01-22-2009, 04:55 AM
Ian Forde
Antivirus for CentOS? (yuck!)

On Wed, 2009-01-21 at 21:06 -0500, Adam Tauno Williams wrote:
> > Yes, I know, it's really really embarrassing to have to ask but I'm
> > being pushed to the wall with PCI DSS Compliance procedure
> > (http://en.wikipedia.org/wiki/PCI_DSS) and have to either justify why
> > we don't need to install an anti-virus or find an anti-virus to run on
> > our CentOS 5 servers.
> > Whatever I do - it needs to be convincing enough to make the PCI
> > compliance guy tick the box.
> > 1. Has anyone here gone through such a procedure and got good arguments
> > against the need for anti-virus?
>
> There is no good argument against running malware detection on any
> server.

That depends upon how you define malware detection. Antivirus software
for Linux typically scans for Windows viruses and malware. On the other
hand, if you're talking about detection in the sense of Tripwire, or a
cron job that runs a 'rpm -V' every night, I completely agree that this
is something that should be done.

> CLAMAV works well.

For detecting Windows malware, which isn't really the point...

-I

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
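The nightly 'rpm -V' job Ian mentions, as an added example that is not part of the thread: a POSIX shell filter that reads 'rpm -Va' output and keeps only the findings worth an alert (size/digest, mode or owner changes and missing files on non-config files), run here over a constructed sample with made-up package and file names. It verifies against the local rpm database, which root can rewrite, so it is a weaker control than an integrity checker with a separately stored baseline.

```shell
#!/bin/sh
# Nightly package-integrity filter for "rpm -Va" (added example, not from
# the thread). rpm -V prints one line per file that deviates from the rpm
# database:   <flags> [c|d|g|l|r] <path>     or     missing [c|d|g|l|r] <path>
# Flags SM5DLUGTP: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; '.' means the attribute still matches.
# Fields are split on whitespace, so the filter works for both the 8-flag
# output of rpm 4.4 (CentOS 5) and the 9-flag output of newer rpm.

# Read rpm -Va output on stdin and echo only findings worth reviewing:
# size/digest, mode or owner changes and missing files on non-config files.
# Config files ('c') are expected to differ and mtime-only changes are
# routine noise, so both are dropped.
filter_rpm_verify() {
    while IFS= read -r line; do
        set -- $line                          # word-split: flags [attr] path
        [ $# -ge 2 ] || continue
        flags=$1; shift
        attr=
        case "$1" in [cdglr]) attr=$1; shift ;; esac
        case "$1" in /*) ;; *) continue ;; esac   # not a verify line
        [ "$attr" = c ] && continue               # config file: skip
        case "$flags" in
            missing)   echo "$line" ;;            # file removed from disk
            *[SM5UG]*) echo "$line" ;;            # content, mode or owner changed
        esac
    done
}

# Constructed sample in the CentOS 5 (rpm 4.4) layout; names are made up.
SAMPLE='S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/doc/example-1.0/README
S.5....T    /usr/bin/ls
.M......    /usr/bin/passwd
....L...  c /etc/localtime
missing     /usr/lib/libexample.so.1
Unsatisfied dependencies for example-1.0-1.el5.x86_64: libfoo.so.1'

sample_findings()       { printf '%s\n' "$SAMPLE" | filter_rpm_verify; }
count_sample_findings() { sample_findings | wc -l | tr -d ' '; }   # 3

# Cron entry point: rpm -Va exits non-zero whenever it reports differences,
# so only the filtered output decides whether the job mails anything.
run_nightly_check() {
    rpm -Va 2>/dev/null | filter_rpm_verify
}
```

A cron wrapper would call run_nightly_check and mail the output only when it is non-empty, which also gives the auditor the scan evidence that a signature-update log alone does not.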
 
01-22-2009, 06:05 AM
"Les Bell"
Antivirus for CentOS? (yuck!)

Ian Forde <ian@duckland.org> wrote:

>>
That depends upon how you define malware detection. Antivirus software
for Linux typically scans for Windows viruses and malware. On the other
hand, if you're talking about detection in the sense of Tripwire, or a
cron job that runs a 'rpm -V' every night, I completely agree that this
is something that should be done.
<<

Bingo. The changes made in PCI DSS v 1.2 broaden the scope of section 5
from "viruses" to "malicious software". This covers viruses, worms,
trojans, spyware, rootkits, etc. Use of AIDE or Open-Source Tripwire, with
a carefully set up policy, should meet the requirements. I would write an
"explanation of non-applicability" that states that CentOS is at low risk
of infection by viruses and only slightly higher risk of infection by
worms, and that implementation of a host filesystem integrity verification
system (or host intrusion detection system) provides an appropriate control
to alert administrators to unauthorised changes of any kind on the system.
Add appropriate verbiage about SELinux, etc. if appropriate. I'd say that
should get the job done.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
FreeWorldDialup: 800909


 
01-22-2009, 07:26 AM
Rainer Traut
Antivirus for CentOS? (yuck!)

On 22.01.2009 02:19, Amos Shapira wrote:

> 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> word combination ) do you use which doesn't affect our systems
> performance too much.

http://www.f-prot.com/products/corporate_users/unix/
has some Linux AV products.

Rainer


 
01-22-2009, 08:35 AM
Ralph Angenendt
Antivirus for CentOS? (yuck!)

Adam Tauno Williams wrote:
> > 1. Has anyone here gone through such a procedure and got good arguments
> > against the need for anti-virus?
>
> There is no good argument against running malware detection on any
> server.
>
> > 2. Alternatively - what linux anti-virus (oh, the shame of typing this
> > word combination ) do you use which doesn't affect our systems
> > performance too much.
>
> CLAMAV works well.

What do you do with clamav on a linux server? Especially: How is it run
by you? What do you think it protects you against on a linux server?

Curious,

Ralph
 
01-22-2009, 11:16 AM
Anne Wilson
Antivirus for CentOS? (yuck!)

On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
> What do you do with clamav on a linux server? Especially: How is it run
> by you? What do you think it protects you against on a linux server?

1 - it protects you against passing on any windows viruses to windows users
2 - it satisfied those auditors who can't think beyond what they have been
told, especially if you have log proof. Logwatch's daily report:

--------------------- clam-update Begin ------------------------

Last ClamAV update process started at Wed Jan 21 04:02:23 2009

Last Status:
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder:
sven)
daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder:
ccordes)

---------------------- clam-update End -------------------------


--------------------- Clamav Begin ------------------------


**Unmatched Entries**
Database correctly reloaded (936952 signatures)

---------------------- Clamav End -------------------------

That should satisfy an auditor.

Anne
 
01-22-2009, 11:33 AM
Ralph Angenendt
Antivirus for CentOS? (yuck!)

Anne Wilson wrote:
> On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
> > What do you do with clamav on a linux server? Especially: How is it run
> > by you? What do you think it protects you against on a linux server?
>
> 1 - it protects you against passing on any windows viruses to windows users

Yes, but how is it run? Hourly via cron? On which files? What does it
protect against? Mind you, I'm not talking about workstations, but about
servers.

Ralph
 
01-22-2009, 11:46 AM
Craig White
Antivirus for CentOS? (yuck!)

On Thu, 2009-01-22 at 12:16 +0000, Anne Wilson wrote:
> On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
> > What do you do with clamav on a linux server? Especially: How is it run
> > by you? What do you think it protects you against on a linux server?
>
> 1 - it protects you against passing on any windows viruses to windows users
> 2 - it satisfied those auditors who can't think beyond what they have been
> told, especially if you have log proof. Logwatch's daily report:
>
> --------------------- clam-update Begin ------------------------
>
> Last ClamAV update process started at Wed Jan 21 04:02:23 2009
>
> Last Status:
> main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder:
> sven)
> daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38, builder:
> ccordes)
>
> ---------------------- clam-update End -------------------------
>
>
> --------------------- Clamav Begin ------------------------
>
>
> **Unmatched Entries**
> Database correctly reloaded (936952 signatures)
>
> ---------------------- Clamav End -------------------------
>
> That should satisfy an auditor.
----
the above suggests that clamav signature files were updated and the
database reloaded but nowhere does it suggest that any scanning of the
file system occurred nor the output of such scanning which probably
never occurred. What you have demonstrated is a gymnastic exercise which
accomplishes little. clamd might be able to do something useful but it
is not indicated above.

Craig

 
01-22-2009, 12:05 PM
Anne Wilson
Antivirus for CentOS? (yuck!)

On Thursday 22 January 2009 12:46:46 Craig White wrote:
> On Thu, 2009-01-22 at 12:16 +0000, Anne Wilson wrote:
> > On Thursday 22 January 2009 09:35:11 Ralph Angenendt wrote:
> > > What do you do with clamav on a linux server? Especially: How is it run
> > > by you? What do you think it protects you against on a linux server?
> >
> > 1 - it protects you against passing on any windows viruses to windows users
> > 2 - it satisfied those auditors who can't think beyond what they have been
> > told, especially if you have log proof. Logwatch's daily report:
> >
> > --------------------- clam-update Begin ------------------------
> >
> > Last ClamAV update process started at Wed Jan 21 04:02:23 2009
> >
> > Last Status:
> > main.cvd is up to date (version: 49, sigs: 437972, f-level: 35,
> > builder: sven)
> > daily.cld is up to date (version: 8881, sigs: 56877, f-level: 38,
> > builder: ccordes)
> >
> > ---------------------- clam-update End -------------------------
> >
> >
> > --------------------- Clamav Begin ------------------------
> >
> >
> > **Unmatched Entries**
> > Database correctly reloaded (936952 signatures)
> >
> > ---------------------- Clamav End -------------------------
> >
> > That should satisfy an auditor.
>
> ----
> the above suggests that clamav signature files were updated and the
> database reloaded but nowhere does it suggest that any scanning of the
> file system occurred nor the output of such scanning which probably
> never occurred. What you have demonstrated is a gymnastic exercise which
> accomplishes little. clamd might be able to do something useful but it
> is not indicated above.
>
True. As I have no windows boxes on the LAN I only run it manually, and it
wasn't done on the day that that reported. The one area that I am vulnerable
to is email-borne viruses, and since I am not serving those to windows boxes
it is only out of curiosity that I need clamav.

I'm sure there are plenty of people that can give Ralph detailed information
about using it efficiently. I was merely demonstrating how easy it is to show
that you keep the database up to date. You are quite right, of course, they
will want to see evidence that it is scanning as well.

Anne
 
01-22-2009, 12:15 PM
Ralph Angenendt
Antivirus for CentOS? (yuck!)

Anne Wilson wrote:
> I'm sure there are plenty of people that can give Ralph detailed information
> about using it efficiently.

Sorry, I do not want to know how to "use clamav efficiently", I am just
wondering what good clamav will do on a server, as there aren't really
any hooks into file writing or reading. Sure, I can hook up clamav into
my email stream or into my proxy on that machine for filtering out
requests to people who use windows boxes behind those.

But I do not understand what sense clamav makes on a linux server, if
there are no hooks into the kernel (I know about dazuko, but a) we don't
ship it and b) last time I looked at it I couldn't get it to run
properly without a *huge* speed penalty).

As far as I know there is no AntiVirus solution for Linux which works
the same as all the solutions under Windows do. And if you do not have
real time scanning on a server/workstation, an anti virus scanner
doesn't do you any good, as the time frame for attacks is just too
large. Either you get it on the first shot or you can just forget about
it.

So again: If you want to be PCI-DSS compliant - what's the use of
clamav?

Ralph
 
01-22-2009, 12:24 PM
Matt Shields
Antivirus for CentOS? (yuck!)

On Thu, Jan 22, 2009 at 8:15 AM, Ralph Angenendt <ra+centos@br-online.de> wrote:
> Anne Wilson wrote:
> > I'm sure there are plenty of people that can give Ralph detailed information
> > about using it efficiently.
>
> Sorry, I do not want to know how to "use clamav efficiently", I am just
> wondering what good clamav will do on a server, as there aren't really
> any hooks into file writing or reading. Sure, I can hook up clamav into
> my email stream or into my proxy on that machine for filtering out
> requests to people who use windows boxes behind those.
>
> But I do not understand what sense clamav makes on a linux server, if
> there are no hooks into the kernel (I know about dazuko, but a) we don't
> ship it and b) last time I looked at it I couldn't get it to run
> properly without a *huge* speed penalty).
>
> As far as I know there is no AntiVirus solution for Linux which works
> the same as all the solutions under Windows do. And if you do not have
> real time scanning on a server/workstation, an anti virus scanner
> doesn't do you any good, as the time frame for attacks is just too
> large. Either you get it on the first shot or you can just forget about
> it.
>
> So again: If you want to be PCI-DSS compliant - what's the use of
> clamav?
>
> Ralph

Check out BitDefender http://www.bitdefender.com
-matt
http://www.sysadminvalley.com
http://www.beantownhost.com
http://www.linkedin.com/in/mattboston

 
