Slashdot Mirror

← Back to Stories (view on slashdot.org)

Open Source AV Proxies and Network Scanners?

Posted by Cliff on from the network-wide-virus-innoculations dept.

Zphbeeblbrox asks: "Our Company is looking to set up a central proxy/gateway for several of our Networks. We would like to investigate some of the Open Source Antivirus Proxy solutions and AntiViral Network Scanning, however the information we have on them is rather sketchy. Have any of you had experience setting up DansGuardian with the Clam-AV plugin or similar such solutions. Additionally the mail proxy with Clam-AV solutions? If you have, what advice and recommendations would you have for us. Do they work and should we consider using something like snort-inline to scan our network traffic for viruses? I have found little by way of comparisons or reviews on them so I'm hoping you will be able to share some of your experiences on their effectiveness."

11 of 35 comments (clear)

  1. ASSP - mail proxy +antispam + clamAV by Jjeff1 · · Score: 3, Informative

    I have ASSP, it integrates with the ClamAV database. World-Wide Stats as well as my own stats indicate it's blocking viruses. Though I still have some viruses get picked up by my Exchange server, however there are a very large number blocked.

    Since I have separate AV on my Exchange server, and had it before the ClamAV integration with ASSP, I never bothered to troubleshoot why ASSP misses some of the viruses that it should be catching.

    So based on this, I can't say I'd use it as my only mail AV solution, but then again I haven't tried to either.

    1. Re:ASSP - mail proxy +antispam + clamAV by magefile · · Score: 4, Funny

      You've gotta be kidding me - who chose an acronym that can be expanded as "ASS Proxy"?!

  2. ClamAV as a daemon is easy to use by Bronster · · Score: 3, Interesting

    I use ClamAV both at work and home. It's great.

    My home setup is just a hosted VPS (previously a real box but I got tired of dealing with hardware issues) running email for myself and my family, plus a couple of mailing lists. I'm using amavis-new to apply both SpamAssassin and ClamAV to mails as a content_filter within Postfix.

    Work has to be much higher performance - we use a custom LMTP proxy written in Perl which calls out to the clamd clamav daemon and contains a SpamAssassin instance which has been a lot more seriously tuned. We also run local copies of many RBLs (you generally need to pay to do that, but it's worth it for the saved network traffic if you've got enough spam comming in!)

    Interestingly, I did some work on the lmtp proxy just last week so that even when the clamd is down (restarts, etc) it will fall back to calling out to 'clamscan' directly on the spool file and parsing the output.

    So yes, especially since ClamAV 0.8, it's been very nice and easy to use - the mail scanning is reliable (haven't had a single virus get through into my mail, but I get around 30-50 virus notifications a day from it - I could probably turn them off, but it's nice to see what sort of traffic is floating around).

    Bron.

  3. Questions. by FreeLinux · · Score: 2, Interesting

    I'd have to ask, what size company are we talking about? What is the present and immediate future computing environment? Most of the answers that you'll see here are going to be from home users or REALLY small shops.

    I haven't used Dan's Guardian as yet. So far, most companies that I have seen that want content control are medium sized(100 users and up). The majority of these are Windows shops so the use MS ISA/Symantec, Novell BorderManager/eTrust, or some hardware based firewall/proxy/filter for content control. They "can't be bothered" with hacking together their own solution.

    I have numerous smaller companies(100 users) using Squid/ClamAV to protect the surfers and Postfix/ClamAV to protect the email with stellar results. Both solutions work well, are very fast and would likely scale to much higher loads if given the chance. I see no reason to doubt the capabilities of Dan's Guardian either, I just haven't used it in a corporate environment. But, with Dan's Guardian, the antivirus protection is actually from Squid/ClamAV which works great.

  4. ClamSMTP by stef0x77 · · Score: 2, Informative

    ClamSMTP is what I use. Nice, light and efficient. It does transparent proxying if you need that too.
    http://memberwebs.com/nielsen/software/clamsmtp/

    1. Re:ClamSMTP by harikiri · · Score: 2, Informative

      I trained on it in 2001, and it seemed quite cool at the time. What most impressed me was that they had a scriptable network service designed for third-party customisation. Ie, you send "add user blah profile blah" to create new users.

      For corporations looking at eliminating the overhead of having to manage both a unix server and the application running on it, an appliance server (like mirapoint) makes sense.

      --
      Man watching 6 MSCE's around a sun box, looks alot like the opening scene's of 2001:space odyssey...
  5. Clam by cuteseal · · Score: 3, Informative

    Clam AV seems to be the biggest one out there, but if you're using POP3, P3Scan is worth a try...

    --

    The friendliest digital photography forums on the net!

  6. My company uses by dheltzel · · Score: 2, Informative
    CanIt for email Spam/AV filtering and it works really well (easy to administer too, that's what makes it worth the price). There is a free version for small implementations (or to pilot for a few users to test it out).

    We are planning a Squid implementation to proxy web traffic and there are add-ons to scan for viruses, popups, etc. I can't say how well that works just yet, but I'm very confident it will do the job admirably.

  7. Clamav by dodobh · · Score: 2, Informative

    Clamav rocks for me on the mail side. Postfix, Amavisd-new, Clamav, SpamAssassin combine to form a very efficient virus and spam filtering/classifying system.

    Get them here:
    Postfix
    Amavisd-New
    Clam antivirus
    SpamAssassin at CPAN

    You would be particularly interested in header_checks, mime_header_checks and body_checks for Postfix.

    --
    I can throw myself at the ground, and miss.
  8. Re:Debian? by walt-sjc · · Score: 2, Informative

    Yes, they are VERY effective.

    First, as far as email is concerned (one of the largest sources of malware) if you reject certain file types such as exe, vbs, hta, bat, pif, com, cmd, etc., most viruses just bounce off the mailserver outright.

    Second, using spamassassin and common RBL's to block dynamic IP space and known compromised machines, you cut down on another large hunk of crap (both malware and spam.)

    ClamAV does a great job on modern viruses. Commercial products have large databases of ancient viruses that died out years ago, so counting the size of the database is pointless.

    Dansgardian can handle filtering nicely, and yes, you can run clamav with it - however: this isn't going to cut down on spyware much (if that is your goal.)

    Keep in mind that this setup can have a pretty sigificant performance impact, although you will only be scanning "download" file types for the most part.
    Getting off IE / outlook is your best line of defense frankly, since they are the most targeted apps.

    Snort does just fine at detecting probes and compromized machines (by their network activity), and with some scripting and proper network hardware, you can isolate a compromized machine almost instantly before it causes much damage.

    But again, the best thing is to try it. We don't know your detailed requirements, or the details of your network. Nobody can tell you for sure whether this solution is right for you.

  9. Postfix + Amavisd-new + ClamAV + SpamAssassin by phoenix_rizzen · · Score: 2, Informative

    That's the combo we're using to filter all messages for a school district (1600 staff accounts, roughly 8000 student accounts, approx 15 domains). 1 server handles all incoming and outgoing mail, and then it sends the messages off to appropriate mail server. Blocks approx 30,000 viruses and 120,000 spam messages each month. Server is a dual-Athlon-MP 2200+ with 3 GB RAM and 400 GB HD in RAID5 running FreeBSD 5.

    Configuration was simple, administration is even simpler.

    Looking at possibly adding dspam into the mix.