
Story: Linux needs file-scanning API on kernel like it's 1996
Total Replies: 12
incinerator

Oct 23, 2006
12:12 AM EDT
Why is it that the media seems to write about antivirus software for GNU/Linux nowadays? Is this the new anti-GNU/Linux spin The Enemy(tm) tries to implement? Like "GNU/Linux is less secure because it doesn't have real-time anti-virus file scanning", "Installing anti-virus software on GNU/Linux is sooo complicated."

That's actually quite a clever spin to use. By now every ms windows user has been brainwa^^indoctri^^educated about the fact that anti-virus software is absolutely essential to be installed on every computer in this world. Funny thing, this actually works. I can remember several people I helped migrating to GNU/Linux who did not quite believe me at first when I told them that viruses are a non-threat when running GNU/Linux. Inducing FUD by making people afraid of "exotic" viruses and difficult installation of "absolutely essential" anti-virus software for GNU/Linux could well mean that the non-guru user might decide not to migrate to GNU/Linux, after all.

Strangely, it always seems to be tuxmachines.org where this kind of news seems to accumulate. Either the tuxmachines.org editors haven't really got a clue, or they are run by The Enemy(tm).

Regards, Dominik Anarchist Acolyte (according to Forbes)
dinotrac

Oct 23, 2006
3:35 AM EDT
And what is wrong with writing about antivirus software for Linux?

I haven't used any since I started using Linux. I don't know any Linux users who have ever used it (except for mail servers, which may need to clean loads from e-mails destined for Windows users).

But...

In the old days (OK, only twenty years ago or so), I worked in some pretty secure computing installations. There are many important security concepts, but none more important than paranoia.

I haven't quite wrapped my head around the last couple of articles touting Linux antivirus needs. Both of them have talked about Linux users who run windows software. Sounds like something to think about, but lots of things make you scratch your head on first thought, then say "Nah." I seem to recall that most Windows viruses rely on the predictability of Windows installations. They know where to look for what. If WINE looks enough like a real Windows installation, I guess they could wreak havoc with your WINE setup. To the extent that they did ugliness to your C: drive, they could do ugliness, I suppose, to your WINE C: drive -- which is just a local filesystem or directory structure.

It doesn't seem all that far-fetched that a virus could wreak some havoc with my userland stuff --- which, for a desktop user, is nearly as bad as bonking the whole box. Of course, most viruses come in through e-mail these days, or stupid people downloading stupid things. Anybody dumb enough to use a Windows e-mail client on Linux (Isn't that what it would take for these little executable nasties masquerading as innocent files to do their business?) pretty much deserves what they get.

As to a kernel-based file-scanning API, I have no clue as to whether such a thing is useful, or whether it belongs in kernel space or userland. I don't use anti-virus software, you see, so the issue hasn't much crossed my mind.

nalf38

Oct 23, 2006
8:55 AM EDT
I used KlamAV with on-access file scanning via the dazuko kernel module for a few months, but it never found anything and I realized I didn't really need it. I do an automated scan of my /home directory once a month, but nothing ever turns up.

I guess if you're an enterprise user, it might come in handy.
herzeleid

Oct 23, 2006
9:36 AM EDT
Quoting: And what is wrong with writing about antivirus software for Linux?
OK, let's pretend we know nothing except ms windoze. We've been conditioned to believe that viruses, popups, spyware, crashes, reboots etc are an inevitable part of using a computer. Now imagine that we've just heard there is another type of OS generally referred to as unix, and these unix users seem to be rather smug, and regard our computing experiences as comical. We windoze users are confused and annoyed at these smug unix users and their supposedly superior OS.

We ms fans simply cannot accept that this unix thing is different from ms windoze. We've seen it all during our years of ms windoze use, so how different can unix be, right?

Whaddya mean, you don't get viruses?

Whaddya mean, you don't get popups and spyware?

Whaddya mean, you don't have to reboot after updating software?

Who do these condescending unix bastards think they are?

So yeah, in that context, your question might make sense.

So, why have I never felt the need for an av on linux during all my years of having systems directly connected to the internet?

Um, well, for starters, there are no viruses for linux. Hello?

By "no viruses", I mean no viruses found in the wild. These laboratory "viruses" developed by av companies hyping the supposed coming linux virus onslaught don't count, sorry, as there is no viable attack vector. The "honor system" virus is a non-starter.

So, dinotrac, in answer to your original question, if a determined and enterprising individual wants to write av software for linux, I won't stop him, just as I would not stop someone manufacturing deodorant for mannequins - but when some wise guy calls this a "must have", I have to call BS.
dinotrac

Oct 23, 2006
9:57 AM EDT
herzeleid --

Let's get serious here -- aside from the "must have" aspect, which utterly eludes me.

There being no Linux viruses "out there" - or, to be more accurate, none that we know of - and Linux being invulnerable to viruses are not the same thing.

As I said, I have never felt compelled to use anti-virus software on Linux. It's hard for me to believe that it's very important. But...things change and the day could come. The only completely safe system is off-net and physically locked down.

Which should not be taken by any thinking person as saying that Windows and Linux are the same. They ain't. Linux is safe, just not invulnerable. Windows is a very bad neighborhood to be computing in.
dcparris

Oct 23, 2006
10:03 AM EDT
Right. Any thinking person would just leave Windows on the CD media. :-D
tuxchick2

Oct 23, 2006
10:12 AM EDT
herzeleid is right, this is BS. As long as we're getting serious, let's try approaching this from the real world.

There are no known Linux viruses. AV software is reactive, and somewhat, but not very effectively, preventive, thanks to magical things like "heuristics" and "things".

Sooo...why bother with Linux AV software at all? Answer: No reason whatsoever.

This particular author isn't completely full of crap:

"it's amazing why it is still not part of the kernel, in this day and age. Personally, I didn't even know about this whole state of affairs until it crossed my mind to install an AV solution on my Linux system due to the concern about win32 executables lying around on the file system for use with Wine and Windows virtual machines."

A very limited subset of Linux users doesn't justify the breathless excitement this author invests in this issue. He may be right that Dazuko is teh awsum must-have API, and it would be nice if it were included in distro repos for easy installation for such excitable persons as the author. But he is wrong about the urgency of implementing AV software for Linux. It simply isn't needed, and anyone who says it is is just plain wrong and spreading manure.

I question whether it's even useful for WINE apps- as long as you don't run malware vectors like Outlook, Outlook Express, the windows messenger service, Windows Messenger the IM app, and aieeee the alleged web browser, how are you going to get infected?

edit: also keeping in mind that Windows exploits really are Windows exploits - not application exploits. The applications are merely the delivery vehicles.

Sander_Marechal

Oct 23, 2006
11:41 AM EDT
I can imagine the API being useful for people/enterprises that use Wine a lot. It makes sense that you can better run the AV on your "safe" Linux system than on the potentially compromised Wine sublayer. But such a small subset of users doesn't justify putting it in the mainline kernel. Hand it off to the distros. So, what else (besides hooking in AV) is this API useful for?
Scott_Ruecker

Oct 23, 2006
3:26 PM EDT
Quoting: A very limited subset of Linux users doesn't justify the breathless excitement this author invests in this issue.

It is because of that little sub-set of people that he had anything to write about at all.
jimf

Oct 23, 2006
3:35 PM EDT
The only legitimate justification for running clamav, or any other av, is simply to alleviate any accusations from the Windows people that we assist in spreading their virus. We say it's a courtesy, but let's face it, most of us could care less. Let them drown in their filth.

If I'm communicating with a known Windows box, I usually send the email through my rr account, which I know does a virus scan and marks the email as having been scanned.
tuxchick2

Oct 23, 2006
3:47 PM EDT
Why not just alter the headers to say it's been scanned, and avoid the overhead of actual scanning?
jimf

Oct 23, 2006
4:07 PM EDT
Actually, I thought of just adding a nasty tag line, like 'ha ha, I'm running Linux, but you're gonna get a virus...'.
dcparris

Oct 23, 2006
7:23 PM EDT
Don't give me ideas like this - I might actually do that. I'm a baaad boy, Abbott!
