[AntiVirus + Ubuntu] was - Re: And another Ubuntu convert!

Mario Vukelic mario.vukelic at dantian.org
Thu Jan 22 08:20:51 UTC 2009


NoOp, with all due respect, but ...

On Wed, 2009-01-21 at 20:50 -0800, NoOp wrote:
> Perhaps you fail to take into consideration the environment(s)?

I don't know what you mean. I should maybe specify that I'm only talking
about AV on desktops. Servers that serve for Windows clients should of
course scan.

> https://help.ubuntu.com/community/Antivirus

So? 

"However, there are many reasons you might want a virus scanner on your
Linux PC: 

      * to scan a Windows drive in your PC 
      * to scan Windows machines over a network 
      * to scan files you are going to send to other people 
      * to scan e-mail you are going to forward to other people 
      * some Windows viruses can run with Wine. 
      * Linux virus infections are theoretically possible"

Note: they don't say that one of the reasons was to protect the linux
machine from a real threat.

> Even in a simple dual-boot environment it is a good idea to at least be
> aware of AV tools, and actually use them.

The discussion was not, to my knowledge, about whether linux can serve
as a protection and diagnosis tool for Windows. Of course it can.

I am just opposed to wasting effort, cycles and whatnot to scan for
something that does not exist, namely malware that is a threat to linux
desktop users.

> Further, making statements such as "no known viruses exist in the wild"
> for linux is just plain silly, but I think you already know that.
>   Malware, rootkits, trojans, vulnerabilities et al *do* exist for linux
> - particularly servers, and will increase as desktop versions become
> more popular.

Well, these claims would be more credible if they were supported, for
once, by links that demonstrate a threat. Links that look scary but fail
to impress if one actually reads the contents do not count. I am still
waiting.

> One could ignore the fact that many botnets are linux machines with ELF
> backdoor viruses with Linux/Rst-B for example, 

[citation needed]

> but these seem to be
> pretty real:
> 
> http://ubuntuforums.org/showthread.php?t=224805
> [my server just got hacked by the LINUX/Rst.B virus!]

Oh come on. Did you READ the page? This is TOTALLY inconclusive.

As for Rst.B itself, see
http://www.symantec.com/security_response/writeup.jsp?docid=2004-052312-2729-99&tabid=2

The Symantec page is from 1991, the risk level is "Risk Level 1: Very
Low". And if you read the technical details you will find that the virus
never had a real way to propagate.

See, this is what I mean. A link or list that says "linux virus!" always
looks scary, but for christ's sake, dig up something substantial to
support your case.

> <http://www.shandyking.com/2006/04/20/linux-exploit-linuxrstb-my-server-was-just-hacked/>

This guy is talking about a crack executed by a human. I stopped reading
right there in the first sentence, because this has NOTHING to do with
AV. Show me the Windows AV product that even claims to help against
manual cracking attempts.

> And perhaps you missed the Mozilla security announcement:
> http://www-archive.mozilla.org/security/older-alerts.html
> <quote>
> Security Advisory (September 21, 2005) The Mozilla Foundation is aware
> of the Linux.RST.b virus that infected Linux Korean contributed versions
> of Mozilla Suite 1.7.6 and Thunderbird 1.0.2, as reported by Kaspersky
> Lab. No versions of Mozilla Firefox were infected. Infected files have
> been removed from the Mozilla ftp mirror network as of September 17.
> </quote>

The binaries were infected on the download server with human
involvement.  I don't know if this person had a key to sign them, but
whatever the case: if someone can put trojans into your repo, you are
dead anyway, AV or not.
It's not as if the "virus" actually propagated and people got infected
that way.

> And more recently:
> http://www.viruslist.com/en/viruses/encyclopedia?virusid=21703
> [Virus.Linux.Alaeda]

*Very* little info there, and I could hardly find any on other AV sites.
McAfee writes "Virus Discovered : 11/05/2003,Risk: Low"

> ClamAV is pretty well respected in linux circles:

Yeah, as a tool to help Windows users.
> 
> I reckon that ClamAV would have folded up shop long ago were there not
> reasons for their existence.

They are valuable to run ClamAV on mail servers

'Nuff said on this




