This is a discussion on OpenBSD AV solutions (Besides ClamAV) ? within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
| ||||
Hello,

I'm searching the web for any OpenBSD (v3.6) compatible virus scanners to use at my company. I'm using ClamAV at the moment, which works great. But unfortunately, some Sober variant slipped through just before the new updates arrived, so my boss wants to have multiple AV scanners. The problem is, I can't really find one which is made *for* OpenBSD (they don't have to be free).

Vexira Antivirus runs on OpenBSD, but only on 3.4 :/
http://www.centralcommand.com/buy_openbsd.html

# ldd vascan
vascan:
vascan: can't load library 'libpthread.so.2.1'
vascan: exit status 4

Hmz, anyone had any experience with AV's other than clamav on Obsd v3.6 ? Please let me know.

-Bas
| |||
In the referenced article, "Bas Keur" <bas.keur@dmrt.net> writes:
>Hello, I'm searching the web for any OpenBSD (v3.6) compatible
>virus scanners to use at my company. I'm using ClamAV at the
>moment, which works great. But unfortunately, some Sober variant
>slipped through just before the new updates arrived, so my boss
>wants to have multiple AV scanners. The problem is, I can't really
>find one which is made *for* OpenBSD (they don't have to be free)
>
>Vexira Antivirus runs on OpenBSD, but only on 3.4 :/
>http://www.centralcommand.com/buy_openbsd.html
>
># ldd vascan
>vascan:
>vascan: can't load library 'libpthread.so.2.1'
>vascan: exit status 4
>
>Hmz, anyone had any experience with AV's other than clamav on Obsd
>v3.6 ? Please let me know.

I'm currently running ClamAV and Sophos on my mail gateways (*). Sophos is commercial software for which we have a site license.

(*) This is unbelievably altruistic of me as I use operating systems (OpenBSD) and mail systems that generally aren't affected by computer viruses. The leading prefix "W32/" in the table appended below should give a clue as to where the real vulnerabilities lie.

ClamAV is at version 0.84 and obviously compiled on my OpenBSD boxes. The Sophos software is the Linux libc6 release running in compatibility mode. I had to slightly tweak the Sophos installation script to get it to work on OpenBSD. You'll need to have the Linux libraries from /usr/ports/emulators/redhat installed.

To save on CPU I've installed a slightly modified version of the sophie daemon:

http://www.vanja.com/tools/sophie/

which I compiled on a Linux box. So it too runs in compatibility mode.

I've been running the Sophos stuff in compatibility mode for the past few years. It works fine.

Appended below are some detection stats for the first week I ran both virus scanners together. Note:

(1) ClamAV picks up a lot of phishing email that other virus scanners don't. However I expect SpamAssassin would score these as spam.
(2) Sometimes only one virus scanner will pick up a virus. This is usually down to the different signatures used. However database updates arrive at different rates. So you can get new viruses picked up by one scanner and not the other for a short while.

Viruses detected between 15th March 2005 and 21st March 2005
------------------------------------------------------------

Virus                                  Count
-----                                  -----
W32/Netsky-P              ClamAV/Sophos  640
W32/Netsky-D              ClamAV/Sophos  485
W32/MyDoom-O              ClamAV/Sophos  150
HTML.Phishing.Bank-1      ClamAV         126
W32/Lovgate-V             ClamAV/Sophos   47
W32/Bagle-BK              ClamAV/Sophos   40
W32/MyDoom-N              ClamAV/Sophos   37
W32/Bagle-Zip             ClamAV/Sophos   30
W32/Netsky-Q              ClamAV/Sophos   30
Worm.Lovgate.Z            ClamAV          29
HTML.Phishing.Bank-107    ClamAV          27
W32/Bagle-AG              ClamAV/Sophos   26
W32/Netsky-AE             ClamAV/Sophos   23
Worm.Mydoom.M             ClamAV          21
W32/Gibe-F                ClamAV/Sophos   20
HTML.Phishing.Bank-83     ClamAV          17
HTML.Phishing.Postcard-3  ClamAV          16
W32/Lovgate-X             ClamAV/Sophos   16
W32/Netsky-X              ClamAV/Sophos   16
W32/Bagle-AI              ClamAV/Sophos   15
HTML.Phishing.Bank-60     ClamAV          13
W32/Bagle-N               ClamAV/Sophos   13
HTML.Phishing.Pay-14      ClamAV          12
W32/Netsky-AB             ClamAV/Sophos   12
W32/Netsky-Y              ClamAV/Sophos   12
W32/MyDoom-AR             ClamAV/Sophos    9
HTML.Phishing.Auction-16  ClamAV           8
HTML.Phishing.Auction-28  ClamAV           8
HTML.Phishing.Bank-52     ClamAV           8
W32/Bagle-AF              ClamAV/Sophos    8
W32/Lovgate-AJ            ClamAV/Sophos    8
HTML.Phishing.Bank-106    ClamAV           7
HTML.Phishing.Bank-49     ClamAV           7
W32/Netsky-C              ClamAV/Sophos    7
W32/NetskyD-Dam           ClamAV/Sophos    7
W32/Zafi-D                ClamAV/Sophos    7
HTML.Phishing.Bank-131    ClamAV           6
HTML.Phishing.Bank-57     ClamAV           6
HTML.Phishing.Bank-98     ClamAV           6
W32/Netsky-B              ClamAV/Sophos    5
W32/Netsky-J              ClamAV/Sophos    5
W32/Sober-K               ClamAV/Sophos    5
HTML.Phishing.Auction-17  ClamAV           4
HTML.Phishing.Auction-19  ClamAV           4
HTML.Phishing.Pay-11      ClamAV           4
HTML.Phishing.Pay-6       ClamAV           4
HTML.Phishing.Pay-8       ClamAV           4
W32/Kriz                  ClamAV/Sophos    4
W32/Netsky-Z              ClamAV/Sophos    4
W32/NetskyP-Dam           ClamAV/Sophos    4
HTML.Phishing.Auction-27  ClamAV           3
HTML.Phishing.Auction-36  ClamAV           3
HTML.Phishing.Bank-121    ClamAV           3
HTML.Phishing.Bank-79     ClamAV           3
W32/Bagle-AU              ClamAV/Sophos    3
W32/Lovgate-F             ClamAV/Sophos    3
W32/Netsky-AD             ClamAV/Sophos    3
HTML.Phishing.Auction-14  ClamAV           2
HTML.Phishing.Auction-32  ClamAV           2
HTML.Phishing.Bank-3      ClamAV           2
HTML.Phishing.Bank-78     ClamAV           2
HTML.Phishing.Bank-81     ClamAV           2
HTML.Phishing.Pay-12      ClamAV           2
VBS/Redlof-A              ClamAV/Sophos    2
W32/Bagz-D                ClamAV/Sophos    2
W32/Dumaru-AK             ClamAV/Sophos    2
W32/Flcss                 ClamAV/Sophos    2
W32/Klez-H                ClamAV/Sophos    2
W32/Mabutu-A              ClamAV/Sophos    2
W32/NetskyZ-Dam           ClamAV/Sophos    2
W32/Rox-A                 ClamAV/Sophos    2
Worm.Lovgate.X            ClamAV           2
Worm.Mytob.C-2            ClamAV           2
Worm.SomeFool.N           ClamAV           2
HTML.Phishing.Auction-33  ClamAV           1
HTML.Phishing.Auction-40  ClamAV           1
HTML.Phishing.Bank-119    ClamAV           1
HTML.Phishing.Bank-129    ClamAV           1
HTML.Phishing.Bank-28     ClamAV           1
HTML.Phishing.Bank-68     ClamAV           1
HTML.Phishing.Bank-70     ClamAV           1
HTML.Phishing.Pay-1       ClamAV           1
W32/Bagle-AA              ClamAV/Sophos    1
W32/Bagz-E                ClamAV/Sophos    1
W32/Bugbear-B             ClamAV/Sophos    1
W32/Bugbear-Dam           ClamAV/Sophos    1
W32/Bugbear-F             ClamAV/Sophos    1
W32/Lovgate-AD            ClamAV/Sophos    1
W32/Lovgate-W             ClamAV/Sophos    1
W32/Netsky-Dam            ClamAV/Sophos    1
W32/Nyxem-C               ClamAV/Sophos    1
Worm.SomeFool.Gen-1       ClamAV           1
Worm.SomeFool.P           ClamAV           1

--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@bath.ac.uk
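An added example, not part of Dennis Davis's post: a short Python script that parses rows in the format of the table above and totals what a single scanner caught alone, split into phishing signatures and other malware, which are the two effects notes (1) and (2) describe. The sample rows are the first twelve from the table; the function names are this example's own.

```python
import re
from collections import Counter

# First twelve rows of the table in the post above (name, scanners, count).
SAMPLE = """\
Virus Count
W32/Netsky-P ClamAV/Sophos 640
W32/Netsky-D ClamAV/Sophos 485
W32/MyDoom-O ClamAV/Sophos 150
HTML.Phishing.Bank-1 ClamAV 126
W32/Lovgate-V ClamAV/Sophos 47
W32/Bagle-BK ClamAV/Sophos 40
W32/MyDoom-N ClamAV/Sophos 37
W32/Bagle-Zip ClamAV/Sophos 30
W32/Netsky-Q ClamAV/Sophos 30
Worm.Lovgate.Z ClamAV 29
HTML.Phishing.Bank-107 ClamAV 27
W32/Bagle-AG ClamAV/Sophos 26
"""

ROW = re.compile(r"^(\S+)\s+([A-Za-z]+(?:/[A-Za-z]+)*)\s+(\d+)$")

def parse_rows(text):
    """Return (signature, frozenset_of_scanners, count) per data row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, ruler and blank lines do not match
            rows.append((m.group(1), frozenset(m.group(2).split("/")), int(m.group(3))))
    return rows

def coverage(rows):
    """Sum detections per scanner combination, and classify what a single
    scanner caught alone as phishing signatures or other malware."""
    by_combo, solo_kind = Counter(), Counter()
    for name, scanners, count in rows:
        by_combo["/".join(sorted(scanners))] += count
        if len(scanners) == 1:
            solo_kind["phishing" if ".Phishing." in name else "malware"] += count
    return by_combo, solo_kind

if __name__ == "__main__":
    by_combo, solo_kind = coverage(parse_rows(SAMPLE))
    for combo, total in by_combo.most_common():
        print(f"{combo:15} {total:5}")
    print("caught by one scanner only:", dict(solo_kind))
```

Feeding it the whole table instead of the sample gives the same breakdown for the full week.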
| |||
Bas Keur wrote:
> Hello, I'm searching the web for any OpenBSD (v3.6) compatible virus
> scanners to use at my company.
> I'm using ClamAV at the moment, which works great. But unfortunately,
> some Sober variant slipped through just before the new updates arrived,
> so my boss wants to have multiple AV scanners.
> The problem is, I can't really find one which is made *for* OpenBSD (they
> don't have to be free)
>

I admit this may not work for you, but my experience is that the best way is simply to reject anything that comes with an attachment.

One of my clients has ClamAV on 3.6, they didn't get infected as Clam was set to reject anything with a zip attachment. Got 3 of them before Clam's update kicked in.

Mind you they are a fairly sensible lot and don't run Outleak.
| |||
Thus spake "Bas Keur" <bas.keur@dmrt.net>
> The problem is, I can't really find one which is made *for* OpenBSD (they
> don't have to be free)

You might want to check

http://www.antivir.de/en/produkte/an...ver/index.html

I have used antivir on OpenBSD 3.3 through 3.7 without a problem. You can update the virus definition data online and it is supported by amavisd-new.

Just download the Unix package, it contains the Linux, *BSD and Solaris versions.

--
This sig intentionally left blank
| |||
> I admit this may not work for you, but my experience is that the best way
> is simply to reject anything that comes with an attachment.
>
> One of my clients has ClamAV on 3.6, they didn't get infected as Clam was
> set to reject anything with a zip attachment. Got 3 of them before Clam's
> update kicked in.
>
> Mind you they are a fairly sensible lot and don't run Outleak.

Unfortunately this doesn't work for me since besides our own company we run about 12 others through it which LOVE = demand to send attachments.

But thanks anyway.
| |||
>>Hmz, anyone had any experience with AV's other than clamav on Obsd
>>v3.6 ? Please let me know.
>
> I'm currently running ClamAV and Sophos on my mail gateways (*).
> Sophos is commercial software for which we have a site license.

> Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
> D.H.Davis@bath.ac.uk

Thanks, I'll give Sophos a try as well.

-Bas
| |||
> You might want to check
>
> http://www.antivir.de/en/produkte/an...ver/index.html
>
> I have used antivir on OpenBSD 3.3 through 3.7 without a problem. You
> can update the virus definition data online and it is supported by
> amavisd-new.
>
> Just download the Unix package, it contains the Linux, *BSD and
> Solaris versions.
>
> --
> This sig intentionally left blank

Thanks a lot!

-Bas
| |||
"Bas Keur" <bas.keur@dmrt.net> writes:
>> One of my clients has ClamAV on 3.6, they didn't get infected as
>> Clam was set to reject anything with a zip attachment. Got 3 of
>> them before Clam's update kicked in.
>>
>> Mind you they are a fairly sensible lot and don't run Outleak.
>
> Unfortunately this doesn't work for me since besides our own company
> we run about 12 others through it which LOVE = demand to send attachments.
> But thanks anyway.

You may be able to combine ClamAV with amavis-new. Amavis-new allows for expanding of attachments (including various archive formats) and feeding them to a virus scanner (supports several).
| |||
On Thu, 12 May 2005 22:41:08 -0400, David wrote:
> "Bas Keur" <bas.keur@dmrt.net> writes:
>
>>> One of my clients has ClamAV on 3.6, they didn't get infected as
>>> Clam was set to reject anything with a zip attachment. Got 3 of
>>> them before Clam's update kicked in.
>>>
>>> Mind you they are a fairly sensible lot and don't run Outleak.
>>
>> Unfortunately this doesn't work for me since besides our own company
>> we run about 12 others through it which LOVE = demand to send attachments.
>> But thanks anyway.
>
> You may be able to combine ClamAV with amavis-new. Amavis-new allows
> for expanding of attachments (including various archive formats) and
> feeding them to a virus scanner (supports several).

amavis-new + clamav + spamassassin are working in combination on my Debian woody mailserver.

The only issue I have with clamav (and this is due more to laziness than anything) is that one of the EICAR test viruses is getting through.

I suspect I have misconfigured clamav somehow but haven't looked :-)

--
Hardware, n.: The parts of a computer system that can be kicked

The best way to get the right answer on usenet is to post the wrong one.
| ||||
> You may be able to combine ClamAV with amavis-new. Amavis-new allows
> for expanding of attachments (including various archive formats) and
> feeding them to a virus scanner (supports several).

That's what I'm doing; my question was which of the several supported virus scanners that amavis-new supports were supported by OpenBSD.

Thanks to the feedback I'm currently using ClamAV, Sophos & Antivir for the AV part.

In total that would be.... OpenBSD, MySQL, Postfix, Amavisd-new, SpamAssassin, Razor, DCC, ClamAV, Sophos, Antivir, and to add a little sugar on top I installed a web based interface called Maia to let everybody control their white/black lists & quarantines.

It took a while, but it's running like it should.. at last.

-Bas