Posted to server-dev@james.apache.org by "Noel J. Bergman" <no...@devtech.com> on 2003/01/07 18:09:12 UTC

Adding virus detection to James

Consider this: http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.  From what
I read, 80% of corporate mail servers now incorporate some form of virus
detection.

It would be nice if James had a matcher capable of virus detection.  I came
across this article http://online.securityfocus.com/infocus/1650, and the
associated OpenAV project at www.openantivirus.org.

Imagine my pleasure at finding that the official projects, ScannerDaemon,
VirusHammer and PatternFinder, are written in Java.  The project page
mentions GPL, but their SourceForge.net page mentions that it is also
licensed under BSD, so we'll just have to ask for clarification, and make
sure that we have some Open Source, non-GPL, license, as we've received from
other cooperative projects.

I think that this looks interesting, but I expect my own time to be consumed
on other parts of James.  Does someone else have the time and interest to
look at wrapping a Matcher around the OpenAV scanner classes?

	--- Noel


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: Adding virus detection to James

Posted by Kurt Huwig <k....@iku-ag.de>.
Noel J. Bergman wrote:
> Consider this: http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.
> From what I read, 80% of corporate mail servers now incorporate some
> form of virus detection.
> 
> It would be nice if James had a matcher capable of virus detection.
> I came across this article
> http://online.securityfocus.com/infocus/1650, and the associated
> OpenAV project at www.openantivirus.org.
> 
> Imagine my pleasure at finding that the official projects,
> ScannerDaemon, VirusHammer and PatternFinder, are written in Java.
> The project page mentions GPL, but their SourceForge.net page
> mentions that it is also licensed under BSD, so we'll just have to
> ask for clarification, and make sure that we have some Open Source,
> non-GPL, license, as we've received from other cooperative projects.

The scanner is licensed GPL and I do not plan to release it under a less 
restrictive license. You still can use it via the TCP/IP-interface.

> I think that this looks interesting, but I expect my own time to be
> consumed on other parts of James.  Does someone else have the time
> and interest to look at wrapping a Matcher around the OpenAV scanner
> classes?

A wrapper would be very easy. Something like

scanner.scan(file);

where 'file' is a 'File'. A VirusFoundException is thrown if a 
virus has been detected and nothing happens otherwise.

Greetings,

Kurt
-- 
Kurt Huwig             iKu Systemhaus AG        http://www.iku-ag.de/
Vorstand               Am Römerkastell 4        Telefon 0681/96751-0
k.huwig@iku-ag.de      66121 Saarbrücken        Telefax 0681/96751-66
GnuPG 1024D/99DD9468 64B1 0C5B 82BC E16E 8940  EB6D 4C32 F908 99DD 9468

Re: Adding virus detection to James

Posted by Nicola Ken Barozzi <ni...@apache.org>.

Noel J. Bergman wrote:
> Consider this: http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.  From what
> I read, 80% of corporate mail servers now incorporate some form of virus
> detection.
> 
> It would be nice if James had a matcher capable of virus detection.  I came
> across this article http://online.securityfocus.com/infocus/1650, and the
> associated OpenAV project at www.openantivirus.org.
> 
> Imagine my pleasure at finding that the official projects, ScannerDaemon,
> VirusHammer and PatternFinder, are written in Java.  The project page
> mentions GPL, but their SourceForge.net page mentions that it is also
> licensed under BSD, so we'll just have to ask for clarification, and make
> sure that we have some Open Source, non-GPL, license, as we've received from
> other cooperative projects.
> 
> I think that this looks interesting, but I expect my own time to be consumed
> on other parts of James.  Does someone else have the time and interest to
> look at wrapping a Matcher around the OpenAV scanner classes?

I've looked into it too, but never really had time to get to it. It's 
not cutting edge, but still should be more than nothing, given now that 
most viruses in mails come in "periods".

This code can be run from a separate server or in process. Personally I 
like the separate-server thing so that I can offload processing.
A more complete antivirus system could also use other commercial virus 
products, but it would be a second step.

The definitions of the viruses are in a semi-standard format, but I 
don't know who actually updates them.

Finally, at Apache IIUC they use a sister project of it for a mail 
antivirus. Maybe asking what definitions they use could be interesting.

Ciao.

-- 
Nicola Ken Barozzi                   nicolaken@apache.org
             - verba volant, scripta manent -
    (discussions get forgotten, just code remains)
---------------------------------------------------------------------




RE: Adding virus detection to James

Posted by Jason Webb <jw...@inovem.com>.

 
> Having looked into this a bit ago, I wouldn't say the OpenAV code is 
> exactly how I would have designed it... you run a daemon that you TCP 
> into and send the files through.  This might be a nice design if you 
> want to off-load the processing to another box (or cluster them since 
> like Jason says, Virus scanning can take a huge load), but it doesn't 
> make it very easy to bundle.

Still looking, Serge is faster than me ;)

> You have to be pretty judicious about what gets scanned, which then
> leads to possibly not having things fall through the holes.  Maybe as a
> simple approach we have a mailet that uses the remote (or local for that
> matter) daemon to scan for viruses, rather than trying to bundle the
> code.  I think most mail server virus scanners are add-ons anyway, so
> this may not be too bad... include a mailet and a HOWTO.
>
> While it's great to have this free, I do wonder about the value of
> slightly outdated virus definition files.  I'd be interested to see if
> most viruses that get stopped by the commercial vendors are the current
> ones or if it's more just unknowing/unprotected users sending around old
> ones.

When I ran a site with large daily mail volume and we checked for virii,
we tended to get the flavour-of-the-moment ones. So things like Klez
etc. Old ones will eventually get pushed out of the system. Fresher
pattern files are always the best. Remember the speed that Melissa
spread with?
Like they say on the OpenAV site - don't rely on it yet.

> -- 
> Serge Knystautas
> Loki Technologies - Unstoppable Websites http://www.lokitech.com


Re: Adding virus detection to James

Posted by Serge Knystautas <se...@lokitech.com>.
Noel J. Bergman wrote:
> Consider this: http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.  From what
> I read, 80% of corporate mail servers now incorporate some form of virus
> detection.
> 
> It would be nice if James had a matcher capable of virus detection.  I came
> across this article http://online.securityfocus.com/infocus/1650, and the
> associated OpenAV project at www.openantivirus.org.
> 
> Imagine my pleasure at finding that the official projects, ScannerDaemon,
> VirusHammer and PatternFinder, are written in Java.  The project page
> mentions GPL, but their SourceForge.net page mentions that it is also
> licensed under BSD, so we'll just have to ask for clarification, and make
> sure that we have some Open Source, non-GPL, license, as we've received from
> other cooperative projects.
> 
> I think that this looks interesting, but I expect my own time to be consumed
> on other parts of James.  Does someone else have the time and interest to
> look at wrapping a Matcher around the OpenAV scanner classes?
> 
> 	--- Noel

Having looked into this a bit ago, I wouldn't say the OpenAV code is 
exactly how I would have designed it... you run a daemon that you TCP 
into and send the files through.  This might be a nice design if you 
want to off-load the processing to another box (or cluster them since 
like Jason says, Virus scanning can take a huge load), but it doesn't 
make it very easy to bundle.

You have to be pretty judicious about what gets scanned, which then 
leads to possibly not having things fall through the holes.  Maybe as a 
simple approach we have a mailet that uses the remote (or local for that 
matter) daemon to scan for viruses, rather than trying to bundle the 
code.  I think most mail server virus scanners are add-ons anyway, so 
this may not be too bad... include a mailet and a HOWTO.

While it's great to have this free, I do wonder about the value of 
slightly outdated virus definition files.  I'd be interested to see if 
most viruses that get stopped by the commercial vendors are the current 
ones or if it's more just unknowing/unprotected users sending around old 
ones.

-- 
Serge Knystautas
Loki Technologies - Unstoppable Websites
http://www.lokitech.com




RE: Adding virus detection to James

Posted by "Noel J. Bergman" <no...@devtech.com>.
Jason and Serge,

If we re-do the processing chain as I would like, then we could hand off the
virus checking to some asynchronous matcher without unduly degrading the
server.

Also, if you would only filter messages that have attachments in the first
place, then the vast majority of messages would be unfiltered.

OpenAV may not be the best, but I didn't spot any other open source engine
that we could include with James.  And supposedly OpenAV continues to get
development.  I was not thinking that we'd use their "driver" without
change, but that we'd see how the driver worked, and call the scanning
classes directly.  On the other hand, if someone wants to work on a matcher
that knows how to use an external scanning service, that'd be fine with me.

	--- Noel
      [who was on the road yesterday, and is looking at
       a huge volume of new James messages]

-----Original Message-----
From: Jason Webb [mailto:jw@inovem.com]
Sent: Tuesday, January 07, 2003 12:16
To: 'James Developers List'
Subject: RE: Adding virus detection to James


Scanning for Virii on the mail server. Urgh
I've had lots of bad experiences with virus scanner on the server, due
to it hogging server resources like you wouldn't believe. I'd prefer the
Checkpoint style of handing it off to something else for scanning for a
volume solution.

After all that whining, I still think it would be useful.
I'll take a look...

-- Jason

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com]
> Sent: 07 January 2003 17:09
> To: James-Dev Mailing List
> Cc: Kurt Huwig
> Subject: Adding virus detection to James
>
>
> Consider this:
> http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.  From what
> I read, 80% of corporate mail servers now incorporate some
> form of virus detection.
>
> It would be nice if James had a matcher capable of virus
> detection.  I came across this article
> http://online.securityfocus.com/infocus/1650, and the
> associated OpenAV project at www.openantivirus.org.
>
> Imagine my pleasure at finding that the official projects,
> ScannerDaemon, VirusHammer and PatternFinder, are written in
> Java.  The project page mentions GPL, but their
> SourceForge.net page mentions that it is also licensed under
> BSD, so we'll just have to ask for clarification, and make
> sure that we have some Open Source, non-GPL, license, as
> we've received from other cooperative projects.
>
> I think that this looks interesting, but I expect my own time
> to be consumed on other parts of James.  Does someone else
> have the time and interest to look at wrapping a Matcher
> around the OpenAV scanner classes?
>
> 	--- Noel
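
A sketch of the matcher discussed in this thread, added here as an example and not code from James or OpenAV: it scans only named attachments (the pre-filter suggested above) and hands each decoded part to a scanner shaped like the `scanner.scan(file)` call described earlier. `HasVirus`, `FileScanner`, the constructor wiring and the stand-in `VirusFoundException` are assumptions; it needs the Mailet API and JavaMail on the classpath.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.Collection;
import javax.mail.MessagingException;
import javax.mail.Multipart;
import javax.mail.Part;
import org.apache.mailet.GenericMatcher;
import org.apache.mailet.Mail;
// Hypothetical stand-ins for the scanner call described in the thread.
class VirusFoundException extends Exception { }
interface FileScanner { void scan(File file) throws VirusFoundException, IOException; }

public class HasVirus extends GenericMatcher {
    private final FileScanner scanner;  // in-process or remote; wiring is an assumption
    public HasVirus(FileScanner scanner) { this.scanner = scanner; }

    public Collection match(Mail mail) throws MessagingException {
        try {
            return infected(mail.getMessage()) ? mail.getRecipients() : null;
        } catch (IOException e) {
            // Scanner or spool failure: raise an error rather than report "clean".
            throw new MessagingException("virus scan failed", e);
        }
    }

    private boolean infected(Part part) throws MessagingException, IOException {
        if (part.isMimeType("multipart/*")) {
            Multipart parts = (Multipart) part.getContent();
            for (int i = 0; i < parts.getCount(); i++) {
                if (infected(parts.getBodyPart(i))) return true;
            }
            return false;
        }
        // Parts without a filename are treated as body text and not scanned.
        if (part.getFileName() == null) return false;
        File tmp = File.createTempFile("james-scan", ".bin");
        try {
            Files.copy(part.getInputStream(), tmp.toPath(), StandardCopyOption.REPLACE_EXISTING);
            scanner.scan(tmp);  // getInputStream() above yields the decoded bytes
            return false;
        } catch (VirusFoundException e) {
            return true;
        } finally {
            tmp.delete();
        }
    }
}
```

Skipping parts without a filename keeps the scanning load down, and it is the kind of gap the "fall through the holes" remark in this thread refers to.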




RE: Adding virus detection to James

Posted by Jason Webb <jw...@inovem.com>.
Scanning for Virii on the mail server. Urgh
I've had lots of bad experiences with virus scanner on the server, due
to it hogging server resources like you wouldn't believe. I'd prefer the
Checkpoint style of handing it off to something else for scanning for a
volume solution.

After all that whining, I still think it would be useful.
I'll take a look...

-- Jason

> -----Original Message-----
> From: Noel J. Bergman [mailto:noel@devtech.com] 
> Sent: 07 January 2003 17:09
> To: James-Dev Mailing List
> Cc: Kurt Huwig
> Subject: Adding virus detection to James
> 
> 
> Consider this: 
> http://help.rr.com/getpage.asp?/faqs/e_mgsp.html.  From what 
> I read, 80% of corporate mail servers now incorporate some 
> form of virus detection.
> 
> It would be nice if James had a matcher capable of virus 
> detection.  I came across this article 
> http://online.securityfocus.com/infocus/1650, and the 
> associated OpenAV project at www.openantivirus.org.
> 
> Imagine my pleasure at finding that the official projects, 
> ScannerDaemon, VirusHammer and PatternFinder, are written in 
> Java.  The project page mentions GPL, but their 
> SourceForge.net page mentions that it is also licensed under 
> BSD, so we'll just have to ask for clarification, and make 
> sure that we have some Open Source, non-GPL, license, as 
> we've received from other cooperative projects.
> 
> I think that this looks interesting, but I expect my own time 
> to be consumed on other parts of James.  Does someone else 
> have the time and interest to look at wrapping a Matcher 
> around the OpenAV scanner classes?
> 
> 	--- Noel