Antivirus

Bart Silverstrim bsilver at chrononomicon.com
Tue Jun 17 19:52:18 UTC 2008


Michael "TheZorch" Haney wrote:
> Bart Silverstrim wrote:
>> I've seen people claim they don't need it for Windows, but there are just 
>> too many cases where just web browsing with your user privileges under 
>> the Windows architecture can cause problems. Maybe with the way Vista annoys 
>> users for every damn action short of sneezing and requires you to click 
>> through it, the situation's different, but I don't trust it. 
>> Unfortunately there are a number of Windows programs that can't deal with 
>> the security settings, so if you don't want to deal with the hassle you end 
>> up running in a less secure state and so...it's a pain.
> UAC is cruel and unusual punishment for Vista users.  I've never seen an 
> OS like it which so thoroughly ticks off users the way Windows Vista does.  

The funny part is, as I understand it, that UAC was specifically 
designed to annoy the user. Something about putting pressure on 
developers to follow programming guidelines that Microsoft has had out 
there for a while now but people just plain ignored, like where to store 
preferences for applications and library files. Google should be able to 
find where that was actually quoted from an MS insider.

<story snipped>

> In the end Zone Alarm and Avast were installed on that machine and it's 
> been infection-free ever since then.  I've never had to use anti-virus 
> software for Linux during the time I've used the OS.  I know there is 
> anti-virus software for Linux in the form of Clamwin Anti-Virus but how 
> many Linux viruses and Trojans are there out there compared to viruses, 
> worms and Trojan Horses for Windows?  Probably only about as many as 
> there are for Mac OS X, which is a pretty small list.

Some points...
A) that bot was taking advantage of a vulnerability in Windows, tying 
into point B.

B) That scripting host app that was being accessed still could only do 
what it had privileges to; i.e., if it ran as the user, it could access 
the parts of the system the user could alter; if it ran as the system or 
administrator, it had free rein of the system. With Linux today, this 
is addressed by having common components run in their own context so 
Apache could only affect Apache's directory structure, and in some cases 
is running in its own "jail".

C) Again, Windows evolved as a platform from the personal computing 
world, unlike Linux which is modeled after UNIX which came from the 
multiuser world. This affects the architecture that in turn affects 
security and how it is handled. Windows is not designed in any way to 
head off problems, or block zero-day type exploits. Thus your defenses 
are reactive and not proactive.

D) Unless you do this for a living, it probably wouldn't have occurred 
to you, but for those of us wandering in the world of Windows support we 
quickly learned NEVER to plug a Windows system into an 
Internet-connected network unless it's NAT'ed and pseudo-firewalled; 
there are too many idiots still zombied and probing for other systems to 
infect with old vulnerabilities, and the time it takes to get updates 
leaves a HUGE window of opportunity to get infected. It only takes a 
minute or two for infection. If you can't NAT it, you need to use 
offline updates with a slipstreamed update CD before trying to connect it.

E) There are worms that affect Linux. Mainly because 99.9% of them 
aren't Linux-based. They're vulnerabilities in Apache, or MySQL, or some 
other popular Internet-facing application. It's not Ubuntu's fault if 
there's an Apache bug...they are packaging the fixes as they come from the 
Apache project. While it affects the perception of Ubuntu when it happens, it 
still isn't their fault. Also...

F) Most services don't run by default, even if they can be installed. 
Personally I hadn't run a software firewall until it became installed 
and partially configured by default...why? I didn't run services I 
didn't use, didn't need to shape or throttle traffic, and when I ran 
services, I wanted them open to all IPs. I didn't want or have a need to 
limit SSH from whatever machine I sat at...when probing became the "in" 
thing to do, I installed denyhosts. I don't run Apache, so it didn't 
matter if it had a vulnerability in it when I evaluated my home machine's 
status. For most home users, software firewalls really shouldn't be 
necessary because your OS shouldn't be running unused services; this 
isn't part of the Windows mindset, unfortunately, and now various 
sources of propaganda make users think they need a firewall like they 
thought they needed fins on cars in the '50s.

That being said, one of the handier things I'd want and could find 
useful is an easy-to-use application for visualizing network traffic in 
and out of a computer. Yes, I'm aware of netstat, or socklist, or 
grepping and awking and otherwise twisting the $!@#$ out of an iptables 
command, but it's still not an at-a-glance useful tool. The closest I 
found was ZoneAlarm's outgoing filters in Windows showing the applications 
running, where the connections were going, how much data was attempting 
to flow through...again, though, that would go back to my references 
about tools and the need for VM advances, since applications running 
within your own login context (or system context) could be attacked, so 
you kind of need a way to view your computer from the outside in. You can't 
do that unless you're in a VM or have a special router that monitors 
such things inline with your network traffic.
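The "at-a-glance" view of connections per application that the post above asks for is not far from what netstat -p and socklist already read out of procfs. The following is an added example, not code from the post or from the ubuntu-users list: it parses /proc/net/tcp, maps each socket inode to the process that owns it via /proc/<pid>/fd, and prints one line per socket with the owning command. It assumes a Linux host with a little-endian CPU (x86/x86-64), where the kernel prints IPv4 addresses in byte-swapped hex, and it handles IPv4 only (/proc/net/tcp6 uses 32-hex-digit addresses and is not covered). The SAMPLE_PROC_NET_TCP text is constructed for the example, not captured from a real machine.

```python
"""Added example: who owns which TCP socket, from /proc (Linux, little-endian).

Assumptions (mine, not the original poster's): IPv4 only; /proc/net/tcp
prints the address in host byte order, so it is byte-swapped on x86.
"""
from __future__ import annotations

import os
import socket
import struct
from dataclasses import dataclass

# Kernel TCP state codes as printed in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample of /proc/net/tcp (not from a real host): an sshd
# listener on 0.0.0.0:22, a loopback-only MySQL listener (uid 113) and an
# outbound connection from a uid-1000 process to a web server on port 80.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   113        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0202A8C0:B4E2 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1 0000000000000000 100 0 0 10 0
"""


@dataclass(frozen=True)
class TcpSocket:
    local: str    # "ip:port"
    remote: str   # "ip:port"
    state: str    # e.g. "LISTEN"
    uid: int
    inode: int    # socket inode: the key that links the socket to a process fd


def _decode_addr(hex_addr: str) -> str:
    """Turn '0100007F:0016' into '127.0.0.1:22' (little-endian host assumed)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return f"{ip}:{int(port_hex, 16)}"


def parse_proc_net_tcp(text: str) -> list[TcpSocket]:
    """Parse the contents of /proc/net/tcp (header line skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append(TcpSocket(
            local=_decode_addr(f[1]), remote=_decode_addr(f[2]),
            state=TCP_STATES.get(f[3], f"UNKNOWN({f[3]})"),
            uid=int(f[7]), inode=int(f[9]),
        ))
    return sockets


def socket_owners(proc_root: str = "/proc") -> dict[int, tuple[int, str]]:
    """Map socket inode -> (pid, command) by reading /proc/<pid>/fd/* links.

    Without root you only see your own processes' fds; anything else stays
    unattributed, which is exactly the kind of thing worth a second look.
    """
    owners: dict[int, tuple[int, str]] = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:      # no procfs (not Linux): degrade to no attribution
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or EACCES on another user's process
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                try:
                    with open(os.path.join(proc_root, pid, "comm")) as fh:
                        name = fh.read().strip()
                except OSError:
                    name = "?"
                owners[int(target[8:-1])] = (int(pid), name)
    return owners


def render(sockets: list[TcpSocket], owners: dict, listening_only: bool = False) -> list[str]:
    """One line per socket: state, endpoints, uid and owning process if known."""
    rows = []
    for s in sockets:
        if listening_only and s.state != "LISTEN":
            continue
        pid, name = owners.get(s.inode, (None, "-"))
        who = f"{name}[{pid}]" if pid is not None else "(unattributed)"
        rows.append(f"{s.state:<12} {s.local:<22} {s.remote:<22} uid={s.uid:<5} {who}")
    return rows


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP   # off Linux, show the constructed sample
    for row in render(parse_proc_net_tcp(text), socket_owners()):
        print(row)
```

Run it as root to attribute every socket; run it as yourself and the "(unattributed)" rows are precisely the listeners that belong to some other account, which is the list to compare against the services you meant to be running. Pass listening_only=True to render() to get just that list.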