Product of the Day: Sophos Anti-Virus
Product: Sophos Anti-Virus
Manufacturer: Sophos Americas
Address: 6 Kimball Lane, 4th Floor, Lynnfield, Massachusetts 01940
Telephone: 888-767-4679
URL: www.sophos.com
Much attention has been directed at high-profile viruses such as "Kournikova" and "Melissa" that have plagued the world of the Windows user. The resulting damaged files, mail-server clogging and IT department anxiety have led to the rapid installation of anti-virus software on Windows servers. In contrast, Linux/UNIX platforms have seemed immune to virus threats. Or have they? This article explores the vulnerability of Linux to viruses and how Sophos Anti-Virus has anticipated the threat and developed solutions to inoculate Linux/UNIX systems now.
There is a perception among Linux/UNIX users that their systems are largely immune to virus infiltration, and as a result few users have taken active steps to protect their systems. Several factors contribute to why only a handful of Linux viruses have been seen to date. First, the Linux system structure and security design make it less vulnerable (though not impermeable) than Windows systems. Second, because Linux has had a lower profile than Microsoft, it has not been as tempting a target for virus writers, at least for now. Third, Linux was less mainstream in the past, with a limited, more specialized population of users.
Despite the perception of Linux/UNIX users being immune from the threat of viruses, Sophos has been producing anti-virus software for the UNIX community's file servers and workstations for years. Specifically, Sophos develops, manufactures and supports anti-virus software for the enterprise market, with a user base of over ten million. The company prides itself on its commitment to research and development, meticulous attention to quality, and unwavering, round-the-clock technical support. Sophos has virus labs in the UK and Australia, ensuring a prompt response to any new virus incident anywhere in the world, no matter when.
Sophos's anti-virus offerings for Linux include all of the company's key solutions: Sophos Anti-Virus, which provides protection for servers, desktops and laptops; MailMonitor, which adds an extra layer of protection by checking all email traffic at the gateway; and SAVI (Sophos Anti-Virus Interface), which allows third parties to integrate with the Sophos virus engine.
Sophos Anti-Virus is the centerpiece of Sophos's software arsenal. It monitors all virus entry points at the desktop: disks, programs, documents, network drives and CD-ROMs, as well as email, Internet downloads, groupware and archive files. At any of these points, Sophos Anti-Virus prevents access to any virus-infected file and disinfects it if necessary.
Sophos Anti-Virus for Unix offers on-demand and scheduled scanning on UNIX file servers, and ensures 100% virus detection. It is available for AIX/PowerPC, Digital UNIX/Alpha (Compaq Tru64 Unix/Alpha), FreeBSD/Intel, HP-UX/HP-PA, Linux/Alpha, Linux/Intel, SCO OpenServer/Intel, SCO UnixWare/Intel, Solaris/Intel, and Solaris/SPARC platforms.
In addition to on-demand and scheduled scanning, non-UNIX machines, whether connected to UNIX servers or not, benefit from on-access scanning using Sophos's patented InterCheck technology. InterCheck combines virus scanning with checksumming to minimize the number of times each file needs to be scanned for viruses without compromising security.
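The checksum idea behind on-access scanning, shown as an added example (this is not InterCheck or any Sophos code): a file is scanned when first opened, the checksum of content found clean is remembered, and later opens of identical content skip the scan. The signature set, its version number, the test pattern and the sample files are all constructed here; the version is part of the cache key so that a signature update forces a rescan, which is the caveat a practitioner would want a checksum cache to handle.

```python
"""Checksum-gated on-access scan (added illustration, not Sophos's code).

A file is scanned once; the SHA-256 of content found clean is remembered
together with the signature-set version, and later opens of the same
content are served from the cache.  Infected content is never cached.
"""
import hashlib

# Constructed signature set.  A real engine loads thousands of signatures;
# the "version" field is part of the cache key so an update forces rescans.
SIGNATURES = {
    "version": 1,
    "patterns": [b"CONSTRUCTED-TEST-PATTERN"],
}


def scan_content(data: bytes, signatures: dict = SIGNATURES) -> bool:
    """Return True if the content matches any signature (treated as infected)."""
    return any(p in data for p in signatures["patterns"])


class ChecksumCache:
    """Remembers (signature version, SHA-256) pairs already found clean."""

    def __init__(self) -> None:
        self._clean = set()   # set of (version, hex digest) tuples
        self.scans = 0        # number of real scans the engine had to run

    @staticmethod
    def _key(data: bytes, signatures: dict) -> tuple:
        return (signatures["version"], hashlib.sha256(data).hexdigest())

    def on_access(self, data: bytes, signatures: dict = SIGNATURES) -> bool:
        """Called on each file open.  Returns True if access is allowed."""
        key = self._key(data, signatures)
        if key in self._clean:
            return True                       # known clean: no rescan needed
        self.scans += 1
        if scan_content(data, signatures):
            return False                      # infected: deny, never cache
        self._clean.add(key)
        return True


def demo() -> dict:
    """Exercise the cache on constructed content and report scan counts."""
    cache = ChecksumCache()
    clean = b"#!/bin/sh\necho hello\n"
    infected = b"prefix CONSTRUCTED-TEST-PATTERN suffix"
    results = {
        "first_open": cache.on_access(clean),        # scanned
        "second_open": cache.on_access(clean),       # served from cache
        "infected_open": cache.on_access(infected),  # scanned, denied
        "infected_again": cache.on_access(infected), # scanned again, denied
    }
    results["scans_before_update"] = cache.scans     # 3
    # A signature update changes the cache key, so the "clean" file is
    # scanned again; with the new pattern it is now flagged.
    updated = {"version": 2,
               "patterns": SIGNATURES["patterns"] + [b"echo hello"]}
    results["clean_after_update"] = cache.on_access(clean, updated)
    results["scans_after_update"] = cache.scans      # 4
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the composite key: a cache keyed on content hash alone would keep serving "clean" for a file that the newest signatures would catch, so the cache must be invalidated, or keyed, on the signature version.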
In May 2001, Sophos Anti-Virus detected the Linux/Cheese worm, which claims to be a "good virus". Cheese only affects Linux systems previously infected with the Linux/Lion worm. When Cheese infects a machine, it extracts itself to the /tmp/.cheese directory. It then erases any lines in /etc/inetd.conf which contain the text /bin/sh. (A line containing this text is added as a backdoor when a computer is infected with Linux/Lion.) The worm then also looks for other computers with the backdoor left open by Linux/Lion.
The Cheese worm of May 2001 joined other Linux viruses that Sophos Anti-Virus protects against, such as Adore and Ramen. Only one month earlier, in April 2001, Sophos Anti-Virus detected Adore, a worm which, once running, attempts to send confidential information including the files /etc/hosts and /etc/shadow to four email addresses which appear to be based in China. Adore spreads by scanning randomly generated class B IP addresses and looking for vulnerabilities.
Prior to Adore, Sophos Anti-Virus identified Ramen in January 2001. Ramen is an Internet worm for Linux which downloads a copy of itself and is executed at computer start-up. The worm remains running until the machine is switched off. While active, it chooses an Internet network at random and looks for email addresses and machines to infect. The worm replaces all index.html files on the computer with an HTML file containing the text 'Hackers looooooooooooooooove noodles.'
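The three worm descriptions above each name a host-level trace that an administrator can check for: a /bin/sh service line in /etc/inetd.conf (left by Lion, removed by Cheese), the /tmp/.cheese directory, and index.html files carrying the Ramen text. The following added example (written for this page, not Sophos code) turns those traces into a small host check. It walks a filesystem root so it can be pointed at a mounted image or at / on a live host; the mini filesystem it builds for the demonstration, including the inetd.conf service line that contains /bin/sh in the program field, is constructed.

```python
"""Host check for the worm traces named in the text (added example).

Indicators, all taken from the article:
  * /etc/inetd.conf service line whose server program/args reference /bin/sh
  * the /tmp/.cheese directory
  * index.html files containing the Ramen defacement text
The sample filesystem built by build_sample_root() is constructed.
"""
import os
import tempfile

RAMEN_TEXT = "Hackers looooooooooooooooove noodles."
CHEESE_DIR = "tmp/.cheese"          # relative to the root being checked


def inetd_shell_services(inetd_conf: str) -> list:
    """Return active inetd.conf service lines that reference /bin/sh.

    Field layout: service socket-type protocol wait/nowait user program [args]
    Comment lines and blank lines are ignored, so a '/bin/sh' in a comment
    does not count.
    """
    hits = []
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) >= 6 and any("/bin/sh" in f for f in fields[5:]):
            hits.append(stripped)
    return hits


def ramen_defaced(html: str) -> bool:
    """True if an index.html body carries the Ramen replacement text."""
    return RAMEN_TEXT in html


def check_host(root: str) -> dict:
    """Collect the three indicators under a filesystem root."""
    findings = {"inetd_shell": [], "cheese_dir": False, "defaced_index": []}
    conf = os.path.join(root, "etc", "inetd.conf")
    if os.path.isfile(conf):
        with open(conf, errors="replace") as f:
            findings["inetd_shell"] = inetd_shell_services(f.read())
    findings["cheese_dir"] = os.path.isdir(os.path.join(root, CHEESE_DIR))
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, errors="replace") as f:
                if ramen_defaced(f.read()):
                    findings["defaced_index"].append(os.path.relpath(path, root))
    return findings


def build_sample_root() -> str:
    """Create a constructed mini filesystem exhibiting all three indicators."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "tmp", ".cheese"))
    os.makedirs(os.path.join(root, "var", "www"))
    with open(os.path.join(root, "etc", "inetd.conf"), "w") as f:
        f.write("# constructed inetd.conf; /bin/sh here is only a comment\n"
                "ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
                "svc    stream tcp nowait nobody /bin/sh sh\n")
    with open(os.path.join(root, "var", "www", "index.html"), "w") as f:
        f.write("<html><body>" + RAMEN_TEXT + "</body></html>")
    return root


if __name__ == "__main__":
    for name, value in check_host(build_sample_root()).items():
        print(f"{name}: {value}")
```

On a real host the check would be run as `check_host("/")`; the inetd parser looks only at the program and argument fields, so the ordinary tcpd-wrapped services in the sample are not reported.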
The capabilities of Sophos Anti-Virus for UNIX users are coupled with the power of Sophos MailMonitor, a suite of software that inspects all email traffic passing through gateways, providing an extra layer of protection against mass-mailing viruses. It also disinfects, deletes or quarantines infected email and attachments at the gateway, with real-time scanning.
Finally, there is the Sophos Anti-Virus Interface, or SAVI. Typically used with gateway or firewall software, SAVI offers rapid system integration while taking up only a small amount of memory. SAVI also detects all virus types, incorporates disinfection, and provides detailed information when a virus is found.
UNIX users protecting their systems with the Sophos Anti-Virus offerings are assured 24x7x365 support and the necessary product updates. What's more, they know Sophos software has a built-in capability that allows it to detect virus variants that have not yet been analyzed by the Sophos labs. Once a virus has been detected, the Sophos virus engine automatically disinfects macro and boot sector viruses. The software can also disinfect common executable viruses. The company reports that its false alarm rate is low.
The veil of security that Linux users have felt toward viruses is beginning to lift. But the belief that the low level of damage these worms cause makes them less of a problem than other viruses of recent history can be a dangerous one. Many viruses do not destroy data; they just replicate themselves and spread wherever they can. The havoc they wreak is not so much in lost information, but in bogging down servers with excess traffic and in the loss of confidence when your system infects those of your colleagues and friends. And then there is the disk that a friend loans a friend, inadvertently spreading malicious code. UNIX users are certainly susceptible to this type of threat. With the increasing popularity of the platform, the virus threat grows with each passing day.
Linux system operators have not invested in anti-virus protection to the same extent as Windows users. Even with a history of relatively few virus threats, it cannot be overlooked that Linux viruses do exist and that the risks for the future are real, with significant financial implications. Sophos offers dependable solutions that protect UNIX systems as well as a wide range of other popular operating systems. Taking precautionary measures now will safeguard your UNIX system against the viruses that may threaten it tomorrow.