Revisiting Anti-Virus for Domino - Do you have feedback?
Daniel Nashed – 21 November 2021 15:50:47
ICAP Interface -- But I did not find the right vendor to use yet
I have been looking for a good anti-virus solution for my own environment running on Linux.
There is an ICAP interface used by many big vendors. But most of them offer it for OEM solutions only.
And it would take some effort to implement the ICAP interface. There is an open source project which includes a client component I could use.
But then still the challenge is to get an anti-virus solution for a smaller environment running on Linux.
ClamAV integration
So I came back and looked again at the ClamAV interface I wrote some time ago, to integrate directly with clamd over TCP/IP.
It turned out that ClamAV is now owned by Cisco -- I wasn't aware of that!
And it is still the open source anti-virus implementation out there --> https://docs.clamav.net/
But I still don't know how good the detection rate is compared to others.
When I looked at it first, the detection rate wasn't what I expected.
As an additional component to scan databases, ClamAV would be for sure an option!
Maybe they improved in the last year with help from Cisco?
Scanning databases periodically
I added some scan options, e.g. to scan only documents modified in the last n days, to permanently search for current attachments.
This could run incrementally during the week, with a full scan -- or a scan covering the last year -- over the weekend.
This would ensure you also catch viruses which were not detected when they came in.
Running ClamAV in a Docker image
When I first used it, I had to install it on my own on Windows and Linux.
It can run on the same or another machine and communicates over TCP/IP.
I looked into the Docker image and it is very easy to install and use.
You just run it and can connect to it from your Domino server running on the same machine.
Feedback on ClamAV?
I would be very interested in your current experience with ClamAV or what you would be interested in.
And I would personally be interested to have someone test ClamAV against an existing quarantine database to see how good ClamAV's detection rate is today.
This would be a local scan. No data would leave the network.
VirusTotal integration
Another component which could be interesting is VirusTotal and other cloud based services.
What I already implemented is adding a SHA1 hash for all attachments, and there is an @Formula that allows direct lookups from every mail to VirusTotal by querying the hash of the file.
I also looked into their API and also other vendors' APIs. They are all REST based and easy to integrate leveraging LibCurl. In fact I already have code for another project (the Tika benchmarking tool already sends attachments from Notes to Tika).
But I am not sure whether I would want to send attachments to VirusTotal or other services. But there might be local applications from different vendors supporting similar lookups on prem.
The hash lookup could be an interesting option and it would not expose much data. If the hash is not known on the other side, VirusTotal cannot do much with your hash.
VirusTotal is only free for a very low number of requests per day. And their license terms for the free offering have to be respected.
That's why I have only a user driven @Formula integration so far.
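As an added illustration of the two building blocks mentioned above (not code from the post or from the Domino integration itself): streaming an attachment to clamd over TCP with its INSTREAM protocol, parsing the OK / FOUND / ERROR verdict, and computing the SHA1 that a VirusTotal hash lookup would use. It assumes clamd is listening on its default TCP port 3310 with a TCPSocket configured; the chunk size and host are constructed defaults.

```python
import hashlib
import socket
import struct

CLAMD_PORT = 3310   # clamd default TCP port (assumes TCPSocket is enabled in clamd.conf)
CHUNK = 8192        # constructed chunk size; clamd only requires 4-byte length prefixes

def instream_frames(data: bytes, chunk_size: int = CHUNK) -> bytes:
    """Build a complete clamd INSTREAM request: the null-terminated 'zINSTREAM'
    command, then chunks prefixed by a 4-byte big-endian length, ended by a
    zero-length chunk that tells clamd the stream is complete."""
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        piece = data[off:off + chunk_size]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)  # terminator
    return bytes(out)

def parse_reply(reply: bytes):
    """Parse 'stream: OK', 'stream: <signature> FOUND' or 'stream: <msg> ERROR'
    (e.g. the StreamMaxLength limit) into (status, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", ""
    for status in ("FOUND", "ERROR"):
        if verdict.endswith(" " + status):
            return status, verdict[: -len(status) - 1]
    raise ValueError(f"unexpected clamd reply: {text!r}")

def attachment_sha1(data: bytes) -> str:
    """Hex SHA1 of an attachment: the only value a hash lookup sends to VirusTotal."""
    return hashlib.sha1(data).hexdigest()

def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = CLAMD_PORT, timeout: int = 30):
    """Stream an attachment to clamd (local or Docker container) and return (status, detail)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(instream_frames(data))
        reply = bytearray()
        while not reply.endswith(b"\0"):   # z-commands terminate the reply with NUL
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(bytes(reply))
```

A FOUND verdict carries the signature name, so the same function can feed both the quarantine action and the periodic rescan of older documents.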
Feedback on VirusTotal and other services?
What do you think about it? Do you use VirusTotal or similar tools?
What about ClamAV? Does anyone want to benchmark it against the scanner you use?
-- Daniel