Detailed AntiVirus Software Roundup

Nathan Johanson nathan at TCPNETWORKS.NET
Mon Sep 15 17:06:35 IST 2003


I know... This is a popular topic on the list. We're getting ready to
purchase another virus scanner for use with MailScanner. Over the last
several months, people have posted various recommendations and findings
from their own efforts.

Since I'm about to set out calling the various vendors, sending email,
visiting the web sites, etc., I figured I would post and see if anyone
would be willing to share their findings for all scanners they've
reviewed. I'm looking to get a general overview of all or most of the
scanners supported by MailScanner. If anyone has put together something
like this, can they please post it to the list? If there isn't an
extensive review in existence, I would be willing to put together such a
list based on your responses and my own research. But by my count, I'm
guessing that at least five of you have done the work already.

Like most, we use MailScanner to scan viruses for several domains and
growing. In some cases, the mailboxes reside on the server itself and in
other cases we simply forward the mail to the appropriate mail server
(not often owned by us). In light of this, we want to avoid scanners
that adhere to the "per mailbox" licensing and stick with those that
offer per node licenses. 

Here are the questions we need answers to:

* Which scanners work dependably on a Linux platform from a purely
technical standpoint? There are several of them listed on the
MailScanner site:
http://www.sng.ecs.soton.ac.uk/mailscanner/install/OS-virus-scan-web.htm
Are there any issues with updates, viruses getting through, outdated
versions, compatibility issues, etc.?
* Which scanners use a "per mailbox" licensing model? Which of these
vendors is willing to work with the customer? And which scanners use a
"per node" licensing model? 

As a member of the list over the last year, here is the rather
disjointed information I've gathered so far:

* there is a lot of recent confusion around f-prot's licensing scheme
(probably most of the confusion can be attributed to conflicts between
the actual license content and content on the web site). F-prot is
mostly to blame for this.
* eTrust came out of nowhere as a viable, dirt-cheap alternative, but it
may be a little more difficult than usual to install and suffers from
some code bloat. Did I hear 34MB? 
* ClamAV is every bit as good as a commercial scanner, but most still
use it in conjunction with a commercial scanner. After watching the list
for several months, it appears that ClamAV does require a lot more
attention than some of the others (the update script lockup issues come
to mind here, and there does seem to be some confusion about updating or
upgrading the scanner in general). I'm basing these assumptions on the
number of posts regarding ClamAV and its installation or usage.
* f-secure has received mixed reviews, but may be a good solution now
that they've incorporated two different scanning engines. I do remember
there was a major problem with their scanner at one point, but can't
remember what that was. Someone did mention that they're willing to work
with customers on pricing, but (like f-prot) it's not clear which
version we would need to purchase. F-secure's recent publicity around
decoding instructions in the Sobig virus does seem to lend them some
recent credibility. 
* Sophos is used by the author of MailScanner (a good recommendation),
but could be cost prohibitive. There were issues with recent engines
slowing down the server, but that seems to have been solved.
* RAV is now under Microsoft's control. Enough said.

There are several others of which I have little or no information:
command, kaspersky, nod32, antivir, etc. I'm familiar with McAfee and
Trend (having one foot in the Windows world), but it's obvious that
Linux isn't really their first concern (it's difficult to even find
mention of these scanners on their web sites).

Sincerely,

Nathan Johanson



