5.2 Testing effectiveness of anti-virus solution
5.2 Ensure that all anti-virus mechanisms are maintained
Anti-virus on Linux is a slightly different thing than running it on Windows. Depending on the goal of the system, the right choice should be made what kind of malware is common. This way the right scanner can be selected.
Whatever choice is made, PCI DSS requires you to keep it current, meaning that any definitions should be up-to-date. Additionally, malware scans should be performed and planned regularly, to ensure the system stays clean of any infection. For Linux systems, it is common to plan this via a cronjob, timer, or run it ad-hoc.
PCI DSS is strict when it comes to logging, and what fields should be there. For anti-virus and malware tools, this same requirement has to be met. The software should write an audit file with any findings, and stored in a proper way. For most packages this will involve syslog. Ensure that log rotation does not delete any data. When possible have syslog or other logs also stored on a central log server, or Security Incident and Event Management (SIEM) solution.
5.2.a Policies and procedures for anti-virus definitionsNon-technical, therefore needs manual testing. The documentation and technical staff should be interviewed regarding this subject.
5.2.b Verify anti-virus mechanismsLike other compliance standards, PCI DSS requires measures to prevent and detect malware. This particular section of the standard is focused on checking the configuration of the anti-virus software components.
To ensure that the definition files are up-to-date, a regular scheduled process should determine if there are updates available, download them and ensure they are used.
When using ClamAV, determine if freshclam is being used and check the data of the current virus definitions.
Configured to perform periodic scans.