On Wed, Jun 27, 2001 at 02:59:54PM -0700, Donald Dunn wrote:
> What anti-virus tools are available that run on Linux?
> Please name your favorites.
>
> Don Dunn

There are two ways to interpret this, and I'll address each of them.

1. You mean tools to protect against viruses (yes, that's the correct term. Virii isn't a word. Viri would be correct also.) that are harmful to Linux systems.

There aren't any viruses for Linux, so no useful virus protection software can exist. There have been many recent news articles contradicting this, but they didn't have their facts straight. In particular, the so-called "cross-platform" virus is not a virus at all, at least not on the Linux side. It requires you to download an attachment and physically run it, as root, manually. This is very clearly a trojan, which is extremely different from a virus. This sort of attack has always been possible, and the very easy protection against it is: *never* download and run unknown executables as root (duh!).

In the past, there have been a couple of UNIX-based worms. One of the first famous ones involved simple login attempts based only on entering the user's name as the password! That's it! This is not a virus, either; it is a brute-force worm, and the simple solution against that is: use better passwords.

The other 'virus' I am aware of is the one that was affecting RedHat machines with a (I think it was) vulnerability in BIND (yet *again*). This may qualify as a virus, but I think it's more of a worm (Pete will correct me if I'm wrong). It exploits a buffer overflow in BIND and the fact that it runs as root. The last one is a more serious threat, but should not affect home users. The only people who ought to be running BIND are sysadmins. This, too, could be avoided with a small amount of intelligence.
Linux can be completely protected from viruses by following a few simple rules:

1) Use difficult-to-crack passwords - no dictionary words or names; use a combination of letters, numbers and punctuation and make it at least 8 characters long. Use alternative authentication methods to passwords if you can.

2) Never run anything as root unless you are sure of its functionality and origins.

3) Even if you are sure of its functionality and origins, never run anything as root unless you *absolutely* have to. If you must, then take reasonable precautions: chrooting is always a good idea (and would make the BIND worm problem above go away). If it's something as simple as needing root for something such as a privileged port, discard your root privileges as soon as possible after you've obtained the necessary resources. It drives me crazy that network services still exist in common use that run as root - the whole thing. The frequent security problems in Sendmail and BIND would not have happened if people had been a little more cautious in their treatment of god-mode.

4) Use strcpy, strcat, sprintf very cautiously, if you're a C programmer. Use gets() absolutely *never* at all (use fgets() instead).

2. You mean software that runs on Linux that protects *other* systems from viruses.

There exists software for this, but I am very unfamiliar with it - largely because it's fairly trivial to write scripts for the mail system which will automatically reject mail attachments with certain MIME-types or filename extensions. If you scrap all .vbs, .js, etc. scripts, and redirect html messages, you'd have no problems.

HTH,
Micah
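The following is an added example, not part of Micah's post or of this thread, showing rules 3 and 4 above in code: a skeleton daemon that takes its privileged port as root, gives up root for good before reading any input, and replaces gets() with a bounded fgets() reader that copes with over-long lines. The account name "nobody" and the SMTP port 25 are illustrative assumptions, not something the post prescribes.

```c
/* Added example, not from the original post: a skeleton daemon applying rules
 * 3 and 4 above. It binds a privileged port as root, drops root for good,
 * and then reads client input only with bounded calls (fgets, never gets).
 * Assumptions: the unprivileged account "nobody" and the SMTP port 25 are
 * illustrative choices, not anything the post prescribes. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <grp.h>
#include <pwd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Permanently give up root. Order matters: supplementary groups and the gid
 * must be changed before the uid, because an unprivileged uid can no longer
 * call setgid(). Returns 0 on success, -1 on failure (errno is set). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop is irreversible: regaining uid 0 must now fail. */
    if (uid != 0 && (setuid(0) == 0 || geteuid() != uid)) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Bounded replacement for gets(): stores at most cap-1 bytes plus a NUL,
 * strips the newline, and discards the remainder of an over-long line so the
 * next call starts on a fresh line. Returns the bytes stored, or -1 at EOF. */
long read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;                          /* drain the rest of the long line */
    }
    return (long)len;
}

/* Self-check for read_line() on a constructed input: a short line, a line
 * that overflows an 8-byte buffer, and a final line without a newline. */
int check_read_line(void)
{
    const char *s = "hello\nthis line is far too long\nx";  /* constructed */
    FILE *f = fmemopen((void *)s, strlen(s), "r");
    char buf[8];
    int ok = f != NULL
        && read_line(f, buf, sizeof buf) == 5 && strcmp(buf, "hello") == 0
        && read_line(f, buf, sizeof buf) == 7 && strcmp(buf, "this li") == 0
        && read_line(f, buf, sizeof buf) == 1 && strcmp(buf, "x") == 0
        && read_line(f, buf, sizeof buf) == -1;
    if (f)
        fclose(f);
    return ok;
}

/* Listen on a TCP port on loopback; root is needed only for ports below 1024. */
int listen_on_port(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 5) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    int lfd = listen_on_port(25);           /* 1. take the resource as root */
    struct passwd *pw = getpwnam("nobody"); /* 2. then drop root for good   */
    if (lfd < 0 || pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("setup");
        return 1;
    }
    int cfd = accept(lfd, NULL, NULL);      /* 3. read untrusted data safely */
    FILE *client = cfd < 0 ? NULL : fdopen(cfd, "r");
    char line[256];
    while (client && read_line(client, line, sizeof line) >= 0)
        printf("got %ld bytes\n", (long)strlen(line));
    return 0;
}
```

The ordering in main is the whole point of rule 3: the only thing done as root is the bind, and drop_privileges() checks that root cannot be regained before a single byte of client data is read. read_line() is the rule 4 replacement for gets(): it can never write past the buffer, and it throws away the tail of a too-long line instead of feeding it into the next read as if it were a fresh request.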
