Re: Clamav broke
I downgraded to clamd 0.99.4-3 and it works, so something broke in 0.100.0-2. Suggestions on how to track down the failure cause, to see if it is a configuration error on my part or a broken package/dependency?

Jeff

On 2018-06-12 13:46, Jeffrey Ross wrote:
> This morning I did a dnf upgrade and clamav was upgraded; since then clamav
> will not stay running. The output from "journalctl -xef |grep clamd" is below. Notice
> clamav finishes starting up, but upon receiving a file to process it simply
> closes.
>
> System is Fedora 28 and clamd --version -c /etc/clamd.d/exim.conf returns:
>
> ClamAV 0.100.0/24656/Tue Jun 12 08:35:50 2018
>
> Jun 12 13:33:39 myhost.com clamd[11931]: BlockMax heuristic detection disabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: Algorithmic detection enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: Portable Executable support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: ELF support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: Mail files support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: OLE2 support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: PDF support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: SWF support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: HTML support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: XMLDOCS support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: HWP3 support enabled.
> Jun 12 13:33:39 myhost.com clamd[11931]: Self checking every 600 seconds.
> Jun 12 13:33:39 myhost.com clamd[11931]: Listening daemon: PID: 11931
> Jun 12 13:33:39 myhost.com clamd[11931]: MaxQueue set to: 100
> Jun 12 13:33:39 myhost.com clamd[11931]: fds_poll_recv: timeout after 600 seconds
> -- Subject: Unit clamd.exim.service has finished start-up
> -- Unit clamd.exim.service has finished starting up.
> Jun 12 13:33:41 myhost.com audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=clamd.exim comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
> Jun 12 13:35:08 myhost.com clamd[11931]: Received POLLIN|POLLHUP on fd 6
> Jun 12 13:35:08 myhost.com clamd[11931]: Got new connection, FD 11
> Jun 12 13:35:08 myhost.com clamd[11931]: Received POLLIN|POLLHUP on fd 7
> Jun 12 13:35:08 myhost.com clamd[11931]: fds_poll_recv: timeout after 5 seconds
> Jun 12 13:35:08 myhost.com clamd[11931]: Received POLLIN|POLLHUP on fd 11
> Jun 12 13:35:08 myhost.com clamd[11931]: got command SCAN /var/spool/exim/scan/1fSnCF-000388-Is/1fSnCF-000388-Is.eml (63, 5), argument: /var/spool/exim/scan/1fSnCF-000388-Is/1fSnCF-000388-Is.eml
> Jun 12 13:35:08 myhost.com clamd[11931]: mode -> MODE_WAITREPLY
> Jun 12 13:35:08 myhost.com clamd[11931]: Breaking command loop, mode is no longer MODE_COMMAND
> Jun 12 13:35:08 myhost.com clamd[11931]: Consumed entire command
> Jun 12 13:35:08 myhost.com clamd[11931]: Number of file descriptors polled: 1 fds
> Jun 12 13:35:08 myhost.com clamd[11931]: fds_poll_recv: timeout after 600 seconds
> Jun 12 13:35:08 myhost.com clamd[11931]: THRMGR: queue (single) crossed low threshold -> signaling
> Jun 12 13:35:08 myhost.com clamd[11931]: THRMGR: queue (bulk) crossed low threshold -> signaling
> Jun 12 13:35:08 myhost.com audit[11931]: ANOM_ABEND auid=4294967295 uid=93 gid=93 ses=4294967295 pid=11931 comm="clamd" exe="/usr/sbin/clamd" sig=6 res=1
> Jun 12 13:35:08 myhost.com systemd[1]: clamd.exim.service: Main process exited, code=killed, status=6/ABRT
> Jun 12 13:35:08 myhost.com systemd[1]: clamd.exim.service: Failed with result 'signal'.
> Jun 12 13:35:08 myhost.com audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=clamd.exim comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
>
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/F7MBLSABO2LTIGKNDXXCLPJUHXXUFP2Q/

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/message/4WKLZWHPMZMS4M5U62SBZITCEBVA4X7D/
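The journal above already contains the two facts needed to start the investigation: an audit ANOM_ABEND record naming the signal (sig=6, SIGABRT, i.e. clamd aborted itself, typically on a failed internal assertion) and, a few lines earlier, the SCAN command the daemon was handling when it died. The script below is an added example, not code from the thread or from the ClamAV project: it reads journal lines (here a constructed excerpt of the lines quoted in the post) and pairs every abnormal termination with the last command logged for that PID, which is the first step in deciding whether a particular input file, rather than the configuration, is what triggers the crash.

```sh
#!/bin/sh
# Added example, not from the original post or from the ClamAV project.
# Pulls abnormal daemon terminations (audit ANOM_ABEND records) out of a
# journal dump and pairs each with the last clamd command logged for that PID,
# so a crash can be tied to the request that triggered it.
#
# Assumed real-world invocation, matching the grep used in the post:
#   journalctl -xe | grep clamd | find_abends
#
# The sample below is a constructed excerpt of the journal lines quoted above.
SAMPLE_JOURNAL='Jun 12 13:33:39 myhost.com clamd[11931]: Listening daemon: PID: 11931
Jun 12 13:35:08 myhost.com clamd[11931]: Got new connection, FD 11
Jun 12 13:35:08 myhost.com clamd[11931]: got command SCAN /var/spool/exim/scan/1fSnCF-000388-Is/1fSnCF-000388-Is.eml (63, 5), argument: /var/spool/exim/scan/1fSnCF-000388-Is/1fSnCF-000388-Is.eml
Jun 12 13:35:08 myhost.com clamd[11931]: mode -> MODE_WAITREPLY
Jun 12 13:35:08 myhost.com audit[11931]: ANOM_ABEND auid=4294967295 uid=93 gid=93 ses=4294967295 pid=11931 comm="clamd" exe="/usr/sbin/clamd" sig=6 res=1
Jun 12 13:35:08 myhost.com systemd[1]: clamd.exim.service: Main process exited, code=killed, status=6/ABRT'

# find_abends: reads journal lines on stdin, prints one report per ANOM_ABEND.
find_abends() {
    awk '
    BEGIN {
        # Signal numbers worth naming in a crash report (Linux x86_64 values).
        signame[6]  = "SIGABRT"   # abort(), as in the post
        signame[7]  = "SIGBUS"
        signame[8]  = "SIGFPE"
        signame[11] = "SIGSEGV"
    }
    # Remember the most recent command each clamd PID started working on.
    # Field 5 is "clamd[11931]:"; strip everything but the PID.
    /got command / {
        pid = $5; sub(/^.*\[/, "", pid); sub(/\].*$/, "", pid)
        cmd = $0; sub(/^.*got command /, "", cmd)
        lastcmd[pid] = cmd
    }
    # The audit record for an abnormal end carries pid=, comm= and sig=.
    /ANOM_ABEND/ {
        pid = ""; sig = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/)  pid  = substr($i, 5)
            if ($i ~ /^sig=/)  sig  = substr($i, 5)
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        name = (sig in signame) ? signame[sig] : "unknown"
        printf "%s pid=%s died with signal %s (%s)\n", comm, pid, sig, name
        if (pid in lastcmd)
            printf "  last command: %s\n", lastcmd[pid]
    }'
}

# Run over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_JOURNAL" | find_abends
```

Once the crash is tied to a specific scanned file, keep that file and reproduce outside the mail path: Fedora's systemd-coredump keeps the dump, so `coredumpctl list clamd` followed by `coredumpctl info` on the matching entry gives the backtrace for the bug report, and running `clamd -c /etc/clamd.d/exim.conf --debug` in the foreground shows which engine module was parsing the message when the abort happened. A crash that reproduces on the same file with the default clamd.conf is a package bug rather than a configuration problem.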
Re: Clamav tell's me rkhunter is a worm!
Hi

On Thu, Apr 10, 2014 at 4:53 AM, Frank Murphy wrote:
> /usr/bin/rkhunter: Osx.Worm.Inqtana-3 FOUND
> /usr/bin/rkhunter: moved to '/var/cache/clam/rkhunter.001'
>
> rkhunter-1.4.2-2.fc20.noarch
> Rkhunter was updated to this during the week,

rkhunter is likely getting confused because anti-virus db's have the same signature stored in them as the viruses/worms themselves. File a bug report against rkhunter, preferably upstream on this.

Rahul
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
Re: Clamav tell's me rkhunter is a worm!
On Thu, 2014-04-10 at 09:53 +0100, Frank Murphy wrote:
> /usr/bin/rkhunter: Osx.Worm.Inqtana-3 FOUND
> /usr/bin/rkhunter: moved to '/var/cache/clam/rkhunter.001'

The ClamAV Inqtana-3 check looks for a couple of phrases (actually parts of filenames) which also occur in rkhunter as part of its Inqtana checks. I would say the ClamAV check is too simple, whereas rkhunter actually tests that the filenames exist.

Example:

    echo w0rms.l0ve.apples w0rm-support | clamdscan -
    stream: Osx.Worm.Inqtana-3 FOUND

(I actually changed the above slightly - it should be 'love' - otherwise this mail message may well be rejected by ClamAV running on mail servers!)

John.

--
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
Re: Clamav tell's me rkhunter is a worm!
On Thu, 10 Apr 2014 22:46:56 +0100 John Horne john.ho...@plymouth.ac.uk wrote:
> On Thu, 2014-04-10 at 09:53 +0100, Frank Murphy wrote:
>> /usr/bin/rkhunter: Osx.Worm.Inqtana-3 FOUND
>> /usr/bin/rkhunter: moved to '/var/cache/clam/rkhunter.001'
>
> The ClamAV Inqtana-3 check looks for a couple of phrases (actually parts of filenames) which also occur in rkhunter as part of its Inqtana checks. I would say the ClamAV check is too simple, whereas rkhunter actually tests that the filenames exist.

So if I exclude rkhunter in clamav it should be ok.

___
Regards
Frank
frankly3d.com
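John's echo test shows why the hit is a false positive (a plain substring match on strings that any Inqtana checker has to contain), and Frank's follow-up asks about excluding rkhunter. The script below is an added example, not from the thread or from the ClamAV project, and illustrates the narrower alternative to a blanket exclusion: it triages a clamscan-style report (a constructed sample here) and waves a hit through only when the exact (path, signature) pair is on an allowlist, so a different signature firing on /usr/bin/rkhunter is still reported; it also prints the coarser clamd.conf ExcludePath line for comparison. The allowlist entry is taken from the report in the thread; the other signature names and the Downloads path are constructed placeholders.

```sh
#!/bin/sh
# Added example, not from the original posts or from the ClamAV project.
# Triages a clamscan/clamdscan report: a hit counts as a known false positive
# only when the (path, signature) pair is on an allowlist, so a different
# signature firing on the same file is still surfaced. Also emits the coarser
# clamd.conf ExcludePath directive for the allowlisted files.

# Allowlist, one "path signature" per line (this entry is the pair reported in the thread).
ALLOWLIST='/usr/bin/rkhunter Osx.Worm.Inqtana-3'

# Constructed sample report in clamscan's "path: Signature FOUND" / "path: OK" format.
# Osx.Worm.Constructed-1, Win.Test.Constructed-2 and the Downloads path are placeholders.
SAMPLE_REPORT='/usr/bin/rkhunter: Osx.Worm.Inqtana-3 FOUND
/usr/bin/ls: OK
/usr/bin/rkhunter: Osx.Worm.Constructed-1 FOUND
/home/user/Downloads/setup.exe: Win.Test.Constructed-2 FOUND
/etc/rkhunter.conf: OK'

# triage_report: reads a report on stdin, prints KNOWN-FP or INVESTIGATE per hit.
triage_report() {
    while IFS= read -r line; do
        case "$line" in
            *" FOUND") ;;        # only detections matter here
            *) continue ;;
        esac
        path=${line%%: *}        # text before the first ": "
        rest=${line#*: }
        sig=${rest% FOUND}       # signature name between ": " and " FOUND"
        if printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$path $sig"; then
            printf 'KNOWN-FP %s %s\n' "$path" "$sig"
        else
            printf 'INVESTIGATE %s %s\n' "$path" "$sig"
        fi
    done
}

# exclude_lines: clamd.conf directives that skip the allowlisted paths entirely
# (every signature, not just the known one). ExcludePath takes a regular
# expression, so the path is anchored; paths containing regex metacharacters
# would need escaping first.
exclude_lines() {
    printf '%s\n' "$ALLOWLIST" | awk '{ print $1 }' | sort -u |
        sed 's|^|ExcludePath ^|; s|$|$|'
}

printf '%s\n' "$SAMPLE_REPORT" | triage_report
exclude_lines
```

Before a pair goes on the allowlist, confirm the flagged binary is the one the package shipped (`rpm -Vf /usr/bin/rkhunter` on Fedora reports any size, digest or mode change), otherwise a real modification of that file would be waved through along with the false positive. The ExcludePath route is simpler to deploy but removes that file from scanning altogether, which is why the pair-based check is preferable on a mail gateway.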
Re: Clamav
On Tue, Apr 20, 2010 at 6:52 PM, Marko Vojinovic vvma...@gmail.com wrote:
> Bugfix (by a non-Albanian): FIRST send this mail to everyone you know, and AFTER THAT delete all the files on the disk.

See. Open source works!
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Re: Clamav
Tim:
> If you read the reviews of anti-virus software, from time to time, you will see that none of them are 100% effective. The last review I read came to the conclusion that the most effective checkers only managed to find about 60% of the viruses, and not all the same viruses. That is a pretty poor rating - just a bit less than half will get through.

jdow:
> The last time I ran through a complete rating of AV tools none of them were as bad as you declare. Please enhance your assertions with facts not fantasy. It makes your assertions stronger.

It's been a while since I last bothered to check up on software that I don't run; however, 60% was the effectiveness rating at that time, and it did draw (internet) headlines. Are you seriously telling me that you hadn't encountered that?

I'm talking about news stories that circulated somewhere around a year ago, if I recall correctly. It was notably surprising because of that low effectiveness rate: even running multiple anti-virus software still left a lot undetected. At the time, it was used to sink the boot into the silly notion that anti-virus software was enough to protect you from bad software.

From time to time, the figure will change, but there can't be any sane argument that they're 100% effective, as it's simply not possible.

I didn't bookmark the info, since I've no desire to go bookmarking every tidbit that I come across, but it's not hard to Google search this sort of thing, and come across quite a lot of less-than-encouraging info:

http://www.anti-malware-test.com/?q=taxonomy/term/17
http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness
http://blogs.cisco.com/security/comments/the_effectiveness_of_antivirus_on_new_malware_samples/
http://www.zdnet.com.au/why-popular-antivirus-apps-do-not-work-139264249.htm

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: Clamav
From: Tim ignored_mail...@yahoo.com.au
Sent: Tuesday, 2010/April/20 06:00

> Tim:
>> If you read the reviews of anti-virus software, from time to time, you will see that none of them are 100% effective. The last review I read came to the conclusion that the most effective checkers only managed to find about 60% of the viruses, and not all the same viruses. That is a pretty poor rating - just a bit less than half will get through.
>
> jdow:
>> The last time I ran through a complete rating of AV tools none of them were as bad as you declare. Please enhance your assertions with facts not fantasy. It makes your assertions stronger.
>
> It's been a while since I last bothered to check up on software that I don't run; however, 60% was the effectiveness rating at that time, and it did draw (internet) headlines. Are you seriously telling me that you hadn't encountered that?
>
> I'm talking about news stories that circulated somewhere around a year ago, if I recall correctly. It was notably surprising because of that low effectiveness rate: even running multiple anti-virus software still left a lot undetected. At the time, it was used to sink the boot into the silly notion that anti-virus software was enough to protect you from bad software.
>
> From time to time, the figure will change, but there can't be any sane argument that they're 100% effective, as it's simply not possible.
>
> I didn't bookmark the info, since I've no desire to go bookmarking every tidbit that I come across, but it's not hard to Google search this sort of thing, and come across quite a lot of less-than-encouraging info:
>
> http://www.anti-malware-test.com/?q=taxonomy/term/17
> http://en.wikipedia.org/wiki/Antivirus_software#Effectiveness
> http://blogs.cisco.com/security/comments/the_effectiveness_of_antivirus_on_new_malware_samples/
> http://www.zdnet.com.au/why-popular-antivirus-apps-do-not-work-139264249.htm

Bum reading of the data. All that shows is that some products that call themselves Anti-Virus are dreadful. Some are very good.

Here is a set of comparisons with a selection of products and a detailed methodology. You can find the tests you want by digging. For a test of responsiveness to malwares on 100 brand new samples, detection was between 60% and 99% depending on the product tested.

http://www.av-comparatives.org/

It's time to stop this. We're wandering off the Linux malware discussion, which I suspect is finished.

{^_^}
Re: Clamav
DEAR RECEIVER,

You have just received an Albanian virus. Since we are not so technologically advanced in Albania, this is a MANUAL virus. Please delete all the files on your hard disk yourself and send this mail to everyone you know.

Thank you very much for collaboration.

Dr. Alban, the Hackerprof.

Calin

Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
=
How do you explain school to a higher intelligence? -- Elliot, E.T.
Re: Clamav
On Wednesday 21 April 2010 00:07:57 kalinix wrote:
> DEAR RECEIVER,
>
> You have just received an Albanian virus. Since we are not so technologically advanced in Albania, this is a MANUAL virus. Please delete all the files on your hard disk yourself and send this mail to everyone you know.
>
> Thank you very much for collaboration.
>
> Dr. Alban, the Hackerprof.

Bugfix (by a non-Albanian): FIRST send this mail to everyone you know, and AFTER THAT delete all the files on the disk. ;-)

Best, :-)
Marko
Re: Clamav
On Sun, 18 Apr 2010 17:46:56 -0400 Steven W. Orr ste...@syslang.net wrote:
> I have this feeling that most people are missing the point of why CLAMAV is a useful tool. If you do it to protect yourself against a virus then that's the wrong reason. We can debate this till we're blue in the face, but AFAICT there is no threat of a virus against anything other than Windows.

There have been some limited Linux viruses but they are perfectly writable. The reasons they don't exist are often put down to three things:

- There are more Windows users
- More of the gullible people use Windows
- More people who don't care run Windows. In many workplaces having the computer down for a day with a virus is effectively rewarded with a day of less work, and more interest...

> I don't know why, but people love to think all computers are susceptible to viruses, but more viruses target windows because there are more of them. There may be a virus out there that could hurt a linux or os/x platform, but I haven't seen one yet. At least not since the Morris Worm of '81?

There have been two or three.

> Windows gets viruses because they are architecturally open to such things. People who run Windows tend to run with full admin privs. Windows has gone out of their way to make programs that run under DOS be compatible with running under Windows 7. And last but not least, people who run Windows are frequently not even aware of the concept of the difference between code and data. It's an attachment. You just *open* it. And *opening* an attachment could be a jpg that is displayed with something trusted or running some nasty binary that could do literally anything.

The number of Linux people who don't realise that this is just as true viewing a PDF or PS file in the wrong way is astounding. PDF and PS have a safe mode, but an alarming number of people set their helper apps up to view them without the safe flag being on, or save them to disk and later view them directly with apps that are not in safe mode.

Windows certainly makes it easier to fool users, but architecturally it's fairly robust nowadays - which is one reason viruses took to email and file sharing to get around this.

Alan
Re: Clamav
On Mon, Apr 19, 2010 at 09:16:02 +0100, Alan Cox a...@lxorguk.ukuu.org.uk wrote:
> The number of Linux people who don't realise that this is just as true viewing a PDF or PS file in the wrong way is astounding. PDF and PS have a safe mode but an alarming number of people set their helper apps up to view them without the safe flag being on or save them to disk and later view them directly with apps that are not in safe mode.

What's more astounding is that SAFER mode still isn't the default for ghostscript.
Re: Clamav
On Sun, 2010-04-18 at 11:20 -0500, Bruno Wolff III wrote:
> Anti virus is still the wrong way to go for this stuff. It doesn't scale well. It sucks a lot of resources. It doesn't match all bad stuff.

Yes, it's always been a bit of a fail... It lags behind in detecting new things, they only ever manage to detect about 60% of the possible viruses, it frequently doesn't prevent a virus from doing its thing, it frequently can't repair the damage...

> There are other ways to keep foreign code from hosing your system

Yes, prevention is definitely better than cure. Better designed systems, in the first place. Repairing faults as they're discovered, rather than hoping something else will circumvent the fault. More restrictions on what things can do by default (it can't write here, read there, publish that, execute something else). What were Microsoft thinking with the "I dunno what to do with this, let's try executing it..." mentality?

Obviously Linux is not immune, nothing can be. But I don't ever recall reading about there being swags of buffer overflow faults with really serious consequences, like Windows seems to be *PLAGUED* with. Yes, I've seen some notices about such exploits with Linux, but here they seem to be the exception, rather than the norm.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: Clamav
On Sun, 2010-04-18 at 12:28 -0700, Michael Miles wrote:
> If the virus definitions from Clamav is written for linux based viruses and not windows based then what real good is it.
> All virus definitions should be included with the scan
> Especially if Wine and virtualbox are running on a linux system

If you read the reviews of anti-virus software, from time to time, you will see that none of them are 100% effective. The last review I read came to the conclusion that the most effective checkers only managed to find about 60% of the viruses, and not all the same viruses. That is a pretty poor rating - just a bit less than half will get through.

If you run Windows, one way or another, you're at some level of risk. A level much higher than running Windows. One reason people run virtual machines is as an isolation method. If it's sandboxed, only that virtual machine is affected/vulnerable. If you deliberately break the sandboxing, then you make everything vulnerable. That isn't a Linux deficiency, it's a flaw in the OS running in the virtual environment. If that OS is a Windows one, it's definitely a Windows fault.

--
[...@localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored. I read messages from the public lists.
Re: Clamav
From: Tim ignored_mail...@yahoo.com.au
Sent: Monday, 2010/April/19 10:29

> On Sun, 2010-04-18 at 12:28 -0700, Michael Miles wrote:
>> If the virus definitions from Clamav is written for linux based viruses and not windows based then what real good is it.
>> All virus definitions should be included with the scan
>> Especially if Wine and virtualbox are running on a linux system
>
> If you read the reviews of anti-virus software, from time to time, you will see that none of them are 100% effective. The last review I read came to the conclusion that the most effective checkers only managed to find about 60% of the viruses, and not all the same viruses. That is a pretty poor rating - just a bit less than half will get through.

The last time I ran through a complete rating of AV tools none of them were as bad as you declare. Please enhance your assertions with facts not fantasy. It makes your assertions stronger.

{^_^}
Re: Clamav
On Sat, Apr 17, 2010 at 19:54:10 -0700, jdow j...@earthlink.net wrote:
> When giving advice it's best to presume the user is going to do something unusual, such as run Wine, and receive an infection. A Wine install needs ClamAV. Without Wine I'd suggest chkrootkit and rkhunter, at the least. I have seen too many perhaps careless people ask "is this an infection?" And in more than a few cases the answer has been yes. Linux is ahead in the arms race. Windows is behind.
>
> Nonetheless, some protection is worthwhile depending on how important your system's function, your relationship with your ISP, and your data might be. I happen to be biased towards very. So I bristle when somebody suggests, intentionally or not, that Linux is probably safe. So is flying, unless you happened to be on the last flight of Pan Am 103, for example. Low probability of a high value loss - what you do is your call.

Anti virus is still the wrong way to go for this stuff. It doesn't scale well. It sucks a lot of resources. It doesn't match all bad stuff. There are other ways to keep foreign code from hosing your system (notably selinux). Unless you are protecting other systems that the data is being passed to, anti virus is not a very good solution for Fedora.
Re: Clamav
On 04/17/2010 07:54 PM, jdow wrote:
> From: Sam Sharpe lists.red...@samsharpe.net
> Sent: Saturday, 2010/April/17 13:20
>
>> On 17 April 2010 21:05, jdow j...@earthlink.net wrote:
>>> From: Sam Sharpe lists.red...@samsharpe.net
>>> Sent: Saturday, 2010/April/17 02:25
>>>
>>>> On 17 April 2010 10:17, jdow j...@earthlink.net wrote:
>>>>> How many people get frustrated with SELinux and simply disable it?
>>>>
>>>> I don't know, but stupidity appears to be an infinite resource. I tend to believe that if you disable SELinux and you get exploited by something that SELinux would prevent, then the only thing at fault is *you*. However in this case, both a sysctl and SELinux prevent what this attack claims to do, so if you disable SELinux it still won't work.
>>>
>>> Are you sanguine to declare Linux cannot be taken over by malware given that the most recent rather dramatic hole found is less than a year old AND new features (hence bugs) are being introduced every day? How much is the data on the machine worth to you?
>>
>> You seem to have a general problem with comprehension. That is not what I said - I simply said that the exploit you referred to wouldn't work.
>>
>>> If it means nothing, then why not run Windows wide open and make yourself a hero to the botnet operators? {^_-}
>>
>> Don't be an idiot.
>
> I simply gave the extremes. And this discussion is not all that silly considering J. Random User yclept Michael Miles has found a way to get a virus on his machine that ClamAV might have detected on its way in or from a scan.
>
> When giving advice it's best to presume the user is going to do something unusual, such as run Wine, and receive an infection. A Wine install needs ClamAV. Without Wine I'd suggest chkrootkit and rkhunter, at the least. I have seen too many perhaps careless people ask "is this an infection?" And in more than a few cases the answer has been yes. Linux is ahead in the arms race. Windows is behind.
>
> Nonetheless, some protection is worthwhile depending on how important your system's function, your relationship with your ISP, and your data might be. I happen to be biased towards very. So I bristle when somebody suggests, intentionally or not, that Linux is probably safe. So is flying, unless you happened to be on the last flight of Pan Am 103, for example. Low probability of a high value loss - what you do is your call.
>
> {^_^}

I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install.

So the myth is just that, a myth.
Re: Clamav
On Sun, 2010-04-18 at 10:13 -0700, Michael Miles wrote:
> [...]
> I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install.
>
> So the myth is just that, a myth.

IOW, when you run Windows apps, you get infected. Where's the myth? Did your Linux system crash? Were any of your system files corrupted? Was any of your non-Wine data leaked? Was your root password compromised? Did anything happen that would still have happened if you weren't running a Windows API?

poc
Re: Clamav
On 04/18/2010 10:22 AM, Patrick O'Callaghan wrote:
> On Sun, 2010-04-18 at 10:13 -0700, Michael Miles wrote:
>> [...]
>> I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install.
>>
>> So the myth is just that, a myth.
>
> IOW, when you run Windows apps, you get infected. Where's the myth? Did your Linux system crash? Were any of your system files corrupted? Was any of your non-Wine data leaked? Was your root password compromised? Did anything happen that would still have happened if you weren't running a Windows API?
>
> poc

No, none of linux was actually infected and not harmed in any way that I can see.

My point is if wine is part of a Fedora install because it installs with Fedora automatically it is part of the system in general. Considering the way it works I really don't know why it is there if it can be infected as easily as this. I have removed wine altogether.

Also I did have Clamav running with this machine and even after finding the viruses with Avira, Clamav would not see them at all. That to me does spell trouble if

1. A person is relying on linux reputation for not getting a virus then does something dumb like using wine and getting infected.
2. Thinks that protection is needed and uses Clamav for that protection and the software fails them by not finding the culprit

I know one thing: Avira free is staying on this machine for a while.

Better to be safe than sorry
Re: Clamav
>> So the myth is just that, a myth.
>
> IOW, when you run Windows apps, you get infected. Where's the myth? Did your Linux system crash? Were any of your system files corrupted? Was any of your non-Wine data leaked? Was your root password compromised? Did anything happen that would still have happened if you weren't running a Windows API?
>
> poc

>> No, none of linux was actually infected and not harmed in any way that I can see.
>>
>> My point is if wine is part of a Fedora install because it installs with Fedora automatically it is part of the system in general.

Nope, Wine is not part of the Fedora default install; it is packaged for Fedora and available through yum:

    # yum install wine

>> Considering the way it works I really don't know why it is there if it can be infected as easily as this.

Malware exists, it is frequent and if one is not careful, it could come in to any system. But one has to be asking for it with Linux based and other Unix based operating systems. Through wine, it can come in, but no harm was done, right?

>> I have removed wine altogether. Also I did have Clamav running with this machine and even after finding the viruses with Avira, Clamav would not see them at all.

Maybe the ClamAV is looking for other types of virii not specific to windows.

>> That to me does spell trouble if
>> 1. A person is relying on linux reputation for not getting a virus then does something dumb like using wine and getting infected.

This is like a user shooting (him/her)self in the foot.

>> 2. Thinks that protection is needed and uses Clamav for that protection and the software fails them by not finding the culprit
>>
>> I know one thing: Avira free is staying on this machine for a while.
>> Better to be safe than sorry

Running wine on fedora or other linux based systems is something most people do and do not get infections. What Patrick wrote is right on the money.

> IOW, when you run Windows apps, you get infected. Where's the myth? Did your Linux system crash? Were any of your system files corrupted? Was any of your non-Wine data leaked? Was your root password compromised? Did anything happen that would still have happened if you weren't running a Windows API?

It was not, and you have stated that. So all in all, it is not Fedora's fault; it is between the user and wine.

Also, as Bruno and others have pointed out, Selinux is there to protect us. It can also let you know that some things are going on and that somewhere a file was mislabeled, and the setroubleshoot star appears and guides you to find solutions; where the solution offered does not work, you may report the issue on the selinux list, bugzilla, etc. You may also disable it like some other users have because it gets in the way too much! But it is there to protect you, not to make your life miserable. I have encountered difficulties with it too, and Mr. Dan Walsh, Tom London, and others have been very helpful and thus I can't complain about selinux.

Regards,
Antonio
Re: Clamav
On Sun, 2010-04-18 at 10:39 -0700, Michael Miles wrote:
> On 04/18/2010 10:22 AM, Patrick O'Callaghan wrote:
> > On Sun, 2010-04-18 at 10:13 -0700, Michael Miles wrote:
> > [...]
> > > I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install
> > >
> > > So the myth is just that, a myth
> >
> > IOW, when you run Windows apps, you get infected. Where's the myth? Did your Linux system crash? Were any of your system files corrupted? Was any of your non-Wine data leaked? Was your root password compromised? Did anything happen that would still have happened if you weren't running a Windows API?
> >
> > poc
>
> No, none of linux was actually infected and not harmed in any way that I can see. My point is if wine is part of a Fedora install because it installs with Fedora automatically it is part of the system in general.
>
> Considering the way it works I really don't know why it is there if it can be infected as easily as this.
>
> I have removed wine altogether. Also I did have Clamav running with this machine and even after finding the viruses with Avira, Clamav would not see them at all.
>
> That to me does spell trouble if
>
> 1. A person is relying on linux reputation for not getting a virus then does something dumb like using wine and getting infected.
>
> 2. Thinks that protection is needed and uses Clamav for that protection and the software fails them by not finding the culprit

when all you have is a hammer, everything tends to look like a nail. pattern matching is always going to provide some false positives - that's the nature of the beast.

It seems to me that it's folly to run Windows without protection and if all your Windows systems are protected, it's pretty much not needed on Linux but knock yourself out.

Craig

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Clamav
On 04/18/2010 10:54 AM, Antonio Olivares wrote:
> [...]
>
> running wine on fedora or other linux based systems is something most people do and do not get infections. What Patrick wrote is right on the money.
>
> [...]
>
> So all in all, it is not Fedora's fault it is between the user and wine; Also as Bruno and others have pointed out, Selinux is there to protect us. It can also let you know that some things are going on and that somewhere a file was mislabeled and the setroubleshoot star appears and guides you to find solutions, and where the solution offered does not work, you may report the issue on selinux list, bugzilla, etc. You may also disable it like some other users have because it gets in the way too much! But it is there to protect you, not to make your life miserable. I have encountered difficulties with it too, and Mr. Dan Walsh, Tom London, and others have been very helpful and thus I can't complain about selinux.
>
> Regards,
> Antonio

Thank you all for the help
Re: Clamav
On 04/15/2010 12:50 PM, Patrick O'Callaghan wrote:
> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
> > I have removed all and I will wait for proper instruction as I really do not know enough about this OS
>
> Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows.

Where is the proof that an AV is not needed for Linux sans w-dozs, regardless of the pathways to infection? ClamAV is not just for email-servers but for scanning infected drives. The effectiveness of virus detection is only as good as the design and the latest virus database, and even then, there is no guarantee against newly created viruses and its variants, and one could argue damned if you do, damned if you don't, but I could argue 'Tis better to reduce the chances of infection, than none at all'?

> If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.

Again, experiences makes proof, not. I prefer the data, please.

> po

I have a fully installed, F-12 w/ SELinux including clamav, spamassassin and it has found several rejected virus infected incoming email messages. If I get one again, I will be happy to post what the viruses are, as I just don't remember. Most of my viruses are coming from overseas, mostly cn and ru and via incoming email, not visited websites. We are talking about AV, not malware or other modes of attacks.

As far as I know, clamav has not detected any infected local files but of course that does not mean there are NO viruses, just undetected ones, if any.

And no, I do not run doz via wine nor virtualbox, on this Linux email system and it has a separate public IP address apart from another email system, (W-doz) exchange, again on a separate public IP address. Neither one of these email servers, 'talks' to one or another, nor overlaps, they are mutually exclusive. It is interesting to watch which of the two are infected and which is not.

FWIW,
Dan
Re: Clamav
--- On Sun, 4/18/10, Daniel B. Thurman <d...@cdkkt.com> wrote:
> From: Daniel B. Thurman <d...@cdkkt.com>
> Subject: Re: Clamav
> To: Community support for Fedora users <users@lists.fedoraproject.org>
> Date: Sunday, April 18, 2010, 11:37 AM
>
> On 04/15/2010 12:50 PM, Patrick O'Callaghan wrote:
> > [...]
>
> [...]
>
> As far as I know, clamav has not detected any infected local files but of course that does not mean there are NO viruses, just undetected ones, if any.
>
> And no, I do not run doz via wine nor virtualbox, on this Linux email system and it has a separate public IP address apart from another email system, (W-doz) exchange, again on a separate public IP address. Neither one of these email servers, 'talks' to one or another, nor overlaps, they are mutually exclusive. It is interesting to watch which of the two are infected and which is not.
>
> FWIW,
> Dan

Dan,

The virii that hit Michael's machine were via wine. In which case ClamAV did not find them, Avira did. Most of your post is also correct. If you have an email server it makes good sense to have antivirus to scan incoming mail/messages and also send clean messages as well. If you have Selinux, Antivirus, Firewall, all enabled and configured properly, virii should not make it into your machine but one is not entirely 100% safe :(

Again, it depends on experiences that one has had/has and you summoned it up DAMNED IF YOU DO, DAMNED IF YOU DON'T

Regards,
Antonio
Re: Clamav
On Sunday 18 April 2010, Antonio Olivares wrote:
> --- On Sun, 4/18/10, Daniel B. Thurman <d...@cdkkt.com> wrote:
> > [...]
> > FWIW,
> > Dan
>
> Dan,
>
> The virii that hit Michael's machine were via wine. In which case ClamAV did not find them, Avira did. Most of your post is also correct. If you have an email server it makes good sense to have antivirus to scan incoming mail/messages and also send clean messages as well. If you have Selinux, Antivirus, Firewall, all enabled and configured properly, virii should not make it into your machine but one is not entirely 100% safe :(
>
> Again, it depends on experiences that one has had/has and you summoned it up DAMNED IF YOU DO, DAMNED IF YOU DON'T
>
> Regards,
> Antonio

I have hoped that this thread would self-destruct. IMO it has no business on a linux oriented mailing list considering that this company has no visible, runs on linux products. To me, all it amounts to is tons of free advertising because some less than attentive person hosed his wine install with a windows virus.

Excrement happens. Shrug.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
Conversation enriches the understanding, but solitude is the school of genius.
Re: Clamav
On 04/18/2010 11:48 AM, Antonio Olivares wrote:
> --- On Sun, 4/18/10, Daniel B. Thurman <d...@cdkkt.com> wrote:
> > [...]
> > FWIW,
> > Dan
>
> Dan,
>
> The virii that hit Michael's machine were via wine. In which case ClamAV did not find them, Avira did. Most of your post is also correct. If you have an email server it makes good sense to have antivirus to scan incoming mail/messages and also send clean messages as well. If you have Selinux, Antivirus, Firewall, all enabled and configured properly, virii should not make it into your machine but one is not entirely 100% safe :(
>
> Again, it depends on experiences that one has had/has and you summoned it up DAMNED IF YOU DO, DAMNED IF YOU DON'T
>
> Regards,
> Antonio

That's what concerns me about Clamav. It clearly did not trap any of these viruses and if it is the mainstream av scanner for Fedora then people could be in for a surprise if they run a different scanner on the system.

I have removed wine altogether and all virtualbox win installs.

If the virus definitions from Clamav are written for linux based viruses and not windows based then what real good is it. All virus definitions should be included with the scan, especially if Wine and virtualbox are running on a linux system.

I just thank god the virus in question was not too severe and just renamed core windows files and appended .xxx to them making them easy to find but effectively stopping xp from running

Michael
Re: Clamav
On 04/18/2010 12:00 PM, Gene Heskett wrote:
> On Sunday 18 April 2010, Antonio Olivares wrote:
> > [...]
> > Regards,
> > Antonio
>
> I have hoped that this thread would self-destruct. IMO it has no business on a linux oriented mailing list considering that this company has no visible, runs on linux products. To me, all it amounts to is tons of free advertising because some less than attentive person hosed his wine install with a windows virus.
>
> Excrement happens. Shrug.

One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked.

Now that's wild
Re: Clamav
On Sun, 2010-04-18 at 12:37 -0700, Michael Miles wrote:
> One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked.
>
> Now that's wild

from your description it sounds as if the other AV program identified and renamed the files - whether it is a real positive or a false positive is probably debatable. Sometimes I think the Windows AV products like to 'find' things to demonstrate that they are working and have some value.

Craig
Re: Clamav
On 04/18/2010 12:53 PM, Craig White wrote:
> On Sun, 2010-04-18 at 12:37 -0700, Michael Miles wrote:
> > One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked.
> >
> > Now that's wild
>
> from your description it sounds as if the other AV program identified and renamed the files - whether it is a real positive or a false positive is probably debatable. Sometimes I think the Windows AV products like to 'find' things to demonstrate that they are working and have some value.
>
> Craig

No, I did not do any action from Avira when they were found because that is what I assumed they were, false positive. Maybe Clamav did automatically but there was no notification and Clamav reported no virus at all so I would have to discount it.

I do think the virus renamed files

The only thing Clamav caught was the test virus that comes with it.

I removed wine and virtual box installations and re-ran the scan. Clean as a whistle
Re: Clamav
On Sunday 18 April 2010, Michael Miles wrote:
> On 04/18/2010 12:00 PM, Gene Heskett wrote:
> > [...]
> >
> > Excrement happens. Shrug.
>
> One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked.
>
> Now that's wild

Chuckle, bit of advice: Never take a knife to a gunfight.

Question is, what did you do between that xp install and the attack? If it sat dormant for all that time, then the obvious conclusion is that the src of your xp install is itself hosed.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
You know, Callahan's is a peaceable bar, but if you ask that dog what his favorite formatter is, and he says roff! roff!, well, I'll just have to...
Re: Clamav
On Sunday 18 April 2010, Craig White wrote:
> On Sun, 2010-04-18 at 12:37 -0700, Michael Miles wrote:
> > One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked.
> >
> > Now that's wild
>
> from your description it sounds as if the other AV program identified and renamed the files - whether it is a real positive or a false positive is probably debatable. Sometimes I think the Windows AV products like to 'find' things to demonstrate that they are working and have some value.
>
> Craig

For a change we are in agreement Craig.

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author)
You know, Callahan's is a peaceable bar, but if you ask that dog what his favorite formatter is, and he says roff! roff!, well, I'll just have to...
Re: Clamav
From: Michael Miles <mmami...@gmail.com>
Sent: Sunday, 2010/April/18 10:13

> On 04/17/2010 07:54 PM, jdow wrote:
> > From: Sam Sharpe <lists.red...@samsharpe.net>
> > Sent: Saturday, 2010/April/17 13:20
> >
> > > On 17 April 2010 21:05, jdow <j...@earthlink.net> wrote:
> > > > From: Sam Sharpe <lists.red...@samsharpe.net>
> > > > Sent: Saturday, 2010/April/17 02:25
> > > >
> > > > > On 17 April 2010 10:17, jdow <j...@earthlink.net> wrote:
> > > > > > How many people get frustrated with SELinux and simply disable it?
> > > > >
> > > > > I don't know, but stupidity appears to be an infinite resource. I tend to believe that if you disable SELinux and you get exploited by something that SELinux would prevent, then the only thing at fault is *you*. However in this case, both a sysctl and SELinux prevent what this attack claims to do, so if you disable SELinux it still won't work.
> > > >
> > > > Are you sanguine to declare Linux cannot be taken over by malware given that the most recent rather dramatic hole found is less than a year old AND new features (hence bugs) are being introduced every day? How much is the data on the machine worth to you?
> > >
> > > You seem to have a general problem with comprehension. That is not what I said - I simply said that the exploit you referred to wouldn't work.
> > >
> > > > If it means nothing, then why not run Windows wide open and make yourself a hero to the botnet operators? {^_-}
> > >
> > > Don't be an idiot.
> >
> > I simply gave the extremes. And this discussion is not all that silly considering J. Random User yclept Michael Miles has found a way to get a virus on his machine that ClamAV might have detected on its way in or from a scan. When giving advice it's best to presume the user is going to do something unusual, such as run Wine, and receive an infection. A Wine install needs ClamAV. Without Wine I'd suggest chkrootkit and rkhunter, at the least. I have seen too many perhaps careless people ask is this an infection? And in more than a few cases the answer has been yes. Linux is ahead in the arms race. Windows is behind. Nonetheless, some protection is worthwhile depending on how important your system's function, your relationship with your ISP, and your data might be. I happen to be biased towards very. So I bristle when somebody suggests, intentionally or not, that Linux is probably safe. So is flying, unless you happened to be on the last flight of Pan Am 103, for example. Low probability of a high value loss - what you do is your call.
> >
> > {^_^}
>
> I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install

To be fair we've not determined exactly whether the files are something wine installed rather than a virus. If wine has not been used much, particularly for browsing or email, then I'd suspect rpm -qf on those files would show that they are part of wine.

{^_^}
Re: Clamav
From: Gene Heskett gene.hesk...@verizon.net Sent: Sunday, 2010/April/18 12:00
On Sunday 18 April 2010, Antonio Olivares wrote:
--- On Sun, 4/18/10, Daniel B. Thurman d...@cdkkt.com wrote:
From: Daniel B. Thurman d...@cdkkt.com Subject: Re: Clamav To: Community support for Fedora users users@lists.fedoraproject.org Date: Sunday, April 18, 2010, 11:37 AM
On 04/15/2010 12:50 PM, Patrick O'Callaghan wrote:
On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
I have removed all and I will wait for proper instruction as I really do not know enough about this OS

Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows.

Where is the proof that an AV is not needed for Linux sans w-dozs, regardless of the pathways to infection? ClamAV is not just for email-servers but for scanning infected drives. The effectiveness of virus detection is only as good as the design and the latest virus database, and even then, there is no guarantee against newly created viruses and its variants, and one could argue damned if you do, damned if you don't, but I could argue 'Tis better to reduce the chances of infection, than none at all'?

If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.

Again, experiences makes proof, not. I prefer the data, please.

po

I have a fully installed, F-12 w/ SELinux including clamav, spamassassin and it has found several rejected virus infected incoming email messages. If I get one again, I will be happy to post what the viruses are, as I just don't remember. Most of my viruses are coming from overseas, mostly cn and ru and via incoming email, not visited websites. We are talking about AV, not malware or other modes of attacks.

As far as I know, clamav has not detected any infected local files but of course that does not mean there are NO viruses, just undetected ones, if any. And no, I do not run doz via wine nor virtualbox, on this Linux email system and it has a separate public IP address apart from another email system, (W-doz) exchange, again on a separate public IP address. Neither one of these email servers, 'talks' to one or another, nor overlaps, they are mutually exclusive. It is interesting to watch which of the two are infected and which is not.

FWIW, Dan

Dan, The virii that hit Michael's machine were via wine. In which case ClamAV did not find them, Avira did. Most of your post is also correct. If you have an email server it makes good sense to have antivirus to scan incoming mail/messages and also send clean messages as well. If you have SELinux, Antivirus, Firewall, all enabled and configured properly, virii should not make it into your machine but one is not entirely 100% safe :( Again, it depends on experiences that one has had/has and you summed it up DAMNED IF YOU DO, DAMNED IF YOU DON'T

Regards, Antonio

I have hoped that this thread would self-destruct. IMO it has no business on a linux oriented mailing list considering that this company has no visible, runs on linux products. To me, all it amounts to is tons of free advertising because some less than attentive person hosed his wine install with a windows virus. Excrement happens. Shrug.

Forget the advertising aspect. Read the company's name as an AV vendor's product running under wine. Then before going off the cliff let's decide the files really do represent a virus or not. They MIGHT be part of the wine installation. If not, the question becomes, how did they get there? Michael says he hardly used it. It also is an infection that has appeared on a Linux system. GNU/Linux is not bulletproof.

{^_^}
Re: Clamav
From: Gene Heskett gene.hesk...@verizon.net Sent: Sunday, 2010/April/18 13:39
On Sunday 18 April 2010, Craig White wrote:
On Sun, 2010-04-18 at 12:37 -0700, Michael Miles wrote:
One other weird thing I forgot to mention. I installed xp via wine 2 months ago. Have not touched it since. Started scanning just to see a week ago. The files that were renamed by the virus were done two days ago, according to time stamps. So this thing sat dormant until I started looking for them and that is when it attacked. Now that's wild

from your description it sounds as if the other AV program identified and renamed the files - whether it is a real positive or a false positive is probably debatable. Sometimes I think the Windows AV products like to 'find' things to demonstrate that they are working and have some value.

Craig

For a change we are in agreement Craig.

For the larger Windows AV vendors that does not seem to be the case. Of course, at least one of them behaves, itself, more like a virus than an anti-virus with regards to system stability. (And one printer manufacturer has addon software for windows that seems to fall under that rubric.) {^_-}
Re: Clamav
On Sun, 2010-04-18 at 10:39 -0700, Michael Miles wrote:
My point is if wine is part of a Fedora install because it installs with Fedora automatically it is part of the system in general.

Wine is not installed automatically. In no sense is it part of the system. Anyone who installs Wine should take the same precautions as they would when running Windows. Is that clear enough?

poc
Re: Clamav
On Sun, 2010-04-18 at 11:37 -0700, Daniel B. Thurman wrote:
Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows.

Where is the proof that an AV is not needed for Linux sans w-dozs, regardless of the pathways to infection?

You want proof of a negative? Dream on. Proof of security does not exist anywhere in the real world. I've mentioned my own anecdotal evidence (that in over 3 decades of use I have never seen a single Linux virus). It's my belief that this is the experience of the overwhelming majority of Linux users. Given that I answered a question from a Linux novice, I gave the best advice I could based on my experience, and I stand by it.

poc
Re: Clamav
On Sun, 2010-04-18 at 12:28 -0700, Michael Miles wrote:
If the virus definitions from Clamav is written for linux based viruses and not windows based then what real good is it.

You seem to be rather confused about ClamAV. AFAIK it's designed to trap Windows viruses in email, since these are the ones that actually matter. Perhaps it looks for some other stuff, I wouldn't know, but I'm pretty sure Windows malware is its main focus.

poc
Re: Clamav
On Sun, 2010-04-18 at 13:58 -0700, jdow wrote:
I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install

To be fair we've not determined exactly whether the files are something wine installed rather than a virus. If wine has not been used much, particularly for browsing or email, then I'd suspect rpm -qf on those files would show that they are part of wine.

not possible because 'drive_c' is actually created when you execute wine for the first time (or subsequent user creation) and thus...

$ rpm -qf /home/craig/.wine/drive_c/windows/twain_32.dll
file /home/craig/.wine/drive_c/windows/twain_32.dll is not owned by any package

is the only answer that one could ever have. Seems as though it must have something to do with something that he did/has on his Windows files/network or as I really suspect, a false alarm and alterations caused by some anti-virus program and this is all just mental masturbation of the kind that seems peculiarly unique to Windows.

Craig

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Clamav
On Sun, 2010-04-18 at 16:57 -0430, Patrick O'Callaghan wrote:
On Sun, 2010-04-18 at 12:28 -0700, Michael Miles wrote:
If the virus definitions from Clamav is written for linux based viruses and not windows based then what real good is it.

You seem to be rather confused about ClamAV. AFAIK it's designed to trap Windows viruses in email, since these are the ones that actually matter. Perhaps it looks for some other stuff, I wouldn't know, but I'm pretty sure Windows malware is its main focus.

more than e-mail though... the database patterns are of course Windows but the various clam implementations are suitable for file server as well as e-mail.

Craig

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Clamav
On 04/18/2010 02:28 PM, Craig White wrote:
On Sun, 2010-04-18 at 13:58 -0700, jdow wrote:
I think that it is a must to have protection on your machines considering I am looking at a machine that was supposed to be bullet proof, and proved to be infectable with windows crap through wine. If you are running wine without protection then you are taking a chance. I am not sure how it happened but it did. The Virus even went to work renaming core files from the xp install

To be fair we've not determined exactly whether the files are something wine installed rather than a virus. If wine has not been used much, particularly for browsing or email, then I'd suspect rpm -qf on those files would show that they are part of wine.

not possible because 'drive_c' is actually created when you execute wine for the first time (or subsequent user creation) and thus...

$ rpm -qf /home/craig/.wine/drive_c/windows/twain_32.dll
file /home/craig/.wine/drive_c/windows/twain_32.dll is not owned by any package

is the only answer that one could ever have. Seems as though it must have something to do with something that he did/has on his Windows files/network or as I really suspect, a false alarm and alterations caused by some anti-virus program and this is all just mental masturbation of the kind that seems peculiarly unique to Windows.

Craig

Has been nuked. Got rid of wine all together. Virtualbox as well. If I am going to run windows products I will do it in its own PC and that's that. Too bad I really liked virtualbox. Re-ran scans with Avira, Bitdefender for unices and Clamav. All clear for now. Thank you all for your input and I hope these machines stay clear
Re: Clamav
I have this feeling that most people are missing the point of why CLAMAV is a useful tool. If you do it to protect yourself against a virus then that's the wrong reason. We can debate this till we're blue in the face, but AFAICT there is no threat of a virus against anything other than Windows.

I started running my home sendmail server and all was good. Then someone invented spam and things have escalated ever since. My sendmail installation now runs spamassassin from spamass-milter and I reject all messages that are tagged as spam before reception completes. I used to run a bunch of RBLs from inside sendmail but I learned that spamassassin never got the opportunity to *learn* from the rejected messages, so now all the RBL activity is enabled from inside spamassassin. I added the tests to use CLAMAV from inside spamassassin, not to protect myself from viruses, but as an adjunct to being able to decide what is spam and what is not. If there's a virus in the message then it simply counts as a contributory weight to my decision to reject it. In addition, there are messages that spamassassin has not caught but I found a dandy tool called scamp that adds another 20+K signatures to the clamav database. The scamp stuff is not looking for viruses but it does a good job of picking up a lot of spam that the rest of the system might miss.

I don't know why, but people love to think all computers are susceptible to viruses, but more viruses target windows because there are more of them. There may be a virus out there that could hurt a linux or os/x platform, but I haven't seen one yet. At least not since the Morris Worm of '81? Windows gets viruses because they are architecturally open to such things. People who run Windows tend to run with full admin privs. Windows has gone out of their way to make programs that run under DOS be compatible with running under Windows 7.

And last but not least, people who run Windows are frequently not even aware of the concept of the difference between code and data. It's an attachment. You just *open* it. And *opening* an attachment could be a jpg that is displayed with something trusted or running some nasty binary that could do literally anything.

So yes, I run clamav and it does good things for me.

-- Time flies like the wind. Fruit flies like a banana. Stranger things have happened but none stranger than this. Does your driver's license say Organ Donor? Black holes are where God divided by zero. Listen to me! We are all individuals! What if this weren't a hypothetical question? steveo at syslang.net
Re: Clamav
On Sun, 2010-04-18 at 14:12 -0700, jdow wrote:
the question becomes, how did they get there? Michael says he hardly used it. It also is an infection that has appeared on a Linux system. GNU/Linux is not bulletproof. {^_^}

99% of the cases the interference between the chair and the keyboard.

Calin
Key fingerprint = 37B8 0DA5 9B2A 8554 FB2B 4145 5DC1 15DD A3EF E857
= I'd give my right arm to be ambidextrous.
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Sunday, 2010/April/18 14:27
On Sun, 2010-04-18 at 12:28 -0700, Michael Miles wrote:
If the virus definitions from Clamav is written for linux based viruses and not windows based then what real good is it.

You seem to be rather confused about ClamAV. AFAIK it's designed to trap Windows viruses in email, since these are the ones that actually matter. Perhaps it looks for some other stuff, I wouldn't know, but I'm pretty sure Windows malware is its main focus.

Just as a point here their web page does not imply this. Although email injection is not as common with Linux there are still some other injection routes that get discovered from time to time. The nice thing about Linux is that you can run several products of that type easily. ClamAV might be setup to filter email, at least. Then it can be used for periodic scans. So can other tools. Needed or not, I personally believe it is wise to use them. And if you feel ClamAV is inappropriate do mention tools that are appropriate such as chkrootkit and rkhunter. They only go after specific types of threats. These threats seem to be the most common nasties Linux users get saddled with.

{o.o}
Re: Clamav
From: Michael Miles mmami...@gmail.com Sent: Sunday, 2010/April/18 14:39
...
Has been nuked. Got rid of wine all together. Virtualbox as well. If I am going to run windows products I will do it in its own PC and that's that. Too bad I really liked virtualbox. Re-ran scans with Avira, Bitdefender for unices and Clamav. All clear for now. Thank you all for your input and I hope these machines stay clear

That is an expected result. I'd check periodically, nonetheless. It can hurt, although it might lower your SETI at home score.

{^_^}
Re: Clamav
From: Steven W. Orr ste...@syslang.net Sent: Sunday, 2010/April/18 14:46
...

Another thing ClamAV does on an email scan is pick off a goodly number of phishes, some of which are really well done. It helps mitigate a wetware failure mechanism.

{o.o}
Re: Clamav
On Sun, 2010-04-18 at 15:32 -0700, jdow wrote:
Needed or not, I personally believe it is wise to use them. And if you feel ClamAV is inappropriate do mention tools that are appropriate such as chkrootkit and rkhunter.

This is the last time I'm going to say it: I wasn't then and am not now engaging in a general discussion of threats against Linux. I was answering a specific question about the usefulness of ClamAV. Nothing I've seen in this thread has made me change my mind. My original answer expresses my position very clearly and I stand by it. As far as I'm concerned this thread is now over.

poc
Re: Clamav
On Sun, 2010-04-18 at 14:39 -0700, Michael Miles wrote:
Virtualbox as well. If I am going to run windows products I will do it in its own PC and that's that. Too bad I really liked virtualbox

VB (and VMware, and KVM) are entirely different from Wine. Perhaps you need to understand the concept of a virtual machine, which Wine is not. The risks of running Windows under one of these environments are no greater than those of running it on a separate physical machine. Naturally I run AV software on my Windows VMs, but I'm completely sanguine about any of the nasties getting through to the Linux host.

poc
Re: Clamav
On 04/18/2010 03:36 PM, jdow wrote:
From: Michael Miles mmami...@gmail.com Sent: Sunday, 2010/April/18 14:39
...
Has been nuked. Got rid of wine all together. Virtualbox as well. If I am going to run windows products I will do it in its own PC and that's that. Too bad I really liked virtualbox. Re-ran scans with Avira, Bitdefender for unices and Clamav. All clear for now. Thank you all for your input and I hope these machines stay clear

That is an expected result. I'd check periodically, nonetheless. It can hurt, although it might lower your SETI at home score. {^_^}

Not by much with the s...@home score I average 6000 a day
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Sunday, 2010/April/18 16:18
On Sun, 2010-04-18 at 15:32 -0700, jdow wrote:
Needed or not, I personally believe it is wise to use them. And if you feel ClamAV is inappropriate do mention tools that are appropriate such as chkrootkit and rkhunter.

This is the last time I'm going to say it: I wasn't then and am not now engaging in a general discussion of threats against Linux. I was answering a specific question about the usefulness of ClamAV. Nothing I've seen in this thread has made me change my mind. My original answer expresses my position very clearly and I stand by it. As far as I'm concerned this thread is now over.

poc

Then you made a Microsoft answer, correct (as you see it) and useless.

{^_^}
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Friday, 2010/April/16 22:49
On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Friday, 2010/April/16 16:51
On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Thursday, 2010/April/15 13:31
On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
Is Fedora really that secure?

Even if we limit the discussion to email viruses, that's a very complex and difficult question (to which the answer is yes :-). It's not an attribute exclusive to Fedora as such, but to all Unix-based systems, mainly for three reasons:
1) The mail client isn't running as root.
2) Even when running as root, Linux mail clients won't blindly execute attachments.
3) Even for executable attachments, the virus is written for Windows and won't run on Linux.
Of course it's in principle possible to get past all the above barriers, so *in theory* you can have a Linux virus, assuming the user is stupid enough to run an unknown executable. As I say, I've never seen one in the wild.

I come from windows and I am amazed at how not secure windows is.

See (3) above. Most viruses are written for Windows as it's the most popular platform. MS likes to pretend that's the only reason it gets all the grief, but there are other factors.

Patrick, the best AV tool of all is a savvy user given the number of social engineering attacks of late. And, at least historically, 'ix users have been quite savvy about security. That makes a huge difference. A single mistake running something you should not have because it looks important can bust your whole day. Based on the security forums I read I'd not consider Linux bullet-proof today - kernel null pointer dereferences and mmap are your enemy du jour.

Again, you're answering the wrong question. This thread is not about the general security or otherwise of Linux. It's about vulnerability to viruses.

If you are being picky regarding virus, trojan, etc then begone little boy, you bother me. It does not matter one bit the means of transmission if the system is compromised in a manner that a piece of what is conventionally called anti-virus software would have prevented the problem?

Which of the vulnerabilities discussed on the kernel list is communicable via an email message in such a way as to compromise the security of the target system without manual intervention on the part of its user? Please be specific.

Here is a non-LKML reference with a full explanation of the problem:
Some background: http://blog.ksplice.com/2010/03/null-pointers-part-i/
How to exploit it: http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
The exploit can be delivered through email and introduced into the machine via targeted social engineering. If you can be tricked into allowing it to run, you're toast. ANY means of getting into the machine and having code execute is sufficient to allow the exploit to run within the kernel at kernel privilege. Such means have existed in the past. I've read about the victims' problems here on this and predecessor lists. That's why chkrootkit and rkhunter exist. If somebody wishes to make Linux his main computing environment something which traps intrusions and malware as it enters the machine and before it's executed can probably save a world of hurt. I've lost disk drives and suffered the hurt of discovering the first level backup was bad. I lost some work and emails. If your machine becomes compromised, what can you save? What can you trust? You have to make an executive decision and hope your backup is from before the attack. Then maybe you can recover more recent data and email, if you can trust your backup to be safe. I prefer to spend some money to protect valuable data and save valuable recovery time.

What you actually said was, Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it.

The first sentence is true. The second one is true but limiting beyond belief. Computer users do not only use the machine for email. It leaves an implication that it's probably safe for email. The null pointer dereference issue makes you vulnerable within email if you can be tricked into running a program sent in the email. If this is not closed up VERY quickly I expect a nasty problem for Linux, shortly. The wakeup call will have the good effect of waking up the community to the little detail that nothing's perfect. As for running other things on the 'ix system, it seems a wine install so that a person can run something not available for Linux can lead you into problems. Seems somebody here mentioned an infected Wine install. I'd not bet all 7
Re: Clamav
On 17 April 2010 08:41, jdow j...@earthlink.net wrote:
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Friday, 2010/April/16 22:49
Which of the vulnerabilities discussed on the kernel list is communicable via an email message in such a way as to compromise the security of the target system without manual intervention on the part of its user? Please be specific.

Here is a non-LKML reference with a full explanation of the problem:
Some background: http://blog.ksplice.com/2010/03/null-pointers-part-i/
How to exploit it: http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
The exploit can be delivered through email and introduced into the machine via targeted social engineering. If you can be tricked into allowing it to run, you're toast. ANY means of getting into the machine and having code execute is sufficient to allow the exploit to run within the kernel at kernel privilege.

Read the page more carefully. Particularly the comments.

- Nelson Elhage says: April 13, 2010 at 12:35 pm
After all the NULL pointer vulnerabilities last year, every major distro has now turned mmap_min_addr on by default. So if you need to run old DOS programs in Wine you can still change it, but it should be much harder to exploit these things by default.
-

- Nelson Elhage says: April 14, 2010 at 9:54 am
Tomoe: I believe that, on recent kernels, SELinux blocks mmap'ing the zero page separately from the mmap_min_addr mechanism. You should be able to disable this protection for the purposes of experimentation by running setsebool -P mmap_low_allowed 1 as root.
-

-- Sam
Re: Clamav
From: Sam Sharpe lists.red...@samsharpe.net Sent: Saturday, 2010/April/17 02:09
On 17 April 2010 08:41, jdow j...@earthlink.net wrote:
From: Patrick O'Callaghan pocallag...@gmail.com Sent: Friday, 2010/April/16 22:49
Which of the vulnerabilities discussed on the kernel list is communicable via an email message in such a way as to compromise the security of the target system without manual intervention on the part of its user? Please be specific.

Here is a non-LKML reference with a full explanation of the problem:
Some background: http://blog.ksplice.com/2010/03/null-pointers-part-i/
How to exploit it: http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
The exploit can be delivered through email and introduced into the machine via targeted social engineering. If you can be tricked into allowing it to run, you're toast. ANY means of getting into the machine and having code execute is sufficient to allow the exploit to run within the kernel at kernel privilege.

Read the page more carefully. Particularly the comments.

- Nelson Elhage says: April 13, 2010 at 12:35 pm
After all the NULL pointer vulnerabilities last year, every major distro has now turned mmap_min_addr on by default. So if you need to run old DOS programs in Wine you can still change it, but it should be much harder to exploit these things by default.
-

- Nelson Elhage says: April 14, 2010 at 9:54 am
Tomoe: I believe that, on recent kernels, SELinux blocks mmap'ing the zero page separately from the mmap_min_addr mechanism. You should be able to disable this protection for the purposes of experimentation by running setsebool -P mmap_low_allowed 1 as root.
-

-- Sam

jdow How many people get frustrated with SELinux and simply disable it?

{o.o}
Re: Clamav
On 17 April 2010 10:17, jdow j...@earthlink.net wrote:
jdow How many people get frustrated with SELinux and simply disable it?

I don't know, but stupidity appears to be an infinite resource. I tend to believe that if you disable SELinux and you get exploited by something that SELinux would prevent, then the only thing at fault is *you*. However in this case, both a sysctl and SELinux prevent what this attack claims to do, so if you disable SELinux it still won't work.

-- Sam
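The two layered protections Sam refers to here, the vm.mmap_min_addr sysctl and the SELinux mmap_low_allowed boolean quoted from the ksplice comments, are both things an administrator can verify locally. The script below is an added example written for this thread, not code from any poster or from the ClamAV or Fedora projects. It reads /proc/sys/vm/mmap_min_addr and the output of getsebool when they exist, and parses each through a small function so the pass/fail rule can be exercised on sample values offline. The function names, the report format and the 4096-byte threshold (one page, the smallest setting that keeps the zero page unmappable) are this example's own choices, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): audit the two defaults
# discussed above, vm.mmap_min_addr and the SELinux mmap_low_allowed boolean.
# Threshold and function names are assumptions made for this example.

# Return 0 when the supplied mmap_min_addr value keeps page zero unmappable
# (a number of at least 4096), 1 for zero, empty or non-numeric input.
assess_mmap_min_addr() {
    value="$1"
    case "$value" in
        ''|*[!0-9]*) return 1 ;;   # missing or garbage: treat as unprotected
    esac
    [ "$value" -ge 4096 ]
}

# Parse one line of `getsebool mmap_low_allowed` output, for example
# "mmap_low_allowed --> off" (constructed sample), and return 0 only when
# the boolean is off, i.e. SELinux still blocks low mappings.
assess_mmap_low_allowed() {
    case "$1" in
        *"-->"*off*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check of this host; each interface is consulted only if present.
# Returns 0 when every available protection is in place, 1 otherwise.
report_host() {
    status=0
    if [ -r /proc/sys/vm/mmap_min_addr ]; then
        v=$(cat /proc/sys/vm/mmap_min_addr)
        if assess_mmap_min_addr "$v"; then
            echo "vm.mmap_min_addr=$v: low address mappings restricted"
        else
            echo "vm.mmap_min_addr=$v: WARNING, page zero can be mapped"
            status=1
        fi
    else
        echo "vm.mmap_min_addr: not readable on this host"
    fi

    if command -v getsebool >/dev/null 2>&1; then
        line=$(getsebool mmap_low_allowed 2>/dev/null)
        if assess_mmap_low_allowed "$line"; then
            echo "SELinux: $line (low mappings blocked by policy)"
        else
            echo "SELinux: mmap_low_allowed is on or could not be read"
            status=1
        fi
    else
        echo "SELinux: getsebool not present, boolean not checked"
    fi
    return $status
}

# Run the live report when the script is executed; a non-zero result is
# turned into a message so the script itself always exits cleanly.
report_host || echo "result: at least one low-address mapping protection is missing"
```

The two assess functions are kept separate from the live report so the parsing rules can be checked with constructed input on a machine that has neither interface; on a Fedora host the report is the part you actually run, and a warning from either branch is the cue to look at why the default was changed.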
Re: Clamav
On Fri, Apr 16, 2010 at 20:29:25 -0700, Craig White craigwh...@azapple.com wrote:
> Clearly no OS is safe from exploit. The most effective security method
> employed on Linux is simply not to run as superuser where most Windows and
> Macintosh users are running as superuser and the software leaves it to the
> user to figure out how to run with less privileges (very possible but not
> the typical usage).

I disagree. This can help with restoring a system, but is more useful for
protecting users from each other than users from malware. User accounts have
all of the power needed to replicate malware. User accounts have valuable data
(may be private or hard to recreate), whereas data owned by root typically
isn't. There have historically been a lot of local root exploits on linux
systems that allow malware to elevate its privileges. I think selinux is going
to be of more use in this area than standard unix file system privileges and
having a separate root account. It won't solve all of the problems, but it can
help protect users from processes running as themselves.
Re: Clamav
On Sat, 2010-04-17 at 00:41 -0700, jdow wrote:
>> Which of the vulnerabilities discussed on the kernel list is communicable
>> via an email message in such a way as to compromise the security of the
>> target system without manual intervention on the part of its user? Please
>> be specific.
>
> Here is a non-LKML reference with a full explanation of the problem:
>
> Some background:
> http://blog.ksplice.com/2010/03/null-pointers-part-i/
>
> How to exploit it:
> http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
>
> The exploit can be delivered through email and introduced into the machine
> via targeted social engineering. If you can be tricked into allowing it to
> run, you're toast. ANY means of getting into the machine and having code
> execute is sufficient to allow the exploit to run within the kernel at
> kernel privilege.

Did I say that Linux had no vulnerabilities? No. Did I say it could never be
crashed or taken over from a console session? No. I asked for an example of a
security bug exploitable via email with no manual intervention (other than
downloading the mail of course). You produce a kernel bug which before it was
fixed would have required the user to manually run a downloaded program. (Note
by the way that if the user fetched the exploit via a web page or ftp session,
i.e. via a slightly different social engineering vector, ClamAV would not have
intervened.)

In other words, you don't have an answer to the question I actually asked, so
you produce an answer to a different question which no-one asked and is
outside the scope of the OP's initial query. Discussions of Linux security are
useful and IMHO well within the scope of this mailing list, but they aren't
the subject of this thread. Feel free to start a different thread if you wish.

poc
Re: Clamav
On Saturday 17 April 2010, jdow wrote:
> From: Sam Sharpe lists.red...@samsharpe.net
> Sent: Saturday, 2010/April/17 02:09
>
>> On 17 April 2010 08:41, jdow j...@earthlink.net wrote:
>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>> Sent: Friday, 2010/April/16 22:49
>>>
>>>> Which of the vulnerabilities discussed on the kernel list is
>>>> communicable via an email message in such a way as to compromise the
>>>> security of the target system without manual intervention on the part
>>>> of its user? Please be specific.
>>>
>>> Here is a non-LKML reference with a full explanation of the problem:
>>>
>>> Some background:
>>> http://blog.ksplice.com/2010/03/null-pointers-part-i/
>>>
>>> How to exploit it:
>>> http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
>>>
>>> The exploit can be delivered through email and introduced into the
>>> machine via targeted social engineering. If you can be tricked into
>>> allowing it to run, you're toast. ANY means of getting into the machine
>>> and having code execute is sufficient to allow the exploit to run within
>>> the kernel at kernel privilege.
>>
>> Read the page more carefully. Particularly the comments.
>>
>> - Nelson Elhage says: April 13, 2010 at 12:35 pm
>>   After all the NULL pointer vulnerabilities last year, every major distro
>>   has now turned mmap_min_addr on by default. So if you need to run old
>>   DOS programs in Wine you can still change it, but it should be much
>>   harder to exploit these things by default.
>>
>> - Nelson Elhage says: April 14, 2010 at 9:54 am
>>   Tomoe: I believe that, on recent kernels, SELinux blocks mmap’ing the
>>   zero page separately from the mmap_min_addr mechanism. You should be
>>   able to disable this protection for the purposes of experimentation by
>>   running setsebool -P mmap_low_allowed 1 as root.
>>
>> --
>> Sam
>
> jdow How many people get frustrated with SELinux and simply disable it?
>
> {o.o}

Well, here is one, who gave it about a 6 month play last year, determined to
see if it was actually an every day usable scheme.

But I have things I want to do with this machine, and I finally grokked that
I was spending more time on the selinux list, fussing about this, and fixing
that, from documentation that at best can only be described as extremely
obtuse, found I was fiddling with it more than half the time, and said to hell
with it and shut it off and got on with my life. I have a router that
supposedly stops the external attacks, I don't automatically render html
emails and my SA triggers to /dev/null at five stars.

--
Cheers, Gene
There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
hangover, n.:
        The wrath of grapes.
Re: Clamav
On 04/17/2010 04:17 AM, jdow wrote:
> jdow How many people get frustrated with SELinux and simply disable it?
>
> {o.o}

It is hard to say. How many people get frustrated with iptables and simply
disable the firewall? It is the same type of fix. I have seen some people on
this list recommend it as the first step in fixing just about any permission
problem, even if a SELinux problem is a low possibility for causing the
problem. Then again, some people also advocate routinely running as root as
well.

I have had few problems with SELinux. They were usually caused by mis-labeled
files, and easily fixed. There is also a nice GUI that will translate the
cryptic SELinux error messages to something more easily understood, and
offers advice on how to fix the problem.

Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
Re: Clamav
On 04/17/2010 12:41 AM, jdow wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Friday, 2010/April/16 22:49
>
>> On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>> Sent: Friday, 2010/April/16 16:51
>>>
>>>> On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>>>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>>>> Sent: Thursday, 2010/April/15 13:31
>>>>>
>>>>>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>>>>>> Is Fedora really that secure?
>>>>>>
>>>>>> Even if we limit the discussion to email viruses, that's a very
>>>>>> complex and difficult question (to which the answer is yes :-). It's
>>>>>> not an attribute exclusive to Fedora as such, but to all Unix-based
>>>>>> systems, mainly for three reasons:
>>>>>>
>>>>>> 1) The mail client isn't running as root.
>>>>>> 2) Even when running as root, Linux mail clients won't blindly
>>>>>> execute attachments.
>>>>>> 3) Even for executable attachments, the virus is written for Windows
>>>>>> and won't run on Linux.
>>>>>>
>>>>>> Of course it's in principle possible to get past all the above
>>>>>> barriers, so *in theory* you can have a Linux virus, assuming the
>>>>>> user is stupid enough to run an unknown executable. As I say, I've
>>>>>> never seen one in the wild.
>>>>>>
>>>>>>> I come from windows and I am amazed at how not secure windows is.
>>>>>>
>>>>>> See (3) above. Most viruses are written for Windows as it's the most
>>>>>> popular platform. MS likes to pretend that's the only reason it gets
>>>>>> all the grief, but there are other factors.
>>>>>
>>>>> Patrick, the best AV tool of all is a savvy user given the number of
>>>>> social engineering attacks of late. And, at least historically, 'ix
>>>>> users have been quite savvy about security. That makes a huge
>>>>> difference. A single mistake running something you should not have
>>>>> because it looks important can bust your whole day. Based on the
>>>>> security forums I read I'd not consider Linux bullet-proof today -
>>>>> kernel null pointer dereferences and mmap are your enemy du jour.
>>>>
>>>> Again, you're answering the wrong question. This thread is not about
>>>> the general security or otherwise of Linux. It's about vulnerability
>>>> to viruses.
>>>
>>> If you are being picky regarding virus, trojan, etc then begone little
>>> boy, you bother me. It does not matter one bit the means of
>>> transmission if the system is compromised in a manner that a piece of
>>> what is conventionally called anti-virus software would have prevented
>>> the problem?
>>
>> Which of the vulnerabilities discussed on the kernel list is communicable
>> via an email message in such a way as to compromise the security of the
>> target system without manual intervention on the part of its user? Please
>> be specific.
>
> Here is a non-LKML reference with a full explanation of the problem:
>
> Some background:
> http://blog.ksplice.com/2010/03/null-pointers-part-i/
>
> How to exploit it:
> http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
>
> The exploit can be delivered through email and introduced into the machine
> via targeted social engineering. If you can be tricked into allowing it to
> run, you're toast. ANY means of getting into the machine and having code
> execute is sufficient to allow the exploit to run within the kernel at
> kernel privilege.
>
> Such means have existed in the past. I've read about the victims' problems
> here on this and predecessor lists. That's why chkrootkit and rkhunter
> exist. If somebody wishes to make Linux his main computing environment
> something which traps intrusions and malware as it enters the machine and
> before it's executed can probably save a world of hurt. I've lost disk
> drives and suffered the hurt of discovering the first level backup was bad.
> I lost some work and emails. If your machine becomes compromised, what can
> you save? What can you trust? You have to make an executive decision and
> hope your backup is from before the attack. Then maybe you can recover more
> recent data and email, if you can trust your backup to be safe. I prefer to
> spend some money to protect valuable data and save valuable recovery time.
>
> What you actually said was,
>
>> Clamav is usually installed by people running mail servers for users who
>> access them from Windows. If all you're doing is reading mail in Linux,
>> it's extremely unlikely that you even need it.
>
> The first sentence is true. The second one is true but limiting beyond
> belief. Computer users do not only use the machine for email. It leaves an
> implication that it's probably safe for email. The null pointer dereference
> issue makes you vulnerable within email if you can be tricked into running
> a program sent in the email. If this is not closed up VERY quickly I expect
> a nasty problem for Linux, shortly. The wakeup call will have the good
> effect of waking up the community to the little detail that nothing's
> perfect.
>
> As for running other things on the 'ix system, it seems a wine install so
> that a person can run
Re: Clamav
From: Sam Sharpe lists.red...@samsharpe.net
Sent: Saturday, 2010/April/17 02:25

> On 17 April 2010 10:17, jdow j...@earthlink.net wrote:
>> jdow How many people get frustrated with SELinux and simply disable it?
>
> I don't know, but stupidity appears to be an infinite resource. I tend to
> believe that if you disable SELinux and you get exploited by something that
> SELinux would prevent, then the only thing at fault is *you*.
>
> However in this case, both a sysctl and SELinux prevent what this attack
> claims to do, so if you disable SELinux it still won't work.

Are you sanguine to declare Linux cannot be taken over by malware given that
the most recent rather dramatic hole found is less than a year old AND new
features (hence bugs) are being introduced every day? How much is the data on
the machine worth to you? If it means a lot, a good backup policy and running
an anti-malware program even if it's only chkrootkit or rkhunter before taking
any backups is a good thing (tm). If it means nothing, then why not run
Windows wide open and make yourself a hero to the botnet operators?

{^_-}
{^_^}
Re: Clamav
From: Michael Miles mmami...@gmail.com
Sent: Saturday, 2010/April/17 09:02

> On 04/17/2010 12:41 AM, jdow wrote:
>> From: Patrick O'Callaghan pocallag...@gmail.com
>> Sent: Friday, 2010/April/16 22:49
>>
>>> On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
>>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>>> Sent: Friday, 2010/April/16 16:51
>>>>
>>>>> On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>>>>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>>>>> Sent: Thursday, 2010/April/15 13:31
>>>>>>
>>>>>>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>>>>>>> Is Fedora really that secure?
>>>>>>>
>>>>>>> Even if we limit the discussion to email viruses, that's a very
>>>>>>> complex and difficult question (to which the answer is yes :-). It's
>>>>>>> not an attribute exclusive to Fedora as such, but to all Unix-based
>>>>>>> systems, mainly for three reasons:
>>>>>>>
>>>>>>> 1) The mail client isn't running as root.
>>>>>>> 2) Even when running as root, Linux mail clients won't blindly
>>>>>>> execute attachments.
>>>>>>> 3) Even for executable attachments, the virus is written for Windows
>>>>>>> and won't run on Linux.
>>>>>>>
>>>>>>> Of course it's in principle possible to get past all the above
>>>>>>> barriers, so *in theory* you can have a Linux virus, assuming the
>>>>>>> user is stupid enough to run an unknown executable. As I say, I've
>>>>>>> never seen one in the wild.
>>>>>>>
>>>>>>>> I come from windows and I am amazed at how not secure windows is.
>>>>>>>
>>>>>>> See (3) above. Most viruses are written for Windows as it's the most
>>>>>>> popular platform. MS likes to pretend that's the only reason it gets
>>>>>>> all the grief, but there are other factors.
>>>>>>
>>>>>> Patrick, the best AV tool of all is a savvy user given the number of
>>>>>> social engineering attacks of late. And, at least historically, 'ix
>>>>>> users have been quite savvy about security. That makes a huge
>>>>>> difference. A single mistake running something you should not have
>>>>>> because it looks important can bust your whole day. Based on the
>>>>>> security forums I read I'd not consider Linux bullet-proof today -
>>>>>> kernel null pointer dereferences and mmap are your enemy du jour.
>>>>>
>>>>> Again, you're answering the wrong question. This thread is not about
>>>>> the general security or otherwise of Linux. It's about vulnerability
>>>>> to viruses.
>>>>
>>>> If you are being picky regarding virus, trojan, etc then begone little
>>>> boy, you bother me. It does not matter one bit the means of
>>>> transmission if the system is compromised in a manner that a piece of
>>>> what is conventionally called anti-virus software would have prevented
>>>> the problem?
>>>
>>> Which of the vulnerabilities discussed on the kernel list is
>>> communicable via an email message in such a way as to compromise the
>>> security of the target system without manual intervention on the part of
>>> its user? Please be specific.
>>
>> Here is a non-LKML reference with a full explanation of the problem:
>>
>> Some background:
>> http://blog.ksplice.com/2010/03/null-pointers-part-i/
>>
>> How to exploit it:
>> http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
>>
>> The exploit can be delivered through email and introduced into the
>> machine via targeted social engineering. If you can be tricked into
>> allowing it to run, you're toast. ANY means of getting into the machine
>> and having code execute is sufficient to allow the exploit to run within
>> the kernel at kernel privilege.
>>
>> Such means have existed in the past. I've read about the victims'
>> problems here on this and predecessor lists. That's why chkrootkit and
>> rkhunter exist. If somebody wishes to make Linux his main computing
>> environment something which traps intrusions and malware as it enters the
>> machine and before it's executed can probably save a world of hurt. I've
>> lost disk drives and suffered the hurt of discovering the first level
>> backup was bad. I lost some work and emails. If your machine becomes
>> compromised, what can you save? What can you trust? You have to make an
>> executive decision and hope your backup is from before the attack. Then
>> maybe you can recover more recent data and email, if you can trust your
>> backup to be safe. I prefer to spend some money to protect valuable data
>> and save valuable recovery time.
>>
>> What you actually said was,
>>
>>> Clamav is usually installed by people running mail servers for users who
>>> access them from Windows. If all you're doing is reading mail in Linux,
>>> it's extremely unlikely that you even need it.
>>
>> The first sentence is true. The second one is true but limiting beyond
>> belief. Computer users do not only use the machine for email. It leaves
>> an implication that it's probably safe for email. The null pointer
>> dereference issue makes you vulnerable within email if you can be tricked
>> into running a program sent in the email. If this is not closed up VERY
>> quickly I expect a nasty problem for Linux, shortly. The wakeup call will
>> have the good effect of waking up the community to the little detail that
>> nothing's perfect.
>>
>> As for running other things on the 'ix system, it seems a wine install so
>> that a person can run something not available for Linux can lead you into
>> problems. Seems
Re: Clamav
On 17 April 2010 21:05, jdow j...@earthlink.net wrote:
> From: Sam Sharpe lists.red...@samsharpe.net
> Sent: Saturday, 2010/April/17 02:25
>
>> On 17 April 2010 10:17, jdow j...@earthlink.net wrote:
>>> jdow How many people get frustrated with SELinux and simply disable it?
>>
>> I don't know, but stupidity appears to be an infinite resource. I tend to
>> believe that if you disable SELinux and you get exploited by something
>> that SELinux would prevent, then the only thing at fault is *you*.
>>
>> However in this case, both a sysctl and SELinux prevent what this attack
>> claims to do, so if you disable SELinux it still won't work.
>
> Are you sanguine to declare Linux cannot be taken over by malware given
> that the most recent rather dramatic hole found is less than a year old AND
> new features (hence bugs) are being introduced every day? How much is the
> data on the machine worth to you?

You seem to have a general problem with comprehension. That is not what I
said - I simply said that the exploit you referred to wouldn't work.

> If it means nothing, then why not run Windows wide open and make yourself a
> hero to the botnet operators?
>
> {^_-}

Don't be an idiot.

--
Sam
Re: Clamav
From: Sam Sharpe lists.red...@samsharpe.net
Sent: Saturday, 2010/April/17 13:20

> On 17 April 2010 21:05, jdow j...@earthlink.net wrote:
>> From: Sam Sharpe lists.red...@samsharpe.net
>> Sent: Saturday, 2010/April/17 02:25
>>
>>> On 17 April 2010 10:17, jdow j...@earthlink.net wrote:
>>>> jdow How many people get frustrated with SELinux and simply disable it?
>>>
>>> I don't know, but stupidity appears to be an infinite resource. I tend
>>> to believe that if you disable SELinux and you get exploited by
>>> something that SELinux would prevent, then the only thing at fault is
>>> *you*.
>>>
>>> However in this case, both a sysctl and SELinux prevent what this attack
>>> claims to do, so if you disable SELinux it still won't work.
>>
>> Are you sanguine to declare Linux cannot be taken over by malware given
>> that the most recent rather dramatic hole found is less than a year old
>> AND new features (hence bugs) are being introduced every day? How much is
>> the data on the machine worth to you?
>
> You seem to have a general problem with comprehension. That is not what I
> said - I simply said that the exploit you referred to wouldn't work.
>
>> If it means nothing, then why not run Windows wide open and make yourself
>> a hero to the botnet operators?
>>
>> {^_-}
>
> Don't be an idiot.

I simply gave the extremes. And this discussion is not all that silly
considering J. Random User yclept Michael Miles has found a way to get a virus
on his machine that ClamAV might have detected on its way in or from a scan.
When giving advice it's best to presume the user is going to do something
unusual, such as run Wine, and receive an infection. A Wine install needs
ClamAV. Without Wine I'd suggest chkrootkit and rkhunter, at the least. I have
seen too many perhaps careless people ask is this an infection? And in more
than a few cases the answer has been yes.

Linux is ahead in the arms race. Windows is behind. Nonetheless, some
protection is worthwhile depending on how important your system's function,
your relationship with your ISP, and your data might be. I happen to be biased
towards very. So I bristle when somebody suggests, intentionally or not, that
Linux is probably safe. So is flying, unless you happened to be on the last
flight of Pan Am 103, for example. Low probability of a high value loss - what
you do is your call.

{^_^}
Re: Clamav
On 04/15/2010 05:32 PM, Michael Miles wrote:
> On 04/15/2010 01:09 PM, Daniel J Walsh wrote:
>> On 04/15/2010 03:22 PM, Michael Miles wrote:
>>> How on earth do I set this up to get virus definitions that selinux
>>> won't jump all over
>>>
>>> I just want email scanned out and in
>>>
>>> I tried the latest 96 could only find i686 rpm for clamav, clamd,
>>> freshclam
>>>
>>> I am running Fedora 12 x86_64
>>>
>>> The fedora repo has version 95 only
>>>
>>> I installed the i686 version of 96 but selinux is freaking out stopping
>>> the update
>>>
>>> I have removed all and I will wait for proper instruction as I really do
>>> not know enough about this OS
>>>
>>> Is there a proper order for install?
>>
>> What avc messages are you seeing? Are you saying the yum update is
>> failing or after you start clamd, you get lots of avc messages?
>
> After service clamd start I get can't access memory, access denied

Please send me your /var/log/audit/audit.log

Sounds like you have a bad library, or a bad label.
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com
Sent: Thursday, 2010/April/15 12:50

> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>> I have removed all and I will wait for proper instruction as I really do
>> not know enough about this OS
>
> Given that you say so yourself, the logical question is why do you need
> Clamav? Clamav is usually installed by people running mail servers for
> users who access them from Windows. If all you're doing is reading mail in
> Linux, it's extremely unlikely that you even need it. In 35 years of using
> first Unix and then Linux, I have yet to see a single virus that wasn't a
> proof-of-concept demo.

1) I have seen at least one active exploit, I fortunately recognized myself,
for Linux in my mumble years with computers. (longer than yours, sonny,
although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made
some money off that system) had online exploits.)

2) Some of us live on mixed networks. Open Sores does NOT pay for my bread,
water, and roof, let alone any recreation. So I have Windows machines around.
ClamAV is handy to have in the Linux machine, which is the master server for
the system.

3) If you read the kernel list a little more you'd discover enough chatter
about obvious items of vulnerability you'd want to put a condom on your
computer.

4) I will agree with you as far as to say Linux is not as vulnerable as
Windows. That is mostly because it is still perceived as being a boutique OS
with savvy users. When that changes I expect to see numbers of active
exploits out on the Internet to increase sharply. I would prefer a casual
date put on his condom BEFORE rather than AFTER he makes motions to impregnate
me, which at my age is hopeless.

{^_^} Fortunately Joanne has not had to reinstall YET.
Re: Clamav
From: Michael Miles mmami...@gmail.com
Sent: Thursday, 2010/April/15 13:02

> On 04/15/2010 12:50 PM, Patrick O'Callaghan wrote:
>> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>>> I have removed all and I will wait for proper instruction as I really do
>>> not know enough about this OS
>>
>> Given that you say so yourself, the logical question is why do you need
>> Clamav? Clamav is usually installed by people running mail servers for
>> users who access them from Windows. If all you're doing is reading mail
>> in Linux, it's extremely unlikely that you even need it. In 35 years of
>> using first Unix and then Linux, I have yet to see a single virus that
>> wasn't a proof-of-concept demo.
>>
>> poc
>
> This is really what I have been wrestling with myself
> why do I really need it
> Is Fedora really that secure?

If you learn it and don't subvert its features it is apparently more secure
than Windows through at least XP. (Vista is the NT world's ME. 7 might be
decent. But its protections are too easy to subvert, and alas, too necessary.)

> I come from windows and I am amazed at how not secure windows is.

I'm not. Building bullet-proof software is really difficult. Otherwise the
newly revealed kernel null pointer dereference exploits would not exist.

> So thank you as I don't really need it.
> The only time I get a reaction from Virus software with linux is when I put
> in a windows 7 backup dvd

I don't make a practice of keeping live bugs around. Of course, I do have
something too many AV tools false alarm on. Ah well.

{^_-}
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com
Sent: Thursday, 2010/April/15 13:31

> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>> Is Fedora really that secure?
>
> Even if we limit the discussion to email viruses, that's a very complex and
> difficult question (to which the answer is yes :-). It's not an attribute
> exclusive to Fedora as such, but to all Unix-based systems, mainly for
> three reasons:
>
> 1) The mail client isn't running as root.
> 2) Even when running as root, Linux mail clients won't blindly execute
> attachments.
> 3) Even for executable attachments, the virus is written for Windows and
> won't run on Linux.
>
> Of course it's in principle possible to get past all the above barriers, so
> *in theory* you can have a Linux virus, assuming the user is stupid enough
> to run an unknown executable. As I say, I've never seen one in the wild.
>
>> I come from windows and I am amazed at how not secure windows is.
>
> See (3) above. Most viruses are written for Windows as it's the most
> popular platform. MS likes to pretend that's the only reason it gets all
> the grief, but there are other factors.

Patrick, the best AV tool of all is a savvy user given the number of social
engineering attacks of late. And, at least historically, 'ix users have been
quite savvy about security. That makes a huge difference. A single mistake
running something you should not have because it looks important can bust
your whole day. Based on the security forums I read I'd not consider Linux
bullet-proof today - kernel null pointer dereferences and mmap are your enemy
du jour.

{^_^}
Re: Clamav
On Fri, Apr 16, 2010 at 13:39:42 -0700, jdow j...@earthlink.net wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Thursday, 2010/April/15 12:50
>
> 4) I will agree with you as far as to say Linux is not as vulnerable as
> Windows. That is mostly because it is still perceived as being a boutique
> OS with savvy users. When that changes I expect to see numbers of active
> exploits out on the Internet to increase sharply. I would prefer a casual
> date put on his condom BEFORE rather than AFTER he makes motions to
> impregnate me, which at my age is hopeless.

Anti virus is still a poor solution. Better web and email client design
(particularly sandboxing and good defaults) and selinux are better ways
forward. Trying to enumerate malicious stuff doesn't scale well and relies on
someone doing the enumeration and providing you with updates before it gets to
you.

Not having people treat programs as data would be another nice thing to have
happen, but there are a lot of entities pushing that, so don't expect those to
go away soon.
Re: Clamav
On 04/16/2010 01:39 PM, jdow wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Thursday, 2010/April/15 12:50
>
>> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>>> I have removed all and I will wait for proper instruction as I really do
>>> not know enough about this OS
>>
>> Given that you say so yourself, the logical question is why do you need
>> Clamav? Clamav is usually installed by people running mail servers for
>> users who access them from Windows. If all you're doing is reading mail
>> in Linux, it's extremely unlikely that you even need it. In 35 years of
>> using first Unix and then Linux, I have yet to see a single virus that
>> wasn't a proof-of-concept demo.
>
> 1) I have seen at least one active exploit, I fortunately recognized
> myself, for Linux in my mumble years with computers. (longer than yours,
> sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved
> Amiga (made some money off that system) had online exploits.)
>
> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread,
> water, and roof, let alone any recreation. So I have Windows machines
> around. ClamAV is handy to have in the Linux machine, which is the master
> server for the system.
>
> 3) If you read the kernel list a little more you'd discover enough chatter
> about obvious items of vulnerability you'd want to put a condom on your
> computer.
>
> 4) I will agree with you as far as to say Linux is not as vulnerable as
> Windows. That is mostly because it is still perceived as being a boutique
> OS with savvy users. When that changes I expect to see numbers of active
> exploits out on the Internet to increase sharply. I would prefer a casual
> date put on his condom BEFORE rather than AFTER he makes motions to
> impregnate me, which at my age is hopeless.
>
> {^_^} Fortunately Joanne has not had to reinstall YET.

I started with the Vic 20 then went to the 64
I had an Amiga 3000 up to a 68060 and of course lightwave and the video
toaster by newtek.
Now that Amiga was a system which I adored
I find Linux similar but I love the drag and drop of the amiga especially for
devices.
I run an Amd Phenom 2 945 now initially with Win 7 x64 ultimate.
Am totally fed up with Windows
I like Fedora very much and am extremely impressed with security.
I freaked out when Clamav found a trojan in my mozilla directory only to see
it was the test virus that comes with clamav.
I have a home network here with 2 other computers on it. Both Win 7 machines
We do not share mail service and only share music and videos from this
machine (fat 4 tera byte hd)
Anyway I think I will let it run for a bit but I'm still not sure I want it
on. Still have really no need unless viruses start to take hold with linux.
At the very same time once the damage is done by a nasty virus it is too late.
Some protection is needed, I would think
I put in a backup Win 7 dvd and scanned it
Clam av found 4 on the dvd.
Bitdefender for unices found 15

Michael
Re: Clamav
Michael Miles wrote:
> On 04/16/2010 01:39 PM, jdow wrote:
>> From: Patrick O'Callaghan pocallag...@gmail.com
>> Sent: Thursday, 2010/April/15 12:50
>>
>>> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>>>> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.
>>>
>>> Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.
>>
>> 1) I have seen at least one active exploit, I fortunately recognized myself, for Linux in my mumble years with computers. (longer than yours, sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made some money off that system) had online exploits.)
>>
>> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread, water, and roof, let alone any recreation. So I have Windows machines around. ClamAV is handy to have in the Linux machine, which is the master server for the system.
>>
>> 3) If you read the kernel list a little more you'd discover enough chatter about obvious items of vulnerability you'd want to put a condom on your computer.
>>
>> 4) I will agree with you as far as to say Linux is not as vulnerable as Windows. That is mostly because it is still perceived as being a boutique OS with savvy users. When that changes I expect to see numbers of active exploits out on the Internet to increase sharply. I would prefer a casual date put on his condom BEFORE rather than AFTER he makes motions to impregnate me, which at my age is hopeless.
>>
>> {^_^}
>>
>> Fortunately Joanne has not had to reinstall YET.
>
> I started with the Vic 20 then went to the 64. I had an Amiga 3000 up to a 68060 and of course Lightwave and the Video Toaster by NewTek. Now that Amiga was a system which I adored. I find Linux similar, but I love the drag and drop of the Amiga, especially for devices.
>
> I run an AMD Phenom II 945 now, initially with Win 7 x64 Ultimate. Am totally fed up with Windows. I like Fedora very much and am extremely impressed with security. I freaked out when Clamav found a trojan in my mozilla directory, only to see it was the test virus that comes with clamav.
>
> I have a home network here with 2 other computers on it, both Win 7 machines. We do not share mail service and only share music and videos from this machine (fat 4 terabyte HD). Anyway I think I will let it run for a bit, but I'm still not sure I want it on. Still have really no need unless viruses start to take hold with Linux. At the very same time, once the damage is done by a nasty virus it is too late. Some protection is needed, I would think.
>
> I put in a backup Win 7 DVD and scanned it. Clam AV found 4 on the DVD. Bitdefender for Unices found 15.
>
> Michael

It is mostly a personal choice, but if you want to protect the two doze computers from infecting each other with shared files that are controlled on the Fedora box, you can run clam on that to catch it. I run Symantec Corporate on all my workstations, and on my fileserver (a Fedora box with a large amount of space) to protect my systems from spreading viruses. I am less concerned with the linux box getting infected, though, as was pointed out earlier in the thread, the attackers go for the lowest hanging fruit first. At the very least it can help protect against spreading of known viruses.

As a note, Virus Total is a good proving ground on how most AV programs just plain suck half the time, especially with bleeding edge bugs. (Search Sans ISC for articles on that aspect, interesting read if you have time to kill)

~Seann
Re: Clamav
On 04/16/2010 03:00 PM, Seann Clark wrote:
> Michael Miles wrote:
>> On 04/16/2010 01:39 PM, jdow wrote:
>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>> Sent: Thursday, 2010/April/15 12:50
>>>
>>>> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>>>>> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.
>>>>
>>>> Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.
>>>
>>> 1) I have seen at least one active exploit, I fortunately recognized myself, for Linux in my mumble years with computers. (longer than yours, sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made some money off that system) had online exploits.)
>>>
>>> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread, water, and roof, let alone any recreation. So I have Windows machines around. ClamAV is handy to have in the Linux machine, which is the master server for the system.
>>>
>>> 3) If you read the kernel list a little more you'd discover enough chatter about obvious items of vulnerability you'd want to put a condom on your computer.
>>>
>>> 4) I will agree with you as far as to say Linux is not as vulnerable as Windows. That is mostly because it is still perceived as being a boutique OS with savvy users. When that changes I expect to see numbers of active exploits out on the Internet to increase sharply. I would prefer a casual date put on his condom BEFORE rather than AFTER he makes motions to impregnate me, which at my age is hopeless.
>>>
>>> {^_^}
>>>
>>> Fortunately Joanne has not had to reinstall YET.
>>
>> I started with the Vic 20 then went to the 64. I had an Amiga 3000 up to a 68060 and of course Lightwave and the Video Toaster by NewTek. Now that Amiga was a system which I adored. I find Linux similar, but I love the drag and drop of the Amiga, especially for devices.
>>
>> I run an AMD Phenom II 945 now, initially with Win 7 x64 Ultimate. Am totally fed up with Windows. I like Fedora very much and am extremely impressed with security. I freaked out when Clamav found a trojan in my mozilla directory, only to see it was the test virus that comes with clamav.
>>
>> I have a home network here with 2 other computers on it, both Win 7 machines. We do not share mail service and only share music and videos from this machine (fat 4 terabyte HD). Anyway I think I will let it run for a bit, but I'm still not sure I want it on. Still have really no need unless viruses start to take hold with Linux. At the very same time, once the damage is done by a nasty virus it is too late. Some protection is needed, I would think.
>>
>> I put in a backup Win 7 DVD and scanned it. Clam AV found 4 on the DVD. Bitdefender for Unices found 15.
>>
>> Michael
>
> It is mostly a personal choice, but if you want to protect the two doze computers from infecting each other with shared files that are controlled on the Fedora box, you can run clam on that to catch it. I run Symantec Corporate on all my workstations, and on my fileserver (a Fedora box with a large amount of space) to protect my systems from spreading viruses. I am less concerned with the linux box getting infected, though, as was pointed out earlier in the thread, the attackers go for the lowest hanging fruit first. At the very least it can help protect against spreading of known viruses.
>
> As a note, Virus Total is a good proving ground on how most AV programs just plain suck half the time, especially with bleeding edge bugs. (Search Sans ISC for articles on that aspect, interesting read if you have time to kill)
>
> ~Seann

Thanks for all the input. Is Clamav the best alternative? It missed viruses that Bitdefender for Unices caught. Although Bitdefender will cost me $$$, which I do not like.

Other than just good practice. I did mess up and was leaving a terminal open as root for a while just for convenience, but that practice has been stopped.
Re: Clamav
From: Michael Miles mmami...@gmail.com
Sent: Friday, 2010/April/16 14:55

> On 04/16/2010 01:39 PM, jdow wrote:
>> From: Patrick O'Callaghan pocallag...@gmail.com
>> Sent: Thursday, 2010/April/15 12:50
>>
>>> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>>>> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.
>>>
>>> Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.
>>
>> 1) I have seen at least one active exploit, I fortunately recognized myself, for Linux in my mumble years with computers. (longer than yours, sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made some money off that system) had online exploits.)
>>
>> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread, water, and roof, let alone any recreation. So I have Windows machines around. ClamAV is handy to have in the Linux machine, which is the master server for the system.
>>
>> 3) If you read the kernel list a little more you'd discover enough chatter about obvious items of vulnerability you'd want to put a condom on your computer.
>>
>> 4) I will agree with you as far as to say Linux is not as vulnerable as Windows. That is mostly because it is still perceived as being a boutique OS with savvy users. When that changes I expect to see numbers of active exploits out on the Internet to increase sharply. I would prefer a casual date put on his condom BEFORE rather than AFTER he makes motions to impregnate me, which at my age is hopeless.
>>
>> {^_^}
>>
>> Fortunately Joanne has not had to reinstall YET.
>
> I started with the Vic 20 then went to the 64. I had an Amiga 3000 up to a 68060 and of course Lightwave and the Video Toaster by NewTek. Now that Amiga was a system which I adored. I find Linux similar, but I love the drag and drop of the Amiga, especially for devices.
>
> I run an AMD Phenom II 945 now, initially with Win 7 x64 Ultimate. Am totally fed up with Windows. I like Fedora very much and am extremely impressed with security. I freaked out when Clamav found a trojan in my mozilla directory, only to see it was the test virus that comes with clamav.
>
> I have a home network here with 2 other computers on it, both Win 7 machines. We do not share mail service and only share music and videos from this machine (fat 4 terabyte HD). Anyway I think I will let it run for a bit, but I'm still not sure I want it on. Still have really no need unless viruses start to take hold with Linux. At the very same time, once the damage is done by a nasty virus it is too late. Some protection is needed, I would think.
>
> I put in a backup Win 7 DVD and scanned it. Clam AV found 4 on the DVD. Bitdefender for Unices found 15.

ClamAV is well regarded. It's not one of the top three or four around. It is free. It also catches and marks many (not all) social engineering attacks. I use a ClamAssassin configuration. ClamAV scans the email. I so seldom browse from the Linux machine I don't scan it. (Now, if I was PAID (well) to do Linux software I'd start doing that instead.)

(The first computer I worked on was an IBM 7090. Some time later I played with HP 2100s with nice vector graphics CRT displays. I did some nice electronics circuit design using those toys - built my own circuit analysis program. So I've been at it awhile. {^_-} = = If you had a Microbotics HD controller for that Amiga, I did the software.)

{^_^}
Re: Clamav
On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Thursday, 2010/April/15 13:31
>
>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>> Is Fedora really that secure?
>>
>> Even if we limit the discussion to email viruses, that's a very complex and difficult question (to which the answer is yes :-). It's not an attribute exclusive to Fedora as such, but to all Unix-based systems, mainly for three reasons:
>>
>> 1) The mail client isn't running as root.
>>
>> 2) Even when running as root, Linux mail clients won't blindly execute attachments.
>>
>> 3) Even for executable attachments, the virus is written for Windows and won't run on Linux.
>>
>> Of course it's in principle possible to get past all the above barriers, so *in theory* you can have a Linux virus, assuming the user is stupid enough to run an unknown executable. As I say, I've never seen one in the wild.
>>
>>> I come from windows and I am amazed at how not secure windows is.
>>
>> See (3) above. Most viruses are written for Windows as it's the most popular platform. MS likes to pretend that's the only reason it gets all the grief, but there are other factors.
>
> Patrick, the best AV tool of all is a savvy user given the number of social engineering attacks of late. And, at least historically, 'ix users have been quite savvy about security. That makes a huge difference. A single mistake running something you should not have because it looks important can bust your whole day. Based on the security forums I read I'd not consider Linux bullet-proof today - kernel null pointer dereferences and mmap are your enemy du jour.

Again, you're answering the wrong question. This thread is not about the general security or otherwise of Linux. It's about vulnerability to viruses.

poc
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com
Sent: Friday, 2010/April/16 16:50

> On Fri, 2010-04-16 at 13:39 -0700, jdow wrote:
>> 1) I have seen at least one active exploit, I fortunately recognized myself, for Linux in my mumble years with computers. (longer than yours, sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made some money off that system) had online exploits.)
>
> What has this got to do with viruses? Are any of the exploits you mention communicable by virus? Every one I've seen so far requires the attacker to be physically sitting in front of a system console.

I don't care how malware is transmitted, if it can infect the machine I want it discovered and eliminated. Perhaps a better term would be anti-malware. So focusing minutely on virus alone is silly and tendentious on your part.

>> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread, water, and roof, let alone any recreation. So I have Windows machines around. ClamAV is handy to have in the Linux machine, which is the master server for the system.
>
> Which is exactly what I said, if you care to re-read my earlier post.

You also said Linux machines were perfectly safe. And I reacted by saying I don't believe that. Active exploits exist for Linux. Some are transmitted by email and activated in one of the more or less standard ways. People said MacOS was perfectly safe, too. Once attention turned to them the exploits started flowing.

As a little point of interest, why do I see many times as many updates for Linux come down the pike as compared to Windows? If I turned off automatic updates how long before I had problems?

shrug You have your machines to deal with. I have mine.

{^_^}
Re: Clamav
From: Patrick O'Callaghan pocallag...@gmail.com
Sent: Friday, 2010/April/16 16:51

> On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>> From: Patrick O'Callaghan pocallag...@gmail.com
>> Sent: Thursday, 2010/April/15 13:31
>>
>>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>>> Is Fedora really that secure?
>>>
>>> Even if we limit the discussion to email viruses, that's a very complex and difficult question (to which the answer is yes :-). It's not an attribute exclusive to Fedora as such, but to all Unix-based systems, mainly for three reasons:
>>>
>>> 1) The mail client isn't running as root.
>>>
>>> 2) Even when running as root, Linux mail clients won't blindly execute attachments.
>>>
>>> 3) Even for executable attachments, the virus is written for Windows and won't run on Linux.
>>>
>>> Of course it's in principle possible to get past all the above barriers, so *in theory* you can have a Linux virus, assuming the user is stupid enough to run an unknown executable. As I say, I've never seen one in the wild.
>>>
>>>> I come from windows and I am amazed at how not secure windows is.
>>>
>>> See (3) above. Most viruses are written for Windows as it's the most popular platform. MS likes to pretend that's the only reason it gets all the grief, but there are other factors.
>>
>> Patrick, the best AV tool of all is a savvy user given the number of social engineering attacks of late. And, at least historically, 'ix users have been quite savvy about security. That makes a huge difference. A single mistake running something you should not have because it looks important can bust your whole day. Based on the security forums I read I'd not consider Linux bullet-proof today - kernel null pointer dereferences and mmap are your enemy du jour.
>
> Again, you're answering the wrong question. This thread is not about the general security or otherwise of Linux. It's about vulnerability to viruses.

If you are being picky regarding virus, trojan, etc then begone little boy, you bother me.

It does not matter one bit the means of transmission if the system is compromised in a manner that a piece of what is conventionally called anti-virus software would have prevented the problem? I do not consider Linux to be bullet proof for malware, particularly web and email distributed malware, at this moment. It's pretty good. But if it takes your personal machine down with all your records it kinda ruins your whole day even if you have good backups. Reinstalling everything is rather a pain in the place upon which you sit.

{^_^}
Re: Clamav
On Fri, 2010-04-16 at 19:37 -0700, jdow wrote:
> You also said Linux machines were perfectly safe. And I reacted by saying I don't believe that. Active exploits exist for Linux. Some are transmitted by email and activated in one of the more or less standard ways. People said MacOS was perfectly safe, too. Once attention turned to them the exploits started flowing.
>
> As a little point of interest, why do I see many times as many updates for Linux come down the pike as compared to Windows? If I turned off automatic updates how long before I had problems?

more attitude and useful information is being exchanged here in general. I would tend to agree that the current trend is malicious web code rather than e-mail borne virus and I presume that is because the various mail servers have gotten fairly effective at blocking them. Clearly no OS is safe from exploit. The most effective security method employed on Linux is simply not to run as superuser, where most Windows and Macintosh users are running as superuser and the software leaves it to the user to figure out how to run with less privileges (very possible but not the typical usage).

As for the number of updates from Fedora, some are security related fixes and most are not, but as you surely realize by now, Fedora packaging allows for updates from various packages which tend to be numerous and small, whereas for comparison purposes, the last monolithic update for OS X 10.6 was almost 3/4 of a Gigabyte.

Clamav is essentially a detector for known Windows exploits, useful if you are running a mail server or file server for Windows systems but little else.

Craig

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Re: Clamav
On 04/16/2010 04:26 PM, jdow wrote:
> From: Seann Clark nombran...@tsukinokage.net
> Sent: Friday, 2010/April/16 15:00
>
>> As a note, Virus Total is a good proving ground on how most AV programs just plain suck half the time, especially with bleeding edge bugs. (Search Sans ISC for articles on that aspect, interesting read if you have time to kill)
>>
>> ~Seann
>
> Two good sources. I don't TOUCH the Symantec viruses. My partner is stuck using the corporate version through his work at UniSys. I personally use Avira. It's done VERY well so far. They even responded nicely and promptly to a false alarm I found in some software I wrote that used some (over the top) encryption.
>
> {^_^}

I looked at the Avira antivirus free and it is a very well done package. I could not find an x64 version, or is it packaged in an i386 file?

Turned up trojans in wine when I did a full system scan. I did not do anything to them in case they were false positives, but there were 7 in total.
Re: Clamav
On Fri, 2010-04-16 at 19:37 -0700, jdow wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Friday, 2010/April/16 16:50
>
>> On Fri, 2010-04-16 at 13:39 -0700, jdow wrote:
>>> 1) I have seen at least one active exploit, I fortunately recognized myself, for Linux in my mumble years with computers. (longer than yours, sonny, although I took a 6 year hiatus in there. {^_-}) (Even my beloved Amiga (made some money off that system) had online exploits.)
>>
>> What has this got to do with viruses? Are any of the exploits you mention communicable by virus? Every one I've seen so far requires the attacker to be physically sitting in front of a system console.
>
> I don't care how malware is transmitted, if it can infect the machine I want it discovered and eliminated. Perhaps a better term would be anti-malware. So focusing minutely on virus alone is silly and tendentious on your part.

On the contrary, the tendentiousness is on your part for insisting on turning the thread into something it wasn't about. The OP asked whether he needed an AV. I said he probably didn't unless he was supporting Windows machines as a server. That is the entire content of the exchange between the OP and myself. I have no interest whatever in turning this thread into a discussion of the merits or otherwise of Linux versus Windows (or MacOS or anything else) in regard to anything except what the OP asked about. Is this so hard to understand?

>>> 2) Some of us live on mixed networks. Open Sores does NOT pay for my bread, water, and roof, let alone any recreation. So I have Windows machines around. ClamAV is handy to have in the Linux machine, which is the master server for the system.
>>
>> Which is exactly what I said, if you care to re-read my earlier post.
>
> You also said Linux machines were perfectly safe.

This is simply untrue. You seem to be taking part in some fantasy version of this conversation which has no relation to what anyone actually said.

poc
Re: Clamav
On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
> From: Patrick O'Callaghan pocallag...@gmail.com
> Sent: Friday, 2010/April/16 16:51
>
>> On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>>> From: Patrick O'Callaghan pocallag...@gmail.com
>>> Sent: Thursday, 2010/April/15 13:31
>>>
>>>> On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>>>>> Is Fedora really that secure?
>>>>
>>>> Even if we limit the discussion to email viruses, that's a very complex and difficult question (to which the answer is yes :-). It's not an attribute exclusive to Fedora as such, but to all Unix-based systems, mainly for three reasons:
>>>>
>>>> 1) The mail client isn't running as root.
>>>>
>>>> 2) Even when running as root, Linux mail clients won't blindly execute attachments.
>>>>
>>>> 3) Even for executable attachments, the virus is written for Windows and won't run on Linux.
>>>>
>>>> Of course it's in principle possible to get past all the above barriers, so *in theory* you can have a Linux virus, assuming the user is stupid enough to run an unknown executable. As I say, I've never seen one in the wild.
>>>>
>>>>> I come from windows and I am amazed at how not secure windows is.
>>>>
>>>> See (3) above. Most viruses are written for Windows as it's the most popular platform. MS likes to pretend that's the only reason it gets all the grief, but there are other factors.
>>>
>>> Patrick, the best AV tool of all is a savvy user given the number of social engineering attacks of late. And, at least historically, 'ix users have been quite savvy about security. That makes a huge difference. A single mistake running something you should not have because it looks important can bust your whole day. Based on the security forums I read I'd not consider Linux bullet-proof today - kernel null pointer dereferences and mmap are your enemy du jour.
>>
>> Again, you're answering the wrong question. This thread is not about the general security or otherwise of Linux. It's about vulnerability to viruses.
>
> If you are being picky regarding virus, trojan, etc then begone little boy, you bother me.
>
> It does not matter one bit the means of transmission if the system is compromised in a manner that a piece of what is conventionally called anti-virus software would have prevented the problem?

Which of the vulnerabilities discussed on the kernel list is communicable via an email message in such a way as to compromise the security of the target system without manual intervention on the part of its user? Please be specific.

poc
Re: Clamav
On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.

Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.

poc
Re: Clamav
On 04/15/2010 12:50 PM, Patrick O'Callaghan wrote:
> On Thu, 2010-04-15 at 12:22 -0700, Michael Miles wrote:
>> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.
>
> Given that you say so yourself, the logical question is why do you need Clamav? Clamav is usually installed by people running mail servers for users who access them from Windows. If all you're doing is reading mail in Linux, it's extremely unlikely that you even need it. In 35 years of using first Unix and then Linux, I have yet to see a single virus that wasn't a proof-of-concept demo.
>
> poc

This is really what I have been wrestling with myself: why do I really need it? Is Fedora really that secure?

I come from windows and I am amazed at how not secure windows is. So thank you, as I don't really need it. The only time I get a reaction from virus software with Linux is when I put in a Windows 7 backup DVD.
Re: Clamav
On 04/15/2010 03:22 PM, Michael Miles wrote:
> How on earth do I set this up to get virus definitions that selinux won't jump all over? I just want email scanned out and in.
>
> I tried the latest 96, could only find i686 rpm for clamav, clamd, freshclam. I am running Fedora 12 x86_64. The fedora repo has version 95 only. I installed the i686 version of 96 but selinux is freaking out stopping the update.
>
> I have removed all and I will wait for proper instruction as I really do not know enough about this OS.
>
> Is there a proper order for install?

What avc messages are you seeing? Are you saying the yum update is failing or after you start clamd, you get lots of avc messages?
Re: Clamav
On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
> Is Fedora really that secure?

Even if we limit the discussion to email viruses, that's a very complex and difficult question (to which the answer is yes :-). It's not an attribute exclusive to Fedora as such, but to all Unix-based systems, mainly for three reasons:

1) The mail client isn't running as root.

2) Even when running as root, Linux mail clients won't blindly execute attachments.

3) Even for executable attachments, the virus is written for Windows and won't run on Linux.

Of course it's in principle possible to get past all the above barriers, so *in theory* you can have a Linux virus, assuming the user is stupid enough to run an unknown executable. As I say, I've never seen one in the wild.

> I come from windows and I am amazed at how not secure windows is.

See (3) above. Most viruses are written for Windows as it's the most popular platform. MS likes to pretend that's the only reason it gets all the grief, but there are other factors.

poc
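As an added illustration of point (3) above and of the "mail server for Windows users" case earlier in the thread (example code, not from any poster), the following Python script parses a message and reports, for each attachment, whether its bytes carry a Windows PE or a Linux ELF header, independent of the content type the sender declared. The labels, function names and the sample message are my own constructions.

```python
"""Triage e-mail attachments by executable magic bytes (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of native executables for each platform. Labels are
# hypothetical names chosen for this example.
MAGIC = (
    (b"MZ", "windows-pe"),      # DOS/PE stub: runs on Windows, not natively on Linux
    (b"\x7fELF", "linux-elf"),  # ELF header: would run on Linux only if a user executed it
)


def classify(data: bytes) -> str:
    """Return a platform label for an attachment body, or 'other'."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "other"


def triage(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and classify every attachment.

    Returns one (filename, label, declared content-type) tuple per attachment,
    so the sender-declared type can be compared against the actual bytes.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""
        rows.append((part.get_filename(), classify(body), part.get_content_type()))
    return rows


def build_sample() -> bytes:
    """Constructed sample message with three harmless attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "files"
    msg.set_content("see attached")
    # A PE-shaped blob declared as a PDF: the declared type does not match the bytes.
    msg.add_attachment(b"MZ" + b"\x00" * 58 + b"\x40\x00\x00\x00",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    # An ELF-shaped blob: the only one that could execute on the Linux host itself.
    msg.add_attachment(b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       maintype="application", subtype="octet-stream", filename="update")
    # Plain text: neither.
    msg.add_attachment("just text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, label, ctype in triage(build_sample()):
        print(f"{name}: {label} (declared {ctype})")
```

A real mail scanner such as ClamAV matches signatures rather than just headers; this check only shows which attachments are executables at all, and for which platform.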