[BBLISA] Linux scanning for Windows malware on Samba share

Daniel Feenberg feenberg at nber.org
Thu Oct 3 19:00:24 EDT 2013



On Thu, 3 Oct 2013, John P. Rouillard wrote:

> Hi all:
>
> Does anybody have anything to say about Trend Micro, Kaspersky, Sophos
> or Eset, which are on my to-look-at list? (I have had really bad luck
> with McAfee and Symantec in the past on PCs, so I have removed them
> from the list.)
>

We have used Kaspersky for many years with FreeBSD and Sendmail, but I 
presume Linux will be similar. The executable can read a file from the 
standard input and report a hit with the return code, so it is quite 
flexible as to what happens to files, reporting, etc., if you can do a 
little shell scripting. I suppose you would have a script that ran it 
against all the files newer than the last run and removed rx permissions 
from hits while emailing the sysadmin and owner. We don't actually use it 
that way. A cron job can update the signature file. It is not unfriendly 
to "the Unix way".

False virus positives are extremely rare to non-existent.

dan feenberg


> Also on the wishlist:
>
>   Automatic quarantining or denial of access to infected files
>     (with some method to override it to react to false positives)
>
>   On-premises execution, not cloud based, is preferred as the server
>     is firewalled to the outside currently
>
>   Automatic signature (not software) update.
>
>   Notification/reporting that can integrate with nagios and
>     provide some 'C' level type reports: number of files scanned of
>     each type, number of signatures in database, number of viruses
>     detected ...
>
> For a first pass at evaluating the effectiveness of the commercial
> versions, I have been using the AV testing from
>
>    http://chart.av-comparatives.org
> and
>    http://www.av-test.org
>
> to do initial filtering of vendors. Thoughts? Other places I should look?
>
> Thanks for your help.
>
> --
> -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.
>
>

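The scan-newer-than-last-run script Dan sketches above, written out as an added example (not code from the original post or from any vendor's product). SCANNER is a placeholder for any on-host scanner that reads one file on standard input and reports a hit through a non-zero exit status; fake_scan and the marker string are constructed stand-ins so the script can be exercised offline.

```shell
#!/bin/sh
# Added example: scan only files modified since the last run, quarantine
# hits in place by dropping read/execute bits, log them for the sysadmin
# and owner, then advance the timestamp. Assumed scanner contract
# (placeholder, not any vendor's real CLI): exit 0 = clean, non-zero = hit.
MARKER="SAMPLE-MALWARE-MARKER"      # constructed test marker, not a real signature

fake_scan() {
    # Constructed stand-in scanner: "hit" (non-zero) when the marker is present.
    ! grep -q "$MARKER"
}
# SCANNER names a single command; wrap a real scanner's options in a script.
SCANNER="${SCANNER:-fake_scan}"

notify() {
    # $1 = file, $2 = owner. In production this line would be fed to mail(1)
    # for the sysadmin and the owner; here it goes to the report log only.
    printf 'HIT %s owner=%s\n' "$1" "$2" >> "$REPORT"
}

# scan_share SHARE STAMPFILE REPORTLOG
# Prints each quarantined path on stdout (cron will mail that output).
scan_share() {
    share="$1"; stamp="$2"; REPORT="$3"
    # Take the new timestamp *before* scanning, so a file changed mid-scan is
    # picked up on the next run instead of being skipped for good.
    newstamp="$stamp.next"; : > "$newstamp"
    set -- "$share" -type f
    if [ -e "$stamp" ]; then set -- "$@" -newer "$stamp"; fi
    # Paths with spaces are fine; embedded newlines would need -print0 handling.
    find "$@" -print | while IFS= read -r f; do
        if ! "$SCANNER" < "$f"; then
            chmod a-rx "$f"                        # quarantine in place
            owner=$(ls -ld "$f" | awk '{print $3}')
            notify "$f" "$owner"
            printf '%s\n' "$f"
        fi
    done
    mv "$newstamp" "$stamp"
}
```

Because the quarantine is only a permission change, an admin can reverse a false positive with chmod and re-scan after the next signature update.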

