Linux.com

Feature: Security

Note to new Linux users: No antivirus needed

By Joe Barr on February 26, 2007 (8:00:00 AM)


One of the most common questions I hear new Linux users ask is "What program should I use for virus protection?" Many of them lose faith in me as a source of security information when I reply, "None." But you really don't need to fear malware on your new platform, thanks to the way Linux is built.
Savvy Windows users have to watch their virus checkers as closely as the head nurse in the ICU keeps an eye on patient monitors. Often, the buzz in the Windows security world is about which protection-for-profit firm was the first to discover and offer protection for the malware du jour -- or should I say malware de l'heure? The only thing better than having backed the winning Super Bowl team come Monday morning at the office coffeepot is having the virus checker you use be the one winning the malware sweepstakes that weekend.

If a rogue program finds a crack in your Windows armor, paying $200 per infection to have your machine scrubbed and sanitized by the local goon^H^H^H^H geek squad not only helps to reinforce the notion that you have to have malware protection, but that it has to be the right protection, too. The malware firms are aware of this, and all of their advertising plays upon the insecurity fears of Windows users and the paranoia that results. Chronic exposure and vulnerability to malware has conditioned Windows users to accept this security tax.

It's no wonder, then, that when Windows users are finally able to break their chains and experience freedom on a Linux desktop, they stare at me in disbelief when I tell them to lay that burden down. They are reluctant to stop totin' that load. They have come to expect to pay a toll for a modicum of security.

I try to explain that permissions on Linux make such tribute unnecessary. Without quibbling over the definitions of viruses and trojans, I tell them that neither can execute on your machine unless you explicitly give them permission to do so.

Permissions on Linux are universal. They cover three things you can do with files: read, write, and execute. Not only that, they come in three levels: for the root user, for the individual user who is signed in, and for the rest of the world. Typically, software that can impact the system as a whole requires root privileges to run.

Microsoft designed Windows to enable outsiders to execute software on your system. The company justifies that design by saying it enriches the user experience if a Web site can do "cool" things on your desktop. It should be clear by now that the only people being enriched by that design decision are those who make a buck providing additional security or repairing the damage to systems caused by it.

Malware in Windows Land is usually spread by email clients, browser bits, or IM clients, which graciously accept the poisoned fruit from others, then neatly deposit it on their masters' systems, where malware authors know it will likely be executed and do their bidding -- without ever asking permission.

Some malware programs require that you open an attachment. Others don't even require that user error. By hook or by crook, malware on Windows often gets executed, infecting the local system first, then spreading itself to others. What a terrible neighborhood. I'm glad I don't live there.

On Linux, there is built-in protection against such craft. Newly deposited files from your email client or Web browser are not given execute privileges. Cleverly renaming executable files as something else doesn't matter, because Linux and its applications don't depend on file extensions to identify the properties of a file, so they won't mistakenly execute malware as they interact with it.
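The two properties this paragraph relies on can be checked on any Linux box. The following is an added example, not code from the article: it writes a "downloaded" file into a scratch directory constructed here (file names and contents are invented for the demo), then shows that the file has no execute bit, that the kernel refuses to run it directly, and that its type is read from its leading bytes rather than its .jpg name. It also shows the caveat several commenters raise: a program that hands the file to an interpreter is not stopped by the missing bit.

```shell
#!/bin/sh
# Added example, not code from the article. Reproduces the two protections
# described above on files constructed in a scratch directory:
#  1. a file written by a mail client or browser gets the writer's umask
#     permissions (read/write), never an execute bit;
#  2. content type is identified from the file's first bytes, not its name,
#     so renaming a script to photo.jpg does not turn it into an image.

# Write a "downloaded" file the way a downloader does: open, write, close.
# The body is a harmless constructed shell script; only the name lies.
write_download() {
    umask 022
    printf '#!/bin/sh\necho "script body ran"\n' > "$1"
}

# Write a constructed minimal JPEG header (SOI + APP0 markers) for comparison.
write_jpeg() {
    umask 022
    printf '\377\330\377\340' > "$1"
}

# 0 if any execute bit is set on the path, 1 otherwise.
is_executable() {
    [ -x "$1" ]
}

# Ask the kernel to run the path directly; 0 if it ran, 1 if it was refused.
try_run() {
    "$1" >/dev/null 2>&1
}

# Classify by magic bytes, as file(1) and desktop MIME sniffing do.
# The file extension is never consulted.
content_type() {
    sig=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        ffd8ff*) echo image/jpeg ;;
        2321*)   echo text/x-shellscript ;;   # "#!" is 0x23 0x21
        *)       echo application/octet-stream ;;
    esac
}

# The caveat raised in the comments: the missing execute bit only stops
# direct execution. Anything that feeds the file to an interpreter (as a
# MIME handler or "Open with" action might) runs it regardless.
run_via_interpreter() {
    sh "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d)
    write_download "$dir/photo.jpg"
    write_jpeg "$dir/real.jpg"
    for f in "$dir/photo.jpg" "$dir/real.jpg"; do
        if is_executable "$f"; then x=yes; else x=no; fi
        if try_run "$f"; then ran=yes; else ran=no; fi
        printf '%s: exec bit=%s, direct run=%s, type=%s\n' \
            "$(basename "$f")" "$x" "$ran" "$(content_type "$f")"
    done
    rm -rf "$dir"
}

demo
```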

Whether newcomers grok permissions or not, I try to explain the bottom line to them: that because they have chosen Linux, they are now free of having to pay either a security tax up front to protect themselves from malware, or one after the fact to have their systems sterilized after having been infected.

So Linux is bulletproof? No. Bulletproof is one of the last stages of drunkenness, not a state of security. Linux users, like users on every operating system, must always be aware of security issues. They must act intelligently to keep their systems safe and secure. They should not run programs with root privileges when they are not required, and they should apply security patches regularly.

Misleading claims and false advertising by virus protection rackets to the contrary, you simply don't need antivirus products to keep your Linux box free of malware.


Comments on Note to new Linux users: No antivirus needed


Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 03:06 AM
Ubuntu is always asking for the root password to do this or that. How would I or any other beginner know that it isn't some virus or rogue application asking for root privileges? A virus could flash the enter password box on the screen and without a doubt, most would just fill it in like they have a hundred times before.

#

Re:Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 08:34 AM
Linux beginners should not be installing random programs from random places, they should stick with programs that come with their distro. To do otherwise is to court disaster, for many reasons. As the parent comment points out, if you install a "rogue application" it can do bad things. The distro has vetted all the programs it supplies and until the new Linux user knows better those are the programs he should stick with.

Remember, Linux is not like Microsoft Windows. It comes with all the programs you need.

Karl O. Pinc
kop@meme.com

#

Re:Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 11:00 AM
"Remember, Linux is not like Microsoft Windows. It comes with all the programs you need."

Photoshop.

"Linux beginners should not be installing random programs from random places, they should stick with programs that come with their distro."

I seem to remember a "suspicious" package getting onto a distro's server.

#

Re:Linux Anti-Virus - Photoshop? Oh, you mean GIMP

Posted by: Anonymous Coward on February 27, 2007 10:13 PM
(
"Remember, Linux is not like Microsoft Windows. It comes with all the programs you need."

Photoshop.
)

Gnome Image Manipulation Program
- provides most of the same pixel editing functions
- runs most Photoshop plugins

#

Re:Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 08:35 AM
Just a minor detail, but I think you'll find that Ubuntu asks for the user's password, not root's. The popup is in effect a GUI wrapper around the sudo command, which by default wants the user's password.

Yes, a virus could flash the password box, but can it gain root privilege to run? If Ubuntu is configured `sanely', then it will not allow arbitrary code to be run in this manner, since sudo has a list of which users are allowed to run which applications. Don't know offhand how Ubuntu configures sudo.

Incidentally, if you want to get a proper root login on Ubuntu, try `sudo passwd root', and then go from there.

#

Re:Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 03:41 PM
The answer is "poorly". Any user in the admin group is allowed to use sudo (or GTKsu) to execute anything. What it probably should do is use a whitelist of applications that may actually need root access, and only allow the GTKsu to run those applications. But it doesn't, so any program could try to re-launch itself with root access, hoping the user will just allow it.

Command-line sudo should probably be left alone - you could potentially want to run any command as root from the command line, even if there are only a small number of GUI apps that you'd want to run as root. Either that, or you need a real root account.

Some kind of mandatory access control system (SELinux, RSBAC, GrSecurity) would be better, but much more difficult.

#

Re:Linux Anti-Virus

Posted by: WarPengi on February 27, 2007 08:40 AM
That's true enough but until there actually are some Linux viruses there is no need to install AV software.

#

Re:Linux Anti-Virus

Posted by: Anonymous Coward on February 27, 2007 09:21 PM
Unfortunately, until it is popular enough to warrant virus production we will not really know, nor will we stress the limitations of the safeguards in effect. And I must question the harm of installing something like ClamTK for your average user (Avast now offers a Linux AV too); these programs most likely will not hurt your system. I have ClamTk installed, albeit on my SME box for my mail (which may go to Windows systems).

#

Re: Linux Anti-Virus

Posted by: Anonymous [ip: 200.40.82.182] on November 22, 2007 12:08 PM
Ubuntu doesn't ask for the root pass. It asks for YOUR pass as a sudoer. And it's just when you try to install new programs or change your system's configuration.

#

hoo boy

Posted by: Anonymous Coward on February 26, 2007 11:26 PM
You hit the nail on the head with this one. I'm so glad you wrote an article to refer people to. Even online I run into people who think you need to add an AV to Linux. This situation is not helped by distros that include an AV product with their purchased Enterprise Edition or whatever they call their for-pay edition. I imagine they do this for the very reasons that people consistently don't believe that you don't need AV. They also commonly mistake AV products as defense against hacking and malware. So used are they to all-in-one (usually inferior) products such as McAfee and Norton.

Note to Linux users: You don't need that ClamAV unless you are running an email server that serves Windows machines or you are one of those idiots that forwards every joke and tearjerker that you receive to all your friends.

#

Re:hoo boy - can I get your consent on this one

Posted by: Anonymous Coward on February 27, 2007 10:19 PM
I don't have an internal mail server but I do provide Samba shares to my family's few Windows systems. Is it ok if I use ClamAV in that situation or is it only acceptable for mail and stupid forwards?

#

Re:hoo boy - can I get your consent on this one

Posted by: Anonymous Coward on March 02, 2007 11:48 AM
OK, you may run AV software too ;-)

#

Re:hoo boy

Posted by: Administrator on February 27, 2007 04:37 AM
You know, virus attachments are usually a good sign that the message is either spam or you just don't want to see it anyways. It's helpful to scan for them along with spamassassin (or whichever filters you want to use) to help reduce the amount of crap that gets in your inbox.

#

Yet!

Posted by: Anonymous Coward on February 26, 2007 11:42 PM
Misleading claims and false advertising by virus protection rackets to the contrary, you simply don't need antivirus products to keep your Linux box free of malware.

I'll agree with this statement and the general article with the "YET" caveat. Daily, I see new holes being discovered and opened in a wide variety of Linux system and desktop applications. Vulnerabilities are being discovered in everything including the kernel, Firefox, email applications, and more.

Contrary to the boasts of imperviousness, I am absolutely certain that when the Linux userbase reaches a point that makes the platform a target, we will see viruses/worms and spyware ruin our antivirus-free lives. I'll go a step further and suggest that Flash or Javascript will likely be the first infection vector for spyware. I can already see a couple of likely routes but, I don't have the inclination or the desire to be labeled a pariah for writing a proof of concept. Woe be the name of the first DDoSed bastard that writes Linux malware. They'll skin him alive!

The file permission protection that we have relied on so far is bypassed with the MIME type association execution that our desktops add to provide us convenience. When last did you chmod a javascript script or a .jar? Disabling Java and javascript and Flash is not really an option as Web 2.0 has rendered the web useless without these applications.

I don't want to have to use antivirus software. Ever. The performance hit alone makes it highly undesirable but, additional OS and desktop features always bring new attack vectors and the features in Linux desktops are growing every day. It's only a matter of time/adoption before we are forced to implement some form of defensive software like antivirus/antispyware.

What I would like to see is an application level firewall. That is a ZoneAlarm-esque firewall that would trap/control applications trying to access the network. It's a nice capability that has been available to Windows users for years but, so far as I know, none exist for the Linux desktop. Mandriva have a firewall applet that seems close but, it's more like BlackIce, blocking external attacks with IPTables, than ZoneAlarm, blocking internal apps from accessing the network. A "firewall" such as this would go a long way toward preventing rootkits and other malware from invading the Linux desktop.

Your favorite "Microsoft shill".

#

Re:Yet!

Posted by: Anonymous Coward on February 27, 2007 12:04 AM
Contrary to the boasts of imperviousness, I am absolutely certain that when the Linux userbase reaches a point that makes the platform a target, we will see viruses/worms and spyware ruin our antivirus free lives. I'll go a step further and suggest that Flash or Javascript will likely be the first infection vector for spyware. I can already see a couple of likely routes but, I don't have the inclination or the desire to be labeled a pariah for writing a proof of concept.

On the contrary, this is exactly what you should do. I would not argue linux is impossible to infect either. If you know a real way, you should most certainly implement it and send it to bugtraq ASAP. If it's a proof of concept and doesn't do anything really nasty, you will not be labelled a pariah, any more than guys who currently report bugs in the kernel, browsers, etc.

In terms of the article, it would be more accurate to say that linux is a substantially harder target than windows due to the restrictions Joe mentions. It's certainly not impossible though. It just requires a lot more work as you have to start off by compromising security flaws on the user's system, rather than just get them to execute an attachment.

This happens all the time though and it has happened on linux (though not all that recently -- the Ramen worm being an example). Good advice for users who are worried about their security would be to:

  • make sure security updates are downloaded automatically and promptly applied.
  • do not install network services (eg web server, file sharing) unless you know what you're doing and need them.
  • look into setting up a firewall, eg firestarter: http://www.fs-security.com/

GMC

#

Re:Yet!

Posted by: Anonymous Coward on February 27, 2007 12:15 AM
The first part of Linux security is to not use a single partition setup as MS has taught everyone. The reason for this is simple; it provides improved protection because you can then set sane permissions that enhance the basic Linux security.

For example, I always create separate partitions for /, /usr, /tmp, /var, /home and /boot and set permissions correctly. E.g. /tmp and /home get the noexec flag set and that blocks 90+% of the script kiddies from doing anything, and on a production system I normally set /usr to read-only, as the only time I allow anything to be installed or upgraded is when it's scheduled.

Of course when I'm suggesting to someone that they should look at Linux, I also provide a simple checklist and basic partitioning schema list for them to look at and yes it really doesn't take much time to create such a checklist with the partitioning schema while keeping it distro agnostic. Sheesh, I keep a few copies on hand in my various class notebooks for those times I'm asked about my OS choice.

#

Re:Yet!

Posted by: Anonymous Coward on February 27, 2007 02:37 AM
Spot on! Telling users that Linux is immune to viruses does a disservice. There already are Linux viruses in use, most target servers but user space is just as vulnerable.

A virus on Linux will most likely only affect the user it is executed as, but if you're that user and it's your files that are trashed or posted to alt.test then you aren't going to care much what OS you are running.

.cp

#

Re:Yet!

Posted by: Anonymous Coward on February 27, 2007 08:26 AM
"There already are Linux viruses in use, most target servers but user space is just as vulnerable."

This is exactly the kind of misinformation that confuses people. There are no Linux viruses in use. I believe there was one virus released that targeted Red Hat but it was really more a proof of concept than anything. Except for that one instance there are no Linux viruses in the wild. Zip, nada, nought.

#

Re:Yet!

Posted by: Anonymous Coward on February 28, 2007 03:05 AM
That they have minimal impact does not mean that there are no viruses. Have a look at these two links (the second link obtained from the first one):

http://en.wikipedia.org/wiki/List_of_Linux_computer_viruses
http://www.viruslibrary.com/virusinfo/Linux.htm

#

Re:Yet!

Posted by: Anonymous Coward on February 28, 2007 09:31 AM
I did not say there are no Linux viruses. There are no Linux viruses in use and there are none in the wild.

#

Re:Yet!

Posted by: Anonymous Coward on March 04, 2007 08:33 AM
I looked at your links. One of the worms was from 2004. The other 6 (yes 6, not 60,000) were from 2002 or earlier.

I'm not worried about old viruses and easily-corrected buffer overflow attacks. Are you?

#

Re:Yet!

Posted by: Anonymous Coward on February 27, 2007 03:28 AM
What I would like to see is an application level firewall. That is a ZoneAlarm-esque firewall that would trap/control applications trying to access the network. It's a nice capability that has been available to Windows users for years but, so far as I know, none exist for the Linux desktop. Mandriva have a firewall applet that seems close but, it's more like BlackIce, blocking external attacks with IPTables, than ZoneAlarm, blocking internal apps from accessing the network. A "firewall" such as this would go a long way toward preventing rootkits and other malware from invading the Linux desktop.

I think you should take a look at SELinux or AppArmor; these "programs" should protect your system perfectly against exploits or other nasty stuff.

#

Not Exactly.

Posted by: Anonymous Coward on February 27, 2007 05:09 AM
SELinux and AppArmor offer application level protection but they do it in a far different way than the likes of ZoneAlarm. With SELinux and AppArmor you have to configure policies and profiles for each application you choose, but they don't do anything for applications that you don't specify and they are difficult and cumbersome to set up for applications that you do choose. I don't want to create an AppArmor profile for ls and cp and mv and less and... You get the idea.

ZoneAlarm et al simply deny all applications access to the network by default and prompt the user as to whether or not to allow that application access in the future. For example:
'Kwrite is attempting to access the network.
Allow Once, Allow Always, Deny Once, Deny Always?'

Perhaps someone will adapt AppArmor and add a simple GUI interface to make this happen but, so far, I haven't seen anything like this for the Linux platform.

#

Re:Not Exactly.

Posted by: Anonymous Coward on February 27, 2007 10:07 AM
Someone needs to read up on iptables. Hint: it allows both input and output rules.

James Dixon

#

Thanks - But, Not Exactly.

Posted by: Anonymous Coward on February 27, 2007 11:02 PM
I appreciate your insight but, I assure you that I am very well versed in IPTables. I'm well aware that IPTables can block outbound traffic and that the use of strict egress filtering by way of deny all and allow only these ports/protocols/IP addresses could have a similar end result to what I requested. But, this is a rather cumbersome and tedious option that does NOT do the same thing as application firewalls like ZoneAlarm.

ZoneAlarm et al trap applications, not ports/protocols/addresses, that try to access the network. They then pop-up and advise the user what application it is that is attempting to access the network and wait for the user to authorize or deny access temporarily or permanently. Once authorized the user does not have to worry about other ports or protocols for that application. For instance while it would be necessary to configure multiple IPTables rules for ports and protocols, inbound and outbound, in order to authorize an IPSec VPN client, with ZoneAlarm the user would only have to authorize the FreeSWAN application and they're done.

But there is more to it than that. Suppose you have used IPTables to authorize SMTP outbound for your email client. IPTables will then allow any and all applications on that host outbound SMTP access. But, let's suppose that a worm gets on the system and starts sending spam. IPTables will happily permit that (I know about source and destination rules, thanks). But with the likes of ZoneAlarm you would authorize Kmail to access the network for your email and when the worm tried to send its spam the user would get a message saying 'someworm.so is trying to access the network. Allow or Deny'. This gives the user control over what applications can access the network AND indicates that someworm.so is a file/application that needs to be investigated/eliminated.

There is also the matter of ease of use. While most users easily manage with the graphical Allow/Deny pop-ups from application "firewalls", I'm sure that you will agree that IPTables rules are not for amateurs. Granny can't configure IPTables, even with the best available graphical frontends. Just imagine dear old Grans wading through Firewall Builder or Firestarter. There's no way that's going to work! But, Granny has no problem clicking Allow/Deny when a message about someworm.so pops up. Even a mistake on her part may create undesirable results but it won't be an insurmountable configuration issue for her.

The application "firewall" to which I am referring is really quite different from a basic packet filter like IPTables. It may be possible to combine IPTables with other software to create such a "firewall" but, IPTables by itself or even in combination with AppArmor is definitely not it.

Thanks for your input. I'm sure that you didn't really mean for it to be as smug, condescending and incorrect as it seemed.

#

Re:Thanks - But, Not Exactly.

Posted by: Anonymous Coward on February 28, 2007 01:16 AM
You really should take a look at the "owner" iptables module.

#

Re:Thanks - But, Not Exactly.

Posted by: Anonymous Coward on February 28, 2007 02:35 AM
I think the biggest issue with creating something like ZoneAlarm (which I always found annoying, though I do agree with the premise you're asking about; an application-based firewall would be nice) is that any time a new application wanted access to the internet, it would pop up (annoyance) and then also have to ask for the admin password, since firewall rules are system-wide.

#

Less experienced and technical users should use.

Posted by: Anonymous Coward on February 26, 2007 11:48 PM
While Linux is globally safer than Windows, there are reasons why people, especially less experienced and less technical ones, should use:

- Users like to install everything they find without questioning. It's very easy to distribute a trojan horse. For example, Ubuntu users normally install Automatix which can be a potential target for a trojan horse or any other kind of virus. A bit of social engineering and it's done. Easy.
- Buffer overflows are still very common and browsers are easy targets. While arbitrary code wouldn't be executed with privileges, privilege escalation is a hacking technique. Even if escalation is very difficult, annoying stuff is possible with user privileges. Using cron to execute malicious code regularly with user privileges is also possible.

Other techniques might exist. The mere fact that Linux anti-virus programs exist should make people question. If it were safe, no one would build a Linux anti-virus.

#

Re:Less experienced and technical users should use

Posted by: Anonymous Coward on February 27, 2007 12:10 AM
The only antivirus programs I've seen for Linux are anti-Windows-virus programs. They are useless at protecting your Linux box: kind of hard to defend against a virus when virus writers haven't figured out how to write the thing in the first place.

#

Re:Less experienced and technical users should use

Posted by: Anonymous Coward on February 27, 2007 08:45 AM
AV software won't prevent buffer overflows, hacking, privilege escalation, social engineering. All those vulnerabilities exist but AV software won't help.

#

Re:Less experienced and technical users should use

Posted by: Anonymous Coward on February 27, 2007 10:49 PM
"Only by the fact that Linux anti-virus exist people should question. If it was safe, no one would build a Linux anti-virus"

I don't know.. I can think of a few reasons to use AV on *nix

- shared storage server providing space to Windows clients

- mail server providing smtp/pop to Windows clients

- emailing attachments to friends who use Windows exclusively

- sharing documents with friends who use Windows exclusively

There's a common thread in those points but like it or not, the majority of the world does not follow the Unix tradition.

#

Why Not ClamAV

Posted by: Anonymous Coward on February 26, 2007 11:53 PM
Sure, Linux may not be incredibly vulnerable and the access controls and priv levels are nice, but the fact is, we Linux and OSX users should do our part to help stop the spread, and let's face it, we all interact with users of other OSes. I deploy ClamAV on my boxes (and it's available for OSX) so I don't unknowingly spread a virus to someone. Sure, it doesn't affect me if an Excel file is infected, but it's just bad karma to be a carrier.

#

Re:Why Not ClamAV

Posted by: Administrator on February 27, 2007 12:19 AM
Karma literally translates from the Hindi as "doing". It is a good choice for describing the outcome of a decision not to use Clam or other AV; if sys admins find that Linux boxes are "Typhoid Marys", we can forget ever penetrating the enterprise.

#

not quite

Posted by: Anonymous Coward on February 27, 2007 01:32 AM
You are misusing the word Grok. It's a common mistake but it bothers me. Grok shouldn't be used in place of understand. Grok derives its meaning from "to drink". Basically that you understand something so intimately that it's like it touches the inside of who you are. You don't need to grok permissions to understand Linux computer security; I'd be scared of anyone who did grok them.

I'd say you do need to be worried about security on Linux. It's quite easy to download little programs off the net not knowing what they do that will open up back doors on your computer or send out info you don't want sent out. This is very easy to do with Firefox. In Linux, so have security you should install your software from a trusted source who has verified the programs are safe. If you start installing binary blobs in the form of Firefox extensions, who knows what you'll get.

#

Perhaps you need to Grok "Grok"!

Posted by: Administrator on February 27, 2007 01:50 AM
Please read the definition at http://dictionary.reference.com/browse/grok

Yes, it can mean "To Drink", however, it primarily now means "To understand profoundly through intuition or empathy."

Look how badly "Hacker" has been twisted in recent years! ;^)

#

Not quite

Posted by: Anonymous Coward on February 27, 2007 02:11 AM
Disclaimer: I'm a Linux user and I don't use any antivirus or antimalware program because I don't think I need any.

However, there are a couple of weak points when people say Linux doesn't and probably won't need antivirus or antimalware programs. First, as somebody already mentioned, the MIME type associations are a weak point because you can use them to launch scripts by clicking.

Second, we have the .desktop files, which have been a matter of discussion in several mailing lists. .desktop files, currently, allow anybody to send you any program and make it look however they want, ready to be triggered by a mouse click. Just like it happens on Windows, one of the weakest points is the user. If an inexperienced user is sent a joke.jpg.desktop file in an email and told to right click on it, save it to the desktop and then click it, they _may_ do it. And the file may even have the icon of an image MIME type. Or what's worse: it could create a spam-sending program or script in your Autostart folder _and_ display a joke image, so you won't even suspect you've been infected.

So don't use your Linux machine with a sense of fake confidence that nothing will happen and you're safe. That's the worst thing you can do. Users should be aware of the danger of opening unexpected attachments and visiting malicious websites, and we should still remind them of those dangers despite the fact that they're running Linux. Say "You won't need an AV, but be careful" instead of "Oh, don't worry, you won't need an AV if you run Linux".

Also, not running programs as root has the advantage that malware infections are easier to clean (delete mail, crontab and user home directory and you'll be ready), but you still need to apply security fixes carefully to avoid privilege escalation vulnerabilities. And let's not forget that you can't say "Don't worry. Your Linux system will be OK in 5 minutes. It's only your private emails, documents, gpg and ssh keys which have been exposed to this malware program." That's not acceptable.

#
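The .desktop concern in the comment above lends itself to a simple defender-side check. The following is an added example, not code from the comment or from any desktop project: a small audit script that reads the file name and the Exec= and Icon= keys of .desktop launchers and flags the traits described (an image extension in front of .desktop, an image icon on something that is not an image viewer, inline interpreter code or a program in a user-writable location in Exec=). The two sample launchers are constructed for the demo and the flagged one carries a harmless echo; the audit never runs any Exec line.

```shell
#!/bin/sh
# Added example, not from the comment or any project: an audit for .desktop
# launchers of the kind described above. It reports suspicious traits and
# never executes the Exec= line.

# Print the first value of key $2 in .desktop file $1.
desktop_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Print one finding per line for file $1.
# Returns 0 if anything was flagged, 1 if the launcher looks clean.
audit_desktop_file() {
    f=$1
    rc=1
    name=$(basename "$f")
    exec_line=$(desktop_key "$f" Exec)
    icon=$(desktop_key "$f" Icon)

    # A media extension right before .desktop: the launcher is dressed as an image.
    case "$name" in
        *.jpg.desktop|*.jpeg.desktop|*.png.desktop|*.gif.desktop)
            echo "$name: image extension before .desktop"; rc=0 ;;
    esac

    # Exec hands inline code to an interpreter instead of naming a program.
    case "$exec_line" in
        "sh -c"*|"bash -c"*|"python"*" -c"*|"perl -e"*)
            echo "$name: Exec runs inline interpreter code: $exec_line"; rc=0 ;;
    esac

    # The program Exec names lives where the user (and so anything running
    # as the user) can write, rather than in a system directory.
    prog=${exec_line%% *}
    case "$prog" in
        /home/*|/tmp/*|"~/"*|./*|'$HOME/'*)
            echo "$name: Exec program in user-writable location: $prog"; rc=0 ;;
    esac

    # A stock image icon on a launcher whose Exec is not an image viewer.
    case "$icon" in
        image-*|*.jpg|*.jpeg|*.png)
            case "$exec_line" in
                eog*|gwenview*|display*|xdg-open*) ;;
                *) echo "$name: image icon ($icon) on a non-viewer Exec"; rc=0 ;;
            esac ;;
    esac
    return $rc
}

# Audit every .desktop file in the given directories; on a real desktop these
# would be ~/Desktop and ~/.config/autostart, the two places the comment names.
audit_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*.desktop; do
            if [ -f "$f" ]; then audit_desktop_file "$f" || true; fi
        done
    done
    return 0
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample with the shape the comment describes; the Exec body
    # is a harmless echo.
    printf '[Desktop Entry]\nType=Application\nName=joke.jpg\nIcon=image-x-generic\nExec=sh -c "echo harmless"\n' \
        > "$dir/joke.jpg.desktop"
    # Constructed benign launcher for contrast.
    printf '[Desktop Entry]\nType=Application\nName=Text Editor\nIcon=gedit\nExec=gedit %%U\n' \
        > "$dir/editor.desktop"
    audit_dirs "$dir"
    rm -rf "$dir"
}

demo
```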

And how about klik.atekon.de?

Posted by: Anonymous Coward on February 27, 2007 02:19 AM
Can one of these Linux-knowledgeable experts explain to me why it should not be possible for malicious code from a website, if clicked on via a link, to execute in the same way a program does when it is downloaded by the klik system (klik.atekon.de).

I have tested this with one of my not production critical desktops: all I ever had to do was to click on a link of the atekon website. This downloaded OpenOffice.org, opened it, and got it running, without any further intervention on my part. I never was asked to, or had a chance to, make anything executable.

Now somebody explain to me why, if what I clicked on had been hiding a malicious program, it could not have wiped out everything accessible by me as the user with write permissions - which is most of my valuable data. And somebody please further explain to me why such malicious code cannot be hidden in a picture of a website I click on in order to e.g. increase its size? Of course, yes, I fully understand, my system itself would always have been completely safe and could never have been touched as I was not running as root, but would I care in the least about my system if I would lose most of my far more valuable data? That system I can reinstall in less than an hour.

I am a Linux user, or perhaps rather consumer, but I cannot understand how these Linux people can feel that safe with a system on which something like klik is possible.

If I am wrong, thanks for any comprehensible education, WH.

#

It's impossible to make anything foolproof...

Posted by: Anonymous Coward on February 27, 2007 08:52 AM
It's impossible to make anything foolproof because fools are so ingenious.

The only way to prevent users from installing malicious software is to dis-allow installation of _any_ software. Newbie Linux users should stick to installing the software provided by their distribution of choice. Linux is not like Microsoft Windows, it comes with all the software you need. (At least if you choose the right distro.)

That said, there's a big difference between a virus, which installs itself, and a user deciding to install some program. If you decide to use a web browser that automatically installs anything you happen to click on, well then you're using a web browser designed to poke holes in your system's security.

Don't do that.

Nobody said Linux was perfectly secure. Basic security precautions are still required. The simple rule "Only install software provided by your Linux supplier" is about all the new user needs to know. This rule is a whole lot easier to follow than the corresponding rule for Microsoft Windows, "Don't click on anything you don't trust."

Karl O. Pinc
kop@meme.com

(Doctor! It hurts when I poke my finger in my eye!)

#

Re:And how about klik.atekon.de?

Posted by: Anonymous Coward on February 27, 2007 10:13 AM
> but I cannot understand how these Linux people can feel that safe with a system on which something like klik is possible.

A klik package won't do anything unless you install the klik client. If you install the klik client, then you're responsible for the security implications of doing so.

James Dixon

#

Re:And how about klik.atekon.de?

Posted by: Anonymous Coward on February 27, 2007 01:44 PM
If I remember correctly, there have been some live-cd distributions, which were very easy to install, which had the klik client enabled by default. This might (?) be a good thing overall, but it does encourage inexperienced users to have a klik client running without even knowing that they are.

#

Re:And how about klik.atekon.de?

Posted by: Administrator on February 27, 2007 02:37 AM
> If I am wrong, thanks for any comprehensible education, WH.

You're not wrong. Linux has many openings for malicious code. Just take a look at Secunia's long list of advisories about Linux. The 2.6.x Linux kernel had 44 advisories in 2006: http://secunia.com/product/2719/?task=statistics_2006

There are two main reasons why Windows has had so many virus problems and Linux hasn't:

1. Initially, Internet Explorer was setup for convenience, not security (can you say ActiveX?). Microsoft has learned a very painful lesson and has largely fixed that issue.

2. Linux has such a low share of the total market that it's not worth the trouble of creating viruses for it. These days, malware is created in order to commit crimes. If you're such a criminal, would you aim at 90% of the market?

#

Re:And how about klik.atekon.de?

Posted by: Administrator on February 27, 2007 03:14 AM
Interesting follow-up to point #1 above: In an interview, Sun security chief Whitfield Diffie said: "I think the critical thing [is] that Microsoft showed that it's judgment was correct. If it had paid less attention to security, maybe it would have had less market share."

http://news.yahoo.com/s/pcworld/20070226/tc_pcworld/129349

#

Is installing ClamAV really that hard?

Posted by: Anonymous Coward on February 27, 2007 03:28 AM
Come on Joe. While I agree with your article for now, Linux will not always be safe from viruses. Sooner or later some schmoe will figure out a hole and *poof* we'll have our first virus. How hard is it to install ClamAV in the background and just let it run?

#

Simple & Logical

Posted by: Anonymous Coward on February 27, 2007 05:29 AM
When a Linux newbie asks, "What about antivirus?", yours is the best answer. Simply tell them: "Sure, use ClamAV; it's included in your $DISTRO and it's free like all the other applications in $DISTRO."

They're protected. They feel safe. You didn't digress into a complicated, distracting and divisive conversation that might put them off or cause them to think you're one of those Gentoo zealots. For example: Is this Joe Barr? (http://ozguru.mu.nu/Photos/2005-11-11--Dilbert_Unix.jpg)

Joe's favorite "Microsoft Shill"

#

Re:Simple & Logical

Posted by: Anonymous Coward on February 27, 2007 08:09 AM
Personally I find it disgusting that on the BBC's Click programme the only use for dual core machines the 'experts' (see: salesmen) could come up with was "You can use one core for all of your regular tasks and use the other core for antivirus and firewall software." Please oh please oh please oh please do not end up with such monstrous resource wastage on GNU/Linux systems. If you need to run antivirus software on Samba servers and stuff then fine, but I would say the only vulnerability mature Free systems have (aside from software ones which are patched within hours anyway) is user education. That isn't "You need antivirus software" brainwashing from Windows land (I would say a more accurate phrase would be: "You need a secure system. You can either get this free no-maintenance one with free updates, or this expensive one with a load of crazy little tools which you need to run again and again, pay for the updates when they come out, oh and did I mention that those crazy little applications use up half of your computer?") but more about backing up data regularly and only using trusted sources for packages and things.

#

Re:Simple & Logical

Posted by: Joe Barr on February 27, 2007 07:41 AM

Ah, of course, the Microsoft Way. Lie to users from the beginning.

#

easier

Posted by: Anonymous Coward on February 27, 2007 06:16 AM
why waste so much talking...
just tell them that linux comes with a built-in, free (as in speech) virus protection system... it does - the av system is called "permissions" ;)

#

Yes - We Are in Denial

Posted by: Anonymous Coward on February 27, 2007 06:44 AM
Anyone running Wine in an unprotected way (and no-one tells you how to protect it) is even more exposed to malware than a Windows user. The Wine people almost pride themselves that it will run this crap. What makes it worse is that you can even use a quite misleading suffix, e.g. malware.jpg, and Wine will still run it with a single click.

Biggest users of Wine??? Dunno, but Linux newbies must be candidates.

#

Not as I see it.

Posted by: Anonymous Coward on February 27, 2007 02:20 PM
Large numbers of Windows viruses don't work under Wine. Lots of game hacks don't work and will never work. Wine does not support process injection. Luckily a lot of viruses like h

Winehq does need security improvements. There is a prototype to embed clamav into winehq.

A winehq running a virus cannot get out of current user restrictions.

Big problem with new users is getting them not using root to do things.

#

Re:Not as I see it. - another problem the new

Posted by: Anonymous Coward on February 28, 2007 12:51 AM
"Big problem with new users is getting them not using root to do things."

and on the other side of that:

Another problem with new users is getting them not to log in as root for normal day to day.

"what? you mean I don't just log in as Administrator? But that's what I did on WindowsXP."

#

Re:Not as I see it. - another problem the new

Posted by: Anonymous Coward on February 28, 2007 06:47 AM
Infected Wine is pretty much harmless to the total system from a normal user. It destroys one user directory.

From root on some systems it's deadly.

Now SELinux can be placed above Linux. Fixes the problem. And annoys experienced users big time. Log into root to fix something and only selected programs run and work.

Simpler and less painful long term to fix Wine. Most Linux distros force users to create a normal account.

It's simpler not to convert users from Windows to Linux but to start them off with Linux so they don't come with bad habits. I should have been more targeted. Past Windows users are hard to get using Linux correctly because they think logging in at admin level and doing work is normal.

#

Re:Perhaps you need to Grok "Grok"!

Posted by: Anonymous Coward on February 27, 2007 08:05 AM
I believe this meaning comes from the novel "Stranger in a Strange Land" by Robert A. Heinlein: http://en.wikipedia.org/wiki/Stranger_in_a_Strange_Land

#

Re:Perhaps you need to Grok "Grok"!

Posted by: Anonymous Coward on February 28, 2007 02:41 AM
You are exactly correct. In fact the use of grok to mean understand was common slang in the late sixties, early seventies when this sci fi novel was at its peak in popularity.

#

Antivirus is a Kludge

Posted by: Anonymous Coward on February 27, 2007 10:51 AM
I agree with most people that we shouldn't sit on our high horse about security.

BUT...

Antivirus (And Anti-Spyware) software is a kludge!

It wastes computer resources as well as human resources. It's a treadmill! And a race!!

What is needed is a multilevel approach.

Program level. Build a descriptor file into executables that lists the largest amount of access a program needs to function (incoming ports, outgoing ports, file trees: /etc /proc /var/log etc., exec other programs, fork etc.). Like AppArmor but built into all executables and enforced by the OS. Programming tools to help automate the process.

Signed executables. Not for DRM. Check that programs haven't been changed or added without authority. User can manually sign/resign binaries, or import certificates, but must have privs, and only root could sign for system use, or import certificates for all users.

System admin/distribution level. Think of it like chroot, but it locks in a security profile instead of a root folder. Use for system services. Security profiles can only tighten for a process and its subprocesses, but not loosen. Apache-like config file. SELinux's file level config is too hard to admin. Don't know about AppArmor.

Command like follows:
chsecur conffile executable
===Example ===
#use this for sendmail

#stop denial of service
processes 20;

#if policy violation kill all processes
# running in this security root
enforce super-strict

#default no network
<port *>

    deny all
</port>

#All privs on 25
<port 25>

    allow bind,connect,establish
</port>

#after connecting on 25 we can jump to above 1000
<port 1000+ >

      allow preestablished
</port>

#dns

<port 53>

      allow connect
</port>

#strict to begin with
<directory />

      deny all
</directory>

<directory /etc>

      deny read,write

      allow chdir, list
</directory>

<directory /etc/mail >

      allow read,chdir
</directory>

<directory /var/spool/mail >

      deny links

      allow read, write, full,2 sublevels,mkdir
</directory>

<directory /var/spool/mqueue >

      allow read,write,delete
</directory>

#Permissions for first fork
#only master process allowed to fork
<fork 1>

    allow
</fork>

<fork 2+>

    deny
</fork>

== End example ==

Just an example, don't know enough about sendmail to configure correctly.
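The profile syntax sketched in the post above has no implementation behind it. As an added example (not the poster's code and not part of any real tool), here is a small Python parser for that syntax, plus an evaluator that applies a "most specific section wins, deny beats allow, no section means deny" reading and the post's rule that a sub-process profile may only tighten, never loosen. The sample profile is the poster's sendmail sketch trimmed to a few sections; the child profile, the precedence rules and the function names are my own assumptions, since the post does not define them.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the poster's sendmail sketch, trimmed to a few sections.
SENDMAIL_PROFILE = """
#use this for sendmail
processes 20;
<port *>
    deny all
</port>
<port 25>
    allow bind,connect,establish
</port>
<directory /etc>
      deny read,write
      allow chdir, list
</directory>
<directory /etc/mail >
      allow read,chdir
</directory>
<fork 2+>
    deny
</fork>
"""

CHILD_PROFILE = """  # constructed sub-process profile; its port 80 rule loosens the parent
<port 80>
    allow connect
</port>
<directory /etc/mail>
    allow read
</directory>
"""

@dataclass
class Section:
    kind: str        # port, directory or fork
    selector: str    # "*", "25", "2+", "/etc/mail", ...
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*?)\s*>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

def parse_profile(text):
    """Return (settings, sections): bare 'key value;' lines, then <kind selector> blocks."""
    settings, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := OPEN_RE.match(line)):
            current = Section(m.group(1), m.group(2) or "*")
            sections.append(current)
        elif (m := CLOSE_RE.match(line)):
            if current is None or current.kind != m.group(1):
                raise ValueError(f"unbalanced close tag: {line}")
            current = None
        elif current is None:
            key, _, value = line.rstrip(";").partition(" ")
            settings[key] = value.strip()
        else:
            verb, _, rights = line.partition(" ")
            names = {r.strip() for r in rights.split(",") if r.strip()} or {"all"}
            if verb not in ("allow", "deny"):
                raise ValueError(f"unknown directive in <{current.kind}>: {line}")
            getattr(current, verb).update(names)
    return settings, sections

def _matches(kind, selector, target):
    """Does a selector cover the target (a port/fork number or a path)?"""
    if selector == "*":
        return True
    if kind == "directory":
        return target == selector or target.startswith(selector.rstrip("/") + "/")
    if selector.endswith("+"):
        return int(target) >= int(selector[:-1])
    return selector == target

def permitted(sections, kind, target, right):
    """Most specific matching section decides; deny wins inside it; no section means deny."""
    hits = [s for s in sections if s.kind == kind and _matches(kind, s.selector, target)]
    if not hits:
        return False
    # exact match beats a range or parent directory, which beats the wildcard
    best = max(hits, key=lambda s: (2, 0) if s.selector == target else
               (0, 0) if s.selector == "*" else (1, len(s.selector)))
    if "all" in best.deny or right in best.deny:
        return False
    return "all" in best.allow or right in best.allow

def violations(parent, child):
    """Rights the child grants that the parent denies; empty means the child only tightens."""
    found = []
    for s in child:
        target = s.selector[:-1] if s.selector.endswith("+") else s.selector
        for right in sorted(s.allow):
            if not permitted(parent, s.kind, target, right):
                found.append((s.kind, s.selector, right))
    return found
```

With the sample above, `permitted(sections, "port", "25", "connect")` is true, port 80 falls through to the `<port *>` deny, `/etc` allows `list` but denies `read`, and `violations()` on the child profile reports only the port 80 rule. The useful property of this shape is that the "tighten only" check can be run once when a profile is installed rather than on every syscall.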

#

Re:Antivirus is a Kludge

Posted by: Administrator on February 27, 2007 11:24 AM
> Antivirus (And Anti-Spyware) software is a kludge!
> ...
> What is needed is a multilevel approach.

There is a multi-level approach. The last level is anti-virus. It's there to prevent problems when all else fails.

#

Re:Antivirus is a Kludge

Posted by: Anonymous Coward on February 27, 2007 12:15 PM
So we need to tax our processor, and slow our disks scanning files for viruses, when we could just patch the hole that allowed the virus? Nothing slows a computer down like installing virus software.

Should we spend our time making signature files, or spend money on signature files, just to have the black hat modify his virus slightly to get around the signature and exploit the same hole? Lather, rinse, repeat. Continuing the arms race.

Or we could fix the bugs in the software that caused the problem in the first place, as well as engineer the system to resist such problems. I believe this is the way Unix-like systems have been engineered up until now, and should continue, instead of giving up and relying on virus scanners.

#

Re:Antivirus is a Kludge

Posted by: Administrator on February 27, 2007 12:50 PM
> So we need to tax our processor, and slow our disks scanning files for virusus.

Only if you want the best security available. If you don't need or want the best security then don't run AV software.

An analogy: You can put solid locks on the doors to your house. But if an intruder still gets in, you want to be able to call the cops to get him out.

Btw, most systems use a minuscule portion of the available CPU power.

#

Re:roflmao!!!!

Posted by: Anonymous Coward on February 27, 2007 12:15 PM
"NTFS on Windows has permissions too. Doesn't save you when you root as administrator aka root."

LOL. To seriously screw-up like that...well, *that* takes an MCSE.

#

Re:roflmao!!!!

Posted by: Administrator on February 27, 2007 12:51 PM
Huh?

#

Re:roflmao!!!!

Posted by: Anonymous Coward on February 27, 2007 12:32 PM
Linux file permissions and MS NTFS file permissions are not the same. Linux file permissions have an x (execute) permission for every file. If this x permission is not set then the file can never be executed. MS NTFS does *not* have this file permission.

File execution on Linux OS and MS OS work very differently. May I suggest researching the topic before posting such a comment.

By the way I am an MCSA certified professional. So I do know how NTFS permissions work.

#

Re:roflmao!!!!

Posted by: Anonymous Coward on February 27, 2007 06:56 PM
A file doesn't need an x (execute) permission. I can run any shell script with "sh filename", and the same goes for Perl, Python and any other scripting language.

And you know very well that even shell scripts can contain executables.
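Both comments above are right, and the difference is where the check happens: execve() consults the x bit (and the noexec mount flag), but `sh filename` opens the file as data and never asks. As an added illustration that is not part of the original thread, this Python script writes a constructed shell script to a temporary directory with and without the owner execute bit and tries both ways of running it:

```python
import os
import stat
import subprocess
import tempfile

# Constructed sample script: it only prints a marker so the outcome can be checked.
SCRIPT_BODY = "#!/bin/sh\necho executed\n"

def write_script(directory, name, executable):
    """Write the sample script with mode rw------- and, optionally, the owner x bit."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(SCRIPT_BODY)
    mode = stat.S_IRUSR | stat.S_IWUSR
    if executable:
        mode |= stat.S_IXUSR
    os.chmod(path, mode)
    return path

def run_directly(path):
    """execve() the file itself: the kernel enforces the x bit (and noexec mounts) here."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=5)
    except PermissionError:
        return "permission denied"
    return proc.stdout.strip()

def run_via_interpreter(path):
    """Hand the file to sh as an argument: it is read as data, so the x bit is irrelevant."""
    proc = subprocess.run(["sh", path], capture_output=True, text=True, timeout=5)
    return proc.stdout.strip()

def demonstrate():
    """Return how each invocation fares with and without the execute bit."""
    with tempfile.TemporaryDirectory() as tmp:
        no_x = write_script(tmp, "no_x.sh", executable=False)
        with_x = write_script(tmp, "with_x.sh", executable=True)
        return {
            "no_x_direct": run_directly(no_x),
            "no_x_via_sh": run_via_interpreter(no_x),
            "with_x_direct": run_directly(with_x),
            "with_x_via_sh": run_via_interpreter(with_x),
        }

if __name__ == "__main__":
    for label, outcome in demonstrate().items():
        print(f"{label}: {outcome}")
```

The file without the x bit is refused when executed directly but runs fine through `sh`; the file with the x bit runs directly too unless the temporary directory sits on a noexec mount. That is the practical takeaway for a defender: the execute bit and noexec mounts stop accidental double-click execution, not a user (or a script) that feeds a file to an interpreter.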

#

Re:roflmao!!!!

Posted by: Anonymous Coward on March 02, 2007 05:36 AM
Many, MANY of the Windows worms worked by Outlook / OE autoexecuting emailed content in some way. If you don't have the "autoexecute everything" mentality when you are designing your system, then you are much less likely to get hit. THIS is the big reason why Unix based systems have historically been less vulnerable to email worms. Microsoft has been bitten time and time again by looking at the content of a file and if it looks like it might be executable, executing it! Even their media player and image viewing code was doing this! The reason Microsoft gave for this behavior? They claimed that customers were demanding that "feature." We've seen this problem in image files, sound files, video files, help files, etc. NONE of those has any reason to contain executable content.

#

Re:Antivirus is a Kludge

Posted by: Anonymous Coward on February 27, 2007 01:18 PM
>Only if you want the best security available.

Only if somebody else has already discovered the exact same virus and created a signature.

>But if an intruder still gets in, you want to be able to call the cops to get him out.

Yes, but to be correct to your analogy, the cops live at your house, eat your food, and use your facilities. Plus you pay them. And then they will only do something after calling the station to make sure he is a known criminal. Worse yet, for a lot of criminals, they aren't competent enough to handle them correctly, and just lock them in your bedroom with your files. And more yet, his twin brother breaks in tomorrow.

>Btw, most systems use a minuscule portion of the available CPU power.
Yes, but CPUs use a lot of current also. Consider your laptop wasting battery life to scan files, or a whole datacenter full of servers, and your electric bill.

#

Re:Antivirus is a Kludge

Posted by: Administrator on February 27, 2007 01:43 PM
> Only if somebody else has already discovered the exact same virus, and created a signature.

1. That's so three years ago. Modern AV software from all the leading AV vendors use heuristics to detect viruses they've never seen before.

2. Even if it were true, it would be much better than nothing.

> Consider your laptap wasting battery life to scan files

I don't consider security a waste. You apparently do. My condolences to anyone who has to work with you.

> or a whole datacenter full of servers, and your electric bill.

Consider the cost of downtime when a virus gets into a system. Consider the cost of lost bank account numbers and passwords. Consider the cost of lost social security numbers.

AV software is insurance, you hope you never need it, but when you do it's damned nice to have.

#

RE: Yes - We Are in Denial

Posted by: Anonymous Coward on February 27, 2007 01:47 PM
"Anyone running wine in an unprotected way (and no-one tells you how to protect it) is even more exposed to malware than a windows user."

1. There are several posts (be they wiki or whatever) and documents telling users how to scan their system (which includes ~/.wine and the subdirectories) with ClamAV and the like. You may also run Windows antivirus programs with Wine but I have not tested this second method where the first works like a charm but it's still not going to catch anything (but will everything malicious run?).

2. You should take this up with the wine devs on the mailing list or the Wine user mailing list if you're concerned. To say the Linux Wine user is "even more exposed to malware than a windows user" is, IMO, unfounded FUD. Are you able to back up this claim with fact? What I have seen time and again was much of the malware simply wouldn't run and/or affect the rest of the Linux system. Let's also remember no one should be running Wine as root.

"The wine people almost pride themselves that it will run this crap."

IMO more FUD, are you making this up as you go along? Show us the proof or kindly STFU.

"What makes it worse is that you can even use quite misleading suffix eg malware.jpg and wine will still run it with a single click."

I don't know about this, but .exe files will run with a click with Wine in Linux. While I haven't seen any malware executed with success in Wine, multiplayer games and the like which reach out of your system to communicate with others do often work very well, which could mean a cleverly crafted program developed (perhaps FOR Wine by some rogue?) with bad intentions could become a problem, who knows. To date, I haven't seen anything surface that's a proven problem, have you? If it's so dangerous to run Wine, where are the reports of all this bad malware working in it?

"Biggest users of wine ??? dunno but linux newbies must be candidates."

Anyone who wants to run Windows applications, be they newbies or veterans. Rather than anyone placing blame on Wine, why not place the blame where it belongs: on the individuals and companies who continue to develop closed source software and refuse to release the source code.

#

Re: Yes - We Are in Denial

Posted by: Anonymous Coward on February 28, 2007 08:13 PM
One of the finest examples of "pathological denial" I have collected so far.

Unfortunately you will never be called upon to refund the losses when they start rolling in.

#

Re:Antivirus is a Kludge

Posted by: Anonymous Coward on February 27, 2007 02:28 PM
>That's so three years ago. Modern AV software from all the leading AV vendors use heuristics to detect viruses they've never seen before.

So I'm wasting more resources with complex algorithms. Plus I get the joy of false positives to top it off.

>I don't consider security a waste

I consider kludge security a waste.

>My condolences to anyone who has to work with you.

Personal attacks don't help your case any.

>Consider the cost of downtime when a virus gets into a system. Consider the cost of lost bank account numbers and passwords. Consider the cost of lost social security numbers.

You definitely use a virus scanner on your Windows systems. You would be a fool not to for Windows.

For your Unix systems (unless it's a Windows file server) you configure the system correctly, and use best practices to make sure your data is protected. You use other tools to check for problems (Tripwire, portscan detectors, etc.). But you generally do not use a virus scanner, especially live scanners.

If there are any sysadmins out there who do use these, let me know.

#

Re:Antivirus is a Kludge

Posted by: Administrator on February 27, 2007 08:04 PM
> So I'm wasting more resources with complex algorithms.

LOL!

Your view that security is a waste is truly sad -- and dangerous.

> I consider kludge security a waste.

That's fine. AV ain't a kludge.

> Personal attacks don't help your case any.

Don't hurt it either. Btw, I was serious about what I wrote.

> For your unix systems (Unless it's a windows file server) you configure the system
> correctly, and use best practices to make sure your data is protected.

Yeah, 'cause UNIX systems are such a small percentage of all systems that they aren't targeted by the malware writers. If UNIX had significant market share it'd be targeted too.

#

Joe, Joe, Joe...

Posted by: Anonymous Coward on February 28, 2007 12:06 AM
Joe,

Why do we always butt heads like this? Where did I say to lie? There is NO untruth anywhere in my comment or my recommendation. I said to give them what they ask for. It is not the "Microsoft way", it is the sensible and logical way.

If they are concerned about viruses, most major distributions include a ClamAV package. A simple click will allay their fears. It will also allow you and them to concentrate on more interesting and more important things when using Linux desktops.

Besides, a free antivirus package with free updates is another feather in Linux' cap, in my opinion. Why not use it as a "selling" point? 'Free antivirus, yet another Linux advantage.'

The long lectures on why Linux doesn't need antivirus only serve to confuse the neophytes and make you look like the condescending blowhard in the Dilbert comic. Is that your goal? There's simply no need for it.

Calling my recommendation a lie... How do you justify that?

Your favorite "Microsoft Shill".

P.S. Did you like the Dilbert? I thought it was a rather amusing taunt.

#

Re:And how about klik.atekon.de?

Posted by: Anonymous Coward on February 28, 2007 12:20 AM
(
IDGNS: When the PC went on the network, there were security implications that nobody thought about. Microsoft has spent the last five years fixing all of the security problems that maybe could have been foreseen...

Diffie: Wait a minute. I think there are two issues. I think you'll find that lots of them were foreseen. I think the critical thing [is] that Microsoft showed that it's judgment was correct. If it had paid less attention to security, maybe it would have had less market share.

It had no real motivation, I think, until the last few years to try to fix these things. The interesting thing to me is why it's been so hard for them to do so, because they must have half the smart people I know about in the industry, and in security, working for them. And I think it has to do with the problems of legacy code, and the legacy interface expectations of their customers.
)

It seems a little clearer with the whole question and response. I understand the second point fully but I'm just not understanding the first point you commented on.

If Microsoft showed that its judgement was right? If it had paid "less attention to security" it may have had less market share than 90% of the computer world. This seems counterintuitive. They developed a fundamentally insecure system and somehow this is the reason they have such market share.

I'm actually not looking for a fight on this one. I just seem to be not grasping the nugget of knowledge that makes that statement correct. The guy has got a world more experience than I, so how does he come to this conclusion?

#

Re:And how about klik.atekon.de?

Posted by: Administrator on February 28, 2007 02:06 AM
> The guy has got a world more experience than
> I so how does he come to this conclusion?

(shrug)

My best guess is that he sees that not having tight security didn't keep MS/Windows from getting great market share in the beginning. Thus, anything that might have made Windows more difficult to use might have cost them market share.

As you note, he's in a better position than either of us to know what's been happening and why - and he works for a company that's not inclined to give MS the benefit of the doubt on much of anything. Thus, he should be taken seriously (of course, that doesn't mean he's correct).

#

Re:Antivirus is a Kludge

Posted by: Anonymous Coward on February 28, 2007 02:12 AM
Brilliant exchange. It kept me giggling for hours.

It's the same old same old though; security, efficiency, usability - pick any two. You have no issue with security at the expense of some efficiency, the other poster values efficiency over security. His analogy of the police living in your closet was more accurate, though the performance hit for AV isn't really that great on *nix, so there are really only a very few instances where the performance gain from no AV makes any difference. (Supercomputing clusters... well, that's another world entirely.)

I might take issue with this last turn though with the falsehood of security by obscurity. Unix is only more secure and less targeted because it is a small percentage of the market. I reject all but a very few arguments based on anything sounding like this.

Yes, when *nix becomes more widespread among home users, it'll more often present itself as the target. The difference is architecture, I think. Windows, from the first line of MS-DOS code at its core right up to the pretty touches on XP SP2 (we don't really know how Vista stands up yet), is fundamentally insecure. There are a few protective layers on the outside of the onion but the middle is all rotted and waiting for worms. *nix architecture, by contrast, is a hostile environment. Bad stuff can be written but it's harder to do and not going to flourish like the plague feasting on Redmond's users.

Unix tradition has always been about security and stability too, though, so we also have a community of people ready to address threats when they come up.

That's just to discuss the BS about security by obscurity. There are no viruses for Unix because Windows gets all the retail revenue... bah...

At the same time, Linux isn't Fort Knox. I think the bigger threat will be from active hacking rather than passive distribution of malware. Not running any AV may be great if you're in a Unix-only network with no outside gateway, but it's just irresponsible to have no AV software when chances are good that you're interacting with a Windows user at some point.

#

Re:Why Not ClamAV

Posted by: Anonymous Coward on February 28, 2007 05:22 PM
Let's not confuse desktop with server, Linux is already in the enterprise. MS got into the server room by eating Novell's lunch and now even that is ebbing away.


Regardless, whether or not a server becomes an electronic Chernobyl of malware, like your average Windows server is after short order, won't affect a thing. People, especially managers, are so conditioned into accepting malware as part of the natural order that it won't have any effect on market share at all. If it did, Windows would have disappeared by 2002.

#

so wrong

Posted by: Anonymous Coward on February 28, 2007 08:19 PM
>I try to explain that permissions on Linux make such tribute unnecessary

Please Joe don't give advice.

Clearly yo