Security Forums

Virus protection for exim

chris
Posted: Tue Jan 07, 2003 1:04 pm    Post subject: Virus protection for exim

Looking for virus protection server side. Currently use exim as the MTA, customers connecting via pop are getting tonnes of viruses at the moment, would be nice to sweep these server side.

If anyone could suggest a good package to use, would rather pay for a commercial one than use a free one which is unreliable if needed.

Not just attachment blocking needed, but content scanning of whole messages.

Cheers


Last edited by chris on Tue Jan 07, 2003 2:32 pm; edited 1 time in total
ShaolinTiger
Posted: Tue Jan 07, 2003 1:14 pm

Sophos is the best for stuff like that IMHO.

http://www.sophos.com/products/software/mailmonitor/

http://www.sophos.com/products/software/mailmonitor/mmsmtp.html

http://www.amavis.org/ Check this out, most solutions use this.

How-To's here: http://www.amavis.org/howto/

Free is here: http://www.openantivirus.org/
chris
Posted: Mon Jan 13, 2003 11:55 am

Have just found what seems to be the perfect all in one solution, very good price too

http://www.ravantivirus.com/pages/showproduct.php?p=75

Quote:
RAV AntiVirus for Exim MTA


Why is RAV AntiVirus for Exim MTA the optimal solution


Quote:
Simple installation process: The installation process is very simple and can be executed using an interactive install script (install.sh). If you want to manually install the product, you can find install instructions on the manufacturer’s website;

Easy to configure and use: RAV AntiVirus for Exim MTA is extremely easy to configure: options are available to order the actions to be taken by RAV AntiVirus when dealing with an infected file (Clean, Move/Copy to Quarantine, Delete, Rename, Ignore, Reject) or with a file containing suspicious code (Move/Copy to Quarantine, Delete, Rename, Ignore, Reject).

Complete antivirus protection: RAV AntiVirus for Exim MTA scans all incoming and outgoing mail flow for the protected domains, removing malwares from all levels (subject, body, attachments). RAV AntiVirus for Exim MTA is also scanning archives inside archives, packed executables and multiple MIMEtype encodings.

Enhanced e-mail traffic scanning: RAV AntiVirus for Exim MTA is using the Integrity Checker technology: when the files are scanned for the first time, the detection engine creates a database with all the information it has gathered during the scanning process. When doing a second scan, only the new or changed files are scanned, therefore increasing the detection speed with over 50%.

Multi platform virus removal: RAV Engine detects and removes all known Windows, Linux, Unix and DOS viruses, regardless of the operating system they’re stored on or designed for.

Heuristic methods: RAV AntiVirus for Exim MTA is using heuristic methods, to extend the protection offered to its users and act against new viruses and new versions of existing viruses.

Integration: RAV AntiVirus for Exim MTA is an integrated suite, containing all the components (antivirus, antispam, content filtering, group management) in one single installation.
ShaolinTiger
Posted: Mon Jan 13, 2003 12:26 pm

Nice one, looks good mate.

Let us know how you get on with it, if it's as easy as it markets itself etc.

I have heard positive things about RAV in the past, be good to see how it works in the field and if it passes GFI :)
chris
Posted: Sat Jan 18, 2003 12:36 am

ShaolinTiger wrote:
Nice one, looks good mate.

Let us know how you get on with it, if it's as easy as it markets itself etc.

I have heard positive things about RAV in the past, be good to see how it works in the field and if it passes GFI :)


OK, RAV comes as a set of RPMs and an install script, which was extremely easy; this was for Linux Slackware and Exim.

Once installed, there are several files of relevance to be edited.

The first is the domains file; in the evaluation mode you are restricted to 30 days and to 2 domains. These are simply entered into a domains file.

Next is the regexp file where regular expressions are defined for content filtering.

Here you can block specified, or double extensions etc.
Code:

file_regexp = .*\.((vbs)|(vbe)|(js)|(exe)|(com)|(pif)|(lnk)|(scr)|(bat))

Also you could block text from well known viruses
Code:

body_wn_string = Snowhite was turning 18


Content filtering on the actual mail body can also be defined, to get rid of those annoying mailing lists you just can't seem to get off
Code:

bodyconfidential_string = teen pussy|10TV!|watch my cam live



The next configuration is to actually define what actions to take upon matching the expressions

Code:

# 1. clean      - clean the infected file.
# 2. move       - move the file to quarantine (equivalent to copy + delete acti$
# 3. copy       - copy the file to quarantine.
# 4. delete     - delete the file and replace it with a new file automatically
#       generated by RAV. The file name is "warn.txt" and it contains the messa$
#       "RAV AntiVirus has deleted this file because it contained
#       dangerous code.". Note that RAV doesn't change the mail file size
#       because of some protocols (like IMAP) may request the mail size first a$
#       then the mail body. So, the "warn.txt" file will be filled with spaces
#       to fit the original file length.
# 5. rename     - the file will be renamed using the "rename_ext" extension
#       specified in configuration.
# 6. ignore     - the file is ignored, no action is taken and the e-mail is
#       delivered.
# 7. reject     - the e-mail is rejected, it will not be delivered to any of
#       its recipients.
# 8. discard    - the e-mail is silently discarded, it will not be delivered to
#       its recipients and no bounce will be send to the sender
# 9. deliver    - used only for bulk mails; the mail is delivered to its
#                               recipients after tagged as SPAM.


Finally you put all these together in your group files; there is a global group or you can configure per domain, as obviously some customers will have different needs to others.

Everything is scanned by the RAV engine, which has worked very well so far.

RBL support is also built in, although I haven't implemented this yet as I've only configured for one client.

Competitively priced as well, seems to be a few updates each day too, more than McAfee's 'new dat file twice a week' :)

All logged as well so you can see what is going on.

All the quarantined files are in a directory now with the full mail headers, wondering what the best way to pass any of these on to the original recipient would be if needed?

Would recommend from what I've seen so far
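The extension rule from the post above, exercised against a constructed MIME message, as an added example that is not part of the original post and is not RAV's own code. It assumes Python regex semantics with whole-filename, case-insensitive matching; RAV's matcher may behave differently.

```python
import re
from email import message_from_string

# Pattern from the post, with balanced parentheses. Matching semantics are an
# assumption: whole-filename match, case-insensitive.
FILE_REGEXP = re.compile(
    r".*\.((vbs)|(vbe)|(js)|(exe)|(com)|(pif)|(lnk)|(scr)|(bat))",
    re.IGNORECASE,
)

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: sender@example.com
To: user@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="report.doc"

x
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="holiday.jpg.PIF"

x
--b1
Content-Type: application/octet-stream; name="notes.txt .scr"

x
--b1--
"""

def blocked_attachments(raw):
    """Return the attachment filenames that match FILE_REGEXP."""
    hits = []
    for part in message_from_string(raw).walk():
        # get_filename() reads the Content-Disposition filename and falls
        # back to the Content-Type name parameter, so both spellings are seen.
        name = part.get_filename()
        if name and FILE_REGEXP.fullmatch(name.strip()):
            hits.append(name)
    return hits

if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

A name such as `a.exe.txt` does not match this rule, which is why the thread asks for content scanning of whole messages and not just attachment blocking.
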
danielrm26
Posted: Sat Jan 25, 2003 11:51 am    Post subject: Kaspersky

My solution uses Kaspersky (integrated with Exim) and I am very happy with it. I haven't used any others to compare it to though...
chris
Posted: Sat Jan 25, 2003 2:14 pm

Yep, have read good things about Kaspersky.

Got a call from messagelabs.com recently; although a little pricey, these have a really nice service and give a 100% money back guarantee if anything gets through
ralf
Posted: Wed Feb 05, 2003 7:11 pm    Post subject: Re: Virus protection for exim

saxo wrote:
Looking for virus protection server side. Currently use exim as the MTA, customers connecting via pop are getting tonnes of viruses at the moment, would be nice to sweep these server side.

If anyone could suggest a good package to use, would rather pay for a commercial one than use a free one which is unreliable if needed.

Not just attachment blocking needed, but content scanning of whole messages.

Cheers


.. another option to use with amavis or MailScanner is NOD32
All times are GMT + 2 Hours