Well...Justin will probably be glad to see this post... ;)

After taking in feedback from the previous thread (NSS supported
antivirus?), I've spent the last couple weeks experimenting with numerous
options. I didn't expect it, but...ClamAV was easily the best option for us.
Here's a quick rundown of my selection criteria, installation/configuration
experiences, and how various vendors stacked up against each other.

Requirements: In short, I had just two issues I wasn't willing to compromise
on. First, the antivirus software must support on-access scanning. Second,
there must be no library/kernel requirements that would force me to use
non-standard OES packaged kernels.

The second requirement is easily met if the antivirus software uses the
dazuko kernel module (www.dazuko.org). In theory, it is kernel and
filesystem independent, and from what I could see that claim holds true.

My testing should be considered preliminary, at best. I've not used any of
these products in a production environment. Basically, I've installed the
products on a test OES Linux+SP2 server, migrated production data to the
server from our Netware 5.1 servers, and had a handful of folks beat up on
things. All testing was done on NSS volumes.

Also, while I've not the skills to determine how effective a given product
was at identifying various infections, I did run full scans on large amounts
of data migrated over from our Netware servers. Every product I tested found
numerous infections that NetShield had missed, and they were very consistent
in what they did find. Our NetShield configuration gets DATs updated hourly,
is configured for on-access scanning, and runs full scans weekly. Not
exactly a ringing endorsement for NetShield...

So...here are the players I investigated and/or tested.

McAfee LinuxShield: I looked here first, as we're using them for Netware and
Windows workstations/servers. They state they are compatible with OES Linux,
but the included release notes have a big exception - no NSS support.
If/when they do support NSS, it doesn't appear they use dazuko, so I would
be leery about kernel requirements down the road. Didn't test, didn't ask
about pricing.

Trend: No supported product. Spoke with a tech who mentioned they had an
internal version they were testing for SLE9, but they had no firm plans to
release it or support OES NSS volumes. Had very specific kernel and library
requirements. Didn't test, didn't ask about pricing.

AntiVir (www.avira.com): These are the folks who originally wrote the dazuko
kernel module before releasing it as an open source project, so I had high
hopes for them.

- Positives: The installation was the easiest of everyone I tried - ran the
install script, was prompted for all necessary settings, and everything
worked fine for the most part. Had good email alerting built in for virus
definition updates and infections.

- Negatives: Two problems were encountered - support and pricing. They are a
German company, with no US contact. Support was via email, and virtually
non-existent. The kicker was pricing...they were almost 10x the cost of
anyone else. Over $10K per year for unlimited servers handling 500 users.
We'll eventually need 1600 user licenses, so there's no way this was going
to fly.

AVG Linux File Server Edition (www.grisoft.com): Their Linux file server
offering is fairly new, and it shows...it's a little rough around the edges.

- Positives: dazuko is used, and pricing is decent - about $2K for 500
users/unlimited servers, which includes 2 years of maintenance, updates and
support. Once installed and configured, on-access and on-demand scanning for
NSS seemed to work fine.

- Negatives: Installation took quite a bit of tweaking...several minor
issues were encountered that were not covered in the docs. Native alerting
features are non-existent. Everything gets sent to syslog, so you'll have to
roll your own monitoring and/or alerting.

NOD32 Linux File Server Edition (www.nod32.com): Just about everywhere you
look, these folks get high ratings for their non-Linux antivirus products.
However, their current Linux offering...well, I'll just be nice, and suggest
folks look elsewhere for now.

- Positives: Price. $150/server, unlimited users. Dazuko based.

- Negatives: Where to start...the installation process was incredibly
painful. Took me almost a whole day of tweaking just to get the services to
load. Once they did load, they were incredibly fragile; the scanning process
would abort routinely, with no feedback in any logs. Scanning never did
work - attempts to access an infected file would just hang the client, be it
a Windows PC accessing the NSS volume, or a simple cp command from the
console. Support was virtually non-existent - email only, non-US based.
Documentation incomplete, and written by somebody with limited English
skills. I could go on, but...you get the picture.

Clam AntiVirus (www.clamav.net): At first, I ruled these guys out, even
though Justin had high praises for them. Reason being, I initially thought
they had no on-access support. Upon reading through the docs, I found out
they did, but one of the disclaimers scared me away...basically, it says
that on-access scanning is experimental, flakey, and should not be used on
production systems.

Turns out...ClamAV suffers from something I see routinely from open source
projects - bad and/or out-dated documentation. Evidently, the warnings in
the docs are mostly the result of early dazuko module code, not ClamAV
shortcomings. Since all the products I tested use the same dazuko module,
and everything I've read about recent dazuko code was positive, I decided to
go forward with ClamAV testing.

- Positives: Price (free). Dazuko based. Decent community support, paid
commercial support is available. Frequent definition updates. Customizable
alerting - call any script on infection.

- Negatives: Moderately difficult installation, due to out-dated and
incomplete docs. No heuristic scanning.

So...I've decided to go with ClamAV. The lack of heuristic scanning is not a
major problem for us - the vast majority of folks accessing our servers have
client-side heuristic scanning active. While I downgraded ClamAV for
difficult installation, it's completely the fault of the docs...they are
incomplete insofar as on-access scanning settings go, and don't address a
minor SuSE/OES anomaly. Once you figure things out, it's a piece of cake.

To that end, I documented things for our OES installations, but it's on our
Intranet wiki...here's a PDF converted doc for anyone interested. It also
covers dazuko configuration on OES, which has a few quirks as well. The PDF
conversion whacked the formatting a bit, and it's a work in progress, but
the initial draft should get you going.
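
An added example, not part of the original post or of any product's own tooling: one way to roll your own alerting from syslog, as the post says is needed when a scanner only logs detections. It assumes clamd logging to syslog in its usual `<path>: <signature> FOUND` form; the host name, paths, the second signature name and the 10-minute suppression window are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the post): syslog lines in the shape clamd
# writes when logging to syslog, "<path>: <signature> FOUND".
SAMPLE = """\
Mar  3 10:15:02 oes1 clamd[2211]: /media/nss/VOL1/users/jdoe/eicar.com: Eicar-Test-Signature FOUND
Mar  3 10:15:09 oes1 clamd[2211]: /media/nss/VOL1/users/jdoe/eicar.com: Eicar-Test-Signature FOUND
Mar  3 10:16:40 oes1 clamd[2211]: /media/nss/VOL1/shared/Q1: final report.doc: Constructed.Macro.Sample FOUND
Mar  3 10:17:00 oes1 clamd[2211]: SelfCheck: Database status OK.
Mar  3 10:45:30 oes1 clamd[2211]: /media/nss/VOL1/users/jdoe/eicar.com: Eicar-Test-Signature FOUND
"""

# The path is matched greedily so colons and spaces inside file names survive.
FOUND_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) clamd\[\d+\]: .*?(/.+): (\S+) FOUND$")


def detections(lines):
    """Yield (time, host, path, signature) for every FOUND line."""
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            ts, host, path, sig = m.groups()
            # Syslog timestamps carry no year; a fixed leap year is enough
            # for computing the gap between two hits.
            when = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
            yield when, host, path, sig


def alerts(lines, window=timedelta(minutes=10)):
    """Return detections, dropping repeats of the same file within window."""
    last_alert = {}
    out = []
    for when, host, path, sig in detections(lines):
        key = (host, path, sig)
        prev = last_alert.get(key)
        # On-access scanning logs a hit on every open of the same file.
        if prev is not None and timedelta(0) <= when - prev < window:
            continue
        last_alert[key] = when
        out.append((when.strftime("%b %d %H:%M:%S"), host, path, sig))
    return out


if __name__ == "__main__":
    for when, host, path, sig in alerts(SAMPLE.splitlines()):
        print(f"ALERT {when} {host}: {sig} in {path}")
```

The returned tuples can be handed to whatever mailer or pager script is already in use; the window only limits repeat alerts and does not hide a file that is still being hit later.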