Deyan
Contributor I

Anti-malware software for Linux? Is it needed?

Hi community,

 

This is a long-running debate in the security world: what do you think, does a Linux device need antivirus? Is it worth it, and what's the risk for public-facing and internal Linux systems? All opinions appreciated :).

10 Replies
Shannon
Community Champion

 

Linux may be more inherently secure and less impacted by malware than Windows --- but that doesn't make it invulnerable. Based on how critical a system is for business operations and its exposure, you may have to provide extra protection.

 

Our organization employs an application running on Linux; when I asked the vendor administrator to gauge the impact of running an anti-malware solution on it, he flatly stated that 'Linux didn't need anything like that.'

 

Shortly after, the system began generating a lot of unexpected traffic, and a worm was discovered in it. Now, all our Linux servers are running anti-malware. And this happened to be an internal server...

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
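The worm in the post above showed itself as unexpected traffic before any scanner named it. As an added example (not code from the thread or from any anti-malware product), this script flags a host that contacts an unusually large number of distinct destinations on one port inside a time window, the fan-out pattern of a propagating worm; the flow records, thresholds and addresses are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_flow(line):
    """Parse one constructed flow record: '<iso timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_spreaders(lines, window=timedelta(minutes=5), max_targets=20):
    """Return {(src, dport): peak distinct destinations} for sources that reach
    more than max_targets distinct hosts on one port inside any time window."""
    events = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        if line.strip() and not line.startswith("#"):
            ts, src, dst, dport = parse_flow(line)
            events[(src, dport)].append((ts, dst))
    alerts = {}
    for key, recs in events.items():
        recs.sort()                   # sliding window needs time order
        in_window = defaultdict(int)  # dst -> records currently inside the window
        start = 0
        for ts, dst in recs:
            in_window[dst] += 1
            while ts - recs[start][0] > window:  # expire records older than window
                old = recs[start][1]
                in_window[old] -= 1
                if not in_window[old]:
                    del in_window[old]
                start += 1
            if len(in_window) > max_targets:
                alerts[key] = max(alerts.get(key, 0), len(in_window))
    return alerts

def constructed_flows():
    """Constructed sample (not real traffic): 10.0.0.7 sweeps port 445 across
    40 hosts in 80 seconds; 10.0.0.5 keeps hitting the same 3 HTTPS servers."""
    base = datetime(2019, 5, 26, 10, 0, 0)
    lines = []
    for i in range(40):
        t = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 10.0.1.{i + 1} 445")
        lines.append(f"{t} 10.0.0.5 10.0.0.{10 + i % 3} 443")
    return lines

if __name__ == "__main__":
    for (src, port), peak in find_spreaders(constructed_flows()).items():
        print(f"ALERT {src} reached {peak} distinct hosts on port {port}")
```

Feeding real NetFlow or conntrack exports through `parse_flow` only requires adapting the field order; the window and threshold should be tuned against a baseline of the host's normal fan-out.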
Caute_cautim
Community Champion

Remember the original Internet Worm was based on Unix - the Morris Worm https://en.wikipedia.org/wiki/Morris_worm. Yes, it is necessary, and whitelisting and characterization are also required. Malware can get into Linux and Unix systems due to lapses in practices and well-constructed attacks. They are susceptible to attacks like other operating systems.

 

https://www.techrepublic.com/article/linux-unix-viruses-and-worms-demand-special-attention/

 

Regards

 

Caute_cautim

JoePete
Advocate I

I'll go a step further and remove a qualifier from your query - is "anti-malware" necessary on any system? Yes, there is an onslaught of hype and marketing that tells us the best way of protecting our vulnerable software from malicious software is to ... yep, you guessed it ... add more software! But the reality is anti-malware really hasn't done a heck of a lot to quell malware. The best practices of locking down a machine and patching it are far more effective than running a loose and porous set of OS and applications and hoping that some black-box software somehow catches it all. I'll posit that anti-malware may actually heighten risk rather than reduce it because it is at best a lazy person's form of security. It's the condom of software: It will protect you (somewhat), but better judgment would have been a far better defense.

 

As Linux distributions grow in complexity in order to rival popular desktop OSes, perhaps we'll see a change, but I truly think the software isn't as much an issue as how it is used. How many people on the road, for example, drive distracted but remember to buckle up? Meanwhile, there are people, I am sure, who eschew their seatbelt but are far safer in their driving (they actually pay attention to the road!).

rslade
Influencer II

> Caute_cautim (Community Champion) posted a new reply in Tech Talk on 05-26-2019

> Remember the original Internet Worm was based on Unix - the Morris
> Worm

Actually, the *original* Internet worm was the CHRISTMA EXEC, which ran on
IBM mainframes (about a year before the Morris Worm) ...

======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Shannon
Community Champion


@JoePete wrote:

How many people on the road, for example, drive distracted but remember to buckle up? Meanwhile, there are people, I am sure, who eschew their seatbelt but are far safer in their driving (they actually pay attention to the road!).


Going with the same analogy, here's my view...

 

Being a good driver doesn't guarantee that you won't end up in an accident --- which could be caused due to a vehicle design flaw, badly maintained roads, other rash drivers, etc. --- in which case a seat-belt may make a difference.

 

Following best practices and hardening a system won't always make it invulnerable to compromise.

 

While being a good driver is definitely an important factor, you should also take additional precautions, one of which is fastening the seat-belt when you drive.

 

Systems should be secured using a defense-in-depth approach, with deployment of an anti-malware solution being another layer of protection.

 

However good a driver you are, if traffic rules / laws / regulations require fastening your seat-belt, it won't be open for debate.

 

Regulatory authorities often mandate securing systems with an anti-malware solution, in which case you'll have to comply.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
vt100
Community Champion

The question actually made me smile. Apologies to those holding Linux in high regard as a safe and secure OS, but I'll have to direct your attention here:

https://www.cvedetails.com/top-50-products.php?year=2018

 

And in addition, point out that one of the most exploited platforms in the world is, indeed, Linux. From Android, to IoT to routers and switches that have been compromised in the past few years, it has rapidly ascended the ranks of desired and exploitable targets.

 

We can blame it on the lack of patches, poor configuration, crappy software running on it, etc., but the facts remain the same.

JoePete
Advocate I


@Shannon wrote:

Following best practices and hardening a system won't always make it invulnerable to compromise.

 

Systems should be secured using a defense-in-depth approach, with deployment of an anti-malware solution being another layer of protection.

 

Regulatory authorities often mandate securing systems with an anti-malware solution, in which case you'll have to comply.


All good points. To carry my driving analogy to fruition, a large problem is that most people are put behind the wheel of a "vehicle" that routinely receives very poor safety ratings. Relatively few of them realize that there are options. In this regard, I think many have sealed their malware fate before ever hitting the power button. It's not that antimalware is a bad idea, but I consider it more a tangent than best practice. Sure, if I were going to juggle flaming chainsaws, I might want to wear a helmet and gloves, but you know what? The better practice would be to not juggle flaming chainsaws.

JoePete
Advocate I


@vt100 wrote:

And in addition, point out that one of the most exploited platforms in the world is, indeed, Linux. From Android, to IoT to routers and switches that have been compromised in the past few years, it has rapidly ascended the ranks of desired and exploitable targets.


But you really have to look at the nature of the vulnerabilities and exploits. Undoubtedly Linux is loaded with them. The quality of the coding is not the difference - as a matter of fact, many open-source projects are far more sloppily written than proprietary software. The difference lies in approach. When you have a singular, closed-source entity writing all the applications for the OS in addition to user applications, you can end up with an overt level of trust among these programs. A buffer overflow in some open-source project might result in an exploit crashing that program, but because everything else that interacts with that program inherently does not trust it, no further harm happens. However, exploiting a buffer overflow in some minor listening service on another OS suddenly gives you root access. Now, as the Linux distributions evolve into desktop replacements, we're beginning to see more complex vulnerabilities pop up, but in practice, there still seems to be a night-and-day difference.

 

The other thing to consider, especially with the IoT stuff, is that what we are seeing is that companies, in a rush to market, are making some very bad choices. They're essentially loading a web server onto a Linux distribution and running it as root with well-known usernames and passwords. That's not on the software. That's on the company selling the devices.

vt100
Community Champion


@JoePete wrote:

@vt100 wrote:

And in addition, point out that one of the most exploited platforms in the world is, indeed, Linux. From Android, to IoT to routers and switches that have been compromised in the past few years, it has rapidly ascended the ranks of desired and exploitable targets.


But you really have to look at the nature of the vulnerabilities and exploits. Undoubtedly Linux is loaded with them. The quality of the coding is not the difference - as a matter of fact, many open-source projects are far more sloppily written than proprietary software. The difference lies in approach. When you have a singular, closed-source entity writing all the applications for the OS in addition to user applications, you can end up with an overt level of trust among these programs. A buffer overflow in some open-source project might result in an exploit crashing that program, but because everything else that interacts with that program inherently does not trust it, no further harm happens. However, exploiting a buffer overflow in some minor listening service on another OS suddenly gives you root access. Now, as the Linux distributions evolve into desktop replacements, we're beginning to see more complex vulnerabilities pop up, but in practice, there still seems to be a night-and-day difference.

 

The other thing to consider, especially with the IoT stuff, is that what we are seeing is that companies, in a rush to market, are making some very bad choices. They're essentially loading a web server onto a Linux distribution and running it as root with well-known usernames and passwords. That's not on the software. That's on the company selling the devices.


All valid points. With that said, and specifically applicable to the anti-malware products, I see a need for those everywhere, not just on the possible desktop OS. Regardless of how the processes are executed, manually or automatically, if a particular payload is capable of tripping them, additional security controls may just save our bacon and call our attention to the means and methods involved.