Old 07-17-2010, 07:06 AM
Sthu Deus
 
Default Debian virus/spy-ware detection and detection technique.

Good day.

I have 3 questions on virus/spy-ware detection and detection technique.

1. Which software (maybe one that is even packaged for Debian) is, in
your opinion, the best for virus/spy-ware detection (software that
scans for interesting data and sends it to some host), and why?

2. What is the technique for scanning for malicious software? As I
understand it, it should be absolutely trustworthy and at the same time
up-to-date (the databases it uses), so should I have a separate HDD for
this purpose that stays on a shelf most of the time, is updated alone
in the computer, then removed again and used only as the primary disk
for scanning attached disks as secondary ones? Or is there an easier
way of accomplishing this?

3. Is it possible to scan distro CD/DVDs for these very purposes (virus
& spy-ware) as they are, from the media, without explicit manual
unpacking, to be sure the software is OK (in case checksums are not
available OR it is impossible for some reason to re-download the
images)?

Thank You for Your time.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/4c4156a3.ce7c0e0a.6a17.ffffa666@mx.google.com
 
Old 07-17-2010, 08:11 AM
Andrei Popescu
 
Default Debian virus/spy-ware detection and detection technique.

On Sat, 17 Jul 10, 14:06:58, Sthu Deus wrote:
> Good day.
>
> I have 3 questions on virus/spy-ware detection and detection technique.

[snip]

This has been discussed several times, but IMVHO the time and resources
invested in scanning for malware on Debian are better used in securing
the system.

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
Old 07-17-2010, 09:01 AM
Jordon Bedwell
 
Default Debian virus/spy-ware detection and detection technique.

On Sat, 17 Jul 10, 14:06:58, Sthu Deus wrote:
> Good day.
>
> I have 3 questions on virus/spy-ware detection and detection technique.
>

If you must because of incoming mail, try using ClamAV, which a lot of
servers are readily able to integrate. Unless you're dumb enough (and
this is just a subjective opinion) to allow elevated privileges without
knowing what the program is, or you run as root, you won't run into any
problems (normally; let's not forget the possible potential security
hole; it's happened before) with something jacking your system. Even
though Linux is open too, if it's in the repo somebody manages it, so
you can always assume that software found in official repositories is safe.

--
Cheers,

Jordon Bedwell
http://envygeeks.com


Archive: http://lists.debian.org/4C41717E.8000808@envygeeks.com
 
Old 07-17-2010, 09:31 AM
Camaleón
 
Default Debian virus/spy-ware detection and detection technique.

On Sat, 17 Jul 2010 14:06:58 +0700, Sthu Deus wrote:

> I have 3 questions on virus/spy-ware detection and detection technique.

He, sounds like a test...

> 1. Which software (maybe one that is even packaged for Debian) is, in
> your opinion, the best for virus/spy-ware detection (software that
> scans for interesting data and sends it to some host), and why?

- For scanning/detecting virus/malware for Windows systems or linux
systems?

- For local scanning (e-mails, Internet browsing) or a bunch of network
share files?

- By "(sic) and sends it to some host" you mean "keep the admin informed
by sending an alert to a host" or you mean "collaborative tools to
benefit others"?

> 2. What is the technique for scanning for malicious software? As I
> understand it, it should be absolutely trustworthy and at the same time
> up-to-date (the databases it uses), so should I have a separate HDD for
> this purpose that stays on a shelf most of the time, is updated alone
> in the computer, then removed again and used only as the primary disk
> for scanning attached disks as secondary ones? Or is there an easier
> way of accomplishing this?

Not sure what OS we are talking here...

If you want to assure a true clean environment, better reformat and start
from scratch. As soon as you plug the disk in a network (or via USB port
to an infected machine) data on it can be also compromised.

> 3. Is it possible to scan distro CD/DVDs for these very purposes (virus
> & spy-ware) as they are, from the media, without explicit manual
> unpacking, to be sure the software is OK (in case checksums are not
> available OR it is impossible for some reason to re-download the
> images)?

I think yes. Many AV scanners will scan ISO files (no "unpacking"
required) but that depends on the AV engine itself.

But (and I think this is important) when you scan an ISO file for
malware and the result is clean/passed, that does not prove the ISO
image has not been manipulated and/or changed. Checksums (or similar
techniques) are a must.

...

Final words: In general, I do not trust AV scanners much, neither for
Windows nor for other OSs. They still base their detection score on
rather old techniques (stock antimalware firm definition files). Any
well-designed OS has to have its own defenses... and the user has to be
always alert.

> Thank You for Your time.

I hope I've passed the test :-P

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.07.17.09.31.09@gmail.com
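The checksum point in the post above is the one that matters in practice, so here is a worked example of the order of checks. This is an added illustration, not code from the thread or from Debian: a small POSIX shell script that (1) verifies the signature Debian publishes on its SHA256SUMS file if gpg and the signing key are available, (2) checks the downloaded image against its own line in that file (the file lists every image of a release, most of which you will not have downloaded), and (3) only then hands the image to clamscan. Assumptions: coreutils sha256sum; gpg and a recent ClamAV with ISO 9660 support are optional extras; the "image" and checksum file used in the demo are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded installer/live image
# against the distribution's checksum file before trusting or scanning it.
# Assumes coreutils sha256sum; gpg and clamscan are optional.
set -eu

# verify_sums SUMS IMAGE
# Returns 0 only if IMAGE's SHA-256 matches its own line in SUMS.
# Other entries in SUMS (images you did not download) are ignored.
# SUMS lines look like "<hex>  <name>" or "<hex> *<name>"; names with
# spaces are not handled (Debian images have none).
verify_sums() {
    sums=$1; image=$2
    dir=$(dirname "$image"); name=$(basename "$image")
    entry=$(awk -v f="$name" '{ p=$2; sub(/^\*/, "", p); if (p == f) print }' "$sums")
    if [ -z "$entry" ]; then
        echo "verify_sums: no entry for $name in $sums" >&2
        return 2
    fi
    # sha256sum -c resolves the listed name relative to its working directory
    if (cd "$dir" && printf '%s\n' "$entry" | sha256sum -c --status -); then
        return 0
    fi
    echo "verify_sums: checksum MISMATCH for $name" >&2
    return 1
}

# verify_sums_signature SUMS SUMS.sign
# The detached signature is what ties the checksum file to the project: an
# attacker who can replace the ISO on a mirror can replace SHA256SUMS just as
# easily. Needs the Debian CD signing key in the keyring of the calling user.
verify_sums_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
    gpg --verify "$2" "$1"
}

# scan_image IMAGE
# Hands the image to ClamAV. Recent ClamAV unpacks ISO 9660 itself (an
# assumption about the installed version); the default size limits are far
# below a DVD image, so they are raised here (see clamscan(1) for the maxima
# of your version; if it still reports the file as too large, mount the image
# with "mount -o loop,ro" and scan the mount point instead). A clean result
# says nothing about whether this is the image the project published; that
# is what the two checks above are for.
scan_image() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 3; }
    clamscan --max-filesize=2000M --max-scansize=4000M "$1"
}

# --- Demonstration on constructed data (a small file stands in for an ISO) ---
demo() {
    work=$(mktemp -d)
    printf 'pretend this is an installer image\n' > "$work/debian-netinst.iso"
    ( cd "$work" && sha256sum debian-netinst.iso > SHA256SUMS )
    verify_sums "$work/SHA256SUMS" "$work/debian-netinst.iso" && echo "pristine image: OK"
    printf 'one byte changed' >> "$work/debian-netinst.iso"   # simulate tampering
    verify_sums "$work/SHA256SUMS" "$work/debian-netinst.iso" || echo "tampered image: REJECTED (rc=$?)"
    rm -rf "$work"
}
demo
```

On a real download the sequence is `verify_sums_signature SHA256SUMS SHA256SUMS.sign`, then `verify_sums SHA256SUMS debian-*.iso`, then (optionally) `scan_image debian-*.iso`. If the first two fail, the scan result is irrelevant: a modified image that scans clean is still a modified image, which is exactly the point made above.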
 
Old 07-19-2010, 07:47 AM
Sthu Deus
 
Default Debian virus/spy-ware detection and detection technique.

Thank You for Your time and answer, Andrei, giving me and others the
points:

>This has been discussed several times, but IMVHO the time and
>resources invested in scanning for malware on Debian are better used
>in securing the system.
>
>Regards,
>Andrei

> http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic


Archive: http://lists.debian.org/4c4484b5.ce7c0e0a.15d2.1812@mx.google.com
 
Old 07-19-2010, 08:12 AM
Sthu Deus
 
Default Debian virus/spy-ware detection and detection technique.

Thank You for Your time and answer, Camaleón:

> On Sat, 17 Jul 2010 14:06:58 +0700, Sthu Deus wrote:
>
> > I have 3 questions on virus/spy-ware detection and detection
> > technique.
>
> He, sounds like a test...

Would You like to take it?

> > 1. Which software (maybe one that is even packaged for Debian) is,
> > in your opinion, the best for virus/spy-ware detection (software
> > that scans for interesting data and sends it to some host), and why?
>
> - For scanning/detecting virus/malware for Windows systems or linux
> systems?

Please, do not be amazed, but... LINUX. And preferably.... DEBIAN 5/6.

> - For local scanning (e-mails, Internet browsing) or a bunch of
> network share files?

For the local files on HDD and the whole CD/DVD of a distro (live or
installable).

> - By "(sic) and sends it to some host" you mean "keep the admin
> informed by sending an alert to a host" or you mean "collaborative
> tools to benefit others"?

Here I mean malicious software that scans for sensitive data like saved
passwords in files, and those typed on the keyboard as well, then sends
it to the people that have created / infested my OS with the software.

> > 3. Is it possible to scan distro CD/DVDs for these very purposes
> > (virus & spy-ware) as they are, from the media, without explicit
> > manual unpacking, to be sure the software is OK (in case checksums
> > are not available OR it is impossible for some reason to re-download
> > the images)?
>
> I think yes. Many AV scanners will scan ISO files (no "unpacking"
> required) but that depends on the AV engine itself.

Do You know such a skillful AV engine available for Debian?

> But (and I think this is important) when you scan an ISO file for
> malware and the result is clean/passed, that does not prove the ISO
> image has not been manipulated and/or changed. Checksums (or

If so, then AV engines give false negatives, so why should I use them?
In case we misunderstand each other, I'll try to rephrase this question
of mine: I have a live/installable CD/DVD. I use its normal/rescue
mode; I do some things with my OS on the HDD in order to make it work. I
had no ability to check its checksum, so is there a way I can be sure
that the software I used is "clean"?

> I hope I've passed the test :-P
You truly did. Thank You, once again.


Archive: http://lists.debian.org/4c4484b9.ce7c0e0a.15d2.1815@mx.google.com
 
Old 07-19-2010, 08:17 AM
Sthu Deus
 
Default Debian virus/spy-ware detection and detection technique.

Thank You for Your time and answer, Jordon:

> If you must because of incoming mail, try using ClamAV, which a lot of
> servers are readily able to integrate. Unless you're dumb enough
> (and this is just a subjective opinion) to allow elevated privileges
> without knowing what the program is, or you run as root, you won't
> run into any problems (normally; let's not forget the possible
> potential security hole; it's happened before) with something
> jacking your system. Even though Linux is open too, if it's in the
> repo somebody manages it, so you can always assume that software
> found in official repositories is safe.

I was using untrusted live/installable CD/DVDs to rescue my OS, and of
course I did use root privileges. That is why I was concerned before
and am concerned now.


Archive: http://lists.debian.org/4c4484bb.ce7c0e0a.15d2.1816@mx.google.com
 
Old 07-19-2010, 05:12 PM
Andrei Popescu
 
Default Debian virus/spy-ware detection and detection technique.

On Mon, 19 Jul 10, 15:12:26, Sthu Deus wrote:

[...]

> question of mine: I have a live/installable CD/DVD. I use its
> normal/rescue mode; I do some things with my OS on the HDD in order to
> make it work. I had no ability to check its checksum, so is there a
> way I can be sure that the software I used is "clean"?

Why can't you check the checksum?

Regards,
Andrei
 
Old 07-19-2010, 06:05 PM
Camaleón
 
Default Debian virus/spy-ware detection and detection technique.

On Mon, 19 Jul 2010 15:12:26 +0700, Sthu Deus wrote:

>> On Sat, 17 Jul 2010 14:06:58 +0700, Sthu Deus wrote:
>>
>> > I have 3 questions on virus/spy-ware detection and detection
>> > technique.
>>
>> He, sounds like a test...
>
> Would You like to take it?

Sure! I like tests (almost) more than cakes :-)

>> > 1. Which software (maybe one that is even packaged for Debian) is,
>> > in your opinion, the best for virus/spy-ware detection (software
>> > that scans for interesting data and sends it to some host), and why?
>>
>> - For scanning/detecting virus/malware for Windows systems or linux
>> systems?
>
> Please, do not be amazed, but... LINUX. And preferably.... DEBIAN 5/6.

What are you afraid of? I mean, what is your main concern?

I have not heard of any malware affecting Linux users massively for...
how long? I cannot remember any threat I had to take care of since I
have been using Linux (that is, since 2003).

I cannot say the same for other OSs.

>> - For local scanning (e-mails, Internet browsing) or a bunch of network
>> share files?
>
> For the local files on HDD and the whole CD/DVD of a distro (live or
> installable).

ClamAV can scan local files but is not very accurate with rootkits/
malware, just plain common viruses.

>> - By "(sic) and sends it to some host" you mean "keep the admin
>> informed by sending an alert to a host" or you mean "collaborative
>> tools to benefit others"?
>
> Here I mean malicious software that scans for sensitive data like saved
> passwords in files, and those typed on the keyboard as well, then sends
> it to the people that have created / infested my OS with the software.

Then you may be interested in anti-rootkit solutions like "chkrootkit"
or "rootkit hunter".

>> > 3. Is it possible to scan distro CD/DVDs for these very purposes
>> > (virus & spy-ware) as they are, from the media, without explicit
>> > manual unpacking, to be sure the software is OK (in case checksums
>> > are not available OR it is impossible for some reason to re-download
>> > the images)?
>>
>> I think yes. Many AV scanners will scan ISO files (no "unpacking"
>> required) but that depends on the AV engine itself.
>
> Do You know such a skillful AV engine available for Debian?

Mmm, not first hand; I was just told that they did. But take a look at
the major Linux AV websites (Kaspersky, Avira or Avast) and check
their features.

>> But (and I think this is important) when you scan an ISO file for
>> malware and the result is clean/passed, that does not prove the ISO
>> image has not been manipulated and/or changed. Checksums (or
>
> If so, then AV engines give false negatives, so why should I use them?
> In case we misunderstand each other, I'll try to rephrase this question
> of mine: I have a live/installable CD/DVD. I use its normal/rescue
> mode; I do some things with my OS on the HDD in order to make it work.
> I had no ability to check its checksum, so is there a way I can be sure
> that the software I used is "clean"?

Don't you remember that phrase, "computer security is just an
attitude" (or something like that; I barely remember the exact wording)?

No, unless you manually examine (and understand) the full code, you
cannot be 100% safe.

I'll give a you a recent example:

http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/

To make it short, a Mozilla third-party plugin was found to be a
sniffer created to steal users' passwords. Nice...

So, one can be paranoid and go back to the typewriter, or just pull the
ethernet plug... but we'd miss the fun part of the Internet (if any
:-P).

I mean, checking the MD5SUM or SHA1SUM should be enough guarantee to mark
the source as valid/clean and go on.

>> I hope I've passed the test :-P
> You truly did. Thank You, once again.

Great! :-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2010.07.19.18.05.54@gmail.com
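On the question of whether a system that was worked on as root from an untrusted rescue disc is still intact: chkrootkit and rkhunter, suggested above, look for known rootkit artefacts. A complementary and more specific check is to compare the installed files against the per-package md5sums manifests that dpkg keeps under /var/lib/dpkg/info, which is what `debsums -c` and `dpkg --verify` do. The script below is an added example, not from the thread and not the code of debsums or dpkg: it reimplements that core check as a stand-alone function that takes a root directory, so it can be pointed at a disk mounted from (verified) rescue media rather than only at the running system. It assumes coreutils md5sum; the package tree in the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: verify installed files against the
# md5sums manifests dpkg keeps for each package (what debsums/dpkg --verify
# do), with a ROOT argument so it works on a mounted disk from rescue media.
# Assumes coreutils md5sum.
set -eu

# verify_manifest MANIFEST ROOT
# MANIFEST: absolute path of a dpkg *.md5sums file ("hash  relative/path").
# ROOT:     the filesystem root those paths are relative to: "/" for the
#           running system, or the mount point of a disk being inspected.
# Prints each changed or missing file; returns 0 only if everything matches.
verify_manifest() {
    manifest=$1; root=$2
    # md5sum -c --quiet prints "path: FAILED" for altered files and
    # "path: FAILED open or read" for missing ones; keep just the path.
    changed=$(cd "$root" && md5sum -c --quiet "$manifest" 2>/dev/null \
              | sed -n 's/: FAILED.*$//p') || true
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# verify_installed ROOT
# Runs verify_manifest over every package dpkg knows about under ROOT and
# prefixes findings with the package name. Conffiles (files under /etc that
# the admin is expected to edit) are not listed in md5sums, so legitimate
# local edits do not show up; anything that does show up deserves a look.
verify_installed() {
    root=$1; rc=0
    for m in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -e "$m" ] || continue          # glob matched nothing
        pkg=$(basename "$m" .md5sums)
        if ! out=$(verify_manifest "$m" "$root"); then
            printf '%s\n' "$out" | sed "s|^|$pkg: |"
            rc=1
        fi
    done
    return $rc
}

# --- Demonstration on a constructed package tree in a temporary directory ---
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/var/lib/dpkg/info"
    printf '#!/bin/sh\necho hello\n' > "$root/usr/bin/hello"
    printf '#!/bin/sh\necho bye\n'   > "$root/usr/bin/bye"
    ( cd "$root" && md5sum usr/bin/hello usr/bin/bye ) \
        > "$root/var/lib/dpkg/info/greeter.md5sums"
    verify_installed "$root" && echo "clean tree: OK"
    # simulate one trojaned binary and one deleted file
    printf 'echo extra line appended\n' >> "$root/usr/bin/hello"
    rm "$root/usr/bin/bye"
    verify_installed "$root" || echo "modified tree: the files above differ from the manifests"
    rm -rf "$root"
}
demo
```

Two caveats before trusting the result. The manifests live on the same disk as the binaries, so an intruder with root can rewrite both; for a real incident, compare against a trusted reference instead (debsums can regenerate the manifests from the .deb files in the apt cache with its --generate option, or re-download the packages from a mirror). And run the check from verified boot media, not from the kernel of the machine under suspicion, since a kernel-level rootkit can lie to userland about file contents, which is also why the chkrootkit/rkhunter class of tools exists.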
 
Old 07-19-2010, 06:28 PM
Ron Johnson
 
Default Debian virus/spy-ware detection and detection technique.

On 07/17/2010 03:11 AM, Andrei Popescu wrote:
> On Sat, 17 Jul 10, 14:06:58, Sthu Deus wrote:
>> Good day.
>>
>> I have 3 questions on virus/spy-ware detection and detection technique.
>
> [snip]
>
> This has been discussed several times, but IMVHO the time and resources
> invested in scanning for malware on Debian are better used in securing
> the system.

Unless the Debian machine serves mail to Windows users.

--
Seek truth from facts.


Archive: http://lists.debian.org/4C449959.6090603@cox.net
 