Antivirus on Linux
James G. Sack (jim)
jgsack at san.rr.com
Wed Mar 3 14:57:56 PST 2010
On 03/03/2010 12:47 PM, Tracy Reed wrote:
> 5.1.1 Ensure that all anti-virus programs are capable of detecting,
> removing, and protecting against all known types of malicious
> For a sample of system components, verify that all anti-virus
> programs detect, remove, and protect against all known types of
> malicious software (for example, viruses, Trojans, worms,
> spyware, adware, and rootkits).
Heh, sounds a wee bit unreasonable -- I wonder if anyone complies with
> Note the use of "commonly affected" and "applicable". If we are to put
> antivirus on Linux servers then what servers could we possibly not put
> it on? How do we meet 5.1.1 on Linux and ensure that it is capable of
> detecting/removing/protecting against all known types of malicious
> software? I'm not even sure how one would do that on Windows,
> really. We would need a sample of malware to test the removal? Surely
> we wouldn't want to test that on the production in-scope
> servers. Machines storing card info are not allowed to have routing to
> the public Internet, only the DMZ. So they cannot auto-update. This
> further suggests that these rules are targeted at Windows such as in a
> call-center environment.
If I were writing my company's security policy manual, I would try to
find a way to use wording like "to the extent possible" and "use
certified" or "use industry standard" or "use approved" [detection
and/or removal products] -- that is, try to put the assurance
responsibilities on the manufacturer or on industry best practices.
>> Even if things such as antivirus, malware, and rootkit scanning are
>> often ineffective, I doubt you mean to tell someone not to make use of
>> those tools. What am I missing? Oh.. maybe you are just objecting to
>> /antivirus/ scanning specifically on *nix? If so, perhaps it would be
>> useful to emphasize what existing system features and security practices
>> reduce the need for antivirus; in other words, how general objectives
>> are achieved without need for antivirus.
> I just don't think they are worth the trade-off anymore. And now
> people are being suckered by antivirus software which is itself
> malware. Botnets remain all over the place. I know lots of people who
> are running antivirus and still having problems. Not to mention the
> problems the antivirus itself inevitably causes by trying to dig so
> deep into Windows to be able to outsmart the viruses (and still
I hear, but somehow feel there is still some value in /periodic/ checks.
It might mainly reassure pointy-head types, but it would also constitute
some small amount of sanity check on your own assumptions.
I see that there are arguments that av (etc) programs might themselves
constitute a risk, and that deploying updates is itself another level of
complication and risk. This gets one directly into the risk/benefit
tradeoff, I guess.
...But, and this gets back to things in your own previous email, I
believe, there would seem to be value in publishing and following a
policy that removes vulnerabilities. Thus computers that access
financial transaction data deserve special treatment such as strictly
following your "just say no" stuff, and maybe even isolation from the
internet(?). And then your compliance claims could argue the enforced
reduction of risk.
I admit I am assuming that having and following a reasonable written
policy has some influence on outside audit personnel, even if the policy
does not echo the specs verbatim -- especially if it would take an act
of dishonesty to echo the specs!