Originally Published: Tuesday, 30 November 1999 Author: Quentin Cregan
Published to: Advanced Security Articles

Linux Virus Protection
November 30 - December 6

[ Courtesy of SecurityPortal ]

Linux Virus Protection, you say, isn't that redundant? Why, Linux itself is virus protection. A malicious program that seeks to infect system files is going to have very little success when invoked by a non-root user. So while our hearts are filled with great sorrow over the travails of our Windows friends who have had to do battle with Melissa, Chernobyl and ExploreZip, we have felt insulated from those threats ourselves. Those days are rapidly coming to an end: not because Linux is highly susceptible to viruses, but because the key to enterprise acceptance of Linux is its ability to integrate tightly with corporate standards, even if that means solving problems caused by other operating systems.

In this increasingly interconnected world, the indirect effects of problematic systems are felt by everyone. When the Melissa virus hit, sendmail on some Linux servers became overloaded with messages and had to be shut down. When ExploreZip exploded, some Linux servers running Samba had to contend with Windows clients deleting data files on shared volumes, which then had to be restored. In this sense, Linux is only immune to viruses if you unplug it from the network.

Beyond protecting Linux systems from the indirect effects of viruses, Linux servers in many enterprise networks should have anti-virus detection capabilities to detect and clean infected files moving through the network, files that may be missed by the anti-virus software running on other stations. As Linux is increasingly adopted in corporate environments, it must not act as a "Typhoid Mary" during a virus outbreak, obliviously storing and passing along a virus. As IT managers respond to the increasing number of virus incidents, many are implementing multiple layers of defense: anti-virus software at every point of entry into the network, using multiple signature files.

While it is theoretically possible to develop a native Linux virus, it is a difficult task. The program needs root access to do major damage, unlike Windows 9x, where any user can execute a virus that destroys the Master Boot Record and renders the system unusable. The way Linux isolates processes in memory also prevents a virus from executing at will. A virus author could attempt to create the conditions for infection by exploiting a buffer overflow: by spawning a child process from a compromised daemon running with root privileges, a virus could potentially gain access to system files and infect them. This is a very difficult piece of code to write, but the possibility merits more research as Linux gains in popularity. The bottom line is that since the first "native" Linux virus, Staog, was reported in the fall of 1996, you can count the number of new Linux viruses on your shop teacher's left hand. Linux can be considered to have a strong inherent immunity to viruses.

The virtual immunity that Linux has to viruses can and should be leveraged to build Linux anti-virus appliances. Not only should Linux Samba servers scan for infected files deposited by Windows clients, but a Linux-based anti-virus gateway can be used to scan and protect SMTP, FTP and Web traffic for entire networks. It seems natural that an operating system that cannot itself be compromised by a virus will be the ideal platform for providing enterprise anti-virus solutions.

There is a small but growing number of anti-virus solutions for the Linux market. There is one open source solution and two "freeware" solutions we are aware of:

AMaViS - A Mail Virus Scanner. This software uses other virus scanners as plug-ins to disinfect attachments traveling through sendmail; it is in effect an SMTP anti-virus gateway. This is an open source, GPL solution.

H+B EDV AntiVir/X - This scanner is only free for personal use.

Central Command - This is actually developed at Kaspersky Labs.

On the commercial side, Network Associates, Data Fellows and Sophos all have Linux versions of their virus scanners. Trend Micro is beta testing VirusWall, an example of an anti-virus gateway. We hope to see more products like this, and additional functionality added to some of the free solutions, such as AMaViS.
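As an added illustration (not part of the original article, and not AMaViS's own code), here is a minimal Python sketch of the gateway idea described above: every leaf MIME part passing through the mail relay is handed to a pluggable scanner, and infected parts are replaced with a notice before delivery, so the Linux relay does not store and pass along the payload. The scanner is a stand-in that only recognises the harmless EICAR test string; the sample message is constructed inline.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Callable, List, Optional, Tuple

# The EICAR test string: the industry-standard harmless detection test.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def signature_scanner(data: bytes) -> Optional[str]:
    """Stand-in for a plug-in scanner: returns a detection name, or None if clean.
    A real gateway would hand the bytes to an external engine here."""
    return "EICAR-Test-File" if EICAR in data else None


def scan_message(raw: bytes,
                 scanner: Callable[[bytes], Optional[str]] = signature_scanner
                 ) -> Tuple[EmailMessage, List[Tuple[str, str]]]:
    """Scan every leaf MIME part of a raw RFC 822 message.
    Infected parts are replaced by a plain-text notice so the rest of the
    mail stays deliverable. Returns (sanitised message, [(filename, detection)])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: List[Tuple[str, str]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no payload of their own
        payload = part.get_payload(decode=True)   # base64/quoted-printable undone
        if payload is None:
            continue
        hit = scanner(payload)
        if hit:
            name = part.get_filename() or "(inline body)"
            findings.append((name, hit))
            # clear_content() inside set_content drops the payload and its
            # Content-* headers; only the notice text is forwarded.
            part.set_content(f"[gateway] attachment {name!r} removed: {hit}\n")
    return msg, findings


def build_sample() -> bytes:
    """Constructed test message: a clean text body plus an EICAR attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "recipient@example.test"
    m["Subject"] = "invoice"
    m.set_content("Please see the attached file.\n")
    m.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                     filename="invoice.com")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, found = scan_message(build_sample())
    print(found)                          # [('invoice.com', 'EICAR-Test-File')]
    print(cleaned.as_string())
```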

Linux users have had the luxury of ignoring virus threats in the past. As Linux grows up and becomes an enterprise player, integration and interoperability are key issues, and we can remain in blissful ignorance no longer. Linux systems will increasingly serve as network file servers and need to provide integrated virus detection and repair. In some instances, IT managers migrating to Linux are forced to keep NT servers in service to provide functions like anti-virus scanning because of a dearth of Linux solutions. Linux advocates need to see the powerful role their chosen operating system can play in the AV market, even if it means making Microsoft-based desktops run all the more smoothly.
