how to verify cloud VM can't support AV & relevance of AV/patching on cloud VM

We are moving some of our apps/systems to the cloud.
However, some vendors for the cloud projects came back to
say that the OS is a stripped down Linux which is hardened
& that it's not applicable to install/run AV.

In view of high-profile attacks and audit requirements, I
am loath to raise an exemption/deviation even if the cloud VM
is not accessible to the public (i.e. firewalled to our corporate
only).  I noticed that AWS & another vendor that uses VMs
on Windows guests offer AV.

Is there a quick/easy way for me to verify that the 'stripped-down
Linux OS' the vendor uses in the cloud truly could
not support AV?  I guess running 'uname -a' is not
enough.  Or is there a script for me to verify?
Or can I verify by checking what past patches
they have been applying?  If it's all Red Hat/RHEL patches,
then it's just simply a hardened RHEL, which should
support many AVs.

What are the usual audit requirements for AV for a custom
Linux VM in the cloud?  Don't really need an AV under what

If it's truly a stripped-down Linux say based on CentOS or
FreeBSD, can I assess the patch requirements based on
CentOS & FreeBSD?  I recall when running a VA scan
against a PABX that's based on RHEL, all vulnerabilities
for RHEL are applicable & the PABX vendor produces
the patches though they are behind RedHat by a few
months in coming out with the patches.

This reminds me of IoT, many of which are appliances
that customize their OS from Linuxes (e.g. CentOS,
RHEL, Ubuntu) & FreeBSD.
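
The reasoning in the question above (a vendor-branded image that is really RHEL or CentOS underneath should follow that distribution's patches) can be checked from inside the guest or against an exported disk image. This is an added example, not part of the original post; the function names and the `vendoros` sample are made up for illustration, and the result only identifies the upstream family, it does not by itself show that a given AV product will run.

```shell
#!/bin/sh
# Added example (not from the thread): find the upstream distro family of a
# Linux guest. ROOT defaults to / and may point at a mounted or extracted image.

# os_field FILE KEY: print KEY's value from an os-release file, quotes removed.
os_field() {
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "\"'"
}

# base_family ROOT: print rhel | debian | freebsd | unknown from ID and ID_LIKE.
base_family() {
    root=${1:-/}
    f=
    for c in "$root/etc/os-release" "$root/usr/lib/os-release"; do
        if [ -z "$f" ] && [ -r "$c" ]; then f=$c; fi
    done
    if [ -z "$f" ]; then echo unknown; return 0; fi
    for id in $(os_field "$f" ID) $(os_field "$f" ID_LIKE); do
        case $id in
            rhel|centos|fedora|rocky|almalinux|ol|amzn) echo rhel; return 0 ;;
            debian|ubuntu) echo debian; return 0 ;;
            freebsd) echo freebsd; return 0 ;;
        esac
    done
    echo unknown
}

# pkg_db ROOT: print which package database exists on disk (rpm | dpkg | none).
# os-release is an editable text file, so this is an independent second signal.
pkg_db() {
    root=${1:-/}
    if [ -d "$root/var/lib/rpm" ] || [ -d "$root/usr/lib/sysimage/rpm" ]; then
        echo rpm
    elif [ -f "$root/var/lib/dpkg/status" ]; then
        echo dpkg
    else
        echo none
    fi
}

report() { echo "family=$(base_family "$1") pkgdb=$(pkg_db "$1")"; }

# Constructed sample: a vendor-branded image that still declares a RHEL base.
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/var/lib/rpm"
printf 'NAME="Vendor Appliance OS"\nID=vendoros\nID_LIKE="rhel fedora"\n' > "$demo/etc/os-release"
report "$demo"
rm -rf "$demo"
```

A result of `family=unknown pkgdb=none` is the case where the vendor's "stripped-down" description is most plausible and the patch history has to come from the vendor rather than an upstream distribution.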
David Johnson, CD Retired Commented:
Stay away from something you can't verify.  The truly paranoid can use their own O/S. Myself, I'd only go with the bigger cloud providers.
sunhux (Author) Commented:
Btw, this vendor is sending SMS from the application hosted in the cloud,
so how can 'data in transit' be encrypted?  We can use TLSv1.2 for https
(data in transit) but how about SMS?
sunhux (Author) Commented:
What if it's an appliance OS in the VM?

Thing is how to verify what the vendor says:
if it's truly that 'stripped-down' (or appliance)
or it's only a hardened OS that could still
support AV.
sunhux (Author) Commented:
Just a last question, i.e. rephrasing:
what are the files that must be present for an AV to work on Linux?
sunhux (Author) Commented:
The above is the service I'm exploring/considering; seems
like their on-prem are appliances
sunhux (Author) Commented:

Or even for appliance VMs (i.e. VMs running stripped-down Linux), is agentless AV the way
to go, i.e. we don't install an AV agent in the guest OS but at the hypervisor layer?  Is this how
AWS is doing it?
sunhux (Author) Commented:
Have to assess on a case by case basis.

AWS offers agentless AV
sunhux (Author) Commented:
Decided that if the service hosted in the cloud can afford that the
data is lost (i.e. we simply re-key it in if it's lost, & the data is not sensitive),
we don't need AV; yes, AWS offers agentless AV which doesn't need
anything to be installed in the VM (useful for stripped-down OS)
