[BBLISA] Linux scanning for windows malware on samba share

John P. Rouillard rouilj at cs.umb.edu
Thu Oct 3 18:30:13 EDT 2013


Hi all:

I was involved in cleaning up some malware effects recently. The Samba
share that the company uses was hit. The desktop AV caught what was
deposited, but they would like to go for something running on the
Linux side as a second level of protection.

Initially they are looking at a scan scheduled via cron, but on-use
scanning triggered from Samba (preferably after a file opened for
write is closed) is a nice-to-have feature.

Support for detecting malicious content in pdf, ms office docs, inside
various archive formats is required along with the usual executable
scanning.

This is a point solution, so a big multi-install control-center-like
GUI isn't needed.  CLI configuration/execution is preferred since the
system they want to protect is a pretty bare-bones RHEL 6 server.

Does anybody have any recommendations? ClamAV is on my list as it
seems they have better document support and a reasonable signature
update schedule compared to what I remember, and the price is right.

Does anybody have anything to say about Trend Micro, Kaspersky, Sophos
or ESET, which are on my to-look-at list? (I have had really bad luck
with McAfee and Symantec in the past on PCs, so I have removed them
from the list.)

Also on the wishlist:

   Automatic quarantining or denial of access to infected files
     (with some method to override it to react to false positives)

   On-premises execution, not cloud based, is preferred as the server
     is firewalled to the outside currently

   Automatic signature (not software) update.

   Notification/reporting that can integrate with Nagios and
     provide some 'C' level type reports: number of files scanned of
     each type, number of signatures in database, number of viruses
     detected ...

For a first pass at evaluating the effectiveness of the commercial
versions, I have been using the AV testing from

    http://chart.av-comparatives.org
and
    http://www.av-test.org

to do initial filtering of vendors. Thoughts? Other places I should look?

Thanks for your help.

--
				-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
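As an added example (not from the original post), this is what the cron-driven first pass could look like with ClamAV on the RHEL 6 box: a recursive clamscan that moves infected files to a quarantine directory outside the share, followed by a Nagios-plugin-style summary built from clamscan's own scan summary (scanned files, known signatures, infected files). The share, quarantine and log paths are assumptions.

```shell
#!/bin/sh
# Constructed example: nightly ClamAV scan of a Samba share with quarantine,
# reported in Nagios plugin format (OK/WARNING/CRITICAL/UNKNOWN, exit 0-3).
SHARE=${SHARE:-/srv/samba/share}            # assumed share path
QUARANTINE=${QUARANTINE:-/var/quarantine}   # assumed dir, outside the share
LOG=${LOG:-/var/log/clamav/share-scan.log}  # assumed log location

# Recursive scan; infected files are moved (same basename) into $QUARANTINE,
# so a false positive is restored with a plain mv back into the share.
# clamscan exit codes: 0 clean, 1 infected file(s) found, 2 error.
run_share_scan() {
    mkdir -p "$QUARANTINE"
    clamscan -r -i --move="$QUARANTINE" --log="$LOG" "$SHARE" >/dev/null 2>&1
}

# Pull one numeric field (e.g. "Scanned files: 3") from the last scan
# summary in a clamscan log; --log appends, hence tail -n 1.
summary_field() {
    sed -n "s/^$1: \([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Turn the clamscan summary into a Nagios status line with perfdata that
# carries the counts the reports want: files scanned, signatures, detections.
nagios_status() {
    log=$1
    infected=$(summary_field "Infected files" "$log")
    scanned=$(summary_field "Scanned files" "$log")
    known=$(summary_field "Known viruses" "$log")
    perf="scanned=${scanned:-0} infected=${infected:-0} signatures=${known:-0}"
    if [ -z "$infected" ]; then
        echo "UNKNOWN - no scan summary in $log | $perf"
        return 3
    elif [ "$infected" -gt 0 ]; then
        echo "CRITICAL - $infected infected file(s) moved to $QUARANTINE | $perf"
        return 2
    fi
    echo "OK - $scanned files scanned, $known signatures loaded | $perf"
    return 0
}

main() {
    run_share_scan || true      # exit code is read from the summary instead
    nagios_status "$LOG"        # print status line; exit code is the Nagios state
}

case "${1:-}" in run) main ;; esac
```

Run it from cron as `share-scan.sh run`; the printed line and exit status are what a Nagios NRPE check expects.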