[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian virus/spy-ware detection and detection technique.

On Wed, 21 Jul 2010 01:28:00 +0700, Sthu Deus wrote:

> Thank You for Your time and answer, Camaleón:
>> What are you afraid of? I mean, what is your main concern?
> Spying, programs modifications. I have seen already unexplainable weird
> things - one text file was in size - zero - that never has been so for a
> long time, another, .ods - was partially damaged...

Those "weird things" could have been caused by many other sources or 
"simple things", i.e., an unexpected shutdown can delete your current 
(being used/edited/modified) files or corrupt others. 

Filesystems are not 100% prepared to handle such scenarios (full power 
downs or just small voltage spkies), so if you don't have a UPS, "weird 
things" can indeed happen.
>> ClamAV can scan local files but is not very accurate with rootkits/
>> malware, just plain common viruses.
> So, what should I do for the distro install cds - regarding both -
> spyware and viruses?

You can do -mainly- two things:

1/ Analyze it with standard tools (AV/anti-rootkits). Remember that you 
can always mount the ISO image as a loop device to get the full image 
structure (directories and files).

2/ Verify the ISO integrity (md5sum).
> If we speak about checksumming - sometimes it fails 

It can fail not just because it has been manipulated but also due to a 
download error. It's not uncommom to get a corrupted image when you are 
downloading 650 MiB or 4,5 GiB file.

> though I believe the
> problem lays in not accurate or whatever downloading, the images being -
> I believe - unmodified... - Redownloading is hard because of bandwith.

Yes, but *it is required* that you do it that way. A corrupted ISO image 
can be the cause of later nightmare problems (installation errors, 
rebooting, bad hardware detection...).
>> Then you maybe interested in anti-rooktiks, like "chkrootkit" or
>> "rootkit hunter" solutions.
> I guess it does not fit distro cd scanning right?

You can scan whatever file or directory you have in your system.
>> > Do You know such a skillful AV engine available for Debian?
>> Mmm, not by first hand, I was just told that they did. But take a look
> In apt-cache search ... ?

No, on each manufacturer's sites ;-)



Reply to: