[svlug] Integrated Linux Virus Scanners

Tue Aug 19 14:47:46 PDT 2003

Not exactly what you asked, but I use AntiVir on my Linux 
workstation.  For individual, non-commercial use it is available 
free of charge (for Linux, FreeBSD, and MS-Windows).  The virus 
definition file, antivir.vdf, is kept nicely up to date; whenever 
I receive a virus by e-mail, the program can always identify it 
(after downloading the latest vdf file, if necessary).


As to using procmail to delete all attachments from all e-mails,
I would find this unacceptable, since many forwarded messages,
articles, documents, images, etc., are legitimately sent as 

However, MS-Windows binary executables, which are the only type
of virus I've ever received (I only get a few per week), can 
easily be distinguished from other attachments, since (after 
base64 decoding) they all begin with the two ASCII bytes "MZ" 
(the signature of an MS-DOS/Windows .exe file).  Global deletion 
of attachments with that signature would be entirely acceptable,
and they could easily be identified by calling "mimencode -u" 
to decode them (unless procmail does this already), and "head -c 2" 
to isolate the first two bytes.  It might be faster to use another 
call to "head" initially to select the first 20 bytes or so of 
the encoded attachment to feed to mimencode.

Other formats for MS viruses (e.g., MS Visual Basic ?) might also 
be identifiable by similar means.


On Tue, Aug 19, 2003 at 10:26:31AM -0400, William R. Lorenz wrote:
>I'm sure this topic has been hashed out in the past, but I'd like to 
>revisit it once again and poll everyone as to any integrated virus 
>scanners they might be using on their Linux/UNIX-based mail servers.
>I know that Sendmail, Exim, and Postfix can all be integrated with
>on-the-fly scanning software; however, I believe that most of the virus
>definition/signature databases out there are only offered for a fee.  Is
>that the case from what others have found, or is there a free virus
>definition database available out there somewhere?  What engine and/or
>definition database have others found to work well in the past?
>I understand there's also the option of using procmail to strip out
>attachments on a global basis using an /etc/procmailrc or similar; in fact
>I remember implementing this for someone a while ago when I was doing the
>consulting thing.  It's been a while, but I might revisit that, also.
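The "MZ" check the reply above describes, worked through as an added example (not code from the original thread): it decodes each attachment of a constructed MIME message the way `mimencode -u` would, inspects the first two bytes, and also shows the shortcut of decoding only the first 20 or so characters of the base64 body before looking for the signature. The message, file names and byte contents are all constructed here for illustration; the hypothetical `find_mz_attachments` function is the piece a procmail recipe could call.

```python
import base64
import email
from email import policy
from email.message import EmailMessage

# Constructed stand-in for an MS-DOS/Windows executable: only the two-byte
# "MZ" signature followed by filler, not a real program.
FAKE_EXE = b"MZ" + b"\x90\x00" * 30


def build_sample_message() -> bytes:
    """Build a constructed two-attachment message: one MZ blob, one text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attachments.")
    # Bytes attachments are base64-encoded by the email library, just as a
    # mailer would encode a binary.
    msg.add_attachment(FAKE_EXE, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.scr")
    msg.add_attachment("plain report text\n", subtype="plain",
                       filename="report.txt")
    return msg.as_bytes()


def is_mz_executable(data: bytes) -> bool:
    """The 'head -c 2' test: DOS/Windows .exe files start with ASCII 'MZ'."""
    return data[:2] == b"MZ"


def sniff_base64_prefix(encoded: bytes, nchars: int = 20) -> bytes:
    """Decode only the first `nchars` of a base64 body (the 'head | mimencode -u'
    shortcut from the post). base64 works in 4-character groups, so the
    prefix is trimmed to a multiple of 4 to keep the partial decode valid."""
    head = b"".join(encoded.split())[:nchars]
    head = head[: len(head) - len(head) % 4]
    return base64.b64decode(head)


def find_mz_attachments(raw: bytes) -> list:
    """Return the file names of attachments whose decoded body starts with 'MZ'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)  # full base64/QP decode
        if payload is None:
            continue
        if is_mz_executable(payload):
            hits.append(part.get_filename())
    return hits


if __name__ == "__main__":
    sample = build_sample_message()
    print("MZ attachments:", find_mz_attachments(sample))
    # The prefix shortcut reaches the same verdict from a few encoded bytes.
    print("prefix sniff:", sniff_base64_prefix(base64.b64encode(FAKE_EXE))[:2])
```

The signature test is cheap and, as the post says, has essentially no false positives on ordinary documents and images, but it only recognises DOS/Windows executables: script files, macro-bearing office documents and archives wrapping an .exe would pass it, which is why the poster treats other formats as a separate question.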
