Best Antivirus Options for a Mailserver?

Cliff posted more than 10 years ago | from the remember-when-email-viruses-were-a-myth dept.

Security 91

CSIP asks: "I am setting up a small mailserver, with ~500 users, across 80 domains. I'm planning to use qmail-scanner and an antivirus scanner to block incoming viruses. I would prefer to use ClamAV, however I've read conflicting reports on its effectiveness. The commercial scanners appear to detect 99.X% however they are licensed per-user, which at 500+ users becomes quite the annual bill. What is everyone's experience with ClamAV? Are there other commercial scanners that allow you to license on a per-server basis?" The best indicator of quality for a virus scanner is the information in its virus database. How do ClamAV's virus definitions compare to commercial scanners, like McAfee's?

91 comments

BSD: it's (a)live! (-1)

users.pl (689022) | more than 10 years ago | (#8456531)

It is official; Netcraft confirms: *BSD: it's (a)live!

One more crippling bombshell hit the already beleaguered *BSD is dying community when Slashdot confirmed that *BSD death trolls have dropped yet again, now down to less than a fraction of 1 percent of all troll posts. Coming on the heels of a recent troll survey which plainly states that trolls are running out of *BSD ammo, this news serves to reinforce what we've known all along. Slashdot trolls are trolling with new and better methods [slashdot.org] because trolling about BSD's falsely prophetic death is as obsolete and useless as GNU HURD [gnu.org] .

You don't need to be Jesus [stallman.org] to predict the Slashdot troll phenomena's future. The hand writing is on the wall: *BSD trolls face a bleak future. In fact there won't be any future at all for *BSD trolls because *BSD trolls are dying. Things are looking very bad for *BSD trolls. As many of us are already aware, *BSD has recently acquired several [freesbie.org] Live CDs [livebsd.com] . Red devil Live CDs multiply like fucking rabbits.

The reasons for the death of the *BSD troll are obvious. The creators of the *BSD troll post have lost 93% of their core developers due to casualties from the sudden and unpleasant battles [slashdot.org] between Trollcore [slashdot.org] and GNAA [slashdot.org] . There can no longer be any doubt: FreeBSD trolls are dying.

Let's keep to the facts and look at the numbers.

GNAA leader Anonymous Coward states that there are 700 active trolls on Slashdot. How many BSD death trolls are there? Let's see. The number of troll posts vs BSD death troll posts on Slashdot is roughly in ratio of 5 to 1. Therefore there are about 700/5 = 140 BSD death trolls. But half of those are just cheezy karma-whore spinoffs of the original troll. Therefore there are about 70 users of the real BSD death troll. These statistics, of course, reflect Slashdot before the war between Trollcore and GNAA. So we must assume that there are less than 70 people who actually believe that *BSD is still dying!

All major surveys show that *BSD trolls have steadily declined in humor level. *BSD trolls are very sick and their long term survival prospects are very dim. If *BSD trolls are to survive at all, they will be nothing but workers toiling in Slashdot trolling phenomena obscurity. *BSD death trolls continue to decay. Nothing short of a miracle could save them at this point in time. For all practical purposes, *BSD death trolls are dead.

Fact: *BSD: it's (a)live! [freesbie.org]

ClamAV (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8456536)

I have been using ClamAV for about 6 months, and so far it's blocked a few viruses. So far so good.

Re:ClamAV (1, Insightful)

revmoo (652952) | more than 10 years ago | (#8456659)

I have been using ClamAV for about 6 months, and so far it's blocked a few viruses. So far so good.

Score:1, Interesting

Right....

Best mail virus scanner (0)

Anonymous Coward | more than 10 years ago | (#8456538)

Strip attachments, don't use Outlook.

Re:Best mail virus scanner (4, Funny)

JeffMagnus (133746) | more than 10 years ago | (#8456580)

While you are at it you might as well suggest converting it all to postal mail, and irradiating it to prevent the spread of anthrax.

Re:Best mail virus scanner (-1)

c4thy (224077) | more than 10 years ago | (#8456766)

you might want to irradiate the postal mail as well.

Easy solution (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8456571)

Tell the dumbasses to ditch their Windoze boxes. Convert everyone to Linux, and watch the company's average IQ skyrocket.

Re:Easy solution (0, Offtopic)

hdparm (575302) | more than 10 years ago | (#8456678)

Also, don't forget to ask this guy [slashdot.org] how to utilise `apt-get sync domains` for easy distribution of Contacts and Calendars.

Re:Easy solution (0)

Anonymous Coward | more than 10 years ago | (#8478188)

yes! and then your dumbass will be out of a job!
sounds fair to me.

You'd be better off... (3, Informative)

Ophidian P. Jones (466787) | more than 10 years ago | (#8456577)

Using a fuzzy checksum tool like DCC [rhyolite.com] to block similarly worded messages. It will catch both spams and viruses.

Most viruses spread so quickly that the AV tools' databases are inevitably out of date and ineffective.

Re:You'd be better off... (2, Interesting)

richie2000 (159732) | more than 10 years ago | (#8456673)

Most viruses spread so quickly that the AV tools' databases are inevitably out of date and ineffective.

That wasn't really true until just a week ago when I had to manually update my f-prot twice in one day to catch the new Netsky variants. I had it set at once a day for the longest time, set it for twice a day a month ago and it's now at every four hours. The updated db got them right away, the delay (in my case) was me doing the update in the first place.

F-prot and SpamAssassin with Courier-MTA [gentoo.org] , BTW.

Re:You'd be better off... (2, Interesting)

BrookHarty (9119) | more than 10 years ago | (#8457252)

F-prot does indeed rock, for a home user, you can set up a linux box, use postfix, fetchmail, f-prot, procmail and spam assassin. Top it off with Mozilla Mail or Thunderbird, and spam/viruses are so much easier to deal with.
F-prot catches most viruses, the rest seem to be on a blocked list, so I'm pretty happy with f-prot. In fact, I use f-prot to scan all the file-systems also, not just for email. F-prot has to be the easiest command line scanner out.

And if you want, you can use procmail/fetchmail and hotpop to grab your webbased emails and scan them for viruses. Little time to setup, but worth every minute.

Re:You'd be better off... (1)

BrokenHalo (565198) | more than 10 years ago | (#8457608)

SpamAssassin is also good for this: it lets people know up front that there's an executable there, so if the user has half a brain, he should know not to click on it.

That's the idea, anyway. Of course, the most common elements on this planet are hydrogen and stupidity...

Clam (4, Interesting)

ADRA (37398) | more than 10 years ago | (#8456668)

I don't know how many virus signatures it detects, but I can say that our company of only 30 ppl has yet to receive a virus through Clam.

We did have Norton AV/Exchange running when we used exchange as a front line server. It was also pretty good about viruses except for the first day of CodeRed I believe where it was 1/2 after the first emails showed up. We only paid once and the updates never seemed to discontinue after the year, so maybe it's just support/assurance that you're paying for. Consult the contract if in doubt.

Re:Clam (2, Interesting)

RedHat Rocky (94208) | more than 10 years ago | (#8456808)

Used to use Sophos to scan email coming into a qmail server. Switched to ClamAV a couple of months ago and have never regretted it.

I do think they deserve some support from the community, I'm considering what to do in my workplace. A mirror would be possible but the mirror terms are a little out of the ordinary.

Re:Clam (1)

CSIP (31272) | more than 10 years ago | (#8458618)

Yep... I had the same thought about mirroring, seems it's one per country or something like that, with the mirror for my location already run by a company my best friend works for.

looked like the support they wanted was virus signatures, etc as the more of those, the more reliable it is.

I just wanted to be safe, and not switch to this without checking it out first.

thanks!

Re:Clam (2, Informative)

phoenix_rizzen (256998) | more than 10 years ago | (#8457591)

The current database scans for more than 20,000 viruses and variants.

there's always the blowtorch on an ant method! (3, Insightful)

Anonymous Coward | more than 10 years ago | (#8456695)

The Blowtorch on an Ant method: Block all email with attachments.

Now, granted, with 500 users, I'm going to assume that is not an option for you as people likely send files back and forth via email quite often.

Still, I just wanted to point out that blocking email with attachments is probably the most effective antivirus option for a mailserver, though certainly not the best solution.

Re:there's always the blowtorch on an ant method! (5, Insightful)

cybermace5 (446439) | more than 10 years ago | (#8456880)

Do it. Then set up a simple web-based upload/download site using PHP. This is more efficient because the attachment doesn't need to be encoded for mailing, and gets around any attachment size limits for various users.

It's extremely easy to do, and you could even set it up so that each uploaded file gets a little key so only the intended recipient can get it. The uploader script will automatically send an email to the desired recipient, containing a URL with the unique key embedded. Having all of the files stored on the server like that will probably cut down on all the inappropriate files too.

Solution should take no more than three PHP files of 100 or less lines each.

Re:there's always the blowtorch on an ant method! (0)

Anonymous Coward | more than 10 years ago | (#8457492)

As soon as I start seeing attachments converted to URLs, I'll turn your PHP uploader into a free porn hosting service and make millions!!

Re:there's always the blowtorch on an ant method! (1)

cybermace5 (446439) | more than 10 years ago | (#8459028)

It is also easy to make a session-based login system.

Re:there's always the blowtorch on an ant method! (1)

scott_davey (552885) | more than 10 years ago | (#8461882)

This is more efficient because the attachment doesn't need to be encoded for mailing...

Actually, if you use a web form to upload the file, it still encodes the file using MIME [w3.org] . But if your browser and server both support gzip it can be compressed - so you're half right.

I hate it when I get pedantic!

Re:there's always the blowtorch on an ant method! (1)

cybermace5 (446439) | more than 10 years ago | (#8466617)

I meant that it isn't MIME-encoded while on the server...thus taking up less space.

Re:there's always the blowtorch on an ant method! (1)

CSIP (31272) | more than 10 years ago | (#8458642)

yeah, that's definitely one solution, but imposes limits on users that I'd rather not.

best Anti Virus Protection (1, Funny)

Anonymous Coward | more than 10 years ago | (#8456702)

The best Anti Virus protection for your mail server is to not let anyone receive mail =)

But since that's not going to work you need to enforce a strict policy "If you open a virus I chop off a finger"

This should work for you unless you have someone that just doesn't learn

We tried that recently at my company (2, Funny)

cgenman (325138) | more than 10 years ago | (#8457333)

MyDoom reduced our productivity by 10%.

Re:best Anti Virus Protection (1)

spood (256582) | more than 10 years ago | (#8458015)

Nope, that works fine. At most, they'll run 10 or 20 viruses before they'll have to start mousing with their nose. That makes it hard to see the monitor.

ClamAV vs. Commercial (4, Informative)

OneFix at Work (684397) | more than 10 years ago | (#8456736)

There's a good post [mail-archive.com] detailing the ClamAV vs. Commercial question...

To paraphrase, ClamAV's database is generally at least a few days ahead of sophos and sometimes weeks...

ClamAV was written from the ground-up to do mail scanning, so it should be better than commercial scanners that try to be everything to everyone...

Re:ClamAV vs. Commercial (1)

JofCoRe (315438) | more than 10 years ago | (#8459430)

It's true. We've been using a combination of MailScanner [mailscanner.info] , Spamassassin [spamassassin.org] , and ClamAV [sourceforge.net] on ours and a number of customer mailservers for a little over a year now. Don't seem to remember any viruses getting through, and many times Clam has an update before the commercial vendors. It's also got _great_ support through the mailing list(s). I would recommend ClamAV wholeheartedly.

Re:ClamAV vs. Commercial (1)

LnxAddct (679316) | more than 10 years ago | (#8470810)

Just out of curiosity, how many of you ClamAV users give back to them with either money and/or some sort of service? Keeping such an up to date database is a full time job, is the community supporting them well enough?
Regards,
Steve

Re:ClamAV vs. Commercial (0)

Anonymous Coward | more than 10 years ago | (#8470997)

I read all the way through their requirements for hosting a mirror site. That ought to be enough, doncha think?

Huh? Doesn't everyone use Pine? (0)

Anonymous Coward | more than 10 years ago | (#8456762)

I do. No viruses.

Re:Huh? Doesn't everyone use Pine? (0)

Anonymous Coward | more than 10 years ago | (#8456825)

mutt > pine

Re:Huh? Doesn't everyone use Pine? (1)

RedHat Rocky (94208) | more than 10 years ago | (#8456845)

No PROBLEM with viruses in pine, unless one considers the hundreds of virus-laden email messages one must constantly delete to be a problem. That's why I finally installed a virus scanner on the email gateway, despite the fact that none of the users were on W32. Now all I have to do is remember to clear out the quarantine maildir every once in a while.

Re:Huh? Doesn't everyone use Pine? (2, Interesting)

great_snoopy (736076) | more than 10 years ago | (#8458345)

Even if you use pine, you still get tons of junk mail generated by viruses. All those messages must be manually deleted. Depending on various factors, you can get more or less junk virmail, and it's frustrating to delete them by hand. Better let the AV do that for you.

ClamAV (4, Interesting)

Evanrude (21624) | more than 10 years ago | (#8456791)

The ClamAV client is great for scanning email, but it is best used with another scan engine, such as amavis-ng [sourceforge.net] .

I own a company that uses the ClamAV+Amavis-ng configuration internally and implements the solution for clients. We've never seen a virus come through the system yet.

When you combine these tools with SpamAssassin you have a fairly "safe" email system.

Re:ClamAV (0)

Anonymous Coward | more than 10 years ago | (#8469291)

The ClamAV client is great for scanning email, but it is best used with another scan engine

You can't just make that claim and not state why... some detail please.

Chain Solutions (2, Interesting)

4of12 (97621) | more than 10 years ago | (#8456841)


Not recommending anything in particular, but you can chain together different tools to filter more completely than a single line of defense both against viruses and against spam.

IIRC, at MyCorp, Exchange servers are insulated from the outside by both PerlMX [perl.com] and Tumbleweed [dmoz.org] .

ClamAV and something else (2, Interesting)

Gaima (174551) | more than 10 years ago | (#8456953)

I also run a mailserver, but for a company of 50ish, over a dozen or so domains.
At first I converted it from exim to qmail with qmail-scanner, then replaced qmail-smtpd with qpsmtpd.
As we already have licencing for f-prot I used that, but it soon failed to pick up a variant of Swen. So I simply added the clamav plugin and stopped the variant (gibe) dead.

I probably should build some stats on which scanner detects what, but we've only had a few netsky variants before one or the other updated.
With at least the first and second netsky variants it was f-prot which updated first.

Here's an idea... (4, Interesting)

gklinger (571901) | more than 10 years ago | (#8457004)

It would take a bit of server side scripting but it shouldn't be that hard to implement. If someone gets a piece of email with an attachment, any binary attachment, strip it out and save it out somewhere (~/mail/attachments or ~/public_html/mail/attachments, wherever is easiest given your system's configuration) and in its place include a text attachment that says something like, "This email came with an attachment. This could be a virus. We recommend you exercise caution when dealing with attachments. You may download/view the attachment at [give URL pointing to wherever you saved it]."

If it's a picture or a word document from a friend or colleague then they'll probably end up viewing it in their browser and if it's a binary, provided it came from a trusted source, they can download it (make sure to give them an option to delete it if they'll feel it isn't benign). If it's something they don't recognize and/or from someone they don't recognize, they're going to be a bit more cautious. The idea is that the extra step prevents people who open all attachments without thinking or, worse yet, run email clients which allow attachments to rape their computer without their knowing, from harming themselves.

If anyone complains, tell them this is the email version of "Are you sure you want to delete that file?" -- it's a pause that forces reflection that may end up saving them grief. They'll learn to live with the added step and eventually, they'll be glad it's there to protect them.
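As an added example (not code from gklinger's post): the strip-and-link flow described above, written against Python's standard email package. The download base URL, the quarantine directory and the notice wording are assumptions, and the sample message is constructed here. The stored file is named by a random token rather than by the sender-supplied filename, so a crafted name cannot place the file outside the quarantine directory, and the replacement is a plain text part so nothing runs when the message is opened.

```python
# Added example, not code from the Slashdot post: detach binary attachments,
# store each under a random token, and leave a text/plain notice with a URL.
# BASE_URL, the quarantine directory and the notice wording are assumptions.
import os
import secrets
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BASE_URL = "https://mail.example.invalid/attachments"  # assumed download location

NOTICE = (
    "This email came with an attachment: {name} ({ctype}, {size} bytes).\n"
    "This could be a virus. We recommend you exercise caution when dealing with attachments.\n"
    "You may download/view the attachment at:\n{url}\n"
)

# Constructed stand-in for a binary attachment (DOS/PE header magic only, not a program).
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 28


def build_sample_message() -> bytes:
    """Constructed sample: text body, one binary attachment, one text attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "report"
    m.set_content("Hi, the report is attached.\n")
    m.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                     subtype="octet-stream", filename="report.exe")
    m.add_attachment("just some notes", subtype="plain", filename="notes.txt")
    return m.as_bytes()


def detach_attachments(raw: bytes, quarantine_dir: str):
    """Rewrite the message: every non-text attachment is written to quarantine_dir
    under a random token and its MIME part becomes a text notice.
    Returns (rewritten EmailMessage, list of records describing the stored files)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    records = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        is_attachment = (part.get_content_disposition() == "attachment"
                         or part.get_filename() is not None)
        if not is_attachment or part.get_content_maintype() == "text":
            continue  # text attachments stay inline; the post targets binaries
        data = part.get_payload(decode=True) or b""
        token = secrets.token_urlsafe(16)
        # On-disk name is the token, never the sender-supplied filename, so a
        # crafted name cannot steer the write outside quarantine_dir.
        path = os.path.join(quarantine_dir, token)
        with open(path, "wb") as fh:
            fh.write(data)
        record = {
            "name": part.get_filename() or "unnamed",
            "ctype": part.get_content_type(),
            "size": len(data),
            "token": token,
            "path": path,
            "url": f"{BASE_URL}/{token}",
        }
        records.append(record)
        # set_content() drops the old payload and Content-* headers (filename included)
        part.set_content(NOTICE.format(**record))
    return msg, records


def run_demo() -> dict:
    """Process the constructed sample into a temporary quarantine and summarise."""
    qdir = tempfile.mkdtemp(prefix="attachment-quarantine-")
    rewritten, records = detach_attachments(build_sample_message(), qdir)
    remaining = [p.get_filename() for p in rewritten.walk() if p.get_filename()]
    with open(records[0]["path"], "rb") as fh:
        bytes_match = fh.read() == SAMPLE_PAYLOAD
    notice_texts = [p.get_content() for p in rewritten.walk()
                    if p.get_content_type() == "text/plain"]
    return {
        "stored": len(records),
        "remaining_filenames": remaining,
        "bytes_match": bytes_match,
        "notice_has_url": any(records[0]["url"] in t for t in notice_texts),
    }


if __name__ == "__main__":
    print(run_demo())
```

Serving the stored files still needs an access check tied to the recipient (the token is unguessable, not an identity), and the stored copy should itself be run through the scanner; this example covers only the rewriting step.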

Re:Here's an idea... (1)

passthecrackpipe (598773) | more than 10 years ago | (#8457166)

Don't want to sound like a flame, but have you *ever* worked with end users? They will have your hide before you even get halfway explaining this, let alone allow you to contemplate implementing this. If it is a word virus, they will view it in their browser, that simply fires up word, and thus lets you execute whatever 3l337 macro sh*t is going in there, and if it is a binary from a trusted source they will reflect and *then* think about launching or not? bets are it is "nakedchix.exe", sent to you by your bestest buddy, who's mailer got infected....

+1 Funny for your post dude....

Re:Here's an idea... (1)

torgosan (141603) | more than 10 years ago | (#8457238)

Depends on how well-trained you have your lusers and how well they have come to trust your judgement. If they think you're the know-it-all IT guy, well, then yeah, I could see that reaction.

Re:Here's an idea... (2, Insightful)

gklinger (571901) | more than 10 years ago | (#8457408)

Don't want to sound like a flame, but have you *ever* worked with end users?

I've admined corporate networks with between five hundred and a thousand clients and admined ISPs with five times as many so yeah, I've dealt with end users. It was my experience that you can either marvel at their stupidity and bang your head on your desk or marvel at their stupidity, try to help and educate them and then bang your head on your desk. I found the latter gave me the always heartwarming excuse, "I tried."

At any rate, I think that perhaps you've missed my point. You can't prevent all bad things from happening but by putting a block in place which causes people to pause and reflect, you _may_ aid them in helping themselves. This is why we have railings on stair cases, seatbelt warning lights in cars etc. I should also add that my suggestion does not in any way prevent an admin from also implementing some kind of server-side virus protection. The more protection, the merrier.

As for users just opening things in their browser which are configured to execute anything executable they come across, what's to stop the same script from changing .exe to .xex with a note telling users that in order to execute the program they will have to manually change it back?

Granted, you can't prevent a determinedly stupid person from being themselves but you can try to help those wavering on the edge. You also have to try to stay one step ahead of stupid because, contradictory to Darwin's teachings, stupid is evolving at a terrifying rate.

Re:Here's an idea... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8457748)

Really, I don't understand the point. You have your users jumping through hoops, but you've done nothing to actually rid yourself of viruses. The only thing you've 'educated' your users about is to follow silly BOFH instructions. All this when there's a gazillion easy to implement solutions which are both convenient and work.

This is the biggest problem with computer nerds. It's not just that they occasionally have a ridiculous idea -- it's that they will stubbornly defend that idea to the death, generally falling back on the olde "Users Are Stupid" saw. This tendency single-handedly explains most of the mal-designed systems out there.

Re:Here's an idea... (0)

Anonymous Coward | more than 10 years ago | (#8457474)

If it's a picture or a word document from a friend or colleague then they'll probably end up viewing it in their browser and if it's a binary, provided it came from a trusted source, they can download it (make sure to give them an option to delete it if they'll feel it isn't benign).

How does this make any difference? If they are gullible enough to run an attachment, then they are gullible enough to run the EXE they get when clicking on the link in the email. And, as recent viruses have shown, people are even gullible enough to open zip files and run the programs within them.

Re:Here's an idea... (1)

JRIsidore (524392) | more than 10 years ago | (#8457792)

Ok, this may sound a bit lazy, but should I be forced to launch my browser getting an attachment from a mail? The feature of adding attachments to mails mainly exists to *not* do this, IMHO.

But when you're already willing to take the step and teach the users something new, why not instead tell them to use a different, more secure, mail app (like Mozilla, Evolution etc.)? They still have to learn something new, but can stick to the lazy behaviour and save attachments as they are used to. I'm sure they'd swallow this sooner.

Re:Here's an idea... (1)

X (1235) | more than 10 years ago | (#8478378)

If anyone complains, tell them this is the email version of "Are you sure you want to delete that file?"

Great, the "Are you sure" thing has been proven to be very poor UI.

Works well with qmail-scanner (thumbs up) (2, Informative)

Penis_Envy (62993) | more than 10 years ago | (#8457245)

Using clamAV in combination with qmail (using qmail-scanner and the qmail-queue patch) on a debian box. It's caught a bunch of viruses (most recently all of these stupid doom variants), though I don't know how quickly the definitions are updated. I would imagine that is where the concern would be. I also wouldn't know if viruses made it through, as I run linux on my workstations/laptop. I only installed clamAV to help protect others using my mail server. I haven't heard any complaints so far, though.

Vexira Antivirus (2, Interesting)

PinkX (607183) | more than 10 years ago | (#8457262)

It has a very similar licencing scheme to what RAV used to offer (before they were bought out by The Evil Empire [microsoft.com] ). They license by domain, with a maximum of 3000 users.

It integrates easily with any MTA (works as a proxy), including my favorite qmail. Runs over Linux and various *BSD's. I've successfully installed it over Debian (even though only RPM packages are provided - they can be easily converted to .deb or whatever other package format your distro uses with the help of Alien). And you could always use it together with ClamAV, to double-check your mail messages for viruses.

They also offer an antivirus solution for Samba servers, which provides real-time scanning and blocking of files when opened/closed from the network. It comes with a fixed price for server with an unlimited number of users and shares to protect.

The recommendation may come from a little closer - my company is a Vexira Reseller. But all in all it's a good solution and IMHO it has the most convenient licencing scheme.

For more info visit: Vexira Website [centralcommand.com] .

Regards,

Not for OS X Server, though... (2, Interesting)

darken9999 (460645) | more than 10 years ago | (#8457356)


The biggest reason I have to use ClamAV is because almost no one else supports OS X. I didn't find any besides ClamAV that weren't an all-in-one mail server, which I'm not going to bother with.

If Vexira would have supported OS X when I was looking, I would have bought it.

something to check for in your AV scanner (3, Insightful)

Tumbleweed (3706) | more than 10 years ago | (#8457292)

Make sure your mail-server-based AV scanner can check inside attachments that are archives (zip, etc.), and not just individual documents. Many of the latest attachment-based viruses reside inside compressed archives. Also make sure it can tell the difference between an attached file's extension, and its real format, as sometimes they're sent out with deliberately-incorrect file extensions to get around the more stupid AV scanners.

Re:something to check for in your AV scanner (0)

Anonymous Coward | more than 10 years ago | (#8457409)

Many of the latest attachment-based viruses reside inside compressed archives.

I don't think any of the antivirus software can scan archives other than zip. Gzip and bzip2 tarballs, stuffit archives, MS CAB archives, and others are not processed correctly by most scanners, if I'm not mistaken?

Re:something to check for in your AV scanner (1)

Tumbleweed (3706) | more than 10 years ago | (#8457464)

I dunno. zip archives should _definitely_ be on the list of attachments to be able to scan inside of - especially .exe self-extracting type archives. I'd hope .cab ones, too.

Either way, something to check on.

Re:something to check for in your AV scanner (0)

Anonymous Coward | more than 10 years ago | (#8491698)

Disclaimer: I work for Symantec and do QA on one of their antivirus-based products.

I know for a fact that Symantec can detect viruses in almost any archive you can think of, with the exception being encrypted containers (if you can't read inside the damn thing, of course you aren't going to find the virus). Gzip, hqx, tarballs, even a couple of containers I've never actually used outside of work can be broken down by Symantec's AV products.

Now, just to be sure I'm not a total shill, I'd like to point out that I'm sure our main commercial competitors can detect viruses in most or all of these containers as well. If you want to know for sure whether your AV software can read these containers, then download the eicar [eicar.org] test virus, put it in the container you want to check out, and run it through your AV scanner of choice.

For those who are not in the AV field and might not be familiar with it, google on "eicar" to ensure that I'm not pointing you to a real virus instead of a benign dummy virus.

Posting anon only because in this economy I fear for my job and do not wish to give my employer any excuse to fire me.
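As an added example, not from the thread or from any vendor: a script that does what the poster suggests, packaging the EICAR test file (the public test string published by eicar.org) into several container formats and running clamscan over each one when it is installed. The container set, the temporary directory and the verdict labels are this example's own choices; clamscan's exit codes (0 clean, 1 something found) are ClamAV's documented convention and the only scanner-specific assumption.

```python
# Added example, not code from the thread: wrap the EICAR test file in several
# container formats and, when clamscan is on PATH, report which containers the
# scanner flags.  The EICAR string is the public test string from eicar.org,
# assembled from two halves so this source file is not itself flagged.
# clamscan exit codes 0 (clean) and 1 (found) are ClamAV's documented convention.
import gzip
import io
import os
import shutil
import subprocess
import tarfile
import tempfile
import zipfile

EICAR_PARTS = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$", "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test file."""
    return "".join(EICAR_PARTS).encode("ascii")


def build_containers(workdir: str) -> dict:
    """Write the test file plain and inside zip, zip-in-zip, gzip, tar.gz, and as a
    zip renamed to .jpg (the wrong-extension case).  Returns container name -> path."""
    data = eicar_bytes()
    paths = {}
    plain = os.path.join(workdir, "eicar.com")
    with open(plain, "wb") as fh:
        fh.write(data)
    paths["plain"] = plain

    zpath = os.path.join(workdir, "eicar.zip")
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", data)
    paths["zip"] = zpath

    nested = os.path.join(workdir, "nested.zip")  # exercises archive recursion depth
    with zipfile.ZipFile(nested, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(zpath, "inner/eicar.zip")
    paths["zip-in-zip"] = nested

    gzpath = os.path.join(workdir, "eicar.com.gz")
    with gzip.open(gzpath, "wb") as gz:
        gz.write(data)
    paths["gzip"] = gzpath

    tgz = os.path.join(workdir, "eicar.tar.gz")
    with tarfile.open(tgz, "w:gz") as tf:
        tf.add(plain, arcname="eicar.com")
    paths["tar.gz"] = tgz

    renamed = os.path.join(workdir, "holiday.jpg")  # same zip bytes, misleading extension
    shutil.copyfile(zpath, renamed)
    paths["zip-as-jpg"] = renamed
    return paths


def verify_containers(paths: dict) -> dict:
    """Confirm each container really yields the test file, so that a later 'clean'
    verdict means the scanner missed it rather than the sample being broken."""
    data = eicar_bytes()
    ok = {}
    with open(paths["plain"], "rb") as fh:
        ok["plain"] = fh.read() == data
    with zipfile.ZipFile(paths["zip"]) as zf:
        ok["zip"] = zf.read("eicar.com") == data
    with zipfile.ZipFile(paths["zip-in-zip"]) as outer:
        with zipfile.ZipFile(io.BytesIO(outer.read("inner/eicar.zip"))) as inner:
            ok["zip-in-zip"] = inner.read("eicar.com") == data
    with gzip.open(paths["gzip"], "rb") as gz:
        ok["gzip"] = gz.read() == data
    with tarfile.open(paths["tar.gz"], "r:gz") as tf:
        ok["tar.gz"] = tf.extractfile("eicar.com").read() == data
    with zipfile.ZipFile(paths["zip-as-jpg"]) as zf:
        ok["zip-as-jpg"] = zf.read("eicar.com") == data
    return ok


def scan_with_clamscan(paths: dict) -> dict:
    """Run clamscan on each container and map its exit code to a verdict."""
    exe = shutil.which("clamscan")
    if exe is None:
        return {name: "clamscan not installed" for name in paths}
    verdicts = {}
    for name, path in paths.items():
        proc = subprocess.run([exe, "--no-summary", path], capture_output=True, text=True)
        verdicts[name] = {0: "clean", 1: "detected"}.get(proc.returncode, "error")
    return verdicts


def run_demo() -> dict:
    workdir = tempfile.mkdtemp(prefix="eicar-containers-")
    paths = build_containers(workdir)
    return {"recoverable": verify_containers(paths), "verdicts": scan_with_clamscan(paths)}


if __name__ == "__main__":
    for name, verdict in run_demo()["verdicts"].items():
        print(f"{name:12s} {verdict}")
```

A "clean" verdict on a container that the verify step reported as recoverable means the scanner did not look inside that format. The zip-as-jpg case checks the wrong-extension point made earlier in the thread, and the nested zip checks how deep the scanner recurses.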

Works great here (1)

phoenix_rizzen (256998) | more than 10 years ago | (#8457683)

Been testing ClamAV + Amavisd-new + SpamAssassin + Postfix + Courier-IMAP here.

In the past 4 weeks, it's managed to block:
244 virus messages
416 spam messages
correctly tagged 450 messages as possible spam (kill setting is low right now while I test the system).

And that's just on my 3 e-mail accounts. I haven't put this into testing inside the department yet. :)

My experience with ClamAV/Qmail-scanner (4, Interesting)

j-turkey (187775) | more than 10 years ago | (#8457825)

I've had reasonably good luck with ClamAV. I've found that effectiveness tends to depend on configuration (which I'll get back to).

Some people say that the ironclad test of an A/V app is the number of virus definitions listed. In ClamAV's case (per FreshClam's log output), there are 20372 signatures in the DB. IMO, the number of definitions doesn't really mean much. In my experience, the most important stuff to protect against are the recent outbreaks -- where mail servers are inundated with worm-laden email. In this case, it's really a matter of how soon the definitions are updated. Generally, I tend to see definitions updated within 12-48 hours of a reported outbreak. Combine this with your update frequency to figure out your exposure period.

There will be an exposure period regardless of which A/V software you run. Some will have greater average periods than others. Don't rely on marketing information to figure this out. It's a bunch of crap. Real world experience is what counts here -- if you've got lots of experience with these, great. If not, try to find someone who knows their stuff who can give you a good idea for what's what with different apps. I haven't used a ton of these, so I can't give you any ironclad data.

Your configuration will tend to be your greatest asset/worst enemy in terms of finding the best A/V setup for your particular needs. For example -- I automatically block certain types of attachments via qmail-scanner. There's no reason for them -- and they're not worth the risk. I block any attachment with the following extensions (I'm sure that this is not perfect, but whatever): .vbs, lnk, scr, wsh, hta, pif, exe, bat, com, sct, chm, cmd, crt, hlp, hta, isp, pcd, reg, shs, and js. These attachments are all allowed inside of an archive (which ClamAV scan), but I'm willing to roll the dice on exposure to those, since screwing up and opening the attachment is no longer as simple as a single mouseclick.

Finally, I also run client-side A/V. These just aren't as reliable as server-side protection -- users always find wonky things to do with/to their computers...but I like to think of this is a last line of defense. Furthermore, users also tend to check their personal email from work. If you have the hardware to handle it, it might be worth your while to have your users forward their personal email through your service to cover your butt (or enact a policy forbidding users from checking personal email at work)...just be careful about discoverability of their personal email if it comes through your work email (IANAL).

Overall, I'm satisfied with ClamAV/Qmail-Scanner. I'm running it on a system designed for 1000 users (in its current hardware/software configuration) -- scalable to up to about 3000 users. Currently, we're running with around 150 users...in about 2 months, we'll have our new HR/payroll system up which will allow us to add accounts for the rest of our 750 employees (long story). We'll see how good it is once I have a larger userbase to work with. However, my favorite part about ClamAV (and this is the real selling point) is the lack of per-seat fees associated with most commercial AV products. This is the same reason we chose not to use Exchange...those fees are hefty!
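As an added example covering both this post's extension blocklist and the earlier advice from Tumbleweed's post (look inside archives, and don't trust the extension over the real format), not code from either poster: a Python check run over a constructed message. BLOCKED_EXTENSIONS is the list from the post above; the magic-byte table, the action names and the sample attachments are this example's own assumptions.

```python
# Added example, not code from the thread: attachment policy check combining an
# extension blocklist (the list from the post above), magic-byte sniffing so a
# renamed executable is still caught, and a look inside zip attachments.
# The MAGIC table, action names and sample message are constructed here.
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXTENSIONS = {
    "vbs", "lnk", "scr", "wsh", "hta", "pif", "exe", "bat", "com", "sct",
    "chm", "cmd", "crt", "hlp", "isp", "pcd", "reg", "shs", "js",
}
MAGIC = {b"MZ": "pe-executable", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}  # small constructed table
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 28  # constructed: DOS-header magic only, not a program


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def sniff_kind(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_zip(data: bytes, max_members: int = 200) -> dict:
    """List members and sniff at most 4 bytes of each; nothing is extracted in full,
    so a huge or deeply nested archive cannot exhaust the checker."""
    result = {"members": 0, "blocked_members": [], "executable_members": [], "encrypted": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a valid zip"
        return result
    with zf:
        for info in zf.infolist()[:max_members]:
            if info.is_dir():
                continue
            result["members"] += 1
            if info.flag_bits & 0x1:  # encrypted entry: contents cannot be examined
                result["encrypted"] = True
                continue
            if extension_of(info.filename) in BLOCKED_EXTENSIONS:
                result["blocked_members"].append(info.filename)
            with zf.open(info) as member:
                if sniff_kind(member.read(4)) == "pe-executable":
                    result["executable_members"].append(info.filename)
    return result


def inspect_message(raw: bytes) -> list:
    """One finding per attachment: action block / allow-flagged / allow, with reasons."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() is None and part.get_content_disposition() != "attachment":
            continue  # the message body itself
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext, kind = extension_of(name), sniff_kind(data)
        f = {"name": name, "ext": ext, "kind": kind, "action": "allow", "reasons": []}
        if ext in BLOCKED_EXTENSIONS:
            f["action"] = "block"
            f["reasons"].append(f"extension .{ext} is on the blocklist")
        if kind == "pe-executable":  # content wins over whatever the name claims
            f["action"] = "block"
            f["reasons"].append(f"content is a PE executable although the name says .{ext or '(none)'}")
        if kind == "zip" or ext == "zip":
            f["archive"] = inspect_zip(data)
            a = f["archive"]
            if a["blocked_members"] or a["executable_members"] or a["encrypted"]:
                f["action"] = "allow-flagged" if f["action"] == "allow" else f["action"]
                f["reasons"].append("archive holds executables or encrypted entries; scanner must look inside")
        findings.append(f)
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: text note, double-extension executable, executable
    disguised as a JPEG, and a zip holding an executable."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("setup.exe", SAMPLE_PE)
        zf.writestr("readme.txt", "hello")
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.invalid", "b@example.invalid", "files"
    m.set_content("see attached\n")
    m.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    m.add_attachment(SAMPLE_PE, maintype="application", subtype="octet-stream", filename="salary.pdf.exe")
    m.add_attachment(SAMPLE_PE, maintype="image", subtype="jpeg", filename="holiday.jpg")
    m.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip", filename="archive.zip")
    return m.as_bytes()


def run_demo() -> dict:
    return {f["name"]: f["action"] for f in inspect_message(build_sample_message())}


if __name__ == "__main__":
    for f in inspect_message(build_sample_message()):
        print(f["name"], f["action"], "; ".join(f["reasons"]))
```

Archive members are only listed and sniffed, never extracted, and encrypted entries are reported as such because, as the Symantec poster notes above, nothing can be scanned inside them. Whether a flagged archive is then blocked or passed on to the scanner is the site's decision; the post above chose to accept that exposure.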

Re:My experience with ClamAV/Qmail-scanner (1)

TykeClone (668449) | more than 10 years ago | (#8458311)

IMO, the number of definitions doesn't really mean much. In my experience, the most important stuff to protect against are the recent outbreaks -- where mail servers are inundated with worm-laden email. In this case, it's really a matter of how soon the definitions are updated. Generally, I tend to see definitions updated within 12-48 hours of a reported outbreak. Combine this with your update frequency to figure out your exposure period.

But just because a virus isn't new doesn't mean that it's not still spreading.

Re:My experience with ClamAV/Qmail-scanner (1)

j-turkey (187775) | more than 10 years ago | (#8462612)

But just because a virus isn't new doesn't mean that it's not still spreading.

Correct...but if you read my post again, you'll notice that I said that "the most important stuff to protect against are the recent outbreaks". I never said anything about completely overlooking old viruses. If you analyze a logfile from a mail server's quarantine logs, you'll find that the vast majority (~99.5%) of the worms/viruses that are picked off are from the latest outbreak. Furthermore, "latest outbreak" doesn't necessarily suggest a new virus/worm -- it's just a new outbreak.

Based on what I've written above, when it comes to protecting my users, where should my main priorities be...the .5%, or the 99.5%? I tend to worry about the common stuff first, then the way-out-of-the-ordinary stuff.

Re:My experience with ClamAV/Qmail-scanner (1)

TykeClone (668449) | more than 10 years ago | (#8463865)

I don't disagree there - but you pick up signatures for older viruses "for free" when you keep everything up to date.

Clam is *better* at times . . . (2, Insightful)

millisa (151093) | more than 10 years ago | (#8458012)

We use multiple front end postfix systems with the amavis-spamassassin-clam combo to hand off to a backend Imail server (which could be any backend mail server really), servicing several thousand domains and tens of thousands of end users in those domains. With the auto-updating features setup to check in hourly, we usually have the definitions for the latest worm on the system before it really starts hitting critical mass. When the Mydoom worm (worm.sco.x) came out, the definitions on our servers were updated on the 25th of January, the worm seemed to really start pounding things on the 26th and 27th. Monday morning, it had blocked 10k+ of the little bandit before any had gotten through and I got to read about the unhappy griping of the Norton AV users who hadn't gotten updated in time. It was a case where if we'd used anything but clam, we'd probably have had to deal with plenty of whiny end users (and who wants that?). Now, I'm still not 100% sold on clam, I'll sing its praises, but I'm not going to just use it just yet (so it takes me 6-12 months to trust something, call me paranoid). On the actual back end mail server, I'm still using declude to tie into f-prot's scanner. However, since setting up clam, I don't think there's been a single virus that's made it through (going on 5 months now) for it to catch. As Martha would say, "It's a good thing".

With the recent bagle and somefool worms, I was seeing lots of catches by amavis-clam, but it didn't handle the encrypted zips correctly (though word on the mailing lists is that there are mods/updates that can be made to start handling them right. I'm just gonna dump all zips for now, those pesky users don't deserve 'em anyways). To answer the original question though? Is Clam ready for primetime? I think so, but erring on the side of caution and having another layer of virus checks in there can't hurt . . . either way, you'll need to keep tabs on it for the next 'catch you by surprise' variant that even the commercial products aren't responding to in time; the more users you are supporting, the higher the probability that you are going to be the one dealing with an account that was one of the first to receive the newest worm . . .

Password-encrypted Zips (3, Interesting)

caseih (160668) | more than 10 years ago | (#8458021)

No server based AV solution I know of will stop the latest wave of random password zip viruses. That is because the AV program cannot scan inside the zip file. I've posted a patch to the clamav-users mailing list that marks all password-encrypted zip files as suspect and thus can be quarantined for manual extraction and scanning if desired.

Right now I'm quarantining (with mimedefang and the patched clamav) all encrypted zip files. So far it's 100% hit rate, with no false positives. Unfortunately, ClamAV developers haven't said how they plan to deal with these password zip files.

Overall, once I patched clamav, I was more than pleased. Over the last 2 months Clamav working through mimedefang has saved us from almost all the viruses coming into our server. Updates are daily or more and I have a cron auto-updating them on the hour.

The beauty of having an open source AV was made clear to me today as I modified ClamAV to detect the encrypted zip files. Even though this is more of a stop-gap measure, with any other closed-source program I would have been completely at the vendor/developer's mercy.

That said, using clamav in conjunction with other AV programs in a stack fashion would give you even more coverage if you were worried.

Re:Password-encrypted Zips (1)

CSIP (31272) | more than 10 years ago | (#8459123)

No server based AV solution I know of will stop the latest wave of random password zip viruses. That is because the AV program cannot scan inside the zip file. I've posted a patch to the clamav-users mailing list that marks all password-encrypted zip files as suspect and thus can be quarantined for manual extraction and scanning if desired.

I just unintentionally discovered a way to block these.

On our existing server, I have a commercial scanner, which I'm using with qmail-scanner. I set up qmail-scanner's perlscanner to block zip files.

If a "normal" zip file comes through, it is unzipped & the individual files scanned. (It is not detected as a .zip.)

If an encrypted zip comes across, unzipping it fails, it is detected by qmail-scanner as a zip and blocked.

Re:Password-encrypted Zips (1)

caseih (160668) | more than 10 years ago | (#8459637)

The ClamAV developers just posted to the clamav-users list and said that the ability to optionally identify (and thus block or quarantine) encrypted zip files has officially been added to the ClamAV source, so very soon you should be able to turn on such blocking in the clam.conf file. Not sure when they will release a new snapshot with this in it. The current anonymous CVS has not quite yet got the patch.

Tomasz Kojm, ClamAV developer, says about it:
You have to enable this feature manually with ArchiveDetectEncrypted in clamav.conf and --detect-encrypted in clamscan. Please be careful and WARN YOUR USERS before enabling it.

Re:Password-encrypted Zips (1)

JLester (9518) | more than 10 years ago | (#8459642)

Vexira from Central Command scans inside zips. We've been happy with it. We did get hit by Netsky.C and Netsky.D before the definitions were released, but those are the first two that got through in a couple of years. We have approximately 7000 e-mail accounts running through it.

Jason

Re:Password-encrypted Zips (1)

0x0d0a (568518) | more than 10 years ago | (#8459782)

I've posted a patch to the clamav-users mailing list that marks all password-encrypted zip files as suspect and thus can be quarantined for manual extraction and scanning if desired.

Augh. Please don't do this. A lot of folks *use* password-encrypted zip files as the only way to securely exchange information in a world where not everyone uses PGP.

Re:Password-encrypted Zips (1)

bobv-pillars-net (97943) | more than 10 years ago | (#8460627)

A lot of folks *use* password-encrypted zip files as the only way to securely exchange information...

And a lot of people use Microsoft Outlook for the same reason ... and with the same results.

Re:Password-encrypted Zips (0)

caseih (160668) | more than 10 years ago | (#8460750)

There are much better and more secure ways to send data around. Consider using pgp or some other encryption package. I admit that these measures can cause a lot of inconvenience for users. This is the fault of the spam and virus gangs. They have ruined it for everyone. It is time to replace smtp, no doubt about it.

Re:Password-encrypted Zips (1)

ncr53c8xx (262643) | more than 10 years ago | (#8466287)

A lot of folks *use* password-encrypted zip files as the only way to securely exchange information in a world where not everyone uses PGP.

And how do you send the passwords for the zip files? Do they meet earlier and agree on the password (poor man's PKI)? If the password is in the mail itself, how is it more secure?

Re:Password-encrypted Zips (2, Interesting)

ncr53c8xx (262643) | more than 10 years ago | (#8466362)

No server based AV solution I know of will stop the latest wave of random password zip viruses. That is because the AV program cannot scan inside the zip file.

The password is in the text of the email. How difficult would it be to try all the different words in the mail as passwords? The mails have less than 50 words, so it should run pretty fast.

Re:Password-encrypted Zips (1)

IndependentVik (582582) | more than 10 years ago | (#8491797)

The password isn't necessarily in the text of the email. In fact, if the password _was_ in the text of the email then there really wasn't much of a point in using a password-protected archive at all. One could just as easily mail somebody the attachment, call them up on the phone, and say, "Hey, Bob, the password is 'password' on that zip I'm sending your way."

Also, I work for one of the AV companies and I foresee that if we were to implement something like this, then eventually some obnoxious black hat would have an encrypted zip file attached to an email with 100 MB (or some ridiculous amount) of mail text. A deluge of these and, guess what, instant DOS attack!

Yes, we could automatically stop trying to open the zip after a certain amount of tries. That's just one more test case I'd have to go through, though ;)
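As an added example (not caseih's patch, not ClamAV's code, and not from anyone in this thread), the Python below shows both ideas from this sub-thread side by side: treating any archive whose entries carry the ZIP encryption bit as suspect for quarantine, and ncr53c8xx's bounded attempt of trying the words of the mail body as the password, with a cap on attempts so an oversized body cannot turn the scan into the denial of service IndependentVik describes. The standard library cannot write encrypted ZIPs, so the sample builds one with a small traditional PKWARE ZipCrypto routine; the signature string, file names and mail text are constructed.

```python
import io
import re
import struct
import zipfile
import zlib

# Constructed stand-in for a real signature; a real scanner would consult its database.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def _zipcrypto_encrypt(password, plaintext, check_byte):
    """Traditional PKWARE ZipCrypto: encrypt a 12-byte header (last byte = check byte) + data."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def crc_step(k, b):  # one raw CRC-32 table step; zlib's pre/post inversion is undone
        return zlib.crc32(bytes([b]), k ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(c):
        nonlocal k0, k1, k2
        k0 = crc_step(k0, c)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = crc_step(k2, k1 >> 24)

    for c in password:
        update(c)
    out = bytearray()
    for c in bytes(11) + bytes([check_byte]) + plaintext:
        t = k2 | 2
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))  # keystream byte, then feed plaintext back
        update(c)
    return bytes(out)


def build_zip(name, data, password=None):
    """Single-member stored ZIP; with a password it is ZipCrypto-encrypted (flag bit 0 set)."""
    if password is None:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name.decode(), data)
        return buf.getvalue()
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = _zipcrypto_encrypt(password, data, crc >> 24)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(body), len(data), len(name), 0, 0, 0, 0, 0, 0) + name
    end = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + end


def scan_zip_attachment(zip_bytes, mail_text, max_tries=50):
    """Return 'clean', 'FOUND', or 'encrypted-suspect' (the quarantine verdict of caseih's patch)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = zf.infolist()
        if not any(m.flag_bits & 0x1 for m in members):  # general-purpose bit 0 = encrypted
            return "FOUND" if any(SIGNATURE in zf.read(m) for m in members) else "clean"
        # Candidate passwords: distinct words of the mail body, in order. The cap is what keeps
        # a deliberately huge body from turning this into a denial of service on the scanner.
        for pwd in list(dict.fromkeys(re.findall(r"\w+", mail_text)))[:max_tries]:
            try:
                contents = [zf.read(m, pwd=pwd.encode()) for m in members]
            except (RuntimeError, zipfile.BadZipFile):  # wrong password, or CRC mismatch
                continue
            return "FOUND" if any(SIGNATURE in c for c in contents) else "clean"
    return "encrypted-suspect"


if __name__ == "__main__":
    # Constructed sample: a worm-style mail whose body discloses the archive password.
    mail = "Your document is attached. For security the archive password is 48213."
    zipped = build_zip(b"document.exe", b"payload " + SIGNATURE, password=b"48213")
    print(scan_zip_attachment(zipped, mail))            # FOUND
    print(scan_zip_attachment(zipped, "no hint here"))  # encrypted-suspect
```

An archive whose password is not in the body (or not within the first max_tries words) lands in the quarantine bucket rather than being passed through, which is exactly the trade-off 0x0d0a objects to above.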

Re:Password-encrypted Zips (1)

bedessen (411686) | more than 10 years ago | (#8493178)

If it's impossible, then why don't you explain why I have dozens of lines like this in my mail log:

Wed Mar 3 02:00:59 2004 -> /var/spool/exim4/scan/1AyLgx-0005aY-3v/1AyLgx-0005aY-3v.eml: Worm.Bagle.F-zippwd FOUND

Thank you, clamav!

Mostly works. (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8458028)

I use 0.65 with a patch with success. There are times when a malformed email will crash the daemon and then viruses can get through when the milters start timing out. One must be diligent to catch those situations. It can't be easily debugged because the offending email is long gone by the time the problem is noticed. Attempts to beg the developers for a less catastrophic failure mode (or at least a failure mode that leaves enough bits lying around to reproduce the crash for later debugging) have not resulted in anything useful, yet.

Re:Mostly works. (2, Informative)

Yottabyte84 (217942) | more than 10 years ago | (#8461136)

I run clamd under daemontools. Crashes take it down for a few seconds at most. Check out this guide [clamav.net]

From a user's POV (2, Interesting)

Mr. Piddle (567882) | more than 10 years ago | (#8458350)

Please don't use a scanner that "quarantines" e-mails that require admin intervention to get back. One of my prior employers created such a beast for their e-mail system, and it would even quarantine e-mails I send to co-workers. The admins of course have slow turn-around times. It ended up easier to use the telephone or FTP, defeating the original convenience and usefulness of e-mail. Even further, it would quarantine totally legitimate stuff from mailing lists. Really crappy stuff.

IMO, it is better to have suspicious e-mail diverted to a "Dangerous, Be Careful" folder with a big Skull-and-Bones air about it, so I can ignore the virus scanner altogether to get at important e-mails.

Also, don't use Windows. Of course, you already knew that, right?

Only just started to need them (1)

jamesh (87723) | more than 10 years ago | (#8458367)

90% of sites I know of spend a fortune on email virus scanning, and then block any attachment that might contain a virus. The product in question doesn't bother scanning any blocked attachment and ends up never detecting a virus.

That was until they started putting them in zip files, which are allowed through.

F-Prot (1)

Twisted Mind (155678) | more than 10 years ago | (#8458372)

For what it's worth (the article is quite 'old' already), F-Prot seems to work very well. In combination it's a very low-cost mail virus-scanning solution.

You can use the personal version for free even on Linux (for personal use of course). With the new amavis (at least on Debian) you hardly have to configure anything, f-prot even has a Debian package available.

The commercial workstation version works well too, but it can be slow when you have a lot of mails (probably around 10-100 per minute, haven't checked it), because the process is started each time for every mail.
The server version works in daemon mode, and does not have any per-client costs.

ClamAV with CommuniGate Pro (1)

Kalzus (86795) | more than 10 years ago | (#8458563)

We attached ClamAV on several CommuniGate Pro mail servers using CGPAV to glue the two together. Apart from the current wave of password-protected-ZIP files, it seems to have been quite effective. Updates seem to be ready at least daily as far as I can see. Disclaimer: it has only been in place some 3-4 weeks now.

Bad sides? Spartan documentation. Nothing a competent admin can't work out.

Take this as subjective experience; ClamAV has no way to tell me it allowed a virus through. And circumstances make it infeasible for me to put a commercial scanner behind it to let me know what it missed.

Use a hardware-based solution (2, Interesting)

5.11Climber (578513) | more than 10 years ago | (#8458650)

We use a Fortinet FG-60 [fortinet.com] to scan for viruses at the network layer. This has the advantage of also scanning HTTP, VPN, POP3, IMAP, SMTP and FTP traffic and strips the viruses from those streams before it hits your network!

These devices provide VPN support as well as full firewall features. The Fortinet devices start at $500 USD and go all the way up to data center class devices costing >$40,000 USD. Very easy configuration. Worth the cost.

Good results (1)

Peartree (199737) | more than 10 years ago | (#8458841)

I've experienced good results using ClamAV. My setup is as follows:

Sendmail 8.12 -> MS Exchange 2000 -> Outlook clients

My outfit was already married to Microsoft, and the Exchange server was buckling due to being inundated with spam. I'm also running Symantec AVF [symantec.com] on my Exchange server (Dell PE6650, Quad 1.4Ghz Xeon, 3Gb ram).

I originally installed Linux on a Dell Dimension desktop (450Mhz PIII, 768Mb ram) using Sendmail + Spamassassin + spamass-milter + RAV [ravantivirus.com] . Spamass-milter isn't very stable, and I had a request to append a legal disclaimer to all outbound email (I work at a law firm). I swapped spamass-milter in favor of MIMEDefang to interface Spamassassin with Sendmail while also appending those legal disclaimers. Microsoft had bought RAV by this point, so I dumped RAV for ClamAV. The Linux box has also moved to a retired Dell PE6450 (Dual 700Mhz Xeon, 3Gb ram).

So now MIMEDefang is performing several functions, plus I only have one milter running instead of three.

ClamAV catches 90% of my incoming viruses and Symantec AVF catches the rest.

ClamAV concerns (2, Interesting)

menscher (597856) | more than 10 years ago | (#8459518)

I've been considering implementing ClamAV on our mailserver (sendmail for 800+ users), since procmail filtering is proving to be less than effective with the latest wave of viruses. But I have two concerns to resolve first:
  • How do virus definitions get into the database? Yes, they depend on community support. But what stops someone from submitting a fake virus signature that will block legitimate email?
  • There's the disturbing use of strcpy and strcat in the ClamAV source code. I don't like running software that uses such constructs as root.
Any information on these two issues would be greatly appreciated.

Re:ClamAV concerns (0)

Anonymous Coward | more than 10 years ago | (#8471393)

The virus definitions are checked by actual people before they are put in the DB. I sent in a virus def and I got an email saying it was rejected (it was one of those nasty password encrypted zip viruses (which makes sense I guess))

Re:ClamAV concerns (1)

dodobh (65811) | more than 10 years ago | (#8475434)

1> Peer review and testing.
2> Clamav need not run as root.

Just Implemented clamav (0)

Recovering Anonymous (754441) | more than 10 years ago | (#8459814)

I've just implemented clamav+mimedefang+spamassassin so I'll have to wait a while and see how effective it is. One good place to start though is http://www.declude.com/tools/mailsend.html It allows you to test your set up by mailing you the eicar virus which is harmless. Good luck.

postfix + amavis-new + more (1)

draziw (7737) | more than 10 years ago | (#8460209)

Postfix, with RBL check, header_checks, + body checks for known spam content (even works on _known_ encrypted zips), then it hands what passes on to amavis-new, which runs _BOTH_ clamav (the clamd version, so scans are FAST), then f-prot non D version (takes longer, but is less $ vs the D version), then it gets handed to spamassassin. My clamav updates every hour via cron, the f-prot updates 2 times per day. My header_checks block lame stuff like pif, scr, etc extensions.

Example header check: /^Content-(Type|Disposition):.*(file)?name=.*\.(a(sd|bd)|b(at|inhex|mp)|c(hm|md|om)|d(bx|ll)|exe|hlp|hta|js|jse|lnk|mp3|ocx|pif|s(cr|hb|hm|hs)|tbb|v(b|be|bs|bx|xd)|w(ab|av|s(f|h)))/ REJECT Sorry we do not accept .${3} file types
#and you might want _reject_ just in case: /^Content-(Type|Disposition):.*(file)?name=.(do(c|cument)|readme|te(s(t|tdocument)|xt)|file|data|message|body)\.(zip)/ discard Mydoom and other virus filename

I've had zero viruses get in.

Ryan
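To show what Ryan's two header_checks rules actually do to attachment headers (and the same extension blocking j-turkey describes for qmail-scanner earlier in the thread), here is an added example in Python, not Ryan's configuration or Postfix code: it applies the rules the way Postfix does, first match wins and ${3} expands to the captured extension, on logical headers with continuation lines unfolded. The regexes are copied from the post with the line-wrap spaces removed; Postfix regexp tables match case-insensitively by default, hence re.IGNORECASE; the unfolding and the sample headers are constructed simplifications.

```python
import re

# Ryan's two rules: (pattern, action, action text). Postfix evaluates them top to bottom
# and stops at the first match; $N / ${N} in the text refer to capture groups.
HEADER_CHECKS = [
    (r"^Content-(Type|Disposition):.*(file)?name=.*\.(a(sd|bd)|b(at|inhex|mp)|c(hm|md|om)"
     r"|d(bx|ll)|exe|hlp|hta|js|jse|lnk|mp3|ocx|pif|s(cr|hb|hm|hs)|tbb|v(b|be|bs|bx|xd)"
     r"|w(ab|av|s(f|h)))",
     "REJECT", "Sorry we do not accept .${3} file types"),
    (r"^Content-(Type|Disposition):.*(file)?name=.(do(c|cument)|readme|te(s(t|tdocument)|xt)"
     r"|file|data|message|body)\.(zip)",
     "discard", "Mydoom and other virus filename"),
]


def header_check(logical_header):
    """Apply the rules to one logical header; return (action, expanded text) or None."""
    for pattern, action, text in HEADER_CHECKS:
        m = re.search(pattern, logical_header, re.IGNORECASE)
        if m:
            expanded = re.sub(r"\$\{?(\d+)\}?", lambda g: m.group(int(g.group(1))) or "", text)
            return action, expanded
    return None


def check_headers(raw_headers):
    """Unfold RFC 5322 continuation lines (simplified) and report every header that matches."""
    logical = re.sub(r"\r?\n[ \t]+", " ", raw_headers)
    hits = []
    for line in logical.splitlines():
        verdict = header_check(line)
        if verdict:
            hits.append((line.split(":", 1)[0], verdict[0], verdict[1]))
    return hits


# Constructed sample: the filename parameter sits on a continuation line, so only the
# unfolded logical header triggers the rule.
SAMPLE_HEADERS = (
    "From: alice@example.com\r\n"
    "Content-Type: application/octet-stream;\r\n"
    '\tname="statement.scr"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
)

if __name__ == "__main__":
    for header in ('Content-Disposition: attachment; filename="photo.jpg.scr"',
                   'Content-Type: application/octet-stream; name="document.zip"',
                   'Content-Type: application/zip; name="q3_report.zip"'):
        print(header, "->", header_check(header))
    print(check_headers(SAMPLE_HEADERS))
```

Note that the second rule only discards archives with the Mydoom-style names listed in it, so a zip called q3_report.zip still passes; the double extension photo.jpg.scr is rejected because the greedy `.*\.` backtracks to the last dot.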

SuSE OpenExchange + AntiVir (2, Interesting)

arcade (16638) | more than 10 years ago | (#8460887)

I'm not sure if this is a good solution for 500+ users, but at the company I work for, we use SuSE OpenExchange in combination with Antivir (www.antivir.de) . We've only got about 25-30 users, though.

SuSE OpenExchange's default spamassassin rules are really, really good. I had to make a minor adjustment to one of the rules - and after that it has had zero false positives in addition to taking care of over 99% of the spam we receive. The last month it has blocked about 1500 spam messages to me alone - and not let a single one through. With *zero* false positives. Other employees have the same experience.

I'm not sure if I would recommend using qmail anymore. I tended to love qmail, and have set up qmail based solutions for five different companies. qmail doesn't reject mail to invalid addresses in-smtp-session though (at least not by default), and instead returns the message afterwards. With all the spoofed mail from:'s, with guessed mail to:'s -- this creates far too many bounce messages in today's virus-laden environment.

Using both Clam and Sophos.. (2, Informative)

martin (1336) | more than 10 years ago | (#8461577)

on my mailgateway, as they both can miss the odd one.

I tend to find Clam updates faster, but Sophos's updates need less corrections..

I glue them together with MailScanner (www.mailscanner.info) which also allows me to pop in SpamAssassin to the mix.

On the desktop I use Norton's AV solution so give me a third layer of defence..

Belt and braces.....

Must reinstall sophos every 3 months (1)

Sits (117492) | more than 10 years ago | (#8596906)

The one big problem I've found with sophos is that the scanning engine itself will only work for 3 months before it has to be updated. This alone is incredibly frustrating.

Re:Must reinstall sophos every 3 months (1)

martin (1336) | more than 10 years ago | (#8596932)

Depends on how you update.

I've got a script that goes off and gets the latest engine once a month.

ClamAV have the same issues - just not driven by timescale, but by features/bug fixes.

For me this is a good idea as it forces the end user to spend a little time administrating the system IF you haven't got their Enterprise Manager tool that will do it for you...

Puremessage/perlmx (1)

smoon (16873) | more than 10 years ago | (#8461697)

I've been using ActiveState's "PerlMX" through a few name and company revisions -- ActiveState "PureMessage", now Sophos PureMessage.

Anyway, it does anti-spam and anti-virus and general policy type stuff. It has been extremely reliable and has been really excellent -- great spam filtering and now with the sophos AV very up-to-date virus signatures.

Licensed per CPU. We run about 1000 users behind a 1-cpu box and it could easily go to many more users.

Good luck-

ClamAV (1)

SuiteSisterMary (123932) | more than 10 years ago | (#8463568)

I've been using clamav for quite a few months now; it's pretty good.

Viruses are picked up quickly enough for me, and if they're not picked up quickly enough for you, they include tools to create your own virus signatures.

Response time for AV vendors (1)

bigmoosie (574165) | more than 10 years ago | (#8463926)

After viewing this thread I noticed that Clam AV came up quite a bit. So I went to their website [clamav.net] and went to the news section [sourceforge.net] . From there I saw a link for PC World's response times [google.com] articles. Here is the original [pcwelt.de] article in German. Clam AV is #5, but the AV program I use frequently is BitDefender [bitdefender.com] , which is ranked #2. I use BitDefender because they have a LiveCD [bitdefender.com] that is a remastered version of Knoppix [knoppix.de] which is a Live CD based off of Debian Linux [debian.org] . BitDefender's scan engine can also scan Microsoft Windows partitions (to include FULL RW support for NTFS). The only thing missing from my recovery pack is a spyware scanner that runs under linux and will remove windows based spyware. ~ryan