[unisog] Mail Virus/Trojan Scanners

Anne Bennett anne at alcor.concordia.ca
Mon Nov 12 15:24:18 GMT 2001



Drew Schaffner:
>> We are currently looking into options for implementing
>> a virus/trojan scanner for our mail gateway running on
>> a Linux platform.
[...]
>> Considerations for a product include price for the
>> scan engine and keeping it current from year to year,
>> scanning of inbound as well as outbound messages, and
>> timely signature updates.

Russell Fulton:

> There is also inflex and its commercial sibling xamine. [...]
> We recetnly tried inflex but our mailserver could not handle the 
> additional load. [...]
> How much additional crunch to you need to do AV scanning on mail?
[...]
> Our mail server is currently handling hourly peaks of just over 10,000 
> messages per hour and currently peaks at about 30% cpu utilization.

I have been working for several weeks on implementing a similar thing
for my mail relays; the one I'm working on now is a dual-CPU DEC Alpha
running Tru64 v4.0e, which has a very mixed job load which is notorious
for tickling race conditions in just about any code.

My scan engine is Sophos sweep (demo version; we'll buy the thing if I
can make this work properly!).  Here's what I've tried so far to
connect the virus scanner to the mail software (sendmail), and my
results:

amavis-perl-11 in "milter" mode: mostly works, but is a bit glitchy
(occasionally logs at emergency priority, "writing" all logged-in users,
when something smashes the $PRIORITY variable to zero, for example).
I've run it as long as 15 minutes, and I don't have really usable load
figures, but it seemed a bit heavy to me; while the load and performance
remained acceptable, amavis processes were competing with httpd in the
"top" listing.

amavisd-snapshot-20010714: as its name implies, this is not
release-ready code.  I've hacked madly on it to make it daemonize
properly, and I think that the approach shows a lot of promise, but
the "milter" daemon still crashes every few minutes.  The perl daemon
(which does the expansion of MIME stuff and actually invokes the virus
scanner on each file) seems more stable, but it has not yet been given
a good workout.  If I can figure out what the matter is and fix it,
I'll contribute my changes and use this version, but if not...

I have not yet looked closely at MailScanner, because it's kind of
store-and-forward (in that it moves mail between sendmail queues), and
I'd prefer the milter approach if at all possible.

If anyone out there has had experience with either amavis or any other
"milter" application on a Tru64 system, or a multi-CPU system, I'd
love to hear from you, and am willing to summarize to the list.


Anne.
-- 
Ms. Anne Bennett, Senior Analyst, IITS, Concordia University, Montreal H3G 1M8
anne at alcor.concordia.ca                                        +1 514 848-7606



More information about the unisog mailing list