“The talk lately has centred about Vista’s security APIs, but Linux certainly needs improvements in this area, because AV vendors still rely on an external kernel module to implement ‘real time’ file scanning.” The Inq also reviews AVG antivirus for Linux, and concludes it is a must-have
‘Critical Linux Security API is Still a Kludge’
165 Comments
I don’t know what’s got you so worked up. I stated I got a virus (see below) and an AntiVirus software helped me detect and delete it. Why are you trying to pick this apart? IT HAPPENED. Now read below…
It’s not a trojan at all
This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of the system infected with it in case the virus has been executed on an account with root privileges.
While not technically a trojan, it exhibits similar behaviours. To quibble this is just pedantry.
Even worse, it doesn’t work unless you launch it with root privileges.
Wrong. It works with normal privileges. It is a remote-backdoor program that also happens to spread itself across a machine in a viral manner. It only replicates if it has root privileges.
So your “Linux virus in the wild” is actually a 2002 experimental virus that was released only in a lab and never got out.
If it never got out then wtf did my server get?
Either a) I (& my colleagues) dreamed it in a mass-hallucination, OR b) Sophos mis-classified a different virus (quite possible – in which case I still got a native Linux virus), OR c) you got your facts wrong, it was released.
Your system seems really fishy, but something’s sure here: no one except you is vulnerable to this.
I would like to point out that I didn’t lose any data from this, but my server was turned into a Zombie for a few hours. There was no privilege escalation. It could have happened to anyone who didn’t have SELinux (even then, there are variants of the attack that might have worked). If I didn’t have AntiVirus software, I might not have detected the infection. It could still be running.
The security alert and its fix are noted in the Horde changelog; look at the 3.1.2 changelog:
[cjh] SECURITY: Fix remote code execution vulnerability found by Jan Schneider.
The virus you talk about could not infect any of your executables, unless in 2 very stupid cases.
The virus didn’t infect any executable. It actually allowed a remote script to be run that downloaded a Botnet client into the /tmp dir and executed it – with www-data privileges.
I don’t know what’s got you so worked up. I stated I got a virus (see below) and an AntiVirus software helped me detect and delete it. Why are you trying to pick this apart? IT HAPPENED. Now read below…
I’m so worked up because you spread FUD. What you describe is not a virus but a rootkit at best. It can’t even replicate or propagate itself.
This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of the system infected with it in case the virus has been executed on an account with root privileges.
While not technically a trojan, it exhibits similar behaviours. To quibble this is just pedantry.
It doesn’t even work without root privileges like you say and like I said, and can’t gain these privileges.
Wrong. It works with normal privileges. It is a remote-backdoor program that also happens to spread itself across a machine in a viral manner. It only replicates if it has root privileges.
Where is the wrong? You yourself say it can’t spread without root privileges!!
If it never got out then wtf did my server get?
Either a) I (& my colleagues) dreamed it in a mass-hallucination, OR b) Sophos mis-classified a different virus (quite possible – in which case I still got a native Linux virus), OR c) you got your facts wrong, it was released.
OR d) you were rootkited manually by a black hat that launched an attack on random addresses once he knew of the Horde exploit, and now, you believe there’s a Linux virus in the wild. This thing can’t propagate itself, it’s not a virus at all.
It could have happened to anyone who didn’t have SELinux (even then, there are variants of the attack that might have worked). If I didn’t have AntiVirus software, I might not have detected the infection. It could still be running.
OK, I agree on this one, except that an IDS could do the same thing as your AV.
The virus didn’t infect any executable. It actually allowed a remote script to be run that downloaded a Botnet client into the /tmp dir and executed it – with www-data privileges.
So it’s not a virus. Like I said, it’s a rootkit at best. Linux is not immune to rootkits or worms or trojans, only to viruses.
Funny as this would have been killed by a noexec /tmp.
This is growing quite long. I agree with most of your points, and with other security packages installed, (I have SNORT now) and SELinux things would have been better for me.
However this whole distinction between rootkits / trojans and viruses is quite difficult. Technically you’re right. Unfortunately I live in the real world where if a user tells me he has a ‘virus’ it can be anything from a PUA (Adware/Toolbar) to a rootkit.
This is relevant because my ‘Anti-Virus’ software (Sophos) actually detects: Adware, PUAs, Viruses, Trojans, Rootkits (where possible) and anything else that isn’t wanted.
Everyone on this list is saying ‘Well set-up Linux is immune to viruses’, but then AV software will pick up all variants of malware. And it has a fair chance of picking up any ‘viruses’ that get through due to ‘user error’, ‘administrator error’ or some new attack vector.
Stephen.
Considering basically all of your software comes from a distribution’s repository, which tends to be checked for this stuff, why do you need AV on your Linux desktop again?
Edited 2006-10-23 00:03
-
2006-10-23 2:11 pm helf
well, in the windows world, files like images, docs etc can have viruses embedded in them. So, until something exploits some vulnerability in linux that grants it root privs somehow, a virus can still del everything in your ~/home directory. Which would suck
-
2006-10-23 2:42 pm Ookaze
well, in the windows world, files like images, docs etc can have viruses embedded in them. So, until something exploits some vulnerability in linux that grants it root privs somehow, a virus can still del everything in your ~/home directory. Which would suck
A hard disk crash or a mistake can still del everything in your ~/home directory. Which would suck
See? It’s nothing virus related.
Even if it was a problem, it’s far better than on another OS, where the user himself destroys his data when reinstalling his system because he’s fed up it doesn’t work anymore.
rsbac (www.rsbac.org) can protect the system from the antivirus and at the same time provides a dazuko-compatible interface to talk to it.
To me this seems like the perfect solution!
clamav, fsecure, etc. seem to be compatible with dazuko, so they work with it (I use clamav/clamuko!). The antivirus cannot access the whole system, only the files that rsbac asks it to scan, when the scan has to be performed. Caching is done on the rsbac side (in kernel) so it’s both faster and more secure (even than Windows counterparts).
Check it out, it’s worth trying!
-
2006-10-23 7:29 am
-
2006-10-23 7:41 am netpython
Fedora Core 5 has something similar. Clamav, for example, is protected by SELinux by default. Clamav is in the repository.
A GUI could be clamtk or klamav.
Of *course* AVG says antivirus for Linux is a “must have”, they sell antivirus software. Linux is secure because of design choices like normal users not having administrative access. This contrasts with Windows XP where normal users are Administrators and have full access to break the box.
The reason Linux is secure is more due to architecture and less because of it being “not as prolific”.
-
2006-10-23 12:14 am tmack
What’s more important, the health of your computer or the information stored on it? Most of the time, it’s the info.
Yes, Linux does have a better security model. But a vast majority of the Windows viruses come from foreign, untrusted software. Linux is safer because you typically do not install foreign software. You install software from a central repository.
This would be akin to Microsoft providing all of your software through something like Synaptic.
If that was the case, would you need AV software? No.
But this type of thing is only really possible with Open Source, so Windows users get to “keep on truckin'”
with their viruses, malware, etc. Linux is not less susceptible to viruses because of the default security privileges.
Edited 2006-10-23 00:15
-
2006-10-23 12:54 am hal2k1
“Yes, Linux does have a better security model. But a vast majority of the Windows viruses come from foreign, untrusted software. Linux is safer because you typically do not install foreign software. You install software from a central repository.”
This is all perfectly true, but it leaves out an important consideration.
On Windows, the “paradigm” is that end users install only binary versions of closed-source programs. Viruses can easily hide in these binaries.
On Linux, for the most part, applications are not closed-source. People are able to inspect the source code of most applications (at least, those people who have the skills can do so), and they are able to verify that the published source code produces the installable binary versions that are in the repositories. The same people who can and do inspect the source code also use these applications themselves. Worldwide.
So it necessarily follows from this that the installable binary open-source applications have no “nasties” in them that end users would not want.
One can therefore ensure having a “clean” Linux system by following a simple policy: “Only install open-source applications direct from the repositories”. Simply following that policy completely removes the need for any anti-virus program at all.
This is not the straitjacket that it would at first glance seem to be, BTW. There are over 20,000 packages in the Ubuntu repositories, for example.
-
2006-10-23 1:12 am smittal
> What’s more important, the health of your computer or
> the information stored on it? Most of the time,
> it’s the info.
I don’t think anyone would disagree with this. Losing control of your system, however, puts you at greater risk because data that isn’t normally saved[1] can be captured. It’s also easier to return to a safe state if only a user account is compromised since there are far fewer places for the infection to hide.
[1] think passwords, credit card information, etc.
-
2006-10-23 1:47 am jessta
“What’s more important, the health of your computer or the information stored on it? Most of the time, it’s the info.”
Yep, but it’s not just your data.
It’s every user on the system’s data.
If you screw up and run something stupid, at least your mother’s, father’s, brother’s data is still safe.
Even better, run SELinux and limit what programs can access certain data. So if you do something stupid, only some of your data is screwed… But of course you keep backups, right?
-
2006-10-23 3:16 am ma_d
You’re taking importance from the wrong perspective.
Viruses aren’t written to give people a bad day. They don’t exist to annoy people. They’re not made by people who just want to make life miserable for someone.
They’re written to aid someone in profiting. And 99.9999% of the files on everyone’s computers are utterly worthless to this person (just like all of your files are probably worthless to me, or I certainly think as much without seeing them). But viruses are written to infect 99.9999% of the computers they possibly can, right? So what are they after?
1.) Your attention. Adware.
2.) Your information, i.e. personal information. Spyware (it doesn’t care about your Word docs, and if it does it certainly wouldn’t damage them on purpose…).
3.) Your bandwidth. Worms/some viruses.
What’s the fun in deleting people’s files anyway? It’s just going to make them more likely to try and track you down…
-
2006-10-23 3:34 pm Havin_it
You left out one: Ransomware. Not a big player at the moment, but on the rise. If badware has access to your Word docs (on Linux? eh?) it can encrypt them and hold them to ransom.
…let’s provide a nice clean root user access to the whole box from every userid on it… only virus checkers will be able to use it, not viruses… right?
Because when I read it the author spent most of the time complaining how hard it was to install AVG (valid complaints, I might add), and then concluded with:
Since Grisoft has a good reputation, efficient code and releases signature updates regularly, I found this program a must-have for my desktop Linux system(s)
What? My brain hurts. How does the author conclude that AVG for Linux is a must-have? Why?
Did I miss something?
-
2006-10-23 9:27 am
On Linux, it’s the user’s fault if they receive a Linux virus. The user has to grant root privileges before it can do anything beyond mangle the home directory and files in /tmp. If you remember to periodically back up your home directory then you should be fine.
Unless they’re using Linspire/Freespire, which allows any program to run as root without requiring a sudo/su password. These users need to fix their sudoers file ASAP or try a different distribution.
It’s Windows viruses that Linux users need to watch out for when they use compatibility layers like Crossover, Wine and Cedega. They can wreak havoc inside the fake Windows directory structure. Luckily they can’t do much outside the hidden (.) cedega, wine, crossover folders.
For that reason, it’s a good idea to download the AVG anti-virus and scan those directories every so often.
-
2006-10-23 5:07 am Bending Unit
The user’s own fault. How convenient. You realise the same can be said for most other operating systems?
So only the stuff in your home directory can be destroyed? Great, except that those are the only files that are important.
-
2006-10-23 7:32 am Temcat
Well, the parent was not entirely correct. What he meant was that the user has to make a downloaded binary or script executable for it to be able to destroy anything at all, including home files. However, the malicious stuff can reside, for example, in an RPM package; in this case damage can result already during the installation (because of pre- and post-installation scripts), as well as at runtime. Still, in the runtime scenario at least all other users will be protected, unless the user chooses for some reason to run the software as root.
-
2006-10-23 7:43 am hal2k1
“However, the malicious stuff can reside, for example, in an RPM package; in this case damage can result already during the installation (because of pre- and post-installation scripts), as well as at runtime.”
This is why repositories are digitally signed. If you install RPMs from repositories, you get the open-source “audited by many eyes” trustworthiness assurance. If you just install an unsigned RPM from God-knows-where, then you are no better off than if you were installing stuff on Windows from an .exe.
-
2006-10-23 8:44 am Temcat
Well, the “many eyes” advantage starts already at the upstream level, repositories only add to it somewhat. Basically, it has to do with the very open source model, not with the specific distribution method such as a central repository. Repositories are good for basic automated checks (like a check for known viruses), but nobody in reality conducts regular, thorough security audits of even all core system software in a repository.
-
2006-10-23 9:43 am hal2k1
//but nobody in reality conducts regular, thorough security audits of even all core system software in a repository.//
This is not correct.
People download from repositories all day every day. As soon as there was ever a problem with this there would be immediate howls of protest.
Put it this way – there is not one recorded case of a system being “infected” by malware from using an open-source repository.
Not one. AFAIK.
I have been waiting a long time to hear tell of a case of that happening. So far, zilch. Nada.
Edited 2006-10-23 09:58
-
2006-10-23 1:19 pm Temcat
//but nobody in reality conducts regular, thorough security audits of even all core system software in a repository.//
This is not correct.
Yes it is. Security audit is not what you think it is.
As soon as there was ever a problem
You surely mean a visible problem. It’s not like all problems are immediately visible to the user – and in the specific case of spyware, they usually are not.
If some insane person decides to sneak spyware in an open source application, it is more likely to be caught upstream by the fellow devs than by a repo maintainer who is not familiar with this particular app, library, or programming language, or is not a coder at all.
-
2006-10-23 1:39 pm hal2k1
//You surely mean a visible problem. It’s not like all problems are immediately visible to the user – and in the specific case of spyware, they usually are not.
If some insane person decides to sneak spyware in an open source application,//
You aren’t thinking this through properly.
Open source code development runs on a “meritocracy” system. Code is submitted for review … it is not submitted anonymously. A lot of people examine it to determine:
(1) what it does,
(2) how well it does it,
(3) if it solves a problem or makes an improvement,
(4) if it interferes with existing software that might already be installed, and
(5) if it is the best solution if more than one is offered.
“insane person decides to sneak spyware in”
That would be a very impressive trick: get past all those “meritocracy” acceptance gates, and hide your spyware undetectably in plain sight amongst a useful new addition that was better than all other offers yet still carried a malware payload.
The mind boggles how one could even attempt to “sneak spyware in an open source application”. It is beyond belief that this is possible.
More to the point, there is no documented case of it ever happening, and just one case of a half-attempt (a backdoor into the C compiler, I believe it was).
“it is more likely to be caught upstream by the fellow devs than by a repo maintainer who is not familiar with this particular app, library, or programming language, or is not a coder at all.”
Agreed. Don’t forget, there are many upstream users who are in fact devs.
Even if by some unimaginable miracle some piece of malware made it into the repositories, it wouldn’t last long.
-
2006-10-23 3:03 pm Temcat
Well, you’re just repeating what I was saying – that the security is basically provided by the open source development model itself, not repos as such.
As for repo maintainers being coders themselves, a security audit of even one not so big app is a rather difficult and time consuming task, which can be even more daunting if you didn’t develop the specific app in question. And it is not paid for and doesn’t have that “coolness factor”. Maintainer resources are limited, apps are a great many. Therefore it just isn’t done commonly.
-
2006-10-23 11:09 pm hal2k1
//As for repo maintainers being coders themselves, a security audit of even one not so big app is a rather difficult and time consuming task, which can be even more daunting if you didn’t develop the specific app in question. And it is not paid for and doesn’t have that “coolness factor”. Maintainer resources are limited, apps are a great many. Therefore it just isn’t done commonly.//
One doesn’t have to audit the entire application, in the case of a large application.
One starts with a codebase with no known exploits. One adds functionality improvements … auditing each of the improvements as they are added.
Please note that the “many eyes meritocracy” system does not guarantee that there are no security holes. It does, however, guarantee that there is no deliberate malware included … which was the original point made.
Please note that saying “there is no malware in open-source code, guaranteed” is not at all the same claim as “there are no security holes in open-source code”. Please don’t confuse the former statement with the latter.
The claim actually being made is the first one, to wit “there is no malware in open-source code, guaranteed”. Please address your comments at what was said, not at what was not said.
Edited 2006-10-23 23:14
-
2006-10-23 7:39 am hal2k1
“So only the stuff in your home directory can be destroyed? Great, except that those are the only files that are important.”
The user’s files are important, but at the same time there is no “paydirt” for malware in destroying a user’s files. Read them, yes, send them off to someone else, yes, but destroy them? Why would a piece of malware do that? There is no “profit” in it.
I point to the Windows world as the ultimate authority on malware. Malware is rife in the Windows world. Untold millions of Windows machines are infected with malware, and the number grows daily. There are countless thousands of different pieces of live Windows malware circulating around right now, and the number grows daily. Malware on Windows certainly does have the ability to destroy user’s files, but it rarely does so.
Why? Because there is no payoff in doing so, that’s why.
-
2006-10-23 7:49 am Xaero_Vincent
Linux, Unix, OS X and Vista yes; XP and below no. In Win XP you run as administrator by default. So any malicious program can be downloaded and executed on a victim’s computer without their knowledge. They would only find out if they ran some background monitoring program that can intercept executing programs.
The home directory is indeed important but there are ways to secure it. You could change the permissions of all or some of the files in your home directory with the chmod, chgrp commands, or in the properties window. This can disallow normal users and/or groups from having full read/write access. Or leave it as is for convenience and back up all or some of the files in it.
Edited 2006-10-23 07:51
-
2006-10-23 9:40 am Soulbender
“So any malicious program can be downloaded and executed on a victim’s computer without their knowledge”
This has no relation to running as Administrator. Malware does NOT need or rely on administrative privs to do their dirty deeds.
“The home directory is indeed important but there are ways to secure it. You could change the permissions of all or some of files in your home directory with the chmod,”
This does in no way “secure” your home directory. Ever noticed that rm and many other tools have an option to ignore file permissions, i.e. force write on a 000 file? Well, malware could do the same.
Ponder the following theoretical scenario:
A remote exploit is found in Evolution that will allow arbitrary code to run.
Now all a malware developer needs to do is code an exploit that adds a hidden executable to your home dir and modify your profile/loginscript to run this on every login.
You now have a nice little piece of malware running every time you log in.
Of course, Evolution can be replaced with Firefox or Flash or similar but the principle is the same.
It is VERY difficult to protect against this on any platform because only user files are modified and the user needs to, well, have the right to modify their own files. Sure, you could have a dialog box popup every time a program write to any of your files but that would get tedious VERY fast.
I really don’t see any solution for this other than writing as bug-free software (OSS or otherwise) as possible.
Edited 2006-10-23 09:57
-
2006-10-23 9:57 am hal2k1
“This has no relation to running as Administrator. Malware does NOT need or rely on administrative privs to do their dirty deeds.”
Except that, in order to do any damage to the system (such as get itself installed), the malware needs escalated privileges. This does in fact rely on the malware gaining administrative privs. If malware doesn’t gain that, it can do only very limited scope damage to the one user. There is nothing to be gained (from the malware author’s point of view) from deleting that user’s files, or corrupting them. So the “no gain, no pain” principle should be applied here.
There are just two bad things that can realistically happen: (1) install a keylogger for that one user, or (2) scan that user’s files to seek personal info and send that back to the malware home.
-
2006-10-23 10:08 am Soulbender
“Except that, in order to do any damage to the system (such as get itself installed)”
It doesn’t need admin privs for that, all it has to do is drop an executable somewhere, anywhere and then modify the user registry to run that executable on login. There’s no limit to what such malware can do to a user’s files.
-
2006-10-23 10:28 am hal2k1
“It doesn’t need admin privs for that, all it has to do is drop an executable somewhere, anywhere and then modify the user registry to run that executable on login. There’s no limit to what such malware can do to a user’s files.”
Users’ directories should be mounted by the OS with the “noexec” attribute. Users with normal permissions should have no permission to “drop” files anywhere else other than their own home directories … which as I say should be configured such that the OS will refuse to execute anything that is stored there.
BTW, “Registry” is a Windows term. It is a place in Windows systems in which to hide the instructions to execute malware.
BTW: Windows has the exact opposite of the “noexec” (meaning do not execute from this location) concept. Windows instead has the “if it has an .exe extension, execute it regardless of what permissions it has or doesn’t have, regardless of where it is stored or where it came from” concept.
Edited 2006-10-23 10:32
-
2006-10-23 10:38 am Soulbender
“Users’ directories should be mounted by the OS with the “noexec” attribute.”
And we all know Windows doesn’t have that feature.
For noexec to be effective you’d have to mount all filesystems writable by users noexec.
Plus you’d have all these other fun issues like that “sh myscript.sh” works regardless of noexec mount option, among other things. I also seem to recall it being possible to run executables on a noexec partition with Linux ld but my memory is a bit hazy on that one so I might be wrong.
“”Registry” is a Windows term”
Yes, of course. We ARE talking about Windows here.
-
2006-10-23 11:25 am hal2k1
“Yes, of course. We ARE talking about Windows here.”
This is what was said originally:
“It doesn’t need admin privs for that, all it has to do is drop an executable somewhere, anywhere and then modify the user registry to run that executable on login. There’s no limit to what such malware can do to a user’s files.”
The poster was not talking about Windows, but rather speculating on a possible vector for infecting Linux systems.
That particular vector is going to be a bit of a problem on Linux systems since Linux systems don’t have a registry. Not even a user registry.
-
2006-10-23 12:02 pm Soulbender
The OP that I responded to said:
“In Win XP you run as administrator by default. So any malicious program can be downloaded and executed on a victim’s computer without their knowledge.”
This is clearly Windows we are talking about.
-
2006-10-23 10:58 am hal2k1
//For noexec to be effective you’d have to mount all filesystems writable by users noexec.
Plus you’d have all these other fun issues like that “sh myscript.sh” works regardless of noexec mount option, among other things. I also seem to recall it being possible to run executables on a noexec partition with Linux ld but my memory is a bit hazy on that one so I might be wrong. //
But within the script “sh myscript.sh” one still cannot run binaries from the ‘noexec’ locations. So the only type of thing that can be done is muck up that user’s files. This as we have already pointed out is a pointless exercise from the malware author’s point of view.
One cannot, for example, have the “sh myscript.sh” install anything or run something like a keylogger.
-
2006-10-23 11:20 am Soulbender
“But within the script “sh myscript.sh” one still cannot run binaries from the ‘noexec’ locations.”
True, but there are many other interesting things that can be done with a shell script, such as uploading or downloading data, opening connections to remote hosts etc.
And what about scripting languages like Perl, Ruby and Python?
-
2006-10-23 2:19 pm Ookaze
True, but there are many other interesting things that can be done with a shell script, such as uploading or downloading data, opening connections to remote hosts etc.
And what about scripting languages like Perl, Ruby and Python?
What you don’t understand, is that as long as your script is on a noexec location (be it /home or /tmp), your script just won’t work, even if you do “sh yourscript.sh”.
The same with python, perl, whatever …
-
2006-10-23 3:03 pm WereCatf
What you don’t understand, is that as long as your script is on a noexec location (be it /home or /tmp), your script just won’t work, even if you do “sh yourscript.sh”.
The same with python, perl, whatever …
Mostly home directories aren’t set to noexec. The reason: most users want to be able to do small shell scripts or whatever. Or maybe even install Picasa/Google Earth/Pixel/something else.
-
2006-10-23 4:09 pm Zan Lynx
“What you don’t understand, is that as long as your script is on a noexec location (be it /home or /tmp), your script just won’t work, even if you do “sh yourscript.sh”.”
Haven’t tried it yourself, have you? Watch this:
mount -t tmpfs none /mnt/tmp -o noexec
cd /mnt/tmp
cat > test.sh
echo This is a shell script running in noexec
[Ctrl-D]
chmod a+x test.sh
./test.sh: Permission denied
sh test.sh
This is a shell script running in noexec
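The transcript above shows the limit of noexec as a control: the interpreter still runs a script stored there. What an admin can at least verify is which user-writable mount points carry the option at all. The following audit script is an added example, not something posted in the thread; it parses /proc/mounts-style lines (the sample below is constructed, not taken from a real host) and reports the directories that lack noexec. Run it against a live system with `audit_noexec "$(cat /proc/mounts)" /tmp /var/tmp /dev/shm /home`.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# /tmp carries noexec; /home, /dev/shm and /var (which covers /var/tmp) do not.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var ext4 rw,relatime 0 0'

# mount_options DIR MOUNTS
# Print the option list of the mount that covers DIR, i.e. the longest
# mount point that is DIR itself or a path-component prefix of it.
mount_options() {
    dir=$1
    printf '%s\n' "$2" | awk -v d="$dir" '
        {
            mp = $2
            # "/" covers everything; otherwise require an exact match or a
            # prefix followed by "/" so that /tmp does not cover /tmpfoo.
            if (mp == "/" || d == mp || index(d, mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# has_noexec DIR MOUNTS : prints "yes" if the covering mount has noexec, else "no".
# Note (from the thread): noexec blocks execve() of files on the mount, but
# "sh script.sh" or "python script.py" still runs them through the interpreter.
has_noexec() {
    opts=$(mount_options "$1" "$2")
    case ",$opts," in
        *,noexec,*) echo yes ;;
        *)          echo no  ;;
    esac
}

# audit_noexec MOUNTS DIR... : print each DIR whose mount lacks noexec.
audit_noexec() {
    mounts=$1
    shift
    for d in "$@"; do
        if [ "$(has_noexec "$d" "$mounts")" = no ]; then
            printf '%s\n' "$d"
        fi
    done
    return 0
}
```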
-
2006-10-23 12:02 pm wirespot
It doesn’t need admin privs for that, all it has to do is drop an executable somewhere, anywhere and then modify the user registry to run that executable on login. There’s no limit to what such malware can do to a user’s files.
Except it would never run in the first place. Drop an executable somewhere? Where? Only the user home dir and /tmp are writable by the user. And it’s very simple to mount them as separate partitions and flag them “noexec”. I do that on all desktop systems I install. Poof, no more malware execution.
Modify the user registry? Are you talking about Windows?
-
2006-10-23 10:16 am Ookaze
A remote exploit is found in Evolution that will allow arbitrary code to run.
Now all a malware developer needs to do is code an exploit that adds a hidden executable to your home dir and modify your profile/loginscript to run this on every login.
You now have a nice little piece of malware running every time you log in.
…
It is VERY difficult to protect against this on any platform because only user files are modified and the user needs to, well, have the right to modify their own files.
I see a pretty simple one: make executables not possible on the home partition. Problem solved.
So there’s actually at least one solution against this on Linux OS. Besides that, this attack is still a very difficult scenario.
Your scenario just won’t kick in, dependent on which dm your Linux OS uses. If it works on gdm, it won’t work on kdm or xdm or bash, for example.
If it changes bash shell user init scripts, your user still will have to launch a terminal.
Well, not so easy.
-
2006-10-23 10:31 am Soulbender
“I see a pretty simple one: make executables not possible on the home partition.”
Indeed that would do it. But is that reasonable to expect from mainstream distros?
You’d also have to use noexec on any filesystem writable by users and that may break stuff.
Then there’s the added fun of removable media.
“If it works on gdm, it won’t work on kdm or xdm or bash, for example.”
Since the majority of users will be running either gnome or kde it’s not that hard. Also, many login managers will source your .profile/.bashrc on login even if you use gnome/kde. It’s a little more work than Windows, sure, but not that much.
“Well, not so easy.”
I never said it was easy. It’s feasible and doable.
-
2006-10-23 10:34 am hal2k1
//You’d also have to use noexec on any filesystem writable by users and that may break stuff. //
This is the whole point.
Linux and Linux applications are designed by default so that this doesn’t break stuff.
Executables are supposed to be in the path. Anywhere in the path is writable only by root.
//Then there’s the added fun of removable media. //
Again, on a secured Linux, the only places from which executables can run require root priv to write to.
Windows OTOH – is designed to run executables from anywhere, without that executable having been given any permission at all.
The typical use case on a Windows system is to have a “setup.exe” file on removable media (typically CDROM) … without any local user explicitly giving that file permission to run … Windows will not only happily execute it, but it will automatically execute it if it is part of the “autostart” and it will be allowed to install stuff on the system.
Therefore, it is possible to infect a Windows system by the mere act of putting a CDROM in the drive!
Edited 2006-10-23 10:40
-
2006-10-23 10:44 am Soulbender
“Linux and Linux applications are designed by default so that this doesn’t break stuff. ”
And you are sure that there are no tools, for example package tools, that execute scripts from, say, /tmp or /var/tmp?
-
2006-10-23 11:59 am wirespot
Ever noticed that rm and many other tools have an option to ignore file permissions, i.e. force write on a 000 file? Well, malware could do the same.
Umm, you need a basic course on Linux. rm cannot ignore permissions. It honors directory permissions, and it needs write access to the directory. File permissions in case of unlinking are irrelevant. Directory permissions matter.
-
2006-10-23 12:05 pm Soulbender
“rm cannot ignore permissions. It honors directory permissions, and it needs write access to the directory.”
You are confusing permissions with ownership. rm can remove any file you own regardless of its permissions. It can of course not remove files you don’t own.
-
2006-10-23 1:38 pm signals
rm can remove any file you own regardless of its permissions. It can of course not remove files you don’t own.
This is not true. It honors the directory permissions:
[/tmp]$ mkdir test
[/tmp]$ cd test
[/tmp/test]$ touch removeme
[/tmp/test]$ chmod 500 .
[/tmp/test]$ ls -la
total 5
dr-x------ 2 myuser mygroup 72 Oct 23 09:33 .
drwxrwxrwt 19 root root 5080 Oct 23 09:33 ..
-rw-r--r-- 1 myuser mygroup 0 Oct 23 09:33 removeme
[/tmp/test]$ rm removeme
rm: cannot remove `removeme': Permission denied
[/tmp/test]$ rm -f removeme
rm: cannot remove `removeme': Permission denied
[/tmp/test]$ chmod 777 removeme
[/tmp/test]$ rm -f removeme
rm: cannot remove `removeme': Permission denied
[/tmp/test]$
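The session above can be generalised into a predicate. This is an added example, not code from the thread: it implements the rule that unlink needs write and search permission on the parent directory (plus the sticky-bit ownership rule that applies in /tmp), then replays the session in a constructed temporary directory and checks the prediction against what the kernel actually does.

```python
"""Added example, not code from the thread: predict whether unlink() is
permitted under the POSIX permission model and compare the prediction with
the real result.

Rule behind the session above: removing a file needs write and search (x)
permission on the parent directory; the file's own mode bits are irrelevant.
In a sticky directory such as /tmp (drwxrwxrwt) a non-root user must also own
the file or the directory. The demo directory is constructed under a temp dir.
"""
import os
import shutil
import stat
import tempfile

W, X = 2, 1  # bits of one rwx triplet


def _triplet(st: os.stat_result) -> int:
    """The rwx triplet of st that applies to the effective user."""
    if st.st_uid == os.geteuid():
        return (st.st_mode >> 6) & 7
    if st.st_gid == os.getegid() or st.st_gid in os.getgroups():
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def predict_unlink(path: str) -> bool:
    """True if discretionary permissions allow the caller to unlink path."""
    if os.geteuid() == 0:
        return True  # root bypasses DAC checks (CAP_DAC_OVERRIDE)
    parent = os.path.dirname(os.path.abspath(path))
    dst = os.stat(parent)
    # The directory entry is what gets removed, so w+x on the directory is
    # the whole check; a chmod on the file itself changes nothing here.
    if _triplet(dst) & (W | X) != (W | X):
        return False
    if dst.st_mode & stat.S_ISVTX:  # sticky bit: /tmp-style restriction
        fst = os.lstat(path)
        return fst.st_uid == os.geteuid() or dst.st_uid == os.geteuid()
    return True


def actual_unlink(path: str) -> bool:
    """Attempt the real unlink; True on success, False on EACCES/EPERM."""
    try:
        os.unlink(path)
        return True
    except PermissionError:
        return False


def demo() -> list:
    """Replay the session (dir 500, chmod 777 on the file, dir 700) and return
    (case, predicted, actual) triples."""
    base = tempfile.mkdtemp(prefix="unlink-demo-")
    work = os.path.join(base, "test")
    target = os.path.join(work, "removeme")
    results = []
    try:
        os.mkdir(work)
        open(target, "w").close()          # touch removeme
        os.chmod(work, 0o500)              # chmod 500 .
        results.append(("dir_500", predict_unlink(target), actual_unlink(target)))
        if os.path.exists(target):         # still there for non-root callers
            os.chmod(target, 0o777)        # chmod 777 removeme (no effect)
            results.append(("file_777", predict_unlink(target), actual_unlink(target)))
        os.chmod(work, 0o700)              # give w back to the directory
        if not os.path.exists(target):     # root removed it already; recreate
            open(target, "w").close()
        results.append(("dir_700", predict_unlink(target), actual_unlink(target)))
    finally:
        if os.path.isdir(work):
            os.chmod(work, 0o700)
        shutil.rmtree(base, ignore_errors=True)
    return results


if __name__ == "__main__":
    for case, predicted, actual in demo():
        print(f"{case}: predicted={predicted} actual={actual}")
```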
-
2006-10-23 2:08 pm Soulbender
“[/tmp/test]$ rm removeme
rm: cannot remove `removeme': Permission denied”
“total 5
dr-x------ 2 myuser mygroup 72 Oct 23 09:33 .”
Ah right, that’s correct BUT…
You do realize that this means you can not create or modify files in this directory yourself and that all that needs to be done is a chmod on the dir for your files to be removable again? I doubt a home dir set to 0500 is of much use and I doubt that it’s any use at all for this scenario. What are you going to set to 0500? The evolution configdir? The dir with your documents? Not really practical.
-
2006-10-23 8:17 am jessta
Important to you.
But if you happen to run some malicious software that wipes out not only your files, but also your boss’ files then you’re really screwed.
The file permission won’t protect you from yourself. But they will protect others.
Making backups, storing important files under a different user, using SELinux to limit the things that a program can do.
These are real computer security practices. Anti-virus is not.
-
2006-10-23 8:19 am unapersson
“So only the stuff in your home directory can be destroyed? Great, except that those are the only files that are important.”
Could those files not also be destroyed by a hard disk failure or a power surge or even by an accidental delete? Isn’t a backup the best protection against that?
Why would anybody waste all kinds of time developing AV solutions for Linux when you can just go to the source and fix the problem?
Perhaps you’ve never heard of this novel concept we in Linux land call a “patch”? It works wonders. Really. You should try it some time.
-
2006-10-23 2:53 am hal2k1
“Why would anybody waste all kinds of time developing AV solutions for Linux when you can just go to the source and fix the problem?”
Precisely. Fix the problem at the source. Entirely possible for a Linux system, utterly foreign to the closed paradigm of Windows systems.
… is ask the OpenBSD guys how they do it. If you focus on proper design, you can approach a situation in which viruses will not be a concern.
-
2006-10-23 5:10 am
-
2006-10-23 5:16 am
While the possible problem of viruses on *nix is interesting this article adds nothing to the mix, except bad grammar.
The title states that some Linux API is a kludge but the article itself is just a prolonged whining about how Linux distros aren’t including dazuko. Now, while including dazuko may be a good thing it has NOTHING to do with an API being a kludge. It’s not even clear exactly what API it is that is supposed to be kludgy. The kernel module API? The dazuko API? We are left in the dark.
Should dazuko be in the kernel? Maybe, maybe not. Again, the article doesn’t really present any evidence that it should (other than some people saying that) and it does not investigate why it isn’t in the kernel (license issue? code quality?). Again, we are not told.
We also get some inaccurate and uninformed statements on virtualization and how win32/64 files stored on a Linux system somehow need on-access scanning to be, uh, scanned.
And some more whining that dazuko isn’t in the kernel or that not every single distro ships it.
In the end, a rather pointless article that sheds no light whatsoever on the topic. Way to go.
An internet security suite incl. firewall and virus scanner for Linux such as Panda Desktop Secure is way easier to install and maintain.
Better yet, it’s available as a trial version in Ubuntu’s commercial repository.
There have been a bunch of comments about how Linux doesn’t need antivirus software because people should just install open source stuff from their repositories. Think for a second, though. How do most windows viruses get transmitted? By someone stupid running an attachment from an email they got. People running Linux right now tend to be smarter than that, but if it ever gets a significant share of the market that will change. The problem on Windows has proven that simply saying “don’t open attachments or run software we don’t trust” just doesn’t work for a large percentage of the population.
-
2006-10-23 8:22 am Xaero_Vincent
It’s not going to change. Vista will get greater market penetration than Linux on the first day of release. It’s the power Microsoft possesses over OEMs and such.
If a Linux program needs full system access, it will prompt for a root or super user password. If an email attachment needs that, then you’d automatically be suspicious. I personally delete all mail that is sent to the bulk folder and all other mail with attachments not sent by me or trusted people.
Note: I do send myself email with attachments. It’s a neat way to use more than 1% of my multi GB accounts. 😛
Edited 2006-10-23 08:27
-
2006-10-23 8:39 am Morin
> If a Linux program needs full system access, it will prompt for a root or
> super user password. If a email attachment needs that, then you’d
> automatically be suspicious.
That’s nice theory. In practice, the average user doesn’t really know what the super user *is*. It’s some strange technical term that somehow forces you to enter some password time and again. No problem, they’ll just note that password on a piece of paper and stick it to the monitor, and enter it every time the computer wants to hear it.
This is not even stupid, it’s learning. In the real world, computers of all kinds (especially mobile phones and automatic teller machines) ask you for passwords all the time, and if it asks you again it means something went wrong and entering the password again is correct.
-
2006-10-23 9:31 am
-
2006-10-23 9:30 am Ookaze
How do most windows viruses get transmitted? By someone stupid running an attachment from an email they got. People running Linux right now tend to be smarter than that, but if it ever gets a significant share of the market that will change
No, people on Linux are no smarter. It’s just that right now and for the foreseeable future, it’s plain impossible to run anything directly from an attachment in Linux, on any email client you can find. The only option you’ll get is to save the executable somewhere, and it won’t even have execute permissions.
Design decisions, that’s all it’s about, not people being smarter. My wife is no smarter when she gets on the family Linux computer than when she is on her Windows at work. She is not more stupid either on Windows; it’s Windows that’s stupid.
It seems the biggest arguments here for not needing an antivirus software is that Linux is so secure by nature and that you can’t anyway get viruses if you install software from your distro’s repository. Well, it’s true that in that case viruses most likely won’t come from downloaded software. But everyone still forgets that not all viruses come from installing software. Like when you’re installing Windows, you’ll get dozens of viruses just by having the network cable plugged in. And they come through bugs in IE (and/or FireFox). Sure, there aren’t any real viruses for Linux, but if Linux ever gains enough attention, I’m sure there will be. And they will most likely attack through web-browser, IM applications and such, pretty much anything which has access to Internet. Even if they couldn’t infect the machine, they could still cause lots of damage by destroying all the files they have access to.
-
2006-10-23 3:31 pm Ookaze
It seems the biggest arguments here for not needing an antivirus software is that Linux is so secure by nature and that you can’t anyway get viruses if you install software from your distro’s repository
No, the argument is that all security cases are covered by already existent FOSS, and that AV is redundant, dangerous, not efficient, and doesn’t even cover all the cases the other FOSS software cover. An IDS will detect consistently all these modifications to your important binaries (executables, libraries), while an AV just won’t; it depends on what it knows about. AV doesn’t even fix the real problem: the security hole.
Sure, there aren’t any real viruses for Linux, but if Linux ever gains enough attention, I’m sure there will be
Kaspersky said the same in 2000, we’re still waiting …
Meanwhile, these virus writers prefer attacking easy targets (Windows) to be able to attack the hardest ones (Unix, Linux, BSDs).
And they will most likely attack through web-browser, IM applications and such, pretty much anything which has access to Internet. Even if they couldn’t infect the machine, they could still cause lots of damage by destroying all the files they have access to
If they can’t propagate, they’re not viruses. Viruses must have 3 basic capabilities:
– reproduce themselves (infect other files)
– propagate themselves (get more rights, go on other systems)
– hide themselves until they can do their purpose
At any given time, at least one of these capabilities is impossible on a Unix derivative security model.
That’s why you don’t see any virus in the wild on these systems, Linux included.
And no, these viruses won’t destroy all the files they have access to, just like no Windows viruses (among the 100 000+ ones) do this.
Even if they do, no AV will save you from that, only a backup will.
-
2006-10-23 4:31 pm WereCatf
If they can’t propagate, they’re not viruses. Viruses must have 3 basic capabilities:
– reproduce themselves (infect other files)
– propagate themselves (get more rights, go on other systems)
– hide themselves until they can do their purpose
I don’t see why a virus would have to infect other files, but anyway, what do you want it called then? For most end-users it’d still be a “virus”. Also, a virus doesn’t necessarily need to get more rights if it can function with the rights it has. And if a virus came in for example through a web-browser or an IM app, why couldn’t it send itself forth too? Hiding the virus (or whatever) isn’t that big a deal.
Oh, and all those IDS, SELinux and such degrade performance. I’d just like to check my machine like once a day and continue doing whatever I was doing without the problems and overhead of SELinux. But well, guess that’s just me then..
-
2006-10-24 12:01 am sbergman27
“””Oh, and all those IDS, SELinux and such degrade performance. I’d just like to check my machine like once a day and continue doing whatever I was doing without the problems and overhead of SELinux.”””
I’m not following this thread, so pardon me if this has already been said. But I do happen to know that SELinux has extremely low overhead. (Does checking traditional Unix FS permissions introduce overhead? Yes, but you couldn’t time it with a stop watch. Same with SELinux.)
On the other hand, I know people who turn their Windows antivirus off because it “slows down their machine” too much.
The kernel guys don’t let stuff in that adds pointless overhead.
-
2006-10-23 7:29 pm evad
No no no!
A virus cannot “propagate” itself. If the code can infect other systems via a network then it is a worm. It is not a virus.
Viruses spread via humans – they must do something in order for it to spread. A worm is able to get onto other systems without human interaction.
http://en.wikipedia.org/wiki/Computer_worm
Long thread, so I’ll just toss in my useless tidbit.
I was at a friend’s house and removed their ‘Norton Security Center’. Its subscription had run out and it was doing popups like crazy. He says to me
“put something on there. Just not that AVG one. That Pig is evil. It looks crazy and makes that weird sound. I don’t know what to do when it comes up”
You know, it never crossed my mind that would be an issue. But looking at it now. What were they thinking? Who knew it would be a deal breaker for some people. I tossed on Avast this time.
.. just can’t resist … but OpenBSDlers certainly have something to smile about .. in a time when security is a big issue ..
There are several hardened Linux projects & similar patches etc but nothing gets into mainline .. don’t they want as much security as possible ?
SELinux & AppArmor are security technologies – they seem to me to be rather external – there just doesn’t seem to be as big of an interest in security in the Linux project as I’d expect from a “community” which always claims very high security – but then seemingly ignores the fact that there are quite a few security advisories regarding the kernel throughout the year .
Okay so much more secure than windows – but that would be keeping to a rather low standard when we trumpet Linux for its great security .
Okay I’m oversimplifying & rather less knowledgeable about the whole topic but the fact that there are special better security patches & things like hardened Gentoo & even virus scanners for Linux etc does mean that obviously there isn’t as much being done as possible .
Why is that ?
-
2006-10-23 6:03 pm Shaman
Pretty much all modern UNIX distributions have GCC 4.x with built-in stack protection, etc. and have recompiled their packages including GLibC to take advantage of it. Many also have ProPolice and other measures installed to do the same thing with older C compilers.
BSD is not immune and neither is OpenBSD. That’s a myth, sir. They are much better and pioneered much of this technology, to be fair to Theo and the boys, but they do not have a monopoly on stack smashing protection and the like anymore (if they ever did). GCC and GLibC changes over the past three years have made immense improvements over the entire Linux community, not to mention all the other attention that has been given to buffer overruns, etc.
From above:
Everyone on this list is saying ‘Well set-up linux is immune to viruses’ but then AV software will pick up all variants of malware. And has a fair chance of picking up any ‘viruses’ that get through due to ‘user error’, ‘administrator error’ or some new attack vector.
Unless the virus, trojan, malware etc. can infect the actual operating system (which is highly unlikely), then the point is moot. Removing infections from a user’s writable directories is far easier than removing binary-modifying virii that attach themselves directly to DLLs and executables as you have in the Windows environment. That does not exist in the *nix world as a demonstrable threat, unless one is foolish enough to try out new, unverified software running as the root user.
I admit, I didn’t read the whole thread…
A linux box with an on-access AV scanner running is a security liability. The scanner will have access to _every_ file read and written, no matter what the owner is. This makes it a very interesting target for attack, as it can compromise the whole box.
Being mostly closed-source, the AV engines are hard to audit for security bugs, and nobody will have any interest in doing so (or the time/skills), except the AV companies themselves (which will hide them as long as they can) or the black hats (which will hide them as long as they can), which will exploit them.
A fileops interceptor inside the kernel can be useful for a lot of things, but with some limits. Such a thing being used by an all-seeing daemon is just bad.
-
2006-10-23 6:04 pm Shaman
A linux box with an on-access AV scanner running is a security liability. The scanner will have access to _every_ file read and written, no matter what the owner is. This makes it a very interesting target for attack, as it can compromise the whole box.
Absolutely agree, which was my point in an earlier post. You said it better than I have.
Edited 2006-10-23 18:04
Reflections on Trusting Trust
Ken Thompson
http://www.acm.org/classics/sep95/
It’s not the “little” bugs. You’re not thinking low-level enough.
Keep reading until you understand.
Excerpt:
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect.”
This is also instructive.
A Taste of Computer Security
Amit Singh
http://kernelthread.com/publications/security/
Yes, I know I’m harping … 🙂
Edited 2006-10-28 19:20
So, what’s the total amount of Linux viruses in active circulation these days? Still zero?
So the only reason I might want antivirus on a linux box is checking for Windows viruses on a file storage/email server, and since Windows viruses won’t affect my linux system, there is no need for the antivirus to have low level hooks.
———-there is no need for the antivirus to have low level hooks.————-
There will be. It’s not a matter of if, it’s when.
One of the great things that I like about linux is the greater inherent security over windows but in the real world no software is perfect. There will at some point be viruses that need to be addressed.
Hopefully by the time that active real time file/virus scanning is needed we will have a much improved subsystem for it to run on.
Let’s not become Microsoft and wait for the problem to become huge *then* fix the problem. Let’s address it now.
What do you think? I say it’s a fantastic idea.
Hopefully by the time that active real time file/virus scanning is needed we will have a much improved subsystem for it to run on.
Hopefully by that time, if it comes, people will realize how terrible AV software is at handling the problem.
I’ll take a terrible solution over no solution.
If we improve it, it will be an adequate solution.
Ok, but we’re not talking about now, we’re talking about sometime in the future. It makes sense to push for the better solution in the long run, or are you content with your “adequate” solution?
“Ok, but we’re not talking about now, we’re talking about sometime in the future. It makes sense to push for the better solution in the long run, or are you content with your “adequate” solution?”
Anti-virus programs are not a better solution.
A better solution is to have a good security model for your system in the first place, and then to install only applications for which the source code can be and is inspected and auditable by independent people who have the same interest as you (ie, they are not being paid by the vendors of the programs, and they are end users of the programs themselves).
Anti-virus programs are not a better solution.
I didn’t say it was. I’m saying the complete opposite of this, which you’d probably have known if you’d bothered to read my other post…
A better solution is to have a good security model for your system in the first place, and then to install only applications for which the source code can be and is inspected and auditable by independent people who have the same interest as you (ie, they are not being paid by the vendors of the programs, and they are end users of the programs themselves).
That’s a terrible solution. It’s impossible to catch all the bugs. The best security policy is that of containment, not perfection.
“That’s a terrible solution. It’s impossible to catch all the bugs. The best security policy is that of containment, not perfection.”
Not at all.
Despite the ironic similarity in names, a virus is not a bug. A virus is malware by intention.
One doesn’t have to “catch all bugs” in order to ascertain if the code being inspected is not malware. One only has to work out what the code being inspected is trying to do.
If it is trying to catch key presses, cache them, then later send them all off as data to an IP address coded via its numbers only … one would have to think … “hmm, keylogger … reject”.
If it is a bunch of code trying to append a binary blob to the end of system libraries, one would have to think … “hmm, virus … reject”.
One doesn’t have to completely debug the program in order to spot malware. One just works out what the code is trying to do. If there is code included with a suspect purpose … reject it. If it has good purpose but obscure hard-to-spot bugs, it still isn’t malware. It is just buggy application software.
Edited 2006-10-23 03:00
That line has historically been thin, see Robert Tappan Morris.
It’s a bit thicker these days, but probably only because of those who’ve barely crossed over in the past and served time.
No, but viruses exploit bugs to gain access to your computer. Besides, you expect normal users to audit source code to make sure it’s secure and not malicious? Heh.
//No, but viruses exploit bugs to gain access to your computer. Besides, you expect normal users to audit source code to make sure it’s secure and not malicious? Heh.//
Oh my goodness, not that one again.
I don’t have to audit source code. I can nevertheless gain the “many eyes audit of open source” assurance of trustworthiness merely through the fact that there are many programmers who can and do audit the source code, and use the software themselves.
That’s why firefox has so few bugs? In any event, it seems you’ve taken that out of context, since I explained later on why any amount of auditing isn’t an effective strategy.
“That’s why firefox has so few bugs? In any event, it seems you’ve taken that out of context, since I explained later on why any amount of auditing isn’t an effective strategy.”
This comment also confuses a “security hole” bug with what was actually claimed which was “no deliberate malware included”. Firefox has indeed no deliberate malware included. This fact however does not mean it does not have security bugs.
Please address any counter-arguments at the original points made, and refrain from arguing against something that was never the original position.
BTW, auditing code is an entirely effective measure against having deliberate malware included in it. So effective in fact that it has never happened – there has been no case ever of deliberate malware making it into released open-source code. Not once. So it turns out you are dead wrong in the context of the original point made.
Edited 2006-10-23 23:24
A better solution is to have a good security model for your system in the first place, and then to install only applications for which the source code can be and is inspected and auditable by independent people who have the same interest as you (ie, they are not being paid by the vendors of the programs, and they are end users of the programs themselves)…
…And still you will have viruses. If you think that it is possible to have an operating system and software set that is 100% invulnerable, then you’ll be waiting a long time.
Anti-virus isn’t a nice catch-all solution but it adds an extra layer of system-awareness. If you’ve got a nice partitioned system with all permissions set up etc… This doesn’t stop a virus/viruses from getting into memory and waiting for someone to make a mistake on the host system.
“And still you will have viruses.”
… except that we don’t.
Apart from that observation, carry on.
It’s not an adequate solution. If On-Access scanning could be made perfect (not the definitions but the scans need to be unavoidable) and only slowed things minorly (less than a 10% drop in performance) then it would be an adequate solution.
But On-Access scanning misses stuff, and it’s probably more than 60% slower than just opening the file and reading it (on average).
I’ve seen 2GHz Pentium 4’s appear slow compared to my 700 Celeron just because they ran McAfee (and probably had some spyware as well) and I didn’t. I’m not exaggerating.
After-infection “solutions” are not solutions, they’re ugly hacks. It may be better than nothing, but it still sucks.
“It’s not an adequate solution.”
This is an unsupported assertion on your part.
You have yet to explain exactly how it is not adequate to just do the following: “Stick to a strict policy of installing only open-source applications via the package manager installing from signed repositories”.
If you simply do that, exactly how is your Linux system going to get malware?
This is an immeasurably better solution to the malware problem than any amount of virus scanning.
“If you simply do that, exactly how is your Linux system going to get malware?”
Easily, just like other OSes get it. You open Firefox to a website running a malicious advertisement, or a blog hit with a cross site scripting attack. Firefox is far from guaranteed secure. The attack reaches out and trojans your shell or your session or other init files. A nice emulation of sudo to capture your root access.
Or instead of Firefox, it could be your email client. Or your MP3 player. Or IM client. Any of those can have security holes.
Easily, just like other OSes get it. You open Firefox to a website running a malicious advertisement, or a blog hit with a cross site scripting attack. Firefox is far from guaranteed secure. The attack reaches out and trojans your shell or your session or other init files. A nice emulation of sudo to capture your root access.
The only problem with your flawed example, is that you failed to explain the part about “The attack reaches out and trojans your shell or your session or other init files”.
Trojaning the shell or init files is plain impossible for your Firefox. Trojan your session at the very max would be possible, even though it has no purpose unless you can escalate to root after that. An emulation of sudo is even harder. I mean, there is nothing easy about any of these processes, it’s actually very hard for any malware to install on any Linux with this method. It would have to be REALLY lucky for this to succeed (flaw in Firefox + Linux with privilege escalation + right distro + no update).
Or instead of Firefox, it could be your email client. Or your MP3 player. Or IM client. Any of those can have security holes
Or your AV software. So what’s your point?
“Easily, just like other OSes get it. You open Firefox to a website running a malicious advertisement, or a blog hit with a cross site scripting attack. Firefox is far from guaranteed secure. The attack reaches out and trojans your shell or your session or other init files. A nice emulation of sudo to capture your root access.
Or instead of Firefox, it could be your email client. Or your MP3 player. Or IM client. Any of those can have security holes.”
Nice in theory.
In practice, rare. Very rare. Extremely rare. So rare, in fact, that I do not believe that credible documented cases of this happening have ever surfaced.
So much for “Easily”.
If the repository gets hacked, all bets are off. And before you say that’ll never happen, check this out:
http://www.zdnet.com.au/news/security/soa/Debian_server_hacked/0,13…
http://news.netcraft.com/archives/2004/05/31/cvs_exploit_leads_to_p…
http://www.zdnet.com.au/news/security/soa/Gentoo_Linux_server_hacke…
Now these are not current, but they just show that vulnerabilities exist in everything, and also that the distribution’s servers themselves are not immune. You can trust the official repository more than most sites, but it is not invulnerable.
If the repository gets hacked, all bets are off. And before you say that’ll never happen, check this out:
http://www.zdnet.com.au/news/security/soa/Debian_server_hacked/0,13…..
http://news.netcraft.com/archives/2004/05/31/cvs_exploit_leads_to_p…..
http://www.zdnet.com.au/news/security/soa/Gentoo_Linux_server_hacke…..
Now these are not current, but they just show that vulnerabilities exist in everything, and also that the distribution’s servers themselves are not immune. You can trust the official repository more than most sites, but it is not invulnerable.
You’re wrong on all counts because it just shows we can trust these repositories, so where exactly did you get that all bets are off?
Every one of these attacks was detected and dealt with, with no impact at all on users.
I’m not sure where you got that. In the first article it is talking about one of Debian’s servers being hacked; it could have easily been a CVS repository. If you think that just because it wasn’t one, it can’t be one, I’ve got some muskeg in Nunavut to sell you, real cheap.
//I’m not sure where you got that. In the first article it is talking about one of Debian’s servers being hacked; it could have easily been a CVS repository. If you think that just because it wasn’t one, it can’t be one, I’ve got some muskeg in Nunavut to sell you, real cheap.//
What has this got to do with the topic at hand?
Some devs on some open source servers had weak passwords. The accounts were hacked. Protections were in place to detect that, and the hacking was spotted. As a consequence, no damage occurred.
The point remains that, despite the odd hacking & break-in here & there of a development server, no-one has yet successfully managed to insert malware whatsoever into any open-source code repository. Not once, in about 15 years of Linux history to date.
Compare this with the scene for Windows with literally billions of malware-infested Windows machines around the globe, and the point is perhaps underlined even more vividly for your consideration.
The original thread was about how you didn’t need security software on linux because it was OSS and had the benefit of “many eyeballs”. I responded saying that there are too many people that you have to trust, including the repositories and CVS servers. I then posted the links to show that if the distro’s servers can be hacked, then that chain of trust is broken. Therefore, if you can’t trust the distributors of your flavour of linux, then you need security software.
“The point remains that, despite the odd hacking & break-in here & there of a development server, no-one has yet successfully managed to insert malware whatsoever into any open-source code repository. Not once, in about 15 years of Linux history to date.”
No human has been to Mars either, but that doesn’t mean it won’t happen sooner or later. The fact that you have to trust all these different organizations, people and machines is not so different from trusting closed source software providers, as most users can’t read source.
“Compare this with the scene for Windows with literally billions of malware-infested Windows machines around the globe, and the point is perhaps underlined even more vividly for your consideration.”
None of that code was injected into Windows source code either, so what is your point? Windows needs AV software mostly because its users are not geeks like us, and will do most anything, including opening attachments or clicking yes to a dialog, to get back to that Paris Hilton video they were watching. The other half of the coin is the fact that Windows users usually run as admin, and that lets the admittedly insecure IE/OE combo run anything; if they didn’t, most viruses would die in their tracks, so your argument is moot. It’s not malignant code in the source that you have to worry about, it’s bad practices and stupidity.
Basically, OSS is distributed by humans, and humans make mistakes, and can be coerced. There is a story about how one of the original Unix developers put a backdoor into Unix, then hacked the compiler to detect when it was compiling Unix, and place the backdoor into the Unix code. The compiler was also hacked to detect when it was compiling itself, and to inject the backdoor code into the new compiler, thereby propagating the hack. I read this in the Jargon File back in the 90s. OSS has the ability to be just as untrustworthy as Windows; the only thing that protects it is the trustworthiness/competence of the devs.
And actually solve the problem with a 20 minute training session explaining to people how best to judge the trustworthiness of software they run.
“And actually solve the problem with a 20 minute training session explaining to people how best to judge the trustworthiness of software they run.”
It doesn’t take 20 minutes to say to people “don’t run closed-source applications”.
There are of course some closed-source applications that are indeed trustworthy, but the real problem is that an end user has no way to tell which applications these are.
Even “from a reputable company” doesn’t do it. Reputable companies do not have the same interest as end users, and we see this in some cases as software such as the Sony rootkit and Windows Vista DRM produced by reputable companies but still effectively being malware from the end user’s point of view.
There is just one way for an end user to be assured of the trustworthiness of any program, and that is to ask these few simple questions:
(1) Is the source code available for inspection?
(2) Is the source code inspected by capable people other than those who wrote it?
(3) Do those same people who inspected the code then use that code themselves as end users?
Any application program for which the answers to the three questions above are “yes” is a trustworthy application.
“There are of course some closed-source applications that are indeed trustworthy, but the real problem is that an end user has no way to tell which applications these are.”
Case in point, Apple recently released some iPods with a Windows virus on them.
In an eerily close analogy, determining what software has a virus based on appearance is like determining who has AIDS by appearance….. appearance means nothing when it comes to infection.
Edited 2006-10-23 02:00
There are of course some closed-source applications that are indeed trustworthy, but the real problem is that an end user has no way to tell which applications these are.
They also have no way to tell which open source applications are trustworthy. 99.9999% are not programmers you know. And even most programmers don’t inspect every single application they install. Your post is mostly propaganda.
“They also have no way to tell which open source applications are trustworthy. 99.9999% are not programmers you know. And even most programmers don’t inspect every single application they install. Your post is mostly propaganda.”
One doesn’t have to be a programmer. All that is required is that (a) the source code is available for anyone to examine, and (b) people who are programmers (yet who did not write that code) do examine it, and (c) those programmers who do examine it then endorse it and use it themselves.
When one sees that happening, in open view, then one can deduce the code is trustworthy even though one has no idea oneself how to program.
One doesn’t have to view the code oneself.
One doesn’t have to be a programmer oneself.
Even if one is a programmer, one doesn’t have to audit all of the code – as long as some programmers somewhere do.
No, my post is not propaganda. Not at all.
My post is in fact anti-propaganda to the notion that “you have to be a programmer to derive a benefit from open source”. That is simply not the case.
PS: I was tempted to mod you down for the unwarranted personal attack, but I refrained.
Edited 2006-10-23 07:21
Except that you have to trust a) the programmers who examine the code on your behalf, without ever meeting or talking to them, b) you have to trust the repository not to have been hacked, and you have to c) trust the original programmers’ intentions in the first place. If you can’t read source code, that’s almost as much trust as you have to put into a closed source application.
Hopefully by that time, if it comes, people will realize how terrible AV software is at handling the problem.
I’m in total agreement. Hardening Linux is a much better route. Making things like SELinux, SSP, and PIE not only usable by the masses but enabled by default on Linux distributions is a much saner approach. In addition smaller code, fast patching, and code auditing certainly help.
It’s useless to attempt to try to keep up with virus writers by constantly updating virus signatures. Make the code secure in the first place! Hardened code will prevent all kinds of nasty things from many attack vectors, while a virus definition will only prevent one virus from one attack vector. Tomorrow there will be another attack vector and the need for another definition. There are thousands of viruses floating about that could be made useless by following secure coding practices. No need for AV scanners.
No software is perfect, and that includes AV programs. They create a single point of failure, which is unacceptable in terms of real security.
I was waiting for the v word to be mentioned.
There are thousands of viruses floating about that could be made useless by following secure coding practices. No need for AV scanners.
There are also thousands of viruses floating about that can’t be stopped by secure coding practices. A simple ‘botnet’ style DDOS client can do everything it needs just using the same privileges that Apache2 needs to run, so any sort of injection attack (they exist) against any child process of Apache will be able to make the machine/server a zombie.
A single mistake in (for example) the SSH source (Unlikely I know but there are other packages with similar security needs) would make a system vulnerable.
99% of attacks on my servers come in the form of automated ‘skriptkiddie’ style scans. Most of these try to infect the target with malware that would be detectable by bog standard Antivirus software. So I refute your claim that there is ‘No need for AV scanners’
That’s why there is a thing called Mandatory Access Control.
AppArmor, RSBAC, SELinux are all MAC systems. If you use SLE*/openSUSE, RedHat, Fedora, Mandriva then you already have the kernel patches and utilities.
AppArmor is especially nice on SUSE. You can configure it with CLI or YaST and it’s very easy to create policy.
You’re right. However (unless I’ve completely missed the point), without some other system for protecting executable memory during runtime, code injection can be made to run within the Apache process. Therefore MAC will allow our DDOS client to do everything it needs because our Apache module is trying to create a network connection (allowed) and read/write to it (allowed). Also, I have PHP installed. If the PHP opcode cache gets corrupted by a vulnerability, then a PHP script could be injected to run a DDOS client, using the PHP MAC profile.
Rather than set up a system that I think is secure and then leaving it, I would prefer to have a system that monitors itself for known problems, as well as being securely set up.
There are also thousands of viruses floating about that can’t be stopped by secure coding practices. A simple ‘botnet’ style DDOS client can do everything it needs just using the same privileges that Apache2 needs to run, so any sort of injection attack (they exist) against any child process of Apache will be able to make the machine/server a zombie
The only problem with your flawed argument being that “secure coding practices” prevent injection attacks …
A single mistake in (for example) the SSH source (Unlikely I know but there are other packages with similar security needs) would make a system vulnerable
A single mistake in (for example) the antivirus source (Unlikely I know but there are other packages with similar security needs) would make a system vulnerable.
One more potential SPOF, thanks a lot.
“secure coding practices” relies on every programmer who contributes to your system implementing the “secure coding practices” all the time. And not making mistakes/typos. With the number of security alerts floating around these days, I would have thought that you would realise that ‘secure software’ is somewhat similar to ‘the perfect society’. A nice ideal but (at the moment) pretty far from reality.
When I mention injection attacks, I mean more than just buffer-overruns. Interpreted languages especially are subject to injections because they tend to include function calls to interpret user-supplied data as code.
“secure coding practices” relies on every programmer who contributes to your system implementing the “secure coding practices” all the time. And not making mistakes/typos. With the number of security alerts floating around these days, I would have thought that you would realise that ‘secure software’ is somewhat similar to ‘the perfect society’. A nice ideal but (at the moment) pretty far from reality.
That’s why proper security is layered. A single mistake will not cause a system to crumble like a house of cards. An exploit may easily pass through one layer but will be blocked by another layer, and if not, it will be blocked by yet another layer. Suppose malware gets installed by bypassing security through an unknown exploit. Now the malware has to break even more security to run and break even more security to get itself to run on system startup. Not only that, now that the malware is running it needs to actually do something. Not a very easy thing to do. SSP, ASLR, and PaX are preventive security measures that protect systems against very common, and most importantly generic attack vectors. SELinux and similar ACL technologies protect by using policy, which means your application cannot do something it was not intended to do.
Secure coding practices are only a part of the equation. We still need these other technologies to mitigate exploits that are bound to happen. AV is not an ideal solution and is in fact the most inefficient solution. It’s more of a “kludge” than anything else.
There are also thousands of viruses floating about that can’t be stopped by secure coding practices. A simple ‘botnet’ style DDOS client can do everything it needs just using the same privileges that Apache2 needs to run, so any sort of injection attack (they exist) against any child process of Apache will be able to make the machine/server a zombie.
I think you’re missing the point. With proper security a DDOS client will never get the same privileges that Apache2 has.
A single mistake in (for example) the SSH source (Unlikely I know but there are other packages with similar security needs) would make a system vulnerable.
Proper security is layered so a single mistake will not make a system vulnerable. Let’s pretend that openssh has a buffer overflow. One layer of protection is SSP. Another layer of protection is SELinux. If SSP doesn’t protect against that particular overflow, SELinux should be able to stop openssh from running arbitrary code based on policy. PIE allows users to take advantage of address space layout randomization, which eliminates another vector of attack.
99% of attacks on my servers come in the form of automated ‘skriptkiddie’ style scans. Most of these try to infect the target with malware that would be detectable by bog standard Antivirus software. So I refute your claim that there is ‘No need for AV scanners’
That’s not a very good refutation. With proper security in place none of the malware would ever touch your system. SELinux policies wouldn’t allow free reign, even with root access. SSP would stop a lot of buffer overflows from even happening, which is a very common vector of attack. ASLR eliminates another vector.
I agree with you. SElinux modules are very good at keeping out bad things, besides you’re obviously much better read than me on the whole Pax Selinux area.
However I doubt very much whether they are perfect. I mean if SELinux is perfect, and people are willing to stake reputations on it being perfect, then great. Otherwise, Anti Virus is another layer of protection in the security battle.
However I doubt very much whether they are perfect. I mean if SELinux is perfect, and people are willing to stake reputations on it being perfect, then great. Otherwise, Anti Virus is another layer of protection in the security battle.
I would say that having AV as another security layer is a good point if I did not believe AV is a kludge in the first place. It is a band-aid for bad security practices. On-access scanning incurs huge overhead on virtually everything that is done with a system. Now heuristic engines are becoming more and more important because of polymorphism and just the sheer rate of malware being produced. We’ll never keep up this way. Proper security doesn’t care what the signature of the application running looks like; if it doesn’t have a policy then it isn’t doing anything.
SELinux policies
chroot jails
ExecShield
PaX/SSP
Linux Distros have had these tools for quite some time now. Windows is just now embracing concepts such as making it difficult to execute code off the stack.
Also Linux Distros usually ship with package managers that use trusted repositories.
It is not a question of “when” it’s a question of “will distros be ready for the security issues of the future”. The tools need to be made available and pre-configured. The users need to be educated so they don’t enter their login password into a javascript message box masquerading as a graphical sudo box.
One of the main reasons AV companies have made so much money is that Microsoft has not taken responsibility for Windows’ security until quite recently. Nor have they educated their users until recently. Nor have they added warning messages to potentially dangerous actions such as downloading an *.exe until recently.
touche
So, what’s the total amount of Linux viruses in active circulation these days? Still zero?
So the only reason I might want antivirus on a linux box is checking for Windows viruses on a file storage/email server, and since Windows viruses won’t affect my linux system, there is no need for the antivirus to have low level hooks.
Exactly. There tends to be a lot of naysayers when one thing threatens a big thing. (Linux v. Microsoft) It’s David against Goliath and David won.
“and since Windows viruses won’t affect my linux system, there is no need for the antivirus to have low level hooks.”
Maybe you don’t care as a user, but when you administer a server things change.
If your email/storage clients get infected through your server, if all your bandwidth is wasted transferring useless viruses attached to emails, when your clients get pissed and ask you to take responsibility because one stored file contains malicious code….. then you care about antivirus software for Linux.
“Maybe you don’t care as a user, but when you administer a server things change.
If your email/storage clients get infected through your server, if all your bandwidth is wasted transferring useless viruses attached to emails, when your clients get pissed and ask you to take responsibility because one stored file contains malicious code….. then you care about antivirus software for Linux.”
In this role, anti-spam and anti-virus software for Linux does exist. ClamAV. SpamAssassin. etc.
http://en.wikipedia.org/wiki/Clamav
http://en.wikipedia.org/wiki/Spam_Assassin
These applications still do not need low-level hooks into the Linux system. They just scan and delete files.
Edited 2006-10-23 03:35
I know about that software and some more (spambayes for example) but all help is welcome.
I’ve even read about filesystem-level on-access virus detection. Don’t ask where because I can’t remember or find the link
So you run a high-volume mail/ftp/web server. You have Clamav that scans every file in the system every day (reducing server performance during these times).
How many viruses would be transmitted in the time between infection and the A/V scan? Thousands?
If you have a mailserver you scan when a message arrives via SMTP and not periodically.
Clamav works great for that and it is just as good as any commercial solution.
Yeah. I suddenly realised that. That’s why I included web / ftp servers. Any time there is data transfer, there is the potential for malicious / badly formed information to cause damage.
I’ve never ever seen a Linux virus, and the day I have to scan my Linux boxes for native viruses is the day I switch to something else.
Antivirus is a big ugly bandaid on a severe chest wound. It is *not* a security solution. It is a kluge to try to make up for poor security design in the OS and apps.
That said, if you have Windows boxes on your network that just won’t go away, SquidClamAV Redirector + ClamAV-milter can be useful. This covers SMTP, FTP, HTTP, and HTTPS.
You’re wrong.
Not monitoring security (Anti-Virus / Network Traffic scans) is like setting up a prison and then not guarding it but relying on the walls / fences to keep people in.
Security isn’t pretty, or easy. But hiding your head in the sand and hoping that you’re secure enough is an irresponsible thing to do. Especially when you’re dealing with servers that serve data to other people.
Someone once said: Security is a journey, not a process.
AV on Linux? Besides whether we’d want AV software on Linux or not – I wouldn’t; selinux, grsec, pax, etc sound much better – it also has some hidden unwanted consequences. I have this weird hallucination about big-bucks companies buying large PR trains about how Linux also needs AV protection these days, so their security is not better than our security. It won’t matter whether we use them or not; their existence in itself can give them enough ammunition.
If someone said to you: we’re building a prison camp. There’s a nice high fence so we’ll just throw the prisoners behind it and then leave them to it, would you trust the prisoners not to escape?
Having good defenses (PaX, grsec, firewalls, bars on windows) is important, but so is constant monitoring.
Saying that there are Zero Linux viruses is a bit naive. There ARE Linux viruses ‘in the wild’ and as a server manager, I’ve had contacts with a couple of them, they’re pretty subtle and require some form of automatic scanning system to reliably detect them.
Just because you don’t know you’ve got a virus doesn’t mean that you don’t. At the very least, Linux A/V software lets you know when you are infected.
Stephen
Saying that there are Zero Linux viruses is a bit naive
Yes, it’s the naive truth. You should try it too.
There ARE Linux viruses ‘in the wild’ and as a server manager, I’ve had contacts with a couple of them, they’re pretty subtle and require some form of automatic scanning system to reliably detect them
OK. NAMES please. I call FUD.
Or you’re really clueless and confuse trojans or rootkits with virus.
Just because you don’t know you’ve got a virus doesn’t mean that you don’t. At the very least, Linux A/V software lets you know when you are infected
BS, Linux AV software mostly runs with email servers and doesn’t tell you you’re infected at all.
They just tell you if your emails are infected.
They won’t protect you against trojans or rootkits.
BS, Linux AV software mostly runs with email servers and doesn’t tell you you’re infected at all.
Actually, ClamAV and Sophos for linux both do scheduled scans AND on-access scanning of all documents/processes in a system.
Or you’re really clueless and confuse trojans or rootkits with virus.
You must remember that a Rootkit/Trojan can be a Virus as well. Also, remember that, except in technically-sensitive contexts (not in this case), language is defined by usage. Most people, when talking of Viruses, mean the full gamut of malware (minus adware). In the same way that people are excused when they misuse the term hacker.
Common Virus Definition: self-replicating computer program written to alter the way a computer operates, without the permission or knowledge of the user.
I was infected by Linux.RST. This self-replicates (to all executables in the system) without the permission or knowledge of the user. The fact that it doesn’t broadcast itself to other machines is irrelevant here.
They won’t protect you against trojans or rootkits.
No, most of them don’t but at least you are aware that you have a compromised/degraded system and allow you to take corrective action. Burying you head in the sand and declaring ‘My system is secure’ won’t help anyone.
I was infected by Linux.RST. This self-replicates (to all executables in the system) without the permission or knowledge of the user. The fact that it doesn’t broadcast itself to other machines is irrelevant here.
Oh, I beg to differ, it’s very relevant.
What you just proved is how hard it is to get a virus under Linux. You have to:
1) “Manually” bring an infected executable into the machine. How would that happen, pray tell, if the virus has no networking capabilities and all installed software is either a signed binary from a repository or a source package?
2) In order for it to infect “all” the executables you’d have to run it as root. Otherwise it would infect nothing; ordinary users don’t have write privileges to any system-installed executable.
It’s like that joke about you being asked to delete your own files because the virus can’t.
1) A hacker ‘injected’ it through a buggy piece of software into memory. (A well known/used PHP application.) 2 zero-day attacks happened on the server before it could be patched.
2) I develop compiled software for web applications. That machine is used to test/compile some of these applications. I compile them, give them the same permissions as the Apache user, and run them. Now they are infected. If I then push the software to a client’s machine, who knows what permissions he will run the program as.
The point I’m making is that if I have anti-virus software, I stop the virus the moment it is loaded. If I don’t have anti-virus, that particular virus would probably be still running, and my server would be a Zombie on a bot-net.
“There ARE Linux viruses ‘in the wild’ “
An anti-virus vendor made this claim once. Said there were about 800 Linux viruses (compared with countless thousands for Windows). Even provided a list on their website.
Someone did an investigation.
Turns out that nearly every last one they listed was a Windows virus with “linux” in the name.
http://lwn.net/Articles/166984/
http://archives.seul.org/seul/edu/Apr-2002/msg00285.html
Edited 2006-10-23 10:21
Turns out (someone claimed above that Trojans are not viruses) that Trojans can be viruses. Take a look at Linux.RST. It exhibits viral behaviour.
http://www.viruslibrary.com/virusinfo/Linux.htm
BTW. Linux.RST is one of the ones that I was infected with. I also had SSHD22-B which is a piece of malware that I can’t find a description for.
(Both these viruses got in through a small security hole in Horde, but did minimal damage to the system because of the security setup. However NO sysadmin wants viruses resident on a system)
//Take a look at Linux.RST. It exhibits viral behaviour. //
http://www.symantec.com/security_response/writeup.jsp?docid=2004-05…
Risk level: very low.
Wild
* Wild Level: Low
* Number of Infections: 0 – 49
* Number of Sites: 0 – 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Low
No idea on the vector. I’d put the chance of getting this very rare virus for real at next-to-nothing, especially if your policy is “install only from repositories”.
1. I didn’t get it from a repository, or a software install.
2. It was remotely run through a security hole in a piece of software (since patched).
3. If there had been a mistake in my security-setup, it would have infected every executable in my system (Removal: Very Difficult).
4. If I didn’t have anti-virus software, it would still be on that system, waiting for someone to make a mistake so that it could infect, and destroy my system.
5. From direct experience, I think that the Symantec Assessment is wrong. At best it is a guess. This isn’t a mass-distribution virus sent out in spam, It will only be sent to a system ONCE a vulnerability has been found in a system (i.e. a SkriptKit might deploy it Automatically).
//If there had been a mistake in my security-setup, it would have infected every executable in my system (Removal: Very Difficult). //
Well, no. Just re-install the whole OS (assuming you have a separate /home partition or a NAS server or similar). For my systems at least this operation wouldn’t take more than a couple of hours.
//1. I didn’t get it from a repository, or a software install.
2. It was remotely run through a security hole in a piece of software (since patched). //
There is not a claim that “there is no malware for Linux”. The claim is rather that malware for Linux is very rare, with an exceedingly poor vector, and as soon as one such as that is detected in the wild the hole is patched.
Propagation is exceedingly limited.
You would have to have been dead unlucky for this to have happened. I wouldn’t stand anywhere where a meteorite might hit you if I were you.
Edited 2006-10-23 11:44
Saying Linux users don’t need AV is like saying, “Hey I have a Hummer, no need to wear seatbelts because I’ll simply crush everybody in my path without me getting even a scratch.”
Until you hit a concrete building. Or have a minor tail-crash giving you a whiplash.
Production desktops/servers running Linux/MacOS/whatever need antivirus protection, as simple as that. noexec and root passwords are all fine, but they’re software barriers, which means they can be broken. And if that has happened, security software, incl. AV, might save you.
The ancient Greek culture had a good word for all those people here saying Linux is so secure you don’t need AV: hubris. And what happened to people that showed hubris?
Exactly.
Edited 2006-10-23 12:01
“Production desktops/servers running Linux/MacOS/whatever need antivirus protection, as simple as that.”
Actually you don’t need it. At this point in time. You might need it in the future though but even then the need for it would depend on the role and software said server/desktop runs.
Edited 2006-10-23 12:10
Actually you don’t need it. At this point in time. You might need it in the future though and even then the need for it would depend on the role and software said server/desktop runs.
Yes you do. Who knows when the really dangerous piece of malware/virus/whatever comes out? When is the line crossed?
Any good sysadmin has his servers/desktops locked down and secured, including AV, no matter what they run.
Edited 2006-10-23 12:12
//Yes you do. Who knows when the really dangerous piece of malware/virus/whatever comes out? When is the line crossed?//
If a “really dangerous piece of malware/virus/whatever comes out” for Linux, then you would have a race condition: which would become available first … the security patch for the software, or the virus definition for your anti-virus scanner?
Therefore, “the line is crossed” when the security holes remain open for longer than the propagation time for virus definition updates. This is the only situation under which a virus scanner is any help at all.
Linux hasn’t reached that point. For a start, there are precious few viruses. But viruses for which there is no security update available in repositories? They don’t exist at this time, AFAIK.
Remember, with Linux systems and applications, we typically aren’t at the mercy of a possibly uninterested proprietary vendor.
“Any good sysadmin has his servers/desktops locked down and secured, including AV, no matter what they run.”
When your *nix servers are locked down and secure you don’t need an AV. There are many and better ways (mtree, Tripwire, Aide, immutable bits, read-only filesystems, SElinux etc) to ensure system integrity and security for a server than AV.
Desktops, well, that’s a different matter but right now Linux does not have nearly a large enough userbase for it to be a feasible target for malware authors.
Even though it’s possible to create them there has been no (or at least extremely few) Linux malware/spyware to date.
It’s all about threat evaluation. Simply put; sure it could happen but the chances aren’t that big at this point in time.
Do you also stock up on bird flu vaccine, aids medication and canned food? You know, just in case?
Edited 2006-10-23 12:36
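The integrity tools named in the post above (mtree, Tripwire, Aide) and the Linux.RST behaviour described earlier in the thread (a resident infector rewriting executables) share one detection principle: record a baseline of digests and permission bits, then check the tree for drift. Below is an added example of that principle, not code from the thread or from any of those tools; the tree layout, file names and the appended "payload" marker are constructed, and it assumes the baseline file is kept somewhere the monitored host cannot rewrite.

```python
"""
Added example: a minimal mtree/Aide-style file-integrity check.

build_baseline() records the SHA-256 digest, size and permission bits of every
regular file under a directory; verify() later reports anything modified,
added or removed. An infector that appends itself to executables (the
behaviour attributed to Linux.RST in the thread) shows up as 'modified' even
when the file name, owner and timestamps are left untouched, as does a file
that silently gained a setuid bit.

Assumption: the baseline JSON lives on read-only or off-host storage. A
baseline that the compromised host can rewrite proves nothing.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Digest, size and mode bits (including setuid/setgid) of one file."""
    st = path.stat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root) -> dict:
    """Relative path -> fingerprint for every regular file under root.
    Symlinks are skipped: their targets may lie outside the tree."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        entries[p.relative_to(root).as_posix()] = fingerprint(p)
    return entries


def verify(root, baseline: dict) -> dict:
    """Compare the tree under root against a stored baseline."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, recorded in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != recorded:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def save_baseline(baseline: dict, dest) -> None:
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo(workdir=None) -> dict:
    """Constructed scenario: baseline a small 'bin' tree, then simulate an
    infector appending itself to one executable, a setuid bit appearing on
    another, one file dropped and one deleted. Returns the verify() report."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="integrity-demo-"))
    bin_dir = workdir / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    for name in ("ls", "cat", "sshd"):           # constructed stand-ins
        exe = bin_dir / name
        exe.write_bytes(b"#!/bin/sh\necho " + name.encode() + b"\n")
        exe.chmod(0o755)
    save_baseline(build_baseline(bin_dir), workdir / "baseline.json")

    # Simulated tampering (constructed, no real payload involved).
    with (bin_dir / "ls").open("ab") as fh:        # appended to executable
        fh.write(b"\n# constructed marker standing in for appended code\n")
    (bin_dir / "sshd").chmod(0o4755)               # setuid bit added
    (bin_dir / "dropped").write_bytes(b"#!/bin/sh\n")   # new file
    (bin_dir / "cat").unlink()                     # file removed

    return verify(bin_dir, load_baseline(workdir / "baseline.json"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Aide and Tripwire additionally record owner, inode and link count and sign the database; the comparison logic is the same.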
Do you also stock up on bird flu vaccine, aids medication and canned food? You know, just in case?
My government actually has. Large stockpiles of anti-flu vaccines have been bought in case bird flu indeed strikes over here.
So yes.
//noexec and root passwords are all fine, but they’re software barriers, which means they can be broken. And if that has happened, security software, incl. AV, might save you. //
The problem with this reasoning is that it assumes that the virus is known, in the wild, has a valid vector into Linux systems, and no patch for the hole that it uses has yet been made available.
Then you might, just might get saved from the virus by having an anti-virus scanner. If it is up to date, that is.
In practice it is probably more likely that the hole will have a patch and the vector will be closed down via a software security update before any virus signature has time to get around to virus scanners.
Just to summarise: it is not that viruses for Linux are impossible. It is just that they have an extremely tough job to propagate. You’d have to be tremendously unlucky to get infected by one.
Then again, I suppose there are some types who always wear two condoms. You know, to be sure, to be sure.
You really refuse to get it, don’t you?
It is IRRELEVANT whether or not a piece of malware propagates. When it has gotten hold of your system the system is COMPROMISED, propagating or not. And, AV software can FIND the malware, and destroy it. THAT is why you NEED AV software on production servers and desktops, because as some have shown in this thread, there ARE pieces of malware Linux AV can detect and get rid of.
No, on your current home desktop which gets updated every new Ubuntu release, AV is overkill. But on production machines, it is a necessity.
//And, AV software can FIND the malware, and destroy it.//
Only if the AV software happens to have the virus definition and the vulnerable Linux application still has no patch.
Rare.
Lets all worry about meteorites falling on our heads. A lot more of a clear and present danger.
Only if the AV software happens to have the virus definition
Which in some cases it will have, as described in this thread by other people.
and the vulnerable Linux application still has no patch.
Hubris, hubris, hubris. It’s all over you. The time it takes for a patch to find its way from programmer to end user, which includes the process of being made available via official distro repositories, can take MUCH longer than it takes an AV company to release a new alert and definition.
But, you believe Linux software is magically less buggy than their Windows counterparts, and that nothing in this whole wide world will ever be able to bypass noexec and the user/root divide.
Which is fine.
//The time it takes for a patch to find its way from programmer to end user, which includes the process of being made available via official distro repositories, can take MUCH longer than it takes an AV company to release a new alert and definition. //
Name one case for Linux systems for which this claim holds.
Name one case for Linux systems for which this claim holds.
Like I said: CAN take longer. There is no reason to assume that when you make a trip to the equator, you will surely get malaria. Would you still travel there without taking malaria medication?
//Like I said: CAN take longer. //
But you know of no case where it has done so. I thought so.
//There is no reason to assume that when you make a trip to the equator, you will surely get malaria. Would you still travel there without taking malaria medication?//
What in heavens name are you talking about?
I’m not sure if this comment was another strawman:
http://en.wikipedia.org/wiki/Strawman
… or simply a non-sequitur
http://en.wikipedia.org/wiki/Non_sequitur_%28logic%29
… but it makes little sense in this context where we can’t seem to find any actual, real, valid use of an AV scanner for a Linux end-user system.
Only there are numerous documented instances of people getting malaria in the tropics (a verified risk) and none of Linux malware (baseless speculation at best).
//But, you believe Linux software is magically less buggy than their Windows counterparts, and that nothing in this whole wide world will ever be able to bypass noexec and the user/root divide. //
Strawman.
http://en.wikipedia.org/wiki/Strawman_arguments
Whoa!
That is rich.
I make a perfectly valid point about Thom’s argument being invalid by virtue of it being a strawman, and I get modded down?
ROFL. Some people are precious, aren’t they!
Even richer … when Thom decides to insult someone else, his own posts are “mod down proof”.
How precious is that!
Edited 2006-10-23 12:59
Hubris, hubris, hubris. It’s all over you. The time it takes for a patch to find its way from programmer to end user, which includes the process of being made available via official distro repositories, can take MUCH longer than it takes an AV company to release a new alert and definition
OK, so you base your opinion on a supposition ?
Well, we’re basing our opinion on facts : to this day, NOT EVEN ONE security hole that a virus can use had an AV signature before the hole was closed on every distro.
But, you believe Linux software is magically less buggy than their Windows counterparts, and that nothing in this whole wide world will ever be able to bypass noexec and the user/root divide
Strawman. Linux being less buggy than Windows has nothing to do with magic and a lot to do with design. Like Linux was multiuser, preemptive multitasking and network aware from the start.
OK, so you base your opinion on a supposition ?
When it comes to security, YES. When you’re talking important production machines, you have to prepare for even the most unlikely of scenarios. A clean security record does not mean it cannot be broken in the future.
Where I work, we are specialised in securing homes by using police-approved locks, door knobs, you name it. Yet the most important thing to clarify to a customer is that if someone really wants to break into their house, no lock will stop them, police-approved or not.
Same with software. No matter how clean a security record may be, you need to take every precaution to prevent anything from happening.
When it comes to security, YES. When you’re talking important production machines, you have to prepare for even the most unlikely of scenarios. A clean security record does not mean it cannot be broken in the future.
…
Same with software. No matter how clean a security record may be, you need to take every precaution to prevent anything from happening
This is what IDS and IPS are for, there’s absolutely NO need for AV software on Linux.
AV software serves absolutely no purpose except on Windows systems.
But go on trying to find one, it can only help. Just don’t say such nonsense like it’s a needed solution now, because it’s not.
This is what IDS and IPS are for, there’s absolutely NO need for AV software on Linux.
I absolutely disagree. There is a huge need for AV software on Linux.
It’s imperative to check incoming e-mail for Windows virii on mail servers. Clamav FTW!
//there ARE pieces of malware Linux AV can detect and get rid of. //
AFAIK there are none for which the original vulnerability has no patch.
If one is on the net and therefore exposed to viruses, one can also apply security patches and become unexposed. AFAIK in nearly every case the security patch is available in the same order of time as the virus definition is.
//No, on your current home desktop which gets updated every new Ubuntu release, AV is overkill.//
Yes. This is the use case about which I am talking.
It is IRRELEVANT whether or not a piece of malware propagates. When it has gotten hold of your system the system is COMPROMISED, propagating or not. And, AV software can FIND the malware, and destroy it. THAT is why you NEED AV software on production servers and desktops, because as some have shown in this thread, there ARE pieces of malware Linux AV can detect and get rid of
What a load of BS. If your system is compromised, your AV is IRRELEVANT like you say. As long as the hole is not fixed at least, your AV won’t do you any good, as you will be compromised again and again. You DON’T need AV software at all, because it is another vector of attack, especially if it can modify all your executables like you say. A tripwire equivalent is MUCH more efficient than your stupid AV that won’t fix the problem in the first place.
The tripwire equivalent will alert you that your executables changed and which ones : far better than your AV.
And nobody showed anything on this thread, only one FUDder said things.
No, on your current home desktop which gets updated every new Ubuntu release, AV is overkill. But on production machines, it is a necessity
BS, even a production machine with, say, Debian (or Ubuntu) can be updated constantly, no need for a release.
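The “tripwire equivalent” the poster above prefers is a file integrity baseline: hash every executable once, then re-hash and report exactly which files were modified, added or removed. The following Python is an added illustration of that idea, not code from the thread or from Tripwire itself; the function names and the temporary directory fixture are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map relative path -> (sha256, permission bits, size) for every regular file under root.
    Permission bits are included so a file that was only chmod'ed (e.g. made setuid) is flagged too."""
    baseline = {}
    root_path = Path(root)
    for dirpath, _, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and special files are out of scope for this example
            st = p.stat()
            baseline[str(p.relative_to(root_path))] = (sha256_file(p), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report which files changed since the baseline; this is the alert a tripwire-style tool raises."""
    return {
        "modified": sorted(k for k in old if k in new and old[k] != new[k]),
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
    }


def demo_scenario() -> dict:
    """Constructed fixture: baseline a fake bin/ directory, then alter it and return the report."""
    root = tempfile.mkdtemp()
    (Path(root) / "bin").mkdir()
    (Path(root) / "bin" / "ls").write_bytes(b"original ls binary")
    (Path(root) / "bin" / "cat").write_bytes(b"original cat binary")
    baseline = build_baseline(root)          # taken from a known-good install
    (Path(root) / "bin" / "ls").write_bytes(b"replaced ls binary")   # tampered executable
    (Path(root) / "bin" / "extra").write_bytes(b"dropped file")      # new file appeared
    os.remove(Path(root) / "bin" / "cat")                            # file went missing
    return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo_scenario())
```

Keep the baseline on read-only or offline storage: a report is only as trustworthy as the baseline it is compared against.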
You would have to have been dead unlucky for this to have happened. I wouldn’t stand anywhere where a meteorite might hit you if I were you.
You’re wrong. My webservers run SNORT and they get about 600 security alerts a day from various script kiddies around the world. The moment a well-known piece of software gets exploited, about 1,000 attacks happen, trying to exploit that hole. If you’re unlucky enough to have that piece of software installed (in my case, a PHP script), then you’re very likely to have a security breach.
Turns out (someone claimed above that Trojans are not viruses) that Trojans can be viruses. Take a look at Linux.RST. It exhibits viral behaviour