Scanning for Windows Viruses in Linuxland?

rmmeyer asks: "I'm in the process of building an e-mail server for my company with a new twist. Since most of the clients are going to be Windows based (don't go there, I can't change 'em) and running Outlook (I know, I know...) I need to be able to scan the incoming and outgoing Emails for viruses. A quick check on Freshmeat shows fourty-nine projects related to email viruses. I intend to use Sendmail for the MTA with the milter API for scanning. There appear to be several commercial anti-virus scanners for Linux and at least one Open Source scanner. What are the community's experiences doing this? We expect to have 150 clients and potentially several thousand incoming Emails per day. Points are added for solutions that also include the capability of scanning Samba shares! =)" Ask Slashdot last touched on this issue in this article, from early March of last year, and before that in another article from October of 2000. I'm sure things have changed greatly since then.

F-Prot

[Tux2000]

F-Prot for Linux, free of charge for personal use.

I'm not related with Frisk Software except that I use their software.

antivirus - a sendmail milter

[elvisior]

I installed this for an organization's mail server which has over 40,000 users .. we were very concerned about a performance hit.. and on the server stats you can not see a hit.

http://www.nmt.edu/~wcolburn/antivirus/

We combined this with mcafee under linux which also works very well but there are other options available.

Not to start a us vs. them

[Gigs]

But consider Qmail. Its more secure than sendmail. Much easier to configure. And does all the things you requested. Here is the link for the Anti-Virus support. Check out the RAV product as it is can scan both emails and your drives...aka samba shares. Although it is a product you have to pay for... I consider anti-viruse one of those things that is worth paying for to make sure you're up to date.

Amavis

[Mr.Phil]

I use Sendmail with Amavis and UVScan to scan for viruses on a 3500 user mail server. No complaints so far, and I've not had a virus slip past. I've cron setup to download virus def updates every morning and that keeps me fairly up to date. Using the newer releases that daemonize amavis help to keep the system load down.

Overall, I'm pleased with the package.

http://www.amavis.org

(No affiliation with the programmers, I just use the product.)

Re:Amavis

[Mr.Phil]

I hate to reply to myself, but you can setup UVScan to scan samba shares, and amavis supports Sendmail Milter.

I knew there was something I forgot to include. Time for the morning coca-cola.

Try this.. mail scanner :)

[Manic+Miner]

This Mail Scanner is very good and maintanied very regularly (just see the dates on the link listed). To quote the website: "Protecting over 1 billion e-mails every week, for over 40 million users". It is NOT a virus scanner itself, only a way of scanning mail using a virus scanner such as the one provided by Sophos.

I used to use the network that this mail scanner was attached to and it was very effective at providing pre-emptive detection as it looks for things such as extention masking etc.

I believe it has detected a few virus before the actual virus patterens were released :)

It also has quite an impressive list of sites using the software: here

Don't scan for viruses, do this instead.

[tswinzig]

It's much easier just to reject any message that contains a "dangerous attachment." You can figure this out by examining the attachment's filename extension. Here's a good list to work from for dangerous file extensions:

http://office.microsoft.com/Assistance/2000/Out2ks ecFAQ.aspx

(You could add a few more to the list, maybe Office files like Word .doc's, or even .html to avoid potential javacript holes.)

Send a server level error message stating "message rejected due to dangerous attachment ... zip these files, and resend."

If it's a human that really needs to send someone something "dangerous," they can re-package it.

This way you block ALL files that could contain viruses or trojans, without any of the overhead and maintenance. You're basically implementing the same new security model in Outlook XP in your server. If anyone complains, just tell them Outlook XP does the same exact thing.

Re:Don't scan for viruses, do this instead.

[mabinogi]

So viruses start coming in executables inside .zip files.

All this does is avoid the problem, and impose a counter productive inconvenience on your users.

Re:Don't scan for viruses, do this instead.

[tswinzig]

So viruses start coming in executables inside .zip files.

A virus inside a zipfile would never propagate enough to allow itself to be spread around. Viruses require the network effect to spread. You might get a couple of dumbasses to open the zipfile AND execute your program, but it would be VERY low profile.

The primary cause of viruses spreading is (1) stupid-asses clicking on viruses in their emails, (2) stupid-asses not keeping their computers patched, thereby allowing exploits like those found in OE that allow viruses to auto-execute themselves.

All this does is avoid the problem

That's right! We avoid the problem of viruses completely, because we don't allow executables through!

and impose a counter productive inconvenience on your users.

FYI, this "counter-productive inconvenience" is now the DEFAULT way for Outlook to operate, in Office XP and beyond, and anyone that was smart enough to install the Outlook security patch over a year ago.

People RARELY need to send someone an executable attachment. In those rare cases, renaming the file to .bin or zipping it up so that it can get through this sort of protection is not a big deal.

The entire time I was using Outlook with that security patch installed, and on outlook xp, I was never ONCE inconvenienced.

The alternative of virus scanning in an email server is much more expensive, complex, and a losing battle.

To wit, anti-virus companies don't detect specialized executables written specifically to input customized trojans in your internal network, such as someone trying to specifically hack your network, or the FBI/CIA spying on you. I could write a trojan right now that would not be detected by even the most sophisticated anti-virus software, because it doesn't fit any of their signatures. It would slip right into your network, whereas it gets stopped at the gate on mine.

Best of all, my solution requires no extra money or time to be spent to maintain. Occasionally we may need to add a new file extension to the list, wow...

Interscan Viruswall

[sclatter]

I used it at one of my jobs and I was pretty impressed. Our setup was Solaris but they do support Linux. It works with sendmail no problem. It will clean emails and optionally notify the sender, recipient, and IT when a virus is found. It also automatically updates the virus patterns as often as nightly. It was super easy to set up and use.

Sarah

postfix+amavis+clamav+spamassassin

[runswithd6s]

Postfix: mail transport agent (MTA); packaged by most Linux distros; runs on many other platforms; easy to cinfigure; flexible; modular; secure; highly scalable; written in C by the venerable Wietse Venema; IBM Public License

AmaVis: Antivirus filtering daemon; packaged by most linux distros; multi-threaded (recognized multiple CPU's); sends out email alerts; very configurable; supports many antivirus scanners; works well with postfix; written in Perl; GPL

Clam Antivirus (clamav): virus scanner; written in C; fast; virus definition update tool included; uses virus definitions from the Open Antivirus project; (does not disinfect, just identifies); GPL

SpamAssassin: Perl-based Spam filter; use with Procmail; client-server architecture (one daemon); Perl Artistic License

Our application of the above software seems to work quite well. We server about a thousand users (about 100 "heavy users"), and the average server load rarely gets above 0.21 with a Dual AMD 1500+ MP that provides SMTP, IMAP, and POP all w/SSL enabled.

Re:postfix+amavis+clamav+spamassassin

[runswithd6s]

Not sure what winbindd is, but I'm assuming it's a DNS server modeled after the ISC Bind (DNS Server)?

Clam Antivirus is a virus scanner, a command-line tool used to scan files for virus signatures. It will report whether it finds a virus or not. AmaVis is used as a filtering daemon for email. It unpacks MIME messages into multiple files, decompressing them if necessary, and runs the virus scanner over each file. If it finds a virus with its tools, it reports the results to the following (configurable, of course): the admin, the sender (I shut this off because of spoofing), and the receiver (you can shut off alerts sent to recipients that are off-site). The entire email is saved in a quarantine directory; it is not deleted.

The virus definitions file is updated by the members of the Open Antivirus project. Subscribe to their email list to get bleeding-edge, just found definitions. Otherwise, just let the clam antivirus updater fetch the definitions when the project updates them (1-2 day delay after a new virus is identified -- or at least it seems that way). Talk to the OpenAV guys for legit frequency info.

The only reason why we don't go with a commercial product is because most of these products charge by the number of recipients or users on the system, often requiring client licenses for each user as well. McAffee wanted WAY too much money for what we wanted to do, especially considering that we already have Nortan Antivirus installed on the Windows and Mac machines (University site license). Why pay for something we already have?

To date, I haven't seen a virus come through amavis+clamav yet, but that is my own personal experience and that of our users.

Spamassassin is a different beast entirely. I use procmail scripts to intercept messages bound for email lists (served from ecartis) and filter them for spam. I also filter out VIRUS warnings sent by AmaVis. These filtered items get saved to a "spam" and a "virus" folder, and I wrote a cron job to report how many emails it finds in these folders twice per day. It's valuable to send these to individual recipients on the system, but not to a list.

Procmail is an important piece of the spam filtering process. Postfix can do content filtering, so I think it's certainly possible for me to have spamassassin tag EVERYTHING coming into the system, just like AmaVis does now. I just haven't pieced together how to do it yet. It would eliminate the need for users to run procmail recipes and drop the number of processes run on the server.

If you want to disinfect files, go commercially funded/grown software... that is, at least until the Open Antivirus people or another group come up with virus definition files that include instructions for disinfecting files.

Re:postfix+amavis+clamav+spamassassin

[runswithd6s]

DOH, correction. It seems to me that clamscan (Clam Antivirus command line scanner) is the one doing the multithreading, not amavis. Very cool tool. Check it out if you have a chance, people.

Anomy + AVP + Spamassassin works great.

[cornice]

I have been using Anomy Mail Tools to make decisions about incoming attachments and JavaScript infected messages. I use AVP (although I'll likely switch to one of the free scanners listed in this thread) to scan certain attachments (.doc, .xls, etc.) but otherwise data formats get through and executables get quarantined. If someone wants an executable from quarantine I scan it with Norton Antivirus (thanks Win4Lin) simply because I think that Symantec does a fine job of keeping their system up to date (and I do it maybe twice a year). I also use SpamAssassin for spam filtering. It works really well.

One other thing to watch out for... I had become fairly lazy about scanning the desktop since incoming mail was virtually 100% clean and since nobody uses floppies any more. Then I had a user download an infected file from her personal webmail account. I went crazy trying to figure out how this thing got in until I finally got a confession on the webmail use.

ASTROTURF! (was Re:Vexira mailarmor is the way...)

[Dagmar+d'Surreal]

Anyone who feels like just moderating some comments down, feel free to hit this one and the ones below of the same vein...

Note carefully...

* Poster has only made one post ever--here.
* Poster's numeric ID is within a handful of the one above.
* Poster's comments are all very obviously marketing-speak.

Vexira has just cost themselves a possible customer. I don't buy products from people who lie about them, and astroturfing is lying.

Rav

[tzanger]

We use Rav Antivirus to scan the email for about 6000 dialup customers. It's about $600 + 20%/year for maintaining updates but we chose it specifically because it wasn't free: a virus scanner is absolutely no good when the updates aren't maintained. Pricing is based on number of domains and they have distributors all over the world.

They have versions to run qmail, sendmail, postfix, exchange server, etc., etc. and also have some user programs as well if you want. We've been very happy with it so far.

Re:RAV Antivirus

[Jonny+290]

I'll second the nomination for RAV. Busy regional ISP here, 25K customers, couldn't run spamassassin or anything of that nature due to the fact that all other apps have to fork off for each and every email coming in. RAV stays mem resident and as such, is super-quick.

Scanning Email

[Lando]

Personally I use Amavis to handle the scanning of email. From there, I add different protection for different customers.

Interscan works well scanning email messages but it's a comercial package so your going to be paying about $20/seat licence. McAfee is about the same if not a bit higher.

Still for customers that want it, I recommend going with one of the commercial packages for scanning. If on the other hand a 3,000 investment doesn't quite interest your organization use one of the free scanners.

Now, the most important issue for using amavis though is the other plugin's you can add. Spam protection, automatic routing based on content, etc. It integrates well with milter and being written in perl is easy to modify.