Date:      Fri, 27 Jul 2012 16:50:35 +0100
From:      Daniel Bye <freebsd-questions@slightlystrange.org>
To:        freebsd-questions@freebsd.org
Subject:   Re: On-access AV scanning
Message-ID:  <20120727155035.GG4834@catflap.slightlystrange.org>
In-Reply-To: <749F391EFB9AA6234EF1AFF4@localhost>
References:  <20120727104308.GA4834@catflap.slightlystrange.org> <749F391EFB9AA6234EF1AFF4@localhost>

On Fri, Jul 27, 2012 at 10:02:26AM -0500, Paul Schmehl wrote:
> --On July 27, 2012 11:43:08 AM +0100 Daniel Bye
> <freebsd-questions@slightlystrange.org> wrote:
>
> >Are there any current options available to support on-access antivirus
> >scanning on FreeBSD?
> >
>
> Clamav.

I use it on my home mail server (I have a Windows machine on my network, so
want to trap anything nasty that comes in to protect that). It integrates
well with exim's malware ACL checks.

>
> I did some testing several years ago with ClamAV, Sophos and McAfee
> (scanning incoming mail), and ClamAV was comparable to McAfee in
> detection rates - over 98%.

Yes, it's a good product, no doubt.

>
> If you run the daemon you have on access scanning.  Seems like that
> would satisfy the policy.

No - the daemon only provides on-demand scanning on FreeBSD. That is, it
only scans files that are explicitly passed to it by some other process -
usually an MTA or the clamscan command line tool.  On-access scanning
requires an additional layer on top of the file system, which intercepts
certain file system operations, sending files transparently to the scanner.
Opening a file in your editor, for example, might cause the file to first be
scanned before your editor can get it.  Likewise, trying to download
something from the web in your browser would cause the file to be scanned
before it's saved to disk.  That's what the dazuko port was for (although it
doesn't work on FreeBSD9, and the latest version is a Linux-only rewrite.)
As Polytropon pointed out, it should be possible to create a passing
approximation by using FAM/Gamin.

Thanks, everyone, for all your input. I think I have enough to be able to
put a strong case forward.

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
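
Added example, not part of the original message: a sketch of the "passing approximation" discussed above, using a plain polling pass in place of FAM/Gamin and clamd's INSTREAM command to hand changed files to the daemon. The socket path and the WATCH_DIR variable are assumptions. Because the scan runs after the write is noticed, a file stays readable until the verdict arrives, which is the gap between this and true on-access interception.

```python
import os, socket, struct, time
CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # assumed; use LocalSocket from clamd.conf

def instream_frames(data, chunk=8192):
    """Frame bytes for clamd INSTREAM: command, length-prefixed chunks, zero terminator."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))
    return b"".join(out)

def parse_reply(reply):
    """Map 'stream: OK' / 'stream: <name> FOUND' to (infected, detail)."""
    text = reply.rstrip(b"\0\n").decode("ascii", "replace")
    verdict = text.partition(": ")[2]
    if verdict.endswith(" FOUND"):
        return True, verdict[:-len(" FOUND")]
    if verdict == "OK":
        return False, "OK"
    raise ValueError("unexpected clamd reply: " + text)  # e.g. size limit ERROR

def scan_file(path, sock_path=CLAMD_SOCKET):
    with open(path, "rb") as fh, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(fh.read()))
        return parse_reply(s.recv(4096))

def changed_files(root, seen):
    """One polling pass: paths that are new or modified since the previous pass."""
    changed = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished between listing and stat
            stamp = (st.st_mtime_ns, st.st_size)
            if seen.get(path) != stamp:
                seen[path] = stamp
                changed.append(path)
    return changed

if __name__ == "__main__":
    seen, root = {}, os.environ.get("WATCH_DIR", ".")  # WATCH_DIR: hypothetical variable
    while True:
        for path in changed_files(root, seen):
            print(path, scan_file(path))
        time.sleep(2)
```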




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20120727155035.GG4834>