Mick wrote:
> On 28/03/2008, 7v5w7go9ub0o <7v5w7go9ub0o@(protected):
>>
>> Anti-Virus on Linux. No.
>> (presuming that you don't run as root, and have lots of unprivileged
>> users for individual applications.)
>>
>> Anti-Malware on Linux. Yes.
>> (Malware gets to the box via spoofed or hacked software distribution or
>> creation sites; bad links or poisoned DNS caches; or via (e.g.) browser
>> memory attacks - at plugins or exploits)
>>
>> The oldtimers will tell you that safe hex and perhaps integrity
>> monitoring (e.g. Samhain or tripwire) are all that's needed. But desktop
>> Linux with Browsing, IM, etc. is changing that, IMHO.
>>
>> The three packages above have Linux Trojan and Rootkit signatures, as
>> well as Windows malware sigs. Easy enough to run an occasional scan of
>> the Linux box (or Windows partition); and to scan each Linux download
>> before reading, compiling, or passing on.
>>
>> (Dazuko additionally allows realtime scans of compilation read/writes).
>>
>> IMHO, Linux and Mac are the next frontier for malware, and -SADLY-
>> AntiMalware signature and heuristic techniques are one thing we can
>> learn about from Windows :-(
>
> http://news.yahoo.com/s/pcworld/20080327/tc_pcworld/143901
>
> What worries me is the reference to Safari . . . (khtml rendering engine?)
>
> What is an appropriate anti-malware for Linux, other than safe-hex?
As a "monitor" (a.k.a. real-time access), I've had good experience with
AntiVir and Dazuko. AntiVir has lots of Linux signatures and heuristics,
and Dazuko/Antivir has both caught bugs in downloads, and blocked
"suspicious scripts" in my browser cache when visiting bad sites.
As a "scanner", I tend to scan my box from a second "maintenance OS" on
another partition hoping to avoid stealthing by any RootKits on the
primary partition. Scanning includes Samhain, equery md5 checks, the
three Anti-Malware products mentioned earlier, Rootkithunter, and
Checkrootkit. I'll run this occasionally overnight.
Interesting that this year's exploit was a "safe" browser, Safari, on a
"safe" 'nix/BSD OS.... Mac. And last year's exploit winner, QuickTime,
can also appear on multiple OSes. Both of these were likely online
attacks; via streaming in the case of QuickTime.
Seems to me that WAN-connected applications should be sequestered from
the rest of the system in the same way that a server sequesters
WAN-connected processes - i.e. put them each in their own chroot jail.
In addition to individual chroot jails, I run my mail client and browser
in RamDisk - so that any changes to them (other than bookmarks and mail)
are discarded at shutdown.
Using Hardened Sources (GRSecurity) with both memory protection and
access control, one gets a particularly resilient, hardened chroot jail
(i.e. OpenBSD theory :-) ) and a kernel that restricts where the browser
user/application can go, and what it can do.
hth
--
gentoo-user@(protected)
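The per-application chroot jail plus RamDisk arrangement described in the reply above, as an added example that is not the poster's own script: it mounts a tmpfs home inside a prepared chroot, bind-mounts one on-disk directory for bookmarks, launches the browser there as an unprivileged user, and discards everything else at teardown (the grsecurity side is left to the kernel config). The jail path, user name, persist directory, browser binary and X socket handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): run a WAN-facing application,
# here a browser, in its own chroot jail with a tmpfs home, so that everything
# except one explicitly persisted directory is discarded at teardown.
# Assumptions: $JAIL is a prepared chroot tree holding the browser and its libs,
# $JAILUSER exists on the host and in the jail, and bookmarks live under ~/persist.
JAIL=${JAIL:-/srv/jail/browser}
JAILUSER=${JAILUSER:-browser}
PERSIST=${PERSIST:-/var/lib/jail-persist/browser}
APP=${APP:-/usr/bin/firefox}
HOMEDIR=$JAIL/home/$JAILUSER

# plan_jail prints the privileged commands, one per line, in the order
# run_jail executes them; printing the plan needs no privileges.
plan_jail() {
cat <<EOF
mkdir -p "$HOMEDIR" "$PERSIST" "$JAIL/proc" "$JAIL/tmp/.X11-unix"
mount -t tmpfs -o nosuid,nodev,mode=0700 tmpfs "$HOMEDIR"
chown "$JAILUSER": "$HOMEDIR"
mkdir -p "$HOMEDIR/persist"
mount --bind "$PERSIST" "$HOMEDIR/persist"
mount -t proc proc "$JAIL/proc"
mount --bind /tmp/.X11-unix "$JAIL/tmp/.X11-unix"
chroot --userspec="$JAILUSER:$JAILUSER" "$JAIL" env -i PATH=/usr/bin:/bin HOME=/home/$JAILUSER DISPLAY="${DISPLAY:-:0}" "$APP"
EOF
}

# run_jail executes the plan line by line, stopping at the first failure.
run_jail() {
    plan_jail | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# teardown_jail unmounts in reverse order; dropping the tmpfs discards the
# session's cache, history and any files a compromised browser wrote.
teardown_jail() {
    for m in "$JAIL/tmp/.X11-unix" "$JAIL/proc" "$HOMEDIR/persist" "$HOMEDIR"; do
        umount "$m"
    done
}

# plan_has reports whether the plan contains a given literal fragment.
plan_has() { plan_jail | grep -qF -- "$1"; }

case "${1:-}" in
    plan) plan_jail ;;        # preview the mount/chroot sequence, no privileges needed
    run)  run_jail ;;         # as root: mount the jail and launch the browser
    down) teardown_jail ;;    # as root: unmount and discard the session
esac
```

Run `sh jail.sh plan` first to review the exact mount and chroot commands before running them as root.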