Tasmanian Dept. of Education Wants Anti-Virus for Linux, OS X
An anonymous reader writes "One of Australia's largest government technology buyers, the Tasmanian Department of Education, has gone to market for a security vendor to supply anti-virus software for its 40,000-odd desktop PCs and laptops, as well as servers. But the department's not just running Windows — it runs Mac OS X and Linux as well, and has requested that whatever solution it buys must be able to run on those platforms as well. But have we reached the stage where Mac OS X and Linux even need third-party security software? It seems like most Mac and Linux users don't run it."
Re:Passing on Viruses (Score:5, Informative)
I've set up ClamAV on my Linux mail server to catch most dodgy stuff before it reaches my Windows PC. I also recently installed it onto my Linux Netbook to scan a friend's external hard drive for a Windows virus. I haven't been following the latest security news, so didn't particularly want to risk plugging it into my friend's or my Windows machine to scan it.
So I agree, there definitely is a use for Linux-based anti virus software...even if my own uses are mainly concerned with protecting Windows machines.
Re:Of course it's not needed. (Score:2, Informative)
Just don't do stupid things.
The average user doesn't know what's stupid and what is not.
To some extent, AV software is good for inexperienced users. Unfortunately most of these AV programs have "evolved" to a point where they've become more of a burden than help. That's a real problem if you have to churn out a new-and-improved version every year.
Re:cross platform virus scanner for linux and mac (Score:2, Informative)
# ./antivirus.exe
Segmentation fault
"Your honor, I ran the required anti-virus program, and it didn't detect any viruses."
You can't (Score:5, Informative)
http://technet.microsoft.com/en-us/library/cc512587.aspx [microsoft.com]
>>You can't clean a compromised system by patching it.
>>You can't clean a compromised system by removing the back doors.
>>You can't clean a compromised system by using some "vulnerability remover."
>>You can't clean a compromised system by using a virus scanner.
>>You can't clean a compromised system by reinstalling the operating system over the existing installation.
>>You can't trust any data copied from a compromised system.
>>You can't trust the event logs on a compromised system.
>>You may not be able to trust your latest backup.
>>>>>The only way to clean a compromised system is to flatten and rebuild.
Jesper M. Johansson, Ph.D. [YES, HE'S A DOCTOR], CISSP, MCSE, MCP+I
Security Program Manager
Microsoft Corporation
Re:Last Resort (Score:5, Informative)
Traditional rootkits exist for most unix systems, although they typically do not spread on their own - someone has to manually root your system and install them. There are even tools dedicated to finding/removing unix rootkits, eg http://www.rootkit.nl/projects/rootkit_hunter.html [rootkit.nl] has a long list of rootkits it knows about.
Re:Passing on Viruses (Score:4, Informative)
If you're setting up a mail server there are packages available which integrate all of the things you mentioned above into easier to manage / maintain systems. For example one popular one is iRedMail http://www.iredmail.org/features.html [iredmail.org] which can be set up by an intermediate user in around 1 minute [Video: http://www.youtube.com/watch?v=wi8CF3RKRm4] [youtube.com].
If you are implying it's much more complicated for the end user then you're kidding yourself as well. These days there are guides for most popular distributions and usually it's not much more difficult than installing the software and/or configuring an addon. For example, the Ubuntu community guide has easy to follow instructions for configuring Thunderbird with ClamAV. The process is by no means difficult (install, set ports, install addon) and takes less than a minute to complete for a novice user capable of following some instructions.
There are of course users who would find following such a guide too difficult but really these users simply lack the experience, confidence, patience or time to do so anyway. They're likely the same users who pay somebody else (or come to you, their friend / relative) to install the software for them.
Point I'm trying to make for people thinking of giving it a try is that it is a lot easier to do than the parent implies - even for novice-intermediate users.
Re:Of Course (Score:5, Informative)
You must work in IT support.
My personal experience is:
#1. For a technically sane and security-aware user, most antivirus software only exists to hog the system and make it slow.
#2. Antivirus software is used as a placebo to make users feel they are safer. If anything, I suspect it would make users feel less responsible for their own actions because some AV software is supposedly protecting them.
#3. How is a Linux user supposed to run AV? With WINE? I know there is clamav, but it's not intended for those "active monitoring/scanning" things you have on Windows. Maybe the "shell script" placebo* will work equally well at "educating users" if that's what you want. No point in making a system slow.
* http://apple.slashdot.org/comments.pl?sid=2119134&cid=35997968 [slashdot.org]
You must work in sales, because you have no experience in the real world.
#1. Actual, technical users understand that AV is important, they just recognise the signs of infection as well as any AV does and will take steps when they detect them. For us, AV clients are just a way to be lazy.
#2. Just because AV will not protect against some 0-days does not make it useless. It's a method of protecting against old threats which are still quite prevalent thanks to people who don't use or ignore AV. Not to mention that many viruses are simply minor variations of old ones; the W32.Foo.F virus looks quite similar to W32.Foo.E.
#3. Umm... You do know that there are a variety of Linux clients out there. Clam AV, Trend Micro, AVG, Kaspersky and others have clients. Any AV vendor in the Enterprise space has a client as Enterprises use Linux servers quite a bit. Do a google search for "Linux Anti Virus" before launching on an ill informed rant.
Re:Passing on Viruses (Score:4, Informative)
https://help.ubuntu.com/community/ScanningEmail [ubuntu.com]
Re:Last Resort (Score:5, Informative)
Anti-virus is a security last resort. If you've already downloaded or executed malware, then anti-virus might prevent it from running, or might be able to remove it if it already has. But it can't detect everything. It can only detect common malware.
This is too true. On our Windows machines a self-updating AV is installed. From time to time it deletes an email with a virus (or suspicious) attachment - we would never have opened it in any case (you know those lame emails, where you can smell the virus already in the subject line). Nevertheless, over ten years in the corporation, we had two outbreaks: one was the Slammer worm brought in by an executive with a laptop and a bad firewall config (in the Windows 2000 days), the other was a very well crafted social-engineered email with a PDF attachment that was not yet known by the AV. So, in both cases, the AV did not help, and I assume that all the other viruses would not have had the chance to run either, since the humans would not execute them (opening rotten attachments).
On the other hand the AV got multiple times in the way of the business by disabling remote login software, network analyzers, etc.
I think that it makes sense to have AV software on the email server to filter all those typical attacks, but I am not convinced of the need for an AV on each desktop, laptop etc. It makes sense to have an AV to test each downloaded file or USB stick when connected, but to have it always running might be overkill.
And, btw: we also had Linux machines, which were successfully attacked. However, those were network attacks against security holes in Internet servers. Maybe an intrusion detection system would have helped, but clearly not a typical anti-virus.
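The "AV on the email server" filtering the comment above argues for boils down to opening every attachment at the gateway and applying a few cheap checks before a human ever sees it. The following is an added example written for this page, not ClamAV's or any mail package's code: it parses a constructed RFC 5322 message with Python's standard `email` module and flags attachments by known-bad hash, by the EICAR test string, by dangerous extension, and by a PE header hiding under an innocent extension. The message, the blocklist and the extension list are all constructed here for illustration.

```python
"""Minimal mail-gateway attachment check (added example, not ClamAV code).
The message, blocklist hash and rules below are all constructed here."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# EICAR test string: the standard harmless file every AV engine is expected to flag.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed blocklist of SHA-256 hashes (here only the EICAR file's hash).
BLOCKLIST = {hashlib.sha256(EICAR).hexdigest()}

# Extensions that Windows will execute directly (constructed, not exhaustive).
DANGEROUS_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}


def check_attachment(filename, data):
    """Return the list of reasons to quarantine one attachment (empty = clean)."""
    reasons = []
    name = (filename or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    if hashlib.sha256(data).hexdigest() in BLOCKLIST:
        reasons.append("known-bad hash")
    if EICAR in data:
        reasons.append("EICAR test signature")
    if ext in DANGEROUS_EXT:
        reasons.append(f"executable extension {ext}")
    # A PE ("MZ") header under a non-executable name: "invoice.pdf" that is really an .exe.
    if data.startswith(b"MZ") and ext not in DANGEROUS_EXT:
        reasons.append("PE header with non-executable extension")
    return reasons


def scan_message(raw):
    """Parse a raw message and return {filename: reasons} for every flagged attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(part.get_filename(), data)
        if reasons:
            flagged[part.get_filename()] = reasons
    return flagged


def build_sample():
    """Constructed test message: one clean PDF, one disguised PE, one EICAR .com file."""
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 harmless", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00fake PE", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="test.com")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in scan_message(build_sample()).items():
        print(name, "->", ", ".join(why))
```

In a real deployment the hash and string checks are what an engine like ClamAV contributes (its signature database is vastly larger than one hash), while the extension and magic-byte rules are the sort of policy a gateway applies regardless of what the scanner says.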
Re:Passing on Viruses (Score:5, Informative)
Pretty much hit the nail on the head.
Polymorphic and Metamorphic viruses already exist and it's been proven mathematically that detecting such code is NP-complete.
(Spinellis, Diomidis; Reliable identification of bounded-length viruses is NP-complete, IEEE Transactions on Information Theory, 49(1):280–284, January 2003. doi:10.1109/TIT.2002.806137)
http://en.wikipedia.org/wiki/Polymorphic_code [wikipedia.org]
http://en.wikipedia.org/wiki/Metamorphic_code [wikipedia.org]
The scanners are so bad at detecting viruses because it's an example of Enumerating Badness which is one of the 6 dumbest ideas in security which just won't die.
http://www.ranum.com/security/computer_security/editorials/dumb/ [ranum.com]
Rather than trying to keep track of the few thousand or tens of thousands of things that should be running on your own network and white-listing those you either try to keep track of everything bad in the world or pay someone else to. Then you try to blacklist those.
Thus you get an antivirus scanner.
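Two comments above make claims that a small experiment illustrates: the earlier one that signature scanners still catch "W32.Foo.F because it looks like W32.Foo.E", and this one that polymorphic code and "enumerating badness" make the whole approach lose to a whitelist. The block below is an added example written for this page, not code from the thread or from any AV product. It builds a toy byte-pattern scanner, shows that a minor variant of the payload is still matched, then runs the payload through a toy polymorphic packer (XOR with a fresh key behind a stub) so the same code no longer matches until it is unpacked, and contrasts that with an allowlist that only admits hashes of approved binaries. The payload, signature and allowlist are constructed values.

```python
"""Signature scanning vs polymorphism vs allowlisting (added example).
PAYLOAD, SIGNATURES and ALLOWED are constructed toy values, not real malware."""
import hashlib
import os

# Toy "malicious" payload and the byte pattern an AV vendor might extract from it.
PAYLOAD = b"\xcc\xcc\xcc EVIL-PAYLOAD-V1 \xcc\xcc\xcc"
SIGNATURES = {"Toy.Foo": b"EVIL-PAYLOAD"}


def signature_scan(blob):
    """Blocklist scanner: return the first signature name found in blob, else None."""
    for name, sig in SIGNATURES.items():
        if sig in blob:
            return name
    return None


def minor_variant(blob):
    """The 'Foo.F looks like Foo.E' case: the author bumps a version string."""
    return blob.replace(b"V1", b"V2")


def polymorph(blob, key=None):
    """Toy polymorphic packer: XOR the body with a fresh 8-byte key and prepend
    a 'decoder stub' (here the literal b"STUB" plus the key), so every copy differs."""
    key = key or os.urandom(8)
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return b"STUB" + key + body


def unpack(blob):
    """What the stub does at run time (and what an emulating scanner must do):
    recover the original bytes from a packed blob."""
    key, body = blob[4:12], blob[12:]
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(body))


# Allowlist: hashes of the "few thousand things that should be running" on your network.
ALLOWED = {
    hashlib.sha256(b"approved-binary-1").hexdigest(),
    hashlib.sha256(b"approved-binary-2").hexdigest(),
}


def allowlist_check(blob):
    """Enumerating goodness: anything not on the list is refused, packed or not."""
    return hashlib.sha256(blob).hexdigest() in ALLOWED


def demo():
    """Run every check and return the results as a dict."""
    packed = polymorph(PAYLOAD)
    return {
        "original_matched": signature_scan(PAYLOAD),
        "variant_matched": signature_scan(minor_variant(PAYLOAD)),
        "packed_matched": signature_scan(packed),
        "unpacked_matched": signature_scan(unpack(packed)),
        "packed_allowed": allowlist_check(packed),
        "approved_allowed": allowlist_check(b"approved-binary-1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The string-bump variant is still caught because the signature does not cover the changed bytes, which is the ordinary case the "AV catches old threats" comment describes; the packed copy is missed until the scanner unpacks or emulates it, which is why real engines carry unpackers and emulators and why the Spinellis result says the general problem cannot be solved cheaply. The allowlist never looks at the content at all, so the packer buys the attacker nothing against it.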
Re:no (Score:5, Informative)
Counterpoint: yes
The US DoD requires it too. Fortunately, it is available from commercial suppliers (ClamAV is not compliant with something or other), so you just install it and maintain it and pass the bill on to the taxpayers.
I think it's just standard CYA, so you have someone external to blame if something slips through (which possibly explains why effective roll-your-own measures are deemed insufficient by the policymakers).
Re:a waste of CPU cycles (Score:4, Informative)
teach users proper data hygiene
Totally impossible. They don't care and you can't make them care.