Antivirus in the modern unix world

Discussion in 'Other Operating Systems' started by pengy, Nov 13, 2020.

  1. pengy

    pengy Member

    Joined:
    Dec 3, 2003
    Messages:
    307
    Location:
    Melbourne
The spectre of Antivirus has reared its ugly head again at work, but this time the scope includes our AIX environments as well as linux.

    At least now within the organisation the general consensus is to just go with ClamAV, but I've managed to resist an antivirus product for so long in the linux/unix environments that I still don't want to install anything at all.

    So, my questions to the members of the unix/linux community here are:

    - has anything changed in the last 5 years or so to make AV on linux/unix worthwhile?
    - what arguments can I use to support my position of not installing any AV at all?
    - am I just going to have to accept reality, install ClamAV and be done with it? :D
     
  2. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,808
    Location:
    Brisbane
    I get this a lot too, probably for the same "compliance" rules as you.

    Same old problems of course - most AV vendors build Windows tools, port them to Linux/UNIX poorly, end up with things that don't support newer distros (or even popular ones - imagine not supporting Ubuntu in 2020), or utterly tank performance assuming they do work at all.

    Like you, I roll out ClamAV. Easy enough to set up your own update process (again if you've got compliance needs, often you need to deploy definitions internally which is easy to do by pushing out definition files through standard config management / deployment tools), ticks a compliance box, and you can have it log to syslog somewhere for centralised logging (again, compliance tick).

    And the big one - it's not YAL (Yet Another License) to manage, which in a world of dynamically spawning hosts and "treat it like cattle, not pets", is something that I want from all my tools.

    I really think this is an uphill battle sometimes. The people most vocally for AV on Linux generally have no fucking clue how enterprise systems work, and are just out to tick a box on the compliance form. In that case, put in the least harmful/impactful thing that has the right sticker on it to appease the clueless, and move on.
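The "log it to syslog somewhere" part above is where a ClamAV rollout turns from a compliance sticker into something a SOC can actually use. The script below is an added example, not code from this thread or from the ClamAV project: a small POSIX sh wrapper that reduces clamscan/clamdscan output to one structured event per detection and hands it to logger(1), so findings from every host land in central logging. It assumes only the standard scanner report line `<path>: <signature> FOUND`; the sample scanner output, the `clamav_detection` event name and the `CLAM_WRAPPER_STDERR` switch are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread or the ClamAV project): forward ClamAV
# detections to syslog as one key=value event each. Assumes the standard
# clamscan/clamdscan report line "<path>: <signature> FOUND".

# Reduce scanner output on stdin to one "<path><TAB><signature>" line per
# detection. "OK" lines, empty lines and the summary block are dropped.
# The split is on the LAST ": " so a path that itself contains ": " survives.
clam_findings() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        if (match(line, /: [^:]*$/) == 0) next
        printf "%s\t%s\n", substr(line, 1, RSTART - 1), substr(line, RSTART + 2)
    }'
}

# Count detections in scanner output on stdin (prints a number, 0 if clean).
count_findings() {
    clam_findings | awk 'END { print NR }'
}

# Read "<path><TAB><signature>" lines on stdin and emit one event per line.
# Goes to logger(1) at local6.warning (local6 is clamd's default LogFacility)
# unless logger is missing or CLAM_WRAPPER_STDERR is set, then to stderr.
# Returns 1 when anything was found so a cron job or CI step fails loudly.
report_findings() {
    host=$(hostname 2>/dev/null || echo unknown-host)
    found=0
    while IFS="$(printf '\t')" read -r path sig; do
        found=$((found + 1))
        event="clamav_detection host=$host path=\"$path\" signature=\"$sig\""
        if [ -z "${CLAM_WRAPPER_STDERR:-}" ] && command -v logger >/dev/null 2>&1; then
            logger -t clamscan-wrapper -p local6.warning -- "$event"
        else
            printf '%s\n' "$event" >&2
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of clamscan output (not a real scan): one EICAR hit, one
# clean file, one path containing ": ", then a summary block like clamscan's.
SAMPLE_OUTPUT='/srv/share/eicar.com: Eicar-Test-Signature FOUND
/srv/share/notes.txt: OK
/srv/share/report: final.doc: Example.Constructed.Sig FOUND

----------- SCAN SUMMARY -----------
Infected files: 2'

# Typical cron usage (real scan, not run here):
#   clamscan -r --infected /srv/share | clam_findings | report_findings
# Dry run against the constructed sample, writing to stderr instead of syslog:
#   printf '%s\n' "$SAMPLE_OUTPUT" | clam_findings | CLAM_WRAPPER_STDERR=1 report_findings
```

Because `report_findings` exits nonzero on any hit, the same wrapper doubles as a cheap health check: a scheduled job that suddenly starts failing is itself a signal worth alerting on, independent of whether the syslog pipeline is healthy.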
     
  3. HyRax1

    HyRax1 ¡Viva la Resolutión!

    Joined:
    Jun 28, 2001
    Messages:
    7,931
    Location:
    At a desk
    The only time I'd ever roll out AV is where Linux systems are being used for Windows clients, eg: fileservers, mail servers, etc. This is not to protect Linux, but to be another layer of protection for connected Windows systems.

    Beyond that, it's echoing what Elvis posted - if it keeps management happy, just do it. There are better things you can spend the time on rather than trying to convince a non-technical Manager about why Linux wouldn't need it, and it makes you look better to other bodies such as auditors.
     
  4. pengy (OP)

    pengy Member

    Joined:
    Dec 3, 2003
    Messages:
    307
    Location:
    Melbourne
    Yeah, I guess at the moment I'm still a bit like a snake that's had its head cut off. The body is still thrashing round, not yet realising it's dead.

    At least ClamAV is straightforward set-and-forget.
     
  5. grs1961

    grs1961 Member

    Joined:
    Jan 21, 2005
    Messages:
    519
    Location:
    Melbourne
    The only bugger with ClamAV is that it won't build with the real compilers, you need GCC/G++, (no, the magic "behave like gcc" flags aren't enough).

    Which can be another layer of bullshit^Wbureaucracy to navigate.
     
  6. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,542
    Location:
    Adelaide
    Can't resist: https://docs.microsoft.com/en-us/wi...oft-defender-atp/microsoft-defender-atp-linux
    Supports most major corporate-y distros
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,808
    Location:
    Brisbane
    All the commercial AV vendors say this, and then they all do something stupid, non-POSIXy, or just outright break when not set up in whatever ridiculous way they incorrectly assume Linux to work.

    I work with a hell of a lot of commercial/proprietary vendors on Linux systems. Some of them get it, many of them don't and just instead brute force their Windows tools into a Linux environment poorly. AV vendors are typically some of the worst.

    With all of that said, Microsoft are doing good things in the Linux ecosystem these last couple of years. And boy does it feel weird to say that as a 25 year Linux veteran. :lol:
     
    Rass likes this.
  8. Quadbox

    Quadbox Member

    Joined:
    Jun 27, 2001
    Messages:
    6,504
    Location:
    Brisbane
    Mathworks used to use the MAC address of whatever they consider to be "the main network interface" as part of their presumably complicated machine license hash, for example. I had a lengthy email conversation with a mathworks dev about it a while ago to whom it was surprising bordering on shocking that many distros now randomise MAC addresses as a matter of course...
     
    elvis likes this.
  9. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    43,808
    Location:
    Brisbane
    I've had a few vendors contact me in great surprise when they realised we've upgraded and even virtualised machines several times over but never contacted them for a new license key.

    Imagine their shock when they find out changing the MAC address of any given interface, real or virtual, is an utterly trivial thing to do, and nullifies their entire licensing scheme.
     
    bcann likes this.
  10. GumbyNoTalent

    GumbyNoTalent Member

    Joined:
    Jan 8, 2003
    Messages:
    9,707
    Location:
    Briz Vegas
    Or running multiple VMs off 1 license dongle in the day... ;)
     
    bcann likes this.
  11. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    6,032
    Location:
    NSW
    Or virtualise the dongle, not that i would do that.
     
  12. schnappy

    schnappy Member

    Joined:
    Apr 23, 2008
    Messages:
    877
    Location:
    3124
    Teddybear!? I remember you posting this anecdote in IRC a few years ago... so you are on the forums. And my head is full of the most esoteric trivia apparently :S

    My most recent corporate-IT-are-annoying is that they use Cisco AnyConnect VPN with the hostscan feature that fingerprints your system. My laptop runs Fedora and my desktop Arch, I loaded a Windows VM on a trial license and used some guy on the net's script to generate a script that openconnect accepts and all that solved that annoyance. After that the only way in is through a Microsoft RD Gateway. Work laptops are configured differently and once the VPN is connected you can browse intranet resources etc without hindrance - my current plan is to just run a SOCKS proxy or similar on a laptop and connect my desktop to that, but I have been meaning to investigate the difference between the connections that makes them different, haven't had the bothers yet though. It's dumb remote desktoping to my work laptop from my desktop though, and surprisingly sluggish.

    More on-topic I have briefly looked into the cybersecurity profile at work (I do have a strong say in operations tech which is distinct from information tech), have to play ball with the IT people and a large group of box tickers. We currently tick very few of the dumber boxes, and the IT group say we need business wide solutions but also need vendor support - company wide + vendor support means you need basically every software vendor in the world to agree to how we want to do things like AV and software inventories/monitoring - so the boxes go unticked! Crazy. I agree with elvis if you have an opportunity to just tick the box be thankful you can and move on! /rant
     
  13. Quadbox

    Quadbox Member

    Joined:
    Jun 27, 2001
    Messages:
    6,504
    Location:
    Brisbane
    Yes indeedy

    Yeah I must say I've consistently found openconnect *waaaay* nicer than cisco's anyconnect tools, and I gather it's nicer than juniper's mostly-compatible-equivalent too. In particular from a laptop the openconnect plugin for networkmanager mostly seems to transparently Just Work, which is nice
     
  14. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,542
    Location:
    Adelaide
    Incorporating a device's 'presence' on an arbitrary 'corporate' network into an access policy is dumb full stop, hopefully you can convince the business of this.

    Cull vendors until your company and vendor support goals align ;)
     
  15. ir0nhide

    ir0nhide Member

    Joined:
    Oct 24, 2003
    Messages:
    4,542
    Location:
    Adelaide
    Oh I feel you, the number of actually useful features in Preview is nuts. However, this does point to Microsoft realising that the writing is on the wall for certain types of things and they are throwing the kitchen sink at keeping management subscription $$ (including security) inside Microsoft by increasing support for third party platforms. MacOS and Linux support sucks today compared to Win10 but boy is that changing fast.
     
  16. mwil7034

    mwil7034 Member

    Joined:
    Jan 15, 2003
    Messages:
    614
    Location:
    Woy Woy
    1. ClamAV, if no budget
    2. CrowdStrike, if budget and not in a protected/restricted environment
     
  17. pengy (OP)

    pengy Member

    Joined:
    Dec 3, 2003
    Messages:
    307
    Location:
    Melbourne
    Crowdstrike? That's interesting - we've just deployed it across the windows fleet... I must admit I only took a cursory look at it. Maybe it's worth a bit more time...
     