*********************************************************************
Virus Scanning Under Linux
by Jim Reavis and Kurt Seifried
Most of you are looking at the title and thinking, "Huh? I don't need to
scan my Linux system for viruses, what a useless article!" Well, the
fact of the matter is that for most people it is far from useless. While
there are relatively few Linux viruses currently in the wild (there are
more worm-type programs circulating), the general architecture of Linux,
and the usage habits of most administrators tend to discourage the
spread of Linux viruses. On the other hand the Windows clients that make
use of your Linux server (email, file, or otherwise) do have to worry
about viruses.
It is easier and somewhat safer to scan for viruses on your Linux server
as opposed to loading anti-virus software on each Windows client
machine. For example, instead of loading anti-virus software on 30
Windows machines, and trying to keep it up to date, you can instead
install one copy of Sophos anti-virus for Linux on your mail server and
scan all incoming email (currently the most popular method to transmit
viruses, it seems). Additionally, there is very little threat (as far as
I know, there are no viruses capable of infecting Windows AND Linux,
given that the binary formats are very different) that the virus will be
able to infect the Linux platform doing the scanning. To scan incoming
email for viruses, simply get "AMaViS", which provides a replacement for
procmail (the program that actually delivers the mail locally on a
system) with a program called scanmails, which first scans the email,
and then delivers it. This is far from perfect, however, if AMaViS does
not know how to unpack an attachment (i.e., it is compressed with some
unknown program), or if the virus is somehow hidden (for example it is
encrypted, or XORed against a pattern) most anti-virus scanners will not
detect it. But hey, it's a lot better than nothing, it's easy to
implement, and several anti-virus vendors have free deals for
noncommercial (home) use of their software.
The next major step is to scan files for viruses, in this regard
installing anti-virus software on each client can be better than only
installing it on your fileserver. The problem is keeping all the client
machines up to date and making sure that the users do not disable the
software (accidentally or otherwise). One partial solution is to allow
the Linux machine to mount the Windows clients' hard drive so that it
can scan them. If you mount them writeable as well as readable, you can
also have the anti-virus software try to clean the infected files.
Unfortunately, the access the Samba client provides is "ftp-like,"
meaning you need to download files to interact with them and scan them,
and have some sort of script deal with infected files (i.e., delete them
from the client machines, or try to clean and upload the new one).
Generally speaking, it will be a lot easier and safer to simply install
anti-virus software on each client machine (and make sure they can't
remove or disable it accidentally) if you want more complete file
protection.
In summary, Linux is relatively immune to viruses if you use normal,
safe computing practices, such as using the root account minimally, and
only installing software from trusted sources, like signed binary
packages from vendors or signed source code from the developers). You
are more likely to suffer a Windows virus, so every added layer of
defense (such as scanning incoming email before the Windows client can
even touch it) will reduce the risk. In any event, we will see more
viruses aimed at Linux. Like Windows, most Linux platforms are similar
enough (Intel-based CPU's, glibc, etc.) that a properly written virus
could be quite effective, assuming it is either run as root, or exploits
some new security hole to gain root privileges (otherwise it would only
be able to infect a user's files, which are typically limited to
/home/username -- very few users trade executables).
<FRANCOIS NOTE>
I have contacted the authors to let them know that
the above is not exactly accurate.
It is possible to mount Windows SHARES and edit them directly
using a virus scanning tool or any other editor without
having to transfer the files across the LAN.
This is also a great way to consolidate all servers
filesystems for backups to a single LINUX backup server.
</FRANCOIS NOTE>
http://www.sophos.com/ - Sophos Anti-Virus
http://www.hbedv.com/ - AntiVir
http://www.antivirus.com/products/isvw/ - InterScan VirusWall
http://www.europe.datafellows.com/products/ - F-Secure Anti-Virus
http://www.kasperskylab.ru/eng/products/linux.asp - AVP
http://aachalon.de/AMaViS/ - AMaViS
http://www.securityportal.com/lasg/servers/email/index.html - Scanning
email for Viruses - How to Set Up AMaViS with Sendmail and Postfix
http://www.securityportal.com/lasg/viruses/ - Anti virus software for
Linux and other information
About the author
----------------
Jim Reavis, founder of SecurityPortal.com, is an analyst with over 10
years of experience consulting with Fortune 500 organizations
on networking and security-related technology projects.
Kurt Seifried is a security analyst and author of the "Linux
administrators Security Guide", an authoritative resource for Linux
security.
Jim can be contacted at
jim.reavis@linuxworld.com; Kurt can be contacted
at
kurt.seifried@linuxworld.com.
*********************************************************************
Jean Francois Sends...
President & CEO MagusNet, Inc.
MagusNet.com, MagusNet.Gilbert.AZ.US
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com, TheLinuxLab.com, LinuxWired.net
480-778-1120 - Office
602-770-JLF1 - Cellular