Some thoughts about anti-virus software for Linux
Jeff Silverman
jeffsilverm at gmail.com
Thu Jan 22 06:03:47 UTC 2009
People,
There has been much discussion about the need for anti-virus software on
Linux.
There seems to be little need for anti-virus software up to this time.
There are very few viruses that run on Linux. My concern is that
somebody is going to write a Trojan horse and get in one of the
repositories. Such a Trojan could sleep for a long time and then wake
up and do whatever it decides to do. The amount of damage such a Trojan
could do to its own system is rather limited, if that system is
reasonably well managed (don't use root, use sudo, that sort of thing).
However, such a Trojan could be used to attack other vulnerable systems
around it. A well-written Trojan could be cross platform, written in
Java or Perl for example. A Trojan is hard to hide in source code, and
it would be easy to track down the bastard that wrote it. I think.
The other thing that needs to be discussed is other ways to attack a
system besides a virus. For example, programs that fail to sanitize
their inputs properly may fall prey to SQL injection attacks and similar
problems. Programs written in PHP seem to be particularly susceptible
to this class of problem. Again, good system design can mitigate the
risks (run your DBMS in a dedicated account, run Apache in the apache or
nobody account, write your CGI scripts in perl with taint checks turned
on). Poorly written code is a risk on any machine. Open source
mitigates that risk because lots of eyeballs get to see the code and can
file bug fixes if errors are found. That assumes that somebody looks at
code - I know that I don't spend the time looking at other people's
software.
These risks are not amenable to detection using conventional anti-virus
scanning technology. New technologies such as behavior-based malware
detection may solve these problems or at least reduce their magnitude.
Linux has a variant, SELinux, which implements such a system. I don't
know much about it, but if you are concerned about such things, SELinux
would be a good thing to study.
Jeff
--
Jeff Silverman
Linux sysadmin
To get my addresses:
perl -wlpe 'y/a-zA-Z/n-za-mN-ZA-M/' << EOF
924 20gu NIR R
Frnggyr, JN, 98112
wrssfvyirez at tznvy.pbz
EOF
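The post above mentions programs that fail to sanitize their inputs falling prey to SQL injection, and Perl's taint checks as one mitigation. The following is an added example, not code from the original message or from Jeff Silverman: a small Python script (using the standard library's sqlite3 module and an in-memory table with constructed sample rows) that shows the injectable string-built query next to a parameterized one, plus an allow-list "untaint" step in the spirit of Perl taint mode, where request data is only trusted after it is extracted by an explicit pattern. The user table, names and passwords are made up for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for a web application's backend;
# none of it comes from the original post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    """Builds the query by string interpolation: the classic injection bug.
    Untrusted text becomes part of the SQL grammar itself."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]

def login_parameterized(conn, name, password):
    """Lets the driver bind the values; the input is never parsed as SQL,
    so quote characters in it have no special meaning."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]

# Allow-list pattern for a user name (an assumption of this example, not a
# rule from the post): lowercase letter followed by up to 31 [a-z0-9_].
_SAFE_NAME = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def untaint_name(value):
    """Mimics Perl taint-mode discipline: data from the request is only
    trusted after an explicit pattern match extracts the accepted part.
    Anything that does not fit the allow-list is rejected outright."""
    m = _SAFE_NAME.match(value)
    if m is None:
        raise ValueError("rejected untrusted input: %r" % value)
    return m.group(0)

def demo():
    """Runs a normal login and an injection attempt through both query
    styles and the untaint step; returns the outcomes for inspection."""
    conn = make_db()
    attack = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    results = {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_attack": login_vulnerable(conn, "alice", attack),
        "param_normal": login_parameterized(conn, "alice", "s3cret"),
        "param_attack": login_parameterized(conn, "alice", attack),
    }
    try:
        untaint_name(attack)
        results["untaint_rejected"] = False
    except ValueError:
        results["untaint_rejected"] = True
    results["untaint_ok"] = untaint_name("alice")
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the attack string as the password, the interpolated query matches every row (both alice and bob come back, with no valid password), while the parameterized query returns nothing and the untaint step refuses the input before it reaches the database at all. The allow-list pattern is deliberately strict; loosening it is where taint-style checks usually go wrong.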