Linux AV

Discussion in 'Linux / Unix Discussion' started by Ozzie, Oct 31, 2007.

  1. Ozzie

    Ozzie Nibble Poster

    I've just been reading an old thread about Linux AV/security. Here's the thread...

    http://www.certforums.co.uk/forums/thread12446.html

    A question for anyone that replied to that thread, or anyone that is a Linux expert. Would you buy goods online using your credit card, on a Linux system that has no AV/malware/spyware software? Or would you place such sensitive info on the net via a Linux machine?

    I'm just starting to learn about what's "under the hood" of Linux, but I wouldn't make the switch full time yet.
     
    WIP: CompTIA A+
  2. ffreeloader

    ffreeloader Terabyte Poster

    Absolutely. I buy stuff online all the time, and I do not run any kind of malware protection, AV protection, etc.... What's more, I am completely comfortable doing it too. I do get nervous though if I have to use a Windows client to do that because I'm away from home and don't have my laptop with me.

    When I first started using Linux I was convinced by my Windows experience that I had to have an AV product to protect my computer. No one could have convinced me it wasn't necessary. So, I installed ClamAV. It has a very good reputation, and is used on many large, enterprise level, email systems to protect Windows clients. I thought for sure it would have definitions for viruses that run on Linux. I spent more than 8 hours one day going through the virus definitions. It was the ONLY AV product that ran on Linux at the time. You know how many AV definitions there were for Linux viruses in the definitions database? 0. That's right. There were zip, nada, none at all. How big was its definition database? It had just as many definitions as Symantec's, McAfee's, etc.... It was huge. The definition count was in the tens of thousands. You could set it up to download AV definitions hourly, and it did a very good job of detecting Windows malware. It simply didn't have a single definition for a Linux virus that I could find, and I really searched.

    What did that tell me? It was a total waste of time to run an AV product on my Linux machines. My experience in the years that have followed has borne out the truth of that too. I mean, what good is AV software on a Linux machine when Windows viruses/worms/etc... won't run on Linux, and there are no Linux virus definitions? What's the point? I couldn't find one back then, and yet I'd been absolutely convinced I needed it. No one would have been able to talk me out of it. Yet I ended up proving to myself that it was a waste of time. It was a major eye opener for me.

    Since I've moved to the Linux desktop I've been affected by only one piece of malware. It would cause Firefox to go to some gay porn site every time I clicked on some link. I don't even remember what the link was now. You know what caused that? I was still running Win2K server as my dns server, and a cache poisoning vulnerability in it was what was affecting my desktop. Once I cleaned out my DNS server cache, my temporary internet files in Firefox, and the client dns cache on my workstation, the problem stopped. So, my only experience with malware on Linux in about 4 years has been a DNS vulnerability on a Windows machine.

    Not long after that I moved my dns server to Linux, and I've never had another cache poisoning problem.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  3. Ozzie

    Ozzie Nibble Poster

    That's a valuable insight into Linux. Thanks. You have a level of knowledge way, way beyond mine. But I could go on and say, for example: What if I was running Windows on Linux using WINE? I know this question might show that I don't understand Linux or the net fully, but this is a setup I'm going to try (I just don't have enough PCs you know). You don't need to answer that question about WINE btw. Cheers.
     
    WIP: CompTIA A+
  4. ffreeloader

    ffreeloader Terabyte Poster

    Well, you won't run Windows, per se, in Wine. You can run some, but not all, Windows programs under Wine. Are you wanting to run IE under Wine? Is that what you're getting around to?

    I'm no real Wine expert. I've played with it a few times, but do not use it on a regular basis. From what I know of it, I'd say most malware for Windows would have a hard time existing on it because only a very limited registry is available, and only a very few .dlls are present. Only those required for whatever software you have manually installed. Even then, Wine isn't something that runs in the background all the time. It's started and stopped whenever you start or stop the Windows program. They are actually called together.

    Now, just because that Windows program is running under the emulator doesn't mean it has access to the rest of your system. When you set up Wine you set up a directory for it to run in (I used c_drive) and create subdirectories such as C:\, C:\Windows, C:\Program Files, etc... Those may not be the real names you create; I just remember having to create a subdirectory path resembling a small snapshot of a Windows file system using the Windows naming convention. The Windows programs don't know the rest of the file system on the Linux machine even exists. They run in their own little subworld inside the directory you create (c_drive) in your home directory and have no knowledge of the host system.

    They also don't run with root privileges. They run with the privileges of the user who starts the program and Wine. Just because the program might have had admin privileges on Windows doesn't mean it has root privileges when run under Wine in Linux. So, if something did happen, the damage would be pretty much contained to the directory you create for Windows programs to run in.

    Whether it's possible for a hacker to break out of that sandbox into and through Wine, I don't know. I'd say the possibility that malware exists out there in the wild that is specifically designed to attack Linux through Windows software under Wine is extremely slim. I don't think it's something I would worry about too much. There has to be a ton of lower hanging fruit than that out there for attackers to take advantage of. What's the chance of the attacker running across a system running IE under Wine? The odds have to be very, very low. Why would anyone run IE under Wine to do general web surfing? I can see someone using it to access some site that is a must have for them that will not work with anything but IE, but not just to surf. That doesn't make sense to me.

    I don't know whether that helps or hurts, but it's what I do know and understand about Wine.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  5. Ozzie

    Ozzie Nibble Poster

    Sorry, I'm giving you the wrong info. I would like to run Windows itself from within/on top of Linux using either Win4Lin or VMware, for testing and studying (not WINE, which I now realize has a different purpose). I think this would be a handy set up. It's not a priority though, which is why I know little about it.

    I see what you're saying about Windows malware having a hard time existing in WINE. You have enlightened my understanding considerably. So I suppose what I am saying is if Windows is running within/on top of Linux, would you either:

    i. Install malware protection onto Linux?

    or

    ii. Install malware protection onto Windows which is running within/on top (not sure which, on top I guess) of Linux?

    This is assuming that such a setup would attract malware and allow it to exist on said system.
     
    WIP: CompTIA A+
  6. ffreeloader

    ffreeloader Terabyte Poster

    If you're going to run a vm you would just run any AV directly inside the vm on Windows. As to Win4Lin, I know absolutely nothing about it. I've seen the name a time or two, but that's it.

    As to whether or not Windows malware inside a vm could harm the host OS? I'm not positive about that. It seems that I've read it is theoretically possible for an attacker to break out of a vm and into a host OS. However, I think you're talking about someone that would have to have cracking skills far and away above the average cracker--and by that I don't mean script kiddies--and that most malware wouldn't have that capability. Would an attacker be good enough to know he was residing in a VM? Most would with a little inspection. Would he then think that this was a high enough value target to take the time to break out of the VM? Who knows. He'd probably do a fair amount of research before putting that amount of effort into it though.

    Whether or not an AV would be worth running, I don't know. It would depend on how much you use the virtual machine, what you use it for, how much data you save in it, if the data is of real value to you, etc.... In VMWare you can just take a snapshot of your VM when you first install it and get it set up. Then if the install gets hosed you just revert back to your initial snapshot, and you're good to go. You lose anything you have saved that you didn't back up, but you don't have to reinstall anything either.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  7. Ozzie

    Ozzie Nibble Poster

    Well, I'm wondering if any data travelling to/from the pc would have to pass through the host OS in order to get to the guest OS, and vice versa. Or does the VM somehow bypass the host OS? The answer to this would in turn indicate where to install security software.
     
    WIP: CompTIA A+
  8. ffreeloader

    ffreeloader Terabyte Poster

    To my understanding, what enters the vm doesn't pass through the host OS. It's completely possible to give the vm its own connection to the nic. VMWare actually provides a virtual hardware setup for the guest os to install to.

    The real expert on VMware around here isn't me. It's Phoenix. He works with it for a living, so any real detailed info on how vm's, and vmware works would be best answered by him. He's the one that knows it inside and out.

    I don't mind answering your questions, I'm just getting a little out of my depth of understanding about vmware and vm's at this level. I've set a few up, done some reading, and had to troubleshoot a few problems, but other than that I'm pretty limited in this area.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  9. Ozzie

    Ozzie Nibble Poster

    This is certainly beyond what I know, ffreeloader. Thanks for taking the time to discuss this with me.
     
    WIP: CompTIA A+