*********************************************************************

Virus Scanning Under Linux
by Jim Reavis and Kurt Seifried

Most of you are looking at the title and thinking, "Huh? I don't need to scan my Linux system for viruses, what a useless article!" Well, the fact of the matter is that for most people it is far from useless. There are relatively few Linux viruses currently in the wild (there are more worm-type programs circulating), and the general architecture of Linux and the usage habits of most administrators tend to discourage the spread of Linux viruses. On the other hand, the Windows clients that make use of your Linux server (email, file, or otherwise) do have to worry about viruses.

It is easier and somewhat safer to scan for viruses on your Linux server than to load anti-virus software on each Windows client machine. For example, instead of loading anti-virus software on 30 Windows machines and trying to keep it up to date, you can install one copy of Sophos Anti-Virus for Linux on your mail server and scan all incoming email (currently the most popular method of transmitting viruses, it seems). Additionally, there is very little threat that the virus will be able to infect the Linux platform doing the scanning (as far as I know, there are no viruses capable of infecting both Windows and Linux, given that the binary formats are very different).

To scan incoming email for viruses, simply get AMaViS, which provides a replacement for procmail (the program that actually delivers mail locally on a system) in the form of a program called scanmails, which first scans the email and then delivers it. This is far from perfect, however: if AMaViS does not know how to unpack an attachment (e.g., it is compressed with some unknown program), or if the virus is somehow hidden (for example, encrypted or XORed against a pattern), most anti-virus scanners will not detect it.
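The scan-then-deliver step described above, and the caveat about attachments the scanner cannot unpack, are easy to see in a small filter. The following is an added illustration written for this page; it is not AMaViS or scanmails code and is not from the authors. It assumes a constructed signature list in place of a real scanner's database, and the verdict names ('clean', 'infected', 'unscannable') are this example's own. The point it makes beyond the text: a part the filter cannot open (an unknown archive type or a broken or encrypted zip) is quarantined rather than delivered, because "no match" from a scanner that could not look inside is not the same as "clean".

```python
"""Minimal procmail-style scan-then-deliver filter (constructed example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed stand-in for a real scanner's signature database (hypothetical).
SIGNATURES = [b"CONSTRUCTED-TEST-SIGNATURE-0001"]

# Archive formats this filter has no unpacker for; a real scanmails setup
# would call an external tool, and without one the contents cannot be vouched for.
UNKNOWN_ARCHIVES = {"application/x-rar-compressed", "application/x-7z-compressed"}


def scan_bytes(data):
    """Return True if the decoded bytes contain a known signature."""
    return any(sig in data for sig in SIGNATURES)


def scan_part(content_type, data):
    """Scan one decoded MIME part; returns 'clean', 'infected' or 'unscannable'."""
    if content_type == "application/zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Scan every member. zipfile raises BadZipFile for a corrupt
                # archive and RuntimeError for an encrypted member.
                if any(scan_bytes(zf.read(name)) for name in zf.namelist()):
                    return "infected"
            return "clean"
        except (zipfile.BadZipFile, RuntimeError):
            return "unscannable"
    if content_type in UNKNOWN_ARCHIVES:
        return "unscannable"
    return "infected" if scan_bytes(data) else "clean"


def classify_message(raw):
    """Decide whether a raw RFC 822 message may be delivered.

    Returns ('deliver', []) when every part is clean, otherwise
    ('quarantine', [(part_name, verdict), ...]).  Unscannable parts are
    quarantined too instead of being delivered on the hope that they are fine.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)  # undo base64 / quoted-printable
        if data is None:
            continue
        verdict = scan_part(part.get_content_type(), data)
        if verdict != "clean":
            findings.append((part.get_filename() or part.get_content_type(), verdict))
    return ("deliver", []) if not findings else ("quarantine", findings)


def build_message(filename, content_type, data):
    """Build a constructed test message carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See the attached file.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def make_zip(member_name, member_data):
    """Return an in-memory zip archive holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean": build_message("notes.bin", "application/octet-stream", b"nothing to see"),
        "infected": build_message("bad.bin", "application/octet-stream", SIGNATURES[0]),
        "zipped": build_message("bad.zip", "application/zip", make_zip("bad.bin", SIGNATURES[0])),
        "unknown": build_message("odd.rar", "application/x-rar-compressed", b"opaque payload"),
        "broken": build_message("bad.zip", "application/zip", b"PK\x03\x04 truncated"),
    }
    for label, raw in samples.items():
        print(label, classify_message(raw))
```

In a real deployment the 'quarantine' branch would write the message to a held-mail directory and notify the administrator, and the 'deliver' branch would hand the message to the normal local delivery program; the scanner itself would be the vendor's engine rather than a substring match.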
But hey, it's a lot better than nothing, it's easy to implement, and several anti-virus vendors have free deals for noncommercial (home) use of their software.

The next major step is to scan files for viruses. In this regard, installing anti-virus software on each client can be better than only installing it on your file server. The problem is keeping all the client machines up to date and making sure that the users do not disable the software (accidentally or otherwise). One partial solution is to allow the Linux machine to mount the Windows clients' hard drives so that it can scan them. If you mount them writeable as well as readable, you can also have the anti-virus software try to clean the infected files. Unfortunately, the access the Samba client provides is "ftp-like," meaning you need to download files to interact with them and scan them, and have some sort of script deal with infected files (i.e., delete them from the client machines, or try to clean them and upload the new copy). Generally speaking, it will be a lot easier and safer to simply install anti-virus software on each client machine (and make sure users can't remove or disable it accidentally) if you want more complete file protection.

In summary, Linux is relatively immune to viruses if you use normal, safe computing practices, such as using the root account minimally and only installing software from trusted sources (signed binary packages from vendors or signed source code from the developers). You are more likely to suffer a Windows virus, so every added layer of defense (such as scanning incoming email before the Windows client can even touch it) will reduce the risk. In any event, we will see more viruses aimed at Linux. Like Windows, most Linux platforms are similar enough (Intel-based CPUs, glibc, etc.)
that a properly written virus could be quite effective, assuming it is either run as root or exploits some new security hole to gain root privileges (otherwise it would only be able to infect a user's files, which are typically limited to /home/username -- very few users trade executables).

I have contacted the authors to let them know that the above is not exactly accurate. It is possible to mount Windows SHARES and edit them directly using a virus scanning tool or any other editor without having to transfer the files across the LAN. This is also a great way to consolidate all servers' filesystems for backups to a single LINUX backup server.

http://www.sophos.com/ - Sophos Anti-Virus
http://www.hbedv.com/ - AntiVir
http://www.antivirus.com/products/isvw/ - InterScan VirusWall
http://www.europe.datafellows.com/products/ - F-Secure Anti-Virus
http://www.kasperskylab.ru/eng/products/linux.asp - AVP
http://aachalon.de/AMaViS/ - AMaViS
http://www.securityportal.com/lasg/servers/email/index.html - Scanning email for Viruses - How to Set Up AMaViS with Sendmail and Postfix
http://www.securityportal.com/lasg/viruses/ - Anti virus software for Linux and other information

About the author
----------------
Jim Reavis, founder of SecurityPortal.com, is an analyst with over 10 years of experience consulting with Fortune 500 organizations on networking and security-related technology projects. Kurt Seifried is a security analyst and author of the "Linux Administrator's Security Guide", an authoritative resource for Linux security. Jim can be contacted at jim.reavis@linuxworld.com; Kurt can be contacted at kurt.seifried@linuxworld.com.

*********************************************************************

Jean Francois Sends...
President & CEO MagusNet, Inc.
MagusNet.com, MagusNet.Gilbert.AZ.US
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com, TheLinuxLab.com, LinuxWired.net
480-778-1120 - Office
602-770-JLF1 - Cellular