
Re: virus killers?



On  0, "Jamin W. Collins" <jcollins@asgardsrealm.net> wrote:
> On Fri, Oct 11, 2002 at 10:22:08PM -0700, Vineet Kumar wrote:
> 
> > Had my message consisted solely of "Nope." that would have been bad
> > advice.  But, in fairness, I did mention that there are other steps to
> > take in order to secure a debian machine, but that a virus scanner isn't
> > necessarily one of them. 
> 
> The dismissal of a virus scanner as one of the steps to secure a system
> (Linux based or otherwise) is the bad advice.  It's somewhat similar to
> thinking that just because you might happen to live in a
> neighborhood/city with little to no crime that there is no need to lock
> your house when you leave.  While this may be true the majority of the
> time, it's silly not to take the extra precaution.

But your analogy is false.  More than that, way off.  The dismissal of
a virus scanner on Linux is a bit like saying I live on the moon so I
don't need fire insurance.  *IF* the only reason that there are not
yet viruses for Linux is that nobody has been bothered to write them
yet *THEN* you are correct.  But there are several viruses that have
been written for linux (you post a link to one yourself) and yet they
don't propagate.  Isn't that strange?  Why could it be?  Could
it... no, surely not... because... the security model in *nix is
effective against viruses?

I have not done the numbers, but a cost/benefit analysis would surely
show that, if everyone installed virus checkers on their *nix boxen,
the aggregate time taken scanning for viruses must be thousands of
times the aggregate time taken cleaning up after viruses if nobody
did.  I have no numbers to back this up, just anecdotal evidence.  I
have seen how long a virus scan takes on a Windoze box.  I know
no-one, have met no-one, have read writings by no-one and have heard
of no-one who has had a virus infection on a linux system except the
guy in the reference you posted, who had to _write the virus himself_
to achieve it.

> > All right, so what would you recommend?  I can't think of a good scanner
> > that will protect a debian system from viruses.  That's not to say that
> > things like iptables/snort/tripwire aren't important, but I don't think
> > that any of them properly fits into the "virus scanner" category.
> 
> That would all depend on the desired end result.  Are we talking about
> scanning routed IP level traffic, e-mails, or local system files?  These
> are all very different items.  Let's take them one at a time.

I think the request was for a *tool* to scan for viruses, not
requirements for your ideal one.  Since you insist that it is
necessary to have one, presumably you have taken this fundamental step
of security.  So which do you use?

> IP traffic:
> I've seen very little (even in the MS sector) that is capable of
> adequately scanning IP traffic routed through the system.  So, I doubt
> there is much available in the Linux (or other Unix variant) area.

Oh get real.  Scan all IP traffic?  No-one has the processing power to
scan all their IP traffic.  Suppose I have a database of 2000 virus
signatures, and I have a two gigabit connection (and I do).  Say every
datagram is 1.5kbit.  So that's about seven hundred thousand packets a
second, or 1.3 billion pattern matches a second.  Suppose each pattern
match requires 1000 CPU instructions (an incredibly conservative
estimate, I'm sure) and you have 1.3e+12 instructions per second.  I
don't think it is necessary to go any further into this, it is clearly
ludicrous.

But even if I did it, what good has it done me?  I know that there is
a virus on a machine somewhere on my network, and I know the IP
address of that machine.  I clearly can't sanitise the packets as they
go (the latency would be a killer, even if the latency of checking the
packets wasn't).  So do I just drop the traffic, or what?  Of course,
if I did that then the originating host would probably retry the
transmission, which is just going to increase the traffic and compound
the problem.

> e-mail:
> A quick scan of the Debian package archive shows the following:
>    messagewall
>    sanitizer
>    amavis-exim
>    amavis-milter
>    amavis-postfix
>    blackhole-exim
>    mailscanner
>    blackhole-qmail

Email scanners on mail servers are certainly worthwhile, if only for
the protection of users who don't know better than to run executable
attachments or enable javascript in their mail clients.

> local system files:
> Another quick scan of the Debian package list shows:
>    scannerdaemon
>    f-prot-installer
>    clamav

See my above comments on cost/benefit.  This idea is clearly preposterous.

> So, it would appear that there are a number of options.  Again, it
> really depends on what the desired end result is.  However, my point is
> that just because a platform doesn't currently have a large list of
> viruses targeted at it (such as in the MS sector), doesn't mean that
> the end users shouldn't be prepared with a virus scanner and frequently
> updated virus definitions. 

Well, probably it does mean that.  It also means that they should
never run untrusted code as root, and it means that they should avoid
the root account as often as possible.

> Before it's posted as a rebuttal, I'll post it here myself.  I am fully
> aware of, and have read opinions expressed on the following link
> indicating that a virus scanner is not needed.  I don't agree with all
> of the points the author makes.  I'm not saying that a scanner is a
> mandatory item, but it is something that _should_ be considered rather
> than simply dismissed.
> 
>    http://linuxmafia.com/~rick/faq/#virus

I can't read that page (it appears to be suffering something similar
to slashdotting - can the debian-user list have that many readers?)
but I imagine it says similar things to what I said above.  I say them
anyway on the offchance it is different, and to pass the time of day.

> For those that believe that Linux (or other Unix variants) are
> completely immune to virus infection, the following link may be of
> interest:
> 
>    http://www.lwfug.org/~abartoli/virus-writing-HOWTO/_html/

This proves nothing of the sort.  That a virus can be written for ELF
binaries is a long way from proving that a virus can replicate
sustainably on *nix platforms.

-- 
Tom Cook
Information Technology Services, The University of Adelaide

"Beware of computer programmers that carry screwdrivers."
	- Leonard Brandwein

Get my GPG public key: https://pinky.its.adelaide.edu.au/~tkcook/tom.cook-at-adelaide.edu.au

Attachment: pgp0lXIApxvV5.pgp
Description: PGP signature
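Added example, not part of the thread or of any scanner named in it: a small model of the "scan every packet" estimate above. It reproduces the poster's arithmetic (packets per second times signatures times instructions per match) as a function parameterised by link rate, and then contrasts the per-signature matching that estimate assumes with a single-pass multi-pattern automaton (Aho-Corasick), whose work per byte does not grow with the number of signatures. The signature list, the packet payload and the per-match instruction cost are all constructed for illustration, not measurements of any real scanner.

```python
"""Added example (not from the thread): modelling inline signature scanning.

Two things the back-of-envelope estimate leaves implicit:
  1. the budget formula itself, parameterised by link rate so the same
     arithmetic can be re-run for any link;
  2. the estimate charges one pattern match per signature per packet.
     A multi-pattern automaton (Aho-Corasick) walks each byte once, so
     its per-byte work does not grow with the signature count.
All figures, signatures and the payload below are constructed for
illustration; nothing here measures a real scanner.
"""
from collections import deque


def naive_scan_budget(link_bps, packet_bits, n_signatures, instr_per_match):
    """Poster-style estimate: packets/s, pattern matches/s, instructions/s."""
    packets_per_s = link_bps / packet_bits
    matches_per_s = packets_per_s * n_signatures
    instr_per_s = matches_per_s * instr_per_match
    return packets_per_s, matches_per_s, instr_per_s


def naive_scan(data, patterns):
    """One window comparison per (pattern, offset): cost ~ len(data) * len(patterns)."""
    hits, steps = [], 0
    for p in patterns:
        for i in range(len(data) - len(p) + 1):
            steps += 1
            if data[i:i + len(p)] == p:
                hits.append((i, p))
    return hits, steps


class AhoCorasick:
    """Minimal Aho-Corasick automaton over byte strings."""

    def __init__(self, patterns):
        self.goto = [{}]      # state -> {byte: next_state}
        self.fail = [0]       # state -> state for its longest proper suffix
        self.out = [set()]    # state -> patterns that end in this state
        for p in patterns:
            s = 0
            for b in p:
                if b not in self.goto[s]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append(set())
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].add(p)
        # Breadth-first pass: compute failure links and merge suffix outputs.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def scan(self, data):
        """Single pass; 'steps' counts transitions taken (at most 2 * len(data))."""
        hits, steps, s = [], 0, 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
                steps += 1
            s = self.goto[s].get(b, 0)
            steps += 1
            for p in self.out[s]:
                hits.append((i - len(p) + 1, p))
        return hits, steps


# Constructed signature set: three readable entries plus filler so that the
# signature count matters, as it would with a real scanner's database.
SIGNATURES = [b"/bin/sh", b"\x7fELF", b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"] + [
    b"sig%04d" % i for i in range(200)
]

# Constructed packet payload: HTTP-ish header, opaque bytes, three planted hits.
PAYLOAD = (b"GET /cgi-bin/test HTTP/1.0\r\n" + bytes(range(256)) * 4
           + b"\x7fELF\x01\x01\x01" + b"sig0042" + b"; /bin/sh -c id")


def compare(data=PAYLOAD, patterns=SIGNATURES):
    """Run both strategies on the same input; report matches and work done."""
    naive_hits, naive_steps = naive_scan(data, patterns)
    ac_hits, ac_steps = AhoCorasick(patterns).scan(data)
    assert set(naive_hits) == set(ac_hits)   # same matches, very different cost
    return {"hits": sorted(ac_hits), "naive_steps": naive_steps, "ac_steps": ac_steps}


if __name__ == "__main__":
    pps, mps, ips = naive_scan_budget(1e9, 1500, 2000, 1000)
    print(f"1 Gbit/s, 1500-bit packets: {pps:.0f} pkt/s, {mps:.2e} matches/s, {ips:.2e} instr/s")
    print(compare())
```

The per-signature estimate is the worst case for a scanner written naively; an automaton brings the matching work down to a few transitions per byte regardless of database size, which is why real network scanners are feasible at all. It does nothing for the other objection raised above, that an inline scanner still has to decide what to do with a flagged packet, and reassembling and holding traffic to decide that is where the latency goes.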

