I could not have said it better. Each server in a farm
has a purpose. AV may be applied as needed.
If there is no chance of spreading a virus with that
server, then running AV only wastes CPU, memory and
creates higher IO Wait times. In addition to that, it
adds one more potential vulnerability, since some virii
target known functions in AV and not the OS itself.
On the other hand, as mentioned, if the server is relaying
files that could potentially carry a virii payload, then
whether for legal or ethical reasons, it is best to stop
the payload before it gets to hosts that are potentially
vulnerable. Mail servers, file servers, chat servers
(that allow txfer via the server) should run AV. ClamAV
is even adding malware detection in the .90 release as far
as I know.
Unix web servers by themselves have no need for AV
_unless_ they allow for users to upload/share files. One
such example would be the attachment modules for phpbb or
various web portal php sites. Web servers that serve up
static content have no need for AV, as the webmaster
should ensure that nothing on the site is malicious.
AV should also always be configured to exclude things that
would cripple a machine if they attempted to scan or lock
the files. One such example would be MySQL/Oracle
database files. Another example would be swap "files" if
swap were extended using non partitions. This isnt a real
problem if the AV user is non-root, however being
non-root, one must trust all of the applications handling
the payload to make use of the AV software properly.
In terms of protecting the server itself, _if configured
properly_ an alternate direction to go would be to make
use of SELinux when using linux as the server. This is no
small task in a highly customized site, however does not
consume the resources of a typical AV solution and
prevents far more serious issues than virii.
http://www.nsa.gov/selinux/ Included in Redhat and
Gentoo now, along with a few others.
--Aaron
On Fri, 27 Jan 2006 10:18:03 -0600
Eric Rostetter <rostetter@mail.utexas.edu> wrote:
Quoting Moderator <mod-linux@securityfocus.com>:
The following message was submitted to the list by
Alexander Klimov.
[...]
Since there are quite a few replies let me elaborate.
There are two
types of viruses: those that exploit software
vulnerabilities and
those that exploit wetware (that is a PEBKAC).
And there are _many_ kinds of linux systems and users.
the virus is released. Unlike some other OSes, with any
good Linux
distribution it is quite easy to live most of the time
without known
vulnerabilities in your system.
If you run wine, zen, mach, vmware, or anything that
runs or can run
windows (or another vulnerable OS), than you should run
AV in at least
the virtual machine, and preferably in both linux and
virtual machine.
If you run openoffice, you are open to macro viruses and
all the same
things that hit MS Office apps, and you should run an AV
if you don't
want to be a hit by them, or spread them to others.
Now if you have a system with no
vulnerabilities exploitable by known viruses none of
them can
compromise your system -- you cannot get better results
from an AV
(AFAIK `unknown virus detection' is more marketing than
reality).
True. But you can help spread them. Of course there is
the obvious
examples of linux machines which are file servers and
mail servers and
the like. Why would you want these spreading viruses?
But even regular
office user linux machines can spread around viruses via
file transfers
(forwarding e-mail, swaping floppies or usb devices,
burning cd-roms, etc).
Maybe not a big deal if you only deal with other linux
machines, but if
you interact with people using other OS's do you really
want to be the
one who passed a virus on to them?
root to solve it: wget ...'. I am not sure I understand
how sharing
files with Windows can be dangerous but probably it is
in this
category as well
It is dangerous for other windows users you give the
file to, or dangerous
to you if you run windows in a VM environment in linux,
or run OpenOffice
or other windows-software emulation software.
BTW do not get me wrong: if I say that AV is useless
(or, worse, it
can have its own vulnerabilities) it does not mean that
you should not
use a firewall in both directions or check integrity of
system files.
AV software _may_ be useless depending on your
environment. I run it
on my linux mail server, and it is not worthless to me
or my users, since
half my users run Windows and Mac machines. They thank
me for not exposing
them to the viruses via their e-mail. You could make
the same type of
arguments for file servers, etc.
Yes, you _may_ not need a AV product on your linux
machine. Then again,
you _may_ need one. It depends on how you use the
machine, what you run
on the machine, and how you and that machine interact
with others.
The real-world example is how it is illegal most places
to knowingly infect
other people with a human virus that you know you carry.
It does not matter
if you are immune to it or not, the law reflects the
fact that others are not
and that you should not knowingly spread it to them as
you know it can cause
them harm.
Use a similar principle in computers and networks. If
you know your
computer has or is likely to spread viruses to others
and could cause harm
to them, then the _responsible_ thing to do is to run AV
software on your
machine to try to prevent that. If you know your
computer is
_highly unlikely_ to spread viruses to others, and
should not pose any
virus risk to others, then there is no need to run AV
software if you
don't want to (and may be very good reasons not to, in
fact).
--
Regards,
ASK
--
Eric Rostetter
The Department of Physics
The University of Texas at Austin
Go Longhorns!
