Need to install antivirus on RHEL

Hi, I need to install antivirus on RHEL.

Responses

Hi Mahesh,

You probably need to provide some more details.

Are you asking if there is an antivirus included with Red Hat? Or are you asking for recommendations for third-party antivirus products on Linux?

I have seen a lot of interest in Linux virus scanners of late, and suspect it may have something to do with PCI DSS 3.0 changes. Is anyone investigating them for that reason?

Ugh... All I can say is steer clear of McAfee: it's a PIG.

Mahesh Dhamecha,
clamav is in EPEL (EPEL clamav for RHEL 6 or EPEL clamav for RHEL 5). I have used it from the command line, but there is a GUI for it if one -really- must have one.
I do not know which version of RHEL you are using, 5 or 6.

If you activate the EPEL repo, then you can do a

yum install clamav clamav-db

Does the requirement you have for antivirus (perhaps from your customer, a larger organization, or a security entity) demand "real-time antivirus file protection" for things that are opened? Or are they looking for something that can be scheduled or run on demand by a user?

ClamAV does not do persistent scanning, but you can of course perform scheduled or on-demand scanning.

NOTE: in 2009, there was a poor review for clamav here. However, these statistics from 2010 might show some more positive stats for clamav. I'd recommend researching more.

Symantec has another option for Linux.

If you wanted to use EPEL...

  • Quote from the EPEL website:
    NOTE for RHN users.
    You need to also enable the 'optional' repository to use EPEL packages as they depend on packages in that repository. This can be done by enabling the RHEL optional subchannel for RHN-Classic. For certificate-based subscriptions see the Red Hat Subscription Management Guide.
  • End quote from the EPEL website.
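Since the EPEL package only gives you on-demand and scheduled scanning, here is an added example (not code from this thread) of a cron-friendly wrapper around clamscan. It assumes clamscan and freshclam from the EPEL clamav packages are installed, that /var/log/clamav exists, and that the directories in SCAN_DIRS are the ones you care about; the sample output at the bottom is constructed so the parsing helpers can be exercised without a scanner.

```shell
#!/bin/sh
# Added example: scheduled/on-demand ClamAV scan wrapper for RHEL.
# Assumptions: clamscan/freshclam installed from EPEL, LOG_DIR writable.
SCAN_DIRS="${SCAN_DIRS:-/home /tmp /var/www}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"

# clamscan exit codes per clamscan(1): 0 clean, 1 infected files found, 2 error.
# Turns the code into a word so cron mail and log lines are readable.
clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo unknown ;;
    esac
}

# Extracts the "Infected files: N" value from a clamscan summary on stdin
# (prints -1 when no summary is present, e.g. the scan aborted).
infected_count() {
    awk -F': ' '/^Infected files:/ { print $2; found=1 } END { if (!found) print -1 }'
}

# Lists the "<path>: <signature> FOUND" detection lines from clamscan output on stdin.
found_lines() {
    grep ' FOUND$'
}

# Refreshes signatures, scans recursively, logs to a timestamped file and
# prints a one-line status suitable for cron mail or a log collector.
run_scan() {
    stamp=$(date +%Y%m%d-%H%M%S)
    log="$LOG_DIR/scan-$stamp.log"
    freshclam --quiet
    clamscan -r -i --log="$log" $SCAN_DIRS   # -i: report only infected files
    rc=$?
    echo "$(date) status=$(clamscan_status "$rc") infected=$(infected_count < "$log") log=$log"
    return "$rc"
}

# Constructed sample of clamscan output (EICAR test file hit) for offline checks.
SAMPLE_OUTPUT='/tmp/eicar.com: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8596588
Scanned directories: 3
Scanned files: 42
Infected files: 1
Time: 15.000 sec (0 m 15 s)'

if [ "${1:-}" = run ]; then run_scan; fi
```

Invoke it as `scan.sh run` from a daily cron entry; a non-zero exit from run_scan is what you alert on.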

So if anyone does get the dreaded request to install a virus scanner on Linux, what real options are there?

ClamAV http://www.clamav.net/lang/en/
McAfee VirusScan Enterprise for Linux http://www.mcafee.com/au/products/virusscan-enterprise-for-linux.aspx
Symantec AntiVirus http://www.symantec.com/business/support/index?page=content&id=HOWTO17995
Trend Micro ServerProtect for Linux http://www.trendmicro.com/cloud-content/us/pdfs/business/datasheets/ds_serverprotect-linux.pdf

Found a fairly comprehensive (but old) list here:
https://www.linux.com/news/software/applications/8227-antivirus-solutions-for-linux

Is there an option Red Hat recommends customers use? Do they have any strategic partnerships with virus scanner vendors?

Most of my customers are given the dreaded mandate of this. I and others within my organization have spoken with numerous Red Hat people, not just sales, but Red Hat Principal Engineers who have happened to visit us directly (not just for that reason, of course) and others we contacted by other means. No direct recommendations. I posted a link to EPEL's clamav (previously in this discussion), and I've used it, and have seen mixed reviews, good and bad. I've seen Symantec used widely with one of my several larger customers. If Red Hat does have a recommendation besides placing clamav into EPEL, I'd really like to know about it as well.

The EPEL source I posted has the rpm version, and it seems to be about the same version as at clamav.net. If one is going to build it from source, the clamav.net source version is rather straightforward, but takes a bit. The rpm at EPEL seems to be quicker and perhaps easier to install on numerous systems if an rpm is desired.

Usually, the option is to install the enterprise-licensed software selected by your organization's Windows groups.

I could see that, mercifully we had other options.

Interestingly, the PCI DSS v3 standard doesn't specify a requirement for real time scanning.

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Section 5. Page 46.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

PCI ambiguity hasn't changed :)

Good references already noted here (ClamAV, etc.), but as I've just gone through review/selection for Linux AV myself I will throw in a few more that could be considered, depending on your actual use case/needs and requirements:
- Comodo Antivirus for Linux - AV and mail gateway we looked into for desktops; not sure about enterprise/server editions;
- ESET for Linux - they have Linux AV offerings for server, desktop and home endpoints, and after conferencing with them over several days, they are legitimately supporting their Linux offerings;
- Bitdefender has offerings as well, but given my experience with them on this, Linux is really not something they support and service worth a flip; I would not recommend looking into their Unices offerings across the board (just my opinion, but of course if you cross-check any of their forums you will find they haven't really provided much development or support on this since 2011).

John,

Can I ask what you ended up selecting, and how are you finding it?

I get the feeling I am about to go through a similar process!

Sure thing! The non-technical story here is that I really needed to do something AV-wise b/c my Linux devices have to plug into and out of clients' Windows environments about 90% of the time (I didn't want to be a virus carrier/cross-pollinate into them by being reckless and not scanning my Linux machines) + I just wanted to at least "feel" like I was being proactive for the inevitable Linux AV needs.

I decided on ESET, and admittedly a top 3 motivating factor here was simply that, at least in my opinion, ESET seems extremely dedicated and enthusiastic towards their Linux AV products and solutions and the Linux AV market at large. Initially, I was just going to install Bitdefender's Unices scanners, primarily b/c I already had significant licensing of it for Windows machines - it was just a familiarity thing. Not intending to knock Bitdefender here, but it was immediately, and abundantly, clear to me that Bitdefender was not investing much in their Unices products - the repos available still date back to 2010, they've made one blog post on their Unices product updates since 2011, and steady streams of end user complaints on forums (mine included!) as to the same issues/bugs found in 2010/2011 were still persisting here in 2014 - 3 years later still unfixed/unaddressed; scary.

My experience with ESET was completely the opposite (and again, this is just my own personal experience - other experiences might be quite different?) - highly active development in this area and highly responsive on any related questions; they just seem to me to be very seriously, or at the very least increasingly, vested in the Linux AV market (e.g., they recently discovered the Unix attack dubbed "Operation Windigo" and worked jointly with CERT and CERN analyzing and tracking this as an OpenSSH backdoor and credential stealer named Linux/Ebury). The ESET Linux offerings seem to me the more sophisticated from a development perspective right now, plus it is quite clear to me they are very serious about Linux AV - that level of current sophistication and commitment made ESET the clear-cut choice for what my own needs and requirements were. It also helped that ESET was already used on some of my Android mobile devices, so I get ESET covering all devices instead of mixing and matching (not opposed to doing that in most cases, but for AV I think it's a plus to use the same tool globally, as this should cut down on the "ESET found 'trojan x' on device A but Comodo missed it entirely on device B" type scenario, if that makes sense? - all devices are being compared to the same AV threat libraries).

With all that being said, I did punch the tires some with Comodo as well and think it to be a darned good product (in fact I may turn to this as a "go-to" free Linux AV application for stand-alone devices); it has mail gateway, on-access, on-demand and cloud-based scanning, and supports a broad range of 32/64-bit Linux distros/gateways. For a free tool they are definitely packing in a good deal of functionality.

ClamAV seems to be the most often deployed/popular Linux AV, but (personal opinion) I felt this was due mainly to the fact that there were little to no other alternatives in the market for Linux AV until the last few years. It is included in the openSUSE distribution and in Novell's SUSE Linux Enterprise products and is packaged in EPEL, so it is quite stable, but I decided not to use ClamAV frankly b/c I'm lazy - I didn't want to have to interact with it even though it does have a daemon you could use, and if you drop in the ClamTK GUI I admit it's a good tool, but my feeling here was that ClamAV was primarily focused on Windows viruses and its main purpose is integration with mail servers for attachment scanning. I was hoping to find something that accounted for both Windows as well as a clear dedication towards emerging Linux AV issues - I'm not saying ClamAV isn't paying attention, or won't be, to purely Linux AV issues, but I wanted to see what else was out there newly emerged in the market, so I kept looking.

For a more "technical, in-depth" review and to address the "how are you finding it" part, I do have a blog article on this I'm planning on drafting up over the weekend/posting the first of next week; so as not to commercialize myself here I'd be happy to distill a summary version of that article here (or is it bad form to just link the actual article?) once done, if interested? Happy to share! ESET was what I went with because I felt it is more aggressive in taking Linux AV seriously; they are committed to it and their products show that. Basically I feel like I have an application for now and an ongoing "Linux AV partner" for this emerging area.

Hey John,
Thanks for the extra info on antivirus, nice details.

Yikes! Looks like I was entirely too caffeinated in this reply; hadn't realized I went on as long as I did - hopefully useful.

Thanks for the detailed write up!

ESET wasn't even on my radar, but will definitely check it out.

Which product of theirs are you using specifically?

I purchased a few single desktop licenses for immediate use on a handful of mobile endpoints (laptops): ESET Linux Desktop, but am also in discussion with their sales team for licensing ESET File Security for Linux / BSD / Solaris.

John,

Thanks for the detailed explanation. Did you ever write the article? I'd be interested to see how the last few months have been.

Thanks.

Hi Lindsey et al. - I've gotten a basic ESET installation guide done: yumyum yellowdog update eset. There are some considerations to take related to SELinux which spawned another blog post: yumyum yellowdog update selinux, but installation and use are otherwise painless, and I am very pleased with the ESET choice for Linux antivirus (my own ease of use may lend itself from having prior exposure/experience with ESET, I will admit, but it is extremely intuitive to use even for the unfamiliar, imo).

I can expand the installation guide into more direct/detailed information if you prefer (and I'm still planning on getting one done for the Server version as well, although I should note that ESET says their Desktop vs. Server software is exactly the same protection, etc.; the only difference is that the Server version has a pretty cool remote management dashboard). Please do let me know if the above is of any help and/or what else you'd find useful and I will certainly do what I can to oblige - enjoy!

Hi John,

How has ESET been working for you since you installed? Is this on server or desktop?

Thanks

Would SCAP be a good solution here? https://fedorahosted.org/scap-security-guide/ Although not a virus checker, it's a security protocol that pulls together various security standards like STIG, CVE, CCE, CPE, OVAL, and XCCDF, against which your system can be scanned. The SCAP protocol was created by NIST. Red Hat are being slow to develop their own profiles, but NIST provide a set here: http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=438. There is a good background article here: http://www.admin-magazine.com/Articles/Checking-Compliance-with-OpenSCAP/

This is very interesting, definitely taking a deeper dive into this...

We're going to test openscap starting with a couple of our satellite servers to check some clients.

SCAP isn't a virus scanner and doesn't solve the same problem.

SCAP is good for auditing configuration and security compliance from a configuration best practices (SCAP profiles) point of view and to check if servers are drifting from 'known good' configuration or have outstanding updates etc.

AIDE (filesystem integrity monitoring) would be a much closer fit than SCAP scanning, but they still both don't provide the capability to identify known malware.

Let me know how you go with OpenSCAP on Satellite, Remmele. My memory is that it was a little tedious getting it up and running.

I will. We first heard of SCAP a while back from Vincent Passaro, who spoke of it in connection with some security distribution, and we are interested in it.

I've done some work setting up Satellite 5.6 and packages from the SCAP Security Guide (https://fedorahosted.org/scap-security-guide/). From the Satellite side, it was extremely simple, install the client tools (oscap scanner) and the satellite package, start scheduling scans.

The content side can be more challenging. The SSG group is very active building profiles and has a mailing list with some helpful folks who can help with profiles. As an aside, it's also the upstream project for the US DoD STIG (Security Technical Implementation Guides). That said, I used the SSG project to build a profile based on a fairly popular internet RHEL benchmark in an afternoon.

After that, it was figuring out how to distribute the content to the clients. I used both config files and RPMs; each has benefits and drawbacks, not sure if there's a clear recommendation there.

John

I am interested to know if the ESET product is supported on the zSeries platform. Can you assist in that regard?

Thanks
Tom

Does anyone have knowledge of System Center Endpoint Protection (SCEP) on RHEL?

SCEP is used as antivirus for Windows filesystems on Linux.
