[Avcheck] Re: avpcheck vs amavis

Michael Tokarev mjt@tls.msk.ru
Fri, 05 Oct 2001 20:24:53 +0400


[Cc'd to amavis-users and avcheck mailinglists.
 My answer can't be complete without comments from amavis folks]

Bosko Radivojevic wrote:
> 
> Hello,
> 
> Why is it better to use (if it is at all:) avpcheck instead of
> amavis?  Faster?  Better security?

Well, it really depends.  Avcheck (note it is now called avcheck,
without "p", since it isn't AVP-specific) isn't a "product" per se,
but only "glue" between the mail system and the antivirus engine/daemon.
It only passes a mail message to the antivirus for inspection, nothing
more -- *all* work required to parse the MIME structure, extract
archives and finally check all files is done inside the antivirus
(and so avcheck can't be used with an antivirus that can't understand
MIME and archives).  In contrast, amavis has its own "unpacking
engine" with a MIME parser and so on -- so it can be used with an
antivirus that can't even deal with archives.  Since amavis is written
in perl and uses external archivers to unpack (some of the) archive
types, it is slow and may require a significant amount of disk space
for its operations (and is a good target for 42.zip-like mailbombs,
though this issue has already been addressed somehow).

Many antiviruses today *that know* about MIME and archives can
extract them on the fly without any disk access at all, by
"stacking" the viruschecker on top of an unarchiver on top of an unarchiver
on top of a "demimer" and so on -- but this operation can be very
CPU intensive (but the viruschecker itself usually requires a lot
of CPU time anyway) and, depending on the implementation, memory
intensive too.  Well, again, it all depends -- in some cases,
amavis with its disk requirements/usage may be faster than
some antivirus when extracting the "archive structure" -- for example,
I know at least one antivirus that will extract one archive
several times to feed the output into several "antivirus subengines" --
depending on the file, amavis can be significantly faster than this
approach.  But this is really an antivirus engine issue.

Amavis can sometimes pass archives (when the antivirus isn't able to
unpack them) -- for example, self-extracting archives are handled as
executables, not as archives (i.e. without looking inside) (well, I'm
not really sure about this, but I think so).

Amavis currently supports a very wide range of virusscanners, while
avcheck can use only two (avp or drweb; the latter isn't widely
available).  Both can be more-or-less easily extended to support
other engines too.

Amavis supports more mailers (or, in other words, has been run with
more mailers) than avcheck (avcheck has been used successfully with
postfix and sendmail).  Again, having good experience with some
mailer, one can adapt or set it up to use both (if it is doable
at all).  Since amavis has a built-in smtp server, it can be
integrated with more mailers than avcheck.  Amavis can also be
used as an MDA (mail delivery agent), and thus can support even
more mailers (but avcheck in principle can also be used this
way, with minor mods).

Avcheck should be easier to set up -- it is only one little
program without any external dependencies, and a shell script
that will handle infected mails.

Avcheck can't be run on another machine (the antivirus daemon
has to run on the same machine), while amavis, with its
smtp support, can be run on any machine available to the MTA.

Speaking of security -- it is really hard to answer.  My
understanding is that avcheck is less prone to any security
issues than amavis, *but* both can be set up with an almost equal
security "level".  The "problem" with amavis is that it has to
deal with remote input by itself, filling up the disk, calling
external tools on "random" pieces of remote data and so on.
It is hard to ensure that none of the code involved has security
issues inside, or that the interfaces between different programs
are safe.  One needs all the tools accessible to amavis in
one place (amavis can run chrooted without root privileges,
and *this* is a method, as I see it, to remove most security
risks; but one needs to place *all* support files into this
area.  Another variant is to use a dedicated machine for
virusscanning, with proper firewalls around it.  Both methods
are costly).

With avcheck, all operations on the input are inside the antivirus
itself -- no other external software is involved.  So it is simpler
to restrict the antivirus's privileges (and security risks) --
a matter of setting up file permissions correctly (not a big
task) and, optionally, chrooting the antivirus.

But again, this last "comparison" is more a setup issue than a
product issue: both can be set up with an equal security level,
at least from the "impact on other system components" point of
view.  Note that I personally trust an antivirus's unarchivers
less than real unarchivers, though that is my personal
feeling (for example, drweb has good code that deals with
M$ formats -- excellent and *safe* (compared to the original)
"readers" of various .doc, .xls and so on.  Drweb can easily
read a .doc that will simply crash msword -- so my feeling may
be wrong).

There are many other "aspects" of this question.  But in reality,
it isn't a question of "is amavis better than avcheck" -- but "what
antivirus to use" *is* a question.   Both avcheck and amavis are
interfaces to a real virusscanner.

Regards,
 Michael.
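A worked illustration of the 42.zip-style mailbomb problem the message above mentions, as an added example that is not code from avcheck, amavis or the author: a pre-scan that walks a MIME message, identifies zip attachments by magic bytes rather than by the name or Content-Type the sender chose, and reads only the zip central directory to compare declared expansion against a ratio and total-size budget before any unpacker or external tool touches the data or the disk. The message, the limits (MAX_RATIO, MAX_TOTAL, MAX_DEPTH) and the attachment names are all constructed for the example.

```python
"""Pre-scan MIME attachments for zip mailbombs without extracting to disk.

Added example; not avcheck or amavis code.  Limits are assumed values.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_RATIO = 100                # reject a member that expands more than 100:1
MAX_TOTAL = 64 * 1024 * 1024   # reject if the declared expansion exceeds 64 MiB
MAX_DEPTH = 2                  # nested zip levels we are willing to look into
ZIP_MAGIC = b"PK\x03\x04"      # local file header of a non-empty zip


def inspect_zip(data: bytes, depth: int = 0) -> tuple[bool, str]:
    """Return (ok, reason) from the central directory alone.

    Member bodies are only touched to peek at nested zips, and that read is
    bounded by MAX_TOTAL, so a lying size field cannot make us read forever.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "corrupt or truncated zip"
    total = 0
    for zi in zf.infolist():
        total += zi.file_size
        if total > MAX_TOTAL:
            return False, f"declared expansion exceeds {MAX_TOTAL} bytes"
        if zi.compress_size and zi.file_size / zi.compress_size > MAX_RATIO:
            ratio = zi.file_size // zi.compress_size
            return False, f"{zi.filename}: ratio {ratio}:1 exceeds {MAX_RATIO}:1"
        if zi.file_size and not zi.compress_size:
            return False, f"{zi.filename}: inconsistent size fields"
        if depth < MAX_DEPTH and zi.file_size >= len(ZIP_MAGIC):
            try:
                with zf.open(zi) as member:
                    head = member.read(len(ZIP_MAGIC))
                    if head == ZIP_MAGIC:
                        inner = head + member.read(MAX_TOTAL)
                        ok, why = inspect_zip(inner, depth + 1)
                        if not ok:
                            return False, f"{zi.filename}: {why}"
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError) as exc:
                # encrypted or unsupported member: nothing downstream can scan it
                return False, f"{zi.filename}: unreadable member ({exc})"
    return True, f"{len(zf.infolist())} member(s), {total} bytes declared"


def scan_message(raw: bytes) -> dict[str, tuple[bool, str]]:
    """Verdict per attachment, keyed by filename (or part index if unnamed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for i, part in enumerate(msg.iter_attachments()):
        name = part.get_filename() or f"part-{i}"
        data = part.get_payload(decode=True) or b""
        if data.startswith(ZIP_MAGIC):          # trust bytes, not headers
            verdicts[name] = inspect_zip(data)
        else:
            verdicts[name] = (True, f"{len(data)} bytes, not a zip; left to the scanner")
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample: a benign attachment plus a tiny zip that declares
    4 MiB of zero bytes (deflate packs that into a few KiB, ~1000:1)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed address
    msg["To"] = "victim@example.invalid"        # constructed address
    msg["Subject"] = "sample for the mailbomb pre-scan"
    msg.set_content("see attachments")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="bomb.zip")
    msg.add_attachment(b"hello", maintype="application",
                       subtype="octet-stream", filename="note.bin")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, (ok, why) in scan_message(build_sample_message()).items():
        print(f"{'PASS' if ok else 'REJECT'} {name}: {why}")
```

The check deliberately stops at declared sizes: it is cheap, needs no temporary files, and is the gate a glue program can apply before handing the message to whatever engine or unpacker does the real work. An archive that passes this gate can still be malicious; it has only been shown not to be a trivial expansion bomb.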