From: Rick Moen <rick at>
Date: Wed Sep 10 19:00:11 PDT 2003
Subject: [conspire] linux antivirus?

Quoting Tom Macke (macke at

> Our head IT guy just asked me if I knew of any linux "antivirus"
> package that we could get. I think I saw that there was recently a
> linux virus, but just figured that that solution was keep the patches
> current. Any suggestions?

Hmm, this is a topic that tends to devolve into a lot of subtopics, many
of them in response to "Yes, but..." questions from people to whom the
answer is alien to the point of incredulity.

The concept of "Linux antivirus package" can mean one of several very
different things.

1. Quarantining and scrubbing of MS-Windows (and possibly other
foreign-OS) files temporarily resident on Linux, e.g., because your
Linux box is a Samba server (Windows file/print) or an SMTP/POP3/IMAP
server holding mail that is then handed to Windows MUAs (mail clients).

2. Quarantining and scrubbing of other files on Linux to protect
against Linux malware.

3. Or it can mean that the IT guy in question really hasn't the
faintest idea what he means, but just has a spinal reflex to put
"antivirus" software on any machine whatsoever.

I'm going to address case #1 in this e-mail. I'll probably get to case
#2 later, because that's where discussion tends to become endless and
branch out in lots and lots of directions. Why? Because the short form
of the answer is "There'd be no point. Linux malware may be easy to
create but it's in practice impossible to propagate, because of
cautionary mechanisms that are enforced by Linux architecture and
culture. Any attempt at an 'antiviral' package would be a huge system
threat in itself, and would tend to give wielders of root-user access a
false sense of security, since that privilege is already a much bigger
threat to the system than malware (viruses, etc.) is.

Anyhow, as to virus-checkers that run on virus to find and remove
other-OS viruses. Here are some links I found by googling:

Clam AntiVirus (ClamAV) and OpenAntiVirus:
Open source. Relies on community participation to keep database of
virus signatures up to date.


McAfee VirusScan
(Apparently, a number of Linux MTAs can be used with the McAfee viruscan
virus-definition files. No link, exactly, but you can google for
"mcafee antivirus linux" to find relevant materials.)

AMaViS Virus Scanner / AMaViS-ng / amavisd-new

Bit Defender

Kaspersky Labs's Anti-Virus for Linux

Trend Micro Interscan Viruswall

Sophos AntiVirus

[US $300 for Small Business & US $450 for Enterprise Business]


eTrust Antivirus (formerly InoculateIT and Inoculan)
(Note: Computer Associates is where formerly OK software companies go
to be embalmed and their customer-based milked after they've died.)


Vexira Antivirus for Linux Workstation

Panda Antivirus for Linux

H+ BEDV Dantentechnik GmbH's AntiVir for Linux
Antivir is free for non-commercial use, and you can get virus definition
updates for one year.

Hauri, Inc.'s ViRobot Expert


Norman Virus Control (NVC)

The above list is mostly gathered from other sources. Please note that
I have _zero_ experience with these packages. ClamAV appears to have a
good reputation, though, and is open-source.

A few words about case #3 (IT guy has no clue, but insists reflexively
that any comporate computer must run "antivirus software"): Sometimes,
rather than argue with the guy and try to educate him, it's best to tell
him what he wants to hear. That is, tell him that he raised an
excellent point, and you appreciate being reminded of that
company-critical issue. Therefore, you've deployed the extremely
effective antiviral package comprising Exim and Spamassassin. (See: Tell him that _zero_
Sobig.F e-mails ever get past that combination (which is true).

You _don't_ have to tell him that the package's design goal has nothing
whatsoever to do with viruses, but rather aims to eliminate almost all
junkmail during the SMTP session rather than after delivery. What he
doesn't know won't hurt him.

If you don't deploy the Exim-SA combo, you can still (correctly) tell
him that your anti-virus package's name is "procmail" (used as mail
delivery agent). Procmail with a modest collection of filters is
(possibly, maybe) at least as effective as dedicated virus scanners for
case #2 (native Linux viruses), given the fact that they're basically

More about case #2 in a separate mail.

Cheers, Wall Street has all the emotional stability of a
Rick Moen thirteen-year-old girl. -- Louis Rukeyser
rick at

Subject: Re: [plug] Re: Amavis performance
From: "Eddie Javier"
Date: Wed, 2 Oct 2002 11:17:31 +0800 (PHT)


If it's possible, avoid using Amavis. It's a memory hog (at least the last
one I used). You mentioned that in every message that comes in, Amavis
spawns the virus scanner. Imagine if you have thousands of email coming in.

Don't use virus scanning daemons as well. If the virus scanner dies or leaks
, you have to have another program watching it whenever that happens. Also,
if your mail servers gets attacked via the "Zip of Death", your virus
scanner may crash.

A more sophisticated solution is to use a system that scans messages by
batch rather than one by one. It works like this:

1. Spawn sendmail and store messages on an alternate folder, say

/usr/sbin/sendmail -bd -ODeliveryMode=queueonly
/usr/sbin/sendmail -q15m

2. Have the AV scanner scan the incoming queue. Move to /var/spool/mqueue if
clean, quarantine if not

A program that does this is mailscanner (
What's cool is that it can also filter spam if you want to. What's even
cooler is that cross-check mails with open relay databases. What's even
"spankingly cool" is that it can use SpamAssassin to filter more spam.


From rick Mon Nov 11 16:15:51 2002
Date: Mon, 11 Nov 2002 16:15:51 -0800
To: Michael Havens
Subject: Re: [TAG] Virus scan (I don't have the address to the general Linux questions mailbox)

Quoting Michael Havens (

> +-+--------------------------------------------------------------------+-+
> +-+ Original question from: "Michael Havens"
> +-+--------------------------------------------------------------------+-+
> Hey all, I have a friend that is scared of using Linux because he
> doesn't have a virus/worm scan protecting it. Does he need to worry?

Mike, here's more than you really need to know about that issue:

If you have a superstitious belief in software that checks for
"viruses", you can get them for Linux, from a number of firms, e.g.,

[list deleted as outdated -- see newer message, below]

However, most of those are basically intended to filter out Micros*ft
Wind*ws viruses on Linux-based file and e-mail servers used by
vulnerable Wind*ws clients. Otherwise, antiviral software on Linux is
about as useful as a buggy whip on a Corvette -- just like disk
defragmenters, generally speaking. (Modern filesystems other than
that of Digital Equipment Corp.'s VMS and the two filesystems used by
Micros*ft will automatically self-defragment over time, given a modest
amount of free disk space on them.)

Cheers, kill -9 them all.
Rick Moen Let init sort it out.

Date: Wed, 24 Sep 2003 19:51:09 +0200
From: Tomasz Papszun
Subject: Re: MS BS + Sorting out the virii

[ I'm resending it because yesterday try didn't appear on the list.
Thomas Ritter has already answered to the copy which I sent directly to
him. ]

On Wed, 24 Sep 2003 at 1:54:42 +0200, Thomas Ritter wrote:
> Just a note: Open Antivirus programs like clamav are not perfect,
> because the open virus database [1] is still too small... but for
> _sorting_ mail, clamav (it's in sid) is really good. It gives you
> [1]

Sorry but I must say that this is an incorrect claim.

Only in the very beginning, ClamAV had used just's
database. hasn't been updated for months now.

Currently ClamAV's own database is quite big and is updated even a
couple of times a day if needed. It's quite good at new viruses caught
"in the wild", e.g. we had the signature for Gibe.F (alias Swen) at the
same day that the virus appeared.

Older viruses are gradually added to the database.

Everyone is encouraged to submit samples of viruses unknown for ClamAV
( ).

It's a GPLed project and each of us can benefit of it, so developing it
(among others by submitting samples of new viruses) is a "Good Thing".

ClamAV is supported in Debian and it's very well integrated with
amavisd-new (which, in turn, can be used also with spamassassin).

Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only | ones and zeros.

More at: