Tasmanian Dept. of Education Wants Anti-Virus for Linux, OS X
An anonymous reader writes "One of Australia's largest government technology buyers, the Tasmanian Department of Education, has gone to market for a security vendor to supply anti-virus software for its 40,000-odd desktop PCs and laptops, as well as servers. But the department's not just running Windows — it runs Mac OS X and Linux as well, and has requested that whatever solution it buys must be able to run on those platforms as well. But have we reached the stage where Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it."
This is exactly why antivirus software for Linux already exists; they probably catch a couple of Linux viruses too, but the majority of their definitions are Windows viruses.
I've set up ClamAV on my Linux mail server to catch most dodgy stuff before it reaches my Windows PC. I also recently installed it onto my Linux netbook to scan a friend's external hard drive for a Windows virus. I haven't been following the latest security news, so I didn't particularly want to risk plugging it into my friend's or my Windows machine to scan it.
So I agree, there definitely is a use for Linux-based anti-virus software... even if my own uses are mainly concerned with protecting Windows machines.
#!/bin/sh
# Joke "scanner": it counts files and declares success without inspecting any of them.
echo "starting scan..."
n=$(find / -type f 2>/dev/null | wc -l)
echo "scan completed of $n files"
exit 0
1 group will claim GNU/Linux doesn't need anti virus software.
2nd group will claim they use antivirus on their GNU/Linux already, but only to clean emails destined for MS Windows machines or to look after their Samba exported storage.
3rd group will say GNU/Linux needs AV software because it's only a matter of time before viruses (virii?) appear.
4th group will say viruses for GNU/Linux already exist and provide links to some sensationalist articles on the interwebs where researchers published some concepts.
5th group (partially composed of group 1 and 2) will claim they're not real viruses, but worms/snakes/butterflies/etc...
6th group will claim the threat isn't viruses but PPAs in Ubuntu.
3rd/4th group will return saying it's all about users and not the OS. And because they're careful users, they've never in their life needed AV on their MS Windows.
Does that about cover that? Let the holy war begin...
http://technet.microsoft.com/en-us/library/cc512587.aspx
>>You can't clean a compromised system by patching it.
>>You can't clean a compromised system by removing the back doors.
>>You can't clean a compromised system by using some "vulnerability remover."
>>You can't clean a compromised system by using a virus scanner.
>>You can't clean a compromised system by reinstalling the operating system over the existing installation.
>>You can't trust any data copied from a compromised system.
>>You can't trust the event logs on a compromised system.
>>You may not be able to trust your latest backup.
>>>>>The only way to clean a compromised system is to flatten and rebuild.
Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I
Security Program Manager
Microsoft Corporation
I have found the same thing happen with most other AV engines too...
I have done a number of incident response jobs whereby a machine has become infected and it's my job to work out what happened...
All machines were Windows...
All machines were running some kind of AV (multiple different vendors).
Every machine had a persistent piece of malware present on it.
The AV actually installed failed to detect the malware.
Testing the malware with other AV engines found that some would find it; I never encountered anything totally new that wasn't detected by anything.
Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware. Linux doesn't have any common malware, and I'm not sure about Mac. There is clamav, but that's mostly detecting Windows viruses across platforms.
One additional advantage (in institutional setups; home users are screwed) is that the presence of AV requires the designers of viruses to make a choice: either you attempt to lay low, and take the risk that a future update of the AV package will detect your virus, or you go all cyber-AIDS on the system and attempt to throw a spanner in the AV system or its update mechanism. In the latter case, the client generally stops responding to the AV management server, which throws up a major red flag. At that point, you either pull the system aside for a more detailed chat, or nuke it, depending on your priorities.
It's like trying to scare off ninjas by deploying mall cops. The mall cops are hopelessly outmatched; but they will, on occasion, stumble across a ninja, which forces the ninjas to either passively risk detection or actively start killing the mall cops, which alerts you to their presence.
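The "client stops responding to the management server" signal from the comment above, as an added example that is not from the thread: it walks constructed check-in records from a hypothetical AV management server and flags hosts that have gone silent, hosts that never reported at all, and hosts running stale signatures. The log format, host names and thresholds are assumptions made for illustration.

```python
"""Flag endpoints whose AV agent has gone quiet or is out of date.

The absence of a check-in is the alert: a tampered or removed agent
cannot report its own tampering, so the management side has to notice
the silence.
"""
from datetime import datetime, timedelta

# Constructed sample of AV management-server check-in records (not real data).
SAMPLE_LOG = """\
2011-03-01T08:00:00 host=ws-0101 event=checkin sigver=12980
2011-03-01T08:05:00 host=ws-0102 event=checkin sigver=12980
2011-03-01T08:10:00 host=ws-0103 event=checkin sigver=12950
2011-03-01T09:00:00 host=ws-0101 event=scan result=clean
2011-03-01T20:00:00 host=ws-0101 event=checkin sigver=12981
2011-03-01T20:05:00 host=ws-0102 event=checkin sigver=12981
2011-03-01T20:10:00 host=srv-mail event=checkin sigver=12981
2011-03-01T22:00:00 host=ws-0104 event=checkin sigver=12960
"""

def parse_checkins(text):
    """Return {host: (last_checkin_time, sigver)}; non-checkin events are ignored."""
    last = {}
    for line in text.splitlines():
        fields = line.split()
        kv = dict(item.split("=", 1) for item in fields[1:])
        if kv.get("event") != "checkin":
            continue
        ts = datetime.fromisoformat(fields[0])
        host = kv["host"]
        if host not in last or ts > last[host][0]:
            last[host] = (ts, int(kv["sigver"]))
    return last

def find_silent_hosts(text, now_iso, expected_hosts=(), max_silence_hours=8):
    """Return sorted (host, reason) pairs worth a closer look.

    expected_hosts is the inventory the server should be hearing from; a host in
    the inventory with no check-in at all is the strongest signal of the lot."""
    now = datetime.fromisoformat(now_iso)
    max_silence = timedelta(hours=max_silence_hours)
    last = parse_checkins(text)
    newest = max(ver for _, ver in last.values())  # newest signature set seen anywhere
    flagged = []
    for host in sorted(set(last) | set(expected_hosts)):
        if host not in last:
            flagged.append((host, "never checked in"))
            continue
        seen, ver = last[host]
        if now - seen > max_silence:
            flagged.append((host, "no checkin for %s" % (now - seen)))
        elif ver < newest:
            flagged.append((host, "signatures %d behind" % (newest - ver)))
    return flagged
```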
Pretty much hit the nail on the head.
Polymorphic and Metamorphic viruses already exist and it's been proven mathematically that detecting such code is NP-complete.
(Spinellis, Diomidis; Reliable identification of bounded-length viruses is NP-complete, IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137)
http://en.wikipedia.org/wiki/Polymorphic_code
http://en.wikipedia.org/wiki/Metamorphic_code
The scanners are so bad at detecting viruses because it's an example of Enumerating Badness which is one of the 6 dumbest ideas in security which just won't die.
http://www.ranum.com/security/computer_security/editorials/dumb/
Rather than trying to keep track of the few thousand or tens of thousands of things that should be running on your own network and white-listing those you either try to keep track of everything bad in the world or pay someone else to. Then you try to blacklist those.
Thus you get an antivirus scanner.
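The whitelisting alternative the comment above argues for, as an added example (not from the thread or from Ranum): instead of matching files against a list of known-bad signatures, it keeps a manifest of what is supposed to be installed and reports any executable that is missing from the manifest or whose hash has changed. The directory tree, file contents and manifest are constructed for illustration.

```python
"""Enumerate goodness: report executables not on an allow-list of known hashes."""
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_executables(root, allowed):
    """Return sorted (relative path, sha256) for executables not matching `allowed`.

    `allowed` maps relative path -> expected sha256. A known path with an
    unexpected hash is reported too: a modified binary is no longer known-good."""
    unknown = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.stat(full).st_mode & stat.S_IXUSR:
                continue  # only executable files matter for this check
            rel = os.path.relpath(full, root)
            digest = sha256_file(full)
            if allowed.get(rel) != digest:
                unknown.append((rel, digest))
    return sorted(unknown)

def demo():
    """Constructed tree: two approved tools, one unapproved binary, one data file."""
    root = tempfile.mkdtemp()
    files = {"bin/ls": b"#!/bin/sh\necho ls\n",
             "bin/cat": b"#!/bin/sh\necho cat\n",
             "tmp/dropper": b"#!/bin/sh\necho not on the list\n",
             "etc/notes.txt": b"plain text, not executable\n"}
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o755 if rel.startswith(("bin/", "tmp/")) else 0o644)
    # The manifest only knows the two approved tools.
    allowed = {rel: hashlib.sha256(files[rel]).hexdigest() for rel in ("bin/ls", "bin/cat")}
    return [rel for rel, _ in audit_executables(root, allowed)]
```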
Counterpoint: yes
The US DoD requires it too. Fortunately, it is available from commercial suppliers (ClamAV is not compliant with something or other), so you just install it and maintain it and pass the bill on to the taxpayers.
I think it's just standard CYA, so you have someone external to blame if something slips through (which possibly explains why effective roll-your-own measures are deemed insufficient by the policymakers).
The DoD's reasoning is pretty straightforward. There are few to no "in the wild" viruses or trojans for Linux/Mac (several worms though), but data rarely stays in one platform in an interconnected world. We put virus protection on every platform so that whenever a document or program is introduced on the network it gets scanned. That way if it has malware in it, even Windows malware on a Linux/Mac system, it's caught early. Just because I first put the document on a Linux system doesn't mean it's going to stay on a Linux system.