Sunday, June 20, 2010

Using ClamAV to Protect Your Windows Clients

ClamAV can scan incoming email, and the Squid web proxy can also be configured to use ClamAV. One of the coolest options is that Samba can be configured to use ClamAV to scan files when they are accessed. Note: using ClamAV on your Linux servers to sanitize incoming email and HTTP traffic won't make you completely safe, so I advise still having a local anti-virus program installed on those Windows PCs. Most distros have ClamAV in the repository, except for RHEL and CentOS, so if you run one of those just search the web for the RPMs. ClamAV supports a server mode that makes it available to other systems on the network. With this feature you can have one centralized ClamAV server that is kept up to date and has some horsepower, to be used by other machines (such as an email server) to scan for viruses without bogging down the email server itself.
To get started, install the clamav-scanner-sysvinit package on Fedora or clamav-daemon on Debian-based systems. On Fedora the clamd config file (/etc/clamd.d/scan.conf) will need to be edited by uncommenting the TCPSocket and TCPAddr lines.
One of the important things that has to be done is updating the antivirus signatures. The majority of antivirus scanners rely on signatures to detect viruses; very few scanners implement heuristic or behavior-based monitoring, which I believe to be the better choice. To update ClamAV with current signatures, install the clamav-update package on Fedora or clamav-freshclam on Debian. The config file /etc/clamav/freshclam.conf holds the update settings. Then you can add freshclam to a cron job so it runs regularly and notifies you of the results:

0 * * * * /usr/bin/freshclam | mail -s "freshclam update info" admin@localhost.org

Note: To make sure clamd has the most up-to-date signatures you need to configure freshclam to send a "RELOAD" command to it, by pointing NotifyClamd in freshclam.conf at the clamd config file:
Fedora: NotifyClamd /etc/clamd.d/scan.conf
Debian: NotifyClamd /etc/clamav/clamd.conf
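As an added example (not from the original post), here is a small Python client that talks to clamd over the TCPSocket/TCPAddr interface enabled above: it checks that the daemon is alive and submits a byte stream for scanning with the INSTREAM command, which is how a remote mail or file server would use the centralized scanner. The host, port and chunk size are assumptions to adjust for your server.

```python
import socket
import struct

# Assumptions for this added example: clamd listens on the TCPAddr/TCPSocket
# configured in scan.conf; change these to match your server.
CLAMD_HOST = "127.0.0.1"
CLAMD_PORT = 3310
CHUNK_SIZE = 8192  # INSTREAM chunk size; the whole stream must stay under StreamMaxLength


def parse_reply(raw: bytes) -> tuple:
    """Turn a clamd reply (NUL- or newline-terminated) into (status, detail):
    ('OK', None), ('FOUND', signature_name) or ('ERROR', message)."""
    text = raw.rstrip(b"\0\n").decode("utf-8", "replace")
    if ": " in text:
        text = text.split(": ", 1)[1]  # drop the 'stream:' or file-path prefix
    if text == "OK":
        return ("OK", None)
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")])
    return ("ERROR", text)


def _exchange(send_fn) -> bytes:
    """Open a connection, let send_fn write the request, read until the NUL terminator."""
    with socket.create_connection((CLAMD_HOST, CLAMD_PORT), timeout=60) as sock:
        send_fn(sock)
        buf = b""
        while not buf.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            buf += part
        return buf


def ping() -> bool:
    """True when clamd is alive: the z-prefixed PING is answered with PONG."""
    return _exchange(lambda s: s.sendall(b"zPING\0")).rstrip(b"\0") == b"PONG"


def scan_bytes(data: bytes) -> tuple:
    """Scan an in-memory blob with INSTREAM: the command, then chunks each
    prefixed by a 4-byte big-endian length, then a zero-length chunk to finish."""
    def send(sock):
        sock.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), CHUNK_SIZE):
            chunk = data[i:i + CHUNK_SIZE]
            sock.sendall(struct.pack(">I", len(chunk)) + chunk)
        sock.sendall(struct.pack(">I", 0))
    return parse_reply(_exchange(send))
```

Call ping() first from a monitoring script to catch a clamd that died or was never reloaded, then scan_bytes() on a mail attachment or uploaded file; an ('ERROR', ...) reply usually means the stream exceeded StreamMaxLength in scan.conf.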


Getting email protection is as simple as installing clamsmtp; it acts as a proxy and filters email. In today's world one of the most popular techniques for building botnets is the so-called "drive-by" download: an attacker inserts malicious content into a web page and then infects several hundred or thousands of Windows clients, which are compromised and taken over. The answer to that is to use the Squid web proxy and install c-icap; basically ICAP is like Milter for Sendmail, in that it allows antivirus processing to be offloaded to a different server.

Now we move on to Samba protection. What happens when someone brings in removable media with a virus on board, and it copies itself onto the file server in the hope of infecting others? The samba-vscan module adds on-access scanning to Samba. The minute a file with a virus is accessed it should be detected and access to the file blocked. samba-vscan is not in Debian, so you can get it at Open Anti-Virus.org.

Shaun Mallette's Blog Design by Insight © 2009