Anti virus software for Solaris? What are they thinking?

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the definitions file should not be older than 14 days.
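As an added illustration (not part of the original post, and not DISA's or McAfee's own tooling), the two conditions GEN006640 names can be turned into a self-check a Solaris administrator could run before an inspection: a weekly scanner job in the crontab and a definitions file not older than 14 days. It assumes the scanner command is called uvscan and that the signature set is a single file whose modification time reflects its age; the sample crontab and paths are constructed.

```shell
#!/bin/sh
# Added self-check mirroring GEN006640; not DISA's or McAfee's own tooling.
# Assumed (not stated in the STIG text): the scanner command is "uvscan" and
# the signature set is a single file whose modification time reflects its age.
SCANNER="${SCANNER:-uvscan}"
MAX_DEF_AGE_DAYS=14   # "definitions file should not be older than 14 days"

# has_weekly_scan CRONTAB_TEXT
# Succeeds if an active (uncommented) line runs $SCANNER on a weekly schedule:
# either "@weekly" or a day-of-week (5th) field that is not "*".
has_weekly_scan() {
    printf '%s\n' "$1" | awk -v s="$SCANNER" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        index($0, s) == 0 { next }                      # not a scanner job
        $1 == "@weekly" { found = 1; exit }
        NF >= 6 && $5 != "*" { found = 1; exit }        # day-of-week restricted
        END { exit found ? 0 : 1 }'
}

# defs_current DEFS_FILE
# Succeeds if the file exists and was modified within MAX_DEF_AGE_DAYS.
# find -mtime +N is POSIX, so no GNU stat/date is needed on Solaris.
defs_current() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -mtime +"$MAX_DEF_AGE_DAYS" 2>/dev/null)" ]
}

# check_gen006640 CRONTAB_TEXT DEFS_FILE
# Prints one PASS/FAIL line per condition; succeeds only if both pass.
check_gen006640() {
    rc=0
    if has_weekly_scan "$1"; then echo "PASS: weekly $SCANNER job found in crontab"
    else echo "FAIL: no weekly $SCANNER job in crontab"; rc=1; fi
    if defs_current "$2"; then echo "PASS: definitions newer than $MAX_DEF_AGE_DAYS days"
    else echo "FAIL: definitions missing or older than $MAX_DEF_AGE_DAYS days"; rc=1; fi
    return $rc
}

# Constructed sample crontab (paths are illustrative): a commented-out daily
# job plus a live Sunday 02:00 job.
SAMPLE_CRONTAB='# 0 3 * * * /opt/NAI/uvscan/uvscan / >/dev/null
0 2 * * 0 /opt/NAI/uvscan/uvscan / >>/var/log/uvscan.log 2>&1'

# Usage on a real host: sh av_check.sh "$(crontab -l)" /path/to/definitions.dat
if [ "$#" -eq 2 ]; then check_gen006640 "$1" "$2"; fi
```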

I have been researching the offerings of major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of blogs.sun.com.

  • TrendMicro
    • No host-based anti-virus software for Solaris (either platform)
  • Symantec
    • No host-based anti-virus software for Solaris (either platform)
  • McAfee
    • Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
  • F-Prot
    • Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
  • CA
    • Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
  • Central Command
    • Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
  • Avast
    • Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  • Clam AV Open source project.  Now owned by SourceFire.
    • Has binary build for Solaris on Sparc and X64 platforms at blastwave.org
  • CyberSoft
    • VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, i.e. there are really no damaging Solaris viruses.

  • McAfee
    • Two "malware" findings, each rated as low threat.  One requires that the telnet port be open, which most enterprises close.
  • Symantec
    • 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  • Trend Micro
    • 13 findings, most of which were vulnerabilities and DoS warnings, some of which were over 7 years old.
  • F-Prot
    • Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.

A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)

Chapter 8 of the NISPOM deals with Information System (IS) Security.

    8-103. The information Systems Security Manager (ISSM) shall:

    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.

    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM.

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or, at least, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software including:

  • Signed binaries
  • Basic Audit and Reporting Tool (BART)
  • No stack execution
  • Mandatory Access Control (when Trusted Extensions are enabled)
  • Solaris Containers

A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.

Comments:

Thank you for this post. I am in the same boat in my organization and I have to come up with a reason why its not needed and this is a tremendous help.

Any additional findings you have, please email me as soon as you can please. I would appreciate it very much.

Thanks in advance

Posted by Quentin Coles on November 17, 2011 at 09:09 AM EST #

I have a similar problem, except that I need to be able to virus scan files as they arrive at my application (they come in through a web service). Now McAfee runs on Solaris, but it is TOO slow to run the command-line version up for each file (as it has to load the virus signatures each time) and there's no streaming or daemon version !
Again, I have a problem with F-PROT and Clam (although BOTH do provide a daemon which I can stream files to and get them checked and they WORK), in that they are sourced from Iceland/Czech... I'm at a bit of a loss as to how I can come up with a suitable and timely solution (the users of the web service expect a quick response, they don't want to wait 2 minutes for McAfee to boot up each time). Also have a large volume of information coming in, so time is critical.
Any ideas?
Cheers.

Posted by Dom Campbell on December 08, 2011 at 04:22 AM EST #

Looks to me like if you've got a Solaris system, you're pretty much screwed. My managers are demanding anti-virus software on all machines including Solaris workstations; they want to see GUIs or some display that shows that there have been regular updates and to top it all off, I was never allowed to connect these machines to the internet to begin with. In all probability I'll have to scrap 'em, essentially because they are at such low-risk for infection that there is no commercially available software I can find that was designed to offer virus protection for them. See if you can figure that one out.

Any help MUCH appreciated...

Posted by guest on December 14, 2011 at 07:40 AM EST #

The only other reason for this requirement may be derived from the incidents where unix/linux systems are storehouses for windows malware. While the intent of a malware scanner is often to protect the host system, unix/linux systems can and are used to stage malware as a transfer point or jump off point to storage or file shares that are accessed by windows systems. some of the cli scanners you mentioned on there are capable of scanning for windows malware from non-windows systems.

For the Sev 1 are you able to supply a well supported POAM listing the mitigating factors precluding the need for the AV on Unix/Linux. Things like, isolated system, protected enclave, limited access or 1-way transfer, incompatible interaction with other systems, hardened permissions limiting execute rights?

Posted by guest on January 30, 2012 at 07:53 PM EST #

The only other reason I can think of is to detect windows viruses stored on Linux/Unix systems. In addition to protecting the host system, most AV is supposed to help prevent the spread of malware through its detections. Windows malware can be and are stored on non-windows systems as a way to infiltrate and stage the malware for distribution on storage and file shares accessible by Windows clients. Some of the CLI scanners you referenced can scan for windows malware despite them being for Unix or Linux.

Can you resolve a sev 1 with a POAM showing mitigating factors precluding the need for AV on your Unix/Linux system citing isolated system, protected enclave via IPS/UTM Firewall with malware detection, HTTP response scanning, limited access or 1-way transfer, restricted execute permissions on accounts, etc.

Posted by guest on January 30, 2012 at 07:59 PM EST #

Another scanner is Sophos - http://www.sophos.com/en-us/products/endpoint/endpoint-protection/components/anti-virus-protection/unix.aspx. We've used this to run scheduled scans of web pages

Posted by guest on May 08, 2012 at 01:19 PM EDT #

About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
