Even if requested by root, files should be SCANNED before they're started. That would prevent the starting of a file which matched a known signature.
I totally agree that Antivirus isn't a complete solution, but at the same time it isn't completely useless either. It helps. So does keeping a box up to date, so does Intrusion Detection, so do firewalls, so do even simple things like TCP Wrappers, or removing (and especially not running) programs/utilities that the machine doesn't need. Checking MD5s before compiling or installing something. They're all part of the puzzle. I think antivirus has its place, Linux or not.

I've never played with, looked for, or experienced (to my knowledge) a *nix rootkit. I've played with a rootkit for Win2K. It was one of the coolest things I've ever seen. The one I saw (I've still got it here somewhere) was in beta, and clearly wasn't complete. It allowed me to "define" something that I installed (call it TrojanA) as one thing, but Windows saw it as something else (Notepad, for example). If I called Notepad, then Notepad would run. If I called _root_Notepad, then TrojanA would run. Task Manager saw me running Notepad. The executable was the same size as Notepad. A directory list said Notepad. Everywhere I could think of I saw Notepad. But it wasn't Notepad. Hands down, it was the coolest thing I'd ever seen on a PC. One of the scarier too. I'm surprised that this isn't abused at the corporate level to (for example) monitor employees more than it is.

I think that Windows rootkits are rare because they're unnecessary. It's relatively easy to remotely take control of a Windows box. At least to the point of having it run something for you. Things like Dameware and Remote Task Manager show that quite clearly, although they (as legitimate utilities) want you to have a password before they'll run something. Back Orifice is the same deal, except that since the authors were (at that time) black hats, it's considered a remote exploit tool rather than a utility. I'd say I've played with more security tools than most.

I think I know a fair bit about security in general but I wouldn't say I'm anywhere close to a guru. I'm still learning on the whole Linux thing, and generally I'm finding that I'm ahead of everyone I interact with on a daily basis (not so much on here, but I can't really ask ALL my questions here), so it's difficult to advance other than reading and playing myself. And at this point, most reading and playing is targeted at a specific purpose.

The RPMs that I installed which broke my mail's web admin stuff were all done via up2date. Personally, I'd blame the mail software before I'd blame anything else. It's OK, but it isn't great. My guess is that it did something that wasn't exactly normal, and the RPM killed it when it saw something weird. When the admin tools stopped working, it wasn't REALLY broken, just some symlinks were gone that had previously been there. It was a stupid problem more than a serious one. I didn't even notice it for a few weeks, because the company's employee list is fairly static.

Kev.
