
A large company is doing a review of our software before they will use the web software built by our start-up company. We are using Linux to host, which is properly secured and hardened.

The regulation of the security reviewer is that all computers and servers must have an anti-virus program. Obviously, telling them that Linux can't be infected by a virus won't work.

Is there a 3rd party security article or resource which could help us convince them to drop the requirement, or will we need to install ClamAV and make it burn some CPU once a day?

romaninsh
    I guess it depends on how badly you want that contract. Unless your servers are heavily overloaded, it's unlikely you'll even notice the performance hit that AV scanning creates. – EEAA Sep 30 '11 at 15:39
  • It's no trouble to install AV, but I see no reason to do so. Am I wrong? Is that requirement for AV on Linux reasonable? – romaninsh Sep 30 '11 at 15:42
  • Yes, it's certainly reasonable. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility. Again, what's this contract worth to you and your employer? – EEAA Sep 30 '11 at 15:43
  • If the regulations say "You must have antivirus installed." you can get away by just installing it. It's not said that it has to run. So install ClamAV and don't start it. – mailq Sep 30 '11 at 15:43
  • It's incorrect to assume Linux can't get viruses, they do, it's just exceptionally rare compared to something like Windows – anthonysomerset Sep 30 '11 at 15:44
  • I don't know the value of a contract. – romaninsh Sep 30 '11 at 15:44
  • @ErikA ok, what you say about denying the threats makes sense. Could you reply properly, so that I can accept? – romaninsh Sep 30 '11 at 15:45
  • @mailq - No offense, but that's one of the most stupid ideas I've heard in quite a while. If a regulation says antivirus must be installed, the **intent** there is that it's running as well. If you think you'd be able to slip through an audit without it running, you're deluding yourself. – EEAA Sep 30 '11 at 15:47
  • @mailq it's related, but not duplicate. – romaninsh Sep 30 '11 at 15:47
  • I've seen many a mighty man fall when they made assumptions about their "security". Don't get wrapped up in that philosophy. It will only bring you heartache and sleepless nights. Assume the worst. – GregD Sep 30 '11 at 15:51
  • Who said Linux can't get a virus? That's completely false and not true. It's like saying a Mac computer can't get a virus. Just install ClamAV, it's pretty lightweight and you shouldn't even notice it's there. – Matt Sep 30 '11 at 17:23
  • I'm -1'ing you for being so naive you think Linux can't catch a virus. You're fighting to **not** install antivirus, and as such you don't deserve this (or any) contract from *paying customers*. If you came and told me this, I'd laugh your ass out of the building as well. Then I'd go and find another company that actually cares about their customers' security. – Ben Pilbrow Oct 01 '11 at 15:19
  • @ErikA's answer is very good (and especially with the comments on "compensating controls"), however if you want additional info from the PoV of "those security guys", feel free to hop on over to [security.se]... – AviD Oct 02 '11 at 00:09
  • @GregD "_I've seen many a mighty man fall when they made assumptions about their "security"._" Do you mean the assumption that AV programs increase security? – curiousguy Oct 02 '11 at 00:37
  • @curiousguy No, I just really meant that I've seen a lot of Server Admins develop an ego with regard to their security and that it blinds them to the real possibility that their server *could* not be as secure as their egos would have them believe... – GregD Oct 02 '11 at 15:06

5 Answers


Yes, it's certainly a reasonable request. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility.

You need to weigh the ramifications (annoyance factor, possible performance issues, maintenance overhead) of running AV with the value of this contract. If one company is listing AV as a requirement, it's likely that others will do the same in the future. If you're already running it, you'll be well-positioned to win their business.

EEAA
  • +1 - There is an elegant argument to be made about antivirus software causing MORE TROUBLE on unix systems, and how *compensating controls* (that's a term that makes auditors squeal with delight) are in place that make AV unnecessary. There is an equally elegant argument about why unix mail servers **should** be running some kind of AV (scanning the mail that passes through them) to help protect the recipients' workstations. – voretaq7 Sep 30 '11 at 16:14
  • Right - especially if your "compensating controls" consist of something like Tripwire and vigorous review of its results; audits of running software, etc. – mfinni Sep 30 '11 at 16:34
  • I seem to remember when we went through the PCI thing that [AIDE](http://aide.sourceforge.net/) actually counted as anti-virus software. It does depend on what your server does and how you configure AIDE as to whether it will detect a virus or not. In any case, that phrase "compensating controls" is a good one to use. – Ladadadada Oct 01 '11 at 15:47

The likelihood of a Linux server being infected by a virus is very very low, not zero. If that is a concern for your auditor/client/whoever, then you should understand that and determine if their business is important to you. If their business is worth more than the CPU cycles and disk I/O that it will take to scan, then you should install the AV. If it is not, then you should explain this to your customer and ask them to bring their contract elsewhere.

It's not an unreasonable claim, especially if this server is hosting files for Windows clients. By installing ClamAV (or whatever) you are protecting those Windows clients that connect to your server.

MDMarra
  • A key point in your answer is that we're talking about a mixed-use environment (unix acting as a file server for Windows) - If your Windows AV doesn't scan network file systems, having this extra layer becomes critical to protecting your Windows workstations. – voretaq7 Sep 30 '11 at 16:23
  • Even if it does, two heads are better than one if you have the resources. – MDMarra Sep 30 '11 at 16:25
  • Does running a virus scan reduce the risk of being infected? – johanvdw Sep 30 '11 at 17:29
  • @johanvdw It doesn't in many cases, but if you are scanning on a Linux server, chances of infection are low anyway. What you are doing is protecting the Windows clients that use your service by removing anything that's potentially malicious to them before it even reaches them. – MDMarra Sep 30 '11 at 17:31
  • The likelihood of a properly configured and maintained server of any sort being hit by a virus is extremely low. Windows, Linux, MacOSX, it doesn't matter. If you are competent at managing your systems, there should be no reason for a virus to be present on the system. That being said, if there is a client who wants it, and it causes not a lot of trouble, then you may want it, depending on how much the client is paying for it. – Kibbee Sep 30 '11 at 19:30
  • As someone who has been on shared hosting servers where peoples' Wordpress or phpBB holes led to my own unrelated accounts getting compromised and serving up malware and spam to random visitors, I wish more people actually realized that just because Linux's design makes it inherently more secure doesn't make it even remotely close to immune to massive problems. – fluffy Sep 30 '11 at 21:04
  • @fluffy what's your point? anti-virus won't help in that case anyway – Jeff Atwood Oct 01 '11 at 01:56
  • I think the important point isn't whether or not the server will be infected, but rather that it could potentially serve harmful content to users. We don't know what the OP's site is doing. If the clients are uploading and downloading files from it, then there is the risk that it could eventually host a harmful file, whether that file is harmful to the server or the clients is irrelevant. If the OP's company has end-to-end control of 100% of the files that go in and out then this becomes much less of a risk. – MDMarra Oct 01 '11 at 02:00
  • @MarkM "_two heads are better than one_" But having two different programs that scan content from the outside means two chances to exploit a vulnerability in these scanners. – curiousguy Oct 02 '11 at 00:15
  • @curiousguy I absolutely agree with you that a virus scanner is extra surface area that, while potentially mitigating some risks, creates new risks. The point that you seem to be making, and correct me if I'm wrong, is that the security benefits from running a virus scanner don't outweigh the risks. Some virus scans are as simple as a cryptographic hash against a file - not a ton of risk there. On something like an SMTP server doing spam filtering, you'd have a hard time making the assertion that the risk to the server running the filter outweighs the benefit. – Shane Madden Oct 09 '11 at 18:07

I think we need to put the term "virus" in context.

If you're talking about the self-replicating binaries that float around Windows networks then sure, the probability of Linux getting one of these is very very low.

If we're talking about the broader subject of malicious software, then Linux is anything but immune. Unpatched and poorly configured Linux servers are exploited all the time and turned into bot herders, or used for other nefarious purposes. To pretend that these threats don't exist is burying one's proverbial head in the sand.

I have never run antivirus software on a Linux server as I like to think that regular patching and sane configuration will protect my servers from 99.99% of threats. However I'd certainly consider it in this case, provided the software was actually able to detect the kind of malicious software that affects Linux servers and wasn't a simple port of a Windows AV suite.

Alex Forbes
  • "_put the term "virus" in context._" Indeed. If they cannot even spell out the many specific types of malicious software (some distinctions are not always clear, such as the boundary between virus and worm, but the distinction between self-replicating and non-propagating malware is IMO essential)... to me it means they are repeating buzzwords or phrases they heard ("must have AV installed"). – curiousguy Oct 02 '11 at 00:12

It wouldn't do any harm to install an AV package, especially as it could mean the difference between gaining and losing a contract.

Maybe more than an AV package you need to consider a rootkit detection suite, and CRON a scan to run at regular intervals. Be prepared for false positives also - some suites are more prone to false-positives than others, and until you get used to these anomalies it can be disconcerting.

peterg22

Ask them to define exactly the concept of "anti-virus". What kind of threats are they worried about?

If they cannot answer (maybe because they really have no idea what they are talking about and are just filling in a check-list), ask them for a list of approved anti-virus programs.

If the requirement is just:

You shall have an AV program installed, period.

they probably have no idea what they are talking about. Just ask them what they expect you to do exactly.

If the requirement is:

You should regularly check all installed programs (binaries and scripts) for new programs, altered files, or any other sign of pathological file content.

then it means you may not need the proverbial "AV", and that a script to check the integrity of the server will be adequate, more precise, more reliable: no false positives if you know which files are modified when your server is running normally, and if you can spell out the consistency requirements of modified files.

Designing a script to check the integrity, or even setting up some existing tool so that it understands the specifics of your server, will necessitate additional work (AV programs are more buy-then-install-then-forget, that's probably why they are so popular). But I think that will do much more for your server security.

curiousguy
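The integrity-check script curiousguy describes above, and the AIDE/Tripwire "compensating control" raised in the comments on EEAA's answer, in miniature. This is an added example, not code from any of the posters or from AIDE: it records mode, owner, size and SHA-256 (or symlink target) for every file under a root, skips glob patterns you declare as expected to change (the `var/log/*` pattern, and the whole `bin/httpd`, `etc/app.conf`, `etc/motd` tree that `demo()` builds under a temporary directory, are constructed for the demo), and reports added, removed and changed paths together with the attribute that changed. Same-size binary swaps are caught by the hash, permission changes by the mode field, and the growing log is silent because it was excluded. AIDE does the same job with more attributes and a database you can sign.

```python
"""File-integrity baseline and check, in the spirit of AIDE/Tripwire (added example)."""
import fnmatch
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _record(path):
    """Attributes worth alerting on: mode, owner, size, and content hash or link target."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
           "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        rec["sha256"] = _sha256(path)
    return rec


def build_baseline(root, exclude=()):
    """Walk root and return {relative_path: record}. Paths matching an exclude
    glob (logs, spool, caches: files that legitimately change) are skipped."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(fnmatch.fnmatch(rel, pat) for pat in exclude):
                continue
            baseline[rel] = _record(p)
    return baseline


def save_baseline(baseline, path):
    # Keep the real baseline off-box or on read-only media: an intruder who
    # can rewrite it can hide from the check.
    Path(path).write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report files that appeared, vanished, or changed, and which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in set(baseline) & set(current):
        old, new = baseline[rel], current[rel]
        diff = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diff:
            changed[rel] = diff
    return {"added": added, "removed": removed, "changed": changed}


def check(root, baseline, exclude=()):
    return compare(baseline, build_baseline(root, exclude))


def demo():
    """Constructed scenario: baseline a fake root, tamper with it, run the check."""
    exclude = ("var/log/*",)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        for d in ("bin", "etc", "var/log"):
            (root / d).mkdir(parents=True)
        (root / "bin" / "httpd").write_bytes(b"ELF original")
        (root / "etc" / "app.conf").write_text("debug=0\n")
        os.chmod(root / "etc" / "app.conf", 0o640)
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "var" / "log" / "app.log").write_text("started\n")
        baseline_file = Path(tmp) / "baseline.json"   # outside the scanned root
        save_baseline(build_baseline(root, exclude), baseline_file)

        # Tampering: same-size binary swap, loosened permissions, dropped file,
        # deleted file, and a log that grows (excluded, so must not be reported).
        (root / "bin" / "httpd").write_bytes(b"ELF trojaned")
        os.chmod(root / "etc" / "app.conf", 0o666)
        (root / "bin" / ".hidden").write_bytes(b"#!/bin/sh\n")
        (root / "etc" / "motd").unlink()
        (root / "var" / "log" / "app.log").write_text("started\nrequest\n")

        return check(root, load_baseline(baseline_file), exclude)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `build_baseline` once on a freshly built server and `check` from cron; the interesting output is the diff, which should be empty on a quiet day and should explain itself on patch day (every changed path accounted for by the package manager's log). The exclude list is where the "know which files are modified when your server is running normally" work from the answer goes, and it is what keeps the false-positive rate at zero rather than merely low.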