LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - General (http://www.linuxquestions.org/questions/linux-general-1/)
-   -   (Not a question) Anti-virus can be useful on Linux. (http://www.linuxquestions.org/questions/linux-general-1/not-a-question-anti-virus-can-be-useful-on-linux-861283/)

DaneM 02-07-2011 08:25 PM

(Not a question) Anti-virus can be useful on Linux.
 
Fair warning: while I do intend for this thread to be informative and/or useful, it is a bit of a rant.

I'm posting this on the General topic, since those who read the Security topic likely already know this.

Linux is not in any way "magically immune" to malware...and by "magically immune," I mean "not immune by design or implementation."

I wouldn't bother writing about this (since it's likely to be mistaken for a troll) if I hadn't seen so many threads asking about antivirus software on Linux get answers like:

Quote:

YOU DON"T NEEED ANTIVIRUS ON LINUUUUUXXXXX!!!!!11!11!one
:doh:

The fact of the matter is that there are good uses for Linux anti-virus programs, both to ensure that you don't infect Windows (or other non-Linux-OS) systems accidentally (whether by sharing infected files, or by being compromised, yourself and spamming them to unsuspecting users, etc.), and because there absolutely ARE security exploites that work on Linux--even in virus form. Here is an article about this that I saw today:

http://nakedsecurity.sophos.com/2011...e-linux-users/

And another one:

http://en.wikipedia.org/wiki/Linux_malware

I don't claim to be an expert on computer security (although I have done a lot of professional computer repair, including the removal of viruses), but I want those who think that Linux is bullet-proof (or close enough to it), and/or that it has absolutely no need for a good anti-virus system in any event to please keep your opinions to yourselves! People come to sites like LinuxQuestions.org for answers to questions, not for your opinions on why they shouldn't bother to ask such silly questions.

For example, even for those not worried about the security of their own systems, did you know that a good Linux anti-virus program can be quite effective in helping clean up a Windows machine when booted from a Live CD? In my experience, it's much more effective (although by no means a complete cleaning solution) than trying to clean viruses off of a running Windows machine. Sure, it can require a goot bit of RAM at times, but it's a lot better than seeing "Permission Denied" every time you try to remove an infected file.

Gladly, I haven't seen so many of these kinds of "silly question" posts lately, but in case you were thinking of writing one...please refrain! :)

Thanks.

frankbell 02-07-2011 09:05 PM

Just so you'll know you're not alone, I agree with you completely.

Linux certainly has a far more effective internal security model than Windows (in other news, a closed door is more effective than an open one), but it's not immune.

The main reason it's been safe is that it has such a small market share that the bad guys figure it hasn't really been worth their while to learn how to attack it. What one person builds another can crack.

It is wise to practice safe HEX.

It can't hurt and it might help.

DaneM 03-21-2011 11:58 PM

Thanks for the second, frankbell. I'm happy to see I'm not alone.

(Note: if I checked my mail more often I would have replied sooner.)

Have a good one, everybody.

--Dane

Telengard 03-22-2011 01:52 AM

I'm not against the idea of anti-virus software for Linux, I just don't have much use for it myself. Sure I have clamav installed but I almost never use it. Maybe some day that will change if there is ever a widespread outbreak of Linux malware in the wild, but I'm not aware of anything that would affect me right now.

I am pretty selective about what I install and how I configure it. I stick to my distro's repos whenever possible because I know all the packages are cryptographically signed and have had some level of review by the packagers. I only compile from source if I have a specific need to, and even then I check hashes to verify the origin of the code.

I don't install server daemons (SSH, FTP, etc.) unless I absolutely need them. If I need them, I secure them the best I can and use very strong passwords.

I don't run with root like some crazy people do. (Some folks tell me they enjoy browsing the web in Firefox as root.) My system provides sudo and I use it sparingly. If I wanted to be even more secure I could disallow my everyday account from using sudo and create a separate admin account for my administration only.

I'm behind a firewalled router, so I'm shielded from random port scans and other such garbage.

I use the NoScript addon in Firefox to block Javascript, Java, and Flash on the web. Even if there were an exploit for one of these which could affect Linux systems, I'd have to manually allow it to run before it got to me. I like having the opportunity to review and decide for myself.

I encrypt my super secret data in my KeePassX database with a really strong password.

Could someone craft a malware targeting Linux systems and have it become widespread? I think it is possible, but unlikely due to reasons already mentioned. Even if it happened (hypothetically) I think my measures have a good chance of protecting me.

I think Unix permissions provide a very strong defense for the system itself, although perhaps not a perfect and complete defense. It is the potential for application exploits that I think is a more serious concern.

A script on a web page would have a reallly hard time writing to files outside my home directory. If a script on a web page can exploit a flaw in Firefox, Flash, or Java however (such as the common and frequent code execution with privilege escalation) then maybe it could do some damage. At the very least the files in my home directory would be exposed to such a malware. (If it could then encrypt my home directory and demand ransom, I think I might cry for the rest of forever!)

I think many Linux users upgrade their systems with each new release. For Ubuntu users this means every six months or so. If you do a backup/wipe/install cycle with every release then you get a virgin system every time. The only files carried over from the old system are files you restore to your home directory from backup. Even if you somehow managed to get a virus, rootkit, or other malware it will be destroyed during the cycle. Of course if your old user configuration files for Firefox/Flash/Java were compromised in some way then they probably still are.

That's about all I can think of to contribute to the discussion for now, so I'll just close with this little anecdote.

When I first began using Windows 95 it took me less than a month to get the system so riddled with malware that it no longer functioned. I've now been using Linux systems on and off since before 2006, full time since 2009, and I have not yet encountered a piece of malware which negatively impacted my system. That doesn't mean it can't happen, but I hope the probability of such incidents will rapidly approach zero as I continue my study and learning.

Thanks for opening an interesting topic, and thanks for the opportunity to share what I've been thinking.
:)

Edit
Here's a nice read, intended for Ubuntu users but the concepts apply to other distros too:
http://ubuntuforums.org/showthread.php?t=510812

k3lt01 03-22-2011 04:46 AM

I love topics like this when people readily admit they are not experts yet say people should not ask silly questions. The only silly question is the one that isn't asked.

Let's actually go though this with an open mind as there are statements that have been made that, I think, are misguided.

1. "Linux has been safe because it has a small share market."

This is misleading and incorrect. If it wasn't for Unix/Linux we wouldn't have the internet. The majority of web servers around the planet are run on Linux. Governments around the world run there servers on Linux. If you are seriously going to try to take something out wouldn't you aspire to take out a high impact target. Disrupting peoples personal computers causes an issue for many people sure but disrupting entire governments can have an impact that any serious script kiddy would be proud of.

2. "The fact of the matter is that there are good uses for Linux anti-virus programs, both to ensure that you don't infect Windows (or other non-Linux-OS) systems accidentally (whether by sharing infected files, or by being compromised, yourself and spamming them to unsuspecting users, etc.), and because there absolutely ARE security exploites that work on Linux--even in virus form."

There are good uses for an AV system on a Linux machine but I'm not sure it is a Linux users responsibility to safe guard a Windows machine when the Windows owner hasn't taken adequate precautions to safe guard themselves. IF you run a web or file server then by all means install an AV but if you have a standalone Linux machine and you are careful with your security measures there is practically no need for you to install an AV on your Linux machine.

3. "in any event to please keep your opinions to yourselves! People come to sites like LinuxQuestions.org for answers to questions, not for your opinions on why they shouldn't bother to ask such silly questions."

"Gladly, I haven't seen so many of these kinds of "silly question" posts lately, but in case you were thinking of writing one...please refrain!"

In one sentence you're telling us to keep our opinions to ourselves when people ask questions, then you'r telling people not to ask the same questions. Security issues are full of opinions thats why we have open and closed source OSs. 1 type has security by obscurity while the other has security by being open. Both claim they are correct and that is based on peoples opinions. There are positives and negatives for both styles, if someone asks a question wouldn't it be remiss of us not to give both sides of the story.

4. "For example, even for those not worried about the security of their own systems, did you know that a good Linux anti-virus program can be quite effective in helping clean up a Windows machine when booted from a Live CD? In my experience, it's much more effective (although by no means a complete cleaning solution) than trying to clean viruses off of a running Windows machine. Sure, it can require a goot bit of RAM at times, but it's a lot better than seeing "Permission Denied" every time you try to remove an infected file."

Why should a Linux user with their own PC that is secure and unaffected carry around a LiveCD with an AV installed just so he/she can go and fix a Windows PC that the owner hasn't taken the necessary precautions? Aren't we trying to assist Linux users keep their own systems safe? Shouldn't the Windows user have enough sense to carry around their own Rescue CD? I think our time would be better spent teaching the Windows user the benefit of NOT using a system that needs multiple tools (such as an AV, Spybot, Firewall, Windows Update which brings in new vulnerabilities anyway, etc.)

This thread was obviously started with good intentions and I applaud that. However, not considering both sides of the discussion and contradicting yourself as you did in point 3 just helps to further the confusion that many people have when it comes to Linux. We would, as a community, be much better off having an open discussion and giving people a range of methods/tools to use to keep their PCs safe.

DaneM 04-13-2011 05:15 PM

Hi, k3t01. Thanks for replying.

I agree with most of the points you made, but I do think that several of the things I said were misinterpreted.

#2 has mostly to do with servers and file-sharing peers. If you don't run a server or use file sharing of any kind, or you don't share any of the types of things that can get infected, then this is pretty unimportant, and like you said, comes back to how safe your own use of your personal computer is. The main reason why this has been a concern for me is because often more than just simple text-like data gets shared in a home or office environment. People often download stuff and share it around. If you only download Linux software (from trusted sources), and don't share data files that can get infected (including Office documents--with macro viruses, etc.), then it's not an issue. If, like on most networks, there's a machine on it running Windows (or some other OS that occasionally/frequently gets exploited via downloads, documents, etc.), then it could be considered a courtesy to help ensure that your own Linux machine doesn't act as a way point for something that gets temporarily stored there--not necessarily required in such cases, but maybe a nice thing to do.

In #3, I was not trying to keep people from asking or answering questions to the best of their ability, and not even exactly saying that people shouldn't tell their opinions about whether Linux truly needs antivirus programs. I was more getting at the posts that answer a question about "what antivirus should I use?" with a statement like, "don't use one," without bothering to suggest that IF they do decide to, they might look here, or there, etc. The difference is between completely shooting down the question, as opposed to more politely suggesting that it may not be an issue. Of course, there are some good reasons why one might not need a Linux antivirus, and it's not wrong to say so; but if a person asks which one to use, the question asked deserves an answer. When I was referring to the "silly questsions" posts, I meant the answers to decent questions that tell the poster they shouldn't have asked.

#4 was with in relation to fixing Windows computers, for those who do such things. I've worked a long time as a computer technician, and almost all of my work involves fixing a Windows computer somehow. This is a very different scenario, in most ways, to simply running a desktop PC that may or may not need antivirus, but it relates to the topic of "which one to use" quite well.

Have a good day.

--Dane

frankbell 04-13-2011 09:31 PM

k3lt01, regarding your point number one:

The great majority of malware attacks these days are designed either to phish information or to establish botnets for propagating spam.

Servers are not useful targets for these purposes.

Attacks on servers are generally intended to gain access to information that resides on the servers (witness the attack on Google about a year ago--and Google runs on Linux).

The malware artists are hunting rabbits. Telling me that that there's a lot of *nix servers out there is all well and good, but the malware artists are hunting rabbits and you're talking about bears.

So I maintain that my comment about market share is valid. The issue is not absolute market share--it's market share among the target population. What matters is the number of the rabbits in the warren, not the number of bears in the cave.

Were Linux to gain even 20% of home market share, the big brains among the malware artists would start to pay attention. Because *nix security is inherently better, they would likely not have the success they've had with DOS/Windows, but a dollar to a doughnut the pace and intensity of attacks would increase.

By the way, the first computer virus was a Unix virus.

And I do agree that the *nix security model is a much stronger one, but strength is not immunity. The best way to protect immunity is to take due care.

jefro 04-13-2011 10:06 PM

I think you are confusing a simple virus to any type of data breach.

There is no secure OS. All are weak to some attack.

As above you can reduce by using as many best practices as you can.

Everyday we hear about servers getting hacked and data being stolen. They are not all Windows servers.

spazticclown 04-13-2011 10:14 PM

I just want to chime in that it is everyone's responsibility, as a community, to decrease or prevent malicious code, viruses, malware and even socially engineered scams from spreading. Liken it to the real world, just because you have a big fence around your house, your doors locked and barred and your windows (glass, not M$) secured you shouldn't be okay with someone walking into your neighbors' homes and taking all their belongings including that key you lent them to feed your dog does it? The average person reading this forum isn't going to have need for antivirus on their Linux computer at home and it isn't going to make a difference if they do. However every server that distributes publicly available data should have some form of malicious code checking and enhanced security.

By the way, to frankbell, the linked article notes that a boot sector virus for the Apple-II was dated a year before the Unix proof of concept. Also Creeper struck ARPAnet in the 70s and targeted Tenex systems.

k3lt01 04-13-2011 11:06 PM

Let me start by saying I agree with things that are said but, there are always buts aren't there, this thread is in Linux-General not Linux-Server. Even though I said Linux does have a fair market share due to the internet I still believe that it is not a general Linux users obligation to run an AV to keep other platforms malware free and most people who would post a question in Linux-General are just average users.

Now that is out he way, yes DameM I did misinterpret your post, sorry about that.

frankbell, I wont repeat everything spazticclown has said but I will go a little further and state that apart from cross-platform malware, of which no one is immune, there is no Linux specific malware out in the wild and the only ones that do exist are merely proof-of-concept exercises. MS and Mac both suffer from platform specific malware yet *nix doesn't (afaik).

chrism01 04-14-2011 12:22 AM

I believe rootkits are platform specific malware & I believe there are some for for Linux.
You may be right as far as Linux specific viruses go, although I thought I read somewhere at least one has been seen in the wild.

DaneM 04-14-2011 03:46 PM

I think that everyone who has posted has made some very good points.

My purpose in starting this thread (even in General, rather than Server) is to simply increase awareness that some people find AV useful on Linux. I agree that most Linux users don't really need AV, but at the same time, I don't think it hurts to use it without needing to. I have seen people responding to questions of "which is better" inappropriately, and I thought that a polite "stop that" thread would be good for the community here. I hope that I haven't set anybody off into an angry mindset by posting, as I really didn't mean to do such a thing.

spazticlown, I like your point about keeping malware (like other crime) down, as a community effort. I think that isolated strongholds amongst "soft target" neighbors are easier targets than are communities where the strong (or more security-conscious) help the weak (the security-illiterate) protect themselves. I see it something like putting a village with a trained militia in your keep, and sending out armed patrols, instead of relying solely on the soldiers assigned to the walls.

k3lt01, I think you've made some valid points about whether we actually *need* AV in many cases where AV is in use. Lots of Desktop users who think they need it actually don't, and I think it's quite fair to say so, as long as those responding to their questions are considerate to the possibility that they may want AV regardless, or that the response posters may not know the whole situation. From what I've seen lately, most people have been pretty reasonable about that, so I'm not trying to "call [anyone specific] to the table" for saying that someone doesn't need AV, based on the context given. I appreciate your input on this topic, and again, I think your points are valid.

crism01, I, too have seen reports of Linux malware in the wild, both rootkits or otherwise, and while I think that in most cases, keeping up with security patches and staying away from obvious trouble (that is, obvious for those who know to avoid suspicious web pages, etc.) is enough, extra precautions aren't generally a bad thing. Seems like once every year or two, somebody will find a *nix bug floating about that isn't just proof of concept. I don't know of many examples where this has led to much, but it's still worth taking note of for the purpose of stopping such possible threats from becoming a problem. AV when you probably don't need it won't usually hurt, and in some cases (such as where data is being shared) it seems warranted.

Anyway, thanks, all, for posting. Have a nice day.

--Dane

spazticclown 04-17-2011 07:29 PM

Quote:

I see it something like putting a village with a trained militia in your keep
Now I just want to play Age of Empires II.

DaneM 04-21-2011 06:41 AM

LOL, spazticclown! Man, it's been a while...


All times are GMT -5. The time now is 08:53 PM.