Some thoughts about anti-virus software for Linux

Jeff Silverman jeffsilverm at gmail.com
Thu Jan 22 06:03:47 UTC 2009


People,

There has been much discussion about the need for anti-virus software on 
Linux.

There seems to be little need for anti-virus software up to this time.  
There are very few viruses that run on Linux.   My concern is that 
somebody is going to write a Trojan horse and get it into one of the 
repositories.  Such a Trojan could sleep for a long time and then wake 
up and do whatever it decides to do.  The amount of damage such a Trojan 
could do to its own system is rather limited, if that system is 
reasonably well managed (don't use root, use sudo, that sort of thing).  
However, such a Trojan could be used to attack other vulnerable systems 
around it.  A well-written Trojan could be cross-platform, written in 
Java or Perl for example.  A Trojan is hard to hide in source code, and 
it would be easy to track down the bastard that wrote it.  I think.

The other thing that needs to be discussed is other ways to attack a 
system besides a virus.  For example, programs that fail to sanitize 
their inputs properly may fall prey to SQL injection attacks and similar 
problems.  Programs written in PHP seem to be particularly susceptible 
to this class of problem.  Again, good system design can mitigate the 
risks (run your DBMS in a dedicated account, run Apache in the apache or 
nobody account, write your CGI scripts in Perl with taint checks turned 
on).  Poorly written code is a risk on any machine.  Open source 
mitigates that risk because lots of eyeballs get to see the code and can 
file bug fixes if errors are found.  That assumes that somebody looks at 
the code - I know that I don't spend the time looking at other people's 
software.

These risks are not amenable to detection using conventional anti-virus 
scanning technology.  New technologies such as behavior-based malware 
detection may solve these problems or at least reduce their magnitude.  
Linux has a variant, SELinux, which implements such a system.  I don't 
know much about it, but if you are concerned about such things, SELinux 
would be a good thing to study.


Jeff

-- 
Jeff Silverman
Linux sysadmin
To get my addresses:
perl -wlpe  'y/a-zA-Z/n-za-mN-ZA-M/' << EOF
924 20gu NIR R
Frnggyr, JN, 98112
wrssfvyirez at tznvy.pbz
EOF
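The input-sanitization point in the post above, shown as an added example that is not part of the original message: a login query built by pasting request parameters into SQL text next to the parameterized form, plus an allowlist "untaint" check in the spirit of Perl's taint mode. The user table, credentials and the `login_*`/`untaint` function names are constructed for this illustration; the code uses Python's standard `sqlite3` module as a stand-in for whatever DBMS sits behind a CGI script.

```python
import re
import sqlite3

# Constructed sample data standing in for the DBMS behind a CGI script.
SAMPLE_USERS = [
    ("alice", "s3cret-alice", "admin"),
    ("bob", "s3cret-bob", "user"),
]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The bug the post warns about: request data pasted into the SQL text.

    A quote character in either field changes the structure of the query,
    so the WHERE clause no longer means what the programmer wrote.
    """
    sql = ("SELECT name, role FROM users "
           "WHERE name = '%s' AND password = '%s'" % (name, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, name, password):
    """Parameterized query: values travel separately from the SQL text.

    The driver binds them as data, so quotes in the input can never
    become SQL syntax, whatever the caller sends.
    """
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Allowlist for identifiers such as user names; hypothetical policy.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def untaint(value):
    """Perl-taint-style check: data from the request is untrusted until it
    has been explicitly validated against a pattern. Reject anything else."""
    if not SAFE_NAME.match(value):
        raise ValueError("rejected untrusted input: %r" % value)
    return value


def demo():
    """Run both query styles against an honest login and a malformed one."""
    conn = make_db()
    # Constructed malformed input: a quote that terminates the literal and
    # appends a condition that is always true.
    bad_password = "' OR '1'='1"
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret-alice"),
        "honest_safe": login_safe(conn, "alice", "s3cret-alice"),
        # The concatenated query now returns every row: authentication bypassed.
        "malformed_vulnerable": login_vulnerable(conn, "nobody", bad_password),
        # The parameterized query treats the same input as a literal password.
        "malformed_safe": login_safe(conn, "nobody", bad_password),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-22s -> %r" % (label, rows))
```

The lesson is the one the post gives: the fix is not to hunt for bad characters but to design the data path so untrusted bytes never reach an interpreter as code, and to validate (untaint) anything that must be used as an identifier.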

More information about the ubuntu-users mailing list