Server Side Virus Scanning Options?
Unknown Relic asks: "Because of the number of virii which are propagated through email, and the tendency for some users to open executable attachments no matter what they are told, we have decided to seek out a server side solution. We are currently running Linux with qmail on the server side, and while we have found a couple of products which may fit the bill, I wanted to hear about the experiences and recommendations of slashdotters on this subject. Do you or your company make use of a server side virus scanning engine, Open Source or otherwise, and if so what are your impressions?"
the tendency for some users to open executable attachments no matter what they are told
There are two parts to that:
The simplest solution is to strip all executable attachments. Save them somewhere and add a piece of text to the mail saying
Attachment 'blah.exe' stripped for virus protection. To get a copy of this attachment please call the helpdesk and quote 'Attachment Id: 44591'
It's a bit painful, but it stops people from randomly clicking on attachments.
If they need the file they can call the helpdesk and they can release it for them. It tends to work.
You can also throw in the first point of "some users", and have this based on user.
It depends on how you want to balance the factors of:
- Risk of letting a virus through
- Risk of false-positives
- Annoyance to users
- Cost to implement
- Cost to run
You really need to think about those, and come up with a solution that's right for your organisation.
I've been running qmail forever at my place of employment, so when the bosses told me it was finally time to get an anti-Microsoft virus solution on my mail server, I dug around. Everyone seems to be using Sophos, so we went with that. Having used it for just half a month, I am really impressed with it. Easy to update. Fairly quick. I highly recommend it. However, if you do go with it I urge you to look into Sophie.
I'm also using Clam Anti-Virus as a backup. Out of the 3000+ viruses my server has caught so far, only 4 have been caught by ClamAV. Probably don't need it, but hey... anything free is worth keeping around.
I threw spamassassin in there because I was already wasting time scanning -- might as well tag spam. It helps my users filter spam, and they're happier for it. Plus, it gave me stats to throw out there -- nearly 50% of our incoming email that originates off-site is spam. Scary.
Okay, so here's my setup:
- qmail-scanner
- Sophos (SAVI) + Sophie
- ClamAV (I need to write/find a client like Sophie for it -- it has the daemon, just no client)
- Spamassassin
I'm very happy with our results. My server scans upwards of 20000+ messages a day with the average time of ~4 seconds per message. I could probably get it to scan faster if I dropped ClamAV, which is the slowest piece of the puzzle right now. At any rate, I set it all up in less than a day. Everything was well documented. Good luck.
Without you I'm one step closer to happiness without violence.
I'm in the middle of writing a HOWTO for the LDP concerning virus scanning on linux. (Wish it was done so I can point you to it).
I don't have my research in front of me, so I have to reply off the top of my head here.
If I was going to do this, I would first select one of those programs that mangles attachments. There are solutions that remove attachments entirely, solutions that detach the attachment and move it to a place where it can be accessed by a link in the email, or solutions that change the extension of the file. I'd suggest the latter solution. If any .vbs, .bat, .exe [...etc] files are renamed to .oldextension.txt, everything is fine. You might want to combine this solution with a rule to filter anything along the lines of .jpg.vbs or the like (which is probably a virus). Remember - If you remove attachments or block emails, please send a message to the sender saying you did. This is business email. The $virus_of_the_month might have attached itself to the CEO's quarterly fiscal report.
That being done, then run all emails through a virus scanner. Again, if you detect a virus, mail the sender explaining what you did and what virus was detected. [Btw, put in a disclaimer - some viruses send out false 'from' addresses in their headers]
That should filter incoming email without a problem. For shares, there are scanners that will integrate themselves with Samba, which will scan files whenever they are changed. I have not seen any real-time scanning solution for other file-sharing methods though.
If anyone has some more information, please drop an email to dasunt[at]hotmail[dot]com. If I use the information, I'll credit you.
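An added example, not code from any poster in this thread, that combines the two attachment policies described above: stripping executables and replacing them with a helpdesk notice quoting an attachment id (first reply), and renaming .vbs/.bat/.exe files to .oldextension.txt while blocking disguised double extensions such as .jpg.vbs (last reply). It uses only Python's standard email library; the extension sets, function names and the constructed sample message are assumptions.

```python
from email import message_from_string, policy
from email.message import EmailMessage

EXEC_EXT = {"exe", "vbs", "bat", "com", "scr", "pif"}  # assumed set; the thread names .vbs, .bat, .exe
BENIGN_EXT = {"jpg", "jpeg", "gif", "txt", "doc", "pdf"}  # assumed "harmless-looking" first extensions

def classify_attachment(filename):
    # 'strip' disguised double extensions (photo.jpg.vbs); 'rename' bare executables to name.ext.txt
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in BENIGN_EXT and parts[2] in EXEC_EXT:
        return "strip", filename
    if len(parts) >= 2 and parts[-1] in EXEC_EXT:
        return "rename", filename + ".txt"
    return "pass", filename

def filter_message(raw, first_id):
    # Apply the policy to each attachment; stripped parts become a helpdesk notice with an id.
    msg = message_from_string(raw, policy=policy.default)
    actions, kept, notices, next_id = [], [], [], first_id
    if not msg.is_multipart():
        return raw, actions
    for part in msg.iter_parts():
        name = part.get_filename()
        verdict, new_name = classify_attachment(name) if name else ("pass", None)
        if verdict == "rename":
            part.set_param("filename", new_name, header="Content-Disposition")
            actions.append(("renamed", name, new_name))
        elif verdict == "strip":  # a real filter would quarantine the part under next_id
            notices.append(f"Attachment '{name}' stripped for virus protection.\nTo get a "
                           f"copy please call the helpdesk and quote 'Attachment Id: {next_id}'")
            actions.append(("stripped", name, next_id))
            next_id += 1
            continue
        kept.append(part)
    if notices:
        note = EmailMessage()
        note.set_content("\n".join(notices))
        kept.append(note)
    msg.set_payload(kept)
    return msg.as_string(), actions

def attachment_names(raw):
    msg = message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def sample_mail():
    msg = EmailMessage()
    for name in ("report.exe", "photo.jpg.vbs"):  # constructed sample attachment names
        msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()
```

Running `filter_message(sample_mail(), 44591)` renames report.exe to report.exe.txt, drops photo.jpg.vbs and appends the helpdesk notice quoting Attachment Id 44591.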