All PCI, HITRUST, etc. auditors that I have encountered require antivirus running on Linux systems. Many folks outside of the auditing community feel Linux does not need antivirus and that this is just a checkbox. It seems that without some sort of antivirus running on Linux, you will not pass the audits.
Is there anyone out there that has passed the various audits without having antivirus running on a Linux system and if so, what justification did you use that convinced PCI, HITRUST, and others to accept your reasoning?
Note: My organization runs ClamAV but there is no central management and according to some, it places quite a load on the servers when scanning. What antivirus solutions for Linux are others successful with?
For us, in a Hospital environment, we do not have a CDE as we don't store, process or transmit credit card data. However, I'm on my 4th QSA and so far, all of them are adamant about using AV regardless of server OS & functionality. Also, as a mandated requirement, you'd be hard pressed to convince many not to run AV on Linux. I have indeed seen Malware and Viruses on Linux and would agree you should protect your servers accordingly.
ClamAV does have a heavier footprint in memory than it should. I run Linux on all my laptops at home and have found SophosAV to be an excellent replacement for ClamAV.
Found it easier to use, update and scan my systems.
I am probably the least Linux expert I know, however, are they no longer taking the "commonly affected" exception?
I also hear from the Linux experts that the file systems can be very locked down to only allowed processes (third-party tools will do this also), and you may be able to convince the auditors with evidence from that standpoint.
All that aside, I believe you should find a product which will work for your organization to reduce the risk, but I believe there is likely significant overhead to set up, manage exclusions and monitor the environment. In the end, the organization should make a decision, sign off and have it agreed to by the QSA.
It's a great question. I've never had to deal with PCI personally, but was surprised to hear that AV on Linux/Unix systems is a requirement.
Surely a well patched, configured and hardened Linux server behind the normal network protections (Firewall, IPS, etc.), with log monitoring and regular vulnerability scanning in place, would be enough.
Does an AV really give you much in addition on Linux? Feels to me like box checking on the part of your QSA.
If you serve files/documents it is a good idea - I wouldn't want to be the source of a virus to your network/enterprise. To minimize the CPU hit I would scan new files as soon as practical and all files on a regular schedule during off hours - to catch viruses whose signatures didn't exist during the initial scan.
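As an added example (not code from any poster in this thread), the following shell script implements the scanning pattern described in the reply above: a cheap incremental scan of files changed since the last run, meant to run often, and a throttled full scan meant for an off-hours cron entry to catch files whose signatures arrived after the first pass. It assumes ClamAV's clamscan is installed; the state directory, log path and scan root are placeholders you would replace.

```shell
#!/bin/sh
# Added example, not from the thread: incremental "new files" scan plus a
# throttled off-hours full scan using ClamAV. Assumes clamscan is installed.
SCANNER="${SCANNER:-clamscan}"               # swap in clamdscan when clamd is resident
STATE_DIR="${STATE_DIR:-/var/lib/incscan}"   # assumption: writable dir for the run marker
LOG="${LOG:-/var/log/incscan.log}"           # assumption: log path

# Print regular files under DIR modified after the last successful run.
# With no marker yet, every file counts as new.
list_new_files() {
    dir=$1
    marker="$STATE_DIR/last-run"
    if [ -f "$marker" ]; then
        find "$dir" -type f -newer "$marker"
    else
        find "$dir" -type f
    fi
}

# Scan only the new files, then advance the marker. The new marker is stamped
# before scanning starts so files written during the scan are picked up next run.
# Exit status follows the scanner (clamscan: 0 clean, 1 infected, 2 error).
scan_new_files() {
    dir=$1
    mkdir -p "$STATE_DIR"
    marker="$STATE_DIR/last-run"
    touch "$STATE_DIR/last-run.new"
    if [ -f "$marker" ]; then
        find "$dir" -type f -newer "$marker" \
            -exec "$SCANNER" --infected --no-summary --log="$LOG" {} +
    else
        find "$dir" -type f \
            -exec "$SCANNER" --infected --no-summary --log="$LOG" {} +
    fi
    rc=$?
    mv "$STATE_DIR/last-run.new" "$marker"
    return $rc
}

# Full recursive scan at lowest CPU and I/O priority (ionice -c 3 is the
# Linux idle class), so a daytime user barely notices if it overruns.
full_scan() {
    dir=$1
    nice -n 19 ionice -c 3 "$SCANNER" --recursive --infected --log="$LOG" "$dir"
}

# Suggested crontab lines (placeholder paths; not installed by this script):
#   */15 * * * *  /usr/local/bin/incscan.sh new  /srv/files
#   0 2 * * *     /usr/local/bin/incscan.sh full /srv/files
case "${1:-}" in
    new)  scan_new_files "$2" ;;
    full) full_scan "$2" ;;
esac
```

The load complained about in the question comes largely from clamscan loading the whole signature database on every invocation; pointing SCANNER at clamdscan (with --fdpass when the files are not readable by the clamd user) reuses the already-resident daemon and avoids that cost on each 15-minute run. If "as soon as practical" needs to mean at file creation rather than on the next cron tick, ClamAV's clamonacc on-access scanner is the component built for that, at the price of the exclusion management the earlier reply mentions.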