As mentioned, viruses have never been reported on HP-UX. Like most of the commercial versions of Unix, HP-UX runs on totally proprietary hardware with very little documentation about the boot record areas and nothing whatsoever compatible with an Intel processor. Viruses are almost always written in assembler or compiled to produce Intel x86 instructions which are just random data on a PA-RISC computer. In fact, the boot record area and the details needed to infect this area are different among various models of HP 9000, way too much work for even the experienced hacker.
So the only vulnerability associated with HP-UX is as an email server for a bunch of PCs. The emails have no effect on the HP-UX box so the vulnerability (as always) is in the PC client reading the mail. Tell the auditors to run virus scans on the PC clients.
The other source of viruses is found in disk sharing, and as with email, the PC is both the creator and target for the viruses. Like any filesystem, the virus scan must also look at the shared disk(s). HP-UX does nothing with infected files from PCs. You can try to run them but since they have the instructions and executable format, the file is 100% rejected. So unless you are sharing disk space with PCs, this is non-issue.
And since there is no virus scan program for HP-UX, it will be pretty hard to perform this task. The closest you could come to auditing HP-UX is to run the security_patch_check program (which should be done for all secure servers).
Bill Hassell, sysadmin
