LinuxQuestions.org

Thread: Antivirus Software for RHEL4, in Linux - Enterprise (https://www.linuxquestions.org/questions/linux-enterprise-47/antivirus-software-for-rhel4-491870/)

Cambren 10-12-2006 02:38 PM

Antivirus Software for RHEL4
 
Any suggestions out there for a good anti-virus solution for RHEL4? I've seen CLAM, but am not convinced it is the answer.

rjwilmsi 10-12-2006 03:13 PM

AVG do a free Linux version. www.grisoft.com

Gato Azul 10-12-2006 03:18 PM

Since you're using RHEL, I'll assume that you're wanting A/V solutions for a server environment. In that case, it really depends on what purpose you're intending to use the antivirus software for -- email server, file server, etc.

There are plenty of alternative antivirus solutions out there, but you'll have to pay for most of them (and especially for servers they're not cheap). May I ask though why you don't think Clam will fit your needs? I've used Clam on my servers for scanning Samba shares and incoming/outgoing email for the past 3 years now and it's always performed wonderfully. Not that I'm doubting you at all, I'm just curious what makes you leery of it... :confused:

Once we know that information, we can help you make an informed decision! :cool:

Cambren 10-13-2006 07:15 AM

They're using it as a web server (Apache) and for mail (Sendmail). They also have MySQL loaded. I wasn't knocking Clam. I just said I wasn't convinced ;)

I need to hear your experiences with Clam!!

unSpawn 10-13-2006 09:10 AM

Quote:

Originally Posted by Cambren
I wasn't knocking Clam. I just said I wasn't convinced

Convinced about what?

Quote:

Originally Posted by Cambren
I need to hear your experiences with Clam!

I ran some AV tests (granted, time ago) against my mixed collection of *NIX and W32 goodies and IIRC at the top of my list were Uvscan (the old McAfee *NIX engine), NOD32 and RAV (gone, sadly), while F-prot, AVG (freeware version) and ClamAV underperformed constantly, measured by hit rate. I don't have my regular test set at hand, but here's a quick report of running NOD32 and ClamAV on another stash containing all sorts of rootkits, LKMs, flooders and other W32 goodies. Quality of detection engine and databases is what matters, IMHO:
Files scanned: NOD32: 11000, ClamAV: 9280.
"Threats" / "Infected files" found: NOD32: 421, ClamAV: 150.


Edit: if you decide to go for commercial AV then by paying them you acknowledge the AV market is a monopoly and you condone it to exist as such. Apart from true value like the quality of the detection engine you're basically paying ransom because they hold the data (signatures) hostage. If you don't play by their rules you get zilch. That's the reason ClamAV is what it is today, I think.

Cambren 10-13-2006 12:30 PM

O_O

Wow, unSpawn.

unSpawn 10-14-2006 04:37 AM

Just in case I'll add BitDefender and F-prot as well:
Files scanned: BDC: 12113, F-prot: 9375.
Infected+suspected found: BDC: 537, F-prot: 366.

Product and engine versions (all DBs updated before scan) and CLI args used:
NOD32 (commercial, 1.1800/20061012 NT): (all detection options on)
ClamAV (0.88.4/2025): "--infected --recursive --detect-broken --block-encrypted --max-recursion=100 --max-dir-recursion=100"
BDC (console v7.1 build 2559): "--arc --mail --alev=100 --flev=100"
F-prot (4.6.6/3.16.14): "-ai -archive=100 -dumb -packed"

Some arbitrarily picked results:
sauber (LRK logcleaner): BDC: YES, ClamAV: YES, F-prot: YES, NOD32: YES.
modhide.o (Knark): BDC: YES, ClamAV: NO, F-prot: NO, NOD32: YES.
raptor_prctl (kernel 2.6 local root exploit): BDC: NO, ClamAV: NO, F-prot: NO, NOD32: NO.
du (FreeBSD rootkit): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
Nestea (prev millennium flooder): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.

First of all, these results should not be mistaken for a qualitative measurement of the products' engines and sig DBs. Apparently anyone can detect well-known logcleaners and flooders, which is expected. Failing to detect a well-known, old Linux LKM is not good, since these products (apart from my NOD32) are specifically meant for GNU/Linux and Knark is still used. The raptor kernel exploit isn't detected at all. What do you think? Wouldn't you like to know when there's a local root exploit found in your accessible temp dir?
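An added example, not unSpawn's code or any product's tooling: a small Python parser for the per-sample result lines above (embedded verbatim as the constructed input) that computes each engine's hit rate over the picked samples and lists the samples that no engine flagged, which is the gap the post points at.

```python
import re
from collections import defaultdict

# Constructed input: the five result lines quoted in the post, in the
# "sample (description): ENGINE: YES/NO, ..." format used there.
RESULTS = """\
sauber (LRK logcleaner): BDC: YES, ClamAV: YES, F-prot: YES, NOD32: YES.
modhide.o (Knark): BDC: YES, ClamAV: NO, F-prot: NO, NOD32: YES.
raptor_prctl (kernel 2.6 local root exploit): BDC: NO, ClamAV: NO, F-prot: NO, NOD32: NO.
du (FreeBSD rootkit) BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
Nestea (prev millennium flooder): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
"""

# The colon after the closing paren is optional: one line in the post omits it.
LINE_RE = re.compile(r"^(?P<sample>\S+)\s+\((?P<desc>[^)]*)\):?\s*(?P<verdicts>.*)$")
VERDICT_RE = re.compile(r"([\w-]+):\s*(YES|NO)")


def parse_results(text):
    """Return {sample: {engine: flagged}} from result lines in the post's format."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrelated lines rather than guessing
        verdicts = {eng: v == "YES" for eng, v in VERDICT_RE.findall(m.group("verdicts"))}
        table[m.group("sample")] = verdicts
    return table


def detection_rate(table):
    """Per-engine fraction of samples flagged (only over samples that engine scanned)."""
    hits, total = defaultdict(int), defaultdict(int)
    for verdicts in table.values():
        for eng, flagged in verdicts.items():
            total[eng] += 1
            hits[eng] += int(flagged)
    return {eng: hits[eng] / total[eng] for eng in total}


def missed_by_all(table):
    """Samples that every engine reported as NO: blind spots shared across products."""
    return sorted(s for s, v in table.items() if v and not any(v.values()))


if __name__ == "__main__":
    t = parse_results(RESULTS)
    for eng, rate in sorted(detection_rate(t).items()):
        print(f"{eng:8s} {rate:.0%}")
    print("missed by all engines:", missed_by_all(t))
```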

Cambren 10-16-2006 08:03 AM

Quote:

Originally Posted by unSpawn
Some arbitrarily picked results:
sauber (LRK logcleaner): BDC: YES, ClamAV: YES, F-prot: YES, NOD32: YES.
modhide.o (Knark): BDC: YES, ClamAV: NO, F-prot: NO, NOD32: YES.
raptor_prctl (kernel 2.6 local root exploit): BDC: NO, ClamAV: NO, F-prot: NO, NOD32: NO.
du (FreeBSD rootkit): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
Nestea (prev millennium flooder): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.

What do you think? Wouldn't you like to know when there's a local root exploit found in your accessible temp dir?

Absolutely, and it looks like they all fail on that front... hmmmm. Still and all, NOD32 is looking like a good candidate.
