
Virus Scanning on Solaris 10 + ZFS


for...@gmail.com

Aug 12, 2008, 2:42:34 PM

I read about the vscan service which is available in OpenSolaris (not
production Solaris from Sun). I'm looking for more information about
it and when it might become a part of production code.

In the mean time, I wonder what others are doing on a Solaris x86
(64bit) system for antivirus handling.

We export several of our ZFS filesystems via NFS, some are r/w though
only connected to UNIX systems, there are some I'd like to have
scanned on a regular basis. I like the idea of having an on-access
mechanism trigger via the vscan service. I wonder about the I/O load
on the system under moderate usage.

Thanks.

Dave Uhring

Aug 12, 2008, 3:56:03 PM

On Tue, 12 Aug 2008 11:42:34 -0700, for...@gmail.com wrote:

> In the mean time, I wonder what others are doing on a Solaris x86
> (64bit) system for antivirus handling.

Absolutely nothing. Why would we do something like that?


Richard B. Gilbert

Aug 12, 2008, 6:11:25 PM

Virus? What virus?

Viruses seem to be largely a PC/Mac thing. The PC/Windows target is a
very big target. I've never encountered or even heard of a Solaris virus.

This is not to say that there is not or could not be such a thing but it
doesn't seem like a problem I need to worry about!

John D Groenveld

Aug 12, 2008, 6:23:08 PM

In article <33bda8fb-09ec-4568...@j22g2000hsf.googlegroups.com>,

for...@gmail.com <for...@gmail.com> wrote:
>In the mean time, I wonder what others are doing on a Solaris x86
>(64bit) system for antivirus handling.

Google points to at least two commercial offerings:
<URL:http://www.sophos.com/products/enterprise/endpoint/security-and-control/8.0/unix/sysreqs.html>
<URL:http://www.f-prot.com/products/corporate_users/solaris/>

And one free package:
<URL:http://www.clamav.net/>

Happy hacking,
John
groe...@acm.org

Doug McIntyre

Aug 12, 2008, 6:33:10 PM

>Virus? What virus?


What about having your Windows file shares stored on the Solaris
server. Wouldn't it be more efficient to run the Anti-Virus scanner
right on the file server box to scan the files on the share area?

There have been several Solaris remote breaches over the years (just
like any other vendor), and even more locally exploitable ones. I'm
not sure any antivirus package actually goes through and searches for
unpatched security problems on Solaris, or just will do a file scan
for windows/Mac viruses ala my example above.


Richard B. Gilbert

Aug 12, 2008, 8:25:45 PM

Doug McIntyre wrote:
> "Richard B. Gilbert" <rgilb...@comcast.net> writes:
>> for...@gmail.com wrote:
>>> I read about the vscan service which is available in OpenSolaris (not
>>> production Solaris from Sun). I'm looking for more information about
>>> it and when it might become a part of production code.
>>>
>>> In the mean time, I wonder what others are doing on a Solaris x86
>>> (64bit) system for antivirus handling.
>>>
>>> We export several of our ZFS filesystems via NFS, some are r/w though
>>> only connected to UNIX systems, there are some I'd like to have
>>> scanned on a regular basis. I like the idea of having an on-access
>>> mechanism trigger via the vscan service. I wonder about the I/O load
>>> on the system under moderate usage.
>>>
>>> Thanks.
>
>> Virus? What virus?
>
>> Viruses seem to be largely a PC/Mac thing. The PC/Windows target is a
>> very big target. I've never encountered or even heard of a Solaris virus.
>
>> This is not to say that there is not or could not be such a thing but it
>> doesn't seem like a problem I need to worry about!
>
>
> What about having your Windows file shares stored on the Solaris
> server. Wouldn't it be more efficient to run the Anti-Virus scanner
> right on the file server box to scan the files on the share area?
>
<snip>

IF you have a Solaris program to detect Windows viruses, it MIGHT be
more efficient to have Solaris scan for viruses.

This assumes that somebody has written a Windows Virus Scanner that runs
under Solaris and somebody issues updated virus definitions once or
twice a week.

The SECOND BEST solution to the malware problem is to close the
vulnerabilities exploited by the malware. The BEST is not to allow the
vulnerabilities in the first place!

Sadly, many programmers never do learn to routinely check that a buffer
is big enough to hold what they are about to move into it. Some O/Ss
allow execution on the stack, etc, etc. If it's POSSIBLE, someone will
figure out how. . . .


Michael Schmarck

Aug 13, 2008, 2:40:27 AM

Doug McIntyre <mer...@geeks.org> wrote:

> "Richard B. Gilbert" <rgilb...@comcast.net> writes:
>>for...@gmail.com wrote:
>>> I read about the vscan service which is available in OpenSolaris (not
>>> production Solaris from Sun). I'm looking for more information about
>>> it and when it might become a part of production code.
>>>
>>> In the mean time, I wonder what others are doing on a Solaris x86
>>> (64bit) system for antivirus handling.
>>>
>>> We export several of our ZFS filesystems via NFS, some are r/w though
>>> only connected to UNIX systems, there are some I'd like to have
>>> scanned on a regular basis. I like the idea of having an on-access
>>> mechanism trigger via the vscan service. I wonder about the I/O load
>>> on the system under moderate usage.
>>>
>>> Thanks.
>
>>Virus? What virus?
>
>>Viruses seem to be largely a PC/Mac thing. The PC/Windows target is a
>>very big target. I've never encountered or even heard of a Solaris virus.
>
>>This is not to say that there is not or could not be such a thing but it
>>doesn't seem like a problem I need to worry about!
>
>
> What about having your Windows file shares stored on the Solaris
> server. Wouldn't it be more efficient to run the Anti-Virus scanner
> right on the file server box to scan the files on the share area?

Not necessarily, no. The Windows clients need to scan their local stuff
anyway, so why install a scanner on the server?

> There have been several Solaris remote breaches over the years (just
> like any other vendor), and even more locally exploitable ones. I'm

Stuff like that is not protectable by a virus scanner.

Michael

Andrew Gabriel

Aug 13, 2008, 1:09:37 PM

In article <g7t2gc$6ec$1...@f04n12.cac.psu.edu>,

I believe Kaspersky do Solaris too.

--
Andrew Gabriel
[email address is not usable -- followup in the newsgroup]

Andrew Gabriel

Aug 13, 2008, 1:19:08 PM

In article <0PudnfLKR4Pylj_V...@comcast.com>,

"Richard B. Gilbert" <rgilb...@comcast.net> writes:
>
> Virus? What virus?
>
> Viruses seem to be largely a PC/Mac thing. The PC/Windows target is a
> very big target. I've never encountered or even heard of a Solaris virus.

Lots of people use unix fileservers for serving their Windows
systems. Windows virus scanners frequently cause serious stability
and performance issues running on Windows. Many applications require
you to disable virus scanners during install, which means you often
have many users with permission to disable their virus scanners,
which are all too often left disabled (particularly if it makes
the system faster and more stable). Virus scanners are also the
most targeted application by viruses, for obvious reasons.

There is a big attraction in running scanners on a system which
isn't itself subject to viruses, and (hopefully) isn't destabilised
by doing so.

Unix systems are also often used for email, web, IM, etc gateways
with virus scanning the data as it passes through.


Ian Collins

Aug 14, 2008, 4:28:36 AM

Huge wrote:

> On 2008-08-13, Richard B. Gilbert <rgilb...@comcast.net> wrote:
>
>> This assumes that somebody has written a Windows Virus Scanner that runs
>> under Solaris and somebody issues updated virus definitions once or
>> twice a week.
>
> Both McAfee and Sophos have virus scanners for Linux and all the mainstream
> Unixen. Of course, they use the same signature files as their Windows products,
> because that's what they're searching for.
>
> I would virus scan file systems ("shares") used by Windows clients, but I have
> never bothered with scanning native Unix systems.
>
Is even that limited use practical? I've just put a Thumper into
production with over 20 million windows files on various shares.
Scanning that lot would be like painting the Forth bridge.

--
Ian Collins.


hume.sp...@bofh.ca

Aug 14, 2008, 11:58:11 AM

Ian Collins <ian-...@hotmail.com> wrote:
> Is even that limited use practical? I've just put a Thumper into
> production with over 20 million windows files on various shares.

I'd imagine that's why the Novell and other "file server" versions tend to
rely a lot on on-access scanning.

Even without... you scan once, and after that, just scan the files that
are changing. It's roughly a similar mindset as your backups.

--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
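
The "scan once, then only what changes" approach from the post above, sketched as an added example (not code posted by anyone in this thread). The function names, the stamp-file path and the SCANNER variable are assumptions; the default scanner is ClamAV's clamscan, the free package linked earlier in the thread.

```shell
#!/bin/sh
# Incremental scan of an exported share: a full pass the first time, then only
# files modified since the last clean pass. Keep the stamp file OUTSIDE the
# share so clients cannot touch it. SCANNER is an assumed override hook.

# list_changed DIR STAMP
# Print regular files under DIR modified after STAMP; with no STAMP file yet
# (first run) print every regular file.
list_changed() {
    dir=$1
    stamp=$2
    if [ -f "$stamp" ]; then
        find "$dir" -type f -newer "$stamp" -print
    else
        find "$dir" -type f -print
    fi
}

# incremental_scan DIR STAMP
# Returns the scanner's exit status (clamscan: 0 clean, 1 infected, 2 error).
incremental_scan() {
    dir=$1
    stamp=$2
    next="$stamp.next"
    # Record the time BEFORE listing, so a file written while the scan is
    # running is newer than the stamp and gets picked up by the next run.
    touch "$next" || return 2
    list=$(mktemp) || return 2
    list_changed "$dir" "$stamp" > "$list"
    rc=0
    if [ -s "$list" ]; then
        # One path per line; names containing newlines are not handled.
        ${SCANNER:-clamscan} --no-summary --file-list="$list" || rc=$?
    fi
    rm -f "$list"
    # Advance the stamp only after a clean pass; after a detection or an
    # error the same files are scanned again on the next run.
    if [ "$rc" -eq 0 ]; then
        mv "$next" "$stamp"
    else
        rm -f "$next"
    fi
    return "$rc"
}
```

find -newer trusts the file's modification time, which a client with write access can set back (or preserve with a copy), so a periodic full pass is still needed to cover files that never look "changed".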

John D Groenveld

Aug 14, 2008, 2:51:13 PM

In article <48a31551$0$630$5a6a...@news.aaisp.net.uk>,

Andrew Gabriel <and...@cucumber.demon.co.uk> wrote:
>I believe Kaspersky do Solaris too.

I see Kaspersky Labs listed in Anil Gadre and company's Solaris
Ready [tm] database, but I do not see "Solaris" in Kaspersky's
marketing or sales pages.

Has anyone talked to a Kaspersky sales critter about Solaris support?

It would be very cool to have another ISV supporting Solaris.
John
groe...@acm.org

Andrew Gabriel

Aug 14, 2008, 7:42:45 PM

In article <g81ur1$n8g$1...@f04n12.cac.psu.edu>,

groe...@cse.psu.edu (John D Groenveld) writes:
> In article <48a31551$0$630$5a6a...@news.aaisp.net.uk>,
> Andrew Gabriel <and...@cucumber.demon.co.uk> wrote:
>>I believe Kaspersky do Solaris too.
>
> I see Kaspersky Labs listed in Anil Gadre and company's Solaris
> Ready [tm] database, but I do not see "Solaris" in Kaspersky's
> marketing or sales pages.

I found it by searching their pages before I posted
(having had a strong hunch they did so).

John D Groenveld

Aug 15, 2008, 2:09:13 PM

In article <48a4c2f5$0$630$5a6a...@news.aaisp.net.uk>,

Andrew Gabriel <and...@cucumber.demon.co.uk> wrote:
>I found it by searching their pages before I posted
>(having had a strong hunch they did so).

What is the URL, in case a prospective Sun or Kaspersky customer
stumbles across this thread?

I asked the Google Oracle and the answers weren't good.
All I could find was a press release regarding *BSD support
from 7 years ago and some recent requests to Kaspersky's web forums.
<URL:http://www.google.com/search?q=solaris+site:kaspersky.com>

I also asked Kaspersky's search engine.
<URL:http://www.kaspersky.com/find?words=solaris&x=0&y=0&search=1>

John
groe...@acm.org

Andrew Gabriel

Aug 15, 2008, 4:37:50 PM

In article <g84go9$vru$1...@f04n12.cac.psu.edu>,

groe...@cse.psu.edu (John D Groenveld) writes:

http://www.google.com/search?hl=en&as_q=solaris&as_sitesearch=www.kaspersky.com

gives a number of hits. I worked for an ISV which used Kaspersky's
scanning API (on Linux as it happens), but the Kaspersky docs had
many references to using it on Solaris. Maybe they don't do a bare
scanner for Solaris, but you can buy their API interface to allow
your own application to call Kaspersky's scanning engine?

From http://www.kaspersky.com/de/downloads/oem/kaspersky_oem_overview.pdf :
The Kaspersky Anti-Virus family of products can be used with:
# Workstations (DOS, Windows 95/98/Me, Windows 2000/NT/XP
Workstation, OS/2, Linux, Solaris)
...
