PaX & SELinux & whatever from GRSecurity is useful & Forkbomb Protector & IBM Stack Smash Protector & Stateful Firewalling (netfilter) & Packet filter firewalling (netfilter) & Dan's Guardian & ClamAV (after adding heuristics) & snort-inline & DigSig & UML & Discretionary Netfilter (non-existent hack that could be done using iptables, sudo, and some scripts)

SE isn't everything. PaX isn't everything. GR isn't everything. Firewalls aren't everything. Stack smash protection isn't everything. You need to combine everything to get everything.

Again, I won't say either of you is right; I'm just concerned that this argument is a poor way to convey your points, and that you are dwelling on defending your egos far more than you are on discerning what's wrong on each side and fixing those.

Civilizing SELinux Posted Nov 26, 2004 7:56 UTC (Fri) by spender (guest, #23067)
Another thought is that this will detect only the viruses passing by your sensor. If your organization is considering venturing down the path of intrusion prevention systems (IPS) and application firewalls, you might want to check out the new patch for snort-inline that drops the virus packets at the inline device.
For Squid-3.0 and later we can use ICAP for content filtering or antivirus checking. This config example describes how to scan for viruses on-the-fly using the squidclamav antivirus module in combination with the ClamAV antivirus service. It differs a bit from the recommended squidclamav configuration and is adapted for Squid-3.4 releases and above, with the latest configuration changes.
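The three configuration files involved, as an added example that is not the wiki's own config: Squid is the ICAP client, c-icap hosts the squidclamav service, and squidclamav talks to clamd. Addresses, ports, the worker counts and the redirect URL are assumptions to adjust for your deployment; the squidclamav directive names are the ones from the squidclamav 6.x documentation, so compare them against the squidclamav.conf shipped with your installed version.

```conf
# squid.conf (ICAP client side, Squid 3.4 or later)
icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
# Request-side (uploads) and response-side (downloads) scanning.
# bypass=off means Squid fails closed if c-icap is down instead of
# silently passing unscanned bodies; change it knowingly if you prefer
# availability over scanning.
icap_service service_avi_req  reqmod_precache  icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access service_avi_req  allow all
icap_service service_avi_resp respmod_precache icap://127.0.0.1:1344/squidclamav bypass=off
adaptation_access service_avi_resp allow all

# c-icap.conf (ICAP server; the worker counts are the "amount of workers"
# to tune for your load, values here are illustrative)
Port 1344
StartServers 3
MaxServers 10
MinSpareThreads 10
MaxSpareThreads 20
ThreadsPerChild 10
MaxRequestsPerChild 0
Service squidclamav squidclamav.so

# squidclamav.conf (c-icap module; streams bodies to clamd with INSTREAM)
# clamd on a separate node: point clamd_ip at it over a fast link.
# clamd's TCP port is unauthenticated, so restrict it with netfilter to
# the proxy host only, and keep StreamMaxLength in clamd.conf >= maxsize.
clamd_ip 127.0.0.1
clamd_port 3310
maxsize 5000000
timeout 1
scan_mode ScanAllExcept
abort ^.*\.(ico|gif|png|jpg)$
redirect http://proxy.example.com/cgi-bin/clwarn.cgi
```

Use `clamd_local /var/run/clamav/clamd.ctl` instead of `clamd_ip`/`clamd_port` when clamd runs on the proxy itself; the Unix socket avoids the TCP hop that the text identifies as one of the two latency bottlenecks.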
Note: the ClamAV daemon (clamd) is a memory-hungry service; it uses about 200-300 megabytes in a minimal configuration (mainly to hold the AV database in memory), and usage can be higher during deep scans of big archives. So you can put it on a separate node with a fast network interconnect to your proxy (this option is valid only when using squidclamav).
To build the clamav_mod submodule (which uses libclamav) you may need to patch your c-icap installation with the latest fixes. It depends on the OpenSSL headers, and you can have problems building the module. This can be worked around if your system has an older OpenSSL version available (e.g. 0.9.8): add the old OpenSSL headers path to the CPPFLAGS variable.
In practice, the configuration with clamd and squidclamav is the fastest. In fact, squidclamav using INSTREAM to perform AV checks is the best way. You may only need to adjust the number of workers in the c-icap service according to your load. You will have only two bottlenecks: the interaction of your proxy server with c-icap, and the interaction of c-icap with the antivirus service. You need to reduce the latency of these interactions to the minimum possible.
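What "INSTREAM" actually means on the wire between c-icap and clamd, as an added example (not code from squidclamav or ClamAV): the framing that squidclamav sends, a reply parser that fails closed on anything it does not recognise, and a small client for a clamd reachable over TCP (the separate-node setup described above) or a Unix socket. The EICAR test string is the standard harmless payload for checking a scanning path; the host, port and socket path are assumptions.

```python
"""clamd INSTREAM client: the framing squidclamav uses to hand a buffered
body to clamd, plus a fail-closed reply parser.

The framing and parsing functions run offline; scan_bytes() needs a live
clamd. Sample payloads and replies in the test are constructed.
"""
import socket
import struct
from typing import Iterator, Optional, Tuple

# EICAR test string: harmless, detected by every AV engine, so it is the
# standard way to verify a scanning path end to end.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk_size: int = 64 * 1024) -> Iterator[bytes]:
    """Yield the INSTREAM command and length-prefixed chunks for `data`.

    Wire format (clamd documentation): the command, then any number of
    chunks each prefixed by a 4-byte network-order length, then a
    zero-length chunk that terminates the stream. The 'z' prefix makes
    clamd NUL-terminate its reply, which is easier to frame than '\\n'.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def build_instream_request(data: bytes, chunk_size: int = 64 * 1024) -> bytes:
    """Concatenate the frames; convenient for small bodies and for tests."""
    return b"".join(instream_frames(data, chunk_size))


def parse_clamd_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Classify a clamd reply as ('OK'|'FOUND'|'ERROR', detail).

    Replies look like 'stream: OK', 'stream: Eicar-Test-Signature FOUND'
    or 'stream: INSTREAM size limit exceeded. ERROR' (body larger than
    StreamMaxLength in clamd.conf). Anything unrecognised, including an
    empty reply from a dead daemon, is reported as ERROR so the caller
    blocks the body rather than passing it through unscanned.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if ": " in text:
        text = text.split(": ", 1)[1]
    if text == "OK":
        return "OK", None
    if text.endswith(" FOUND"):
        return "FOUND", text[: -len(" FOUND")]
    if text.endswith(" ERROR"):
        return "ERROR", text[: -len(" ERROR")]
    return "ERROR", text or "empty reply"


def scan_bytes(data: bytes, host: str = "127.0.0.1", port: int = 3310,
               unix_path: Optional[str] = None,
               timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Stream `data` to a live clamd and return the parsed verdict.

    host/port default to clamd's conventional TCP port (assumed); pass
    unix_path to use clamd's LocalSocket instead. Not run by the test.
    """
    if unix_path:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(unix_path)
    else:
        sock = socket.create_connection((host, port), timeout=timeout)
    try:
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    finally:
        sock.close()
    return parse_clamd_reply(reply)


if __name__ == "__main__":
    # Expect ('FOUND', 'Eicar-Test-Signature') against a working clamd.
    print(scan_bytes(EICAR))
```

The two latency points named above map directly onto this code: every chunk is a round trip over the c-icap to clamd link, so a larger `chunk_size` (bounded by clamd's `StreamMaxLength`) and a local socket or fast interconnect are what keep scanning off the request's critical path.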
This module configures a baseline for Ubuntu endpoints. It installs software, disables IP forwarding, installs the clamav anti-virus, and copies over files, including a script, dailyscript, that runs daily and is placed in the /etc/cron.daily directory. You can use the same technique to ensure that your scripts remain where you want them.