[sf-lug] Linux Anti-Virus tool - comments requested...

Robert Johnson emailbox6357 at gmail.com
Sun Jul 29 22:33:33 PDT 2018


Since I am a recovering Windows addict and for the near term have to
continue to use Windows, what AV software do you guys recommend?  Or
are you all using all FOSS?  I got a copy of Ubuntu recently because
it seemed more workable to transition from that OS to BSD (for some
reason, I like BSD) to Linux or, again my favorite BSD...

On 7/27/18, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Robert Johnson (emailbox6357 at gmail.com):
>
>> About six months ago or so I remember reading a story in one of the
>> computer magazines - can't remember which one - and someone reported
>> that a Linux server was "infected" and hacked in some fashion and the
>> business had to pay to get back control of their server.  They also
>> mentioned, surprisingly, that the company had not updated the server
>> in several years!  If it ain't broke, right?!?!  Thanks for the info
>> on your "rant" page.
>
> Yr. very welcome!
>
> One can make a good argument for searching _some_ Linux machines for
> MS-Windows malware, specifically Linux machines that handle files
> destined for Windows machines, e.g., Linux SMTP servers processing
> incoming mail for Windows users, and Linux Samba servers providing file
> and printing shares intended to appear in Network Neighborhood.  Because
> so many Windows boxes are operated in a manner vulnerable to malware
> aimed at them, and run by users who'll never learn how to simply
> _avoid running_ such malware, the need is widely perceived to filter out
> arriving Windows malware before it reaches them.
>
> As it happens, there's a pretty decent and 100% open source virus
> scanner that looks for MS-Windows malware on Linux (and other OSes).
> It's called ClamAV.  Not (IMO) in the least bit coincidentally, ClamAV
> is almost the _only_ malware scanning program that warned users about
> Sony's infamous corporate-issued BMG rootkit in 2005.  Practically
> all the others corruptly (or incompetently, take your pick) ignored Sony's
> corporate malware.
>
> About that magazine story you mentioned:  As most folks are aware,
> reporters at magazines and newspapers are almost always starved for
> easily usable material and must find enough of it, just about invariably
> on short deadline.  And there, like a miracle, there appear press
> releases from AV/security companies.  Do they mind the reporter
> copy/pasting and publishing the press releases as news?  Heck no.
> That's basically what they're there for.
>
> As you suggest, a Linux server unmaintained for long periods of time is
> at even greater risk (generally speaking) of security compromise than a
> Linux desktop box given the same treatment.  So, the course of action
> that follows tends to be as follows:
>
> 1.  After years of neglect (accumulating unfixed security bugs in
>     public-facing software), someone finds a path in.
>
> 2.  That person probes the system's security from _inside_[1] to
>     escalate privilege to superuser authority.
>
> 3.  Then, still later, the intruder installs custom software to
>     hide his/her presence (a 'rootkit').
>
> 4.  Then, still later, the intruder installs a backdoor feature
>     to permit re-entry if discovered and ejected.
>
> 5.  Much later, the backdoor is discovered and proclaimed a 'virus',
>     and the rootkit is maybe discovered and called 'malware'.
>
> 6.  Some antivirus company then writes a press release about this,
>     carefully omitting the entire history up to step #4[2] and acting
>     like it was incomprehensible black magic.
>
> 7.  Profit!
>
>
>> About a year ago I switched to Bitdefender because they have a package
>> that is Linux compatible.  I never purchased it, but I kept thinking
>> about it.  Every time some new virus was discovered I would think about
>> it.
>
> My own view about that, which I offer for your kind consideration, to
> agree with or not:  IMO, the only truly interesting question about a
> piece of malware is this one -- how does it get loaded and run?
>
> Code that isn't ever loaded and run is by definition _inert_.  E.g.,
> starting back in the 1980s when I was IT staff at a software firm, I had
> a 'library' of dozens of MS-Windows viruses stored on a stack of
> floppies (plus a separate stack of MacOS viruses), that I'd captured
> copies of for my ongoing amusement.  People visiting my desk would see
> the floppies and ask if I weren't afraid of them.  Me:  'What, because
> they're going to leap out and bite me?'  The visitors were making no
> effort to understand _mechanism_.  Just sitting there, the files were
> obviously dead.  Only if _executed_ on a compatible OS, with adequate
> system authority to do mischief, could they do anything at all.
> Obviously, part of the entire point of my zoo of viruses was that I was
> _not_ going to go way out of my way to run them.  They were viruses
> under glass, pinned to a specimen display.
>
> Every time you read an article announcing 'new virus discovered', read
> carefully to find the detail about how it gets loaded and run.  99 times
> out of 100, you'll find that detail utterly missing (or that what is
> said makes no sense).  _If_ you are able to track down 'how does it get
> loaded and run', inevitably you find either:
>
> a) User has to carry out extremely and obviously foolhardy actions, or
> b) User left the machine wide-open to intrusion, and the intruder
>    got in through means unrelated to the malware, seized control of
>    the machine, and _then_ installed the malware.  (Thus Moen's
>    Third Law of Security, cited in the footnotes below.)
>
>
>
> [1] http://linuxmafia.com/~rick/lexicon.html#moenslaw-security1
>
>     Moen's First Law of Security
>
>     "It's easier to break in from the inside."  E.g., many Internet
>     break-ins result from masquerading as a legitimate user to gain
>     user-level access, e.g., with sniffed passwords.[link]  The
>     attacker then has a dramatically wider selection of system weak
>     points he/she can attack, compared to penetrating from outside.
>
>
>
> [2] http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3
>
>     Moen's Third Law of Security
>
>     "Malware is _not_ a security problem; malware is a secondary
>     _after-effect_ of a security problem."
>     [...]
>
>
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug
> Information about SF-LUG is at http://www.sf-lug.org/
> Related Information
> http://www.shallowsky.com/blog/
> http://explainshell.com/
>
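The scenario Rick describes above (a Linux box scanning Windows-bound files with ClamAV) can be scripted as below. This is an added example, not code from the thread or from the ClamAV project; it assumes `clamscan` is installed, and relies on its documented exit codes (0 clean, 1 infected, 2 error) and its `path: Signature FOUND` output line format. The share path and signature names in the sample output are constructed placeholders.

```python
"""Scan a directory of Windows-bound files (e.g. a Samba share) with
clamscan and turn the result into a small report.  Added example."""
import re
import shutil
import subprocess

# clamscan exit codes, as documented in its man page.
EXIT_CLEAN, EXIT_INFECTED, EXIT_ERROR = 0, 1, 2

# clamscan reports each hit as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_clamscan_output(text: str) -> dict:
    """Map each flagged path to its signature name; 'OK' lines are skipped."""
    hits = {}
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def classify(exit_code: int, hits: dict) -> str:
    """Human-readable verdict from clamscan's exit code and parsed hits."""
    if exit_code == EXIT_CLEAN:
        return "clean"
    if exit_code == EXIT_INFECTED:
        return f"infected: {len(hits)} file(s)"
    return "scan error (check signature database, permissions, disk)"


def scan_share(path: str) -> tuple:
    """Recursive scan (-r), print only infected files (-i), no summary."""
    exe = shutil.which("clamscan")
    if exe is None:
        raise FileNotFoundError("clamscan is not installed")
    proc = subprocess.run([exe, "-r", "-i", "--no-summary", path],
                          capture_output=True, text=True)
    return proc.returncode, parse_clamscan_output(proc.stdout)


# Constructed sample output (placeholder path and signature names).
SAMPLE_OUTPUT = """\
/srv/samba/share/invoice.exe: Win.Trojan.PLACEHOLDER FOUND
/srv/samba/share/readme.txt: OK
/srv/samba/share/eicar.com: Eicar-Test-PLACEHOLDER FOUND
"""

if __name__ == "__main__":
    hits = parse_clamscan_output(SAMPLE_OUTPUT)
    print(classify(EXIT_INFECTED, hits), hits)
```

On a real host, `scan_share("/srv/samba/share")` performs the scan; on a mail server the same call can be pointed at the spool or quarantine directory.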