Linux.com

Feature: Security

Antivirus protection for the really worried

By on May 23, 2006 (8:00:00 AM)


You probably know that viruses pose little immediate danger to Linux itself, but you may well want to protect the Windows machines sitting behind your Linux mail server. I compared a commercial product, Frisk Software's F-Prot, and a free, open source product, ClamAV, both running on a Linux server.

F-Prot comes in three Linux packages: Antivirus for File Servers, for Mail Servers, and for Workstations. Each is priced separately, with a discount for multiple users, and all three can be downloaded free for a 30-day trial. They support the main Linux distributions, and installation is simple.

Having gone to the trouble of downloading F-Prot, you may wonder what it is going to protect you from. Its maker claims protection against "271,336 known viruses and their variants." You can list them from the command line with f-prot -virlist. Interestingly, f-prot -virlist | wc -l shows only 158,308 lines, so the list names far fewer signatures than the headline figure suggests. To see the Linux entries, append | grep -i Linux (which matches only names containing "Linux"), and you get:

Linux/Bash
Linux/Bliss.A
Linux/Bliss.B
Linux/Snoopy.A
Linux/Snoopy.B
Linux/Snoopy.C
Unix/Linuxconf@expl

Only seven of 271,336 -- about 0.0026% -- are Linux-related. Check whether you already have one of them on your system with sudo f-prot /. The sudo is needed only so the scan can read every file on the system, not to run F-Prot itself.

Chances are you'll get the message "No viruses or suspicious files/boot sectors were found." So how can you check that F-Prot actually works? You could hunt the Internet for a real virus to infect your system with -- OK, maybe not. Instead, go to the European Institute for Computer Antivirus Research (EICAR) anti-virus test file page and download the test files. The EICAR file is a harmless 68-byte ASCII string that anti-virus vendors agree to detect as though it were a virus, so it exercises the detection path without any risk. EICAR supplies it as eicar.com, as the same bytes renamed eicar.com.txt, inside a zip archive (eicar_com.zip), and inside a zip nested in another zip (eicarcom2.zip). Place the four files somewhere in your home directory, then test F-Prot properly:

$ ls -l eicar*
-rw-r--r--  1 bainm bainm  68 2006-04-18 15:58 eicar.com
-rwxr--r--  1 bainm bainm 308 2006-04-18 15:55 eicarcom2.zip
-rw-r--r--  1 bainm bainm  68 2006-04-14 14:52 eicar.com.txt
-rw-r--r--  1 bainm bainm 184 2006-04-14 14:56 eicar_com.zip
$ f-prot ~
Virus scanning report  -  18 April 2006 @ 15:59

F-PROT ANTIVIRUS
Program version: 4.6.6
Engine version: 3.16.14

VIRUS SIGNATURE FILES
SIGN.DEF created 18 April 2006
SIGN2.DEF created 18 April 2006
MACRO.DEF created 18 April 2006

Search: /home/bainm
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/bainm/f-prot/eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:

Files: 2654
MBRs: 0
Boot sectors: 0
Objects scanned: 2520
Infected: 3
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:29

At first glance the result looks good, until you notice that F-Prot has flagged only three of the four test files. The one it missed, eicar.com.txt, holds the same 68 bytes as eicar.com under a different extension (the ls listing shows both at 68 bytes), so F-Prot is deciding what to scan from the file name rather than the content. Anyone who can choose a file name can choose its extension, which makes that a weak basis for skipping a file.

Having confirmed that the scanner works, you can turn to the F-Prot Mail Server package, which is where you'll most likely use it. At installation the software asks which type of mail server you run; that's all the setup required. If you attach one of the test files to an email, both you and the recipient receive something like this:

***** Attachment removed by F-Prot Antivirus *****

The attachment/message

eicar.com (eicar.com)

was a virus/worm/trojan. It was removed.

This message was generated by F-Prot Antivirus Mail Scanner.

F-Prot does its job, but it suffers from a bit of "Windows-think," trusting file extensions to decide what needs scanning, and so does a less thorough job than it could.

Examining ClamAV

ClamAV -- written for Linux by Linux developers -- installs easily. Once it's on your system, run a scan to see how well it finds one of the roughly 51,000 viruses it knew about at the time of this test:

$ clamscan -l scan.txt -r ~

----------- SCAN SUMMARY -----------
Known viruses: 51004
Engine version: 0.88.1
Scanned directories: 405
Scanned files: 2625
Infected files: 4
Data scanned: 130.45 MB
Time: 470.935 sec (7 m 50 s)

$ grep FOUND scan.txt
/home/bainm/f-prot/eicar.com.txt: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar.com: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar_com.zip: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicarcom2.zip: Eicar-Test-Signature FOUND

Unlike F-Prot, clamscan prints a line for every file it checks, not just the infected ones, so use the -l option to write the results to a log file and grep that file for the string "FOUND." (Alternatively, clamscan -i prints only the infected files.) You can get the full list of options by typing man clamscan.

ClamAV took far longer than F-Prot (7 minutes 50 seconds against 29 seconds), but it caught all four test files. Part of the gap is that clamscan loads the entire signature database on every run; on a mail server you would run the clamd daemon instead, which loads the database once and is handed files through clamdscan or a socket connection.
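To make this comparison repeatable, here is an added example (my code, not the article's, F-Prot's or ClamAV's) that builds the same four EICAR test objects in a scratch directory and parses the two report formats shown above into a common file-to-detection map, so each scanner's misses fall out of a simple set difference. The report excerpts embedded in it are the lines printed above; the regular expressions assume only that line shape and would need widening for paths containing spaces.

```python
"""Build the four EICAR test objects from the article and normalise the two
scanners' reports so their detections can be compared file by file.

Added example; not code from the article, F-Prot or ClamAV.  The report
excerpts are copied from the article's output, and the only thing assumed
about the scanners is the shape of those report lines.
"""
import io
import os
import re
import tempfile
import zipfile

# The 68-byte EICAR string, kept in two halves so this source file is not
# itself flagged by a scanner; the halves are joined when the module loads.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

TEST_FILES = ("eicar.com", "eicar.com.txt", "eicar_com.zip", "eicarcom2.zip")


def make_eicar_testset(directory):
    """Write eicar.com, the same bytes as eicar.com.txt, eicar_com.zip holding
    eicar.com, and eicarcom2.zip holding eicar_com.zip.  Returns name -> path."""
    paths = {}
    for name in ("eicar.com", "eicar.com.txt"):
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as fh:
            fh.write(EICAR)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("eicar.com", EICAR)
    paths["eicar_com.zip"] = os.path.join(directory, "eicar_com.zip")
    with open(paths["eicar_com.zip"], "wb") as fh:
        fh.write(inner.getvalue())
    paths["eicarcom2.zip"] = os.path.join(directory, "eicarcom2.zip")
    with zipfile.ZipFile(paths["eicarcom2.zip"], "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("eicar_com.zip", inner.getvalue())
    return paths


def testset_sizes():
    """Build the set in a scratch directory and return name -> size in bytes,
    after checking that the nested archive really unpacks to the EICAR bytes."""
    with tempfile.TemporaryDirectory() as d:
        paths = make_eicar_testset(d)
        with zipfile.ZipFile(paths["eicarcom2.zip"]) as outer:
            with zipfile.ZipFile(io.BytesIO(outer.read("eicar_com.zip"))) as mid:
                assert mid.read("eicar.com") == EICAR
        return {name: os.path.getsize(p) for name, p in paths.items()}


# F-Prot: "<path>[-><member>...]  Infection: <name>"; clamscan: "<path>: <name> FOUND".
# Neither pattern copes with spaces in file names; the test set has none.
FPROT_LINE = re.compile(r"^(\S+)\s+Infection:\s+(\S+)")
CLAM_LINE = re.compile(r"^(.+): (\S+) FOUND$")


def parse_fprot_report(text):
    """Map each infected container file to its detection name.  F-Prot names
    archive members as outer->inner; the outer file is what you would
    quarantine, so that is the key."""
    found = {}
    for line in text.splitlines():
        m = FPROT_LINE.match(line.strip())
        if m:
            found[os.path.basename(m.group(1).split("->")[0])] = m.group(2)
    return found


def parse_clamscan_log(text):
    """clamscan logs one line per file scanned; keep only the FOUND lines."""
    found = {}
    for line in text.splitlines():
        m = CLAM_LINE.match(line.strip())
        if m:
            found[os.path.basename(m.group(1))] = m.group(2)
    return found


def missed(detections, expected=TEST_FILES):
    """Test files the scanner did not report, in test-set order."""
    return tuple(name for name in expected if name not in detections)


# Report lines exactly as printed in the article.
FPROT_REPORT = """\
/home/bainm/f-prot/eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File
"""
CLAMSCAN_LOG = """\
/home/bainm/f-prot/eicar.com.txt: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar.com: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar_com.zip: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicarcom2.zip: Eicar-Test-Signature FOUND
"""

if __name__ == "__main__":
    print("test set:", testset_sizes())
    print("F-Prot missed:", missed(parse_fprot_report(FPROT_REPORT)))  # ('eicar.com.txt',)
    print("ClamAV missed:", missed(parse_clamscan_log(CLAMSCAN_LOG)))  # ()
```

Run it as is, or point parse_fprot_report and parse_clamscan_log at your own scanner output. Only the files the script writes are meant to trip a scanner, so write them into a directory you intend to scan and delete them afterwards; a test file left lying around will keep showing up in every later report.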

Next, turn your attention back to your mail server. Unlike F-Prot, ClamAV doesn't set itself up for you, so the difficulty depends on which mail server you run. There is extensive documentation for Exim4 (for example, the Debian Administration article "Rejecting viral email at SMTP time with exim4"), but the setup isn't straightforward and you need to know what you're doing. If you use qmail, life is much easier: several good third-party tools incorporate ClamAV for you. Have a look at Qmail-Scanner and Linux.com's Qmail-Scanner and ClamAV HowTo, or my personal favorite, QClam.
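Whichever glue you choose, what it does underneath is hand each message to a running clamd over its socket and act on the verdict. The added example below (mine, not from the article, ClamAV or any of the tools named above) performs that exchange with clamd's INSTREAM command and shows the three kinds of reply a filter has to handle. Since there is no clamd to reach from the page, it includes a small stand-in server that speaks the same framing and knows only the EICAR string; the localhost address and the port 3310 mentioned in the docstring are assumptions, and a real deployment reads the socket from clamd.conf.

```python
"""Hand a message to clamd with its INSTREAM command and read back the verdict,
the exchange mail-filter glue performs for every message it passes to ClamAV.

Added example, not from the article, ClamAV or any tool it names.  The wire
protocol (zINSTREAM, 4-byte big-endian length-prefixed chunks, a zero-length
chunk to finish, NUL-terminated reply) is clamd's; the stand-in server that
answers here so the example runs offline is mine and knows only the EICAR
string.  Real clamd listens where clamd.conf's LocalSocket or TCPSocket
points; ("127.0.0.1", 3310) is the conventional TCP address, assumed here.
"""
import socket
import struct
import threading

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
CHUNK = 8192  # bytes per INSTREAM chunk; clamd caps the total via StreamMaxLength


def clamd_instream(data, addr, timeout=30):
    """Stream `data` to clamd at `addr` and return (infected, signature_name)."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), CHUNK):
            part = data[i:i + CHUNK]
            s.sendall(struct.pack(">I", len(part)) + part)
        s.sendall(struct.pack(">I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            more = s.recv(4096)
            if not more:
                break
            reply += more
    return parse_verdict(reply.rstrip(b"\0").decode("utf-8", "replace"))


def parse_verdict(reply):
    """'stream: OK' -> (False, None); 'stream: <name> FOUND' -> (True, name).
    A reply ending in ERROR (oversize stream, database trouble) means the data
    was NOT scanned; a mail filter must fail closed (defer or reject) rather
    than treat it as clean, so it is raised instead of returned."""
    if reply.endswith(" ERROR"):
        raise RuntimeError("clamd did not scan: " + reply)
    if reply.startswith("stream: ") and reply.endswith(" FOUND"):
        return True, reply[len("stream: "):-len(" FOUND")]
    if reply == "stream: OK":
        return False, None
    raise RuntimeError("unexpected clamd reply: %r" % reply)


def _need(conn, buf, n):
    """Grow buf until it holds at least n bytes; a peer that hangs up is an error."""
    while len(buf) < n:
        more = conn.recv(4096)
        if not more:
            raise ConnectionError("client closed mid-stream")
        buf += more
    return buf


def _fake_clamd(conn):
    """Stand-in for clamd: parse one zINSTREAM session and answer as clamd would."""
    with conn:
        buf = b""
        while b"\0" not in buf:
            buf = _need(conn, buf, len(buf) + 1)
        cmd, buf = buf.split(b"\0", 1)
        if cmd != b"zINSTREAM":
            conn.sendall(b"UNKNOWN COMMAND\0")
            return
        body = b""
        while True:
            buf = _need(conn, buf, 4)
            n, buf = struct.unpack(">I", buf[:4])[0], buf[4:]
            if n == 0:
                break
            buf = _need(conn, buf, n)
            body, buf = body + buf[:n], buf[n:]
        conn.sendall(b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body
                     else b"stream: OK\0")


def start_fake_clamd():
    """Listen on an ephemeral localhost port in a daemon thread; return the address."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_fake_clamd, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def scan_samples(addr):
    """Scan a constructed clean message and one carrying the EICAR string."""
    clean = b"Subject: hello\r\n\r\nNothing to see here.\r\n"
    hot = b"Subject: invoice\r\n\r\n" + EICAR + b"\r\n"
    return clamd_instream(clean, addr), clamd_instream(hot, addr)


if __name__ == "__main__":
    print(scan_samples(start_fake_clamd()))  # ((False, None), (True, 'Eicar-Test-Signature'))
```

The design point worth taking away is in parse_verdict: an ERROR reply means the message was never scanned, and a filter that maps it to "clean" fails open. Defer or reject it instead, and size StreamMaxLength in clamd.conf to match the largest message your MTA accepts so that oversize streams do not become a routine bypass.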

Finally, you'll want regular signature updates; a scanner with stale signatures is not much better than none. F-Prot supplies a Perl script that you run from cron, while ClamAV provides freshclam, which can run in the background as a daemon and fetch new virus definitions without your intervention.

So how do you choose between the two to keep viruses off your network? One integrates easily with your mail server but skips files based on their extension and costs money; the other is free and scans more thoroughly, but needs extra work to wire into the mail system. I know which I'd go for.

Comments on Antivirus protection for the really worried

This article is a joke

Posted by: Anonymous Coward on May 23, 2006 11:01 PM
The comparison couldn't get any worse, four files for an antivirus test doesn't even qualify as a strawman. How about putting an unprotected WinXP SP0 box out on the internet, then make two copies of its filesystem and sic each antivirus on one of them and see who catches more nasties?

Re:This article is a joke

Posted by: Anonymous Coward on May 24, 2006 12:02 AM
These products run on a mail server to protect incoming mail, and have nothing to do with XP being connected to the Internet.

Re:This article is a joke

Posted by: Anonymous Coward on May 24, 2006 05:59 PM
Well why don't you do that then? And post the results in an article of your own?

Re:This article is a joke

Posted by: Anonymous Coward on May 24, 2006 08:54 PM
Sheesh, get some perspective kid. Grow up and get some manners too.

Speed difference

Posted by: Anonymous Coward on May 24, 2006 12:47 AM

I've never looked at clamav... is it really this slow just to find the eicar test?

"ClamAV took much longer than F-Prot (seven minutes and 50 seconds for ClamAV compared to 29 seconds for F-Prot)"

No, read that again... 7:50 vs 0:29. (and the linux.com subs could do with a better style guide... never write numbers as words for numerical data, and if you do use a number spelt out somewhere in a sentence, you normally spell out all numbers after that in the same sentence, but we digress)

Now... a point that the author might be able to clarify: I presume that test was run a few times so that definitions were cached by the kernel fs layer etc. That can make a big difference to benchmarks. (but probably not that big!)

Anyone interested in contacting the clamav devs and discussing an optimisation project?

Re:Speed difference

Posted by: Anonymous Coward on May 24, 2006 01:17 AM
Well, you should also consider the fact that clamav checks ALL files while f-prot probably leaves files like *.txt-files (and probably many other types of files too) untested which could account for at least part of the speed difference!

Re:Speed difference

Posted by: Anonymous Coward on May 24, 2006 02:00 AM
F-Prot checks everything if you simply include the -dumb command.

Re:Speed difference

Posted by: Anonymous Coward on May 24, 2006 02:57 AM
The author called clamscan rather than clamdscan. This will account for a significant portion of the time lag. Clamdscan rather than loading the virus definitions itself, simply passes the command to clamd and awaits the results. This is significantly quicker than running the equivalent scan with clamscan.

Re:Speed difference

Posted by: Anonymous Coward on May 27, 2006 02:57 AM
There is a really good explanation for this and I am surprised that the author didn't catch this (maybe he didn't want to?) even though he mentions it directly in his article.

"F-Prot doesn't recognize a .txt file as being a possible threat."

He also failed to realize that the AV software doesn't judge whether a file is text or not based on the extension (maybe he's been in the Windows world a little too long?) it makes the judgement based on the byte signature of the file. Note this difference from the article as well...

F-Prot:
Objects scanned: 2520

ClamAV:
Scanned files: 2625

An extra 105 files on the ClamAV side and I will take all bets that those are text files. I have worked with scanning algorithms for text searches. It takes a lot of time to EFFECTIVELY parse a text file looking for patterns. Look through /etc and all of its subdirectories once. Try counting all the text files.

The nitwit author should have known this and brought this up in his article. If you don't know what you are doing or how the software works, don't make yourself look like an idiot and comment on it or review it.

trusting f-prot is foolish

Posted by: Anonymous Coward on May 24, 2006 03:20 AM
Or Symantec, or Trend, or McAfee, etc- such short memories we have. Remember how none of them- not ONE- detected the infamous Sony rootkit? Remember how F-Prot found it, but kept it secret for a month while they had "talks" with Sony? Even then they were not going to disclose it, except Mark Russinovich broke the story.

The lesson is the big commercial "security" companies cannot be trusted. They make backdoor deals with their corporate buddies, and it's only going to get worse with "Trusted Computing" and DRM.

Re:trusting f-prot is foolish

Posted by: Anonymous Coward on May 24, 2006 03:21 AM
oh yeah, and being fooled by a .txt file extension is just plain retarded.

Re:trusting f-prot is foolish

Posted by: Anonymous Coward on February 01, 2007 09:33 AM
Especially since EICAR.COM _is_ a text file... EICAR consists of only printable ASCII characters, and this is probably the reason for being excluded from the scan.

Free BitDefender Linux Edition Already Available

Posted by: Anonymous Coward on May 24, 2006 04:51 AM
There is a free (as in beer) BitDefender for linux. I use it and it works great.

http://www.bitdefender.com/PRODUCT-63-en--BitDefender-Linux-Edition.html

3rd Party Tool: Mailscanner

Posted by: Anonymous Coward on May 25, 2006 03:40 AM
Another option to consider is Mailscanner (www.mailscanner.info). It works with a number of virus scanners and mail server packages plus ties in Spamassassin.

Re:3rd Party Tool: Mailscanner

Posted by: Anonymous Coward on May 26, 2006 07:13 PM
I use mailscanner+clamav+spamassassin and am quite happy with the virus/spam protection they provide for my postfix mail server.

F-Prot and AntiVir have Linux signatures also

Posted by: Anonymous Coward on May 25, 2006 04:14 AM
1. F-Prot is not simply for servers; it has Linux rootkit and virus signatures (yes.....virus) as well.

2. AntiVir also provides a free Linux AV/AT, and it also looks for Linux rootkit sigs.

Amavisd-new makes integration a snap

Posted by: Anonymous Coward on May 25, 2006 04:41 AM
Get Amavisd-new to encapsulate ClamAV and BitDefender (and F-Prot and maybe a few others if you must). Then installation with no matter which mail server becomes trivially easy.
I would use BitDefender because its version 7 can be used for free on Linux.
While you're at it, throw SpamAssassin into the mix. Your users will thank you for it.
ClamAV has the advantage it also finds phishing attempts.
You can find (some very condensed information) in a mind map I created on my web site: http://www.winfix.it/EMAIL.html

I used this for a presentation I gave. It's in Dutch, but the links all point to info in English. The mindmap itself is available as well:

http://www.winfix.it/email_mindmap.zip

It's nicer to click through, but you'll have to install freemind (http://freemind.sourceforge.net/wiki/index.php/Main_Page) yourself then.

Cheers,

Jo

I want to create one email server in linux for global use

Posted by: Anonymous [ip: 61.95.224.148] on November 02, 2007 09:58 AM
I want to create one email server in Linux for global use, where I can send and receive mails from outside as well.

sapan_saxena@yahoo.com
