Java Mailing List Archive


[gentoo-user] Re: Best anti-virus

7v5w7go9ub0o

2008-05-10

forgottenwizard wrote:
> On 20:13 Fri 09 May, 7v5w7go9ub0o wrote:
>> I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
>> Dazuko!
>>
>> 1. The Antivir database and heuristics contain dozens of Linux-specific
>> rootkits and Trojans. These in addition to Windows sigs. FWICT, the only
>> freeware anti-malware that takes Linux seriously (Kaspersky payware does).
>>
>> 2. Dazuko, an LKM developed by AntiVir/Avira, provides real-time,
>> on-access (read/write) scanning within directories you specify in
>> configuration. I scan mail (in a chroot jail), browser and downloads
>> (within a chroot jail, within RamDisk), Portage and portage work areas, and
>> /home.
>>
>> Given that emerges are done with root privilege, this scanning for
>> signatures may keep your box from being borked, should someone hack a
>> distribution site, or poison the DNS system, or etc.
>>
>> 3. Recent testing by Windows testers indicates that Antivir is now one of
>> the better Windows AVs, and that their heuristics are quite effective. I'd
>> guess the same to be true for 'ix.
>>
>> 4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left
>> unrepaired because I think it's so great:
>>
>> "ANTIVIR 2008-05-05_05:49:12.39449 Mon May 5 01:49:12 2008 WARNING: file
>> '/etc/openvpn/trustconnect/pwd' is group or others accessible"
>>
>> 5. Its heuristics have notified me of XSS script attacks (at test sites)
>> after scanning scripts loaded into the browser cache, with "suspicious
>> script" warnings - and blocking that script from use by the browser. The
>> only other tool of similar function that I know of is "NoScript", an
>> extension for use in Firefox.
>>
>> 6. I run WAN/LAN-connected applications in chroot jails (Grsecurity
>> Hardened). Anything downloaded into a browser jail, lftp or TBird jail is
>> moved to a "download" area via a script that invokes a deep scan by Antivir
>> after it gets there. Dazuko invokes a second scan, as it also monitors
>> that area.
>>
>> 7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
>> anti-malware tools, or customized to respond to user-created tests (e.g. a
>> changed file).
>>
>> 8. Linux and Unix old-timers will scoff at real-time malware scanning - but
>> I'm convinced that in today's world, real-time scanning is one important
>> thing (perhaps the only thing) that we can learn from Windows.
>>
>> HTH
>>
>
> I think a lot of old-timers also realize that, unless you specifically
> allow something to run, then it can't hurt you.

Agreed! Keep the power off; allow nothing to run; a safe state.

>
> Chances are, unless you are allowing XSS and are surfing sites you can't
> trust, you're close to bullet-proof, with the exception of program
> exploits that you really can't do anything about.

Well, nowadays you can take significant steps against "those" exploits
as well - memory protection and RBAC are two obvious ones. Hardened
kernels and hardened chroot jails also effectively confine many of
"those" exploits.

Real-time Linux anti-Trojan signature scanning overhead is simply cheap
(almost free) insurance IMHO, and may be most important when compiling
and installing new or updated source code. Or installing a new plugin to
your browser; or opening a media file.

But I sure acknowledge the majority opinion - almost ALL Linux users,
and many Windows users as well, choose not to run real-time
anti-malware scanners.

--
gentoo-user@(protected)
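The "Linux screwups" check in point 4 of the quoted post (a warning that a credential file such as /etc/openvpn/.../pwd is group- or other-accessible) is a permission audit that can be reproduced without any scanner. The script below is an added example written for this archive page, not code from the poster, Avira, or Dazuko: it walks a directory tree and reports every regular file whose mode has any group or other bit set, in a warning format modelled on the one quoted above. The demo() function builds a constructed temporary tree (the openvpn/profile/pwd path and the 0644/0600 modes are assumptions for the example) so it runs offline.

```python
"""Audit a directory tree for files that are group- or other-accessible.

Added example (not from the mailing-list post): reproduces the kind of
"group or others accessible" warning the poster quotes from Antivir, using
only the standard library.
"""
import os
import stat
import tempfile

# Any read/write/execute bit for group or other.
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO


def world_or_group_accessible(mode: int) -> bool:
    """Return True if the mode grants group or others any access."""
    return bool(mode & LOOSE_BITS)


def audit_tree(root: str) -> list:
    """Return sorted root-relative paths of regular files with loose modes.

    Symlinks are lstat'ed and skipped (only regular files are reported), so a
    link pointing outside the tree cannot trigger a finding on its own.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks
            if stat.S_ISREG(st.st_mode) and world_or_group_accessible(st.st_mode):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


def format_warning(path: str) -> str:
    """Format a finding in the style of the warning quoted in the post."""
    return "WARNING: file '%s' is group or others accessible" % path


def demo() -> list:
    """Build a constructed tree and audit it; returns the loose-mode files.

    Layout (assumed for the example): openvpn/profile/pwd with mode 0644
    (the mistake) and openvpn/profile/client.key with mode 0600 (correct).
    chmod is explicit so the result does not depend on the caller's umask.
    """
    with tempfile.TemporaryDirectory() as tmp:
        profile = os.path.join(tmp, "openvpn", "profile")
        os.makedirs(profile)
        loose = os.path.join(profile, "pwd")
        tight = os.path.join(profile, "client.key")
        for p in (loose, tight):
            with open(p, "w") as fh:
                fh.write("constructed secret\n")
        os.chmod(loose, 0o644)   # readable by group and others: should be flagged
        os.chmod(tight, 0o600)   # owner only: should pass
        findings = audit_tree(tmp)
        for f in findings:
            print(format_warning(f))
        return findings


if __name__ == "__main__":
    demo()
```

Run it against a real tree with audit_tree("/etc/openvpn") as root; anything it lists that holds a password or private key should be chmod 600 (or 640 with a dedicated group) before the on-access scanner has to tell you.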

©2008 redhatconfig.com - Jax Systems, LLC, U.S.A.