
Re: virus-scanners for mail servers

Hi all

Installation turned out to be not as easy as I thought, so I decided that
it would be useful to post a follow-up.

On Thu, 21 Jun 2001, Tzafrir Cohen wrote:

>
> * As a framework for a virus scanner I saw recommendations for amavis
>  (http://www.amavis.org ). Any other recommendations? It seems that it is
>  at least as good as the others.

Installation was fairly easy. The documentation is reasonable. I'll have to
try tinkering with it a bit so it will include the name of the suspected
virus in the warning message sent to the virus sender, and some other small
details.

One thing that was lacking in the installation instructions was something
about which user will run the virus scanner. It seems that the default
install script assumes that it will be root, and thus does not bother
creating a special directory for data, and this also does not appear in the
install instructions. In the first tests I couldn't figure out why I was
getting empty headers from infected messages, and then I noticed the log
messages, and created such a directory that is writable by the vscan user.

I needed the programs 'tnef' and 'reformime'. I got the 'tnef' package from
Mandrake's contrib and rebuilt it (I had to rebuild it, of course. I'm not
going to upgrade my system to glibc 2.2 just for those packages!).
reformime is part of the 'maildrop' package. I decided to install the
whole package, as I hope it will supply me with better command-line tools
for handling MIME. Here, again, I rebuilt the package from Mandrake's contrib.

>
> * I'm currently using Postfix as the MTA. I currently use
> postfix-19991231_pl08 from Mandrake 7.2. I saw something in the latest
> version regarding content filtering. Worth the upgrade?

I didn't upgrade.

As I have mentioned in another post, I wanted to also check outgoing mail.
The problem is that Postfix has no simple way to add scanning by an
external program to all the messages in the queue.

One common solution seems to be to scan only locally-delivered messages,
and hook into the mail delivery process.

Another solution (which is suggested in the amavis documentation) is
similar to the "smtp proxy" solution presented in another post. You add a
separate postfix copy, which only listens on the smtp port. It handles all
the basic sanity checks, and then delivers all the mail to the "vscan"
transport, which is the virus scanner (amavis).

When amavis finishes scanning the message, it delivers it as a local
message to the main postfix copy, which handles all the delivery.

Downsides:
* complication (for instance: you now have two "master" processes)
* resource consumption (not much, but I have to mention it ;-)
* this still does not allow scanning of locally-created messages (If you
operate a webmail, don't let it mail using /usr/sbin/sendmail, for
instance)

Unexpected advantage:
* It is now much easier to stop all mail delivery, while still accepting
new mail on smtp.

The instructions for doing this change were in README.postfix, and were
clear and accurate. One small thing that I have changed there was to make
the two postfix processes use two separate services (I have created a new
/etc/init.d/postfix.smtp which is a tweaked copy of /etc/init.d/postfix).


As for the virus scanner itself:

amavis does everything, except scanning the files themselves for
virii. It needs a command-line scanner for that.

Amavis is a bit lacking in interactive commands. For instance, when it
discovers a message that is suspected as infected, it puts it as a file in
a certain folder.

> The organization generally works with Symantec (Norton), however, it seems
> that Symantec is the only major vendor which does not have a virus scanner
> for Linux, and thus I'm forced to look elsewhere.

Another one that I will not use is McAfee's one. It may be fine, but the
EULA (at least for the evaluation copy) forbids the user to publish
reviews and benchmarks on the product without NAI's agreement. I'm not
going to write any review about this product, but for another reason.

I'm currently trying Sophos's. It seems reasonable. One small inconvenience:
the command-line scanner (sweep) does not allow scanning a file from the
standard input.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
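The two-instance layout the post describes, written out as an added illustration (not the post's own configuration and not the contents of amavis's README.postfix); the directory names, the hostname, the vscan user and the amavis re-injection command are assumptions:

```text
# Front-end instance, assumed to live in /etc/postfix-smtp (main.cf).
# It listens on port 25, applies the usual relay and sanity checks, and hands
# every accepted message to the "vscan" transport instead of delivering it.
queue_directory   = /var/spool/postfix-smtp  # assumed: must differ from the main instance
myhostname        = mail.example.org         # assumed
mynetworks        = 127.0.0.0/8              # relay policy is enforced here, before scanning
default_transport = vscan                    # remote recipients go to the scanner
local_transport   = vscan                    # local recipients too: no delivery from this instance

# Front-end instance master.cf: the scanner is a pipe(8) transport running as
# the unprivileged vscan user, which is the user that needs the writable data
# directory the post mentions.
# service type  private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -      n      -      -       smtpd
vscan     unix  -       n      n      -      10      pipe
  user=vscan argv=/usr/sbin/amavis ${sender} ${recipient}

# Main instance (/etc/postfix/master.cf): comment out its own "smtp inet" line
# so only the front-end accepts SMTP. amavis re-injects clean mail through the
# main instance's sendmail, e.g. (amavis-side setting, assumed):
#   $sendmail = "/usr/sbin/sendmail -i";
```

Stopping the main instance's daemons then halts delivery while the front-end keeps accepting mail, since the sendmail re-injection only needs the maildrop queue, which is the "unexpected advantage" the post notes.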
