Monday, February 20, 2006

Linux Virus Scanners

Occasionally I talk to Windows users who believe the lack of worms and viruses on Linux is simply a result of low market share, and that if the market share of Linux approaches Windows, then they will start to appear. While I think that the number of worms and viruses available for Linux will increase, I have my doubts as to whether a market for anti-virus scanners will follow it.

My reasoning works like this: why do you need an anti-virus scanner? A scanner is something that catches malicious code before it can take advantage of an unpatched hole in an application or in the operating system. In other words, the size of the scanner market is, approximately, the delta between the average time it takes for a vendor to release an OS/application patch and the average time it takes an anti-virus vendor to release a signature. If vendors could release a patch in 24 hours, there would be no anti-virus market, since that's about how long it takes to come up with a signature.

I was reading this article about a recent Linux worm. Like most Linux worms seen to date, it's very specific to a particular configuration, and not a common one, at that. And, importantly, a patch already exists to fix the hole.

Is there still a market for antivirus software? Yes, AV still does a number of things much better -- signatures are easier to collect and distribute than automated patch/update software. Redhat and Suse both have automated patch systems, but experienced admins avoid them because constant updates break systems. But Linux lacks two major items which have created the large Windows anti-virus market: a large body of homogeneous code (Windows+Office), and a long delta between vulnerability announcements and patch releases.
