
Supported Antivirus Consideration & Question

Posted: 10 Jan 2019 09:18
by nicola.piazzi
I worked to find supported antivirus products that can be used with EFA MailScanner and found that we have these 3 products:

1. Clam, which is included
2. Sophos for Linux, which is free
3. Esets, which has a small fee of about 100$ a year

Clam is invoked using a daemon that already has the patterns in memory, so it doesn't use relevant CPU to scan messages
Sophos uses about 7 secs of CPU to load patterns for each message to scan
Esets uses about 4 secs of CPU to load patterns for each message to scan

So I found that using only Clam, the machine is very reactive and able to process tons of messages / day

Now it would be useful to find a daemon mode like Clam's, to have preloaded patterns for the other AVs

Sophos seems to be impossible; perhaps this can be done by sophossavi, which seems to be no longer working (32 bit arch)
Esets can be done using esets_cli instead of esets_scan, but it isn't supported by the MailScanner wrappers.

Another way could be to scan ONLY messages that have attachments, but I haven't found a directive to do this
Does someone have an idea about this?
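
The daemon mode discussed in the post above, as an added example that is not part of the original thread or of the MailScanner or ClamAV code: a client hands the message bytes to an already-running clamd over its socket with the INSTREAM command, so no signature database is loaded per message. The function names and the socket path are assumptions (the path varies by distribution), and the sample replies in the comments are constructed.

```python
import socket
import struct

CHUNK = 64 * 1024  # a single chunk must not exceed clamd's StreamMaxLength


def instream_frames(data: bytes, chunk: int = CHUNK) -> bytes:
    """Frame a message for clamd's INSTREAM command (null-terminated 'z' form)."""
    out = [b"zINSTREAM\0"]
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        # Each chunk: 4-byte big-endian length, then the bytes themselves.
        out.append(struct.pack("!I", len(part)) + part)
    out.append(struct.pack("!I", 0))  # zero-length chunk ends the stream
    return b"".join(out)


def parse_reply(reply: bytes):
    """Map a clamd reply to (verdict, detail); anything unexpected is an error."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, body = text.partition(": ")
    if body == "OK":                       # e.g. b"stream: OK\0"
        return ("clean", None)
    if body.endswith(" FOUND"):            # e.g. b"stream: <signature> FOUND\0"
        return ("infected", body[:-len(" FOUND")])
    # Size-limit errors, empty replies, etc. are never reported as clean.
    return ("error", body or text)


def scan(data: bytes, sock_path: str = "/var/run/clamav/clamd.sock",
         timeout: float = 30.0):
    """Send one message to a running clamd. sock_path is an assumed default."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):
            buf = s.recv(4096)
            if not buf:                    # daemon closed the connection
                break
            reply += buf
    return parse_reply(reply)
```

A caller should treat the "error" verdict like a scanner failure rather than as a clean result, so that a message is not delivered unscanned when clamd rejects the stream.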

Re: Supported Antivirus Consideration & Question

Posted: 10 Jan 2019 11:28
by henk
Hi Nicola,

let's hope Shawn can manage to spend time to work on the new EFA/Mailwatch/MailScanner, as it's a hell of a job and there must be some sort of balance between EFA, work, sleep, eat, family.
Take a look at the near future: https://github.com/MailScanner/v5/tree/ ... er/wrapper

P.S.
I temporarily disabled Sophos, since it's been dysfunctional since Dec 2018, and you mentioned AVG had the same issue.

Re: Supported Antivirus Consideration & Question

Posted: 12 Jan 2019 01:52
by shawniverson
henk wrote (10 Jan 2019 11:28):
> Hi Nicola,
>
> let's hope Shawn can manage to spend time to work on the new EFA/Mailwatch/MailScanner, as it's a hell of a job and there must be some sort of balance between EFA, work, sleep, eat, family.

Balance? :lol: :lol: :lol: :lol:

Re: Supported Antivirus Consideration & Question

Posted: 22 Jan 2019 08:40
by nicola.piazzi
Hi,
I tested these 3 supported antivirus products with these results:
[Attached image: Cattura.PNG]
We can say that we can exclude Esets, also because we need to pay for it
We can retain only Clam and Sophos, which are free and have a good detection rate

Clamd is good because we don't use CPU when using the daemon
Unfortunately Sophos uses 7 secs of CPU for each message because it is a standalone module

This can be corrected using sophossavi, which acts like clamd and can transform an EFA box into a double antivirus system that doesn't need CPU and that has a higher message throughput.

So I can correct my EFA machine from 12 CPUs as of now to a box with 2 or 4 CPUs.

Now the problem is how to install Sophos SAVI. Is someone able to do this? I downloaded SAVI PERL 030 but I am unable to compile it

https://metacpan.org/pod/SAVI

Re: Supported Antivirus Consideration & Question

Posted: 28 Jan 2019 22:03
by henk
Hi Nicola,

I did find some info about SAVI on page 81 https://s3.amazonaws.com/msv5/docs/ms-admin-guide.pdf

Seems you need a valid User and Password to get the files needed. It does give some additional info that could be useful

You could download the evaluation of Sophos for Linux to test performance (see install link below)

https://englanders.us/~jason/howtos.php?howto=sophie

Re: Supported Antivirus Consideration & Question

Posted: 19 Feb 2019 11:12
by ovizii
Not trying to hijack your thread, just some input: we are also using the free Sophos version and have bought additional AV definitions for clamav:

securiteinfo - roughly 30€ / year for their professional subscription and
malwarepatrol - roughly 40€ / year

This and using clamav-unofficial-sigs with their free additional sources makes us feel quite safe although we do have the occasional virus slip through.

I was recently looking for additional AV solutions and found this, have a look if it's suitable for EFA: http://www.zonerantivirus.com/stahnout? ... at&arch=32

(I basically checked out virustotal and their list of scanners then went to find one that had a free linux version :-)

Re: Supported Antivirus Consideration & Question

Posted: 19 Feb 2019 12:44
by henk
Hi ovizii, thanks for the input, as any enhancement will benefit EFA.
The issue with additional scanners is the integration with EFA/Mailwatch/MailScanner.

As EFA3 is EOL, I just focus on EFA4 and monitor the ongoing development and additional scanner integration.
https://github.com/MailScanner/v5/blob/master/changelog
https://github.com/mailwatch/MailWatch/ ... ANGELOG.md

The major change is the MailScanner Milter project, as it decouples MailScanner from Postfix.
From the documentation:
A future version of the milter may support “Full Milter Scanner” mode in which traditional MailScanner is turned off and the Milter does all scanning, returning REJECTS and TMPFAILS at the expense of sacrificing bulk scanning for those who need this functionality and have lighter workloads.
To speed up the transition to EFA4, it would be great if more members could test the new EFA version or at least help with translations.
It's a small offer compared to the massive effort of the EFA/Mailwatch/MailScanner teams to get the job done. :thumbup: