Re: [SLUG] Re: Virus Scanner

2011-04-04 Thread Jon and Hannah
On Sun, 3 Apr 2011 09:36:07 pm you wrote:
 I think it is going to come back and bite the Linux community if we go
 via the line that we are immune to viruses, like Apple users have done
 for many years.

Wasn't there a virus for unix systems a few years ago that slowed almost the 
entire internet to an almost halt?
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html


Re: [SLUG] Re: Virus Scanner

2011-04-04 Thread Erik de Castro Lopo
Jon and Hannah wrote:

 On Sun, 3 Apr 2011 09:36:07 pm you wrote:
  I think it is going to come back and bite the Linux community if we go
  via the line that we are immune to viruses, like Apple users have done
  for many years.
 
 Wasn't there a virus for unix systems a few years ago that slowed almost the 
 entire internet to an almost halt?

A reasonable telling of the history:

http://www.freerepublic.com/focus/f-chat/2634313/posts

That history lacks a telling of whether these were zero-day exploits
or exploits against old versions of software which could have easily
been prevented by keeping systems up-to-date.

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: [SLUG] Re: Virus Scanner

2011-04-04 Thread Troy Rollo
On Monday 04 April 2011 21:14:51 Erik de Castro Lopo wrote:
 Jon and Hannah wrote:
  On Sun, 3 Apr 2011 09:36:07 pm you wrote:
   I think it is going to come back and bite the Linux community if we go
   via the line that we are immune to viruses, like Apple users have done
   for many years.
 
  Wasn't there a virus for unix systems a few years ago that slowed almost
  the entire internet to an almost halt?

 A reasonable telling of the history:

 http://www.freerepublic.com/focus/f-chat/2634313/posts

 That history lacks a telling of whether these were zero-day exploits
 or exploits against old versions of software which could have easily
 been prevented by keeping systems up-to-date.

I suspect the original reference (with a generous meaning given to a few) 
was to this: http://en.wikipedia.org/wiki/Morris_worm
-- 

Regards, 
Troy Rollo 
Solicitor 
Parry Carroll 
Commercial Lawyers 
Direct: (02) 8257 3177 
Fax: (02) 9221 1375 
Switch: (02) 9221 3899 
E-mail: t...@parrycarroll.com.au 
Web: www.parrycarroll.com.au 

Liability limited by a scheme approved under Professional Standards 
Legislation 

This message and any attachments are confidential to Parry Carroll. If you 
have received it by mistake, please let us know by reply and then delete it 
from your system. You must not copy the message, alter it or disclose its 
contents to anyone. Thank you.



[SLUG] Re: Virus Scanner

2011-04-03 Thread Richard Ibbotson
On Sunday 03 April 2011 11:41:34 Chris Allen wrote:
 What is the current consensus on using a virus scanner for Linux
 (specifically Ubuntu 10.10)?
 When I last asked this (about 2 years ago) the general opinion was,
 waste of time, Linux didn't need it
 If scanners are recommended now, which is the favourite?

I always scan e-mail both ways.  I send e-mail with Exim.  Clamav and 
other anti-virus software is installed.  My firewall has a proxy which 
scans downloading web pages for viruses and worms.  This does not slow 
down my network connection.  I don't know about Australia but in 
England it's considered to be criminal not to scan for viruses.  The 
legal stuff doesn't say that it is criminal but it implies that 
something is wrong if virus scanning software is not installed on a 
workstation or somewhere else...

Firewalls

http://sleepypenguin.homelinux.org/blog/?page_id=174

-- 
Richard
http://www.sheflug.org.uk


Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Morgan Storey
I think it is going to come back and bite the Linux community if we go
via the line that we are immune to viruses, like Apple users have done
for many years. Now there are Mac viruses appearing and a mac botnet.
Clamav and common sense can go a long way, don't install or run things
from an unknown source, and scan your system on occasion to be safe.
All the security in the world can not stop a misguided user from doing
something they shouldn't like giving a file execute permissions and
running it with sudo.

On Sun, Apr 3, 2011 at 8:57 PM, Richard Ibbotson
richard.ibbot...@googlemail.com wrote:
 On Sunday 03 April 2011 11:41:34 Chris Allen wrote:
 What is the current consensus on using a virus scanner for Linux
 (specifically Ubuntu 10.10)?
 When I last asked this (about 2 years ago) the general opinion was,
 waste of time, Linux didn't need it
 If scanners are recommended now, which is the favourite?

 I always scan e-mail both ways.  I send e-mail with Exim.  Clamav and
 other anti-virus software is installed.  My firewall has a proxy which
 scans downloading web pages for viruses and worms.  This does not slow
 down my network connection.  I don't know about Australia but in
 England it's considered to be criminal not to scan for viruses.  The
 legal stuff doesn't say that it is criminal but it implies that
 something is wrong if virus scanning software is not installed on a
 workstation or somewhere else...

 Firewalls

 http://sleepypenguin.homelinux.org/blog/?page_id=174

 --
 Richard
 http://www.sheflug.org.uk
 --
 SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
 Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html



Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Erik de Castro Lopo
Morgan Storey wrote:

 I think it is going to come back and bite the Linux community if we go
 via the line that we are immune to viruses,

Unfortunately, the alternative, virus scanners that look for
particular virus signatures, is nothing more than security
theatre.

Firstly, new viruses can be written so fast that the virus
detection engines have absolutely no way of keeping up.

Secondly, self-modifying polymorphic viruses have been around for
at least a decade. That means for an instruction set like x86,
for any set of 1000 instructions there are probably 10s of
thousands of ways to rewrite those 1000 instructions so they
behave the same but won't be detected by a scanner that detects
the original.

The *only* 100% safe way to guard against viruses is to fix all the
security holes that viruses exploit. That means better coding
practices.

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/


Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Morgan Storey
On Mon, Apr 4, 2011 at 6:46 AM, Erik de Castro Lopo
mle+s...@mega-nerd.com wrote:
 Morgan Storey wrote:

 I think it is going to come back and bite the Linux community if we go
 via the line that we are immune to viruses,

 Unfortunately, the alternative, virus scanners that look for
 particular virus signatures, is nothing more than security
 theatre.

I agree that to an extent it is security theatre; it isn't 100%
foolproof, though little is. It does get the lowest common
denominator, the most common of viruses, that come along with screen
savers (gnome-look.org) and mouse cursor add-ons (this is a Windows
user thing usually).

 Firstly, new viruses can be written so fast that the virus
 detection engines have absolutely no way of keeping up.

Having worked with the ClamAV guys, it is true that new viruses are
coming out all the time, but they update their signatures so quickly
that it is at least of some value. The record I have seen was two hours
from my submission of a sample to them publicly releasing a signature
update.

 Secondly, self-modifying polymorphic viruses have been around for
 at least a decade. That means for an instruction set like x86,
 for any set of 1000 instructions there are probably 10s of
 thousands of ways to rewrite those 1000 instructions so they
 behave the same but won't be detected by a scanner that detects
 the original.

Yes, polymorphic viruses have been around a long time, but look at, say,
the 100 biggest infectors at the moment: none of them, I would say, are
polymorphic; all of them can be picked up by signatures. Virus writers
are as lazy as the rest of us, so the majority of viruses will be
written to take over the majority of unsecured systems.

 The *only* 100% safe way to guard against viruses is to fix all the
 security holes that viruses exploit. That means better coding
 practices.

Not 100% safe: you can still have users doing things they shouldn't,
like giving a screensaver root privileges. You have to layer your
security on, so that your code is secure, and your users' activities
are restricted and audited. One way to restrict is application white-
or blacklisting. AV at the moment kind of fills the application
blacklisting role, which isn't the best method due to malware now
outnumbering legitimate software, but whitelisting has its issues too
(AppArmor/SELinux); it can be hard for the average user to set this
all up.
100% secure code is also nigh-on impossible to write if you want it to
be flexible to the user. I know everyone likes to bash Microsoft, but
they spend billions on their secure development lifecycle, and they
still have holes that get exploited all the time; the only safe code
is code that doesn't run.

Most of the people on this list are not the average user, but my point
still stands: if we continue along the line that Linux is immune to
viruses we will get bitten as Apple has, one day, and it will be
harder than the gnome-look screensaver or the ProFTPD compromise.

 Erik
Most definitely not the average computer user.


Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Nick Andrew
On Mon, Apr 04, 2011 at 06:46:36AM +1000, Erik de Castro Lopo wrote:
 Morgan Storey wrote:
  I think it is going to come back and bite the Linux community if we go
  via the line that we are immune to viruses,
 
 Unfortunately, the alternative, virus scanners that look for
 particular virus signatures, is nothing more than security
 theatre.

I agree. What would a virus scanner look for anyway, if there
are no extant viruses on Linux systems?

 Firstly, new viruses can be written so fast that the virus
 detection engines have absolutely no way of keeping up.

I don't think this is a strong argument. Windows viruses have lifetimes in
decades (if not forever). Statistically speaking, a given computer is very
unlikely to be infected by a young virus which cannot yet be detected by
a virus scanner. Much more likely that a computer will come into contact
with many well known viruses long after the viruses became prevalent.

 The *only* 100% safe way to guard against viruses is to fix all the
 security holes that viruses exploit. That means better coding
 practices.

Don't execute incoming data as code. That's rule #1, learned by hard knocks
as Windows systems happily executed auto-run files, email attachments,
word macros, PostScript documents, and so on.  Unfortunately we forgot
rule #1 with the invention of JavaScript and Flash. Your browser is now
happily executing untrusted third party code in your account.

That leads to rule #2 - defense-in-depth. The only hope we have to
survive this untrusted and potentially malicious code being executed by
our browsers is to implement sandboxes, language-level restrictions and
strict limits on authorization.

Nick.
-- 
PGP Key ID = 0x418487E7  http://www.nick-andrew.net/
PGP Key fingerprint = B3ED 6894 8E49 1770 C24A  67E3 6266 6EB9 4184 87E7
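Nick's rule #1 above ("don't execute incoming data as code"), as an added example that is not part of the original thread: a Python handler that hands an incoming message body to eval() (the vulnerable pattern) beside one that parses the same bytes strictly as data with the standard json module and then validates the shape it expects. The message strings, the key name `count` and the `side_effect` marker function are all constructed for this example.

```python
import json

# Records whether the "data" path ever executed code. Only the marker
# function below appends to it; a correct handler must never reach it.
executed = []


def side_effect():
    """Marker for any action that sender-supplied code could take."""
    executed.append("code ran from data")
    return {"count": 0}


def code_ran() -> bool:
    """True once any handler has executed incoming data as code."""
    return bool(executed)


# --- Vulnerable pattern: the body is treated as a Python expression -----
def handle_unsafe(body: str) -> dict:
    # Deliberately vulnerable: eval() runs whatever expression arrives,
    # so the sender, not the program, decides what happens next.
    return eval(body)


# --- Hardened pattern: parse as data, then validate the shape -----------
ALLOWED_KEYS = {"count"}


def handle_safe(body: str) -> dict:
    # json.loads never executes anything; it only builds data structures.
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"rejected: not valid JSON ({exc.msg})") from None
    # Reject anything that is not exactly the object shape we expect.
    if not isinstance(obj, dict) or set(obj) != ALLOWED_KEYS:
        raise ValueError("rejected: unexpected shape")
    if not isinstance(obj["count"], int) or obj["count"] < 0:
        raise ValueError("rejected: count must be a non-negative integer")
    return obj


# Constructed inputs: a benign message, and one that is a valid Python
# expression but describes an action rather than data.
BENIGN = '{"count": 3}'
HOSTILE = "side_effect()"


if __name__ == "__main__":
    print("safe parser on benign input:", handle_safe(BENIGN))
    try:
        handle_safe(HOSTILE)
    except ValueError as err:
        print("safe parser on hostile input:", err)
    print("eval handler on hostile input:", handle_unsafe(HOSTILE))
    print("did data get executed as code?", code_ran())
```

The point of the pairing is that the hardened handler never has a code path that could run the sender's text; it fails closed on anything it does not understand. Rule #2 still applies on top of this: whatever process does the parsing should run with the least authority the job needs, so that a bug in the parser itself has limited reach.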


Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Erik de Castro Lopo

I am subscribed to this list. Please don't CC me when replying.

Morgan Storey wrote:

 Yes polymorphic viruses have been around a long time, but look at say
 the 100 biggest infectors at the moment, none of them I would say are
 polymorphic, all of them can be picked up by signatures.

And all of those are hitting machines that are either unpatched or
have vulnerabilities that should have been patched.

 Not 100% safe, you can still have users doing things they shouldn't
 like giving a screensaver root privileges.

A user dumb enough to do this shouldn't have root privileges.

 Virus writers are as lazy as the rest of us

But as soon as virus scanners catch all non-polymorphic viruses
virus writers will stop writing non-polymorphic viruses.

My thesis is that continuing the virus arms race with virus scanners
results in a situation where the virus scanners are unable to detect
99% of all viruses. I think effort should be invested in heading all
viruses that exploit code rather than users off at the pass by fixing
the software bugs viruses exploit.

The user problem needs to be dealt with separately.

 100% secure code is also nigh-on impossible to write if you want it to
 be flexible to the user.

I think the people here in Sydney who worked on the seL4 project:

http://ertos.nicta.com.au/research/sel4/
http://www.sigops.org/sosp/sosp09/papers/klein-sosp09.pdf

would say that the level of difficulty is not nigh-on impossible
but is at the PhD research in compsci level of difficulty.

Going by the experience of the seL4 project, I would say that it
is currently not possible to economically write provably correct
code, but it is possible. As more research goes on in the field of
provably correct code, the techniques will improve, become easier
to apply and become more widespread. Long term, that is the only
hope for secure computing.

 Most of the people on this list are not the average user, but my point
 still stands: if we continue along the line that Linux is immune to
 viruses we will get bitten as Apple has, one day, and it will be
 harder than the gnome-look screensaver or the ProFTPD compromise.

That was a user failure. Dumb users need to be locked down so they
can't compromise the systems they work on.

Erik
-- 
--
Erik de Castro Lopo
http://www.mega-nerd.com/
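Erik's point that a signature scanner can only catch what it has already seen, and Morgan's earlier point that application blacklisting (which is what AV amounts to) and whitelisting pull in opposite directions, as one added example that is not code from the thread and is not how ClamAV works internally: a toy byte-signature blocklist and a SHA-256 allowlist run over constructed file contents. The signature name `Example.Dropper.A`, the byte patterns and the three "binaries" are all made up for this example.

```python
import hashlib
from typing import Dict, Optional

# --- Blocklist: a byte-signature scanner of the kind Erik describes -----
# Each signature is a byte pattern lifted from a sample already seen.
# Constructed for the example; real databases are far larger and richer.
SIGNATURES: Dict[str, bytes] = {
    "Example.Dropper.A": b"\x90\x90\xeb\x1fDROPPER",
}


def scan_blocklist(content: bytes) -> Optional[str]:
    """Return the signature name if a known pattern occurs, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in content:
            return name
    return None


def add_signature(name: str, pattern: bytes) -> None:
    """Models the signature update Morgan describes: the blocklist only
    knows about a sample once someone has seen it and shipped a pattern."""
    SIGNATURES[name] = pattern


# --- Allowlist: only binaries whose hash was approved may run -----------
def sha256(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed "binaries": one approved tool, one sample the blocklist
# already knows, one it has never seen, and a new build of the tool.
APPROVED_TOOL = b"#!/bin/sh\necho 'approved backup job'\n"
KNOWN_SAMPLE = b"junk" + SIGNATURES["Example.Dropper.A"] + b"more junk"
UNKNOWN_SAMPLE = b"\x90\x90\xeb\x1fdropper-v2: not in any signature db yet"
UPDATED_TOOL = APPROVED_TOOL + b"# v2: one harmless comment added\n"

ALLOWLIST = {sha256(APPROVED_TOOL)}


def allowed_to_run(content: bytes) -> bool:
    # Anything not explicitly approved is denied, known or not.
    return sha256(content) in ALLOWLIST


def classify(content: bytes) -> dict:
    """What each control says about one file."""
    return {
        "blocklist_hit": scan_blocklist(content),
        "allowlist_permits": allowed_to_run(content),
    }


if __name__ == "__main__":
    for label, blob in [("approved tool", APPROVED_TOOL),
                        ("known sample", KNOWN_SAMPLE),
                        ("unknown sample", UNKNOWN_SAMPLE),
                        ("updated tool", UPDATED_TOOL)]:
        print(f"{label:15} {classify(blob)}")
    # The unknown sample is only caught after a signature ships for it.
    add_signature("Example.Dropper.B", b"dropper-v2")
    print(f"{'after update':15} {classify(UNKNOWN_SAMPLE)}")
```

Running it shows both halves of the argument at once: the blocklist misses the unknown sample until a signature for it exists (Erik's objection), while the allowlist denies it from the start but also denies the perfectly legitimate updated tool until someone re-approves its hash (Morgan's "hard for the average user to set up"). Neither control replaces the other, which is why Morgan's answer is to layer them and to audit what users actually run.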


Re: [SLUG] Re: Virus Scanner

2011-04-03 Thread Peter Hardy
To answer OP's question, my Linux mail server uses spamassassin and ESET
for filtering. My Linux file server also periodically performs full
scans with ESET. I do not yet run any virus scanning on my desktop
though.

On Mon, 2011-04-04 at 11:30 +1000, Nick Andrew wrote:
 On Mon, Apr 04, 2011 at 06:46:36AM +1000, Erik de Castro Lopo wrote:
  Morgan Storey wrote:
   I think it is going to come back and bite the Linux community if we go
   via the line that we are immune to viruses,
  
  Unfortunately, the alternative, virus scanners that look for
  particular virus signatures, is nothing more than security
  theatre.
 
 I agree. What would a virus scanner look for anyway, if there
 are no extant viruses on Linux systems?

The biggest market for antivirus scanners on Linux is when the system in
question is acting as a server for other systems. This is evidenced by
the fact that there are quite a few commercial A/V systems available for
Linux, almost none of which are suitable for desktop use.

And, for better or for worse, you need to demonstrate that you're
performing regular virus scans on *all* of your systems on a regular
basis for quite a few security-related standards. Regardless of whether
you think you need it or not. Yes, I'm looking at you, Payment Card
Industry.

 That leads to rule #2 - defense-in-depth. The only hope we have to
 survive this untrusted and potentially malicious code being executed by
 our browsers is to implement sandboxes, language-level restrictions and
 strict limits on authorization.

I think that eliminating a reasonably large swathe of your attack
vector through a regularly-maintained virus scanner is a good
contribution to solid defence-in-depth...

-- 
Pete
