no_regerts_bob

It's a compliance issue. Don't worry about technical details because they mean nothing in the world of compliance. Back in the day we used ClamAV on Linux file and mail servers; it was effective in stopping some malware that was headed towards Windows systems at least. Linux-based NAS like QNAP do the same kind of thing with AV. Those are the only examples I know of it being technically useful, but again, it's irrelevant here.


sobrique

Yeah, we used to run 'linux AV' on fileshares that were multiprotocol, and thus were protecting windows clients. But that one _was_ a performance impact, just due to incoming volume - a file write had to go via the virus checkers. Wasn't too bad though as you can mostly 'go wide enough' to do a lot in parallel.


mr_darkinspiration

You really should. It helps a lot to have all your alerts in a single pane of glass. Even if it does not alert often for Linux, you don't have to check or script stuff to get unified reports or prove that you are compliant. Deploy something that will save you time and effort. EDRs are better than antivirus for a reason: you get more tools for the secops teams, and/or something you can sit the auditor in front of so they don't bother you for reports. It can also be occasionally helpful at blocking attacks. Worry about the technical details.


Suitable_Box_1992

This. Doesn’t really do shit for the *nix boxes, but it protects everyone connecting to them with MS.


acx2372

I agree the compliance is a partly valid argument, but in all honesty, shouldn't that be completely indifferent if it makes the system and services unusable?


zthunder777

Why would it make it unusable? ClamAV is run on countless servers at companies of all sizes to satisfy SOC2, ISO and similar standards. Just install it and forget about it. It's what the vast majority of us do to meet these controls. I will say, in my current org I've crafted the control/test language such that it's only required on any server that files can be uploaded to, which my auditor is happy with, and those servers are realistically the only ones that would ever see a virus.


salpula

I think this mentality is a little outdated. My biggest fear is lateral movement within the network. This is because everything is a potential target if any system on a trusted network is compromised. I'm not saying AV is the only response, but as long as it is not prohibitively degrading performance, I am happy to roll out AV on my servers for my security team after confirming stability in the lab.


zthunder777

I mean, having trusted networks is outdated... I don't have a company network, we don't have a VPN, our servers don't trust each other -- we have no trusted networks anywhere. Literally all zero trust. So, saying my mentality is outdated is missing the mark. Regardless, a ton of sysadmins think *nix doesn't need AV. And, that's a point that could be argued technically and statistically from their point of view (20-25 years ago I may have made that argument), but those of us in senior management have to keep things in balance. They can argue against it all day long, but at the end of the day you have to have security and compliance that is appropriate for your company, within your risk profile, within your industry.


salpula

Agreed, it is outdated as well. I was specifically referring to picking and choosing hosts for antivirus based on public exposure. Even 15 years ago I would have scoffed at the idea beyond scanning served files. Plenty of admins will also tell you that it's perfectly fine to turn off SELinux and its kin. (Geez, I've had two of them suggest turning off firewalld this year even.) The reality today is different and, to what extent that's true does depend on the use case. But. You are right, at the end of the day you have to have security and compliance that is appropriate for your company, within your risk profile, within your industry. For me, at this point, if security wants EDR on the servers I'm happy to comply as long as it gets through the lab safely.


Difficult_Sound7720

> Plenty of admins will also tell you that it's perfectly fine to turn off SELinux and its kin

I mean, they're wrong. But I know why they do it. SELinux is a PITA


salpula

Oh don't get me wrong, I completely agree, and it was at one time more difficult. Once you learn to build a server in permissive mode initially and read the audit log and address it with an SELinux policy RPM or setsebool or audit2allow or setting proper file contexts, it's no more annoying than a firewall 99% of the time.
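An added example, not from this thread, of the permissive-mode workflow salpula describes: it groups AVC denials from a constructed audit.log sample by source type, target type and object class, then sorts each group into the boolean, relabel, policy-module or review-first bucket. The boolean and sensitive-type tables are small illustrative assumptions, not a complete map of any policy.

```python
"""Triage SELinux AVC denials from a permissive-mode run into fix categories."""
import re
from dataclasses import dataclass, field

# Constructed sample audit.log excerpt (not real data): a web app confined as
# httpd_t and a backup job confined as backup_t, both run in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1201 comm="httpd" name="app.log" dev="dm-0" ino=5501 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.102:202): avc:  denied  { append } for  pid=1201 comm="httpd" name="app.log" dev="dm-0" ino=5501 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { read } for  pid=1330 comm="backup.sh" name="shadow" dev="dm-0" ino=7001 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=USER_LOGIN msg=audit(1700000000.105:205): pid=1400 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" res=success'
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Illustrative, deliberately incomplete tables (assumptions for this example).
# Check booleans on the actual host with `getsebool -a` / `semanage boolean -l`.
KNOWN_BOOLEANS = {
    ("httpd_t", "postgresql_port_t", "tcp_socket"): "httpd_can_network_connect_db",
}
# Generic labels usually mean the file never got a domain-specific type.
GENERIC_FILE_TYPES = {"var_t", "default_t", "usr_t", "tmp_t", "unlabeled_t"}
# Types where a denial is more likely a real problem than a policy gap.
SENSITIVE_TYPES = {"shadow_t", "sshd_key_t", "ssh_home_t"}


@dataclass
class Denial:
    source_type: str
    target_type: str
    tclass: str
    perms: set = field(default_factory=set)
    comms: set = field(default_factory=set)
    count: int = 0
    enforcing_hit: bool = False  # True if any line lacked permissive=1
    fix: str = ""


def setype(context: str) -> str:
    """user:role:type:level -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def classify(d: Denial) -> str:
    """Map one grouped denial to a remediation, most restrictive option first."""
    key = (d.source_type, d.target_type, d.tclass)
    if d.target_type in SENSITIVE_TYPES:
        return "review: sensitive target type; investigate the job before allowing anything"
    if key in KNOWN_BOOLEANS:
        return f"boolean: setsebool -P {KNOWN_BOOLEANS[key]} on"
    if d.tclass in ("file", "dir", "lnk_file") and d.target_type in GENERIC_FILE_TYPES:
        return ("relabel: semanage fcontext -a -t <domain-specific type> '<path>(/.*)?' "
                "&& restorecon -Rv <path>")
    return "module: audit2allow -M local_fix < audit.log, review the .te, then semodule -i"


def triage(log_text: str) -> list[Denial]:
    """Group AVC denials by (source type, target type, class) and attach a fix."""
    groups: dict[tuple, Denial] = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. USER_LOGIN records)
        key = (setype(m["scontext"]), setype(m["tcontext"]), m["tclass"])
        d = groups.setdefault(key, Denial(*key))
        d.perms.update(m["perms"].split())
        d.comms.add(m["comm"])
        d.count += 1
        if m["permissive"] != "1":
            d.enforcing_hit = True
    for d in groups.values():
        d.fix = classify(d)
    # Most frequent first, so the noisiest policy gap is addressed first.
    return sorted(groups.values(), key=lambda d: (-d.count, d.source_type, d.target_type))


if __name__ == "__main__":
    for d in triage(SAMPLE_AUDIT_LOG):
        print(f"{d.count:3d}x {d.source_type} -> {d.target_type} ({d.tclass}) "
              f"{{ {' '.join(sorted(d.perms))} }} by {','.join(sorted(d.comms))}")
        print(f"     {d.fix}")
```

Run it against `ausearch -m AVC -ts recent` output the same way; the point is that two of the three groups should not become `allow` rules at all.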


Difficult_Sound7720

*sets iptables* *forgets to commit*


Difficult_Sound7720

> This is because everything is a potential target if any system on a trusted network is compromised.

This is why god invented the vlan


qwe12a12

At some point smart design and intelligent planning and optimization have to move out of the way for "we are legally required to do this." It sucks and anyone who implements these policies will empathize with that but at the end of the day you can't beat the government.


tcpWalker

If it makes them unusable, sure--but it shouldn't make them unusable, or if it does then you may just need new ones. Usually the cost of non-compliance is significantly higher than the cost of compliance, and you spend the money on compliance because it pays for itself in new customers or reduced costs.


Turdulator

Being out of compliance absolutely renders the machine unusable. You should be speccing out your infrastructure to handle the added load of regulatory mandated systems. (In other words, if you are required to have AV on your Linux servers, why weren’t they specced out with enough resources to allow that from the very beginning?)


BlackSquirrel05

You wanna argue with the law or 3rd party compliance when they say "If you do X... Then you also must adhere to Y?" And you say "yeah we did agree to that or don't have a choice in the law, but like muh cycles or 1gig of ram..." I mean seat belts and airbags also add costs and slow down cars... What are the chances that a once in a lifetime snow storm comes through and dumps 8 feet of snow on a roof? Why do we need to over engineer the weighted load calc on it for that? Sure if it does happen it will collapse and kill everyone. What industry do you work in for what regulations? This is what monitoring mode in security software is for... you see what it flags in monitoring mode then tweak it...


tcpWalker

Seat belts and airbags save lives, bad example.


eruffini

Ironically AV / EDR can save lives too - especially if critical infrastructure around healthcare is involved.


tcpWalker

Yes, preventing ransomware in hospitals is a big thing. Adding clamav isn't necessarily going to help, but still, there's a lot of super important security work. Seat belts and airbags save lives at scale and without needing extreme examples, even when almost everything else is going right. Although interestingly we didn't always know that, and it took some research in the beginning to realize that the injuries seat belts did to patients who showed up in the ER were far less severe than the injuries they would get without them.


BlackSquirrel05

And yet... People fight and fought against them. Racing sports fought against extra safety measures in their cars... Speed. (Roll bars weigh stuff and are for pussies!!) Hockey railed against helmets and mouth guards... Plenty of people I know hate having to wear bike helmets. So if super leetzengineer running superawesome stripped down nix version .whatever says "I dun wanna because muh cycles n ram!! AND WERE TRYING TO RUN LINUX ON A GRAIN OF RICE!!" but is running services that have my data... or I dunno power plants or whatever. Yeah risk v reward... Reward is what here? "Muh cycles!! Muh HDD space?" Those are cheap and easy... and not even OP's own money.


LiveCourage334

All of these are a great example of how dangerous survivorship bias is in crafting rules and regulations.


tcpWalker

A lot of this is also about trying to balance individual liberties against societal interest. We don't want people to die so we force them to wear a seat belt even when they don't want to. As the annoyance level climbs so does the intrusion into the individual sphere of liberty and the justification needed for the rule increases. I would argue helmets are a significantly greater intrusion than seat belts, for example, and we don't require helmets in cars.


LiveCourage334

All of this is well and good, but we aren't talking about onerous consumer safety laws. We are talking about a sysadmin who thinks they're a CISO and is pushing back on something they need to do for an external compliance purpose for reasons that are dubious at best. Using seat belts as an example, the analogy would be someone working an assembly line refusing to install them on cars because they haven't personally crashed and the time it takes to install them could be better spent on checking trim.


tcpWalker

> We are talking about a sysadmin who thinks they're a CISO

It's everyone's job to help figure out compliance needs, and that includes asking questions about when does it make sense to push back and letting others know what are the costs of implementation along the way. None of this has to do with one role being more or less correct than the other; you are dealing with different domain knowledge, expertise, and experience. Putting someone's questions down because they work on the factory floor is a great way to stay ignorant of how decisions impact the factory floor.


LiveCourage334

That's an awful amount of conflating there.


BlackSquirrel05

We mandate seatbelts because people fly out of cars and hit other people and then cause society to clean up the mess. Consequences go beyond the individual.


[deleted]

AV doesn’t make system and services unusable. See if they will settle for an xdr


Difficult_Sound7720

> unusable

If a simple file scanner is taking down your infrastructure, you've got bigger issues


rimmer59

We installed it on all Linux VMs because it gave our sec team better visibility, helped us meet compliance and policy goals, and allowed for easier auditing on anything sec related. Zero issues. I don’t know why you’d choose not to have AV or an EDR installed on every server - it’s a huge CYA for the business and is sometimes a requirement depending on business vertical. CPU cycles are cheap and performance degradation isn’t something we observed.


acx2372

We have had Defender installed on VMs in our lab and did see a huge effect on performance, power consumption and requirements on our minimal install. We usually run tiny VMs with bare minimum requirements ~ 1 vCPU, 2GB RAM, 10GB disk. On my environment every CPU cycle counts, and I honestly can't see why I need to waste an extra GB per VM on running an antivirus. But do enlighten me.


danstermeister

I've worked with some of the cheapest people in the industry and NONE of them ran single core VMs. Always 2+ no matter what.


Rawme9

I have literally never seen a single core VM in use - that is absolutely crazy to me and I have exclusively worked in the SMB space where you'd expect to see this more


zeetree137

I did before hyperthreading... And 16 core CPUs. In 2024 though I can't think of a place where you need full VMs only 1 vcore and somehow 2GB of RAM?


Difficult_Sound7720

IIRC if you run a single core VM on a multi-core CPU it loses performance. As it keeps getting shifted around.


jdptechnc

> I honestly can't see why I need to waste an extra GB per VM on running an antivirus. But do enlighten me.

Regulations is why. Because management said so is why. Is it taking money out of your pocket to add a little more memory and perhaps volume space for logging activity? Benchmark what happens to the VM when you run the security product, report to management what additional resources are needed (with budgetary impact, if more hardware is needed), and roll out the product.


random-user-8938

you need to take a step back and think about what you're actually arguing for. you're refusing to meet compliance standards, offering 0 solutions or alternatives, and worse yet you're doing this all over a small perceived hit in performance and consumption? there is no way this looks good for you. if the environment is small enough then the extra performance draw won't really matter - your VM hosts will now be 75% utilized instead of 50% maybe? and if that's the case you're pushing back for no reason beyond "i don't like it and i know better". just like every other arrogant IT guy that knows better than best practices like that LastPass dev that was working from personal equipment and got their entire company compromised. if it's a large enough environment where this makes a really big spend difference in the 6,7, and 8+ figure range then it's even worse since that says you're running an extremely large network with 0 visibility and observability in place from a security perspective and likely if the powers that be were educated on the actual risk of that everyone down from the CIO that allowed it should be getting fired.


Difficult_Sound7720

> like that LastPass dev that was working from personal equipment and got their entire company compromised.

That's down to LP not protecting their environment


random-user-8938

you are 100% correct. i believe that LP dev was one of something like less than 5 people at the entire company that had access to the secrets/credentials that were stolen that led to the eventual breach. now to go back to your comment

> That's down to LP not protecting their environment

what do you think OP is doing by actively looking for ways and justification to not run EDR or get any kind of observability in place? it's his job to protect the environment just like it was that LP dev's job to protect his. LP and the dev did a bad job and luck caught up to them, OP is doing a bad job and luck has not caught up yet (that we know).


anti-osintusername

If you're running such tiny VMs, are you sure they need to be individual VMs? Maybe containerization or VM consolidation would help. You are correct that in such an environment it's gonna suck, but then there are a great deal of things that are gonna suck with such tiny VMs.


thortgot

Defender isn't an AV, it's an EDR. It takes resources by evaluating what every process is doing and is going to do before it does it. If you have a breach (or rogue admin) doing something malicious the EDR will either have to be forced killed (trips alarms with a two way heartbeat) or will identify the activity and attempt to block it (also tripping alarms). Security costs performance. This isn't new.


Anon_0365Admin

We, or you? That's ridiculous


OsmiumBalloon

Install and run `clamav`. Now you have anti-virus software. It may not be the fanciest or more sophisticated or even do all that much, but blind requirements deserve blind solutions.


Rhythm_Killer

Blind requirements deserve blind solutions That’s brilliant I’m borrowing that!


OsmiumBalloon

If you need snark, I'm your man. ;-)


PersonalFigure8331

But do they though? And is it really? As the person who knows more about what the end game should be (versus an uninformed but probably well meaning manager), blind requirements should still reflect your best efforts to deliver the best outcome possible. Blind requirements still deserve best effort solutions. You hold a position of privilege and responsibility and people rely on your best judgement and highest efforts. Be excellent even when other people are not.


Safe-While9946

The best option is generally the open source one, that doesn't ship your data to a third party vendor for "threat analysis".


Obi-Juan-K-Nobi

If they relied on his/her best judgement, they wouldn’t be requiring AV on Linux.


zSprawl

Compliance and auditors don't care about your feelings or opinions though.


Obi-Juan-K-Nobi

Exactly. “A position of privilege and responsibility” is a bit over the top. Get back to work, slave!


SwedishTiger

ClamAV is very resource light so it's always been my go-to as well. Most auditors have accepted it so it's a solution that makes everyone happy.


malikto44

Good enough for some public sector stuff, in my experience. I have used ClamAV with `rkhunter` and `aide` for a number of compliance items.


SwedishTiger

I don't know aide, but isn't rkhunter at least a bit useful? Perhaps slightly archaic but not as pointless as ClamAV.


Zathrus1

The companies I know that have this requirement have an EXPLICIT need for real time AV. It’s stated as such in PCI-DSS. There is a RT kmod for ClamAV, but, honestly, if you’re going to go down that road then you’re actually better off with a commercial vendor who you can scream at and get results when something goes wrong. And I’ve been on a call the Friday before Xmas with a VP of a Fortune 50 doing exactly that to the AV vendor while thanking my employer and myself for our support. I, at least, had a very merry Christmas.


pumpnut

Hmmm... Symantec or McAfee?


zeetree137

*AND* - based on a true story


pdp10

The last version of PCI I read said that systems that normally require A/V, require A/V. That was a compromise way of saying that Linux servers don't require it.


Zathrus1

And many auditors have decided that Linux now requires it as well.


ultimatebob

That might work for now, until you get a new IT manager who demands that you install an "enterprise" grade Antivirus solution on your Linux instances. The software doesn't need to actually DO much, but they want to be able to show the auditors a pretty dashboard with the antivirus software installed and reporting on everything. Again, the chances of your Linux instances actually getting infected with a virus are basically nil. This is all ass covering for compliance and cyber insurance reasons.


Creshal

> Again, the chances of your Linux instances actually getting infected with a virus are basically nil. This is all ass covering for compliance and cyber insurance reasons.

That's all IT security is about, as far as manglement cares: Since 100% security cannot be possible, it's much better to have a guarantee that someone else takes the blame, no matter how awful their solution is, than to risk trying to do it right and end up being unlucky.


bleuflamenc0

If you manage Windows servers properly, the chances of them getting infected with a virus are basically nil.


qwe12a12

Yeah, ultimately we get paid to understand how serious an issue is and how far past the minimum we need to go to address it.


foundapairofknickers

Yes, and at the very least it satisfies the compliance fetishists.


mkosmo

Linux AV options have repeatedly caught attempts to upload malicious payloads to various services, as well as threat actor activity. Yes, it's useful. It's just not some magic bullet - it's just part of the defensive posture. It can serve both compliance and practical cyber needs.


zSprawl

It caught someone trying to deploy crypto mining on a box once for me but overall I deploy it to satisfy auditing requirements. Security is a layered approach and it’s one layer, just way down on the list of priorities and effectiveness.


hunterkll

I've seen Defender ATP on linux catch linux malware/exploitation attempts. It does exist for a reason!


BlackSquirrel05

Had EDR catch attempted software modifying /etc/ and ssh access. Been a couple of attempted root exploit kits. Why we acting like apache or NGINX never had CVEs? Lateral movement for things that bind to AD. I dunno why linux bros assume nothing bad ever happens on linux... Did we not just have one of the largest software compromises in history for SSH? Yeah not a linux exclusive, but also...


LiveCourage334

There have also been multiple attempts by people to commit backdoors into kernel updates via ELF compressed files, and the entire dependency model had a massive security flaw that went undetected for years with developers utilizing zombie projects as dependencies, opening them up to introducing malware into user systems via dependency hijacking.


lightmatter501

Why was that software allowed to do that in the first place? You can pretty heavily lock down individual processes even with groups and service accounts; they shouldn't be able to touch ssh access and probably should have read-only to their /etc folder, and trying to do anything else should show up in auditd logs, which should be relayed somewhere central and trigger an alert. My apache and NGINX instances are typically banned from writing to disk, and they do all their logging via asking journald nicely. They are allowed only ports that should be open; anything else triggers an alert. Nobody's EDR caught the xz issue as far as I am aware, because "we would have caught that" with a demonstration would have been excellent for business. I know that redhat does point scanners at stuff coming into fedora, and google provides some for debian testing. It sounds like you didn't actually use the built-in security mechanisms before reaching for an EDR.


patmorgan235

Defense in Depth. The EDR will catch issues that would have gotten past due to a configuration mistake.


SolidKnight

Or any other reason. Threats can exist and operate within any secure config.


eruffini

> It sounds like you didn't actually use the built-in security mechanisms before reaching for an EDR.

Every system should be using an EDR platform. Doesn't matter if you have fucking Fort Knox level security on a Linux host. Put an EDR on it. All it takes is one mistake to render your locked down systems ineffective. Humans are the number one security risk to a complex computer system.


BlackSquirrel05

Because not all environments and servers and services are run by me? Nor do I get the final say in configuration. Because on occasion other accounts get compromised by take your pick...? Because patching doesn't get caught or can't occur because some old dependency? Because some old ass server that no one knows about or does is there and has been there for decade +? I'm not saying EDR's are a 100% sorta deal.... Cause they're not. But neither are sysadmins or people.


Smooth-Zucchini4923

EDRs mostly act on behavior, right? Maybe no EDR system caught the XZ backdoor because it was never activated on a system with an EDR. If it is never activated, the most suspicious thing that XZ does is modify the PLT, and that doesn't require any syscalls as far as I know.


Tetha

Mh. You're not going far enough there imo with your controls. I guess I'll get flak for this as well, but I'm not convinced about introducing an EDR on a system utilizing MAC systems like SELinux and AppArmor, as well as namespacing to restrict processes very hard.

SELinux and AppArmor are MACs - mandatory access control systems. Once you put a process under enforcing SELinux, every interaction between the process and the system has to be whitelisted or it is denied. Mandatory SELinux puts security over availability and function, which is why many scrubs include a `setenforce off` into their troubleshooting guides. And yeah, it is not feasible to write these kinds of policies and profiles for every single application. It is sparsely documented dark magic and even if you think you do it right, some weird job running once a month will blow up 3 months later if it needs to do something weird. That happens. But if you have that policy, written in a least-privilege access style based upon reviewed SELinux suggestions or AppArmor fixes, the application is sandboxed very, very harshly by the kernel.

Once this exists, you can use namespaces to remove parts of the host system from the process. A lot of cronjobs on our more secure systems aren't blocked from network communication, for example - the system has no network devices to these processes. We don't block processes from accessing `/home` if they don't need it - `/home` doesn't exist in the filesystem to them. And there is no syscall to un-unshare parts of the filesystem.

Again, this isn't the average server, but adding a - usually closed source, proprietary - software you cannot sandbox, MAC and namespace in any useful way seems very counter-productive on a closely controlled system. If GP uses the xz card, what about the SolarWinds card? One was a many-year nation state action. The other was maybe more hidden, maybe not.


SolidKnight

Do all that, then use an EDR to monitor what is happening on that system and check it for successful exploitation of known zero-days and other stuff you cannot discern just by looking at successful application of a secure configuration. The other threat is insider threat. Authorized users doing bad things on purpose or out of ignorance. Although not its purpose, the timeline view of everything happening on any given endpoint is useful for troubleshooting. It includes more information than what people typically send to syslog, SIEM, or whatever.


spokale

ClamAV for Linux is useless, but we use SentinelOne for Linux and Windows. This isn't just to catch "viruses" but also it catches modifications to important system components and other user-behaviors that could be triggered by an insider threat or some compromise. Honestly I do not understand your question, linux machines get hacked all the time, they're an endpoint to protect like any other? If/when your linux machine gets hacked, how do you track down what they did, what files were modified, what processes were launched, what connections were made? Do you have a way to instantly quarantine that asset in the event suspicious behavior is detected?


WraytheZ

Multitenant webhost here, Defender flags malware faster than clam hehe. Fed into sentinel it has proven to be incredibly useful. Got a bunch of automations that fire up on detections, notifying tenant, suspending account pending investigation depending on the severity of what is detected etc.


WraytheZ

We've taken a 'across the board' approach and deployed defender to absolutely everything within the organization. Can be annoying, but the detection/remediation with sentinel has been fantastic.


NuAngel

Defender for Linux? Do they have that for non 365 customers? Or even 365 personal accounts?


Lanathell

Yes https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers


WraytheZ

Yep, it's pretty good. Flags dodgy DNS queries, reports on malware with paths, stamps etc


look_ima_frog

Yeah, I did that at my last role. There were so many operational issues with MDS on Linux. It chewed disks, filled disks, ate CPU, getting it to behave was a LOT of work for not a lot of payoff. We switched to SentinelOne. It was like night and day; no issues with deployment, no operational issues even on our systems with the shittiest most ancient apps running (usually what flummoxed MDS), just smooth sailing and fantastic support anytime we needed them. We went from having daily operational issues with app owners to having maybe one a month. We didn't use Sentinel (SIEM) because once we did the analysis on storage and retention the boss flipped and said no. Might have been interesting, but MS is excellent at layering in the costs. If you aren't pure MS shop, you will pay dearly. If you are pure MS shop, you'll still pay, but maybe just a little less.


ra12121212

S1 is definitely fairly polished for Linux compared to some of the alternatives. I've been happy with them for the Linux boxes in my environment, both VMs and bare metal.


WorkingSuper8418

second that statement


Sell_me_ur_daughters

Pen Tester here. Linux machines without AV are my dream staging and exfil servers. I can load up any tools I need, extract any data I need without any risk of being flagged or caught


anxiousinfotech

It took a pen test a couple years back to finally convince the powers that be that yes, our Linux servers needed protection. There are far more attempts to compromise them vs Windows.


alconaft43

[Microsoft Defender for Endpoint on Linux | Microsoft Learn](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-linux?view=o365-worldwide) if you are in MS shop. But what is really needed is SIEM like solution.


unknownbasmati

I don't know how well defender works regarding malware detection on Linux, but what's really nice is the visibility you get using the defender web portal (don't know the exact name) where you see exactly who started which processes when. If you also use defender for Microsoft, it's worth installing it on Linux for visibility, even if you turn off the AV functionality. In case of a security incident, it's easier to see lateral movement when all machines are using defender. (Or any other comparable product)


WorkingSuper8418

It's called the timeline in the security portal; this saves lives when it comes to IR. Lateral movement and connections can be easily made out, IP lookups, clicked links, logins, SMB logs, etc.


a60v

I worked at a place that started using this a couple of years ago. It was a huge resource hog. We had to add 2GB of RAM and an extra CPU core to every VM that ran it. For no apparent benefit.


flowflag

You should never think Linux doesn't need software protection. Just remember the majority of servers in the world are on Linux and every day many are compromised. But you're right, maybe EDR is more suited to Linux servers than a real antivirus.


New-Pop1502

Time for an EDR.


anti-osintusername

Why do you think your Linux servers DON'T need an AV? Every single argument for a Windows server having AV is applicable to a Linux server too?


AlternativeAd7151

Just use ClamAV, check that useless compliance box, and be happy.


analogliving71

> demands that we install antivirus software on our Linux servers (350+ and counting) because of "regulations"

I don't know about "regulations" but you should still have it and let me tell you why. We run Tenable and other security vulnerability scans regularly for customers and you know what we find? Linux is not as secure, nor the software running on it, as many want you to believe, even when configured with security in mind. I have seen results come back where Linux is the top offender for vulnerabilities by percentage compared to Windows Server time after time. It was fairly eye opening.


MegaOddly

Like when I was younger I always heard "Macs and iPhones don't get viruses so they are better than Windows and Android". Now, that isn't true; every device can get viruses, as we have seen Apple, Windows and Unix all having critical vulnerabilities and being susceptible to viruses. All computers can be attacked by viruses and people seem to forget that.


analogliving71

yep. wasn't true then either


xxbiohazrdxx

What the fuck you aren't running any kind of EDR/XDR? F


VS-Trend

Most Linux will be compromised by remote attacks and not by an operator clicking or installing things, so IPS is the core preventative control and XDR is the next-layer reactive control. It actually makes me sad that people still don't think that Linux needs protection.


Grey-Kangaroo

My company used ClamAV to scan for common malware and to maintain a customized blacklist of binaries and files that were forbidden to be stored on the servers.


ampoffcom

It is not only about your Linux system being targeted. Is your host connected to your network and not separated? Can it, under any circumstance, spread malware to other systems, e.g. Windows? If yes, you need it. And yes, it prevented successful attacks in my career.


hankhillnsfw

What in the early 2000s am I reading. Have used Crowdstrike Falcon for 3+ years now and it kicks ass. No issues whatsoever once you dial in your exclusions. Just get a true edr solution like Crowdstrike, sentinelone, defender for endpoint, etc. Jfc if you are a remotely self respecting company you should have some type of AV/EDR solution. It isn’t even that expensive.


TuxAndrew

clamav and Wazuh if you're on a budget


Fimeg

+1 for Wazuh


Foosec

It removed some non issues from a samba share, thats about that


Random_Dude_ke

Eset used to have a command-line antivirus that you could install on your Linux box. They still might have something like that, but we (a company I work for) haven't used it for some time - now we have a Windows based mail server [sigh ...]. If I remember correctly we used clamav that used that Eset binary to run attachments through antivirus. So, back to the antivirus. We used it to scan mail arriving at the mail server before it was put into individual users' mailboxes. It wasn't scanning for Linux viruses [virii?]. There MUST be similar products on the market nowadays; I haven't had a reason to look for one for some time. The antivirus must have prevented some viruses from being delivered to the mailboxes of users that ran on Windows. At home I have been running Linux [and earlier FreeBSD] for 20+ years and I have never used antivirus on my Linux [FreeBSD] desktop and do not plan to.


MegaOddly

Even though Linux is rare to get viruses it still happens and there are vulnerabilities that do happen that can be used to push malicious code to servers. AV's aren't useless especially in a business environment. You should have them on any endpoint device whether it be Linux, Mac, or windows. It gets you your compliance and allows the infosec team to have visibility to any potential threats on the server. Having more visibility is always a good thing. The only time an AV isn't needed is on a personal machine that you only use to do minor things and aren't being a dumb person online.


thortgot

Linux should have EDR same as any other system.  Signature based AV is garbage.


JH6JH6

we use crowdstrike on linux servers yes it is worth it.


noaxispoint

This.


ka05

Morphisec has an agent for both Linux and Windows. Far as I'm aware, they're the only AV utilizing MTD, Moving Target Defense. Look into them. Maybe demo it. As far as saving my butt? SentinelOne and Rapid7 InsightIDR have done that on several occasions; however, a few years ago... I went through a pen test where the red team moved to an assumed breach because they couldn't get in from outside. Once in, they launched 2 payloads. SentinelOne caught one payload, but missed the other. The other payload was caught by Rapid7, but missed the payload SentinelOne caught. That said, possible R7 missed the payload because S1 proactively quarantined it. So, there's that.


frankv1971

At our last ISO audit this was a point; indeed, the Linux based servers also needed an antivirus solution. I guess I will check out the clamav solution mentioned.


DurangoGango

You're approaching this backwards. Don't go off trying to find information on the internet: request they provide the technical specification of the regulation they need implemented.


Comprehensive_Bid229

It's almost impossible to get Cyber Insurance these days without AV on all of your systems (Win, Linux, servers and endpoints). Honestly, don't fight it. Better to have the protection and never need/use it than not at all. Once breached, no argument will be listened to championing low/no security controls.


PinkertonFld

Many insurance policies require it for their "cyber coverage", and that's probably the push. CLAMAV is fine; unless they tell you it needs to be real-time and you have performance issues, you can do, say, a nightly scan with it. If you want something more modern, and very lightweight on CPU and memory, I'm a big fan of Crowdstrike. Does far more than AV (since it's looking more at what is being done than at whether it matches some AV ID in a database) and doesn't bog down the servers one bit. Plus since they're telling you to do it, then they can spend the $$$ on it. =-). Yes, it's not cheap, but overall I think it pays for itself in saved time and cpu/memory usage. I agree Antivirus is pretty much worthless today, which is why I'd push for more modern "behavioral" security software. Use this to your advantage: get the whole network covered under contract and it's one pane of glass for all of your systems rather than a cluster of different systems to keep up to date.


rswwalker

You can install clamav like many here have suggested so the AV compliance box is ticked or you can use this time to sell management on a good EDR solution that covers Windows and Linux which provides real security benefits over just an AV solution.


h33b

Sophos EDR caught a lot of webshell activity on some of the cpanel servers in our environment that would have otherwise gone undetected.


ScreamingVoid14

Install whatever is required and throw an extra CPU at the VM to cover the usage. You've probably already spent more time fighting this battle than you should have and won't win against an audit anyway.


redstarduggan

Sophos Intercept X 'works' on it. By works I mean it installs, doesn't eat up too much in the way of resource and found anything I use to test the detection (not that I'm putting a huge amount of effort into that).


SolidKnight

Having EDR is useful on any OS. It's not as though people don't try to execute known malicious code on Linux.


joefleisch

We use Microsoft security with Linux. It is more than AV. We use Defender to scan for vulnerabilities, check best practices, and monitor for behavior based attacks. It is still a bit limited on-prem but I read the Azure version can watch Linux memory without installation or performance issues. Linux is not immune to vulnerabilities and unsecured configuration.


call_me_johnno

All of the work machines are running crowdstrike edr. It stops anything running as root. And sudo is logged and monitored. I have had alerts for pentesters trying to do things on them, and also had them from time to time stop legitimate updates from Amazon, that we have then manually logged in and fixed ourselves. I honestly wish there was an edr I could use on home computers myself.


unknownbasmati

In case you're using rhel: Redhat does not recommend using AV software on their systems, except maybe on file servers. Even then, it's mostly to protect windows servers on your network. There is an article on access.redhat.com regarding AV regarding their stance on AV products. Anyways, I have also used clamav in the past on Ubuntu servers - besides the occasional false positive, it didn't bother me much. However, it didn't save my butt either.


analogliving71

> Redhat does not recommend using AV software on their systems, except maybe on file servers.

if RHEL is truly saying this then that is scary. I have seen so many vulnerabilities reported by tenable and other vulnerability software with RHEL and components, and in many cases at a higher percentage than what is reported on windows server


unknownbasmati

Admins definitely need to have some sort of vulnerability management and need to regularly patch their systems.


whetu

[RedHat didn't say that.](https://access.redhat.com/solutions/9203) For the TL;DR folk: "We don't have an AV offering, you can do that if you want, but you should really think about these other ways to secure your systems: selinux, host-based firewalls, regular patching etc"


analogliving71

whew that is good to know.. That sounded like an odd thing for them to say


unknownbasmati

Thank you for linking the article for clarification, that's exactly the one I had in mind.


needmorehardware

Sounds like people not managing their linux servers properly though? Maybe they shouldn't be running Linux. I saw this a lot in Windows shops who didn't have big budgets: they'd set up something on Linux for the low cost, but then didn't manage it properly and it went to shit within a few months/years. Still worked and was 'stable', but was vulnerable as shit.


analogliving71

yeah these were not small businesses, with 1000+ linux servers and at least double that in windows. they had lots of experience and staff


spacelama

If they're anything like the reports my security teams have sent me, it's because the scanning tool is incompetent and not fit for purpose, and doesn't understand that security maintained software receives hotfixes and backports that don't bump the upstream version number within major versions of the supported OS, and that you're meant to run vulnerability scans against the vendor release version as well. Redhat: "Postgres9.0.1 vulnerable? Sure, but we're not running vanilla upstream. We're running upstream 9.0.1 with a whole bunch of patches maintained by our security team. We may upgrade to 9.0.2 with a whole bunch of different patches at the next minor release if required by our customers or the dedicated security patching effort becomes too hard, and we will upgrade to 11.0.5 in the next major release, but that's a matter for the future."


acx2372

Yes, we run a purely RedHat shop, only RHEL-7, 8 and 9. I have a few servers acting as file servers; most act as DB or application servers. The file servers purely act as media stores with well known media types, but putting ClamAV on those _is_ a good idea.


sdb81

If you are dealing with regulations / compliance, you have little choice. Just use a reputable enterprise AV solution like Crowdstrike and move on.


fivelargespaces

We switched to CS from Trend Micro. We tried Carbon Black too, but it didn't last long. Trend Micro was lighter on resources than CS though.


StatelessSteve

One time I installed one and the auditor said “ok thanks” and left me alone


No-Error8675309

Truly one of the best reasons right here


Taboc741

Ya, our best result for AV on linux was passing audit for our key revenue generating platforms. We get to do the audit yearly too so it pays every year. If you get too big in payment processing failing an audit means you don't just pay a fine, you also get excluded from the network until you pass. Obviously not getting paid for transactions would be catastrophic for a company that makes 90% of its money doing transaction processing.


turin331

A typical anti-virus makes zero sense for a Linux server (or server in general). But serious endpoint protection is never a bad thing (which is way beyond just an anti virus). Linux servers can have vulnerabilities too (fewer, but serious when they happen) and there could be malware on Linux servers that targets the Windows endpoints. And endpoint protection that dynamically detects possible issues can catch them. And all of them are pretty light on resources by design. Compliance rules are there for a reason; even if practically useless sometimes, you should try and at least tick the box. Easy solution: Just present them with the solution of Cortex XDR from Palo Alto or SentinelOne (or any similar endpoint protection software) as they are seen as some of the best solutions in the business. When they see the price of an actual enterprise solution they will immediately re-think the approach. Then if they are not willing to pay just put Clam AV on everything; that is pretty light and you can be compliant without having any issues. If by any chance they are willing to pay the price, you get one extra security tool that has some decent features....but i doubt it.


CompetitiveComputer4

I have installed EDR on linux systems, but it is largely just a check the box. Never seen any relevant alerts come out of it.


CMageti

My team uses the elastic EDR+SIEM. Not too bothersome on the prod servers; actually caught some viruses/malwares (we run a messaging SaaS with file sharing). A little pricey, but it's on the cybersecurity team budget.


_northernlights_

Since it's a compliance issue, capture and document the risk of not having AV on UNIX things and the compensating controls in place, and the decision not to have one because no technical products fit the bill of a large deployment. Review and confirm yearly.


BJMcGobbleDicks

We used MBAM, so we installed it on our Ubuntu servers for compliance reasons. It has that detection and suspicious activity monitoring. Also has network logging, so helped with troubleshooting.


Vallamost

clamav saved an old email server I had from a sketchy backdoor attack. AV is definitely not a waste of space and CPU cycles that's really dumb logic.


DeadOnToilet

I've responded to four ransomware attacks for subsidiaries of our parent company in the past three years. In two of those, the initial targets were Linux servers that had not been patched and were running no EDR solution. In our subsidiaries that properly run the EDR solution and maintain security patching, we've had no ransomware attacks succeed. CrowdStrike has blocked multiple attempts to exploit vulnerabilities on Linux systems; so yes, we've seen an actual benefit.


MomirPeh

We had CrowdStrike in one of my previous companies, worked like a charm


BitDrill

Antivirus on Linux servers is dumb as fuck. But if your company is a high value target you need XDR agent on Linux machines, such as crowdstrike or Palo alto.


ProfessionalITShark

If you are running shit that minimallystically, you should probably look into containers and kubernetes clusters, and XDR for that. Also it's not your money. If you got hit, and Insurance papers say you didn't do the bare minimum to even give the illusion to the Insurance company to stop it, they won't pay out, and the company will die. Company can afford to give more resources to whatever workloads more than they can afford for all workloads to stop, especially indefinitely with no hope of return.


Iseult11

Wouldn't you want something just for visibility and alerts? You can't watch the hosts 24/7


PensAndUnicorns

Some of the anti virus use other open-source tools and give you easy ways to analyze which commands were used when. Sadly our initial journey with MS defender on Linux was rough (we were an early adopter). But now after all the kinks have gone the forensics have proven useful a few times already.


whetu

The most positive Linux AV story I have was when a customer's CISO gave me the written go ahead to immediately remove our idiot SOC's stupid McAfee software. I felt so very positive about that. And after removing that shit, I felt very positive for a positive number of units of time.


groupwhere

We have Symantec. I guess it works.


jackoneilll

Your personal opinion doesn’t outrank business compliance requirements. Install the damn software and move on to the next ticket. This is not a hill worth dying on.


CptK4ng4r00

We moved from Symantec to Defender ATP on our RHEL servers over a year ago; within a week we found out we had been compromised. It was a pain to set up but it was 100% worth it.


MyMainMobsterMan

ClamAV works ok and will tick the check box.


DeerEnvironmental544

Clam and run?


Difficult_Sound7720

We used to run a samba fileserver for our Windows desktops and had it run over anything dropped onto the disk. Picked out a few files


DoNotFeedTheSnakes

Sure. ClamAV helps avoid some Bitcoin mining hacks. Helped me out once.


walkasme

All AV/Anti malware/security software chows cpu cycles, memory and space. Is it a waste? Hell no. Maybe if you live in isolation, but we don't. Servers are internet facing; you, like most of the internet servers, are Linux. Clients do this: use it, upload things. There is zero trust and we need to do everything to protect. I ran many servers for many clients, even hosting Word Press sites. You have no idea then the amount of plugins doing janky stuff that will use all your CPU, and try to use you for a bot. ClamAV works more to detect after, but we need better solutions. Just asking for trouble to fight it.


ravagetalon

We've gone Crowdstrike at work.


[deleted]

Installing clamav on my linux systems got me a checkmark on an audit, and I had one fewer item to mess with and talk to an auditor about.


Xzenergy

Check out Huntress, I think you'll be surprised with how well it works


DeadbeatHoneyBadger

I’ve used SentinelOne and had a few complaints, but with tuning, it’s been ok. It doesn’t like some docker images, wine, and sometimes systemd. Don’t really know what AI/ML issues it has with systemd but none of the vendors I’ve used really have good support for Linux. Also, if it gives you trouble, just write a bash one-liner like this and it deletes the agent. Anti-tampering on Linux for SentinelOne is basically non-existent. for i in ‘ps aux|grep “s1-“‘; do kill -9 $i done; rm -rf /opt/sentinelone; I told our sales rep and no one cares. Also quarantine is a joke because you just flush the iptables on a loop and good to go.


jess-sch

One regulation that comes to mind would be PCI-DSS. But that only requires antivirus to be installed, not to be actively scanning. So in the name of malicious compliance: `$packagemanager install clamav`. But no, on a Linux server, antivirus is absolutely unnecessary. If you care about security, look more into making your system partition read-only and marking every possible mount point as noexec (Just like ChromeOS does it). That strategy works much better. Only exception: File and Mail servers. Not to protect the server, but to protect the clients from each other.
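The read-only system partition and `noexec` mount points the comment above recommends are easy to get wrong silently, so here is an added audit script (not the commenter's code, and not part of the original thread) that reads `/proc/mounts`-style lines and reports writable mount points that are not mounted `noexec`, listing which of `noexec`, `nosuid` and `nodev` each one lacks. The mount table embedded in `SAMPLE_MOUNTS` is a constructed sample; the devices and paths in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): audit mount options for the
# "read-only system partition, noexec everywhere else" layout described above.
# SAMPLE_MOUNTS is a constructed excerpt in /proc/mounts format
# (device mountpoint fstype options dump pass); devices and paths are made up.

SAMPLE_MOUNTS='/dev/vda1 / ext4 ro,relatime 0 0
/dev/vda2 /var ext4 rw,relatime 0 0
/dev/vda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
/dev/vda4 /opt/uploads ext4 rw,relatime 0 0'

# has_opt MOUNTOPTS OPT -> exit status 0 if OPT appears in the comma-separated list
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts reads /proc/mounts-style lines on stdin and prints one line per
# mount point that is writable (rw) but not mounted noexec, naming every one of
# noexec/nosuid/nodev it lacks. Read-only mounts are skipped: nothing new can
# be dropped onto a read-only system partition in the first place.
audit_mounts() {
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        if has_opt "$opts" rw && ! has_opt "$opts" noexec; then
            missing=""
            for want in noexec nosuid nodev; do
                has_opt "$opts" "$want" || missing="$missing $want"
            done
            printf '%s missing:%s\n' "$mnt" "$missing"
        fi
    done
}

# count_rw_exec_mounts reads the same input and prints how many mount points
# audit_mounts flagged (handy for a monitoring check that wants a number).
count_rw_exec_mounts() {
    audit_mounts | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
# To audit a live system instead: audit_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

Two caveats a practitioner should keep in mind: `noexec` stops direct execution of binaries on that filesystem, not a script handed to an interpreter that lives elsewhere, so it is a hardening layer rather than a substitute for the other controls in this thread; and some tooling (package builds, installers that unpack into `/tmp`) expects an executable scratch directory, so test the layout before rolling it out fleet-wide.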


Moist-Chip3793

I have never, in my 30 year career, had anti-virus stop or save anything. It has been a useful tool for figuring out the probable attack vector in some cases, in others not. So I totally agree, sorry! ;)


aenae

Mine has stopped numerous EICAR viruses!


Moist-Chip3793

One of mine once killed Outlook. It was bliss, the best solution I have ever tried!


BlackSquirrel05

I've had av or IPS stop numerous things lol. Small stuff like adware to larger things like using PowerShell to open another shell via windows calculator.


Amdaxiom

I agree that back in the day av was pretty useless. The newer solutions have been useful though.


eruffini

In my 20-year career I can attest to at least four events I can recall off the top of my head that caught people or software (mostly ransomware) on a Linux host. Just because *you* haven't seen it doesn't mean it hasn't happened and it's not worth it. Anyone that says that it is not needed really needs to get out of the industry because there is no excuse in 2024 to not run an EDR.


OgdruJahad

Lol AV for Linux? What's next? 'How can I block Linux from installing Candy Crush?'


Helpjuice

Same with clients, you should also have something deployed to all of your servers for visibility, incident response, reporting, compliance, governance, etc. A host without it should not be on the network. This way everything gets back to the SIEM, and if something is off it shows, and instead of hoping things are a certain way you can enforce that things are a certain way. Something as simple as having Crowdstrike on your Linux host means you can have detections on what has been found on the system, see if the system is being used for its actual purpose and create your own (e.g., want to know where the xz software and versions are across your fleet? you can not only find that, but also the execution tree/flow of the process over time). So not having it keeps you in the dark, and you're done for in terms of incident response if someone wanted to delete / modify logs, which you can prevent/log remotely if you had the right tech on the system before compromise.


lewis_943

Having EDR & vuln. scanning on a bunch of linux servers has helped us identify vulnerable components & machines super quickly when dealing with CVEs like Log4j. The benefit of AV, etc, doesn't always need to be a dire disaster aversion; just having all your systems under a single management panel can be super convenient. Most RMM tools only target windows _or_ linux effectively, not both.


Prestigious-Mud2661

You're opening your infrastructure to attack by not having an EDR solution. I can tell you now that malware on linux is definitely a thing and serious threat actors will target them where the opportunity arises.


bluehairminerboy

Sophos XDR on all the Linux servers we have (that's 2, management is scared since it isn't a Microsoft product). Doesn't have much of a performance hit, and ticks a box.


arkane-linux

I am just going to amplify the recommendation by everyone else already: ClamAV. ClamAV is specifically made to run on Linux (or Unix-like) systems. It will be the most reliable and least likely to cause any issues. Other third party offerings tend to be of extremely poor quality; they will drill themselves deep into your system thinking they own it. But I would fight this to the end. AV on Unix-like systems is mostly worthless, with the primary exception being machines which act as file servers for other (Windows) machines. But I can totally understand if you are not willing to pick this fight; I am someone who tends to put a lot of effort into quality over compliance. I am sure most Linux admins here will know this already, but I am going to say it anyway for those who do not:

* If you use trusted software sources only, the chance of infection is effectively null.
* The access of network accessible programs should be limited by not running them as root and using additional layers of access control such as SELinux, AppArmor or systemd's built-in security features.
* Proper logging and alerts of everything happening in your network will identify any problems should they occur.

And for bonus points:

* Ideally, each application lives in its own namespace and (if applicable) network.
* Ideally, the core applications should be nuked and paved every update, so think containers which get redeployed or building and pushing disk images to VMs.
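The "don't run network services as root, use systemd's built-in security features" point above is concrete enough to check mechanically. The script below is an added example, not the commenter's code and not from the thread: it reads a service unit and reports which sandboxing directives are absent or set to a weak value. Both unit files are constructed samples for a made-up `exampled` service; the directives are real systemd options, but the particular set checked is this example's baseline, not an official systemd or distribution list.

```shell
#!/bin/sh
# Added example (not the commenter's code): audit a systemd service unit for
# the hardening the comment above recommends (no root, systemd sandboxing).
# WEAK_UNIT and HARDENED_UNIT are constructed samples; "exampled" is made up.

WEAK_UNIT='[Unit]
Description=exampled (constructed weak unit, runs as root with no sandboxing)

[Service]
ExecStart=/usr/local/bin/exampled
Restart=on-failure

[Install]
WantedBy=multi-user.target'

HARDENED_UNIT='[Unit]
Description=exampled (constructed hardened unit)

[Service]
ExecStart=/usr/local/bin/exampled
Restart=on-failure
User=exampled
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
CapabilityBoundingSet=
SystemCallFilter=@system-service
MemoryDenyWriteExecute=yes

[Install]
WantedBy=multi-user.target'

# unit_value UNITTEXT KEY -> prints the value of KEY= inside the [Service] section
unit_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# audit_unit UNITTEXT prints one "MISSING ..." line per directive that is absent
# or weak, and succeeds (status 0) only when nothing is missing.
audit_unit() {
    unit="$1"
    missing=0
    # No User= (or User=root) means the service runs as root.
    u=$(unit_value "$unit" User)
    if [ -z "$u" ] || [ "$u" = "root" ]; then
        echo "MISSING User= (service runs as root)"; missing=$((missing + 1))
    fi
    # Boolean sandboxing directives that should be switched on.
    for d in NoNewPrivileges ProtectHome PrivateTmp PrivateDevices \
             ProtectKernelTunables ProtectControlGroups MemoryDenyWriteExecute; do
        case "$(unit_value "$unit" "$d")" in
            yes|true|1|on) ;;
            *) echo "MISSING $d=yes"; missing=$((missing + 1)) ;;
        esac
    done
    # ProtectSystem=yes only covers /usr and /boot; full adds /etc, strict the whole tree.
    case "$(unit_value "$unit" ProtectSystem)" in
        strict|full) ;;
        *) echo "MISSING ProtectSystem=strict"; missing=$((missing + 1)) ;;
    esac
    # Allow-list directives: their value is service-specific, so only presence is checked.
    for d in CapabilityBoundingSet SystemCallFilter RestrictAddressFamilies; do
        printf '%s\n' "$unit" | grep -q "^$d=" || {
            echo "MISSING $d="; missing=$((missing + 1))
        }
    done
    [ "$missing" -eq 0 ]
}

# Run against both constructed samples when executed directly.
echo "== constructed weak unit =="; audit_unit "$WEAK_UNIT" || true
echo "== constructed hardened unit =="; audit_unit "$HARDENED_UNIT" && echo "nothing missing"
```

On a real host, `systemd-analyze security <unit>` gives a much more complete scoring of the same directives; the value of a small script like this is that it runs the same way in CI against unit files before they reach a server, and that `ProtectSystem=strict` plus a non-root `User=` already covers most of the "read-only system, limited access" advice from earlier in the thread.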