Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source AV Proxies and Network Scanners?

Posted by Cliff on from the network-wide-virus-innoculations dept.

Zphbeeblbrox asks: "Our Company is looking to set up a central proxy/gateway for several of our Networks. We would like to investigate some of the Open Source Antivirus Proxy solutions and AntiViral Network Scanning, however the information we have on them is rather sketchy. Have any of you had experience setting up DansGuardian with the Clam-AV plugin or similar such solutions. Additionally the mail proxy with Clam-AV solutions? If you have, what advice and recommendations would you have for us. Do they work and should we consider using something like snort-inline to scan our network traffic for viruses? I have found little by way of comparisons or reviews on them so I'm hoping you will be able to share some of your experiences on their effectiveness."

35 comments

  1. ASSP - mail proxy +antispam + clamAV by Jjeff1 · · Score: 3, Informative

    I have ASSP, it integrates with the ClamAV database. World-Wide Stats as well as my own stats indicate it's blocking viruses. Though I still have some viruses get picked up by my Exchange server, however there are a very large number blocked.

    Since I have separate AV on my Exchange server, and had it before the ClamAV integration with ASSP, I never bothered to troubleshoot why ASSP misses some of the viruses that it should be catching.

    So based on this, I can't say I'd use it as my only mail AV solution, but then again I haven't tried to either.

    1. Re:ASSP - mail proxy +antispam + clamAV by magefile · · Score: 4, Funny

      You've gotta be kidding me - who chose an acronym that can be expanded as "ASS Proxy"?!

    2. Re:ASSP - mail proxy +antispam + clamAV by Dr.Dubious+DDQ · · Score: 1
      [...]I still have some viruses get picked up by my Exchange server[...]

      I'm seeing the same thing - it looks like some variants of the Netsky ("SomeFool" as ClamAV's database calls it) virus manage to elude ClamAV somehow. I spotted several references to this happening to other people poking around on Google, and there doesn't seem to be a fix for it yet (I'm not sure if ANYONE's yet figured out how some of them get past). On the other hand, ClamAV DOES seem to catch pretty much everything else (including most variants of Netsky/SomeFool).

      --
      Hacker Public Radio is our Friend
    3. Re:ASSP - mail proxy +antispam + clamAV by j-turkey · · Score: 1
      I'm seeing the same thing - it looks like some variants of the Netsky ("SomeFool" as ClamAV's database calls it) virus manage to elude ClamAV somehow. I spotted several references to this happening to other people poking around on Google, and there doesn't seem to be a fix for it yet

      I submitted a few of these to the ClamAV team. They came back and said that they were code fragments, and did not contain any executable code and were thus harmless (regardless of Norton's findings).

      --

      -Turkey

    4. Re:ASSP - mail proxy +antispam + clamAV by Jjeff1 · · Score: 1

      That's a good point. I'd assume the guy who wrote it.

      But then again, it has a purple snake for a mascot, plus a theme song (mouse over the musical note).

      I think it balances out in the end.

    5. Re:ASSP - mail proxy +antispam + clamAV by xsbellx · · Score: 1

      A place I used to work at, had a project called "Automated Information Distribution System". It was great when you were at meeting the chair[man:person:woman] asked the question, "Ok who has AIDS?".

      --
      If VISTA is the answer, you didn't understand the question
  2. MCSE says... by Anonymous Coward · · Score: 0

    ... MS Intarweb Connection Sharing and XP Firewall.

  3. Spambayes by Anonymous Coward · · Score: 0

    http://www.spambayes.org/

    Works pretty well, we have about 75 users. Doesn't use much of our P2-450 server running Slackware.

  4. No clam AV, but love DansGuardian by anomaly · · Score: 1

    I've got my home network set up behind DansGuardian/Squid and I've been VERY pleased with the results. Dansguardian was easy to get running, and I have been able to apply a large blacklist as well as easily configure allowed and blocked sites.

    On the email side, I don't run my own mailserver (ISP blocks port 25) but I use fetchmail to grab POP mail from them, then use procmail rules and Smapassassin to kill SPAM. Works pretty darn well.

    I've been meaning to write a howto on this, but.... life intervened. If you want to know more about how/why I did this, please email or post a reply.

    Regards,
    Anomaly

    --
    But Herr Heisenberg, how does the electron know when I'm looking?
    1. Re:No clam AV, but love DansGuardian by DetrimentalFiend · · Score: 1

      Same here. We've got a 300 PC network running off of one DG/Squid server and its usage is very low. I'm sure you could run ClaimAV on it and still be fine, and it's only a 1GHZ machine with 512MB ram. Check out yahoo groups for the two official mailing lists. You'll want the non-dev one. Search the archives first because there's a lot of people doing the same setup.

  5. Debian? by walt-sjc · · Score: 1

    You mean, other than "apt-get install exim-heavy dansguardian clamav"? (sarge or newer of course...) And configuring them according to the instructions?

    It's not hard. Try it. Shouldn't take more than a few hours. Then come back and give us your report later tonight...

    1. Re:Debian? by Zphbeeblbrox · · Score: 1

      I'm not worried about the setup. I can handle that in my sleep probably. I was wondering if they were effective enough to use. I'm very familiar with debian run it exclusively at home. So yes I can probably handle that.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
    2. Re:Debian? by walt-sjc · · Score: 2, Informative

      Yes, they are VERY effective.

      First, as far as email is concerned (one of the largest sources of malware) if you reject certain file types such as exe, vbs, hta, bat, pif, com, cmd, etc., most viruses just bounce off the mailserver outright.

      Second, using spamassassin and common RBL's to block dynamic IP space and known compromised machines, you cut down on another large hunk of crap (both malware and spam.)

      ClamAV does a great job on modern viruses. Commercial products have large databases of ancient viruses that died out years ago, so counting the size of the database is pointless.

      Dansgardian can handle filtering nicely, and yes, you can run clamav with it - however: this isn't going to cut down on spyware much (if that is your goal.)

      Keep in mind that this setup can have a pretty sigificant performance impact, although you will only be scanning "download" file types for the most part.
      Getting off IE / outlook is your best line of defense frankly, since they are the most targeted apps.

      Snort does just fine at detecting probes and compromized machines (by their network activity), and with some scripting and proper network hardware, you can isolate a compromized machine almost instantly before it causes much damage.

      But again, the best thing is to try it. We don't know your detailed requirements, or the details of your network. Nobody can tell you for sure whether this solution is right for you.

    3. Re:Debian? by Zphbeeblbrox · · Score: 1

      That's exactly what I was looking for thanks. We already run dansguardian and it works well in cutting down the spyware/malware counts. Its too easy to bypass in our current setup right now though So I have been looking at some alternate methods. And a good AV mail proxy will work wonders for us. I'm also slowly weaning people off of IE/Outlook. We are contractors for these networks so I can't do a blanket replacement of the software.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
  6. ClamAV as a daemon is easy to use by Bronster · · Score: 3, Interesting

    I use ClamAV both at work and home. It's great.

    My home setup is just a hosted VPS (previously a real box but I got tired of dealing with hardware issues) running email for myself and my family, plus a couple of mailing lists. I'm using amavis-new to apply both SpamAssassin and ClamAV to mails as a content_filter within Postfix.

    Work has to be much higher performance - we use a custom LMTP proxy written in Perl which calls out to the clamd clamav daemon and contains a SpamAssassin instance which has been a lot more seriously tuned. We also run local copies of many RBLs (you generally need to pay to do that, but it's worth it for the saved network traffic if you've got enough spam comming in!)

    Interestingly, I did some work on the lmtp proxy just last week so that even when the clamd is down (restarts, etc) it will fall back to calling out to 'clamscan' directly on the spool file and parsing the output.

    So yes, especially since ClamAV 0.8, it's been very nice and easy to use - the mail scanning is reliable (haven't had a single virus get through into my mail, but I get around 30-50 virus notifications a day from it - I could probably turn them off, but it's nice to see what sort of traffic is floating around).

    Bron.

    1. Re:ClamAV as a daemon is easy to use by walt-sjc · · Score: 1

      Just curious - why the LMTP step and not integrated into the SMTP server? Do you Accept and bounce, or reject at initial SMTP reception? If clamav is down you can always defer (4xx) and have the sender retry...

      I've been running scanning from within exim for well over a year. Never had an issue with the setup handling 5K users...

    2. Re:ClamAV as a daemon is easy to use by BinLadenMyHero · · Score: 1

      I use ClamAV in the mailserver I admin for the company I work for. I integrate both SpamAssassin and ClamAV (with the help of the ClamAssassin script) witht Postfix using procmail. But it can integrate with any system, even as a http proxy.

      ClamAV correctly detects 99% of the infected emails, and it's database is updated very often, with new signatures a few times a day. The users here are happy not having to deal with tons of worm emails every day. :)

    3. Re:ClamAV as a daemon is easy to use by Bronster · · Score: 1

      Just curious - why the LMTP step and not integrated into the SMTP server?

      Mainly because our backend Cyrus servers are already talking lmtp, so it seemed a little pointless to send it back into Postfix again just to be sent out to another local delivery agent. Also means we can do all sorts of funky per-user processing - and yes, we can 4xx back to Postfix easily enough if there's a temporary error condition.

      We have 4 incoming mx servers handling ~500k users, and the load average on these boxes sits pretty high - they're all multi processor xeon boxes with 4Gb of memory (some of the imap servers have >4Gb, but you run into funky kernel issues up there - not to mention the way cyrus does mmap.. scary stuff).

      Given that the load average on our mx servers never goes below about 2.5, we can't afford anything which spawns per-mail doing database connections, loading spamassassin, etc - so that's why the long running lmtp proxies.

  7. Questions. by FreeLinux · · Score: 2, Interesting

    I'd have to ask, what size company are we talking about? What is the present and immediate future computing environment? Most of the answers that you'll see here are going to be from home users or REALLY small shops.

    I haven't used Dan's Guardian as yet. So far, most companies that I have seen that want content control are medium sized(100 users and up). The majority of these are Windows shops so the use MS ISA/Symantec, Novell BorderManager/eTrust, or some hardware based firewall/proxy/filter for content control. They "can't be bothered" with hacking together their own solution.

    I have numerous smaller companies(100 users) using Squid/ClamAV to protect the surfers and Postfix/ClamAV to protect the email with stellar results. Both solutions work well, are very fast and would likely scale to much higher loads if given the chance. I see no reason to doubt the capabilities of Dan's Guardian either, I just haven't used it in a corporate environment. But, with Dan's Guardian, the antivirus protection is actually from Squid/ClamAV which works great.

    1. Re:Questions. by Zphbeeblbrox · · Score: 1

      We manage 5000 computers across 40 different networks of around 200 or more computers. The proxy/AV scanner would be a gateway for at most 300 computers per setup

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
  8. Viralator or c-icap for proxy servers by loddington · · Score: 1

    From a mial server point of view amavis with clamd have always worked well for me.

    For squid proxy servers have a look at viralator or c-icap.

    Dunc

    --
    --- Who put this sig here? ---
  9. Corretcion - Slashcode by FreeLinux · · Score: 1

    I have numerous smaller companies(100 users) using

    The above should have read: smaller companies(less than 100 users)
    I can't get it to work even when using tt tags.

    1. Re:Corretcion - Slashcode by BinLadenMyHero · · Score: 1

      Try "<"
      See: <

  10. clamAV and NetSky, etc. by Dr.Dubious+DDQ · · Score: 1

    On the other hand...closer examination of the "Symantec Antivirus" logs seems to show that no viruses have been detected in the last week (while ClamAV is still showing viruses being caught), where before one or two were slipping through every day or so. Looks like perhaps whatever had been confounding ClamAV before got worked out and updated in the virus pattern data files.

    --
    Hacker Public Radio is our Friend
  11. ClamSMTP by stef0x77 · · Score: 2, Informative

    ClamSMTP is what I use. Nice, light and efficient. It does transparent proxying if you need that too.
    http://memberwebs.com/nielsen/software/clamsmtp/

    1. Re:ClamSMTP by superpulpsicle · · Score: 1

      Has anyone tried Mirapoint? Which is literally hardware mail server (www.mirapoint.com).

    2. Re:ClamSMTP by harikiri · · Score: 2, Informative

      I trained on it in 2001, and it seemed quite cool at the time. What most impressed me was that they had a scriptable network service designed for third-party customisation. Ie, you send "add user blah profile blah" to create new users.

      For corporations looking at eliminating the overhead of having to manage both a unix server and the application running on it, an appliance server (like mirapoint) makes sense.

      --
      Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
  12. Clam by cuteseal · · Score: 3, Informative

    Clam AV seems to be the biggest one out there, but if you're using POP3, P3Scan is worth a try...

    --

    The friendliest digital photography forums on the net!

  13. My company uses by dheltzel · · Score: 2, Informative
    CanIt for email Spam/AV filtering and it works really well (easy to administer too, that's what makes it worth the price). There is a free version for small implementations (or to pilot for a few users to test it out).

    We are planning a Squid implementation to proxy web traffic and there are add-ons to scan for viruses, popups, etc. I can't say how well that works just yet, but I'm very confident it will do the job admirably.

  14. Clamav by dodobh · · Score: 2, Informative

    Clamav rocks for me on the mail side. Postfix, Amavisd-new, Clamav, SpamAssassin combine to form a very efficient virus and spam filtering/classifying system.

    Get them here:
    Postfix
    Amavisd-New
    Clam antivirus
    SpamAssassin at CPAN

    You would be particularly interested in header_checks, mime_header_checks and body_checks for Postfix.

    --
    I can throw myself at the ground, and miss.
    1. Re:Clamav by Zphbeeblbrox · · Score: 1

      "I can throw myself at the ground and miss." Cool I've been trying to manage flight for a few years now and still keep remembering to hit the ground at the last second. I'm confident I'll hit on the correct combination of falling/distraction soon though.

      --
      If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
  15. Postfix + Amavisd-new + ClamAV + SpamAssassin by phoenix_rizzen · · Score: 2, Informative

    That's the combo we're using to filter all messages for a school district (1600 staff accounts, roughly 8000 student accounts, approx 15 domains). 1 server handles all incoming and outgoing mail, and then it sends the messages off to appropriate mail server. Blocks approx 30,000 viruses and 120,000 spam messages each month. Server is a dual-Athlon-MP 2200+ with 3 GB RAM and 400 GB HD in RAID5 running FreeBSD 5.

    Configuration was simple, administration is even simpler.

    Looking at possibly adding dspam into the mix.

  16. Subscription fee by mdeslaur · · Score: 1

    So what will everyone do when ClamAV starts charging a subscription fee for updates like Nessus and Snort started doing?

  17. Pay for it? by FreeLinux · · Score: 1

    They can do any of the following:

    Pay for it.
    Pay Symantec et al.
    Start another free project.

    I think that what Snort and Nessus are doing is perfectly fair. Nessus seems to be reasonably priced but, I think that Snort is priced too high and will likely cause a rules community to develop, perhaps even a fork.

  18. Qmailrocks by bondjamesbond · · Score: 1

    It does, and the instructions are shockingly clear and cover several distros. I have it set up on Debian.