On 20 January 2013 11:48, Rob Malpass <li...@getiton.myzen.co.uk> wrote > …and while I’m on the subject – what do folks use on Linux machines for this > kind of thing? >
Linux can be approached quite differently from Windows with regards to viruses. If I wish to check if something virus like is on a Linux box, I can boot from a USB stick, and proceed to run a checksum on the kernel, modules, and all binary files, to check that they have the same checksum as the package that installed them. This is the way I would check for viruses on Linux. For Virutal machine it is also quite easy, you take a snapshot of the VM file system and then check the snapshot on another machine. Saves having to reboot the machine you wish to scan. You cannot do this in Windows as the base pre-calculated checksums do not exist. Windows also uses a "patch" mechanism when doing upgrades, so it is very difficult to build up a list of all possible versions of a pariticular binary file and have their pre-caculated checksums. Searching for changes to the system from what it is supposed to be is the only sure fire way of detecting zero day viruses. You can also repair the system more easily be simply replacing the virus infected binary files with known good ones. The Windows virus scanner approach is really just a technically floored approach. In my view, a virus scanner is only really useful for identifying which virus has infected a binary file that fails its checksum. Another possible use for a virus scanner is for it to only scan for viruses based on your currently installed security patches. I.e. Only scan for virus that can actually infect your currently configured system. This would make existing virus scanners much quicker. This would cover the gap between virus detection, and vendor security patch arriving. The best virus protection is: 1) Ensure the latest security patches are installed. If a virus scanner can detect a virus, the software supplier should also have a security patch to fix the hole. 2) Use a good method to detect "unexpected changes" to files. 3) Make sure tools like apparmor are enabled, "enforcing", for every application you run, and not just in "ignore" mode. This reduces the zero day virus attach surface. The best virus management is: 1) Assume you have caught a zero day virus. 2) Make sure you have proceedures in place for detecting it, and removing it from your systems. E.g. Automatic isolation of infected machines so they cannot infect other machines. 3) Have the zero day virus analysed and make sure you have the needed security in place to prevent that particular virus from infecting your systems again. 4) From the list of all known viruses, make sure you have protection from all of them. The problem here is no single vendor of virus scanning/protection software has the full list. -- Please post to: Hampshire@mailman.lug.org.uk Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire LUG URL: http://www.hantslug.org.uk --------------------------------------------------------------
