Monday May 14, 2007

Anti virus software for Solaris? What are they thinking?

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the definitions file should not be older than 14 days.
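
As an added illustration (not part of the original post or of the STIG itself), the following POSIX shell script implements the two conditions the check describes: an active crontab entry that runs the scanner weekly, and a definitions file modified within the last 14 days. The scanner name `uvscan`, the DAT file names and the crontab lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed check logic for GEN006640; not DISA's script.
# Assumptions: the scanner binary is named "uvscan" and the definitions
# file is a McAfee-style *.dat file whose mtime reflects the last update.

# Return 0 if CRONTAB has an active (non-comment) entry that runs SCANNER
# weekly: day-of-month and month are '*' and day-of-week is one day (0-7).
weekly_scan_entry() {
    crontab="$1"; scanner="$2"
    awk -v s="$scanner" '
        /^[[:space:]]*#/ || NF < 6 { next }
        $3 == "*" && $4 == "*" && $5 ~ /^[0-7]$/ && index($0, s) > 0 { found = 1 }
        END { exit(found ? 0 : 1) }' "$crontab"
}

# Return 0 if FILE exists and was modified within MAXDAYS days, else 1.
definitions_current() {
    file="$1"; maxdays="$2"
    [ -f "$file" ] || return 1
    # find prints the path only when the file is older than MAXDAYS days
    [ -z "$(find "$file" -mtime +"$maxdays" 2>/dev/null)" ]
}

# Combined verdict for one host: 0 = compliant, 1 = finding.
gen006640_check() {
    weekly_scan_entry "$1" "$2" && definitions_current "$3" 14
}

# Constructed sample data so the script runs offline.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/crontab" <<'EOF'
# weekly scan, Sunday 02:00 (constructed entry)
0 2 * * 0 /opt/mcafee/uvscan --secure / >> /var/log/uvscan.log 2>&1
# unrelated daily job
15 3 * * * /usr/lib/fs/nfs/nfsfind
EOF
    : > "$tmp/avvscan.dat"                                      # fresh DAT
    : > "$tmp/stale.dat"; touch -t 200703010000 "$tmp/stale.dat" # 2007-era DAT
    if gen006640_check "$tmp/crontab" uvscan "$tmp/avvscan.dat"; then echo "compliant"; fi
    if ! gen006640_check "$tmp/crontab" uvscan "$tmp/stale.dat"; then echo "finding: stale definitions"; fi
    rm -rf "$tmp"
}
```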

I have been researching the offerings of major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of

  • TrendMicro
    • No host-based anti-virus software for Solaris (either platform)
  • Symantec
    • No host-based anti-virus software for Solaris (either platform)
  • McAfee
    • Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
  • F-Prot
    • Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
  • CA
    • Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
  • Central Command
    • Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
  • Avast
    • Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  • Clam AV
    • Open source project.  Now owned by SourceFire.
    • Has binary build for Solaris on Sparc and X64 platforms at
  • CyberSoft
    • VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, i.e. there are really no damaging Solaris viruses.

  • McAfee
    • Two "malware" findings, each rated as low threat.  One requires that the telnet port be open, which most enterprises close.
  • Symantec
    • 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  • Trend Micro
    • 13 findings, most of which were vulnerabilities and DoS warnings, some of which were over 7 years old.
  • F-Prot
    • Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.

A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below, is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)
Chapter 8 of the NISPOM deals with Information System (IS) Security.
    8-103. The Information Systems Security Manager (ISSM) shall:
    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM.

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or, at best, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software including:

  • Signed binaries
  • Basic Audit and Reporting Tool (BART)
  • No stack execution
  • Mandatory Access Control (when Trusted Extensions are enabled)
  • Solaris Containers

A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.


Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).

