[EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] wrote on 11/16/2007 02:52:34 PM:
>
>> [EMAIL PROTECTED] wrote:
>>
>>> Hello all.
>>>
>>> We've had some consultant make the spurious claim that Clam AV
>>> only scans for 'windows viruses' and is really only useful for
>>> 'scanning email'.
>>>
>>> Despite the fact that I know this to be patently false, is there
>>> documentation out there I can slap him with that clearly indicates
>>> that the virus defs are for any platform, Linux, windows, Unix,
>>> Mac OS X, etc. ?
>>>
>>> I can prove that it scans the file system just by sprinkling a few
>>> test viri things out in the file system. Hard to argue with that
>>> sort of evidence.
>>>
>>> The rest of it, well, now it's personal.
>>>
>> As much as I like ClamAV and rely on it for scanning mail before it gets
>> to our Exchange server, I wouldn't use it as my primary Windows
>> solution. There are too many hooks necessary to get real-time scanning,
>> internal Exchange scanning, and so on.  The proper thing, in my opinion,
>> is to build a multi-layer defense, using ClamAV on the MX servers
>> checking incoming mail, and then using a different product on the
>> Windows machines. This way, you get two different teams working on
>> malware definitions, two different ways of looking at things, and two
>> different timing cycles to make it more likely one of them will catch
>> whatever's coming in.
>>
>> In our case, we use ClamAV on the MX servers and run Symantec Corporate
>> on the Windows servers, Windows desktops, and the Exchange server.
>>
>> I certainly understand the personal bit.  Isn't it amazing how they'll
>> pay attention to an outsider and discount everything you say?
>>
>
> I wouldn't even be in this situation, except that Symantec AV for Linux is a 
> little too fussy about kernel levels and the like to pass muster.
>
> We're building a fairly massive vignette/oracle/apache et al environment and 
> the Symantec product is kernel level rigid. It's like we will support
> 2.4.16-252. Not 251. Not 253 JUST 251. So we apply maintenance that involves 
> the kernel, which we did for some oracle/vignette level set requirements
> and SAV stopped doing on access scanning and all the other stuff we wanted it 
> for. Just because the kernel level nudged up slightly.
>
> So I dusted off my Clam AV setup that I built for Linux on z/Series, created 
> a front end, and through some NFS magic, and automount, I scan all the
> linux server file systems from a single point, and let ONE server do all the 
> heavy lifting.
>
> Is it perfect? no. Is it working? Yes.
>
>
I would be adding chkrootkit and rkhunter to the Linux boxes myself and
drop Symantec AV if it's going to be that picky. Rkhunter will even tell
you if critical OS files moved to a new sector on the hard drive. (I
changed hard drives on a system and found out about that feature the
hard way <GRIN>)

Did you look at AVG for Linux while you were at it?

Plus adding open port scanning via nmap or multiscan also.

Lyle

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html