Antivirus Software for RHEL4
Any suggestions out there for a good anti-virus solution for RHEL4? I've seen CLAM, but am not convinced it is the answer.
|
AVG do a free Linux version. www.grisoft.com
|
Since you're using RHEL, I'll assume that you're wanting A/V solutions for a server environment. In that case, it really depends on what purpose you're intending to use the antivirus software for -- email server, file server, etc.
There are plenty of alternative antivirus solutions out there, but you'll have to pay for most of them (and especially for servers they're not cheap). May I ask though why you don't think Clam will fit your needs? I've used Clam on my servers for scanning Samba shares and incoming/outgoing email for the past 3 years now and it's always performed wonderfully. Not that I'm doubting you at all, I'm just curious what makes you leery of it... :confused: Once we know that information, we can help you make an informed decision! :cool: |
They're using it as a web server (Apache) and for mail (Sendmail). They also have MySQL loaded. I wasn't knocking Clam. I just said I wasn't convinced ;)
I need to hear your experiences with Clam!! |
I wasn't knocking Clam. I just said I wasn't convinced
Convinced about what? I need to hear your experiences with Clam! I ran some AV tests (granted, time ago) against my mixed collection of *NIX and W32 goodies and IIRC at the top of my list were Uvscan (the old McAfee *NIX engine), NOD32 and RAV (gone, sadly) while F-prot, AVG (freeware version) and ClamAV underperformed constantly measured by hit rate. I don't have my regular test set at hand but here's a quick report of running NOD32 and ClamAV on another stash containing all sorts of rootkits, LKMs, flooders and other w32 goodies. Quality of detection engine and databases is what matters, IMHO:
Files scanned: NOD32: 11000, ClamAV: 9280.
"Threats" / "Infected files" found: NOD32: 421, ClamAV: 150.
Edit: if you decide to go for commercial AV then by paying them you acknowledge the AV market is a monopoly and you condone it to exist as such. Apart from true value like the quality of the detection engine you're basically paying ransom because they hold the data (signatures) hostage. If you don't play by their rules you get zilch. That's the reason ClamAV is what it is today, I think. |
O_O
Wow, unSpawn. |
Just in case I'll add BitDefender and F-prot as well:
Files scanned: BDC: 12113, F-prot: 9375. Infected+suspected found: BDC: 537, F-prot: 366.
Product and engine versions (all db's updated before scan) and CLI args used:
NOD32 (commercial, 1.1800/20061012 NT): (all detection options on)
ClamAV (0.88.4/2025): "--infected --recursive --detect-broken --block-encrypted --max-recursion=100 --max-dir-recursion=100"
BDC (console v7.1 build 2559): "--arc --mail --alev=100 --flev=100"
F-prot (4.6.6/3.16.14): "-ai -archive=100 -dumb -packed"
Some arbitrarily picked results:
sauber (LRK logcleaner): BDC: YES, ClamAV: YES, F-prot: YES, NOD32: YES.
modhide.o (Knark): BDC: YES, ClamAV: NO, F-prot: NO, NOD32: YES.
raptor_prctl (kernel 2.6 local root exploit): BDC: NO, ClamAV: NO, F-prot: NO, NOD32: NO.
du (FreeBSD rootkit): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
Nestea (prev millennium flooder): BDC: YES, ClamAV: NO, F-prot: YES, NOD32: YES.
First of all these results should not be mistaken as a qualitative measurement of the products' engine and sig db's. Apparently anyone can detect well known logcleaners and flooders, which is expected. Failing to detect a well known, old Linux LKM is not good, since these products (apart from my NOD32) are specifically meant for GNU/Linux and Knark is still used. The raptor kernel exploit isn't detected at all. What do you think? Wouldn't you like to know when there's a local root exploit found in your accessible temp dir?.. |
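A small script that tallies a multi-engine comparison like the one above automatically, added here as an example and not part of the thread. It parses real clamscan output lines directly; for the other engines it assumes (hypothetically) that their results were first normalised to a constructed tab-separated "path, verdict" format, and the sample verdicts and signature name below are constructed to mirror the table in the post:

```python
# Added example (not from the thread): tally detections across AV engines
# run over one sample set, as the post above does by hand. clamscan's real
# "path: Signature FOUND" / "path: OK" lines are parsed directly; the other
# engines are assumed (hypothetically) to be normalised to "path<TAB>verdict".

def parse_clamscan(text):
    """Map each path in clamscan output to True (detected) / False (clean)."""
    verdicts = {}
    for line in text.splitlines():
        if line.endswith(" FOUND"):
            verdicts[line.rsplit(": ", 1)[0]] = True
        elif line.endswith(": OK"):
            verdicts[line[:-len(": OK")]] = False
    return verdicts

def parse_tsv(text):
    """Normalised 'path<TAB>INFECTED|CLEAN' lines (constructed format)."""
    verdicts = {}
    for line in filter(None, text.splitlines()):
        path, verdict = line.split("\t")
        verdicts[path] = verdict == "INFECTED"
    return verdicts

def compare(engines):
    """engines: {name: {path: detected}}. Returns per-engine hit rate over
    the samples every engine scanned, plus the samples no engine flagged."""
    common = set.intersection(*(set(v) for v in engines.values()))
    rates = {n: sum(v[p] for p in common) / len(common) for n, v in engines.items()}
    missed = sorted(p for p in common if not any(v[p] for v in engines.values()))
    return rates, missed

# Constructed outputs mirroring the per-sample verdicts quoted in the post;
# the ClamAV signature name is made up. Summary lines are ignored by the parser.
CLAM_OUT = """\
/samples/sauber: Sample.Logcleaner FOUND
/samples/modhide.o: OK
/samples/raptor_prctl: OK
/samples/du: OK
/samples/nestea: OK
Infected files: 1
"""
NOD32_OUT = ("/samples/sauber\tINFECTED\n/samples/modhide.o\tINFECTED\n"
             "/samples/raptor_prctl\tCLEAN\n/samples/du\tINFECTED\n/samples/nestea\tINFECTED")
FPROT_OUT = ("/samples/sauber\tINFECTED\n/samples/modhide.o\tCLEAN\n"
             "/samples/raptor_prctl\tCLEAN\n/samples/du\tINFECTED\n/samples/nestea\tINFECTED")

def report():
    engines = {"ClamAV": parse_clamscan(CLAM_OUT), "NOD32": parse_tsv(NOD32_OUT),
               "F-prot": parse_tsv(FPROT_OUT)}
    return compare(engines)
```

The "missed by every engine" list is the part worth watching operationally: those are the samples (here raptor_prctl) that no scanner on the box would ever alert on.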