I was reading a thread here and noticed that it was marked as "solved" so when I noticed that the person hadn't been actually helped and I tried to post a reply, I got the "your post is awaiting moderation" message. I have no idea what that means, and it's not in the FAQ AFAIK. So sorry if this is a rehash, but seriously why does everyone think that Linux is perfectly safe from all attacks? Maybe you just don't know because your AV solution s*cks or is nonexistent.

Check this out:

http://www.amazon.com/Malware-Forens...dp/1597494704/

Select "look inside" and read the introduction to get an idea of what viruses and security issues have affected Linux lately. You can do that much for free without buying the book. You can also check SANS website, which is about the most trustworthy source of security information there is, though a bit hard to navigate.

Most answers to the question "what antivirus should I use?" are in the range of "you don't need it" although some are in the form of "you should know what you're doing and protect your system properly." This "properly" statement is at least somewhat helpful, but let me illustrate why it is unhelpful for the average computer user...

http://www.sans.org/score/checklists/ID_Linux.pdf

Imagine your mother doing that weekly on her PC? Or your little brother on his "homework computer"? Real time on-access scanning is relevant in the Linux world because people simply won't go to this level of PC care. In fact, automation of these tasks is sorely needed. Just compare the Comodo Windows suite to the Comodo Linux AV solution. It isn't nearly as beefy (Comodo Linux solution link is below).

If I am moving a user from Windows to Linux (I am currently working on an install of OpenSUSE with Comodo CAVL as the AV solution), then I think it is a downgrade to give them no AV solution or just weekly scans they have to manually activate or schedule.

If you have no AV solution, or your AV solution is weak, you have no way of knowing if something is silently recording your keystrokes, collecting your banking information or whatever else you're doing online. (Credit card info? Paypal?)

Other real-time on-access AV solutions for Linux are available from Symantec or McAfee, but check the system requirements. Not all flavors of Linux can be used, or have been tested.

The Comodo website says something like "Mint 13" even though more recent versions are supported. Sometimes the websites are simply not updated. So call the company and ask. You still will probably have to do much of your own troubleshooting. But that's par for the course of a Linux machine.

Most of these on-access real time scanners are either free to try (free as long as you don't turn your PC into a mail server or other business machine) or must be purchased. But they should not be ignored completely by the Linux community if we are to present a professional and complete image of Linux capability today.

ClamAV remains the de-facto standard for on-demand scanning (usually once a week as part of a complete strategy that includes looking for rootkits, maintaing IDS, and SSH issues). However, this system of protection is not something you can hand a mother with a schoolchild and expect them to maintain it.

http://www.mcafee.com/us/products/vi...for-linux.aspx

http://www.symantec.com/business/sup...&id=HOWTO17995

http://www.comodo.com/home/internet-...-for-linux.php

It's my opinion that we should mention these options in one breath with other more typical Linux security solutions when this topic is broached. Otherwise people who are seeking to try Linux will be scared away because they don't feel comfortable enough "yet." You can't please everyone, that's true, but we already have solutions to please people concerned about this. Use them.

can virus affect my SmartTV? it's based on linux.

The thing with AVs on Linux is they look for Windows virus'. As far as I am aware, others are welcome to correct me, there are no Linux virus' in the wild. There is however cross platform malware (I'm moving away from virus deliberately here) and that usually affects cross platform applications such as browsers, office software, etc. There is also the possibility of RootKits.

Your suggestions are valid. However, I would suggest that someone coming from Windows would either be doing all the things (Windows versions) that you are suggesting people wont do on linux and they are trying Linux because they are sick and tired of all the maintainance required with Windows OR they can't do the maintainance on Windows and are looking for something that will give them some free time.

So if you're "seriously medieval about security" my suggestion has 4 aspects to it.
1. Make sure your system is totally up to date, there is no excuse for running a system with known security holes that a fix has been released for.
2. Install a RootKit detector.
3. Don't let your machine connect "online" unless you need to be online.
4. When you go online be careful where you go.

Linux is not Windows and does not need to be treated the same way.

1 members found this post helpful.

You looked inside that book? Did you notice that in the table of contents, there was no use of the word 'virus'? Also, in the index, there is no entry for the word virus?

Honestly, that book is about what it is about and that is malware analysis. It is less than the best place to go if you want to see 'what viruses and security issues have affected Linux lately' because that is not what the book is about. Many of the issues that have affected Linux are, from my point of view, stupid issues that could affect anything - setting/allowing idiotically weak passwords, configuring SSH badly, XSS attacks, etc, etc and these aren't malware per se, although they may be vectors for a malware infestation.

There certainly are issues that have affected Linux itself lately, it is just that they are not viruses. Linux viruses are theoretically possible, but aren't generally seen outside of a lab. Running a virus scanner may well still be a good idea, in order to protect boxes for which viruses are a live issue, but that rather depends on whether files are passed on from the box under question to other boxes (which, in this increasingly connected world, is a very common use case).

Also, I don't recall (but could easily be overlooking something) people saying that "Linux is perfectly safe from all attacks". If they have said that, they are wrong. It is important, however, not to confuse the statements 'In practice, Linux does not get viruses' with 'Linux is perfectly safe from all attacks'; those are very different statements (with the second being, as I say, clearly wrong).

Any attempt to deal with the threats actually confronting Linux without mentioning rootkits is unbalanced; running something like 'Rkhunter' is, at the current state of play, more likely to help an actual Linux user than a virus scanner, which is more likely to help someone else (...not that this would be a bad thing, you understand...).

1 members found this post helpful.

From what I understand, there is no such thing as a simple virus anymore. For example, my Windows partition was affected recently by the hellish ilivid package. When it happened, I knew because I got a few messages saying some files downloaded had been scanned and were safe (it was zero-day, they hadn't been identified yet), but I knew I hadn't downloaded anything. Without active scanning of all downloads and on-access files, I wouldn't have known those files had arrived.

There's no way to tell when or if I will ever be able to clean it without total re-install. It simply has too many components, some of them Trojan, some of them rootkit, others I don't know what, but they seem to write directly to hardware because they affect audio. (Search for "computer making weird sounds" or "sounds like mashup radio" and you might find some confused people affected by the same package. It was a drive by download. The vector was a funny video that was targeted at IT people... here's how:

An IT-oriented video went viral on youtube, then it was taken off youtube and moved to another domain. When you searched for it later, you only found it on some other website that was infected. You played it for your friends... all had a good time.. But once a timer ran out, ilivid package activated. So you couldn't even tell what it was that did it because other windows might be open, or you might've navigated away. Except in my case I knew I'd ONLY gone to that one video because I was at home and showing my also-IT husband.

So it was partly social engineering too.

The ilivid package has been around since 2012, but back then, while annoying and very hard to remove, it wasn't making "my computer is possessed" sounds (according to TrendMicro's description). It would be obvious if something like that affected Linux as the whole point is to serve up ads.

It's much harder though, to know what to do in Linux after the fact. There isn't a phalanx of Malwarebytes, etc. People assume it's not needed. Or they assume they will move data off and reinstall. So we're back to square 1 or manual removal of files. So that's my next question.... what do you do for remediation? On an Irix system, I had to identify the offending files and delete them, but I'm not sure I got all the libraries as it was a rogue java applet and I didn't want to destroy the useful ones. That was in 2005.

I had to laugh at myself when someone mentioned people moving to linux because of the problems managing Windows. I had the same thought of giving up on the Windows side. But then after researching the AV tools, I found they were sill in the baby steps stage. I'm not sure it solves the problem really. Turning a blind eye to it is not what I want to do. And "going manual" seems like not the kind of thing I can trust myself to do "perfectly."

Telling people their system is unsafe because they didn't manage it often enough and well enough is like vegans telling you you failed at veganism because you "didn't do it right" or long enough. It's victim blaming. Computers are supposed to remove drudgery, not add it. And the tools just don't exist yet.

Something funny, when I called Symantec to get more info, I had to pretend I had a home based business to get their help! It can be a challenge even to buy the software you want, even if you want to buy it. I'm thinking of getting a tax ID just to buy Linux AV software!

So I guess I stay at the dual boot stage and rebuild the Windows partition. Mostly because I'd never use Amazon, Swansonvitamins, or Drugstore.com, not to mention online banking from a system I couldn't trust (ie. doesn't have active scanning on-access to all files). I guess it proves I'm not a gambler.

Do you mean the LG television appliance? I'm not sure I'd be worried unless you're going to websites where you are making financial transactions. But if the TV itself gets messed up, I imagine LG has a way to re-image it or set it back to the default out of the box state (this may not even be necessary). If you're concerned, call them up and ask.

It's possible that the hard drive is read only and isn't capable of storing any information. All storage is probably volatile RAM which is erased whenever you turn it off/on. I'm just guessing, so you should check with LG about it. Just from what it looks like on their site, that's how I'd guess it works.

Incident response:

http://www.cert.org/csirts/csirt_faq.html
http://oreilly.com/catalog/incidentr...pter/ch07.html
http://www.symantec.com/connect/arti...e-system-tools
http://www.symantec.com/connect/arti...e-system-tools
http://www.linuxquestions.org/questi...ts-4175430473/

and, of course, there's always more information than you can shake a stick at here (see the "Forensics, recovery, undelete" section in particular (post 5/6, depending on which way you are counting), although the whole thing might be regarded as somewhat to your subject - err, that CERT link, which is probably the most relevant is either broken or currently so slow that it might as well be broken).

Note that checking the validity/unchanged status of your program files is going to be one of your key stages in assessing what has been damaged/what can be done. Don't overlook this just because some other operating systems, without system-wide install utils don't give you that option.

1 members found this post helpful.

Short and to the point:

Most infected systems I deal with have AVs.. Their owners stop having trouble once a security policy is in place (in real-life, on a normal Windows user, that means some firewalling, cleaning software, normal daily user account if possible instead of full-rights user-account, browsing extensions.. and a brief talk about what should he and what shouldn't he click on the webpages). Sometimes, for low-end systems, the Windows AVs do a whole lot more harm then good.

Now, extending this to Linux, where a end-user desktop/portable system is much harder to be full-wide infected than with Windows.. And in which AVs have less than 1k known virus signitures.. I seriously doubt this can be qualified as a need.

Again, there are AVs.. And I would recommend putting one in stations that hold shared documents (ftp servers, SAMBA shares, etc..).. Day-to-day desktop user? Mneah..

@yooy: In theory, yes.. In practice, even if one would exist for your TV, you would require someway of putting it in .. By normal usage that wouldn't be likely...
http://www.palmbeachgeek.com/can-smart-tv-get-virus/
http://blogs.computerworld.com/cyber...liday-tv-deals

You open a root terminal (not a virtual terminal in X). You backup actual data from your user home directory... delete that directory and redo it..
Loose some settings, but it will most "fix" the virus problem..

Now, on the other hand, if you install a package from an unknown source or run something (not even as root, since 0-days privilege escalations do exist) from an untrusted source.. Well sorry, but that would be your fault and an AV would be pointless in that situation..

I must disagree that it would be pointless. Since malware packages are assembled of multiple parts now, the on access scan would have at least a chance of recognizing at least one file as suspicious, or at least heuristics should catch something. That is enough to alert the human user that something is wrong. Then the human user can take further action, but if the alert never comes because AV doesn't exist because of apathy, then you must wait for negative effects on the system to alert you that there is a problem.

Perhaps the reason why there aren't automated tools for incident response (ie. things like the Windows based Malwarebytes or the various Hijackthis analyzers), is because it would perforce limit the choices of Linux flavors. Here's an example from one of the articles mentioned in the list of incident response articles:

"On Solaris and Linux, there are some native commands that help compare the current operating system install against the metadata contained in the package database. The commands are: rpm -Vva (RedHat 8.0), pkgchk -vn (Solaris 9), and debsums -ac (Deb 3.0). Both the rpm and the Debian format[3] can use RFC2440 (OpenPGP) compliant signatures to authenticate the packages. Both also use MD5 hashes as their "checksums"."

No malware removal author or creator of incident response software could possibly cover all the bases, there are too many possible flavors out there, and then versions of each flavor. Then if you get gui development involved, which can radically change every major numeric update (I like KDE as I've said elsewhere, and some parts of the gui have changed enough that I can't even just google how to do something and expect to find an answer... if the version is 12.?, it isn't likely to be of help)... anyway, I think possibly complexity is holding back development more than apathy.

Heuristics? for a pure linux malware... How would that work? In this respect almost all linux services will be suspicious..
Also, you just gave yourself a much more better option to verify packages than the AV..
KDE is now 4.x.y.. I think your thinking of the distribution SuSE..

Let me try to explain this in a different manner:
Most linux attacks involve real and legal tools... Think of netcat, busybox, tinyssh, sendmail.. These are not malwares but can be used as such.. As a matter of fact, think of OpenSSH, apache, sendmail (yes, twice), etc... They could be used to compromise an insecure system.. No AV in the world would complain.

Sure, there are some malicious software out in the wild, but those would be futile to catch.. And the reason they haven't spread as hell is exactly the upper mentioned facts that Linux systems are partially protected by default and most of them have at least a basic firewall installed and most important services shutdowned when not needed or are quite secure and have a very low chance of getting 0-day cracked.. All these means that when your Linux computer gets hacked the AV will most likely be the last piece of software that complains..

Also, please consider that I'm not against AVs, nor do I think that Linux doesn't need them at all.. I just think they have their place and that's not on a desktop Linux system..

To some extent you've answered your own question about how that would work. On Windows, it works by creating a whitelist of current contents of (the equivalent of..) /usr/bin and/or /usr/lib and other significant directories at the time of installation. Then identifying other functions that are in use. Monitoring is then a matter of automating changes to these directories, so time isn't wasted scanning the SAME files over and over again, like you do with weekly scans (ahem, ClamAV, or just about any not on-access scanner).

As I pointed out before, the difference between the Internet Security Products for Windows and a simple on-access scanner available for Linux is still miles apart. The difference is currently made up by non-automated tasks performed manually by the operator/admin. (Sorry, I'm an old mainframe chick, I think like an op). Nothing wrong with that and you could argue that it's better performed by a human, and I'd completely agree with that. However, for adoption of a safe computer system by "the masses" you'd need something equivalent to Norton Internet Security, or at least a group of packages that all do that together without the human having to work at it. Or it's a misery for people who just want a PC.

I'm starting to develop the idea that this is an opportunity for a Linux project that maybe hasn't been thought of yet. A complete automated security package. It won't be as good as a real human doing these things, but it never is. I know a computer savant who doesn't use AV of any kind on any PC using any OS... but he practically doesn't sleep. He lives and breathes his home network, and his job (coworker). I love knowing people like that, they're fun, but I'm not signing up for that much work myself. I suspect most people aren't.

One word: Updates.

Also, this is called monitoring.. A good security practice for production server is to actually do this.. They also are lighter tools for this than the AV...
While I agree monitoring helps, this is not heuristic however, and still doesn't answer how would AV implement heuristic that work for pure Linux malware..

Actually, I'm sorry but I cannot totally agree with you.. Norton Internet Security is by far the worst program ever made. It's a virus by definition.. Just try to uninstall it and you'll see what I mean.. Then there are the number of free security products that, well.. make you want to throw rocks at the screen..
And Linux and Windows can't be compared in this regards because, like I said, a compromised Linux system will rarely have an actual malware installed.. Yet, it will have real legit tools configured to allow malicious behavior. In other words, where in Windows it's easier to write a malware from scratch or use a modified one for a specific job, in Linux you already have them :P

There are some exceptions, but they are rare.. and they get in due to insufficient security policies..

So, a program with an iptables simple GUI and some automation (possible online db with rules for services) .. virus definitions and scanner.. rootkit scanner .. Hmm.. all this kind of automated for desktop/laptop users might be good, who am I to say no.. I simply don't see it in the near future and to be honest, I don't see the need for it in the near future...

And this article is relevant now how? Debian is at 7, RedHat 8 was about 2001-2 and Slackware is at 14. The problem here is reading old material to support a point of view that is still not current (12-13 years later) isn't giving you an accurate picture.

As mentioned before, and not only by myself now, the best thing a Linux user can do to keep their system safe is to keep it up to date.