12

Over the last year we have tried to deploy antivirus software on production Linux servers. In most cases, after a few weeks under month-end loads, applications start running slowly or do not work as they should.

I have always questioned the reason for having antivirus on Linux, but it just seems to be a must-have item on auditors' lists. It is my understanding that the amount of Linux malware is small in comparison to Windows, which brings me to my question: why are Linux servers required to have antivirus in terms of SOX?

We have tried 2 different antivirus products, and both deployments were rolled back on critical servers. Should we just put a compensating control in place and forget about antivirus on Linux altogether?

biosFF

2 Answers

22

The main reason to have anti-virus running on Linux servers is usually not to protect the server itself, but to protect the end users who use the services / files on the server. Think of the server as a potential virus carrier.

In order to protect the server itself you should be looking at proper firewalling and server hardening procedures, and packages like aide / tripwire and chkrootkit / rkhunter to detect compromises if they happen.

We use clamav on our fileservers, mailservers, and webservers. On the fileservers (by far the largest) we configured it to scan the modified files hourly, and do a full scan over the weekend on a monthly basis. Otherwise the default configuration has not caused a noticeable performance impact.

Brent
  • With F-Secure I only installed the update agent. However, on our servers we offer services that do not include files, so there is no risk of infecting connected clients. What I have observed is that machines behave pretty well and within the norm once antivirus software is deployed in our test environment. I have created a base Linux image for SuSE 9 / 10, and on these machines I have observed no significant system impact. – biosFF Jun 10 '09 at 17:24
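The "scan the modified files hourly" approach from the answer above, written out as an added example (not the answerer's own script): a POSIX shell function that lists files changed within the last hour and hands only those to clamscan, so the hourly job never walks the whole fileserver. The share path, log path and the cron lines in the comments are assumptions; clamscan is assumed to be installed from the clamav package.

```shell
#!/bin/sh
# Added example: hourly ClamAV scan limited to recently modified files.
# Assumes: clamscan from the clamav package is installed; /srv/share and
# /var/log/clamav/hourly.log are placeholders for your own paths.

# List regular files under $1 modified within the last $2 minutes (default 60).
recently_modified() {
    dir="$1"
    minutes="${2:-60}"
    find "$dir" -type f -mmin "-$minutes" 2>/dev/null
}

# Scan only the recently modified files. Returns 0 when nothing needed
# scanning or everything was clean, 1 when clamscan reported an infected
# file, 2 on a scanner error (these are clamscan's own exit codes).
scan_recent() {
    dir="$1"
    minutes="${2:-60}"
    log="${3:-/var/log/clamav/hourly.log}"
    listfile=$(mktemp) || return 2
    recently_modified "$dir" "$minutes" > "$listfile"
    if [ ! -s "$listfile" ]; then
        rm -f "$listfile"
        return 0            # nothing changed since the last run
    fi
    clamscan --infected --file-list="$listfile" --log="$log"
    rc=$?
    rm -f "$listfile"
    return "$rc"
}

# Cron entries that match the schedule described in the answer (assumed paths):
#   # hourly: scan files changed in the last 60 minutes
#   0 * * * *  /usr/local/sbin/clamscan-recent.sh /srv/share 60
#   # monthly weekend full scan: first Saturday of the month at 02:00
#   0 2 * * 6  [ "$(date +\%d)" -le 7 ] && clamscan -r --infected /srv/share --log=/var/log/clamav/full.log

# When run directly, scan the directory given on the command line.
if [ -n "$1" ]; then
    scan_recent "$1" "${2:-60}" "${3:-/var/log/clamav/hourly.log}"
fi
```

Because the list is built from mtime, a file that is overwritten in place is picked up on the next hourly run, while untouched files cost nothing beyond the find traversal; the exit code lets the cron wrapper alert on 1 (infected) separately from 2 (scanner failure, e.g. stale signatures).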
3

Anti-virus products do have uses on Linux. While there aren't many viruses that target Linux, they are possible, and if it grows in popularity, then there's a chance that more viruses will be written for it. Having used Linux for 12 years I've never known anyone who's had a virus. There are worms and hacks, but a rootkit detector may be more useful, along with regular security updates.

Where you do want to run anti-virus checking is on mail servers and on file servers that serve Windows clients.

We use clamav, which is an open source product, but you can buy Sophos and F-Secure products. I'm sure there are more.

David Pashley