Thread: Anti-Virus programs (revisited)

  1. #1
    Senior Member registered user
    Join Date
    Dec 2003
    Location
    Salt Lake City, UT, U.S.A.
    Posts
    1,338

    Anti-Virus programs (revisited)

    Goal of this thread:
    *** Gain insight into what people are doing, or not doing, about a virus threat, either currently or in the future.
    *** Trying to gain information on the fact that "currently" viri are not an issue in a "Linux" OS, but that this will probably become an issue as it becomes more popular.
    *** Poll the resources of all those who run Linux, and all the information they can provide, on where the future of this "situation" is heading.

    Background:
    I have run Windows OSes for many years, and know the "constant" security threat they have to tackle on a daily basis. Some of these issues must also be the same, if not currently exploited, by the viri creators in the world. We (the Linux Community) have the same issues: we run web browsers, we send and receive e-mail, with and without attachments.

    Subject:
    Since we do the same things that Windows OSes do, even if we don't run the "OS layer" they do, can we not be "infected" the same, and if we are not "involved" in the attack of a virus, can we not be a "carrier" of the virus to infect another system?

    I, for one, do not run a "server", nor do I "share" my files or drives with a Windows intranet or through the internet, but, as I found out on my old Windows machine, which had these same properties, I could be infected, or be an unwilling participant in carrying a virus to someone else.

    The big question here is, what are people doing? Are we just standing back from all of this and saying "we can't be infected, so don't worry about it", or are we actively taking a "proactive" approach to making sure that "if", or "when", the day comes that we do become part of this, we have something in place to tackle it? I, for one, would like to be ready...

    I run a firewall, even though the consensus is that if you don't "open the door" to the outside world, they won't have a way in, nor should you have to "bar the door". I keep a constant watch on my ports for suspicious activity. I watch remote access channels to ensure that "someone" hasn't found a way in. But the common thought is, if they want in, they will get in. You can't have a "working" system that is "completely" secure; you can get close, but going nuts on this can only lead down the path of a "sterile" computer that only runs alone and never goes "anywhere".

    I guess the F-Prot anti-virus that works in Linux is for those using shares, or divvying out resources, drives, or hardware to "Windows based" systems through an intranet or WAN / LAN, and that "we as Linux are safe from infection" because of our OS's differences, complexities, and file systems, but is that to say we are really safe, or just hiding and hoping that the viri creators don't notice us?

    I have been watching the Debian Security Alerts, and they appear to be finding "holes" in the security, from simple things like how a temp file is created with less than "root" privileges, when it can be used by "some malicious person" to run rogue code, or a JPEG or PNG image that can be "crafted" to run malicious code on the recipient's system. These kinds of alerts are, in my thinking, the predecessor of a virus being created specifically to target an OS that is not Windows. I don't want to go into "paranoia" mode, but we may be seeing that Linux is not as secure as we all thought, or want, it to be. That we are safe because these things are being found, reported, and "closed up" is a good thing, but this all could be a sign of the times to come. Possibly, to take this to its full conclusion, a virus that becomes smart enough to know what system it is running on, to take advantage of that system's weaknesses, and not be "dependent" on it only being one kind of OS...

    I have "earned" the right to run Linux, from years and years of fighting with a Windows OS and all of its painful pitfalls. I have worked hard to get Knoppix running, happily I might add, and to be able to sit back and watch it run days upon days without a single problem. But I am not going to sit back and allow someone to create something that can tear it all down on me, to just sit back and wait for someone to attack my system and watch my data go down the drain. Whether that attack comes from a person who sends me an email that has something in it that does something to my system, even though my system is not the same OS as theirs, or I "accidentally" go to a site that "pushes" one of these things into my system, or the attack has been "finely crafted" to exploit my OS, makes no difference.

    Coming from the Windows world, I am cautious: I don't open email from someone I don't know, I delete it immediately. I don't "surf" blindly to sites I don't know. In more than 15 years of running a Windows OS, I have yet to be infected; in fact, the only time I have ever been infected was when I was doing newsletter publishing and was getting articles by email or on floppy media from people to include in the monthly newsletter. One person in particular always gave me a Word document that had a "script virus" within the document, which both McAfee and Avast would consistently locate and eradicate for me. Linux is not bullet-proof; it isn't something that can't be attacked. To believe that has to be foolish, and what is done knowing that is what will make Linux more, or less, powerful when the day comes that it is a "main-stream" OS in the world (if that day does come, main-stream that is).

    Are people just relying on Debian to locate these "holes", are people "protecting" themselves now, or are we just going to wait and see what happens, and when? Am I just being paranoid, or is this really something of concern? Can a person get an email from someone running Windows and have that email infect something in a Linux email program? I would take a guess that those "email viri" that would hijack your address book and then send out their infection to everyone you know would be a concern in a Linux OS as well. We, the Linux Community, may not be able to be infected, or have the infection do something on our system, but can we become an "unwilling" party to the virus propagating itself?

    I am trying to gain insight on this whole thing; I appreciate feedback, view points, and honest opinions on this subject. I don't want to scare anyone, whether the threat is real or not; I just want ideas, and even our "moral" obligation to any other OS that runs, if we can propagate but not infect ourselves, kind of thing... Consider this posting to be me "personally", and without my "moderator" signification. I want to know what people think: honest input, no "pulled punches" or "yes man" answers...

    Thank you,
    Cuddles
    ( a concerned Linux user )

  2. #2
    Member registered user
    Join Date
    Nov 2002
    Posts
    79
    I run clamav .... there's a script that works with kmail's filters (kmail_clamav.sh) but I actually use this script (unmodified) with evolution.

    Like most linux users I'm not worried about virus attacks at this stage, but I also don't want to pass any (70,000+ in circulation) on to poor besieged windows users when forwarding email etc. either.

    If you want to play around a bit more, there's a nice KDE frontend you can compile called KlamAV. It's at version 0.06 and works but is listed as planning,pre-alpha in the Installation Instructions.
    http://klamav.sourceforge.net

    Cheers
    rob

  3. #3
    Member registered user
    Join Date
    Nov 2002
    Posts
    79
    Here's another linux AV program with GUI combo (independently developed).

    BitDefender AV program (deb)
    http://www.bitdefender.com/bd/site/products.php?p_id=16

    GUI - BitDefender FE http://www.kde-apps.org/content/show...2e6ff2e4c76dee
    BTW, since the clamav setup in my last post works well for me I may not get around to trying it out... but the screenshots make it look very tempting.

    Cheers
    rob

  4. #4
    Member registered user
    Join Date
    Sep 2004
    Posts
    78
    You know, I have a feeling that a speech/letter like this has happened many times before; I mean once windows began to get popular someone must have approached the (at that point small) windows community and said something of the same nature... lol, you may have sparked something there cuddles

    -Jameson

  5. #5
    Member registered user
    Join Date
    Dec 2002
    Posts
    75

    my 2 Cents

    for what my tired self can muster up on this topic, here are my thoughts:

    1.) Some insight on what I run and maintain.
    a.) Day job = PC repair tech / Network Admin / Onsite Guy for small computer dealer.
    b.) Windows and Linux User/Admin alike.
    c.) Run a hybrid network at home, 12 machines total, almost a 50/50 split Windows / Linux. 1 web server / file server is Debian. 1 mail server / A/V server is Windows Server 2003. Workstations are mostly Windows, with Linux test machines and workstations that dual-boot.
    d.) Knoppix user since late 2002. Gave FabianX (Fabian Franz) the original idea for the f-prot auto-installer script that has been in Knoppix since 3.4 I think. It is definitely in 3.6.

    2.) Windows angle:
    a.) Windows is buggy by nature because the exact people who are charged with maintaining it are powerless to fix it directly when it's crunch time.
    b.) Windows always has a certain set of software loaded on it in every installation regardless of version (i.e. Internet Explorer, Outlook Express, and lately MSN Messenger).
    c.) Almost every version of Windows maintains some link to previously used code that has since been obsoleted or found to be insecure (i.e. NetBIOS, IPX/SPX, etc.). It is also sometimes very difficult to remove offending outdated "bindings" under most versions of Windows.
    d.) (complete opinion) Microsoft has something to gain by having a consistent turnout of bugfixes (almost guaranteed support calls, OS upgrades, and maintenance contracts), each of which they make money on.
    e.) Being as how they have their 75-95% market share for home users, they happen to have one of the most vulnerable markets for virus writers to prey upon: the clueless, computer-illiterate society, or the completely powerless to stop it (i.e. the people who know how to debug software can't because it's closed source).
    f.) On Windows people don't know what is normal and what is not. Everything can be spoofed in the exact manner in which Microsoft hides things from the end user. This includes running tasks that don't show up in taskman (when you press ctrl-alt-del), your current Temporary Internet Files folder (you can only access it through the command prompt), and your permanent I.E. URL history list (only accessible through another OS) (on a second note... what good is that file anyway?). Too many things are hidden from the people who need to know. Administrator is just as powerless as the user because the user is set to run as Administrator. That may seem a little confusing, but Windows has evolved from a single-user OS to a many-single-user OS... Admins get sick of dealing with permission denied errors, so they say screw it and assign the user to the Administrator group, etc. (this isn't strictly Microsoft's problem but...). This makes it very easy for viruses to get away with things: someone sees TaskMan.exe in their task manager list, they don't think anything of it; little do they know that the real name of the program is @#Fksmd.com or something and it was just changed to look legit (I guess this could be possible under Linux). Nor does the user have any method of checking to be sure.

    3.) Linux angle:
    a.) Not a large portion of the population is using Linux, which makes Linux a smaller target for virus writers. Also, the populace using Linux generally either has an interest in their computers or has a network admin who does. This helps to mitigate the "stupid user" syndrome.
    b.) Every install of Linux is different. You might use elm to read e-mail while I might use Thunderbird while someone else might use another app... my kernel is a different kernel than your kernel, my web browser is different than your browser. Since there is no guaranteed application on each and every install, it makes a much less appealing target than the fairly stationary IE, OE, Windows Explorer, MSN Messenger, Media Player, etc., since for almost every exploit you must know two things: the program you are breaking, and the location in RAM of the program that you want to run (this is very setup-specific, so you need machines that are as similar as possible for you to successfully guess it).
    c.) Code for Linux and GNU or open source apps can be edited by the owner, read by the owner, etc. For example we have Bob and Tom. Bob uses Windows XP, Tom uses Debian. Someone found a critical bug in Windows and a bug in Linux. Both now have a virus waiting to be released into the wild. Someone hears about these viruses and e-mails Microsoft and the Debian maintainers. The Debian maintainer in charge of the piece of code in question looks over his packages and hunts down the suspect code in question, edits it, and releases it. 3 hours later the patch is available to most every user by simply typing apt-get update followed by apt-get upgrade. Turn time <24 hours for critical bugs. Now Microsoft, on the other hand, adds this new bug report on top of the pile of bug reports to be filed, and maybe 1-2 weeks to 3-4 months from now will release a "patch" that "fixes" this problem. By now there has been a virus released into the wild that is rampaging through all these users' machines, most of whom don't know, don't care, or can't even figure out where the power button is. Many Linux security bugs get squashed by attentive community code readers while they are still in the "conceptual bug" phase instead of the realized and exploited bug phase.
    d.) There are real system-level user privilege differences between the normal user and the root user. If a user clicks on a file that says rm -Rf /* (the administrator's worst typo), the most they can do damage-wise is simply delete the files that they have been assigned permissions to; now on a Windows machine a similar command can be run that basically removes all non-running files from the computer, and the user wouldn't know until the next reboot or application change.
    e.) The programs that you are breaking (for a virus to work) have to have the level of privileges you want to gain, i.e. root or administrator rights. If the user's programs are running as that user, you can break them all you want and still be stuck with only that user's privileges.
    f.) Linux is vulnerable to viruses, exploits, stupid users, spyware, misconfiguration, negligence, stupidity, oversight, etc., but the real difference is how much of that you can avoid using common sense. With Windows you can get stuck right in the rear whether or not you were doing all of your updates and virus scans; on the other hand, if you pay the same amount of attention to a Linux machine, suddenly your setup is so much more secure, and since your machine is different from the next, there's no magical combination to your computer.


    If all bank safes were made the exact same way... would you feel safe having your money in one? What happens when you find a way to crack one of them? Suddenly you have them all!!! I would rather have a diverse computer universe... I feel like a nice small target and I like that...

    Yes, Linux can be broken... no, it's not as easy, untraceable, or convenient as Windows, but it can be done. Should you worry about your Linux install? No. You will know if it ever becomes a problem. If you need to know, just ask someone in the community ^^ Enough ranting though... time for bed -burnt-toast

  6. #6
    Senior Member registered user
    Join Date
    Feb 2004
    Posts
    949
    I think both cuddles and roberto have made some very good points.
    Basically, I'll sum up what I have to say:

    Linux is multiuser,
    Windows is single user now disguised as multi-user.

    Linux by default gives users permission to change only files in their home directory.
    Windows by default gives the user access to change just about anything.

    Linux has lots of different kernels being run at the same time by different computers, all of which can be changed in what they can and can't do.
    Windows has one kernel that can't be changed and will be running for 3-4+ years until a new version of Windows comes out.

    Linux has a group of writers for each aspect of the OS.
    Windows has one group of writers that are probably months behind schedule.

    Linux scares stupid people.
    Windows invites stupid people.

    Linux doesn't have a lot of stupid people.
    Windows has stupid people that do stupid things against all common sense.

    Linux isn't forced to use software; it's completely up to the user.
    Windows installs its own software, then allows the user to uninstall it (sometimes) in a way that is more trouble than it's worth.

    I probably missed a few points but I got my message through.

    As much as it sounds like it, I'm not bashing either OS. I still use and enjoy Windows, and I use and enjoy Linux.

  7. #7
    Junior Member
    Join Date
    Dec 2004
    Location
    UK
    Posts
    1
    Quote Originally Posted by monkymind
    I run clamav .... it comes with a script that works with kmail's filters (kmail_clamav.sh) but I actually use this script (unmodified) with evolution.

    Like most linux users I'm not worried about virus attacks at this stage, but I also don't want to pass any (70,000+ in circulation) on to poor besieged windows users when forwarding email etc. either.

    If you want to play around a bit more, there's a nice KDE frontend you can compile called KlamAV. It's at version 0.06 and works but is listed as planning,pre-alpha in the Installation Instructions.
    http://klamav.sourceforge.net

    Cheers
    rob
    Rob,

    Please would you tell me how to use this script in Evolution? Tools - filter - pipe to program - ????

    What next and what should I use for "returns"??

    Thank you

    Eric

  8. #8
    Member registered user
    Join Date
    Nov 2002
    Posts
    79
    Quote Originally Posted by erichill
    Rob,

    Please would you tell me how to use this script in Evolution? Tools - filter - pipe to program - ????

    What next and what should I use for "returns"??

    Thank you

    Eric
    Hi Eric,
    Sorry about taking so long to get back to you (I don't come here very often).

    Anyway ... here's the info in case you still need it :-
    ---------------------------------------------------

    If you have Knoppix installed it will already have KMail (and with it the script kmail_clamav.sh);
    if not, then apt-get install kmail.
    You will also need to install clamav (and clamav-freshclam for auto updates).

    1) Go to Evolution's inbox

    2) Select <Filters..> from the Tools menu

    3) And create an incoming Filter rule called AV-Check


    4) Set up the AV-Check rule like this: [screenshot missing]

    5) Then create another filter rule (see #3) called AV-Found and set it up like this: [screenshot missing]

    That's pretty much it. Just make sure they are the first two rules (move them to the top of the Filter list if necessary).
    Note: If you're using any IMAP mail accounts, don't forget to tick the Apply Filters option: [screenshot missing]

    It should now check all incoming mail and move the infected ones to the "Quarantine" folder.

    If you want to check mail you have received in the past. Then select all the messages (inbox or whatever). Right-click on the selected messages and use the <Apply Filters> option.
    Warning: It may take a long time if you have a lot of messages...

    Ironically - the Quarantined emails I've had are faked Microsoft support or security announcements.

    Re: what should I use for "returns"?
    I'm not sure what you mean? Outgoing attachments? (downloaded zip and exe files?)

    If you want a nice frontend to scanning files, updating the virus databases, integration into konqueror's "Action" menu etc. try KlamAV
    (the guys at Mepislovers have packaged it up as a deb here: http://mepislovers.com/modules/mydow...p?cid=3&lid=45 )

    Hope this helps. If you find I've left something out or can't get it running, feel free to PM me.

    Cheers
    rob

  9. #9
    Member registered user
    Join Date
    Nov 2004
    Location
    Bellevue, WA
    Posts
    83
    Quote Originally Posted by firebyrd10
    As much as it sounds like it, I'm not bashing either OS. I still use and enjoy Windows, and I use and enjoy Linux.
    I fully agree with you on this one, and with many of the points made by others before. As I was reading, though, something occurred to me:
    Has anyone tried to run an antivirus within Wine to check a disk on another PC mounted with Samba? If you did, let me know your experience.

    Cheers for the holidays,

    --GN
