[CentOS] Antivirus for CentOS? (yuck!)

Thu Apr 23 18:54:54 UTC 2009
NM <nico at altiva.fr>

On Thu, 22 Jan 2009 15:00:43 -0600, Les Mikesell wrote:

> An occasional clamav scan can't hurt.

You are absolutely, completely wrong.

Clamav has had vulnerabilities that could be used to cause it to execute 
arbitrary code in the scanned files. I don't doubt for one second that 
proprietary AVs have the same kind of problem, except that you can't look 
at the code to check for yourself.

While the risk is worth taking when you are implementing a mail server or 
a Samba server, our PCI-DSS consultant is pushing us to have Clamav (or a 
proprietary product) installed on every single one of our servers in the 
PCI scope, even though there is not a single Windows machine in the 
scope. 

The likelihood of an actual _virus_ infection is 0 for us. I don't mean 
malware -- I mean virus. The problem is that while PCI-DSS 1.2 now 
mentions malware as a whole, it still requires "antivirus" software, 
while only giving a weak "if applicable" exception. We are told we can't 
use it since there is at least a handful of known Linux viruses 
(never mind that they are never seen in the wild) which could simply *not* 
infect us, since they require, by definition, that we run an infected 
binary. Running chkrootkit or tripwire or even rpmverify *is* useful, but 
it doesn't cover the "antivirus" requirement, we are told. 

So we're going to go ahead and weaken our security just to check a 
PCI-DSS checkbox. This is simply ridiculous.

PS: I want to emphasize that by "virus" I mean "virus," not "worm" or 
"rootkit" or "malware" or "exploit." There are sploits, worms and 
rootkits on Linux, some are/have been quite nasty; there has *never* been 
an actual virus threat.