Mick wrote:
> On 28/03/2008, 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote:

>>
>> Anti-Virus on Linux. No.
>> (presuming that you don't run as root, and have lots of unprivileged
>> users for individual applications.)
>>
>> Anti-Malware on Linux. Yes.
>> (Malware gets to the box via spoofed or hacked software distribution or
>> creation sites; bad links or poisoned DNS caches; or via (e.g.) browser
>> memory attacks - at plugins or exploits)
>>
>> The old-timers will tell you that safe hex and perhaps integrity
>> monitoring (e.g. Samhain or Tripwire) are all that's needed. But desktop
>> Linux with browsing, IM, etc. is changing that, IMHO.
>>
>> The three packages above have Linux Trojan and rootkit signatures, as
>> well as Windows malware sigs. Easy enough to run an occasional scan of
>> the Linux box (or Windows partition); and to scan each Linux download
>> before reading, compiling, or passing on.
>>
>> (Dazuko additionally allows realtime scans of compilation read/writes).
>>
>> IMHO, Linux and MAC are the next frontier for malware, and -SADLY-
>> AntiMalware signature and heuristic techniques are one thing we can
>> learn about from Windows :-(
>
> http://news.yahoo.com/s/pcworld/20080327/tc_pcworld/143901
>
> What worries me is the reference to Safari . . . (khtml rendering engine?)
>
> What is an appropriate anti-malware for Linux, other than safe-hex?

As a "monitor" (a.k.a. real-time access), I've had good experience with
AntiVir and Dazuko. AntiVir has lots of Linux signatures and heuristics,
and Dazuko/AntiVir has both caught bugs in downloads, and blocked
"suspicious scripts" in my browser cache when visiting bad sites.

As a "scanner", I tend to scan my box from a second "maintenance OS" on
another partition, hoping to avoid stealthing by any RootKits on the
primary partition. Scanning includes Samhain, equery md5 checks, the
three Anti-Malware products mentioned earlier, Rootkithunter, and
Checkrootkit. I'll run this occasionally overnight.

Interesting that this year's exploit was a "safe" browser, Safari, on a
"safe" 'nix/BSD OS.... MAC. And last year's exploit winner, QuickTime,
can also appear on multiple OS's. Both of these were likely online
attacks; via streaming in the case of QuickTime.

Seems to me that WAN-connected applications should be sequestered from
the rest of the system in the same way that a server sequesters
WAN-connected processes - i.e. put them each in their own chroot jail.
In addition to individual chroot jails, I run my mail client and browser
in RamDisk - so that any changes to them (other than bookmarks and mail)
are discarded at shutdown.

Using Hardened Sources (GRSecurity) with both memory protection and
access control, one gets a particularly resilient, hardened chroot jail
(i.e. OpenBSD theory :-) ) and a kernel that restricts where the browser
user/application can go, and what it can do.

hth

--
gentoo-user@l.g.o mailing list
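The RamDisk arrangement the reply describes (browser profile lives in RAM, only bookmarks survive a shutdown), as an added example that is not from the post or the mailing list: a POSIX shell wrapper that seeds a copy of the profile into a tmpfs-backed directory, symlinks only the bookmarks file back to disk, and deletes the copy when the browser exits. The profile location, /dev/shm as the RAM-backed base, the `bookmarks.html` filename and the `firefox --profile` launch line are assumptions for this example.

```shell
#!/bin/sh
# Added example: run a browser from a throw-away copy of its profile held in a
# RAM-backed directory, keep only the bookmarks file on disk, and delete the
# copy on exit. PERSIST, EPHEMERAL_BASE, KEEP and the BROWSER command line are
# assumptions for this example, not settings from the post. PERSIST must be an
# absolute path so the symlink created below resolves from the working copy.
set -eu

PERSIST="${PERSIST:-${HOME:-/tmp}/.config/ephemeral-browser}"  # on disk, survives reboots
EPHEMERAL_BASE="${EPHEMERAL_BASE:-/dev/shm}"                     # tmpfs on most Linux systems
BROWSER="${BROWSER:-firefox}"
KEEP="bookmarks.html"                                            # the one file allowed to persist

# Seed a working profile under $2 from the persistent directory $1 and replace
# the bookmarks file in the copy with a symlink to the on-disk original, so an
# edit to bookmarks is the only change that survives. Prints the working path.
setup_profile() {
    persist="$1"; base="$2"
    mkdir -p "$persist"
    [ -e "$persist/$KEEP" ] || : > "$persist/$KEEP"
    work=$(mktemp -d "$base/browser-profile.XXXXXX")
    cp -a "$persist/." "$work/"
    rm -f "$work/$KEEP"
    ln -s "$persist/$KEEP" "$work/$KEEP"
    printf '%s\n' "$work"
}

# Discard the working profile $1; refuse anything outside the RAM-backed base
# $2 so a bad argument cannot delete the on-disk directory. Cache, cookies and
# any file a hostile page managed to drop go with the directory; the bookmarks
# file is untouched because only a symlink to it lived here.
teardown_profile() {
    work="$1"; base="$2"
    case "$work" in
        "$base"/*) rm -rf "$work" ;;
        *) printf 'refusing to remove %s\n' "$work" >&2; return 1 ;;
    esac
}

# Launch the browser on the ephemeral profile and clean up however it exits.
run_browser() {
    work=$(setup_profile "$PERSIST" "$EPHEMERAL_BASE")
    trap 'teardown_profile "$work" "$EPHEMERAL_BASE"' EXIT INT TERM
    "$BROWSER" --profile "$work" "$@"
}
```

Source the file for its functions or call `run_browser https://example.org` from a launcher; the same seed-and-symlink pattern carries over to a mail client profile with the mail store as the persistent path.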