*NIXing Malware
July 27, 2010 8:13 AM

What antivirus software should I run on a large Debian web server?

You'd think there'd be a lot out there about this, what with Linux servers being in the middle of so many PC to PC file transfers, but pretty much everything I can find fits into one of these categories:

1. "LOL u dont need av on teh NIX n00b"

2. "With our solution, you will be synergizing your upward mobility and monetizing your workflow with enterprise-grade infrastructure not to mention SEO and did we mention synergy? Download our whitepaper!"

3. "Just use Clam."

Now, the people in charge are strictly Windows-oriented, and have left this Linux box entirely up to me. They would probably be comfortable with one of the corporate-speak solutions from #2. However, it seems like most of those are only available for Red Hat, and are closed source. Also, it is easy to find contradicting information, hard to find actual users' experiences, and it is clear that Linux is not where their priorities are. We use McAfee on our Windows network, so if there was even a murmur of a decent Linux product from them, that would probably be the favorite with the suits.

However, the only real requirement I've been given is that I use something effective, with up to date definitions. Is something like ClamAV enough for a website that will allow thousands of users to upload files for the general public? Is it effective and current enough to compete with big brand enterprise standards?
posted by Mr. Anthropomorphism to Computers & Internet (8 answers total) 1 user marked this as a favorite
 
It is pretty slim pickings out there.

You could always offload the AV stuff to an IPS/proxy server in front of it if you've got one of those already.
posted by Threeway Handshake at 8:21 AM on July 27, 2010


Best answer: If you want free, ClamAV.

If you're willing to pay, Sophos.
posted by Mwongozi at 8:25 AM on July 27, 2010


Have you read the Debian manual about securing the server, and tools to use? They have a decent section on anti-virus software.

http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-tools.en.html
posted by blue_beetle at 8:29 AM on July 27, 2010


What are you protecting against? Viruses causing a problem on the Linux box, or detecting viruses in the files to prevent infected files being picked up?

If the first, you should probably look at SELinux. RHEL has the best support for it.
posted by devnull at 9:25 AM on July 27, 2010


Several years ago at an old IT job we used F-Secure's command line Linux scanner to scan files uploaded to a public file dropbox. We skipped all the marketing BS and "enterprise solutions" and just got the simple, basic command line scanner, which was quite reasonably priced and was easy to integrate into scripts.
posted by zsazsa at 9:31 AM on July 27, 2010
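Both Mwongozi's "ClamAV" and zsazsa's "command line scanner ... easy to integrate into scripts" come down to the same pattern: run the scanner on each upload, act on its exit status, and never serve a file until it has passed. The script below is an added example, not code from any poster or from the ClamAV project; it wraps `clamdscan` (or `clamscan`) and quarantines hits. The `SCANNER` and `QUARANTINE` variables, the quarantine path and the file names are assumptions for illustration. The exit-status mapping (0 clean, 1 infected, anything else an error) is ClamAV's documented behaviour; definitions are kept current by the real `freshclam` updater, which this script does not replace.

```shell
#!/bin/sh
# scan_upload.sh - scan one uploaded file with ClamAV and quarantine it on a hit.
# Added example for this thread, not any poster's code. Assumes clamdscan/clamscan is
# installed and freshclam keeps its signature database current. Paths are assumptions.
#
# Usage: sh scan_upload.sh /srv/uploads/incoming/<server-generated-name>
# Exit status: 0 clean (safe to publish), 1 infected (moved to quarantine), 2 error.

# clamdscan talks to the running clamd and avoids reloading the database for every
# file, which matters when thousands of users upload. clamscan works too, just slower.
SCANNER="${SCANNER:-clamdscan}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"

# classify_exit STATUS: map the scanner's exit status to a verdict word.
# ClamAV documents 0 = no virus found, 1 = virus found, 2 = error.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# scan_upload FILE: scan FILE, quarantine it if infected.
# Returns 0 clean, 1 infected, 2 on any scanner or file error (fail closed).
scan_upload() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "scan_upload: not a regular file: $file" >&2
        return 2
    fi

    # Capture the status in a way that survives 'set -e' in a calling script.
    if "$SCANNER" --no-summary "$file" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi

    case "$(classify_exit "$status")" in
        clean)
            return 0
            ;;
        infected)
            # Move the hit out of the tree the web server publishes from, so it is
            # never handed on to the next visitor; timestamp avoids name collisions.
            mkdir -p "$QUARANTINE"
            mv "$file" "$QUARANTINE/$(basename "$file").$(date +%s)"
            echo "scan_upload: quarantined $file (scanner status $status)" >&2
            return 1
            ;;
        *)
            # clamd down, stale/corrupt database, unreadable file: treat as NOT clean.
            echo "scan_upload: scanner error (status $status) for $file" >&2
            return 2
            ;;
    esac
}

# Run as a command when given a path; do nothing when sourced for its functions.
[ $# -eq 0 ] || { scan_upload "$1"; exit $?; }
```

The script is meant to sit between the upload handler and the directory the site publishes from: the application writes the file under a server-generated name into a non-served staging directory, calls the script, and only moves the file into the public area on exit status 0. Treating status 2 as "not clean" rather than ignoring it is the important design choice; a stopped clamd or a failed `freshclam` run otherwise silently turns the scanner off.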


No antivirus is perfect. If you go with a commercial vendor you're mostly paying to CYA.

Judging by the fact that your bosses use McAfee, which is a uniformly terrible product, CYA is more important to them than actual security. For your own job security, go with a name they will recognize - Symantec would be a better big-name choice than McAfee, if not by that much.

If you just want something that works, Clam is perfectly adequate.
posted by zjacreman at 10:41 AM on July 27, 2010


I am assuming you are not talking about securing the server, but rather scanning the data that people will be uploading to it.

Depending on your application I think your choice here is non-trivial, since performance is a huge factor if you have a lot of active connections to deal with. I'd suggest you trial what will give the best performance and integrate well with your app, then make your decisions with those criteria in mind, followed after by scan engine effectiveness as the secondary consideration. I also really agree with Threeway Handshake about plopping a security device (or even a security VM, depending on the circumstances) in front of your server(s). Cisco and Juniper are the safe choices, but there are tons and tons of security appliance vendors that have gear for handling this type of problem.

Anyway for what it's worth Nod32 is, in my opinion, the finest scanning engine ever created by man. Reasonably priced, too.
posted by tracert at 12:14 AM on July 28, 2010 [1 favorite]


Response by poster: Thanks to everyone for their input. I went through the spiel about how a lot of free and open source solutions are considered adequate, how the big-box enterprise solutions seem to not be very Linux friendly, and then mentioned most of the in-between suggestions.

Turns out my boss was very familiar with the Sophos brand, and that was all he needed to hear.
posted by Mr. Anthropomorphism at 12:15 PM on August 3, 2010

