From: Rick Moen <rick at linuxmafia.com>
To: conspire@linuxmafia.com
Date: Wed Sep 10 19:00:11 PDT 2003
Subject: [conspire] linux antivirus?
Quoting Tom Macke (macke at scripps.edu):

> Our head IT guy just asked me if I knew of any linux "antivirus"
> package that we could get. I think I saw that there was recently a
> linux virus, but just figured that the solution was to keep the patches
> current. Any suggestions?
Hmm, this is a topic that tends to devolve into a lot of subtopics, many
of them in response to "Yes, but..." questions from people to whom the
answer is alien to the point of incredulity.

The concept of "Linux antivirus package" can mean one of several very
different things.
1. Quarantining and scrubbing of MS-Windows (and possibly other
foreign-OS) files temporarily resident on Linux, e.g., because your
Linux box is a Samba server (Windows file/print) or an SMTP/POP3/IMAP
server holding mail that is then handed to Windows MUAs (mail clients).

2. Quarantining and scrubbing of other files on Linux to protect
against Linux malware.

3. Or it can mean that the IT guy in question really hasn't the
faintest idea what he means, but just has a spinal reflex to put
"antivirus" software on any machine whatsoever.
I'm going to address case #1 in this e-mail. I'll probably get to case
#2 later, because that's where discussion tends to become endless and
branch out in lots and lots of directions. Why? Because the short form
of the answer is "There'd be no point. Linux malware may be easy to
create but it's in practice impossible to propagate, because of
cautionary mechanisms that are enforced by Linux architecture and
culture. Any attempt at an 'antiviral' package would be a huge system
threat in itself, and would tend to give wielders of root-user access a
false sense of security, since that privilege is already a much bigger
threat to the system than malware (viruses, etc.) is."
Anyhow, as to virus-checkers that run on Linux to find and remove
other-OS viruses. Here are some links I found by googling:
Clam AntiVirus (ClamAV) and OpenAntiVirus:
http://clamav.elektrapro.com/
http://www.openantivirus.org/
http://packages.debian.org/unstable/utils/clamav.html
Open source. Relies on community participation to keep its database of
virus signatures up to date.
Mailscanner:
http://www.sng.ecs.soton.ac.uk/mailscanner/
http://packages.debian.org/unstable/mail/mailscanner.html
McAfee VirusScan
(Apparently, a number of Linux MTAs can be used with the McAfee VirusScan
virus-definition files. No link, exactly, but you can google for
"mcafee antivirus linux" to find relevant materials.)
AMaViS Virus Scanner / AMaViS-ng / amavisd-new
http://www.amavis.org/
Bit Defender
http://www.bitdefender.com/bd/site/solutions.php?menu_id=8&s_id=4
http://www.bitdefender.com/bd/site/products.php?p_id=11
Kaspersky Labs's Anti-Virus for Linux
http://www.kaspersky.com/buyonline.html?chapter=595425&tgroup=4
http://www.kasperskylabs.com/products.html?fos=3&os=%3E
Trend Micro Interscan Viruswall
http://www.trendmicro.com/
Sophos AntiVirus
http://www.sophos.com/products/sav/
F-Prot
http://www.f-prot.com/
http://packages.debian.org/unstable/utils/f-prot-installer.html
[US $300 for Small Business & US $450 for Enterprise Business]
F-Secure
http://www.f-secure.com/products/anti-virus/firewalls/linux.shtml
eTrust Antivirus (formerly InoculateIT and Inoculan)
http://www3.ca.com/Solutions/Product.asp?ID=156
(Note: Computer Associates is where formerly OK software companies go
to be embalmed and their customer base milked after they've died.)
CommandAV
http://www.authentium.com/solutions/products/commandantivirus.cfm
Vexira Antivirus for Linux Workstation
http://www.centralcommand.com/
Panda Antivirus for Linux
http://www.pandasoftware.com/com/linux/linux.asp
H+BEDV Datentechnik GmbH's AntiVir for Linux
http://www.hbedv.com/
AntiVir is free for non-commercial use, and you can get virus-definition
updates for one year.
Hauri, Inc.'s ViRobot Expert
http://www.hauriusa.net/
http://techrepublic.com.com/5100-6313-5071855.html
NOD32
http://www.nod32.com/products/products.htm
Norman Virus Control (NVC)
http://www.norman.com/products_nvc.shtml
The above list is mostly gathered from other sources. Please note that
I have _zero_ experience with these packages. ClamAV appears to have a
good reputation, though, and is open-source.
A few words about case #3 (IT guy has no clue, but insists reflexively
that any corporate computer must run "antivirus software"): Sometimes,
rather than argue with the guy and try to educate him, it's best to tell
him what he wants to hear. That is, tell him that he raised an
excellent point, and you appreciate being reminded of that
company-critical issue. Therefore, you've deployed the extremely
effective antiviral package comprising Exim and SpamAssassin. (See:
http://marc.merlins.org/linux/exim/sa.html) Tell him that _zero_
Sobig.F e-mails ever get past that combination (which is true).

You _don't_ have to tell him that the package's design goal has nothing
whatsoever to do with viruses, but rather aims to eliminate almost all
junkmail during the SMTP session rather than after delivery. What he
doesn't know won't hurt him.
If you don't deploy the Exim-SA combo, you can still (correctly) tell
him that your anti-virus package's name is "procmail" (used as mail
delivery agent). Procmail with a modest collection of filters is
(possibly, maybe) at least as effective as dedicated virus scanners for
case #2 (native Linux viruses), given the fact that they're basically
nonexistent.
More about case #2 in a separate mail.
--
Cheers,                   Wall Street has all the emotional stability of a
Rick Moen                 thirteen-year-old girl.  -- Louis Rukeyser
rick at linuxmafia.com
Subject: Re: [plug] Re: Amavis performance
From: "Eddie Javier" edjavier@i-snapinternet.com
To: plug@lists.q-linux.com
Cc: jijo@free.net.ph, mgca@pacific.net.ph
Date: Wed, 2 Oct 2002 11:17:31 +0800 (PHT)
Hello,
If it's possible, avoid using Amavis. It's a memory hog (at least the last
one I used). You mentioned that in every message that comes in, Amavis
spawns the virus scanner. Imagine if you have thousands of emails
coming in.

Don't use virus scanning daemons as well. If the virus scanner dies or
leaks, you have to have another program watching it whenever that
happens. Also, if your mail server gets attacked via the "Zip of Death",
your virus scanner may crash.

A more sophisticated solution is to use a system that scans messages by
batch rather than one by one. It works like this:
1. Spawn sendmail and store messages in an alternate folder, say mqueue.in:

   /usr/sbin/sendmail -bd -ODeliveryMode=queueonly -OQueueDirectory=/var/spool/mqueue.in
   /usr/sbin/sendmail -q15m

2. Have the AV scanner scan the incoming queue. Move to /var/spool/mqueue if
   clean, quarantine if not.
A program that does this is mailscanner (http://www.mailscanner.info).
What's cool is that it can also filter spam if you want to. What's even
cooler is that it cross-checks mails with open relay databases. What's
even "spankingly cool" is that it can use SpamAssassin to filter more
spam.
Cheers,
Ed
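The batch step described in Ed's message, as an added example that is not MailScanner's code nor anything from the list: it walks a sendmail holding queue, runs a scanner over each message body, and releases or quarantines the qf/df pair. It assumes sendmail's queue-file naming (qf* envelope, df* body), a scanner command that exits 0 only for a clean file, and the constructed marker string used by the stand-in scanner.

```shell
# Batch-scan a sendmail holding queue and release clean messages to the
# live queue. Added example, not MailScanner's code. Assumes sendmail's
# qf* (envelope) / df* (body) pairs and a scanner that exits 0 only if clean.
set -u

# scan_queue IN_DIR OUT_DIR QUARANTINE_DIR SCANNER -> prints count quarantined
scan_queue() {
    in_dir=$1; out_dir=$2; quar_dir=$3; scanner=$4
    quarantined=0
    for qf in "$in_dir"/qf*; do
        [ -e "$qf" ] || continue            # empty queue: glob stayed literal
        id=${qf##*/qf}
        df="$in_dir/df$id"
        [ -f "$df" ] || continue            # body not fully written yet; retry later
        # Word-split on purpose so SCANNER may carry options ("clamscan --quiet").
        # Any non-zero exit (detection, crash, timeout) fails closed into quarantine,
        # so a scanner killed by a decompression bomb never releases that message.
        if $scanner "$df"; then
            dest=$out_dir
        else
            dest=$quar_dir
            quarantined=$((quarantined + 1))
        fi
        # Body first, envelope second: the live queue runner only acts on qf files.
        mv "$df" "$dest/" && mv "$qf" "$dest/"
    done
    echo "$quarantined"
}

# Offline stand-in for a real scanner: flags a constructed marker string.
marker_scan() {
    ! grep -q 'CONSTRUCTED-MALWARE-MARKER' "$1"
}

# Throwaway mqueue.in with one clean and one flagged message (constructed data).
demo() {
    root=$(mktemp -d)
    mkdir "$root/mqueue.in" "$root/mqueue" "$root/quarantine"
    printf 'V8\nS<a@example.com>\n' > "$root/mqueue.in/qfAAA1"
    printf 'Subject: hi\n\nplain text\n' > "$root/mqueue.in/dfAAA1"
    printf 'V8\nS<b@example.com>\n' > "$root/mqueue.in/qfAAA2"
    printf 'Subject: hi\n\nCONSTRUCTED-MALWARE-MARKER\n' > "$root/mqueue.in/dfAAA2"
    n=$(scan_queue "$root/mqueue.in" "$root/mqueue" "$root/quarantine" marker_scan)
    live=$(cd "$root/mqueue" && echo qf*)
    held=$(cd "$root/quarantine" && echo qf*)
    rm -rf "$root"
    echo "quarantined=$n live=$live held=$held"
}
demo
```

Run it from cron (or from a loop alongside `sendmail -q15m`) against the real mqueue.in with a real scanner in place of marker_scan; the live queue runner then delivers only what landed in /var/spool/mqueue.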
From rick Mon Nov 11 16:15:51 2002
Date: Mon, 11 Nov 2002 16:15:51 -0800
To: Michael Havens bmike1@vei.net
Cc: linux-questions-only@ssc.com
Subject: Re: [TAG] Virus scan (I don't have the address to the general Linux questions mailbox)
Quoting Michael Havens (bmike1@vei.net):
> Hey all, I have a friend that is scared of using Linux because he
> doesn't have a virus/worm scan protecting it. Does he need to worry?
Mike, here's more than you really need to know about that issue:

http://linuxmafia.com/~rick/faq/#virus

If you have a superstitious belief in software that checks for
"viruses", you can get them for Linux, from a number of firms, e.g.,
[list deleted as outdated -- see newer message, below]
However, most of those are basically intended to filter out Micros*ft
Wind*ws viruses on Linux-based file and e-mail servers used by
vulnerable Wind*ws clients. Otherwise, antiviral software on Linux is
about as useful as a buggy whip on a Corvette -- just like disk
defragmenters, generally speaking. (Modern filesystems other than
that of Digital Equipment Corp.'s VMS and the two filesystems used by
Micros*ft will automatically self-defragment over time, given a modest
amount of free disk space on them.)
--
Cheers,                   kill -9 them all.
Rick Moen                 Let init sort it out.
rick@linuxmafia.com
Date: Wed, 24 Sep 2003 19:51:09 +0200
From: Tomasz Papszun tomek-deb_sec@lodz.tpsa.pl
To: debian-security@lists.debian.org
Subject: Re: MS BS + Sorting out the virii
[ I'm resending it because yesterday's try didn't appear on the list.
Thomas Ritter has already answered the copy which I sent directly to
him. ]
On Wed, 24 Sep 2003 at 1:54:42 +0200, Thomas Ritter wrote:

> Just a note: Open Antivirus programs like clamav are not perfect,
> because the open virus database [1] is still too small... but for
> _sorting_ mail, clamav (it's in sid) is really good. It gives you
[...]
> [1] http://www.openantivirus.org/
Sorry, but I must say that this is an incorrect claim.

Only in the very beginning had ClamAV used just openantivirus.org's
database. openantivirus.org hasn't been updated for months now.

Currently ClamAV's own database is quite big and is updated even a
couple of times a day if needed. It's quite good at new viruses caught
"in the wild", e.g. we had the signature for Gibe.F (alias Swen) on the
same day that the virus appeared.

Older viruses are gradually added to the database.

Everyone is encouraged to submit samples of viruses unknown to ClamAV
( http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi ).

It's a GPLed project and each of us can benefit from it, so developing it
(among others by submitting samples of new viruses) is a "Good Thing".

ClamAV is supported in Debian and it's very well integrated with
amavisd-new (which, in turn, can be used also with spamassassin).
--
Tomasz Papszun  SysAdm @ TP S.A. Lodz, Poland  | And it's only
tomek@lodz.tpsa.pl  http://www.lodz.tpsa.pl/   | ones and zeros.