Message-ID: <4825B7FB.20402@gmail.com>
Date: Sat, 10 May 2008 10:58:03 -0400
From: 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Best anti-virus
In-Reply-To: <4a2decfc93fe677999694fd8863f1256@smtp.hushmail.com>

forgottenwizard wrote:
> On 20:13 Fri 09 May , 7v5w7go9ub0o wrote:
>> I am extremely pleased with Antivir (aka Avira) and its realtime LKM,
>> Dazuko!
>>
>> 1. The Antivir database and heuristics contain dozens of Linux-specific
>> rootkits and Trojans. These in addition to Windows sigs. FWICT, the only
>> freeware AntiMalware that takes Linux seriously (Kaspersky payware does).
>>
>> 2. With Dazuko - a LKM, developed by AntiVir/Avira which provides
>> real-time, on-access (read/write) scanning within directories you specify
>> in configuration. I scan mail (in a chroot jail), browser and downloads
>> (within a chroot jail, within RamDisk), Portage and portage work areas,
>> and /home.
>>
>> Given that emerges are done with Root privilege, this scanning for
>> signatures may keep your box from being borked, should someone hack a
>> distribution site, or poison the DNS system, or etc.
>>
>> 3. Recent testing by Windows testers indicates that Antivir is now one of
>> the better Windows AVs, and that their heuristics are quite effective.
>> I'd guess the same to be true for 'ix.
>>
>> 4. It scans for Linux screwups. :-) :-) e.g. here's one that I have left
>> unrepaired because I think it's so great:
>>
>> "ANTIVIR 2008-05-05_05:49:12.39449 Mon May 5 01:49:12 2008 WARNING: file
>> '/etc/openvpn/trustconnect/pwd' is group or others accessible"
>>
>> 5. Its heuristics have notified me of XSS script attacks (at test sites)
>> after scanning scripts loaded into the browser cache, with "suspicious
>> script" warnings - and blocking that script from use by the browser. The
>> only other tool of similar function that I know of is "NoScript", an
>> extension for use in Firefox.
>>
>> 6. I run WAN/LAN-connected applications in chroot jails (Grsecurity
>> Hardened). Anything downloaded into a browser jail, lftp or TBird jail is
>> moved to a "download" area via a script that invokes a deep scan by
>> Antivir after it gets there. Dazuko invokes a second scan, as it also
>> monitors that area.
>>
>> 7. AntiVir is not in portage. Dazuko is. Dazuko can be used with other
>> AntiMalwares, or customized to respond to user-created tests (e.g. a
>> changed file).
>>
>> 8. Linux and Unix old-timers will scoff at real-time malware scanning -
>> but I'm convinced that in today's world, realtime scanning is one
>> important thing (perhaps the only thing) that we can learn from Windows.
>>
>> HTH
>>
>
> I think a lot of old-timers also realize that, unless you specifically
> allow something to run, then it can't hurt you.

Agreed! Keep the power off; allow nothing to run; a safe state.

> Chances are, unless you are allowing XSS and are surfing sites you can't
> trust, you're close to bullet-proof, with the exception of program
> exploits that you really can't do anything about.

Well, nowadays you can take significant steps against "those" exploits as
well - memory protection and RBAC are two obvious ones. Hardened kernels
and hardened chroot jails also effectively confine many of "those"
exploits.

Realtime Linux Anti-Trojan signature scanning overhead is simply cheap
(almost free) insurance IMHO, and may be most important when compiling and
installing new or updated source code. Or installing a new plugin to your
browser; or opening a media file.

But I sure acknowledge the majority opinion - almost ALL Linux users, and
many Windows users as well, choose not to run real-time AntiMalware
scanners.

-- 
gentoo-user@lists.gentoo.org mailing list
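The "group or others accessible" warning quoted in point 4 is a plain permission-bits check, and it can be reproduced without any AV product. The script below is an added example, not code from the thread or from AntiVir/Dazuko; it assumes GNU `stat` and reports any file under a directory whose mode grants group or others any access, in the style of the quoted log line.

```sh
#!/bin/sh
# Constructed example: flag credential files readable or writable by group/others,
# the condition AntiVir reported for /etc/openvpn/trustconnect/pwd in the thread.

# Print the octal mode of a file, zero-padded to four digits (e.g. 0600, 4755).
file_mode() {
    # GNU coreutils stat; on BSD/macOS use: stat -f %Lp "$1"
    m=$(stat -c %a "$1") || return 2
    printf '%04d\n' "$m"
}

# Succeed (0) when only the owner has any access; otherwise print a warning to
# stderr and return 1. Setuid/setgid/sticky bits are ignored on purpose.
check_owner_only() {
    mode=$(file_mode "$1") || return 2
    go_bits=${mode#??}          # drop the special-bits and owner digits
    if [ "$go_bits" = "00" ]; then
        return 0
    fi
    printf "WARNING: file '%s' is group or others accessible (mode %s)\n" \
        "$1" "$mode" >&2
    return 1
}

# Walk every regular file under a directory, warn on each exposed one, and
# print the count of exposed files so callers can alert or fail a check.
count_exposed_secrets() {
    exposed=0
    list=$(mktemp) || return 2
    find "$1" -type f > "$list"
    while IFS= read -r f; do
        check_owner_only "$f" || exposed=$((exposed + 1))
    done < "$list"
    rm -f "$list"
    echo "$exposed"
}

# Usage: sh check_perms.sh /etc/openvpn   (no argument: only define the functions)
if [ $# -gt 0 ]; then
    count_exposed_secrets "$1"
fi
```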