Some thoughts about anti-virus software for Linux

Florian Diesch diesch at spamfence.net
Sat Jan 24 01:07:44 UTC 2009


Mario Vukelic <mario.vukelic at dantian.org> wrote:

> On Fri, 2009-01-23 at 17:24 +0100, Florian Diesch wrote:
>> During the installation some scripts are run as root.
>
> Certainly
>
>>  An attacker
>> could use these scripts to compromise your system if he can make you
>> install a compromised package.
>
> True, but if you install from compromised media and/or run untrusted
> software with root privileges no anti-malware software can save you.

In theory an anti-malware program could check the package scripts
for unusual or potentially dangerous code and warn you. In practice
this would need a lot of work and could still be circumvented by a
competent attacker.

An IDS could give you some hints that something is wrong, but it depends
on your knowledge to decide if there's a real attack going on. And it
needs some kind of shelter against tampering, e.g. by using AppArmor,
SELinux or similar, so an attacker could not just switch off
the IDS or modify its configuration, and a secure way to notify you,
e.g. by using a printer to log messages.



>> Therefore it's important to use only trustworthy repositories and be
>> careful if a package's signature can't be verified.
>
> Very much so. And check your installation ISOs' md5sums. (Question: are
> Ubuntu iso files GPG signed like the packages in the repos? They should
> be)

There are MD5SUMS and MD5SUMS.gpg files, but of course you have to
check them manually.


>> -----------------------------------------------------------------------
>> **  Hi! I'm a signature virus! Copy me into your signature, please!  **
>> -----------------------------------------------------------------------
>
> How fitting. Quick, fire the AV scanners! ;)

This poor little virus asked politely for some help and all you can
think about is killing it?!!? Shame on you!!!  ;-)



   Florian
-- 
<http://www.florian-diesch.de/>
-----------------------------------------------------------------------
**  Hi! I'm a signature virus! Copy me into your signature, please!  **
-----------------------------------------------------------------------
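
The manual check of MD5SUMS and MD5SUMS.gpg mentioned in the message above, as an added example that is not part of the original post. The function names are made up here, and the fingerprint argument is a placeholder for the signing key fingerprint you obtained out of band (its public key is assumed to be in your gpg keyring already).

```shell
# Added example: verify one ISO against a signed MD5SUMS file, failing
# closed at every step. Assumes file names without whitespace.

# listed_sum_ok DIR ISO: succeed only if ISO is listed in DIR/MD5SUMS
# and the file's MD5 matches the listed value.
listed_sum_ok() {
    dir=$1 iso=$2
    # Lines look like "<md5> *<filename>"; match the file name exactly,
    # so a similarly named entry cannot stand in for the one we want.
    line=$(awk -v f="$iso" '{ n = $2; sub(/^\*/, "", n); if (n == f) print }' "$dir/MD5SUMS")
    [ -n "$line" ] || { echo "$iso: not listed in MD5SUMS" >&2; return 1; }
    (cd "$dir" && printf '%s\n' "$line" | md5sum -c - >/dev/null 2>&1)
}

# signature_ok DIR FPR: succeed only if DIR/MD5SUMS.gpg is a valid detached
# signature over DIR/MD5SUMS made by the key with fingerprint FPR
# (uppercase hex, no spaces). A good signature from any other key fails.
signature_ok() {
    dir=$1 fpr=$2
    [ -n "$fpr" ] || return 1
    status=$(gpg --batch --status-fd 1 --verify "$dir/MD5SUMS.gpg" "$dir/MD5SUMS" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q "^\[GNUPG:] VALIDSIG $fpr "
}

# verify_iso DIR ISO FPR: the signature is checked first, because the
# checksums are only worth comparing once MD5SUMS itself is authenticated.
verify_iso() {
    dir=$1 iso=$2 fpr=$3
    signature_ok "$dir" "$fpr" || { echo "MD5SUMS signature not verified" >&2; return 1; }
    listed_sum_ok "$dir" "$iso" || { echo "$iso: checksum mismatch" >&2; return 1; }
    echo "$iso: OK"
}
```

Call it as `verify_iso <download-dir> <iso-name> <expected-fingerprint>`; a nonzero exit status means the image should not be used.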




More information about the ubuntu-users mailing list