[CentOS] Antivirus for CentOS? (yuck!)

Thu Jan 22 22:36:24 UTC 2009
Les Bell <lesbell at lesbell.com.au>

Adam Tauno Williams <awilliam at whitemice.org> wrote:

>>
CLAMAV, or any package, isn't THE answer, it is part of an answer.  And
PCI/DSS requires a server be scanned on a regular basis.  Fighting
against that directive just makes no sense.  You should scan an entire
system on some interval regardless of OS.
<<

It's worth noting that the type of scan required by PCI DSS is not a
filesystem scan by an antivirus product. It is a vulnerability scan
performed by an Approved Scanning Vendor.

Some other miscellaneous points triggered by posts in this thread that I've
read this morning:

According to the Verizon 2008 Data Breaches Report, in over 90% of cases
where a successful attack exploited a vulnerability, there was a patch
available for at least six months prior to the breach. So the first thing
we can say is that there is good reason to patch your system - it's
definitely an effective activity.

While the most popular attack methods of cybercriminals are hacking and
malcode (again, the Verizon report confirms this), malcode is much more
popular in the Windows world and hacking is the method of choice against
Linux boxes, imho (SSH brute-forcing worms notwithstanding). This means
that anti-virus products will be less effective in safeguarding the data on
a Linux box, and host intrusion detection systems are correspondingly more
effective.

Most attacks against servers are conducted against the application layer
code (PHP vulnerabilities, especially, but also SQL injection, etc.) Again,
anti-virus products are not effective here, particularly since the original
poster seems to be running custom code (internally-developed or
outsourced). The best controls here will be HIDS like AIDE and Tripwire, as
well as network IDS.

An attacker who exploits a server might upload some recognisable malware,
and an anti-virus scanner might pick it up, but I'm not sure whether (e.g.)
ClamAV has signatures for stuff like eggdrop IRC servers, phishing sites
and other stuff that sometimes turns up on compromised hosts. The bulk of the
signature database is undoubtedly Windows malware. However, a determined
attacker, who knows what the server hosts, is much more likely to either
use SQL injection or command injection techniques to extract credit card
info (use NIDS to detect this) or to install a rootkit to allow him to come
and go more easily (and HIDS will detect this).

Remember, there are two problems to be solved here:

a) Get the systems past the PCI-DSS Assessor

b) Do something useful to actually protect the systems

It would be great if both problems had the same solution, but that depends
on how clueful the Assessor is (and how artfully the original poster can
"manage" him). Right now, the original poster's employer is paying him to
solve a), and will probably only worry about b) much later, should the
excrement actually hit the fan. If installing ClamAV is what it takes to
solve a), just do it and then get to work on b).

Best,

--- Les Bell, RHCE, CISSP, M.Info.Tech (Systems Security)
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909