Adam Tauno Williams <awilliam at whitemice.org> wrote: >> CLAMAV, or any package, isn't THE answer, it is part of an answer. And PCI/DSS requires a server be scanned on a regular basis. Fighting against that directive just makes no sense. You should scan an entire system on some interval regardless of OS. << It's worth noting that the type of scan required by PCI DSS is not a filesystem scan by an antivirus product. It is a vulnerability scan performed by an Approved Scanning Vendor. Some other miscellanous points triggered by posts in this thread that I've read this morning: According to the Verizon 2008 Data Breaches Report, in over 90% of cases where a successful attack exploited a vulnerability, there was a patch available for at least six months prior to the breach. So the first thing we can say is that there is good reason to patch your system - it's definitely an effective activity. While the most popular attack methods of cybercriminals are hacking and malcode (again, the Verizon report confirms this), malcode is much more popular in the Windows world and hacking is the method of choice against Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means that anti-virus products will be less effective in safeguarding the data on a Linux box, and host intrustion detection systems are correspondingly more effective. Most attacks against servers are conducted against the application layer code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again, anti-virus products are not effective here, particularly since the original poster seems to be running custom code (internally-developed or outsourced). The best controls here will be HIDS like AIDE and Tripwire, as well as network IDS. An attacker who exploits a server might upload some recognisable malware, and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.) ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites and other stuff sometimes turns up on compromised hosts. The bulk of the signature database is undoubtedly Windows malware. However, a determined attacker, who knows what the server hosts, is much more likely to either use SQL injection or command injection techniques to extract credit card info (use NIDS to detect this) or to install a rootkit to allow him to come and go more easily (and HIDS will detect this). Remember, there are two problems to be solved here: a) Get the systems past the PCI-DSS Assessor b) Do something useful to actually protect the systems It would be great if both problems had the same solution, but that depends on how clueful the Assessor is (and how artfully the original poster can "manage" him). Right now, the original poster's employer is paying him to solve a), and will probably only worry about b) much later, should the excrement actually hit the fan. If installing ClamAV is what it takes to solve a), just do it and then get to work on b). Best, --- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security) [http://www.lesbell.com.au] Tel: +61 2 9451 1144 FreeWorldDialup: 800909