
Re: Debian virus/spy-ware detection and detection technique.



On Mon, 19 Jul 2010 15:12:26 +0700, Sthu Deus wrote:

>> On Sat, 17 Jul 2010 14:06:58 +0700, Sthu Deus wrote:
>> 
>> > I have 3 questions on virus/spy-ware detection and detection
>> > technique.
>> 
>> He, sounds like a test...
> 
> Would You like to take it?

Sure! I like tests (almost) more than cakes :-)
 
>> > 1. Which software (may that is even packaged for Debian) is the best
>> > at Your opinion and why for virus/spy-ware (the software that scans
>> > for interesting data and sends it to some host) detection?
>> 
>> - For scanning/detecting virus/malware for Windows systems or linux
>> systems?
> 
> Please, do not be amazed, but... LINUX. And preferably.... DEBIAN 5/6.

What are you afraid of? I mean, what is your main concern?

I have not heard of any malware affecting linux users massively for... 
when? I cannot remember any threat I had to be careful of since I have 
been using Linux (that is, from 2003).

I cannot say the same for other OSs.

>> - For local scanning (e-mails, Internet browsing) or a bunch of network
>> share files?
> 
> For the local files on HDD and the whole CD/DVD of a distro (live or
> installable).

ClamAV can scan local files but is not very accurate with rootkits/
malware, just plain common viruses.
 
>> - By "(sic) and sends it to some host" you mean "keep the admin
>> informed by sending an alert to a host" or you mean "collaborative
>> tools to benefit others"?
> 
> Here I mean malicious software that scans for sensitive data like saved
> passwords in files and the typed on keyboard as well, then sends it to
> the people that have created / infested my OS w/ the software.

Then you may be interested in anti-rootkits, like "chkrootkit" or "rootkit 
hunter" solutions.

>> > 3. Is it possible to scan for this very purposes (virus & spy-ware)
>> > the distro CD/DVD -s - as it is from the media, without explicit
>> > manual unpacking - to be sure the software is OK (in case when check
>> > sums are not available OR it is impossible for some reasons to
>> > re-download the images)?
>> 
>> I think yes. Many AV scanners will scan ISO files (no "unpacking"
>> required) but that depends on the AV engine itself.
> 
> Do You know such a skillful AV engine available for Debian?

Mmm, not first hand, I was just told that they did. But take a look 
into the major linux AV websites (Kaspersky, Avira or Avast) and check 
their features.

>> But (and I think this is important) when you scan an ISO file for
>> malware and the result is clean/passed, that is not proving the ISO
>> image could have been manipulated and/or changed. Checksum (or
> 
> If so, then AV engines give false negatives, why should I use it? In
> case we misunderstand each other, I try to rephrase this question of mine: I
> have a live/installable-CD/DVD. I use its normal/rescue mode - I do
> some things w/ my OS on HDD in order to make it work. I had no ability
> to check its checksum, so, is there a way I can be sure that the
> software I used is "clean"?

Don't you remember that phrase of "computer security is just an 
attitude" (or something like that, I barely remember the right statement)?

No, unless you manually examine (and understand) the full code, you 
cannot be 100% safe.

I'll give you a recent example: 

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

To make it short, a Mozilla third party plugin was found to be a 
sniffer created to steal the user's passwords. Nice...

So, one can be paranoid and go back to the typewriter or just remove the 
ethernet plug... but we'll miss the funny part of the Internet (if any :-P).

I mean, checking the MD5SUM or SHA1SUM should be enough guarantee to mark 
the source as valid/clean and go on.

>> I hope I've passed the test :-P
> You truly did. Thank You, once again.

Great! :-)

Greetings,

-- 
Camaleón
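The checksum verification the reply above relies on, as an added example that is not part of the thread or of any Debian tool: a POSIX shell function that looks an image up in a published checksum list (Debian ships MD5SUMS, SHA1SUMS, SHA256SUMS and SHA512SUMS next to its images) and compares the recorded hash with the one computed locally. The file names, the `verify_image` function and the sample data are assumptions for the demonstration; the checksum list format (`<hex>  <filename>` per line) is the one sha256sum itself reads.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a downloaded image against
# a published SHA256SUMS list. Exit status of verify_image:
#   0  recorded hash matches the file
#   1  hashes differ (file is damaged or has been tampered with)
#   2  the file is not listed in the checksum file at all
verify_image() {
    sums="$1"
    image="$2"
    name=$(basename "$image")
    # Pick the hash recorded for this file name; lines look like "<hex>  <name>".
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# Stand-alone demonstration on constructed data (a fake "image" containing
# the line "hello" and a checksum list naming it). Replace with a real
# SHA256SUMS file and image to use it for real.
demo() {
    d=$(mktemp -d)
    printf 'hello\n' > "$d/debian-test.iso"
    printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  debian-test.iso\n' \
        > "$d/SHA256SUMS"
    verify_image "$d/SHA256SUMS" "$d/debian-test.iso"     # prints "debian-test.iso: OK"
    printf 'x' >> "$d/debian-test.iso"                     # simulate a corrupted download
    verify_image "$d/SHA256SUMS" "$d/debian-test.iso" || true   # reports MISMATCH
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run with `sh verify.sh demo` to see both the matching and the tampered case. A hash comparison only proves that the file is the one the checksum list describes, so the list itself has to come from a trusted place: Debian signs its checksum files, and `gpg --verify SHA256SUMS.sign SHA256SUMS` against the Debian CD signing key is the step that ties the hash to the project rather than to whichever mirror served it.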

