public inbox for gentoo-user@lists.gentoo.org
From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Best anti-virus
Date: Sat, 10 May 2008 10:58:03 -0400
Message-ID: <4825B7FB.20402@gmail.com>
In-Reply-To: <4a2decfc93fe677999694fd8863f1256@smtp.hushmail.com>

forgottenwizard wrote:
> On 20:13 Fri 09 May, 7v5w7go9ub0o wrote:
>> I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
>> Dazuko!
>>
>> 1. The Antivir database and heuristics contain dozens of Linux-specific
>> rootkits and Trojans. These in addition to Windows sigs. FWICT, the only
>> freeware AntiMalware that takes Linux seriously (Kaspersky payware does).
>>
>> 2. With Dazuko - a LKM, developed by AntiVir/Avira which provides 
>> real-time, on-access (read/write) scanning within directories you specify 
>> in configuration. I scan mail (in a chroot jail), browser and downloads 
>> (within a chroot jail, within RamDisk), Portage and portage work areas, and 
>> /home.
>>
>> Given that emerges are done with Root privilege, this scanning for 
>> signatures may keep your box from being borked, should someone hack a 
>> distribution site, or poison the DNS system, or etc.
>>
>> 3. Recent testing by Windows testers indicates that Antivir is now one of
>> the better Windows AVs, and that their heuristics are quite effective. I'd
>> guess the same to be true for 'ix.
>>
>> 4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left 
>> unrepaired because I think it's so great:
>>
>> "ANTIVIR 2008-05-05_05:49:12.39449 Mon May  5 01:49:12 2008 WARNING: file 
>> '/etc/openvpn/trustconnect/pwd' is group or others accessible"
>>
>> 5. Its heuristics have notified me of XSS script attacks (at test sites)
>> after scanning scripts loaded into the browser cache, with "suspicious
>> script" warnings - and blocking that script from use by the browser. The
>> only other tool of similar function that I know of is "NoScript", an
>> extension for use in Firefox.
>>
>> 6. I run WAN/LAN-connected applications in chroot jails (Grsecurity 
>> Hardened). Anything downloaded into a browser jail, lftp or TBird jail is 
>> moved to a "download" area via a script that invokes a deep scan by Antivir 
>> after it gets there.  Dazuko invokes a second scan, as it also monitors 
>> that area.
>>
>> 7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
>> AntiMalwares, or customized to respond to user-created tests (e.g. changed
>> file).
>>
>> 8. Linux and Unix old-timers will scoff at real-time malware scanning - but
>> I'm convinced that in today's world, realtime scanning is one important
>> thing (perhaps the only thing) that we can learn from Windows.
>>
>> HTH
>>
> 
> I think a lot of old-timers also realize that, unless you specifically
> allow something to run, then it can't hurt you.

Agreed! Keep the power off; allow nothing to run; a safe state.

> 
> Chances are, unless you are allowing XSS and are surfing sites you can't
> trust, you're close to bullet-proof, with the exception of program
> exploits that you really can't do anything about.

Well, nowadays you can take significant steps against "those" exploits
as well - memory protection and RBAC are two obvious ones. Hardened
kernels and hardened chroot jails also effectively confine many of
"those" exploits.

Realtime Linux Anti-Trojan signature scanning overhead is simply cheap
(almost free) insurance IMHO, and may be most important when compiling
and installing new or updated source code. Or installing a new plugin to
your browser; or opening a media file.

But I sure acknowledge the majority opinion - almost ALL Linux users,
and many Windows users as well, choose not to run real-time
AntiMalware scanners.

-- 
gentoo-user@lists.gentoo.org mailing list
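Point 4 of the quoted message shows AntiVir warning that '/etc/openvpn/trustconnect/pwd' is group or others accessible. The script below is an added example, not AntiVir or Dazuko code: it reproduces that one check on its own, walking a watched directory and reporting every regular file whose mode grants any permission to group or other, which is the condition a credentials file such as an OpenVPN password file should never meet. The directory layout, file names and contents it scans are constructed inside a temporary directory purely for the demonstration; the warning format is modelled loosely on the quoted log line and is not AntiVir's exact output.

```python
#!/usr/bin/env python3
"""Loose-permission check modelled on the AntiVir warning quoted above.
Added example, not AntiVir/Dazuko code. The scanned tree is constructed."""
import os
import stat
import tempfile
from pathlib import Path

# Any permission bit for group or other: the condition behind the
# "is group or others accessible" warning quoted in the thread.
GROUP_OR_OTHER_BITS = stat.S_IRWXG | stat.S_IRWXO


def group_or_other_accessible(path: Path) -> bool:
    """True when a regular file grants any permission to group or other.
    lstat() is used so a symlink (always reported as 0777) is not mistaken
    for a loose file; only regular files are judged, links are skipped."""
    st = path.lstat()
    if not stat.S_ISREG(st.st_mode):
        return False
    return bool(st.st_mode & GROUP_OR_OTHER_BITS)


def scan_tree(root: Path) -> list[tuple[str, str]]:
    """Walk `root` and return (path relative to root, octal mode) for every
    regular file that is group- or other-accessible, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if group_or_other_accessible(p):
                mode = stat.S_IMODE(p.lstat().st_mode)
                findings.append((str(p.relative_to(root)), f"{mode:04o}"))
    return sorted(findings)


def format_warning(rel_path: str, mode: str) -> str:
    """Render a finding in the spirit of the quoted AntiVir log line."""
    return f"WARNING: file '{rel_path}' is group or others accessible (mode {mode})"


def build_constructed_tree(root: Path) -> None:
    """Create a small constructed layout mimicking the path in the quoted
    warning. Contents are placeholders, not real credentials."""
    secret_dir = root / "etc" / "openvpn" / "trustconnect"
    secret_dir.mkdir(parents=True)
    loose = secret_dir / "pwd"       # 0644: readable by group and others -> flagged
    loose.write_text("placeholder-password\n")
    loose.chmod(0o644)
    tight = secret_dir / "pwd.ok"    # 0600: owner only -> not flagged
    tight.write_text("placeholder-password\n")
    tight.chmod(0o600)
    link = secret_dir / "pwd.link"   # symlink: skipped, its target is judged on its own
    link.symlink_to("pwd.ok")


def demo() -> list[tuple[str, str]]:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        findings = scan_tree(root)
        for rel, mode in findings:
            print(format_warning(rel, mode))
        return findings


if __name__ == "__main__":
    demo()
```

Run against a real directory by calling scan_tree(Path("/etc/openvpn")) as root; the symlink case matters because a naive stat()-based check would report every link as 0777 and drown the real findings in noise.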


Thread overview: 16+ messages
2008-05-09  3:23 [gentoo-user] Best anti-virus Tony Caudel
2008-05-09 11:42 ` Abraham Gyorgy
2008-05-09 12:51   ` Neil Bothwick
2008-05-09 11:58 ` Dirk Heinrichs
2008-05-09 12:30   ` Volker Armin Hemmann
2008-05-09 12:50     ` Dirk Heinrichs
2008-05-09 12:52   ` Alan McKinnon
2008-05-09 19:25   ` Tony Caudel
2008-05-09 20:58     ` Albert Hopkins
2008-05-10  0:13 ` [gentoo-user] " 7v5w7go9ub0o
2008-05-10  0:53   ` forgottenwizard
2008-05-10 14:58     ` 7v5w7go9ub0o [this message]
2008-05-10 15:10       ` Alan McKinnon
2008-05-10 20:35         ` 7v5w7go9ub0o
2008-05-11  5:43           ` Tony Caudel
2008-05-10 17:19       ` Robert Bridge