Page 2 of 3
Results 11 to 20 of 24

Thread: The Issue of Anti-Virus Scanners

  1. #11
    Join Date
    Sep 2011
    Location
    Pennsylvania, U.S.A.
    Beans
    1,880
    Distro
    Ubuntu Development Release

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Chayak View Post
    ...................................
    And no, Android malware is no threat to mainstream linux because it's all Dalvik based so unless you go installing a Dalvik VM on your machine by some means and I'm not even sure that would work properly.
    Thank you. I'm quite ignorant about this sort of thing.

  2. #12
    Join Date
    Feb 2010
    Location
    QLD, Australia
    Beans
    479
    Distro
    Kubuntu 12.04 Precise Pangolin

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Chayak View Post
    I used to analyze malware for a living before being promoted to solutions engineering, so I have a decent perspective on the question.

    The truth about all Anti-Virus programs is they don't detect new threats. I'll lump them all into the term AV for brevity.
    I have a few hundred out of 4TB of malware samples that are not detected by any vendor's AV. It's a fact of life. AV software signatures only detect samples that have been in circulation for a bit or are widespread enough to become a priority. The most dangerous malware is the kind you never know you have, and it can be months, if ever, before a signature is produced.

    As to not being an idiot on the web, you can get malware from anywhere. A script inserted into an ad can exploit your browser and inject a malicious payload. Many people assume only porn and shady sites are a risk, but you're more likely to get malware from religion-based sites. It's easy to get malware. There's a reason why malware analysts tend to work in virtual machines. There's a huge number of computers running AV software infected with malware, and there are zero signs operationally until you forensically examine the system for it. The malware isn't detected because it doesn't draw attention to itself, hence no analysts have spared time to look at it and make signatures.

    There's a reason most malware analysts become rather paranoid and end up using Linux or Macs. Yes, I know malware isn't unknown on those platforms, but compared to Windows the number of malware threats combined is far less than .01%.

    But as for Linux, as long as you're not running an SSH server on a system with weak passwords, so a bruteforce bot doesn't infect your system, you're quite safe. There's a reason most malware labs run on Linux and just use Windows virtual machines for analysis. The system I use to archive all the samples is running Ubuntu Server.

    The AV available for Linux is crap anyway. If you're concerned with Windows malware, then run a good Windows AV like Kaspersky on a Windows machine.

    And no, Android malware is no threat to mainstream linux because it's all Dalvik based so unless you go installing a Dalvik VM on your machine by some means and I'm not even sure that would work properly.
    Thanks for your input Chayak, your knowledge and experience are appreciated in this discussion. I do have a couple of questions for you though, if you're still following this thread.

    If a lot of viruses/malware are unknown and go undetected by the scanners, does that mean that they can't be cleaned until the AV companies have picked up on them?

    What is the point of the silent malware that shows no sign of harm to the computer? Is it spyware, or is it just slowly breaking the system down behind the scenes?

    I ask as I'm a computer tech, and a lot of the work I get is removing viruses/malware from infected systems.

    For those that mentioned web browsing as being part of the cause, that's why I recommend that people use browser addons such as AdBlockPlus and WOT. These won't completely stop an infection, but they are just another line of defence for novice users.
    Ubuntu 12.04
    “To mess up a Linux box, you need to work at it; to mess up your Windows
    box, you just need to work on it”.
    TrinhamTechnologies.com.au

  3. #13
    Join Date
    Nov 2013
    Beans
    401

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Jonny87 View Post
    If a lot of viruses/malware are unknown and go undetected by the scanners, does that mean that they can't be cleaned until the AV companies have picked up on them?
    I'm sure Chayak can and will answer your questions. I can offer you this: all AV does is look at the hashes of the files on your system. It compares your hashes with all the bad hashes it knows about. The reason that's so limited is because you can very easily change the hash of a file by changing a few lines in the code. For instance, a malware executable might hard-code a call out to evildomain.com. That gets hashed by an AV vendor. Then the malware author changes the domain to superevil.com. Totally different hashes. That's over-simplistic, but you get the idea. It's fairly easy for the bad guy to use the same malware by modifying it to create dozens/hundreds of new hashes. It takes AV vendors a lot of work to analyze and hash every single variant of that malware.

    Personally, I'm not a fan of "cleaning" malware. Because AV is so bad at detecting all malware, it's quite hard to be certain that you've removed every single malicious thing without an intensive and time-consuming forensic investigation. Ain't nobody got time for that. I find it hard to justify anything other than reimaging.
    I've been using vi for years, mostly because I can't figure out how to exit.
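    The hash-versus-signature point made in the post above (and Chayak's later remark that rearranging code defeats signatures) can be seen concretely in the following constructed example; it is added here and is not code from the thread. The two "samples", the domain names, and the byte-pattern rule are all made up for illustration.

```python
import hashlib
import re

# Constructed stand-ins for two variants of one executable: the only
# difference is the hard-coded callback domain, as described in the post.
_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
_LOADER = b"\x90" * 32 + b"stage2-loader-v1\x00"
SAMPLE_A = _HEADER + b"connect-back: evildomain.com\x00" + _LOADER
SAMPLE_B = SAMPLE_A.replace(b"evildomain.com", b"superevil.com")
BENIGN = _HEADER + b"hello world\x00"


def sha256_hex(data: bytes) -> str:
    """Whole-file digest: any single byte change gives a new value."""
    return hashlib.sha256(data).hexdigest()


# A hash blocklist only knows the exact files a vendor has already seen.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_A)}


def hash_match(data: bytes) -> bool:
    return sha256_hex(data) in KNOWN_BAD_HASHES


# A byte-pattern rule (simplified YARA-style matching, written here for
# illustration) keys on bytes that stay constant across variants: the
# "connect-back:" label and the loader marker, with the domain wildcarded.
PATTERN = re.compile(
    rb"connect-back: [a-z0-9.-]+\x00.{16,64}stage2-loader-v1\x00", re.DOTALL
)


def pattern_match(data: bytes) -> bool:
    return data.startswith(b"\x7fELF") and PATTERN.search(data) is not None


def scan(data: bytes) -> dict:
    """Report what each detection method says about one file."""
    return {"hash": hash_match(data), "pattern": pattern_match(data)}


if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("benign", BENIGN)):
        print(name, sha256_hex(blob)[:16], scan(blob))
```

    Variant B slips past the hash lookup but is still caught by the pattern rule, which is why vendors maintain signatures on invariant code rather than relying on digests alone; the pattern rule, in turn, is what a rewritten or polymorphic variant aims to break.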

  4. #14
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by kurt18947 View Post
    Unmentioned (..) is a more savvy user base.
    One portion of Linux users aren't aware they're using Linux. More importantly, if you look at the amount of spam, malware hosting and scanning that comes from compromised machines at resellers and large hosting providers like Rackspace, 1AND1, OVH, Hetzner, you'll find a large portion of Linux users is drawn to Linux by its (perceived) cost. They aren't savvy at all. Worse, they're not even remotely interested. And unless you want to focus purely on the part of the on-line community that are seasoned Netizens, you'll find social engineering attacks have to do with gullibility and greed. So that can happen to anyone susceptible enough. The OS really plays no role in that.

  5. #15
    Join Date
    Nov 2005
    Location
    Nashville, TN
    Beans
    437
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Jonny87 View Post
    Thanks for your input Chayak, your knowledge and experience are appreciated in this discussion. I do have a couple of questions for you though, if you're still following this thread.

    If a lot of viruses/malware are unknown and go undetected by the scanners, does that mean that they can't be cleaned until the AV companies have picked up on them?

    What is the point of the silent malware that shows no sign of harm to the computer? Is it spyware, or is it just slowly breaking the system down behind the scenes?

    I ask as I'm a computer tech, and a lot of the work I get is removing viruses/malware from infected systems.

    For those that mentioned web browsing as being part of the cause, that's why I recommend that people use browser addons such as AdBlockPlus and WOT. These won't completely stop an infection, but they are just another line of defence for novice users.
    AV can't delete malware it doesn't detect.

    Some of the worst kinds of malware are the ones that sit quietly and collect information. Most modern malware is about money, so it wants credit card numbers, industrial secrets, or anything that might be of value. The more aggressive malware such as CryptoLocker holds your files for ransom and punishes you if you fail to pay.

    There are all kinds of malware. You can have the amateur-hour script-driven brute force bots, or you can have examples that implement their own network stack to be invisible to any network tool on the infected system. I've seen stuff that will also write itself out to firmware and hide; then, as it was built modularly, it can quietly pull in extra functionality when needed.

    If a piece of malware is detected, it's trivial to rearrange the code so the signatures will no longer detect it. Polymorphic malware will do this itself, sometimes actively while running, to keep itself hidden.

    Malware is getting so difficult to remove that it's best even for the experts to wipe the system and reinstall. That is, of course, if you haven't gotten a really sophisticated one that writes itself out to hardware firmware and then pulls stuff back in as soon as the operating system will support it. That's pretty rare and normally smells of state-sponsored items, but it does exist.
    Last edited by Chayak; June 9th, 2014 at 08:30 PM.
    -Chayak

  6. #16
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Chayak View Post
    But as for Linux, as long as you're not running an SSH server on a system with weak passwords, so a bruteforce bot doesn't infect your system, you're quite safe.
    That may be the case for amateur machines safely tucked away behind non-port-forwarding CPE (also, saying "weak passwords" suggests somebody here isn't adhering to SSH best practices like using only pubkey auth...), but it definitely is not enough for the rest of the 'net. There are more precautions to take. If you don't get that, see recent major compromises involving Linux. Definitely not SSH alone.

  7. #17
    Join Date
    Nov 2005
    Location
    Nashville, TN
    Beans
    437
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by unspawn View Post
    That may be the case for amateur machines safely tucked away behind non-port-forwarding CPE (also, saying "weak passwords" suggests somebody here isn't adhering to SSH best practices like using only pubkey auth...), but it definitely is not enough for the rest of the 'net. There are more precautions to take. If you don't get that, see recent major compromises involving Linux. Definitely not SSH alone.
    Yes, but not everyone is technically savvy enough with Linux to configure things. The number one reason Linux systems are compromised is weak passwords on SSH and FTP. The easiest thing that any user can do, other than not running SSH/FTP, to improve their security is to use strong passwords. Security isn't absolutes; it's just about raising the bar. I guarantee most users on this forum aren't using strong passwords in general, not just on their systems. Once they get past step one they can read the stickies and raise the bar higher as they learn. Number two, which is a no-brainer, is updates.

    It's constantly the top remediation item when I submit reports on network assessments. When they get past keeping computers updated and using strong passwords, then I'll start preaching best practices for SSH and exploits. Internet-facing servers are a whole different animal, as you know, and a very deep subject.
    -Chayak

  8. #18
    Join Date
    Oct 2007
    Location
    Yaffo
    Beans
    86
    Distro
    Ubuntu Studio

    Thumbs up Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by Jonny87 View Post
    I will start by stating that I am not a novice user of Linux, and so this is not a direct question of naivety from someone that doesn't understand Linux. I have never really run my Linux systems with a virus scanner, as I have always been of the belief that Linux doesn't need it, unless it's to scan files that could potentially infect a Windows computer.

    Though I'm wondering what other users think of this claim from Comodo regarding their Anti-Virus for Linux:

    http://www.comodo.com/home/internet-....comodo.com%2F
    Under "Frequent Questions"

    I'm interested to know the opinions of other seasoned Linux admins and users out there. Is there any truth in it, perhaps? Has the world of Linux taken a turn toward viruses? Or is Comodo just trying to scaremonger people in the Linux market into using their product?

    For the record, just out of curiosity, I have downloaded it and am trying it just to see if it's any good anyway.
    These days Anti-Virus is needed.
    For a simple solution in Ubuntu I use ClamAV with the clamtk interface.

    try them
    Uncle Sam

  9. #19
    Join Date
    Aug 2013
    Beans
    13

    Re: The Issue of Anti-Virus Scanners

    Quote Originally Posted by sam-c View Post
    These days Anti-Virus is needed.
    For a simple solution in Ubuntu I use ClamAV with the clamtk interface.

    try them
    Uncle Sam
    I have been running Linux since Ubuntu 6.10 back in 2006. Not once have I had an AV installed on my systems.

    At the end of the day, when the talk is about security, it all comes down to the users being too lazy to develop their own skills and knowledge to keep themselves safe on the Internet. Pure bad habit from their days on Windows.

    It is no art just to sit back after installing an AV scanner, then blame the scanner when the fool finds out that the scanner can't keep him/her safe from malicious software. Nor is it fruitful to cry out on the forums claiming bad advice.

    Many a user will, sadly, experience malware on their system simply because they didn't take the subject seriously when experienced users told them to use strong passwords, strong encryption on their system and so on. Being an "expert" on the Windows platform is worth nothing on the Linux platform; one will still be a novice in numerous areas of the OS. Having used Linux for eight years does not make me an expert, far from it.

    Your best friend on Linux, and in the use thereof, is your desire to learn more. No matter what OS you use, it will be a never-ending learning process. No one will ever know everything there is to know about his/her OS. Admitting that will make you a bit safer in your use of it.

  10. #20
    Join Date
    Feb 2010
    Location
    WI USA
    Beans
    10,030
    Distro
    Ubuntu Development Release

    Re: The Issue of Anti-Virus Scanners

    Moved to Recurring Discussions
    Infinite diversity in infinite combination.

    Ubuntu Documentation Search: Popular Pages
    Ubuntu: Security Basics
    Ubuntu: Manual
