AIX


Antivirus Software Recommendations for AIX System

  • 1.  Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Wed March 06, 2024 08:28 AM

    Hi Guys,

    Is the implementation of AIX Trusted Execution (TE) functions alone sufficient to address security features, or do you find it necessary to complement it with antivirus software on the AIX system? If you are using antivirus software, could you share your reasons for doing so and recommend any specific products that have proven effective in this context?



    ------------------------------
    Mafaaz Salam
    ------------------------------


  • 2.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 03:43 AM

    First you have to ask yourself why would you want AV software on AIX, ie what would this software detect and protect you against?

    What is the answer in your case?



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 3.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 03:51 AM

    Hi,

    There will be an AIX antivirus solution from the RazLee company available soon.

    They have a long and very successful history in security solutions for IBM i, and AIX is on its way now.

    Don't hesitate to contact them.

    Regards, Igor.



    ------------------------------
    Igor Novotny
    Principal Consultant
    MHM Computer, a.s.
    Prague 15
    00420602369375
    ------------------------------



  • 4.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 05:46 AM

    The mere existence of AV software does not justify installing this software. As always, there has to be a valid reason and a real added value.



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 5.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 05:12 AM

    The only time I'd run AV on a Unix platform is when it is acting as a file & print server for Windows. This would be to avoid it being a conduit for the transmission of viruses to/from Windows. Outside of this use case, I don't see any need for it.



    ------------------------------
    Phill Rowbottom
    ------------------------------



  • 6.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 06:01 AM

    AV software is essential due to the newly introduced PCI DSS regulations. Some of my customers' AIX systems are exposed to the Internet, requiring protection. I am seeking arguments to determine whether relying solely on Trusted Execution (TE) is adequate for security or if additional measures, such as Antivirus (AV) software, are necessary.



    ------------------------------
    Mafaaz Salam
    ------------------------------



  • 7.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 06:06 AM

    > Some of my customers' AIX systems are exposed to the Internet, requiring protection.

    What do you want to protect and against what? That's the question. AIX systems themselves against AIX viruses?



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 8.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 06:12 AM

    When considering protection for AIX systems against AIX viruses specifically, the focus is on safeguarding the integrity and functionality of the AIX operating system itself. AIX viruses, or malware targeting AIX environments, can pose a threat to the stability and security of the operating system.



    ------------------------------
    Mafaaz Salam
    ------------------------------



  • 9.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 08:07 AM

    > AIX viruses,

    Has anybody seen such a beast in the real world, not in a lab env?

    > or malware targeting AIX environments, can pose a threat to the stability and security of the operating system.

    True. So how does malware get executed in AIX?



    ------------------------------
    Lech Szychowski
    ------------------------------



  • 10.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 08:22 AM

    Lech,

    yes, there was at least one "AIX virus" and trojans/malware are always possible even today.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 11.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 06:13 AM

    TE is a more advanced "it's allowed to run" security technique than "detect it after the fact" AV software.



    ------------------------------
    Phill Rowbottom
    ------------------------------



  • 12.  RE: Antivirus Software Recommendations for AIX System

    Posted Thu March 07, 2024 07:47 AM

    Mafaaz,

    Theoretically, properly configured native AIX security tools are sufficient. I agree with most of the previous speakers, but ... it is a good idea to protect yourself with a non-IBM tool, e.g. https://www.coresecurity.com/products/powertech-antivirus

    Regards, 

    Tadeusz Słapiński



    ------------------------------
    Tadeusz Słapiński
    ------------------------------



  • 13.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 08:29 AM

    If you don't have any requirements (and as we learned you have them - PCI/DSS) and if you don't run anything except standard AIX tools on an AIX, TE is sufficient.

    TE could be a pain if you try to protect Oracle/SAP/some other binaries. Most admins end up setting VOLATILE for everything non-AIX, like:

    /usr/opt/perl5/lib/5.34.1/CPAN/Exception/RecursiveDependency.pm:
            owner = root
            group = system
            mode = 444
            type = FILE
            hardlinks = 
            symlinks = 
            size = VOLATILE
            cert_tag = 
            signature = VOLATILE
            hash_value = VOLATILE
            accessauths = 
            innateprivs = 
            inheritprivs = 
            authprivs = 
            secflags = 
    

    The signature will not be checked for this file. This is an excerpt from the "standard" AIX TE TSD. I got it from a server without TE configured.

    The next point, which many admins miss, is that if your server transfers files between different servers, it can contain Windows/Linux/whatsoever viruses, which can't be run on AIX but can be stored there. Want to secure your workstations? Install antivirus on such servers. Especially if you can check uploaded files online during the upload.

    If you don't have such "transfer" servers or if you don't have special requirements like PCI/DSS (and some other), you don't need antivirus. TE is your free choice.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
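The post above shows the stanza format of the Trusted Signature Database and the VOLATILE setting that switches the integrity check off for an entry. As an added example (not code from any poster in this thread and not an IBM tool), here is a small Python audit script that parses a TSD dump in that format and lists every entry TE will not verify because its signature or hash_value is VOLATILE or empty. The sample TSD text is constructed for the example: the Perl module stanza mirrors the one quoted above, while /usr/bin/ls, the Oracle binary, the hash and signature strings, and the function names are all assumptions.

```python
"""Audit an AIX Trusted Execution TSD dump for entries TE will not verify.

Added example, not code from the thread's posters or from IBM. It parses the
stanza format quoted in the post above (a path line ending in ':', followed by
indented 'key = value' attributes) and reports every entry whose signature or
hash_value is VOLATILE or empty, i.e. entries for which TE checks nothing.
"""
from typing import Dict, List, Tuple

# Constructed sample input. The Perl module stanza mirrors the one quoted in the
# thread; /usr/bin/ls, the Oracle binary and every hash/signature string are
# made up for this example and are not real TSD values.
SAMPLE_TSD = """\
/usr/bin/ls:
        owner = root
        group = system
        mode = 555
        type = FILE
        hardlinks = 
        symlinks = 
        size = 24576
        cert_tag = 00example00
        signature = exampleSignature
        hash_value = exampleHash
        accessauths = 
        innateprivs = 
        inheritprivs = 
        authprivs = 
        secflags = 

/usr/opt/perl5/lib/5.34.1/CPAN/Exception/RecursiveDependency.pm:
        owner = root
        group = system
        mode = 444
        type = FILE
        hardlinks = 
        symlinks = 
        size = VOLATILE
        cert_tag = 
        signature = VOLATILE
        hash_value = VOLATILE
        accessauths = 
        innateprivs = 
        inheritprivs = 
        authprivs = 
        secflags = 

/opt/oracle/bin/sqlplus:
        owner = oracle
        group = dba
        mode = 755
        type = FILE
        size = VOLATILE
        signature = VOLATILE
        hash_value = VOLATILE
"""

# Values that mean "TE will not compare this attribute against the file".
UNVERIFIED = ("VOLATILE", "")


def parse_tsd(text: str) -> Dict[str, Dict[str, str]]:
    """Parse TSD stanzas into {path: {attribute: value}}."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue                          # blank separator between stanzas
        if not raw[0].isspace():              # unindented line: stanza header
            if not raw.rstrip().endswith(":"):
                raise ValueError(f"expected stanza header, got {raw!r}")
            current = raw.rstrip()[:-1]       # drop the trailing ':'
            entries[current] = {}
            continue
        if current is None:
            raise ValueError(f"attribute outside a stanza: {raw!r}")
        key, sep, value = raw.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed attribute line: {raw!r}")
        entries[current][key.strip()] = value.strip()
    return entries


def unverified_entries(entries: Dict[str, Dict[str, str]]) -> List[str]:
    """Paths whose signature or hash_value TE will not check."""
    return [
        path for path, attrs in entries.items()
        if attrs.get("signature", "") in UNVERIFIED
        or attrs.get("hash_value", "") in UNVERIFIED
    ]


def coverage(entries: Dict[str, Dict[str, str]]) -> Tuple[int, int]:
    """Return (total entries, entries that carry a real signature and hash)."""
    total = len(entries)
    return total, total - len(unverified_entries(entries))


if __name__ == "__main__":
    db = parse_tsd(SAMPLE_TSD)
    total, verified = coverage(db)
    print(f"{verified}/{total} TSD entries are integrity-checked by TE")
    for path in unverified_entries(db):
        print("  not verified:", path)
```

On a real system the input would be a dump of the TSD (on AIX it lives in /etc/security/tsd/tsd.dat) rather than the constructed string; the point of the report is the "not verified" list, which tells you which files have been taken out of TE's protection and therefore need some other control, as the post argues.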



  • 14.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Thu March 07, 2024 09:57 AM

    The IBM PowerSC (PSC) product checks a lot of security and compliance automation boxes on Power.  Regarding the TE and malware topic here:

    • the PSC UI makes it easy to configure and maintain TE on AIX endpoints - as well as generating events and letting you attach automated actions/responses (also provides File Integrity Monitoring on Power - for AIX that's built on top of AHAFS).
    • PSC also provides traditional malware scanning for AIX (and Linux and i) on Power; a tight integration through the PSC UI to ClamAV scanning.  Frankly they had resisted adding malware scanning to PSC because that technique is less effective than the other PSC features like allow-listing (e.g. TE), FIM (e.g. RTC/AHAFS), blocklist-based threat hunting, intrusion detection, etc. etc. - BUT it was ultimately added because some regulations explicitly call for "malware scanning".


    ------------------------------
    Tim Hill
    ------------------------------



  • 15.  RE: Antivirus Software Recommendations for AIX System

    IBM Champion
    Posted Fri March 08, 2024 04:45 AM
    Edited by Christian Sonnemans Fri March 08, 2024 07:14 AM

    Hello, 

    In our case (working for a Dutch bank) we proved that TE with the right policies, and logging enabled is sufficient.

    The problem with virus scanners on Unix is that the few that are available, such as ClamAV, cannot deal with AIX, and more specifically with the AIX kernel.

    I must confess that it is more than 2 years ago that I searched for those virus scanners.

    So maybe it’s different now?

    It seems there is at least one product now that has an endpoint scanner:

    Powertech Antivirus for AIX | Fortra, but I never tested it.

    Due to this discussion, I will have a look at this product.

    Concerning virus scanners on AIX, I think it also depends on what kind of workload you are running. TE is a good protector for the operating system (executables, libraries, and scripts), but if your data consists of files that are sent from other systems, an extra virus scanner to check this data can be a good idea. More ideal is that this data is scanned on the origin system before it is sent to AIX.

    About the use of TE:

    We use TE in active mode and in passive mode; passive mode is used for daily scans.

    Active mode logs to syslog, and the security department monitors TE messages.

    See also my blog series:

    https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/08/aix-and-te-sec-part1

    https://community.ibm.com/community/user/power/blogs/christian-sonnemans1/2024/02/22/aix-and-te-trusted-execution-an-underestimated-sec

    Part 3 is coming soon 😊



    ------------------------------
    Christian Sonnemans
    Tactical Unix system engineer


    ------------------------------