Title: Anti-virus software for Linux

KBTAG: kben10000024
URL: http://www.securityportal.com/lskb/10000000/kben10000024.html
Date created: 13/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Anti virus software for Linux
Keywords: Viruses

Summary:

Linux is not susceptible to viruses in the same way that DOS/Windows or the Macintosh platform is. In UNIX, security controls are a fundamental part of the operating system: for example, an ordinary user's process cannot write to arbitrary locations in memory or to system files, as DOS and the classic Mac OS allowed. Anti-virus scanners for Linux are nonetheless useful for scanning incoming/outgoing email, files stored on servers (Samba/NFS) and network traffic, since that is where viruses aimed at the Windows and Mac clients of those services pass through; the chances of a virus infecting the Linux platform itself are minimal (almost none).

More information:

To be fair, there are viruses for UNIX. However, the only Linux one I have seen was called "bliss"; it had an uninstall option ("--uninstall-please") and had to be run as root to be effective. Or, to quote an old UNIX favorite, "if you don't know what an executable does, don't run it as root". Worms are much more prevalent in the UNIX world, the first major occurrence being the Morris Internet worm, which exploited a vulnerability in sendmail (among other weaknesses, including a buffer overflow in fingerd). Current Linux worms exploit broken versions of imapd, sendmail, WU-FTPD and other daemons. The simplest fix is to keep up to date and not make daemons accessible unless necessary. These attacks can be very successful, especially if they find a network of hosts that are not up to date, but typically their effectiveness fades as people upgrade their daemons. In general I would not specifically worry about these two items, and there is definitely no need to buy anti-virus software for Linux.

Worms have a long and proud tradition in the UNIX world: by exploiting known security holes (generally, very few exploit new/unknown holes) and replicating, they can quickly mangle a network. There are several worms currently making their way around Linux machines, mostly exploiting old BIND 4.x and old IMAP software. Defeating them is as easy as keeping software up to date and disabling network daemons you do not need; generally speaking, an anti-virus program won't be very effective against them.

Trojan horses are also popular. Recently ftp.win.tue.nl was broken into and the TCP_WRAPPERS package (among others) was modified to email passwords to an anonymous account. This was detected when someone checked the PGP signature of the package and found that it wasn't quite kosher. Moral of the story? Use software from trusted sites, and check the PGP signature(s), against a key whose fingerprint you obtained from somewhere other than the same download server: an attacker who can replace the package can just as easily replace the key and signature sitting next to it.

Disinfection of the system once compromised

Back up your data, format and reinstall the system from known good media. Once an attacker has root on a Linux system they can literally do anything, from compromising gcc/egcs to loading interesting kernel modules at boot time or replacing your existing kernel, so nothing on the compromised disk, including its copies of ps, ls or the kernel, can be trusted to tell you what happened. Do not run untrusted software as root. Check the GnuPG/PGP signatures on files you download, etc. An ounce of prevention will pretty much block the spread of viruses, worms and trojans under Linux.
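The signature check recommended above and in the trojan-horse paragraph, as an added example that is not part of the original article: a POSIX shell script that verifies a detached GnuPG signature on a downloaded archive and, unlike a bare `gpg --verify`, also pins the signing key to a fingerprint obtained out of band. gpg exits 0 for a good signature from any key in your keyring, so the script parses the machine-readable `--status-fd` lines instead. The file names, the sample status lines and all fingerprints below are constructed for illustration.

```shell
#!/bin/sh
# verify_download ARCHIVE ARCHIVE.sig EXPECTED_FINGERPRINT
#
# Added example: verify a detached GnuPG signature and require that the
# signing key (or its primary key) matches a fingerprint you already
# trust. All file names and fingerprints here are made up for the demo.

# check_status STATUS_TEXT EXPECTED_FPR
# Parse the "[GNUPG:] ..." lines gpg emits with --status-fd and return 0
# only for a VALIDSIG from the expected key. Kept separate from gpg so it
# can be exercised on constructed status text without a keyring.
check_status() {
    st="$1"
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')

    # Any explicit failure line wins, whatever else is present.
    if printf '%s\n' "$st" |
       grep -qE '^\[GNUPG:] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    # VALIDSIG carries the full fingerprint of the signing key in field 3
    # and, as its last field, the fingerprint of that key's primary key.
    fprs=$(printf '%s\n' "$st" | awk '/^\[GNUPG:] VALIDSIG/ { print $3; print $NF }')
    [ -n "$fprs" ] || return 1
    for f in $fprs; do
        [ "$(printf '%s' "$f" | tr 'a-f' 'A-F')" = "$expected" ] && return 0
    done
    return 1
}

# verify_download ARCHIVE SIGNATURE EXPECTED_FPR
# Runs gpg and fails closed: a missing gpg, a missing key, a bad
# signature or a good signature from the wrong key are all rejected.
verify_download() {
    archive="$1"; sig="$2"; expected="$3"
    # --status-fd 1 puts the machine-readable lines on stdout; gpg's
    # human-readable chatter goes to stderr and is discarded here.
    st=$(gpg --batch --status-fd 1 --verify "$sig" "$archive" 2>/dev/null) || true
    if check_status "$st" "$expected"; then
        echo "OK: $archive is signed by key $expected"
        return 0
    fi
    echo "REJECT: $archive (missing, bad, or wrong-key signature)" >&2
    return 1
}

# Constructed sample status output, in the format gpg --status-fd uses.
# The key IDs and fingerprints are invented for this example.
SAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_PRIMARY_FPR='89ABCDEF0123456789ABCDEF0123456789ABCDEF'
WRONG_FPR='FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Project <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2000-04-13 955584000 0 4 0 17 2 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED'
SAMPLE_BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Project <release@example.org>'

# With three arguments, verify a real download; otherwise run the parser
# over the constructed samples so the script demonstrates itself offline.
if [ $# -eq 3 ]; then
    verify_download "$1" "$2" "$3"
else
    check_status "$SAMPLE_GOOD_STATUS" "$SAMPLE_FPR" && echo "good signature, expected key: accepted"
    check_status "$SAMPLE_GOOD_STATUS" "$WRONG_FPR" || echo "good signature, wrong key: rejected"
    check_status "$SAMPLE_BAD_STATUS" "$SAMPLE_FPR" || echo "BADSIG: rejected"
fi
```

Usage against a real download would be `sh verify.sh tcp_wrappers_7.6.tar.gz tcp_wrappers_7.6.tar.gz.sig '0123 4567 ...'`, with the fingerprint copied from the author's web page, a printed announcement or a key you verified in person, not from the FTP directory that holds the archive. Note that a `TRUST_UNDEFINED` line is deliberately not treated as a failure: the fingerprint comparison is the trust decision, so the script does not depend on the web of trust state of your keyring.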

Downloads:

AntiVir

AntiVir is a commercial virus scanner that runs on a variety of Windows platforms and on Linux. You can get it from: http://www.hbedv.com/.

AVP

Kaspersky Lab has also ported their anti-virus scanner (AVP) to Linux. It is currently in beta and available at: http://www.kasperskylab.ru/eng/products/linux.html

InterScan VirusWall

Trend Micro has ported this product to Linux and offers it for free download on their site. You can get it from: http://www.antivirus.com/products/isvw/.

F-Secure Anti-Virus

Data Fellows has ported their anti-virus scanner to Linux as well. You can get it at: http://www.europe.datafellows.com/products/

Sophos Anti-Virus

Sophos Anti-Virus is a commercial virus scanner that runs on a variety of Windows and UNIX platforms. It is free for personal use and relatively inexpensive for commercial use. You can get it at: http://www.sophos.com/.