[CentOS] Antivirus for CentOS? (yuck!)

Thu Jan 22 19:17:07 UTC 2009
Stephen John Smoogen <smooge at gmail.com>

On Thu, Jan 22, 2009 at 12:01 PM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
>> Adam Tauno Williams wrote:
>> > > 1. Has anyone here gone through such a procedure and got good arguments
>> > > against the need for anti-virus?
>> > There is no good argument against running malware detection on any
>> > server.
>> > > 2. Alternatively - what linux anti-virus (oh, the shame of typing this
>> > > word combination :() do you use which doesn't affect our systems
>> > > performance too much.
>> > CLAMAV works well.
>> What do you do with clamav on a linux server?
>
> You scan the server for malware.
>
> There is nothing special about LINUX here.  The whole "don't run
> services as root" business is just so much noise.  It isn't about
> protecting the *server* it is about protecting the *data* which is
> accessed [hopefully] by services which are *not* root.  It is about the
> data and the clients that connect to the server.
>
> I've seen CLAMAV find malware on web servers (maybe it isn't common...
> because no one is checking).  Someone's crappy PHP code [is there any
> other kind?] allows malware to get injected into, and served, from the
> server.  No root access anywhere, or required.  It isn't about
> protecting the OS or the system, it is about protecting the data, the
> applications [from exploit], and the end-users [so the server isn't an
> attack vector].   Assuming none of the services on your server can be
> exploited is just wrong-headed;  and the exploiter does not need to
> "own" the server (aka have root) in order to do mischief.   Access to
> your data is probably more valuable than whacking your server.
>
> The mantra "LINUX doesn't suffer from malware" is just bollocks.  Lots
> of malware is served from LINUX servers.   Scanning a server for
> signatures is just another way to proof (not prove) that a server has
> not been compromised and that data accessed by the server is secure.
> Which is what things like PCI/DSS are about - protecting the *data*.

I don't know about that last sentence.. I am not familiar enough with
PCI/DSS to say it protects data or protects from lawsuits. Everything
else I can agree with 100%. Linux/Mac/Solaris etc are all good vectors
for serving malware because they are not routinely looked at for
malware (because most Unix admins think it is something that affects
them.) Most malware authors learned that while they may not be able to
get 'root' all they really need is normal permissions for most things
because they can still open up high ports to send/receive spam or that
most systems have data at o+rw for ease of use.

Does this mean that every Linux machine should have a malware detector
on it that runs and scans every file? No, it's a matter of risk
management. If you are in a high risk environment, you should know why
or why not it is not in place (having other strong security measures
in place with constant vigilance can be good enough or for something
else it might not be.).


>>  What do you think it protects you against on a linux server?
>
> "against a linux server?" ?
>
-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
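Stephen's point that malware authors get by with normal permissions because "most systems have data at o+rw for ease of use" can be turned into a routine check. The script below is an added example, not code from the thread or from ClamAV: it lists world-writable regular files under a directory (a web root, say) so an admin can review them or hand the list to a scanner. The `make_sample_tree` function builds a constructed sample tree purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find regular files that
# any user on the box can modify, the "data at o+rw" condition the thread
# describes. Such files are the ones a non-root foothold can tamper with.

find_world_writable() {
    # $1: directory to inspect. Prints one path per line, sorted.
    # -perm -0002 matches files whose "other" write bit is set (POSIX find).
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

count_world_writable() {
    # $1: directory to inspect. Prints the number of matching files.
    find_world_writable "$1" | wc -l | tr -d ' '
}

make_sample_tree() {
    # Constructed sample tree for demonstration only: one world-writable
    # upload and one normally protected static file. Prints the root dir.
    dir=$(mktemp -d)
    mkdir -p "$dir/uploads" "$dir/static"
    printf 'fake image bytes\n' > "$dir/uploads/avatar.png"
    printf 'console.log(1)\n' > "$dir/static/app.js"
    chmod 666 "$dir/uploads/avatar.png"   # world-writable: should be flagged
    chmod 644 "$dir/static/app.js"        # owner-writable only: should not
    printf '%s\n' "$dir"
}

# Stand-alone usage: build the sample tree and report on it.
root=$(make_sample_tree)
echo "World-writable files under $root:"
find_world_writable "$root"
echo "Total: $(count_world_writable "$root")"
```

On a real server, point `find_world_writable` at the document root (and any upload directory) and pipe the output into `clamscan` or into a change-tracking log; a non-empty result is worth explaining even when the scanner finds nothing, since it is the permission, not the signature, that makes the file a target.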