[AntiVirus + Ubuntu] was - Re: And another Ubuntu convert!

Bart Silverstrim bsilver at chrononomicon.com
Sat Jan 24 21:19:44 UTC 2009

Mario Vukelic wrote:
> On Fri, 2009-01-23 at 17:40 -0500, Bart Silverstrim wrote:
>> When discussing viruses....I don't bother even pretending people are 
>> talking about viruses. When's the last time people have seen viruses? 
>> *Real* computer viruses? They disappeared years ago...infecting other 
>> executable files, showing off clever little skills from kids with too 
>> much time...if it's self-propagating it's probably a worm. And what 
>> people download in drive-by-browsings are trojans or...well, all of this 
>> falls under the umbrella of malware.
> Probably a safe assumption, but I'd like to think that people mean virus
> when they write "virus", I hate it when useful distinctions degenerate
> just because people are sloppy. Sometimes I even take them literally out
> of spite :)

Only useful if they are clued enough to catch that you're doing it. Most 
are not.

I've supported far too many people to think that people mean what they 
say if they don't dream of electric sheep.

> In this case, however, ClamAV was repeatedly suggested as a scanner, so
> I'd hope I am safe to assume that people are talking about email
> scanners. That's what ClamAV does, preventing intrusions via ssh is out
> of its scope.

That's what it does, but it is also catching phishing attacks and 
probably some others now. It's not an antivirus. It's a malware scanner, 
and there was a debate awhile back on its own list about how 
appropriate it was for Clam to start protecting people from themselves 
regarding social attacks and stuff of that nature.

> <snip>
>> If you're wondering about the "BE an infection vector", check out
>> http://www.net-security.org/article.php?id=162
> It's noteworthy that the headline (as well as the content) is about
> "exploiting design flaws in the Win32 API for privilege escalation". So,
> the proper remedy is not to install flawed (as you nicely summarized)
> anti-malware software -- I think that Windows demonstrated well enough
> where this leads. It seems to me, and I wrote that all along, that the
> remedy is to fix the design flaws in the API (and didn't Vista actually
> do this, at least in part, with the UAC window?)

Yes, true enough; I assumed that the gist is applicable. The reason the 
attack worked was because like a mail server, the application...in this 
case the antivirus...needed system privileges to work, and interacted 
with userspace. Crack that door open and you gain access to 
*everything*. Linux *used* to have a lot of things with limited 
separation of privileges. Part of the reason this slowly changed is due 
to that exploitation vector.

The paper was about sloppy architecture in the Win32 API, and it was 
largely due to backwards compatibility with old mistakes.

Regardless of that basic flaw...running something of high privilege with 
interaction potentially accessible to a user process so it could, 
potentially, be cracked and exploited,...is in just about every OS I 
know of meant to have multi-user or different privilege levels of 

> <snip>
>> You can restore them if that happens. Can't do that with stolen hard 
>> drives without getting a new drive, and other people have your stuff!
> I just mentioned it because some people on the "AV or not" threads
> always keep saying, "but even despite privilege separation a virus can
> still delete the user's files" (to which of course the answer is - I
> already said that somewhere - that without a backup you are toast sooner
> or later, anyway)

Indeed. The difference in my reply is that I'd rather my stuff get 
deleted and restored than stolen by someone else for their own purposes 
and still restored on my own computer :-)

More information about the ubuntu-users mailing list
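The pattern Bart alludes to above (a service such as a mail server or scanner that needs root only for setup, and should not keep it while talking to user-controlled input) is the usual Unix remedy for the "privileged process reachable from userspace" problem. The following is an added example written for this page, not code from the thread or from any project discussed in it. It assumes a Linux/BSD-style libc; the target account is a hypothetical dedicated service user, and uid/gid 65534 ("nobody" on many systems) is only a fallback for demonstration. The key point is the verification step: after setgid/setuid it checks that root really is unreachable instead of trusting the calls.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process can still become root (the drop did not stick),
   0 if it cannot. Trying setuid(0) is the honest test: it only succeeds when
   the saved set-user-id is still 0. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;                 /* still root: nothing was dropped */
    if (setuid(0) == 0)
        return 1;                 /* saved uid was still 0: drop was reversible */
    return 0;                     /* EPERM: root is unreachable from here */
}

/* Permanently drop to uid/gid. Returns 0 on success, -1 on failure.
   Order matters: supplementary groups, then gid, then uid, because once the
   uid is unprivileged the earlier steps are no longer permitted. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs root; a process that never had root
       has no inherited privileged groups to clear, so skip it there. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }

    /* Verify rather than trust: real and effective ids must match the target,
       and root must be unreachable (catches a drop that left saved uid 0). */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (can_regain_root())
        return -1;
    return 0;
}

int main(void)
{
    /* Assumption for the demo: drop to our own ids when already unprivileged,
       or to 65534 ("nobody" on many systems) when started as root. A real
       daemon would use a dedicated service account looked up with getpwnam(). */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) { uid = 65534; gid = 65534; }

    /* Privileged setup (bind a low port, open the mail spool) belongs here,
       before the drop; everything that parses untrusted input comes after. */
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    printf("running as uid=%u gid=%u, root unreachable\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root to see the drop to 65534; run it as a normal user and it simply confirms that root cannot be regained. The same structure (privileged setup, irreversible drop, verification) is what separates a daemon that merely "runs as root" from one that keeps the root-only window as small as possible.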