[Snort-users] Anti Virus on Linux?

Matt Kettler mkettler at ...4108...
Mon Jan 27 12:06:12 EST 2003

Well  there's no good reason to run a AV product on a Linux snort box, 
since all of the virus scanners that run on Linux, focus on use in 
detecting windows viruses as they pass through your server.

With a Linux snort box I'd be more worried about intrusion prevention than 
viruses. (ie: lock your box down, use grsecurity's kernel patch with a true 
non executable stack and ACLs, shut down services you don't absolutely 
need, disable loadable module support in the kernel, etc etc).

Most linux "virus" infections are actually worms that penetrate the server 
via bind, sendmail or Apache bugs and usually ones that have been fixed for 
at least a month. Thus a well secured system which is properly patched and 
maintained will have a very low infection rate.

As far as detecting an infection, Tripwire type systems, if carefully 
implemented so that nobody can simply replace the Tripwire database or 
program, go a long way as far as detecting anomalies in the system, 
including both hackers and worms. This will probably do a better job than 
any virus-signature based scan of the system can do. (personally I prefer 
to use Aide coupled with GPG, both binaries statically linked and mounted 
on a write protected media like a CDR along with the gpg keyring, and use 
GPG to sign my aide database. It's not perfect, but having a sealed kernel 
with unwritable /dev/kmem and no loadable module support makes most attacks 
on this setup, such as syscall interception, very difficult.).

If you still want a virus scanner which runs on Linux here's a few I can 
think of, based on some research I did when setting up a MTA side email 
virus scanner on a Linux box:

Sophos - this is a pricey option, but their virus def files are updated at 
a very impressive rate relative to when new viruses hit the net.

fprot by frisk software - there's a "small business" which is a 
command-line scanner, and an "enterprise" version which stays memory 
resident. The small-business version is quite reasonably price (aprox $500) 
if I remember right.

CommandAV, fsecure - these are more or less resellers of the f-prot engine 
with their own front ends.

There are some others out there that make linux versions too that I've not 
tinkered with. Kapersky, McAfee. There's probably others too.

ClamAV is a 100% free open-source product, but def file updates are a bit 
slower due to volunteer basis of work.

At 12:32 PM 1/27/2003 -0600, Bob McDowell wrote:

>This isn't exactly confined to snort, but what do you guys run for 
>AntiVirus on your Linux-based snort boxes?  I understand that there are 
>some 'free for non-commercial use' options out there, but I'm looking for 
>a good commercial product - if there is one.  If not, anything is better 
>than nothing.  Isn't it?  Unless of course there is some reason not to run 
>AV on a snort box...

More information about the Snort-users mailing list