18 votes

Does Linux need antivirus?

7 comments

  1. [5]
    emnii
    Link
    At one point in my career, I was tasked with evaluating how to deploy Symantec Endpoint Protection on Red Hat. I put the brakes on as soon as I learned SEP required a Java runtime engine on Linux....

    At one point in my career, I was tasked with evaluating how to deploy Symantec Endpoint Protection on Red Hat. I put the brakes on as soon as I learned SEP required a Java runtime engine on Linux. That's the definition of the cure being worse than the disease. IIRC SEP didn't have any signatures for viruses affecting Linux either. We'd be installing a JRE and AV client with signatures to detect Windows viruses just to check an "asset has AV installed" box. No thanks.

    12 votes
    1. [4]
      reese
      Link Parent
      Omfg, at a past employer I won't name, we had Red Hat VMs that InfoSec insisted required McAfee. Devs like me were of course blamed because our services running on said VMs were erratic. Well, we...

      Omfg, at a past employer I won't name, we had Red Hat VMs that InfoSec insisted required McAfee. Devs like me were of course blamed because our services running on said VMs were erratic. Well, we looked into it, and guess what the problem was?

      McAfee.

      Adding insult to injury, McAfee was only compatible with older versions of Red Hat, stymieing our productivity by wholesale eliminating tools we could have otherwise used with newer versions.

      Not trying to be an asshole, but after enduring so much inane bullshit with the numerous InfoSec organizations I dealt with, I've come to believe that this is their informal motto:

      If you're doing your job, then we're not doing ours.

      7 votes
      1. minimaltyp0s
        Link Parent
        As an Infosec professional, I sympathise. I really do. I've worked in many places where Infosec had a degree of 'power' and used it badly. It's a shame every time I see it. But it's perhaps not as...

        As an Infosec professional, I sympathise. I really do.

        I've worked in many places where Infosec had a degree of 'power' and used it badly. It's a shame every time I see it. But it's perhaps not as simple as most people suppose.
        The issue is based around the fact that it's really easy to be Chicken Little. And even when you're on a team that's trying to get away from that mindset, it's a big gamble to go against Chicken Little because it only takes a single example to prove them right vs your hundreds of examples that never quite suffice in proving them wrong. It takes a big cultural effort to overcome this - but the good news is that I've seen it done right in a bunch of places too.

        OTOH, I've worked in places where I've tried to implement something like "this is my prod so it's my rules, this is your dev, so it's your rules". And this has worked well right up until the point that there's an 'edge case' that absolutely needs implementing and then the flood gates open to all sorts of crazy.

        The best/worst of it was when I'd implemented a new monitoring solution on the corporate LAN and found:

        • open TOR exit nodes
        • Warez server
        • one machine that was aggressively mapping the network and trying to connect to any port it found

        Something common between these three machines? Two things:

        • All 'dev' machines
        • All Linux.

        So, to the point: is AV absolutely necessary? Maybe not - but not because it's Linux, more because of the context and the trade-offs. But equally, just because it's Linux doesn't mean it's low risk or should get a free pass.

        2 votes
      2. [2]
        emnii
        Link Parent
        A lot of InfoSec professionals are 'no' people. No you can't do that, think about the risk! No, you do what everyone else does. No exceptions. And then they complain about being left out of...

        A lot of InfoSec professionals are 'no' people. No you can't do that, think about the risk! No, you do what everyone else does. No exceptions. And then they complain about being left out of discussions and shadow IT.

        1 vote
        1. minimaltyp0s
          Link Parent
          Yeah, it's a shitty attitude from what we broadly consider the 'old guard', but the problem is that it's a really easy route to follow - being 'the sky is falling' guy is easier than actually...

          Yeah, it's a shitty attitude from what we broadly consider the 'old guard', but the problem is that it's a really easy route to follow - being 'the sky is falling' guy is easier than actually thinking something through in context. But also, unless the org and the culture is willing to support the infosec guys properly then there's no incentive for them to be anything other that Chicken Little.

          It often lines up that if anything were to go wrong then Infosec would get the kicking, but equally they're supposed to be 'open' to new ideas. That's not something that can necessarily be solved within the infosec team - that needs a higher up vision that enables infosec to be part of the solution instead of 'the police'.

          1 vote
  2. skullkid2424
    Link
    SELinux is not an anti-virus program, but is the main security software I hear recommended by my linux buddies. But they are also in the Red Hat ecosystem, so...shrugs

    SELinux is not an anti-virus program, but is the main security software I hear recommended by my linux buddies. But they are also in the Red Hat ecosystem, so...shrugs

    3 votes
  3. mrbig
    Link
    The only thing to ever get infested on my Linux installs was Google Chrome, but it did not impact the rest of the system. I do enable GUFW. That’s about it.

    The only thing to ever get infested on my Linux installs was Google Chrome, but it did not impact the rest of the system. I do enable GUFW. That’s about it.

    1 vote