Clamav

jdow jdow at earthlink.net
Sat Apr 17 07:41:04 UTC 2010


From: "Patrick O'Callaghan" <pocallaghan at gmail.com>
Sent: Friday, 2010/April/16 22:49


> On Fri, 2010-04-16 at 19:43 -0700, jdow wrote:
>> From: "Patrick O'Callaghan" <pocallaghan at gmail.com>
>> Sent: Friday, 2010/April/16 16:51
>>
>>
>> > On Fri, 2010-04-16 at 13:47 -0700, jdow wrote:
>> >> From: "Patrick O'Callaghan" <pocallaghan at gmail.com>
>> >> Sent: Thursday, 2010/April/15 13:31
>> >>
>> >>
>> >> > On Thu, 2010-04-15 at 13:02 -0700, Michael Miles wrote:
>> >> >> Is Fedora really that secure?
>> >> >
>> >> > Even if we limit the discussion to email viruses, that's a very
>> >> > complex and difficult question (to which the answer is "yes" :-).
>> >> > It's not an attribute exclusive to Fedora as such, but to all
>> >> > Unix-based systems, mainly for three reasons:
>> >> >
>> >> > 1) The mail client isn't running as root.
>> >> > 2) Even when running as root, Linux mail clients won't blindly
>> >> > execute attachments.
>> >> > 3) Even for executable attachments, the virus is written for
>> >> > Windows and won't run on Linux.
>> >> >
>> >> > Of course it's in principle possible to get past all the above
>> >> > barriers, so *in theory* you can have a Linux virus, assuming the
>> >> > user is stupid enough to run an unknown executable. As I say, I've
>> >> > never seen one in the wild.
>> >> >
>> >> >> I come from windows and I am amazed at how not secure windows is.
>> >> >
>> >> > See (3) above. Most viruses are written for Windows as it's the most
>> >> > popular platform. MS likes to pretend that's the only reason it gets
>> >> > all the grief, but there are other factors.
>> >>
>> >> Patrick, the best AV tool of all is a savvy user given the number of
>> >> social engineering attacks of late. And, at least historically, 'ix
>> >> users have been quite savvy about security. That makes a huge
>> >> difference. A single mistake running something you should not have
>> >> because it looks important can bust your whole day. Based on the
>> >> security forums I read I'd not consider Linux bullet-proof "today" -
>> >> kernel null pointer dereferences and mmap are your enemy du jour.
>> >
>> > Again, you're answering the wrong question. This thread is not about
>> > the general security or otherwise of Linux. It's about vulnerability
>> > to viruses.
>>
>> If you are being picky regarding "virus", "trojan", etc then begone
>> little boy, you bother me. It does not matter one bit the means of
>> transmission if the system is compromised in a manner that a piece of
>> what is conventionally called "anti-virus software" would have
>> prevented the problem?
>
> Which of the vulnerabilities discussed on the kernel list is
> communicable via an email message in such a way as to compromise the
> security of the target system without manual intervention on the part of
> its user? Please be specific.

Here is a non-LKML reference with a full explanation of the problem:
Some background:
http://blog.ksplice.com/2010/03/null-pointers-part-i/
How to exploit it:
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/

The exploit can be delivered through email and introduced into the
machine via targeted social engineering. If you can be tricked into
allowing it to run, you're toast. ANY means of getting into the
machine and having code execute is sufficient to allow the exploit
to run within the kernel at kernel privilege.

Such means have existed in the past. I've read about the victims' problems
here on this and predecessor lists. That's why chkrootkit and rkhunter
exist. If somebody wishes to make Linux his main computing environment
something which traps intrusions and malware as it enters the machine and
before it's executed can probably save a world of hurt.

I've lost disk drives and suffered the hurt of discovering the first level
backup was bad. I lost some work and emails. If your machine becomes
compromised, what can you save? What can you trust? You have to make an
executive decision and hope your backup is from before the attack. Then
maybe you can recover more recent data and email, if you can trust your
backup to be safe. I prefer to spend some money to protect valuable data
and save valuable recovery time.

What you actually said was, "Clamav is usually installed by people running
mail servers for users who access them from Windows. If all you're doing
is reading mail in Linux, it's extremely unlikely that you even need it."

The first sentence is true. The second one is true but limiting beyond
belief. Computer users do not only use the machine for email. It leaves
an implication that it's probably safe for email. The null pointer
dereference issue makes you vulnerable within email if you can be tricked
into running a program sent in the email. If this is not closed up VERY
quickly I expect a nasty problem for Linux, shortly. The wakeup
call will have the good effect of waking up the community to the little
detail that "nothing's perfect".

As for running other things on the 'ix system, it seems a wine install
so that a person can run something not available for Linux can lead you
into problems. Seems somebody here mentioned an infected Wine install.
I'd not bet all 7 were false alarms. And, if one could manage to escape
the wine cellar....

{^_^} 
