Re: Debian virus/spy-ware detection and detection technique.
On Wed, 21 Jul 2010 01:28:00 +0700, Sthu Deus wrote:
> Thank You for Your time and answer, Camaleón:
>> What are you afraid of? I mean, what is your main concern?
> Spying, programs modifications. I have seen already unexplainable weird
> things - one text file was in size - zero - that never has been so for a
> long time, another, .ods - was partially damaged...
Those "weird things" could have been caused by many other sources or
"simple things", i.e., an unexpected shutdown can delete your current
(being used/edited/modified) files or corrupt others.
Filesystems are not 100% prepared to handle such scenarios (full power
downs or just small voltage spikes), so if you don't have a UPS, "weird
things" can indeed happen.
>> ClamAV can scan local files but is not very accurate with rootkits/
>> malware, just plain common viruses.
> So, what should I do for the distro install cds - regarding both -
> spyware and viruses?
You can do -mainly- two things:
1/ Analyze it with standard tools (AV/anti-rootkits). Remember that you
can always mount the ISO image as a loop device to get the full image
structure (directories and files).
2/ Verify the ISO integrity (md5sum).
> If we speak about checksumming - sometimes it fails
It can fail not just because it has been manipulated but also due to a
download error. It's not uncommon to get a corrupted image when you are
downloading 650 MiB or 4,5 GiB file.
> though I believe the
> problem lies in not accurate or whatever downloading, the images being -
> I believe - unmodified... - Redownloading is hard because of bandwidth.
Yes, but *it is required* that you do it that way. A corrupted ISO image
can be the cause of later nightmare problems (installation errors,
rebooting, bad hardware detection...).
>> Then you may be interested in anti-rootkits, like "chkrootkit" or
>> "rootkit hunter" solutions.
> I guess it does not fit distro cd scanning right?
You can scan whatever file or directory you have in your system.
>> > Do You know such a skillful AV engine available for Debian?
>> Mmm, not by first hand, I was just told that they did. But take a look
> In apt-cache search ... ?
No, on each manufacturer's sites ;-)
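The two steps the reply recommends (check the ISO against the distributed checksum list, then loop-mount the image read-only and scan the directory tree rather than the single file) as a POSIX shell script. This is an added example, not code from the thread or from Debian; it assumes a checksum file in `md5sum` output format (the layout of Debian's MD5SUMS files) and that `clamscan` is installed. The mount step needs root.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against its checksum list, then
# loop-mount it read-only and scan the mounted tree. Not code from the thread.

# verify_iso ISO CHECKSUMFILE
# CHECKSUMFILE holds "hash  filename" lines as written by md5sum (a leading
# "*" before the filename, used for binary mode, is tolerated). A SHA256SUMS
# file has the same layout; swap sha256sum for md5sum to use one.
# Returns 0 on match, 1 on mismatch, 2 if the file has no entry for the ISO.
verify_iso() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    expected=$(awk -v f="$name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 2
    fi
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name: re-download it" >&2
        return 1
    fi
    return 0
}

# scan_iso ISO MOUNTPOINT
# Mounts the image as a read-only loop device (needs root) and runs clamscan
# recursively, so the scanner sees the individual files, not one opaque blob.
scan_iso() {
    iso="$1"
    mnt="$2"
    mkdir -p "$mnt"
    mount -o loop,ro "$iso" "$mnt" || return 1
    clamscan -r --infected "$mnt"
    rc=$?
    umount "$mnt"
    return $rc
}

# Usage: ./verify_and_scan_iso.sh debian.iso MD5SUMS /mnt/iso
# The scan only runs if the checksum check passed.
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" || exit $?
    scan_iso "$1" "$3"
fi
```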