forgottenwizard wrote:
On 20:13 Fri 09 May, 7v5w7go9ub0o wrote:
I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
Dazuko!
1. The Antivir database and heuristics contain dozens of Linux-specific
rootkits and Trojans, in addition to the Windows sigs. FWICT, it is the only
freeware AntiMalware that takes Linux seriously (Kaspersky payware does).
2. With Dazuko - an LKM developed by AntiVir/Avira that provides
real-time, on-access (read/write) scanning within directories you specify
in configuration - I scan mail (in a chroot jail), browser and downloads
(within a chroot jail, within a RamDisk), Portage and portage work areas, and
/home.
Given that emerges are done with root privilege, this scanning for
signatures may keep your box from being borked should someone hack a
distribution site, poison the DNS system, etc.
3. Recent testing by Windows testers indicates that Antivir is now one of
the better Windows AVs, and that its heuristics are quite effective. I'd
guess the same to be true for 'ix.
4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left
unrepaired because I think it's so great:
"ANTIVIR 2008-05-05_05:49:12.39449 Mon May 5 01:49:12 2008 WARNING: file
'/etc/openvpn/trustconnect/pwd' is group or others accessible"
5. Its heuristics have notified me of XSS script attacks (at test sites)
after scanning scripts loaded into the browser cache, with "suspicious
script" warnings - and blocked that script from use by the browser. The
only other tool of similar function that I know of is "NoScript", an
extension for Firefox.
6. I run WAN/LAN-connected applications in chroot jails (Grsecurity
Hardened). Anything downloaded into a browser jail, lftp or TBird jail is
moved to a "download" area via a script that invokes a deep scan by Antivir
after it gets there. Dazuko invokes a second scan, as it also monitors
that area.
7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
AntiMalwares, or customized to respond to user-created tests (e.g. changed
file).
8. Linux and Unix old-timers will scoff at real-time malware scanning - but
I'm convinced that in today's world, real-time scanning is one important
thing (perhaps the only thing) that we can learn from Windows.
HTH
I think a lot of old-timers also realize that, unless you specifically
allow something to run, it can't hurt you.
Agreed! Keep the power off; allow nothing to run; a safe state.
Chances are, unless you are allowing XSS and are surfing sites you can't
trust, you're close to bullet-proof, with the exception of program
exploits that you really can't do anything about.
Well, nowadays you can take significant steps against "those" exploits
as well - memory protection and RBAC are two obvious ones. Hardened
kernels and hardened chroot jails also effectively confine many of
"those" exploits.
Real-time Linux anti-Trojan signature scanning overhead is simply cheap
(almost free) insurance IMHO, and may be most important when compiling
and installing new or updated source code, or installing a new plugin to
your browser, or opening a media file.
But I sure acknowledge the majority opinion - almost ALL Linux users,
and many Windows users as well, choose not to run real-time
AntiMalware scanners.
--
gentoo-user@lists.gentoo.org mailing list
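The "file is group or others accessible" warning quoted in point 4 above is a plain permission audit, and it is easy to reproduce without an AV product. The script below is an added example, not code from the thread, from Avira, or from Dazuko: it walks a directory tree, reports every regular file whose group or other permission bits are set (the same condition the AV warned about), and can clear those bits. The sample tree it builds (`trustconnect/pwd`, `client.key`, `shared.conf`) is constructed for the demo; the `/etc/openvpn` path from the original warning is only echoed in a comment.

```python
import os
import stat
import tempfile

# Bits that grant the file's group, or everyone else, any access at all.
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def exposed_files(root):
    """Walk `root` and return a sorted list of (relative_path, mode_string)
    for every regular file whose group or other permission bits are set.
    Symlinks are not followed and not reported, so a link pointing outside
    the tree cannot drag unrelated files into the audit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: nothing to report
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, FIFOs
            if st.st_mode & GROUP_OR_OTHER:
                findings.append((os.path.relpath(path, root),
                                 stat.filemode(st.st_mode)))
    return sorted(findings)


def warnings(root):
    """Render findings in the style of the AV log line quoted in the thread."""
    return ["WARNING: file '%s' is group or others accessible (%s)"
            % (os.path.join(root, rel), mode)
            for rel, mode in exposed_files(root)]


def tighten(root):
    """Clear the group/other bits on every exposed file under `root`
    (the fix for a credential directory such as /etc/openvpn/...).
    Returns the number of files changed."""
    changed = 0
    for rel, _mode in exposed_files(root):
        path = os.path.join(root, rel)
        current = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, current & ~GROUP_OR_OTHER)
        changed += 1
    return changed


def make_sample_tree():
    """Build a constructed directory of fake credential files for the demo.
    Contents are dummies; only the permission bits matter."""
    root = tempfile.mkdtemp(prefix="permaudit-")
    os.makedirs(os.path.join(root, "trustconnect"))
    samples = {
        "trustconnect/pwd": 0o644,  # world-readable password file: should be flagged
        "client.key": 0o600,        # owner-only: fine
        "shared.conf": 0o640,       # group-readable: flagged too
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("dummy\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not interfere
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for line in warnings(root):
        print(line)
    print("tightened %d file(s)" % tighten(root))
    print("remaining:", exposed_files(root))
```

Run it as the user who owns the files (or as root for a system directory); `tighten()` only removes bits and never adds any, so it is safe to re-run, but check the report first, since some files under a config tree (a CA certificate, for instance) are meant to be world-readable.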