forgottenwizard wrote:
> On 20:13 Fri 09 May , 7v5w7go9ub0o wrote:
>> I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
>> Dazuko!
>>
>> 1. The Antivir database and heuristics contain dozens of Linux-specific
>> rootkits and Trojans. These in addition to Windows sigs. FWICT, the only
>> freeware AntiMalware that takes Linux seriously (Kaspersky payware does).
>>
>> 2. With Dazuko - a LKM, developed by AntiVir/Avira which provides
>> real-time, on-access (read/write) scanning within directories you specify
>> in configuration. I scan mail (in a chroot jail), browser and downloads
>> (within a chroot jail, within RamDisk), Portage and portage work areas, and
>> /home.
>>
>> Given that emerges are done with Root privilege, this scanning for
>> signatures may keep your box from being borked, should someone hack a
>> distribution site, or poison the DNS system, or etc.
>>
>> 3. Recent testing by Windows testers indicates that Antivir is now one of
>> the better Windows AVs, and that their heuristics are quite effective. I'd
>> guess the same to be true for 'ix.
>>
>> 4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left
>> unrepaired because I think it's so great:
>>
>> "ANTIVIR 2008-05-05_05:49:12.39449 Mon May 5 01:49:12 2008 WARNING: file
>> '/etc/openvpn/trustconnect/pwd' is group or others accessible"
>>
>> 5. Its heuristics have notified me of XSS script attacks (at test sites)
>> after scanning scripts loaded into the browser cache, with "suspicious
>> script" warnings - and blocking that script from use by the browser. The
>> only other tool of similar function that I know of is "NoScript", an
>> extension for use in FireFox.
>>
>> 6. I run WAN/LAN-connected applications in chroot jails (Grsecurity
>> Hardened). Anything downloaded into a browser jail, lftp or TBird jail is
>> moved to a "download" area via a script that invokes a deep scan by Antivir
>> after it gets there. Dazuko invokes a second scan, as it also monitors
>> that area.
>>
>> 7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
>> AntiMalwares, or customized to respond to user-created tests (e.g. changed
>> file).
>>
>> 8. Linux and Unix oldtimers will scoff at real-time malware scanning - but
>> I'm convinced that in today's world, realtime scanning is one important
>> thing (perhaps the only thing) that we can learn from Windows.
>>
>> HTH
>>
>
> I think a lot of old-timers also realize that, unless you specifically
> allow something to run, then it can't hurt you.

Agreed! Keep the power off; allow nothing to run; a safe state.

>
> Chances are, unless you are allowing XSS and are surfing sites you can't
> trust, you're close to bullet-proof, with the exception of program
> exploits that you really can't do anything about.

Well, nowadays you can take significant steps against "those" exploits
as well - memory protection and RBAC are two obvious ones. Hardened
kernels and hardened chroot jails also effectively confine many of
"those" exploits.

Realtime Linux Anti-Trojan signature scanning overhead is simply cheap
(almost free) insurance IMHO, and may be most important when compiling
and installing new or updated sourcecode. Or installing a new plugin to
your browser; or opening a media file.

But I sure acknowledge the majority opinion - almost ALL Linux users,
and many Windows users as well, choose not to run real-time
AntiMalware scanners.

--
gentoo-user@l.g.o mailing list
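Point 4 of the quoted message shows Antivir flagging a credential file under /etc/openvpn as "group or others accessible". The check behind that warning is a plain permission-bit test, and a defender can run the same check over a directory tree with a few lines of Python. The block below is an added example written for this page; it is not Antivir, Dazuko or any gentoo-user poster's code. The directory layout, the file names (an `openvpn/pwd` secret with a lax 0644 mode beside a correctly locked 0600 copy) and the `permcheck_` temp-dir prefix are constructed for the demonstration; only the wording of the warning mirrors the log line quoted above.

```python
import os
import stat
import tempfile

# Any of these bits set on a secret file means it is readable, writable or
# executable by the group or by everyone else, which is what the quoted
# Antivir warning complains about.
GROUP_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO

# Owner-only mode that a hardening pass would apply to a credential file.
OWNER_ONLY = stat.S_IRUSR | stat.S_IWUSR  # 0o600


def group_or_others_accessible(path):
    """Return True if `path` is a regular file with any group/other bit set.

    Symlinks are skipped: their own mode bits are meaningless, and the target
    is reported on its own when the walk reaches it.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return bool(st.st_mode & GROUP_OTHER_BITS)


def scan_tree(root):
    """Walk `root` and return the sorted list of files failing the check."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if group_or_others_accessible(full):
                findings.append(full)
    return sorted(findings)


def format_warning(path):
    """Produce a one-line warning in the same wording as the quoted log entry."""
    return f"WARNING: file '{path}' is group or others accessible"


def harden(path):
    """Clear group/other bits by setting owner-only mode; return the new mode."""
    os.chmod(path, OWNER_ONLY)
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Constructed sample tree: one lax secret and one correctly locked one.

    Returns (root, findings_before_fix, findings_after_fix).
    """
    root = tempfile.mkdtemp(prefix="permcheck_")  # constructed scratch dir
    secrets = os.path.join(root, "openvpn")
    os.mkdir(secrets, 0o700)
    lax = os.path.join(secrets, "pwd")        # constructed: mode 0644, should be flagged
    safe = os.path.join(secrets, "pwd.ok")    # constructed: mode 0600, should pass
    for p in (lax, safe):
        with open(p, "w") as fh:
            fh.write("constructed-sample-password\n")
    os.chmod(lax, 0o644)
    os.chmod(safe, 0o600)

    before = scan_tree(root)
    for hit in before:
        print(format_warning(hit))
        harden(hit)
    after = scan_tree(root)
    return root, before, after


if __name__ == "__main__":
    _root, flagged, remaining = demo()
    print(f"flagged {len(flagged)} file(s); {len(remaining)} remain after hardening")
```

Run it as a script to see the single warning for `openvpn/pwd` and confirm that nothing is reported after the 0600 fix. Dropping the `harden()` call turns it into a read-only audit suitable for a cron job over /etc or a chroot jail, which is the stance the quoted poster takes (report, but leave the decision to the admin).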