AntiVirus?

Paul A. Houle ph18 at cornell.edu
Mon Mar 21 15:19:55 UTC 2005


On Fri, 18 Mar 2005 21:49:15 -0500, Paul Iadonisi <pri.rhl3 at iadonisi.to>  
wrote:

>
>   Both Chuck and Geoff are correct, IMO.  AV is the wrong solution to
> the *alleged* future problem with Linux viruses.  Go read
> http://www.linuxmafia.com/~rick/faq/index.php?page=virus for a good
> debunking of that threat, as well as some good entertainment ;-).
>   But something like clamav to protect *Windows clients* in a GNU/Linux
> based server environment does make sense.  At least until FOSS takes
> over the world.

	The arguments in that essay are specious,  IMO.

	The root privilege separation would be no barrier to making an e-mail  
worm that propagates on Linux systems,  or a "botnet" that can launch  
attacks on other network hosts.

	It's true that the root separation limits the damage that a hostile  
program can do,  but it doesn't eliminate it,  and in the area of network  
attacks,  the restrictions are quite limited.  (Yeah,  you need root to do  
an ICMP flood,  but a UDP flood does the same damage and confounds  
sysadmins more;  there are lots of phun things you can do with packets,   
but you can make any server go off the air without root privilege if you  
control 6000 bots.)

	The 'immunity' of Linux and MacOS X is mainly immunological and  
cultural.  People who use those OSes don't assume they can mail a binary  
to random people and expect them to run it.  So mail clients require a few  
more clicks to do it in Linux (but not MacOS X;)  nobody expects to fill  
up a Linux machine with commercial junkware,  so nobody bothers writing  
spyware that hitches a ride on it.  "root" separation does make the junk  
easier to remove than it would be otherwise,  but doesn't stop it from  
being a problem.

	When it comes down to it,  the number of vulnerable machines that run  
non-Windows operating systems just isn't enough to get over the  
percolation threshold that makes many kinds of worm attack worthwhile.

	Privilege escalation attacks are legion in all operating systems,  and  
it's a good bet to assume that there will be some way to break root in  
FC4.  Assuming that many people don't patch,  this 'identical  
configuration' could be worth attacking if it goes over the percolation  
threshold.

------

	I'm no fan of AV software.  It causes problems.  (For instance,  during a  
virus crisis I have to turn it off if I want to read my e-mail,  because  
it will b0rk my e-mail program otherwise.)  We had problems at a place  
where we worked because our AV filter was being triggered by an ordinary  
English string that happened to be inside a common virus.

	The trouble with the whole "digital immune system" paradigm is the  
same as that of the real immune system.  Our immune system is full of  
interlocks designed to prevent it from attacking 'self' cells.  For  
instance,  an immune receptor on a T- or B- cell won't get activated  
unless co-receptors get activated,  and B-cells won't pump out antibodies  
until they get confirmation from a helper T-cell that there really is a  
problem.

	Despite all that,  almost 10% of people in the US are walking around with  
an asthma inhaler.  50 million Americans have allergies...  Anything that  
tries to recognize "bad" patterns of bits or "bad" patterns of bad  
software behavior is going to have false alarms that sometimes make the  
machine inoperable.
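The false-alarm point made in this message (an AV filter tripping on an ordinary English string that happened to appear inside a virus) can be shown with a toy scanner. The code below is an added illustration, not part of the original post or of any real AV product. The "malware" sample and the benign e-mail are constructed byte strings; the signature names, the fake header bytes and the helper functions are all hypothetical. It contrasts a signature that fires on a single pattern with one that, like the immune co-receptors described above, only fires when corroborating indicators are also present.

```python
"""Toy signature scanner: one-pattern signatures vs. corroborated signatures.

Everything here is constructed for illustration; no real malware or real
AV signatures are involved.
"""

from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed "malware" sample: a fake executable header, an ordinary English
# string that a careless signature author might pick, and some trailing filler.
FAKE_MALWARE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Please see the attached document"
    + b"\xcc\xcc\xcc\xcc"
)

# Constructed benign e-mail that happens to contain the same English string.
BENIGN_EMAIL = (
    b"Hi Paul,\r\n\r\n"
    b"Please see the attached document for the meeting notes.\r\n"
)


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                 # the byte pattern the engine looks for
    corroborators: Tuple[bytes, ...]  # extra indicators that must also appear


def naive_scan(data: bytes, sigs: List[Signature]) -> List[str]:
    """Flag on any single pattern hit, with no further context."""
    return [s.name for s in sigs if s.pattern in data]


def corroborated_scan(data: bytes, sigs: List[Signature]) -> List[str]:
    """Flag only when the pattern *and* every corroborating indicator are present."""
    return [
        s.name
        for s in sigs
        if s.pattern in data and all(c in data for c in s.corroborators)
    ]


# Hypothetical signatures: same primary pattern, differing only in context.
NAIVE_SIG = Signature("Mail.Worm.Toy", b"Please see the attached document", ())
CORROBORATED_SIG = Signature(
    "Mail.Worm.Toy",
    b"Please see the attached document",
    (b"MZ\x90\x00", b"\xcc\xcc\xcc\xcc"),
)


def evaluate(scan: Callable[[bytes, List[Signature]], List[str]],
             sig: Signature) -> Tuple[bool, bool]:
    """Return (detects_malware, flags_benign_mail) for a scanner/signature pair."""
    detects_malware = bool(scan(FAKE_MALWARE, [sig]))
    flags_benign = bool(scan(BENIGN_EMAIL, [sig]))
    return detects_malware, flags_benign


if __name__ == "__main__":
    for label, scan, sig in (
        ("single-pattern signature", naive_scan, NAIVE_SIG),
        ("corroborated signature", corroborated_scan, CORROBORATED_SIG),
    ):
        tp, fp = evaluate(scan, sig)
        print(f"{label}: detects sample={tp}, false alarm on benign mail={fp}")
```

The single-pattern signature catches the sample but also quarantines the harmless e-mail, which is exactly the kind of outage described above. Requiring independent indicators lowers the false-alarm rate, though it does not remove it: any pattern-based detector is still a bet that "bad" bit patterns never show up in "self" data.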
