Best Antivirus Options for a Mailserver?

CSIP asks: "I am setting up a small mailserver, with ~500 users, across 80 domains. I'm planning to use qmail-scanner and an antivirus scanner to block incoming viruses. I would prefer to use ClamAV, however I've read conflicting reports on its effectiveness. The commercial scanners appear to detect 99.X% however they are licensed per-user, which at 500+ users becomes quite the annual bill. What is everyone's experience with ClamAV? Are their other commercial scanners that allow you to license on a per-server basis?" The best indicator of quality for a virus scanner is the information in its virus database. How do ClamAV's virus definitions compare to commercial scanners, like McAfee's?

You'd be better off...

[Ophidian+P.+Jones]

Using a fuzzy checksum tool like DCC to block similarly worded messages. It will catch both spams and viruses.

Most viruses spread so quickly that the AV tools' databases are inevitably out of date and ineffective.

Re:Best mail virus scanner

[JeffMagnus]

While you are at it you might as well suggest converting it all to postal mail, and irridating it to prevent the spread of anthrax.

Clam

[ADRA]

I don't know how many virus signatures it detects, but I can say that our company of only 30 ppl has yet to receive a virus through Clam.

We did have Norton AV/Exchange running when we used exchange as a front line server. It was also pretty good about viruses except for the first day of CodeRed I believe where it was 1/2 after the first emails showed up. We only paid once and the updates never seemed to discontinue after the year, so maybe its just support/assurance that you're paying for. Consult the contract if in doubt.

there's always the blowtorch on an ant method!

The Blowtorch on an Ant method: Block all email with attachments.

Now, granted, with 500 users, I'm going to assume that is not an option for you as people likely send files back and forth via email quite often.

Still, I just wanted to point out that blocking email with attachments is probably the most effective antivirus option for a mailserver, though certainly not the best solution.

Re:there's always the blowtorch on an ant method!

[cybermace5]

Do it. Then set up a simple web-based upload/download site using PHP. This is more efficient because the attachment doesn't need to be encoded for mailing, and gets around any attachment size limits for various users.

It's extremely easy to do, and you could even set it up so that each uploaded file gets a little key so only the intended recipient can get it. The uploader script will automatically send an email to the desired recipient, containing a URL with the unique key embedded. Having all of the files stored on the server like that will probably cut down on all the inappropriate files too.

Solution should take no more than three PHP files of 100 or less lines each.

ClamAV vs. Commercial

[OneFix+at+Work]

There's a good post detailing the ClamAV vs. Commercial question...

To paraphrase, ClamAV's database is generally at least a few days ahead of sophos and sometimes weeks...

ClamAV was written from the ground-up to do mail scanning, so it should be better than commercial scanners that try to be everything to everyone...

ClamAV

[Evanrude]

The ClamAV client is great for scanning email, but it is best used with another scan engine, such as amavis-ng.

I own a company that uses the ClamAV+Amavis-ng configuration internally and implements the solution for clients. We've never seen a virus come through the system yet.

When you combine these tools with SpamAssassin you have a fairlyy "safe" email system.

Here's an idea...

[gklinger]

It would take a bit of server side scripting but it shouldn't be that hard to implement. If someone gets a piece of email with an attachement, any binary attachment, strip it out and save it out somewhere (~/mail/attachments or ~/public_html/mail/attachments, wherever is easiest given your system's configuration) and in its place include a text attachment that says something like, "This email came with an attachment. This could be a virus. We recommend you exercise caution when dealing attachments. You may download/view the attachment at [give URL pointing to wherever you saved it]."

If it's a picture or a word document from a friend or colleague then they'll probably end up viewing it in their browser and if it's a binary, provided it came from a trusted source, they can download it (make sure to give them an option to delete it if they'll feel it isn't benign). If it's something they don't recognize and/or from someone they don't recognize, they're going to be a bit more cautious. The idea is that the extra step prevents people who open all attachements without thinking or, worse yet, run email clients which allow attachments to rape their computer without their knowing, from harming themselves.

If anyone complains, tell them this is the email version of "Are you sure you want to delete that file?" -- it's a pause that forces reflection that may end up saving them grief. They'll learn to live with the added step and eventually, they'll be glad it's there to protect them.

something to check for in your AV scanner

[Tumbleweed]

Make sure your mail-server-based AV scanner can check inside attachments that are archives (zip, etc.), and not just individual documents. Many of the latest attachment-based viruses reside inside compressed archives. Also make sure it can tell the difference between an attached file's extension, and it's real format, as sometimes they're sent out with deliberately-incorrect file extensions to get around the more stupid AV scanners.

My experience with ClamAV/Qmail-scanner

[j-turkey]

I've had reasonably good luck with ClamAV. I've found that effectiveness tends to depend on configuration (which I'll get back to).

Some people say that the ironclad test of an A/V app is the number of virus definitions listed. In ClamAV's case (per FreshClam's log output), there are 20372 signatures in the DB. IMO, the number of definitions doesn't really mean much. In my experience, the most important stuff to protect against are the recent outbreaks -- where mail servers are inundated with worm-laiden email. In this case, it's really a matter of how soon the definitions are updated. Generally, I tend to see definitions updated within 12-48 hours of a reported outbreak. Combine this with your update frequency to figure out your expopsure period.

There will be an exposure period regardless of which A/V software you run. Some will have greater average periods than others. Don't rely on marketing information to figure this out. It's a bunch of crap. Real world experience is what counts here -- if you've got lots of experience with these, great. If not, try to find someone who knows their stuff who can give you a good idea for what's what with different apps. I haven't used a ton of these, so I can't give you any ironclad data.

Your configuration will tend to be your greatest asset/worst enemy in terms of finding the best A/V setup for your particular needs. For example -- I automatically block certain types of attachments via qmail-scanner. There's no reason for them -- and they're not worth the risk. I block any attachment with the following extensions (I'm sure that this is not perfect, but whatever): .vbs, lnk, scr, wsh, hta, pif, exe, bat, com, sct, chm, cmd, crt, hlp, hta, isp, pcd, reg, shs, and js. These attachments are all allowed inside of an archive (which ClamAV scan), but I'm willing to roll the dice on exposure to those, since screwing up and opening the attachment is no longer as simple as a single mouseclick.

Finally, I also run client-side A/V. These just aren't as reliable as server-side protection -- users always find wonky things to do with/to their computers...but I like to think of this is a last line of defense. Furthermore, users also tend to check their personal email from work. If you have the hardware to handle it, it might be worth your while to have your users forward their personal email through your service to cover your butt (or enact a policy forbidding users from checking personal email at work)...just be careful about discoverability of their personal email if it comes through your work email (IANAL).

Overall, I'm satisfied with ClamAV/Qmail-Scanner. I'm running it on a system designed for 1000 users (in its current hardware/software configuration) -- scalable to up to about 3000 users. Currently, we're running with around 150 users...in about 2 months, we'll have our new HR/payroll system up which will allow us to add accounts for the rest of our 750 employees (long story). We'll see how good it is once I have a larger userbase to work with. However, my favorite part about ClamAV (and this is the real selling point) is the lack of per-seat fees associated with most commercial AV products. This is the same reason we chose not to use Exchange...those fees are hefty!

Password-encrypted Zips

[caseih]

No server based AV solution I know of will stop the latest wave of random password zip viruses. That is because the AV program cannot scan inside the zip file. I've posted a patch to the clamav-users mailing list that marks all password-encrypted zip files as suspect and thus can be quarantined for manual extaction and scanning if desired.

Right now I'm quarantining (with mimedefang and the patched clamav) all encrypted zip files. So far it's 100% hit rate, with no false positives. Unfortunately, ClamAV developers haven't said how they plan to deal with these password zip files.

Overall, once I patched clamav, I was more than pleased. Over the last 2 months Clamav working through mimedefang has saved us from almost all the viruses coming into our server. Updates are daily or more and I have a cron auto-updating them on the hour.

The beauty of having an open source AV was made clear to me today as I modified ClamAV to detect the encrypted zip files. Even though this is more of a stop-gap measure, with any other closed-source program I would have been completely at the vendor/developer's mercy.

That said, using clamav in conjunction with other AV programs in a stack fashion would give you even more coverage if you were worried.