From: James Broadhead
To: gentoo-user@lists.gentoo.org
Date: Sun, 30 Oct 2011 13:32:26 +0000
Subject: Re: [gentoo-user] Which desktop antivirus?
In-Reply-To: <201110301250.51263.michaelkintzios@gmail.com>

I'm surprised that no one has mentioned rkhunter yet - loads of lib exploits allow system access, and there's a pretty solid argument that says that compromising a user account on the average *nix system allows enough resources to do a lot of malicious activity without even needing privilege escalation.

On Oct 30, 2011 1:06 p.m., "Mick" wrote:
> On Saturday 29 Oct 2011 19:40:49 Mick wrote:
> > On Saturday 29 Oct 2011 19:25:00 Pandu Poluan wrote:
> > > On Oct 30, 2011 1:15 AM, "Mick" wrote:
> > > > pagefile.sys of a WinXP OS and it thinks it is a Win32:Patched-HO.
> > >
> > > If pagefile.sys is detected as malware, most likely the actual malware was once loaded into (Windows XP's) memory, got swapped, and avast! picked up its remnant. Loaded into memory doesn't mean that the malware was active, if the Windows XP was equipped with a good antivirus.
> >
> > Interesting! The WinXP has Microsoft Security Essentials on it. I'll ask my wife if it picked up anything lately.
>
> She can't recall any MSE reports of malware. I did check the WinXP fs for all the files and registry entries that this trojan is meant to create and none were present. Then I zeroed the pagefile and a second scan did not flag anything up.
>
> I also checked for a reported trojan in a Windows 7 vdi file (in virtualbox). Nothing found there either. I am tempted to think that avast! is rather super-sensitive. However, avast! also picked up some php files from a backed-up website - so this may be a worthwhile find.
>
> Anyway, I can't make it integrate with kmail which was the original user requirement. Tried this script but the kmail Antivirus Wizard will not pick it up:
>
> http://forum.avast.com/index.php?topic=17898.0
>
> So I am now heading for clamav to see how that works with a Linux desktop.
>
> --
> Regards,
> Mick