antivirus & antispam software

Hello, All!

We're planning to include antivirus and antispam software in our Linux based
router. I'm researching this problem now.
Can you recommend any open-source projects to look at? I believe
antiviruses running on desktops/servers could be almost easily tuned for an
embedded environment, or there may be some pitfalls?

I'll be happy to get any hints and advice. Thank you.

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru



Re: antivirus & antispam software
Hi Roman,
We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
embedded units.
http://www.clamav.net/

Its virus definition files are getting rather large as of late:

-rw-r--r--    1 clamav   nobody     580022 Sep 13 23:28 daily.cvd
-rw-r--r--    1 clamav   nobody    5858804 Sep 13 23:28 main.cvd

But other than that, it's fairly simple to implement.

Regards,


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
Re: antivirus & antispam software
Hello, Damion!
You wrote on Thu, 14 Sep 2006 10:46:35 +1000:

 DdS> Hi Roman,
 ??>> We're planning to include antivirus and antispam software in our Linux
 ??>> based router. I'm researching this problem now. Can you recommend any
 ??>> open-source projects to look for. I believe antiviruses running on
 ??>> desktops/servers could be almost easily tuned for embedded
 ??>> environment, or there may be some pitfalls? I'll be happy to get any
 ??>> hints and advices. Thank you.
 DdS> We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
 DdS> embedded units.
 DdS> http://www.clamav.net/
Thank you for the link. As I understood, you use postfix as the MTA (clamsmtp
filter). Have you had any problems porting and tuning postfix on your
target board?

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru



Re: antivirus & antispam software
Hi Roman,

No, we don't use any postfix on the embedded unit itself.
clamsmtp just proxies all smtp traffic from the client to the real smtp
(postfix) server.


I'll also add, we're looking at implementing a dnsbl system for
spamfiltering in the future - it will be proprietary though, since it
comes from our recent CipherTrust acquisition.

regards,


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
Re: antivirus & antispam software

Any hint what criteria this system uses to identify Spam ?

-Michael

Re: antivirus & antispam software

If client is Windows == 99% it's a spam ;)

Results of my test (done with p0f) - all here are spam sources:

   1315 Windows
    157 UNKNOWN
     34 Linux
      3 Solaris
      3 NetCache
      2 FreeBSD
      1 Novell


Re: antivirus & antispam software
Avast Michael,

I don't actually know anything about it yet.
The website is probably more useful than my brain:
http://ciphertrust.com/products/index.php


regards,


--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
Re: antivirus & antispam software
 > Avast Michael,
 >>>
 >>> I'll also add, we're looking at implementing a dnsbl system for
 >>> spamfiltering in the future - it will be proprietary though, since it
 >>> comes from our recent CipherTrust acquisition.
 >>
 >> Any hint what criteria this system uses to identify Spam ?
 >
 > I don't actually know anything about it yet.
 > The website is probably more useful than my brain:
 > http://ciphertrust.com/products/index.php
 >
 >
There they state:

IronMail was the first product to integrate and correlate signature- and
content-based techniques into a single, combined detection engine.
IronMail's Message Profiler technology uses a variety of detection
techniques to examine over 1000 characteristics of a message, which
creates a precise score for each message in order to determine the
probability that a message is spam or some other threat.

So IMHO it's quite obvious that the device needs a large database of
"characteristics" (patterns). These need to be updated either by
importing them (e.g. as a paid service from ciphertrust) or are
constructed from user input about what mail is supposed to be Spam.

-Michael
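The second route Michael describes, a characteristics database built up from user input about which mail is spam, is what a token-scoring (Bayesian) filter does. The following is an added example, not code from any poster or from CipherTrust: every `train()` call is one piece of user feedback, `token_prob()` is the per-characteristic weight derived from that feedback, and `score()` combines the most decisive tokens into one probability. The training messages, the `router.example`-style wording and the smoothing constants are all constructed for the example.

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case tokens as a set: each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class TokenScorer:
    """Per-token spam probabilities learned from user-labelled mail.

    This is the 'characteristics database' built from user feedback;
    every train() call is one labelled message from a user.
    """

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # token -> number of spam messages containing it
        self.ham_tokens = Counter()    # token -> number of ham messages containing it

    def train(self, text, is_spam):
        tokens = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(tokens)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(tokens)

    def token_prob(self, token):
        """Smoothed P(spam | token), clamped so one token can never decide alone."""
        s = (self.spam_tokens[token] + 1) / (self.spam_docs + 2)
        h = (self.ham_tokens[token] + 1) / (self.ham_docs + 2)
        p = s / (s + h)
        return min(max(p, 0.01), 0.99)

    def score(self, text, max_tokens=15):
        """Combine the most decisive tokens into one spam probability in [0, 1].

        Works in log space so a long message does not underflow the product.
        """
        probs = [self.token_prob(t) for t in tokenize(text)]
        probs.sort(key=lambda p: abs(p - 0.5), reverse=True)
        probs = probs[:max_tokens]
        if not probs:
            return 0.5   # nothing to go on
        log_spam = sum(math.log(p) for p in probs)
        log_ham = sum(math.log(1.0 - p) for p in probs)
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))


# Constructed training mail: what users of the router might have flagged.
SPAM_SAMPLES = [
    "Cheap pills online! Buy now and save $$$",
    "Lowest price pills, order now, limited offer",
    "Win money now, click here for your prize",
]
HAM_SAMPLES = [
    "Patch for the router kernel attached, please review before the meeting",
    "Meeting moved to Thursday, bring the kernel logs",
    "Can you review the clamav config on the router before release",
]


def build_model():
    """Train a scorer on the constructed samples above."""
    model = TokenScorer()
    for text in SPAM_SAMPLES:
        model.train(text, True)
    for text in HAM_SAMPLES:
        model.train(text, False)
    return model


if __name__ == "__main__":
    m = build_model()
    for text in ("Buy cheap pills now, lowest price",
                 "Please review the kernel patch before the meeting"):
        print("%.3f  %s" % (m.score(text), text))
```

On a router the two counters are the only state that has to persist; they are small, and the decision for a new message is a handful of dictionary lookups, which is what makes this approach affordable on embedded hardware compared with a large imported pattern database.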

Re: antivirus & antispam software
How is the software going to decide which download or mail is supposed
to be Spam or contain a virus ?

For virus detection I suppose you need to use a (paid) service that
updates the pattern file and the detection software on a regular basis.

I don't know if something like this exists for Spam detection. Otherwise
you need to use a channel from the users to the router to have them
define rules for Spam detection. Thunderbird is an open source project
that does a fairly nice Spam detection based on automatically generated
rules. Maybe you can look at its code.

A primary Spam filter mechanism is to start to send a mail to the sender
of any mail and abort after the verification of the addressee. If the
verification of the sender fails, the mail can be considered to be Spam.

-Michael
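The mechanism in Michael's last paragraph is usually called sender callout (or sender address verification): the receiving side opens its own SMTP session to the sender domain's MX, goes as far as RCPT TO for the claimed sender address, and aborts without sending any message. The exchange below is an added example, not code from any poster; `FakeMX` is a constructed stand-in for the remote mail exchanger so both sides of the conversation can be run offline, and `router.example` / `example.net` are placeholder names.

```python
class FakeMX:
    """Constructed stand-in for the sender domain's mail exchanger.

    Answers like a minimal SMTP server so the exchange can run offline;
    `mailboxes` is the set of addresses it would accept mail for.
    """

    def __init__(self, mailboxes, greylist=False):
        self.mailboxes = set(a.lower() for a in mailboxes)
        self.greylist = greylist
        self.pending = ["220 mx.example.net ESMTP (constructed)"]  # greeting first
        self.transcript = []

    def readline(self):
        line = self.pending.pop(0)
        self.transcript.append("S: " + line)
        return line

    def sendline(self, line):
        self.transcript.append("C: " + line)
        verb = line.split(None, 1)[0].upper()
        if verb == "HELO":
            self.pending.append("250 mx.example.net")
        elif verb == "MAIL":
            self.pending.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            addr = line[line.index("<") + 1:line.index(">")].lower()
            if self.greylist:
                self.pending.append("450 4.7.1 Greylisted, try again later")
            elif addr in self.mailboxes:
                self.pending.append("250 2.1.5 Ok")
            else:
                self.pending.append("550 5.1.1 No such user")
        elif verb == "RSET":
            self.pending.append("250 2.0.0 Ok")
        elif verb == "QUIT":
            self.pending.append("221 2.0.0 Bye")
        else:
            self.pending.append("500 5.5.1 Command unrecognized")


def callout_verify(sender, conn, helo_name="router.example"):
    """Probe the sender's MX and return 'ok', 'reject' or 'defer'.

    The conversation stops at RCPT TO: no DATA is ever sent, so nothing is
    delivered.  MAIL FROM:<> (the null sender) is used so the probe itself
    can never trigger a bounce that the other side would then verify in turn.
    """
    def reply_ok():
        return conn.readline().startswith("2")

    if not reply_ok():                      # server greeting
        return "defer"
    for cmd in ("HELO " + helo_name, "MAIL FROM:<>"):
        conn.sendline(cmd)
        if not reply_ok():
            conn.sendline("QUIT")
            conn.readline()
            return "defer"
    conn.sendline("RCPT TO:<%s>" % sender)
    verdict = conn.readline()
    conn.sendline("RSET")                   # abort before any message content
    conn.readline()
    conn.sendline("QUIT")
    conn.readline()
    if verdict.startswith("250"):
        return "ok"
    if verdict.startswith("5"):
        return "reject"                     # permanent: the mailbox does not exist
    return "defer"                          # 4xx: temporary, cannot decide now


if __name__ == "__main__":
    mx = FakeMX({"alice@example.net"})
    print(callout_verify("nobody@example.net", mx))
    print("\n".join(mx.transcript))
```

The practitioner's caveats are the ones the thread goes on to raise: each inbound message costs an outbound TCP connection to a third party, a greylisting or slow MX turns into a deferred decision rather than a verdict, and a sender whose address exists (which is the common case for worms harvesting address books, as noted later in the thread) passes the check.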

Re: antivirus & antispam software
Hello, Michael!
You wrote on Thu, 14 Sep 2006 10:23:04 +0200:

 MS> How is the software going to decide which download or mail is supposed
 MS> to be Spam or contain a virus ?
There're supposed to be two types of applications: one is for checking mails
for viruses, another is for catching spam mails.

 MS> For virus detection I suppose you need to use a (paid) service that
 MS> updates the pattern file and the detection software on a regular basis.

 MS> I don't know if something like this exists for Spam detection.
 MS> Otherwise you need to use a channel from the users to the router to
 MS> have them define rules for Spam detection. Thunderbird is an open
 MS> source project that does a fairly nice Spam detection based on
 MS> automatically generated rules. Maybe you can look at its code.

 MS> A primary Spam filter mechanism is to start to send a mail to the
 MS> sender of any mail and abort after the verification of the addressee.
 MS> If the verification of the sender fails, the mail can be considered to
 MS> be Spam.
I think it'll result in significant overhead. I believe use of blacklists +
dnsbl may give more benefits.

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru



Re: antivirus & antispam software

IMHO blacklists will not help at all. Re "sender" blacklists: mails with
Spam or viruses always use fake senders. Blacklisting using the content
results in the scenario I described in the previous mail.

What is dnsbl ?

-Michael

Re: antivirus & antispam software
Hello, Michael!
You wrote on Thu, 14 Sep 2006 17:00:19 +0200:

 ??>> I think it'll result in significant overhead. I believe use of
 ??>> blacklists + dnsbl may give more benefits.

 MS> IMHO blacklists will not help at all. Re "sender" blacklists: mails
 MS> with Spam or viruses always use fake senders. Blacklisting using the
 MS> content results in the scenario I described in the previous mail.
Blacklists also support regexps.
 MS> What is dnsbl ?
It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
records. A mail server usually makes a query to one of the DNSBLs and checks
the sender's IP address.

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru



Re: antivirus & antispam software

Viruses usually spread themselves by reading the (Outlook) address
lists of their victims and use one as an addressee and another as a
sender. So the fake sender usually exists and this method does not
help. Spammers work similarly with their huge lists of victims.

Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
good idea.

-Michael

Re: antivirus & antispam software
Hello, Michael!
You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

 ??>> It stands for "DNS-based Blackhole List". List of hosts kept as DNS
 ??>> records. Mail server usually makes query to one of DNSBL and checks
 ??>> IP-address of sender.

 MS> Viruses usually spread themselves by reading the (Outlook-) Address
 MS> lists of their victims and use one as an addressee and another as a
 MS> sender. So the fake sender usually is existing and this method does not
 MS> help. Spammers work similar with their huge list of victims.
The idea is to reject mails coming from IP addresses found in DNSBL.
According to messages in various maillists this method effectively kills up
to 90% of spam.

 MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
 MS> good idea.

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru
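Roman's two descriptions of a DNSBL (the lookup of the sender's IP address as a DNS record, and rejecting at connect time when the address is listed) come down to one small mechanism: reverse the octets of the connecting IP, query that name under the list's zone, and treat an answer inside 127.0.0.0/8 as "listed". The code below is an added example and not any poster's; the zone `dnsbl.example` and its answer table are constructed so the check runs offline, and `system_resolve` is the only part that touches the network.

```python
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Name to look up: the IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.IPv4Address(ip)            # raises ValueError for anything else
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return "%s.%s" % (reversed_octets, zone)


def dnsbl_check(ip, zone, resolve):
    """Return (listed, answers) for one zone.

    `resolve(name)` must return the A records for `name` as strings, or []
    when the name does not exist.  Per RFC 5782 a listing is an answer inside
    127.0.0.0/8; anything else (a wildcarded or broken zone) is ignored rather
    than treated as a hit, so a misbehaving list cannot block all mail.
    """
    answers = resolve(dnsbl_query_name(ip, zone))
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    hits = [a for a in answers if ipaddress.IPv4Address(a) in loopback]
    return bool(hits), hits


def connect_policy(ip, zones, resolve):
    """SMTP banner to send to a connecting client: reject if any zone lists it."""
    for zone in zones:
        listed, hits = dnsbl_check(ip, zone, resolve)
        if listed:
            return "554 5.7.1 %s listed by %s (%s)" % (ip, zone, ", ".join(hits))
    return "220 router.example ESMTP"


def system_resolve(name):
    """Real lookup through the router's configured resolver (network needed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


# Constructed answers for an imaginary zone "dnsbl.example".  127.0.0.2 is
# the test entry RFC 5782 requires every list to carry; the last octet of an
# answer is the list's return code, documented per zone by the list operator.
SAMPLE_ANSWERS = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],
    "4.3.2.1.dnsbl.example": ["127.0.0.2", "127.0.0.4"],
    "9.9.9.9.wildcarded.example": ["203.0.113.1"],   # bogus non-127 answer
}


def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for client in ("1.2.3.4", "10.0.0.1"):
        print(client, "->", connect_policy(client, ["dnsbl.example"], sample_resolve))
```

Because the decision is made on the connecting IP address before any envelope is seen, a forged or harvested sender address makes no difference to it, which is the point Roman is making in reply to Michael; what does matter is that the lookups go through a resolver the router controls and that a zone returning garbage is treated as "not listed" rather than as a hit.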



Re: antivirus & antispam software
Hello, Michael!
You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

 ??>> It stands for "DNS-based Blackhole List". List of hosts kept as DNS
 ??>> records. Mail server usually makes query to one of DNSBL and checks
 ??>> IP-address of sender.

 MS> Viruses usually spread themselves by reading the (Outlook-) Address
 MS> lists of their victims and use one as an addressee and another as a
 MS> sender. So the fake sender usually is existing and this method does not
 MS> help. Spammers work similar with their huge list of victims.

 MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
 MS> good idea.
What is your suggestion? Do you use any spam-killing software in embedded
units? If so, please share details.

With best regards, Roman Mashak.  E-mail: snipped-for-privacy@tusur.ru



Re: antivirus & antispam software

A useful way to limit the damage of viruses is for the firewall to block
all smtp traffic by default, and then open a hole to your ISP's smtp
server.  Viruses typically try to send out copies by smtp directly,
rather than going via your email client's normal smtp setup, to avoid
your ISP blocking you off.
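The policy in the previous post, default-deny outbound SMTP from the LAN with a single hole to the ISP's relay, is small enough to model and test before it is loaded into the firewall. The code below is an added example, not from the poster: it expresses the policy once, gives the verdict for any forwarded flow, renders the equivalent `iptables` FORWARD rules, and can be run over a connection log to find the LAN hosts that tried to speak SMTP directly, which is the worm symptom the post describes. The LAN range, relay address and interface name are constructed values.

```python
import ipaddress


class EgressSmtpPolicy:
    """Default-deny outbound TCP/25 from the LAN; only the ISP relay(s) are reachable."""

    def __init__(self, lan_net, relays, ports=(25,)):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.relays = [ipaddress.ip_address(r) for r in relays]
        self.ports = set(ports)

    def decide(self, src_ip, dst_ip, dst_port):
        """Verdict for one forwarded flow: 'ACCEPT' or 'DROP'."""
        src = ipaddress.ip_address(src_ip)
        dst = ipaddress.ip_address(dst_ip)
        if src not in self.lan_net or dst_port not in self.ports:
            return "ACCEPT"          # not LAN-originated SMTP: outside this policy
        return "ACCEPT" if dst in self.relays else "DROP"

    def iptables_rules(self, lan_iface="eth0"):
        """Equivalent FORWARD-chain rules, in the order they must be loaded."""
        rules = []
        for relay in self.relays:
            for port in sorted(self.ports):
                rules.append(
                    "iptables -A FORWARD -i %s -s %s -d %s -p tcp --dport %d -j ACCEPT"
                    % (lan_iface, self.lan_net, relay, port))
        for port in sorted(self.ports):
            base = "iptables -A FORWARD -i %s -s %s -p tcp --dport %d" % (
                lan_iface, self.lan_net, port)
            # Log before dropping: a LAN host talking SMTP to anyone but the
            # relay is exactly the symptom the post describes, worth alerting on.
            rules.append(base + ' -j LOG --log-prefix "smtp-direct: "')
            rules.append(base + " -j DROP")
        return rules

    def audit(self, flows):
        """Return the (src, dst, port) flows this policy drops, e.g. from a connection log."""
        return [f for f in flows if self.decide(*f) == "DROP"]


# Constructed values: a /24 LAN and one ISP relay.
POLICY = EgressSmtpPolicy("192.168.1.0/24", ["203.0.113.25"])
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.25", 25),   # mail client to the ISP relay
    ("192.168.1.23", "198.51.100.7", 25),   # direct-to-MX attempt from a LAN host
    ("192.168.1.23", "198.51.100.7", 80),   # ordinary web traffic, untouched
]

if __name__ == "__main__":
    print("\n".join(POLICY.iptables_rules()))
    print(POLICY.audit(SAMPLE_FLOWS))
```

Two things to keep in mind when deploying it: the rules cover forwarded traffic only, so mail submitted on port 587 or fetched by POP3 is unaffected, and the LOG line is the useful part for operations, since one LAN address appearing in it repeatedly is a far cheaper infection indicator than content scanning.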

Re: antivirus & antispam software

For virus detection, there are several options - there is the open
source ClamAV (already mentioned), or commercial programs.  Of course,
you'd have to pay for the commercial ones, and you'd have a lot more
"fun" trying to get them to run in an embedded system.  ClamAV works
fine, and its database is updated regularly, although it can be a bit
slow compared to other systems.  The chances of valid emails being
wrongly marked as viruses are very low.


For spam detection, you want something like spam assassin.  However,
here you have to give the users more control - presumably somewhere in
the world there are people who actually want to receive offers for dodgy
pills and the like.  While it is common to reject virus emails utterly,
it is normal to mark probable spam emails and pass them on so the user
can easily sort them.


That can be worth doing, but only works for smtp incoming email.  If
typical users of your router do not have their own email server and
hosting, then it doesn't help as the emails come via pop3.

One thing to think through very carefully is how to handle updates for
your virus definitions, your virus checking software, your spam
detection software, and any blacklists.  Remember that for many of
these, voluntary free sites are providing the bandwidth, so selling a
commercial product that uses them may be questionable legally or
ethically, unless you are using your own servers as proxies or
channelling some of your profits back to those services (as money or
bandwidth).  You also have to consider the consequences if something
goes wrong with one of these sites or the files they supply - using your
own servers gives you a bit more control.
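The disposition rule this post lays out (reject virus mail outright, but tag probable spam and pass it on, with the threshold under the user's control) is worth writing down as code, because it is the point where a router's filter either respects the user's choice or does not. The following is an added example and not the poster's or SpamAssassin's code; the `X-Spam-*` header names follow SpamAssassin's convention, while the per-user threshold table, the message and the addresses are constructed.

```python
from email import message_from_string

DEFAULT_THRESHOLD = 5.0
# Constructed per-user overrides: a user who wants to see more of the borderline mail.
USER_THRESHOLDS = {"bob@example.org": 12.0}


def threshold_for(recipient):
    return USER_THRESHOLDS.get(recipient.lower(), DEFAULT_THRESHOLD)


def dispose(raw, recipient, virus_name=None, spam_score=0.0):
    """Decide what to do with one message and return (action, message).

    'reject': a virus was found; the message is not delivered at all.
    'tag':    probable spam; delivered with headers and subject marked.
    'pass':   delivered unchanged apart from an informational status header.
    """
    if virus_name:
        return "reject", None
    msg = message_from_string(raw)
    required = threshold_for(recipient)
    status = "score=%.1f required=%.1f" % (spam_score, required)
    if spam_score >= required:
        msg["X-Spam-Flag"] = "YES"
        msg["X-Spam-Status"] = "Yes, " + status
        subject = msg["Subject"] or ""
        del msg["Subject"]                   # replace rather than duplicate the header
        msg["Subject"] = "*****SPAM***** " + subject
        return "tag", msg
    msg["X-Spam-Status"] = "No, " + status
    return "pass", msg


# Constructed message as it would arrive from the proxy.
SAMPLE_RAW = (
    "From: sender@example.net\n"
    "To: alice@example.org\n"
    "Subject: lowest price pills\n"
    "\n"
    "Buy now.\n"
)

if __name__ == "__main__":
    action, msg = dispose(SAMPLE_RAW, "alice@example.org", spam_score=7.5)
    print(action)
    print(msg.as_string())
```

The same score thus produces a tagged message for one recipient and an untouched one for another, and the client-side sort the post mentions only needs a rule on `X-Spam-Flag`. The virus branch returns no message at all on purpose: once the decision is to reject, nothing derived from the message should be delivered or bounced.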

