[Security] Using Linux For Virus Scanning

root jlf@magusnet.gilbert.az.us
Tue, 28 Mar 2000 13:42:08 -0700


*********************************************************************
Virus Scanning Under Linux
by Jim Reavis and Kurt Seifried
 
Most of you are looking at the title and thinking, "Huh? I don't need to 
scan my Linux system for viruses, what a useless article!" Well, the 
fact of the matter is that for most people it is far from useless. There 
are relatively few Linux viruses currently in the wild (there are more 
worm-type programs circulating), and the general architecture of Linux 
and the usage habits of most administrators tend to discourage the 
spread of Linux viruses. On the other hand, the Windows clients that make 
use of your Linux server (email, file, or otherwise) do have to worry 
about viruses. 

It is easier and somewhat safer to scan for viruses on your Linux server 
than to load anti-virus software on each Windows client machine. For 
example, instead of loading anti-virus software on 30 Windows machines 
and trying to keep it up to date, you can install one copy of Sophos 
anti-virus for Linux on your mail server and scan all incoming email 
(currently the most popular method of transmitting viruses, it seems). 
Additionally, there is very little threat that the virus will be able to 
infect the Linux platform doing the scanning (as far as I know, there 
are no viruses capable of infecting Windows AND Linux, given that the 
binary formats are very different). To scan incoming email for viruses, 
simply get "AMaViS", which replaces procmail (the program that actually 
delivers the mail locally on a system) with a program called scanmails, 
which first scans the email and then delivers it. This is far from 
perfect, however: if AMaViS does not know how to unpack an attachment 
(i.e., it is compressed with some unknown program), or if the virus is 
somehow hidden (for example, it is encrypted or XORed against a 
pattern), most anti-virus scanners will not detect it. But hey, it's a 
lot better than nothing, it's easy to implement, and several anti-virus 
vendors have free deals for noncommercial (home) use of their software.
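What a scan-before-delivery hook of this kind looks like, as an added example in the spirit of AMaViS's scanmails (this is not AMaViS's own code); the scanner command and its exit codes, the quarantine directory, the MDA and the marker string are all assumptions:

```shell
#!/bin/sh
# Added example, not AMaViS's own code: a scan-then-deliver hook in the
# spirit of scanmails. The message is spooled to a temp file, handed to a
# scanner, and passed to the real MDA only if the scanner calls it clean.
# Infected messages, and messages the scanner could not examine, go to a
# quarantine directory instead of the mailbox (fail closed).
#
# Assumptions, not from the article: SCANNER runs as "$SCANNER <file>" and
# exits 0 = clean, 1 = infected, other = scanner error; MDA reads the
# message on stdin (procmail does); QUARANTINE is a directory path.
QUARANTINE=${QUARANTINE:-/var/spool/quarantine}
MDA=${MDA:-procmail}
SCANNER=${SCANNER:-stub_scanner}

# Stand-in for a vendor scanner so the script runs offline: it "detects"
# a constructed marker string. A real deployment points SCANNER elsewhere.
stub_scanner() {
    ! grep -q 'X-Constructed-Virus-Marker' "$1"     # match = "infected"
}

# quarantine_message FILE REASON -> prints the path of the quarantined copy
quarantine_message() {
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE" || return 1
    dest="$QUARANTINE/$(date +%Y%m%d%H%M%S).$$.$2"
    cp "$1" "$dest" && chmod 600 "$dest" && echo "$dest"
}

# scan_and_deliver FILE -> 0 delivered, 1 quarantined (infected),
# 2 quarantined (scanner error), 3 scanner said clean but the MDA failed
scan_and_deliver() {
    $SCANNER "$1" && rc=0 || rc=$?      # unquoted so options survive
    case $rc in
        0) $MDA < "$1" || return 3 ;;
        1) quarantine_message "$1" infected >/dev/null; return 1 ;;
        *) quarantine_message "$1" scanerror >/dev/null; return 2 ;;
    esac
}

# Entry point when installed as the MDA ("scanmail.sh --filter" reads the
# message on stdin). Guarded so the functions can be sourced without
# consuming stdin. 75 is EX_TEMPFAIL, which tells the MTA to retry later.
if [ "${1:-}" = "--filter" ]; then
    tmp=$(mktemp) || exit 75
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp" || exit 75
    scan_and_deliver "$tmp"; rc=$?
    [ "$rc" -le 2 ] && exit 0       # delivered or quarantined: handled
    exit 75
fi
```

Anything the scanner cannot examine (the unknown archive format mentioned above shows up as a non-zero, non-one exit status) lands in the quarantine for a human to look at rather than in the user's mailbox.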

The next major step is to scan files for viruses; in this regard, 
installing anti-virus software on each client can be better than only 
installing it on your fileserver. The problem is keeping all the client 
machines up to date and making sure that the users do not disable the 
software (accidentally or otherwise). One partial solution is to allow 
the Linux machine to mount the Windows clients' hard drives so that it 
can scan them. If you mount them writable as well as readable, you can 
also have the anti-virus software try to clean the infected files. 
Unfortunately, the access the Samba client provides is "ftp-like," 
meaning you need to download files to interact with them and scan them, 
and have some sort of script deal with infected files (i.e., delete them 
from the client machines, or try to clean them and upload the new 
version). Generally speaking, it will be a lot easier and safer to 
simply install anti-virus software on each client machine (and make sure 
users can't remove or disable it accidentally) if you want more complete 
file protection. 

In summary, Linux is relatively immune to viruses if you use normal, 
safe computing practices (such as using the root account minimally and 
only installing software from trusted sources, like signed binary 
packages from vendors or signed source code from the developers). You 
are more likely to suffer a Windows virus, so every added layer of 
defense (such as scanning incoming email before the Windows client can 
even touch it) will reduce the risk. In any event, we will see more 
viruses aimed at Linux. Like Windows, most Linux platforms are similar 
enough (Intel-based CPUs, glibc, etc.) that a properly written virus 
could be quite effective, assuming it is either run as root or exploits 
some new security hole to gain root privileges (otherwise it would only 
be able to infect a user's files, which are typically limited to 
/home/username -- very few users trade executables). 
 
<FRANCOIS NOTE>
I have contacted the authors to let them know that
the above is not exactly accurate.
It is possible to mount Windows SHARES and edit them directly
using a virus scanning tool or any other editor without
having to transfer the files across the LAN.
This is also a great way to consolidate all servers
filesystems for backups to a single LINUX backup server.
</FRANCOIS NOTE>

http://www.sophos.com/ - Sophos Anti-Virus
http://www.hbedv.com/ - AntiVir
http://www.antivirus.com/products/isvw/ - InterScan VirusWall
http://www.europe.datafellows.com/products/ - F-Secure Anti-Virus
http://www.kasperskylab.ru/eng/products/linux.asp - AVP
http://aachalon.de/AMaViS/ - AMaViS
http://www.securityportal.com/lasg/servers/email/index.html - Scanning 
email for Viruses - How to Set Up AMaViS with Sendmail and Postfix
http://www.securityportal.com/lasg/viruses/ - Anti virus software for 
Linux and other information 

About the author
----------------
Jim Reavis, founder of SecurityPortal.com, is an analyst with over 10 
years of experience consulting with Fortune 500 organizations 
on networking and security-related technology projects. 

Kurt Seifried is a security analyst and author of the "Linux 
Administrator's Security Guide", an authoritative resource for Linux 
security. 

Jim can be contacted at jim.reavis@linuxworld.com; Kurt can be contacted 
at kurt.seifried@linuxworld.com.
 
*********************************************************************

Jean Francois Sends...
President & CEO MagusNet, Inc.
MagusNet.com, MagusNet.Gilbert.AZ.US
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com, TheLinuxLab.com, LinuxWired.net
480-778-1120 - Office
602-770-JLF1 - Cellular