LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Time for Linux users to start using Anti-Virus? (https://www.linuxquestions.org/questions/linux-security-4/time-for-linux-users-to-start-using-anti-virus-468939/)

pengu 07-29-2006 03:36 PM

Time for Linux users to start using Anti-Virus?

I read somewhere that a prototype for a virus that would run on both Linux and Windows had been released.

Does this foretell a future of viruses for Linux?

I assume the primary reason for Linux being virus free is that it is not as common as Windows, along with the fact that it is more secure. However, this will soon change as Linux is rapidly growing.

The problem is, I get the impression that not many Linux users (myself included) use antivirus. When more and more Linux viruses start appearing, the Linux world will be taken by surprise. Vulnerable Linux users will just give virus creators additional reasons to make viruses for Linux.

So my question is: is it time for Linux users in general to start using anti-virus?

If Linux users start using anti-virus now, then Linux viruses will be less effective in the first place; this will decrease the chance of hackers taking advantage of unprepared Linux users.

cougyr 07-29-2006 03:44 PM

Good topic. My concern is cookie and email mining. I suspect that our vulnerability is in browsers and email clients. I have both rkhunter and chkrootkit.

btmiller 07-29-2006 06:06 PM

A Linux virus still won't be able to do much to the system itself unless it's able to exploit some vulnerability to get root access (or someone catches a virus while running as root). Still, a malicious script that does something like "rm -rf /home/$USER/*" would be a nasty thing to behold. Fortunately every Linux browser I've come across asks for confirmation before doing things like running scripts on your system. As long as your browser is patched up to date, you should be relatively safe.

In other words, I still think the major use of anti-virus software on Linux is on servers to protect Windows clients that connect to them.

mike160 07-29-2006 08:00 PM

The fact that there are far fewer Linux users than Windows users explains why there are few Linux viruses.

For a virus to be effective (in humans, animals or computers) the rate of infection HAS to exceed the rate of eradication, otherwise the virus just disappears. If there are only a few hosts available to carry the virus then the rate of infection is very low (and by FEW I mean Linux boxes compared to MS boxes).

Plus Linux is far more secure "out-of-the-box".

So NO, right now I DO NOT use anti-virus in Linux, but I do have Guard Dog set up for my firewall and I don't run any server software like SSH (which Guard Dog disables by default).

Also, there need to be better ways of setting up real-time scanning, 'cause right now it's a pain in the ass.

konsolebox 07-29-2006 08:05 PM

Hey guys, do you think the new compilation techniques of gcc are somehow connected to this problem? :confused:

frob23 07-29-2006 08:49 PM

Quote:

Originally Posted by konsolebox
Hey guys, do you think the new compilation techniques of gcc are somehow connected to this problem? :confused:

What problem and what new compilation techniques?

I don't see gcc as being related to viruses at all.

konsolebox 07-29-2006 09:06 PM

Quote:

Originally Posted by frob23
What problem and what new compilation techniques?

I don't see gcc as being related to viruses at all.

Nah, nothing. Just asking if it's related.

Edit: I was just thinking that maybe with the newer techniques of gcc, binary outputs are getting more and more alike even with different architectures. It's only a possibility, I guess.

Edit2: BTW, I voted for no.

reddazz 07-29-2006 09:49 PM

Quote:

The fact that there are far fewer Linux users than Windows users explains why there are few Linux viruses.

For a virus to be effective (in humans, animals or computers) the rate of infection HAS to exceed the rate of eradication, otherwise the virus just disappears. If there are only a few hosts available to carry the virus then the rate of infection is very low (and by FEW I mean Linux boxes compared to MS boxes).

I disagree with you a little. I don't think the number of viruses for Linux and Unix has anything to do with the number of users, but more related to the security model. I believe at one time there were more Unix users than Windows users, but Unix machines were not plagued by viruses whilst, from the beginning, Windows suffered many virus outbreaks.

I won't bother getting antivirus solutions for Linux because it would be just a waste of money, time and effort for an extremely small risk. Anyway, most of the current antivirus solutions are actually for checking for Windows viruses, so if you don't share files with Windows users, then there is no point in even using such solutions. Unix and Linux's main problems are probably rootkits and inexperienced users/admins (those that don't bother with security or prefer running as root all the time).

fudam 07-29-2006 10:02 PM

Number one virus protection: Common sense

If you're an administrator (even if only for your family) then you may want to think of virus protection, whether it be today or in a couple of years. But if you're the sole user, and you use some common sense, you probably don't need virus software.

Personally, I don't use virus software on my Linux box or on my Windows box and I've never had a single virus.

The one area I can see that isn't really in my control is automatic updates. Whether it's yum, apt, or even installing modules for perl using cpan.

commander.cb 07-30-2006 01:27 AM

Hah - you can't, CAN'T, no way surf without a virus proggy --- not anymore ...
You MUST do this in Windows - and prolly Linux too..

These days just loading a page results in an infection.

rickh 07-30-2006 01:35 AM

Did my own little poll looking at the responses to this thread. People who think you need virus protection on Linux have very low post counts. People who think you do not need it have very high ones.

Poll conclusion: New Linux users have been brainwashed by Windows considerations to believe that virus protection MUST be necessary. People who have used Linux for quite a while know why that is a crock of bull.

antis 07-30-2006 05:36 AM

Quote:

Originally Posted by commander.cb
These days just loading a page results in an infection.

:confused: I guess that it depends on what websites you visit. Stop browsing for naked women and you'll be fine :tisk:

konsolebox 07-30-2006 05:51 AM

-- nevermind -- :p

pengu 07-30-2006 11:57 AM

Quote:

Originally Posted by theFOO
Personally, I don't use virus software on my Linux box or on my Windows box and I've never had a single virus.

When I was using Windows, I used almost all free software. Not Open Source, but free. I was getting viruses all the time because 99.9% of all free Windows software contains viruses.

Also, the only anti-virus software I know of on Linux is Clam Antivirus. That scans for Linux viruses, right?

ledow 07-30-2006 12:39 PM

Okay, my twopenneth -

No. A virus running on your system means that executable code is running in the privileges of a particular user. In Windows, unfortunately, this is usually the administrator or some system account because of the relatively poor security and also extremely poor user experience [in that you have to be admin to do most things easily].

Code running is a BAD thing no matter what is happening on the computer - something you're not in direct control of is executing on your machine.

Now, under UNIX/Linux (which, BTW, runs more Internet and infrastructure servers than Windows by a LARGE majority), this is accepted under certain circumstances - e.g. compile farms etc. but there it's seen as a HUGE risk and it's HEAVILY locked down. Don't let unknown people execute unknown code on your PC.

Unfortunately, mistakes are made and holes found all the time even in the most secure systems (take, for example, the recent Debian compromise which occurred via a "local" developer's account on a server). Some places with multiple users just don't allow any executable apart from system executables to run AT ALL by using permissions, SELinux etc. These sorts of systems are MUCH, MUCH less vulnerable as ALL software is under the administrator's control and not a single machine code instruction will execute that he does not already know about.

For a home system, if you have "rogue" code executing in any manner then you are dead - eventually you will run some code that does something out of your control and nasty (a rootkit).

The only code that should ever be running on a single-user server is code supplied with the distribution and that which you have made run yourself (not code run through exploits, downloads, attachments, websites etc.). Those pieces of code that YOU choose to execute are your responsibility - YOU must keep them up to date, including your distribution software. Very little can be done to allow you to run arbitrary executable code safely on a computer for the rest of eternity (although there are linux websites that allow uploading of arbitrary C/bash code in order for you to try to hack their systems but they are run as part of a demonstration of a particular piece of Linux security software... you just CAN'T do that on Windows).

This is where Windows falls down because (in the past at least) it's been quite easy to *unintentionally* execute code (LOOKING at an email in Outlook, ActiveX controls etc.). Linux has had similar problems but, in general, is much more careful about what it executes (even more so with SELinux and file hashes etc.). The only way in today is via some obscure mistake made by a programmer in an application that you are already running - e.g. Apache, sendmail etc. Even then, things like chroots, SELinux et al will detect or stop most attacks from actually running dangerous code.

The problem with antivirus is that it can only detect malicious code that's ALREADY on your computer. It's too late. Far too late. The damage is already done because it's executing. It's like trying to win the war after the entire enemy force has already walked through the front door and is standing in front of you.

Prevention is better than the cure. Not running executable code that you don't want to is the key - no autorun, no executing AT ALL of attachments (unless the user specifically saves them and runs them themselves), etc. This is where Linux wins. By default, things on Linux will NOT load or run an executable program at all. If they do, the privilege structure of the system interferes as much as technically possible to prevent it from happening (e.g. if someone didn't allocate a big enough buffer somewhere in Apache etc., this would be caught by all manner of layers from NX CPU architecture, randomised kernel stack addresses, SELinux and so on).

Take ANY up-to-date browser, run it around every website you can find, read every email you're sent, BROWSE every samba share on your network and click NO to every message. Chances are that any "Linux-targeted" viruses just will not execute without permission, no matter what browser you are using, what SAMBA shares you look at (so long as you don't double-click any files), what emails you receive or what packets come in over your network. Any action that prompts execution will either be denied or will ask the user FIRST. This is where Windows has, historically, failed miserably, and where the majority of viruses continue to come from - people who click Yes and people who don't KNOW what is running on their system.

Having said that, Linux viruses do exist but they are so few in number because most Linux systems just will not let you execute something in an email, catch something "over the wire" from your network, etc. At the very least, they will ask you if you are sure first. This is where ALL viruses come from - the ability to be executed on your PC. Windows has now, pretty much, eliminated all the original silly design mistakes (e.g. auto-executing certain HTML attachments etc.) and it's left with the same as Linux - specific program overflows and exploits for programs that are ALREADY RUNNING on your PC. So now, pretty much, Linux and Windows are even, at least at stopping code from executing in the first place.

Stupid users exist. Windows, however, just doesn't have the same capability to deal with maliciously executing code once it HAS been executed on your PC - Linux will, on the whole, do what it's told and follow through every check and every permission that it can.

Windows viruses commonly elevate privileges and hide themselves in inaccessible parts of the filesystem, kill running programs, intercept the keyboard etc. no matter what user "caught" them. Linux viruses are, for the most part, short-lived, based on a single kernel vulnerability that raises privileges (for example, I believe, the Debian flaw was a previously-undiscovered kernel privilege escalation). If a piece of software can't raise privileges, all it can do is whatever the user it's running as could do - under a properly secured system this means next-to-nothing outside of modifying their own files.

This is where another difference comes - privilege escalation is MUCH harder on Linux systems and therefore it's much harder to "control" a computer. Yes, it happens, it happens all the time in fact. Every month there is some theoretical privilege escalation in Apache, SSH, the kernel, sendmail or some other major piece of Linux software. The difference is that they are normally fixed while still theoretical or fixed before a virus can take advantage of them (usually the very same day).

Obviously, not everyone updates their software to fix the flaw but most places do. On average, though, on a securely managed system (unmanaged systems are pointless to consider given that any unsecured OS is vulnerable by definition), the fix is applied within hours or, at worst, days. MS patches come once a month unless you pay enormous amounts for support.

Partially, the spread of Linux viruses is tempered by the knowledgeable users (an arguably greater proportion than on Windows), the fast fixes, the difficulty in producing an exploit in the first place and the least-privilege rule (don't let any software be able to do anything that it doesn't need to do).

There are thousands of Linux users that get viruses and rootkits every week (read these forums) because they don't update. The difference is that Linux doesn't attract them particularly (most of Linux's appeal is to people who understand security issues), it's deployed much more carefully (all distributions are secured with firewalls and some with SELinux etc.), it's less vulnerable in the first place (because of not allowing silliness to creep into the code like executable controls in HTML code) and because people know that once you set something running, there's NOTHING you can do to stop it trying to break your system (whether by fork-bomb or kernel exploit etc.).

The way to stop viruses is NOT to go looking for them on your computer once a week in every single file you ever touch anywhere on your home machine and scan in memory for them constantly - it's too late by then. The way to stop viruses is to not let them get into memory EVER, either by least-privilege or sensible user control (i.e. NEVER use a browser that sets the X permission on anything it downloads, NEVER chmod +x everything on your system "just because", NEVER run a binary that you do not know EXACTLY what it is, where it's come from and what it does etc.).

Anti-virus can only see what is ALREADY on your computer (with the possible exception of email-scanning sections). They can't do anything about STOPPING them getting there. Anti-virus for any group of users (whose IQs dip in proportion to the size of the group involved) is probably necessary, yes, to stop them running things that they haven't checked. Much better, though, to remove the decision from them and stop them being able to run ANYTHING that isn't installed by the admin (for 99% of users this is perfectly legitimate - the exception comes when they start programming and want to execute their own creations, by which time they should know better... and yes, I've been a network admin several times).

If you are sensible in using Linux, you don't NEED antivirus (though it's a nice peace-of-mind thing). If you are sensible on Windows you don't NEED antivirus (but you will need software more secure by default than, for example, Internet Explorer). You only NEED it when you are on a system that can't defend itself from arbitrary executables (either by preventing them executing or by SECURELY limiting their capabilities) and you don't know what you're clicking Yes to.

As more people migrate to Linux, this will become more of an issue but, on the whole, their new Linux systems will take much of the decision making away from them. Download an exe from a random website with Internet Explorer and click Open. Now try to download a Linux executable with a Linux browser - chances are you CAN'T run it until you save it manually and set the permission bit yourself. Same with email attachments.

Antivirus is for finding already-compromised machines and for preventing stupid users from clicking yes to things that may damage their computer. Who you are and what you do determines whether you need it or not.

BTW: I've run DOS, Windows 3.1, Windows 95, Windows 98, Windows 2000, Windows XP and Linux on my home machines and never NEEDED any antivirus (I have them installed purely to scan other people's data, e.g. floppies, USB sticks, networks etc. but I don't have them resident in memory) and never caught any (except for a single harmless one on a coverdisk of a very reputable magazine that SOMEONE ELSE executed at my computer without my permission).

I have always had a firewall, I have always had up-to-date software, I have always had least-privilege principles applied to everything (I don't install software I don't need, don't let it access things it doesn't need to, etc) as much as possible and THAT'S what stops viruses getting onto my machine. Not some rubbish scanner that takes up 50% of my CPU time and slows down my computer.

And yes, I would know if I had had one as I perform regular virus scans from several vendors - purely for peace of mind for my clients.
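The post above leans on one concrete mechanism: a downloaded file on Linux does not run until someone deliberately sets its execute bit, and a user should never `chmod +x` things wholesale. The script below is an added example, not code from the thread or from any poster, showing how to audit a download directory for files that already carry an execute bit and how to strip those bits so that anything meant to run has to be marked executable by hand. It assumes a POSIX sh with find(1), chmod(1) and mktemp(1); the sample directory and its two files are constructed inside the script rather than taken from any real system.

```shell
# Added example (not from the thread): audit a download directory for files
# carrying an execute bit and remove the bit by default. Assumes POSIX sh,
# find(1), chmod(1) and mktemp(1). Sample data is constructed below.

# Print how many regular files under $1 have any execute bit set (u, g or o).
# Octal masks with -perm -NNN work in POSIX find, not only GNU find.
count_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | wc -l | tr -d ' '
}

# Show each executable file with its mode so the owner can decide whether
# it was made executable on purpose.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -exec ls -l {} \;
}

# Remove execute bits from every regular file under $1: the "default deny"
# for downloads. Anything that should run gets chmod +x by hand afterwards.
strip_execute_bits() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -exec chmod a-x {} \;
}

# Constructed sample standing in for ~/Downloads: one plain text file and
# one script that somebody already marked executable.
make_sample_downloads() {
    sample_dir=$(mktemp -d)
    printf 'plain notes\n' > "$sample_dir/notes.txt"
    printf '#!/bin/sh\necho hi\n' > "$sample_dir/installer.sh"
    chmod 644 "$sample_dir/notes.txt"
    chmod 755 "$sample_dir/installer.sh"
    printf '%s\n' "$sample_dir"
}

# Stand-alone run: build the sample, report, strip, report again, clean up.
demo=$(make_sample_downloads)
echo "before: $(count_executables "$demo") executable file(s)"
list_executables "$demo"
strip_execute_bits "$demo"
echo "after: $(count_executables "$demo") executable file(s)"
rm -rf "$demo"
```

Run against a real directory, `list_executables "$HOME/Downloads"` gives the list to review and `strip_execute_bits` applies the default; on the constructed sample the count goes from 1 to 0. Note that this only covers the execute bit, which is what the post is about; it does not make a file safe to run once you do mark it, and it does nothing about interpreters invoked explicitly (e.g. `sh file`).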
