- FreeBSD Anti-Virus Protection - A Commercial Alternative
- Anti-virus software for FreeBSD is not a common thought to most FreeBSD administrators. However, if you are like me, most of your network is Windows 2000/NT on the workstations and FreeBSD on the servers. This means that the average user can download all kinds of unhealthy files and contaminate the Windows workstations. I prefer to spend most of my time doing something other than running Norton Antivirus. The solution to this, I thought, would be anti-virus software that runs under FreeBSD as a centralized anti-virus scanner. Such software can be integrated into the FreeBSD server’s Mail Transfer Agent to protect people’s email accounts, and by using smbfs or Sharity you can even do a full scan of the Windows computers on your network remotely. This keeps your Windows clients free from the resource crunch that can be caused by installed anti-virus software: the virus scanning software does not degrade the workstation’s performance, nor can a knowledgeable user disable it.
- Having concluded that anti-virus software for FreeBSD is an effective way to protect a network and email, one must determine which anti-virus software to use. There are not, however, many to choose from. In my original deployment I used UVSCAN from the FreeBSD ports tree, which uses the scanning engine and virus definitions from McAfee. Although UVSCAN is available in the ports tree, it is binary only and licensed as shareware, which restricts you to 30 days of use without purchasing a license. In my opinion UVSCAN works, but it lacks the refined feature set that a busy systems administrator would need in order to keep using it efficiently. It is a barebones port of their virus scanning engine, with no auto-updating and no direct MTA plugins. To use it in conjunction with an email server, you must use a third-party application that makes an external call to the anti-virus scanner binary. I implemented Amavis and integrated that package with a Mail Transfer Agent, or MTA. To update the package, I was forced to find the URL for their daily virus update and write a Perl script to download this file, which is in ZIP format, unzip it, and copy it into my UVSCAN directory. Once I got it all up and running, it was a very nice system to have. But it took quite a bit of setup, and it is really a combination of several components rather than a nice single package.
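The update step described above (download the daily definitions ZIP, unpack it, copy it into the scanner directory) as an added Python example; this is not the author's Perl script. The DAT file names, the scanner directory and the rule that every expected file must be present are assumptions, and the download itself is left to the caller so that the validation and install logic runs offline.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Assumed names: the page does not list the files inside the vendor ZIP,
# so this set is a placeholder to adjust for the real update package.
ALLOWED_DAT_NAMES = {"scan.dat", "names.dat", "clean.dat"}


def safe_members(zip_bytes):
    """Return {name: data} for the update members that are safe to install.

    Rejects any member with a directory component (a "../" entry would
    otherwise write outside the scanner directory), any name outside the
    allowed set, any empty file, and any update that is missing a file, so a
    tampered or truncated download never replaces working definitions.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name != os.path.basename(name) or name.lower() not in ALLOWED_DAT_NAMES:
                raise ValueError(f"unexpected member in update: {name!r}")
            if info.file_size == 0:
                raise ValueError(f"empty member in update: {name!r}")
            members[name.lower()] = zf.read(info)
    missing = ALLOWED_DAT_NAMES - members.keys()
    if missing:
        raise ValueError(f"update is incomplete, missing {sorted(missing)}")
    return members


def install_update(zip_bytes, scanner_dir):
    """Unpack a validated update into scanner_dir, swapping each DAT atomically.

    Files are written to a staging directory on the same filesystem first, so a
    scan started mid-update sees either the old or the new definitions, never a
    half-written file.  Returns the sorted list of installed file names.
    """
    scanner_dir = Path(scanner_dir)
    members = safe_members(zip_bytes)  # validate before touching anything
    staging = Path(tempfile.mkdtemp(dir=scanner_dir))
    try:
        for name, data in members.items():
            (staging / name).write_bytes(data)
        for name in members:
            os.replace(staging / name, scanner_dir / name)
    finally:
        shutil.rmtree(staging, ignore_errors=True)
    return sorted(members)
```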
- Enter Kaspersky Anti-Virus (AVP). Kaspersky’s software is a complete anti-virus package, including an auto-update system, a daemon with hooks for custom anti-virus programming, and a powerful scanner. The scanner has many features which UVSCAN lacks. Kaspersky’s is able to scan inside a huge selection of compressed files, such as ZIP, ARJ, and Tar/Gzip, and is even capable of reading email files and databases and scanning MIME-encoded attachments. It also unpacks and scans compressed EXEs that have been created with programs like Pklite and LzExe. Kaspersky’s is the most comprehensive anti-virus scanner I’ve ever seen. The file and compression formats it supports are far more numerous than anything I’ve ever seen under FreeBSD, and I don’t know of any mainstream Windows-based scanners that can unpack EXEs. Kaspersky’s also has heuristic support, which allows it to detect some viruses not yet listed in the anti-virus database by examining the behaviour of the code as it is being scanned.
- I was provided a courtesy copy of Kaspersky’s and a trial license. I printed out their manual at Kinkos so I could have a nice reference. The first thing I noticed was that the documentation described installation software that did not exist in the downloaded package. This was unfortunate, because according to the documentation the installation software was very useful and handled almost everything automatically. I proceeded to install Kaspersky’s by hand. Once I’d gotten everything in the right place, I tried to begin a virus scan. Unfortunately, the installation instructions don’t mention that Kaspersky’s doesn’t ship with a default anti-virus database; instead you must update to get your first database. That’s not a major problem, but it’s unfortunate that the documentation doesn’t match the software. It’s possible that the first update is supposed to be done by the missing installation software. All I needed to do was connect to their FTP site, download the current virus definitions and copy them into the AVP directory. In any case, the update went smoothly, and I now had my anti-virus database. I began a test scan of my Samba shares. I was surprised and pleased to see that Kaspersky’s was one of the fastest scanners I’ve used under any OS. It opened the ZIPs and tarballs and scanned everything. It even found an .eml I’d saved which contained a virus that had been caught in my email filters. I then proceeded to scan my entire FreeBSD server.
- After examining the Kaspersky package further, I found that it included plugins for Qmail, Exim, Sendmail, and Postfix. As a user of Qmail, I was very pleasantly surprised to see a dedicated Qmail plugin. I followed the instructions for installation, and sent a few test messages through the system, and it worked very nicely. I even saw maillog messages telling me that the emails were scanned and found to be virus free. It was one of the easiest MTA plugins I’d ever seen. However, after running the software for about 2 hours, one of my users claimed their email client was stuck sending mail. I checked the process list and there was a ‘stuck’ copy of qmail-smtpd running next to a ‘stuck’ copy of the virus scanner. I killed the processes and asked the user to resend. It continued to occur. The email message was a very simple text message to a legal email address. The program made no syslog entries and there was no information as to what was causing the error. Eventually I was forced to give up on it and remove the plugin so mail could continue to flow to and from my system. I emailed Kaspersky’s technical support, and they requested more information about what had happened, but I had no more information to give. None of the programs were making log entries or outputting anything to the console indicating what might be causing the problem. The issue is still unresolved. However, I would point out that using Amavis, one can still add Kaspersky’s support to their MTAs. In fact, Amavis supports multiple scanners so Kaspersky’s and UVSCAN can run side by side if you’re interested in that level of protection.
- After several hours of trying to get some form of smbfs working under FreeBSD, I got Sharity to mount the SMB shares of each of my workstations. Using these SMB (CIFS) mounts, I was able to scan the hard drives of my Windows workstations very quickly. The users didn’t notice and were able to continue working without any noticeable performance degradation. Kaspersky’s really excels in scanning Windows computers remotely.
- All in all, despite a few flaws and the Qmail plugin issue (according to related testing, the Sendmail component works flawlessly), I believe Kaspersky’s to be an excellent anti-virus product. I would recommend it to anyone running an MTA or Samba server, and to anyone running a network with Windows clients. Kaspersky’s is very fast, very powerful, and is by far the best FreeBSD anti-virus solution I have seen yet.
- Related URL: http://www.kaspersky.com
