Revisiting Anti-Virus for Domino - Do you have feedback?
Daniel Nashed – 21 November 2021 15:50:47
ICAP Interface -- But I did not find the right vendor to use yet
I have been looking for a good anti-virus solution for my own environment running on Linux.
There is an ICAP interface used by many big vendors. But most of them offer it for OEM solutions only.
And it would take some effort to implement the ICAP interface. There is an open source project which includes a client component I could use.
But then still the challenge is to get an anti-virus solution for a smaller environment running on Linux.
ClamAV integration
So I came back and looked again at the ClamAV interface I wrote some time ago, which integrates directly with clamd over TCP/IP.
It turned out that ClamAV is now owned by Cisco -- I wasn't aware of that!
And it is still the open source anti-virus implementation out there --> https://docs.clamav.net/
But I still don't know how good the detection rate is compared to others.
When I looked at it first, the detection rate wasn't what I expected.
As an additional component to scan databases, ClamAV would for sure be an option!
Maybe they improved in the last year with help from Cisco?
Scanning databases periodically
I added some scan options, just to scan documents modified in the last n days, to permanently search through current attachments.
This could run incrementally during the week, with a full scan (or a scan covering the last year) over the weekend.
This would ensure you also catch viruses that were not detected when they came in.
Running ClamAV in a Docker image
When I first used it, I had to install it myself on Windows and Linux.
It can run on the same or another machine and communicates over TCP/IP.
I looked into the Docker image, and it is very easy to install and use.
You just run it and can connect to it from your Domino server running on the same machine.
Feedback on ClamAV?
I would be very interested in your current experience with ClamAV or what you would be interested in.
And I would personally be interested to have someone test ClamAV against an existing quarantine database to see how good ClamAV's detection rate is today.
This would be a local scan. No data would leave the network.
VirusTotal integration
Another component which could be interesting is VirusTotal and other cloud based services.
What I already implemented is adding a SHA1 hash for all attachments, and there is an @Formula to allow direct lookups from every mail to VirusTotal by querying the hash of the file.
I also looked into their API and other vendors' APIs. They are all REST based and easy to integrate leveraging libcurl. In fact I already have code for another project (the Tika benchmarking tool already sends attachments from Notes to Tika).
But I am not sure if I would like to send attachments to VirusTotal or other services. But there might be other local applications from different vendors supporting similar lookups on-prem.
The hash lookup could be an interesting option and it would not expose much data. If the hash is not known on the other side, VirusTotal cannot do much with your hash.
VirusTotal is only free for a very low number of requests per day. And their license terms for the free offering have to be respected.
That's why I have only a user-driven @Formula integration so far.
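To make the two integrations described above concrete (the direct clamd TCP/IP scan from the ClamAV and Docker sections, and the SHA1 hash computed per attachment for the hash-only VirusTotal lookup), here is a small added example. It is not code from the blog or from the Domino tools; it assumes clamd listens on the default TCP port 3310 on the same machine, and the sample bytes and clamd replies used in the comments are constructed.

```python
"""Minimal clamd INSTREAM client plus attachment hashing (added example).

clamd INSTREAM framing: b"zINSTREAM\0", then the file as chunks, each
prefixed with a 4-byte big-endian length, terminated by a zero-length
chunk. clamd answers e.g. b"stream: OK\0" or b"stream: <sig> FOUND\0".
"""
import hashlib
import socket
import struct

CHUNK = 64 * 1024  # chunk size is our choice; clamd reassembles the stream

def instream_frames(data: bytes, chunk: int = CHUNK):
    """Yield the exact byte frames written to clamd for one INSTREAM scan."""
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk):
        part = data[off:off + chunk]
        yield struct.pack(">I", len(part)) + part
    yield struct.pack(">I", 0)  # zero-length chunk ends the stream

def parse_clamd_reply(reply: bytes):
    """Return (status, detail): status is 'OK', 'FOUND' or 'ERROR'."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    # e.g. a size-limit error: the file was NOT scanned, do not treat as clean
    return "ERROR", verdict

def scan_bytes(data: bytes, host="127.0.0.1", port=3310, timeout=30):
    """Scan an in-memory attachment against clamd (assumed: local Docker image,
    default port 3310). Returns the parsed (status, detail) tuple."""
    with socket.create_connection((host, port), timeout) as sock:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            piece = sock.recv(4096)
            if not piece:
                break
            reply += piece
    return parse_clamd_reply(reply)

def attachment_sha1(data: bytes) -> str:
    """Hex SHA1 of an attachment, the value used for a hash-only lookup."""
    return hashlib.sha1(data).hexdigest()
```

A periodic database scan would call scan_bytes() on each attachment of the documents modified in the last n days and quarantine on "FOUND", while "ERROR" should be logged and retried rather than counted as clean.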
Feedback on VirusTotal and other services?
What do you think about it? Do you use VirusTotal or similar tools?
What about ClamAV? Does anyone want to benchmark it against the scanner you use?
-- Daniel
Comments [4]
1. Pavel Zhe, 22.11.2021 17:31:42
ClamAV has been owned by Cisco for many years, but ClamAV stays the same useless software. You need to use anti-virus databases from another commercial product with ClamAV to get good virus detection and avoid false detections too. I tried to use ClamAV on my CommuniGate Pro back in 2012, but switched to Kaspersky for Linux Mail Servers in the end.
2. lgy, 11.01.2022 14:34:45
ClamAV official is almost useless, but when you add an unofficial signature source like securiteinfo.com it will be quite useful.
3. Tim, 24.01.2022 11:34:39
I think malware scanning should happen before an email even reaches your server, so my preferred solution in customer setups is to use a Cloud solution like CheckPoint between the mail server and the public internet to scan all incoming and outgoing mail. These solutions are also usually way more potent than any scanner you can install on your own server.
4. Daniel Nashed, 24.01.2022 12:49:21
@Tim, you actually need both!
A gateway solution and a periodic scan once per day or week on each server.
-- Daniel