Linux - Security This forum is for all security related questions.

02-06-2003, 07:26 AM | #1 | Member (Registered: Dec 2002; Location: Gothenburg, Sweden; Distribution: Suse2.7, Mandrake 8, Redhat ?, Suse 8.2; Posts: 71)
test my virus protection
I have installed Sophos and everything seems fine, at least from the "news" I get from the config files. But how can I really test it? Are there any "nice and kind" viruses that I can try with? Or how do I know it works?
Thanks in advance

02-06-2003, 08:15 AM | #2 | Member, Original Poster
I have now made an "eicar file" and it works perfectly with my F-Secure on Windows, but from Sophos I do not get any reaction. Anyone with clues? Could it be a config problem, perhaps?

02-06-2003, 09:34 AM | #3 | Member, Original Poster
Finally.. I had made a configuration failure in one of my paths..

02-11-2003, 06:02 AM | #4 | Moderator (Registered: May 2001; Posts: 29,415)
If you haven't got access to viruses, worms and malware already I'm sure if you d/l selected stuff from say a Packetstorm mirror you'll find lotsa stuff to test it with.

02-12-2003, 01:23 AM | #5 | Member, Original Poster
UnSpawn, the thing is I do not want a REAL virus (I sit at my work doing these tests) but a file that the virus protection software thinks is a virus. I have now found one.. thanks..

02-13-2003, 07:18 AM | #6 | Moderator
Anything interesting besides std EICAR stuff?
I'm asking cuz EICAR detection could as well be done tru hardcoded string in the binary if a vendor sees fit, I can't compare it to working with "in the wild" samples. And IMHO working with viruses isn't that difficult if you take precautions...
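The test the original poster did by hand in #2 and #3 (drop an EICAR file somewhere and see whether the scanner reacts) can be scripted, which also makes the point raised in #6 concrete: a hit on EICAR proves the scanner is wired into the path being scanned, nothing more. The harness below is an added example, not code from this thread or from Sophos; it writes the published EICAR test string in three container forms and runs whatever scanner command you give it on each. The scanner name (`savscan`) and the "infected" exit code in the `__main__` block are assumptions, so check your product's manual for the real values.

```python
"""EICAR smoke test for an on-demand scanner (added example, not from the thread)."""
import subprocess
import tempfile
import zipfile
from pathlib import Path

# The published EICAR test string: 68 printable ASCII bytes, harmless by design.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_eicar_samples(directory: Path) -> dict[str, Path]:
    """Write the test string in three forms and return {name: path}."""
    samples = {}
    plain = directory / "eicar.com"
    plain.write_bytes(EICAR.encode("ascii"))
    samples["plain"] = plain
    # The EICAR spec allows trailing whitespace up to a total of 128 bytes;
    # a scanner that matches only the exact 68-byte file is too strict.
    padded = directory / "eicar_padded.com"
    padded.write_bytes(EICAR.encode("ascii") + b" " * (128 - len(EICAR)))
    samples["padded"] = padded
    # Deflated inside a zip: exercises archive unpacking, not just string matching.
    zipped = directory / "eicar.zip"
    with zipfile.ZipFile(zipped, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    samples["zip"] = zipped
    return samples


def scan(cmd: list[str], path: Path, detected_codes: frozenset[int]) -> bool:
    """Run `cmd <path>` and report True if its exit status means 'detected'.

    Exit-code conventions differ per product (assumption: look yours up).
    """
    result = subprocess.run([*cmd, str(path)], capture_output=True)
    return result.returncode in detected_codes


def run_smoke_test(cmd: list[str], detected_codes: frozenset[int]) -> dict[str, bool]:
    """Build the samples in a temp dir, scan each, return {name: detected}."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = build_eicar_samples(Path(tmp))
        return {name: scan(cmd, p, detected_codes) for name, p in samples.items()}


if __name__ == "__main__":
    # Assumed scanner CLI and 'infected' exit code; substitute your own.
    print(run_smoke_test(["savscan"], frozenset({3})))
```

Any sample reported as not detected tells you where the configuration gap is (the OP's path mistake in #3 would have shown up as all three failing), while three hits still say nothing about how the product fares against real samples.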

02-13-2003, 07:43 AM | #7 | Member, Original Poster
UnSpawn
Only Eicar, yes, but the virus protection also works with other infected files. I received an infected file with my Hotmail and the antivirus protection detected it..
Do you have a "wild sample" that cannot affect my company's network? I do not wish to try; we actually got some samples from the Sophos company to test with..
thanks..

02-13-2003, 08:52 AM | #8 | Moderator
Hmm. No, I don't hand out live stuff, that would make me an accomplice by any decent standards, and sharing nfo on where to get that kind of stuff will certainly not pass the LQ FAQ/AUP/moderation tests. I'll just say it ain't that hard to find.
"we actually got some samples from the Sophos company to test with.."
I think your Hotmail example is a better way compared to using Sophos' samples. AV SW tests/reports where vendor submitted samples are used should be viewed with appropriate caution IMNSHO.

02-14-2003, 02:14 AM | #9 | Member, Original Poster
UnSpawn
Well, we do not only have samples from Sophos and the Eicar file. Actually we got a CD with some games (small) and jokes; the company's virus protection and Sophos are reacting to the same files, and also my Hotmail virus protection. But these files are not any real viruses..

02-14-2003, 03:02 AM | #10 | Member (Registered: Nov 2002; Location: 50'48''N - 4'21''E; Distribution: SuSE7.1 - SuSE8.1 - SuSE8.2 - RH6.2 - RH7.1 - RH7.3 - RH8.0 - RH9.0 - Fedora Core 1; Posts: 281)
Viruses under Linux?
I always heard this was quite impossible.

02-14-2003, 05:21 AM | #11 | Member, Original Poster
Membrax
I have a webserver and also a mailserver on my Linux box. My customers have Windows, OS/390 and Linux as workstations. They connect to my Linux machine through the mailserver to check their mail accounts. When they pick up mail, the virus protection must recognize the viruses..

02-14-2003, 05:25 AM | #12 | Moderator
Well, strictly speaking we're not talking about viruses under Linux cuz there are only about 5 proof of concept samples around but then again on Linux there are other things you could be interested in like worms, LRK's, sniffers and such.
Say you want to get positive ID on odd/unknown binary/tarballs contents. You could be running strings on each of them, but using AV SW is faster and you don't have to remember default backdoor login strings etc etc.
I'm not into spreading FUD and I know I'm handling stuff that may be hostile, but hey, if I can determine within 5 mins what I've got I'm happy. Here's an example of someone's / :
DoS:Linux/Slice
Linux/OSF.A
Linux/RST.A
Linux/RST.B
Linux/Slapper.worm.gen
PERL/Rootkit.C*
SH/Rootkit.C*
Trojan:Blitz
Trojan:Linux/RootKit.40
Trojan:Linux/Rootkit.C
Trojan:Linux/RootKit.C
Trojan:Linux/RootKit.C2
Worm:Linux/Lion
If you know the packages names it's easy, if you don't then at least you got a hunch OSF.A indicates rootkit stuff, RST DoS tools/scanners and Slice/Blitz DoS tools or logcleaners.

02-14-2003, 07:06 AM | #13 | Member, Original Poster
The mail handler is not attaching/downloading the infected file if Sophos recognizes it. I explained it wrong before: my Linux box has a mail handler, or a sort of client to the real mail server. The mailserver itself does not handle TCP/IP or SMTP and can therefore not be infected by those, or at least not send worms and those things forward. After the handler, the mail goes to a connector that interprets the SMTP mail to our protocol..
But thanks for all help, I have now finished testing and will now evaluate..
thanks again

02-14-2003, 07:10 AM | #14 | Moderator
If you have any leads, like where you got the HOWTOs/help from on how you set it up the way you described, please post 'em. It would make this thread somewhat complete.
TIA.

02-14-2003, 09:00 AM | #15 | Member, Original Poster
UnSpawn,
Do you mean how I installed and configured Sophos?