Tasmanian Dept. of Education Wants Anti-Virus for Linux, OS X
An anonymous reader writes "One of Australia's largest government technology buyers, the Tasmanian Department of Education, has gone to market for a security vendor to supply anti-virus software for its 40,000-odd desktop PCs and laptops, as well as servers. But the department's not just running Windows — it runs Mac OS X and Linux as well, and has requested that whatever solution it buys must be able to run on those platforms as well. But have we reached the stage where Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it."
no.
A computer can still pass on a virus even if it cannot directly infect you. It might not be your responsibility but will a child know this? If he forwards an attachment unwittingly or something?
Linux users and Mac users could accidentally infect a Windows user.
Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware. Linux doesn't have any common malware, and I'm not sure about Mac. There is clamav, but that's mostly detecting Windows viruses across platforms.
Some of us run AV on OS X to clean files before they head to Windows machines so we don't act as a carrier. It has no practical benefit yet for OS X itself.
That day is not too far away though, I just think the threats will not look like they do for Windows so existing tech is not relevant.
Anti-virus software is just a security blanket for people who are scared of computers. Not only is it not necessary on Linux and OSX, it is hardly necessary on Windows. Just don't do stupid things. In my experience, most AV impairs the functioning of the machine more than the majority of viruses.
If you exchange documents and files with other users, having anti-virus and anti-malware software or not is not only an issue for your own protection.
Even if you run on a system that you believe to be safe from those kinds of infections, you might spread it to other users if you ever pass on files that you get from others.
This might not be of any importance to you personally, but in a large organization it might be of vital importance that malicious software can't "hide" in unprotected systems of other flavours that it was designed for.
/.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
I run Windows and I still don't use that stuff... I'm totally open source - err, open-minded - and I don't mind sharing my computer with a botnet and my credit card with poor Russkis, Nigerians, and Chinamen. All for one and one for all, I say!
There already exist both commercial and non-commercial anti-virus applications that run on Linux (Wikipedia has a list) which mainly target Windows viruses passing through corporate networks. Some anti-virus solutions target native viruses (virii?), but most are quickly obsoleted via updates anyways. I suspect this is what the Dept. of Education is asking for, and it's not unreasonable.
I use clamav. I'm currently running a dual boot setup with Win7, but it's only used for gaming (once a month or so) and for a few programs that I've only gotten to run without a hiccup in Windows. Since I don't use it all that often, I also don't update it all that often, so having an AV run from outside the OS seems like it's not a bad idea.
#!/bin/sh
# Joke "scanner": it only counts files, it does not inspect anything.
echo "starting scan..."
n=$(find / -type f 2>/dev/null | wc -l)
echo "scan completed of $n files"
exit 0
Atari rules... ermm... ruled.
But have we reached the stage were Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it.
In today's world it is not a matter of whether the OS requires it, it's more and more a matter of whether the User/Admin requires it.
Hivemind harvest in progress..
Tasmanian DoE? Large?
What?
1 group will claim GNU/Linux doesn't need anti virus software.
2nd group will claim they use antivirus on their GNU/Linux already, but only to clean emails destined for MS Windows machines or to look after their Samba exported storage.
3rd group will say GNU/Linux needs AV software because it's only a matter of time before viruses (virii?) appear.
4th group will say viruses for GNU/Linux already exist and provide links to some sensationalist articles on the interwebs where researchers published some concepts.
5th group (partially composed of group 1 and 2) will claim they're not real viruses, but worms/snakes/butterflies/etc...
6th group will claim the threats aren't viruses but PPAs in ubuntu.
3rd/4th group will return saying it's all about users and not the OS. And because they're careful users, they've never in their life needed AV on their MS Windows.
Does that about cover that? Let the holy war begin...
Well, does a Mac or Linux require Anti Virus?
Let me ask you a question: do you hand out your credit card number to anyone who asks? Of course you don't, because you have some common sense and realise that some people would take that information and use it for malicious purposes. Macs and Linux can be compromised; of course, they are not targeted as often, since if you are going to write a virus/malware you will pick the most popular platform, but if you are a Mac/Linux user and you don't run AV or expect that your OS is 'immune' then you are part of the problem.
ALL users should run AntiVirus, or at the very least, be aware of the security of their systems, regardless of what platform they are running as their OS. If putting an AV package on Mac/Linux educates users that you should ensure that your system is secure, then absolutely.
Leg Godt!
This is probably just a policy issue. "We've put your AIX / HP-UX / Solaris server in". "What AV does it run?" "Er, it's running AIX / HP-UX / Solaris , we've not installed AV". "But our policy says we have to use product X or product Y to AV protect all our servers". "Yes, but you're not understan....." "Just install AV".
I was at first under the impression that they were seeking a cure for the virus induced cancer that decimates Tasmanian devils.
I thought viruses are too scared of Tasmanian Devil, no?
Useful? No, but it looks good in IT policy.
Tasmania is about 500,000 population. Largest purchasers in Australia? Snort. Giggle.
I surf the net and some of the pages aren't exactly the most innocent of pages. I experienced some times that viruses were able to exploit back-doors into my system. It's not often, but it happens. Even with firewalls, system and anti-virus updated there are things that sneak past the defenses. Needless to say, I run Windows. If I were to not surf the web and only be connected to the web for a brief amount of time I would not need anti-virus. But, as I said. I do need it. I actually ran without anti-virus software for a long time, but I stopped after my broadband-computer with 10 Mbit went into zombie-mode.
http://www.clamav.net/ Used this around 5 years back when I was in Uni. I recommended it for the university mail server which was running Linux. Worked pretty well... the number of malware on email dropped to zero in a day... not sure about its effectiveness in the modern day but it is cross platform, with the Windows equivalent being Immunet (runs the same engine).
F-prot and a long list of others have linux versions. It's useful for email gateways and I've got a spare licence to use the antivirus with knoppix to do malware removal on the laptops that come in with various infections (although a full wipe and reinstall is the only way to be sure).
It really depends upon whether they want software which CAN run on the platform or whether they actually want it deployed on every desktop. There is actual merit in one or two per site - if nothing else they can scan incoming material or network disks for Microsoft compatible malware even if there is no need to actually protect the computers doing the scanning against such incompatible malware.
Deploying it to the entire lot would be the same old story of somebody out of their depth making the choices before anybody with a clue working for them can properly inform them. Tasmania is the lowest population state of Australia so I don't know where the "largest" bit in the summary came from.
A lot of ppl run it.
Every major vendor has a Linux version for MTAs.
Have a look at an amavisd.conf.
http://technet.microsoft.com/en-us/library/cc512587.aspx
>>You can't clean a compromised system by patching it.
>>You can't clean a compromised system by removing the back doors.
>>You can't clean a compromised system by using some "vulnerability remover."
>>You can't clean a compromised system by using a virus scanner.
>>You can't clean a compromised system by reinstalling the operating system over the existing installation.
>>You can't trust any data copied from a compromised system.
>>You can't trust the event logs on a compromised system.
>>You may not be able to trust your latest backup.
>>>>>The only way to clean a compromised system is to flatten and rebuild.
Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I
Security Program Manager
Microsoft Corporation
Since I started using Mac OS X I immediately purchased an anti-virus solution.
After some comparison I got Kaspersky and I must admit that it has done a pretty good job till now.
The possibility to detect and remove malware before it spreads further to my co-workers is an important factor in my decision to use an antivirus sw on a platform considered "secure" by default. (If it really is so, I am not here to judge; although my personal opinion is that no system is really secure and that not using an antivirus due to advertisement from Apple or Linux opinion groups is worse than silly, it's dangerous.)
To protect the Windows computers on the network. But also to protect the Linux computers from Linux specific malware and virus attacks.
These are government schools. They don't have the money to waste putting computers on every desk when the students are not going to be using them in every lesson. They have rooms with computers in them and timetables to organise who can use them and when - there is no need to have one computer per student. That makes many large companies in Australia larger users of desktop computers than the education department of a low population state such as Tasmania. There would be more students in just about any city in the USA.
Wait, so we bash the government for using Windows, for using faulty antivirus software, for not using any antivirus software, for not using open source, for spending too much......
Now we bash them for asking for something SENSIBLE? Just because most Linux/OS X users don't run it doesn't mean it's a good idea -> Most Windows users don't run antivirus software and use I.E. 6......
Now... if they want one. ClamAV does both linux and windows, not sure about OS X though.
- http://www.milkme.co.uk
I have a problem with adding anti-virus software when there is no clear definition of what viruses it is defending my Ubuntu system from. I am not interested in Windows viruses just any Ubuntu ones. My view is that companies that sell antivirus software for Linux do so by fear rather than by fact.
Linux and Mac users risk being victims of phishing attacks and foolishly handing out passwords, just like the rest of us. It's been a long time since corporate antivirus was just about stopping malicious software being installed on a computer.
At least, both Symantec Antivirus and CA ETrust have honest to god linux and mac os x versions - they both use kernel modules/kexts to do realtime scanning, and actually catch linux threats. Sophos does at least linux too.
Commodore 64, Loading up the dance floor!
I seriously tried to contribute something useful to an earlier thread, no chance.
Then I was looking for some politically incorrect snide remark about ex-convicts, no chance.
Here comes my serious take, then: I read TFA, and what I can read into it, with only some interpretation, is that when you buy/install OSX or Linux, you can do so only, when there is a cross-platform AV. If your Windows Anti-Virus also finds the viruses in OSX/Linux.
For Christ's sake, the question here isn't if OSX/Linux need AV or not. No, greenfruitsalad (http://apple.slashdot.org/comments.pl?sid=2119134&cid=35997984), your arguments all don't apply.
The hare-brained part of the thing is that OSX/Linux - if they have or can have viruses - will have altogether other exploits than Windows. Where does the 'cross-platform' come into the picture? I can't see it. The AV definition for an MTA is cross-platform already (trying to stop all sorts of malware from entering users' mailboxes), to give an example. *-listing is platform-independent as well.
So what was it, that these people are actually asking?? I don't get it.
A lot of compliance audits have requirements that are not OS specific and one of them is having anti-virus (among other things). So a lot of large companies just find it easier to have something that supports all their systems so they don't have to get into an argument on every audit.
Whether it is right or wrong, or a system needs it, isn't the point. Audits can be very expensive and sometimes having those boxes checked can be an easier route to go.
TFA says they want a multiplatform security solution with more than just AV but also antimalware, URL scanning and probably stuff like page source scanning for malicious JavaScript and the like. A Linux or Mac is less prone to malicious executables for now, but what about later when more show up? Just because they're the minority in the OS market, they're growing in popularity and are beginning to come to the attention of the seedy side of the Internet. A general user with admin rights will blindly enter their username and password to confirm the installation of whatever flashy malware toolbar or cursor icon changer that catches their eye, regardless of what OS they're running.*
Also, phishing email and websites are fairly OS agnostic and users will enter their bank or credit card info onto fakebank.com's website if given a chance. A URL scanner/blocker that is centrally managed can help minimise the impact of common known phishing sites and also help in targeted phishing attacks customized to the organisation - common ones like email from support@yourschool.blah saying something like "due to a failed mail server maintenance we require you to login and reset your mail credentials here at website blah". Just because you have Mac or Linux users doesn't mean they're immune to social hacking.
Speaking of central management, having all your endpoints reporting security information back to one central product makes security easier to manage for you as an IT admin. If you can clean up infections on Windows remotely, that's great. But now you get reporting of whether Macs and Linux computers are receiving infected files and clean them before they're passed on to Windows computers. Plus, these security suites may also include a host based firewall program so now you can control that in the same console as well regardless of OS.
Additionally, due to laws or regulations such as privacy laws or PCI compliance or whatever, some computers might be handling personally identifiable information (student numbers, addresses, birthdates, grades, etc.) and Data Loss Prevention mechanisms must be in place and auditable. Plus do you really want to set up a separate new central management and reporting solution for all this stuff for every OS?
Having worked with several of the industry leading solutions I'm not sure if any of them are really fully cross platform - that is to say, not all the functionality that is available on the Windows platform is available on other operating systems, but if you want vendors to sit up and take Mac and Linux on the desktop seriously then movements like these are needed; saying that for my organisation, Mac and Linux are just as important as Windows and if you want my business you, as a vendor, need to support them equally. We should be praising that the Tasmanian Dept of Education is promoting minority operating systems to be taken seriously.
*I know that the solution is not to give them admin access, but Windows is very secure if locked down properly as well. Also since this is the education sector, the IT group probably isn't given the mandate to lock down computers anyway, so users very likely have admin rights. Also being the education sector, there are probably multiple IT groups in lots of geographical areas and most are probably under resourced and underfunded.
The OP might have been stretching the truth:
> One of Australia's largest government technology buyers, the Tasmanian Department of Education
With a population of 507K (10% less than Wyoming), Tasmania is not quite top tier in the Government Departments department.
Andrew
This scene on Slashdot is sad. It's funny how people on here say "Antiviruses are useless." and "Linux doesn't need an antivirus."
Antiviruses are but one part of a defense-in-depth system and while they aren't the be-all-end-all of security for a user, it is indeed a very useful item. Patching security vulnerabilities doesn't get rid of the trojans/viruses after the fact.
And it's entirely possible a piece of malware could get on to your system through a zero-day, unless I assume you're running a fully managed SELinux distribution on your desktop, which I doubt.
For the size of the installation base the only possibility is a commercial vendor.
I have used F-Secure in the past since it supports all of the platforms in question (and couple of others too) and has the needed management tools.
Linux servers make excellent file servers for both Windows and Mac clients. They also lead the way in mail servers.
The thought that this smallest of Australia's states would ask for a way to ensure that files passing through it on the way to lesser operating systems are clean is brilliant stuff, well, apart from the fact that most mixed shops do that already.
Best practice. How about that?
I was embarrassed recently when the IT department claimed a Linux computer in my office was taken over by the Rustock bot. After checking the ssh log, I realized it was a coworker who uses it for a code repository and SOCKS5 proxy as he works abroad from China. He has a compromised Windows machine. To the best of my knowledge, AV doesn't really catch this stuff, which is more and more common nowadays. Does anyone have recommendations?
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
See subject-line 1st, & then this data from a respected source for known security vulnerabilities unpatched (keeping in mind Linux 2.6x is JUST A KERNEL ONLY - not an ENTIRE OS DISTRO (as is the case w/ Win7)):
---
Vulnerability Report: Microsoft SQL Server 2008: (04/29/2011)
http://secunia.com/advisories/product/21744/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Internet Information Services (IIS) 7.x: (04/29/2011)
http://secunia.com/advisories/product/17543/
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Exchange Server 2010: (04/29/2011)
http://secunia.com/advisories/product/28234/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft SharePoint Server 2010: (04/29/2011)
http://secunia.com/advisories/product/29809/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Forefront Endpoint Protection 2010: (05/01/2011)
http://secunia.com/advisories/product/34343/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Office 2010: (04/29/2011)
http://secunia.com/advisories/product/30529/?task=advisories
Unpatched 0% (0 of 6 Secunia advisories)
Vulnerability Report: Microsoft Virtual PC 2007:
http://secunia.com/advisories/product/14315/
Unpatched 0% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft Internet Explorer 9.x: (04/29/2011)
http://secunia.com/advisories/product/34591/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft Visual Studio 2010: (04/29/2011)
http://secunia.com/advisories/product/30853/?task=advisories
Unpatched 17% (0 of 1 Secunia advisories)
Vulnerability Report: Microsoft DirectX 10.x: (04/29/2011)
http://secunia.com/advisories/product/16896/
Unpatched 0% (0 of 3 Secunia advisories)
Vulnerability Report: Microsoft .NET Framework 4.x: (04/29/2011)
http://secunia.com/advisories/product/29592/
Unpatched 0% (0 of 3 Secunia advisories)
Vulnerability Report: Microsoft Silverlight 4.x: (04/29/2011)
http://secunia.com/advisories/product/28947/
Unpatched 0% (0 of 0 Secunia advisories)
Vulnerability Report: Microsoft XML Core Services (MSXML) 6.x:(04/29/2011)
http://secunia.com/advisories/product/6473/
Unpatched 0% (0 of 4 Secunia advisories)
Vulnerability Report: Microsoft Windows 7: (04/29/2011)
http://secunia.com/advisories/product/27467/?task=advisories
Unpatched 8% (5 of 65 Secunia advisories)
---
AND, of those 5 vulnerabilities, yes... 2 are still "remote". HOWEVER, they have EASY work-arounds (basic "don't be stupid" stuff everyone OUGHT to practice & be aware of).
They can be avoided by not just downloading & running "anything" etc. (being utterly stupid in other words, or just ignorant (which in the
Really, who passed this story? There's a list of AV that have Linux versions. So they want something we already have and didn't bother to fucking google it, and the sad part is it's on Slashdot, who's supposed to know about these things.
My impression was that BitDefender was the only free live-CD commercial scanner, the other commercial A/V live-CD's are available only for paying customers.
If I were to upgrade from using only free A/V on my Windows boxes, I would consider paying BitDefender, if only because they are providing such a useful free service to everyone (disclosure: I've paid for Kaspersky in the past).
Sophos and ESET NOD32 both have realtime AV scanners for Linux and OSX.
ESET would fill that bill, and in my experience is the only one with a small enough footprint to keep from pissing off Linux and OSX users *having* to use AV.
http://www.eset.com/us/business/enterprise
http://www.eset.com/us/business/why-eset
I don't work for them, and am using the product after trying McAfee and Virus Barrier X on my Mac.
Some days it's just not worth
chewing through my restraints.
Android smartphones run on linux.
Android smartphones are used by office workers and integrated with the company IT system.
Android smartphones are vulnerable to malicious apps
Therefore, antivirus or 'anti-malware' for linux is badly needed
See subject-line above...
Especially vs. documented FACTS I used from a reputable source on known security vulnerabilities remaining unpatched for BOTH Windows 7 (heck, nearly ALL of what MS gives users &/or developers really), a FULL OS DISTRO, vs. Linux 2.6x (a kernel only that has 3.5x as many known unpatched security issues in it, NOT AN ENTIRE LINUX DISTRO (which would, of course, make that # of UNPATCHED KNOWN SECURITY VULNERABILITIES GO UP EVEN MORE FOR LINUX!)), here:
http://apple.slashdot.org/comments.pl?sid=2119134&cid=35998426
APK
P.S.=> So, lol, ok: Call me a "crank" ALL YOU LIKE in your ad hominem attack on myself (rather than my concrete documented & verifiable FACTS I used), but facts, are facts - & if the "best you've got" is an ad hominem attack on myself, rather than the data I used?
U FAIL... period!
... apk
OS X and Linux computers are most vulnerable from Trojans, so I am curious to know how well ClamAV deals with those.
Jumpstart the tartan drive.
I don't know why they are complaining ... all they need to do to satisfy the bigwigs is to install ClamAV on Mac and GNU/Linux. It's free, reliable and works; unlike other third party anti-virus applications out there (namely, Windows apps).
Anyone try F-Prot? It's the one I've always used since DOS... They have a Linux version I use to clean out other people's hard drives.
Why isn't Tasmania using BSD? Why go Penguin or Turtleneck when you can go Devil ?
I want to delete my account but Slashdot doesn't allow it.
ESET Windows, Mac OSX and Linux support for both desktops and servers.
The firm I work at uses Sophos on its Windows machines - as there's an OSX version, it got inflicted on my iMac as well (as it's the only one in the firm, I kind of hoped they'd overlook it). To be honest, it's not intrusive and doesn't seem to slow things down. That said, in the 6 months or so it's been installed, it's detected 9 viruses - and all of them are infected Windows PowerPoint files, all from the same source, and all things that would have had zero impact on the Mac (iWork) or my Linux box (OpenOffice). The benefit of the AV software on the Mac has been purely for the Windows users.
Ok, a short 6 month sample of a single Mac on a single company network isn't really a very good survey - my experience does seem to support what other people have said, in that installing AV software on the Mac currently appears to be more a case of preventing transmission of infected documents to Windows users rather than suffering from the infections yourself (and at least in our firm, the windows machines would have spotted and prevented the infection themselves, so the Mac AV has been pointless to date).
So the fact that both McAfee and Symantec both have OS X and Linux AV solutions doesn't count, or what?
The statement that Mac users are running without these things is patently false. Most Mac computers I've run across and all of those I've set up have at a minimum ClamXav installed for virus protection (some use VirusBarrier). Aside from my own computers, I've seen very few computers (PC or Mac) running additional firewall software.
http://xkcd.com/463/
Inheritance is the sincerest form of nepotism.
The best way to deflect the idea that it is only Windows that has the basic vulnerability is to ensure that Linux and OSX users are forced to run AV too.
That way they can claim that the total cost of ownership on these platforms is ( artificially) higher.
It is also likely a case of the person working that factor then adding support to the lie by persuading his/her colleagues with the classic FUD:
"What if you omit this, and a virus that attacks these other OS infect us? Do you want the blame?"
What is actually needed is some education to users about best practices, detection of infections and how to establish a safety and testing regimen.
Maurice W. Hilarius Voice: (778) 347-9907
http://en.wikipedia.org/wiki/Troll_(Internet)
APK
P.S.=> Because, again: SINCE ALL YOU HAVE is your "ad hominem attack" vs. the documented, concrete & verifiable FACTS I utilized from a reputable respected source for said security data? You're just another STUPID troll...period!
... apk
My Ubuntu has antivirus. It's called "Update Manager". :-)
First they can work on getting viruses to run correctly under WINE, then get WINE support for Windows AV software.
I am the unwilling control for my Origin.
Okay, so ClamAV works on the three platforms though I find it difficult to use on Windows. But I intentionally leave my Mac boxes and Linux desktop boxes free of antivirus after finding that Macs and Linux boxen in my care have only been infected by a) people installing the rootkit and hence having permissions revoked and b) remote exploit of the antivirus software. AV scanner on the email server, sure, on the file server, sure, but not on desktops where people really just need enough permissions to do word processing.
It didn't spot a single one of the EICAR files I left around my filesystem. I have to assume it would fail to detect any live viruses also.
We recently went through a PCI audit. The auditor wanted to make sure that we had antivirus software for our IBM System i. At first we thought he was crazy, but we discovered that such software DOES exist. However, it does not work quite the same way as on a Windows machine. The idea is that infected files, transferred from Windows PCs, can still reside on the System i, even though they cannot do any harm to that system. So they still need to be scanned. The same holds true for Linux and OS X machines. Those systems may not be subject to infection from viruses, but they can still store infected files, and these need to be scanned.
Proverbs 21:19
I consider that sort of software to be, at best, of extremely dubious usefulness, and at worst, almost as much a negative as having a virus. Why anybody would want to run it is a triumph of marketing over substance.
I think that things like ClamAV are pretty useful, largely because they do the scanning on something before it even gets close to the target computer. I think that they will still miss the most harmful stuff, but at least they are not operating in an environment that's basically already compromised and not slowing down the user's computer to do it.
Which makes it all the more amusing (in a cynical, schadenfreude sort of way) that solutions like ClamAV are out of the running. *sigh*
Need a Python, C++, Unix, Linux develop
http://www.youtube.com/watch?v=SP74aJBbIoY
(See that, from 2:50 onwards on the YouTube player control: As it simply "says it all", better than I EVER COULD, by analogy!)
Especially after my initial post here (that uses documented, concrete, & verifiable FACTS on security data):
http://apple.slashdot.org/comments.pl?sid=2119134&cid=35998426
And later, in my further rebuttal/reply to your EFFETE OFF TOPIC AD HOMINEM ATTACK:
http://apple.slashdot.org/comments.pl?sid=2119134&cid=35998636
(LMAO - an ENTIRE OS DISTRO & even the rest of what MS gives business' to do business on as a development platform in ServerWare, Dev Tools, Office Suites, WebBrowsers, & OS? HAS LESS BUGS THAN A LINUX OPEN "SORES" KERNEL ONLY! )
APK
P.S.=> Ah, I just GOTTA do it:
---
"Is there no one else? IS THERE NO ONE ELSE??" Achilles, Son of Peleus from the classic epic film TROY...
---
That'd be myself HERE too, lol, as I stand before "all of Linuxdom" here on /. challenging you, immediately after BLOWING YOUR "champion" Agreus ( by internettoughguy (1478741) on Monday May 02, @07:43AM (#35998572) ) away, easily (with concrete, verifiable, & undeniable facts)
... apk
The 7th group are implementing NERC/CIP compliance on their control network and have interpreted the requirements such that anything running Linux needs AV. It doesn't matter that clam won't run on some of their devices. Nor does it matter that introducing more software then requires regular signature updates, thus opening another attack vector. The millions of dollars in fines that are at stake are the deciding factor.
Sophos makes AV for Windows, Mac OS and Linux. AFAIK it's all able to be controlled from the enterprise console package too.
"A plan fiendishly clever in its intricacies"- Homer Simpson
Yes, we need anti-virus software, mainly to keep the lawyers happy. Actually, Linux does need good security monitoring to protect from break-in exploits. The lawyers and businessmen just don't understand the difference between that and anti-virus, so they are sort of right.
Antivirus scanners provide a false sense of security with no real benefit. We've got pretty nice workstations at my work, but are saddled with McAfee by corporate IT mandate. Which regularly turns them into unresponsive pigs.
Better to properly lock down user accounts and teach users proper data hygiene. So we can use those resources to accomplish work instead of not-work.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
There is plenty of A/V software available for Linux, ranging from the open source ClamAV to serious commercial products from F-Prot, Frisk, Symantec, McAfee, and others. If a public body is clueless about Linux A/V solutions, then they don't know how to use the search engines on their computers. As for spambots, when a client has an infected machine (always Windows systems), I scan their hard drives with 3 different professional-grade A/V scanners, first set to the default sensitivity. After cleaning off what those found, I rescan at the most sensitive levels, analyze the false positives, and clean the drive again. Finally, I have a tool to clean up the registry. All this I do from Linux with the client drive mounted in an external enclosure.
FWIW, the only time I've seen a Linux system compromised was when an Internet-facing machine was improperly configured/patched and had no firewall running. Mostly, A/V software on Linux systems is to scan for viruses in directories shared with Windows machines, or email repositories, and there are plenty of good appliances out there that will do all that for you at a reasonable cost and minimum administration.
Seriously though, it's far easier to spread malicious software by tricking someone into clicking on a link and installing malicious software themselves. Or giving up their passwords to online assets. You really can't automate defending against every one of those attacks -- at some point you're going to have to rely on the user to exhibit a healthy amount of skepticism. Ultimately that is your first line of defense.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Read up on immunology and specifically the term "herd immunity".
It's not just whether or not you are resistant to a virus, it is also if you help or hinder the spread. It takes surprisingly few non-vaccinated people in a population for an epidemic to get started. Because the spread of viruses, both biologically and in IT, is a numbers game. If the virus finds > 1.0 victims in its lifetime, it will spread and the number of infected hosts will steadily increase. Only if you manage to push down the infection rate to < 1.0 can you eliminate it.
Anti-virus on a Mac or Linux system does not only protect the system itself; its purpose also is to protect other, for example Windows, systems. Your Linux may be immune to the Word macro virus, but if it can detect and kill it, that Windows system you send it to doesn't get infected.
If you know anything about how stuff spreads in a population, you positively don't want the stuff in your environment, not even on hosts that are immune.
(edit: posting a 2nd time because /. stupid "plain old text" eats everything after the "lesser than" sign if you don't escape it...)
Assorted stuff I do sometimes: Lemuria.org
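The "numbers game" in the post above can be made concrete with a small branching-process model. This is an added illustration, not code from the poster; every fraction and probability in it is a constructed placeholder (the hypothetical Population parameters), not a measurement. It contrasts immune hosts that forward a file unchanged (carriers) with immune hosts that scan and drop it, and checks a closed-form R against a Monte Carlo run.

```python
"""Branching-process sketch of the herd-immunity argument: an immune host that
still forwards an infected file keeps the chain alive, while an immune host that
scans and drops it breaks the chain.  All parameters are constructed placeholders."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Population:
    susceptible: float  # fraction of hosts that can execute the malware (e.g. Windows, no AV)
    carrier: float      # immune hosts without a scanner: cannot run it, but may pass it on
    scanner: float      # immune hosts that scan incoming files and drop the malware
    contacts: int       # files each infected host, or forwarding carrier, sends on
    p_infect: float     # chance a susceptible recipient runs the file
    p_forward: float    # chance a carrier forwards the file unchanged


def reproduction_number(pop: Population) -> float:
    """Expected infections caused by one infected host (R).

    Let m be the expected infections that one delivered file eventually causes:
        m = susceptible * p_infect + carrier * p_forward * contacts * m
    (a scanner contributes nothing).  Solving for m gives the closed form below;
    if carriers alone re-send more than one copy per file, m is unbounded."""
    carrier_amplification = pop.carrier * pop.p_forward * pop.contacts
    if carrier_amplification >= 1.0:
        return float("inf")
    m = pop.susceptible * pop.p_infect / (1.0 - carrier_amplification)
    return pop.contacts * m


def simulate_outbreak(pop: Population, rng: random.Random,
                      max_generations: int = 40, max_infected: int = 10_000) -> int:
    """Monte Carlo run from one infected host; returns total hosts infected."""
    infected, senders = 1, 1  # senders = infected hosts plus forwarding carriers
    for _ in range(max_generations):
        new_senders = 0
        for _ in range(senders * pop.contacts):
            kind = rng.random()  # which kind of host receives this copy
            if kind < pop.susceptible:
                if rng.random() < pop.p_infect:  # file executed: new infection
                    infected += 1
                    new_senders += 1
            elif kind < pop.susceptible + pop.carrier:
                if rng.random() < pop.p_forward:  # immune, but passes it on
                    new_senders += 1
            # else: a scanning host drops the file and the chain ends here
        senders = new_senders
        if senders == 0 or infected >= max_infected:
            break
    return infected


def compare_scenarios(runs: int = 500, seed: int = 1) -> dict:
    """Same 40/60 split of susceptible/immune hosts; only what immune hosts do differs."""
    base = dict(susceptible=0.4, contacts=4, p_infect=0.3, p_forward=0.25)
    scenarios = {
        "immune hosts forward": Population(carrier=0.6, scanner=0.0, **base),
        "half of them scan":    Population(carrier=0.3, scanner=0.3, **base),
        "immune hosts scan":    Population(carrier=0.0, scanner=0.6, **base),
    }
    results = {}
    for name, pop in scenarios.items():
        rng = random.Random(seed)
        mean_infected = statistics.fmean(simulate_outbreak(pop, rng) for _ in range(runs))
        results[name] = (reproduction_number(pop), mean_infected)
    return results


if __name__ == "__main__":
    for name, (r, mean_infected) in compare_scenarios().items():
        print(f"{name:22s} R = {r:.2f}  mean infected per outbreak = {mean_infected:.1f}")
```

With these placeholder numbers the same 60% of immune hosts either push R to 1.2 (every copy they forward feeds the chain) or down to 0.48 (every copy they scan is dropped), which is the threshold effect the post describes.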
The DoD's reasoning is pretty straightforward. There are few to no "in the wild" viruses or trojans for Linux/Mac (several worms though), but data rarely stays in one platform in an interconnected world. We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.
Exactly. 99% of what my Linux boxes scan for is Windows malware (viruses, worms, trojans, etc). I prefer to scan for such things on a box that is not susceptible to most things. Since websites, USB keys, portable media, bittorrent, etc., mean viruses can come into almost any system on the network, all machines should be scanning for all viruses, whatever the platform.
Home users can do what they want, but in any larger networked environment where you don't have absolute control, this is absolutely necessary.
You are in a maze of twisted little posts, all alike.
Probably. I don't run anti-virus, but considering the fact I have Flash Player installed, I probably should.
My mind will warp a little bit the first time I have to rebuild my linux box from an infection, but it's only a matter of time.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
As the subject says. That is the only one I know of that has versions for Unix, Linux, BSD, Mac OS X, and Windows.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
Has AV solutions for all platforms.
--- Do you believe in the day?
Our solution was to tape a floppy disk of McAfee inside our HP-UX server. The boss laughed, and checked the box "install AV".
No, you must have anti-virus software or assume your computer is compromised. The anti-virus software on my mac catches things all the time.
I sometimes solder new contacts onto flash drives when a friend/client has broken the end off (usually by smashing the flash drive with a chair while it is plugged in).
Sometimes when I insert flash drives into my Mac (just to get the stuff onto a new flash drive or CD) the anti-virus warns that there is a (Mac) virus on it. Without the anti-virus, I might have run the program to see if it is important to copy it.
Your statement is valid ("safe" OSs can be "carriers") but I don't think it's a reason why anyone should want Anti-Virus applications.
To make spreading infection be an argument for running such applications, we would have to have reason to believe that checking potentially hostile software against blacklists is a good idea. It isn't. There's just no reason to suspect that any attacker would be courteous enough to forward a copy of their malware to the AV companies, prior to offering their malware to you.
It's not that I don't believe in defense in depth; we should take a combined approach of using many approaches to fighting malware. But blacklist scanners are pretty much the dumbest idea in the whole arsenal. It's not worth the effort. It's probably even harmful since the public has this crazy idea that blacklists are a good idea, so they tend to not even try to defend themselves once they have a blacklist scanner. So in that sense, AV software makes people less safe.
OTOH, telling people "don't run apps where you don't know where they came from" makes them more safe, so we need to port that advice to Linux (done). We should port to Linux the idea of abstaining from running every single damn app as admin (done). We should port the idea of using whitelists whenever convenient (done). I'm not saying Linux has implemented every good idea that it could, but all the best ones out there, happen to already be available to Linux users. AV software is crap that we don't need. Windows doesn't need it either. We shouldn't adopt fake-solutions that have already failed on other platforms.
Hate to sound like I'm promoting any of these products, but at my (government) job we use Sophos on Windows, Linux & Mac clients & servers. Anyone can even download & use the Mac client for free. We've gone through a few different AV products in the past, but this one seems to be the most benign - doesn't sap system performance nearly as bad as some of the others we've used.
Still, I've never been big on the "one size fits all" way of thinking. Seems like there's something fundamentally wrong with running just one AV solution... Still as others have pointed out, these days if you support multiple users, you're asking for trouble if you're not running antivirus - no matter what platform. I think of AV the same way I do backups - you don't need it until you NEED it.
I had done a polymorphic virus (for my own education, not to spread it or anything) and it is the easiest way to pass through an AV. One of the earlier techniques I used was changing operands at random which do the same things using old x86 code: Sub ax,ax NOP NOP ; mov ax,0000 ; xor ax,ax nop nop all do the same but will have different opcode values. After that was having a set of registers I would not be using (DX for example) and having XOR DX,AX and other operations INC DX INC DX INC DX etc.... Another one was to have every bit of code in small parts and having near-jumps to each other, but moving them around so no part is fixed. (so you would have (start) JMP @A -A: code- JMP @B -B: code- JMP @C -C: code - JMP @REST etc... but it could also be saved in a new version in real time as (start) JMP @A -C: code- JMP @REST -B: code - JMP @C -A: code - JMP @B or any other permutation)
The end result was quite bloated (15 KB for something which just copied to other .EXE and made some graphics and music) but did not have enough fixed parts to have a signature.
I deleted the code long ago when I was 18, and would never have used it, but it taught me a lot about x86 ASM and obfuscation...
This is clever, but before you mod up SanityInAnarchy's post for its cleverness, please remember that describing Symantec's business model as though it's your own idea is more along the lines of plagiarism than insight.
(Sorry, I couldn't resist. Nothing against you, SanityInAnarchy.)
They are most likely doing this because they believe it will simplify licensing and "save" money by buying in bulk. The problem is that Mac OS and Linux really don't need anti-virus on the desktop (and likely won't for the length of this contract), so their requirement for this will limit their selection of in-essence Windows desktop anti-virus and server anti-virus (a market that has a lot more options than those with Linux and OSX desktop versions as well). I would prefer a better solution in each area than settling for a single vendor just because they support some edge cases (Linux/Mac desktop) the better ones don't. Additionally, free alternatives (clamav, etc) provide a fallback solution should Linux / Mac OS desktops need AV protection during the contract.
:)
A few posters have mentioned that having anti-virus on Linux and OSX workstations may help the Windows PCs avoid getting infected. This may be true, but for the cost (in quality of vendor selection) you are getting very little return for that benefit. I suspect they have very few Mac and Linux desktops currently (this RFP screams of a Windows IT department). If they do have a large Linux / OSX desktop environment there are better ways to implement the virus scanning than adding it to all these desktops (server side real time scanning, etc).
If I were a betting man I would place money on the decision makers being Windows admins that feel they are overworked. This type of RFP is the easiest for the IT management to create (basically they delegate the entire problem to a single vendor). Having consulted for Fortune 500s for over 20 years, that is the environment I have seen that typically produces RFPs like this. You rarely see these coming from true heterogeneous environments (a substantial mix of non-Windows infrastructure). That said, I don't know their specific motives, so this is just a hunch.
As a system admin and Information Assurance officer I myself run Windows, Linux (virtualized), and OS X. I use 3rd party malware detection on all 3 systems that is signature based. They are very much needed. It's silly for average users to think that just because they are running OSX, which is a less targeted operating system, that they aren't targeted. In fact... Safari, the OSX default browser (which I like just because its GUI is intuitive to me), is probably the least secure of all the major web browsers (if you look at the stats at each Pwn2Own competition it gets busted the fastest). There are known OSX exploits and many of the same things apply. Man in the middle attacks, SQL injections, sneak ack attacks, all forms of malware... still apply. Just because you are using a specific operating system, don't get lulled into a false sense of security.
"teach users proper data hygiene"
Totally impossible. They don't care and you can't make them care.
Totally easy: 1: Here's not how to be an idiot. 2: If you're an idiot, you're fired without severance or health benefits.
Can you tell me how I can fire my boss? There's basically nobody above him in the organization, so I'm just wondering how you'd apply your totally easy method in this case?
There are also the cases where an employee is the main rain-maker for the company, but hasn't a clue how to keep from getting malware on their computer. A law firm is not going to fire an attorney who brings in $30 million a year just because they keep getting malware on their PC, for example.
Putting moderation advice in your
That is why you should always run Windows on a virtualizer on Linux. That way, you can SSH into the machine and nuke the VM with a fresh tar ball.
Tasmanian
Department of
Education
Virus
Identification on
Linux
Some drink at the fountain of knowledge. Others just gargle.
Because I am LAUGHING @ you all... & what allows me to do that very thing? Facts (the 'bane' of all TROLLS). Especially this b.s. from you, Dr. Quack "the wannabe 'SiDeWaLk-ShRiNk'" of /. :
"you ought to seek medical attention" - by hxnwix (652290) on Monday May 02, @12:35PM (#36001382)
So, in addition to my mocking you above? Care to produce proof of:
---
1.) Your PHD in Psychiatry to your name/credit
2.) Years-to-Decades of actual professional practice on your part in the sciences of psychiatric care.
3.) A license to dispense meds & your advice in the 1st place
4.) A formal examination of myself in a professional psychiatric environs as to your 'instant prognosis/diagnosis' there, Dr. Quack?
---
Oh, you don't have ANY of those 3 things? Thought not... lol!
(Ah yes, that was just "too, Too, TOO EASY - just '2EZ'", as-is-per-my-usual, vs. wannabe shrinks & noob trolls from /., vs. myself!)
APK
Personally, if I were to put an anti-virus product on Linux servers, I'd choose a different vendor than what was running on the Windows desktops. The idea being that if the desktop AV fails to catch a virus, there's at least some chance that a different vendor's product might catch it.
Competition Good, Monopoly Bad.
I managed to garner a Trojaned zip file, claiming to be a needed ISO standard, on Mac OS X two years ago. ClamAV, which was running, did not catch it. Fortunately it was only partially successful in its attack, installing an alternate user account without root privileges. I had a separate, never-attached-while-the-primary-disk-was-the-boot-disk, system image on a USB drive, so booted from that, Googled for purchased Mac A/V, selected Intego, bought and installed it on the secondary system, then scanned the primary disk drive. Intego immediately detected the Trojan; I was able to use its date/time stamp to delete all other material on the primary OS X disk that had been written at that time, including the secondary user account.
Of course I immediately installed the Intego A/V on my primary drive when I booted it after the malware deletion. I still keep that second drive isolated, occasionally booting from it after a complete shutdown and backup, then scanning the entire primary drive for any rootkitted malware that wasn't caught in real time (e.g., because it got in before the detecting A/V vectors were released). So far I haven't been hit again (that I know of). To use a human analogy, multiple protective measures, such as use of both prophylactics and spermicide, is advisable.
So is it evolution or devolution in the IT age (historical perspective)? Linux users have to pay for Windows users who ignorantly choose a stupid OS. I did quit one of the biggest cities' IT departments in disgust because they wanted to put antivirus on Linux servers. Call me biased; I immediately lose respect for a person who chooses to implement a solution based on Windows and also for the persons who put a proprietary app on Linux and give root privileges to it. For me it becomes a parasite infested Linux system.
I've never run any anti-virus software on Linux (and have been on the net continuously since 1995). I've never had a worm, trojan, virus or piece of malware. Most of the common (and a lot of the uncommon) attacks that are reported by Schneier, or over at 2600.com, or hack-a-day or Wired or the Defcons are usually carefully examined, researched, and new code added/modified to enhance security. It's a continuous process as virus writers keep making better viruses. I also maintain the system, keep up to date on patches, particularly security patches, do md5sums on software I download, and only use root when doing system maintenance.
1. Commercial
2. Open source
On the extortion side, I would choose Sophos.
On the free side, ClamAV.
NERC, in charge of all the power regulations in the US under FERC, requires A/V as well in CIP-007 R4. In fact, it is required for anything that is "cyber" (which means anything with an IP address). Got a networked printer, switch, router, firewall which cannot have A/V? Get ready to file a bunch of paperwork (known as a TFE), yearly, and prove that the vendor says you cannot get A/V for it. Better to install a dumb unmanaged switch or non-networked printer (share it via a workstation) so you can avoid paperwork.
McAfee VirusScan Enterprise for Linux works on RHEL5.5. However, McAfee recommends not running it on RHEL5.6 (although our testing has found no problems and we're not using NFS in our NERC areas, but we'd be officially unsupported by McAfee). It will not work on RHEL6 or any of the newer Fedora 13+ releases.
Don't go off the beaten trail and expect support either. Oracle Enterprise Linux is based significantly on RHEL, but yet McAfee won't support OEL.
I'm not sure what all the requirements are some folks may have, but I use ClamAV just so I can say I have some A/V on my desktop and laptop and so I can scan USB devices that others may ask me to check.
Well, what would you do if it was up to you? If your CEO asked you if you were absolutely, positively, 1,000% sure there is NO chance of virii (?) infecting the computers you are in charge of? "We're already buying antivirus for the Windows machines. Shouldn't we get it also for the rest of them? What do you think?" Knowing that in the remote possibility that something did happen it would be your head the one that rolled, not the CEO's ("Well, I suggested it, but the IT guy said it wasn't necessary!"), nor the user's ("I thought this machine was secure, how was I supposed to know viruses could actually get through [OS here]?").
We like to believe that certain OSes are so much more secure that they don't need the added security of an antivirus, and we may even be willing to risk it with our own machines, but when our job is on the line, I'm betting most if not all of us would rather err on the side of caution, even just so we might be able to say we did the best. Taxpayers' money be damned.
Thought this was pretty funny as I had just seen this at the Internet Storm Center:
http://isc.sans.edu/diary/More+on+MAC+OSX+Malware+-+MACDefender+Fake+Antivirus/10813
So, there's your Mac malware ^_^
So you can detect (and potentially clean) Windows viruses that end up on your servers or are forwarded through your Mac's email before it needs to be detected and increases the load on your Windows boxes. Yes, this is a problem. And AV vendors have been offering this feature for years. Why is this a Slashdot story?
That is all.
And once upon a time, most people rode around in cars without seatbelts.
Slashdot: Playing Favorites Since 1997
Just take a look at the programs chkrootkit and rkhunter, both are available under Ubuntu. They search for native Linux rootkits and viruses, not simply for Windows viruses from under Linux like ClamAV. Btw ClamAV is not really the strongest out there and under Windows I've frequently found viruses that were not detected by it; you get what you pay for sometimes, and Kaspersky and ESET usually top the reviews. F-Prot also provides a console based Linux scanner for Windows viruses I believe. Also one thing I believe ClamAV under Linux may be missing is the ability to scan boot sectors; like all Linux virus scanners I've seen they just scan files but don't work on a partition or drive level.
Btw I think chkrootkit and rkhunter have around ~150 viruses/rootkits in their databases, so the number is not really the issue, and many are families some of which are frequently patched and updated. Once you're actually infected it's a serious issue as to how you can actually disinfect some hardware. I've seen good motherboards, e.g. one from Asus, that were easily flashed with a custom BIOS image, and even other hardware like routers and VoIP boxen need to be scanned imho, but from what I can tell there is no single solution for all these problems, and in many cases a solution may not even be possible! Once your router is flashed with a malicious firmware do you know that reflashing it will remove the infection? How about all other hardware with flashable firmware?
So you might be surprised how many people do use SELinux features and others such as AppArmor profiles on programs which need raw access to network interfaces etc. There was a recent vulnerability found in dhcpd3 which allowed injection of code, could be turned into a remote attack easily. Even when there was a patch it was not applied correctly, giving a window of months where malware authors could have easily known about the issue and Ubuntu thought they were safe but were not. Still I have hope that the huge number of security issues found constantly means that Linux is a rapidly improving product, and that fundamental architectural issues will not prevent security issues from being addressed seriously, unlike in the Microsoft world where Microsoft treat the world as if they were their beta testers, and are more concerned with backwards compatibility and the implications of changes to legacy requirements than true security.
I run Linux and I have had viruses. ClamAV caught a lot of email attachment viruses and such. ClamAV quarantined them. I suspect that they really only run on Windows, but at least I didn't forward them on. Also, if you use USB you can get viruses on those devices too. As I did at a community services center with free internet. I told the sysadmin about it... but a week later I went in and I got it again.
Anyhow... I just wanted to point out that Linux does get viruses. Although the majority (all?) appear to target windoz.
I don't think I had a virus actually run on Linux... although if I did, it was really good and didn't reveal itself.
I've been using Windows since 2.0, never had a virus / malware.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
shhh... don't give the virus writers any good ideas.
http://www.ossec.net/ with central management on locked down machines would be more helpful in detecting anomalous behavior and security issues on the systems. It's also free, so no wasted taxpayer money on unneeded software.