AVG Ventures Into Linux Malware Protection

  • AVG Ventures Into Linux Malware Protection

    Phoronix: AVG Ventures Into Linux Malware Protection

    While anti-virus and anti-malware is not much of a problem on Linux at this time, AVG has added this anti-malware protection to their Linux security software. AVG has supported Linux for some time when it comes to virus and spam protection, but with version 8.5 they have expanded their anti-malware support...

  • #2
    And what exactly is this good for?


    • #3
      This is *the* thing that Windows users miss! Now they can all switch, because the resource-demanding antivirus, antispam and anti-malware are all there!


      • #4
        An absolute pile of shit for sure. The theory might be that even though the viruses don't infect Linux, they could be shared with a Windows computer and get it infected.

        So maybe you have some Windows desktops and a Linux file server and want to have it be able to scan itself for viruses, makes sense..

        But fuck that anyway..


        • #5
          lol they don't even have it in a 64-bit flavour. total trash. Maybe they exchanged Linux for Windows?


          • #6

            The biggest security problem on Linux as I see it is hacking. Especially on servers.

            IMO automated scripts like worms, viruses or other forms of malware are difficult to create for the Linux ecosystem since there's a lot of diversity. But manual hacking is a lot easier.

            There are a lot of great tools out there (snort comes to mind, rootkit removal programs and the usual diagnostics like nmap and the like). What I want is some sort of "super-application", preferably with a GUI, that combines all these different techniques (IDS, IPS, rootkit detection and removal, firewall, user accounts, block root on SSH, sudo management, etc, etc, etc)

            A really nice security suite for Linux. One interface to handle all your security issues. Of course you can add malware and virus stuff just in case if we would ever have to deal with that in the future.

            Right now it's more or less a mess. You have to keep track of a lot of different applications and scripts, set them up one by one and reading the logs is awful.

            So, is there anyone in here who knows if there's some effort on creating such an application for Linux? I would prefer some network support so that I can use my desktop computer in Sweden with a GUI to manage the X-less server in Canada.

            If I did not already have another project on my hands I would totally start something like this. But it's big and would take a lot of time. Maybe there's already a great project to expand upon?

            All tips are welcome.
            Last edited by ephracis; 05-04-2009, 04:03 PM.


            • #7
              I have two words: btrfs and subvolumes

              Subvolumes are a btrfs feature that makes a directory pretend to be /.

              The commercial SSH has this feature, so users can't escape from their user directory.

              But having this in the FS seems like the right solution.


              • #8
                @curaga, oneman, bulletxt: Gee, what a level-headed discussion we're having here. (NOT)

                @RealNC: This is good for not having to boot into Windows whenever your Windows-using friends hand you an infected drive, because they know you can "fix" things like that.

                @TFA: Resource handling improvements? Here we call it "fixing CPU leak bug" but whatever...
                *goes to the site to get the new package*
                *wonders why there's no AVG in the Utils menu anymore*
                *does some Google-fu*...
                Posted by: umelec - Moderator (IP Logged)
                Date: April 30, 2009 12:29PM

                AVG 8.5 does not have a UI. It can be accessed and checked only via the command line.
                So that's how they "fixed" the resource hog? Smooth move!
                I hope they use this opportunity to switch to Qt.


                • #9
                  Originally posted by myxal
                  @curaga, oneman, bulletxt: Gee, what a level-headed discussion we're having here. (NOT)
                  It remains to be seen that it's anything other than "levelheaded".

                  I don't know about you, but in the large, Anti-Virus stuff as it's defined in Windows is only useful to a Linux user if they're providing Samba shares for Windows users or skimming their E-mail.

                  @RealNC: This is good for not having to boot into Windows whenever your Windows-using friends hand you an infected drive, because they know you can "fix" things like that.
                  Considering that one of the BEST programs for this sort of thing, ClamAV, happens to RUN under Linux and is available on live CDs, such as SysRescueCD, I don't think it's of much usefulness. Why spend money on something suboptimal?


                  • #10
                    ClamAV seems to have one of the worst detection rates ever in an anti-virus app.


                    • #11
                      No 64-bit....even if I wanted to use it, I wouldn't bother.


                      • #12
                        Originally posted by whaevr
                        No 64-bit....even if I wanted to use it, I wouldn't bother.

                        If you use wine religiously or run a fileserver it may be useful (and I stress "may"). For the rest of us this is more or less pointless at the present time.


                        • #13
                          Originally posted by L33F3R

                          If you use wine religiously or run a fileserver it may be useful (and I stress "may"). For the rest of us this is more or less pointless at the present time.
                          Both yes and no.

                          First, we share the same flash memory devices with others who might run Windows. While we don't give a darn about it, others may not like your pendrive or mp3 player containing bad surprises.
                          The second case is Samba shares.
                          Another one is Windows volumes you can fix. I wish I had reliable antivirus software able to scan and remove threats in the MBR, boot sector and files and fix the Windows registry, running under Linux.
                          I agree ClamAV has a bad record here. It's good for email scanning, but it's p*ss-poor at detecting malware in files.
                          When one of my customers calls for help, I just go there, boot from a pendrive, launch a scan, then have a nice chat with his secretary or just browse the net. When the AV does its job, leave the bill, get your cash, call it a day and celebrate it with a cold one when you're home. Who wouldn't love such a job

                          In the end, while it's difficult to infect Linux system-wide, user files can still get vired. The guys that write viruses target the most common software, and though Linux is not so popular, Firefox and Thunderbird are. Do you really think it is not possible to hijack the browser and make it run some extra code at application launch?
                          Writing viruses is more of an identity theft business than the fun it used to be, and those guys get really smart. What got vired is less relevant as long as your personal data (bank account logins, passwords etc..) leak or your mails or documents can be deleted.
                          We just have the luxury of being able to log in as a different user and fix the problem without reinstalling the OS.


                          • #14
                            yea so the majority of it would protect against nasties coded for windows.


                            • #15
                              Some points...

                              1. It's true that Linux is vulnerable to focused human attacks. So is Windows, of course, but due to the diversity and the security model in Linux a generic attack is a waste of time.

                              2. It's very easy to write a virus for Linux. The binary format used by Linux is called ELF. It's open and easy to manipulate. So it's easy to stick a malicious payload into an existing binary...

                              That is to say a person can take an existing Linux binary and stuff a virus into it. That's the classic definition of a virus. Like how a real-life virus is nothing but protein surrounding some DNA and infects existing human cells as a generator for making new viruses.

                              This is different from a worm, or rootkit, which tend to be stand alone programs....

                              To prove the fact that Linux is an easy target for viruses a person even wrote a how-to on it.

                              Of course like point one it's the Linux security model and diversity, along with low market penetration that keeps virus writers at bay.

                              3. This is one of the major reasons why people are encouraged to use repositories and package management software for installing software and not to use source code or binary downloads.

                              Apt-get uses signed package lists that contain SHA hashes of packages from those repositories. A single bit changed will throw a security alert. RPM packages are individually signed so a similar situation is involved.

                              Otherwise if an attacker was able to subvert a web server hosting your repository then they could easily modify the packages to install malicious software. As long as the signing and hashing of packages is done on a separate system from the one that hosts the packages then security for Linux software is very high.

                              4. Virus software is the worst sort of security snake oil being sold to the PC market.

                              Most people think that it is useful for _removing_ viruses. Which it is NOT. It's completely worthless for removing and detecting virus threats that exist on your system. Complete and total shit. Complete shit in Windows and complete shit in Linux. The only reason why it would _seem_ to work is due to the incompetence or laziness of the virus writers.

                              It is EASY to circumvent any sort of Rootkit detection or Virus detection software in any operating system. It's VERY VERY easy to do that in Linux.

                              How they are able to do that is through the use of an LKM rootkit. What this is is that an attacker uses a Linux module to modify how the Linux system operates to disguise the rootkit from administrators and rootkit scanners.

                              Since the attacker is operating at the kernel-level and virus scanning and rootkit scanning is operating at the userland level then the attacker can easily circumvent any attempts to detect him.

                              The ONLY.

                              And I mean this VERY SERIOUSLY.

                              THE ONLY way to RELIABLY (as in you can depend on it) detect an LKM rootkit is to use system-wide checksums where the checksumming program is run from another OS.

                              That is you boot up your Linux server or PC with a Knoppix CD or other live media and run a program like Tripwire or other host-based IDS (intrusion detection system) on your system and compare it against the records.

                              This is because if you have an LKM in your system then this deactivates it since you're booting up using a completely separate kernel.

                              Other tricks like using RPM's checksumming features or running Tripwire or other host-based IDS from inside your system won't work since those can be subverted by an LKM. It has to be a separate OS, preferably one that is from read-only media.

                              And you have to run these checks periodically and store the recorded checksums in a secure manner.

                              And that is the _only_ solution right now. Needless to say it's very expensive and irritating to do that so most people do not do that.

                              I don't give a flying fuck what Host-based IDS or Virus scanners or anybody else might say to the contrary. This is the only way to 100% reliably detect an attacker on your system. Anybody who says otherwise is a fool or a liar or both.

                              Except maybe with TPM (trusted platform module). What those can do is that they use checksumming from boot-up to create a 'chain of trust' that can be used to validate an OS.

                              So your motherboard has a TPM module. It checks your bootloader, 'Trusted GRUB'. If Trusted GRUB is ok then it checks your kernel. If your kernel is OK then it boots your kernel. Your kernel then checks the various LKMs it needs to access your file system and all that. If those are OK then it begins to boot the OS. Then the Linux + LKM check the various sensitive system programs and boots those... then those security programs check your OS. etc etc.

                              But almost nobody does that either.

                              This is also true for Windows. Kernel-level rootkits have existed for Windows since Windows 2000. Nowadays they are very sophisticated and are easily able to subvert and trick virus scanners.

                              These are not secret. They are easy to obtain and modify. Many are even open source and the virus and malware industry is worthless against them.

                              You can put extra software into the kernel to try to detect and fight kernel-level rootkits, but at that point it's an arms race. And as you can imagine shoving all that extra code into the kernel does not do good things for stability or performance.

                              So while very sophisticated anti-malware software can fight against kernel-level rootkits, they are anything but reliable. Any new threats or unknown threats they are worthless against. Only older stuff.


                              5. What Virus scanners are good for is detecting KNOWN threats PRIOR to having them installed on your system. That is they are good for email scanning, scanning removable media before they are accessed by the OS, scanning downloaded files before you open them, etc. etc.

                              However they are not very effective against unknown or targeted attacks, which are the ones that Linux is vulnerable against.

                              This is because the Linux OS developers are quick to address local security vulnerabilities as well as remote security vulnerabilities. So unless an attacker uses social engineering to convince a user to install malicious software, which a virus scanner is mostly worthless against, then Linux OS is good against threats of that nature.

                              So Virus scanners do not detect or defend against the sort of threats that are likely to be used against Linux users.

                              6. So use this product as part of a file server that users can upload to (so that Windows users don't infect other Windows users) and for email filtering, and that sort of thing.

                              ClamAV is also good for that sort of thing and you can install it using apt-get or yum.
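The offline integrity check that point 4 of the post above argues for, as an added example that is not code from the thread or from any of the tools it names: a small Python script meant to be run from a separately booted rescue system against the inspected machine's mounted (not booted) root, so that no kernel module of the inspected system is running while the files are hashed. The root path, the watched directories and the baseline file format (`<sha256>  <relative path>` per line, kept off the machine) are assumptions made for the example; it builds the baseline, and later reports which files under those directories were modified, added or removed relative to it.

```python
import hashlib
import os

# Added example, not from the thread. Run from rescue media against the
# inspected system's root mounted read-only at e.g. /mnt/target (assumed path).
# Baseline lines are "<sha256>  <relative path>", stored off the machine.

WATCHED = ("bin", "sbin", "lib", "boot", "etc")  # assumed set of directories


def hash_file(path, chunk=1 << 20):
    """SHA-256 of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root, subdirs=WATCHED):
    """Map relative path -> sha256 for regular files under the watched dirs.
    Symlinks are skipped; their targets are hashed through their own entries."""
    result = {}
    for sub in subdirs:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                if os.path.islink(full) or not os.path.isfile(full):
                    continue
                result[os.path.relpath(full, root)] = hash_file(full)
    return result


def dump_baseline(snap):
    """Serialise a snapshot in sha256sum-style lines, sorted for stable diffs."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(snap.items()))


def load_baseline(text):
    """Parse the baseline text back into a path -> digest map."""
    baseline = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            baseline[path] = digest
    return baseline


def compare(baseline, current):
    """Return (modified, added, missing) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing
```

Any entry in the modified or added lists under `bin`, `sbin` or `lib` that no package upgrade explains is the signal the post describes; the baseline must be taken when the system is known good and re-taken after every legitimate update.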