Ask HN: Is it common to run anti-malware on production linux boxes?
7 points by itguy82394823 on Nov 24, 2015 | 7 comments
A few enterprise customers have started asking / requiring anti-malware on all "computing devices" and periodic scanning.

I haven't encountered the idea of anti-malware on e.g. Ubuntu before, and this seems like an absurd idea. However, it could just be my inexperience showing, so - is anti-malware a common practice? What are the industry-standard products for anti-malware? Is the footprint ever a concern?



Yes, this is a silly upstairs corporate requirement on the part of your enterprise customers. Slap ClamAV (http://www.clamav.net/) on it and call it good.

One place where this sort of thing can be useful is when running a file or mail server to help stop you from spreading malware to users, but to do it as a way to prevent infection on the box itself? Worthless.


I agree. But on development boxes in mixed Linux/Windows/OSX environments, it's prudent.


Having done some sysadmin for unix/linux, I haven't run into too many anti-malware programs for unix/linux or actual uses for them.

Kernel/userland hardening is a thing, however, and is arguably more effective.


> Kernel/userland hardening is a thing

[forgive me if I misunderstood the topic] If you're running a server, then you really should keep the Web side of things in an even more restricted zone than normal Users. I create extremely limited accounts for each domain or large App being hosted. Each such account can access only those resources it's supposed to be able to.


> [forgive me if I misunderstood the topic]

You didn't misunderstand at all! When I stated that, I meant two different things:

- Kernel hardening

Kernel hardening is when you take the kernel and add patches/configure it to be more secure, like grsecurity.

- Userland hardening

This is when you do exactly what you're talking about: you restrict what the userland can do and configure userland programs to be more secure (i.e. turning off insecure Apache options). This could also mean jailing or containerizing them.


Ten years ago, I ran an email antivirus on a Linux box. Not for linux users (only root), and neither for the MacOSX users on the LAN, but for the people external to the organization who were sending MS-Word documents full of malware, that were forwarded back to them. Internally the viruses were ineffective, but it affected external correspondents, so we filtered them.

Nowadays, there is some MacOSX and Linux malware, so it could be useful, if you are a high visibility potential target, to have such filters.


I run fail2ban on anything that can be reached from the Internet. I would most likely run virus software if I ran mail servers or some kind of public file hosting, but I don't.



