topic Re: Virus checking on unix in Operating System - HP-UX

Virus checking on unix

Peter Gillis — Tue, 16 Nov 2004 19:45:18 GMT

Hi
RP2450 and RP2470 machines - running ux11.0 and ux 11.11 v1

Anyone suggest where Imight get an official stand from hp on the necessity or not for running virus scans on HP unix machines. If there is a way, please suggest a location where I might get info on how to scan for and protect the machines.

Thanks
maria

Re: Virus checking on unix

Steven E. Protter — Tue, 16 Nov 2004 19:57:25 GMT

Official stand on Unix.

Almost all viruses are designed to corrupt Windows machines. Far more targets, much greater havoc.

Anti virus software is of little utility on HP-UX. It would not necessarily detect a script written to use up all the cpu by spawning unlimited copies of itself.

Sendmail gleefully transmits viruss meant for Windows machines to Windows users with no ill effect on the HP-UX or Linux server they pass through.

On that point, I would say if you opened up selected directories to CIFS/samba and used a symmantec product, you could scan an HP-UX system for virus.

The way our organization protects Unix is thus. All unix email is relayed via a smtp relay server. Also a symanntec product. All viruses too or from are eliminated at that stage.

Summary: No real business need for anti-virus software on Unix. There are open source solutions you can compile if in spite of this logic you wish to proceed.

SEP

Re: Virus checking on unix

Steven E. Protter — Tue, 16 Nov 2004 20:00:44 GMT

That first line came out bad.

Should read: Unix's official stand as repeated by me.

Sorry.

Re: Virus checking on unix

Michael Tully — Tue, 16 Nov 2004 20:33:45 GMT

Hi Maria,

You'd be better off looking at products like HIDS that actually monitor certain functions of your system. The way unix systems are attacked are in a variety of ways, one being where system files or passwords might be compromised. Once the files have been infultrated, they can launch a further attack on your system by gaining control and then attempting to do further damage. Have a look at the offerings, you'll see they do a number of things. We are evaluating it now (HIDS) and once you work out what to monitor it gets easier.

There is no official stand, however HP will say to protect your system(s) by deploying tools like HIDS, Bastille etc. Many are free. Here are some links.

http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA
http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=J5083AA
http://www.software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6834AA

Regards
Michael

Re: Virus checking on unix

Ivajlo Yanakiev — Wed, 17 Nov 2004 03:20:48 GMT

Hi there,

First time when I find virus on my linux server I can't believe but it was.
YES there are virus for Unix.

Re: Virus checking on unix

Peter Gillis — Wed, 17 Nov 2004 16:00:02 GMT

Ivajlo,
How did the virus present itself?
Maria

Re: Virus checking on unix

John Kittel — Wed, 17 Nov 2004 17:46:37 GMT

We use samba on HP-UX to offer file/disk shares to Windows PCs. We run sophos on the HP-UX system to scan for Windows viruses on the share directories. Has never found one yet.

Sample output from the sophos cron job:

Sweeping /u01 filesystem

SWEEP virus detection utility
Version 3.80, April 2004 [HP-UX/HP-PA]
Includes detection for 89009 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com

System time 23:10:03, System date 16 November 2004
Command line qualifiers are: -nsc -nb --no-reset-atime --no-follow-symlinks

Quick Sweeping

23039 files swept in 4 minutes and 16 seconds.
No viruses were discovered.
End of Sweep.

Re: Virus checking on unix

Peter Gillis — Wed, 17 Nov 2004 17:53:24 GMT

Thanks for the info. this is all rather new to me..dealing with scanning and vireus detection . I was wondering, viruses only get on a system if sent or pass through the mail system on your server??
Maria

Re: Virus checking on unix

Sridhar Bhaskarla — Wed, 17 Nov 2004 19:02:10 GMT

Sorry - I haven't encountered a situation on my HP systems so far where I run some tool and it shows me a 'bug' saying that a file/memory got virus.

The most common threats (I don't call them viruses) are trojan horses on the system. You get a consultant (or a disgruntled employee) that worked on your system as root, leaves couple of suid-root programs in some unnoticiable places that simply spawn a shell , add couple of user logins. Anytime he/she could get into the box as long as it has network connectivity, use those suid programs to gain root access. Or that person could replace your /usr/bin/ls with a small script of their choice. They could also connect to some of the open ports like sendmail etc., run some malicious code to overflow the buffers and make the OS to give out shell. Viruses like Blaster worm simply sit on windoz boxes in the environment and do a continous polling of ports like RPCD and make them to crash. Or someone can put a sniffer on the wire connecting to your machine and watch the cleartext traffic containing secure information.

You will need to strenghthen the security on the systems by

1. Closing all the ports/services that are not necessary.
2. Encrypt the communication as much as possible using ssh, hardware encryption etc.,
3. Pay atmost attention to security patches. Subscribe to HP's bulletin and act on the security patches as soon as you can. People first try 'widely known' attacks first.
4. Have some tools like eSM, Cops, Satan, Bastille etc., t o report and fix the issues.
5. Minimize the number of users that have access to the system. No sharing of root passwords.
6. Implement strict account measures like password aging, expiry etc.,

HP can only be a carrier of viruses. So, you can store PC files containing viruses and distribute them to other systems. If you are running applications such as Samba, mail etc., that get/put files on PC, then you may want to run virus scans for those files as indicated in the previous threads.

-Sri

Re: Virus checking on unix

Steven E. Protter — Wed, 17 Nov 2004 19:09:51 GMT

I have just started reading a new Book called HP-UX Security by Chris Wong.

She states contrary to what I said that Viruses do exist for HP-UX.

So. I was wrong.

Big enough to admit it.

Still the premise that most viruses are aimed at Windows boxes, a more target rich environment is true.

If I pick up any tips as I read the book, I'll let you know. Book is probably worth having.

http://www.amazon.com/exec/obidos/tg/detail/-/0130330620/qid=1100736575/sr=1-1/ref=sr_1_1/102-7832521-3745723?v=glance&s=books

SEP

Re: Virus checking on unix

Ted Buis — Thu, 18 Nov 2004 01:20:29 GMT

I just went to google and did a search on "hp-ux virus", and found some products.

Re: Virus checking on unix

Sridhar Bhaskarla — Thu, 18 Nov 2004 01:32:44 GMT

A general property of virus is that it is contagious. So, if an virus infects an executable on windoz, then it may attack and infect other executables. A heavily infected windoz system may have to be reinstalled to completely get rid of the virus.

On HP-UX, what we have are vulnerabilities.. For ex., buffer-flow in apache's httpd daemon. But that is limited to only httpd. It can't contaminate 'inetd' daemon. In that aspect, there are no viruses for Unix systems.

-Sri

Re: Virus checking on unix

Robert-Jan Goossens — Thu, 18 Nov 2004 02:04:43 GMT

Hi Maria,

True hpux (unix) systems are not affected by viruses, but some users are allowed direct internet access, if you use samba to export filesystems to windows servers you can be a carrier of viruses.

http://www.ats.ucla.edu/software/antivirus/AdditionalSophos.htm

Best regards,
Robert-Jan

Re: Virus checking on unix

Daryl Much — Thu, 18 Nov 2004 11:23:17 GMT

The policy here is to scan all machines for viruses, independent of OS. Initially I thought it a waste of resources but now I agree that is is a worthwhile effore (and good cya). for hp-ux we use McAfee virus scanner for unix, scanning the system weekly. It is very straight forward to setup perl scripts to conduct the scanning and the updates and to send alerts when viruses are found. Due to the large volume of email we receive in the form of data, I occasionally do find a windows virus. Since we're all interconnected these days the viruses need to be eliminated wherever they are found.

Virus Scan for HP-UX v4.32.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 27 2003

Scan engine v4.3.20 for HP-UX.
Virus data file v4407 created Nov 17 2004
Scanning for 107936 viruses, trojans and variants.

HTH,

Chuck Davis