What to do if employer demands proprietary "antivirus" software to be installed in GNU/Linux?

Consider this scenario: some of the employees at a company use GNU/Linux on their work computers. One day, the employer, in an effort aimed at increasing security, demands that all employees install some proprietary “antivirus” software (something like ESET).

Some of the employees don’t like the idea of installing proprietary software on their computers, and they also don’t agree with the belief that doing so would increase security.

What to do in this situation? How can the employees best argue their case? Asking for a friend. :slight_smile:

2 Likes

Install VM. Run Microsoft Windows in VM. Give VM access to basically nothing on the local computer and limit its network access to the bare minimum if any. Install AV in VM. ?

Or if the AV software is available for Linux then run Linux in the VM.

I would be seeking a refinement to the rules so that you must run particular AV software where available for the platform (where the AV software is not available for Linux) - or an outright exemption for Linux - or a restriction to open source AV where the platform is open source.

I know how these things go. The company has brought in a consultant and the consultant has recommended this - or the company has been security audited and this was one of the things in the audit. If this is accurate, you might ask the consultant / security auditor what per perspective is i.e. what might be agreed to.

1 Like

Do everything in a virtual machine? “Everything” here means everything work-related - work, the AV, etc.

Problem here is that if it’s a company machine, the company has control over what goes on it - it is their property, after all. If people were using their own computers then it would be a completely different matter and the employees would be quite justified in saying “no, if you want to mandate what gets installed then you provide the hardware”.

1 Like

In case it causes confusion, this is the opposite of what I was suggesting. Both are valid approaches.

I was going for the tick-a-box mentality i.e. the VM is useless but it runs the AV software so that everyone can tick the box.

If this is a company device -> accept the company policy and install the software.
If this is a private device -> get a company device.
If your friend feels strongly about this topic in general and does not feel at home at this company -> find a new job with a more suitable company.

Especially in a large company, one cannot have it 100% their way.

(typing this from a company device running Windows :roll_eyes:)

3 Likes

Completely hypothetical variation that has nothing to do with anything I ever experienced:

  • Installation of VMs on workstations is prohibited (mainly due to licensing concerns) in favor of a centralized VM environment
  • instead of AV, a thread detecting software is demanded

If you are going to use the VMs, I recommend trying Qubes OS for even better security. It can run Windows in a VM, too.

ClamAV is open source, runs on Linux and seems to be sufficient to meet ISO standards (which I imagine is what said Company really cares about).

Seems a reasonable compromise?

2 Likes

Show them your Covid vaccine shot card?

5 Likes

At least the company pension won’t have to make payouts for those with that card. Just don’t have your true work horses get it.

Hi, the German BSI (Federal Office for Information Security) states in an official paper for companies that no antivirus software is needed:

https://www.allianz-fuer-cybersicherheit.de/SharedDocs/Downloads/Webs/ACS/DE/BSI-CS/BSI-CS_009.pdf?__blob=publicationFile&v=2

Perhaps you show them a translation of this paper :slight_smile:
Regards, Speedy

4 Likes

I wonder if it includes companies that perform all their transactions on paper only?

The relevant Section 3.2 of the German BSI paper referenced by @speedy-10:

3.2 Virenschutzprogramm
Die Installation eines Virenschutzprogramms ist, basierend auf dem aktuellen Stand der Bedrohungslage in Bezug auf Schadsoftware für Linux, unter Ubuntu nicht notwendig.

is translated by https://www.deepl.com/translator as:

3.2 Virus protection program
The installation of an antivirus program is not necessary under Ubuntu, based on the current state of the threat situation with regard to malware for Linux.

Most excellent!

2 Likes

Well, if the reason those employees don’t want that software on their computers is that they aren’t comfortable running proprietary software, and feel that it wouldn’t increase security anyway, then the strategy is clear: convince management that running proprietary software is indeed a problem (which is going to be a hard sell given that the majority of employees runs Windows) and that it won’t increase security anyway.

If those are indeed the requirements, it would seem a reasonable compromise. Doesn’t mean the company has to accept this compromise, as they may have other requirements in place. Such as the software reporting its findings to a central server, in a certain format that the reporting software can parse. Perhaps they already use the Windows/Mac version of the proprietary software, and the proprietary reporting software on the server side, and it would be too much effort to alter ClamAV (or write some “translator” for its reports) in order to fit within that ecosystem. But one can at least propose it.

This would indeed address the second part of the argument. But, just because the German BSI thinks this is the case, doesn’t mean the company necessarily agrees.

A fine example of a similar situation: that whole thing about changing your passwords on a regular basis is now considered to hinder more than it helps, and this was confirmed even by the very same people who proposed those rules back in the early 2000’s in the first place… I work at an IT company with a security division that’s fully aware of this. And yet our policy still requires us to choose a new password every 3 months. Just because some authority claims something to be so, doesn’t mean everyone in the industry will follow their advice.

2 Likes

What to do in this situation? How can the employees best argue their case? Asking for a friend.

Instead of wearing himself down in endless discussions with the Linux-agnostic middle-management-halfwit who conceived this ingenious and revolutionary idea, your friend could simply do just as he is told and install ESet on his Linux computer - inside a docker container.
Which, of course, is configured to have no single permission to the outside but networking. That way, ESet will be running on his laptop as requested and be able to report to its controlling server that everything is just fine (in its nicely confined, empty little world).

Everyone lives on happily thereafter, case closed.

1 Like

Or simpler, just use systemd sandboxing directives like ProtectHome= or DynamicUser= to the AV service unit file.

  1. If it is their computer, then they get to tell you what to do.
  2. If it is your computer, then they should really provide you with something if they are going to make requests.
  3. Failing that, I’d personally just externalize the hard drive to a usb for home booting and put a new one in with a clone/new-linux-install for work. It sucks slightly but to me it is a small issue and I’d rather keep the peace. Or you can escalate the situation and wonder why the workplace is so tense.
2 Likes