Compliance - PCI DSS


5.2 Testing effectiveness of anti-virus solution

5.2 Ensure that all anti-virus mechanisms are maintained

Anti-virus on Linux is a slightly different thing than running it on Windows. Depending on the goal of the system, the right choice should be made what kind of malware is common. This way the right scanner can be selected.

Whatever choice is made, PCI DSS requires you to keep it current, meaning that any definitions should be up-to-date. Additionally, malware scans should be performed and planned regularly, to ensure the system stays clean of any infection. For Linux systems, it is common to plan this via a cronjob, timer, or run it ad-hoc.

PCI DSS is strict when it comes to logging, and what fields should be there. For anti-virus and malware tools, this same requirement has to be met. The software should write an audit file with any findings, and stored in a proper way. For most packages this will involve syslog. Ensure that log rotation does not delete any data. When possible have syslog or other logs also stored on a central log server, or Security Incident and Event Management (SIEM) solution.

5.2.a Policies and procedures for anti-virus definitions

Non-technical, therefore needs manual testing. The documentation and technical staff should be interviewed regarding this subject.

5.2.b Verify anti-virus mechanisms

Like other compliance standards, PCI DSS requires measures to prevent and detect malware. This particular section of the standard is focused on checking the configuration of the anti-virus software components.

Automatic updates

To ensure that the definition files are up-to-date, a regular scheduled process should determine if there are updates available, download them and ensure they are used.

When using ClamAV, determine if freshclam is being used and check the data of the current virus definitions.

Periodic scans

Configured to perform periodic scans.

Anti-virus software

  • ClamAV
  • LMD

5.2.c Proper functioning of anti-virus

This particular control is about testing how well your software and definitions are kept up-to-date.

ClamAV

Check in what mode freshclam is running (daemon mode or manual). Then determine if the logging is correctly, by examining the file /var/log/clamav/freshclam.log. Outdated definitions are one thing to look for. Check if clamscan is scheduled via a cronjob. Additionally check if clamd is running and available for other software components to use it (e.g. mailbox scanning via MTA).

5.2.d Proper functioning of logging

To ensure your anti-virus software is working correctly, the logging should be configured. On Linux systems it is common to find ClamAV, which logs its data in /var/log/clamav.

Automated Testing

Most of the anti-virus related controls can be tested. Lynis and the related compliance module will gather most of the data, so it can cover the PCI DSS requirements for section 5.