| 1 |
Mick wrote: |
| 2 |
> On 28/03/2008, 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote: |
| 3 |
|
| 4 |
>> |
| 5 |
>> Anti-Virus on Linux. No. |
| 6 |
>> (presuming that you don't run as root, and have lots of unprivileged |
| 7 |
>> users for individual applications.) |
| 8 |
>> |
| 9 |
>> Anti-Malware on Linux. Yes. |
| 10 |
>> (Malware gets to the box via spoofed or hacked software distribution or |
| 11 |
>> creation sites; bad links or poisoned DNS caches; or via (e.g.) browser |
| 12 |
>> memory attacks - at plugins or exploits) |
| 13 |
>> |
| 14 |
>> The oldtimers will tell you that safe hex and perhaps integrity |
| 15 |
>> monitoring (e.g. Samhain or tripwire) are all that's needed. But desktop |
| 16 |
>> Linux with Browsing, IM, etc. is changing that, IMHO. |
| 17 |
>> |
| 18 |
>> The three packages above have Linux Trojan and Rootkit signatures, as |
| 19 |
>> well as Windows malware sigs. Easy enough to run an occasional scan of |
| 20 |
>> the Linux box (or Windows partition); and to scan each Linux download |
| 21 |
>> before reading, compiling, or passing on. |
| 22 |
>> |
| 23 |
>> (Dazuko additionally allows realtime scans of compilation read/writes). |
| 24 |
>> |
| 25 |
>> IMHO, Linux and MAC are the next frontier for malware, and -SADLY- |
| 26 |
>> AntiMalware signature and heuristic techniques are one thing we can |
| 27 |
>> learn about from Windows :-( |
| 28 |
> |
| 29 |
> http://news.yahoo.com/s/pcworld/20080327/tc_pcworld/143901 |
| 30 |
> |
| 31 |
> What worries me is the reference to Safari . . . (khtml rendering engine?) |
| 32 |
> |
| 33 |
> What is an appropriate anti-malware for Linux, other than safe-hex? |
| 34 |
|
| 35 |
As a "monitor" (a.k.a. real-time access), I've had good experience with |
| 36 |
AntiVir and Dazuko. AntiVir has lots of Linux signatures and heuristics, |
| 37 |
and Dazuko/Antivir has both caught bugs in downloads, and blocked |
| 38 |
"suspicious scripts" in my browser cache when visiting bad sites. |
| 39 |
|
| 40 |
As a "scanner", I tend to scan my box from a second "maintenance OS" on |
| 41 |
another partition hoping to avoid stealthing by any RootKits on the |
| 42 |
primary partition. Scanning includes Samhain, equery md5 checks, the |
| 43 |
three Anti-Malware products mentioned earlier, Rootkithunter, and |
| 44 |
Checkrootkit. I'll run this occasionally overnight. |
| 45 |
|
| 46 |
Interesting that this year's exploit was a "safe" browser Safari, on a |
| 47 |
"safe" 'nix/BSD OS.... MAC. And last year's exploit winner, QuickTime, |
| 48 |
can also appear on multiple OS's. Both of these were likely online |
| 49 |
attacks; via streaming in the case of quicktime. |
| 50 |
|
| 51 |
Seems to me that WAN-connected applications should be sequestered from |
| 52 |
the rest of the system in the same way that a server sequesters |
| 53 |
WAN-connected processes - i.e. put them each in their own chroot jail. |
| 54 |
In addition to individual chroot jails, I run my mail client and browser |
| 55 |
in RamDisk - so that any changes to them (other than bookmarks and mail) |
| 56 |
are discarded at shutdown |
| 57 |
|
| 58 |
Using Hardened Sources (GRSecurity) with both memory protection and |
| 59 |
access control, one gets a particularly resilient, hardened chroot jail |
| 60 |
(i.e. OpenBSD theory :-) ) and a kernel that restricts where the browser |
| 61 |
user/application can go, and what it can do. |
| 62 |
|
| 63 |
hth |
| 64 |
|
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-user@l.g.o mailing list |
Archives