Either the AV ties into the kernel with a module, in which case it can also be an avenue for an increased permissions exploit, or it doesn't have any special kernel level capabilities, in which case it will never find rootkits that include kernel modules to hide themselves.
Personally, I would be happy with an open source community based disk scanner looking for weirdly named files and folders (there are common variants used in hacks) and a locked down selinux config. Bonus points if you compile a kernel that doesn't allow modules (but IIRC that doesn't preclude kernel level shenanigans).
Interestingly, it looks like since the PCI requirement for AV is for "all systems commonly affected by malicious software" they don't actually require it of all Linux systems in all cases.[1]
Either the AV ties into the kernel with a module, in which case it can also be an avenue for an increased permissions exploit, or it doesn't have any special kernel level capabilities, in which case it will never find rootkits that include kernel modules to hide themselves.
Personally, I would be happy with an open source community based disk scanner looking for weirdly named files and folders (there are common variants used in hacks) and a locked down selinux config. Bonus points if you compile a kernel that doesn't allow modules (but IIRC that doesn't preclude kernel level shenanigans).
Interestingly, it looks like since the PCI requirement for AV is for "all systems commonly affected by malicious software" they don't actually require it of all Linux systems in all cases.[1]
1: https://security.stackexchange.com/questions/58345/how-to-pa...