Rootkit signatures?

Kenny Lussier klussier at gmail.com
Thu Jun 25 09:17:12 EDT 2009


On Thu, Jun 25, 2009 at 9:05 AM, Alex Hewitt <hewitt_tech at comcast.net> wrote:
> Kenny, if you have a mandate to install anti-virus/anti-malware does that
> mean that whoever mandated this wants to scan all files on the servers for
> PC infections? Although these things typically have no effect on Linux
> systems they might be a problem for Windows boxes that are reading/writing
> files on the servers. If that is the case, ClamAV would be a good
> solution...

Alex,

The mandate actually isn't that intelligent. It was a broad statement
of "You have to have anti-virus and anti-malware software on all of
your servers", and when we wrote a compensating control that stated
"This is not needed on Linux servers", someone Googled Linux +virus
and found "rootkit". Thus, the mandate for "Anti-rootkit software"
(and yes, that is what the audit sheet calls it...)

None of the Windows servers or workstations in the company have any
access to the servers that are in question. The servers are extremely
isolated in their own firewalled island, with no sharing allowed :-)
Windows systems can read/write to anything on that network. I could
probably install ClamAV on every box and call it a day, and they would
be perfectly happy. However, I would like to go beyond the letter of
the mandate and do something that is at least useful. If I can compile
a list of known rootkits and their properties, I can write Tripwire
recipes and add that to our tool chain.

Thanks,
Kenny


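Kenny's closing idea is to turn "known rootkits and their properties" into Tripwire recipes. The script below is an added illustration for this thread, not code from the original post and not a Tripwire policy file: it records a SHA-256 baseline of the binaries that user-land rootkits classically replace (the same kind of baseline a Tripwire rule encodes), reports anything changed, missing or newly present, and adds one check for a second rootkit property, processes visible in /proc but absent from ps. The WATCHED_FILES list, the function names and the scratch tree built by demo() are constructed for this example; it assumes a POSIX sh with sha256sum, awk, comm and a procps-style ps.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post and not a
# Tripwire policy: a small file-integrity baseline of the kind a Tripwire
# recipe encodes, plus one "rootkit property" check (processes present in
# /proc but hidden from ps). Assumptions: POSIX sh with sha256sum, awk, comm
# and a procps-style ps; WATCHED_FILES is an illustrative set of binaries
# user-land rootkits commonly replace, not a list taken from the page.

# Paths are relative to a root directory so the same functions can run over
# a live system ("/"), a mounted image, or the scratch tree built by demo().
WATCHED_FILES="bin/ls bin/ps bin/netstat bin/login sbin/sshd usr/bin/find usr/bin/lsof"

# baseline_create ROOT BASELINE: write "sha256  relative-path" for every
# watched file that exists under ROOT.
baseline_create() {
    root=$1; out=$2
    : > "$out"
    for f in $WATCHED_FILES; do
        if [ -f "$root/$f" ]; then
            h=$(sha256sum "$root/$f" | cut -d' ' -f1)
            printf '%s  %s\n' "$h" "$f" >> "$out"
        fi
    done
}

# baseline_verify ROOT BASELINE: print one line per discrepancy
# (CHANGED/MISSING/NEW path). Returns 1 if anything differs, else 0.
baseline_verify() {
    root=$1; base=$2; rc=0
    while read -r h f; do
        if [ ! -f "$root/$f" ]; then
            echo "MISSING $f"; rc=1
        elif [ "$(sha256sum "$root/$f" | cut -d' ' -f1)" != "$h" ]; then
            echo "CHANGED $f"; rc=1
        fi
    done < "$base"
    # A watched path that was absent at baseline time but exists now is also
    # reported: rootkits add files as well as replace them.
    for f in $WATCHED_FILES; do
        if [ -f "$root/$f" ] && ! awk -v p="$f" '$2 == p { n = 1 } END { exit n ? 0 : 1 }' "$base"; then
            echo "NEW $f"; rc=1
        fi
    done
    return $rc
}

# hidden_pids: PIDs that exist as /proc entries but are missing from ps.
# A trojaned ps (user-land rootkit) or a filtered task list (kernel rootkit)
# shows up here. Two samples are taken and only PIDs hidden in both are
# printed, so processes that merely exited between the listings are ignored.
hidden_pids() {
    [ -d /proc ] || return 0
    t=$(mktemp -d)
    for pass in 1 2; do
        ls /proc | grep -E '^[0-9]+$' | LC_ALL=C sort > "$t/proc$pass"
        ps -eo pid= | tr -d ' ' | LC_ALL=C sort > "$t/ps$pass"
    done
    LC_ALL=C comm -23 "$t/proc1" "$t/ps1" | LC_ALL=C comm -12 - "$t/proc2" | LC_ALL=C comm -23 - "$t/ps2"
    rm -rf "$t"
}

# demo: build a constructed scratch tree, baseline it, then simulate a
# rootkit replacing bin/ps and deleting usr/bin/lsof. Prints the two-line
# discrepancy report and returns 1 because tampering was detected.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/sbin" "$root/usr/bin"
    for f in $WATCHED_FILES; do printf 'original %s\n' "$f" > "$root/$f"; done
    baseline_create "$root" "$root/baseline.txt"
    printf 'trojaned ps\n' > "$root/bin/ps"   # constructed: replaced binary
    rm -f "$root/usr/bin/lsof"                 # constructed: removed binary
    baseline_verify "$root" "$root/baseline.txt"
    rc=$?
    rm -rf "$root"
    return $rc
}

case "${1:-}" in
    --demo)   demo ;;
    --hidden) hidden_pids ;;
esac
```

Run `sh rootkit_check.sh --demo` to see the report (`CHANGED bin/ps`, `MISSING usr/bin/lsof`), or `--hidden` on a live host. For real use, take the baseline from known-good media and keep it off the host: a rootkit that can rewrite ps can just as easily rewrite a baseline stored on the same disk, which is why Tripwire signs its database and why the baseline should be compared from a trusted system.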
More information about the gnhlug-discuss mailing list