Tasmanian Dept. of Education Wants Anti-Virus for Linux, OS X

An anonymous reader writes "One of Australia's largest government technology buyers, the Tasmanian Department of Education, has gone to market for a security vendor to supply anti-virus software for its 40,000-odd desktop PCs and laptops, as well as servers. But the department's not just running Windows — it runs Mac OS X and Linux as well, and has requested that whatever solution it buys must be able to run on those platforms as well. But have we reached the stage where Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it."


  1. Passing on Viruses by Anonymous Coward · · Score: 4, Insightful

    A computer can still pass on a virus even if it cannot directly infect you. It might not be your responsibility but will a child know this? If he forwards an attachment unwittingly or something?

    Linux users and Mac users could accidentally infect a Windows user.

    1. Re:Passing on Viruses by Mouldy · · Score: 5, Informative

      This is exactly why antivirus software for Linux already exists; they probably catch a couple of Linux viruses too, but the majority of their definitions are Windows viruses.

      I've set up ClamAV on my Linux mail server to catch most dodgy stuff before it reaches my Windows PC. I also recently installed it onto my Linux Netbook to scan a friend's external hard drive for a Windows virus. I haven't been following the latest security news, so didn't particularly want to risk plugging it into my friend's or my Windows machine to scan it.

      So I agree, there definitely is a use for Linux-based anti-virus software... even if my own uses are mainly concerned with protecting Windows machines.

    2. Re:Passing on Viruses by Ailure · · Score: 4, Insightful

      You're probably thinking of ClamAV http://www.clamav.net/

    3. Re:Passing on Viruses by Bert64 · · Score: 5

      I have found the same thing happen with most other AV engines too...

      I have done a number of incident response jobs whereby a machine has become infected and it's my job to work out what happened...

      All machines were windows...
      All machines were running some kind of AV (multiple different vendors).
      Every machine had a persistent piece of malware present on it.
      The AV actually installed failed to detect the malware.
      Testing the malware with other AV engines found that some would find it; I never encountered anything totally new that wasn't detected by anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!

    4. Re:Passing on Viruses by mjwx · · Score: 4, Interesting

      A computer can still pass on a virus even if it cannot directly infect you. It might not be your responsibility but will a child know this? If he forwards an attachment unwittingly or something?

      Linux users and Mac users could accidentally infect a Windows user.

      In my experience, Mac users are even more irresponsible than clueless Windows users. They think they are magically protected, which means they will ignore obvious signs of infection till the very end.

      As we all know, malware is less about doing damage and more about making money these days. Keyloggers, trojans and spambots exist for OSX these days (as well as Linux) but they focus on staying hidden as their job is to make money, not make people annoyed which means they need to stay where they are to collect CC numbers or send spam.

      Linux users should not have a problem with AV, even if they are smart enough not to need it. Linux users already think with a security-focused mind; as an effect, using Linux in lieu of an AV client is laziness on our part (granted, we can recognise an infected machine, so we can afford a bit of laziness).

      To use a Zombie virus analogy, Windows users are the ones running about in a mad panic as the Zombie horde approaches, blocking highways and running to get away. Mac users walk towards them saying, "Zombies don't exist on Mac, I could never get infected". Linux users fled to the hills six months ago with as much fuel, food and porn as they could carry.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.

    5. Re:Passing on Viruses by memzer · · Score: 4, Informative

      I'm guessing this was meant to be a troll but really things aren't as bad as you make them out to be these days...

      If you're setting up a mail server there are packages available which integrate all of the things you mentioned above into easier to manage / maintain systems. For example, one popular one is iRedMail http://www.iredmail.org/features.html which can be set up by an intermediate user in around one minute [Video: http://www.youtube.com/watch?v=wi8CF3RKRm4].

      If you are implying it's much more complicated for the end user then you're kidding yourself as well. These days there are guides for most popular distributions and usually it's not much more difficult than installing the software and/or configuring an addon. For example, the Ubuntu community guide has easy to follow instructions for configuring Thunderbird with ClamAV. The process is by no means difficult (install, set ports, install addon) and takes less than a minute to complete for a novice user capable of following some instructions.

      There are of course users who would find following such a guide too difficult, but really these users simply lack the experience, confidence, patience or time to do so anyway. They're likely the same users who pay somebody else (or come to you, their friend / relative) to install the software for them ;)

      Point I'm trying to make for people thinking of giving it a try is that it is a lot easier to do than the parent implies - even for novice-intermediate users.

    6. Re:Passing on Viruses by memzer · · Score: 4, Informative

      Link to the Ubuntu Community Guide for scanning email using Thunderbird and ClamAV for those interested:

      https://help.ubuntu.com/community/ScanningEmail

    7. Re:Passing on Viruses by HungryHobo · · Score: 5, Informative

      Pretty much hit the nail on the head.

      Polymorphic and Metamorphic viruses already exist and it's been proven mathematically that detecting such code is NP-complete.
      (Spinellis, Diomidis; Reliable identification of bounded-length viruses is NP-complete, IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137)

      http://en.wikipedia.org/wiki/Polymorphic_code
      http://en.wikipedia.org/wiki/Metamorphic_code

      The scanners are so bad at detecting viruses because it's an example of Enumerating Badness which is one of the 6 dumbest ideas in security which just won't die.

      http://www.ranum.com/security/computer_security/editorials/dumb/

      Rather than trying to keep track of the few thousand or tens of thousands of things that should be running on your own network and white-listing those you either try to keep track of everything bad in the world or pay someone else to. Then you try to blacklist those.
      Thus you get an antivirus scanner.
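
The contrast HungryHobo draws, as an added example that is not part of the original thread: a blocklist ("enumerating badness") only catches byte patterns it has already catalogued, so a trivially altered variant slips through, while a hash allowlist of the things that are supposed to run on your own network treats anything unrecognised as unknown by default. All signatures, file contents and hashes are constructed for the demo.

```python
import hashlib

# Constructed "known bad" byte pattern, standing in for a scanner signature.
BAD_SIGNATURES = {b"CONSTRUCTED-BAD-PATTERN-1"}

# Constructed set of approved scripts; in practice this is every file that
# is supposed to run on your own network, hashed at deployment time.
APPROVED_CONTENT = [
    b"#!/bin/sh\necho hello\n",
    b"#!/bin/sh\ntar czf /backup/home.tgz /home\n",
]
ALLOWLIST = {hashlib.sha256(blob).hexdigest() for blob in APPROVED_CONTENT}


def blocklist_verdict(content: bytes) -> str:
    """Enumerating badness: flag only content that matches a known signature."""
    for sig in BAD_SIGNATURES:
        if sig in content:
            return "blocked"
    return "allowed"        # anything not yet catalogued passes by default


def allowlist_verdict(content: bytes) -> str:
    """Enumerating goodness: permit only content whose hash was pre-approved."""
    digest = hashlib.sha256(content).hexdigest()
    return "allowed" if digest in ALLOWLIST else "unknown"   # default deny


def compare(content: bytes) -> dict:
    """Run both checks so the two philosophies can be compared side by side."""
    return {"blocklist": blocklist_verdict(content),
            "allowlist": allowlist_verdict(content)}


# Constructed samples: a catalogued bad file, a trivially changed variant of
# it (the kind of change a polymorphic engine makes), and one approved file.
CATALOGUED_BAD = b"#!/bin/sh\n# CONSTRUCTED-BAD-PATTERN-1\n"
VARIANT = b"#!/bin/sh\n# CONSTRUCTED-BAD-PATTERN-2\n"
APPROVED = APPROVED_CONTENT[0]

if __name__ == "__main__":
    for label, blob in [("catalogued", CATALOGUED_BAD), ("variant", VARIANT),
                        ("approved", APPROVED)]:
        print(label, compare(blob))
```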

  2. AV software is not only for your own safety... by Mattsson · · Score: 4, Insightful

    If you exchange documents and files with other users, having anti-virus and anti-malware software or not is not only an issue for your own protection.
    Even if you run on a system that you believe to be safe from those kinds of infections, you might spread it to other users if you ever pass on files that you get from others.
    This might not be of any importance to you personally, but in a large organization it might be of vital importance that malicious software can't "hide" in unprotected systems of other flavours than it was designed for.

    --
    /.Mattsson - My native language is not English, so please don't whine over linguistic errors. (That's lame anyway...)

  3. cross platform virus scanner for linux and mac by Gunstick · · Score: 5, Funny

    #!/bin/sh
    echo "starting scan..."
    n=`find / -type f | wc -l`
    echo "scan completed of $n files"
    exit 0

    --
    Atari rules... ermm... ruled.

    1. Re:cross platform virus scanner for linux and mac by O'Nazareth · · Score: 5, Informative

      I wish to file a bug report: you count multiple times files with several hard links.
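
The bug O'Nazareth reports, and the fix, as an added example that is not part of the original thread: `find -type f | wc -l` counts directory entries, so a file with N hard links is counted N times, whereas counting distinct (device, inode) pairs counts each file once. The tree it walks is constructed in a temporary directory.

```python
import os
import stat
import tempfile


def count_paths(root: str) -> int:
    """Naive count: one per regular-file path, like `find / -type f | wc -l`."""
    total = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))   # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode):
                total += 1
    return total


def count_unique_files(root: str) -> int:
    """Hard-link-aware count: one per distinct (device, inode) pair."""
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if stat.S_ISREG(st.st_mode):
                seen.add((st.st_dev, st.st_ino))
    return len(seen)


def demo_tree() -> tuple:
    """Constructed tree: two real files, one of them hard-linked twice more."""
    root = tempfile.mkdtemp()
    a = os.path.join(root, "a.txt")
    b = os.path.join(root, "b.txt")
    with open(a, "w") as f:
        f.write("x")
    with open(b, "w") as f:
        f.write("y")
    os.mkdir(os.path.join(root, "sub"))
    os.link(a, os.path.join(root, "sub", "a-link1"))   # same inode as a.txt
    os.link(a, os.path.join(root, "sub", "a-link2"))
    return count_paths(root), count_unique_files(root)


if __name__ == "__main__":
    naive, unique = demo_tree()
    print("paths counted:", naive, "distinct files:", unique)
```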

    2. Re:cross platform virus scanner for linux and mac by Delgul · · Score: 5, Funny

      For manager types you need to include "Your computer is safe" somewhere along the line ;-)

    3. Re:cross platform virus scanner for linux and mac by martin-boundary · · Score: 5, Funny

      That's normal behaviour, sir. Those are harder files to scan, which is why they must be scanned multiple times. Have a good day.

  4. prophecy by greenfruitsalad · · Score: 5, Insightful

    1 group will claim GNU/Linux doesn't need anti virus software.
    2nd group will claim they use antivirus on their GNU/Linux already, but only to clean emails destined for MS Windows machines or to look after their Samba exported storage.
    3rd group will say GNU/Linux needs AV software because it's only a matter of time before viruses (virii?) appear.
    4th group will say viruses for GNU/Linux already exist and provide links to some sensationalist articles on the interwebs where researchers published some concepts.
    5th group (partially composed of group 1 and 2) will claim they're not real viruses, but worms/snakes/butterflies/etc...
    6th group will claim the threat isn't viruses but PPAs in Ubuntu.
    3rd/4th group will return saying it's all about users and not the OS. And because they're careful users, they've never in their life needed AV on their MS Windows.
    Does that about cover that? Let the holy war begin...

  5. Probably just a policy problem by Blade · · Score: 4, Insightful

    This is probably just a policy issue. "We've put your AIX / HP-UX / Solaris server in". "What AV does it run?" "Er, it's running AIX / HP-UX / Solaris , we've not installed AV". "But our policy says we have to use product X or product Y to AV protect all our servers". "Yes, but you're not understan....." "Just install AV".

  6. Re:Whassa problem? by J.J.+Dane · · Score: 4, Funny

    Well, if some friendly Russian kindly allows me to download an Adobe suite or a new game from his website it's only polite that I let him use my box to send a few e-mails or whatever when I'm not using it

  7. You can't by bmo · · Score: 5, Informative

    http://technet.microsoft.com/en-us/library/cc512587.aspx

    >>You can't clean a compromised system by patching it.

    >>You can't clean a compromised system by removing the back doors.

    >>You can't clean a compromised system by using some "vulnerability remover."

    >>You can't clean a compromised system by using a virus scanner.

    >>You can't clean a compromised system by reinstalling the operating system over the existing installation.

    >>You can't trust any data copied from a compromised system.

    >>You can't trust the event logs on a compromised system.

    >>You may not be able to trust your latest backup.

    >>>>>The only way to clean a compromised system is to flatten and rebuild.

    Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I

    Security Program Manager
    Microsoft Corporation

  8. Re:Last Resort by Bert64 · · Score: 4, Informative

    Traditional rootkits exist for most Unix systems, although they typically do not spread on their own - someone has to manually root your system and install them. There are even tools dedicated to finding/removing Unix rootkits, e.g. http://www.rootkit.nl/projects/rootkit_hunter.html has a long list of rootkits it knows about.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!

  9. Re:Of Course by mjwx · · Score: 4, Informative

    You must work in IT support.

    My personal experience is:

    #1. For a technically sane, and security aware user, most antivirus software only exists to make the system hog slow.

    #2. Antivirus software is used as a placebo to make users feel they are safer. If anything, I suspect it would make users feel less responsible for their own actions because some AV software is supposedly protecting them.

    #3. How is a Linux user supposed to run AV? With WINE? I know there is clamav, but it's not intended for those "active monitoring/scanning" things you have on Windows. Maybe the "shell script" placebo* will work equally well at "educating users" if that's what you want. No point in making a system slow.

    * http://apple.slashdot.org/comments.pl?sid=2119134&cid=35997968

    You must work in sales, because you have no experience in the real world.

    #1. Actual, technical users understand that AV is important, they just recognise the signs of infection as well as any AV does and will take steps when they detect them. For us, AV clients are just a way to be lazy.

    #2. Just because AV will not protect against some 0-days does not make it useless. It's a method of protecting against old threats which are still quite prevalent thanks to people who don't use or ignore AV. Not to mention that many viruses are simply minor variations of old ones; the W32.Foo.F virus looks quite similar to W32.Foo.E.

    #3. Umm... You do know that there are a variety of Linux clients out there. Clam AV, Trend Micro, AVG, Kaspersky and others have clients. Any AV vendor in the Enterprise space has a client, as Enterprises use Linux servers quite a bit. Do a Google search for "Linux Anti Virus" before launching on an ill-informed rant.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.

  10. worms and spam bots by mathfeel · · Score: 4, Interesting

    I was embarrassed recently when the IT department claimed a Linux computer in my office was taken over by the Rustock BOT. After checking the ssh log, I realized it was a coworker who uses it for a code repository and SOCKS5 proxy as he works abroad from China. He has a compromised Windows machine. To the best of my knowledge, AV doesn't really catch this stuff, which is more and more common nowadays. Anyone have recommendations?

    --
    The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't

  11. Re:Last Resort by fuzzyfuzzyfungus · · Score: 5, Interesting

    Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware. Linux doesn't have any common malware, and I'm not sure about Mac. There is clamav, but that's mostly detecting Windows viruses across platforms.

    One additional advantage (in institutional setups; home users are screwed) is that the presence of AV requires the designers of viruses to make a choice: either you attempt to lay low, and take the risk that a future update of the AV package will detect your virus, or you go all cyber-AIDS on the system and attempt to throw a spanner in the AV system or its update mechanism. In the latter case, the client generally stops responding to the AV management server, which throws up a major red flag. At that point, you either pull the system aside for a more detailed chat, or nuke it, depending on your priorities.

    It's like trying to scare off ninjas by deploying mall cops. The mall cops are hopelessly outmatched; but they will, on occasion, stumble across a ninja, which forces the ninjas to either passively risk detection or actively start killing the mall cops, which alerts you to their presence.
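
The red flag fuzzyfuzzyfungus describes, turned into detection logic as an added example that is not part of the original thread: given per-host check-in records from an AV management console, flag endpoints whose agent has gone silent, whose definitions stopped updating, or whose last update failed. The log format, host names, dates and the "current time" are all constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed check-in records as a management console might log them:
# timestamp, host, definitions date, last update status. Not real data.
CHECKIN_LOG = """\
2011-05-10T08:00:00 host=lab-pc01 defs=2011-05-10 status=ok
2011-05-10T08:01:00 host=lab-pc02 defs=2011-05-10 status=ok
2011-05-08T13:22:00 host=lab-pc03 defs=2011-04-01 status=ok
2011-05-10T07:58:00 host=lab-pc04 defs=2011-05-10 status=update_failed
2011-05-09T22:00:00 host=lab-pc05 defs=2011-05-09 status=update_failed
2011-05-10T08:05:00 host=lab-pc05 defs=2011-05-10 status=ok
"""

NOW = datetime(2011, 5, 10, 9, 0, 0)   # constructed "current time" for the demo


def latest_checkins(text: str) -> dict:
    """Keep only the most recent record per host; older lines are superseded."""
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
        host = rec["host"]
        if host not in latest or rec["ts"] > latest[host]["ts"]:
            latest[host] = rec
    return latest


def find_suspect_agents(text: str, now: datetime,
                        max_silence: timedelta = timedelta(hours=24),
                        max_defs_age: timedelta = timedelta(days=7)) -> dict:
    """Return {host: [reasons]} for endpoints whose agent looks dead or tampered with."""
    alerts = {}
    for host, rec in latest_checkins(text).items():
        reasons = []
        silent_for = now - rec["ts"]
        if silent_for > max_silence:
            reasons.append("no check-in for %d h" % int(silent_for.total_seconds() // 3600))
        defs_date = datetime.strptime(rec["defs"], "%Y-%m-%d")
        if now - defs_date > max_defs_age:
            reasons.append("definitions stale since " + rec["defs"])
        if rec["status"] != "ok":
            reasons.append("last update " + rec["status"])
        if reasons:
            alerts[host] = reasons
    return alerts


def demo() -> dict:
    return find_suspect_agents(CHECKIN_LOG, NOW)


if __name__ == "__main__":
    for host, reasons in sorted(demo().items()):
        print(host, "->", "; ".join(reasons))
```

lab-pc05 is deliberately included with an old failed update followed by a healthy check-in, so only the latest state counts and it is not flagged.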

  12. Re:Last Resort by AtomicJake · · Score: 4, Informative

    Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware.

    This is too true. On our Windows machines a self-updating AV is installed. From time to time it deletes an email with a virus (or suspicious) attachment - we would never have opened it in any case (you know those lame emails, where you can smell the virus already in the subject line). Nevertheless, over ten years in the corporation, we had two outbreaks: one was the Slammer worm brought in by an executive with a laptop and a bad firewall config (in the Windows 2000 days), the other was a very well crafted social-engineered email with a PDF attachment that was not yet known by the AV. So, in both cases, the AV did not help, and I assume that all the other viruses would not have had the chance to run either, since the humans would not execute them (opening rotten attachments).

    On the other hand the AV got multiple times in the way of the business by disabling remote login software, network analyzers, etc.

    I think that it makes sense to have AV software on the email server to filter all those typical attacks, but I am not convinced about the need for an AV on each desktop, laptop etc. It makes sense to have an AV to test each downloaded file or USB stick when connected, but to have it always running might be overkill.

    And, btw: we also had Linux machines, which were successfully attacked. However, those were network attacks against security holes in Internet servers. Maybe an intrusion detection system would have helped, but clearly not a typical anti-virus.

  13. Re:Last Resort by John+Betonschaar · · Score: 4, Insightful

    There's 90% of Windows malware wiped out. The user is, always has been and will always be the biggest source of infection. Even in the Windows world and especially today when a patched Win 7 and Office suite aren't vulnerable to drive by infections.

    What does Windows have to do with anything? The statement was that there's "more OS X and Linux malware around than you might expect", which (at least to me) implies that this amount of malware is substantial enough to care about.

    I love how Mac fanboys need to move the goal posts to justify their positions. But here you go anyway

    Great, ram your point across by throwing stereotypes around, that's really going to help your argument /s

    No doubt you have some wonderfully convenient excuse to ignore this.

    No wonderfully convenient "excuse" is necessary here, because your 'list of OS X threats' is laughable and does nothing but disprove your own argument. In 10 years of OS X history, apparently only 43 pieces of malware have been identified, most of which are Trojans, which -in your own words- depend on the user as 'the biggest source of infection', and for which antivirus software is completely unnecessary. If anything, that list proves that OS X is more or less immune to viruses and malware, and that a fully patched OS X install does not need antivirus, just common sense.

    From your own signature:

    Calling someone a "hater" only means you can not rationally rebut their argument.

    And what does calling someone a 'Mac fanboy' make you?

  14. Re:no by rwa2 · · Score: 5, Informative

    Counterpoint: yes

    The US DoD requires it too. Fortunately, it is available from commercial suppliers (ClamAV is not compliant with something or other), so you just install it and maintain it and pass the bill on to the taxpayers.

    I think it's just standard CYA, so you have someone external to blame if something slips through (which possibly explains why effective roll-your-own measures are deemed insufficient by the policymakers).

  15. Re:no by DrgnDancer · · Score: 5, Insightful

    The DoD's reasoning is pretty straightforward. There are few to no "in the wild" viruses or trojans for Linux/Mac (several worms though), but data rarely stays in one platform in an interconnected world. We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.

    --
    I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.

  16. Re:no by ironjaw33 · · Score: 4, Insightful

    We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.

    It's like getting a flu shot -- you're not only protecting yourself from the flu, but others as well.