On-access AV scanning

Daniel Bye freebsd-questions at slightlystrange.org
Fri Jul 27 12:12:26 UTC 2012


On Fri, Jul 27, 2012 at 01:23:36PM +0200, Polytropon wrote:
> On Fri, 27 Jul 2012 12:00:19 +0100, Daniel Bye wrote:
> > All desktops/workstations (that is, all of them, every single one),
> > must have AV software running on them. There will be no exceptions, on pain
> > of dismissal.
> 
> Why is the AV software running on FreeBSD not sufficient in
> the opinion of your superior (or by the guidelines of the
> corporate directives)?
> 
> And those who bring a smartphone to work (private or company
> use), how do they run AV software on those _IT devices_? :-)
> 
> Oh, and how is AV software brought to the company network
> printers, the LAN gear and WLAN APs and everything else
> that can be infected, exploited, ruined or damaged?
> 
> Or do they simply not count as "desktop/workstation" as you
> mentioned? In that case: Happy attack vectors. :-)

Well, no, they don't count, according to our policy, because they're not
desktops. I know, I know - but I didn't write the damn policy - I just have
to live by it! :-/

> 
> 
> 
> Excuse my sarcasm, but there's a little truth in it, when
> seen from an IT security point of view.

I know, you make valid points - but I am merely a minor functionary in the
content development department, and not a global IT policy maker.  If it
were up to me, everyone in the company would be on UNIX of some kind or
other, but it just isn't up to me.

Hopefully, I can convince those that need convincing that what is available
is sufficient. I've only been using FreeBSD for the last 13 years, after
all, and in that time can count on the fingers of no hands the number of
security flaws that have allowed any of the machines under my care to be
compromised... I know that's no reason for complacency, and that I have been
lucky, but it's still a comforting statistic.

Thanks for your thoughts, guys. Of course, I'm going to extol FreeBSD's
virtues (it'd be great to get it in the datacentre, wouldn't it?), and we'll
see how we go!

> 
> 
> 
> Really, I _do_ understand your problem (or better the problems
> others created for you). Try to get more specific statements
> to what kind of AV software with which "action attributes" is
> required and try to construct a solution that will be sufficient
> in the _view_ of the responsible superiors. The less they do
> actually understand, the easier it should be. FreeBSD does
> _have_ AV software, but not _for_ FreeBSD per se (as it cannot
> be infected by viruses, trojans and malware that are designed
> explicitly for "Windows" platforms), but it can very well
> detect them. This all still does not help against human
> stupidity.

Aye, quite so. Preaching to the choir, brother.

> 
> Feel free to show this article and make use of its arguments:
> 
> Robert McMillan: Is Antivirus Software a Waste of Money?
> 
> http://www.wired.com/wiredenterprise/2012/03/antivirus/

Thanks for the link - I'll certainly have a read of it, and might well drop
the link in my email to him.

> 
> A _responsible_ and well-educated IT representative should
> form his own intelligent opinions, instead of trying to
> blindly follow corporate guidelines which are possibly _impossible_
> to instantiate.

Oh, this guy isn't frightened of change, so I'm just trying to build the
best case I can for his accepting FreeBSD. He seems very reasonable, and I'm
sure will be able to make an informed decision based on what I tell him, and
his own knowledge and experience. To be honest, when I asked him for a UNIX
workstation, I was expecting him to just laugh at me, so to be given the
opportunity to make a case for FreeBSD came as a very welcome surprise.

> 
> 
> 
> My idea for a solution: You can use a file access monitor
> (FAM) to detect when a new file enters the system, and then
> immediately have it scanned by a virus scanner you have
> already installed from ports.

Yep - exactly the solution that occurred to me a few minutes ago. A project
for the weekend!  Because looking after a 6-month-old baby doesn't take up
all our time...

> 
> 
> 
> Next issue: "You need a virus scanner that inspects network
> packets!" :-)

lol. Don't! Like I said, I'm just a code jockey in the content development
department - all that stuff happens way up there, out of sight of us mere
bottom-dwellers!

Cheers,

Dan

-- 
Daniel Bye
                                                                     _
                                              ASCII ribbon campaign ( )
                                         - against HTML, vCards and  X
                                - proprietary attachments in e-mail / \
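One way to build the "watch for new files, then scan them" idea from the quoted message, as an added example that is not code from this thread: a small Python poller that hands every new or changed file in a drop directory to ClamAV's clamscan (security/clamav from ports) and quarantines anything it flags. The polling loop stands in for the FAM/kqueue trigger, and the drop and quarantine directory paths are whatever the caller passes in.

```python
import os
import subprocess
import time
from pathlib import Path

CLEAN, INFECTED, ERROR = 0, 1, 2   # clamscan exit codes documented by ClamAV

def snapshot(directory):
    """Fingerprint (size, mtime_ns) of every regular file in directory."""
    return {p: (p.stat().st_size, p.stat().st_mtime_ns)
            for p in Path(directory).iterdir() if p.is_file()}

def changed_files(before, after):
    """Files in `after` that are new or whose fingerprint changed since `before`."""
    return sorted(p for p, fp in after.items() if before.get(p) != fp)

def clamscan(path):
    """Hand one file to ClamAV's clamscan and return its exit code."""
    proc = subprocess.run(["clamscan", "--no-summary", str(path)],
                          capture_output=True, text=True)
    return proc.returncode

def quarantine(path, qdir):
    """Move a flagged file out of the drop directory (same filesystem assumed)."""
    Path(qdir).mkdir(parents=True, exist_ok=True)
    dest = Path(qdir) / path.name
    os.replace(path, dest)
    return dest

def scan_changes(directory, before, qdir, scan=clamscan):
    """One poll cycle: scan what is new or changed, quarantine anything infected.
    Returns (new_snapshot, {filename: exit_code}) so the caller can keep looping."""
    after = snapshot(directory)
    results = {}
    for p in changed_files(before, after):
        rc = scan(p)
        results[p.name] = rc
        if rc == INFECTED:
            quarantine(p, qdir)
            after.pop(p)  # it has left the watched directory
    return after, results

def watch(directory, qdir, interval=2.0):
    """Poll forever; a FAM/kqueue trigger would replace the sleep in production."""
    state = snapshot(directory)
    while True:
        state, hits = scan_changes(directory, state, qdir)
        for name, rc in hits.items():
            print(name, {CLEAN: "clean", INFECTED: "INFECTED"}.get(rc, "scan error"))
        time.sleep(interval)
```

Files that are still being written will be rescanned on the next cycle because their size or mtime changes, so a partially copied file is not mistaken for a clean one.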