Mick wrote:
On 28/03/2008, 7v5w7go9ub0o <[EMAIL PROTECTED]> wrote:
Anti-Virus on Linux.  No.
 (presuming that you don't run as root, and have lots of unprivileged
 users for individual applications.)

 Anti-Malware on Linux.  Yes.
 (Malware gets to the box via spoofed or hacked software distribution or
 creation sites; bad links or poisoned DNS caches; or via (e.g.) browser
 memory attacks - at plugins or exploits)

 The oldtimers will tell you that safe hex and perhaps integrity
 monitoring (e.g. Samhain or tripwire) are all that's needed. But desktop
 Linux with Browsing, IM, etc. is changing that, IMHO.

 The three packages above have Linux Trojan and Rootkit signatures, as
 well as Windows malware sigs. Easy enough to run an occasional scan of
 the Linux box (or Windows partition); and to scan each Linux download
 before reading, compiling, or passing on.

 (Dazuko additionally allows realtime scans of compilation read/writes).

 IMHO, Linux and Mac are the next frontier for malware, and -SADLY-
 AntiMalware signature and heuristic techniques are one thing we can
 learn about from Windows :-(

http://news.yahoo.com/s/pcworld/20080327/tc_pcworld/143901

What worries me is the reference to Safari . . . (KHTML rendering engine?)

What is an appropriate anti-malware for Linux, other than safe-hex?

As a "monitor" (a.k.a. real-time access), I've had good experience with
AntiVir and Dazuko. AntiVir has lots of Linux signatures and heuristics,
and Dazuko/AntiVir has both caught bugs in downloads, and blocked
"suspicious scripts" in my browser cache when visiting bad sites.

As a "scanner", I tend to scan my box from a second "maintenance OS" on
another partition hoping to avoid stealthing by any RootKits on the
primary partition. Scanning includes Samhain, equery md5 checks, the
three Anti-Malware products mentioned earlier, Rootkit Hunter, and
chkrootkit. I'll run this occasionally overnight.

Interesting that this year's exploit was a "safe" browser, Safari, on a
"safe" 'nix/BSD OS.... Mac. And last year's exploit winner, QuickTime,
can also appear on multiple OSes. Both of these were likely online
attacks; via streaming in the case of QuickTime.

Seems to me that WAN-connected applications should be sequestered from
the rest of the system in the same way that a server sequesters
WAN-connected processes - i.e. put them each in their own chroot jail.
In addition to individual chroot jails, I run my mail client and browser
in RamDisk - so that any changes to them (other than bookmarks and mail)
are discarded at shutdown.

Using Hardened Sources (GRSecurity) with both memory protection and
access control, one gets a particularly resilient, hardened chroot jail
(i.e. OpenBSD theory :-) ) and a kernel that restricts where the browser
user/application can go, and what it can do.

hth

--
gentoo-user@lists.gentoo.org mailing list
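
An added example, not code from this thread: a minimal integrity baseline-and-diff script in Python along the lines of the Samhain / equery md5 checks described above, meant to be run from the maintenance OS against the suspect partition mounted read-only (the mount point and the small tree built in demo() are assumptions). It records permission bits, size and SHA-256 (rather than MD5) per regular file and reports files that were added, removed or changed.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to (mode, size, sha256).
    Symlinks are skipped so a link pointing outside the tree is never followed.
    Intended use from a clean OS: build_manifest("/mnt/suspect") (assumed mount point)."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = (st.st_mode & 0o7777, st.st_size, hash_file(p))
    return manifest

def compare_manifests(baseline, current):
    """Return (added, removed, changed); 'changed' covers content, size or permission bits."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed scenario: baseline a small tree, alter it, then diff against the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original binary\n")
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(root)
        (root / "bin" / "ls").write_bytes(b"modified binary\n")  # same size, new content
        (root / "etc" / "extra.conf").write_text("x\n")           # unexpected new file
        (root / "etc" / "passwd").unlink()                        # file removed
        return compare_manifests(baseline, build_manifest(root))
```

Note that the replaced binary in demo() keeps its original size, so a size-only check would miss it; the digest is what flags it.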
