Re: Clamav



From: "Michael Miles" <[email protected]>
Sent: Saturday, 2010/April/17 09:02

> On 04/17/2010 12:41 AM, jdow wrote:
>> From: "Patrick O'Callaghan"<[email protected]>
>> Sent: Friday, 2010/April/16 22:49
>>> On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
>>>> From: "Patrick O'Callaghan"<[email protected]>
>>>> Sent: Friday, 2010/April/16 16:51
>>>>> On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>>>>>> From: "Patrick O'Callaghan"<[email protected]>
>>>>>> Sent: Thursday, 2010/April/15 13:31
>>>>>>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>>>>>>> Is Fedora really that secure?
>>>>>>> Even if we limit the discussion to email viruses, that's a very complex
>>>>>>> and difficult question (to which the answer is "yes" :-). It's not an
>>>>>>> attribute exclusive to Fedora as such, but to all Unix-based systems,
>>>>>>> mainly for three reasons:
>>>>>>> 1) The mail client isn't running as root.
>>>>>>> 2) Even when running as root, Linux mail clients won't blindly execute
>>>>>>> attachments.
>>>>>>> 3) Even for executable attachments, the virus is written for Windows and
>>>>>>> won't run on Linux.
>>>>>>> Of course it's in principle possible to get past all the above barriers,
>>>>>>> so *in theory* you can have a Linux virus, assuming the user is stupid
>>>>>>> enough to run an unknown executable. As I say, I've never seen one in
>>>>>>> the wild.
>>>>>>>> I come from windows and I am amazed at how not secure windows is.
>>>>>>> See (3) above. Most viruses are written for Windows as it's the most
>>>>>>> popular platform. MS likes to pretend that's the only reason it gets all
>>>>>>> the grief, but there are other factors.
>>>>>> Patrick, the best AV tool of all is a savvy user given the number of
>>>>>> social engineering attacks of late. And, at least historically, 'ix users
>>>>>> have been quite savvy about security. That makes a huge difference. A
>>>>>> single mistake running something you should not have because it looks
>>>>>> important can bust your whole day. Based on the security forums I read
>>>>>> I'd not consider Linux bullet-proof "today" - kernel null pointer
>>>>>> dereferences and mmap are your enemy du jour.
>>>>> Again, you're answering the wrong question. This thread is not about the
>>>>> general security or otherwise of Linux. It's about vulnerability to
>>>>> viruses.
>>>> If you are being picky regarding "virus", "trojan", etc then begone little
>>>> boy, you bother me. It does not matter one bit the means of transmission
>>>> if the system is compromised in a manner that a piece of what is
>>>> conventionally called "anti-virus software" would have prevented the
>>>> problem?
>>> Which of the vulnerabilities discussed on the kernel list is
>>> communicable via an email message in such a way as to compromise the
>>> security of the target system without manual intervention on the part of
>>> its user? Please be specific.
>> Here is a non-LKML reference with a full explanation of the problem:
>> Some background:
>> How to exploit it:
>> The exploit can be delivered through email and introduced into the
>> machine via targeted social engineering. If you can be tricked into
>> allowing it to run, you're toast. ANY means of getting into the
>> machine and having code execute is sufficient to allow the exploit
>> to run within the kernel at kernel privilege.
>> Such means have existed in the past. I've read about the victims' problems
>> here on this and predecessor lists. That's why chkrootkit and rkhunter
>> exist. If somebody wishes to make Linux his main computing environment
>> something which traps intrusions and malware as it enters the machine and
>> before it's executed can probably save a world of hurt.
>> I've lost disk drives and suffered the hurt of discovering the first level
>> backup was bad. I lost some work and emails. If your machine becomes
>> compromised, what can you save? What can you trust? You have to make an
>> executive decision and hope your backup is from before the attack. Then
>> maybe you can recover more recent data and email, if you can trust your
>> backup to be safe. I prefer to spend some money to protect valuable data
>> and save valuable recovery time.
>> What you actually said was, "Clamav is usually installed by people running
>> mail servers for users who access them from Windows. If all you're doing
>> is reading mail in Linux, it's extremely unlikely that you even need it."
>> The first sentence is true. The second one is true but limiting beyond
>> belief. Computer users do not only use the machine for email. It leaves
>> an implication that it's probably safe for email. The null pointer
>> dereference issue makes you vulnerable within email if you can be tricked
>> into running a program sent in the email. If this is not closed up VERY
>> quickly I expect a nasty problem for Linux, shortly. The wakeup
>> call will have the good effect of waking up the community to the little
>> detail that "nothing's perfect".
>> As for running other things on the 'ix system, it seems a wine install
>> so that a person can run something not available for Linux can lead you
>> into problems. Seems somebody here mentioned an infected Wine install.
>> I'd not bet all 7 were false alarms. And, if one could manage to escape
>> the wine cellar....
>> {^_^}
> Wow, That was my machine with the Wine virtual drive infected.
> I will run it again and post the virus results

From the Windows side of my experience, run several different online AV
tests. (For F-Secure you need Java installed on the emulator. I'm not
sure how the AVG test works.) I figure if Avira found seven different
problems you have a fixup issue for your wine install. If it was seven
copies of the same file that's another picture.

It MIGHT be that parts of wine trigger normal Windows AV software's
detection mechanisms. That's worth investigating, too. Knowing which
files were declared infected is a good start to telling AV software
that a given file is probably safe to ignore.

(I've only had Avira misfire once here - for the RockKey dongle software.
They fixed it.)
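A worked example, added here and not part of the thread, for the two points above: telling seven distinct problems from seven copies of one file, and checking whether the flagged files are Wine's own components rather than something that arrived later. It parses the per-file report lines clamscan prints (path, signature, FOUND), groups the hits by signature, hashes the flagged files to count how many distinct contents were actually detected, and counts hits that fall under Wine's own drive_c/windows tree. The prefix layout, signature names and file contents in the fixture are constructed so the script runs without clamscan or a real Wine install; on a real prefix the log comes from clamscan itself.

```shell
#!/bin/sh
# Added example, not from the thread: triage a clamscan report of a Wine
# prefix. It assumes clamscan's default per-file report line,
#     /path/to/file: Signature.Name FOUND
# and Wine's usual layout (~/.wine/drive_c/windows holds Wine's own files).
# All paths, signature names and file contents below are constructed.

# Build a throwaway fixture standing in for ~/.wine plus a clamscan log.
# Three flagged files share identical bytes; a fourth differs.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/drive_c/windows/system32" "$d/drive_c/Program Files/App"
    printf 'same bytes\n' > "$d/drive_c/windows/system32/a.dll"
    printf 'same bytes\n' > "$d/drive_c/windows/system32/b.dll"
    printf 'same bytes\n' > "$d/drive_c/Program Files/App/setup.exe"
    printf 'other bytes\n' > "$d/drive_c/Program Files/App/helper.exe"
    cat > "$d/clamscan.log" <<EOF
$d/drive_c/windows/system32/a.dll: Win.Test.Constructed-1 FOUND
$d/drive_c/windows/system32/b.dll: Win.Test.Constructed-1 FOUND
$d/drive_c/Program Files/App/setup.exe: Win.Test.Constructed-1 FOUND
$d/drive_c/Program Files/App/helper.exe: Win.Test.Constructed-2 FOUND
$d/drive_c/Program Files/App/readme.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 4
EOF
    echo "$d"
}

# Paths of every flagged file. The greedy .* keeps paths containing spaces
# intact because a signature name has neither spaces nor colons.
flagged_paths() { sed -n 's/^\(.*\): [^ :]* FOUND$/\1/p' "$1"; }

# Signature names, one per hit.
flagged_sigs() { sed -n 's/^.*: \([^ :]*\) FOUND$/\1/p' "$1"; }

hit_count()          { flagged_paths "$1" | wc -l | tr -d ' '; }
distinct_sig_count() { flagged_sigs "$1" | sort -u | wc -l | tr -d ' '; }

# Portable SHA-256 of one file (sha256sum on Linux, shasum elsewhere).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Number of distinct file contents among the hits: seven hits on one
# hash is one problem copied around, seven hashes is seven problems.
distinct_content_count() {
    flagged_paths "$1" | while IFS= read -r p; do
        if [ -f "$p" ]; then hash_file "$p"; fi
    done | sort -u | wc -l | tr -d ' '
}

# Hits inside Wine's own drive_c/windows tree: candidates for the
# "parts of Wine trip Windows AV" explanation, worth checking against the
# wine package's file list before telling the scanner to ignore them.
wine_component_hit_count() {
    flagged_paths "$1" | grep -c '/drive_c/windows/' || true
}

# Human-readable summary: totals, per-signature counts, dedup figures.
report() {
    log=$1
    echo "hits: $(hit_count "$log")"
    echo "distinct signatures: $(distinct_sig_count "$log")"
    flagged_sigs "$log" | sort | uniq -c | sort -rn
    echo "distinct file contents: $(distinct_content_count "$log")"
    echo "hits under drive_c/windows: $(wine_component_hit_count "$log")"
}

# Usage on a real prefix:
#   clamscan -r --infected ~/.wine > scan.log; sh triage.sh scan.log
# With --demo, run against the constructed fixture instead.
case "${1:-}" in
    --demo) report "$(make_fixture)/clamscan.log" ;;
    "")     ;;
    *)      report "$1" ;;
esac
```

On the constructed fixture the report shows four hits, two signatures, two distinct file contents and two hits under drive_c/windows, which is exactly the "seven copies of the same file versus seven different problems" distinction the message asks about. Once a flagged file is confirmed to be a stock Wine component, clamscan's --exclude=REGEX option keeps that path out of later runs, and the same signature/path list is what an AV vendor wants when you report a false positive.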


users mailing list
[email protected]