[unisog] Mail Gateway Anti-Virus Products

Michael D. Sofka sofkam at rpi.edu
Wed Mar 27 16:19:09 GMT 2002


At 10:47 AM 3/27/2002 -0500, Gary Flynn wrote:
>Hi,
>
>I'd be interested in hearing from people doing anti-virus scanning
>on their mail gateways/servers. In particular:
>
>1) What product are you using and on what server/gateway platform?
>2) How effective has it been?
>3) How stable has it been?
>4) How much did it affect mail gateway/server performance?
>5) The approximate pricing.

I've been running mimedefang since last December (www.roaringpenquin.com). 
By itself it catches about 1/2 of all viruses by discarding, for example, 
executables with MIME type application/x-audio.  Or, executables named 
[^\.]\.\w\w\w\.exe, and so on.   The overhead for running mimedefang is high 
(it's a Perl process which uses MIME:Parser to unpack the MIME attachments). 
 With the multiplexor the mimedefang.pl processes are pre-exec-ed, but they 
take up memory. On our old mail server (RS6k B50 w/ 512 meg memory, 4 
processors) we could barely keep up with the load.  The new machine (RS6k 
B80, w/ 1 gig memory, 4 processor and SSA-Raided disks) we do fine.

I know mimedefang by itself is catching about 1/2 of the viruses, because 
since going to the new machine I've been running Sophos (www.sophos.com) 
under a demo license and keeping stats.  Viruses such as Magister, which use 
multiple attachment names and normal executable names and types are much 
harder to catch using simple MIME type heuristics.   But, with just 
mimedefang we were a lot better off than before.  (Rough numbers, about 200
viruses detected per day out of 90,000 messages. Another 6--8,000 of those
messages are rejected by sendmail because the sender/relay is virus infected
and so has been blocked---avoids overhead.  Most of those are single sources
that just don't get it.)

Prior to installing mimedefang viruses were a nearly weekly event requiring
scanning logs, putting in sendmail blocks, contacting users, cleaning out
mailboxes, etc.  After mimedefang the outbreaks stopped, and viruses became
a managable trickle.  However, a few of the recent viruses such as Klez-G would
likely have lead to outbreaks if we were not running the Sophos demo at the time.
(The MyParty virus was a matter of adding a new mimedefang rule, then scanning
the spool.)

I have also tested mailscanner 
(http://www.sng.ecs.soton.ac.uk/mailscanner/). Mailscanner is similar to 
mimedefang in that it is a Perl script which looks for funny executables and 
MIME types, and then runs an optional virus scanner. Mimedefang is more 
flexible (it runs as a sendmail Milter), but incurs more overhead.  
Mailscanner is a single Perl process that scans in in-queue, and if the mail 
passes moves it to an out-queue.  If we purchase Sophos I may move to 
mailscanner.

Regarding cost.  Mimedefang and mailscanner are both free.  Sophos (or other 
antivirus software) is expensive.  The cost is per-protected account.  I've 
been quoted 25k for 10,000 protected accounts.  (A corporate license might 
be more cost effective, since you then get desktop as well as server licenses).

I'm focused on Sophos because (1) it allows for automatic updates of the 
virus definitions via http.  This can be scripted.  And (2) they have a 
version that runs on AIX Power PC.  Long term, the smtp servers will be 
moved to Linux, but until then running virus scanning on AIX is nice.   
Sophos also appears flexible about rolling over an AIX license to Linux.  If 
you use Samba, the open virus project (www.openantivirus.org) is working on 
a Sophos `scan on open' plugin.

<editorial>
BTW, while you're asking for funds, don't over sell mail gateway scanning.  This
is the low fruit---easy to write viruses, easy to catch.  Once mail gateways are
effectively shutdown, virus writers will exploit other vectors.  I really think the way
to put an end to most viruses (the yahoo bragging rights variety) is to make it
too expensive.  For example, if all of our schools formed a consortium that
(1) promised never to admit a known virus writer to our schools, (2) put out
bounties for information leading to the arrest and conviction of virus writers,
(3) filed leans against future earnings by John/Jane Does should they ever
be found, the word might get out that it just isn't worth the risk.

Otherwise, it is just a matter of time before a really destructive virus gets
through, regardless of the precautions taken.  Well, to be really gloomy,
even the above steps won't prevent that.  But, it will free up resources
needed to watch out for the `big ones.'
</editorial>

Mike


>thanks,
>-- 
>Gary Flynn
>Security Engineer - Technical Services
>James Madison University
>
>Please R.U.N.S.A.F.E.
>http://www.jmu.edu/computing/runsafe

--
Michael Sofka                          sofkam at rpi.edu
CCT Sr. Systems Programmer  email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.    http://www.rpi.edu/~sofkam/



More information about the unisog mailing list