[OpenIndiana-discuss] Anti-Virus strategy

Jim Klimov jimklimov at cos.ru
Wed Dec 26 17:08:07 UTC 2012


On 2012-12-26 17:13, Michelle Knight wrote:
> Hi Folks,
>
> Up until now, I've been using Clam on a linux client to remotely scan my
> ZFS volumes overnight every few days; primarily as I don't know anything
> about running anti-virus directly on the OI box.  (...)
> I don't really suffer viruses; thanks to some hard lessons learned in
> the past. However I'm human and something could still catch me on a blind
> side some day, so another gate keeper won't hurt.
>
> Has anyone got any advice and links to instructions please?


Well, one thing you could use is ClamAV itself. It cleanly compiles
under Solaris, I believe OI or SFE even provide it as a package,
maybe even with SMF integration. I've recently packaged my own build
for my older Solaris machines (you might need ncurses for clamdtop,
otherwise no surprises).

Then you could either use regular scanning via command-line/crontab
and/or intrusion detection (as Gary detailed), perhaps mixing the
two to only scan changed files. Though it might make sense to scan
everything once in a while, just in case new fingerprints are added
to the antivirus database that were not present when you originally
saved the files with possible unknown viruses.

However, ClamAV's strengths shine when you use it as a daemon.
Not only is its command-line client clamdscan much faster than
usual clamscan - because it doesn't have to load the databases
every time - but also you can use clamd as a filter for other tasks.
The bundled clamav-milter can help with your emails, and the extra
ICAP integration (i.e. c-icap software) allows you to stick the filter
into Squid for web traffic, into Samba for CIFS and into ZFS for
any file IO (CIFS, NFS, FTP, local, ...).

* http://www.c0t0d0s0.org/uploads/vscanclamav.pdf
* http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id2652728
* http://squidclamav.darold.net and
  http://louwrentius.com/blog/2012/08/setting-up-a-squid-proxy-with-clamav-anti-virus-using-c-icap/
* http://c-icap.sourceforge.net/
* http://www.clamav.net/lang/en/

DISCLAIMER: I did not try anything other than email integration
and command-line test usage, so can't help in detail further than
this...

HTH,
//Jim Klimov
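
The mix described in the message above (scan only changed files via clamdscan from cron, with a full rescan once in a while so older files are checked against newer signatures), as an added example that is not part of the original post or of ClamAV. The variable names, their default paths, the 7-day interval and the `--run` argument are assumptions; a running clamd is assumed.

```shell
#!/bin/sh
SCAN_ROOT="${SCAN_ROOT:-/tank/data}"        # assumed ZFS dataset mountpoint
STATE_DIR="${STATE_DIR:-/var/lib/avscan}"   # assumed root-owned state directory
FULL_EVERY_DAYS="${FULL_EVERY_DAYS:-7}"     # assumed full-rescan interval

# "full" if no full scan is recorded or the last one is older than the interval,
# so files saved before a signature existed get rechecked; else "incremental".
scan_mode() {
    marker="$STATE_DIR/last_full"
    [ -f "$marker" ] || { echo full; return; }
    if [ -n "$(find "$marker" -mtime +"$FULL_EVERY_DAYS" -print)" ]; then
        echo full
    else
        echo incremental
    fi
}

# List files to scan. Incremental mode compares mtime only, so files copied in
# with preserved timestamps wait for the next full scan.
list_targets() {
    stamp="$STATE_DIR/last_scan"
    if [ "$1" = full ] || [ ! -f "$stamp" ]; then
        find "$SCAN_ROOT" -type f -print
    else
        find "$SCAN_ROOT" -type f -newer "$stamp" -print
    fi
}

run_scan() {
    mkdir -p "$STATE_DIR" || return 2
    mode=$(scan_mode)
    list="$STATE_DIR/targets.$$"; next="$STATE_DIR/next_stamp.$$"
    touch "$next"    # taken before listing: files written mid-scan are rescanned
    list_targets "$mode" > "$list"
    rc=0
    if [ -s "$list" ]; then
        clamdscan --fdpass --infected --no-summary --file-list="$list" || rc=$?
    fi
    # clamdscan exits 0 (clean), 1 (infected), 2 (error). Advance the markers
    # only on 0 or 1, so a failed scan never silently skips files.
    if [ "$rc" -le 1 ]; then
        mv "$next" "$STATE_DIR/last_scan"
        if [ "$mode" = full ]; then touch "$STATE_DIR/last_full"; fi
    else
        rm -f "$next"
    fi
    rm -f "$list"
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then run_scan; exit $?; fi
```

From cron, call the script with `--run` and alert on exit status 1 (something was found) or anything higher (the scan did not complete).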



