Slashdot Mirror


Server Side Virus Scanning Options?

Unknown Relic asks: "Because of the number of viruses which are propagated through email, and the tendency for some users to open executable attachments no matter what they are told, we have decided to seek out a server side solution. We are currently running Linux with qmail on the server side, and while we have found a couple of products which may fit the bill, I wanted to hear about the experiences and recommendations of slashdotters on this subject. Do you or your company make use of a server side virus scanning engine, Open Source or otherwise, and if so what are your impressions?"

7 of 46 comments

  1. Define your objectives by tpv · · Score: 4, Informative
    You need to decide what it is you want to stop, and then you can evaluate the options.

    the tendency for some users to open executable attachments no matter what they are told

    There's two parts to that:

    1. some users
    2. executable attachments

    The simplest solution is to strip all executable attachments. Save them somewhere and add a piece of text to the mail saying
    Attachment 'blah.exe' stripped for virus protection. To get a copy of this attachment please call the helpdesk and quote 'Attachment Id: 44591'

    It's a bit painful, but it stops people from randomly clicking on attachments.
    If they need the file they can call the helpdesk and they can release it for them. It tends to work.

    You can also throw in the first point of "some users", and have this based on user.

    It depends on how you want to balance the factors of:

    • Risk of letting a virus through
    • Risk of false-positives
    • Annoyance to users
    • Cost to implement
    • Cost to run
    You really need to think about those, and come up with a solution that's right for your organisation.
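The strip-and-quarantine approach tpv describes in comment 1, as an added Python example that is not part of the original thread. The extension list, the random attachment id and the quarantine file layout are assumptions; only the notice wording comes from the comment.

```python
import secrets
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import Path

# Assumed policy list; the comment above only says "executable attachments".
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".vbs"}

def strip_executables(raw: bytes, quarantine_dir: Path):
    """Quarantine blocked attachments; return (new message bytes, attachment ids)."""
    msg = message_from_bytes(raw, policy=policy.default)
    ids = []
    for part in msg.walk():
        name = part.get_filename()
        if not name or part.is_multipart():
            continue
        # Last extension, minus trailing dots/spaces: "invoice.pdf.exe", "run.EXE."
        ext = Path(name.strip().rstrip(". ")).suffix.lower()
        if ext not in BLOCKED_EXTENSIONS:
            continue
        attachment_id = secrets.token_hex(4)  # assumed id format
        # Store under the generated id, never under the sender-supplied name.
        payload = part.get_payload(decode=True) or b""
        (quarantine_dir / f"{attachment_id}.bin").write_bytes(payload)
        # set_content() clears the old Content-* headers and body of this part.
        part.set_content(
            f"Attachment {name!r} stripped for virus protection.\n"
            "To get a copy of this attachment please call the helpdesk\n"
            f"and quote 'Attachment Id: {attachment_id}'\n"
        )
        ids.append(attachment_id)
    return msg.as_bytes(), ids

def build_sample() -> bytes:
    """Constructed test message: one blocked and one allowed attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "files"
    m.set_content("See attached.")
    m.add_attachment(b"MZ-constructed-bytes", maintype="application",
                     subtype="octet-stream", filename="blah.exe")
    m.add_attachment(b"%PDF-constructed", maintype="application",
                     subtype="pdf", filename="report.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cleaned, ids = strip_executables(build_sample(), Path(d))
        print(ids, cleaned.decode())
```

Filtering on the filename alone only enforces the attachment policy; it does not detect renamed or archived executables, which is where the scanners discussed in the other comments come in.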
  2. Amavis and OAV by mwilson · · Score: 3, Informative

    Check out Amavis and Open AntiVirus. I've got them working under courier with some mods with great results. Plus the whole thing is free!

  3. Qmail, Sophos, ClamAV, and Spamassassin by MaufTarkie · · Score: 4, Informative

    I've been running qmail forever at my place of employment, so when the bosses told me it was finally time to get an anti-Microsoft virus solution on my mail server, I dug around. Everyone seems to be using Sophos, so we went with that. Having used it for just half a month, I am really impressed with it. Easy to update. Fairly quick. I highly recommend it. However, if you do go with it I urge you to look into Sophie.

    I'm also using Clam Anti-Virus as a backup. Out of the 3000+ viruses my server has caught so far, only 4 have been caught by ClamAV. Probably don't need it, but hey... anything free is worth keeping around.

    I threw spamassassin in there because I was already wasting time scanning -- might as well tag spam. It helps my users filter spam, and they're happier for it. Plus, it gave me stats to throw out there -- nearly 50% of our incoming email that originates off-site is spam. Scary.

    Okay, so here's my setup:

    I'm very happy with our results. My server scans upwards of 20000+ messages a day with the average time of ~4 seconds per message. I could probably get it to scan faster if I dropped ClamAV, which is the slowest piece of the puzzle right now. At any rate, I set it all up in less than a day. Everything was well documented.

    Good luck.

    --
    Without you I'm one step closer to happiness without violence.
  4. Sendmail + MIMEDefang + SpamAssassin + McAfee Here by SpaFF · · Score: 3, Informative

    I just (as in 2 days ago) set up a sendmail box for about 6,000 accounts which is running sendmail plus the MIMEDefang milter. MIMEDefang strips out invalid attachments (we have a policy not to accept .exe's and a few other files), strips out messages with invalid headers and a few other things, calls McAfee uvscan, and then runs anything left through spamassassin.

    It has worked like a charm thus far and with graphdefang (a set of scripts that comes with mimedefang) I can view how many messages are discarded, why they are discarded, how many messages are tagged as spam, how many of what type of viruses were cleaned, etc.

    I have been quite impressed with the McAfee scanner as well. I have heard nightmares from Windows users who have it installed on their workstations, but it seems to work great on the Unix side. It even comes with a perl script you can set to run in your crontab to download the latest virus definition files.

    -Lee

    --
    -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GIT d? s: a-- C++++ UL++++ P++ L+++ E- W++ N o-- K- w--- O- M+ V PS+ P
  5. qpsmtpd + clamav by Matts · · Score: 3, Informative

    [Disclaimer: I work in AV]

    If cost is even slightly an issue, I can recommend using qpsmtpd and clamav. The clamav team are pretty fast at adding new virus signatures to their database, and they catch most of the common viruses out there. I've written a qpsmtpd plugin for clamav which you can find here.

    I can't honestly recommend Sophos for gateway scanning. They are better on the desktop. If you can I would go for NAI who have the best gateway scanning of the commercially available scanners (according to our live tests).

    Alternatively, if a 100% guarantee appeals to you, the company I work for, MessageLabs, will give you a 100% guarantee against letting through an email virus. We'll also do spam scanning for you. Yes, I'm biased.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  6. RAV by photon317 · · Score: 3, Informative


    I've been using RAV Antivirus (specifically their sendmail+libmilter option for linux) to scan my company's mail as it passes through our linux/sendmail mail server. It's done a great job of picking out windows viruses. It's not open-source, but their pricing is very reasonable. I think for scanning 2 domains (their minimum) it was $300 initially to purchase it, which comes with 1 year of virus database updates, and $60/year after that to keep getting updates. They don't care about the volume of scanning, just how many email domains you're scanning for. Check them out at http://www.ravantivirus.com.

    --
    11*43+456^2
  7. sophos and mailscanner by jmlyle · · Score: 2, Informative

    I used Sophos and mailscanner on linux to protect our company. They worked great. I had a script get virus updates twice a day from the Sophos site and incorporate them into the scan. Once a month, they sent a CD with an engine update which just dropped in the directory.

    It was easy to modify the mail messages (plain text and html versions) that were sent to me and to the intended recipients when something was detected. Lots of options, and easy to configure.

    --
    I have misplaced my pants.