chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Tue Jan 07, 2003 1:04 pm Post subject: Virus protection for exim
Looking for virus protection server side. Currently use exim as the MTA; customers connecting via POP are getting tonnes of viruses at the moment, so it would be nice to sweep these server side.
If anyone could suggest a good package to use, I would rather pay for a commercial one than use a free one which is unreliable if needed.
Not just attachment blocking needed, but content scanning of whole messages.
Cheers
Last edited by chris on Tue Jan 07, 2003 2:32 pm; edited 1 time in total
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Mon Jan 13, 2003 11:55 am Post subject:
Have just found what seems to be the perfect all-in-one solution, very good price too:
http://www.ravantivirus.com/pages/showproduct.php?p=75
Quote:
RAV AntiVirus for Exim MTA
Why is RAV AntiVirus for Exim MTA the optimal solution?
Simple installation process: The installation process is very simple and can be executed using an interactive install script (install.sh). If you want to manually install the product, you can find install instructions on the manufacturer's website.
Easy to configure and use: RAV AntiVirus for Exim MTA is extremely easy to configure: options are available to order the actions to be taken by RAV AntiVirus when dealing with an infected file (Clean, Move/Copy to Quarantine, Delete, Rename, Ignore, Reject) or with a file containing suspicious code (Move/Copy to Quarantine, Delete, Rename, Ignore, Reject).
Complete antivirus protection: RAV AntiVirus for Exim MTA scans all incoming and outgoing mail flow for the protected domains, removing malware from all levels (subject, body, attachments). RAV AntiVirus for Exim MTA also scans archives inside archives, packed executables and multiple MIME-type encodings.
Enhanced e-mail traffic scanning: RAV AntiVirus for Exim MTA uses the Integrity Checker technology: when the files are scanned for the first time, the detection engine creates a database with all the information it has gathered during the scanning process. When doing a second scan, only the new or changed files are scanned, therefore increasing the detection speed by over 50%.
Multi-platform virus removal: RAV Engine detects and removes all known Windows, Linux, Unix and DOS viruses, regardless of the operating system they're stored on or designed for.
Heuristic methods: RAV AntiVirus for Exim MTA uses heuristic methods to extend the protection offered to its users and act against new viruses and new versions of existing viruses.
Integration: RAV AntiVirus for Exim MTA is an integrated suite, containing all the components (antivirus, antispam, content filtering, group management) in one single installation.
ShaolinTiger Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777215 Location: Kuala Lumpur, Malaysia
Posted: Mon Jan 13, 2003 12:26 pm Post subject:
Nice one, looks good mate.
Let us know how you get on with it, if it's as easy as it markets itself etc.
I have heard positive things about RAV in the past; be good to see how it works in the field and if it passes GFI.
chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Sat Jan 18, 2003 12:36 am Post subject:
ShaolinTiger wrote:
    Nice one, looks good mate.
    Let us know how you get on with it, if it's as easy as it markets itself etc.
    I have heard positive things about RAV in the past, be good to see how it works in the field and if it passes GFI :)
OK, RAV comes as a set of RPMs and an install script, which was extremely easy; this was for Linux Slackware and Exim.
Once installed there are several files of relevance to be edited.
The first is the domains file; in the evaluation mode you are restricted to 30 days and 2 domains. These are simply entered into a domains file.
Next is the regexp file where regular expressions are defined for content filtering.
Here you can block specified extensions, or double extensions, etc.
Code:
    file_regexp = .*\.((vbs)|(vbe)|(js)|(exe)|(com)|(pif)|(lnk)|(scr)|(bat))
Also you could block text from well-known viruses:
Code:
    body_wn_string = Snowhite was turning 18
Content filtering on the actual mail body can also be defined, to get rid of those annoying mailing lists you just can't seem to get off:
Code:
    bodyconfidential_string = teen pussy|10TV!|watch my cam live
The next configuration is to actually define what actions to take upon matching the expressions:
Code:
    # 1. clean - clean the infected file.
    # 2. move - move the file to quarantine (equivalent to copy + delete action).
    # 3. copy - copy the file to quarantine.
    # 4. delete - delete the file and replace it with a new file automatically
    # generated by RAV. The file name is "warn.txt" and it contains the message
    # "RAV AntiVirus has deleted this file because it contained
    # dangerous code.". Note that RAV doesn't change the mail file size
    # because some protocols (like IMAP) may request the mail size first and
    # then the mail body. So, the "warn.txt" file will be filled with spaces
    # to fit the original file length.
    # 5. rename - the file will be renamed using the "rename_ext" extension
    # specified in configuration.
    # 6. ignore - the file is ignored, no action is taken and the e-mail is
    # delivered.
    # 7. reject - the e-mail is rejected, it will not be delivered to any of
    # its recipients.
    # 8. discard - the e-mail is silently discarded, it will not be delivered to
    # its recipients and no bounce will be sent to the sender.
    # 9. deliver - used only for bulk mails; the mail is delivered to its
    # recipients after being tagged as SPAM.
Finally you put all these together in your group files; there is a global group, or you can configure per domain, obviously some customers will have different needs to others.
Everything is scanned by the RAV engine, which has worked very well so far.
RBL support is also built in, although I haven't implemented this yet as I've only configured it for one client.
Competitively priced as well, and there seem to be a few updates each day too, more than McAfee's 'new dat file twice a week' :)
All logged as well so you can see what is going on.
All the quarantined files are in a directory now with the full mail headers; wondering what the best way to pass any of these on to the original recipient would be if needed?
Would recommend from what I've seen so far.
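The filtering the post above describes (a file_regexp for attachment names, double extensions, and a known-virus body string, mapped onto the action list quoted from the config), as an added Python example that is not from the thread and not RAV's own code. It reuses the post's file_regexp with its stray closing parenthesis removed and its body_wn_string; the double-extension pattern, the case-insensitive whole-name matching, the sample messages and the reject/move/ignore policy are assumptions, since the post does not state how RAV itself matches names.

```python
"""Constructed content-filter example modelled on the settings quoted in the post."""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# file_regexp from the post (one stray ")" removed so it compiles). RAV's own matching
# rules are not stated in the post; matching the whole file name is an assumption.
FILE_REGEXP = re.compile(r".*\.((vbs)|(vbe)|(js)|(exe)|(com)|(pif)|(lnk)|(scr)|(bat))",
                         re.IGNORECASE)

# Assumed pattern for the "double extensions" the post mentions, e.g. "photo.jpg.zip".
DOUBLE_EXT = re.compile(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", re.IGNORECASE)

# body_wn_string from the post.
BODY_STRINGS = ["Snowhite was turning 18"]

# Action names taken from the list the post quotes.
ACTION_REJECT = "reject"   # mail is not delivered to any recipient
ACTION_MOVE = "move"       # attachment moved to quarantine
ACTION_IGNORE = "ignore"   # no action taken, mail delivered as-is


def check_message(raw: bytes) -> tuple[str, list[str]]:
    """Return (action, reasons) for one RFC 822 message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        fname = part.get_filename()
        if fname:
            if FILE_REGEXP.fullmatch(fname):
                reasons.append(f"blocked extension: {fname}")
            elif DOUBLE_EXT.search(fname):
                reasons.append(f"double extension: {fname}")
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            for needle in BODY_STRINGS:
                if needle.lower() in text:
                    reasons.append(f"known virus text: {needle!r}")
    # Assumed policy: known-malware text and blocked extensions are rejected outright,
    # a merely suspicious name is quarantined, and clean mail is left alone.
    if any(r.startswith(("blocked", "known")) for r in reasons):
        return ACTION_REJECT, reasons
    if reasons:
        return ACTION_MOVE, reasons
    return ACTION_IGNORE, reasons


def build_sample(body: str, attachment_name: str | None = None) -> bytes:
    """Build a constructed test message (not a captured mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "customer@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content(body)
    if attachment_name:
        # Placeholder bytes standing in for an attachment body.
        msg.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for body, name in [("Quarterly figures attached", "report.pdf"),
                       ("Please run this", "setup.exe"),
                       ("Holiday pics", "photo.jpg.zip"),
                       ("Snowhite was turning 18 ...", None)]:
        action, why = check_message(build_sample(body, name))
        print(f"{name or '(no attachment)':>18}: {action:<7} {why}")
```

Because the post's regexp has no end anchor, how it is applied decides whether "invoice.exe.txt" is caught; the example makes that explicit with a whole-name match and a separate double-extension check, so a reviewer can see which rule fired in the returned reasons.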
danielrm26 Just Arrived
Joined: 06 Nov 2002 Posts: 1
Posted: Sat Jan 25, 2003 11:51 am Post subject: Kaspersky
My solution uses Kaspersky (integrated with Exim) and I am very happy with it. I haven't used any others to compare it to though...
chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Sat Jan 25, 2003 2:14 pm Post subject:
Yep, have read good things about Kaspersky.
Got a call from messagelabs.com recently; although a little pricey, these have a really nice service and give a 100% money-back guarantee if anything gets through.
ralf Just Arrived
Joined: 05 Feb 2003 Posts: 0 Location: ... don't know the name of this pub?
Posted: Wed Feb 05, 2003 7:11 pm Post subject: Re: Virus protection for exim
saxo wrote:
    Looking for virus protection server side. Currently use exim as the MTA, customers connecting via pop are getting tonnes of viruses at the moment, would be nice to sweep these server side.
    If anyone could suggest a good package to use, would rather pay for a commercial one than use a free one which is unreliable if needed.
    Not just attachment blocking needed, but content scanning of whole messages.
    Cheers
... another option to use with amavis or MailScanner is NOD32.