Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: AVG Ventures Into Linux Malware Protection

  1. #11
    Join Date
    Dec 2008
    Posts
    11

    Default

    No 64bit....even if I wanted to use it, I wouldn't bother.

  2. #12
    Join Date
    Apr 2009
    Location
    Toronto/North Bay Canada
    Posts
    877

    Default

    Quote Originally Posted by whaevr View Post
    No 64bit....even if I wanted to use it, I wouldn't bother.
    agreed

    If you use wine religiously or run a fileserver it may be useful (and i stress "may"). For the rest of us this is more-less pointless at the present time.

  3. #13
    Join Date
    May 2009
    Posts
    44

    Default

    Quote Originally Posted by L33F3R View Post
    agreed

    If you use wine religiously or run a fileserver it may be useful (and i stress "may"). For the rest of us this is more-less pointless at the present time.
    Both yes and no.

    First we share the same flash memory devices with others who might run Windows. While we don't give a darn about it, ohters may not like your pendrive or mp3 player containing bad suprises.
    Second case are Samba shares.
    Another one are windows volumes you can fix. I wish I have reliable antivirus software able to scan and remove threats in mbr, boot sector, files and fix windows registry running under Linux.
    I agree Clamav has bad record here. It's good for email scanning, but it's p*ss poor at detecting malware in files.
    When one of my customers call for help just go there boot form pendrive, launch scan then have nice chat with his secretary or jut browse the net. When AV does its job, leave the bill, get your cash, call it a day and celebrate it with cold one when you're home. Who wouldn't love such a job

    In the end, while it's difficult infect Linux systemwide, user files still can get vired. The guys that write viruses target most common software and 'tho Linux is not so popular Firefox and Thunderbird are. Do you really think it is not possible to hijack the browser and make it run some extra code at application launch?
    Writing viruses it's more a identity theft business than fun it used to be and those guys get really smart. What got vired is less revelant as long as your personal data (bank account logins, passwords etc..) leak or your mails or documents can be deleted.
    We just have a luxury of being able to login as different user and fix the problem without reinstalling the OS.

  4. #14
    Join Date
    Apr 2009
    Location
    Toronto/North Bay Canada
    Posts
    877

    Default

    yea so the majority of it would protect against nasties coded for windows.

  5. #15
    Join Date
    Sep 2006
    Posts
    714

    Default

    Some points...

    1. It's true that Linux is vulnerable to focused human attacks. So is Windows, of course, but due to the diversity and the security model in Linux a generic attack is a waste of time.





    2. It's very easy to write a Virus for Linux. The binary format used by Linux is called ELF. It's open and easy to manipulate. So it's easy to stick a malicious payload into a existing binary...

    That is to say a person can take a existing Linux binary and stuff a virus into it. That's the classic definition of a Virus. Like how a real life virus is nothing but protein surround some DNA and infects existing human cells as a generator for making new viruses.

    This is different from a worm, or rootkit, which tend to be stand alone programs....

    To prove the fact that Linux is easy target for viruses a person even wrote a how-to on it.
    http://www.linuxsecurity.com/resourc...tml/index.html

    Of course like point one it's the Linux security model and diversity, along with low market penetration that keeps virus writers at bay.




    3. This is one of the major reasons why people are encouraged to use repositories and packaged management software for installing software and not to use source code or binary downloads.

    Apt-get used signed packaged lists that contain SHA hashes of packages from those repositories. A single bit changed will throw a security alert. RPM packages are individually signed so a similar situation is involved.

    Otherwise if a attacker was able to subvert a web server hosting your repository then they could modify the packages easy to install malicious software. As long as the signing and hashing of packages is done on a seperate system then what hosts the packages then security for Linux software is very high.



    4. Virus software is the worst sort of security snake oil being sold to the PC market.

    Most people think that it is useful for _removing_ viruses. Which it is NOT. It's completely worthless for removing and detecting virus threats that exist on your system. Complete and total shit. Complete shit in Windows and complete shit in Linux. The only reason why it would _seem_ to work is due to the incompitence or laziness of the virus writers.

    It is EASY to circumvent any sort of Rootkit detection or Virus detection software in any operating system. It's VERY VERY easy to do that in Linux.


    How they are able to do that is through the use of a LKM rootkit. What this is is that a attacker uses a Linux module to modify how the Linux system operates to disguise the rootkit from administrators and rootkit scanners.

    Since the attacker is operating at the kernel-level and virus scanning and rootkit scanning is operating at the userland level then the attacker can easily circumvent any attempts to detect him.

    The ONLY.

    And I mean this VERY SERIOUSLY.

    THE ONLY way to RELIABLY (as in you can depend on it) detect a LKM rootkit is to use system-wide checksums were the checksum'ng program is ran from another OS.

    That is you boot up your Linux server or PC with Knoppix CD or other live media and run a program like Tripwire or other host-based IDS (intrusion detection system) on your system and compare it against the records.

    This is becuase if you have a LKM in your system then this deactivates it since your booting up using a completely seperate kernel.

    Other tricks like using RPM's checksumming features or running Tripwire or other host-based IDS from inside your system won't work since those can be subverted by a LKM. It has to be a seperate OS, preferably one that is from read-only media.

    And you have to run these checks periodically and store the recorded checksums in a secure manner.

    And that is the _only_ solution right now. Needless to say it's very expensive and irritating to do that so most people do not do that.

    I don't give a flying fuck what Host-based IDS or Virus scanners or anybody else might say to the contrary. This is the only way to 100% reliably detect a attacker on your system. Anybody who says otherwise is a fool or a lier or both.

    Except maybe with TPM (trusted platform module). What those can do is that they use checksuming from boot-up to create a 'chain of trust' that can be used to validate a OS.

    So your motherboard has a TPM module. It checks your bootloader, 'Trusted GRub'. If Trusted Grub is ok then it checks your kernel. If your kernel is OK then it boots your kernel. Your kernel then checks the various LKMs it needs to access your file system and all that. If those are OK then it begins to boot the OS. Then the Linux + LKM check the various sensitive system programs and boots those... then those security programs check your OS. etc etc.

    But almost nobody does that either.


    This is also true for Windows. Kernel-level rootkits have existing for Windows since Windows 2000. Nowadays they are very sophisticated and are easily able to subvert and trick virus scanners.

    These are not secret. They are easy to obtain and modify. Many are even open source and the virus and malware industry is worthless against them.

    You can put extra software into the kernel to try to detect and fight kernel-level rootkits, but at that point it's a arms race. And as you can imagine shoving all that extra code into the kernel does not do good things for stability or performance.

    So while very sophisticated anit-malware software can fight against kernel-level rootkits, they are anything but reliable. Any new threats or unkown threats they are worthless against. Only older stuff.

    http://en.wikipedia.org/wiki/Rootkit
    http://www.rootkit.com/



    5. What Virus scanners are good for is detecting KNOWN threats PRIOR to having them installed on your system. That is they are good for email scanning, scanning removable media before they are accessed by the OS, scanning downloaded files before you open them, etc. etc.

    However they are not very effective against unkown or targetted attacks, which are the ones that Linux is vulnerable against.

    This is because the Linux OS developers are quick to address local security vulnerabilities as well as remote security vulnerabilities. So unless a attacker users social engineering to convince a user to install malicious software, which a virus scanner is mostly worthless against, then Linux OS is good against threats of that nature.

    So Virus scanners do not detect or defend against the sort of threats that are likely to be used against Linux users.



    6. So use this product as part of a file server that users can upload to (so that Windows users don't infect other Windows users) and for email filtering, and that sort of thing.

    Clamav is also good for that sort of thing and you can install it using apt-get or yum.

  6. #16
    Join Date
    Aug 2007
    Posts
    153

    Default

    Quote Originally Posted by RealNC View Post
    ClamAV seems to have one of the worst detection rates ever in an anti-virus app.
    http://blog.untangle.com/?p=96

    We learn something new every day. :3

    ~ C.

  7. #17
    Join Date
    May 2007
    Location
    Third Rock from the Sun
    Posts
    6,584

    Default

    Bah, it doesn't work. PulseAudio still gets kept on the system.

  8. #18
    Join Date
    May 2007
    Location
    Third Rock from the Sun
    Posts
    6,584

    Default

    Quote Originally Posted by MostAwesomeDude View Post
    http://blog.untangle.com/?p=96

    We learn something new every day. :3

    ~ C.
    That test is REALLY old (Aug 2007). AV's have come a long way in 2 years as has the malware and spyware. If you want a constant up to date list (unfortunately no clamAV) check out av comparatives.

    http://www.av-comparatives.org/

  9. #19
    Join Date
    Oct 2008
    Posts
    891

    Default

    Quote Originally Posted by Xeno View Post
    The guys that write viruses target most common software and 'tho Linux is not so popular Firefox and Thunderbird are. Do you really think it is not possible to hijack the browser and make it run some extra code at application launch?
    There was a beautiful java-script crack that worked on FireFox 2 that would give someone access to all of the users files demoed at Black Hat last year. With Firefox 3 not only do we get shitty performance because of its design we get the possibility of SQL injection exploits on top of the inherent insecurity of java-script.

    It is not that it can't be done, its that it is only a matter of time before someone does it. Look at the recent Mac OS X botnet for reference where many people said it couldn't be done.

    It has also been shown that the pgp signed packages from distributions could be circumvented with dns cache poisoning and various other means. Remember it was not so long ago Red Hat and Fedora repositories were cracked.

    If it can be locked, it can be unlocked by a determined individual and probably for a profit on their part.

  10. #20
    Join Date
    Feb 2009
    Posts
    10

    Default

    It has also been shown that the pgp signed packages from distributions could be circumvented with dns cache poisoning and various other means. Remember it was not so long ago Red Hat and Fedora repositories were cracked.
    To "circumvent" GPG signatures, you would need to have a copy of the private keys in order to sign the packages.
    .. Either that or invent some way to quickly factor LARGE numbers.
    I still think it takes somewhere in the region of the billions of years mark with most of the computing power of the world.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •