[Mimedefang] Trend Anti-Virus question

Stephen Smoogen smoogen at lanl.gov
Mon Apr 12 22:20:14 EDT 2004


On Mon, 12 Apr 2004, David Minor wrote:


>Anyway ... to make a long question short, apparently Trend does not 
>make a milterized version of Viruswall for linux, but I see that 
>Mimedefang is able to call it. Could I start using this combination 
>instead of our current one? Would I lose any functionality? Would I 
>just install the standard Interscan Viruswall for linux and mimedefang 
>should be able to auto-detect it?
>

When I compiled mimedefang on a box with viruswall, the vscan was 
detected correctly and worked for the most part. Here are the issues 
that I have seen so far:

1) It is ssloww. Since it isn't run milterized/daemonized.. you are 
basically asking mimedefang to exec a new copy of it each time. I have 
not run it against clamav, but I have the feeling that clamav is 
going to be faster. [It was definitely faster than the uvscan I tried 
about 6 months ago.]

2) It seems to return odd code values for some reason (2x via
mimedefang). I am not sure why it is doing so.

On the other hand, I think it is better than the alternatives of

1) Standard configuration:

   Viruswall runs at port 25
   sendmail w/ milters runs at port 2525

When an email comes in.. viruswall opens a connection to the 2525 port
and then starts accepting the email for a virus-scan. The email is
broken apart into segments in say /var/tmp, and then put back together
and sent onto the port 2525 segment.. {you can't get viruswall to stop an
email if it is virus-laden.. it is either quarantined with warning or
stripped with warning. We are using mimedefang on the server to look for
that warning and delete those emails.} The viruswall waits for the
sendmail on port 2525 to accept these messages before sending back a
return code to the original sender. So we have run into a very nasty 
situation where if the email is more than 10 attachments or 30 megs in 
size.. you can end up with a mail loop. The original box sends email, 
viruswall does its scan (taking its time), sends the mail to 
sendmail-2525. The sendmail-2525 does its mimedefang scanning and 
depending on how long it takes.. you end up with the virus-scan sending 
back to the original box a tempfail, but the sendmail-2525 continuing 
to send the file. It is a quick way to make someone's mailbox filled to 2 
gigs real quick.

2) Non-standard way Viruswall as middle-man

   Senderbox -> Viruswall -> Relay

This one looks to be the 'easiest' method, but it is listed as the 
non-supported/don't do this configuration. I am guessing because the same 
sort of 2 prong logic is (Viruswall waits until the relay on another 
machine accepts/rejects the email before telling the sender if it is ok) 
Viruswall doesn't seem to have mqueue spooling mechanisms from what I can 
tell... which is why I don't really like it (but am stuck at the moment).

-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- You should consider any operational computer to be a security problem --
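
The pass-through failure mode from the message above, as a small model added here (it is not part of the original post, nor code from MIMEDefang or Viruswall). The timings, retry schedule and all names are constructed assumptions; the store-and-forward branch is included only for contrast.

```python
# Constructed model of the proxy chain described in the post; every timing
# and name below is an assumption chosen for illustration.
from dataclasses import dataclass

@dataclass
class Chain:
    backend_scan_s: int    # time the port-2525 sendmail + milter needs per message
    proxy_wait_s: int      # how long the front proxy waits for the backend's reply
    spools: bool = False   # True: front hop queues to disk and answers 250 itself

def attempt(chain):
    """One SMTP attempt. Returns (reply code the sender sees, delivered?)."""
    if chain.spools:
        # Store-and-forward: the sender gets 250 once the message is queued;
        # the queue runner delivers it once, however slow the backend is.
        return 250, True
    if chain.backend_scan_s <= chain.proxy_wait_s:
        return 250, True
    # The proxy gives up and tempfails the sender, but the backend already
    # holds the whole message and finishes delivering it.
    return 451, True

def simulate(chain, message_mb, retry_interval_s, queue_lifetime_s):
    """Replay the sender's retry schedule; return (copies delivered, mailbox MB)."""
    copies, t = 0, 0
    while t <= queue_lifetime_s:
        code, delivered = attempt(chain)
        copies += int(delivered)
        if code == 250:
            break              # sender is satisfied and stops retrying
        t += retry_interval_s  # 4xx: sender requeues and tries again later
    return copies, copies * message_mb

if __name__ == "__main__":
    slow = Chain(backend_scan_s=400, proxy_wait_s=300)
    # 30 MB message, retry every 30 minutes, 5-day queue lifetime (assumed values)
    print("pass-through:", simulate(slow, 30, 1800, 432000))
    print("spooling    :", simulate(Chain(400, 300, spools=True), 30, 1800, 432000))
```

Under this model the duplication stops only when the backend answers inside the proxy's wait window or the front hop accepts responsibility for the message by spooling it.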