antivirus & antispam software - Embedded


  1. antivirus & antispam software

    Hello, All!

    We're planning to include antivirus and antispam software in our Linux based
    router. I'm researching this problem now.
    Can you recommend any open-source projects to look at? I believe
    antiviruses running on desktops/servers could be almost easily tuned for
    an embedded environment, or there may be some pitfalls?

    I'll be happy to get any hints and advice. Thank you.

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru



  2. Re: antivirus & antispam software

    Hi Roman,
    > We're planning to include antivirus and antispam software in our Linux based
    > router. I'm researching this problem now.
    > Can you recommend any open-source projects to look at? I believe
    > antiviruses running on desktops/servers could be almost easily tuned for
    > an embedded environment, or there may be some pitfalls?
    >
    > I'll be happy to get any hints and advice. Thank you.

    We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
    embedded units.
    http://www.clamav.net/

    Its virus definition files are getting rather large as of late:

    -rw-r--r-- 1 clamav nobody 580022 Sep 13 23:28 daily.cvd
    -rw-r--r-- 1 clamav nobody 5858804 Sep 13 23:28 main.cvd

    But other than that, it's fairly simple to implement.

    Regards,


    --
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
    | Damion de Soto --------------------------------------------------
    | Software Engineer email: Damion_deSoto@au.securecomputing.com
    | Secure Computing Corporation web: http://www.securecomputing.com
    | fax: +61 7 3891 3630 ph: +61 7 3435 2809
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~
    ---- Free Embedded Linux Distro at http://www.snapgear.org ----

  3. Re: antivirus & antispam software

    Hello, Damion!
    You wrote on Thu, 14 Sep 2006 10:46:35 +1000:

    DdS> Hi Roman,
    ??>> We're planning to include antivirus and antispam software in our Linux
    ??>> based router. I'm researching this problem now. Can you recommend any
    ??>> open-source projects to look at? I believe antiviruses running on
    ??>> desktops/servers could be almost easily tuned for an embedded
    ??>> environment, or there may be some pitfalls? I'll be happy to get any
    ??>> hints and advice. Thank you.
    DdS> We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
    DdS> embedded units.
    DdS> http://www.clamav.net/
    Thank you for the link. As I understood, you use postfix as the MTA (clamsmtp
    filter). Have you had any problems with porting and tuning postfix on your
    target board?

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru



  4. Re: antivirus & antispam software

    How is the software going to decide which download or mail is supposed
    to be Spam or contain a virus ?

    For virus detection I suppose you need to use a (paid) service that
    updates the pattern file and the detection software on a regular basis.

    I don't know if something like this exists for Spam detection. Otherwise
    you need to use a channel from the users to the router to have them
    define rules for Spam detection. Thunderbird is an open source project
    that does a fairly nice Spam detection based on automatically generated
    rules. Maybe you can look at its code.

    A primary Spam filter mechanism is to start to send a mail to the sender
    of any mail and abort after the verification of the addressee. If the
    verification of the sender fails, the mail can be considered to be Spam.

    -Michael

  5. Re: antivirus & antispam software

    Hello, Michael!
    You wrote on Thu, 14 Sep 2006 10:23:04 +0200:

    MS> How is the software going to decide which download or mail is supposed
    MS> to be Spam or contain a virus ?
    There are supposed to be two types of applications: one is for checking mails
    for viruses, another is for catching spam mails.

    MS> For virus detection I suppose you need to use a (paid) service that
    MS> updates the pattern file and the detection software on a regular basis.

    MS> I don't know if something like this exists for Spam detection.
    MS> Otherwise you need to use a channel from the users to the router to
    MS> have them define rules for Spam detection. Thunderbird is an open
    MS> source project that does a fairly nice Spam detection based on
    MS> automatically generated rules. Maybe you can look at its code.

    MS> A primary Spam filter mechanism is to start to send a mail to the
    MS> sender of any mail and abort after the verification of the addressee.
    MS> If the verification of the sender fails, the mail can be considered to
    MS> be Spam.
    I think it'll result in significant overhead. I believe use of blacklists +
    dnsbl may give more benefits.

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru



  6. Re: antivirus & antispam software

    > I think it'll result in significant overhead. I believe use of blacklists +
    > dnsbl may give more benefits.


    IMHO blacklists will not help at all. Re "sender" blacklists: mails with
    Spam or viruses always use fake senders. Blacklisting using the content
    results in the scenario I described in the previous mail.

    What is dnsbl ?

    -Michael

  7. Re: antivirus & antispam software

    Hello, Michael!
    You wrote on Thu, 14 Sep 2006 17:00:19 +0200:

    ??>> I think it'll result in significant overhead. I believe use of
    ??>> blacklists + dnsbl may give more benefits.

    MS> IMHO blacklists will not help at all. Re "sender" blacklists: mails
    MS> with Spam or viruses always use fake senders. Blacklisting using the
    MS> content results in the scenario I described in the previous mail.
    Blacklists also support regexps.
    MS> What is dnsbl ?
    It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
    records. The mail server usually makes a query to one of the DNSBLs and checks
    the IP address of the sender.

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru



  8. Re: antivirus & antispam software

    Michael Schnell wrote:
    > How is the software going to decide which download or mail is supposed
    > to be Spam or contain a virus ?
    >
    > For virus detection I suppose you need to use a (paid) service that
    > updates the pattern file and the detection software on a regular basis.
    >


    For virus detection, there are several options - there is the open
    source ClamAV (already mentioned), or commercial programs. Of course,
    you'd have to pay for the commercial ones, and you'd have a lot more
    "fun" trying to get them to run in an embedded system. ClamAV works
    fine, and its database is updated regularly, although it can be a bit
    slow compared to other systems. The chances of valid emails being
    wrongly marked as viruses are very low.

    > I don't know if something like this exists for Spam detection. Otherwise
    > you need to use a channel from the users to the router to have them
    > define rules for Spam detection. Thunderbird is an open source project
    > that does a fairly nice Spam detection based on automatically generated
    > rules. Maybe you can look at its code.
    >


    For spam detection, you want something like SpamAssassin. However,
    here you have to give the users more control - presumably somewhere in
    the world there are people who actually want to receive offers for dodgy
    pills and the like. While it is common to reject virus emails utterly,
    it is normal to mark probable spam emails and pass them on so the user
    can easily sort them.

    > A primary Spam filter mechanism is to start to send a mail to the sender
    > of any mail and abort after the verification of the addressee. If the
    > verification of the sender fails, the mail can be considered to be Spam.
    >


    That can be worth doing, but only works for smtp incoming email. If
    typical users of your router do not have their own email server and
    hosting, then it doesn't help as the emails come via pop3.

    One thing to think through very carefully is how to handle updates for
    your virus definitions, your virus checking software, your spam
    detection software, and any blacklists. Remember that for many of
    these, voluntary free sites are providing the bandwidth, so selling a
    commercial product that uses them may be questionable legally or
    ethically, unless you are using your own servers as proxies or
    channelling some of your profits back to those services (as money or
    bandwidth). You also have to consider the consequences if something
    goes wrong with one of these sites or the files they supply - using your
    own servers gives you a bit more control.


    > -Michael


  9. Re: antivirus & antispam software

    > It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
    > records. The mail server usually makes a query to one of the DNSBLs and checks
    > the IP address of the sender.


    Viruses usually spread themselves by reading the (Outlook-) Address
    lists of their victims and use one as an addressee and another as a
    sender. So the fake sender usually exists and this method does not
    help. Spammers work similarly with their huge lists of victims.

    Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
    good idea.

    -Michael

  10. Re: antivirus & antispam software

    Hello, Michael!
    You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

    ??>> It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
    ??>> records. The mail server usually makes a query to one of the DNSBLs and
    ??>> checks the IP address of the sender.

    MS> Viruses usually spread themselves by reading the (Outlook-) Address
    MS> lists of their victims and use one as an addressee and another as a
    MS> sender. So the fake sender usually exists and this method does not
    MS> help. Spammers work similarly with their huge lists of victims.
    The idea is to reject mails coming from IP addresses found in DNSBL.
    According to messages in various mailing lists this method effectively kills up
    to 90% of spam.

    MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
    MS> good idea.

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru
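The DNSBL mechanism discussed above (reverse the sender's octets, query the list's zone, reject the connection if the address is listed), as an added shell example that is not from the thread; the zone name dnsbl.example.invalid, the addresses and the resolver answers are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: the DNSBL lookup a mail proxy performs
# before accepting a connection. The sender's IPv4 octets are reversed and
# prefixed to the list's zone; an A record inside 127.0.0.0/8 means "listed",
# no record (NXDOMAIN) means "not listed".

# Constructed stand-in for the DNS resolver. A real deployment would query
# DNS instead, e.g.:  getent hosts "$1" | awk '{ print $1; exit }'
resolve_a() {
    case $1 in
        10.2.0.192.dnsbl.example.invalid) echo 127.0.0.2 ;;    # listed: spam source
        20.2.0.192.dnsbl.example.invalid) echo 127.0.0.4 ;;    # listed: open relay
        30.2.0.192.dnsbl.example.invalid) echo 198.51.100.7 ;; # bogus: parked/wildcard zone
        *) return 1 ;;                                         # NXDOMAIN
    esac
}

# Build the query name: reverse the four octets and append the zone.
# Prints nothing and fails if the address is not a dotted quad.
dnsbl_name() {
    echo "$1" | awk -F. -v zone="$2" '
        NF == 4 && $0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print $4 "." $3 "." $2 "." $1 "." zone; found = 1
        }
        END { exit !found }'
}

# Verdict for one sender address: 0 = listed (reject), 1 = not listed,
# 2 = cannot decide. An answer outside 127/8 usually means the zone is
# broken or parked and must not be treated as a listing (fail open).
dnsbl_check() {
    name=$(dnsbl_name "$1" "$2") || { echo "$1: not an IPv4 address"; return 2; }
    answer=$(resolve_a "$name") || { echo "$1: not listed in $2"; return 1; }
    case $answer in
        127.*) echo "$1: listed in $2 ($answer), reject"; return 0 ;;
        *)     echo "$1: unusable answer $answer from $2, fail open"; return 2 ;;
    esac
}

# Demonstration run over constructed sender addresses.
for ip in 192.0.2.10 192.0.2.20 192.0.2.30 192.0.2.99 not-an-ip; do
    dnsbl_check "$ip" dnsbl.example.invalid || true
done
```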



  11. Re: antivirus & antispam software

    Hello, Michael!
    You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

    ??>> It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
    ??>> records. The mail server usually makes a query to one of the DNSBLs and
    ??>> checks the IP address of the sender.

    MS> Viruses usually spread themselves by reading the (Outlook-) Address
    MS> lists of their victims and use one as an addressee and another as a
    MS> sender. So the fake sender usually exists and this method does not
    MS> help. Spammers work similarly with their huge lists of victims.

    MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
    MS> good idea.
    What is your suggestion? Do you use any spam-killing software in embedded
    units? If so, please share details.

    With best regards, Roman Mashak. E-mail: mrv@tusur.ru



  12. Re: antivirus & antispam software

    Michael Schnell wrote:
    >> It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
    >> records. The mail server usually makes a query to one of the DNSBLs and
    >> checks the IP address of the sender.

    >
    > Viruses usually spread themselves by reading the (Outlook-) Address
    > lists of their victims and use one as an addressee and another as a
    > sender. So the fake sender usually exists and this method does not
    > help. Spammers work similarly with their huge lists of victims.
    >
    > Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
    > good idea.
    >
    > -Michael


    A useful way to limit the damage of viruses is for the firewall to block
    all smtp traffic by default, and then open a hole to your ISP's smtp
    server. Viruses typically try to send out copies by smtp directly,
    rather than going via your email client's normal smtp setup, to avoid
    your ISP blocking you off.
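The egress policy described in this reply (block forwarded SMTP by default, open a hole only to the ISP's relay), as an added shell example that is not from the thread; the interface name eth1, the relay address 192.0.2.25 and the kernel log line are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for a Linux router that
# let LAN hosts reach port 25 only on the ISP's relay, and log and drop any
# other direct SMTP attempt (the usual signature of a mass-mailing worm that
# bypasses the user's configured mail client settings).
# IPT is the firewall command; set IPT=echo to preview the rules without root.
IPT=${IPT:-iptables}

smtp_egress_rules() {
    lan_if=$1     # LAN-side interface of the router, e.g. eth1 (assumed)
    isp_relay=$2  # the ISP's SMTP server address (assumed placeholder)
    $IPT -A FORWARD -i "$lan_if" -p tcp --dport 25 -d "$isp_relay" -j ACCEPT
    # Rate-limit the log so an infected host cannot flood the router's syslog.
    $IPT -A FORWARD -i "$lan_if" -p tcp --dport 25 -m limit --limit 6/min \
        -j LOG --log-prefix "smtp-direct: "
    $IPT -A FORWARD -i "$lan_if" -p tcp --dport 25 -j DROP
}

# Detection side: read kernel log lines on stdin and print the LAN source
# address of every blocked direct-SMTP attempt, so the infected host can be
# identified.
smtp_direct_src() {
    sed -n 's/.*smtp-direct: .*SRC=\([0-9.]*\) .*/\1/p'
}

# Constructed log line of the kind the LOG rule above produces.
SAMPLE_LOG='Sep 14 10:46:35 router kernel: smtp-direct: IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=4312 DPT=25'

# Dry run: print the rules instead of loading them (drop IPT=echo on the router).
IPT=echo
smtp_egress_rules eth1 192.0.2.25
printf '%s\n' "$SAMPLE_LOG" | smtp_direct_src
```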

  13. Re: antivirus & antispam software

    Hi Roman,

    > Thank you for link. As I understood you uses postfix as MTA (clamsmtp
    > filter). Have you had any problems with porting and tuning postfix on your
    > target board?

    No, we don't run postfix on the embedded unit itself.
    clamsmtp just proxies all smtp traffic from the client to the real smtp
    (postfix) server.


    I'll also add, we're looking at implementing a dnsbl system for
    spamfiltering in the future - it will be proprietary though, since it
    comes from our recent CipherTrust acquisition.

    regards,



  14. Re: antivirus & antispam software

    >
    > I'll also add, we're looking at implementing a dnsbl system for
    > spamfiltering in the future - it will be proprietary though, since it
    > comes from our recent CipherTrust acquisition.


    Any hint what criteria this system uses to identify Spam ?

    -Michael

  15. Re: antivirus & antispam software

    Michael Schnell wrote:
    >>
    >> I'll also add, we're looking at implementing a dnsbl system for
    >> spamfiltering in the future - it will be proprietary though, since it
    >> comes from our recent CipherTrust acquisition.

    >
    > Any hint what criteria this system uses to identify Spam ?


    If the client is Windows == 99% it's spam

    Results of my test (done with p0f) - all here are spam sources:

    1315 Windows
    157 UNKNOWN
    34 Linux
    3 Solaris
    3 NetCache
    2 FreeBSD
    1 Novell


  16. Re: antivirus & antispam software

    Avast Michael,
    >>
    >> I'll also add, we're looking at implementing a dnsbl system for
    >> spamfiltering in the future - it will be proprietary though, since it
    >> comes from our recent CipherTrust acquisition.

    >
    > Any hint what criteria this system uses to identify Spam ?


    I don't actually know anything about it yet.
    The website is probably more useful than my brain:
    http://ciphertrust.com/products/index.php


    regards,



  17. Re: antivirus & antispam software

    Damion de Soto wrote:
    > Avast Michael,
    >>>
    >>> I'll also add, we're looking at implementing a dnsbl system for
    >>> spamfiltering in the future - it will be proprietary though, since it
    >>> comes from our recent CipherTrust acquisition.
    >>
    >> Any hint what criteria this system uses to identify Spam ?

    >
    > I don't actually know anything about it yet.
    > The website is probably more useful than my brain:
    > http://ciphertrust.com/products/index.php
    >
    >

    There they state:

    IronMail was the first product to integrate and correlate signature- and
    content-based techniques into a single, combined detection engine.
    IronMail’s Message Profiler technology uses a variety of detection
    techniques to examine over 1000 characteristics of a message, which
    creates a precise score for each message in order to determine the
    probability that a message is spam or some other threat.

    So IMHO it's quite obvious that the device needs a large database of
    "characteristics" (patterns). These need to be updated either by
    importing them (e.g. as a paid service from CipherTrust) or by
    constructing them from user input about which mail is supposed to be spam.

    -Michael
