A large company is doing a review of our software before they will use the web software built by our start-up company. We are using Linux to host, which is properly secured and hardened.
The regulation of the security reviewer is that all computers and servers must have an anti-virus program. Obviously, telling them that Linux can't be infected by a virus won't work.
Is there a third-party security article or resource which could help us convince them to drop the requirement, or will we need to install ClamAV and make it burn some CPU once a day?
Yes, it's certainly a reasonable request. The day you deny that your infrastructure is vulnerable to virus threats is the day you've lost a great deal of credibility.
You need to weigh the ramifications (annoyance factor, possible performance issues, maintenance overhead) of running AV with the value of this contract. If one company is listing AV as a requirement, it's likely that others will do the same in the future. If you're already running it, you'll be well-positioned to win their business.
The likelihood of a Linux server being infected by a virus is very very low, not zero. If that is a concern for your auditor/client/whoever, then you should understand that and determine if their business is important to you. If their business is worth more than the CPU cycles and disk I/O that it will take to scan, then you should install the AV. If it is not, then you should explain this to your customer and ask them to bring their contract elsewhere.
It's not an unreasonable claim, especially if this server is hosting up files to Windows clients. By installing ClamAV (or whatever) you are protecting those Windows clients that connect to your server.
I think we need to put the term "virus" in context.
If you're talking about the self-replicating binaries that float around Windows networks then sure, the probability of Linux getting one of these is very very low.
If we're talking about the broader subject of malicious software, then Linux is anything but immune. Unpatched and poorly configured Linux servers are exploited all the time and turned into bot herders, or used for other nefarious purposes. To pretend that these threats don't exist is burying one's proverbial head in the sand.
I have never run antivirus software on a Linux server as I like to think that regular patching and sane configuration will protect my servers from 99.99% of threats. However I'd certainly consider it in this case, provided the software was actually able to detect the kind of malicious software that affects Linux servers and wasn't a simple port of a Windows AV suite.
It wouldn't do any harm to install an AV package, especially as it could mean the difference between gaining and losing a contract.
Maybe more than an AV package you need to consider a rootkit detection suite, and CRON a scan to run at regular intervals. Be prepared for false positives also - some suites are more prone to false-positives than others, and until you get used to these anomalies it can be disconcerting.
Ask them to define exactly the concept of "anti-virus". What kind of threats are they worried about?
If they cannot answer (maybe because they really have no idea what they are talking about and are just filling a check-list), ask them for a list of approved anti-virus programs.
If the requirement is just:
they probably have no idea what they are talking about. Just ask them what they expect you to do exactly.
If the requirement is:
then it means you may not need the proverbial "AV", and that a script to check the integrity of the server will be adequate, more precise, more reliable: no false positives if you know which files are modified when your server is running normally, and if you can spell out the consistency requirements of modified files.
Designing a script to check the integrity, or even setting up some existing tool so that it understands the specifics of your server, will necessitate additional work (AV programs are more buy-then-install-then-forget, that's probably why they are so popular). But I think that will do much more for your server security.
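An added example, not from any answer in this thread, of the integrity script the last answer describes: it snapshots SHA-256 hashes of every regular file under a root directory, then reports added, removed and modified files against that baseline, with an allowlist for files known to change during normal operation so they do not show up as false positives. The function names and the sample directory layout are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root (symlinks skipped)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result

def compare(baseline: dict, current: dict, allowlist=()) -> dict:
    """Report added/removed/modified paths, ignoring files known to change in normal operation."""
    allowed = set(allowlist)
    base_keys = set(baseline) - allowed
    cur_keys = set(current) - allowed
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }

def demo() -> dict:
    """Constructed scenario: a config edit, a log that grows (allowlisted) and a new cron entry."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("etc", "var"):
            (root / d).mkdir()
        (root / "etc" / "app.conf").write_text("listen=8080\n")
        (root / "var" / "app.log").write_text("started\n")
        base = snapshot(root)  # baseline taken while the server is in its known-good state
        (root / "etc" / "app.conf").write_text("listen=8080\ndebug=true\n")  # unexpected change
        (root / "var" / "app.log").write_text("started\nrequest\n")            # expected change
        (root / "etc" / "cron.d").write_text("# constructed new file\n")        # unexpected addition
        return compare(base, snapshot(root), allowlist=["var/app.log"])

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be kept read-only or off-host and the check scheduled from cron, with the allowlist covering logs, spool directories and similar paths that legitimately change.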