Re: [Mimedefang] Any Sophie users out there?
On Wed, 19 Mar 2014, Anne Bennett wrote:

> A belated thanks for the patch! ;-)
> What are you using now for anti-virus?

No problem :-)

Personally and professionally I've used ClamAV (via clamd) for a long time. I actually used to be a team member pre-Cisco, pre-SourceFire.

I've used Avira AntiVir, but this happened:
http://www.avira.com/en/support-for-home-knowledgebase-detail?kbid=1491

I've used F-PROT for Linux Workstations:
http://www.f-prot.com/products/home_use/linux/
(but do not right now)

I have not done much recent Linux anti-virus related work for client servers, but many of the ones that I used to use or at least test years ago have gone the way of the Dodo: Sophie, Trophie (+ TrendMicro), File::Scan, OpenAntiVirus, ...

Not sure if McAfee/NAI/Intel uvscan is still around or not, but from what I remember that was very resource intensive to run the binary over and over every time, using a tmpfs or other RAM-based filesystem or not.

I'm not involved with any environment right now where I have to worry about a large number of users and their mail, beyond making sure it gets delivered. I have a client ISP that actually does no anti-virus scanning incoming or outgoing, only recommends anti-virus software for them to install on their PC. They do have a conservative MIMEDefang filter and SpamAssassin though.

Jason

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)
On Thu, 20 Mar 2014 14:49:32 -0400 (EDT) Jason Englander ja...@englanders.us wrote:

> Personally and professionally I've used ClamAV (via clamd) for a long time. I actually used to be a team member pre-Cisco, pre-SourceFire.

Post-Cisco, ClamAV seems to have greatly declined in usefulness. It catches hardly anything anymore... anyone else experiencing this?

In my experience, most of the commercial AV scanners for Linux are horrible. They often use undocumented wire protocols, making it difficult/impossible to use them efficiently from MIMEDefang. The MIMEDefang-friendliest one I know of is F-PROTD version 6.

On our hosted anti-spam offering, we simply block outright *.EXE, *.SCR etc., whether directly attached or within zip files, RAR files, etc. So far no-one has complained.

Regards,

David.
Re: [Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)
DFS wrote on 03/20/2014 03:04:07 PM:

> Post-Cisco, ClamAV seems to have greatly declined in usefulness. It catches hardly anything anymore... anyone else experiencing this?
>
> In my experience, most of the commercial AV scanners for Linux are horrible. They often use undocumented wire protocols making it difficult/impossible to use them efficiently from MIMEDefang. The MIMEDefang-friendliest one I know of is F-PROTD version 6.
>
> On our hosted anti-spam offering, we simply block outright *.EXE, *.SCR etc whether directly attached or within zip files, RAR files, etc. So far no-one has complained.

We haven't seen an increase in virii detected by McAfee or Symantec on servers downstream from our CanIt system. Maybe that's because blocking the unsafe extensions kills them before we even call ClamAV.

Or are there fewer infections being sent by mail, rather focusing more on phishing emails?
Re: [Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)
On Thu, 2014-03-20 at 15:04 -0400, David F. Skoll wrote:

> Post-Cisco, ClamAV seems to have greatly declined in usefulness. It catches hardly anything anymore... anyone else experiencing this?

Are you using clamav-unofficial-signatures? We are. I have no idea how much we should be catching. But here's a dump of what we're doing, in case it's helpful to anyone. If I'm doing something stupid or not doing something smart, I welcome feedback.

We outright reject files with these extensions:

    # Blocked extensions; the last alternative catches CLSID-style "{...}" names.
    my $bad_exts = '(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|' .
                   'hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|' .
                   'pif|prg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^\}]+\})';
    # The trailing \.* also catches names like "evil.exe." (Windows drops trailing dots).
    my $bad_filename_regex = '\.' . $bad_exts . '\.*$';

We outright reject encrypted zip files.

We ignore official or unofficial signatures with virus names that match:

    /^(AAPL|Application|PUA|SPR)\./

We handle the phishing and spam signatures differently, and exempt mail going to our helpdesk or a variety of phishing-reporting addresses (at banks, etc.):

    /^((email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)\@.*|.*\@(abuse\.net|spam\.spamcop\.net)|aollegal\@aol\.com|askvisa(usa)?\@visa\.com|enforcement\@sec\.gov|fraud_help\@usbank\.com|mail-spoof\@cc\.yahoo-inc\.com|phishing-report\@us-cert\.gov|reports\@habeas\.com|stop-spoofing\@amazon\.com|reportphish\@wellsfargo\.com)$/

I'm skeptical that reporting phishing scams to major banks actually does any good, but some of our customers want to be able to do so.

We ignore the Heuristics.Phishing.Email.SpoofedDomain test because of false positives. Maybe we could score it, but we don't currently.

Viruses from the Internet are silently discarded to avoid generating backscatter. Viruses from our customers are rejected (so they get an error in their mail client if there's a false positive).
Phishing/spam mail detected by clamav is rejected on the spot; unlike SpamAssassin, we apply this regardless of user settings, and whitelisting does not apply. In other words, the false positive rate is very, very low.

The encrypted zip and filename extensions are separate error messages from each other and separate from spam and virus messages. We special-case .lnk blocking with an error message that says they should mail the file itself, not the shortcut to it.

-- 
Richard
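The two filter behaviours described above, David's blocking of *.EXE/*.SCR whether attached directly or inside zip files and Richard's extension, signature-name, phishing-report and encrypted-zip checks, as an added example in Python. This is not MIMEDefang filter code and not anything from the thread; the regexes are Richard's with the line-wrap spaces removed. It assumes case-insensitive matching (which is how I recall MIMEDefang's re_match behaving), a recursion cap I chose for nested archives, and uses constructed file names and an in-memory zip rather than real mail.

```python
"""Added example: Python stand-in for the Perl filter logic in the thread.
Assumptions: case-insensitive matching, a chosen recursion cap for nested
zips, and constructed sample names/archives (none taken from real mail)."""
import io
import re
import zipfile

# Richard's extension list; the last alternative catches CLSID-style "{...}" names.
BAD_EXTS = (
    r'(ade|adp|app|asd|bas|bat|chm|cmd|com|cpl|crt|exe|fxp|hlp|hta|hto|inf|'
    r'ini|ins|isp|jse?|lib|lnk|mde|mim|msc|msp|mst|ocx|pcd|pif|prg|scr|sct|'
    r'shb|shs|sys|vb|vbe|vbs|vxd|wmd|wms|wsc|wsf|wsh|\{[^}]+\})'
)
# '\.' . $bad_exts . '\.*$' -- the trailing \.* also catches "evil.exe.",
# which Windows normalises to "evil.exe" when the file is saved.
BAD_FILENAME = re.compile(r'\.' + BAD_EXTS + r'\.*$', re.IGNORECASE)

# Signature-name prefixes Richard ignores (PUA / adware style detections).
IGNORED_SIG = re.compile(r'^(AAPL|Application|PUA|SPR)\.')

# Recipients exempt from on-the-spot phishing/spam rejection (abuse desks etc.).
PHISH_REPORT_RCPT = re.compile(
    r'^((email)?(abuse|fraud|phish(ing)?|(report_)?spam|spoof)@.*'
    r'|.*@(abuse\.net|spam\.spamcop\.net)'
    r'|aollegal@aol\.com|askvisa(usa)?@visa\.com|enforcement@sec\.gov'
    r'|fraud_help@usbank\.com|mail-spoof@cc\.yahoo-inc\.com'
    r'|phishing-report@us-cert\.gov|reports@habeas\.com'
    r'|stop-spoofing@amazon\.com|reportphish@wellsfargo\.com)$',
    re.IGNORECASE,
)

def is_bad_filename(name: str) -> bool:
    """True if an attachment or archive-member name ends in a blocked extension."""
    return BAD_FILENAME.search(name) is not None

def reject_reason(name: str):
    """None if acceptable, else a short reason; .lnk gets its own message
    (Richard tells senders to mail the file, not the shortcut to it)."""
    if not is_bad_filename(name):
        return None
    if re.search(r'\.lnk\.*$', name, re.IGNORECASE):
        return 'lnk shortcut'
    return 'bad extension'

def ignore_signature(virus_name: str) -> bool:
    """True for ClamAV signature names the filter ignores."""
    return IGNORED_SIG.match(virus_name) is not None

def exempt_from_phish_reject(rcpt: str) -> bool:
    """True if the recipient is a helpdesk / phishing-report address."""
    return PHISH_REPORT_RCPT.match(rcpt) is not None

def is_encrypted(zi: zipfile.ZipInfo) -> bool:
    """General-purpose flag bit 0 set means an encrypted member (reject outright)."""
    return bool(zi.flag_bits & 0x1)

def offending_archive_members(data: bytes, depth: int = 0, max_depth: int = 3):
    """(member path, reason) for every member that would be rejected.
    Recurses into nested .zip members so "within zip files" really means
    within; max_depth (chosen here) bounds zip-bomb style nesting."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip: nothing to check at this level
    with zf:
        for zi in zf.infolist():
            if is_encrypted(zi):
                hits.append((zi.filename, 'encrypted'))
                continue
            reason = reject_reason(zi.filename)
            if reason:
                hits.append((zi.filename, reason))
            elif zi.filename.lower().endswith('.zip') and depth < max_depth:
                hits.extend((zi.filename + '/' + p, r) for p, r in
                            offending_archive_members(zf.read(zi), depth + 1, max_depth))
    return hits

def build_sample_zip() -> bytes:
    """Constructed sample: outer zip with a benign file, a .lnk, and an inner
    zip hiding a double-extension executable name."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as z:
        z.writestr('invoice.pdf.exe', b'MZ not a real PE')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as z:
        z.writestr('readme.txt', b'hello')
        z.writestr('attachments.zip', inner.getvalue())
        z.writestr('shortcut.lnk', b'L\x00\x00\x00')
    return outer.getvalue()

if __name__ == '__main__':
    for n in ('report.doc', 'evil.exe', 'evil.EXE.', 'invoice.pdf.scr', 'exe.txt',
              'setup.{645FF040-5081-101B-9F08-00AA002F954E}'):
        print(f'{n:48} -> {reject_reason(n)}')
    for path, reason in offending_archive_members(build_sample_zip()):
        print('reject:', path, reason)
```

The point of the archive walk is the one David makes: a name check that stops at the outer attachment misses "invoice.pdf.exe" one zip down, and an encrypted member cannot be checked at all, so it is rejected rather than passed. A real filter would also need to unpack RAR and other formats, which this example does not do.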
Re: [Mimedefang] What AV scanners do you use? (was Re: Any Sophie users out there?)
On Thu, 20 Mar 2014 15:46:49 -0400 wbr...@e1b.org wrote:

> We haven't seen an increase in virii detected by McAfee or Symantec on servers downstream from our CanIt system. Maybe that's because blocking the unsafe extensions kills them before we even call ClamAV.

I've attached the statistics for the last 60 days on our systems. The brown bars are messages blocked because of bad filename extensions. The red ones are ones detected as viruses by ClamAV. As you see, the red bars are two orders of magnitude smaller than the brown ones.

> Or are there fewer infections being sent by mail, rather focusing more on phishing emails?

We see waves. The last 30 days were quieter than the 30 days before that, but it waxes and wanes as new botnets come online and old ones go away.

Regards,

David.

(attachment: mailstats.png)