Antivirus

Table of Contents

Antivirus ...... 2

Rootkits ...... 3

Rkhunter ...... 4

Chkrootkit ...... 6

Antivirus Applications -1 ...... 7

Antivirus Applications -2 ...... 8

Antivirus Advantages and Disadvantages ...... 9

Notices ...... 10

Page 1 of 10 Antivirus

Antivirus

Even though Linux systems have generally been immune to a variety of viruses, worms, and trojan horses, there are reasons why antivirus and anti- applications should be installed.

• Running a mail server – attachments could contain viruses.
• File shares could contain malware.
• Linux systems do get their fair share of shell scripts and that should be identified and removed.


**095 So now we'll talk about antivirus.

So even though Linux systems have generally been immune to varieties, there are some worms and Trojan horses. But we're looking more-- think of it from the standpoint of not so much looking for Linux viruses; but if you're a Linux server that's serving as a file share to Windows boxes, or maybe a webserver or an server, you're still processing Windows type files; and those files can still have viruses on them. So you could still stop viruses from getting to your Windows machines and using your Linux box as a delivery mechanism.

So that's what we're looking at when we're talking about antivirus, more so on the Linux side: catching the ones destined for other operating systems; because you're running a file share or a mail server or a Windows server or a webserver.

Rootkits


The most dangerous type of threat to Linux, as discussed previously, is rootkits. There are two dedicated packages that monitor and check for the existence of rootkits on a system.

• Rkhunter
• Chkrootkit


**096 The actual most dangerous things are the rootkits.

So OSSEC has a checker in it. These are two standalone rootkit checkers. They're not very sophisticated, like a normal antivirus program would be.


Rkhunter

Stands for Rootkit Hunter

Compares SHA-1 hashes of important files with known good ones in an online database

Designed to scan a system, search for traces of rootkits, identify them, and either warn about them or remove them if found

Does a great job of searching a system for rootkits
• There are some false positives that appear from time to time. It is best to have an additional sanity check from another package such as AIDE, OSSEC, or to see if the files that are reported as possible rootkits have been modified.


**097 The first one is Rkhunter; it stands for Rootkit Hunter. So it compares the SHA-1 hashes of important files with known good ones in an online database.

So what it has is it has a small database that contains the signatures for the few rootkits that are out there right now; I guess for the 222-- I think that's the number I said on another slide.

So for those- for those files- for those rootkits which are known rootkits and they have a specific signature, it'll do that check against your files for that signature.

It doesn't run as a service. It has to be run in a cron job also. It's just very basic; it basically performs a very targeted file integrity check, much like AIDE does.

So when you first start up the system, you have a baseline. You run Rkhunter and it does its own database. It's kind of the original file check: the files that these rootkits usually hide in. And then when you run it again, it'll go see if it matches any of these signatures. So you can schedule it to run weekly, daily, monthly.

And since there aren't that many Rootkit Hunters, it's also not updated that often. So you have to also manually tell it to go update and go check for updates off the internet.

It's a very small program; very straightforward.
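The baseline-then-compare cycle described for Rkhunter above, as an added example written for this page rather than code from rkhunter or the course: the integrity check is done by hand with sha1sum so the mechanics are visible, and the script then shows the rkhunter options a cron job would use. The watched paths, the baseline location and the crontab line are constructed assumptions.

```shell
#!/bin/sh
# Added example (written for this page, not rkhunter's code): the targeted
# file-integrity check the slide compares rkhunter to, done by hand so the
# baseline-then-compare cycle is visible, followed by the rkhunter invocation a
# cron job would use. Assumptions: sha1sum (coreutils) or shasum is installed;
# WATCH_PATHS and BASELINE are constructed defaults to be tuned per host.

WATCH_PATHS="${WATCH_PATHS:-/bin/ls /bin/ps /bin/login /usr/bin/ssh /sbin/ifconfig}"
BASELINE="${BASELINE:-/var/lib/integrity/baseline.sha1}"

# Both tools print "<hex sha1>  <path>"; pick whichever is on PATH.
sha1_tool() {
    if command -v sha1sum >/dev/null 2>&1; then echo sha1sum; else echo "shasum -a 1"; fi
}

# Hash every existing file named in $1 (space-separated) and emit sorted
# "<hash>  <path>" lines; sorted output makes two baselines diff-able.
make_baseline() {
    tool=$(sha1_tool)
    for p in $1; do
        [ -f "$p" ] && $tool "$p"
    done | sort -k 2
}

# Recompute each baseline entry ($1 = baseline file). Prints one line per
# MODIFIED or MISSING path; returns 0 when everything still matches, 1 otherwise.
compare_baseline() {
    tool=$(sha1_tool)
    findings=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            findings=$((findings + 1))
            continue
        fi
        actual=$($tool "$path" | cut -d ' ' -f 1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $path"
            findings=$((findings + 1))
        fi
    done < "$1"
    [ "$findings" -eq 0 ]
}

# Intended to run from cron, e.g. (constructed crontab line):
#   0 3 * * * /usr/local/sbin/integrity-check.sh run >> /var/log/integrity.log 2>&1
# The first run records the baseline; later runs compare against it, then hand
# off to rkhunter: refresh its data files, then check non-interactively and
# print only warnings (the options normally used from cron).
scheduled_run() {
    if [ ! -s "$BASELINE" ]; then
        mkdir -p "$(dirname "$BASELINE")"
        make_baseline "$WATCH_PATHS" > "$BASELINE"
        echo "baseline written to $BASELINE; re-run to compare"
        return 0
    fi
    compare_baseline "$BASELINE" || echo "INTEGRITY FINDINGS on $(hostname) at $(date)"
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --update --nocolors
        rkhunter --check --cronjob --report-warnings-only --nocolors
    fi
}

if [ "${1:-}" = "run" ]; then
    scheduled_run
fi
```

The false positives the slide warns about mostly come from legitimate package updates changing files that are in the baseline. After patching, regenerate your own baseline (delete it and re-run) and tell rkhunter to refresh its stored file properties with `rkhunter --propupd`; otherwise the next scheduled run reports every updated binary as suspicious.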


Chkrootkit

Stands for Check Rootkit

Checks for the presence of a rootkit within a system
• Shell script using common tools like strings and commands to search for signatures and look for discrepancies
• Can be used from a “rescue disk” or an alternative directory to run all of its own commands.
  — This allows chkrootkit to trust the commands upon which it depends a bit more.

Chkrootkit and Rkhunter are very easy to install and require no maintenance except for updates, which can be run through a script in a cron job.


**098 The other one is Check Rootkit; it performs basically the same kind of function. This one uses a shell script with common tools like strings and grep to search for signatures and look for discrepancies.

Kind of just two different ways of doing it. So one's doing an integrity check; this one's using strings and grep commands. So we have two different avenues, two ways of looking at files. So strings goes and looks for strings inside a binary file, and looks for strings that would be common to these rootkits.

Both of these need to be run through a cron job; as I mentioned already.
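The strings-and-grep approach Chkrootkit uses, as an added example written for this page (not chkrootkit's own script): a minimal scanner that extracts printable strings from binaries and matches them against a signature list, followed by a wrapper that runs the real chkrootkit from a trusted command directory, which is what the slide's "alternative directory" point is about. The signature strings, the /opt/clean-bin path and the crontab line are constructed.

```shell
#!/bin/sh
# Added example (written for this page, not chkrootkit's own script): the
# "strings and grep" signature approach from the slide, reduced to a scanner
# that looks for known-bad printable strings inside binaries, plus a wrapper
# that runs the real chkrootkit with a trusted command directory. The
# signature strings, /opt/clean-bin and the cron line are constructed.

SIGNATURES="${SIGNATURES:-/etc/sigscan/strings.lst}"

# Constructed placeholder signatures, one printable string per line. A real
# list is built from strings observed in actual rootkit components.
default_signatures() {
    cat <<'EOF'
__hide_proc_from_ps
/dev/.hidden-rk
LD_PRELOAD_BACKDOOR
EOF
}

# Poor man's strings(1): turn every run of non-printable bytes into a newline
# so each printable run sits on its own line. Works without binutils installed.
printable_strings() {
    tr -cs '[:print:]' '\n' < "$1"
}

# Scan one file against the signature list ($2). Prints "HIT <file> <sig>" for
# each match. Returns 0 when the file is clean, 1 when something matched.
scan_file() {
    f="$1"; sigs="$2"; dirty=0
    [ -r "$f" ] || { echo "SKIP $f (unreadable)" >&2; return 0; }
    while IFS= read -r sig; do
        [ -n "$sig" ] || continue
        # -F: fixed string, so '.' and '/' in signatures are not regex metacharacters.
        if printable_strings "$f" | grep -F -q -- "$sig"; then
            echo "HIT $f $sig"
            dirty=1
        fi
    done < "$sigs"
    return $dirty
}

# Walk a directory tree and print every HIT line.
scan_dir() {
    find "$1" -type f -print | while IFS= read -r f; do
        scan_file "$f" "$2" || true
    done
}

# Number of HIT lines for a tree; prints "0" when clean.
count_hits() {
    scan_dir "$1" "$2" | grep -c '^HIT ' || true
}

# chkrootkit shells out to ps, ls, netstat, strings and friends, and on a
# compromised host those may be trojaned. -p points it at a directory of
# known-good binaries (copied from install media or a read-only rescue disk);
# -q is quiet mode; -r <dir> would instead check a disk mounted under a rescue
# system rather than the running root.
run_chkrootkit_trusted() {
    cleanbin="${1:-/opt/clean-bin}"
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit not installed" >&2; return 2; }
    chkrootkit -q -p "$cleanbin"
}

# Cron usage (constructed crontab line):
#   30 3 * * * /usr/local/sbin/sigscan.sh /usr/bin >> /var/log/sigscan.log 2>&1
if [ -n "${1:-}" ]; then
    if [ ! -r "$SIGNATURES" ]; then
        SIGNATURES=$(mktemp)
        default_signatures > "$SIGNATURES"
    fi
    n=$(count_hits "$1" "$SIGNATURES")
    echo "$(date) $(hostname) $1: $n signature hit(s)"
    run_chkrootkit_trusted
fi
```

Copy the clean binaries from install media or a read-only rescue disk, never from the host being checked. Both this scanner and chkrootkit only see what the running kernel shows them, so a kernel-level rootkit that hides files or processes can still evade a live scan; checking the disk from a rescue system (chkrootkit -r on the mounted root) is the stronger check.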


Antivirus Applications -1

There are only a handful of antivirus applications for Linux.

• ClamAV
• McAfee
• BitDefender
• AVG

If a file share is in use or there is any possibility that external content could come in contact with your Linux system, it is a good idea to have an installed.


**099 So here are some of the antivirus applications. It's not the same kind of industry as we see out in the Windows world. You really want to focus on these if you're using file shares, webservers, mail.


Antivirus Applications -2

Most “free” antivirus solutions such as ClamAV are great to have on a system; however, they must be run manually or with a cron job to scan the system.

Most commercial products such as Sophos or McAfee have “always on”, real-time scanning engines that are always scanning new content that is brought onto the system.

If a system is compromised or malware finds its way onto a system, a once-a-day scan may not be enough to remove the virus in time to minimize damage. However, “always on”, real-time scanners can degrade the performance of a system.


**100 Most of the free ones, such as ClamAV, are great to have on a system; but they must be run manually or with a cron job to scan the system. They're not like a real-time agent.

Some of the commercial ones do have real-time agents; but you've also got to weigh the consequences with the load it puts on your system. Because if you're processing a lot of files, that's a lot of extra processing power to analyze all those files.

So one of the key takeaways here is the commercial ones will have real-time scanning agents; while the free ones, you're going to have to schedule them, much like AIDE does for file integrity checking: you'll have to schedule the scan to run every so often. Which is a reactive measure still; because if it's already on there it might be a little too late. But at least you've identified it.

Antivirus Advantages and Disadvantages


Advantages for using antivirus
• Ensures that a system, while mainly immune to viruses, is clean from any malicious content
• Provides a sanity check that the system has not been compromised

Disadvantages for using antivirus
• Additional overhead added to a system that might affect system performance
• False positives might keep an administrator from using the applications


**101 So advantages for using antivirus: Ensures that a system, while mainly immune to viruses, is clean from any malicious content. So we're not looking at the system, we're looking at the content it's providing. And provides a sanity check that the system has not been compromised.

Disadvantages are the additional overhead; false positives; and then maintenance, since you're going to have to--we're not talking about a centrally reporting engine either, unless you take the outputs from the log and save them to a common place over an NFS share or something to that effect.
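The scheduled-scan model described for free scanners such as ClamAV (slide 100), together with the log-collection idea from the transcript just above, as an added example written for this page (not ClamAV's own tooling): a cron job that updates signatures, scans the shares, interprets clamscan's exit code, and appends one record per run to a directory shared over NFS so many hosts can be reviewed in one place. The scan roots, quarantine and report paths, the crontab line and the sample summary text are constructed.

```shell
#!/bin/sh
# Added example (written for this page, not ClamAV tooling): a cron-driven scan
# in the scheduled model the slide describes for free scanners, plus a one-line
# result record pushed to a shared directory so many hosts can be reviewed in one
# place (the transcript's "common place over an NFS share"). SCAN_ROOTS,
# QUARANTINE, REPORT_DIR and SAMPLE_SUMMARY are constructed for illustration.

SCAN_ROOTS="${SCAN_ROOTS:-/srv/samba /var/spool/mail /var/www}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
REPORT_DIR="${REPORT_DIR:-/srv/avreports}"   # e.g. an NFS export mounted on every host

# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found,
# 2 = an error occurred (bad path, engine or database problem).
interpret_exit() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown($1)" ;;
    esac
}

# Pull the counts out of the "SCAN SUMMARY" block clamscan prints at the end
# of every run. Output: "<scanned> <infected>", zeros if the block is absent.
parse_summary() {
    scanned=$(printf '%s\n' "$1" | sed -n 's/^Scanned files: *\([0-9]*\).*/\1/p')
    infected=$(printf '%s\n' "$1" | sed -n 's/^Infected files: *\([0-9]*\).*/\1/p')
    echo "${scanned:-0} ${infected:-0}"
}

# One tab-separated record per run: timestamp, host, status, scanned, infected.
# Arguments: $1 host, $2 status, $3 scanned, $4 infected, $5 timestamp.
report_line() {
    printf '%s\t%s\t%s\t%s\t%s\n' "$5" "$1" "$2" "$3" "$4"
}

# Constructed sample of the tail of a clamscan run (detection name invented),
# used to exercise the parser offline; real output has the same summary block.
SAMPLE_SUMMARY='/srv/samba/public/invoice.pdf.exe: Example.Test.Signature-1 FOUND

----------- SCAN SUMMARY -----------
Scanned directories: 12
Scanned files: 348
Infected files: 1
Data scanned: 41.20 MB
Time: 3.512 sec (0 m 3 s)'

# Offline walk-through of the record pipeline on the constructed sample.
demo_offline() {
    set -- $(parse_summary "$SAMPLE_SUMMARY")
    report_line demo-host "$(interpret_exit 1)" "$1" "$2" 2014-01-01T03:00:00Z
}

# Intended for cron (constructed crontab line):
#   15 2 * * * /usr/local/sbin/nightly-clamscan.sh run >> /var/log/clamscan-cron.log 2>&1
scheduled_scan() {
    mkdir -p "$QUARANTINE"
    freshclam --quiet || echo "freshclam failed; scanning with the current database" >&2
    rc=0
    # -r recurse, -i print only infected files, --move quarantines what is found.
    out=$(clamscan -r -i --move="$QUARANTINE" $SCAN_ROOTS 2>&1) || rc=$?
    status=$(interpret_exit "$rc")
    set -- $(parse_summary "$out")
    line=$(report_line "$(hostname)" "$status" "$1" "$2" "$(date -u +%Y-%m-%dT%H:%M:%SZ)")
    echo "$line"
    # Per-host file on the shared export; listing the directory then shows every
    # host's runs without a central management engine.
    if [ -d "$REPORT_DIR" ]; then
        echo "$line" >> "$REPORT_DIR/$(hostname).tsv"
    fi
    [ "$rc" -ne 2 ]   # an engine or config error fails the job so cron mails it
}

if [ "${1:-}" = "run" ]; then
    scheduled_scan
fi
```

Confirm the detection path end to end with the EICAR test file before trusting the nightly record. Newer ClamAV releases also ship clamonacc for on-access scanning through clamd, so the free-versus-commercial split on the slide is less sharp than it was; the scheduled model above remains the usual baseline.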

Notices


© 2014 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected]. This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.

