Integrating a virus scanner into a mail server

Milosh Kojadinovich, 123RF


Viruses, worms, and Trojans threaten Windows machines almost exclusively. That's why applying a virus scanner in Linux makes sense when the machine is a file or mail server used by Windows clients.

Windows dominates the desktop market with 90 percent of the market share [1], and a large portion of those machines still run Windows XP. This situation presents an enormous potential for virus and malware spreading, even when these machines are updated with the latest service packs. Meanwhile, about half the world's servers now run Linux or UNIX.

The widespread use of Linux servers, including in large server farms at Google, Facebook, and the like, would suggest that such computers present an attractive target for attacks by malicious software. Interestingly, this is hardly the case. The reason doesn't lie in the system architecture alone, because the security concepts of current Windows versions aren't that different from those of Linux or Unix.

Secure Linux?

On Linux and Unix, as on Windows, users have different rights. On UNIX-like systems, users can gain access only to their own files and those for which they're granted explicit rights. Administrative rights are reserved for the root user. Windows, in principle, could use the same concept, but this is virtually impossible to implement, because the system requires administrative rights for almost all activities; otherwise, many programs would not run correctly.

That's why Microsoft granted users extended rights up until Windows XP. From Windows Vista onward, however, a user prompt at least preceded a switch to administrator mode.

Still, the Windows default user had full administrator rights: All started processes have access to all parts of the system. In Linux and Unix, only su or sudo can switch to the mode with an effective user ID of 0 (root). By default, no user has administrator privileges.

The statement is often heard that Windows is a perfect target for malware on account of its software errors. The truth is that Windows, Linux, and Unix have equal vulnerability in terms of programming errors, conceptual failures, buffer overflows, and similar weaknesses, which is confirmed by the release notes for updates. The differences in the systems lie rather in the configuration, where Windows often sacrifices security in favor of convenience. This is due to the fact that typical Windows users have a totally different attitude with respect to the computer system than Linux users.

A Linux desktop, therefore, is not inherently more secure than a Windows machine. The difference is that Linux systems do not offer services on all possible ports to the outside – to the point that the "personal firewall" is virtually a foreign concept on Linux. Virus scanners on Linux scan data on behalf of other systems that have inadequate protection against attacks.

AV Software on Linux

There are many virus scanners for Linux. Emergency kits, such as Avira, F-Secure, and Bitdefender Rescue, all run on Linux systems. You start such rescue programs as a Linux Live system either from a CD or USB stick. They can also easily be booted using PXE from a server.

All major Linux distributions provide installations for the AMaViS [2] and ClamAV [3] packages. ClamAV is the actual virus scanner, whereas AMaViS integrates it with a mail system. Several other free systems, such as Bitdefender, Sophos, and AVG, are also available. Systems that come with a price tag include Kaspersky, Trend Micro, and others. In this article, I'll show how to arm a Linux server with a virus scanner based on ClamAV and AMaViS for scanning directories and emails for malware.
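A mail filter such as AMaViS talks to the ClamAV daemon (clamd) over its local socket, and clamd's INSTREAM command lets a caller stream the message bytes instead of sharing a file path. The following Python client for that exchange is an added example, not code from the article or from either project; it is exercised against a constructed stand-in for clamd that flags the EICAR test string, and the socket path and the `scan_with_fake_daemon` helper are assumptions made for the demo.

```python
import os
import socket
import struct
import tempfile
import threading

# EICAR test string: the benign sample every AV engine, ClamAV included, detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def clamd_instream(data: bytes, sock_path: str):
    """Hand `data` to clamd over its Unix socket with INSTREAM; return (clean, signature)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")                       # z-prefix: NUL-terminated reply
        for i in range(0, len(data), 4096):             # big-endian length-prefixed chunks
            chunk = data[i:i + 4096]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)
        s.sendall(struct.pack(">I", 0))                 # zero-length chunk ends the stream
        reply = s.makefile("rb").read()                 # clamd closes after one command
    text = reply.rstrip(b"\0").decode()                 # "stream: OK" / "stream: <sig> FOUND"
    if text.endswith(" OK"):
        return True, None
    if text.endswith(" FOUND"):
        return False, text[len("stream: "):-len(" FOUND")]
    raise RuntimeError("unexpected clamd reply: " + text)

def fake_clamd(sock_path: str) -> None:
    """Constructed stand-in for clamd (not the real daemon): flags data containing EICAR."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as f:
                while f.read(1) not in (b"\0", b""):    # skip the NUL-terminated command
                    pass
                body = b""
                while True:                             # reassemble the chunked stream
                    n = struct.unpack(">I", f.read(4))[0]
                    if n == 0:
                        break
                    body += f.read(n)
                verdict = b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body else b"stream: OK\0"
                conn.sendall(verdict)
    threading.Thread(target=serve, daemon=True).start()

def scan_with_fake_daemon(data: bytes):
    # Hypothetical helper: one scan against the constructed daemon on a temp socket.
    sock_path = os.path.join(tempfile.mkdtemp(), "clamd.sock")
    fake_clamd(sock_path)
    return clamd_instream(data, sock_path)
```

Against a real clamd, point `clamd_instream` at the daemon's configured LocalSocket instead of the stand-in; the wire exchange is the same.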
