Free virus detection software for linux

Apache Intrusion Detection Module is a simple tool to find out intrusion attempts by examining the client requests in real time.

This is a simple attempt to build an Intrusion Detection Module for Apache. It is being run at two different sites successfully but there is a performance penalty as the module intercepts all object requests and examines with the list of vulnerable CGI applications.

Issuing a simple make should do in most cases; at worst tweak with the Makefile. The make process will compile mod-id as a apache DSO module, if your server has no DSO support you will need more time...

Any suggestions and improvements are welcome.

About AVG Anti-Virus:

• AVG Professional Single Edition is perfectly designed to give you the maximum antivirus protection for your single home PC or workstation.
• It is simple to install and operate. No IT expertise is required and it can run in the background, providing uninterrupted protection. All file and e-mail activity is checked automatically, allowing you to get on with your work without worrying about viruses.
• It is extremely fast, reliable and light on resources, so, no matter how demanding a user you are, it will not slow down your performance.

Enhancements: Added detection of new variants of trojans SHeur2.ANNO, BackDoor.Hupigon5.LCW, SHeur2.ANOR, Downloader.Generic8.AXOI, PSW.Banker5.ONF, Generic13.BPUS.

Kvirus project is a board/puzzle game for the KDE Environment.

Kvirus is a board game for the KDE Environment and a clone of Ataxxlet originally written in Java.

The goal is to copy or jump your virus to eat up the enemy virus. Kvirus provides a cute interface with hours of fun.

The Qmail virus scanner (QScan) is a mail filter for Qmail that scans incoming messages using the Sophos Antivirus engine, immediately rejecting infected content.

It is designed to be minimalistic, yet extremely fast and secure, and uses multiple pipes instead of the traditional temporary files and privilege separation. It works with non-native versions of the virus scanner like under OpenBSD with Linux or FreeBSD emulation.


You must create a temporary directory to extract MIME attachments, and replace Qmails original qmail-queue program with Qscan. Quick way to achieve this for the impatients :

mkdir /var/qmail/qscan
chmod 700 /var/qmail/qscan
chown qmaild:qmail /var/qmail/qscan
ln /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue-old

Now, lets compile and install Qscan :

./configure --help

./configure [your beloved flags]

make install-strip

The last step is to replace the original qmail-queue program with our filter :

rm /var/qmail/bin/qmail-queue
ln -s /usr/local/sbin/qscan /var/qmail/bin/qmail-queue

Depending on your local configuration, it may be needed or not, but start with doing it :

chown qmaild:qmail /usr/local/sbin/qscan
chmod 6711 /usr/local/sbin/qscan

After testing, if everythings ok for you, remove the setuid bit :

chown 0:0 /usr/local/sbin/qscan
chmod 711 /usr/local/sbin/qscan

Aegis project is a virus scanner for Linux, Unix and Windows with a simple and intuitive user interface.

Aegis supports scanning of subdirectories, hidden files and .zip and .tar archive files, and drag-and-drop of files from the Nautilus file browser, or your Gnome desktop. When a virus is detected you can choose to delete, quarantine or rename the file.

Vipuls Razor is a collaborative, distributed, spam detection and filtering network. Through user contribution, Razor establishes a distributed and constantly updating catalogue of spam in propagation that is consulted by email clients to filter out known spam.
Detection is done with statistical and randomized signatures that efficiently spot mutating spam content. User input is validated through reputation assignments based on consensus on report and revoke assertions which in turn is used for computing confidence values associated with individual signatures.
Enhancements:
- The discovery logic used for discovering Razor2 servers was updated.
- Several long-standing issues were fixed in discovery and TCP connectivity logic.

POP3 Virus Scanner Proxy is a full-transparent proxy daemon which scans all mails for viruses using third party scanners (built-in support for AVPD and Trophie).

You have to set up a port redirection in the linux-netfilter (iptables) so that all connections from e.g. inside your office to any POP3 server outside in the world will not leave your router, but come a local port, on which POP3VScan listens. POP3VScan receives from the linux kernel the original destinations of packets (the POP3 server outside in the world) and will connect to them.

All data we receive from the client will be sent to the server, and vice versa. With a little enhancement: we parse the neccessary parts of the POP3 protocol and when an email is sent from the server, we store it into a file, invoke a virusscanner and send it if it is good, or we just replace it with a virus notification. It should be possible to use all scanners using the scannertype=basic. Also POP3VScan provides scannertype=avpd for high-speed scanning using Kaspersky Anti-Virus for Linux, every C programmer can easily adept other scan-daemons (trophie, sophie, antivir, ...).

Neither the client nor the server has to be configured, none of them will take notice that theres a mailscanner (except the client when he gets a virus notification or if he looks into the header, and the server gets our ip as source).

Yet Another antiVirus Recipe is a procmail that helps to filter out a lot of the most common e-mail worms.
For some of the above (plain iframe, clsid, xml, macro) e-mail is delivered normally but gets a WARNING in subject plus its old subject ($SUB).
Some of the warnings are:
WARNING-XML-CODEBASE-OBJECT-$SUB
WARNING-CLSID-EXTENSION-$SUB
WARNING-IFRAME-$SUB
WARNING-MACRO-$SUB
WARNING-NSCAM-SCORE:$NKNGS-$SUB
Main features:
- :: base64 signatures ::
- Most of these worms are MS-Windows executables and arrive at our e-mail encoded through base64 routines. YAVR uses especially selected signatures to locate these attachments. After that it places them in a directory (/virus/) sorted by name.
-
- :: iframe html exploit ::
- Through IFrame tag a html encoded e-mail can download and execute a file from a remote http site without informing the user.
-
- :: CLSID hidden extensions exploit ::
- Attachments which end with a Class ID (CLSID) file extension do not show the actual file extension saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files.
-
- :: xml codebase exploit ::
- Usage of some xml objects allow local files to be automatically executed, regardless of the security settings on the target machine.
-
- :: generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe ::
- The rest of MS-executable files that are not caught from base64 signatures end up in a virus-could-be file.
-
- :: generic macro detection for doc,dot,xls,xla files ::
- MS-Word and MS-Excel files that contain macro commands are marked with a warning.
-
- :: generic detection for most of nigeria scam e-mails (most of them) ::
- Nigeria scam e-mail is not a virus but a big spam problem... There are many good filters that use great algorithms for spam. This is just an add-on.
Enhancements:
- new switches for quarantine or not certain e-mailsbased on some ideas by Dan Smart
- YAVRQUARANTEXE if set to ON it sends unknown executables to /virus/virus-could-be as usual if set to OFF it delivers at inbox with a warning (and the X- header ;)
- YAVRQUARANTNIG same for nigeria scam
- YAVRQUARANTPRN same for porn e-mail read instuctions inside nkvir-rc
- X- marks in headers to help your own procmail scripts
- X-YAVR: MS-EXEC (any MS executable that wasnt identified by signatures)
- X-YAVR: NIGERIA (nigeria scam)
- X-YAVR: PORN (porn related)
- X-YAVR: MACRO (containing macro code)
- X-YAVR: XML-CODEBASE
- X-YAVR: IFRAME
- X-YAVR: CLSID-EXTENSION
- X-YAVR: SENDMAIL-EXPLOIT
- some more Worm.Moodown.b aka Netsky.b signatures
- another Mimail.Q