The spectre of Antivirus has reared its ugly head again at work, but this time the scope includes our AIX environments as well as linux. At least now within the organisation the general consensus is to just go with ClamAV, but I've managed to resist an antivirus product for so long in the linux/unix environments that I still don't want to install anything at all. So, my questions to the members of the unix/linux community here are:
- has anything changed in the last 5 years or so to make AV on linux/unix worthwhile?
- what arguments can I use to support my position of not installing any AV at all?
- am I just going to have to accept reality, install ClamAV and be done with it?
I get this a lot too, probably for the same "compliance" rules as you. Same old problems of course - most AV vendors build Windows tools, port them to Linux/UNIX poorly, end up with things that don't support newer distros (or even popular ones - imagine not supporting Ubuntu in 2020), or utterly tank performance assuming they do work at all. Like you, I roll out ClamAV. Easy enough to set up your own update process (again if you've got compliance needs, often you need to deploy definitions internally which is easy to do by pushing out definition files through standard config management / deployment tools), ticks a compliance box, and you can have it log to syslog somewhere for centralised logging (again, compliance tick). And the big one - it's not YAL (Yet Another License) to manage, which in a world of dynamically spawning hosts and "treat it like cattle, not pets", is something that I want from all my tools. I really think this is an uphill battle sometimes. The people most vocally for AV on Linux generally have no fucking clue how enterprise systems work, and are just out to tick a box on the compliance form. In that case, put in the least harmful/impactful thing that has the right sticker on it to appease the clueless, and move on.
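The deployment pattern described in the post above (definitions pulled from an internal mirror, scan results sent to syslog for central collection) as an added example; this is not code from anyone in the thread. The mirror hostname, file paths and syslog facility are assumptions, and the `logger -t`/`-p` flags assume util-linux or BSD logger rather than the bare POSIX form.

```shell
#!/bin/sh
# Added example: render ClamAV configs that fetch definitions from an
# internal mirror and log through syslog, then wrap clamscan so each run
# (and each detection) lands in syslog. Hostname, paths and facility are
# assumptions, not values from the thread.

MIRROR_HOST="${MIRROR_HOST:-clamav-mirror.internal.example}"  # assumed internal mirror

# freshclam.conf: PrivateMirror makes freshclam talk only to the internal
# mirror, so scanned hosts need no outbound internet access for updates.
write_freshclam_conf() {
  cat > "$1" <<EOF
PrivateMirror ${MIRROR_HOST}
DatabaseDirectory /var/lib/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogSyslog yes
LogFacility LOG_LOCAL6
Checks 12
EOF
}

# clamd.conf: log to syslog on a dedicated facility so the central
# collector can route ClamAV events separately from the rest of the host.
write_clamd_conf() {
  cat > "$1" <<EOF
LocalSocket /run/clamav/clamd.sock
LogSyslog yes
LogFacility LOG_LOCAL6
LogTime yes
EOF
}

# Read clamscan output on stdin, forward every "FOUND" line to syslog at
# warning level, and print the number of detections. logger failures are
# ignored so a missing syslog socket does not mask the count.
log_findings() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      *" FOUND")
        n=$((n + 1))
        logger -t clamav-scan -p local6.warning "$line" 2>/dev/null || :
        ;;
    esac
  done
  echo "$n"
}

# Scan a directory and record the outcome. clamscan exit codes: 0 clean,
# 1 something found, 2 error; the wrapper returns the same code.
scan_and_log() {
  dir="$1"
  out=$(clamscan -r -i --no-summary "$dir" 2>/dev/null)
  rc=$?
  case "$rc" in
    0) logger -t clamav-scan -p local6.info "scan of $dir: clean" 2>/dev/null || : ;;
    1) found=$(printf '%s\n' "$out" | log_findings)
       logger -t clamav-scan -p local6.warning "scan of $dir: $found detection(s)" 2>/dev/null || : ;;
    *) logger -t clamav-scan -p local6.err "scan of $dir: error rc=$rc" 2>/dev/null || : ;;
  esac
  return "$rc"
}

# Usage (only when a directory is given, so sourcing the file is harmless):
#   sh scan.sh /srv/share
if [ -n "${1:-}" ]; then
  scan_and_log "$1"
fi
```

Push the two rendered files out with whatever config management you already use, schedule `scan_and_log` from cron, and point the syslog collector at `local6` to pick up both freshclam update events and scan results.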
The only time I'd ever roll out AV is where Linux systems are being used for Windows clients, e.g. fileservers, mail servers, etc. This is not to protect Linux, but to be another layer of protection for connected Windows systems. Beyond that, it's echoing what Elvis posted - if it keeps management happy, just do it. There are better things you can spend the time on rather than trying to convince a non-technical Manager about why Linux wouldn't need it, and it makes you look better to other bodies such as auditors.
Yeah, I guess at the moment I'm still a bit like a snake that's had its head cut off. The body is still thrashing round, not yet realising it's dead. At least ClamAV is straightforward set-and-forget.
The only bugger with ClamAV is that it won't build with the real compilers, you need GCC/G++, (no, the magic "behave like gcc" flags aren't enough). Which can be another layer of bullshit^Wbureaucracy to navigate.
Can't resist: https://docs.microsoft.com/en-us/wi...oft-defender-atp/microsoft-defender-atp-linux Supports most major corporate-y distros
All the commercial AV vendors say this, and then they all do something stupid, non-POSIXy, or just outright break when not set up in whatever ridiculous way they incorrectly assume Linux to work. I work with a hell of a lot of commercial/proprietary vendors on Linux systems. Some of them get it, many of them don't and just instead brute force their Windows tools into a Linux environment poorly. AV vendors are typically some of the worst. With all of that said, Microsoft are doing good things in the Linux ecosystem these last couple of years. And boy does it feel weird to say that as a 25 year Linux veteran.
Mathworks used to use the MAC address of whatever they consider to be "the main network interface" as part of their presumably complicated machine license hash, for example. I had a lengthy email conversation with a mathworks dev about it a while ago to whom it was surprising bordering on shocking that many distros now randomise MAC addresses as a matter of course...
I've had a few vendors contact me in great surprise when they realised we've upgraded and even virtualised machines several times over but never contacted them for a new license key. Imagine their shock when they find out changing the MAC address of any given interface, real or virtual, is an utterly trivial thing to do, and nullifies their entire licensing scheme.
Teddybear!? I remember you posting this anecdote in IRC a few years ago... so you are on the forums. And my head is full of the most esoteric trivia apparently :S My most recent corporate-IT-are-annoying is that they use Cisco AnyConnect VPN with the hostscan feature that fingerprints your system. My laptop runs Fedora and my desktop Arch, I loaded a Windows VM on a trial license and used some guy on the net's script to generate a script that openconnect accepts, and all that solved that annoyance. After that the only way in is through a Microsoft RD Gateway. Work laptops are configured differently and once the VPN is connected you can browse intranet resources etc without hindrance - my current plan is to just run a SOCKS proxy or similar on a laptop and connect my desktop to that, but I have been meaning to investigate the difference between the connections that makes them different, haven't had the bothers yet though. It's dumb remote desktoping to my work laptop from my desktop though, and surprisingly sluggish. More on-topic, I have briefly looked into the cybersecurity profile at work (I do have a strong say in operations tech, which is distinct from information tech), have to play ball with the IT people and a large group of box tickers. We currently tick very few of the dumber boxes, and the IT group say we need business-wide solutions but also need vendor support - company-wide + vendor support means you need basically every software vendor in the world to agree to how we want to do things like AV and software inventories/monitoring - so the boxes go unticked! Crazy. I agree with elvis: if you have an opportunity to just tick the box, be thankful you can and move on! /rant
Yes indeedy. Yeah, I must say I've consistently found openconnect *waaaay* nicer than Cisco's AnyConnect tools, and I gather it's nicer than Juniper's mostly-compatible equivalent too. In particular, from a laptop the openconnect plugin for NetworkManager mostly seems to transparently Just Work, which is nice.
Incorporating a device's 'presence' on an arbitrary 'corporate' network into an access policy is dumb, full stop; hopefully you can convince the business of this. Cull vendors until your company and vendor support goals align.
Oh I feel you, the number of actually useful features in Preview is nuts. However, this does point to Microsoft realising that the writing is on the wall for certain types of things and they are throwing the kitchen sink at keeping management subscription $$ (including security) inside Microsoft by increasing support for third party platforms. MacOS and Linux support sucks today compared to Win10 but boy is that changing fast.
Crowdstrike? That's interesting - we've just deployed it across the windows fleet... I must admit I only took a cursory look at it. Maybe it's worth a bit more time...