Slashdot Mirror


Tasmanian Dept. of Education Wants Anti-Virus for Linux, OS X

An anonymous reader writes "One of Australia's largest government technology buyers, the Tasmanian Department of Education, has gone to market for a security vendor to supply anti-virus software for its 40,000-odd desktop PCs and laptops, as well as servers. But the department's not just running Windows — it runs Mac OS X and Linux as well, and has requested that whatever solution it buys must be able to run on those platforms as well. But have we reached the stage where Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it."

81 of 396 comments

  1. no by Anonymous Coward · · Score: 3, Insightful

    no.

    1. Re:no by rwa2 · · Score: 5, Informative

      Counterpoint: yes

      The US DoD requires it too. Fortunately, it is available from commercial suppliers (ClamAV is not compliant with something or other), so you just install it and maintain it and pass the bill on to the taxpayers.

      I think it's just standard CYA, so you have someone external to blame if something slips through (which possibly explains why effective roll-your-own measures are deemed insufficient by the policymakers).

    2. Re:no by DrgnDancer · · Score: 5, Insightful

      The DoD's reasoning is pretty straightforward. There are few to no "in the wild" viruses or trojans for Linux/Mac (several worms though), but data rarely stays in one platform in an interconnected world. We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    3. Re:no by ironjaw33 · · Score: 4, Insightful

      We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.

      It's like getting a flu shot -- you're not only protecting yourself from the flu, but others as well.

    4. Re:no by theeddie55 · · Score: 2

      No viruses or trojans is a bit of an exaggeration, but the fact that one piece of Mac malware is considered newsworthy proves that there are very few out there.

  2. Passing on Viruses by Anonymous Coward · · Score: 4, Insightful

    A computer can still pass on a virus even if it cannot directly infect you. It might not be your responsibility but will a child know this? If he forwards an attachment unwittingly or something?

    Linux users and Mac users could accidentally infect a Windows user.

    1. Re:Passing on Viruses by Mouldy · · Score: 5, Informative

      This is exactly why antivirus software for Linux already exists; they probably catch a couple of Linux viruses too, but the majority of their definitions are Windows viruses.

      I've set up ClamAV on my Linux mail server to catch most dodgy stuff before it reaches my Windows PC. I also recently installed it onto my Linux Netbook to scan a friend's external hard drive for a Windows virus. I haven't been following the latest security news, so didn't particularly want to risk plugging it into my friend's or my Windows machine to scan it.

      So I agree, there definitely is a use for Linux-based antivirus software...even if my own uses are mainly concerned with protecting Windows machines.

    2. Re:Passing on Viruses by somersault · · Score: 2

      Or antivirus on the email server, pretty sure there are Linux solutions for that.

      --
      which is totally what she said
    3. Re:Passing on Viruses by Compaqt · · Score: 2

      Do you have it set up to receive mail from Postfix, and then pass it on to Dovecot for distribution?

      Or does ClamAV get a crack at mail first before Postfix?

      Is there a way to scan an email as you're receiving it, and then stop in the middle of the process, making it look like you have a bad SMTP server, which hopefully spammers won't bother with again?

      Oh, and, are you running Amavis, and SpamAssassin, too?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    4. Re:Passing on Viruses by Ailure · · Score: 4, Insightful

      You're probably thinking of ClamAV http://www.clamav.net/

    5. Re:Passing on Viruses by Bert64 · · Score: 5

      I have found the same thing happen with most other AV engines too...

      I have done a number of incident response jobs whereby a machine has become infected and it's my job to work out what happened...

      All machines were Windows...
      All machines were running some kind of AV (multiple different vendors).
      Every machine had a persistent piece of malware present on it.
      The AV actually installed failed to detect the malware.
      Testing the malware with other AV engines found that some would find it; I never encountered anything totally new that wasn't detected by anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:Passing on Viruses by Lennie · · Score: 2

      As many have already figured out, AV is pretty useless.

      It is nowhere near foolproof.

      --
      New things are always on the horizon
    7. Re:Passing on Viruses by mjwx · · Score: 4, Interesting

      A computer can still pass on a virus even if it cannot directly infect you. It might not be your responsibility but will a child know this? If he forwards an attachment unwittingly or something?

      Linux users and Mac users could accidentally infect a Windows user.

      In my experience, Mac users are even more irresponsible than clueless Windows users. They think they are magically protected, which means they will ignore obvious signs of infection till the very end.

      As we all know, malware is less about doing damage and more about making money these days. Keyloggers, trojans and spambots exist for OSX these days (as well as Linux), but they focus on staying hidden, as their job is to make money, not make people annoyed, which means they need to stay where they are to collect CC numbers or send spam.

      Linux users should not have a problem with AV, even if they are smart enough not to need it. Linux users already think with a security-focused mind; in effect, using Linux in lieu of an AV client is laziness on our part (granted, we can recognise an infected machine, so we can afford a bit of laziness).

      To use a Zombie virus analogy, Windows users are the ones running about in a mad panic as the Zombie hoard approaches, blocking highways and running to get away. Mac users walk towards them saying, "Zombies don't exist on Mac, I could never get infected". Linux users fled to the hills six months ago with as much fuel, food and porn as they could carry.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    8. Re:Passing on Viruses by memzer · · Score: 4, Informative

      I'm guessing this was meant to be a troll but really things aren't as bad as you make them out to be these days...

      If you're setting up a mail server there are packages available which integrate all of the things you mentioned above into easier to manage / maintain systems. For example one popular one is iRedMail http://www.iredmail.org/features.html which can be set up by an intermediate user in around 1 Minute [Video: http://www.youtube.com/watch?v=wi8CF3RKRm4].

      If you are implying it's much more complicated for the end user then you're kidding yourself as well. These days there are guides for most popular distributions and usually it's not much more difficult than installing the software and/or configuring an addon. For example, the Ubuntu community guide has easy to follow instructions for configuring Thunderbird with ClamAV. The process is by no means difficult (install, set ports, install addon) and takes less than a minute to complete for a novice user capable of following some instructions.

      There are of course users who would find following such a guide too difficult but really these users simply lack the experience, confidence, patience or time to do so anyway. They're likely the same users who pay somebody else (or come to you, their friend / relative) to install the software for them ;)

      Point I'm trying to make for people thinking of giving it a try is that it is a lot easier to do than the parent implies - even for novice-intermediate users.

    9. Re:Passing on Viruses by memzer · · Score: 4, Informative

      Link to the Ubuntu Community Guide for scanning email using Thunderbird and ClamAV for those interested:

      https://help.ubuntu.com/community/ScanningEmail

    10. Re:Passing on Viruses by Robert+Zenz · · Score: 2

      To use a Zombie virus analogy, Windows users are the ones running about in a mad panic as the Zombie hoard approaches, blocking highways and running to get away. Mac users walk towards them saying, "Zombies don't exist on Mac, I could never get infected". Linux users fled to the hills six months ago with as much fuel, food and porn as they could carry.

      Here, take this imaginary +1 vote...it's all I have at the moment...but that awesome analogy deserves more!

    11. Re:Passing on Viruses by HungryHobo · · Score: 5, Informative

      Pretty much hit the nail on the head.

      Polymorphic and Metamorphic viruses already exist and it's been proven mathematically that detecting such code is NP-complete.
      (Spinellis, Diomidis; Reliable identification of bounded-length viruses is NP-complete, IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137)

      http://en.wikipedia.org/wiki/Polymorphic_code
      http://en.wikipedia.org/wiki/Metamorphic_code

      The scanners are so bad at detecting viruses because it's an example of Enumerating Badness which is one of the 6 dumbest ideas in security which just won't die.

      http://www.ranum.com/security/computer_security/editorials/dumb/

      Rather than trying to keep track of the few thousand or tens of thousands of things that should be running on your own network and white-listing those you either try to keep track of everything bad in the world or pay someone else to. Then you try to blacklist those.
      Thus you get an antivirus scanner.

    12. Re:Passing on Viruses by Anonymous Coward · · Score: 2, Insightful

      I take exception to:

      Linux users and Mac users could accidentally infect a Windows user.

      More accurately: "Linux users and Mac users could accidentally pass on a file that infects an ill-prepared Windows user."

      Mac and Linux users don't infect Windows users. Windows users let themselves become compromised.

    13. Re:Passing on Viruses by guruevi · · Score: 2

      Mac OS X has a built-in antivirus for the few Mac OS X viruses that actually exist and work; proof is in a patch a little while ago where the signatures got updated. This keeps the overhead to a minimum. Linux has the same thing going on - if a virus exploits the kernel, the kernel gets patched quickly and the virus is no longer a threat.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    14. Re:Passing on Viruses by Compaqt · · Score: 2

      Well, I'm not up-to-date on the latest in Windows malware, but let's say you get a custom-crafted PDF that does "blah" in Acrobat on Windows. You read the PDF. You're unaffected in Linux. You forward it to your Windows colleague.

      He is now affected.

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    15. Re:Passing on Viruses by Anonymous Coward · · Score: 3, Funny

      Linux users fled to the hills six months ago with as much fuel, food and porn as they could carry.

      Not only that, but in that six months, they've managed to find 6 completely different methods to cure the zombie virus, all of which are tied up in arguments over:
      1) how stupid the name sounds
      or
      2) how "free" the license is.

    16. Re:Passing on Viruses by Mouldy · · Score: 2

      Wikipedia lists more than a couple of Linux viruses.

      I don't know where you got the notion of me being on the "*nix is just as vulnerable as Windows" bandwagon, at no point did I say anything along those lines. Anybody who assumes that *nix platforms have no native viruses aside from rootkits is utterly naive. Yes, *nix viruses aren't as widespread as their Windows counterparts, but they do exist, they can cause significant damage and *nix platforms are not inherently immune.

      It would be relatively simple to write a script that would send itself to everybody in a user's address book and then execute "rm -fr /" with root permissions without even having to exploit some hole in the kernel or whatever. Never underestimate the end user's stupidity. A lot of Ubuntu (for example) newbies don't really understand why many operations prompt them for a password, and a malicious script could abuse this by posing as something harmless but asking for root permissions. Many desktop Linux newbies are the same people that turn off Windows' UAC prompts because they're annoying.

      An OS can be as secure as you want on paper, but no OS is 100% secure if it's got any human interaction.

    17. Re:Passing on Viruses by mspohr · · Score: 2

      I have to admit that I have done this...

      I work in Africa a lot and Windows viruses are everywhere. I always end up with at least one on my memory stick used to pass around documents.

      Since I run Linux, I don't worry about these on my machine and I usually check the memory stick when I get it back and delete the virus files to prevent passing them on. However, it did happen at least once (that I know) where I didn't check the memory stick and another Windows machine did pop up a virus warning.

      I guess it is my responsibility to clean up Windows viruses but I'm not sure. I'm beginning to think that people who run Windows should take responsibility for their own computer health (the easiest way is to just don't run Windows).

      --
      I don't read your sig. Why are you reading mine?
    18. Re:Passing on Viruses by brainfsck · · Score: 2

      "In my experience, Mac users are even more irresponsible then clueless Windows users. They think they are magically protected, which means they will ignore obvious signs of infection till the very end."

      Considering I could count the number of Mac "viruses" (Trojan horses) in the wild on one hand, I must wonder: how many data points does your "experience" consist of?

    19. Re:Passing on Viruses by oldmac31310 · · Score: 2

      except he doesn't know how to spell 'horde'.

      --
      http://www.acetonestudio.com
  3. Last Resort by iYk6 · · Score: 3, Insightful

    Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware. Linux doesn't have any common malware, and I'm not sure about Mac. There is clamav, but that's mostly detecting Windows viruses across platforms.

    1. Re:Last Resort by Ihmhi · · Score: 3, Funny

      Linux was created by the finest minds of the last thousand years - truly, men among men. They jacked their brains into the cyberspace, navigating neon green 3-D cities and running their own virtual construction company for ten years to build the Linux kernel. Only after it was finished did they convert it to more mundane code so that the lesser men of the world may bask in its glory.

      I don't know what's more disheartening, the fact that someone believes they can create a virus that can melt cyberspace steel, or the fact that there are companies that are scamming their customers with unnecessary products~!

    2. Re:Last Resort by timholman · · Score: 2, Insightful

      There's more OSX and Linux malware out there than you might think. Especially OSX.

      One of the Windows users I work with says the same thing. Like you, he can't provide any examples either.

      And if you're talking about those instances of trojans that rely on social engineering, what anti-virus program can defend against a user who willingly types in an administrative password and installs the malware on his own?

    3. Re:Last Resort by Bert64 · · Score: 4, Informative

      Traditional rootkits exist for most unix systems, although they typically do not spread on their own - someone has to manually root your system and install them. There are even tools dedicated to finding/removing unix rootkits, eg http://www.rootkit.nl/projects/rootkit_hunter.html has a long list of rootkits it knows about.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Last Resort by michelcolman · · Score: 2

      Exactly. I bet the same user, if he had an anti-virus app running, would disable it to be able to run the malware.

    5. Re:Last Resort by mjwx · · Score: 2

      There's more OSX and Linux malware out there than you might think.

      Examples?

      Here you go.

      As always, the most common infection vector is the user. This gets worse when a user refuses to recognise they can be infected.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    6. Re:Last Resort by mjwx · · Score: 2, Insightful

      There's more OSX and Linux malware out there than you might think. Especially OSX.

      One of the Windows users I work with says the same thing. Like you, he can't provide any examples either.

      And if you're talking about those instances of trojans that rely on social engineering, what anti-virus program can defend against a user who willingly types in an administrative password and installs the malware on his own?

      Well if we are excluding those...

      There's 90% of Windows malware wiped out. The user is, always has been and will always be the biggest source of infection. Even in the Windows world and especially today when a patched Win 7 and Office suite aren't vulnerable to drive by infections.

      I love how Mac fanboys need to move the goal posts to justify their positions. But here you go anyway.

      http://about-threats.trendmicro.com/Search.aspx?language=us&p=OSX

      No doubt you have some wonderfully convenient excuse to ignore this.

      Have fun.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Last Resort by fuzzyfuzzyfungus · · Score: 5, Interesting

      Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware. Linux doesn't have any common malware, and I'm not sure about Mac. There is clamav, but that's mostly detecting Windows viruses across platforms.

      One additional advantage (in institutional setups; home users are screwed) is that the presence of AV requires the designers of viruses to make a choice: either you attempt to lay low, and take the risk that a future update of the AV package will detect your virus, or you go all cyber-AIDS on the system and attempt to throw a spanner in the AV system or its update mechanism. In the latter case, the client generally stops responding to the AV management server, which throws up a major red flag. At that point, you either pull the system aside for a more detailed chat, or nuke it, depending on your priorities.

      It's like trying to scare off ninjas by deploying mall cops. The mall cops are hopelessly outmatched; but they will, on occasion, stumble across a ninja, which forces the ninjas to either passively risk detection or actively start killing the mall cops, which alerts you to their presence.

    8. Re:Last Resort by AtomicJake · · Score: 4, Informative

      Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware.

      This is too true. On our Windows machines a self-updating AV is installed. From time to time it deletes an email with a virus (or suspicious) attachment - we would never have opened it in any case (you know those lame emails, where you can smell the virus already in the subject line). Nevertheless, over ten years in the corporation, we had two outbreaks: one was the Slammer worm brought in by an executive with a laptop and a bad firewall config (in the Windows 2000 days), the other was a very well crafted social-engineered email with a PDF attachment that was not yet known by the AV. So, in both cases, the AV did not help, and I assume that all the other viruses would not have had the chance to run either, since the humans would not execute them (opening rotten attachments).

      On the other hand, the AV got in the way of the business multiple times by disabling remote login software, network analyzers, etc.

      I think that it makes sense to have AV software on the email server to filter all those typical attacks, but I am not convinced about the need for an AV on each desktop, laptop etc. It makes sense to have an AV to test each downloaded file or USB stick when connected, but to have it always running might be overkill.

      And, btw: we also had Linux machines, which were successfully attacked. However, those were network attacks against security holes in Internet servers. Maybe an intrusion detection system would have helped, but clearly not a typical anti-virus.

    9. Re:Last Resort by John+Betonschaar · · Score: 2

      Wow, no less than *FORTY-EIGHT* OS X 'threats', some of which are 'proof of concept' malware and almost all others are simply Trojans or scripts that do absolutely nothing unless you start and authorize them yourself.

      I guess I can still sleep at night without a virus scanner...

    10. Re:Last Resort by John+Betonschaar · · Score: 4, Insightful

      There's 90% of Windows malware wiped out. The user is, always has been and will always be the biggest source of infection. Even in the Windows world and especially today when a patched Win 7 and Office suite aren't vulnerable to drive by infections.

      What does Windows have to do with anything? The statement was that there's "more OS X and Linux malware around than you might expect", which (at least to me) implies that this amount of malware is substantial enough to care about.

      I love how Mac fanboys need to move the goal posts to justify their positions. But here you go anyway

      Great, ram your point across by throwing stereotypes around, that's really going to help your argument /s

      No doubt you have some wonderfully convenient excuse to ignore this.

      No wonderfully convenient "excuse" is necessary here, because your 'list of OS X threats' is laughable and does nothing but disprove your own argument. In 10 years of OS X history, apparently only 43 pieces of malware have been identified, most of which are Trojans, which - in your own words - depend on the user as 'the biggest source of infection', and for which antivirus software is completely unnecessary. If anything, that list proves that OS X is more or less immune to viruses and malware, and that a fully patched OS X install does not need antivirus, just common sense.

      From your own signature:

      Calling someone a "hater" only means you can not rationally rebut their argument.

      And what does calling someone a 'Mac fanboy' make you?

    11. Re:Last Resort by kolicha · · Score: 2

      I know it is a marketing post, but it does include some examples of Mac malware:

      http://nakedsecurity.sophos.com/2010/11/02/anti-virus-mac-free/

      – Websites that pose as legitimate-looking software vendor's sites, but whose downloads are really Mac malicious code.
      – Malware disguised as pirated software available for download from P2P file-sharing networks.
      – Sexy online video links that urge you to install a plug-in to view the content, but really infect your computer with a Mac Trojan horse.
      – Popular Twitter accounts, such as that belonging to former Apple evangelist Guy Kawasaki, who have tweeted out links to websites designed to infect Mac computers.

      It doesn't prove it is common, but it does prove it is out there.

    12. Re:Last Resort by LoganDzwon · · Score: 2

      Ok, I'll bite. Of the 43 listed, 11 are for Windows, leaving 32 for Mac (13 unique). I broke them up into groups.

      Phishing:
      * OSX_JAHLAV.A-M is a trojan that requires a user to download a DMG and install it with an admin password. It then changes the DNS to send you to phishing sites. It is listed 15 times as TM's list puts a separate entry for each minor variation of the same malware.
      * OSX_DNSCHAN.A is also malware masquerading as a video codec. It changes your DNS settings to hosts which are quickly shut down. It is the same virus as OSX_RSPLUG.A and UNIX_DNSCHAN.A. It is listed 6 times on the list because TM counts each slight variant as a new virus.

      Backdoors:
      * OSX_MUSMINIM.A is a Back Orifice type backdoor. It requires the user to type in their admin password to install. A simple firewall renders it ineffective.
      * OSX_LAMZEV.A is a backdoor that arrives via trojan. A firewall negates any ability.
      * OSX_KROWI.A is a backdoor that was built into a pirated version of iWork09.

      Dead:
      * OSX_LEAP.A only infects non-up-to-date 10.4 (current is 10.6, 10.7 is due out soon).
      * OSX_INQTANA.A only infects non-up-to-date 10.4 (current is 10.6, 10.7 is due out soon).
      * OSX_MACARENA.A is a non-propagating proof-of-concept. Does not work on any version of OS X with all patches applied.

      Junkware:
      * OSX_IMUNIZATOR.A is a variant of OSX_MACSWEEP.A. It is an application the user must run. It tells the user it found malware and offers to sell them junk to remove it. Considering a simple banner pop-up is just as dangerous, I don't really think it's fair to count this.

      Worms:
      * OSX_TORED.D is a true worm, spreads via e-mails. Only infects non-up-to-date systems.

      Games:
      * OSX_LOSEGAM.A is a game that has to be downloaded and run by the user. It is a game where wrong moves delete random files on the system.

    13. Re:Last Resort by science_gone_bad · · Score: 2

      There's more OSX and Linux malware out there than you might think. Especially OSX.

      One of the Windows users I work with says the same thing. Like you, he can't provide any examples either.

      And if you're talking about those instances of trojans that rely on social engineering, what anti-virus program can defend against a user who willingly types in an administrative password and installs the malware on his own?

      I've installed/used various commercial AV products on both OSX and Linux. The last was Symantec AV. While I was wondering why my OSX machine ground to a halt (72hrs to scan 100,000 files???), I looked at the signature file for the product. Out of 190,000 definitions, only 3 were Mac related. All of them were pre-1995 (The CD Worm, ABv, etc.). Absolutely none of the things being scanned for would run on anything later than Mac OS8, and I haven't run MS Office or other MS products for 10 years. Needless to say, that product was ripped out real fast.

      The Linux version of Symantec was loading as a kernel level java process, and we were developing in java. Within 2 seconds of launching another java process, the kernel would hard-lock. The only way around that was to power off the machine. Nothing else would respond.

      So, the results are:
      No protection
      No usage of the machine while it runs (I guess that means it's protected since NOBODY can use it)
      No satisfaction
      No longer used!!

      --
      "I never get lost because everybody tells me where to go"
    14. Re:Last Resort by RogerWilco · · Score: 2

      This is more insightful than one would think a post about ninjas could be.

      --
      RogerWilco the Adventurous Janitor
    15. Re:Last Resort by SanityInAnarchy · · Score: 3, Interesting

      It's like trying to scare off ninjas by deploying mall cops. The mall cops are hopelessly outmatched; but they will, on occasion, stumble across a ninja, which forces the ninjas to either passively risk detection or actively start killing the mall cops, which alerts you to their presence.

      That is a beautiful analogy, and you deserve a +5 for that alone.

      Still...

      Wouldn't a ninja be able to take the mall cops out one at a time, hide the body, steal the uniform, and pretend to be a mall cop, thus avoiding alerting anyone to their presence? That seems like the obvious solution -- completely take over the AV system, continue receiving updates, but rather than implement them, send them back to your botnet's command-and-control so the botnet operator can stay one step ahead.

      --
      Don't thank God, thank a doctor!
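      Added example (not from the thread or any vendor): a small Python check a defender could run over AV management-server check-in records to catch both cases raised above, a client that stops reporting (the "red flag" in fuzzyfuzzyfungus's post) and a client that keeps reporting but never applies the updates it receives (SanityInAnarchy's caveat). The log format, hostnames, timestamps, signature version numbers and thresholds are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed AV-agent check-in records (hypothetical format, one per line):
# "<ISO timestamp> <hostname> sig=<signature database version>"
CHECKIN_LOG = """\
2011-05-10T08:00:00 ws-001 sig=13040
2011-05-10T08:00:00 ws-002 sig=13040
2011-05-10T08:00:00 ws-003 sig=13040
2011-05-10T12:00:00 ws-001 sig=13041
2011-05-10T12:00:00 ws-003 sig=13040
2011-05-10T16:00:00 ws-001 sig=13041
2011-05-10T16:00:00 ws-003 sig=13040
"""

# Constructed release history of the management server's signature database:
# version -> time it was published to clients.
SIGNATURE_RELEASES = {
    13040: datetime(2011, 5, 9, 20, 0, 0),
    13041: datetime(2011, 5, 10, 9, 0, 0),
}


def parse_checkins(text):
    """Reduce the check-in log to {host: (last_seen, reported_sig_version)}."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, sig_field = line.split()
        seen = datetime.fromisoformat(stamp)
        version = int(sig_field.split("=", 1)[1])
        # Keep only the most recent record per host.
        if host not in latest or seen > latest[host][0]:
            latest[host] = (seen, version)
    return latest


def find_anomalies(checkins, releases, now,
                   silence=timedelta(hours=6), lag=timedelta(hours=4)):
    """Classify hosts into two defender-relevant buckets.

    silent: no check-in for longer than `silence` (agent killed, updates
            blocked, or host tampered with: the "red flag" case).
    stale:  still checking in, but reporting a signature version older than
            the current release for longer than `lag` after it was published
            (agent alive but not applying updates: the "impersonation" case).
    """
    current = max(releases)
    published = releases[current]
    silent, stale = [], []
    for host, (last_seen, version) in sorted(checkins.items()):
        if now - last_seen > silence:
            silent.append(host)  # silence takes precedence over staleness
        elif version < current and now - published > lag:
            stale.append(host)
    return {"silent": silent, "stale": stale}


def check_sample():
    """Run the detection over the constructed data at a fixed 'now'."""
    now = datetime(2011, 5, 10, 17, 0, 0)
    return find_anomalies(parse_checkins(CHECKIN_LOG), SIGNATURE_RELEASES, now)


if __name__ == "__main__":
    for bucket, hosts in check_sample().items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```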
    16. Re:Last Resort by Tom · · Score: 2

      but I am not convinced about the need of an AV on each desktop, laptop etc.

      There are several papers out there describing malware spreading in corporate networks (full disclaimer: I wrote one of them). I'll give you a hint towards why you want AV on each and every machine: Because once your perimeter has been penetrated, the worst-case scenario for a well-crafted malware to infect your entire corporate network is measured in seconds. Give it the usual caveats because the worst-case scenario rarely happens in the real world, but even if you give it two orders of magnitude - can you contain an actively spreading infection in a few minutes?

      So, what's going to be cheaper (in a corporate context, everything boils down to money in the end)? The moderate cost of keeping AV installed and updated on all machines, or the cost of rebuilding the entire Windows network - servers, clients, notebooks, everything? Oh, after taking down everything and putting the network into quarantine to make sure no infected devices remain? Do you even know how to do that or will you have to figure it out while doing it? How much downtime are we talking about here? Days or weeks? If you said anything with "hours", you are kidding yourself big time.

      Do the usual math: Sum up the best-, worst- and likely-scenario costs, multiply by a rough guess of the chance of it happening per year and compare that to doing the usual AV routine. Oh, and don't forget to ask the CTO, CIO or CEO if he's willing to sign off on that risk. I'm very sure you'll have a signature on your AV purchase form long before you're halfway through the list of direct impacts for the other scenario.

      Because that's the other ugly truth about corporations: Someone has to make the decision, and the bigger your company is, the more risk-averse it usually is. Most importantly, human and also manager (for those of you who don't include PHBs in the "human" category) minds are famously bad at estimating unlikely, but dramatic risks, especially in regards to more probable but smaller risks. (*)
      So you will almost always get a moderate expense to prevent an unlikely, but catastrophic signed off easier than getting someone to sign off on the risk. If you have formal sign-off procedures. Just ignoring the risk by not doing something about it happens frequently and is a lot easier than accepting the risk, and totally not the same thing.

      (*) Which is one reason why many more people are afraid of flying than of driving, even though the chance to die in a car crash is about 1:6000 while the chance to die in a plane crash is about 1:1000000 (both per year, source).

      --
      Assorted stuff I do sometimes: Lemuria.org
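      The "usual math" in the post above, written out as a small expected-loss model. This is an added example, not code from the post or from any product; every figure in it (host count, hourly figures, probabilities, the per-host AV price) is a constructed placeholder, and the scenario structure (downtime hours plus per-host rebuild labour) is an assumption about how a rebuild cost would be estimated.

```python
"""Expected annual loss of a network-wide infection vs. the recurring cost of AV.

Added example (not from the original post). All numbers are constructed
placeholders; replace them with your own estimates.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    downtime_hours: float        # network unusable while quarantined/rebuilt
    rebuild_hours_per_host: float  # staff time to flatten and rebuild one host
    annual_probability: float    # rough guess of it happening in a given year


# Constructed best / likely / worst cases, as the post suggests summing.
SCENARIOS = (
    Scenario("best", downtime_hours=24, rebuild_hours_per_host=0.5, annual_probability=0.10),
    Scenario("likely", downtime_hours=72, rebuild_hours_per_host=1.0, annual_probability=0.05),
    Scenario("worst", downtime_hours=240, rebuild_hours_per_host=2.0, annual_probability=0.01),
)


def incident_cost(s: Scenario, hosts: int, lost_revenue_per_hour: float,
                  staff_rate: float) -> float:
    """Direct cost of one occurrence: lost productivity plus rebuild labour."""
    return (s.downtime_hours * lost_revenue_per_hour
            + hosts * s.rebuild_hours_per_host * staff_rate)


def compare_to_av(scenarios, hosts: int, lost_revenue_per_hour: float,
                  staff_rate: float, av_cost_per_host: float) -> dict:
    """Expected annual loss (sum of cost x probability) against the AV bill.

    The worst single incident is reported separately: that is the figure
    a risk-averse executive is asked to sign off on, regardless of the
    expected value.
    """
    costs = {s.name: incident_cost(s, hosts, lost_revenue_per_hour, staff_rate)
             for s in scenarios}
    expected = sum(costs[s.name] * s.annual_probability for s in scenarios)
    av_annual = hosts * av_cost_per_host
    return {
        "expected_annual_loss": expected,
        "worst_single_incident": max(costs.values()),
        "av_annual_cost": av_annual,
        "av_is_cheaper": av_annual < expected,
    }


if __name__ == "__main__":
    # Constructed input: 500 hosts, $2000/h of lost work, $80/h staff, $20/host/year AV.
    print(compare_to_av(SCENARIOS, hosts=500, lost_revenue_per_hour=2000,
                        staff_rate=80, av_cost_per_host=20))
```

      With the placeholder figures the expected annual loss comes out above the AV bill, but the more persuasive number in a sign-off meeting is usually `worst_single_incident`, which is exactly the risk-aversion effect the post goes on to describe.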
    17. Re:Last Resort by drsmithy · · Score: 2

      And if you're talking about those instances of trojans that rely on social engineering, what anti-virus program can defend against a user who willingly types in an administrative password and installs the malware on his own?

      Er, that's pretty much the whole *point* of AV software - the last ditch effort to protect the user trying to shoot himself in the foot.

      A massive proportion of malware uses the trojan horse model. The reason we have AV software at all, is because OS-level security can't defend against ignorant users with administrative privileges.

  4. AV software is not only for your own safety... by Mattsson · · Score: 4, Insightful

    If you exchange documents and files with other users, having anti-virus and anti-malware software or not is not only an issue for your own protection.
    Even if you run on a system that you believe to be safe from those kinds of infections, you might spread it to other users if you ever pass on files that you get from others.
    This might not be of any importance to you personally, but in a large organization it might be of vital importance that malicious software can't "hide" in unprotected systems of other flavours that it was designed for.

    --
    /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)
  5. Whassa problem? by macraig · · Score: 2

    I run Windows and I still don't use that stuff... I'm totally open source - err, open-minded - and I don't mind sharing my computer with a botnet and my credit card with poor Russkis, Nigerians, and Chinamen. All for one and one for all, I say!

    1. Re:Whassa problem? by J.J.+Dane · · Score: 4, Funny

      Well, if some friendly Russian kindly allows me to download an Adobe suite or a new game from his website it's only polite that I let him use my box to send a few e-mails or whatever when I'm not using it

  6. Clam AV by BoogeyOfTheMan · · Score: 2

    I use clamav. I'm currently running a dual boot setup with Win7, but it's only used for gaming (once a month or so) and for a few programs that I've only gotten to run without a hiccup in windows. Since I don't use it all that often, I also don't update it all that often, so having an AV run from outside the OS seems like it's not a bad idea.

    1. Re:Clam AV by pixline · · Score: 2

      MS Security Essentials won't install on a non-genuine machine, take it into account :-) Seriously: what's wrong with Clam AV and some decent network setup? It just works for everyone with no budget at all, will work for them too....

  7. cross platform virus scanner for linux and mac by Gunstick · · Score: 5, Funny

    #!/bin/sh
    echo "starting scan..."
    n=`find / -type f | wc -l`
    echo "scan completed of $n files"
    exit 0

    --
    Atari rules... ermm... ruled.
    1. Re:cross platform virus scanner for linux and mac by O'Nazareth · · Score: 5, Informative

      I wish to file a bug report: you count files with several hard links multiple times.

    2. Re:cross platform virus scanner for linux and mac by Anonymous Coward · · Score: 2, Informative

      # ./antivirus.exe
      Segmentation fault

      "Your honor, I ran the required anti-virus program, and it didn't detect any viruses."

    3. Re:cross platform virus scanner for linux and mac by Delgul · · Score: 5, Funny

      For manager types you need to include "Your computer is safe" somewhere along the line ;-)

    4. Re:cross platform virus scanner for linux and mac by martin-boundary · · Score: 5, Funny

      That's normal behaviour, sir. Those are harder files to scan, which is why they must be scanned multiple times. Have a good day.

    5. Re:cross platform virus scanner for linux and mac by AnonymousDot · · Score: 2

      What, there is no [Like] button on Slashdot?

  8. prophecy by greenfruitsalad · · Score: 5, Insightful

    1 group will claim GNU/Linux doesn't need anti virus software.
    2nd group will claim they use antivirus on their GNU/Linux already, but only to clean emails destined for MS Windows machines or to look after their Samba exported storage.
    3rd group will say GNU/Linux needs AV software because it's only a matter of time before viruses (virii?) appear.
    4th group will say viruses for GNU/Linux already exist and provide links to some sensationalist articles on the interwebs where researchers published some concepts.
    5th group (partially composed of group 1 and 2) will claim they're not real viruses, but worms/snakes/butterflies/etc...
    6th group will claim the threats aren't viruses but PPAs in ubuntu.
    3rd/4th group will return saying it's all about users and not the OS. And because they're careful users, they've never in their life needed AV on their MS Windows.
    Does that about cover that? Let the holy war begin...

  9. Probably just a policy problem by Blade · · Score: 4, Insightful

    This is probably just a policy issue. "We've put your AIX / HP-UX / Solaris server in". "What AV does it run?" "Er, it's running AIX / HP-UX / Solaris , we've not installed AV". "But our policy says we have to use product X or product Y to AV protect all our servers". "Yes, but you're not understan....." "Just install AV".

  10. Re:Of course it's not needed. by Anonymous Coward · · Score: 2, Informative

    Just don't do stupid things.

    The average user doesn't know what's stupid and what is not.

    To some extent, AV software is good for inexperienced users. Unfortunately most of these AV programs have "evolved" to a point where they've become more of a burden than help. That's a real problem if you have to churn out a new-and-improved version every year.

  11. You can't by bmo · · Score: 5, Informative

    http://technet.microsoft.com/en-us/library/cc512587.aspx

    >>You can't clean a compromised system by patching it.

    >>You can't clean a compromised system by removing the back doors.

    >>You can't clean a compromised system by using some "vulnerability remover."

    >>You can't clean a compromised system by using a virus scanner.

    >>You can't clean a compromised system by reinstalling the operating system over the existing installation.

    >>You can't trust any data copied from a compromised system.

    >>You can't trust the event logs on a compromised system.

    >>You may not be able to trust your latest backup.

    >>>>>The only way to clean a compromised system is to flatten and rebuild.

    Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation

    1. Re:You can't by freedumb2000 · · Score: 2

      The only thing a positive scan tells me, is that it is time to rebuild which is a pain in the ass and I have skimped on it before.

    2. Re:You can't by jimicus · · Score: 2

      Which is why you don't run AV on a compromised machine. You boot from a rescue CD such as that provided by Avira or F-Secure.

      Even that's not a perfect solution, of course, because it assumes your scanner can detect secondary vulnerabilities injected by the infection itself - or that no such vulnerability exists. Both of which seem rather optimistic assumptions. Ideally you'd have some sort of boot CD that can run checksums against every file on the system - but by the time you get to this point, it's probably several times quicker to rebuild the system.
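      The "boot CD that can run checksums against every file" idea from the reply above, as an added example that is not part of the original post or of any vendor's rescue media. It assumes a SHA-256 manifest was taken from the host while it was known-good and stored off the host, and that the comparison is run from trusted boot media so the scanner itself is not the thing that was tampered with. The file tree, contents and the simulated tampering are constructed for the demo.

```python
"""Offline file-integrity comparison against a known-good manifest.

Added example (not from the post). The manifest must come from a trusted
source (taken before compromise, kept off the host); the comparison must
run from trusted media, since tools on the compromised host cannot be
trusted. Sample tree below is constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: following them could hash files outside the tree
    or be used to steer the scanner away from a replaced file.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the trusted baseline and the live tree."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate tampering, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in {
            "bin/ls": b"original ls binary (constructed)",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "var/log/auth.log": b"constructed log line\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = build_manifest(root)  # taken while the host is known-good

        # Simulated tampering: a replaced binary, a new file, a deleted log.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary (constructed)")
        (root / "tmp").mkdir()
        (root / "tmp" / "dropped").write_bytes(b"unexpected file (constructed)")
        (root / "var" / "log" / "auth.log").unlink()

        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

      A manifest comparison only tells you which files differ from the baseline; as the reply notes, it cannot tell you whether an unchanged file was already bad when the baseline was taken, which is why the baseline has to come from a clean install and why a rebuild is usually the faster answer anyway.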

    3. Re:You can't by internettoughguy · · Score: 2

      >Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

      Even more impressively, he's A MICROSOFT CERTIFIED PROFESSIONAL ;).

  12. Every classroom? by dbIII · · Score: 2

    These are government schools. They don't have the money to waste putting computers on every desk when the students are not going to be using them in every lesson. They have rooms with computers in them and timetables to organise who can use them and when - there is no need to have one computer per student. That makes many large companies in Australia larger users of desktop computers than the education department of a low population state such as Tasmania. There would be more students in just about any city in the USA.

  13. Lets bash the sensible goverment! by djsmiley · · Score: 2, Insightful

    Wait, so we bash the government for using windows, for using faulty antivirus software, for not using any antivirus software, for not using open source, for spending too much......

    Now we bash them for asking for something SENSIBLE? Just because most linux/os x users don't run it doesn't mean it's a good idea -> Most windows users don't run antivirus software and use I.E. 6......

    Now... if they want one. ClamAV does both linux and windows, not sure about OS X though.

    --
    - http://www.milkme.co.uk
  14. Re:Of course it's not needed. by Bert64 · · Score: 2

    It's an extra layer to protect a user either from running vulnerable software, or from doing something stupid...

    I've seen many windows systems become infected when the users haven't done stupid things, they were browsing perfectly legitimate sites that just happened to have been hacked and got infected without having to do anything else.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  15. Re:Of Course by mjwx · · Score: 4, Informative

    You must work in IT support.

    My personal experience is:

    #1. For a technically sane, and security aware user, most antivirus software only exists to make the system hog slow.

    #2. Antivirus software is used as a placebo to make users feel they are safer. If anything, I suspect it would make users feel less responsible for their own actions because some AV software is supposedly protecting them.

    #3. How is a Linux user supposed to run AV? With WINE? I know there is clamav, but it's not intended for those "active monitoring/scanning" things you have on Windows. Maybe the "shell script" placebo* will work equally well at "educating users" if that's what you want. No point in making a system slow.

    * http://apple.slashdot.org/comments.pl?sid=2119134&cid=35997968

    You must work in sales, because you have no experience in the real world.

    #1. Actual, technical users understand that AV is important, they just recognise the signs of infection as well as any AV does and will take steps when they detect them. For us, AV clients are just a way to be lazy.

    #2. Just because AV will not protect against some 0-days does not make it useless. It's a method of protecting against old threats which are still quite prevalent thanks to people who don't use or ignore AV. Not to mention that many viruses are simply minor variations of old ones, the W32.Foo.F virus looks quite similar to W32.Foo.E.

    #3. Umm... You do know that there are a variety of Linux clients out there. Clam AV, Trend Micro, AVG, Kaspersky and others have clients. Any AV vendor in the Enterprise space has a client as Enterprises use Linux servers quite a bit. Do a google search for "Linux Anti Virus" before launching on an ill-informed rant.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  16. worms and spam bots by mathfeel · · Score: 4, Interesting

    I was embarrassed recently when the IT department claimed a Linux computer in my office was taken over by the Rustock BOT. After checking the ssh log, I realized it was a coworker who uses it for a code repository and SOCKS5 proxy as he works abroad from China. He has a compromised Windows machine. To the best of my knowledge, AV doesn't really catch this stuff, which is more and more common nowadays. Anyone have recommendations?

    --
    The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
  17. Any free except for BitDefender? by Mathinker · · Score: 2

    My impression was that BitDefender was the only free live-CD commercial scanner, the other commercial A/V live-CDs are available only for paying customers.

    If I were to upgrade from using only free A/V on my Windows boxes, I would consider paying BitDefender, if only because they are providing such a useful free service to everyone (disclosure: I've paid for Kaspersky in the past).

  18. Re:Pretty standard, really. by Hognoxious · · Score: 2

    I suspect this is what the Dept. of Education is asking for, and it's not unreasonable.

    They want the same solution to run on all platforms. That's as reasonable as wanting the same tyre to fit a bike and a bus.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  19. Linux malware is abundant by Kanel · · Score: 3

    Android smartphones run on linux.
    Android smartphones are used by office workers and integrated with the company IT system.
    Android smartphones are vulnerable to malicious apps.

    Therefore, antivirus or 'anti-malware' for linux is badly needed.

  20. M$ supporters are pushing this by mauriceh · · Score: 3, Insightful

    The best way to deflect the idea that it is only Windows that has the basic vulnerability is to ensure that Linux and OSX users are forced to run AV too.
    That way they can claim that the total cost of ownership on these platforms is (artificially) higher.

    It is also likely a case of the person working that factor then adding support to the lie by persuading his/her colleagues with the classic FUD:
    "What if you omit this, and a virus that attacks these other OS infects us? Do you want the blame?"

    What is actually needed is some education to users about best practices, detection of infections and how to establish a safety and testing regimen.

    --
    Maurice W. Hilarius Voice: (778) 347-9907
  21. Re:Of Course by Svartalf · · Score: 2

    Just because AV will not protect against ALL 0-days does make it nearly useless.

    Fixed that for you. If it's a 0-day exploit, typically nobody knows about the virus that uses it except the jokers that wrote it. Seriously. That's why it's called a 0-day in the first place. That means it won't find the thing for you- ever.

    It's a method of protecting against old threats which are still quite prevalent thanks to people who don't use or ignore AV. Not to mention that many viruses are simply minor variations of old ones, the W32.Foo.F virus looks quite similar to W32.Foo.E.

    Considering that patching for the holes is a better answer than relying on a signature scan for things...simply put, no. It's less useful than you're making it out to be. It's like closing the barn door after all your horses have gone on a walkabout on you. The virus writers have gotten clever, by the way- they don't make it easy to flag out a Foo.F from the Foo.E anymore. If you've gotten zapped by an "old" virus like that, one that would get caught out this way, it means you either haven't updated the system or your OS vendor didn't fix the hole like they claimed they did.

    --
    I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  22. Not as silly as it sounds by wcrowe · · Score: 2

    We recently went through a PCI audit. The auditor wanted to make sure that we had antivirus software for our IBM System i. At first we thought he was crazy, but we discovered that such software DOES exist. However, it does not work quite the same way as on a Windows machine. The idea is that infected files, transferred from Windows PCs, can still reside on the System i, even though they cannot do any harm to that system. So they still need to be scanned. The same holds true for Linux and OS X machines. Those systems may not be subject to infection from viruses, but they can still store infected files, and these need to be scanned.

    --
    Proverbs 21:19
  23. Re:Of Course by batwingTM · · Score: 2

    #1. Actual, technical users understand that AV is important, they just recognise the signs of infection as well as any AV does and will take steps when they detect them. For us, AV clients are just a way to be lazy.

    You know, in relation to that point, back in 1999 the most effective Virus detection software I had was "Need For Speed 3: Hot Pursuit". Back in the days of the rapidly spreading Win.CIH virus as soon as that got into my system it would end up in that executable (because I used it so often I guess) and that would cause the game to hang. When that occurred it was time to break out the trusty command line removal tool.

    --
    Leg Godt!
  24. a waste of CPU cycles by Thud457 · · Score: 2

    Antivirus scanners provide a false sense of security with no real benefit. We've got pretty nice workstations at my work, but are saddled with McAfee by corporate IT mandate. Which regularly turns them into unresponsive pigs.

    Better to properly lock down user accounts and teach users proper data hygiene. So we can use those resources to accomplish work instead of not-work.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    1. Re:a waste of CPU cycles by h4rr4r · · Score: 3, Informative

      teach users proper data hygiene
      Totally impossible. They don't care and you can't make them care.

    2. Re:a waste of CPU cycles by mr_mischief · · Score: 2

      Here's the thing many geeks don't get or just forget... the non-geeks often don't WANT to learn about the computer. They want to put in their 40 doing THEIR job and go home. They think that since there's a whole overhead IT department full of people who think about the computers all day that those people should take care of the damn tools so the people earning the company money can continue to do so.

      Just because you like the computer and can teach them doesn't mean they want to learn.

  26. herd immunity by Tom · · Score: 2

    Read up on immunology and specifically the term "herd immunity".

    It's not just whether or not you are resistant to a virus, it is also if you help or hinder the spread. It takes surprisingly few non-vaccinated people in a population for an epidemic to get started. Because the spread of viruses, both biologically and in IT, is a numbers game. If the virus finds > 1.0 victims in its lifetime, it will spread and the number of infected hosts will steadily increase. Only if you manage to push down the infection rate to < 1.0 can you eliminate it.

    Anti-virus on a Mac or Linux system does not only protect the system itself, its purpose also is to protect other, for example windows, systems. Your Linux may be immune to the Word macro virus, but if it can detect and kill it, that windows system you send it to doesn't get infected.

    If you know anything about how stuff spreads in a population, you positively don't want the stuff in your environment, not even on hosts that are immune.

    (edit: posting a 2nd time because /. stupid "plain old text" eats everything after the "lesser than" sign if you don't escape it...)

    --
    Assorted stuff I do sometimes: Lemuria.org
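      The "numbers game" in the post above (and the seconds-to-minutes spread argument in the same author's earlier comment on rebuild costs), as an added example that is not part of either post. It is a small branching-process simulation with three host classes: Windows hosts that get infected and forward the file, Linux hosts without a scanner that cannot run it but still pass it on, and Linux hosts with a scanner that detect and drop it. The host counts, contact count and seed are constructed; the model is an assumption chosen to show the effect the post describes, not a measurement of any real malware.

```python
"""Herd immunity in a mixed network: immune-but-relaying hosts vs. scanning hosts.

Added example (not from the post). Each carrier passes the file to a fixed
number of random hosts once in its "lifetime". A Linux host that cannot run
the malware but forwards the file contributes nothing to herd immunity;
a Linux host that scans and drops it ends the chain.
"""
import random
from collections import deque


def herd_threshold(contacts: int) -> float:
    """Fraction of hosts that must DROP the malware (not merely be immune to it)
    so a carrier reaches fewer than one new carrier on average (R below 1)."""
    return 1.0 - 1.0 / contacts


def outbreak(n: int, linux_fraction: float, linux_scans: bool,
             contacts: int = 3, trials: int = 20, seed: int = 7) -> float:
    """Mean fraction of Windows hosts infected over `trials` seeded runs.

    Hosts 0..n_windows-1 are Windows (susceptible); the rest are Linux (immune).
    Every host is reached at most once; reached Windows hosts are infected.
    """
    rng = random.Random(seed)          # seeded so the result is reproducible
    n_linux = int(n * linux_fraction)
    n_windows = n - n_linux
    total = 0.0
    for _ in range(trials):
        reached = [False] * n
        queue = deque()
        patient_zero = int(rng.random() * n_windows)   # starts on a Windows box
        reached[patient_zero] = True
        queue.append(patient_zero)
        infected_windows = 1
        while queue:
            carrier = queue.popleft()
            for _ in range(contacts):
                target = int(rng.random() * n)
                if reached[target]:
                    continue
                reached[target] = True
                if target < n_windows:
                    infected_windows += 1
                    queue.append(target)           # infected, keeps spreading
                elif not linux_scans:
                    queue.append(target)           # immune, but relays the file
                # else: Linux host with AV detects and drops it; chain ends here
        total += infected_windows / n_windows
    return total / trials


if __name__ == "__main__":
    # Constructed network: 2000 hosts, 80% Linux, 3 contacts per carrier.
    print("threshold of dropping hosts for R<1:", herd_threshold(3))
    print("Linux relays, no AV :", outbreak(2000, 0.8, linux_scans=False))
    print("Linux scans and drops:", outbreak(2000, 0.8, linux_scans=True))
```

      With 80% of hosts immune but unscanned, nearly every Windows host still ends up infected, because the immune hosts relay as effectively as the vulnerable ones; once those same hosts scan and drop, the effective reproduction number falls to 3 x 0.2 = 0.6 and the outbreak fizzles after a handful of machines. That is the post's point about not wanting the stuff on immune hosts, in numbers.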
  27. Re:Yes by ePhil_One · · Score: 2

    The DoD's reasoning is pretty straightforward. There are few to no "in the wild" viruses or trojans for Linux/Mac (several worms though), but data rarely stays in one platform in an interconnected world. We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.

    Exactly. 99% of what my Linux boxes scan for are Windows malware (viruses, worms, trojans, etc). I prefer to scan for such things on a box that is not susceptible to most things. Since websites, USB keys, and portable media, bittorrent, etc., mean viruses can come into almost any system on the network, all machines should be scanning for all viruses, whatever the platform.

    Home users can do what they want, but in any larger networked environment where you don't have absolute control, this is absolutely necessary.

    --
    You are in a maze of twisted little posts, all alike.
  28. Re:Fear not fact by Riceballsan · · Score: 2

    As far as protection from linux viruses you would be wasting your time. Not so much entirely because of a better security model, but because of a lack of viruses in the wild, and a lack of spreading capabilities within them. Odds are if you have a virus on a linux system, it was most likely crafted for your system and specifically targeted, and targeted/custom written viruses won't be stopped by traditional AVs.

  29. Ok, but that's not workable in the real world by name_already_taken · · Score: 3, Insightful

    teach users proper data hygiene Totally impossible. They don't care and you can't make them care.

    Totally easy: 1: Here's not how to be an idiot. 2: If you're an idiot, you're fired without severance or health benefits.

    Can you tell me how I can fire my boss? There's basically nobody above him in the organization, so I'm just wondering how you'd apply your totally easy method in this case?

    There are also the cases where an employee is the main rain-maker for the company, but hasn't a clue how to keep from getting malware on their computer. A law firm is not going to fire an attorney who brings in $30 million a year just because they keep getting malware on their pc, for example.

    --
    Putting moderation advice in your .sig lowers your karma!