[OpenIndiana-discuss] Anti-Virus strategy

Gary Gendel gary at genashor.com
Wed Dec 26 16:41:18 UTC 2012


Michelle,

The first thing I would do for performance is to limit your scans to
user home directories unless you're really paranoid.  Then you can use
one of the intrusion detectors to make sure none of the system files
were touched.  For me, validating that the system files haven't been
tampered with is much more critical. I was hit hard with a root-kit on a
SunOS machine back in the 80s and had no choice but to wipe everything
clean and reinstall since there was no clear way to determine what was
compromised.  The only good thing was that my firewall prevented the
root kit from getting the command/control connection to do whatever
nefarious work that was intended.

I've never had a successful attack since, but I still remember the
horror and pain that that caused.  If they didn't have a small bug in
their installation that caused a peculiar error message that I happened
to catch flying by during a boot, I would not have started the
investigation that finally uncovered it.  I happen to use aide and run
it nightly using the reference database stored on a read-only device for
added security.

The only downside is that after installing, updating, or removing a
package you have to take the time to "bless" the changes reported by
such a system.  On the plus side, it saved me a few times when I
accidentally overwrote things (one of those Oh-No! situations).  I could
easily generate a report of what was changed so I could pull back the
original files from backup.

Gary
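Gary's nightly aide run against a reference database kept on read-only media, reduced to its essentials as an added example (constructed for this thread; it is not aide itself and not anything posted on the list): a POSIX sh init/check/bless cycle over one tree, such as the home directories Gary suggests limiting scans to. It assumes GNU sha256sum on PATH (on OpenIndiana, /usr/gnu/bin, or swap in `digest -a sha256`); the tree and baseline paths are placeholders.

```shell
#!/bin/sh
# Minimal AIDE-style file integrity check (constructed example, not aide).
# Baseline line format: "<sha256> <path>". Assumes GNU sha256sum on PATH
# (on OpenIndiana: /usr/gnu/bin, or swap in `digest -a sha256`).

fim_snapshot() {   # fim_snapshot <tree>: sorted "<hash> <path>" lines on stdout
    find "$1" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

fim_init() {       # fim_init <tree> <baseline>: record the trusted state once
    fim_snapshot "$1" > "$2"
}

fim_check() {      # fim_check <tree> <baseline>: exit 0 = clean, 1 = report printed
    [ -w "$2" ] && echo "warning: baseline $2 is writable (keep it read-only)" >&2
    cur=$(mktemp) && fim_snapshot "$1" > "$cur"
    rep=$(mktemp)
    awk '
        { p = substr($0, length($1) + 2) }             # path may contain spaces
        FILENAME == ARGV[1] { base[p] = $1; next }     # first file: baseline
        { now[p] = $1 }                                # second file: current state
        END {
            for (p in base) if (!(p in now)) print "REMOVED " p
            for (p in now) if (!(p in base)) print "ADDED " p
            for (p in now) if ((p in base) && base[p] != now[p]) print "CHANGED " p
        }' "$2" "$cur" | LC_ALL=C sort > "$rep"
    cat "$rep"
    [ -s "$rep" ] && rc=1 || rc=0
    rm -f "$cur" "$rep"
    return $rc
}

fim_bless() {      # fim_bless <tree> <baseline>: accept reviewed changes (after a pkg update)
    if [ -e "$2" ] && [ ! -w "$2" ]; then
        echo "baseline $2 is read-only; remount it read-write before blessing" >&2
        return 2
    fi
    fim_snapshot "$1" > "$2"
}

# e.g. nightly cron (placeholder paths): 0 3 * * * /path/fim.sh check /export/home /media/ro/aide.db
case "${1:-}" in
    init|check|bless) "fim_$1" "$2" "$3" ;;
esac
```

The report lists only what differs, so after a package install you review the CHANGED/ADDED/REMOVED lines, remount the baseline medium read-write, and run bless; an unexpected line outside that window is the signal worth investigating.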

On 12/26/2012 11:13 AM, Michelle Knight wrote:
> Hi Folks,
>
> Up until now, I've been using Clam on a linux client to remotely scan my
> ZFS volumes overnight every few days; primarily as I don't know anything
> about running anti-virus directly on the OI box.
>
> However, the number of (especially small) files has been increasing so
> I'm facing installing and configuring an anti-virus scan on the OI box
> itself.
>
> I've done some search engine reading, but it is all at a higher level
> and I haven't been able to learn enough to put together a solid
> strategy.
>
> I don't really suffer viruses; thanks to some hard lessons learned in
> the past. However I'm human and something could still catch me a blind
> side some day, so another gate keeper won't hurt.
>
> Has anyone got any advice and links to instructions please?
>
> Many thanks,
>
> Michelle.
>