Yes, I know, it's really, really embarrassing to have to ask, but I'm being pushed to the wall with the PCI DSS compliance procedure (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why we don't need to install an anti-virus or find an anti-virus to run on our CentOS 5 servers.
Whatever I do, it needs to be convincing enough to make the PCI compliance guy tick the box.
So:
- Has anyone here gone through such a procedure and got good arguments against the need for anti-virus?
We are going through the same thing. The initial rollout was planned for only PCI critical systems, but has been expanded to SOX and business-critical servers. Given the extreme rarity of Unix/Linux related viruses, we did question why we needed to run an AV solution at all. However, we do have shares that are accessible via Windows and Mac users, so these were targeted. Per our compliance officer, though a rigid interpretation of the PCI documentation might not require full scans of every server, or even scanning every server, we would go beyond the spec. Thus, at some point we're expecting that all servers will require some sort of AV product.
- Alternatively, what Linux anti-virus (oh, the shame of typing this word combination :() do you use which doesn't affect our systems' performance too much?
The AV solution we were told to use was Sophos AV. Our environment is primarily AIX with a few Linux systems. Though the Linux systems had (mostly) equivalent features to the Windows product, the AIX solution was essentially a command-line-driven scan similar to ClamAV.
Now, SophosAV on Linux requires some kernel hooks for the on-access scan. If Sophos-compiled binaries are not available for your kernel then you'd need to build them on the machine. I.e., you'd require GCC and the kernel-dev packages. Per our security requirements (not PCI specific), we do not have compilers and dev libraries on anything but development servers. Sophos also did not have an SLA as to when new binaries would be released after a new kernel.
Which leads to an interesting conundrum. The Sophos product cannot do on-demand scanning without a dev environment (and compiling elsewhere was not a documented process from Sophos). So we were left with the command line, cron driven scanner. Given that the files we would target were often temporary (e.g., uploaded documents, files to be pushed into a doc manager), it made little sense to scan daily. Instead, you'd need to script processes to watch directories and holding areas.
The rest of the problems were primarily with the AIX client.
Anyhoo, the AV products don't put too much load on the system, depending on your scan requirements. They can do so, though, e.g. if you scan compressed files, do on-demand scanning, scan across shares, etc.
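One way to script the cron-driven holding-area scan the answer above describes, as an added example that is not part of the original post: only files that arrived since the previous run are handed to a command-line scanner, so the daily full scan is replaced by a cheap incremental one. The scanner command (clamscan by default; a Sophos command-line scanner would be substituted) and the directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Incremental cron scan of an
# upload holding area: only files newer than the marker left by the previous
# run are handed to a command-line scanner. The scanner command and the paths
# are assumptions; the marker file must live outside the scanned directory.

# scan_new_files HOLDING_DIR MARKER_FILE [SCANNER_CMD]
# Prints one line per scanned file; returns 1 if the scanner flagged anything,
# 2 if the holding directory is missing.
scan_new_files() {
    dir=$1
    marker=$2
    scanner=${3:-clamscan --no-summary}   # assumed: exits 0 when a file is clean
    [ -d "$dir" ] || return 2
    list="$marker.list"
    newmarker="$marker.new"
    # Record "now" before searching so files that arrive during the scan are
    # picked up by the next run rather than silently skipped.
    : > "$newmarker"
    if [ -f "$marker" ]; then
        find "$dir" -type f -newer "$marker" -print > "$list"
    else
        find "$dir" -type f -print > "$list"     # first run: scan everything
    fi
    status=0
    while IFS= read -r f; do                    # one path per line (no newlines in names)
        if $scanner "$f" >/dev/null 2>&1; then
            echo "clean: $f"
        else
            echo "FLAGGED: $f"
            status=1
        fi
    done < "$list"
    rm -f "$list"
    mv "$newmarker" "$marker"
    return $status
}

# Run directly from cron with the two paths as arguments, e.g. (assumed paths):
# */5 * * * * /usr/local/sbin/scan_holding.sh /srv/uploads/incoming /var/lib/avscan/marker
if [ "$#" -ge 2 ]; then
    scan_new_files "$@"
fi
```

A non-zero exit from cron is what you would wire to the alerting the compliance reviewer wants to see; a file that arrives while a scan is running is deliberately scanned again on the next pass rather than missed.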
The reviewed servers run both Internet-facing web applications and internal systems, mostly using a proprietary protocol for internal communications. They are administered remotely via IPSec VPN (and possibly in the future also OpenVPN).