Slashdot Mirror
Server Side Virus Scanning Options?
Unknown Relic asks: "Because of the number of virii which are propagated through email, and the tendancy for some users to open executable attachments no matter what they are told, we have decided to seek out a server side solution. We are currently running Linux with qmail on the server side, and while a we have found a couple of products which may fit the bill, I wanted to hear about the experiences and recommendations of slashdotters on this subject. Do you or your company make use of a server side virus scanning engine, Open Source or otherwise, and if so what are your impressions?"
Sections in this document:
- English Inflections
- Classical Inflections and References
- Journey Into the Fourth Declension (new)
- Other Latin Resources
- ASM News
- ASM News Update (new)
- Footnotes
English Inflections First off, the OED gives nothing but viruses for the plural. Here's its abbreviated entry: Other sources that support viruses include Birchfield (n FowlerThe simple answer is that there wasn't one. The longer answer follows.
Writers who, searching for a fancy plural to virus, incorrectly write *viri are doubtless blindly applying an overreaching -us => -i rule. This mis-inflects many words. For example, status and hiatus only change the length of the final vowel; genus goes to genera; corpus goes to corpora. Others are even worse if this rule is mis-applied, like syllabus, caucus, octopus, mandamus, and rebus.
Anyway, Latin already had a word viri, but it was the nominative plural not of virus (slime, poison, or venom), but of vir (man), which as it turns out is also a 2nd declension noun. I do not believe that writers of English who write viri are intentionally speaking of men. And although there actually is a viri form for virus, it's the genitive singular[1], not the nominative plural. And we certainly don't grab for genitive singulars for the plurals when we've started out with a nominative. Such hanky panky would certainly get you talked about, and probably your hand slapped as well.
This apparently invariant use of virus as a genitive singular may also imply that it's 4th declension, as some scholars believe.
Those confused souls who write *virii are tacitly positing the existence of the non-word *virius, and declining it as though it were like filius. It's true that l/r are both linguals that sometimes get interchanged, and that f/v are just a change in voicing[2], but that's just reaching. *Virii is still completely silly, so don't do that; otherwise, everyone will know you're just a blathering script kiddie.
The crucial problem here is that, classically speaking, there appears to be no recorded use of virus in the plural. It was a 2nd declension noun ending in -us, which is rather common, but it was also a neuter, which is rather rare. I could only come up with three such 2nd declension neuters: virus (some poison), pelagus (the sea, usually poetically), and vulgus (the crowd). None appear to admit plurals. Perhaps this is because they are mass nouns, not count nouns. [3]
One citation below wonders whether these -us 2nd declension neuters might have inflected -us => -ora, the way the 3rd declension's neuter plurals for tempus and corpus do. There's really not any support for that notion--that I could find at least. If so, that would end up producing *virora. Most other citations think that these plurals just never happened at all, or that if they did, they didn't jump declensions. Perhaps they were invariant as they oddly are for the vocative and accusative cases. In any event, *virora does not fit comfortably in the mouth of an English speaker, which is a good reason to avoid it.[4]
Another theory holds that virus, if it was a 2nd declension neuter, must go to *vira in the plural as do its -um neuter brethren in the 2nd declension. However, that assumes that it works like a -um form, not as a -us form does. And it really seems to do neither. If it were a -us form (again, as a 2nd declension nominative), then its vocative would have to be *vire; but it's really only virus. You also expect an accusative form *viros, but that too is missing; it's still just virus in the accusative. And if it were a -um form, then its vocative would have to be *virum. But it's not--here again, it's only virus. (Vocative examples of virus are not particularly common. Apparently the Romans seldom addressed their slime in a personal fashion. :-)
So what we have here is something of a mixed or invariant declension. Trying to find a plural for something that didn't take a plural (possibly because it was not a count but a mass noun), or at least, one for which no plural is classically attested, is a fruitless endeavour. Best to stick with English and use viruses. Journey Into the Fourth Declension Some scholars, includining Gavin Betts, believe that virus pertained not to the second declension, but to the fourth one. Here is an example or two that support[5] Betts and dispute the 2nd declension theory. The first is classical, from Ammianus:
That seems to be using virus as a genitive, which contradicts the assertion that it's 2nd declension, which would have lead to viri, and supports the 4th declension position. This was brought to my attention by Andreas Waschbuesch, who went on to write: This recent letter also supports the fourth declension point of view. Of course, even if virus really turns out to have been in the fourth declension, we'll still have vulgus, pelagus, and cetus as irregular -us neuters in the second declension. Let's blame it all on the Greeks. ReferencesHere's what other sources have to say about this matter:
alt.usage.english FAQ Not all Latin words ending in -us had plurals in -i. Apparatus, cantus, coitus, hiatus, impetus, Jesus, nexus, plexus, prospectus, and status were 4th declension in Latin, and had plurals in -us with a long `u'. Corpus, genus, and opus were 3rd declension, with plurals corpora, genera, and opera. Virus is not attested in the plural in Latin, and is of a rare form (2nd declension neuter in -us) that makes it debatable what the Latin plural would have been; the only plural in English is viruses. Omnibus and rebus were not nominative nouns in Latin. Ignoramus was not a noun in Latin.
[...] classical plurals [...] What is the plural of virus? This neuter in Latin lacked a plural; it would presumably [disputable -tchrist ] have been virora like corpora, the plural of neuter corpus. (Like corpora, virora would be stressed on its initial syllable. As indicated earlier, *corpi would be as outlandish--as far beyond the pale--as *rhinoceri and *octopi.)
Latin had several declensions containing neuter, feminine, and masculine words ending in -us; the plurals are different in each one. Incidentally, the singular of mores (pronounced `moh-rehs') is mos, with the same change of `s' to `r' between vowels heard in corpus : corpora and in genus : genera.
Allen and Greenough The authors at the cited reference point out the follwoing:
Whether this leading would lead to ?vire, however, is unclear, since virus does not appear to be of Greek extraction.Latin inflections And for those who just can't get enough, try this. It is a bunch of inflection tables, more complete than I've seen elsewhere. For a good time, figure out the nominative plural of venus is. Hint: it's not veni. ASM News Apparently this question is `in the air'. The following is from the June 1999 issue of ASM News by the American Society for Microbiology, sent it by Jim Sandoz.
ASM News Update The following letter recently appeared in ASM News, from Ton E. van den Bogaard. (Formatting added.)
Other Latin Resources One textbook I'd like to recommend Gavin Betts's Teach Yourself Latin, which you can look up on Amazon if you'd like. No, I don't believe in kickbacks.Here are some Web resources: The Perseus Project Read Caesar, Catullus, Cicero, Hirtius, Horace, Livy, Ovid, Plautus, Servius, and Vergil, plus quite a bit of other useful material. For example, you can look up virus for a definition and forms, or find its citations in literature. Here's one by Vergil.
Latin Textbook: Wheelock's Latin (HTML) Wonderful on-line course notes designed as a study aid for those without formal grammar/linguistics training. Note that `the entire zip archive' he advertises isn't really complete, and so I used these commands to pull in and view the whole thing locally: % cd /tmp
% wget -r -l2 http://humanum.arts.cuhk.edu.hk/Lexis/Wheelock-Lat in/
% netscape /tmp/humanum.arts.cuhk.edu.hk/Lexis/Wheelock-Latin /index.html
The Classics Page Innumerable links, including some to on-line interactive exercises and to various dictionaries.
Transcriptio Nuntiorum Hebdomadalis Read your daily news--in Latin! Also contains sound files for the radio version whence it was transcribed. I'm sure glad that we now write FAQ instead of interrogata usitatissima. :-)
De Meditatione Various Latin snippets and sound clips. Footnotes [1] One examble of an invariant genitive form of virus is attested in Ammianus, which reads: qui ut coluber copia virus exuberans natorum. See the original for details. [2] Well, in English; in Latin it probably wasn't, as their `v' was likely more akin to the intervocalic `v' in today's Spanish, a sound with no equivalent in English but which is often perceived as a `w'. To be even more technical, an English `v' is a voiced labial-dental fricative. An intervocalic Spanish `v' (or `b') such as in aves, is a voiced bilabial fricative, usually represented in IPA as a lower-case Greek beta. [3] Some budding Romance philologist should go research a possible connection between the neuter conceptual nouns versus the gendered discrete ones in asturianu , the only extant Romance tongue with anything aproximating neuter nouns (I'm not counting the nominalized adjectives of Spanish such as lo difcil, since these aren't really nouns the way the so-called nomes de xneru neutru (de materia) are in asturianu.) a [4] The word virora actually appears to exist, but as some sort of South American tree. [5] Yes, I hated this sentence, too. It takes the singular verb "is" because the singular "an example" is the closer of the two elements in the disjunction, but likewise, "support" should be in the plural because the closer thing to it is now "two", which is obviously nonsingular. I think only a rewrite would be tolerable. Silly rules.
Sections in this document:
piss@fuck.com Last update: Wed Nov 17 09:20:10 MST 1969
The company I work for has a twofold solution which has effectively stopped *anything* from getting through to our system. I haven't seen a virus make it through since it's been implemented.
On the top half, we have an intermediate company called Big Fish scan our e-mail as it comes through, and then it passes it on to our Exchange server. On the Exchange server, we're running Norton Antivirus for Exchange.
The added benefit of the intermediate company, is that they also effectively remove 99% of all spam, and all of my normal e-mail gets through. They save all discarded e-mails so you can see how good of a job it does - so far, it's been perfect.
I wouldn't normally recommend Mcafee because their products have had so many problems the last few years but their e500 appliance is actually pretty decent.
:)
(Hmm, and it's linux-based. Coincidence? I didn't think so...
I'm using mailscanner with exim, it strips out any evil javascript or any attachments that are executable. This seems to work for me.
How long have you been waiting to post this? : )
Surprisingly well written for an offtopic troll. If you weren't an anonymous coward, I would have modded you up!
(You see, I believe that not all offtopic trolls are bad.)
Time flies like an arrow. Fruit flies like a banana.
In the last couple of years many companies have discovered a truly effective method of stopping incomming viruses and spam.
They stopped forwarding money to their ISP's
Speech: Free
Beer: $699.00
the tendancy for some users to open executable attachments no matter what they are told
There's two parts to that:
The simplest solution is to strip all executable attachments. Save them somewhere and add a piece of text to the mail saying
Attachment 'blah.exe' stripped for virus protection. To get a copy of this attachment please call the helpdesk and quote 'Attachment Id: 44591'
It's a bit painful, but it stops people from randomly clicking on attachments.
If they need the file they can call the helpdesk and they can release it for them. It tends to work.
You can also throw in the first point of "some users", and have this based on user.
It depends on how you want to balance the factors of:
- Risk of letting a virus through
- Risk of false-positives
- Annoyance to users
- Cost to implement
- Cost to run
You really need to think about those, and come up with a solution that's right for your organisation.Read more of this story at Slashdot.Read more of this story at Slashdot.Read more of this story at Slashdot.
Check out Amavis and Open AntiVirus. I've got them working under courier with some mods with great results. Plus the whole thing is free!
I've been running qmail forever at my place of employment, so when the bosses told me it was finally time to get an anti-Microsoft virus solution on my mail server, I dug around. Everyone seems to be using Sophos, so we went with that. Having used it for just half a month, I am really impressed with it. Easy to update. Fairly quick. I highly recommend it. However, if you do go with it I urge you to look into Sophie.
I'm also using Clam Anti-Virus as a backup. Out of the 3000+ viruses my server has caught so far, only 4 have been caught by ClamAV. Probably don't need it, but hey... anything free is worth keeping around.
I threw spamassassin in there because I was already wasting time scanning -- might as well tag spam. It helps my users filter spam, and they're happier for it. Plus, it gave me stats to throw out there -- nearly 50% of our incoming email that originates off-site email is spam. Scary.
Okay, so here's my setup:
- qmail-scanner
- Sophos (SAVI) + Sophie
- ClamAV (I need to write/find a client like Sophie for it -- it has the daemon, just no client)
- Spamassassin
I'm very happy with our results. My server scans upwards of 20000+ messages a day with the average time of ~4 seconds per message. I could probably get it to scan faster if I dropped ClamAV, which is the slowest piece of the puzzle right now. At any rate, I set it all up in less than a day. Everything was well documented.Good luck.
Without you I'm one step closer to happiness without violence.
Give it a whirl.
-- @rjamestaylor on Ello
When I worked at bigwig.net we used procmail and CyberSoft's VFIND and recursive archive-scanner.
.scr, .pif, .js etc attachments and warn the user so intelligent users can rename them back.
If any virus's were detected the original was wrapped as a MIME attachment to a warning message which contained the report by VFIND.
Thus, users could decide what to do about it.
Of course, when we were spammed this made server load go through the roof, it is probably better either to
1) Move the scanning nearer to sendmail so sendmail throttles a bit earlier to save load eating all your CPU
2) Rename
Sam
blog.sam.liddicott.com
Like I said, we have not had any worms get through our mail server. However we did have one person download an attachment from an AOL webmail system. She infected herself and some customers but all her attachments were removed before getting back in to our users. ;-) This too can be stopped by using Squid and some rules about downloadable files. There is a simple explanation of this within this nice little security manual from Gentoo
I just (as in 2 days ago) set up a sendmail box for about 6,000 accounts which is running sendmail plus the MIMEDefang milter. MIMEDefang strips out invalid attachments (we have a policy not to accept .exe's and a few other files), strips out messages with invalid headers and a few other things, calls McAfee uvscan, and then runs anything left through spamassassin.
It has worked like a charm thus far and with graphdefang (a set of scripts that comes with mimedefang) I can view how many messages are discarded, why they are discarded, how many messages are tagged as spam, how many of what type of virii were cleaned, etc.
I have been quite impressed with the McAfee scanner as well. I have heard nightmares from Windows users who have it installed on their workstations, but it seems to work great on the Unix side. It even comes with a perl script you can set to run in your crontab to download the latest virus definition files.
-Lee
-----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
I used to work in the IT Dept at Rankin County (MS). I implemented a mail solution with Linux. One box acted as a mail proxy running TrendMicro VirusWall. The other box that was used for storage ran Sendmail w/ Razor and SpamAssassin. It worked great!
Nobody uzing sanitizer/a? here?
And boxen isn't a word either, but I don't see anyone bitching about its use. Virii is a commonly used slang term when refering to computer viruses. Deal with it.
We started using Vexira (http://www.centralcommand.com) Mail-Armor this year. We use Debian/Exim for about 8000 users for a school system. The setup was very simple. Mail-Armor listens on the SMTP port and does real-time scanning of every message that goes through. It then passes the message on to the "real" SMTP server running on a non-standard port. We were initially worried about whether it could keep up with our traffic, but it has been flawless so far. It uses two processes: one listes on the SMTP port and does the scanning while the other processes the queue and passes the messages on to Exim.
It notifies the postmaster and both the sender and receiver when it detects a virus. A cron job runs every night to download the virus definitions. It cost $150 for a school system. The cool thing is that it is licensed by domain, not by # of mailboxes like some products.
Jason
"FORMAT C:" - Kills bugs dead!
[Disclaimer: I work in AV]
If cost is even slightly an issue, I can recommend using qpsmtpd and clamav. The clamav team are pretty fast at adding new virus signatures to their database, and they catch most of the common viruses out there. I've written a qpsmtpd plugin for clamav which you can find here.
I can't honestly recommend Sophos for gateway scanning. They are better on the desktop. If you can I would go for NAI who have the best gateway scanning of the commercially available scanners (according to our live tests).
Alternatively, if a 100% guarantee appeals to you, the company I work for, MessageLabs will give you a 100% guarantee against letting through an email virus. We'll also do spam scanning for you. Yes, I'm biased.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I've been using RAV Antivirus (specifically their sendmail+libmilter option for linux) to scan my company's mail as it passes through our linux/sendmail mail server. It's done a great job of picking out windows viruses. It's not open-source, but their pricing is very reasonable. I think for scanning 2 domains (their minimum) was $300 initially to purchase it, which comes with 1 year of virus database updates, and $60/year after that to keep getting updates. They don't care about the volume of scanning, just how many email domains you're scanning for. Check them out at http://www.ravantivirus.com.
11*43+456^2
We have been using Trend Micro since before I started here. RIght now we have an Exchange 2000 server with Trend Micro installed. We process around 10 million messages a month.
So far I have been very happy with Trend Micro. The only down side I have seen is the cost, but it is not as bad as some others.
word on the street corners i hang out on is that exim+exiscan+sophie+spamassassin is pretty good for attacking emails at SMTP time.
however, if you're serving a large (40K+?) number of users who fall under an 'anarchic' AUP rather than a 'fascist' AUP they might grumble. alternatively your legal dept might have privacy issues.
notably, it's okay to mess with email originating within your domain but incoming email ought to be treated differently, perhaps. some users (or departments) might want to opt out of your blanket sweeps and look after things themselves.
in this case how do you provide differentiated qualities of service for opt-in and opt-out users? those opting out won't want to have their mail delayed by MTA's that are loaded up checking other emails for viruses or spam.
spam is tricky - tagging with headers is a better option than dropping or bouncing because of the great risk of false positives.
finally, drive home the message that this is just one in a series of defences against viruses and spam, and users should be encouraged to take advantage of site licences to run their own software, in other words watch out for a false sense of security!
hth.
a.c.
Inflex http://www.pldaniels.com/inflex
I'm in the middle of writing a HOWTO for the LDP concerning virus scanning on linux. (Wish it was done so I can point you to it).
I don't have my research in front of me, so I have to reply off the top of my head here.
If I was going to do this, I would first select one of those programs that mangles attachments. There are solutions that removes attachments entirely, solutions that detach the attachment and move it to a place where it can be accessed by a link in the email, or solutions that change the extension of the file. I'd suggest the latter solution. If any .vbs, .bat, .exe [...etc] files are renamed to .oldextension.txt, everything is fine. You might want to combine this solution with a rule to filter anything along the lines of .jpg.vbs or the like (which is probably a virus). Remember - If you remove attachments or block emails, please send a message to the sender saying you did. This is business email. The $virus_of_the_month might have attached itself to the CEO's quarterly fiscal report.
That being done, then run all emails through a virus scanner. Again, if you detect a virus, mail the sender explaining what you did and what virus was detected. [Btw, put in a disclaimer - some viruses send out false 'from' addresses in their headers]
That should filter incoming email without a problem. For shares, there are scanners that will integrate themselves with Samba, which will scan files whenever they are changed. I have not seen any real-time scanning solution for other file shares methods though.
If anyone has some more information, please drop an email to dasunt[at]hotmail[dot]com. If I use the information, I'll credit you.
It's not a troll, and it's not offtopic. That article has existed on the internet for a long time, written by someone who was as horrified by the use of virii as I'm sure most of us are.
:-)
And it's definitely not offtopic. The word that the article is about is right in the main article.
Anyway, I noticed that you used the word "trolls" in your article above. That would be "trollii".
If tits were wings it'd be flying around.
A virus scanning solution that provides the kind of functionality that you suggest is already out there... However rather than just stripping all attachments, it virus scans them, but also strips any attachments that attempt to hide the fact that they are really executables eg. britney.jpeg.exe
The system requires a virus scanner to be installed and I think they recommend sophos which is available for linux. Check it out here
If you ever drop your keys into a river of molten lava, let'em go, because, man, they're gone.
I used Sophos and mailscanner on linux to protect our company. They worked great. I had a script get virus updates twice a day from the Sophos site and incorporate them into the scan. Once a month, they sent a CD with an engine update which just dropped in the directory.
It was easy to modify the mail messages (plain text and html versions) that were sent to me and to the intended recipients when something was detected. Lots of options, and easy to configure.
I have misplaced my pants.
Most anti-virus software runs on Windows operating systems (for obvious reasons).
If you're looking for a solution to run on a Linux server (but still check for MS viruses), check out Vexira antivirus. It is inexpensive, automatically updates via cron, unpacks attachments (even multiple levels), and has an integrated virus checker. It can check incoming or outgoing email, or both.
I installed it about 3 weeks ago and I'm very happy with the results. It can be installed as a sendmail "Milter" if you're running a very recent version of sendmail, or as a separate SMTP server that passes the mail along to sendmail via a pipe or a different port (once it's been checked). They have a trial version so you can see if it will work before you buy it.
Most other email virus checkers require a separate program to virus check-- which means you need a MS virus checker that runs under Linux, such as Kaspersky, f-prot, or Sophos.
We've been using sendmail+sophos at our big customer sites for well over 18 months now, and it's great. We sailed through the various virus storms (Melissa, klez, etc) without a hiccup.
When we get the monthly update CD we need to do three installs. One is the mail server update, one is the file server update, and one is the user update. The user update is easy, because it's done to the file server, and all user workstations simply update themselves from that. WinNT/2k workstations do it in the background via the system service, and the few Win9X workstations do it next time they log in.
Between the monthly installs we use wget and a couple of trivial scripts to go out to their website every 2 hours and pick up the latest virus definition files. These are automatically applied to each installation, so we're never more than 2 hours behind in the latest virus info.
We haven't yet had a situation where we've heard reports of some new virus that isn't already known to both the server and desktop based virus scanning.
I like you PD, and when I'm not trolling as AC TSARKON I like you. I read your posts. Thanks for your show of Solidarity!!
I hate the Slash crap editors and the pseudo intellectuals infesting this place. I would call for a vote of no confidence and depose Fat Girl Kneel and Commander Ass Taco and others. I would vote for a person like you. But you have a brain. And people with brains have lives/families/jobs/friends. They do not just make love to keyboards, food and jolt cola.
That being said, I wish you to be an editor here, but know that being a troll or making snide, snarky cynical remarks is far more lofty than being an editor.
Impeach Fat Girl Kneel. Impeach Commander Ass Taco. I call for the removal of all Slashdot editors. Slashdot editors take story bait, spell incorrectly, lie, cheat, use fascist Waffen Schulz Stafauffel techniques and censor people. I think of Himmler, Goebbels when I think of editors moderating.
I have to say, i quite like Dr Web[SALD.com is their english mirror]. Although it's written by some Russians, it seems very good. Worth having a look at it. Integrates nicely in MTAs such as postfix, sendmail.