Thanks -- Martha Adams [2011 Jul 27]
I don't use antivirus software, because I don't use any Microsoft
operating systems (or "excuses for"), so I can't really tell how good or
how bad it is.
What I can tell you is that the ClamAV software for GNU/Linux only scans
for _Windows_ viruses - e.g. if your GNU/Linux box is a mailserver for
Windows clients, or if you want to scan a Windows partition from within
GNU/Linux. There are no GNU/Linux viruses in the wild.
There is of course malware for GNU/Linux (or UNIX in general) and this
is called a rootkit, but a rootkit does not gain anyone root access to
your machine. A rootkit is installed _by_ someone who already _has_
access to your machine so as to hide his presence. This encompasses
(among other things) the replacement of "/bin/ls" and "/bin/ps" by
versions which hide some files or processes from view, respectively.
There is software you can use for scanning for rootkits - e.g.
chkrootkit - and of course, you can also install an intrusion detection
system, like prelude or snort.
Hope this was somewhat helpful. ;-)
--
Aragorn
(registered GNU/Linux user #223157)
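As an added example for this thread (written for this page; it is not chkrootkit's code and not any poster's), the script below performs the kind of check the post alludes to: a user-land rootkit that replaces /bin/ps can filter its own processes out of ps output, but the corresponding /proc/<pid> directories still exist, so comparing the kernel's view under /proc with what ps reports exposes the discrepancy. It assumes a Linux host with procfs mounted on /proc and a ps that accepts `ps -e -o pid=`; it takes the /proc snapshot twice so that processes which merely exited between the two commands are not reported. A kernel-mode rootkit that hooks directory listing hides the /proc entries as well, which this check cannot catch.

```python
"""Detect processes hidden from ps by cross-checking /proc.

Example code written for this page; not from chkrootkit or any poster.
Assumptions: Linux with procfs on /proc and a procps-style ps that
accepts `ps -e -o pid=`. Only user-land ps replacement is detected; a
kernel-mode rootkit can hide the /proc entries too.
"""
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel exposes as numeric directory names under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse `ps -e -o pid=` output: one PID per line and nothing else."""
    pids = set()
    for line in text.splitlines():
        token = line.strip()
        if token.isdigit():
            pids.add(int(token))
    return pids


def hidden_pids(proc_before, ps_pids, proc_after):
    """PIDs present in both /proc snapshots but absent from ps output.

    Requiring a PID in both /proc snapshots filters out processes that
    simply exited between listing /proc and running ps, so a transient
    process is not reported as hidden.
    """
    stable = proc_before & proc_after
    return sorted(stable - ps_pids)


def describe(pid, proc_root="/proc"):
    """Best-effort command line of a PID for the report; '' if unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "cmdline"), "rb") as fh:
            return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        return ""


def check_live():
    """Run the cross-check on the current host and return the hidden PIDs."""
    before = pids_from_proc()
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    after = pids_from_proc()
    hidden = hidden_pids(before, pids_from_ps_output(ps_out), after)
    for pid in hidden:
        print(f"PID {pid} is in /proc but not in ps output: {describe(pid)!r}")
    if not hidden:
        print("no processes hidden from ps")
    return hidden


if __name__ == "__main__":
    check_live()
```

Run it as root so that every /proc/<pid>/cmdline is readable; a non-empty result means either a trojaned ps or a process deliberately hidden by something that patched ps, and the next step is to compare the ps binary against the distribution's package.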
There are also F-Secure
www.f-secure.com/en/web/business_global/products/servers/overview
and F-Prot
www.f-prot.com/download/home_user/download_fplinux.html
but the same restrictions apply:
they scan E-mail that passes THROUGH your Linux "server" and/or
Windows executables that are stored on its disks, i.e. because it is
a samba server, no Linux files.
--
******************************************************************
** Eef Hartman, Delft University of Technology, dept. SSC/ICT **
** e-mail: E.J.M....@tudelft.nl - phone: +31-15-27 82525 **
******************************************************************
You wrote on 27.07.11:
> I don't use antivirus software, because I don't use any Microsoft
> operating systems (or "excuses for"), so I can't really tell how good
> or how bad it is.
> What I can tell you is that the ClamAV software for GNU/Linux only
> scans for _Windows_ viruses -
That's wrong.
> e.g. if your GNU/Linux box is a mailserver for Windows clients, or if
> you want to scan a Windows partition from within GNU/Linux. There are
> no GNU/Linux viruses in the wild.
That's wrong too.
> There is of course malware for GNU/Linux (or UNIX in general) and
> this is called a rootkit, but a rootkit does not gain anyone root
> access to your machine.
And that's wrong too.
Best regards
Helmut
"Ubuntu" - an African word, meaning "Slackware is too hard for me".
You wrote on 27.07.11:
> I'm looking for anti malware resources to use in my Windows and Linux
> systems. I came across a strongly negative review of Clamav, but I
> don't know that that was a third-party, unbiased review.
What do you want to scan?
You should run "rkhunter" on the Linux side, perhaps "chkrootkit" too.
If you want to check your e-mail online: many virus scanners need many
hours to update their virus signature base - during that time the
scanner doesn't recognize some virii.
If you want to scan home directories (e.g. from users who use your
machine as a samba server): that may take many hours. And the machine is
occupied by the scanner and runs slowly for most other applications.
ClamAV does a good job - compared with many other scanners, it does not
do an excellent job (but I don't know any other scanner which always
does an excellent job).
Perhaps take a look at "virusbuster". It's not "free" (after 30 days of
testing), but it works (for my purposes) better than ClamAV.
And both programs can combine their capabilities.
http://arktur.de/Wiki/Zusatzprogramme:Virenschutz#VirusBuster
http://virusbuster.de/node/9
(there may be an english page too ...)
> Hello, Aragorn,
>
> You wrote on 27.07.11:
>
>> I don't use antivirus software, because I don't use any Microsoft
>> operating systems (or "excuses for"), so I can't really tell how good
>> or how bad it is.
>
>> What I can tell you is that the ClamAV software for GNU/Linux only
>> scans for _Windows_ viruses -
>
> That's wrong.
Kindly provide evidence to substantiate that claim.
>> e.g. if your GNU/Linux box is a mailserver for Windows clients, or if
>> you want to scan a Windows partition from within GNU/Linux. There
>> are no GNU/Linux viruses in the wild.
>
> That's wrong too.
Kindly provide evidence to substantiate that claim. And please do note
that I am talking of viruses, specifically.
>> There is of course malware for GNU/Linux (or UNIX in general) and
>> this is called a rootkit, but a rootkit does not gain anyone root
>> access to your machine.
>
> And that's wrong too.
Kindly provide evidence to substantiate that claim.
> Best regards
> Helmut
>
> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
Says a guy who posts from Windows...
I saw a review that did not like ClamAV, too. I think I was looking into
ClamXAV, and I was surprised that it was not universally loved.
If this thread is "recommend your favorite AV," then I would recommend
F-Prot. The virus definitions are cross platform and there is a scanner
app for linux, windows, bsd, and dos: http://www.f-prot.com/products/
The windows version requires a paid license, but the cost is reasonable
(IMO). The windows version can be set up to update its definitions from a
local LAN share. The contents of the definition directory can be updated
via a cron job; that automates the process and minimizes external
bandwidth requirements.
If cost is a primary consideration, then I think a lot more people are
trusting "Microsoft Security Essentials." YMMV. For some people, going to
one vendor is not a problem because they argue that the Windows platform
is already reliant on how competently MS staff is at patching and finding
bugs that are patched monthly. YMMV. I have not personally tested it; I
have used only f-prot (above) and trend micro's online scanner.
--
Douglas Mayne
You wrote on 27.07.11:
>>> I don't use antivirus software, because I don't use any Microsoft
>>> operating systems (or "excuses for"), so I can't really tell how
>>> good or how bad it is.
>>> What I can tell you is that the ClamAV software for GNU/Linux only
>>> scans for _Windows_ viruses -
>> That's wrong.
> Kindly provide evidence to substantiate that claim.
You may distinguish between virus, root kit, worm et al. - I use
"virus" as a short form for "malware".
And I know that ClamAV (and - e.g. - Virusbuster) not only finds Windows
malware but also Linux malware, e.g. "Linux.RST.B".
>>> e.g. if your GNU/Linux box is a mailserver for Windows clients, or
>>> if you want to scan a Windows partition from within GNU/Linux.
>>> There are no GNU/Linux viruses in the wild.
>> That's wrong too.
> Kindly provide evidence to substantiate that claim. And please do
> note that I am talking of viruses, specifically.
"virus" is not strictly defined, and "root kit" too.
"root kits" may work like a virus, or like a worm, or they may work in
some other way.
>>> There is of course malware for GNU/Linux (or UNIX in general) and
>>> this is called a rootkit, but a rootkit does not gain anyone root
>>> access to your machine.
>> And that's wrong too.
> Kindly provide evidence to substantiate that claim.
Hmm - I have seen some root kits on some Linux machines. They had "root"
access.
>> Best regards
>> Helmut
>>
>> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
> Says a guy who posts from Windows...
Ah - a purist. Perhaps a crusader.
I'm not interested in a purebred IT environment. For some jobs I use
Linux, for some jobs I use Windows, for some jobs I use DOS, and then
there may be some microcontroller jobs which use their very special OS.
And for many jobs I use no computer (regardless of its OS).
Please excuse my gerlish!
> virii.
whatever the plural of virus, it cannot be virii.
> Hello, Aragorn,
>
> You wrote on 27.07.11:
>
>>>> I don't use antivirus software, because I don't use any Microsoft
>>>> operating systems (or "excuses for"), so I can't really tell how
>>>> good or how bad it is.
>
>>>> What I can tell you is that the ClamAV software for GNU/Linux only
>>>> scans for _Windows_ viruses -
>
>>> That's wrong.
>
>> Kindly provide evidence to substantiate that claim.
>
> You may distinguish between virus, root kit, worm et al. - I use
> "virus" as a short form for "malware".
When I'm talking of malware in general, I will use the term "malware".
I was speaking specifically about viruses here.
> And I know that ClamAV (and - e.g. - Virusbuster) not only finds
> Windows malware but also Linux malware, e.g. "Linux.RST.B".
>
>>>> e.g. if your GNU/Linux box is a mailserver for Windows clients, or
>>>> if you want to scan a Windows partition from within GNU/Linux.
>>>> There are no GNU/Linux viruses in the wild.
>
>>> That's wrong too.
>
>> Kindly provide evidence to substantiate that claim. And please do
>> note that I am talking of viruses, specifically.
>
> "virus" is not strictly defined, and "root kit" too.
Oh but they are very well-defined. Just because popular lore - i.e. the
incompetent news media - describe any kind of malware as "a virus"
doesn't make it correct yet. I prefer to use the term for what it means
in this context. ;-)
> "root kits" may work like a virus, or like a worm, or they may work in
> some other way.
You probably misunderstand what the term "rootkit" means, then. Again,
a rootkit does not gain you root access to a remote machine. A rootkit
is something you install on a remote machine to which you have already
obtained root access, so as to hide the fact that you 0wn the box
already.
Rootkits hide processes and files by replacing the system utilities that
would expose them, such as "ps" and "ls", and by routing certain
processes to other ports, or make them appear as something other than
what they are in the process list. That's what a rootkit does/is,
nothing else.
Besides, gaining root access is often easy. I have had my share of
experience with very lax UNIX administrators who allow root access via
ssh, and then use a ridiculously easy to guess password. And of course,
they never check their logs for remote logins. We've had lots of
(failed) break-in attempts into our systems from rooted UNIX boxen - one
was a machine belonging to an ISP in Croatia - and when we contacted the
sysadmins with evidence (in the form of logs and traceroutes), they
never got back in contact with us.
>>>> There is of course malware for GNU/Linux (or UNIX in general) and
>>>> this is called a rootkit, but a rootkit does not gain anyone root
>>>> access to your machine.
>
>>> And that's wrong too.
>
>> Kindly provide evidence to substantiate that claim.
>
> Hmm - I have seen some root kits on some Linux machines. They had
> "root" access.
Of course they did. But it already takes root access to _install_ the
rootkit, and the rootkit is there to hide the fact that whomever
installed it does indeed have root access.
>>> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
>
>> Says a guy who posts from Windows...
>
> Ah - a purist. Perhaps a crusader.
Not necessarily. But you seemed to doubt my words in a rather terse
manner, without providing evidence for why you thought I was being
wrong, and all while you were posting from Windows. So that was just my
way of rubbing your nose in that. <grin>
> I'm not interested in a purebred IT environment. For some jobs I use
> Linux, for some jobs I use Windows, for some jobs I use DOS, and then
> there may be some microcontroller jobs which use their very special
> OS.
I'm not being a purebred fanatic, but I will either way never use
Windows if I can help it, even if only because Windows is a perpetual
beta product of an outdated (single-user) design, with poor reliability,
poor performance and poor security. And it's proprietary and is more
trouble than it's worth.
UNIX systems are much more reliable and much more flexible.
> And for many jobs I use no computer (regardless of its OS).
But of course. That goes for myself as well.
> Please excuse my gerlish!
I will not criticize a man over any grammatical mistakes if his native
tongue isn't English. From the official point of view, it is not my
native language either - I'm Belgian myself - although for all intents
and purposes, one could say that it is, since I speak more English than
any other language, and I even think in English.
Only yesterday I was on the phone with someone and I was constantly
looking for the proper words in Dutch because my thoughts are all in
English.
You wrote on 27.07.11:
>> You may distinguish between virus, root kit, worm et al. - I use
>> "virus" as a short form for "malware".
> When I'm talking of malware in general, I will use the term
> "malware". I was speaking specifically about viruses here.
I admire you! The original poster asked for ClamAV, a program which
scans for malware, not only for virii (however "virus" may be defined).
>> "virus" is not strictly defined, and "root kit" too.
> Oh but they are very well-defined.
Where? How?
Are those definitions "official" definitions, like laws or "standards"?
>> "root kits" may work like a virus, or like a worm, or they may work
>> in some other way.
> You probably misunderstand what the term "rootkit" means, then.
No.
Please tell me: what is (in your opinion) the difference between a virus
and a rootkit?
> Again, a rootkit does not gain you root access to a remote machine.
> A rootkit is something you install on a remote machine to which you
> have already obtained root access, so as to hide the fact that you
> 0wn the box already.
> Rootkits hide processes and files by replacing the system utilities
> that would expose them, such as "ps" and "ls", and by routing certain
> processes to other ports, or make them appear as something other than
> what they are in the process list. That's what a rootkit does/is,
> nothing else.
Ok - you seem to believe that some/many/all root kits are really
harmless.
> Besides, gaining root access is often easy.
Yes - that's right. I have (allowed/known) root access on many machines
in several locations. None of the administrators would call me a "root
kit".
>> Hmm - I have seen some root kits on some Linux machines. They had
>> "root" access.
> Of course they did. But it already takes root access to _install_
> the rootkit, and the rootkit is there to hide the fact that whomever
> installed it does indeed have root access.
Maybe - but what is that explanation good for? "root kits" are malware.
>>>> "Ubuntu" - an African word, meaning "Slackware is too hard for
>>>> me".
>>> Says a guy who posts from Windows...
>> Ah - a purist. Perhaps a crusader.
> Not necessarily. But you seemed to doubt my words in a rather terse
> manner, without providing evidence for why you thought I was being
> wrong, and all while you were posting from Windows. So that was just
> my way of rubbing your nose in that. <grin>
Should I understand your explanation? I can't see any relation between
my "no" and the OS of the machine I'm currently working with. Or with
the OS of the machine which manages the internet connection (it runs
under Linux).
Might you believe there's any correlation between an OS and the way to
argue?
>> I'm not interested in a purebred IT environment. For some jobs I use
>> Linux, for some jobs I use Windows, for some jobs I use DOS, and
>> then there may be some microcontroller jobs which use their very
>> special OS.
> I'm not being a purebred fanatic, but I will either way never use
> Windows if I can help it, even if only because Windows is a perpetual
> beta product of an outdated (single-user) design, with poor
> reliability, poor performance and poor security. And it's
> proprietary and is more trouble than it's worth.
> UNIX systems are much more reliable and much more flexible.
Hallelujah!
Sorry - I choose my applications mostly regarding their usability, not
regarding the OS they want to use.
Best regards
Helmut
> Hello, Aragorn,
>
> You wrote on 27.07.11:
>
>>> You may distinguish between virus, root kit, worm et al. - I use
>>> "virus" as a short form for "malware".
>
>> When I'm talking of malware in general, I will use the term
>> "malware". I was speaking specifically about viruses here.
>
> I admire you! The original poster asked for ClamAV, a program which
> scans for malware, not only for virii (however "virus" may be
> defined).
The name of the application is ClamAV, which stands for "Clam
AntiVirus". I was therefore emphasizing virus protection in my reply.
>>> "virus" is not strictly defined, and "root kit" too.
>
>> Oh but they are very well-defined.
>
> Where? How?
> Are those definitions "official" definitions, like laws or "standards"?
Please use a browser of your choice and direct it towards Wikipedia.
>>> "root kits" may work like a virus, or like a worm, or they may work
>>> in some other way.
>
>> You probably misunderstand what the term "rootkit" means, then.
>
> No.
>
> Please tell me: what is (in your opinion) the difference between a
> virus and a rootkit?
A computer virus is a piece of code that attaches itself to executable
files and propagates when the infected executables are being run. Such
viruses do exist for GNU/Linux as "proof of concept", but only under
controlled conditions, since the security model of a UNIX system - to
which GNU/Linux adheres, since it is after all a UNIX clone - disallows
the spreading of the virus onto executables beyond the user's home
directory. Given that most binary executables will be living exactly
outside of the user's home directory on a GNU/Linux system, it requires
the cooperation of the root user for the virus to be able to spread
across the system and gain some privileged access. Ergo, it exists as
proof of concept, but it cannot "survive" in the wild.
A rootkit is not a piece of code that attaches itself to an executable.
A rootkit replaces entire executables by modified ones, so that whatever
the system is clandestinely doing is being hidden from the system
administrator. So for instance, "ls" will not show certain files or
directories (where other malicious code is installed), and "ps" will not
show such malicious code in the process list. Commonly, syslogd is also
replaced by a version that masks what is really going on, and there are
yet other such binaries - "lsmod" for instance.
In essence, a rootkit can best be described as "part of an operating
system", intended to convert a bonafide system into a clandestine remote
workstation for an intruder and hide this intruder's presence on the
system.
>> Again, a rootkit does not gain you root access to a remote machine.
>> A rootkit is something you install on a remote machine to which you
>> have already obtained root access, so as to hide the fact that you
>> 0wn the box already.
>
>> Rootkits hide processes and files by replacing the system utilities
>> that would expose them, such as "ps" and "ls", and by routing certain
>> processes to other ports, or make them appear as something other than
>> what they are in the process list. That's what a rootkit does/is,
>> nothing else.
>
> Ok - you seem to believe that some/many/all root kits are really
> harmless.
Please clearly point out where exactly I would have made such a
ridiculous claim. Rootkits are anything /but/ harmless. But they are
not viruses, and they do not _grant_ root access to anyone. They _hide_
someone's root access. In order to install the rootkit on the system,
the perpetrator must _already_ _have_ root access in the first place.
>> Besides, gaining root access is often easy.
>
> Yes - that's right. I have (allowed/known) root access on many
> machines in several locations. None of the administrators would call
> me a "root kit".
Like I said, rootkits do not give someone root access. They get the
root access by other means. The rootkit is simply there to hide that
fact from the real sysadmin.
>>> Hmm - I have seen some root kits on some Linux machines. They had
>>> "root" access.
>
>> Of course they did. But it already takes root access to _install_
>> the rootkit, and the rootkit is there to hide the fact that whomever
>> installed it does indeed have root access.
>
> Maybe - but what is that explanation good for? "root kits" are malware.
If you don't understand the difference, then with all due respect, you
are also not qualified to give advice with regard to security, because
then you would be proverbially trying to fasten the spare tire to a car
by way of duct tape instead of using the bolts.
>>>>> "Ubuntu" - an African word, meaning "Slackware is too hard for
>>>>> me".
>
>>>> Says a guy who posts from Windows...
>
>>> Ah - a purist. Perhaps a crusader.
>
>> Not necessarily. But you seemed to doubt my words in a rather terse
>> manner, without providing evidence for why you thought I was being
>> wrong, and all while you were posting from Windows. So that was just
>> my way of rubbing your nose in that. <grin>
>
> Should I understand your explanation?
Given that I have been trying very hard to put it in very understandable
and grammatically correct English, yes, you should at least make an
attempt at trying to understand.
Now I am very sorry, but I haven't spoken German in over twenty years,
and I have never really learned to properly spell it anyway. In
addition to that, given that this is an international newsgroup, English
is the preferred language here. So English is the best I can do in
order to explain things to you, and I think I've done quite a good job
at that.
And that leads me to two possible explanations as to why you appear to
still not understand.
1) Either your English is very, very bad and you really don't
understand what I'm saying - but that does not appear to be
the case here - and then it is unfair of you to want to try
and be pedantic with regard to my correct and your incorrect
usage of certain technical terms;
2) Or, you are deliberately being obtuse, and refuting the
correct terminology in favor of the incorrect but in the
popular media often touted terminology.
Quite frankly, given your broken signature - about which I'm sure you've
already had certain remarks from other posters - and your apparently
willful persistence at continuing to post that way, and given that you
do write well enough in English to also be able to understand English
properly, I suspect that the above #2 explanation is the correct one.
And _that_ means that you are trollbaiting me, which I do not appreciate
in a group like alt.os.linux.slackware. I can accept it from
alt.os.linux.ubuntu, because that group is full of trollbait and I
simply killfile the trolls there. But not here. This is a serious
group, so please try to keep it serious.
> I can't see any relation between my "no" and the OS of the machine I'm
> currently working with.
Okay, let me rephrase it then, and I'll be very terse this time.
Perhaps you'll understand that.
Sequence of the conversation.
1) I make correct statements.
2) You tersely comment on each of those statements that they
are wrong, but without providing any explanation as to
why that would be the case.
3) You sign your posts with a signature, which makes a
sneer at Ubuntu in favor of Slackware, while that signature
is:
a) broken - it is not separated from the message body;
b) not original - you're only copying Dan C's
signature; and
c) you are showing all this terseness towards me /and/
cockiness with regard to Ubuntu and Slackware while
posting from Microsoft Windows, which undermines
your credibility, especially since you failed to
provide an explanation as to why I was supposedly
wrong (while I was, in fact, not).
4) Given all of the above, I made a comment about you posting
from Windows, as a hint that it wasn't exactly granting you
a lot of credibility in your terse subversion of my
statements.
Does this make it a little more clear to you?
> Or with the OS of the machine which manages the internet connection
> (it runs under Linux).
Irrelevant. See above.
> Might you believe there's any correlation between an OS and the way to
> argue?
If you are attempting to start an argument by questioning my credibility
without providing evidence, and you are doing that with a cocky but
broken signature, in a post coming from a Windows machine, then the
answer is "yes". And please note the conditional aspect of the preceding
sentence, indicated by the words "if" and "then".
>>> I'm not interested in a purebred IT environment. For some jobs I use
>>> Linux, for some jobs I use Windows, for some jobs I use DOS, and
>>> then there may be some microcontroller jobs which use their very
>>> special OS.
>
>> I'm not being a purebred fanatic, but I will either way never use
>> Windows if I can help it, even if only because Windows is a perpetual
>> beta product of an outdated (single-user) design, with poor
>> reliability, poor performance and poor security. And it's
>> proprietary and is more trouble than it's worth.
>
>> UNIX systems are much more reliable and much more flexible.
>
> Hallelujah!
>
> Sorry - I choose my applications mostly regarding their usability, not
> regarding the OS they want to use.
The strength and reliability of an application still depend on the
strength and reliability of the underlying operating system. You can
run the finest Apache webserver with the best MySQL implementation and
the most securely set up PHP on top of Windows on a machine with four
quadcore processor chips and 256 GB of RAM, and it would still be a load
of crap.
Your applications don't control your machine, nor its integrity. The
operating system does that. And Microsoft Windows just so happens to be
the worst possible operating system design on the planet. I would in
fact not even call it an operating system, but rather an appliance
system.
I'm going to be rude now - with my apologies to the ladies in this
group, and the disclaimer that I normally refrain from using expletives
and from swearing on Usenet - but a crack whore with a fancy dress on is
still a crack whore. And when it comes to security, Microsoft Windows
is as promiscuous as a crack whore in dying need of "a fix".
> Best regards
> Helmut
>
> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
The correct signature delimiter on Usenet is two dashes followed by a
space and a newline. Any decent newsreader - even the ones available
for Microsoft Windows - should allow you to set up a proper signature,
so that it doesn't needlessly get quoted in the text body by the
newsreader of the person replying to you.
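As an added example for this thread (written for this page; it is not rkhunter's, chkrootkit's or any poster's code), the script below does the file-level counterpart of what the post describes: it takes a SHA-256 baseline of the binaries a user-land rootkit typically replaces wholesale (ls, ps, netstat, lsmod, sshd, login) and later reports any that changed, vanished or acquired different permission bits. The WATCHED path list is an assumption and should be adjusted to the distribution. The baseline must be taken from a known-good installation and kept on read-only or off-host media: an intruder who already has root can edit a baseline stored on the same disk just as easily as the binaries, and can trojan the interpreter or hashing tool, which is why such checks are best run from trusted media.

```python
"""Baseline and verify system binaries by cryptographic hash.

Example code written for this page; not rkhunter's, chkrootkit's or any
poster's. WATCHED is an assumed list of binaries that user-land rootkits
commonly replace; adjust it to the distribution. Keep the baseline file
(and this script) on read-only or off-host media.
"""
import hashlib
import json
import os

WATCHED = ["/bin/ls", "/bin/ps", "/bin/netstat", "/sbin/lsmod",
           "/usr/sbin/sshd", "/usr/bin/find", "/bin/login"]


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each existing regular file to its hash, permission bits and size.

    Paths that do not exist on this host are skipped, not recorded.
    """
    baseline = {}
    for path in paths:
        if os.path.isfile(path):
            st = os.stat(path)
            baseline[path] = {"sha256": sha256_of(path),
                              "mode": st.st_mode & 0o7777,
                              "size": st.st_size}
    return baseline


def verify_baseline(baseline):
    """Return {path: status} with status 'ok', 'modified', 'mode' or 'missing'.

    'mode' means the content matches but the permission bits changed
    (a newly set setuid bit, for instance).
    """
    results = {}
    for path, rec in baseline.items():
        if not os.path.isfile(path):
            results[path] = "missing"
            continue
        st = os.stat(path)
        if sha256_of(path) != rec["sha256"]:
            results[path] = "modified"
        elif (st.st_mode & 0o7777) != rec["mode"]:
            results[path] = "mode"
        else:
            results[path] = "ok"
    return results


def save_baseline(baseline, store):
    with open(store, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(store):
    with open(store) as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    # integrity.py is a hypothetical file name for this example.
    if len(sys.argv) != 3 or sys.argv[1] not in ("init", "check"):
        sys.exit("usage: integrity.py init|check BASELINE.json")
    cmd, store = sys.argv[1], sys.argv[2]
    if cmd == "init":
        save_baseline(build_baseline(WATCHED), store)
    else:
        bad = {p: s for p, s in verify_baseline(load_baseline(store)).items()
               if s != "ok"}
        for p, s in sorted(bad.items()):
            print(f"{s:9} {p}")
        sys.exit(1 if bad else 0)
```

Package-based distributions ship the same idea with the vendor's signed hashes (`rpm -V` on RPM systems, `debsums` on Debian-derived ones), which removes the need to trust a locally generated baseline; a replaced ls or ps then shows up as a checksum mismatch against the package database, provided that database and the verifying tool were not themselves replaced.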
Indeed. Also a guy who steals (my) signature, but doesn't know what a
"sig delimiter" is for (and he's been told by many).
A loser, for sure.
--
"Ubuntu" -- an African word, meaning "Slackware is too hard for me".
"Bother!" said Pooh, as he cut his initials in the snow.
Usenet Improvement Project: http://twovoyagers.com/improve-usenet.org/
Thanks, Obama: http://brandybuck.site40.net/pics/politica/thanks.jpg
>> Best regards
>> Helmut
>>
>> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
>
> The correct signature delimiter on Usenet is two dashes followed by a
> space and a newline. Any decent newsreader - even the ones available
> for Microsoft Windows - should allow you to set up a proper signature,
> so that it doesn't needlessly get quoted in the text body by the
> newsreader of the person replying to you.
This is where Helmut-boy will disappear. He's been told numerous times
by numerous folks about his signature issues, and just stops responding.
He's an ignorant fuck who can't learn, and a troll. Best to ignore him.
--
"Ubuntu" -- an African word, meaning "Slackware is too hard for me".
"Bother!" said Pooh, as he wiped the vomit from his chin.
My thoughts exactly, and I was actually telling him that in the reply I
just sent off when I saw yours come in. ;-)
> A loser, for sure.
Well, I'll refrain from using expletives, but it's definitely fishy, and
it smells like he's trollbaiting me. And that is something I find very
strange in a serious newsgroup like alt.os.linux.slackware. It would be
more "on-topic" - in uhh, a /strange/ sort of way - for
alt.os.linux.ubuntu. [*] <grin>
[*] OT for alt.os.linux.slackware, but as you may have seen already by
now, I've had to add two more identities/filters for "DanS", as he
was obviously so attention-starved that he wanted to get out of my
killfile... again!
<shake head>
> On Wed, 27 Jul 2011 23:10:16 +0200, Aragorn wrote:
>
>>> Best regards
>>> Helmut
>>>
>>> "Ubuntu" - an African word, meaning "Slackware is too hard for me".
>>
>> The correct signature delimiter on Usenet is two dashes followed by a
>> space and a newline. Any decent newsreader - even the ones available
>> for Microsoft Windows - should allow you to set up a proper
>> signature, so that it doesn't needlessly get quoted in the text body
>> by the newsreader of the person replying to you.
>
> This is where Helmut-boy will disappear. He's been told numerous
> times by numerous folks about his signature issues, and just stops
> responding.
>
> He's an ignorant fuck who can't learn, and a troll. Best to ignore
> him.
I appreciate the warning, and I shall be paying more close attention to
what he's writing from here on, so that I will be more properly able to
determine whether I should be setting up scores for this group...
(So far, I think my only filter for the Slack group is on Sidney Lambe.)
You wrote on 27.07.11:
>>> When I'm talking of malware in general, I will use the term
>>> "malware". I was speaking specifically about viruses here.
>>
>> I admire you! The original poster asked for ClamAV, a program which
>> scans for malware, not only for virii (however "virus" may be
>> defined).
> The name of the application is ClamAV, which stands for "Clam
> AntiVirus". I was therefore emphasizing virus protection in my
> reply.
And this company uses "virus" as a short description for malware, just
as many other companies do, just as many people do.
>>>> "virus" is not strictly defined, and "root kit" too.
>>> Oh but they are very well-defined.
>> Where? How?
>> Are that definitions "official" definitions, like laws or
>> "standards"?
> Please use a browser of your choice and direct it towards Wikipedia.
Wikipedia sets no rules, no definitions, no standards.
The German Wikipedia says: "The term computer virus is also used
colloquially for computer worms and Trojan horses, because mixed forms
often exist and the difference is hard for users to recognize."
>>>> "root kits" may work like a virus, or like a worm, or they may
>>>> work in some other way.
>>
>>> You probably misunderstand what the term "rootkit" means, then.
>>
>> No.
>>
>> Please tell me: what is (in your opinion) the difference between a
>> virus and a rootkit?
> A computer virus is a piece of code that attaches itself to
> executable files and propagates when the infected executables are
> being run.
[...]
> A rootkit is not a piece of code that attaches itself to an
> executable. A rootkit replaces entire executables by modified ones,
[...]
Ok - both types change files. For what purpose: that depends.
Both are malware.
> In essence, a rootkit can best be described as "part of an operating
> system", intended to convert a bonafide system into a clandestine
> remote workstation for an intruder and hide this intruder's presence
> on the system.
And that's the purpose of malware, like virii.
>> Ok - you seem to believe that some/many/all root kits are really
>> harmless.
> Please clearly point out where exactly I would have made such a
> ridiculous claim. Rootkits are anything /but/ harmless.
Ok. Root kits are malware, trojans are malware, virii are malware, worms
are malware, ... (to be continued).
And many people use the word "virus" as a synonym for "malware".
> But they are not viruses, and they do not _grant_ root access to
> anyone. They _hide_ someone's root access. In order to install the
> rootkit on the system, the perpetrator must _already_ _have_ root
> access in the first place.
Ok - what's the big difference to other malware? "root kits" do their
(bad) work on Linux machines just like any other malware on other (or
the same) machines.
On Windows machines malware tries to get administrator rights - where is
the difference?
>> May be - for what is that explanation good? "root kits" are malware.
> If you don't understand the difference, then with all due respect,
> you are also not qualified to give advice with regard to security,
"Bother, said Poo".
> because then you would be proverbially trying to fasten the spare
> tire to a car by way of duct tape instead of using the bolts.
Ok - lack of substantial arguments? Or why do you now argue "ad
personam"?
>> Should I understand your explanation?
> Given that I have been trying very hard to put it in very
> understandable and grammatically correct English, yes, you should at
> least make an attempt at trying to understand.
I've tried, without success. But that may be related to your try to
correlate uncorrelated things.
> And that leads me to two possible explanations as to why you appear
> to still not understand.
> 1) Either your English is very, very bad and you really don't
> understand what I'm saying - but that does not appear to be
> the case here - and then it is unfair of you to want to try
> and be pedantic with regard to my correct and your incorrect
> usage of certain technical terms;
> 2) Or, you are deliberately being obtuse, and refuting the
> correct terminology in favor of the incorrect but in the
> popular media often touted terminology.
3) You have written nonsense.
> Hello, Aragorn,
>
> You wrote on 27.07.11:
>
>>>> When I'm talking of malware in general, I will use the term
>>>> "malware". I was speaking specifically about viruses here.
>>>
>>> I admire you! The original poster asked for ClamAV, a program which
>>> scans for malware, not only for virii (however "virus" may be
>>> defined).
>
>> The name of the application is ClamAV, which stands for "Clam
>> AntiVirus". I was therefore emphasizing virus protection in my
>> reply.
>
> And this company uses "virus" as a short description for malware, just
> as many other companies do, just as many people do.
Oddly enough, it would appear that I am not employed in your company. I
prefer using correct terminology.
>>>>> "virus" is not strictly defined, and "root kit" too.
>
>>>> Oh but they are very well-defined.
>
>>> Where? How?
>>> Are that definitions "official" definitions, like laws or
>>> "standards"?
>
>> Please use a browser of your choice and direct it towards Wikipedia.
>
> Wikipedia sets no rules, no definitions, no standards.
No, but it does often mention them.
> The German Wikipedia says: "The term computer virus is also used
> colloquially for computer worms and Trojan horses, since hybrid forms
> are common and the difference is hard for users to tell."
So that says that people are often using the term virus to refer to any
kind of malware. But that is incorrect usage of the language.
Lots of people also say that they've caught a virus - of the biological
variety - when they have a bacterial infection. Oh, they're both germs,
so it's the same thing. No, it's not. They're both microscopic
organisms, but that's where the comparison ends. Bacteria have a
cellular membrane and DNA, while viruses do not have a cellular
structure and their genetic code is (usually) only made up of RNA. An
infection with either of them requires a different approach to
treatment. You kill bacteria by way of antibiotics. You kill a virus
by way of your body's immunity system.
Same thing here. A virus modifies existing files by attaching itself to
those files, and if these are executable files, the virus spreads by
infecting other files whenever an already infected executable is being
run. A rootkit is an entirely different kind of malware.
>>>>> "root kits" may work like a virus, or like a worm, or they may
>>>>> work in some other way.
>>>
>>>> You probably misunderstand what the term "rootkit" means, then.
>>>
>>> No.
>>>
>>> Please tell me: what is (in your opinion) the difference between a
>>> virus and a rootkit?
>
>> A computer virus is a piece of code that attaches itself to
>> executable files and propagates when the infected executables are
>> being run.
>
> [...]
>
>> A rootkit is not a piece of code that attaches itself to an
>> executable. A rootkit replaces entire executables by modified ones,
>
> [...]
>
> Ok - both types change files. For what purpose: that depends.
>
> Both are malware.
Sure. But they're not both viruses, and the approach to removing them
is different. (Unless you prefer the Microsoft methodology, which is a
"one size fits all", i.e. reboot and reinstall.)
>> In essence, a rootkit can best be described as "part of an operating
>> system", intended to convert a bonafide system into a clandestine
>> remote workstation for an intruder and hide this intruder's presence
>> on the system.
>
> And that's the purpose of malware, like virii.
"Virii" is not an existing word. It is not the plural form of the word
virus. It's as incorrect as the term "Lini" to refer to multiple
different GNU/Linux installations, used frequently by a Win-troll in
alt.os.linux.ubuntu.
>>> Ok - you seem to believe that some/many/all root kits are really
>>> harmless.
>
>> Please clearly point out where exactly I would have made such a
>> ridiculous claim. Rootkits are anything /but/ harmless.
>
> Ok. Root kits are malware, trojans are malware, virii [...
The correct English plural form of "virus" is "viruses".
> ...] are malware, worms are malware, ... (to be continued).
>
> And many people use the word "virus" as a synonym for "malware".
Whether "many people" do that or not doesn't make it any more correct.
In the middle ages, "many people" believed that the earth was flat. And
what "many people" - read: most people - today think of the world and of
society, or how they think about scientific things, is utterly wrong.
>> But they are not viruses, and they do not _grant_ root access to
>> anyone. They _hide_ someone's root access. In order to install the
>> rootkit on the system, the perpetrator must _already_ _have_ root
>> access in the first place.
>
> Ok - what's the big difference to other malware? "root kits" do their
> (bad) work on Linux machines just like any other malware on other (or
> the same) machines.
There are also rootkits for Windows.
> On Windows machines malware tries to get administrator rights - where
> is the difference?
There is a huge difference, characterized by the following...:
- the mechanism of operation of the malware;
- the mechanism through which the machine became infected with
the malware;
- whether the malware propagates of itself or not [*];
- the objectives of the malware;
- the degree of damage to the system, inflicted by the malware;
- the methods required for removal of the malware.
In addition to that, a virus does not necessarily aim at attaining root
privileges. It simply spreads or seeks to spread, which is what
biological viruses also do, and that is whence came the name "computer
virus".
[*] Some malware requires so-called social engineering for it to be able
to spread. Rootkits are to be found among that category of malware.
Viruses do not. They are able to propagate on their own account,
through the simple operation of the computer.
>>> May be - for what is that explanation good? "root kits" are malware.
>
>> If you don't understand the difference, then with all due respect,
>> you are also not qualified to give advice with regard to security,
>
> "Bother, said Poo".
Playing childish games with me while I'm trying to debate a serious
issue is a sure way to end the conversation.
>> because then you would be proverbially trying to fasten the spare
>> tire to a car by way of duct tape instead of using the bolts.
>
> Ok - lack of substantial arguments? Or why do you now argue "ad
> personam"?
Because that was the very innuendo in your own original comments to what
I wrote. You accused me of being wrong - while I was not and still am
not - and without providing any further clarification. In any social
context, this comes across as publicly questioning the reliability and
credibility of a person. And I am that person.
>>> Should I understand your explanation?
>
>> Given that I have been trying very hard to put it in very
>> understandable and grammatically correct English, yes, you should at
>> least make an attempt at trying to understand.
>
> I've tried, without success. But that may be related to your try to
> correlate uncorrelated things.
Well, let's see. Because viruses and rootkits are both malware, _you_
redefine the meaning of a computer virus to mean "malware in general".
So who's correlating unrelated things here?
(Note: The term "malware" is itself an abbreviation for "malicious
software".)
>> And that leads me to two possible explanations as to why you appear
>> to still not understand.
>
>> 1) Either your English is very, very bad and you really don't
>> understand what I'm saying - but that does not appear to be
>> the case here - and then it is unfair of you to want to try
>> and be pedantic with regard to my correct and your incorrect
>> usage of certain technical terms;
>
>> 2) Or, you are deliberately being obtuse, and refuting the
>> correct terminology in favor of the incorrect but in the
>> popular media often touted terminology.
>
> 3) You have written nonsense.
No, I have not. But all your arguments so far have been, yes, and the
more I read your replies and the tenacity behind them, the more I am
convinced that it's a mixture of willful ignorance and deliberate
shifting of the goalposts. And that makes you a troll.
A computer virus is a computer virus. A rootkit is a rootkit.
Malicious software is a catch-all term.
<historical overview of the logic of this debate>
MY INITIAL STATEMENTS:
Dolphins are warmblooded and they do not have gills.
YOUR VERY ENLIGHTENING COMMENTS TO MY STATEMENT:
You are wrong about the first thing. You are also wrong
about the second thing.
MY INQUIRY:
And why would that be?
YOUR REPLY:
Dolphins are fish. They live in water.
MY EXPLANATION:
Dolphins are mammals. They live in water, like fish,
but they have evolved into marine animals from a land animal.
They breathe air by way of lungs, they are viviparous, they
nurture their offspring through mammalian glands, and they
are homeothermic. Therefore my comments still stand.
YOUR REPLY:
Most people don't know the biology of dolphins and consider
them to be fish. Therefore they _are_ fish, and thus they are
coldblooded and they do have gills. They live in water, so
what's the difference anyway?
</historical overview of the logic of this debate>
--
> On Wednesday 27 July 2011 18:03 in alt.os.linux.slackware, Helmut Hullen
> enlightened humanity with the following words...:
>
>> Hello, Aragorn,
>>
>> You wrote on 27.07.11:
>>
>>> I don't use antivirus software, because I don't use any Microsoft
>>> operating systems (or "excuses for"), so I can't really tell how good
>>> or how bad it is.
>>
>>> What I can tell you is that the ClamAV software for GNU/Linux only
>>> scans for _Windows_ viruses -
>>
>> That's wrong.
>
> Kindly provide evidence to substantiate that claim.
>
>>> e.g. if your GNU/Linux box is a mailserver for Windows clients, or if
>>> you want to scan a Windows partition from within GNU/Linux. There are
>>> no GNU/Linux viruses in the wild.
>>
>> That's wrong too.
>
> Kindly provide evidence to substantiate that claim. And please do note
> that I am talking of viruses, specifically.
>
Modern malware isn't easily categorised opaquely like it used to be. A
piece of malware doesn't need to be a worm or a trojan or a virus or a ...
It's usually a hybrid.
But here is some info about a very recent linux worm.
http://www.linuxplanet.com/linuxplanet/tutorials/6726/1
It was very primitive in nature but still caused lots of havoc since it
targeted network infrastructure devices.
> That's just one way to do it, another common way is to insert a kernel
> module or edit the kernel itself.
Yes, I have mentioned that elsewhere already. It is common to either
have them insert a kernel module or replace the kernel binary so that
upon the next boot, a compromised kernel is loaded instead of the
bonafide kernel.
With bootloader set-ups that use symlinks to the kernel binary image and
the initrd, rather than refer to the actual files directly, it is
trivial to trick a bootloader into booting a compromised kernel.
Still, none of the above does away with the requirement that the
blackhat must first and foremost already /have/ root access to your
machine, and the rootkit is not what grants access to the blackhat.
It's merely that which hides his presence and activities on your
machine.
> Hello, Martha,
>
> You wrote on 27.07.11:
>
>> I'm looking for anti malware resources to use in my Windows and Linux
>> systems. I came across a strongly negative review of Clamav, but I
>> don't know that that was a third-party, unbiased review.
>
> What do you want to scan?
> You should run "rkhunter" on the Linux side, perhaps "chkrootkit" too.
>
> If you want to check your e-mail online: many virus scanners need many
> hours for updating their virus signature base - within that time that
> scanner doesn't recognize some virii.
>
> If you want to scan home directories (p.e. from users who use your
> machine as a samba server): that may need many hours. And the machine is
> occupied from the scanner and runs slow for most other applications.
>
Iirc samba allows vfs modules which allows you to use clamav as an on
access scanner with vscan-samba.
> ClamAV does a good job - compared with many other scanners, it does no
> excellent job (but I don't know any other scanner which always does an
> excellent job).
>
> Perhaps you take a look at "virusbuster". It's (after 30 days for
> testing) not "free", but it works (for my purposes) better than ClamAV.
>
I'm very sceptical about virus programs which come from a windows based
version. I would not want the level of intrusion these 'scanners' impede
on a windows system on my linux system.
> On Thursday 28 July 2011 15:09 in alt.os.linux.slackware, goarilla
> enlightened humanity with the following words...:
>
>> On Wed, 27 Jul 2011 21:34:38 +0200, Aragorn wrote:
>>
>>> Rootkits hide processes and files by replacing the system utilities
>>> that would expose them, such as "ps" and "ls", and by routing certain
>>> processes to other ports, or make them appear as something other than
>>> what they are in the process list. That's what a rootkit does/is,
>>> nothing else.
>>
>> That's just one way to do it, another common way is to insert a kernel
>> module or edit the kernel itself.
>
> Yes, I have mentioned that elsewhere already. It is common to either
> have them insert a kernel module or replace the kernel binary so that
> upon the next boot, a compromised kernel is loaded instead of the
> bonafide kernel.
>
Where?
> With bootloader set-ups that use symlinks to the kernel binary image and
> the initrd, rather than refer to the actual files directly, it is
> trivial to trick a bootloader into booting a compromised kernel.
>
Why is remaking a symlink easier than overwriting the image ?
> On Wed, 27 Jul 2011 18:32:00 +0200, Helmut Hullen wrote:
>
>> Hello, Martha,
>>
>> You wrote on 27.07.11:
>>
>>> I'm looking for anti malware resources to use in my Windows and Linux
>>> systems. I came across a strongly negative review of Clamav, but I
>>> don't know that that was a third-party, unbiased review.
>>
>> What do you want to scan?
>> You should run "rkhunter" on the Linux side, perhaps "chkrootkit" too.
>>
>> If you want to check your e-mail online: many virus scanners need many
>> hours for updating their virus signature base - within that time that
>> scanner doesn't recognize some virii.
>>
>> If you want to scan home directories (p.e. from users who use your
>> machine as a samba server): that may need many hours. And the machine
>> is occupied from the scanner and runs slow for most other applications.
>>
>>
> Iirc samba allows vfs modules which allows you to use clamav as an on
> access scanner with vscan-samba.
>
Vscan-samba seems old and unmaintained, but it looks like
scannedonly (vfs module already part of the samba package) and/or
clamfs have replaced it.
You wrote on 28.07.11:
>> What do you want to scan?
>> You should run "rkhunter" on the Linux side, perhaps "chkrootkit"
>> too.
>>
>> If you want to check your e-mail online: many virus scanners need
>> many hours for updating their virus signature base - within that
>> time that scanner doesn't recognize some virii.
>>
>> If you want to scan home directories (p.e. from users who use your
>> machine as a samba server): that may need many hours. And the
>> machine is occupied from the scanner and runs slow for most other
>> applications.
>>
> Iirc samba allows vfs modules which allows you to use clamav as an on
> access scanner with vscan-samba.
Yes - that's possible. But you need a big machine p.e. for a school with
some hundred clients.
If I want a LAN with the speed of C64 clients that's one approach.
I prefer a mix of "rsnapshot -diff" and "clamscan --file-list=xyz" for
scanning only the new files early in the morning (when no client has to
work). "VirusBuster" seems to be the only other scanner which can read
the jobs from a file.
>> Perhaps you take a look at "virusbuster". It's (after 30 days for
>> testing) not "free", but it works (for my purposes) better than
>> ClamAV.
> I'm very sceptical about virus programs which come from a windows
> based version. I would not want the level of intrusion these
> 'scanners' impede on a windows system on my linux system.
The servers I have to watch use ClamAV (and VirusBuster) for the many
Windows clients, and they use rkhunter and chkrootkit for the Linux
side.
And I'm quite sure that there exist some viruses (or other malware)
which can intrude into the system. "stuxnet" shows what is possible.
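The "scan only the new files" workflow Helmut describes above, as an added example (not Helmut's own scripts and not rsnapshot's diff logic): select the files changed since the last completed run, write them to a list and hand that list to `clamscan --file-list`. The marker-file name and the mtime-based selection are assumptions of this example.

```python
"""Incremental ClamAV scan: hand clamscan --file-list only the files changed
since the last completed run instead of rescanning whole home directories.
"Last run" is the mtime of a marker file touched after each completed scan.
Selecting by mtime is a simplification of a snapshot diff: a file whose
mtime was deliberately set back is missed, so keep an occasional full scan.
"""
import os
import stat
import subprocess
import tempfile


def files_changed_since(root, since_epoch):
    """Regular files under root (symlinks not followed) with mtime > since_epoch."""
    changed = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue             # vanished or unreadable: skip it
            if stat.S_ISREG(st.st_mode) and st.st_mtime > since_epoch:
                changed.append(path)
    return sorted(changed)


def last_scan_time(marker):
    """mtime of the marker file, or 0 (scan everything) when it does not exist."""
    try:
        return os.stat(marker).st_mtime
    except FileNotFoundError:
        return 0.0


def write_file_list(paths, list_path):
    """One path per line, the format clamscan --file-list reads."""
    with open(list_path, "w") as fh:
        fh.writelines(p + "\n" for p in paths)
    return len(paths)


def clamscan_command(list_path, log_path):
    """clamscan invocation: print only infected files, append results to a log."""
    return ["clamscan", "--infected", "--file-list=" + list_path, "--log=" + log_path]


def incremental_scan(root, marker, list_path, log_path, run=True):
    """Build the list and scan it. Returns (paths, exit code), using clamscan's
    convention 0 = clean, 1 = something found, 2 = error; None if nothing ran.
    The marker is advanced only when the scan completed (0 or 1)."""
    paths = files_changed_since(root, last_scan_time(marker))
    write_file_list(paths, list_path)
    if not paths or not run:
        return paths, None
    code = subprocess.run(clamscan_command(list_path, log_path)).returncode
    if code in (0, 1):
        with open(marker, "a"):
            pass
        os.utime(marker, None)   # "now" becomes the next run's since_epoch
    return paths, code


def demo():
    """Constructed tree: one old file, the marker, one newer file; only the
    newer file should end up on the scan list."""
    base = tempfile.mkdtemp()
    old, marker, new = (os.path.join(base, n) for n in ("old.doc", ".lastscan", "new.exe"))
    for path, ts in ((old, 100), (marker, 200), (new, 300)):
        open(path, "w").close()
        os.utime(path, (ts, ts))
    paths, _ = incremental_scan(base, marker, os.path.join(base, "scan.list"),
                                os.path.join(base, "clam.log"), run=False)
    return [os.path.basename(p) for p in paths]
```

Run `incremental_scan` from cron at the quiet hour Helmut mentions, pointing `root` at the shared home directories; the marker only moves forward after a scan that actually finished.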
> On Thu, 28 Jul 2011 15:25:11 +0200, Aragorn wrote:
>
>> On Thursday 28 July 2011 15:09 in alt.os.linux.slackware, goarilla
>> enlightened humanity with the following words...:
>>
>>> On Wed, 27 Jul 2011 21:34:38 +0200, Aragorn wrote:
>>>
>>>> Rootkits hide processes and files by replacing the system utilities
>>>> that would expose them, such as "ps" and "ls", and by routing
>>>> certain processes to other ports, or make them appear as something
>>>> other than
>>>> what they are in the process list. That's what a rootkit does/is,
>>>> nothing else.
>>>
>>> That's just one way to do it, another common way is to insert a
>>> kernel module or edit the kernel itself.
>>
>> Yes, I have mentioned that elsewhere already. It is common to either
>> have them insert a kernel module or replace the kernel binary so that
>> upon the next boot, a compromised kernel is loaded instead of the
>> bonafide kernel.
>>
> Where?
In "/boot", of course. If GRUB uses symbolic links to point to the
kernel image and the initrd - which is the case by default in most
distributions - then it's trivial for anyone with root access to install
another kernel in "/boot" and recreate the symlink. A modified "ls"
would not show the presence of the "new" kernel, and the GRUB menu won't
either - albeit that the GRUB interactive boot shell probably would, but
why would you use that if booting from the menu works?
>> With bootloader set-ups that use symlinks to the kernel binary image
>> and the initrd, rather than refer to the actual files directly, it is
>> trivial to trick a bootloader into booting a compromised kernel.
>
> Why is remaking a symlink easier than overwriting the image ?
Because the actual image has a version number in its filename, and it is
difficult to nigh impossible for an attacker to know in advance what
kernel version that is going to be. So the easier way would be to
install the rootkit - which encompasses a modified "/bin/ls" - and with
it, a compromised kernel, and to simply recreate the symlink, so that
the GRUB configuration need not be touched upon.
On the other hand, the above is all hypothetical and rare. More common
is to load a malicious kernel module - which would not affect the output
of "uname" - and replace "/sbin/lsmod" by a version that does not list
the malicious module in its output.
That's not what I meant. I asked you *where* you put the mention of the
rootkit as a kernel module?
>>> With bootloader set-ups that use symlinks to the kernel binary image
>>> and the initrd, rather than refer to the actual files directly, it is
>>> trivial to trick a bootloader into booting a compromised kernel.
>>
>> Why is remaking a symlink easier than overwriting the image ?
>
> Because the actual image has a version number in its filename, and it is
> difficult to nigh impossible for an attacker to know in advance what
> kernel version that is going to be. So the easier way would be to
uname ?
> install the rootkit - which encompasses a modified "/bin/ls" - and with
> it, a compromised kernel, and to simply recreate the symlink, so that
> the GRUB configuration need not be touched upon.
>
and you can't just look at the grub.conf and/or resolve the symlink and
overwrite the file it links to ?
> On the other hand, the above is all hypothetical and rare. More common
> is to load a malicious kernel module - which would not affect the output
> of "uname" - and replace "/sbin/lsmod" by a version that does not list
> the malicious module in its output.
You're overthinking.
> On Thu, 28 Jul 2011 17:36:17 +0200, Aragorn wrote:
>
>> On Thursday 28 July 2011 15:45 in alt.os.linux.slackware, goarilla
>> enlightened humanity with the following words...:
>>
>>> On Thu, 28 Jul 2011 15:25:11 +0200, Aragorn wrote:
>>>
>>>> On Thursday 28 July 2011 15:09 in alt.os.linux.slackware, goarilla
>>>> enlightened humanity with the following words...:
>>>>
>>>>> That's just one way to do it, another common way is to insert a
>>>>> kernel module or edit the kernel itself.
>>>>
>>>> Yes, I have mentioned that elsewhere already. It is common to
>>>> either have them insert a kernel module or replace the kernel
>>>> binary so that upon the next boot, a compromised kernel is loaded
>>>> instead of the bonafide kernel.
>>>>
>>> waar ?
>>
>> In "/boot", of course. If GRUB uses symbolic links to point to the
>> kernel image and the initrd - which is the case by default in most
>> distributions - then it's trivial for anyone with root access to
>> install another kernel in "/boot" and recreate the symlink. A
>> modified "ls" would not show the presence of the "new" kernel, and
>> the GRUB menu won't either - albeit that the GRUB interactive boot
>> shell probably would, but why would you use that if booting from the
>> menu works?
>
> That's not what I meant. I asked you *where* you put the mention of the
> rootkit as a kernel module?
In one of my replies to Helmut, but don't ask me for a Message-ID. It
won't be very far away from this post here in the thread, I think.
>>> Why is remaking a symlink easier than overwriting the image ?
>>
>> Because the actual image has a version number in its filename, and it
>> is difficult to nigh impossible for an attacker to know in advance
>> what kernel version that is going to be. So the easier way would be
>> to
>
> uname ?
Sure, but they could replace the uname binary too. A rootkit replaces
lots of common system tools and utilities.
>> install the rootkit - which encompasses a modified "/bin/ls" - and
>> with it, a compromised kernel, and to simply recreate the symlink, so
>> that the GRUB configuration need not be touched upon.
>
> and you can't just look at the grub.conf and/or resolve the symlink
> and overwrite the file it links to ?
Sure, all of that would be possible, but I presume that the blackhat
would choose the path of least obstruction.
>> On the other hand, the above is all hypothetical and rare. More
>> common is to load a malicious kernel module - which would not affect
>> the output of "uname" - and replace "/sbin/lsmod" by a version that
>> does not list the malicious module in its output.
>
> You're overthinking.
Possibly, but not with regard to the kernel modules and the replacing of
"lsmod". I've actually read a report from a sysadmin who happened to
have had a rootkit on his system, and he reported this as one of the
binaries from the toolchain that had been replaced.
Anyway, we're way too far off track here. There are utilities such as
rkhunter and chkrootkit which do a good job at identifying the problem.
Of course, getting rid of a rootkit is not that easy. In practice, it
usually boils down to reformatting and reinstalling, and then making
sure that you don't run into the same compromised situation a second
time.
In my personal opinion, I think this makes yet another case for
virtualization solutions like Xen. Virtual machines are usually rapidly
deployed from preconfigured templates, so it's easier that way to nuke a
compromised installation and replace it with an integer one from a
template. But of course, it's always better to prevent the compromise
from happening in the first place than to have to clean up the mess
afterwards.
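The symptoms Aragorn describes in this and his earlier reply (a replaced `ls`, `lsmod` or `uname`, the kernel symlink in `/boot` repointed at another image) are what chkrootkit-style tools look for by comparing a binary's output with a view the kernel provides directly. The following is an added example, not code from the thread or from rkhunter/chkrootkit; the sample outputs are constructed, and the `/boot/vmlinuz` symlink name is an assumption about the local layout.

```python
"""Cross-checks for the user-space rootkit symptoms discussed in the thread.
Each compares the output of a binary rootkits commonly replace (lsmod, ls,
uname) with data taken straight from the kernel (/proc/modules, the directory
listing syscall behind os.listdir, /proc/version). A replaced binary can only
lie in its own output; a kernel-level rootkit hooking the syscalls would fool
both sides, which is why the thread ends at reformat-and-reinstall.
"""
import os
import re
import subprocess

# Constructed sample data; nothing here was captured from a real machine.
SAMPLE_LSMOD = """Module                  Size  Used by
ext4                  400000  1
e1000                  80000  0
"""
SAMPLE_PROC_MODULES = """ext4 400000 1 - Live 0xffffffffa0000000
e1000 80000 0 - Live 0xffffffffa0100000
hideme 12000 0 - Live 0xffffffffa0200000
"""
SAMPLE_LS_BOOT = ".\n..\nvmlinuz\nvmlinuz-2.6.37.6-smp\n"
SAMPLE_LISTDIR_BOOT = ["vmlinuz", "vmlinuz-2.6.37.6-smp", "vmlinuz-2.6.37.6-evil"]
SAMPLE_PROC_VERSION = "Linux version 2.6.37.6-smp (root@host) (gcc 4.5.2) #2 SMP\n"


def parse_lsmod(text):
    """Module names from lsmod output: first column, header line skipped."""
    rows = [ln.split() for ln in text.splitlines() if ln.strip()]
    return {r[0] for r in rows if r[0] != "Module"}


def parse_proc_modules(text):
    """Module names from /proc/modules (first field of every line)."""
    return {ln.split()[0] for ln in text.splitlines() if ln.strip()}


def hidden_modules(lsmod_text, proc_modules_text):
    """Loaded modules that lsmod does not report. lsmod is only a pretty
    printer for /proc/modules, so on a clean system this list is empty."""
    return sorted(parse_proc_modules(proc_modules_text) - parse_lsmod(lsmod_text))


def files_hidden_from_ls(ls_text, listdir_names):
    """Names the kernel returns for a directory that 'ls -a' left out.
    os.listdir asks the kernel directly, bypassing a replaced /bin/ls."""
    shown = {ln.strip() for ln in ls_text.splitlines() if ln.strip()}
    return sorted(set(listdir_names) - shown)


def release_from_image_name(name):
    """'vmlinuz-2.6.37.6-smp' -> '2.6.37.6-smp'; None for non-kernel names."""
    m = re.match(r"^(?:vmlinuz|bzImage|vmlinux)-(.+)$", os.path.basename(name))
    return m.group(1) if m else None


def release_from_proc_version(text):
    """Running release read from /proc/version, not from the uname binary."""
    m = re.match(r"Linux version (\S+)", text)
    return m.group(1) if m else None


def next_boot_differs(link_target, proc_version_text):
    """True when the kernel symlink points at an image other than the running
    kernel: expected right after you installed a new kernel, otherwise a sign
    that something else repointed the link, the trick described above."""
    have = release_from_image_name(link_target)
    want = release_from_proc_version(proc_version_text)
    return have is not None and want is not None and have != want


def live_report(boot_dir="/boot", boot_link="/boot/vmlinuz"):
    """All three checks on the local machine (Linux only). The symlink name
    is an assumption about the local layout; adjust it for your bootloader."""
    report = {}
    try:
        lsmod_out = subprocess.run(["lsmod"], capture_output=True, text=True).stdout
        with open("/proc/modules") as fh:
            report["hidden_modules"] = hidden_modules(lsmod_out, fh.read())
        ls_out = subprocess.run(["ls", "-a", boot_dir], capture_output=True, text=True).stdout
        report["hidden_in_boot"] = files_hidden_from_ls(ls_out, os.listdir(boot_dir))
        if os.path.islink(boot_link):
            with open("/proc/version") as fh:
                report["next_boot_differs"] = next_boot_differs(os.readlink(boot_link), fh.read())
    except OSError as exc:  # not Linux, no lsmod, no /boot: say so instead of crashing
        report["error"] = str(exc)
    return report
```

An empty result from `live_report()` proves only that nothing user-space is lying; as the thread says, once a compromise is suspected the dependable cure is reinstalling from known-good media.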
I would still say there is a big difference in how different malware
behaves and how you try to avoid becoming a victim of malware.
A virus is bad code in an executable file which when executed will spread
to other executables. You can use antivirus software to detect executables
with such code and by doing that before you run executables you might
avoid becoming the victim of a virus.
A worm is malware which spreads from system to system through the network
without the need of any clumsy user to download and execute a file. You
avoid becoming the victim of worms by keeping networked systems up to date
by installing security patches, using firewalls and educating your users in
the importance of choosing good passwords.
(ok mail worms might need clumsy users to click attachments and they
might be detected by antivirus scanners, but usually antivirus software
does not help against worms and firewalls do not help against viruses.)
regards Henrik
--
The address in the header is only to prevent spam. My real address is:
hc123(at)poolhem.se Examples of addresses which go to spammers:
root@localhost postmaster@localhost