On Mon, Apr 4, 2011 at 6:46 AM, Erik de Castro Lopo <[email protected]> wrote:
> Morgan Storey wrote:
>
>> I think it is going to come back and bite the Linux community if we go
>> via the line that we are immune to viruses,
>
> Unfortunately, the alternative, virus scanners that look for
> particular virus signatures, is nothing more than security
> theatre.

I agree that to an extent it is security theatre; it isn't 100% foolproof, though little is. It does get the lowest common denominator, the most common of viruses, that come along with screen savers (gnome-look.org) and mouse cursor add-ons (this is a Windows user thing usually).

> Firstly, new viruses can be written so fast that the virus
> detection engines have absolutely no way of keeping up.

Having worked with the ClamAV guys, it is true that new viruses are coming out all the time, but they update their signatures so quickly that it is at least of some value. The record I have seen was two hours from my submission of a sample to them publicly releasing a signature update.

> Secondly, self-modifying polymorphic viruses have been around for
> at least a decade. That means for an instruction set like x86,
> for any set of 1000 instructions there are probably tens of
> thousands of ways to rewrite those 1000 instructions so they
> behave the same but won't be detected by a scanner that detects
> the original.

Yes, polymorphic viruses have been around a long time, but look at, say, the 100 biggest infectors at the moment: none of them, I would say, are polymorphic; all of them can be picked up by signatures. Virus writers are as lazy as the rest of us, so the majority of viruses will be written to take over the majority of unsecured systems.

> The *only* 100% safe way to guard against viruses is to fix all the
> security holes that viruses exploit. That means better coding
> practices.

Not 100% safe; you can still have users doing things they shouldn't, like giving a screensaver root privileges. You have to layer your security on, so that your code is secure and your users' activities are restricted and audited.

One way to restrict is application whitelisting or blacklisting. AV at the moment kind of fills the application blacklisting role, which isn't the best method now that malware outnumbers legitimate software, but whitelisting has its issues too (AppArmor/SELinux); it can be hard for the average user to set this all up. 100% secure code is also nigh-on impossible to write if you want it to be flexible for the user. I know everyone likes to bash Microsoft, but they spend billions on their secure development lifecycle, and they still have holes that get exploited all the time; the only safe code is code that doesn't run.

Most of the people on this list are not the average user, but my point still stands: if we continue along the line that Linux is immune to viruses we will get bitten, as Apple has, one day, and it will be harder than the gnome-look screensaver or the ProFTPD compromise.

> Erik

Most definitely not the average computer user.

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
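The exchange above turns on two claims: that a byte-signature scanner is trivially defeated by semantics-preserving rewrites of the same code, and that the defender can still normalise such rewrites away, at the cost of an arms race. The following added example (not code from the thread, ClamAV, or any real scanner) models both on a deliberately tiny instruction set: a one-accumulator toy ISA, a constructed "payload" of three instructions, a signature scanner keyed on the payload's exact bytes, a mutator that rewrites ADD/XOR constants into equivalent pairs and sprinkles NOPs, and a normaliser that folds those rewrites back so the signature matches again. The ISA, opcode values, payload and signature name are all invented here for illustration.

```python
"""Toy model of signature scanning versus polymorphic rewriting.

Everything here (the instruction set, the payload, the signature database)
is constructed for this example; none of it comes from a real scanner or a
real sample.
"""
import random

# Toy ISA: one 8-bit accumulator; every instruction is two bytes (opcode, operand).
NOP, LOAD, ADD, XOR = 0x00, 0x01, 0x02, 0x03


def run(program):
    """Interpret a program (bytes) and return the final accumulator value.

    This is the ground truth for 'behaves the same': two programs are
    equivalent here if run() returns the same value for both."""
    acc = 0
    for i in range(0, len(program), 2):
        op, arg = program[i], program[i + 1]
        if op == LOAD:
            acc = arg
        elif op == ADD:
            acc = (acc + arg) & 0xFF
        elif op == XOR:
            acc ^= arg
        elif op != NOP:          # NOP ignores its operand byte entirely
            raise ValueError(f"bad opcode {op:#x} at offset {i}")
    return acc


# Constructed payload: LOAD 0x41; ADD 0x10; XOR 0x0F  -> accumulator 0x5E.
ORIGINAL = bytes([LOAD, 0x41, ADD, 0x10, XOR, 0x0F])

# A signature database in the style the thread discusses: the exact bytes of
# the original sample are the signature. Name is made up.
SIGNATURES = {"toy-dropper-A": ORIGINAL}


def signature_scan(sample):
    """Return the names of every signature whose bytes appear verbatim in sample."""
    return [name for name, sig in SIGNATURES.items() if sig in sample]


def mutate(program, rng):
    """Semantics-preserving rewrite (a toy polymorphic engine).

    Each ADD k becomes ADD a; ADD (k - a) and each XOR k becomes XOR a; XOR (k ^ a)
    for a random a, and a NOP with a random operand may be inserted before any
    instruction. The result always computes the same accumulator value."""
    out = bytearray()
    for i in range(0, len(program), 2):
        op, arg = program[i], program[i + 1]
        if rng.random() < 0.5:
            out += bytes([NOP, rng.randrange(256)])
        if op == ADD:
            a = rng.randrange(256)
            out += bytes([ADD, a, ADD, (arg - a) & 0xFF])
        elif op == XOR:
            a = rng.randrange(256)
            out += bytes([XOR, a, XOR, arg ^ a])
        else:
            out += bytes([op, arg])
    return bytes(out)


def normalize(program):
    """Canonicalise a program: drop NOPs and fold runs of ADD (or XOR) into one.

    This undoes exactly the tricks mutate() knows, so every variant maps back to
    the original bytes. An engine with one more trick (register renaming, junk
    branches, an encrypted body) needs one more rule here: the arms race Erik
    describes, and the reason signatures are necessary but not sufficient."""
    folded = []
    for i in range(0, len(program), 2):
        op, arg = program[i], program[i + 1]
        if op == NOP:
            continue
        if folded and folded[-1][0] == op and op in (ADD, XOR):
            prev = folded[-1][1]
            folded[-1] = (op, (prev + arg) & 0xFF if op == ADD else prev ^ arg)
        else:
            folded.append((op, arg))
    return bytes(b for ins in folded for b in ins)


def normalized_scan(sample):
    """Signature scan over the canonical form instead of the raw bytes."""
    canon = normalize(sample)
    return [name for name, sig in SIGNATURES.items() if normalize(sig) in canon]


def demo(n=1000, seed=1):
    """Generate n variants and report (distinct variants, missed by raw
    signature scan, caught by normalised scan). Every variant is checked to be
    behaviourally identical to ORIGINAL."""
    rng = random.Random(seed)
    variants = {mutate(ORIGINAL, rng) for _ in range(n)}
    assert all(run(v) == run(ORIGINAL) for v in variants)
    missed = sum(1 for v in variants if not signature_scan(v))
    caught = sum(1 for v in variants if normalized_scan(v))
    return len(variants), missed, caught


if __name__ == "__main__":
    distinct, missed, caught = demo()
    print(f"{distinct} distinct variants, all equivalent to the original")
    print(f"raw signature scan missed {missed}, normalised scan caught {caught}")
```

Running it shows the asymmetry both posters describe: the raw signature matches the original sample and nothing else, while a thousand cheap rewrites of a six-byte program all evade it; the normaliser recovers every one of them, but only because it was written with this particular mutator in mind. The real-world analogue of normalize() is the unpacking and emulation layer a scanner like ClamAV bolts on in front of its signature matching, and the two-hour turnaround Morgan mentions is the operational side of the same trade-off.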
