On Tuesday 17 February 2009 17:11:20 Martin Hinner wrote:
> Hi,
>
> I will start one more hot discussion. Sorry if it was discussed
> earlier, I am not regular reader of this mailing-list. I tried to
> search google, found several discussions, but no real result:
>
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
>
> The problem is that some (almost all?) distributions simply execute
> .exe file when you click on it. I was amazed when testing JTAGTest on
> Linux! This is in my opinion quite big issue as ordinary users do not
> have problem clicking on "New folder.exe" on their flashdisk etc. It's
> good that wine is so compatible that it runs even viruses, but I think
> there should be some (optional) protection. The biggest problem seems
> to be removable media, in many distributions mounted under /mnt or
> /media. Please think about this twice before writing "problem is in
> Microsoft not in Wine", "it's not a bug but feature", etc. It's too
> childish IMO.

People who analyze malware seem to use wine to figure out what API calls the
malware is making. Seems like a very good use of Wine to beat the bad guys. I
don't see anything childish about Wine's decision to be bug-for-bug compatible
with Windows.

> - What about creating a configurable list of directories, where wine
> would first ask if you really want to execute the program? It would be
> up to distribution what is set-up by default.

What about having the system virus scanner scan all files you download before
executing them in Wine or any other program? Just because there's not that
many viruses/trojans for Linux yet doesn't mean it's going to stay that way.

> - It's long time I have been interested in viruses, but I think that
> 90% of most common virus infected/trojan .exe files can be pretty
> easily identified.

Yes, if you keep a virus database like virus scanners do. It's a huge pain to
keep those up-to-date. We don't want to deal with that stuff in Wine, there's
enough work left without also pretending to be a virus scanner.

> Almost every modern virus is trying to connect to
> the internet either by opening socket or using few standard DLL
> functions. What about adding some checks to Wine that would check the
> calling function code sample against some small database to see if
> this is a virus and ask user? Or adding some "API" functions to allow
> someone to write such program? I have done quite a lot of work with PE
> loading and code modification and I think it could be moved to level
> when it works without crashing anything.

Right. A pop-up box is going to be the solution. Especially as users
(especially people used to Windows, like most Wine users) learned that these
pop-ups have two buttons, one saying "Go away and do what I told you" and one
saying "Annoy me by not running my program". How many normal users will ever
bother to read the text on Vista's UAC pop-ups?

> Obviously this would have to be global for wine (libwine.so?), not as
> a PE exported API function. Pre-loaded "antivirus" would be able to
> hook Winsock functions + some other important stuff and then check if
> the binary code is not on the list.

If you're really interested, look into resurrecting
http://wiki.winehq.org/ClamAntiVirusIntegration

It has probably bitrotted in the last two years, but it'd at least get you an
idea how something like this could be done.

Cheers,
Kai

--
Kai Blin
WorldForge developer  http://www.worldforge.org/
Wine developer        http://wiki.winehq.org/KaiBlin
Samba team member     http://www.samba.org/samba/team/
--
Will code for cotton.