LinuxQuestions.org
Old 02-06-2003, 07:26 AM   #1
KaktusKnight
Member
 
Registered: Dec 2002
Location: Gothenburg, Sweden
Distribution: Suse2.7, Mandrake 8, Redhat ?, Suse 8.2
Posts: 71

Rep: Reputation: 15
test my virus protection


I have installed Sophos and everything seems fine, at least from the "news" I get from the config files. But how can I really test it? Are there any "nice and kind" viruses that I can try it with? Or how do I know it works?

Thanks in advance
 
Old 02-06-2003, 08:15 AM   #2
KaktusKnight
I have now made an "EICAR file" and it works perfectly with my F-Secure on Windows, but from Sophos I do not get any reaction. Anyone with clues? Could it be a config problem perhaps?
 
Old 02-06-2003, 09:34 AM   #3
KaktusKnight
Finally.. I had made a configuration failure in one of my paths..
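An added example (not from the thread, and not Sophos' code) of the test the thread settles on: plant the public EICAR test string in every directory the mail path writes to and check that the scanner's configured scan roots actually cover them, which is exactly the kind of path misconfiguration reported above. The scan function is a stand-in for the real scanner, assumed unavailable here; the spool/attachments directory names are constructed.

```python
import pathlib
import tempfile

# The public 68-byte EICAR test string; a raw bytes literal keeps the backslash.
EICAR = rb'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'


def write_eicar(directory: pathlib.Path) -> pathlib.Path:
    """Drop eicar.com into directory (created if needed) and return its path."""
    directory.mkdir(parents=True, exist_ok=True)
    path = directory / "eicar.com"
    path.write_bytes(EICAR)
    return path


def is_valid_eicar(data: bytes) -> bool:
    """EICAR rules: the 68-byte string comes first, the file is at most
    128 bytes, and anything after the string is whitespace only."""
    return (data.startswith(EICAR) and len(data) <= 128
            and data[len(EICAR):].strip(b" \t\r\n") == b"")


def scan(roots) -> set:
    """Stand-in for the real on-demand scanner (assumed not installed):
    return every file below the configured roots that is an EICAR file."""
    hits = set()
    for root in roots:
        for p in pathlib.Path(root).rglob("*"):
            if p.is_file() and is_valid_eicar(p.read_bytes()):
                hits.add(p.resolve())
    return hits


def coverage(scan_roots, probe_dirs) -> dict:
    """Plant a probe in each probe_dir and report, per directory, whether a
    scan limited to scan_roots catches it. False means that path is not
    covered by the scanner configuration."""
    probes = {d: write_eicar(pathlib.Path(d)).resolve() for d in probe_dirs}
    hits = scan(scan_roots)
    return {d: (p in hits) for d, p in probes.items()}


def demo() -> dict:
    """Constructed layout: scanner configured for the spool only, while the
    mail handler also writes attachments next to it."""
    base = pathlib.Path(tempfile.mkdtemp())
    spool, attach = base / "spool", base / "attachments"
    return coverage([spool], [str(spool), str(attach)])
```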
 
Old 02-11-2003, 06:02 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
If you haven't got access to viruses, worms and malware already, I'm sure that if you d/l selected stuff from, say, a Packetstorm mirror you'll find lots of stuff to test it with.
 
Old 02-12-2003, 01:23 AM   #5
KaktusKnight
UnSpawn, the thing is I do not want a REAL virus (I sit at my work doing these tests) but a file that the virus protection software thinks is a virus. I have now found one.. thanks..
 
Old 02-13-2003, 07:18 AM   #6
unSpawn
Anything interesting besides the std EICAR stuff?
I'm asking cuz EICAR detection could just as well be done through a hardcoded string in the binary if a vendor sees fit; I can't compare it to working with "in the wild" samples. And IMHO working with viruses isn't that difficult if you take precautions...
 
Old 02-13-2003, 07:43 AM   #7
KaktusKnight
UnSpawn

Only EICAR, yes, but the virus protection also works with other infected files. I received an infected file in my Hotmail and the antivirus protection detected it..

Do you have a "wild sample" that cannot affect my company's network??? I do not wish to try; we actually got some samples from the Sophos company to test with..

thanks..
 
Old 02-13-2003, 08:52 AM   #8
unSpawn
Hmm. No, I don't hand out live stuff; that would make me an accomplice by any decent standards, and sharing info on where to get that kind of stuff will certainly not pass the LQ FAQ/AUP/moderation tests. I'll just say it ain't that hard to find.

Quote: we actually got some samples from the Sophos company to test with..
I think your Hotmail example is a better way compared to using Sophos' samples. AV SW tests/reports where vendor-submitted samples are used should be viewed with appropriate caution, IMNSHO.
 
Old 02-14-2003, 02:14 AM   #9
KaktusKnight
UnSpawn

Well, we do not only have samples from Sophos and the EICAR file. Actually we got a CD with some (small) games and jokes; the company's virus protection and Sophos are reacting to the same files, and so is my Hotmail virus protection. But these files are not any real viruses..
 
Old 02-14-2003, 03:02 AM   #10
membrax
Member
 
Registered: Nov 2002
Location: 50'48''N - 4'21''E
Distribution: SuSE7.1 - SuSE8.1 - SuSE8.2 - RH6.2 - RH7.1 - RH7.3 - RH8.0 - RH9.0 - Fedora Core 1
Posts: 281

Rep: Reputation: 30
Viruses under Linux?
I always heard this could be quite impossible.
 
Old 02-14-2003, 05:21 AM   #11
KaktusKnight
Membrax

I have a web server and also a mail server on my Linux box. My customers have Windows, OS/390 and Linux workstations. They connect to my Linux machine through the mail server to check their mail accounts. When they pick up mail, the virus protection must recognize the viruses..
 
Old 02-14-2003, 05:25 AM   #12
unSpawn
Well, strictly speaking we're not talking about viruses under Linux, cuz there are only about 5 proof-of-concept samples around, but then again on Linux there are other things you could be interested in, like worms, LRKs, sniffers and such.

Say you want to get a positive ID on odd/unknown binary/tarball contents. You could be running strings on each of them, but using AV SW is faster and you don't have to remember default backdoor login strings etc. etc.

I'm not into spreading FUD, and I know I'm handling stuff that may be hostile, but hey, if I can determine within 5 mins what I've got, I'm happy. Here's an example of someone's / :
DoS:Linux/Slice
Linux/OSF.A
Linux/RST.A
Linux/RST.B
Linux/Slapper.worm.gen
PERL/Rootkit.C*
SH/Rootkit.C*
Trojan:Blitz
Trojan:Linux/RootKit.40
Trojan:Linux/Rootkit.C
Trojan:Linux/RootKit.C
Trojan:Linux/RootKit.C2
Worm:Linux/Lion
If you know the package names it's easy; if you don't, then at least you've got a hunch that OSF.A indicates rootkit stuff, RST DoS tools/scanners, and Slice/Blitz DoS tools or log cleaners.
 
Old 02-14-2003, 07:06 AM   #13
KaktusKnight
The mail handler does not attach/download the infected file if Sophos recognizes it. I explained it wrong before: my Linux box has a mail handler, or a sort of client to the real mail server. The mail server itself does not handle TCP/IP or SMTP and can therefore not be infected by those, or at least not send worms and those things forward. After the handler the mail goes to a connector that interprets the SMTP mail into our protocol..

But thanks for all help, I have now finished testing and will now evaluate..

thanks again
 
Old 02-14-2003, 07:10 AM   #14
unSpawn
If you have any leads, like where you got the HOWTOs/help from on how you set it up the way you described, please post 'em. It would make this thread somewhat complete.

TIA.
 
Old 02-14-2003, 09:00 AM   #15
KaktusKnight
UnSpawn,

Do you mean how I installed and configured Sophos?
 
All times are GMT -5. The time now is 09:16 AM.