LinuxQuestions.org
Old 04-24-2007, 01:33 PM   #1
rcase5
Member
 
Registered: Apr 2004
Distribution: Fedora & Debian
Posts: 38

Anti-Virus for Linux


I have a general question. I guess I'm taking a poll of other Linux users.

Does anyone here use anti-virus software on their servers (mail server, web server, file server, any kind of server)? If so, what anti-virus software do you use?

Even if you don't use anti-virus software, I'm interested in hearing from you. I just had a strange conversation with someone and I would like some data to back up my argument.

Thanks!

Robert...
 
Old 04-24-2007, 01:39 PM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

The only serious use for AV on a Linux server is to scan incoming mail/files for Windows viruses. If you aren't dealing with Windows clients, then it is largely useless.

Most people do have rootkit scanners installed however, which prove a lot more useful. I would definitely suggest having that installed. I don't know if you consider that an anti-virus though.
 
Old 04-24-2007, 02:52 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

I know of at least one very large corporation that uses a Linux AV solution: SophosAV

I tested Sophos when I was a contractor for this company and I wasn't impressed, although I also tested CA's Linux AV solution. Between the two, Sophos' solution was the better product. The thing I didn't like about CA's solution was that it installs a web server on the machine...the idea is to give the administrator a GUI to work with. That was a deal-killer for the company (and myself). At that point, my testing of CA's product stopped, so I wasn't able to compare detection, configuration, and scanning capability.

Sophos' solution wasn't bad, but their Linux support is sorely lacking. They supply the application but you're on your own when trying to get the product to link with an AV server or getting it to run automatically then report results. Even when calling support and telling them that I was conducting a bake-off of their product with their competitor, support was limited...there was no Linux documentation on their page or included with the product. At least CA included documentation.

I also gave CA's solution a shot on a Slackware machine and it worked, although the distribution was unsupported. I didn't have the chance to test Sophos' install against Slackware (I left the contract before I could test).

The freeware solution would be ClamAV, which can monitor mail server traffic OR a workstation/end-user setup.

There was also a huge stink over installing AV on servers that were running tasks that sometimes sorely taxed system resources. Another stink was the fact that the client wanted AV to be installed on IDS machines (which is why the testing of the CA solution died so quickly). Also, unrelated, the customer wanted each IDS to run iptables as a local firewall, although the devices were very hardened.

While I agree that there's a need for AV, I don't believe that AV has a place on IDS devices, especially if the install includes the implementation of web services. A Snort box sniffing proxy traffic for half of a 50,000-user network will be taxed heavily, even before adding the additional and possibly heavy load of AV scanning. It's one of the reasons I left.

Now, I don't particularly agree with the fact that it is implied that there is no (or very little) malware that targets Linux. In fact, there is more than most people think. Not only that, such things as apps that are compromised (not the system itself) have to be factored in. I can log into a co-worker's account and install something questionable that may not need root access and still do some damage. If I can do that, a trojan or virus can do the same. So, yeah, I disagree.
 
Old 04-26-2007, 09:38 AM   #4
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 878

I have F-Prot for Linux here. There used to be an FTP server you could download it and updates off of, but they clamped down on that and now you have to let their monstrously bloated Perl script stumble around the system while it tries to determine what and if updates you need and how to get them home. That takes away from its usefulness, but I do have it, more as a matter of being a component to a complete system rather than something I depend on or even have serious need for.

Usually it runs with niced scheduling around 16-18 from Fcron, scanning /var/spool/mail area now and then, and also once daily all binary directories as well as stuff like /tmp and /var/tmp. It makes its little report, appended on to the end of /var/log/virus.log.

Once I think it even found a copy of a Microsoft virus some infected system sent attached to an email...
 
Old 04-28-2007, 03:25 AM   #5
rcase5
Member
 
Registered: Apr 2004
Distribution: Fedora & Debian
Posts: 38

Reason why I ask (and I'm still interested in more replies)

This is actually a word to the wise, because this caught me totally off guard.

I'm working with a client that is a publicly traded company, and part of the project is setting up a series of servers which will serve an application. The application is based on Linux, but the corporation and their hosting farm, which is actually a subsidiary of the client, deals exclusively with Windows. (That was a fun discussion at the beginning of the week, but I digress.)

They gave me a list of 6 basic requirements. These requirements were:

- The presence of a working Anti-virus program
- Security patches and updates when necessary
- Strong Passwords
- Security Logs to track unauthorized intrusions
- Encryption of sensitive data during transmission (SFTP/SSH)
- A documented Data Backup and Recovery scheme

4 of these requirements Linux meets as a matter of course. The last one is just a matter of planning and logistics on my part. But the first one caught me off-guard. And they INSISTED that I have an anti-virus program on these systems. After I explained to them that Linux doesn't really need an anti-virus program, they actually argued with me. I found this quite amusing since they just got finished telling me they knew nothing about Linux.

But as it turns out, it is now Federal Law (Sarbanes-Oxley) that all publicly-traded companies that run the type of servers I am implementing for this client MUST meet these requirements.

So I did some research, and found that there are a few companies selling virus checkers for Linux. I've decided to go with McAfee LinuxShield, mainly since this client seems to have standardized on McAfee products for their Windows machines, and the licensing is actually pretty good ($22.00 per license, with a minimum of 5 licenses). Of course I have no actual experience with this exact package, but it will be interesting.

Robert...
 
Old 04-28-2007, 06:03 AM   #6
reverse
Member
 
Registered: Apr 2007
Distribution: Gentoo
Posts: 337

How about .. don't and say you did? I suppose if we'd want to get all technical about it .. what exactly does a "working" anti-virus mean? In other news, I'd recommend ClamAV.
 
Old 04-28-2007, 12:50 PM   #7
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

If it's a federal requirement, I'd be a bit shy about just blowing it off; especially since it's a SARBOX issue.

As to the general issue of computer viruses - I haven't been using an anti-viral for the past 4 years, and most of that was using Win2K. I say that "I" wasn't using an AV, but I've been using Yahoo to read my mail all this time, and they are running Norton AV on their end.
 
Old 04-28-2007, 07:39 PM   #8
rocket357
Member
 
Registered: Mar 2007
Location: 127.0.0.1
Distribution: OpenBSD-CURRENT
Posts: 485
Blog Entries: 187

Quote:
Originally Posted by jayjwa
I have F-Prot for Linux here.
I've found that an OpenBSD pf machine sitting in front of a proxy (IpCop Adv. Proxy/CopFilter or the like), works to great effect for HAVP and other AV scanning and general perimeter security. CopFilter uses "pluggable" AV scanning engines (F-Prot and ClamAV can be used, in addition to other AV scanners I don't have much experience with), so you aren't locked down to a single AV solution. Typically, though, the only machine that benefits from this setup is my wife's WinXP machine...
 
Old 04-28-2007, 07:56 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

As has been mentioned, there are freeware AV solutions for Linux that are comparable to (if not better than) some of the commercial versions, such as ClamAV, Panda, BitDefender.
 
Old 04-29-2007, 01:43 PM   #10
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Yet another reason why I hate the Sarbanes Oxley Act...talk about a runaway train.
 
Old 04-29-2007, 01:51 PM   #11
KimVette
Senior Member
 
Registered: Dec 2004
Location: Lee, NH
Distribution: OpenSUSE, CentOS, RHEL
Posts: 1,794

ClamAV also detects and removes apache worms, so it is well worth installing and configuring a cron job. It's free, and just schedule it to scan off hours. Worst case: you will never get hit by a worm, and you will have lost two minutes configuring it.
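As an added example (not code from any poster), here is a script that does what jayjwa describes and KimVette suggests: a niced, cron-scheduled scan with the free ClamAV scanner that appends a one-line result to a log. The scan paths, log path, nice level and cron line are assumptions; clamscan is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-driven, niced ClamAV scan of the
# areas jayjwa names (mail spool, binary dirs, /tmp, /var/tmp), appending a
# one-line result to a log. Assumes clamscan is installed; all paths and the
# nice level are assumptions.

SCAN_DIRS="/var/spool/mail /bin /sbin /usr/bin /usr/sbin /tmp /var/tmp"
LOG="/var/log/virus.log"   # assumed log path, mirroring jayjwa's post
NICE_LEVEL=18              # low priority so the scan yields to server load

# Scanner command line: recursive, report only infected files, plain stdout.
build_scan_cmd() {
    printf 'nice -n %s clamscan -r -i --stdout %s' "$NICE_LEVEL" "$1"
}

# Reduce clamscan's trailing summary ("Infected files: N", "Scanned files: M")
# to a compact "infected=N scanned=M"; missing fields count as 0.
summarize() {
    awk -F': ' '
        /^Infected files:/ { inf = $2 }
        /^Scanned files:/  { scn = $2 }
        END { printf "infected=%d scanned=%d", inf + 0, scn + 0 }'
}

# clamscan exit codes: 0 clean, 1 something found, 2 error (e.g. bad DB/path).
status_word() {
    case "$1" in
        0) echo clean ;;
        1) echo INFECTED ;;
        *) echo error ;;
    esac
}

run_scan() {
    out=$(eval "$(build_scan_cmd "$SCAN_DIRS")" 2>&1)
    rc=$?
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(status_word "$rc")" "$(printf '%s\n' "$out" | summarize)" >> "$LOG"
    if [ "$rc" -eq 1 ]; then
        # Keep the "<path>: <signature> FOUND" lines for follow-up.
        printf '%s\n' "$out" | grep ' FOUND$' >> "$LOG"
    fi
    return "$rc"
}

# Cron entry (assumed path/time): 15 3 * * * root /usr/local/sbin/avscan.sh --run
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

An exit status of 2 in the log is worth an alert of its own, since it usually means the signature database is stale or a path was unreadable rather than that the system is clean.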
 
Old 04-30-2007, 01:07 PM   #12
rcase5
Member
 
Registered: Apr 2004
Distribution: Fedora & Debian
Posts: 38

ClamAV

I've heard a lot of good things about ClamAV and I'm thinking about implementing it for my own systems.

My main concern about it for the project is that it's freeware. Now before I get flamed ten ways till Sunday, let me explain. I'm thinking that they will not want me to use it because it's freeware, not necessarily because it will not perform as promised, but because of liability. If something goes wrong, they want to be able to go to whomever makes the product and "collect". Along the same lines, if they do not object, and something does go wrong, and they have no manufacturer to hold accountable, I'm afraid they'll hold ME accountable, and I don't need that.

Now the truth is I really don't feel I need anything like this in the first place, and if Windows wasn't such a humongous piece of crap, all of this wouldn't be necessary. However, if I'm going to do this for a publicly-traded corporation, I figure I might as well fulfill their requirements like a publicly-traded corporation. It's not as if they're hurting for money (this is $110 out of a project in the tens of thousands of dollars). And if that little bit of insurance will protect both them and me, why not?

Robert...
 
Old 04-30-2007, 06:07 PM   #13
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

If they have a bias against freeware/OSS, then doesn't that kind of pose a problem with using Linux in the first place?
 
Old 04-30-2007, 06:42 PM   #14
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Quote:
My main concern about it for the project is that it's freeware.
It might help to show them this list of organizations using clamav.
 
Old 04-30-2007, 07:07 PM   #15
Quakeboy02
Senior Member
 
Registered: Nov 2006
Distribution: Debian Linux 11 (Bullseye)
Posts: 3,407

Quote:
If something goes wrong, they want to be able to go to whomever makes the product and "collect".
You can't "collect" incidental damages from a software company. If you could, MS would be broke. You get what you get. If it works, fine. If it doesn't work, that's fine too. It would be a very strange (i.e. stupid) company that didn't limit their responsibility to the cost of the product. When you tear off the shrinkwrap, it's yours, bugs and all.
 