
RE: [Q] virus susceptibility data

Hi Olaf,

On 18-Jul-00 Olaf Meeuwissen wrote:
> Dear Debians,
> I'm looking for any kind of info on vulnerability to viruses on Debian
> and/or Linux.  Pointers to anti-virus programs are also very welcome.
> If I can't convince some people here at work, I'm about to be told to
> disconnect from the net or use (heaven forbid!) Windows for any kind
> of internet activity beyond our firewall.  And that seems to include
> sending email like this to the list.  Gack!

As others have pointed out, there are almost no known viruses for
UNIX/Linux as such, and the two or three ever heard of are (as far as I
know) almost never encountered. For some reason, hackers don't bother
to attack UNIX systems that way (probably there's more mileage in other
types of attack).

A line of virus which might well be possible, and platform-independent,
is the planting of Java in HTML. This could hit UNIX/Linux and Windows
equally, though I haven't heard of it on Linux. A lot of Linux MUAs
can open HTML attachments in Netscape, though usually not automatically
(the user has to choose).

DOS/Windows viruses are another matter, in these days when people
routinely mail each other Word/Excel etc attachments in the name of
"communication". Even Linux folk have to deal with these things, which
usually means running Windows on another machine, or in WABI or WINE or
VMWare, and opening the file (though most Word docs can be handled in
Linux-native WordPerfect which should not be vulnerable to a Word macro
virus, for instance).

Once you have done that, your Windows installation may be messed up
(though the Linux part of your installation should survive). In any case,
if you subsequently forward the attachment to a colleague you will be
sending the virus on, whether your Linux system is immune to it or not.

These add up to arguments for virus-checking incoming mail, even on
a UNIX/Linux system.

Clearly, plain-text and similar emails don't need checking, and usually
attachments are not opened automatically either, so there should be
no need to virus-check every mail (which, if it's done on delivery,
really slows things down).

I simply take the precaution of running a virus check only on a mail
containing a possibly suspicious attachment and leaving the rest alone
(having been caught once by a macro virus in a Word/Win-3.1 document
which caused my WABI/Win-3.1 Word to send it on whenever I subsequently
used this Word).

The program I use is VirusScan ('uvscan') from Network Associates:
see in the first place http://www.nai.com and, in particular,


along with the McAfee virus database (though you can use others). It
seems to work quite well. You can configure it to be run "standalone"
rather than as a filter for incoming mail: then, if you see a mail
attachment that you think might need a check, you just feed that
attachment to the virus checker (my MUA, XFMail, has a flexible MIME menu
which allows you to "View As" any attachment; and you can set one of the
"As" options to be a pipe to the checker).

Phil Brutsche in this thread said that "there is one very
important difference between Linux and Windows in this regard: unlike
Windows email programs, Linux email programs *do not* execute programs
received as attachments automatically - you need to 1) save the program to
disk and 2) manually execute it before any damage can be done."

This is not quite true, either in principle or in fact.

First, nothing stops someone from developing an email program (MUA)
which _could_ automatically (without user selection) open an attachment
it thought it knew how to handle (though I don't know of one; but
a naive user could set this up in the rules for filtering incoming mail,
I dare say).

Secondly, when you receive an email consisting (in effect) solely of
an attachment with no other significant information, all you can usefully
do is open the attachment. In many MUAs this is simply a matter of
clicking on the "attachment bar" and the rest is then automatic;
the scope for user discrimination is almost nil (with the exception
of running a virus check on it).

Now, although I wouldn't recommend it to anyone, in XFMail at least
you could have one of your MIME entries of the form

  type/subtype      extn   command
  application/prog   exe   exec

which would have the effect of executing the attachment as a program.

I hope this helps. Olaf's situation is not as straightforward as he
might wish!


E-Mail: (Ted Harding) <Ted.Harding@nessie.mcc.ac.uk>
Fax-to-email: +44 (0)870 284 7749
Date: 18-Jul-00                                       Time: 10:55:45
------------------------------ XFMail ------------------------------
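
The selective check described in this message (scan only mail carrying a possibly suspicious attachment, leave plain text alone), as an added example that is not part of the original post. The extension list, function names and sample message are assumptions constructed for illustration; the selected parts would then be passed to whichever scanner is in use.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: a local choice of extensions worth a scan; adjust to taste.
RISKY_EXTENSIONS = {".doc", ".dot", ".xls", ".exe", ".com", ".bat", ".htm", ".html"}

def needs_scan(ctype, filename):
    """Plain text is left alone unless its file name says otherwise."""
    ext = os.path.splitext(filename)[1].lower()
    return (ctype.startswith("application/") or ctype == "text/html"
            or ext in RISKY_EXTENSIONS)

def parts_to_scan(raw):
    """Return [(filename, content_type, decoded_bytes)] for parts to check."""
    msg = message_from_bytes(raw, policy=policy.default)
    selected = []
    for part in msg.walk():
        if part.is_multipart():          # containers carry no payload of their own
            continue
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        if needs_scan(ctype, filename):
            # decode=True undoes base64/quoted-printable so the scanner sees
            # the same bytes a viewer would open.
            selected.append((filename or "(unnamed)", ctype,
                             part.get_payload(decode=True)))
    return selected

def constructed_sample():
    """Constructed test message: body, Word file, text note, mislabelled file."""
    msg = EmailMessage()
    msg["Subject"] = "minutes"
    msg.set_content("Minutes attached.\n")
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed bytes", maintype="application",
                       subtype="msword", filename="minutes.doc")
    msg.add_attachment("just a note\n", filename="notes.txt")
    # Declared as text/plain, but the name shows what a viewer may hand it to.
    msg.add_attachment("constructed content\n", filename="invoice.xls")
    return bytes(msg)

if __name__ == "__main__":
    for name, ctype, data in parts_to_scan(constructed_sample()):
        print(f"scan: {name} ({ctype}, {len(data)} bytes)")
```

The declared Content-Type is chosen by the sender, so the file name is checked as well: the part labelled text/plain but named invoice.xls is still selected.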
