Scanning for Windows Viruses in Linuxland?
rmmeyer asks: "I'm in the process of building an e-mail server for my company with
a new twist. Since most of the clients are going to be Windows based (don't go there, I can't change 'em) and running Outlook (I know, I know...) I need to be able to scan the incoming and outgoing Emails for viruses. A quick check on Freshmeat shows forty-nine projects related to email viruses. I intend to use Sendmail for the MTA with the milter API for scanning. There appear to be several commercial anti-virus scanners for Linux and at least one Open Source scanner. What are the community's experiences doing this? We expect to have 150 clients and potentially several thousand incoming Emails per day. Points are added for solutions that also include the capability of scanning Samba shares! =)" Ask Slashdot last touched on this issue in this article, from early March of last year, and before that in another article from October of 2000. I'm sure things have changed greatly since then.
F-Prot for Linux, free of charge for personal use.
I'm not related with Frisk Software except that I use their software.
I installed this for an organization's mail server which has over 40,000 users. We were very concerned about a performance hit, and on the server stats you cannot see a hit.
http://www.nmt.edu/~wcolburn/antivirus/
We combined this with mcafee under linux which also works very well but there are other options available.
But consider Qmail. It's more secure than sendmail. Much easier to configure. And does all the things you requested. Here is the link for the Anti-Virus support. Check out the RAV product as it can scan both emails and your drives... aka samba shares. Although it is a product you have to pay for... I consider anti-virus one of those things that is worth paying for to make sure you're up to date.
I use Sendmail with Amavis and UVScan to scan for viruses on a 3500 user mail server. No complaints so far, and I've not had a virus slip past. I've got cron set up to download virus def updates every morning and that keeps me fairly up to date. Using the newer releases that daemonize amavis helps to keep the system load down.
Overall, I'm pleased with the package.
http://www.amavis.org
(No affiliation with the programmers, I just use the product.)
Our network is the same. Linux servers but Windows based PCs. I use RAV Antivirus (www.ravantivirus.com - you can get a 90 day trial). It's a commercial product ($300 per year though - well justifiable). It works with qmail, sendmail and postfix. It looks after itself (including daily virus db updates). I haven't found a virus yet that it hasn't caught. You can run the command line virus scanner to scan the Samba shares.
I'm not sure it's such a good idea not to have some kind of on-the-fly scanning for each client system, especially if they're the type to demand the use of Outlook (I have the same situation here, and I sympathize). There's always the chance they'll grab infected files off the web as well.
I use mailscanner with sendmail to scan mail for viruses. It has a number of nice features such as the ability to block certain types of attachments (e.g. exe's) - this can be configured to block/allow any attachment based on regular expressions. It relies on third party virus engines - I use Sophos at work and f-prot on my home network, but others work too. It also integrates well with spamassassin to effectively tag spam.
If you have a mixed network with samba shares you might also like to have a look at Rainer Link's samba-vscan VFS module for samba at the openantivirus site.
We've been doing this for a (long) while.
Currently using Sophos antivirus but have used other products in the past with equally good results.
Use qmail as the MTA. It's way more secure, and more compatible with cutting edge virus scanners and spam filters like spamassassin.
Ideally your exchange server should end up being nothing more than a storage place for email (seems like you're doing that). I'll be doing this in about two weeks at my company, too. Good luck!
I was looking into anti-virus for a website that will store Word docs etc. A friend recommended Sophos. They are not Open Source, but he said they do a very good job with keeping up to date on virus patterns etc. I'm sure they also have something for a Samba share if you look or ask.
Vexira is stopping every virus that has tried to get in here; our customers have told us that they have not had a single virus delivered to their mail box since we installed the vexira virus scanner! I cannot praise vexira enough. Technical support has been very good and prompt and the pricing is GREAT!
This Mail Scanner is very good and maintained very regularly (just see the dates on the link listed). To quote the website: "Protecting over 1 billion e-mails every week, for over 40 million users". It is NOT a virus scanner itself, only a way of scanning mail using a virus scanner such as the one provided by Sophos.
I used to use the network that this mail scanner was attached to and it was very effective at providing pre-emptive detection as it looks for things such as extension masking etc.
I believe it has detected a few viruses before the actual virus patterns were released :)
It also has quite an impressive list of sites using the software: here
It's much easier just to reject any message that contains a "dangerous attachment." You can figure this out by examining the attachment's filename extension. Here's a good list to work from for dangerous file extensions:
http://office.microsoft.com/Assistance/2000/Out2ksecFAQ.aspx
(You could add a few more to the list, maybe Office files like Word .doc's, or even .html to avoid potential javascript holes.)
Send a server level error message stating "message rejected due to dangerous attachment ... zip these files, and resend."
If it's a human that really needs to send someone something "dangerous," they can re-package it.
This way you block ALL files that could contain viruses or trojans, without any of the overhead and maintenance. You're basically implementing the same new security model in Outlook XP in your server. If anyone complains, just tell them Outlook XP does the same exact thing.
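One way to implement the server-side extension check the post above describes, written here as an added example in Python (not code from the thread or from any product named in it). It parses a constructed message, flags any attachment whose filename carries a blocked extension anywhere after the first dot (so masked names like report.txt.exe are caught, not just the final extension), and returns the rejection text the MTA would hand back. The block list is an illustrative subset, not Outlook's full list.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Illustrative subset of the extensions Outlook XP blocks at the client;
# extend it from the Microsoft FAQ linked in the post.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs",
                      "vbe", "js", "jse", "wsf", "wsh", "lnk", "reg", "hta"}


def is_dangerous(filename: str) -> bool:
    """True if any dotted component after the first is on the block list.

    Checking every component, not only the last, catches extension masking
    such as 'invoice.txt.exe'; trailing dots/spaces are stripped so a name
    like 'setup.exe .' does not slip through either.
    """
    parts = filename.strip().rstrip(". ").lower().split(".")
    return any(p.strip() in BLOCKED_EXTENSIONS for p in parts[1:])


def dangerous_attachments(raw_message: bytes) -> List[str]:
    """Declared filenames of all blocked attachments in a raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = [part.get_filename() for part in msg.walk() if part.get_filename()]
    return [n for n in names if is_dangerous(n)]


def rejection_message(raw_message: bytes) -> Optional[str]:
    """Server-level rejection text for the MTA to return, or None to accept."""
    bad = dangerous_attachments(raw_message)
    if not bad:
        return None
    return ("message rejected due to dangerous attachment (%s); "
            "zip these files and resend" % ", ".join(bad))


def build_sample() -> bytes:
    """Constructed test message: one harmless text file, one masked executable."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("see attached")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="report.txt.exe")
    return msg.as_bytes()
```

The same filename test can be dropped into a milter or MailScanner filename rule; the point is that the decision uses only the declared name, so it costs nothing per message.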
I used it at one of my jobs and I was pretty impressed. Our setup was Solaris but they do support Linux. It works with sendmail no problem. It will clean emails and optionally notify the sender, recipient, and IT when a virus is found. It also automatically updates the virus patterns as often as nightly. It was super easy to set up and use.
AmaVis: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognized multiple CPU's); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL
Clam Antivirus (clamav): virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus project; (does not disinfect, just identifies); GPL
SpamAssassin: Perl-based Spam filter; use with Procmail; client-server architecture (one daemon); Perl Artistic License
Our application of the above software seems to work quite well. We serve about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.
One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.
Big thumbs up for this product. As an added bonus, you can also scan ftp and http traffic, so you have more points of entry covered.
We've used the product under RH for a few years and it has been very stable. Performance is good even on a low end machine (400MHz). The license is for a protected number of machines/users, so you can deploy multiple scanners to load balance.
We have a scanner in front of our co-located mail server, and a scanner in front of our on-site mail server. We do a lot of huge ftp work, so we set up a 3rd machine just to act as an ftp proxy so the web surfing doesn't get bogged down when the occasional 50M zip file is scanned.
Download the eval.
I admit, what you guys are doing is pretty slick. I go to nmt and I've never, and I repeat never, seen an e-mail virus in the wild there. It's always locked up tight. Much more secure than anywhere else I've ever seen.
While we're at it, I'm going to throw in the standard nmt b*tch. We have i2 connection there and a pretty decent setup. What did they do to the connection? I used to ping 60 anywhere in the US and get blazing fast downloads. Now I have a minimum ping of about 1,000 (one full second folks) and my downloads are hit and miss. Most people believe it has to do with some type of packet sniffing -- I just don't know.
Not to mention the fact that we get crap for webspace and crap for web-usage (30 MB a month is sad). Also, the no server policy is horrid. I mean connections have been shut off for people upping the port for their ssh connections so that they can actually see their computer from other parts of school and from off-campus houses! How horrid is that?!? You can only see your computer while you're on campus -- and even then, only when you're in certain parts of campus. Give me some effin freedom and crack down on all those people that are whoring the bandwidth. I know a guy that transferred over 100 Gigs of data in just over a week. They let that happen, but I can't ssh into my box?!?!?
Here we have this configuration and it's great ... and cron downloads the virus definitions every night :). Here you can find how to make it work.
Anyone who feels like just moderating some comments down, feel free to hit this one and the ones below of the same vein...
Note carefully...
* Poster has only made one post ever--here.
* Poster's numeric ID is within a handful of the one above.
* Poster's comments are all very obviously marketing-speak.
Vexira has just cost themselves a possible customer. I don't buy products from people who lie about them, and astroturfing is lying.
We use Rav Antivirus to scan the email for about 6000 dialup customers. It's about $600 + 20%/year for maintaining updates but we chose it specifically because it wasn't free: a virus scanner is absolutely no good when the updates aren't maintained. Pricing is based on number of domains and they have distributors all over the world.
They have versions to run qmail, sendmail, postfix, exchange server, etc., etc. and also have some user programs as well if you want. We've been very happy with it so far.
This is too glossy. Considering there have been a couple other messages above written in the same tone (c'mon, do you really have to hyperlink every occurrence of "Vexira"?), I'd say it's a Vexira marketing schmuck trying to get some free advert.
I'd have respect for him if he just came out and admitted it: "Hi, I work for Vexira and we have a product that does just this...". Instead, we get a boilerplate from Vexira's product description pages claiming to be from a satisfied customer.
If you're gonna post to a news list, at least use plain language like everyone else.
Oregon has had its share of winners in the gubernator's office. Whoop de doo.
The current one is as diplomatic as a turd. A previous one was so scatterbrained she needed a vacuum cleaner to collect her thoughts.
Personally I use Amavis to handle the scanning of email. From there, I add different protection for different customers.
Interscan works well scanning email messages but it's a commercial package so you're going to be paying about $20/seat licence. McAfee is about the same if not a bit higher.
Still, for customers that want it, I recommend going with one of the commercial packages for scanning. If, on the other hand, a 3,000 investment doesn't quite interest your organization, use one of the free scanners.
Now, the most important issue for using amavis though is the other plugins you can add. Spam protection, automatic routing based on content, etc. It integrates well with milter and, being written in Perl, is easy to modify.
"Gotchas" that I ran into are:
1) don't send virus notifications to the sender (since 90% of the viruses we get are Klez and don't actually come from the apparent sender), or to the intended recipient (unless most of your users are smarter and more computer literate than your average mollusc, unlike mine) who will probably get all confused and bombard your help desk with questions
2) don't scan for dangerous attachments before scanning for viruses, or the user will get a message saying that some file (not identified as a virus yet) was stripped from an email that wasn't even sent by the alleged sender. This will terminally confuse the users. MimeDefang is a milter and AMaViS is a weirdly hacked up (in the best way) local delivery agent. I have yet to find a way to make MimeDefang run after AMaViS, so I currently only use MimeDefang+SpamAssassin for the spam flagging which it does a great job at.
How is the above a troll?
Am I missing something?
It's not like those are goatse links...
New to reading slashdot so excuse me. I am using vexira on our postfix mail server and no problems to report. It catches an unbelievable number of viruses and CPU is very low. Pricing is good too.