Does Linux really need Anti-Virus (other than hosted file scanning)

A large company is doing a review of our software before they will use the web software built by our start-up company. We are using Linux to host, which is properly secured and hardened.

The regulation of the security reviewer is that all computers and servers must have an anti-virus program. Obviously, telling them that Linux can't be infected by a virus won't work.

Is there a 3rd party security article or resource which could help us convince them to drop the requirement, or will we need to install ClamAV and make it burn some CPU once a day?


Solution 1:

Yes, it's certainly a reasonable request. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility.

You need to weigh the ramifications (annoyance factor, possible performance issues, maintenance overhead) of running AV with the value of this contract. If one company is listing AV as a requirement, it's likely that others will do the same in the future. If you're already running it, you'll be well-positioned to win their business.

Solution 2:

The likelihood of a Linux server being infected by a virus is very very low, not zero. If that is a concern for your auditor/client/whoever, then you should understand that and determine if their business is important to you. If their business is worth more than the CPU cycles and disk I/O that it will take to scan, then you should install the AV. If it is not, then you should explain this to your customer and ask them to bring their contract elsewhere.

It's not an unreasonable claim, especially if this server is hosting up files to Windows clients. By installing ClamAV (or whatever) you are protecting those Windows clients that connect to your server.
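What "install ClamAV and scan once a day" looks like in practice, as an added example that is not from the question or any of the answers: a small POSIX sh wrapper, driven from cron, that sweeps the directory served to Windows clients at low CPU and I/O priority, quarantines anything flagged, and maps clamscan's exit code to a status. SCAN_DIR, QUARANTINE, LOG and the cron schedule are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): nightly ClamAV sweep of the
# files a Linux host serves to Windows clients. All paths are assumptions.
SCAN_DIR="${SCAN_DIR:-/srv/share}"               # directory served to clients
QUARANTINE="${QUARANTINE:-/var/quarantine}"      # where flagged files are moved
LOG="${LOG:-/var/log/clamav/daily-scan.log}"     # clamscan's own log file

# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found, 2 = error.
scan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

run_scan() {
    mkdir -p "$QUARANTINE"
    rc=0
    # nice/ionice keep the scan from competing with the web service for CPU
    # and disk; --move takes hits out of the share instead of leaving them there.
    nice -n 19 ionice -c 3 clamscan --recursive --infected \
        --move="$QUARANTINE" --log="$LOG" "$SCAN_DIR" || rc=$?
    scan_status "$rc"
}

# Assumed crontab entry: refresh signatures, then scan at 03:00 every night.
#   0 3 * * * freshclam --quiet && /usr/local/sbin/daily-clamscan.sh --run
if [ "${1:-}" = "--run" ]; then
    status=$(run_scan)
    logger -t daily-clamscan "scan of $SCAN_DIR finished: $status"
    # Non-zero exit on "infected" or "error" so cron mails the result.
    [ "$status" = clean ]
fi
```

Because the script exits non-zero whenever the sweep was not clean, a scan error (for example, stale signatures) surfaces the same way an actual detection does rather than silently passing.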

Solution 3:

I think we need to put the term "virus" in context.

If you're talking about the self-replicating binaries that float around Windows networks then sure, the probability of Linux getting one of these is very very low.

If we're talking about the broader subject of malicious software, then Linux is anything but immune. Unpatched and poorly configured Linux servers are exploited all the time and turned into bot herders, or used for other nefarious purposes. To pretend that these threats don't exist is burying one's proverbial head in the sand.

I have never run antivirus software on a Linux server as I like to think that regular patching and sane configuration will protect my servers from 99.99% of threats. However, I'd certainly consider it in this case, provided the software was actually able to detect the kind of malicious software that affects Linux servers and wasn't a simple port of a Windows AV suite.