May 23, 2006

Antivirus protection for the really worried

You probably know that viruses pose little direct threat to Linux itself, but you may want to protect the Windows machines that receive mail through your Linux mail server. I compared a commercial product, Frisk Software's F-Prot, and a free open source product, ClamAV, both running on a Linux server.

F-Prot consists of three packages for Linux: Antivirus for File Servers, Mail Servers, and Workstations. Each is priced individually, but you get a discount for multiple users. You can download them all free for a 30-day trial period. They support the main Linux distributions, and installation is simple.

Having gone to the trouble of downloading F-Prot, you may be wondering what it's going to protect you from. Its maker claims it protects you from "271,336 known viruses and their variants." You can list them all by going to the command line and typing f-prot -virlist. Interestingly, if you type f-prot -virlist | wc -l, you'll find the list has only 158,308 lines, so one listed name presumably covers several variants. To see the Linux entries only, add | grep -i Linux, and you'll get:

Linux/Bash
Linux/Bliss.A
Linux/Bliss.B
Linux/Snoopy.A
Linux/Snoopy.B
Linux/Snoopy.C
Unix/Linuxconf@expl

Only seven of the 271,336 entries (about 0.0026%) are Linux-related! To check whether any of them is already on your system, type sudo f-prot /. You need sudo only so the scanner can read every file on the system; F-Prot itself runs fine as an ordinary user.

Chances are, you'll get the message "No viruses or suspicious files/boot sectors were found." So how can you check that F-Prot actually works? You could try hunting the Internet for a real virus to infect your system with; OK, maybe not. Instead, go to the European Institute for Computer Antivirus Research (EICAR) antivirus test file Web page, where you can download the EICAR test file, a harmless 68-byte text file that every mainstream scanner is built to report as if it were a virus. EICAR offers it in several forms: the plain eicar.com, the same bytes renamed eicar.com.txt, a zip archive containing it, and a zip inside a zip. Put them somewhere in your home directory, then test F-Prot properly:

$ ls -l eicar*
-rw-r--r--  1 bainm bainm  68 2006-04-18 15:58 eicar.com
-rwxr--r--  1 bainm bainm 308 2006-04-18 15:55 eicarcom2.zip
-rw-r--r--  1 bainm bainm  68 2006-04-14 14:52 eicar.com.txt
-rw-r--r--  1 bainm bainm 184 2006-04-14 14:56 eicar_com.zip
$ f-prot ~
Virus scanning report  -  18 April 2006 @ 15:59

F-PROT ANTIVIRUS
Program version: 4.6.6
Engine version: 3.16.14

VIRUS SIGNATURE FILES
SIGN.DEF created 18 April 2006
SIGN2.DEF created 18 April 2006
MACRO.DEF created 18 April 2006

Search: /home/bainm
Action: Report only
Files: "Dumb" scan of all files
Switches: -ARCHIVE -PACKED -SERVER

/home/bainm/f-prot/eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File

Results of virus scanning:

Files: 2654
MBRs: 0
Boot sectors: 0
Objects scanned: 2520
Infected: 3
Suspicious: 0
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 0:29

At first glance the result looks good, until you notice that F-Prot identified only three of the four test files. The .txt copy contains exactly the same 68 bytes as eicar.com (compare the sizes in the listing), so the miss comes down to the file name rather than the signature: F-Prot doesn't treat a .txt file as a possible threat. A scanner that lets the extension decide what to look for can be sidestepped simply by renaming a file.

Having confirmed that the scanner works, you can turn your attention to the F-Prot Mail Server software, which is where you'll most likely be using the antivirus protection. When you install it, the software asks what type of mail server you're running, and that's all the setup required. If you attach one of the test files to an email, both you and the recipient receive something like this:

***** Attachment removed by F-Prot Antivirus *****

The attachment/message

eicar.com (eicar.com)

was a virus/worm/trojan. It was removed.

This message was generated by F-Prot Antivirus Mail Scanner.

You can see that F-Prot does its job, but it suffers from a bit of "Windows-think": it judges files partly by their names, so it doesn't do as thorough a job as it could.

Examining ClamAV

ClamAV -- a system designed for Linux by Linux developers -- installs easily. Once it's on your system, you can run a scan to see how effective it is in finding one of its claimed 50,000 viruses:

$ clamscan -l scan.txt -r ~

----------- SCAN SUMMARY -----------
Known viruses: 51004
Engine version: 0.88.1
Scanned directories: 405
Scanned files: 2625
Infected files: 4
Data scanned: 130.45 MB
Time: 470.935 sec (7 m 50 s)

$ grep FOUND scan.txt
/home/bainm/f-prot/eicar.com.txt: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar.com: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar_com.zip: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicarcom2.zip: Eicar-Test-Signature FOUND

Unlike F-Prot, ClamAV reports every file it checks on standard output, so you need the -l option to save the results to a log file, which you can then grep for the string "FOUND." (Alternatively, clamscan -i prints only the infected files.) You can get the full list of options by typing man clamscan.
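To make the EICAR test above repeatable, and to automate the "grep for FOUND" check, here is an added example of my own; it is not part of the original article and not code from either product. It writes the same four kinds of test file the article uses, nested as many zip levels deep as you like, and then parses a scan log in either F-Prot's "Infection:" format or clamscan's "FOUND" format to list which test files the scanner missed. It assumes Python 3; the output directory, the file names beyond the four EICAR ones, and the helper names are my assumptions, and the infected-file lines it checks against are copied from the two reports above. Writing these files can itself trigger an on-access scanner on the host.

```python
import io
import os
import re
import tempfile
import zipfile

# The 68-byte EICAR test string as published by eicar.org. It is assembled
# from two halves so this script is not itself flagged by an on-access scanner.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}"
         r"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
assert len(EICAR) == 68


def build_corpus(directory, depth=2):
    """Write eicar.com, the identical bytes renamed eicar.com.txt, and zip
    archives nested `depth` levels deep. Returns {basename: full path}."""
    os.makedirs(directory, exist_ok=True)
    paths = {}
    for name in ("eicar.com", "eicar.com.txt"):
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(EICAR)  # no trailing newline: keep it exactly 68 bytes
        paths[name] = path
    member_name, member_bytes = "eicar.com", EICAR
    for level in range(1, depth + 1):
        # level 1 is eicar_com.zip and level 2 is eicarcom2.zip, as on the
        # EICAR site; deeper levels follow the same pattern (assumed names).
        name = "eicar_com.zip" if level == 1 else f"eicarcom{level}.zip"
        path = os.path.join(directory, name)
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(member_name, member_bytes)
        paths[name] = path
        with open(path, "rb") as fh:
            member_name, member_bytes = name, fh.read()
    return paths


def build_corpus_in_tempdir(depth=2):
    """Build the corpus in a fresh temporary directory; returns (dir, paths)."""
    directory = tempfile.mkdtemp(prefix="eicar-")
    return directory, build_corpus(directory, depth)


def archive_depth(data):
    """How many zip layers wrap the payload: 0 for a plain file, 2 for
    eicarcom2.zip. Handy for probing how deep a scanner unpacks archives."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return 0
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        return 1 + max((archive_depth(zf.read(n)) for n in zf.namelist()),
                       default=0)


def describe(paths):
    """{basename: (size_in_bytes, zip_nesting_depth)} for a built corpus."""
    out = {}
    for name, path in paths.items():
        with open(path, "rb") as fh:
            data = fh.read()
        out[name] = (len(data), archive_depth(data))
    return out


# One infected-file line format per scanner, as shown in the reports above.
CLAMSCAN_LINE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
FPROT_LINE = re.compile(r"^(?P<path>.+?)(?:->\S+)?\s+Infection: (?P<sig>\S+)$")


def flagged_paths(log_text):
    """Paths on disk that a scan log reports as infected. F-Prot names archive
    members as outer.zip->inner; only the outer path exists on disk."""
    found = set()
    for line in log_text.splitlines():
        m = CLAMSCAN_LINE.match(line.strip()) or FPROT_LINE.match(line.strip())
        if m:
            found.add(m.group("path"))
    return found


def missed(expected_paths, log_text):
    """The test files a scanner should have flagged but did not."""
    return sorted(set(expected_paths) - flagged_paths(log_text))


# Infected-file lines copied from the two scan reports in the article.
FPROT_REPORT = """\
/home/bainm/f-prot/eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicar_com.zip->eicar.com  Infection: EICAR_Test_File
/home/bainm/f-prot/eicarcom2.zip->eicar_com.zip->eicar.com  Infection: EICAR_Test_File
"""
CLAMSCAN_REPORT = """\
/home/bainm/f-prot/eicar.com.txt: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar.com: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicar_com.zip: Eicar-Test-Signature FOUND
/home/bainm/f-prot/eicarcom2.zip: Eicar-Test-Signature FOUND
"""
ARTICLE_FILES = ["/home/bainm/f-prot/" + n for n in
                 ("eicar.com", "eicar.com.txt", "eicar_com.zip", "eicarcom2.zip")]

if __name__ == "__main__":
    directory, paths = build_corpus_in_tempdir(depth=2)
    print(f"wrote {sorted(paths)} to {directory}")
    print(f"now run: clamscan -r -l scan.txt {directory}  (or f-prot {directory})")
    print("F-Prot missed:", missed(ARTICLE_FILES, FPROT_REPORT))
    print("ClamAV missed:", missed(ARTICLE_FILES, CLAMSCAN_REPORT))
```

Run it, point either scanner at the directory it prints, and feed the resulting log to missed() with the list of paths it wrote. Raising depth also tells you where a scanner stops unpacking nested archives; mail gateways deliberately cap that depth to avoid decompression bombs, so a miss at depth five or six is a limit to know about rather than a bug.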

ClamAV took much longer than F-Prot (seven minutes and 50 seconds for ClamAV compared to 29 seconds for F-Prot), but it did manage to catch all four virus test files.

Next, turn your attention back to your mail server. Unlike F-Prot, ClamAV doesn't set itself up for you, so the level of difficulty depends on which mail server you use. For instance, you can find extensive documentation for Exim4 (such as the Debian Administration's article, "Rejecting viral email at SMTP time with exim4"), but the setup isn't straightforward, and you need to know what you're doing. However, if you use qmail, you're going to find life much easier. Some excellent third-party tools can help you incorporate ClamAV. Have a look at Qmail-Scanner and Linux.com's Qmail-Scanner and ClamAV HowTo, or my personal favorite, QClam.

Finally, you'll want regular virus signature updates. F-Prot supplies a Perl script that you run from cron, while ClamAV gives you freshclam, which can run as a daemon in the background and fetch new definitions without you having to do anything.

To ensure that viruses don't infest your network, how do you choose between these two? You can choose one method that incorporates easily into your server but doesn't scan every file and will cost you money, or you can opt for the free method that does a more thorough job, but which needs you to do some extra work to protect the system. I know which I'd go for.

Category:

  • Security