Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Networking

Open Source AV Proxies and Network Scanners? 35

Zphbeeblbrox asks: "Our Company is looking to set up a central proxy/gateway for several of our Networks. We would like to investigate some of the Open Source Antivirus Proxy solutions and AntiViral Network Scanning, however the information we have on them is rather sketchy. Have any of you had experience setting up DansGuardian with the Clam-AV plugin or similar such solutions. Additionally the mail proxy with Clam-AV solutions? If you have, what advice and recommendations would you have for us. Do they work and should we consider using something like snort-inline to scan our network traffic for viruses? I have found little by way of comparisons or reviews on them so I'm hoping you will be able to share some of your experiences on their effectiveness."
This discussion has been archived. No new comments can be posted.

Open Source AV Proxies and Network Scanners?

Comments Filter:
  • by Jjeff1 ( 636051 ) on Wednesday March 23, 2005 @04:52PM (#12028882)
    I have ASSP [sourceforge.net], it integrates with the ClamAV database. World-Wide Stats [sourceforge.net] as well as my own stats indicate it's blocking viruses. Though I still have some viruses get picked up by my Exchange server, however there are a very large number blocked.

    Since I have separate AV on my Exchange server, and had it before the ClamAV integration with ASSP, I never bothered to troubleshoot why ASSP misses some of the viruses that it should be catching.

    So based on this, I can't say I'd use it as my only mail AV solution, but then again I haven't tried to either.
    • by magefile ( 776388 ) on Wednesday March 23, 2005 @05:13PM (#12029161)
      You've gotta be kidding me - who chose an acronym that can be expanded as "ASS Proxy"?!
    • [...]I still have some viruses get picked up by my Exchange server[...]

      I'm seeing the same thing - it looks like some variants of the Netsky ("SomeFool" as ClamAV's database calls it) virus manage to elude ClamAV somehow. I spotted several references to this happening to other people poking around on Google, and there doesn't seem to be a fix for it yet (I'm not sure if ANYONE's yet figured out how some of them get past). On the other hand, ClamAV DOES seem to catch pretty much everything else (including

      • On the other hand...closer examination of the "Symantec Antivirus" logs seems to show that no viruses have been detected in the last week (while ClamAV is still showing viruses being caught), where before one or two were slipping through every day or so. Looks like perhaps whatever had been confounding ClamAV before got worked out and updated in the virus pattern data files.

      • I'm seeing the same thing - it looks like some variants of the Netsky ("SomeFool" as ClamAV's database calls it) virus manage to elude ClamAV somehow. I spotted several references to this happening to other people poking around on Google, and there doesn't seem to be a fix for it yet

        I submitted a few of these to the ClamAV team. They came back and said that they were code fragments, and did not contain any executable code and were thus harmless (regardless of Norton's findings).

  • I've got my home network set up behind DansGuardian/Squid and I've been VERY pleased with the results. Dansguardian was easy to get running, and I have been able to apply a large blacklist as well as easily configure allowed and blocked sites.

    On the email side, I don't run my own mailserver (ISP blocks port 25) but I use fetchmail to grab POP mail from them, then use procmail rules and Smapassassin to kill SPAM. Works pretty darn well.

    I've been meaning to write a howto on this, but.... life intervened.
    • Same here. We've got a 300 PC network running off of one DG/Squid server and its usage is very low. I'm sure you could run ClaimAV on it and still be fine, and it's only a 1GHZ machine with 512MB ram. Check out yahoo groups for the two official mailing lists. You'll want the non-dev one. Search the archives first because there's a lot of people doing the same setup.
  • You mean, other than "apt-get install exim-heavy dansguardian clamav"? (sarge or newer of course...) And configuring them according to the instructions?

    It's not hard. Try it. Shouldn't take more than a few hours. Then come back and give us your report later tonight...

    • I'm not worried about the setup. I can handle that in my sleep probably. I was wondering if they were effective enough to use. I'm very familiar with debian run it exclusively at home. So yes I can probably handle that.
      • Re:Debian? (Score:3, Informative)

        by walt-sjc ( 145127 )
        Yes, they are VERY effective.

        First, as far as email is concerned (one of the largest sources of malware) if you reject certain file types such as exe, vbs, hta, bat, pif, com, cmd, etc., most viruses just bounce off the mailserver outright.

        Second, using spamassassin and common RBL's to block dynamic IP space and known compromised machines, you cut down on another large hunk of crap (both malware and spam.)

        ClamAV does a great job on modern viruses. Commercial products have large databases of ancient virus
        • That's exactly what I was looking for thanks. We already run dansguardian and it works well in cutting down the spyware/malware counts. Its too easy to bypass in our current setup right now though So I have been looking at some alternate methods. And a good AV mail proxy will work wonders for us. I'm also slowly weaning people off of IE/Outlook. We are contractors for these networks so I can't do a blanket replacement of the software.
  • by Bronster ( 13157 ) <slashdot@brong.net> on Wednesday March 23, 2005 @05:20PM (#12029248) Homepage
    I use ClamAV both at work [fastmail.fm] and home [brong.net]. It's great.

    My home setup is just a hosted VPS (previously a real box but I got tired of dealing with hardware issues) running email for myself and my family, plus a couple of mailing lists. I'm using amavis-new to apply both SpamAssassin and ClamAV to mails as a content_filter within Postfix.

    Work has to be much higher performance - we use a custom LMTP proxy written in Perl which calls out to the clamd clamav daemon and contains a SpamAssassin instance which has been a lot more seriously tuned. We also run local copies of many RBLs (you generally need to pay to do that, but it's worth it for the saved network traffic if you've got enough spam comming in!)

    Interestingly, I did some work on the lmtp proxy just last week so that even when the clamd is down (restarts, etc) it will fall back to calling out to 'clamscan' directly on the spool file and parsing the output.

    So yes, especially since ClamAV 0.8, it's been very nice and easy to use - the mail scanning is reliable (haven't had a single virus get through into my mail, but I get around 30-50 virus notifications a day from it - I could probably turn them off, but it's nice to see what sort of traffic is floating around).

    Bron.
    • Just curious - why the LMTP step and not integrated into the SMTP server? Do you Accept and bounce, or reject at initial SMTP reception? If clamav is down you can always defer (4xx) and have the sender retry...

      I've been running scanning from within exim for well over a year. Never had an issue with the setup handling 5K users...
      • Just curious - why the LMTP step and not integrated into the SMTP server?

        Mainly because our backend Cyrus servers are already talking lmtp, so it seemed a little pointless to send it back into Postfix again just to be sent out to another local delivery agent. Also means we can do all sorts of funky per-user processing - and yes, we can 4xx back to Postfix easily enough if there's a temporary error condition.

        We have 4 incoming mx servers handling ~500k users, and the load average on these boxes sits pre
    • I use ClamAV in the mailserver I admin for the company I work for. I integrate both SpamAssassin and ClamAV (with the help of the ClamAssassin script [drivel.com]) witht Postfix using procmail. But it can integrate with any system, even as a http proxy.

      ClamAV correctly detects 99% of the infected emails, and it's database is updated very often, with new signatures a few times a day. The users here are happy not having to deal with tons of worm emails every day. :)
  • Questions. (Score:3, Interesting)

    by FreeLinux ( 555387 ) on Wednesday March 23, 2005 @06:24PM (#12029982)
    I'd have to ask, what size company are we talking about? What is the present and immediate future computing environment? Most of the answers that you'll see here are going to be from home users or REALLY small shops.

    I haven't used Dan's Guardian as yet. So far, most companies that I have seen that want content control are medium sized(100 users and up). The majority of these are Windows shops so the use MS ISA/Symantec, Novell BorderManager/eTrust, or some hardware based firewall/proxy/filter for content control. They "can't be bothered" with hacking together their own solution.

    I have numerous smaller companies(100 users) using Squid/ClamAV to protect the surfers and Postfix/ClamAV to protect the email with stellar results. Both solutions work well, are very fast and would likely scale to much higher loads if given the chance. I see no reason to doubt the capabilities of Dan's Guardian either, I just haven't used it in a corporate environment. But, with Dan's Guardian, the antivirus protection is actually from Squid/ClamAV which works great.
  • From a mial server point of view amavis with clamd have always worked well for me.

    For squid proxy servers have a look at viralator or c-icap.

    Dunc

  • ClamSMTP (Score:2, Informative)

    by stef0x77 ( 529972 )
    ClamSMTP is what I use. Nice, light and efficient. It does transparent proxying if you need that too.
    http://memberwebs.com/nielsen/software/clamsmtp/ [memberwebs.com]
    • Has anyone tried Mirapoint? Which is literally hardware mail server (www.mirapoint.com).

      • Re:ClamSMTP (Score:3, Informative)

        by harikiri ( 211017 )
        I trained on it in 2001, and it seemed quite cool at the time. What most impressed me was that they had a scriptable network service designed for third-party customisation. Ie, you send "add user blah profile blah" to create new users.

        For corporations looking at eliminating the overhead of having to manage both a unix server and the application running on it, an appliance server (like mirapoint) makes sense.
  • Clam (Score:3, Informative)

    by cuteseal ( 794590 ) on Wednesday March 23, 2005 @08:29PM (#12031190) Homepage
    Clam AV seems to be the biggest one out there, but if you're using POP3, P3Scan [sourceforge.net] is worth a try...
  • My company uses (Score:3, Informative)

    by dheltzel ( 558802 ) on Wednesday March 23, 2005 @08:43PM (#12031314)
    CanIt [roaringpenguin.com] for email Spam/AV filtering and it works really well (easy to administer too, that's what makes it worth the price). There is a free version for small implementations (or to pilot for a few users to test it out).

    We are planning a Squid implementation to proxy web traffic and there are add-ons to scan for viruses, popups, etc. I can't say how well that works just yet, but I'm very confident it will do the job admirably.

  • Clamav (Score:3, Informative)

    by dodobh ( 65811 ) on Thursday March 24, 2005 @04:53AM (#12033924) Homepage
    Clamav rocks for me on the mail side. Postfix, Amavisd-new, Clamav, SpamAssassin combine to form a very efficient virus and spam filtering/classifying system.

    Get them here:
    Postfix [postfix.org]
    Amavisd-New [www.ijs.si]
    Clam antivirus [clamav.net]
    SpamAssassin at CPAN [cpan.org]

    You would be particularly interested in header_checks, mime_header_checks and body_checks for Postfix.
    • "I can throw myself at the ground and miss." Cool I've been trying to manage flight for a few years now and still keep remembering to hit the ground at the last second. I'm confident I'll hit on the correct combination of falling/distraction soon though.
  • by phoenix_rizzen ( 256998 ) on Thursday March 24, 2005 @01:27PM (#12037517)
    That's the combo we're using to filter all messages for a school district (1600 staff accounts, roughly 8000 student accounts, approx 15 domains). 1 server handles all incoming and outgoing mail, and then it sends the messages off to appropriate mail server. Blocks approx 30,000 viruses and 120,000 spam messages each month. Server is a dual-Athlon-MP 2200+ with 3 GB RAM and 400 GB HD in RAID5 running FreeBSD 5.

    Configuration was simple, administration is even simpler.

    Looking at possibly adding dspam into the mix.
  • So what will everyone do when ClamAV starts charging a subscription fee for updates like Nessus and Snort started doing?
    • They can do any of the following:

      Pay for it.
      Pay Symantec et al.
      Start another free project.

      I think that what Snort and Nessus are doing is perfectly fair. Nessus seems to be reasonably priced but, I think that Snort is priced too high and will likely cause a rules community to develop, perhaps even a fork.
  • It does, and the instructions are shockingly clear and cover several distros. I have it set up on Debian.

"Being against torture ought to be sort of a multipartisan thing." -- Karl Lehenbauer, as amended by Jeff Daiell, a Libertarian

Working...