want to generate a bounce message, because 95% of the time it will go to an innocent third party (spam is forged). On the other hand, silently discarding it or putting it in some spam folder one never looks at is not a good idea either. Lately I've been just refusing to accept mail from the client if the message is identified as spam. Mail Avenger lets me do this, and it seems like a good compromise.
-
Re:Will it be better than milter-sender?
SBL-XBL is great. It blocks a lot of stuff. In the last several months I added the following which have also helped:
relays.ordb.org - http://www.ordb.org/
combined.njabl.org - http://www.njabl.org/
list.dsbl.org - http://dsbl.org
I also added ClamAV with the clamav-milter. That's eliminated all of the viruses that I used to get, although it does nothing for the virus warning messages I get from poorly administrated mail servers out there. Before I added ClamAV I was using the Virus Snaggers procmail package which was great at catching a lot of that stuff.
BTW, I use this procmail rule to catch all of the DSNs I get and stuff them in a mbox rather than having them clutter my inbox. I didn't write this and I forget who did. I think I got it from a post here on Slashdot sometime in the last year. To whoever wrote this, thanks.
# This recipe catches most DSNs
:0HB
* -1^0
* 1^0 ^FROM_MAILER
* 1^0 ^Status: 4.2.0
* 1^0 ^Status: 4.4.1
* 1^0 ^Status: 4.4.2
* 1^0 ^Status: 4.4.6
* 1^0 ^Status: 4.4.7
* 1^0 ^Status: 5.0.0
* 1^0 ^Status: 5.1.1
* 1^0 ^Status: 5.1.2
* 1^0 ^Status: 5.1.6
* 1^0 ^Status: 5.2.1
* 1^0 ^Status: 5.2.2
* 1^0 ^Status: 5.2.3
* 1^0 ^Status: 5.3.5
* 1^0 ^Status: 5.4.7
* 1^0 ^Status: 5.5.0
* 1^0 ^Status: 5.7.1
* 1^0 ^554 5.0.0 Service unavailable .*
* 1^0 ^Remote host said: 550.*User unknown
* 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
* 1^0 ^User.*not listed in public Name & Address Book
* 1^0 ^Sorry, no mailbox here by that name.
* 1^0 ^<.*>: Unkown user:
* 1^0 ^User mailbox exceeds allowed size:
* 1^0 ^.*No matches to nameserver query
* 1^0 ^A message that you sent could not be delivered
* 1^0 ^.*550 unknown user
* 1^0 ^This is a permanent error; I've given up.
* 1^0 ^The user(s) account is temporarily over quota.
* 1^0 ^Receiver not found:.*
* 1^0 ^Requested action not taken: mailbox unavailable.
* 1^0 ^--AOL Postmaster
* 1^0 ^I'm sorry to have to inform you that the message returned
* 1^0 ^550 5.1.1 <.*>... User unknown
* 1^0 ^550 <.*>\.\.\. User unknown
* 1^0 ^Subject:.*failure notice
* 1^0 ^did not reach the following recipient\(s\):
* 1^0 ^The following recipient(s) could not be reached:
* 1^0 ^.*550 Mailbox quota exceeded
* 1^0 ^.*550 Access Denied
* 1^0 ^550 5.0.0.*Can't create output
* 1^0 ^.*There is no such addressee as
* 1^0 ^Mail Delivery Failed... User unknown
daemon-msgs -
Re:Open source spyware removal utilities?
I contemplated starting something a while back, and am still fairly interested.
There are four parts to a decent anti-spyware suite:
- GUI + Update mechanism.
- Registry Scanner
- File System Scanner
- Process Iterator
All three parts are trivial and something pretty looking could be hacked together in a week or (much) less to do all those things.
The really hard part is building up and verifying the patterns which can be used to identify spyware - and then removing it.
(Many spyware applications nowadays use "random" keys on install so it's not even a static list).
You'd need to be prepared to have a scratch system to test spyware on - and you'd need to accept submissions of malware from users.
If the clamav people can do it then it's certainly possible - but it's not a simple thing to do.
People sponsoring bandwidth / hardware / cash would be a real incentive.
-
Re:Slashdot Spam Form Response
Try a different Bayesian filter. I use DSPAM and it has been catching over 98% of my spam for the last year. It is not quite as effective for me as it seems to be for its author, but still pretty close, and an infinitesimal false-positive rate.
That plus a combination of blocking senders on the Spamhaus SBL and doing greylisting, which I put in place on my mail server a few months ago, has dropped my personal spam volume to about one every week (out of about 600 a day that try to get through.) Most spams are stopped by the SBL and the greylisting, which is great because very little bandwidth is wasted. Greylisting blocks a lot of viruses too (ClamAV takes care of the rest.)
Needless to say, I won't be installing any HashCash systems on my mail server any time soon. For the moment, until spammers get a lot more sophisticated, they're pretty much stopped dead in their tracks by a combination of existing, widely-deployed technologies.
-
Re:Linux is a virus risk!
headquarters refused to allow me to connect my laptop to their network unless I could demonstrate that a reputable virus scanner was checking my machine at least daily.
ClamAV gets updated faster than the major AV companies, and some really neat matching algorithms match mutations before specific signatures are released. Very reputable.
-
Re:Plugin Architecture
That's what ClamAV is for.
-
Re:waiter there's a computer virus in my soup!
-
Cost of spam and AV
Once you decide to set up a mail server, you'll probably want to add spam and virus scanning. Both are CPU- and memory-intensive. A consumer router probably won't have the horsepower for that. (I'm using MIMEDefang (a sendmail milter), SpamAssassin, and ClamAV on my box.)
-
Re:SparcStation IPX
It's going to be a mail/file server. I think you don't need a ton of horsepower.......
It depends on whether you are planning on doing any mail filtering. I have a bunch of experience with MailScanner and ClamAV -- a sendmail server that normally eats 4-5% CPU will quickly start hitting 75% and more. SpamAssassin will add a bunch more to the load. As far as file sharing goes though, you are probably safe. -
Re:OT- Simple guide to Linux?
From the original How to Decide if Linux is for you:
Q I am looking for a dummy step by step setup of Linux router using freesco on old PC with windows98, for purposes of setting up a NAT gateway from broadband to two unconnected PCs at home. Also I am interested in a ZoneAlarm (freeware version) like firewall that can close ports and restrict incoming/outgoing traffic. Please help with a good link, or list simple steps I must take. Thanks -- dl
A Starting with kernel version 2.0 (released 1996, before ZoneAlarm), linux has filtering and firewalling built-in. From kernel 2.4 (released 2001) the default utility for setting up a firewall is IPFilter. Each distro has its own UI front-end to the ipfilter command.
There are also many antivirus programs for Linux. A Free application is Clam AV. You can google for some proprietary alternatives if you wish.
-
Re:No wonder...
While I realize you are trying to be funny it's really sad how many people don't know about virus scanning tools for Linux.
http://www.clamav.net/
http://www.f-prot.com/
etc. -
Maybe.
If that rebuild-from-source allowed you to do something difficult-or-impossible-or-expensive in MS-Windows land, it would be well worth it.
Recent case-in-point, if you want email virus scanning for 200 users, a .src.rpm fetch and "rpm -bb" of clamav would be a top investment even if you had to sit and watch it instead of going about your other business when you look at the cost of (for example) Sophos or Norton for 200 seats.
Another one, hunting down dependencies for AMaViS is worthwhile (my preferred distro, Mandrake Linux, has them all and it's just "urpmi amavisd" but this customer's site was running Red Hat) if you can discard mail containing semi-broken ZIP files (as sent by mutating MS-Windows viruses) where the commercial packages' attitude seems to universally be "can't read it, therefore it's not really a ZIP, therefore it's safe". Having this crap cut out at the gateway meant that the customer's internal MS-Exchange server could then handle the remaining load. Usually. -
900 emails...
Heck I get at least 900 virus emails every day, sometimes over 2000 a day.
Thanks to the guys over at Clam Anti Virus and MailScanner most of these get caught at the mail server.
We have a daily humor mailing list with a few 100,000 subscribers and every time a new virus comes out we get blasted from all the unprotected windows/outlook express users.
To make sure we don't get infected and send out virus to all the users we use FreeBSD for our desktop OS and Evolution as our email client.
Oh and then there is all the spam we get sent, thanks to SpamAssassin for filtering most of this out. -
Re:Open source virus scanners
Duh.
Dude, you should see clamav, a full opensource antivirus for Linux, FreeBSD and even Windows, which integrates nicely with virtually every mailer out there. -
Re:Same experience
If viruses/worms/trojans spread by email are your biggest concern, an obvious solution would be to scan all incoming email.
If students are using the university-supplied addresses, the university's server should be doing some sort of virus check - there are numerous commercial (pay) solutions available depending on your config (Norton, McAfee, Trend Micro, RAV, Sophos, etc), and there are even some open-source ones, such as ClamAV (which is updated very frequently, and is, of course, free) which you can integrate into your mail system.
If your university doesn't want to modify its existing server, you can "front-end" the existing mail server with another server running a virus-scanning solution, such as the open-source MailScanner, which simplifies integrating virus and spam scanning into a mail delivery program (it can use ClamAV, for instance), which would then forward the email to the existing server once scanned.
As well, if you wanted to be extra careful with 3rd party email addresses, you could block POP3 and IMAP ports to any server other than the university's at the firewall, so that students would be forced to forward their 3rd party mail to the university's server (which would be scanning for viruses). Or, you could set up the firewall to redirect all POP3 requests to a box running POP3Vscan (again, open source, so free), which is a "transparent" proxy that would scan incoming POP3 email for viruses. Not sure if there's an equivalent IMAP proxy solution, however...
Anyway, you do have low-cost options for preventing these things in the first place. -
Re:Spam Filtering for Exchange 2003?
Like the AC said, put Exchange behind a proper MTA. Keep your exchange server inside the firewall for the suits to fiddle with their calendars and crap. Set up Postfix, Qmail, Sendmail, Exim or some other MTA as your internet-facing email server. I use Postfix with Amavis forming a nice interface to Clam-AV and SpamAssassin. I don't run exchange though. Can't help you there.
-
No surprise here
Microsoft loves to make money. They would love to be in a situation where you buy a product from them, and then you just keep sending them money on a nice, predictable basis.
Antivirus software is perfect from that point of view. I'm actually kind of surprised it took them this long to do it. I suspect they just didn't want to annoy Symantec and the other companies.
Antivirus software is one of the few products where I think paying an annual fee really makes sense. You need constant, continuous updates to make sure that your protection is good, so you feel like you are getting something for your money.
Despite the above, the free software community has actually shown that it can provide effective antivirus software for free. ClamAV was originally designed to be a server-side antivirus solution only, but there is a Windows version available now (file scanning only, it doesn't yet intercept downloads and scan them automatically). ClamAV works and it has a good track record of getting updates quickly to detect new viruses.
http://www.clamav.net/
I run Debian GNU/Linux on my server and on my desktops, and I'm not too worried about viruses and worms. But I do have ClamAV running on my mail server, and it intercepts dozens of viruses per month. I have not seen any email containing a virus or worm ever get past it.
steveha -
Re:Our situation - been there...
Are there any good open source anti-virus programs out there? We could sure use one.
http://www.clamav.net/ -
Re:Unprecedented rates of infection
By the way, where do I get ClamWinAV? ClamAV is *nix only.
-
Stupid.
Won't bother explaining why it's stupid, the rest of Slashdot has already done so.
This has served my mail well. -
Re:A mark or procedure for official business
Once an actual human person has read and acted on the mail, they should be able to mark it "official business" and/or move the email into an "official business" folder which does get kept as required.
We use SpamCop and ORDB, ClamAV, and SpamAssassin. Anything that fails the DNSBL test gets bounced, anything that ClamAV or SpamAssassin doesn't like gets marked as spam (viruses get stripped). Anything marked as spam is deleted after 3 weeks unless the user moves it out of the spam folder.
Basically, we're doing the reverse of your suggestion; using software to mark it "not official business" and auto-discarding it.