Antivirus for fileserver


#1

Hi,

Does anyone use amavis or another antivirus program on their fileserver? Any recommendations?

Gerald


#2

Hey,

For clarification: amavis itself is not an anti-virus program. It is a program that sits between your mail server and one or more anti-virus scanners. amavis’ job is to receive a mail from the mail server, hand it over to one or more anti-virus programs, collect their results and act on those results by dropping the mail or handing it back to the mail server for final delivery.

So if you’re looking for an anti-virus solution for file servers, don’t look into amavis. Wrong tool for the job.

In the past we’ve had customers use F-secure, ESET and Kaspersky on file servers. On Linux there are generally three different approaches:

  1. Only on-demand scanning. This is the simplest solution that most A/V vendors offer for Linux: you regularly run a program that scans the whole file system and analyses all files for viruses. It’s slow, it isn’t real-time, but it has few to no dependencies and is therefore compatible across a wide variety of Linux distributions and kernel versions.
  2. Real-time scanning of all files with a kernel module. This inserts the A/V solution into each system call to open a file. Therefore all types of file accesses are vetted by the A/V solution. The downside is that the kernel module highly depends on the kernel version used on the machine. Most A/V vendors only support this on a very limited set of Linux distributions and versions; often restricted to the usual enterprise distributions (RedHat Enterprise Linux, SuSE Linux Enterprise Server, maybe CentOS, sometimes even Ubuntu LTS). I haven’t seen official support for Univention for such a solution yet. Doesn’t mean it won’t run, but chances are you won’t succeed. One of the issues is that the internal interfaces the kernel provides for loadable modules often change.
  3. Real-time scanning of files opened via Samba. Samba itself provides a similar mechanism to loadable kernel modules via its “virtual file system objects” (smb.conf option vfs objects). This is a pretty stable API (unlike the kernel’s internal interfaces). Several A/V solutions provide modules for Samba, and we’ve definitely had customers use this kind of setup with great success on Univention, too. The drawback is that only file accesses that happen via SMB/CIFS are scanned. In most setups this isn’t a big deal as most clients are Windows or macOS machines, and both types use SMB/CIFS for file access. And pure Linux applications are not usually targeted by malware or viruses. Therefore we often combine this method with method 1 (regular full filesystem scans).

I cannot say anything about the product quality of the three vendors listed above, though. Refer to the usual comparisons available all over the internet.

Kind regards
mosu
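An added example for approach 3 above; it is not part of the original thread and not vendor code. It uses Samba's own vfs_virusfilter module (shipped with Samba since 4.8, backend "clamav") rather than a commercial module, and the clamd socket path and quarantine directory are assumptions to adapt locally. The point it demonstrates is a caveat worth checking: "vfs objects" is a per-share parameter, so a value in [global] is only the default, and any share that sets its own "vfs objects" list replaces that default wholesale, silently losing the scanner. The script embeds a constructed smb.conf with exactly that mistake and audits which shares end up without the module.

```shell
#!/bin/sh
# Audit an smb.conf for shares whose effective "vfs objects" list lacks an
# on-access scanning module. Constructed sample config, not a real site's.
set -eu

# Constructed sample smb.conf. "virusfilter" is Samba's vfs_virusfilter module;
# the socket path and quarantine directory are assumptions.
sample_smb_conf() {
cat <<'EOF'
[global]
   workgroup = EXAMPLE
   vfs objects = virusfilter
   virusfilter:scanner = clamav
   virusfilter:socket path = /var/run/clamav/clamd.ctl
   virusfilter:infected file action = quarantine
   virusfilter:quarantine directory = /var/lib/samba/quarantine

[homes]
   path = /home/%S
   read only = no

[projects]
   path = /srv/projects
   ; this share-level list REPLACES the global one: virusfilter is gone here
   vfs objects = recycle
   read only = no

[scans]
   path = /srv/scans
   vfs objects = recycle virusfilter
EOF
}

# Read an smb.conf on stdin and print the names of shares whose effective
# "vfs objects" list does not contain module $1. A share inherits the [global]
# list only when it sets no "vfs objects" of its own.
shares_without_module() {
    awk -v mod="$1" '
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            section = tolower(section)
            if (section != "global") order[++n] = section
            next
        }
        /^[ \t]*[;#]/ { next }                      # comment lines
        tolower($0) ~ /^[ \t]*vfs[ \t]+objects[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            own[section] = val
            has[section] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                s = order[i]
                list = (s in has) ? own[s] : own["global"]
                m = split(list, parts, /[ \t]+/)
                found = 0
                for (j = 1; j <= m; j++) if (parts[j] == mod) found = 1
                if (!found) print s
            }
        }
    '
}

# Run the audit against the constructed sample; prints "projects".
audit_sample() {
    sample_smb_conf | shares_without_module virusfilter
}

audit_sample
```

Against a live server, feed it the effective configuration instead of the raw file so that include files are resolved: `testparm -s 2>/dev/null | shares_without_module virusfilter`. Any share it lists is one where SMB clients are not being scanned on access, which is exactly the gap the regular full filesystem scan from approach 1 is meant to backstop.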