ClamAv: is anyone paying attention?

Mario Vukelic mario.vukelic at dantian.org
Tue Nov 21 06:19:08 UTC 2006


On Mon, 2006-11-20 at 23:34 +0000, Andy wrote:
> Shouldn't a virus scanner scan for worms as well?

No

> Maybe we should agree on what a virus is, and what a virus scanner
> should detect, maybe just more than viruses?

I think we should agree on using the standard definitions that
differentiate viruses, worms, and trojans by their attack vector:
      * Virus propagates by attaching to a binary and is executed when
        the binary is executed, infecting other binaries
      * Worm propagates on its own by using holes in system daemons
      * Trojan propagates by posing as a useful program, luring the user
        into running it

> Symantec seems to suggest the only difference is the way worms and
> viruses use a 'host file', (not DO NOT confuse this with 'the hosts
> file').

How is that an "only" difference - it's a very fundamental one that
makes the threat scenarios and the defense plans very different.

> I would want my virus scanner to detect worms and Trojans as well.

I would not want any of them in my system in the first place. This
can be done by a combination of technical measures and common sense. If
you don't follow the rules below, no scanner will save you:

Virus: do not run binaries from untrusted sources. That goes for the
user (don't download and run crap from the web) and software (don't
stupidly run attachments, see Outlook until a while ago)

Worm: have no exploitable holes in daemons. What would it mean to "scan
for worms" in the first place? As long as they are outside the system
you can run an nmap or something. Once they are in, it's too late.

Trojans: again, don't run untrusted binaries. And again, how would
scanning be done? If I downloaded an untrusted file from the Internet,
then ran a trojan scanner on it and it came up negative, I would STILL
not execute it. All those scanners (and that goes for the Windows ones
too) are not 100% accurate and can only scan for threats that are
already known, which is a bit late.

It certainly is a good idea in principle to be sure that no binaries
have changed on your system without your consent. This is as general a
measure against all three as it comes. There are plenty of tools for
this such as Tripwire. There are also plenty of rootkit scanners, and a
host of other security tools. They all do what they are supposed to do;
there is no need to lump it all into a useless virus scanner.

> Now to the 'there are no viruses', if we use virus in its more generic
> sense then are you sure there are none?

If we redefine words arbitrarily as we go along, discussing makes no
sense.

> Why do Symantec and Sophos list a Linux 'virus' (Symantec lists
> several) in their threats? Are you accusing them of lying?

1. Show me a valid link to a virus that poses a threat, then we can talk
about them

2. Remember that those companies' business plan dies if the OS is
secure. Virus companies certainly are known to overstate the
effectiveness of their tools, and they are also known to have talked up
ridiculous threat scenarios in the past:
http://www-math.uni-paderborn.de/~axel/bliss/

> I think you (or someone else) pointed out that there are no Linux
> viruses that _pose a credible threat_ to your system, as the issues
> have been fixed. It is important to note you can't know what is and
> isn't fixed on my computer, how do you know its not old and never been
> patched? 

I certainly know as reliably as possible that Ubuntu or any other
up-to-date distribution does not still contain holes that have been
fixed in the upstream software in 1996 (see my postings in reply to
linux viruses that have been mentioned)

> OK, the fact that I am asking about AV and securing my system
> suggests that I would not be so stupid as to be running a really old
> system (in fact I think those viruses are pre-Ubuntu, and thus Ubuntu
> was never vulnerable, so my system, as it is Ubuntu, isn't vulnerable
> and wouldn't be unless I had explicitly tried to make it vulnerable)

See, that's exactly the thing. There is no absolute security anyway;
it's always about making trade-offs. The time and effort spent on virus
scanners (installing, running, or updating them; learning about them;
CPU cycles spent on them) is much better invested into other security
measures if you feel the need. E.g., the already mentioned Tripwire, or
installing SELinux.

> (ClamAv warning messages snipped)

> Of course you will probably point out they are windows viruses so only
> a problem if you run windows. WRONG!!! Can you honestly say that
> windows viruses are not a threat to a Linux machine

Yes, if you could run a Windows binary under Linux, Linux would already
have world domination. As it stands, you'd have to run them under Wine:
http://os.newsforge.com/article.pl?sid=05/01/25/1430222&from=rss

There were a few cross-platform proof-of-concept attempts, but they went
nowhere and, like all other viruses, have a really, really hard time
propagating under Windows:
http://computerworld.com/securitytopics/security/virus/story/0,10801,110330,00.html

> Linux is still attackable via DDoS, anything is really.

You cannot lump wildly different attack vectors into one. It just makes
no sense.

> Windows viruses could be used
> to compromise enough windows machines to launch a DDoS against Linux,

But you certainly would not be able to stop that via a scanner that
scans for Linux viruses or any other security measures under Linux,
except those that protect you against a DDoS in general. The threat you
mentioned can only be stopped by ending the Windows monoculture.

> but this is an indirect threat, and highlights 2 things, 1. we want to
> be able to stop all Windows viruses, so scanning files to prevent
> distribution of a virus file is a good thing,

Yes, but this scanning will certainly not happen on my workstation but
only on mail servers I am responsible for (and I am not responsible for
any).

> 2. We want to get more people onto Linux so their machine can't be
> used as a launching platform. However at such time Linux will make
> itself a target, but some would argue its easier to run Linux securely
> than windows. (I don't know enough about this so *no comment*)

There are many security advantages for Linux, but if it starts to attract
moronic users that run every binary they find on their pr0n sites, they
will be used under Linux as well.

> In summary:
> - Both Sophos and Symantec list nasties that can attack Linux.

Sure, but being a bit more specific than "nasties" helps the discussion.

> - These are, as you (or someone else) pointed out, old, and the attacks they
> used to get into a machine will now fail (unless you have a really old
> machine)

Correct as far as the viruses go.

> - ClamAV is outdated, but the warning is a little too severe; you do
> not _need_ the newer version till it says 'required', not
> 'recommended'.

I think I have cleared that up days ago by posting the changelogs as
found on the ClamAV site.

> - Detecting Windows viruses is useful, especially if you run a mail
> server or have a dual boot, and want to scan your windows partition
> from Linux.

Agreed, I guess.

> - Windows viruses pose a threat to the computer community at large (IMHO).

I would not say a "threat" so much, as for the purposes of security
discussions "threat" usually is defined as the danger of compromising a
machine. But certainly it also concerns Linux users if 50% of the emails
are spam sent by botnets of infected Windows machines.

> Correct me as required, somehow I don't doubt that you will ;)

Done :)

> (p.s. anyone else thinking that if it's only a 'recommended' warning to
> use a newer version then it shouldn't be so loud about it; it could
> cause not very wise people to panic (aka me) (yes I know it says don't
> panic, but what do you do when someone says don't look down ;))

I guess the ClamAV people assume that the software is run for its main
purpose, that is running on a mail server, and therefore assume
admin-level knowledge in their users.
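The Tripwire-style measure mentioned above (checking that no binaries changed on the system without your consent) as an added example in Python; this is not code from the thread or from Tripwire, and the directory, file names and baseline path in demo() are constructed for the illustration.

```python
# Minimal Tripwire-style integrity check (added example, not from the thread):
# baseline (sha256, mode) of every regular file under a directory, then report
# what changed, appeared or disappeared. Files used in demo() are constructed.
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """{relative_path: (sha256_hex, octal_mode)} for regular files under root."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        st = p.lstat()
        if stat.S_ISREG(st.st_mode):  # symlinks, sockets etc. are not hashed
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            snap[str(p.relative_to(root))] = (digest, oct(stat.S_IMODE(st.st_mode)))
    return snap

def compare(baseline, current):
    """Diff two snapshots; a mode change (e.g. a new setuid bit) counts as changed."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def save_baseline(snap, path):
    # Store this off the monitored host or on read-only media; a baseline the
    # intruder can rewrite detects nothing.
    Path(path).write_text(json.dumps(snap, sort_keys=True))

def load_baseline(path):
    return {k: tuple(v) for k, v in json.loads(Path(path).read_text()).items()}

def demo():
    """Constructed scenario: baseline three files, alter the tree, re-check."""
    root = Path(tempfile.mkdtemp())
    watched = root / "bin"
    watched.mkdir()
    for name in ("ls", "ps", "old"):
        (watched / name).write_bytes(b"original " + name.encode())
    save_baseline(snapshot(watched), root / "baseline.json")
    (watched / "ps").write_bytes(b"replaced ps")   # content changed
    (watched / "ls").chmod(0o4755)                 # setuid bit added, content same
    (watched / "newfile").write_bytes(b"new")      # appeared
    (watched / "old").unlink()                     # disappeared
    return compare(load_baseline(root / "baseline.json"), snapshot(watched))
```

Running demo() reports ls and ps as changed, newfile as added and old as removed; a real deployment would hash /bin, /sbin, /usr/bin and the like and keep the baseline where a compromised host cannot rewrite it.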

More information about the ubuntu-users mailing list