
02/19/2005 Archived Entry: "Linux Anti-Virus redux"

Linux AntiVirus Update: I got BitDefender to scan mail, I got ClamAV installed, and I've learned how to update F-Prot.

F-Prot: The command /usr/local/f-prot/tools/check-updates.pl (run as root) will automatically download and install the latest virus signatures. A piece of cake, and easy to automate.

BitDefender: I've discovered that the command "bdc .mozilla --all --mail" will scan my Mozilla mailboxes. Both options, "--all" and "--mail", are required. Run this way BitDefender is very slow, but it found some JavaScript and HTML exploits that F-Prot didn't detect, plus more viruses:

BDC/Linux-Console v7.0 (build 2490) (i386) (Dec 10 2003 16:11:35)
Copyright (C) 1996-2003 SOFTWIN SRL. All rights reserved.

.../Virus=>(message 30)=> (JAVASCRIPT 1) infected: JS.Nimda.A
.../Radio=>(message 296) suspected: Exploit.Iframe.Vulnerability
.../Radio=>(message 472) suspected: Exploit.Iframe.Vulnerability
.../ifeminists=>(message 362)=> (application) infected: Win32.Ganda.A@mm
.../Inbox=>(message 3)=> screensaver.zip infected: Win32.Netsky.P@mm
.../Inbox=>(message 10)=> message.zip infected: Win32.Lovgate.V@mm
.../Inbox=>(message 16)=> product.zip infected: Win32.Netsky.P@mm
.../Inbox=>(message 19)=> signature_wendy.zip infected: Win32.Netsky.P@mm
.../Inbox=>(message 20)=> readme.zip infected: Win32.Lovgate.V@mm
.../Inbox=>(message 34)=> readme_wendy.zip infected: Win32.Netsky.P@mm
.../Inbox=>(message 35)=> naked2.zip infected: Win32.Netsky.C@mm
.../Trash=>(message 4)=> screensaver.zip infected: Win32.Netsky.P@mm
.../Trash=>(message 9)=> message.zip infected: Win32.Lovgate.V@mm
.../Trash=>(message 16)=> readme.zip infected: Win32.Lovgate.V@mm
.../Trash=>(message 21)=> product.zip infected: Win32.Netsky.P@mm
.../Trash=>(message 22)=> signature_wendy.zip infected: Win32.Netsky.P@mm
.../Trash=>(message 40)=> naked2.zip infected: Win32.Netsky.C@mm
.../Trash=>(message 41)=> readme_wendy.zip infected: Win32.Netsky.P@mm
.../Junk=>(message 2)=> screensaver.zip infected: Win32.Netsky.P@mm
.../Junk=>(message 7)=> message.zip infected: Win32.Lovgate.V@mm
.../Junk=>(message 13)=> product.zip infected: Win32.Netsky.P@mm
.../Junk=>(message 14)=> signature_wendy.zip infected: Win32.Netsky.P@mm
.../Junk=>(message 20)=> naked2.zip infected: Win32.Netsky.C@mm
.../Junk=>(message 21)=> readme_wendy.zip infected: Win32.Netsky.P@mm

Results:
Folders :41
Files :58546
Packed :248
Infected files :22
Suspect files :2
Warnings :0
Identified viruses:5
I/O errors :0
Files/second :34
Scan time :00:27:59

Not bad at all, except for the 28-minute execution time. BitDefender actually reported the subject line, date, and time of each infected message, but I trimmed that for brevity. This is an advantage over F-Prot, which only reports the name of the attachment (without telling you which message carries it).
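Because bdc names the mailbox and message number for each hit, its report can be turned into a per-folder purge list. The following is an added example, not from the original post or from BitDefender; the line pattern is inferred from the bdc 7.0 report shown above and is assumed to hold for other runs, and the sample lines are a constructed subset of that report.

```python
"""Parse bdc report lines into (folder, message, part, verdict, name) records."""
import re
from collections import Counter

# Constructed sample: a few lines in the shape bdc printed above, plus totals.
SAMPLE_REPORT = """\
.../Virus=>(message 30)=> (JAVASCRIPT 1) infected: JS.Nimda.A
.../Radio=>(message 296) suspected: Exploit.Iframe.Vulnerability
.../Inbox=>(message 3)=> screensaver.zip infected: Win32.Netsky.P@mm
.../Inbox=>(message 10)=> message.zip infected: Win32.Lovgate.V@mm
.../Trash=>(message 4)=> screensaver.zip infected: Win32.Netsky.P@mm
Results:
Infected files :4
"""

# Assumed line format: <folder>=>(message N)[=> <part>] <verdict>: <name>
LINE_RE = re.compile(
    r"^(?P<folder>.+?)=>\(message (?P<msg>\d+)\)"   # mailbox and message number
    r"(?:=> (?P<part>.+?))?"                        # attachment or script part, if any
    r" (?P<verdict>infected|suspected): (?P<name>\S+)$"
)

def parse_report(text):
    """Return one dict per finding; lines that do not match (totals etc.) are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            record = m.groupdict()
            record["msg"] = int(record["msg"])
            findings.append(record)
    return findings

def messages_to_purge(findings):
    """Map each mailbox to the sorted message numbers bdc reported as infected.

    Suspected items are left out on purpose: they deserve a look, not deletion.
    """
    per_folder = {}
    for f in findings:
        if f["verdict"] == "infected":
            per_folder.setdefault(f["folder"], set()).add(f["msg"])
    return {folder: sorted(msgs) for folder, msgs in per_folder.items()}

def name_counts(findings):
    """Count detections per malware name, the quickest way to spot repeats."""
    return Counter(f["name"] for f in findings)
```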

ClamAV: I now have version 0.83 installed and running. This really wants to be installed by apt-get, not the Xandros installer. (There are a lot of prompts and configuration options that the Xandros installer handles clumsily.) It looks like my problems before were largely because the old version (0.6) wasn't successfully uninstalled. But, as is common with open-source projects, the authors expect a guru to do the installation:

1. It asks if I want to run ClamAV as a daemon, a cron job, or manually. (I chose "manual" even though it discourages that option. Most newbies will be confused by this question.)

2. It asks what site to use for virus updates; this is easy enough (the Canadian site).

3. It asks to create a user account "clamav" and asks what other groups this user should belong to. Again, I know what's going on here, but many people wouldn't. I chose the defaults.

4. It prompted me that if updating from a previous version, I need to run "dpkg-reconfigure clamav-base" to change a socket. That program in turn presents a bewildering variety of options, and it's not necessary: I checked the config file after the install and it already had the correct socket selected.

5. It doesn't tell you the name of the program. No, it's not "clam" or "clamav". You have to type "clamscan" to scan for viruses. (I already knew that "freshclam" updates the database.) I finally found this by searching for all files with "clam" in the name, and looking for those in the "bin" directories. (Probably I should have just downloaded the .pdf manual once I knew what version I had installed. But its installation instructions are wrong for a DEB package.)

After all that I was able to go to my home directory and type "clamscan -r -i ." (the -r is to include subdirectories, the -i to report only infected files). Unfortunately, ClamAV doesn't report infected email messages within a mailbox; it simply stops scanning and reports the first infection it finds in a given mailbox. (To scan individual messages you have to manually convert all your mailboxes to "Maildir" format.) I assume that ClamAV was intended to scan individual messages as they appear at a mail server, but this is a major limitation for desktop users.
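The Maildir conversion mentioned above can be done with Python's standard mailbox module, after which "clamscan -r -i" names each infected message file instead of stopping at the first hit in the mbox. This is an added example, not from the original post or from the ClamAV project; the mbox sample is constructed, and the clamscan call is guarded so the split runs even where ClamAV is not installed.

```python
"""Split mbox folders into a Maildir so clamscan can report per message."""
import mailbox
import os
import shutil
import subprocess
import tempfile

# Constructed sample: two messages in mbox format, the layout Mozilla uses.
SAMPLE_MBOX = (
    "From sender@example.invalid Sat Feb 19 10:00:00 2005\n"
    "From: sender@example.invalid\n"
    "Subject: first message\n"
    "\n"
    "body one\n"
    "\n"
    "From other@example.invalid Sat Feb 19 11:00:00 2005\n"
    "From: other@example.invalid\n"
    "Subject: second message\n"
    "\n"
    "body two\n"
)

def mbox_to_maildir(mbox_path, maildir_path):
    """Copy every message in mbox_path into a Maildir; return the message count."""
    src = mailbox.mbox(mbox_path)
    dst = mailbox.Maildir(maildir_path, create=True)
    count = 0
    for msg in src:
        dst.add(msg)      # each message becomes its own file under new/
        count += 1
    src.close()
    return count

def scan_maildir(maildir_path):
    """Run clamscan -r -i over the Maildir; return None when clamscan is absent."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "-r", "-i", maildir_path],
                          capture_output=True, text=True)
    # Exit status 1 means something was found; stdout names each flagged file.
    return proc.returncode, proc.stdout

def demo():
    """Write the sample mbox to a temp dir, split it, and return the count."""
    work = tempfile.mkdtemp()
    mbox_path = os.path.join(work, "Inbox")
    with open(mbox_path, "w") as fh:
        fh.write(SAMPLE_MBOX)
    count = mbox_to_maildir(mbox_path, os.path.join(work, "Inbox.maildir"))
    shutil.rmtree(work)
    return count
```

Point scan_maildir at the new directory once the conversion has run; the original mbox files are left untouched.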

Summary.

I've upgraded BitDefender to being a very close second, but F-Prot is still my first choice for desktop Linux users. It's easier to set up, lots faster, and does a complete scan with one command. I'd use two commands for a BitDefender scan: one with the "--all --mail" options for my mail directory, and one without those options for the rest of my directories. (Using --all for the whole disk would take hours.) My only concern with F-Prot is that it seemed to miss some email viruses.

For server use, ClamAV is more versatile (you can use it as a filter). But you need to be Linux-knowledgeable to deploy ClamAV properly. Not a task for the faint of heart.

brad
