Lightweight_Anti_Virus_Software

Posted on 2014-03-25
Last Modified: 2016-02-25
Has anyone used or had experience with any good lightweight antivirus on a Linux/Oracle 11g server that does not use much CPU?

I tried McAfee and that thing has major issues: it uses 100% of CPU and kills all applications on the machine.

I have seen some mention of ESET, Sophos, ClamAV, f-prot, Comodo, rootkit hunter, etc., but I have no experience with them.
Question by: sam15

35 Comments
 
LVL 10

Assisted Solution

by:Scott Thomson
Scott Thomson earned 33 total points
Sophos is a good one I would suggest. Also, depending on the version of Linux you use, you should be able to go into the app store and look for antivirus.
 
LVL 14

Assisted Solution

by:leoahmad
leoahmad earned 33 total points
Avast, "the best" lightweight.
 
LVL 10

Expert Comment

by:Scott Thomson
Agree - Avast is lightweight and non-intrusive.
Definitely a fan.
 
LVL 3

Assisted Solution

by:mlsbraves
mlsbraves earned 34 total points
I've heard a lot of good things about ClamAV. It's very popular in UTMs and mail gateways because of its stability and how lightweight it is.
 
LVL 82

Expert Comment

by:Dave Baldwin
Basic ClamAV is not an active scanner, only an on-demand scanner. It is supposed to work well for mail gateways because they will make the scan request on new emails.
 
LVL 61

Expert Comment

by:gheist
You can read McAfee's best practices for deployment and exclude *ALL* Oracle files.
 
LVL 36

Expert Comment

by:Geert Gruwez
Configuring an AV is always a requirement on an Oracle server;
doesn't matter what OS it is.
 
LVL 61

Expert Comment

by:gheist
Yes, and McAfee's recommendation in this regard is to not scan Oracle data files ever...
 
LVL 27

Expert Comment

by:serialband
ESET seems the best overall managed solution, if you want to cover all Linux, Windows, and OSX systems. It's lightweight on all of them. I haven't yet experienced a slowdown on any of the systems so far. I also don't get complaints from the users.

Avoid McAfee & Symantec.
 

Author Comment

by:sam15
<<<You can read McAfee's best practices for deployment and exclude *ALL* Oracle files >>>

I do not manage this, but the McAfee operator seems to always add directory or process exclusions.

Is that really normal, and is that how other antivirus software normally works? It sounds like it is McAfee specific.

Is it also normal for an A/V scanner to use 100% CPU and hang the machine, or should that be considered a piece of junk software?

My understanding is that A/V software should only run real-time if you download a new file to the machine, and it should be very lightweight and not use more than 10% CPU. Is this correct?

<<<Configuring an AV is always a requirement on an Oracle server;
doesn't matter what OS it is >>>

I have spoken to many DBAs on Linux and no one runs antivirus on it.
Linux is different than Windows, and you can only damage it if you run malware using root. In Windows, all software runs as admin.
 
LVL 61

Accepted Solution

by: gheist
gheist earned 200 total points
https://www.google.es/search?q=vsel_170_config_guide_en-us.pdf
P16

If they fail to prove that they comply (put eicar.com in the DB directory under a name that must be excluded):
you can add lshook.blacklist=1 linuxshield.blacklist=1 to the kernel command line to send the on-access scanner away for good.
Actually the on-demand scan list is not managed centrally and you should be able to completely undermine their damage.
 

Author Comment

by:sam15
I looked at the document. Are you suggesting to turn off the real-time (on-access) scan and run it on-demand (i.e. once per week)?

What if you run it on-demand and it still uses 100% of CPU? Isn't that still bad software? Can't you say that anything that uses over 20% puts performance at risk?

Any ideas how much CPU ClamAV or Avast or Sophos or ESET normally use when they run?
 
LVL 61

Expert Comment

by:gheist
Nope, it suggests exclusions for the Oracle database.
It uses 100% of one CPU core. Don't you have a multiprocessor or at least hyperthreading machine at hand?

Once your ePO administrator says they are in place, just copy the eicar.com file into the Oracle data directory under whatever file name should not be scanned.
If it is caught and cleaned, ask them to fix it. Once they are good, Oracle should run fine.
If they don't, just immunize your system against antivirus and ignore their woes.
 

Author Comment

by:sam15
I just searched this document vsel_170_config_guide_en-us.pdf for the word "oracle" and there is no mention of it at all. Are you sure about your reference?

We have one physical Dell PowerEdge 2900 server with 2 dual or quad core CPUs.
We are running 4 different virtual machines (VMware) on it (Crystal, Oracle, Apache, .NET, etc.). We have a couple of Windows VMs and a couple of Linux VMs.

I do not know how it is configured (dedicated CPU or shared, etc.). But when the scanner runs, the Oracle VM slows down and becomes useless.

Are you saying to copy eicar.com to the database files directory or any directory to exclude scans? I doubt my permissions would allow that.

Do you agree that this software has major problems versus other scanners? Is it normal for antivirus software to work like this?
 
LVL 61

Expert Comment

by:gheist
My bad,
VSEL_1_7_Best_Practices_Guide.pdf is the right one.
 

Author Comment

by:sam15
I see the recommendation now for *.dbf and *.ctl and *.log.

This is just a start, as there are OEM tools, Java, etc., etc.

I recall they added an exclusion for the Oracle home directory, which should include all of those anyway. But isn't this really an ineffective workaround for malfunctioning software?

Does other antivirus software work like this, using exclusions and using 100% CPU for normal scans?

It seems the two most popular ones are ClamAV and Avast:

http://www.makeuseof.com/tag/free-linux-antivirus-programs/

http://www.linux.org/threads/malware-and-antivirus-systems-for-linux.4455/

Am I reading this right? John McAfee says McAfee software is the worst on the planet. Unbelievable!

http://www.entrepreneur.com/article/230684

http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/01/07/intel-drops-mcafee-name-from-software.html
 
LVL 27

Expert Comment

by:serialband
John McAfee is no longer really involved with his namesake software company and hasn't been for quite some time, but he's right.  Symantec and McAfee are software to avoid.

McAfee's somewhat eccentric, to put it mildly.  He took his millions to Belize a long while back and made an "escape" out of there a year ago and abandoned his compound.  He's currently in the USA and "on the lam".  http://www.usatoday.com/story/tech/2014/03/25/john-mcafee-on-the-lam-blue-ridge-mountains-futuretense/6374671/
 
LVL 61

Expert Comment

by:gheist
You need to have access to the McAfee log and to the local web interface.
And don't trust "should be excluded anyway" - always drop the eicar test file as they actually recommend.

You're lucky it takes just 100% of CPU link
 

Author Comment

by:sam15
What do you mean by being lucky if it only takes 100% CPU? That kills the machine performance.

But let me ask you, since you are security experts.

Before you deploy any antivirus software on any machine with applications running,
do you normally have to set up a dedicated test machine, install the antivirus there, and do some sort of certification and document the test results before you can deploy it?
 
LVL 61

Expert Comment

by:gheist
There should be some acceptance procedure in place; definitely it is not you, the end consumer, who should build test infrastructure.
What would they do with a Windows desktop and such AV?
 

Author Comment

by:sam15
Yes, but the test server should have the custom applications running on it too. Then you test the performance of the application.

Since you are an expert, would you accept anything that uses 99% CPU?

What is the maximum CPU usage you are willing to accept when the scanner runs?

Did you ever use the ClamAV and Avast products?
 
LVL 61

Expert Comment

by:gheist
I don't use a resident scanner.
I use hbedv, Bitdefender and f-prot (this is the fast one) in appropriate places where untrusted files from Windows can appear. Had the requirement to have McAfee some time ago. Why do you try to jump into the spirit of their request? They say you must have AV configured. Letter-by-letter, disabling it is also "configured".
 
LVL 61

Expert Comment

by:gheist
Maximum CPU usage obviously is 100% among all cores, while McAfee just uses one (or is there a new engine already that uses more than one?)
 

Author Comment

by:sam15
What do you mean by "you don't use a resident scanner"? Does the scanner reside somewhere else and you run it from another machine? Is this possible?

I do not want AV, but they keep claiming it is a standard.

Do you also mean you can install it and disable it by adding exclusions for all directories, so it is sitting there but doing nothing?

The on-demand scan might resolve the issue, but the standard calls for real-time on-access.
 
LVL 61

Expert Comment

by:gheist
A resident scanner is one that runs all the time, aka McAfee On-Access Scan.
You can evict it with 2 kernel parameters completely, no matter the settings on ePO.
 
LVL 27

Assisted Solution

by:serialband
serialband earned 200 total points
Who are they? Windows admins? IT managers that aren't real sysadmins? Virus scanner vendors? If they're recommending McAfee, it's because they have no clue about tech, are incompetent, or made some shady business deal.

Resident scanners are scanners that run in the background waiting for activity. Non-resident scanners must be manually run or scheduled.

ClamAV is a non-resident scanner. It doesn't run in the background. You must schedule it to run or run it manually. It's mostly used for scanning mail for Windows viruses. You'd usually run ClamAV with Amavis on mail servers to make it a "resident" email scanner, with Amavis as a service. You could also run it on file servers to Windows, which I did for a time.

rootkithunter is also non-resident. This is probably more relevant to the Linux world than a virus scanner. This is usually run on login servers, since users are the more likely vectors for rootkit infiltrations. Most people run it after IRC bots are discovered sending packets on the network.

I still recommend ESET, if you're forced to run commercial AV. On Linux, AV is mostly a "feel good" measure for IT managers and mainly Windows-centric people, and sometimes you just have to humor them. Since they want AV, try and get a better one that doesn't hog up resources.
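A way to run ClamAV as the scheduled, non-resident scanner this answer describes, while keeping the scan off the database's cores and datafiles and answering the "how much does it cost me" question with a log line monitoring can read. This is an added example, not code from the thread or from any of the posters: the log path, the pinned core and the cron line are assumptions, and the *.dbf/*.ctl/*.log patterns are the ones quoted earlier in the thread from the McAfee best-practices guide. The clamscan flags (--recursive, --infected, --exclude, --exclude-dir) and its exit codes (0 clean, 1 detection, 2 error) are documented ClamAV behaviour.

```shell
#!/bin/sh
# Added example (not from the thread or any poster): a scheduled, non-resident
# ClamAV scan for a Linux/Oracle host. It excludes the Oracle datafile patterns
# quoted earlier (*.dbf, *.ctl, *.log) and pseudo-filesystems, runs clamscan at
# the lowest CPU and I/O priority pinned to one core, and turns the result into
# one log line a monitoring tool can parse. Paths and the pinned core (0) are
# assumptions; adjust them for the host.

SCAN_ROOT="${SCAN_ROOT:-/}"
LOG_FILE="${LOG_FILE:-/var/log/clamav/oracle-scan.log}"   # assumed location
SCAN_CPU="${SCAN_CPU:-0}"                                  # core the scanner may use

# Exclusion arguments for clamscan. --exclude and --exclude-dir take POSIX
# regexes, so the patterns are anchored with \.dbf$ etc.: "x.dbf.bak" is still
# scanned; only real datafiles, control files and redo logs are skipped.
build_exclusions() {
    printf '%s ' \
        '--exclude=\.dbf$' \
        '--exclude=\.ctl$' \
        '--exclude=\.log$' \
        '--exclude-dir=^/proc' \
        '--exclude-dir=^/sys' \
        '--exclude-dir=^/dev'
}

# Pull the number out of the "Infected files: N" line of a clamscan summary
# read from stdin; prints nothing if the summary is missing (e.g. scan aborted).
parse_infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p'
}

# clamscan's documented exit status: 0 clean, 1 something detected, 2 error.
classify_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# nice -n 19 / ionice -c 3 (idle class) / taskset -c N keep the single-threaded
# scanner from starving the database; taskset and ionice ship with util-linux.
run_scan() {
    # shellcheck disable=SC2046   # word-splitting of the exclusion list is intended
    output=$(nice -n 19 ionice -c 3 taskset -c "$SCAN_CPU" clamscan \
        --recursive --infected $(build_exclusions) "$SCAN_ROOT" 2>&1)
    status=$?
    count=$(printf '%s\n' "$output" | parse_infected_count)
    printf '%s clamscan result=%s infected=%s root=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(classify_exit "$status")" \
        "${count:-unknown}" "$SCAN_ROOT" >> "$LOG_FILE"
    printf '%s\n' "$output" >> "$LOG_FILE"
    return "$status"
}

# Invoke as "oracle-clamscan.sh run" from cron, e.g. weekly on Sunday at 03:00:
#   0 3 * * 0  /usr/local/sbin/oracle-clamscan.sh run     (assumed install path)
if [ "${1:-}" = "run" ]; then
    run_scan
fi
```

The log line is the part worth keeping even if the rest is adapted: a non-resident scanner that nobody checks is the same as no scanner, so the result, the detection count and the scanned root go to one greppable line, and the raw clamscan output follows it for the cases where the count is "unknown" (the scan did not finish) or "infected".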
 

Author Comment

by:sam15
Yes, a couple of boneheads in security. They keep claiming a company standard calls for malware protection, and the company seems to use this poison software McAfee. I do not think it has been tested or certified with a Linux VM and Oracle, though.

If you have ideas to counter that, let me know.

When you run ESET and ClamAV, does it affect your server performance (CPU)?

<<<You can evict it with 2 kernel parameters completely, no matter the settings on ePO >>

What are those kernel parameters, and do you need root privilege for that?
 
LVL 61

Expert Comment

by:gheist
 

Author Comment

by:sam15
It seems blacklisting a service requires editing a blacklist file, which might require root access and a server reboot. Is this correct?

http://askubuntu.com/questions/110341/how-to-blacklist-kernel-modules

Where can I get that file eicar.com to copy it to the directory for exclusion?
 
LVL 61

Expert Comment

by:gheist
You have to change the kernel boot parameters in /etc/grub.conf.
That in turn requires a reboot to apply.
 

Author Comment

by:sam15
Yes, the file is locked by root.

ls -alt grub*
-rw------- 1 root root 995 Nov  1  2012 grub.conf

What about that "eicar.com" file mentioned? Where do you get this file from?
 
LVL 61

Expert Comment

by:gheist
Go to the site www.eicar.com and look for the antivirus test file.
Remember you need it to test if the exclusions of Oracle datafiles are in force.
 

Author Comment

by:sam15
The login is a closed area. Can you download without having a login account?
 
LVL 61

Expert Comment

by:gheist
http://www.eicar.org/86-0-Intended-use.html
Scroll down and copy the one-liner.
Now if you make that one-liner the content of a .exe file, AV is expected to "clean" it.
Or if you keep it as a line in a text file, AV should not react.
 

Author Closing Comment

by:sam15
Excellent solutions!