Re: On-access AV scanning

2012-07-28 Thread Wojciech Puchar


> His problem is that there's a corporate regulation
> of what he has to do, which he needs to obey in order to

the only cure for such a case is changing jobs.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: On-access AV scanning

2012-07-28 Thread Matthew Seaman
On 28/07/2012 11:32, Wojciech Puchar wrote:

 His problem is that there's a corporate regulation
 of what he has to do, which he needs to obey in order to

 the only cure for such a case is changing jobs.

A little drastic perhaps?  Company policies can be changed[*].

Cheers,

Matthew

[*] It's important that the workers believe this.  It helps keep them in
line.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






Re: On-access AV scanning

2012-07-28 Thread Wojciech Puchar



> the only cure for such a case is changing jobs.

> A little drastic perhaps?  Company policies can be changed[*].

Depends on the company. But I assumed an attempt to point out the nonsense of
such a policy had already been made.



> [*] It's important that the workers believe this.  It helps keep them in
> line.

True and proven.


But my point was that if the policy is just nonsense (a requirement for virus
protection in spite of using a virus-incapable OS) and is still enforced in
spite of this, then



No matter if it is 5 users or 80 users (the largest I have to control in one
place), the policy should be: think about what you are doing, and do your
work at work, not your toys.


Believe me, having 2-3 virus problems per year, with no spreading, WITH
WINDOWS USERS, and Windows workstations running for a few years without
being touched, is possible.


It's simple, but off topic to explain in detail.


PS: in every shared (used by many people) Samba share, make a directory
Autorun.inf, owned by root with access rights of 700.

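The Autorun.inf trick from the PS above, written out as a small enforcement and audit script. This is an added example, not code from the thread: it creates the guard directory at the root of each share (mode 0700, chowned to root only when the script itself runs as root) and reports whether an existing guard is still a directory with the expected mode, refusing to silently replace a stray *file* of that name. The share paths are constructed placeholders; on a real server they come from the share definitions in smb.conf.

```python
"""Create and audit an unwritable ``Autorun.inf`` directory in Samba shares.

Added example for the mailing-list PS above, not code from the thread.
A directory named Autorun.inf, owned by root with mode 0700, sits at the
root of each share so that a Windows client that has picked up
autorun-style malware cannot drop an autorun.inf file there.
"""
import os
import stat
import sys

GUARD_NAME = "Autorun.inf"
GUARD_MODE = 0o700


def ensure_guard(share_root: str) -> str:
    """Create the guard directory if missing and pin its mode; return its path.

    Ownership is changed to uid/gid 0 (root:wheel on FreeBSD) only when
    running as root, so the function is also usable unprivileged for testing.
    """
    guard = os.path.join(share_root, GUARD_NAME)
    if os.path.lexists(guard) and not os.path.isdir(guard):
        # A file called Autorun.inf at the share root is exactly what the
        # guard is meant to prevent: do not replace it silently, report it.
        raise RuntimeError(f"{guard} exists and is not a directory; inspect it")
    os.makedirs(guard, mode=GUARD_MODE, exist_ok=True)
    os.chmod(guard, GUARD_MODE)          # makedirs honours umask, chmod does not
    if os.geteuid() == 0:
        os.chown(guard, 0, 0)
    return guard


def check_guard(share_root: str) -> dict:
    """Report whether the guard is present and correctly locked down."""
    guard = os.path.join(share_root, GUARD_NAME)
    result = {"path": guard, "present": False, "is_dir": False,
              "mode_ok": False, "root_owned": False}
    try:
        st = os.lstat(guard)
    except FileNotFoundError:
        return result
    result["present"] = True
    result["is_dir"] = stat.S_ISDIR(st.st_mode)
    result["mode_ok"] = stat.S_IMODE(st.st_mode) == GUARD_MODE
    result["root_owned"] = st.st_uid == 0
    return result


def guard_ok(share_root: str) -> bool:
    """True when the guard exists, is a directory and has mode 0700."""
    r = check_guard(share_root)
    return r["present"] and r["is_dir"] and r["mode_ok"]


if __name__ == "__main__":
    # Constructed share list; real paths come from the [share] sections of smb.conf.
    shares = sys.argv[1:] or ["/tank/shares/public", "/tank/shares/projects"]
    for share in shares:
        if not os.path.isdir(share):
            print(f"skip {share}: not a directory")
            continue
        ensure_guard(share)
        print(share, "OK" if guard_ok(share) else "NOT OK", check_guard(share))
```

Run it as root once per share root (or from a cron job, since `ensure_guard` is idempotent); `check_guard` on its own is enough for a periodic audit that the guard has not been removed or loosened.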


Re: On-access AV scanning

2012-07-27 Thread Wojciech Puchar

> Are there any current options available to support on-access antivirus
> scanning on FreeBSD?


FreeBSD doesn't need this as there are no viruses on that system.


> And yes, I know that neither FreeBSD nor Solaris are renowned for their
> sickly vulnerability to viruses, but we operate in a mixed environment, with
> a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
> need the AV to ensure any viruses are stopped before they infect a
> susceptible machine.  It seems a small price to pay to finally get a decent
> workstation!

No idea - YOU will not spread viruses, and viruses from other winstations
will not affect you.


So just install antivirus software on winstations.

Or finally educate users, as it is really simple to avoid viruses even
with Windows.



Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
 Are there any current options available to support on-access antivirus
 scanning on FreeBSD?
 
 FreeBSD doesn't need this as there are no viruses on that system.

Well, thanks.

 
 And yes, I know that neither FreeBSD nor Solaris are renowned for their
 sickly vulnerability to viruses, but we operate in a mixed environment, with
 a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
 need the AV to ensure any viruses are stopped before they infect a
 susceptible machine.  It seems a small price to pay to finally get a decent
 workstation!
 No idea - YOU will not spread viruses, and viruses from other
 winstations will not affect you.
 
 so just install antivirus software on winstations.
 
 Or finally educate users as it is really simple to avoid viruses
 even with windows

I refer you to the part where I specifically talk about our corporate IT
policy. All desktops/workstations (that is, all of them, every single one),
must have AV software running on them. There will be no exceptions, on pain
of dismissal. I don't want to lose my job, because you said I didn't need AV
software.

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Polytropon
On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
 All desktops/workstations (that is, all of them, every single one),
 must have AV software running on them. There will be no exceptions, on pain
 of dismissal.

Why is the AV software running on FreeBSD not sufficient in
the opinion of your superior (or by the guidelines of the
corporate directives)?

And those who bring a smartphone to work (private or company
use), how do they run AV software on those _IT devices_? :-)

Oh, and how is AV software brought to the company network
printers, the LAN gear and WLAN APs and everything else
that can be infected, exploited, ruined or damaged?

Or do they simply not count as desktop/workstation as you
mentioned? In that case: Happy attack vectors. :-)



Excuse my sarcasm, but there's a little truth in it, when
seen from an IT security point of view.



Really, I _do_ understand your problem (or better the problems
others created for you). Try to get more specific statements
to what kind of AV software with which action attributes is
required and try to construct a solution that will be sufficient
in the _view_ of the responsible superiors. The less they do
actually understand, the easier it should be. FreeBSD does
_have_ AV software, but not _for_ FreeBSD per se (as it cannot
be infected by viruses, trojans and malware that are designed
explicitly for Windows platforms), but it can very well
detect them. This all still does not help against human
stupidity.

Feel free to show this article and make use of its arguments:

Robert McMillan: Is Antivirus Software a Waste of Money?

http://www.wired.com/wiredenterprise/2012/03/antivirus/

A _responsible_ and well-educated IT representative should
form his own intelligent opinions, instead of trying to
blindly follow corporate guidelines which are possibly _impossible_
to instantiate.



My idea for a solution: You can use a file access monitor
(FAM) to detect when a new file enters the system, and then
immediately have it scanned by a virus scanner you have
already installed from ports.



Next issue: You need a virus scanner that inspects network
packets! :-)


-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
 
 
 On Fri, 27 Jul 2012, Daniel Bye wrote:
 
 On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
 Are there any current options available to support on-access antivirus
 scanning on FreeBSD?
 
 FreeBSD doesn't need this as there are no viruses on that system.
 
 Well, thanks.
 
 
 And yes, I know that neither FreeBSD nor Solaris are renowned for their
 sickly vulnerability to viruses, but we operate in a mixed environment, 
 with
 a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
 need the AV to ensure any viruses are stopped before they infect a
 susceptible machine.  It seems a small price to pay to finally get a decent
 workstation!
 No idea - YOU will not spread viruses, and viruses from other
 winstations will not affect you.
 
 so just install antivirus software on winstations.
 
 Or finally educate users as it is really simple to avoid viruses
 even with windows
 
 I refer you to the part where I specifically talk about our corporate IT
 policy. All desktops/workstations (that is, all of them, every single one),
 must have AV software running on them. There will be no exceptions, on pain
 
 Well, there is AV software for FreeBSD - we use Kaspersky on our
 FreeBSD based mailserver, but the viruses it looks for are Windows
 viruses. I don't know if that will satisfy your IT policy. Maybe you
 should be looking at Cygwin? Or, can FreeBSD run under HyperV?

Thanks, Daniel. I have looked at Kaspersky, and various others, but the main
sticking point, as I see it, is that there is no on-access scanning
capability in any of the AV packages available for FreeBSD.  It's not
essential to build my case, but it would certainly strengthen it.  I use
ClamAV on my home mail server, and it works well.  I have also tested it out
on a desktop machine to run on-demand scans, and it works just fine, and
doesn't impose so much of a load as to be a nuisance.

We have had a couple of virus outbreaks recently, so this is quite a high
profile concern around here at the moment. The CIO is from a technical
background, so I might well be able to convince him of FreeBSD's strengths
as a very secure system, but I will still need to accede to the IT policy,
sadly - no way around it.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Daniel Feenberg



On Fri, 27 Jul 2012, Daniel Bye wrote:


On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:

Are there any current options available to support on-access antivirus
scanning on FreeBSD?


FreeBSD doesn't need this as there are no viruses on that system.


Well, thanks.




And yes, I know that neither FreeBSD nor Solaris are renowned for their
sickly vulnerability to viruses, but we operate in a mixed environment, with
a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
need the AV to ensure any viruses are stopped before they infect a
susceptible machine.  It seems a small price to pay to finally get a decent
workstation!

No idea - YOU will not spread viruses, and viruses from other
winstations will not affect you.

so just install antivirus software on winstations.

Or finally educate users as it is really simple to avoid viruses
even with windows


I refer you to the part where I specifically talk about our corporate IT
policy. All desktops/workstations (that is, all of them, every single one),
must have AV software running on them. There will be no exceptions, on pain


Well, there is AV software for FreeBSD - we use Kaspersky on our FreeBSD 
based mailserver, but the viruses it looks for are Windows viruses. I 
don't know if that will satisfy your IT policy. Maybe you should be 
looking at Cygwin? Or, can FreeBSD run under HyperV?


daniel feenberg
NBER


of dismissal. I don't want to lose my job, because you said I didn't need AV
software.

--
Daniel Bye
_
 ASCII ribbon campaign ( )
- against HTML, vCards and  X
   - proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Damien Fleuriot


On 7/27/12 1:47 PM, Daniel Bye wrote:
 On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:


 On Fri, 27 Jul 2012, Daniel Bye wrote:

 On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
 Are there any current options available to support on-access antivirus
 scanning on FreeBSD?

 FreeBSD doesn't need this as there are no viruses on that system.

 Well, thanks.


 And yes, I know that neither FreeBSD nor Solaris are renowned for their
 sickly vulnerability to viruses, but we operate in a mixed environment, 
 with
 a lot of Windows machines and ZFS file systems exported by SMB/CIFS, so we
 need the AV to ensure any viruses are stopped before they infect a
 susceptible machine.  It seems a small price to pay to finally get a 
 decent
 workstation!
 No idea - YOU will not spread viruses, and viruses from other
 winstations will not affect you.

 so just install antivirus software on winstations.

 Or finally educate users as it is really simple to avoid viruses
 even with windows

 I refer you to the part where I specifically talk about our corporate IT
 policy. All desktops/workstations (that is, all of them, every single one),
 must have AV software running on them. There will be no exceptions, on pain

 Well, there is AV software for FreeBSD - we use Kaspersky on our
 FreeBSD based mailserver, but the viruses it looks for are Windows
 viruses. I don't know if that will satisfy your IT policy. Maybe you
 should be looking at Cygwin? Or, can FreeBSD run under HyperV?
 
 Thanks, Daniel. I have looked at Kaspersky, and various others, but the main
 sticking point, as I see it, is that there is no on-access scanning
 capability in any of the AV packages available for FreeBSD.  It's not
 essential to build my case, but it would certainly strengthen it.  I use
 ClamAV on my home mail server, and it works well.  I have also tested it out
 on a desktop machine to run on-demand scans, and it works just fine, and
 doesn't impose so much of a load as to be a nuisance.
 
 We have had a couple of virus outbreaks recently, so this is quite a high
 profile concern around here at the moment. The CIO is from a technical
 background, so I might well be able to convince him of FreeBSD's strengths
 as a very secure system, but I will still need to accede to the IT policy,
 sadly - no way around it.
 
 Dan
 



FUSE ClamFS


But then, FUSE... ew...


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 01:23:36PM +0200, Polytropon wrote:
 On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
  All desktops/workstations (that is, all of them, every single one),
  must have AV software running on them. There will be no exceptions, on pain
  of dismissal.
 
 Why is the AV software running on FreeBSD not sufficient in
 the opinion of your superior (or by the guidelines of the
 corporate directives)?
 
 And those who bring a smartphone to work (private or company
 use), how do they run AV software on those _IT devices_? :-)
 
 Oh, and how is AV software brought to the company network
 printers, the LAN gear and WLAN APs and everything else
 that can be infected, exploited, ruined or damaged?
 
 Or do they simply not count as desktop/workstation as you
 mentioned? In that case: Happy attack vectors. :-)

Well, no, they don't count, according to our policy, because they're not
desktops. I know, I know - but I didn't write the damn policy - I just have
to live by it! :-/

 
 
 
 Excuse my sarcasm, but there's a little truth in it, when
 seen from an IT security point of view.

I know, you make valid points - but I am merely a minor functionary in the
content development department, and not a global IT policy maker.  If it
were up to me, everyone in the company would be on UNIX of some kind or
other, but it just isn't up to me.

Hopefully, I can convince those that need convincing that what is available
is sufficient. I've only been using FreeBSD for the last 13 years, after
all, and in that time can count on the fingers of no hands the number of
security flaws that have allowed any of the machines under my care to be
compromised... I know that's no reason for complacency, and that I have been
lucky, but it's still a comforting statistic.

Thanks for your thoughts, guys. Of course, I'm going to extol FreeBSD's
virtues (it'd be great to get it in the datacentre, wouldn't it?), and we'll
see how we go!

 
 
 
 Really, I _do_ understand your problem (or better the problems
 others created for you). Try to get more specific statements
 to what kind of AV software with which action attributes is
 required and try to construct a solution that will be sufficient
 in the _view_ of the responsible superiors. The less they do
 actually understand, the easier it should be. FreeBSD does
 _have_ AV software, but not _for_ FreeBSD per se (as it cannot
 be infected by viruses, trojans and malware that are designed
 explicitly for Windows platforms), but it can very well
 detect them. This all still does not help against human
 stupidity.

Aye, quite so. Preaching to the choir, brother.

 
 Feel free to show this article and make use of its arguments:
 
 Robert McMillan: Is Antivirus Software a Waste of Money?
 
 http://www.wired.com/wiredenterprise/2012/03/antivirus/

Thanks for the link - I'll certainly have a read of it, and might well drop
the link in my email to him.

 
 A _responsible_ and well-educated IT representative should
 form his own intelligent opinions, instead of trying to
 blindly follow corporate guidelines which are possibly _impossible_
 to instantiate.

Oh, this guy isn't frightened of change, so I'm just trying to build the
best case I can for his accepting FreeBSD. He seems very reasonable, and I'm
sure will be able to make an informed decision based on what I tell him, and
his own knowledge and experience. To be honest, when I asked him for a UNIX
workstation, I was expecting him to just laugh at me, so to be given the
opportunity to make a case for FreeBSD came as a very welcome surprise.

 
 
 
 My idea for a solution: You can use a file access monitor
 (FAM) to detect when a new file enters the system, and then
 immediately have it scanned by a virus scanner you have
 already installed from ports.

Yep - exactly the solution that occurred to me a few minutes ago. A project
for the weekend!  Because looking after a 6-month-old baby doesn't take up
all our time...

 
 
 
 Next issue: You need a virus scanner that inspects network
 packets! :-)

lol. Don't! Like I said, I'm just a code jockey in the content development
department - all that stuff happens way up there, out sight of us mere
bottom-dwellers!

Cheers,

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Erich Dollansky
Hi,

On Fri, 27 Jul 2012 12:47:29 +0100
Daniel Bye freebsd-questi...@slightlystrange.org wrote:

 On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
  
  
  On Fri, 27 Jul 2012, Daniel Bye wrote:
  
  On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
  Are there any current options available to support on-access
  antivirus scanning on FreeBSD?

why should it be available when it is not needed?
  
  FreeBSD doesn't need this as there are no viruses on that system.

Ok, this is bad reasoning.
  
 Thanks, Daniel. I have looked at Kaspersky, and various others, but
 the main sticking point, as I see it, is that there is no on-access
 scanning capability in any of the AV packages available for FreeBSD.

You will not find them. The scanners running on FreeBSD are looking for
Windows pests.

 It's not essential to build my case, but it would certainly
 strengthen it.  I use ClamAV on my home mail server, and it works
 well.  I have also tested it out on a desktop machine to run
 on-demand scans, and it works just fine, and doesn't impose so much
 of a load as to be a nuisance.
 
Does it scan for FreeBSD viruses? I would wonder.

 We have had a couple of virus outbreaks recently, so this is quite a
 high profile concern around here at the moment. The CIO is from a
 technical background, so I might well be able to convince him of
 FreeBSD's strengths as a very secure system, but I will still need to
 accede to the IT policy, sadly - no way around it.

You will have to give it a miss then.

The security concepts of FreeBSD are 100% different. They will never
match this kind of policy.

Erich


Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote:
 
 FUSE ClamFS

Ah, thanks for that. I'll check it out.

 
 
 But then, FUSE... ew...

I know. But, if it gets me my workstation... ;-)

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:
 Hi,
 
 On Fri, 27 Jul 2012 12:47:29 +0100
 Daniel Bye freebsd-questi...@slightlystrange.org wrote:
 
  On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
   
   
   On Fri, 27 Jul 2012, Daniel Bye wrote:
   
   On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar wrote:
   Are there any current options available to support on-access
   antivirus scanning on FreeBSD?
 
 why should it be available when it is not needed?

Because the IT policy (currently) requires it. I don't agree with that
policy, but there you are - I don't have the authority to simply ignore it.


   
   FreeBSD doesn't need this as there are no viruses on that system.
 
 Ok, this is a bad reasoning.
   
  Thanks, Daniel. I have looked at Kaspersky, and various others, but
  the main sticking point, as I see it, is that there is no on-access
  scanning capability in any of the AV packages available for FreeBSD.
 
 You will not find them. The scanners running on FreeBSD are looking for
 Windows pests.

Yes, I know. But we have petabytes of file systems shared over SMB/CIFS, so
if a Windows machine introduces something to the network, it strikes me as
reasonable that if my (still putative) FreeBSD system finds it before
another Windows system, I have potentially prevented a much wider problem.


 
  It's not essential to build my case, but it would certainly
  strengthen it.  I use ClamAV on my home mail server, and it works
  well.  I have also tested it out on a desktop machine to run
  on-demand scans, and it works just fine, and doesn't impose so much
  of a load as to be a nuisance.
  
 Does it scan for FreeBSD viruses? I would wonder.

I wouldn't waste your time wondering, if I were you. Of course they *all*
look for malware that infests Windows machines. But, that notwithstanding,
I have to adhere to the policy, whether I like it or not.

 
  We have had a couple of virus outbreaks recently, so this is quite a
  high profile concern around here at the moment. The CIO is from a
  technical background, so I might well be able to convince him of
  FreeBSD's strengths as a very secure system, but I will still need to
  accede to the IT policy, sadly - no way around it.
 
 You will have to give it a miss then.
 
 The security concepts of FreeBSD are 100% different. They will never
 match this kind of policy.

Yes, and I am hoping that that fact is enough to persuade him that the
current policy (which he inherited, by the way, he didn't have a hand in its
establishment) is no longer applicable in an increasingly mixed environment
(Polytropon brought up the obvious matter of smartphones and tablets and
other devices).

Thanks for your thoughts.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \




Re: On-access AV scanning

2012-07-27 Thread Erich Dollansky
Hi,

On Fri, 27 Jul 2012 13:38:11 +0100
Daniel Bye freebsd-questi...@slightlystrange.org wrote:
 On Fri, Jul 27, 2012 at 07:15:29PM +0700, Erich Dollansky wrote:
  On Fri, 27 Jul 2012 12:47:29 +0100
  Daniel Bye freebsd-questi...@slightlystrange.org wrote:
   On Fri, Jul 27, 2012 at 07:19:45AM -0400, Daniel Feenberg wrote:
On Fri, 27 Jul 2012, Daniel Bye wrote:
On Fri, Jul 27, 2012 at 12:51:04PM +0200, Wojciech Puchar
wrote:
Are there any current options available to support on-access
antivirus scanning on FreeBSD?
  
  why should it be available when it is not needed?
 
 Because the IT policy (currently) requires it. I don't agree with that
 policy, but there you are - I don't have the authority to simply
 ignore it.
 
no, no, I meant why should FreeBSD need them. I am aware of your
problem.
 
 Yes, I know. But we have petabytes of file systems shared over
 SMB/CIFS, so if a Windows machine introduces something to the network,
 it strikes me as reasonable that if my (still putative) FreeBSD
 system finds it before another Windows system, I have potentially
 prevented a much wider problem.
 
Why don't you get a FreeBSD machine which scans the network traffic and
have some fun with the results?
 
  The security concepts of FreeBSD are 100% different. They will never
  match this kind of policy.
 
 Yes, and I am hoping that that fact is enough to persuade him that the
 current policy (which he inherited, by the way, he didn't have a hand
 in its establishment) is no longer applicable in an increasingly
 mixed environment (Polytropon brought up the obvious matter of
 smartphones and tablets and other devices).
 
Why don't you have another try? We very often use a FreeBSD machine
with more CPU power as a server and older machines just as thin
clients. These machines can be Windows machines running whatever virus
scanners you want and an X server (cygwin will do). Your applications
run actually on the FreeBSD machine and the Windows machine is only a
terminal.

I think that this could match your policy and also shows how pointless
the policy is.

Erich


Re: On-access AV scanning

2012-07-27 Thread Matthew Seaman
On 27/07/2012 13:15, Erich Dollansky wrote:
 You will not find them. The scanners running on FreeBSD are looking for
 Windows pests.

 Does it scan for FreeBSD viruses? I would wonder.

AV Scanners are looking for the signature of any known malware.  The
important word there is 'known' -- it's malware that has come to the
attention of the AV software manufacturers and that they have published
a fingerprint of.  They don't generally work heuristically, i.e. so
that they could detect and stop a 0-day malware automatically.

Now, as the vast majority of known malware affects Windows -- there are
3 or 4 known worms that used to affect Linux and I think one that would
also have affected FreeBSD (but those all relied on old and vulnerable
versions of Apache to spread and they are from many years ago in any
case) plus a recent virus or two that attacks MacOS X -- then any AV
scanner is, pretty much by definition, going to be looking for Windows
malware.

In the light of that, the OP's workplace AV policy is clearly
nonsensical when applied to a FreeBSD desktop.  Scanning shared
filesystems at regular intervals and scanning incoming mail or web
content is generally sufficient to keep a FreeBSD box clean and also
protect a whole network-full of Windows clients that access it as a
server from most avenues of infection.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW





Re: On-access AV scanning

2012-07-27 Thread Arthur Chance

On 07/27/12 13:14, Daniel Bye wrote:

On Fri, Jul 27, 2012 at 01:52:16PM +0200, Damien Fleuriot wrote:


FUSE ClamFS


Ah, thanks for that. I'll check it out.



But then, FUSE... ew...


I know. But, if it gets me my workstation... ;-)


The wiki suggests that FUSE might be part of release 10:

http://wiki.freebsd.org/FreeBSD10 (under Filesystem header), but I 
gather it's a subject that causes a degree of debate :-}


Anyone who knows more about this care to comment?



Re: On-access AV scanning

2012-07-27 Thread Paul Schmehl
--On July 27, 2012 11:43:08 AM +0100 Daniel Bye 
freebsd-questi...@slightlystrange.org wrote:



Are there any current options available to support on-access antivirus
scanning on FreeBSD?



ClamAV.

I did some testing several years ago with ClamAV, Sophos and McAfee 
(scanning incoming mail), and ClamAV was comparable to McAfee in detection 
rates - over 98%.


If you run the daemon you have on access scanning.  Seems like that would 
satisfy the policy.


It's in ports, so it should be easy to install and keep up to date.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead. Thomas Jefferson
There are some ideas so wrong that only a very
intelligent person could believe in them. George Orwell



Re: On-access AV scanning

2012-07-27 Thread Daniel Bye
On Fri, Jul 27, 2012 at 10:02:26AM -0500, Paul Schmehl wrote:
 --On July 27, 2012 11:43:08 AM +0100 Daniel Bye
 freebsd-questi...@slightlystrange.org wrote:
 
 Are there any current options available to support on-access antivirus
 scanning on FreeBSD?
 
 
 Clamav.

I use it on my home mail server (I have a Windows machine on my network, so
want to trap anything nasty that comes in to protect that). It integrates
well with exim's malware ACL checks.

 
 I did some testing several years ago with ClamAV, Sophos and McAfee
 (scanning incoming mail), and ClamAV was comparable to McAfee in
 detection rates - over 98%.

Yes, it's a good product, no doubt.

 
 If you run the daemon you have on access scanning.  Seems like that
 would satisfy the policy.

No - the daemon only provides on-demand scanning on FreeBSD. That is, it
only scans files that are explicitly passed to it by some other process -
usually an MTA or the clamscan command line tool.  On-access scanning
requires an additional layer on top of the file system, which intercepts
certain file system operations, sending files transparently to the scanner. 
Opening a file in your editor, for example, might cause the file to first be
scanned before your editor can get it.  Likewise, trying to download
something from the web in your browser would cause the file to be scanned
before it's saved to disk.  That's what the dazuko port was for (although it
doesn't work on FreeBSD9, and the latest version is a Linux-only rewrite.)
As Polytropon pointed out, it should be possible to create a passing
approximation by using FAM/Gamin.

Thanks, everyone, for all your input. I think I have enough to be able to
put a strong case forward.

Dan

-- 
Daniel Bye
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \


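An added example, not code from the thread or from the ClamAV project, that puts together the two ideas discussed in this message and in Polytropon's earlier one: clamd stays an on-demand scanner that only inspects what is handed to it, and a separate watcher is what makes it approximate on-access behaviour. Assumptions: standard library only, so new or changed files are found by polling directory snapshots rather than via FAM/Gamin or kqueue; clamd listens on a local Unix socket (the path below is a placeholder, the real one is `LocalSocket` in clamd.conf) and speaks its INSTREAM protocol. The reply parser and a constructed `fake_scanner` let the logic run offline without a clamd. The caveat a polling watcher carries is visible in the design: a file can be opened by a Windows client in the interval between two polls, which is exactly the gap a real interception layer (dazuko, a FUSE filesystem such as ClamFS) closes.

```python
import os
import socket
import struct
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed clamd Unix socket path; the real one is LocalSocket in clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"
CHUNK = 64 * 1024

Snapshot = Dict[str, Tuple[int, int]]          # path -> (mtime_ns, size)
Verdict = Tuple[str, Optional[str]]            # ("OK"|"FOUND"|"ERROR", detail)
Scanner = Callable[[bytes], Verdict]


def snapshot(root: str) -> Snapshot:
    """Record mtime and size of every regular file below root."""
    snap: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue                       # file vanished between listdir and stat
            snap[path] = (st.st_mtime_ns, st.st_size)
    return snap


def changed_files(old: Snapshot, new: Snapshot) -> List[str]:
    """Paths that are new, or whose mtime/size differ from the previous snapshot."""
    return sorted(p for p, sig in new.items() if old.get(p) != sig)


def instream_message(data: bytes) -> bytes:
    """Encode data as a clamd INSTREAM request: 'zINSTREAM\\0', then chunks
    prefixed with a 4-byte big-endian length, terminated by a zero-length chunk."""
    parts = [b"zINSTREAM\0"]
    for i in range(0, len(data), CHUNK):
        piece = data[i:i + CHUNK]
        parts.append(struct.pack(">I", len(piece)) + piece)
    parts.append(struct.pack(">I", 0))
    return b"".join(parts)


def parse_reply(reply: bytes) -> Verdict:
    """Map 'stream: OK', 'stream: <sig> FOUND' or 'stream: <msg> ERROR' to a verdict."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, rest = text.partition(": ")
    if rest == "OK":
        return "OK", None
    for tag in ("FOUND", "ERROR"):
        if rest.endswith(" " + tag):
            return tag, rest[:-len(tag) - 1]
    return "ERROR", text                       # anything unexpected is treated as an error


def clamd_scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Verdict:
    """Stream data to a running clamd over its Unix socket (needs a live clamd)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_message(data))
        reply = b""
        while not reply.endswith(b"\0"):       # z-prefixed commands get a NUL-terminated reply
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


def scan_changes(root: str, previous: Snapshot, scanner: Scanner
                 ) -> Tuple[Snapshot, Dict[str, Verdict]]:
    """One polling round: scan every new/changed file, return (snapshot, verdicts)."""
    current = snapshot(root)
    verdicts: Dict[str, Verdict] = {}
    for path in changed_files(previous, current):
        try:
            with open(path, "rb") as f:
                verdicts[path] = scanner(f.read())
        except OSError as exc:
            verdicts[path] = ("ERROR", str(exc))
    return current, verdicts


def fake_scanner(data: bytes) -> Verdict:
    """Constructed offline stand-in for clamd; flags only the EICAR marker string."""
    if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data:
        return parse_reply(b"stream: Eicar-Test-Signature FOUND\0")
    return parse_reply(b"stream: OK\0")


def watch(root: str, scanner: Scanner = clamd_scan_bytes, interval: float = 2.0) -> None:
    """Poll forever, reporting anything that is not OK (hook a quarantine step here)."""
    prev = snapshot(root)                      # skip a full rescan of the share at startup
    while True:
        time.sleep(interval)
        prev, verdicts = scan_changes(root, prev, scanner)
        for path, (verdict, detail) in verdicts.items():
            if verdict != "OK":
                print(f"{verdict}: {path} ({detail})")


if __name__ == "__main__":
    import sys
    watch(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Point `watch()` at the share root on a machine where clamd is running; the snapshot loop only rescans files whose mtime or size changed, so the steady-state cost on a large share is one `os.walk` per interval rather than a full scan. Swapping `snapshot`/`changed_files` for a FAM/Gamin or kqueue notification source, as the message suggests, shrinks the detection window without touching the clamd side.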


Re: On-access AV scanning

2012-07-27 Thread Mark Felder
Virus scanning should not be your problem. If the Windows users in the  
organization have an antivirus solution there is no need for you to have  
one. It doesn't matter if you share files over SAMBA -- when they access  
the files their virus scanner will check them.



Re: On-access AV scanning

2012-07-27 Thread Polytropon
On Fri, 27 Jul 2012 13:10:12 -0500, Mark Felder wrote:
 Virus scanning should not be your problem. If the Windows users in the  
 organization have an antivirus solution there is no need for you to have  
 one. It doesn't matter if you share files over SAMBA -- when they access  
 the files their virus scanner will check them.

His problem is that there's a corporate reglementation
of what he has to do, which he needs to obey in order to
keep his job. Even though this ruleset contains something
stupid (or even impossible), it's a requirement. Of course
a stupid one, but it does exist.

Surely it would be better for the company that has _admitted_
to have had more than one significant infection to do the
simplest, most stupid and absolutely basic tasks:

1. educate users, repeat educating users, continue
   educating users

2. connect Windows PCs through a non-Windows scanning
   facility to the Internet; think about who needs Internet
   and who doesn't

3. limit access to local storage (CD, DVD, USB sticks) and
   force those to be inserted to the network (e. g. as
   a CIFS share) again through a non-Windows scanning
   facility; again think about who should be allowed to
   enter foreign data to the company network and _how_
   it is _required_ to be done

4. consider the whole network, also think about (W)LAN or
   BT connected smartphones, printers, networking gear

5. learn about viruses, trojans, malware: how they work,
   how they are used and therefore how to actively act
   against them

6. understand security as a process, not a stupid list that
   tells you to have a virus scanner on the system that
   works on access; now go to item 1 again

Of course, _none_ of those points seems to be on the agenda
at the moment. There's still the rule "You must have a
virus scanner on your computer that acts as on-access scanner
and scans for any viruses." It misses both that FreeBSD is
not infectable by Windows viruses, and it does not prevent
any non-virus attacks (such as per smartphone, per printer,
per human stupidity and carelessness).

So I think Daniel is actually on the best road at the moment.
Sure, it won't make _his_ system safer, and it won't make
other systems safer, but it will conform to the rules. If
he's able to use FAM/Gamin as the on-access part, and
a virus scanner he finds suitable for the virus scan part,
that should be sufficient.

if(system_has_scanner && scan_on_access)
        allow_system();
else
        if(insist_on_system)
                fire(Daniel);
        else
                deny_system();

Obeying can be fun, if it _is_ that easy. :-)

Maybe later on, he can convince his superior to switch
on his brain for thinking about the corporate guidelines.
It's worth it, and it saves money. I'm confident that it
is a chance to finally dump the stupid idea of insisting
to have a virus scanner on FreeBSD where there are no
viruses it could scan for.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: On-access AV scanning

2012-07-27 Thread Wojciech Puchar
I did some testing several years ago with ClamAV, Sophos and McAfee (scanning 
incoming mail), and ClamAV was comparable to McAfee in detection rates - over 
98%.


i use clamav for mail virus checking and IMHO it is the only place where 
realtime virus checking makes sense.


some windows users have NOD32 antivirus and i never got a case that NOD32 
detected email virus after clamav filter.


Of course this is all windows only problem, unix doesn't have viruses.