Re: Anti-Virus options

2001-08-03 Thread Greg White

On Fri, Aug 03, 2001 at 03:21:26PM -0400, Ed Weinberg wrote:
> I have seen the anti-virus options listed on the qmail.org site and looked at
> the documentation on vendors' sites.  I was wondering what the advantage was of
> installing the anti-virus add-ons to Qmail (like Qmail-Scanner) when you can just
> run most of the mail scrubbers as a daemon which listens to port 25 and sends
> good email to some non-standard port where qmail-smtpd (via tcpserver) can be
> listening?
> 
>   --  Ed

First thought that occurs to me: why would I trust the AV author to
entirely DTRT WRT SMTP? I use qmail because Dan's code is small, lean,
and appears from all accounts to be immune to remote exploit. I have no
such faith in any AV authors yet -- after all, they're incapable of
filtering simple double-extension Outlook viruses by their nature, why
trust them with network code? *grin*

-- 
Greg White



Re: anti-virus strategies

2001-07-19 Thread Kenny Austin



I am using AMaVIS, you can find it at www.amavis.org.
Before my company started using this we had to keep 250 windows 9x & NT
Workstations updated and there were always a few that quit updating or
something would happen and then they would get hit by the virus of the week.
Since we started using amavis (10~11 months ago) we have not had one system
get infected, after all 99.9% of files come in and out of our company via
email.  On an average day (when no new vb scripts are out) I can see about
10~25 viruses getting blocked by amavis.
In any event, you get the idea.
Kenny Austin
[EMAIL PROTECTED]

  - Original Message -
  From: Michel Rondeau
  To: [EMAIL PROTECTED] ; [EMAIL PROTECTED]
  Sent: Thursday, July 19, 2001 2:43 PM
  Subject: anti-virus strategies

  Hello all,

  We're running Mandrake 8.0 with qmail as an email
  server for a bunch of 2000 and 9x machines.  I was wondering what you
  people would recommend anti-virus wise?  Is it better to have the
  anti-viral program running on the server?  Or should one buy something
  for the client computers?  Or perhaps both?  Any suggestions and/or
  info anyone could provide would be appreciated!

  Thanks,
  Michel Rondeau


Re: anti-virus strategies

2001-07-19 Thread Robin S. Socha

begin Michel Rondeau's <[EMAIL PROTECTED]> LOVELETTERFORYOU.txt.vbs:

> We're running Mandrake 8.0 with qmail as an email server for a bunch
> of 2000 and 9x machines.  I was wondering what you people would
> recommend anti-virus wise? 

fdisk. And then the 2.9 servicepack to secure the machines. That will
also give you time to read man 1 hostname and the archives for these
lists.

end and stuff...



Re: anti-virus program for Qmail

2001-06-26 Thread Erwin Hoffmann

Hi,


At 12:21 26.6.2001 +0800, ?? wrote:
>hi,
>
>that's for ur prompt reply.
>
>think I should re-phrase the question:
>
>are there any FREE antivirus scanner for qmail?
>
>obviously, AVP isn't free for commercial or even personal use.
>
>thanks a lot...
>
Yes, there is.
Try trendmicro.
They only support Red Hat Linux. But it should run on all current Linux'es
(e.g. SuSE) patching the /etc/issue.

cheers.
eh.
>
>- Original Message -
>From: "Joshua Nichols" <[EMAIL PROTECTED]>
>To: "??" <[EMAIL PROTECTED]>
>Sent: Monday, June 25, 2001 11:02 PM
>Subject: RE: anti-virus program for Qmail
>
>
>> FROM www.qmail.org/top.html:
>>
>> --Jason Haar wrote Qmail-Scanner (also known as scan4virus), which scans all
>> gatewayed Email for certain characteristics. It is typically used for its
>> anti-virus protection functions, in which case it is used in conjunction
>> with commercial virus scanners. but also enables a site to react to Email
>> (at a server/site level) that contains specific strings in particular
>> headers, or particular attachment filenames or types (e.g. *.VBS
>> attachments). http://qmail-scanner.sourceforge.net/
>>
>> --AMaViS is A Mail Virus Scanner. http://www.amavis.org/
>>
>> --Kaspersky Lab includes qmail support for their AVP anti-virus program.
>> http://www.avp.ru/
>>
>>
>>
>> also from www.qmail.org/top.html:
>>
>> "There is a discussion list and an announcements list for qmail users,
>> maintained by Dan Bernstein using qmail, of course. There's also an archive.
>> You can search it."
>>
>> archive: http://www.ornl.gov/its/archives/mailing-lists/qmail/
>>
>>
>> In the future, please make sure you've read the FAQ and searched the archive
>> before posting a question.  This question has been answered 3 times a day
>> for the last month!  We're not kidding.  9 times out of 10 your question has
>> already been answered, and it's faster to find that answer in the archives.
>>
>>
>> good luck.
>>
>>
>> --joshua.
>>
>>
>
Dr. Erwin Hoffmann, http://www.fehcom.de
Wiener Weg 8, 50858 Koeln
Tel 0221 484 4923, Fax 0221 484 4924



Re: anti-virus program for Qmail

2001-06-26 Thread Johan Almqvist

* ?? <[EMAIL PROTECTED]> [010626 06:21]:
> > FROM www.qmail.org/top.html:
> >
> > --Jason Haar wrote Qmail-Scanner (also known as scan4virus), which scans all
> > gatewayed Email for certain characteristics. It is typically used for its
> > anti-virus protection functions, in which case it is used in conjunction
> > with commercial virus scanners. but also enables a site to react to Email
> > (at a server/site level) that contains specific strings in particular
> > headers, or particular attachment filenames or types (e.g. *.VBS
> > attachments). http://qmail-scanner.sourceforge.net/

Check out www.antivir.de, which is free for personal use.

-Johan
-- 
Johan Almqvist
http://www.almqvist.net/johan/qmail/



Re: anti-virus program for Qmail

2001-06-25 Thread ??

hi,

that's for ur prompt reply.

think I should re-phrase the question:

are there any FREE antivirus scanner for qmail?

obviously, AVP isn't free for commercial or even personal use.

thanks a lot...



- Original Message -
From: "Joshua Nichols" <[EMAIL PROTECTED]>
To: "??" <[EMAIL PROTECTED]>
Sent: Monday, June 25, 2001 11:02 PM
Subject: RE: anti-virus program for Qmail


> FROM www.qmail.org/top.html:
>
> --Jason Haar wrote Qmail-Scanner (also known as scan4virus), which scans all
> gatewayed Email for certain characteristics. It is typically used for its
> anti-virus protection functions, in which case it is used in conjunction
> with commercial virus scanners. but also enables a site to react to Email
> (at a server/site level) that contains specific strings in particular
> headers, or particular attachment filenames or types (e.g. *.VBS
> attachments). http://qmail-scanner.sourceforge.net/
>
> --AMaViS is A Mail Virus Scanner. http://www.amavis.org/
>
> --Kaspersky Lab includes qmail support for their AVP anti-virus program.
> http://www.avp.ru/
>
>
>
> also from www.qmail.org/top.html:
>
> "There is a discussion list and an announcements list for qmail users,
> maintained by Dan Bernstein using qmail, of course. There's also an archive.
> You can search it."
>
> archive: http://www.ornl.gov/its/archives/mailing-lists/qmail/
>
>
> In the future, please make sure you've read the FAQ and searched the archive
> before posting a question.  This question has been answered 3 times a day
> for the last month!  We're not kidding.  9 times out of 10 your question has
> already been answered, and it's faster to find that answer in the archives.
>
>
> good luck.
>
>
> --joshua.
>
>



Re: anti-virus program for Qmail

2001-06-25 Thread ??

hi,

I would like to know whether there are FREE anti-virus patch for qmail?

thanks a lot..

vincent
- Original Message - 
From: "Chris Johnson" <[EMAIL PROTECTED]>
To: "Alex Tsang" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Sunday, June 24, 2001 10:58 PM
Subject: Re: anti-virus program for Qmail





Re: anti-virus program for Qmail

2001-06-24 Thread Rick Stanley

I use a combination of McAfee's uvscan for Anti-Virus, 
(http://www.mcafee.com), and Jason Haar's qmail-scanner for running uvscan, 
and for filtering, (http://qmail-scanner.sourceforge.net/). I've been very 
happy with the results!


At 07:52 AM 6/24/2001 -0700, Alex Tsang wrote:
>Dear all
>
>  Is there any anti-virus program for qmail?
>
>Regards
>
>Alex Tsang





Re: anti-virus program for Qmail

2001-06-24 Thread Chris Johnson

On Sun, Jun 24, 2001 at 07:52:25AM -0700, Alex Tsang wrote:
> Is there any anti-virus program for qmail? 

Check http://www.qmail.org/top.html#microsoft

Chris



Re: Anti-Virus

2001-04-17 Thread Mihai Serban


Hi!

Check this product (I've just uploaded it on the ftp ;)):
ftp://ftp.gecadsoftware.com/pub/GeCAD/rav8/ravqmailobsd.tar.gz
For more information please visit: http://www.ravantivirus.com

Regards,
Mihai Serban

Martin Marconcini wrote:

Hello: I have to convince a couple of customers to replace MS-Exchange
w/qmail on OpenBSD.

Tech stuff we know apart, He will not accept it if there is no antivirus
(since they are using Symantec For Exchange).

On QMail's web site i've seen a couple of free stuff and Kaspersky
Anti-Virus. The question is, has anyone succeeded running this product on
OpenBSD? It seems to support Linux/FreeBSD only.

And apart from that, any suggestion for antivirus package? He'll need real
time scanning of incoming mail/attachments.

Thanks in advance,

Martin Marconcini
Systems Department
www.circuloasegurador.com
José Andrés Pacheco de Melo 2945, Piso 1 Oficina 6
Buenos Aires - ARGENTINA (C1425AUK)
Phone: +54 (11) 4807-7666
This message is strictly confidential. It may also be privileged or
otherwise protected by work product immunity or other legal rules. If you
have received it by mistake please let us know by reply or to
"[EMAIL PROTECTED]" or to the telephone number +54 (11) 4807-7666 and then
delete it from your system. You should not copy the message or disclose its
contents to anyone.


-- 
Software Developer - GeCAD The Software Company
Tel./Fax: +40-1-321.78.03; Hotline: +40-1-321.78.59;
Please visit http://www.gecadsoftware.com; http://www.ravantivirus.com
 


Re: Anti Virus

2000-08-04 Thread David Dyer-Bennet

Michael T. Babcock <[EMAIL PROTECTED]> writes on 4 August 2000 at 10:02:54 -0400
 > I beg you to cite the place where this list abides by these "Age-old
 > standards".
 > I've cited some standards about mailing lists to people before -- but
 > usually along the lines of "don't quote 100 lines and give only 1 of your
 > own" or "don't use 10 line signatures".  I don't complain about whether my
 > mail reader is only intelligent enough to recognise "-- " as a leader to a
 > signature instead of "--" or "- Michael" ...  

Signature is pretty well-defined, and "-- " is the delimiter.  Stuff
that uses other delimiters breaks all sorts of archiving and reply
software. 

 > That, and I much prefer to put
 > my statements above the quoted text if my statement deals with the entirety
 > of the comment (not just segments, as yours was), so that anyone following
 > the list can quickly read what I have to say without scrolling.

I wish you wouldn't.  When I then respond to various paragraphs of
your text, the resulting sequence is very confusing -- or would be if
I didn't take the trouble to reorder your message first.
-- 
Photos: http://dd-b.lighthunters.net/ Minicon: http://www.mnstf.org/minicon
Bookworms: http://ouroboros.demesne.com/ SF: http://www.dd-b.net/dd-b 
David Dyer-Bennet / Welcome to the future! / [EMAIL PROTECTED]



Re: Anti Virus

2000-08-04 Thread Robin S. Socha

* Steve Wolfe <[EMAIL PROTECTED]> writes:

[scanning for MS viruses under MS OSes]
> Well, in a world devoid of any other security mechanisms, perhaps.
> But it's perfectly easy to simply deny all traffic to the machine not
> related to SMTP, at the router, firewall, and on the machine itself.
> It's hard to exploit something on the machine if your packets never
> get there.

man gauntlet

>> > I trust stuff I pay for more than free, open source scripting efforts.

> Well, it's sixes.  Some commercial software is well-written, a lot
> isn't.  

I beg to differ. You simply cannot know if closed source commercial
software is well written. It may seem to work well, but you don't know
what's under the hood. Back in university, we had the NT 4.0 CD that we
installed on a spare computer for laughs. We had blocked it inside a
firewall. It sent two crypted emails. We let them free. They disappeared
behind a MSN firewall. We did not laugh.

> Some open-source software is well-written, I've found a lot that's
> not.  It all comes down to the individual package.

That's so true it's meaningless, I'd say. There is a lot of really bad
software available especially for Linux, true. But if you take a well
audited distribution (Jurix would be one) or stick to a core *BSD, you'll
find that the code base is excellent. It still remains to be shown how
you break into a bare-bones OpenBSD. I could not say that for a couple
commercial OSes. Bottom line: every system can be made insecure. But some
"packages" are secure by default. qmail springs to mind ;-) Stick to
those and you're fine.
-- 
Robin S. Socha 



Re: Anti Virus

2000-08-04 Thread Chris, the Young One

On Sat, Aug 05, 2000 at 01:13:05AM +1000, Brett Randall wrote:
!  I trust stuff I pay for more
! than free, open source scripting efforts. Just a peace-of-mind.

This reminds me of http://www.ultraviolet.org/treed/lam.txt. :-)

---Chris K.
-- 
 Chris, the Young One |_ Never brag about how your machines haven't been 
  Auckland, New Zealand |_ hacked, or your code hasn't been broken. It's 
http://cloud9.hedgee.com/ |_ guaranteed to bring the wrong kind of 
 PGP: 0xCCC6114E/0x706A6AAD |_ attention. ---Neil Schneider 



Re: Anti Virus

2000-08-04 Thread Steve Wolfe

> > I dislike them as well. All our servers are transitioning to
> > linux/openbsd EXCEPT for this one virus-scanning machine.
>
> Interestingly, this will leave this one machine open to attacks against the
> OS itself. Strange notion of security.

  Well, in a world devoid of any other security mechanisms, perhaps.  But
it's perfectly easy to simply deny all traffic to the machine not related to
SMTP, at the router, firewall, and on the machine itself.  It's hard to
exploit something on the machine if your packets never get there.

> > I trust stuff I pay for more than free, open source scripting efforts.

  Well, it's sixes.  Some commercial software is well-written, a lot isn't.
Some open-source software is well-written, I've found a lot that's not.  It
all comes down to the individual package.

steve




Re: Anti Virus

2000-08-04 Thread Robin S. Socha

* Brett Randall <[EMAIL PROTECTED]> writes:
> OK I wasn't planning on continuing my argument but since others are for me!

I'm still against you, Brett, so let's see how far we'll get... ]:->

>> Incidentally, I dislike NT, Microsoft Outlook and Exchange as much as
>> you probably do.

> I dislike them as well. All our servers are transitioning to
> linux/openbsd EXCEPT for this one virus-scanning machine. 

Interestingly, this will leave this one machine open to attacks against the
OS itself. Strange notion of security. You could be running TrendMicro's
viruswall or [insert AV-vendor] stuff on various flavours of Un*x or Linux
as well.

> Virtually a day after the "I Love you" virus was realised, Norton had
> a fix for it and liveupdate automatically updated it on our server.

Literally one minute after I was informed about the problem via my
email2sms gateway (one of those things you'd call a "scripting effort"
monitoring various security MLs), I had remotely logged into our
mailserver and added a rule nuking all respective emails. Arguably, the
approach is different, but with the gaping holes in MS's security
"policy", chances are yet another script kiddy will find yet another
exploit soonish and it will not qualify as a virus again. Technically
speaking, BTW, ILOVEYOU was not a virus, anyway. Needless to say that
there are i18n versions of MS Office viruses that aren't caught by
American scanners...

> Luckily this prestigious event happened largely on a weekend and so the
> few e-mails which got through the server were then killed on Monday
> when the user went to read their e-mail... 

"Luckily"... how do you sleep at night, Brett, when an integral part of
your security policy relies on luck?

> We have stopped countless hundreds of this virus, and tens of thousands
> of other virii with this firewall-style approach.

Brett, I just talked to my firewall. She's a nice firewall, y'know, and
she's got a great sense of humour. But that carpet was quite expensive,
and I strongly advise you not to make such rude jokes again unless you
want to face punitive damages. Besides, a 19" rack biting a rug is just
plainly ridiculous.

>> come in with dozens of viruses -- usually some combination of Stoned
>> or Monkey with a few other oldies.  These are all caught by modern
>> anti virus software and thus it _should_ be installed on machines.
>> McAfee VirusScan for workstations is only $15 (cost).

> Totally agreed with. You can't always catch the latest and greatest
> virii with virus scanning software and yes killing every binary
> attachment is an approach to removing the possibility altogether, but
> in many cases that is just not an option. 

True. That's why you set up sandboxes in each department, running
Linux and StarOffice. For the unaware, StarOffice is a free, GPL'ed
(?)  Office Suite running on Windows and various Un*xoid OSes. Yes,
it's a little inconvenient to hop to another office to take a look at
an attachment. But it also makes you very angry at the people sending
them. Which is good.

> I trust stuff I pay for more than free, open source scripting efforts.

Ok, so on top of luck, you rely on trust. Then again, it's all that's
left to you, isn't it? While you can have an expert audit Open Source
Software, (closed source) commercial software has to be trusted. I
don't trust closed source software, and even less so if it comes from a
foreign country. Can you guarantee (100%) where Notes or Exchange or
whatever send your company's trade secrets? Does the word OPSEC ring a
bell? IT security isn't everything.

And, quite honestly, I don't like your condescending tone when you talk
about OSS. Calling OpenBSD or qmail "scripting efforts" is, well.. you
know, if MS ever released the Exchange code, and one were to compare it
to qmail's... oh, well...

> Just a peace-of-mind.

Then why are you running qmail? You /are/ running qmail, aren't you?

> Norton are not overly bloated. Lotus' Notes is, to some extent,
> bloated, but we have been using it for the last couple of years with
> thousands of e-mails coming through and being scanned daily and have
> had no obvious problems thus far...

Notes Server has had some bugs that qualify as lethal. And they weren't
fixed nearly as quickly as those in, say, sendmail. What makes you
recommend software with a bad track record in security on a ML for the
most secure mailserver there is?
-- 
Robin S. Socha 



Re: Anti Virus

2000-08-04 Thread Robin S. Socha

* Michael T Babcock <[EMAIL PROTECTED]> writes:
> From: "Robin S. Socha" <[EMAIL PROTECTED]>

Michael,

I thought you were making sense when you suggested ending this thread in
PM. Unfortunately, I was wrong. So here goes...

> Deal with the question at hand, please.

,
| A+14  [Slider  ]:=Anti Virus
|  +20 [Robin S. Socha  ]:= <- anomy for procmail
| A+41[Slider  ]:=
|  +20   [Robin S. Socha  ]:<- 
|http://www.qmail.org/top.html#microsoft
|[...]
|  +59 :=
| A+86[Brett Randall   ]:=
|  +128  [Robin S. Socha  ]:=
| A+14  [Adam McKenna]:=
| A+29 [Paul Schinder   ]:=
|  +55[Robin S. Socha  ]:=
|  +32   [Michael T. Babcock  ]:  <- you are here
`

I presume you can see where you missed the point, Michael?

>> I've said it once and I'll say it again: anti-virus software is
>> snake oil. Under certain circumstances, it will buy you exactly
>> nothing. Had I sent you ILOVEYOU the moment I got it, you would have
>> been fucked. Real bad. Maybe your filter would have caught it, but
>> who knows?

> No, it's not snake-oil.  It's just not perfect.

It is inherently snake-oilish. I would call my colleague in London an
experienced NT admin with a lot of common sense. He went "we've now got
4 virus scanners running, so we're safe". So I went "On your backup
mailserver, too? Cause some nasty buddy just DOS'ed your primary one."
So he went "AAARRR!!!1".

The problem is not the quality of the scanners, the frequency of your
updates, the speed with which updates are released or whatever. The
problem is the quality of MS Software. Windows is a disaster waiting
to happen. Brett advocated using an insecure OS with closed source
protection mechanisms to secure a production environment running an
operating system that is as secure as a bullet proof vest made of
NT-CDs.

Since the system cannot be secured, the threat must be eliminated. Either
by changing the OS or by nuking all attachments that are potentially
dangerous.

> The anti-virus software companies, by necessity, need to analyse a
> virus before they can add the signature to their software.  That
> usually requires that the virus be "in the wild" for some period of
> time first.  

Right. And you do remember how fast ILOVEYOU spread, don't you?

> However, I've had client machines come in with dozens of viruses --
> usually some combination of Stoned or Monkey with a few other oldies.
> These are all caught by modern anti virus software and thus it _should_
> be installed on machines.  McAfee VirusScan for workstations is only
> $15 (cost).

You're working around the problem. Ever wondered how come there are
no[1] viruses for Un*x?

> I don't classify that as snake-oil

You're as entitled to your personal opinion as everybody else. Too
bad it's beside the point since the OP wasn't interested in fixing
an infected system but in preventing viruses (or other dangerous
content) from entering his system. reply-to set accordingly.

Footnotes: 
[1]  Yes, there are three. But they don't exist.
-- 
Robin S. Socha 
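
Added example, not part of the original thread and not code from Qmail-Scanner or any other product named in it: a filename-based attachment check of the kind the posts above discuss (double extensions such as LOVELETTERFORYOU.txt.vbs, blocking *.VBS attachments at the gateway). The extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: illustrative lists, not taken from any scanner's configuration.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".scr", ".pif",
               ".bat", ".cmd", ".com", ".exe", ".shs", ".lnk", ".hta"}
DECOY_EXTS = {".txt", ".doc", ".xls", ".jpg", ".gif", ".pdf", ".htm", ".html"}


def classify_filename(name):
    """Return the reasons a filename should be blocked (empty list = allowed)."""
    # Windows drops trailing dots and spaces, so "x.exe. " still runs as x.exe.
    cleaned = name.strip().rstrip(". ").lower()
    parts = cleaned.rsplit(".", 2)
    if len(parts) < 2:
        return []                      # no extension at all
    # Strip each piece so space padding ("a.txt     .exe") cannot hide it.
    ext = "." + parts[-1].strip()
    reasons = []
    if ext in SCRIPT_EXTS:
        reasons.append("executable-extension:" + ext)
        if len(parts) == 3:
            inner = "." + parts[-2].strip()
            # A harmless-looking inner extension in front of an executable
            # one is the double-extension trick: mail clients that hide
            # known extensions show only "name.txt".
            if inner in DECOY_EXTS:
                reasons.append("double-extension:" + inner + ext)
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message and return [(filename, reasons), ...]."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() checks Content-Disposition "filename" and falls
        # back to the Content-Type "name" parameter.
        name = part.get_filename()
        if not name:
            continue
        reasons = classify_filename(name)
        if reasons:
            findings.append((name, reasons))
    return findings


def verdict(raw):
    """Gateway decision: reject the whole message if any part is flagged."""
    return "reject" if scan_message(raw) else "accept"


def build_sample():
    """Constructed sample message; the attachment bodies are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachments.")
    msg.add_attachment(b"harmless placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename="LOVELETTERFORYOU.txt.vbs")
    msg.add_attachment("meeting notes", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    for fname, why in scan_message(raw):
        print(fname, "->", ", ".join(why))
    print("verdict:", verdict(raw))
```

A filename check like this needs no signature update, but it only sees the name the sender declares; it complements content scanning rather than replacing it.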



RE: Anti Virus

2000-08-04 Thread Brett Randall

OK I wasn't planning on continuing my argument but since others are for me!
...

> Incidentally, I dislike NT, Microsoft Outlook and Exchange as much as you
> probably do.

I dislike them as well. All our servers are transitioning to linux/openbsd
EXCEPT for this one virus-scanning machine. Virtually a day after the "I
Love you" virus was realised, Norton had a fix for it and liveupdate
automatically updated it on our server. This change was propagated to every
client in the building, as well as used in scanning of e-mails. Luckily this
prestigious event happened largely on a weekend and so the few e-mails which
got through the server were then killed on Monday when the user went to read
their e-mail...We have stopped countless hundreds of this virus, and tens of
thousands of other virii with this firewall-style approach.

> come in with dozens of viruses -- usually some combination of Stoned or
> Monkey with a few other oldies.  These are all caught by modern anti virus
> software and thus it _should_ be installed on machines.  McAfee VirusScan
> for workstations is only $15 (cost).

Totally agreed with. You can't always catch the latest and greatest virii
with virus scanning software and yes killing every binary attachment is an
approach to removing the possibility altogether, but in many cases that is
just not an option. Killing script files, ok...can understand that. Less
impact on working habits, 95% agree with it. I trust stuff I pay for more
than free, open source scripting efforts. Just a peace-of-mind. Norton are
not overly bloated. Lotus' Notes is, to some extent, bloated, but we have
been using it for the last couple of years with thousands of e-mails coming
through and being scanned daily and have had no obvious problems thus far...

Brett.

Manager
InterPlanetary Solutions
http://ipsware.com/


> -Original Message-
> From: Michael T. Babcock [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, August 05, 2000 12:36 AM
> To: qmail list; Robin S. Socha
> Subject: Re: Anti Virus
>
>
> - Original Message -
> From: "Robin S. Socha" <[EMAIL PROTECTED]>




RE: Anti Virus

2000-08-04 Thread Slider

Well,

I think we should keep the topic!

There are a lot of inexperienced users out there like myself who are rather
interested in this topic!

Slider


> Because I reformatted his mail according to age-old standards. In short,
> it boils down to the following:

Some ideas for the list and it turns to this? Any voters to return to the
topic of how to stop our users getting virii attacks?

Thanks for opinions, defences, and updates on the latest netiquette.

Brett.

Manager
InterPlanetary Solutions
http://ipsware.com/






Re: Anti Virus

2000-08-04 Thread Michael T. Babcock

- Original Message -
From: "Robin S. Socha" <[EMAIL PROTECTED]>


> So you are basically advocating running a piece of extremely expensive
> software with a mixed track record of functionality, running on an
> unstable, expensive and insecure operating system for production
> services?
> [ ... ]
> So, you're not only running an unstable OS but also an extremely
> flaky, bug-ridden MTA, and you actually have this setup connected to
> the internet. May I ask what your company is worth *to you*?

Sometimes it's not their choice, you do realise.  It might be that any tech
that decides to change operating systems gets fired.  That happens.  Deal
with the question at hand, please.

> It's more up to one's TCO calculations, isn't it? So, you're not only
> running an unstable OS but also an extremely flaky, bug-ridden MTA, have
> this setup connected to the internet, but also throw in more money to
> buy unneeded functionality that is likely to introduce more bugs. Can
> you explain your rationale, please?

They have no need to justify their rationale to you.  You don't matter to
their corporation in all likelihood.  In that light, maybe you could have
stuck to answering what was asked?

> Wow, we're finally back on topic... *sigh*

The previous part of the message was to satisfy those folks who always say
'give us more detail about your setup' (like me).

Incidentally, I dislike NT, Microsoft Outlook and Exchange as much as you
probably do.

> I've said it once and I'll say it again: anti-virus software is snake
> oil. Under certain circumstances, it will buy you exactly nothing. Had I
> sent you ILOVEYOU the moment I got it, you would have been fucked. Real
> bad. Maybe your filter would have caught it, but who knows?

No, it's not snake-oil.  It's just not perfect.  The anti-virus software
companies, by necessity, need to analyse a virus before they can add the
signature to their software.  That usually requires that the virus be "in
the wild" for some period of time first.  However, I've had client machines
come in with dozens of viruses -- usually some combination of Stoned or
Monkey with a few other oldies.  These are all caught by modern anti virus
software and thus it _should_ be installed on machines.  McAfee VirusScan
for workstations is only $15 (cost).

I don't classify that as snake-oil
--
Michael T. Babcock
CTO, FibreSpeed




Re: Anti Virus

2000-08-04 Thread Michael T. Babcock

I beg you to cite the place where this list abides by these "Age-old
standards".
I've cited some standards about mailing lists to people before -- but
usually along the lines of "don't quote 100 lines and give only 1 of your
own" or "don't use 10 line signatures".  I don't complain about whether my
mail reader is only intelligent enough to recognise "-- " as a leader to a
signature instead of "--" or "- Michael" ...  That, and I much prefer to put
my statements above the quoted text if my statement deals with the entirety
of the comment (not just segments, as yours was), so that anyone following
the list can quickly read what I have to say without scrolling.

- Original Message -
From: "Robin S. Socha" <[EMAIL PROTECTED]>


Because I reformatted his mail according to age-old standards. In short,
it boils down to the following:

[ MTB: available in archives: http://www-archive.ornl.gov:8000/ ]

Rationale: some people
actually pay for download. Full quotes with HTML make an email
significantly bigger than necessary (like, 5 times per average) without
buying the reader anything. All it takes is a little thoughtfulness on
behalf of the users of inferior (or badly set up) software (cf. my sig
for a good tool). Is that asked too much, Paul?

[ MTB: cf. http://cr.yp.to/sarcasm/modest-proposal.txt ]




RE: Anti Virus

2000-08-04 Thread Brett Randall

> Because I reformatted his mail according to age-old standards. In short,
> it boils down to the following:

Some ideas for the list and it turns to this? Any voters to return to the
topic of how to stop our users getting virii attacks?

Thanks for opinions, defences, and updates on the latest netiquette.

Brett.

Manager
InterPlanetary Solutions
http://ipsware.com/




Re: Anti Virus

2000-08-04 Thread Robin S. Socha

* Paul Schinder <[EMAIL PROTECTED]> writes:

This is all grossly off topic. I suggest taking this thread off the
list ASAP and apologize for the inconvenience caused by my unnecessary
rudeness.

[my complaint about overhead through uncropped quotes]
> Does anyone else see what he's complaining about?  I've read this
> thread using MacOS Eudora, and just looked at one of the messages with
> mutt, and I see nothing out of the ordinary.

Because I reformatted his mail according to age-old standards. In short,
it boils down to the following:

· your text goes below the quoted text;

· trim and if necessary reformat malformed quotes to the absolute
  minimum, using "[...]" where necessary;

· a line ends at 80 characters max.;

· no HTML, format-fla^Hwed, or similar "enhancements" on mailing lists -
  ASCII only;

· an attribution line is 1 (one) line;

· sigdashes are "-- " (aka dash, dash, blank RET - you, Paul, are missing
  the blank, rendering the whole thing useless for both my address book
  (which is aimed at snarfing information from signatures) and my email
  setup that automatically nukes signatures in replies);

> (Reminds me of the time some idiot flamed me on Usenet for using "}"
> instead of ">" as the quoting character.)

Might as well have been me. ">" is for quoted text in a reply, "|" is
for quotes from external sources. Using non-standard conformant quote
strings breaks many editors in the way that text cannot be automatically
reformatted to fit the "80 char per line" limit. It's nice and dandy
that you can do loads of things you might think funny with your MUA -
but it does not really mean you *have* to do them, right? I mean, I
could do quoted-printable, text-enriched text with nested citations and
a 10 line "attribution line". It's all here and I could even encode it
according to some arcane standards. But it would annoy you just as much
as mindless use of toys like Outlook annoys me (and AFAICS the majority
of technically-minded users all over the Net). Rationale: some people
actually pay for download. Full quotes with HTML make an email
significantly bigger than necessary (like, 5 times per average) without
buying the reader anything. All it takes is a little thoughtfulness on
behalf of the users of inferior (or badly set up) software (cf. my sig
for a good tool). Is that asking too much, Paul?
-- 
Robin S. Socha 



Re: Anti Virus

2000-08-04 Thread Paul Schinder

At 4:20 AM -0400 8/4/00, Adam McKenna wrote:
>On Fri, Aug 04, 2000 at 10:17:41AM +0200, Robin S. Socha wrote:
>>  your way of quoting *may* be convenient for you. It is, however, annoying
>>  for probably everyone else (particularly people not reading your "threads"
>>  in a row. It also adds a *massive* amount of unnecessary overhead. May I
>>  suggest your grabbing a copy - really, just about any - of the netiquette
>>  and fixing your mail toys?
>
>For christ sake, leave the guy alone.  IMHO your incessant personal attacks
>are way more annoying than his quoting style.

Does anyone else see what he's complaining about?  I've read this 
thread using MacOS Eudora, and just looked at one of the messages 
with mutt, and I see nothing out of the ordinary.  (Reminds me of the 
time some idiot flamed me on Usenet for using "}" instead of ">" as 
the quoting character.)

>
>--Adam

-- 
--
Paul J. Schinder
NASA Goddard Space Flight Center
Code 693
[EMAIL PROTECTED]



Re: Anti Virus

2000-08-04 Thread Adam McKenna

On Fri, Aug 04, 2000 at 10:17:41AM +0200, Robin S. Socha wrote:
> your way of quoting *may* be convenient for you. It is, however, annoying
> for probably everyone else (particularly people not reading your "threads"
> in a row. It also adds a *massive* amount of unnecessary overhead. May I
> suggest your grabbing a copy - really, just about any - of the netiquette
> and fixing your mail toys?

For christ sake, leave the guy alone.  IMHO your incessant personal attacks 
are way more annoying than his quoting style.

--Adam



Re: Anti Virus

2000-08-04 Thread Robin S. Socha

* Brett Randall <[EMAIL PROTECTED]> writes:
> From: Noel Mistula [mailto:[EMAIL PROTECTED]]
>> From: Brett Randall <[EMAIL PROTECTED]>
>>> From: Brett Randall [mailto:[EMAIL PROTECTED]]

Dear Brett and Randall,

your way of quoting *may* be convenient for you. It is, however, annoying
for probably everyone else (particularly people not reading your "threads"
in a row. It also adds a *massive* amount of unnecessary overhead. May I
suggest your grabbing a copy - really, just about any - of the netiquette
and fixing your mail toys?

 Our organisation has an NT (sorry :> ) box which acts as the
 primary MX server for our domain. All mail goes to it and gets
 scanned via the (brilliant, automatic, no-maintenance) Norton
 Antivirus Enterprise software 

So you are basically advocating running a piece of extremely expensive
software with a mixed track record of functionality, running on an
unstable, expensive and insecure operating system for production
services?

 (worth a little money but what is your company's data worth to
 you?).

My company is worth enough to me not to trust closed-source, proprietary
software from a foreign country. Particularly since I've seen NT send
encrypted emails to a firewall in the MS network after installation. Thank
you very much.

 It then just relays it on to the internal mail machine (via an MX
 lookup in the internal DNS for the same domain as the e-mail was
 sent to). We route several domains through the one server, and it
 works like a dream!

Can you - in simple terms so a mere user like me can understand -
explain to me what the advantage of this setup is over, say, RedHat
Linux with Trend Micro's VirusWall (if you think you absolutely must
rely on software you bought instead of the vast array of free software
offering the same functionality but having the advantage of being open
sourced)?

>>> But then again, scripts kiddies are "Always" one step ahead compared
>>> to the dat files of your beautiful Norton Enterprise Antivirus.

>> Sorry, forgot to add that we use Norton Antivirus as a 'plug-in' for the
>> Lotus Notes e-mail server on our internet-viewable SMTP machine. 

So, you're not only running an unstable OS but also an extremely
flaky, bug-ridden MTA, and you actually have this setup connected to
the internet. May I ask what your company is worth *to you*?

>> This of course adds the possibility of much more functionality, which
>> we use as if it was sand on the beach in summer, but that's up to
>> your organisation's needs :>

It's more up to one's TCO calculations, isn't it? So, you're not only
running an unstable OS but also an extremely flaky, bug-ridden MTA, have
this setup connected to the internet, but also throw in more money to
buy unneeded functionality that is likely to introduce more bugs. Can
you explain your rationale, please?

> True, and I shouldn't have recommended Norton Enterprise without the
> use of some other filtering software to hold back the yucky vbs, sh,
> ... files, 

Wow, we're finally back on topic... *sigh* I'd like to thank Noel
G. Mistula again for his little script. Works. What was the advantage of
running an expensive piece of feature-ridden software from a dubious
source again?

> but even then our organisation (and how many others?)  deals with
> corporations from all over the world who do various bits of work for
> us - art, programming, web site design... 

You seem not to have grasped the concept of "service" yet. It goes like
this: "you want my money? Here's a list of files we don't accept for
security reasons. Basically everything that says Microsoft is, like,
no-no. Got it? No? Here's our public security policy describing the
conversion of your files to safe formats. Use it or learn to fear me."

> I guess corporate policy and training is the best solution 

It can be. If you add a little spice. Like "in violating our security
policy, you're jeopardizing your colleagues' work and the reputation of
the entire company and therefore make yourself subject to immediate
sacking". I've seen this policy at work (first in an Ohio non-profit
organization of all places) and it, well, works. /Telling/ people that
everything Windows is Hiroshima waiting to happen to their company is
not enough - you need to create a personal interest in these matters.

It took a blatant display of arrogance and a lot of security "hype" but
that's how I prevented NT/MS-Exchange to happen on our mailserver. I'm now
running OpenBSD http://www.openbsd.org/ and qmail - everyone's *extremely*
pleased with the result. qmail and DJB's other software as well as the
software submitted by various people are simply excellent. I'd like to
take the opportunity to express my heartfelt gratefulness for providing a
stable, secure and [...] mail environment.

> but a combo of good anti-virus software and good filtering software

I've said it once and I'll say it again: anti-virus software is snake
oil. Under certain circumstances

RE: Anti Virus

2000-08-03 Thread Brett Randall

True, and I shouldn't have recommended Norton Enterprise without the use of
some other filtering software to hold back the yucky vbs, sh, ... files, but
even then our organisation (and how many others?) deals with corporations
from all over the world who do various bits of work for us - art,
programming, web site design...I guess corporate policy and training is the
best solution but a combo of good anti-virus software and good filtering
software (perhaps something to alert sysadmin with it the script attached so
it can be verified and either permanently banned or passed through?) would
do most people fairly well...

Brett.

Manager
InterPlanetary Solutions
http://ipsware.com/



> -Original Message-
> From: Noel Mistula [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 04, 2000 4:02 PM
> To: Brett Randall; qmail
> Subject: Re: Anti Virus
>
>
> But then again, scripts kiddies are "Always" one step
> ahead compared to the dat files of your beautiful Norton Enterprise
> Antivirus.
>
> cheers
>
> Noel
>
> -Original Message-
> From: Brett Randall <[EMAIL PROTECTED]>
> To: qmail <[EMAIL PROTECTED]>
> Date: Friday, 4 August 2000 15:51
> Subject: RE: Anti Virus
>
>
> >Sorry, forgot to add that we use Norton Antivirus as a 'plug-in' for the
> >Lotus Notes e-mail server on our internet-viewable SMTP machine. This of
> >course adds the possibility of much more functionality, which we use as if
> >it was sand on the beach in summer, but that's up to your organisation's
> >needs :>
> >
> >Brett
> >
> >Manager
> >InterPlanetary Solutions
> >http://ipsware.com/
> >
> >
> >
> >> -Original Message-
> >> From: Brett Randall [mailto:[EMAIL PROTECTED]]
> >> Sent: Friday, August 04, 2000 3:44 PM
> >> To: qmail
> >> Subject: RE: Anti Virus
> >>
> >>
> >> On another note...
> >>
> >> Our organisation has an NT (sorry :> ) box which acts as the
> >> primary MX server for our domain. All mail goes to it and gets
> >> scanned via the (brilliant, automatic, no-maintenance) Norton
> >> Antivirus Enterprise software (worth a little money but what is
> >> your company's data worth to you?). It then just relays it on to
> >> the internal mail machine (via an MX lookup in the internal DNS
> >> for the same domain as the e-mail was sent to). We route several
> >> domains through the one server, and it works like a dream!
> >>
> >> Brett.
> >>
> >> Manager
> >> InterPlanetary Solutions
> >> http://ipsware.com/
> >>
> >
> >
>




Re: Anti Virus

2000-08-03 Thread Noel Mistula

But then again, scripts kiddies are "Always" one step
ahead compared to the dat files of your beautiful Norton Enterprise
Antivirus.

cheers

Noel

-Original Message-
From: Brett Randall <[EMAIL PROTECTED]>
To: qmail <[EMAIL PROTECTED]>
Date: Friday, 4 August 2000 15:51
Subject: RE: Anti Virus


>Sorry, forgot to add that we use Norton Antivirus as a 'plug-in' for the
>Lotus Notes e-mail server on our internet-viewable SMTP machine. This of
>course adds the possibility of much more functionality, which we use as if
>it was sand on the beach in summer, but that's up to your organisation's
>needs :>
>
>Brett
>
>Manager
>InterPlanetary Solutions
>http://ipsware.com/
>
>
>
>> -Original Message-
>> From: Brett Randall [mailto:[EMAIL PROTECTED]]
>> Sent: Friday, August 04, 2000 3:44 PM
>> To: qmail
>> Subject: RE: Anti Virus
>>
>>
>> On another note...
>>
>> Our organisation has an NT (sorry :> ) box which acts as the
>> primary MX server for our domain. All mail goes to it and gets
>> scanned via the (brilliant, automatic, no-maintenance) Norton
>> Antivirus Enterprise software (worth a little money but what is
>> your company's data worth to you?). It then just relays it on to
>> the internal mail machine (via an MX lookup in the internal DNS
>> for the same domain as the e-mail was sent to). We route several
>> domains through the one server, and it works like a dream!
>>
>> Brett.
>>
>> Manager
>> InterPlanetary Solutions
>> http://ipsware.com/
>>
>
>




RE: Anti Virus

2000-08-03 Thread Brett Randall

Sorry, forgot to add that we use Norton Antivirus as a 'plug-in' for the
Lotus Notes e-mail server on our internet-viewable SMTP machine. This of
course adds the possibility of much more functionality, which we use as if
it was sand on the beach in summer, but that's up to your organisation's
needs :>

Brett

Manager
InterPlanetary Solutions
http://ipsware.com/



> -Original Message-
> From: Brett Randall [mailto:[EMAIL PROTECTED]]
> Sent: Friday, August 04, 2000 3:44 PM
> To: qmail
> Subject: RE: Anti Virus
>
>
> On another note...
>
> Our organisation has an NT (sorry :> ) box which acts as the
> primary MX server for our domain. All mail goes to it and gets
> scanned via the (brilliant, automatic, no-maintenance) Norton
> Antivirus Enterprise software (worth a little money but what is
> your company's data worth to you?). It then just relays it on to
> the internal mail machine (via an MX lookup in the internal DNS
> for the same domain as the e-mail was sent to). We route several
> domains through the one server, and it works like a dream!
>
> Brett.
>
> Manager
> InterPlanetary Solutions
> http://ipsware.com/
>




RE: Anti Virus

2000-08-03 Thread Brett Randall

On another note...

Our organisation has an NT (sorry :> ) box which acts as the primary MX
server for our domain. All mail goes to it and gets scanned via the
(brilliant, automatic, no-maintenance) Norton Antivirus Enterprise software
(worth a little money but what is your company's data worth to you?). It
then just relays it on to the internal mail machine (via an MX lookup in the
internal DNS for the same domain as the e-mail was sent to). We route
several domains through the one server, and it works like a dream!

Brett.

Manager
InterPlanetary Solutions
http://ipsware.com/




Re: Anti Virus

2000-08-03 Thread Eric Cox



Alexander Pennace wrote:
> 
> Not all binary attachments are bad. PGP/MIME signed messages (such as
> this one) put the PGP signature in a MIME attachment, see
> http://www.rfc-editor.org/rfc/rfc2015.txt.
> 
> I would be very unhappy if someone was removing the PGP signatures
> from my messages.

What PGP signatures?  



:-)


Eric



Re: Anti Virus

2000-08-03 Thread Noel Mistula

I like AV. I really do. But the thing is "all" AV are "reactive".
You can only be protected all the time iff, your dat file is updated every
minute.
But if the LoveBug or Melissa or any html borne worm
is mutating every minute then your AV dat file is useless.

the choice is yours...

cheers

Noel


-Original Message-
From: Jason Haar <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Friday, 4 August 2000 9:07
Subject: Re: Anti Virus


>On Thu, Aug 03, 2000 at 02:28:38PM +0100, Slider wrote:
>> Hello again!
>>
>> Thanks for the tip on procmail, looking at it, it seems to be more a
>> personal solution. apologies for not being clear, is there a bulk method
>> of scanning viruses?
>
>Go look at http://www.geocities.com/jhaar/scan4virus/
>
>A Qmail-specific Email scanner that supports many Unix versions of
>commercial AV scanners (e.g. Trend, McAfee/NAI).
>
>Works great - but then I'd say that ;-)
>
>--
>Cheers
>
>Jason Haar
>
>Unix/Network Specialist, Trimble NZ
>Phone: +64 3 9635 377 Fax: +64 3 9635 417
>
>




Re: Anti Virus

2000-08-03 Thread Jason Haar

On Thu, Aug 03, 2000 at 02:28:38PM +0100, Slider wrote:
> Hello again!
> 
> Thanks for the tip on procmail, looking at it, it seems to be more a
> personal solution. apologies for not being clear, is there a bulk method
> of scanning viruses?

Go look at http://www.geocities.com/jhaar/scan4virus/

A Qmail-specific Email scanner that supports many Unix versions of
commercial AV scanners (e.g. Trend, McAfee/NAI).

Works great - but then I'd say that ;-)

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
   



Re: Anti Virus

2000-08-03 Thread Noel Mistula

Hi,

Speaking of filtering binary attachments?
Use my method...right here.
http://www.ornl.gov/its/archives/mailing-lists/qmail/1999/07/msg00518.html

just modify it at your own requirements.

cheers

Noel

-Original Message-
From: Robin S. Socha <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, 3 August 2000 22:45
Subject: Re: Anti Virus


>* Slider  <[EMAIL PROTECTED]> writes:
>> Please can anyone inform me as to the best anti virus package that is
>> not going to cost me an absolute fortune and is really reliable to
>> plug onto the server side!
>
>Use procmail to filter out all attachments. Keep a LART at hand in case
>your cow-orkers start whining. Make them fear you. Tell your management
>to release a policy on the grounds of which anyone sending or receiving
>binary attachments will be sacked immediately.  Works fine for me.
>
>As an alternative, install an Operating System on the clients and get
>rid of viruses for good. Rationale: we were running 4 virus scanners at
>once and that still would not have prevented us from being infected with
>(to mention just two) Melissa and ILOVEYOU. Search freshmeat for anomy
>or sanitize or something.
>-- 
>Robin S. Socha <http://socha.net/>
>




Re: Anti Virus

2000-08-03 Thread Robin S. Socha

* Slider  <[EMAIL PROTECTED]> writes:

Your quoting is an abomination. Please fix it or refrain from using
software that simply is not meant to be used in a technical environment.

> Thanks for the tip on procmail, looking at it, it seems to be more a
> personal solution. 

It isn't. Take a look at proc.sh that comes with the source distribution.

> apologies for not being clear, is there a bulk method of scanning
> viruses?

Did you bother visiting the qmail website first?
http://www.qmail.org/top.html#microsoft
-- 
Robin S. Socha 



Re: Anti Virus

2000-08-03 Thread Alexander Pennace

On Thu, Aug 03, 2000 at 02:33:04PM +0200, Robin S. Socha wrote:
> * Slider  <[EMAIL PROTECTED]> writes:
> > Please can anyone inform me as to the best anti virus package that is
> > not going to cost me an absolute fortune and is really reliable to
> > plug onto the server side!
> 
> Use procmail to filter out all attachments. Keep a LART at hand in case
> your cow-orkers start whining. Make them fear you. Tell your management
> to release a policy on the grounds of which anyone sending or receiving
> binary attachments will be sacked immediately.  Works fine for me.

Not all binary attachments are bad. PGP/MIME signed messages (such as
this one) put the PGP signature in a MIME attachment, see
http://www.rfc-editor.org/rfc/rfc2015.txt.

I would be very unhappy if someone was removing the PGP signatures
from my messages.

 PGP signature


RE: Anti Virus

2000-08-03 Thread Slider

Hello again!

Thanks for the tip on procmail, looking at it, it seems to be more a
personal solution. apologies for not being clear, is there a bulk method
of scanning viruses?

Thanks

AC



-Original Message-
From: Robin S. Socha [mailto:[EMAIL PROTECTED]]
Sent: 03 August 2000 13:33
To: [EMAIL PROTECTED]
Subject: Re: Anti Virus


* Slider  <[EMAIL PROTECTED]> writes:
> Please can anyone inform me as to the best anti virus package that is
> not going to cost me an absolute fortune and is really reliable to
> plug onto the server side!

Use procmail to filter out all attachments. Keep a LART at hand in case
your cow-orkers start whining. Make them fear you. Tell your management
to release a policy on the grounds of which anyone sending or receiving
binary attachments will be sacked immediately.  Works fine for me.

As an alternative, install an Operating System on the clients and get
rid of viruses for good. Rationale: we were running 4 virus scanners at
once and that still would not have prevented us from being infected with
(to mention just two) Melissa and ILOVEYOU. Search freshmeat for anomy
or sanitize or something.
--
Robin S. Socha <http://socha.net/>





Re: Anti Virus

2000-08-03 Thread Robin S. Socha

* Slider  <[EMAIL PROTECTED]> writes:
> Please can anyone inform me as to the best anti virus package that is
> not going to cost me an absolute fortune and is really reliable to
> plug onto the server side!

Use procmail to filter out all attachments. Keep a LART at hand in case
your cow-orkers start whining. Make them fear you. Tell your management
to release a policy on the grounds of which anyone sending or receiving
binary attachments will be sacked immediately.  Works fine for me.

As an alternative, install an Operating System on the clients and get
rid of viruses for good. Rationale: we were running 4 virus scanners at
once and that still would not have prevented us from being infected with
(to mention just two) Melissa and ILOVEYOU. Search freshmeat for anomy
or sanitize or something.
-- 
Robin S. Socha 



Re: Anti-virus

2000-05-08 Thread Steve Peace

I am using the Amavis wrapper with McAfee's anti virus.  Seems to work
great for me.  The install was also a snap.  Good luck!

Steve P.
- Original Message -
From: "Andrés" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, May 06, 2000 6:02 PM
Subject: Anti-virus


> Hello.
>
> I've been looking for programs to install with my Qmail to detect those
> nasty virus. The only program which seems to work with Qmail is Scan4virus
> and AMaViS (this one hasn't been tested).
>
> Is there anyone more? Which one is the best?
>
> Thanks.
>
>



Re: Anti-virus

2000-05-08 Thread Jason Haar

On Sun, May 07, 2000 at 03:06:52PM +0200, Rainer Link wrote:
> Sweep, H+B EDV AntiVir, KasperskyLabs AVP or F-Secure AV. If an infected
> attachment is detected, the complete mail is moved to a quarantine
> directory. It is then up to you, to clean an infected attachment with one
> of the above commercial antivirus software.

Too right - in fact I think that's probably the best thing to do. Cleaning
up infected Email means what - you _don't_ bother telling anyone there was
an infection present? If you can clean out the virus automatically, where is
the "incentive" for the infected person to actually get rid of the virus?

Quarantines are the best option IMHO - they "suggest" to the infected party
that they should sort out their system, and still allow the recipient to get
access to the message (after it's been manually cleaned of course).

Of course, what do you do with viruses like ILOVEYOU? There is no message to
"clean" as such...


-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 9635 377 Fax: +64 3 9635 417
   



Re: Anti-virus

2000-05-07 Thread Rainer Link

Ronneil Camara wrote:

> Is amavis for linux just a virus scanner? Or does it clean viruses also?

Neither AMaViS nor scan4virus are antivirus software per se. They need
one (or more) installed (commercial) antivirus packages, such as Sophos
Sweep, H+B EDV AntiVir, KasperskyLabs AVP or F-Secure AV. If an infected
attachment is detected, the complete mail is moved to a quarantine
directory. It is then up to you, to clean an infected attachment with one
of the above commercial antivirus software.

HTH

best regards,
Rainer Link

-- 
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)   
[EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)
rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)



RE: Anti-virus

2000-05-07 Thread Ronneil Camara

Is amavis for linux just a virus scanner? Or does it clean viruses also?

Thanks



Re: Anti-virus

2000-05-07 Thread Rainer Link

Andrés wrote:

> >See also the discussion a few days before. For a comparison, I would
> >recommend AMaViS-Perl at http://www.unixzone.com/virus/.
> >Which one is best - well, I'm biased :-)
> I've seen in your web a patch for the latest version of Amavis, do I need to
> apply that patch for the Perl version of Amavis?

No, the two patches on my homepage (www.cn.fh-furtwangen.de/~link/)
apply only to AMaViS 0.2.0-pre6 (the "original" version). They are in a
way out-of-date, because most stuff is included into 0.2.0-pre6-clm-rl-8
(that's the shell script version). 
Simply download AMaViS-Perl-6 (maybe also some required Perl modules)
and give it a try. 

HTH

best regards,
Rainer Link

-- 
Rainer Link  | Student of Computer Networking
[EMAIL PROTECTED] | University of Applied Sciences, Furtwangen, Germany   
rainer.w3.to | http://www.computer-networking.de/



RE: Anti-virus

2000-05-07 Thread Andrés

>> Hello.
>>
>> I've been looking for programs to install with my Qmail to detect those
>> nasty virus. The only program which seems to work with Qmail is Scan4virus
>> and AMaViS (this one hasn't been tested).
>>
>> Is there anyone more? Which one is the best?
>
>Well, see http://av-linux.w3.to/, click on english and then the
>Mini-FAQ. Note: AVP for qmail is missing in the Mini-FAQ (I'll update it
>today).
>See also the discussion a few days before. For a comparison, I would
>recommend AMaViS-Perl at http://www.unixzone.com/virus/.
>
>Which one is best - well, I'm biased :-)

I've seen in your web a patch for the latest version of Amavis, do I need to
apply that patch for the Perl version of Amavis?




Re: Anti-virus

2000-05-07 Thread Rainer Link

Andrés wrote:
> 
> Hello.
> 
> I've been looking for programs to install with my Qmail to detect those
> nasty virus. The only program which seems to work with Qmail is Scan4virus
> and AMaViS (this one hasn't been tested).
> 
> Is there anyone more? Which one is the best?

Well, see http://av-linux.w3.to/, click on english and then the
Mini-FAQ. Note: AVP for qmail is missing in the Mini-FAQ (I'll update it
today). 
See also the discussion a few days before. For a comparison, I would
recommend AMaViS-Perl at http://www.unixzone.com/virus/.

Which one is best - well, I'm biased :-)

best regards,
Rainer Link

-- 
Rainer Link  | Member of Virus Help Munich (www.vhm.haitec.de)   
[EMAIL PROTECTED] | Member of AMaViS Development Team (amavis.org)
rainer.w3.to | Maintainer FAQ "antivirus for Linux" (av-linux.w3.to)



Re: Anti Virus Solution

1999-12-13 Thread Jason Haar

On Mon, Dec 13, 1999 at 11:50:54PM -0300, [EMAIL PROTECTED] wrote:
> 
> > > It's fast, perl-based and specifically written for qmail.
> > > 
> > > See http://www.geocities.com/jhaar/scan4virus/ for details...
> > > 
> 
> I could not get it... Am I wrong?
> Do you have another address?

Sheezh - my fault - but Geocities is running the flakiest FTP server I've
seen in a looong time.

All fixed - the appropriate index.html file is now in place :-)

-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
 



Re: Anti Virus Solution

1999-12-13 Thread vicente


> > It's fast, perl-based and specifically written for qmail.
> > 
> > See http://www.geocities.com/jhaar/scan4virus/ for details...
> > 

I could not get it... Am I wrong?
Do you have another address?

-- Vicente Andrade
VIRCOM Internet Solutions

http://www.vircom.com.br
http://www.10reais.com.br





Re: Anti Virus Solution

1999-12-13 Thread Ismal Hisham Darus

thanks a lot jason .. it works. 

- Original Message -
From: "Jason Haar" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 14, 1999 9:24 AM
Subject: Re: Anti Virus Solution


> > how to get the Perl module Time::HiRes (if debugging enabled) ? *blushed*
> >
>
> Well, I install all perl modules via
>
> perl -e 'use CPAN; install /Time::HiRes/'
>
> ...but that depends a lot on firewalls/etc.
>
> You can just go to CPAN and get it:
>
> http://search.cpan.org/search?module=Time::HiRes
>
>
> --
> Cheers
>
> Jason Haar
>
> Unix/Network Specialist, Trimble NZ
> Phone: +64 3 3391 377 Fax: +64 3 3391 417
>



Re: Anti Virus Solution

1999-12-13 Thread Jason Haar

> how to get the Perl module Time::HiRes (if debugging enabled) ? *blushed*
> 

Well, I install all perl modules via 

perl -e 'use CPAN; install /Time::HiRes/'

...but that depends a lot on firewalls/etc.

You can just go to CPAN and get it:

http://search.cpan.org/search?module=Time::HiRes


-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
 



Re: Anti Virus Solution

1999-12-13 Thread Ismal Hisham Darus

> It's fast, perl-based and specifically written for qmail.
> 
> See http://www.geocities.com/jhaar/scan4virus/ for details...
> 
> 
> 
> -- 
> Cheers
> 
> Jason Haar
> 
> Unix/Network Specialist, Trimble NZ
> Phone: +64 3 3391 377 Fax: +64 3 3391 417
 
how to get the Perl module Time::HiRes (if debugging enabled) ? *blushed*




Re: Anti Virus Solution

1999-12-12 Thread Jason Haar

On Thu, Dec 09, 1999 at 12:42:32PM -0600, Jennifer Tippens wrote:
> I have gone through the list archive and the only information I can find
> on this subject was listmembers asking about if there was any anti-virus
> solution out there.
> Is there any anti-virus thing out there that can scan for macro viruses
> in Qmail?
> 

I've written one in response to some design issue problems I had with amavis
(like lack of error checking).

It's now homed at Geocities and can scan all incoming SMTP Email via
whatever virus scanners you have installed on your Qmail host (I use NAI's
and Trend's virus scanners).

It's fast, perl-based and specifically written for qmail.

See http://www.geocities.com/jhaar/scan4virus/ for details...



-- 
Cheers

Jason Haar

Unix/Network Specialist, Trimble NZ
Phone: +64 3 3391 377 Fax: +64 3 3391 417
 



Re: Anti Virus Solution

1999-12-09 Thread Alex Shipp

We use vfind as well, and are very happy with the product and the support
we get. My company runs a commercial service protecting email from viruses,
and since it's based on qmail I thought it appropriate to mention it
here. If you want to 'roll your own' anti virus solution, here are some of
the points we have found (based on 18 months worth of hard earned
experience) you should consider.

1) Email is now the primary point of entry of viruses into most companies.
Over the last 18 months we have found that on average 1 in every 1500
emails contains a virus. Emails from free mail services, such as
hotmail/yahoo etc, contain a higher proportion of viruses.

2) If you only use one virus scanner, you will miss around 3% of viruses
over the course of a year. This is because all the AV vendors have
different schedules for issuing new signatures, and because they all find
new viruses at slightly different times. The more virus scanners you add,
the better your detection rate, but also the higher your costs are, and the
longer it takes to scan mail. (We have currently settled on 3 scanners)

3) You have to be able to cope with all the obscure formats mail can arrive
in (recursive mime, ZIP, binhex, microsoft proprietary etc etc) or you will
miss viruses.

4) Updating your scanners with new signatures is very important. The new
breed of email viruses spread so quickly that speed really is of the
essence. For instance, the UK was hit badly on 29th March by the Melissa
virus. However, the signatures to detect this virus were available at least
3 days before this date. To be truly effective, consider updating at least
hourly, if not more often.

5) New viruses are often detected and publicised for some time before the
signatures are available. Consider how you will deal with these threats
before standard signatures are published.

6) All AV scanners generate some false alarms, so you will need to consider
how to handle these.

7) All AV scanners crash occasionally, (or worse, get into an infinite loop
and never return) so you will need to consider how to handle this.

8) You should consider training your help-desk to be virus-literate, since
they will get a large number of queries about viruses.

9) Scanning will slow down mail delivery. To maintain the same level of
service as before, we estimate you will need up to 10 times the current
hardware (of course, if your current hardware is not running at full
capacity, you won't need as much).

10) Linux virus scanners we have tried, and found to be good are (no
particular order):
NAI Antivirus www.nai.com
Datafellows F-Secure www.datafellows.com
Cybersoft vfind www.cyber.com
Sophos Antivirus www.sophos.com
If anyone is interested in a detailed comparison of these products, please
contact me off the list.
If anyone knows of any other linux AV products you think we should consider,
please let me know.

11) To be truly effective, you may need to dedicate personnel full-time to
an anti-virus role. This will obviously depend heavily on the size of your
company.


Well, that's all I can think of off the top of my head. Hope it gives you
all some food for thought!

Alex

~
Alex Shipp
Virus Technologist
Starlabs www.starlabs.net
E: [EMAIL PROTECTED]
T: 44 1285 884400
~


-Original Message-
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>


>Hi Jennifer,
>
>We use a commercial product called VFind, provided by a company found
>on the web here: http://www.cyber.com/



This message has been checked for all known viruses by the Star Screening System
http://academy.star.co.uk/public/virustats.htm



Re: Anti Virus Solution

1999-12-09 Thread martin

Hi Jennifer,

We use a commercial product called VFind, provided by a company found
on the web here: http://www.cyber.com/

With a bit of a shell wrapper, you can make it into a generic scanning
tool which works like this

STDIN --> vfind --> STDOUT

We call it from a .qmail-file, once for each incoming message, and let
qmail assess our return code.  Works quite well, and we've been happy
with the support from them.

And, yes, it does detect many of the different X97M and W97M virus
variants.

-Martin

On  9 Dec, Jennifer Tippens wrote:
  : I have gone through the list archive and the only information I can find
  : on this subject was listmembers asking about if there was any anti-virus
  : solution out there.
  : Is there any anti-virus thing out there that can scan for macro viruses
  : in Qmail?
  : 
  : Thanks so much for your time,
  : Jennifer
  : 

-- 
Martin A. Brown --- SecurePipe Communications --- [EMAIL PROTECTED]
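
The .qmail arrangement described in the message above (message on STDIN, scanner, exit code read by qmail), extended to cover points 2 and 7 of Alex Shipp's list (several scanners; scanners that crash or never return), can be wired up as follows. This is an added example, not code from the thread or from vfind, AMaViS or scan4virus; the scanner calling convention, the script name and all paths are assumptions.

```shell
#!/bin/sh
# Added example: virus-scan gate for a .qmail pipe line.
# Assumed scanner convention (not from the thread): each scanner is run as
#   SCANNER /path/to/message
# and exits 0 = clean, 1 = virus found, anything else = scanner failure.
# Codes handed back to qmail-local, per qmail-command(8):
#   0   delivered, continue with the next .qmail line
#   100 hard failure (message bounces, later .qmail lines are skipped)
#   111 soft failure (message stays queued and is retried later)

SCAN_TIMEOUT=${SCAN_TIMEOUT:-60}                        # seconds per scanner
QUARANTINE_DIR=${QUARANTINE_DIR:-/var/qmail/quarantine} # hypothetical path

# run_scanner SCANNER FILE -> prints clean | infected | error
run_scanner() {
    rc=0
    timeout "$SCAN_TIMEOUT" "$1" "$2" </dev/null >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;   # crash, missing binary, or hang killed by timeout
    esac
}

# scan_message FILE SCANNER... -> prints the combined verdict.
# One detection is enough; a failed scanner means the message was not fully
# checked, so the result is "error" unless another scanner detects something.
scan_message() {
    file=$1; shift
    [ "$#" -gt 0 ] || { echo error; return 0; }   # no scanners: never "clean"
    verdict=clean
    for scanner in "$@"; do
        case $(run_scanner "$scanner" "$file") in
            infected) echo infected; return 0 ;;
            error)    verdict=error ;;
        esac
    done
    echo "$verdict"
}

# quarantine FILE -> keeps a private copy of the complete message
quarantine() (
    umask 077
    mkdir -p "$QUARANTINE_DIR" || exit 1
    dest=$(mktemp "$QUARANTINE_DIR/msg.XXXXXX") || exit 1
    cat "$1" > "$dest"
)

# deliver_gate SCANNER... : reads one message on stdin and returns the exit
# code qmail-local should see. Anything short of a confirmed clean verdict
# keeps the message out of the mailbox.
deliver_gate() {
    msg=$(mktemp "${TMPDIR:-/tmp}/avscan.XXXXXX") || return 111
    cat > "$msg" || { rm -f "$msg"; return 111; }
    gate_rc=111                                   # default: defer and retry
    case $(scan_message "$msg" "$@") in
        clean)    gate_rc=0 ;;
        infected) if quarantine "$msg"; then gate_rc=100; fi ;;
    esac
    rm -f "$msg"
    return "$gate_rc"
}

# .qmail usage, pipe line first and mailbox line after it (paths hypothetical):
#   |/usr/local/bin/qmail-avscan /usr/local/bin/scan-a /usr/local/bin/scan-b
#   ./Maildir/
if [ "$#" -gt 0 ]; then
    deliver_gate "$@"
    exit $?
fi
```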



RE: Anti Virus Solution

1999-12-09 Thread Dustin Miller

There is a package called "Amavis", but no one has been able to supply any
information on how to get it to work.  I couldn't find the patches in the
archives, but I'd really love to know how I can get Amavis to work with
qmail.

Good luck, Jennifer.
  _

Dustin Miller, President
WebFusionDevelopmentIncorporated


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 09, 1999 12:43 PM
To: [EMAIL PROTECTED]
Subject: Anti Virus Solution


I have gone through the list archive and the only information I can find
on this subject was listmembers asking about if there was any anti-virus
solution out there.
Is there any anti-virus thing out there that can scan for macro viruses
in Qmail?

Thanks so much for your time,
Jennifer