On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:
> An occasional clamav scan can't hurt.
You are absolutely, completely wrong.
Clamav has had vulnerabilities that could be used to cause it to execute arbitrary code in the scanned files. I don't doubt for one second that proprietary AVs have the same kind of problem, except that you can't look at the code to check for yourself.
While the risk is worth taking when you are implementing a mail server or a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a proprietary product) installed on every single one of our servers in the PCI scope, even though there is not a single Windows machine in the scope.
The likelihood of an actual _virus_ infection is 0 for us. I don't mean malware -- I mean virus. The problem is that while PCI-DSS 1.2 now mentions malware as a whole, it still requires "antivirus" software, while only giving a weak "if applicable" exception. We are told we can't use it since there is at least a handful of known Linux viruses (never mind that they are never seen in the wild) which could simply *not* infect us, since they require, by definition, that we run an infected binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but it doesn't cover the "antivirus" requirement, we are told.
So we're going to go ahead and weaken our security just to check a PCI-DSS checkbox. This is simply ridiculous.
PS: I want to emphasize that by "virus" I mean "virus," not "worm" or "rootkit" or "malware" or "exploit." There are sploits, worms and rootkits on Linux, some are/have been quite nasty; there has *never* been an actual virus threat.