Linux Anti-Virus – Best Anti-Virus Solutions for Linux

anti-virus, linux

Over the last year we have tried to deploy antivirus software on production Linux servers. In most cases, after a few weeks under month-end loads, applications start running slowly or do not work as they should.

I have always questioned the reason for having antivirus on Linux, but it just seems to be a must-have item on the auditors' list. It is my understanding that the amount of Linux malware is small in comparison to Windows, which brings me to my question: why are Linux servers required to have antivirus in terms of SOX?

We have tried 2 different antivirus products and both deployments were rolled back on critical servers. Should we just put a compensating factor in place and forget about antivirus on Linux altogether?

Best Answer

The main reason to have anti-virus running on Linux servers is usually not to protect the server itself - but to protect the end users who use the services / files on the server. Think of the server as a potential virus carrier.

In order to protect the server itself you should be looking at proper firewalling and server hardening procedures, and packages like aide / tripwire and chkrootkit / rkhunter to detect compromises if they happen.

We use clamav on our fileservers, mailservers, and webservers. On the fileservers (by far the largest) we configured it to scan the modified files hourly, and do a full scan over the weekend on a monthly basis. Otherwise the default configuration has not caused a noticeable performance impact.
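One way to implement the hourly "modified files only" scan described in the answer, added here as an example and not taken from the answer's author. The paths, the marker-file approach and the choice of `clamdscan` options are assumptions; run it from cron as `script run`.

```shell
#!/bin/sh
# Added example: hourly incremental ClamAV scan driven by a timestamp marker.
# SCAN_ROOT, STATE_DIR and SCANNER are assumed values; adjust them to the host.
SCAN_ROOT="${SCAN_ROOT:-/srv/share}"
STATE_DIR="${STATE_DIR:-/var/lib/clamav-incremental}"
SCANNER="${SCANNER:-clamdscan --fdpass --infected --no-summary}"

# Print regular files under $1 modified since marker file $2
# (every file when the marker does not exist yet, i.e. on the first run).
list_changed() {
    if [ -f "$2" ]; then
        find "$1" -xdev -type f -newer "$2" -print
    else
        find "$1" -xdev -type f -print
    fi
}

# Scan the changed files under $1, keeping state in $2.
# Returns the scanner's status (ClamAV: 0 clean, 1 infected, 2 error).
scan_changed() {
    root=$1
    state=$2
    marker="$state/last-run"
    next="$state/next-run"
    list="$state/changed.list"
    mkdir -p "$state" || return 2
    # Stamp before listing so files written during the scan are seen next run.
    touch "$next" || return 2
    list_changed "$root" "$marker" > "$list"
    rc=0
    if [ -s "$list" ]; then
        # SCANNER is left unquoted on purpose so its options are split.
        $SCANNER --file-list="$list"
        rc=$?
    fi
    # Advance the marker only if the scan completed (clean or infected);
    # after a scanner error the same window is scanned again next hour.
    [ "$rc" -le 1 ] && mv "$next" "$marker"
    return "$rc"
}

if [ "${1:-}" = "run" ]; then
    scan_changed "$SCAN_ROOT" "$STATE_DIR"
fi
```

Files restored or copied with an older preserved modification time are skipped by `-newer`, which is one reason to keep the periodic full scan the answer mentions.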
