Re: virus-scanners for mail servers
- To: Linux-IL Mailing List <linux-il(at-nospam)linux.org.il>
- Subject: Re: virus-scanners for mail servers
- From: Gal Goldschmidt <gal(at-nospam)cs.haifa.ac.il>
- Date: Tue, 26 Jun 2001 19:17:44 +0300 (IDT)
- Delivered-To: linux.org.il-linux-il@linux.org.il
- In-Reply-To: <Pine.GSO.4.33_heb2.09.0106252149270.27405-100000@techunix.technion.ac.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
On Mon, 25 Jun 2001, Tzafrir Cohen wrote:
> Installation turned out to be not as easy as I thought,
I had some additional problems besides the amavis poor documentation one.
When CPAN/perl install creates directories it uses the umask
I use (700), so no one could use my installed modules.
Don't forget to check your umask before installing any global
perl modules.
>
> Installation was fairly easy. The documentation is reasonable. I'll have to
> try tinkering with it a bit so it will send in the warning message to the
> virus sender the name of the suspected virus, and some other small
> details.
The documentation is bad.
I use the postfix content filtering. The daemon starts as root(?);
postfix could not write to the socket.
It was opened as 700 (umask).
I had to make it work as the vscan user (more secure anyway).
No scripts to start/close amavisd.
>
> empty headers from infected messages, and then I noticed the log
> messages, and created such a directory that is writable by the vscan user.
>
It's needed for more than just the log, it's where the attachments are
converted, unzipped, unarjed etc.
Then the virus scanner kicks in and tests the raw files.
>
> As I have mentioned in another post, I wanted to also check outgoing mail.
> The problem is that PostFix has no simple way to add a scanning by an
> external programs to all the messages in the queue.
The content filter is simple.
It would be nice if the docs would tell how
the mail flows (postfix (port 25) -> amavisd (unix socket) ->
postfix (localhost port 10025) -> delivery local & remote).
As long as you use smtp or postfix's sendmail script it will go into the
scanner.
> Downsides:
> * complication (for instance: you now have to "master" processes)
> * resource consumption (not much, but I have to mention it ;-)
Content filter is much better.
You can limit the pipe forking and reduce the resource to the level you want.
> Unexpected advantage:
> * It is now much easier to stop all mail delivery, while still accepting
> new mail on smtp.
Yap, I only need to kill amavisd, no mail is lost.
>
>
> As for the virus scanner itself:
>
> amavis does everything, except scanning the files themselves for
> virii. It needs a command-line scanner for that.
>
> Amavis lacks a bit interactive commands. For instance, when it discovers a
> message that is suspected as infected, it puts it as a file in a certain
> folder.
It has it, it is not created by default; you need to create it,
/var/virusmails, and chown it to the amavisd user.
>
>
> Another one that I will not use is McAfee's one. It may be fine, but the
> EULA (at least for the evaluation copy) forbids the user to publish
> reviews and benchmarks on the product without NAI's agreement. I'm not
> going to write any review about this product, but for another reason.
I use the above and I can't tell you anything else ;-)
The only problem I had with it is amavisd related:
amavisd examines the exit code to see if a virus was found; for some reason
this was set to 1 for NAI and not 13. I got the right number from the
logs using EICAR.COM.
I guess the 4.X scan engine is from the 3.X.
I didn't run benchmarks, I used it because it's already paid for.
Don't forget to test using EICAR.COM!!!! plain, gzipped, arc, bzip2
etc....
Bye
Gal
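
The EICAR check recommended at the end of the message, as an added example that is not part of the original post: it writes the test string plain, gzipped, bzip2ed and zipped, runs a command-line scanner on each and on a clean control file, and lists the exit statuses, which gives the number amavisd has to treat as "virus found". The scanner command is whatever you pass on the command line (assumed to take the file path as its last argument); the script name and sample file names are constructed.

```python
import bz2, gzip, subprocess, sys, tempfile, zipfile
from pathlib import Path

# Standard 68-byte EICAR test string, split in two so this file is not flagged.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD"
         r"-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")

def build_samples(workdir):
    """Write a clean control file plus EICAR plain, gzipped, bzip2ed and zipped."""
    d = Path(workdir)
    samples = {"clean": d / "clean.txt", "plain": d / "eicar.com",
               "gzip": d / "eicar.com.gz", "bzip2": d / "eicar.com.bz2",
               "zip": d / "eicar.zip"}
    samples["clean"].write_bytes(b"harmless control file\n")
    samples["plain"].write_bytes(EICAR)
    samples["gzip"].write_bytes(gzip.compress(EICAR))
    samples["bzip2"].write_bytes(bz2.compress(EICAR))
    with zipfile.ZipFile(samples["zip"], "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("eicar.com", EICAR)
    return samples

def exit_codes(scanner_cmd, samples):
    """Run scanner_cmd with each sample path appended; return {label: exit status}."""
    codes = {}
    for label, path in samples.items():
        proc = subprocess.run(list(scanner_cmd) + [str(path)],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        codes[label] = proc.returncode
    return codes

def report(codes):
    """Compare each EICAR sample against the clean control file's exit status."""
    clean = codes["clean"]
    infected = {c for label, c in codes.items() if label != "clean" and c != clean}
    missed = sorted(l for l, c in codes.items() if l != "clean" and c == clean)
    return infected, missed

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: eicar_codes.py SCANNER [ARGS...]")
    with tempfile.TemporaryDirectory() as tmp:
        codes = exit_codes(sys.argv[1:], build_samples(tmp))
    infected, missed = report(codes)
    print("exit status per sample:", codes)
    print("status(es) that mean 'virus found':", sorted(infected))
    print("forms the scanner missed:", missed or "none")
```

A status that differs from the clean file's can also be a scanner error, so confirm it against the scanner's log before configuring it. A form listed as missed when the scanner is run directly is one that has to be unpacked before the scanner sees it.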