
Is Open Source Anti-Virus Right for You?
A great deal is riding on the effectiveness of your anti-virus protection.
by Christopher Jones
These days, few users would think of running their PC or Windows servers without anti-virus software. Protection of UNIX, Linux, and even System i servers is also becoming part of corporate security policy. But the lure of a cheap elixir is a risky temptation that some users are seeing as an easy way to address the need. While free or inexpensive anti-virus may seem like an adequate solution, it is not. There are real dangers to using open source solutions, and the protection they provide is of little benefit—not much better than taking no steps at all. Here, we look at the realities of open source anti-virus solutions and how they can compromise your security.
The Harsh Reality
The idea of open source is not bad in and of itself. It is admirable that programmers volunteer their time in an effort to help the community. But the reality is that those working on open source anti-virus are just that: volunteers. Through their best efforts, they identify virus threats and update definition files as they are able.
This is in contrast to commercial anti-virus solutions such as those from McAfee, Symantec, TrendMicro, and others. These commercial solutions are backed by teams of researchers who are continuously monitoring threats and preparing countermeasures. In the case of McAfee, the virus definitions are maintained by AVERT Labs, a team of 100 researchers in 14 countries who monitor threats 24x7 and update definition files (DATs) as needed, even releasing emergency DATs in extreme situations.
Today's viruses are no longer mere nuisances. They've become a tool for organized crime, and they pose a very serious security threat to the business world. Those who unleash viruses don't work on the same time schedule as volunteers, and this means that open source solutions cannot keep pace with real-world threats.
To highlight this point, let's take a look at the numbers. According to the latest figures, there are more than 185,000 viruses and malicious code threats. Most commercial anti-virus products detect all of these. One popular open source solution detects only between 35,000 and 50,000 viruses. That's just 19% of the total number of threats. If four in five viruses can penetrate your defenses, there is little benefit in taking the preventative steps in the first place.
The harsh reality is that with open source anti-virus, you are using a limited arsenal to protect the castle from a technologically superior enemy that will easily overwhelm your defenses.
Gaps in Security
You wouldn't surround your network with a firewall that stopped only 19% of unauthorized access attempts, and you wouldn't install a security system in your home or office that sounded only one out of every five times a burglar attempted to break in. But protecting your information and systems with open source anti-virus is the same as doing just that.
It is important to note that anti-virus protection is not simply a tool for keeping little nuisances off the system, but rather a key component of your well-rounded, layered security policy. Anti-virus is just as critical to the success of your policy as network security software, firewalls, backups, and physical security.
Viruses and malware that enter your network are more often than not there to disable security, open backdoors, log keystrokes, steal sensitive information, or even bring down a system. These pieces of code infiltrate where humans cannot.
Worms like Sasser, for example, can scan your system remotely from the Internet and infect it whenever they find an unpatched security exposure. Often such an exposure is due to a failure by the administrator to apply proper security policies. However, it could also be the case that the administrator did take proper steps, but the security was disabled by separate malicious code that slipped past insufficient virus protection.
Another example is the common use of open source anti-virus on Linux mail servers. There have been reports of administrators discovering attachments and code that look like viruses but that were not caught by the anti-virus protection on their mail server. Because open source coverage is so limited, relying on it to protect from threats attached to incoming mail can create holes in your security. Once the virus gets through the mail server and onto the system, DAT updates are of no benefit for stopping that threat.
This is just one example of potential exposures that are created by not adequately closing the door on viruses and malicious code. Relying on insufficient protection creates gaps in your security that can compromise all of your other measures.
Meeting Your Needs
The University of Hamburg Virus Test Center in Germany conducts independent testing of anti-virus solutions. Commercial anti-virus scanning engines rated highest in the results, followed by open source solutions, which received a score of zero in the testing.
Another important factor for those on System i to consider is the ability of an anti-virus solution to meet the specific needs of the platform. While open source solutions will (with limited effectiveness) perform the common tasks that their commercial counterparts do—scan, detect, quarantine—they can't meet the special needs of a server like System i. And in some cases, the open source solution may not even offer cleaning capabilities. When implementing virus protection as a piece in your overall security policy, these abilities play an important role in strengthening security to the level necessary in today's world.
You should look for unique functionality in an anti-virus solution for System i that includes the following:
- Handling recursive links
- Scanning IBM system objects
- Managing and protecting partitions running guest operating systems (AIX and Linux)
- Integrating with System i Navigator and Scheduler
- Supporting i5/OS mail scanning
- Integrating with automated messaging solutions to keep you in the loop of virus events that need attention
Let’s look at how two of these can impact your system:
Recursive Links
One unique part of i5/OS is the use of paths that loop on themselves. An example would be /QOpenSys/QOpenSys. Non-native scanners may be unable to properly handle these recursive links and therefore will loop infinitely. The result is that the scan will never complete, and your virus protection will be effectively disabled.
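The following is an added illustration, not code from the article or from any anti-virus product, of how a scanner avoids the infinite loop described above: it records the device and inode of every directory on the path it is currently descending, and refuses to enter a directory that is already one of its own ancestors. The sample tree it builds (a QOpenSys directory containing a QOpenSys link back to itself) is constructed for the example.

```python
import os
import tempfile
from typing import Dict, List, Set, Tuple


def scan_tree(root: str) -> Tuple[List[str], List[str]]:
    """Walk `root`, following symbolic links, without ever looping.

    A directory is identified by (st_dev, st_ino), so a link that resolves to
    an ancestor is recognised no matter what name it appears under.
    Returns (files_found, recursive_links_skipped)."""
    files: List[str] = []
    loops: List[str] = []

    def walk(path: str, ancestors: Set[Tuple[int, int]]) -> None:
        try:
            st = os.stat(path)  # follows the link, as a scanner must
        except OSError:
            return  # dangling link or unreadable entry: nothing to scan
        key = (st.st_dev, st.st_ino)
        if key in ancestors:
            loops.append(path)  # points back into the current path: skip it
            return
        ancestors.add(key)
        try:
            with os.scandir(path) as entries:
                for entry in sorted(entries, key=lambda e: e.name):
                    if entry.is_dir(follow_symlinks=True):
                        walk(entry.path, ancestors)
                    else:
                        files.append(entry.path)
        finally:
            ancestors.discard(key)  # leaving this directory

    walk(root, set())
    return files, loops


def demo() -> Dict[str, object]:
    """Constructed sample: QOpenSys/QOpenSys links to its own parent."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "QOpenSys")
        os.makedirs(os.path.join(sysdir, "usr"))
        for rel in ("QOpenSys/usr/one.txt", "QOpenSys/two.txt"):
            with open(os.path.join(tmp, rel), "w") as fh:
                fh.write("sample content")
        os.symlink(".", os.path.join(sysdir, "QOpenSys"))  # the recursive link
        files, loops = scan_tree(tmp)
        return {"files": len(files),
                "loops": [os.path.relpath(p, tmp) for p in loops]}
```

A walker without the ancestor check (for example `os.walk(root, followlinks=True)`) never finishes on this tree, which is exactly the disabled-protection outcome the text warns about.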
Digital Signatures
IBM digitally signs system objects in i5/OS to allow administrators to verify that no alterations have been made to the operating system. Patched programs—programs that modify the operating system to achieve functionality not otherwise possible—make changes to system objects that invalidate these digital signatures. The changes can lead to security exposures and stability issues. A native anti-virus solution for System i should have the ability to scan for these changes in order to provide complete protection.
Even more important when it comes to System i is to implement a solution that is designed to run natively on i5/OS. The same would go for any other platform. If you are running Windows, you want native Windows code; for Linux, you want native Linux code; and so on. Speed, efficiency, and stability depend on the code being suited to the platform, and your security depends on speed, efficiency, and stability.
Closing the Gap
Rounding out your security with solid virus protection is essential to maintaining today's servers and networks—including System i. And doing so is surprisingly easy and inexpensive; but it's not free. Beware of the promise of free or bargain-basement protection based on open source engines and definition files. While such solutions may seem to be a sufficient solution—35,000 monitored viruses is a big number, after all—the real-world effectiveness is not much better than leaving your front door open while away from home. There's a reason that commercial anti-virus vendors are few and far between, and there's a reason these vendors consistently finish at the top in independent testing.
This article was originally published on MC Press Online.
