
Re: Debian virus/spy-ware detection and detection technique.



On Wed, 21 Jul 2010 01:28:00 +0700, Sthu Deus wrote:

> Thank You for Your time and answer, Camaleón:
> 
>> What are you afraid of? I mean, what is your main concern?
> 
> Spying, programs modifications. I have seen already unexplainable weird
> things - one text file was in size - zero - that never has been so for a
> long time, another, .ods - was partially damaged...

Those "weird things" could have been caused by many other sources or 
"simple things", i.e., an unexpected shutdown can delete your current 
(being used/edited/modified) files or corrupt others. 

Filesystems are not 100% prepared to handle such scenarios (full power 
downs or just small voltage spikes), so if you don't have a UPS, "weird 
things" can indeed happen.
 
>> ClamAV can scan local files but is not very accurate with rootkits/
>> malware, just plain common viruses.
> 
> So, what should I do for the distro install cds - regarding both -
> spyware and viruses?

You can do -mainly- two things:

1/ Analyze it with standard tools (AV/anti-rootkits). Remember that you 
can always mount the ISO image as a loop device to get the full image 
structure (directories and files).

2/ Verify the ISO integrity (md5sum).
 
> If we speak about checksumming - sometimes it fails 

It can fail not just because it has been manipulated but also due to a 
download error. It's not uncommon to get a corrupted image when you are 
downloading a 650 MiB or 4,5 GiB file.

> though I believe the
> problem lies in not accurate or whatever downloading, the images being -
> I believe - unmodified... - Redownloading is hard because of bandwidth.

Yes, but *it is required* that you do it that way. A corrupted ISO image 
can be the cause of later nightmare problems (installation errors, 
rebooting, bad hardware detection...).
 
>> Then you may be interested in anti-rootkits, like "chkrootkit" or
>> "rootkit hunter" solutions.
> 
> I guess it does not fit distro cd scanning right?

You can scan whatever file or directory you have in your system.
  
>> > Do You know such a skillful AV engine available for Debian?
>> 
>> Mmm, not by first hand, I was just told that they did. But take a look
> 
> In apt-cache search ... ?

No, on each manufacturer's sites ;-)

Greetings,

-- 
Camaleón

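Point 2/ above, the md5sum check, as an added example that is not part of the original message or of any Debian tool: a small POSIX sh routine that looks a downloaded image up in a Debian-style MD5SUMS file and distinguishes a mismatch (re-download) from an image that is not listed at all. The file names, the constructed demo data and the mount/clamscan comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: check a downloaded ISO against
# a Debian-style MD5SUMS file ("<md5hex>  <filename>", one image per line)
# before mounting or scanning it. Exit status of verify_iso_md5:
#   0 = match, 1 = mismatch (most often a bad download: fetch it again),
#   2 = the image is not listed in the sums file at all.
verify_iso_md5() {
    iso="$1"                       # downloaded image
    sums="$2"                      # MD5SUMS fetched alongside it
    name=$(basename "$iso")

    # Find the line for this filename; tolerate the "*name" binary-mode marker.
    expected=$(awk -v f="$name" \
        '{ sub(/^\*/, "", $2); if ($2 == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name in $sums" >&2
        return 2
    fi

    actual=$(md5sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "$name: OK"
    # Only after a match is it worth going further, e.g. (as root):
    #   mount -o loop,ro "$iso" /mnt/iso && clamscan -r /mnt/iso
    return 0
}

# Constructed demo: a tiny stand-in for an image plus a matching sums file,
# then the same file with a byte appended to mimic a corrupted download.
# Returns 0 only if both cases are classified as intended.
demo_verify() {
    dir=$(mktemp -d)
    printf 'stand-in for an ISO image\n' > "$dir/demo.iso"
    (cd "$dir" && md5sum demo.iso > MD5SUMS)
    verify_iso_md5 "$dir/demo.iso" "$dir/MD5SUMS" || { rm -rf "$dir"; return 1; }
    printf 'X' >> "$dir/demo.iso"
    rc=0
    verify_iso_md5 "$dir/demo.iso" "$dir/MD5SUMS" 2>/dev/null || rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 1 ]
}
```

Run it as `verify_iso_md5 debian-netinst.iso MD5SUMS` with the real image and sums file in the current directory; `demo_verify` exercises both outcomes on constructed data.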