ClamAv: is anyone paying attention?
Andy
stude.list at googlemail.com
Mon Nov 20 23:34:58 UTC 2006
On 20/11/06, Michael T. Richter <ttmrichter at gmail.com> wrote:
> I think at some point you're going to have to start listening to what
> people tell you: there are, currently, zero Linux viruses.
Shouldn't a virus scanner scan for worms as well?
Maybe we should agree on what a virus is, and what a virus scanner
should detect, maybe just more than viruses?
Symantec seems to suggest the only difference is the way worms and
viruses use a 'host file' (note: DO NOT confuse this with 'the hosts
file').
I would want my virus scanner to detect worms and Trojans as well.
Now to the 'there are no viruses', if we use virus in its more generic
sense then are you sure there are none?
Why do Symantec and Sophos list a Linux 'virus' (Symantec lists
several) in their threats? Are you accusing them of lying?
I think you (or someone else) pointed out that there are no Linux
viruses that _pose a credible threat_ to your system, as the issues
have been fixed. It is important to note you can't know what is and
isn't fixed on my computer; how do you know it's not old and never been
patched? OK, the fact that I am asking about AV and securing my system
suggests that I would not be so stupid as to be running a really old
system (in fact I think those viruses are pre-Ubuntu, and thus Ubuntu
was never vulnerable, so my system, as it is Ubuntu, isn't vulnerable
and wouldn't be unless I had explicitly tried to make it vulnerable).
Back to the point originally, I think I made a mistake in reading the
ClamAV warning message.
If it says 'recommended version' in the warning then I think that
means you're OK, it's just a suggestion that maybe you want a slightly
more stable, or faster version.
If it says 'required version', then you are in trouble, that means the
engine is too old to be able to use some signatures so some viruses
will not be detected.
Of course you will probably point out they are Windows viruses so only
a problem if you run Windows. WRONG!!! Can you honestly say that
Windows viruses are not a threat to a Linux machine? Linux is still
attackable via DDoS, anything is really. Windows viruses could be used
to compromise enough Windows machines to launch a DDoS against Linux,
but this is an indirect threat, and highlights 2 things: 1. We want to
be able to stop all Windows viruses, so scanning files to prevent
distribution of a virus file is a good thing.
2. We want to get more people onto Linux so their machine can't be
used as a launching platform. However at such time Linux will make
itself a target, but some would argue it's easier to run Linux securely
than Windows. (I don't know enough about this so *no comment*)
In summary:
- Both Sophos and Symantec list nasties that can attack Linux.
- These are, as you (or someone else) pointed out, old and the attacks they
used to get into a machine will now fail (unless you have a really old
machine)
- ClamAV is outdated, but the warning is a little too severe; you do
not _need_ the newer version till it says 'required' not
'recommended'.
- Detecting Windows viruses is useful, especially if you run a mail
server or have a dual boot, and want to scan your Windows partition
from Linux.
- Windows viruses pose a threat to the computer community at large (IMHO).
Correct me as required, somehow I don't doubt that you will ;)
(p.s. anyone else thinking that if it's only a 'recommended' warning to
use a newer version then it shouldn't be so loud about it, it could
cause not very wise people to panic (aka me) (yes I know it says don't
panic, but what do you do when someone says don't look down ;))
-Andy
--
Did you think it should be legal to rip a CD to your PC or MP3 player?
Change the law, sign the petition http://petitions.pm.gov.uk/privatecopy/
More information about the ubuntu-users mailing list