Tony Caudel wrote:
I am currently using the clamav anti-virus program. I was wondering if there
is a better one for Gentoo, especially one that integrates well with
Thunderbird. That has been my one disappointment with clamav. Not
necessarily clamav's fault since T/B maintains its emails in one long file.
Tony
I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
Dazuko!
1. The Antivir database and heuristics contain dozens of Linux-specific
rootkits and Trojans. These in addition to Windows sigs. FWICT, the
only freeware AntiMalware that takes Linux seriously (Kaspersky payware
does).
2. Dazuko is an LKM, developed by AntiVir/Avira, which provides
real-time, on-access (read/write) scanning within directories you
specify in its configuration. I scan mail (in a chroot jail), browser and
downloads (within a chroot jail, within RamDisk), Portage and portage
work areas, and /home.
Given that emerges are done with root privilege, this scanning for
signatures may keep your box from being borked, should someone hack a
distribution site, or poison the DNS system, etc.
3. Recent testing by Windows testers indicates that Antivir is now one
of the better Windows AVs, and that their heuristics are quite
effective. I'd guess the same to be true for 'ix.
4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left
unrepaired because I think it's so great:
"ANTIVIR 2008-05-05_05:49:12.39449 Mon May 5 01:49:12 2008 WARNING:
file '/etc/openvpn/trustconnect/pwd' is group or others accessible"
5. Its heuristics have notified me of XSS script attacks (at test sites)
after scanning scripts loaded into the browser cache, with "suspicious
script" warnings - and blocking that script from use by the browser. The
only other tool of similar function that I know of is "NoScript", an
extension for use in Firefox.
6. I run WAN/LAN-connected applications in chroot jails (Grsecurity
Hardened). Anything downloaded into a browser jail, lftp or TBird jail
is moved to a "download" area via a script that invokes a deep scan by
Antivir after it gets there. Dazuko invokes a second scan, as it also
monitors that area.
7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
AntiMalwares, or customized to respond to user-created tests (e.g.
changed file).
8. Linux and Unix oldtimers will scoff at real-time malware scanning -
but I'm convinced that in today's world, realtime scanning is one
important thing (perhaps the only thing) that we can learn from Windows.
HTH
--
gentoo-user@lists.gentoo.org mailing list
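The "group or others accessible" warning quoted in point 4 of the reply above is a plain file-permission check, and it is worth being able to run it yourself over the directories that hold credentials (OpenVPN auth files, mail passwords, SSH keys) without depending on any particular scanner. The function below is an added example written for this page; it is not code from the post, from AntiVir/Avira or from Dazuko. It assumes GNU findutils and coreutils (`find -perm /MODE` and `stat -c %a`), as found on a Gentoo box; the directory names and the optional `fix` mode are this example's own.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: reproduce the
# "file '...' is group or others accessible" check shown in the
# AntiVir log line, as a shell function that can be run over any
# directory that should hold only owner-private files.
#
# Assumes GNU find (-perm /MODE means "any of these bits set") and
# GNU stat (-c %a prints the octal mode).

# check_secret_perms DIR [fix]
#   Prints one WARNING line (to stderr) per regular file under DIR
#   whose mode has any group or other bit set, in the style of the
#   AntiVir log line, and prints the count of such files to stdout.
#   With a second argument "fix", each offending file is also
#   chmod'ed to 0600 so the next run reports 0.
check_secret_perms() {
    dir=$1
    action=${2:-report}

    # /077 matches a file if ANY of rwx for group or rwx for other
    # is set; that is exactly "group or others accessible".
    offenders=$(find "$dir" -type f -perm /077)
    if [ -z "$offenders" ]; then
        echo 0
        return 0
    fi

    # One path per line; read -r keeps backslashes intact.
    printf '%s\n' "$offenders" | while IFS= read -r f; do
        printf "WARNING: file '%s' is group or others accessible (mode %s)\n" \
            "$f" "$(stat -c %a "$f")" >&2
        if [ "$action" = fix ]; then
            chmod 0600 "$f"
        fi
    done

    printf '%s\n' "$offenders" | wc -l | tr -d ' '
}

# Usage: sh thisfile.sh /etc/openvpn [fix]
if [ $# -gt 0 ]; then
    check_secret_perms "$@"
fi
```

Running it as `check_secret_perms /etc/openvpn` reports the same condition the scanner logged; `check_secret_perms /etc/openvpn fix` tightens the files to 0600 so a daemon that reads them as root still works while other local users lose access. Note that a 0600 file under a world-readable directory is fine, but a 0600 file under a directory someone else can write to can still be replaced, so check the parent directory's mode as well.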