[CentOS] Antivirus for CentOS? (yuck!)
nico at altiva.fr
Thu Apr 23 19:54:54 UTC 2009
On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:
> An occasional clamav scan can't hurt.
You are absolutely, completely wrong.
Clamav has had vulnerabilities that could be used to cause it to execute
arbitrary code in the scanned files. I don't doubt for one second that
proprietary AVs have the same kind of problem, except that you can't look
at the code to check for yourself.
While the risk is worth taking when you are implementing a mail server or
a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a
proprietary product) installed on every single one of our servers in the
PCI scope, even though there is not a single Windows machine in the
The likelihood of an actual _virus_ infection is 0 for us. I don't mean
malware -- I mean virus. The problem is that while PCI-DSS 1.2 now
mentions malware as a whole, it still requires "antivirus" software,
while only giving a weak "if applicable" exception. We are told we can't
use it since there is at least a handful of known Linux viruses
(never mind that they are never seen in the wild) which could simply *not*
infect us, since they require, by definition, that we run an infected
binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but
it doesn't cover the "antivirus" requirement, we are told.
So we're going to go ahead and weaken our security just to check a PCI-
DSS checkbox. This is simply ridiculous.
PS: I want to emphasize that by "virus" I mean "virus," not "worm" or
"rootkit" or "malware" or "exploit." There are sploits, worms and
rootkits on Linux, some are/have been quite nasty; there has *never* been
an actual virus threat.