[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Wed Sep 10 18:00:11 PDT 2003


Quoting Tom Macke (macke at scripps.edu):

> Our head IT guy just asked me if I knew of any linux "antivirus" package
> that we could get.  I think I saw that there was recently a linux virus,
> but just figured that that solution was keep the patches current.  Any
> suggestions?

Hmm, this is a topic that tends to devolve into a lot of subtopics, many
of them in response to "Yes, but..." questions from people to whom the
answer is alien to the point of incredulity.

The concept of "Linux antivirus package" can mean one of two very
different things.

1.  Quarantining and scrubbing of MS-Windows (and possibly other
foreign-OS) files temporarily resident on Linux, e.g., because your
Linux box is a Samba server (Windows file/print) or an SMTP/POP3/IMAP
server holding mail that is then handed to Windows MUAs (mail clients).

2.  Quarantining and scrubbing of other files on Linux to protect
against Linux malware.

3.  Or it can mean that the IT guy in question really hasn't the
faintest idea what he means, but just has a spinal reflex to put
"antivirus" software on any machine whatsoever.


I'm going to address case #1 in this e-mail.  I'll probably get to case
#2 later, because that's where discussion tends to become endless and
branch out in lots and lots of directions.  Why?  Because the short form
of the answer is "There'd be no point.  Linux malware may be easy to
create but it's in practice impossible to propagate, because of
cautionary mechanisms that are enforced by Linux architecture and
culture.  Any attempt at an 'antiviral' package would be a huge system
threat in itself, and would tend to give wielders of root-user access a
false sense of security, since that privilege is already a much bigger
threat to the system than malware (viruses, etc.) is."


Anyhow, as to virus-checkers that run on Linux to find and remove
other-OS viruses.  Here are some links I found by googling:

Mailscanner:
http://www.sng.ecs.soton.ac.uk/mailscanner/
http://packages.debian.org/unstable/mail/mailscanner.html

Clam AntiVirus (ClamAV) and OpenAntiVirus:
http://clamav.elektrapro.com/
http://www.openantivirus.org/
http://packages.debian.org/unstable/utils/clamav.html

McAfee VirusScan
(Apparently, a number of Linux MTAs can be used with the McAfee VirusScan
virus-definition files.  No link, exactly, but you can google for
"mcafee antivirus linux" to find relevant materials.)

AMaViS Virus Scanner / AMaViS-ng / amavisd-new
http://www.amavis.org/

Bit Defender
http://www.bitdefender.com/bd/site/solutions.php?menu_id=8&s_id=4
http://www.bitdefender.com/bd/site/products.php?p_id=11 

Kaspersky Anti-Virus for Linux
http://www.kaspersky.com/buyonline.html?chapter=595425&tgroup=4

Trend Micro Interscan Viruswall
http://www.trendmicro.com/

Sophos AntiVirus
http://www.sophos.com/products/sav/

F-Prot
http://www.f-prot.com/
http://packages.debian.org/unstable/utils/f-prot-installer.html
[$300 for Small Business & $450 for Enterprise Business]
 
F-Secure
http://www.f-secure.com/products/anti-virus/firewalls/linux.shtml
 
Kaspersky Labs
http://www.kasperskylabs.com/products.html?fos=3&os=%3E
 
eTrust Antivirus (formerly InoculateIT)
http://www3.ca.com/Solutions/Product.asp?ID=156
(Note:  Computer Associates is where formerly OK software companies go
to be embalmed and their customer base milked after they've died.)
 
CommandAV
http://www.authentium.com/solutions/products/commandantivirus.cfm
 
Vexira Antivirus for Linux Workstation
http://www.centralcommand.com/

Panda Antivirus for Linux
http://www.pandasoftware.com/com/linux/linux.asp

AntiVir for Linux
http://www.hbedv.com/


The above list is mostly gathered from other sources.  Please note that
I have _zero_ experience with these packages.  ClamAV appears to have a
good reputation, though, and is open-source.


A few words about case #3 (IT guy has no clue, but insists reflexively
that any corporate computer must run "antivirus software"):  Sometimes,
rather than argue with the guy and try to educate him, it's best to tell
him what he wants to hear.  That is, tell him that he raised an
excellent point, and you appreciate being reminded of that
company-critical issue.  Therefore, you've deployed the extremely
effective antiviral package comprising Exim and Spamassassin.  (See:
http://marc.merlins.org/linux/exim/sa.html)  Tell him that _zero_
Sobig.F e-mails ever get past that combination (which is true).  

You _don't_ have to tell him that the package's design goal has nothing
whatsoever to do with viruses, but rather aims to eliminate almost all
junkmail during the SMTP session rather than after delivery.  What he
doesn't know won't hurt him.

If you don't deploy the Exim-SA combo, you can still (correctly) tell
him that your anti-virus package's name is "procmail" (used as mail
delivery agent).  Procmail with a modest collection of filters is
(possibly, maybe) at least as effective as dedicated virus scanners for
case #2 (native Linux viruses), given the fact that they're basically 
nonexistent.
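As an added illustration of the "procmail with a modest collection of filters" idea (this is example configuration written for this archive page, not Rick's own recipes, and the mailbox paths and the attachment-extension list are assumptions), here is a minimal ~/.procmailrc that diverts messages carrying Windows-executable attachments into a quarantine Maildir instead of the inbox. Procmail's B flag makes the condition match against the message body, which is where the MIME part headers naming an attachment live:

```procmail
# ~/.procmailrc -- constructed example, not from the original post.
# Assumes procmail is the local delivery agent and mail lives in Maildir
# format under $HOME/Maildir (trailing slash = Maildir delivery).
PATH=/usr/bin:/bin
MAILDIR=$HOME/Maildir
DEFAULT=$MAILDIR/
LOGFILE=$HOME/.procmail.log
VERBOSE=off

# Quarantine any message whose MIME part headers name an attachment with a
# Windows-executable extension.  The B flag searches the body (where the
# part headers are); '^' anchors to the start of a line inside the body.
# The extension list is an assumption; extend it to taste.
:0 B
* ^Content-(Disposition|Type):.*(filename|name)=.*\.(exe|pif|scr|bat|com|cmd|vbs)
$MAILDIR/.Quarantine/

# Everything else is delivered normally.
:0
$DEFAULT
```

The recipe never executes or opens the attachment; it only pattern-matches the declared filename, so it is cheap and safe on a server that merely relays mail to Windows clients.  Check $HOME/.procmail.log after the first few deliveries to confirm the quarantine folder is receiving what you expect and nothing legitimate is being diverted.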

More about case #2 in a separate mail.

-- 
Cheers,              Wall Street has all the emotional stability of a 
Rick Moen            thirteen-year-old girl.   -- Louis Rukeyser
rick at linuxmafia.com