
Thread: Virus protection Clamav HOWTO

  1. #31
    DenverD (Join Date: Jun 2008 | Location: Earth - Denmark | Posts: 10,730)

    Re: Virus protection Clamav HOWTO

    stakanov wrote:
    > I then think maybe (if it is not there) one should create a WIKI
    > section about hardening the box. What do you think about this?


    been there, since 2005:

    http://old-en.opensuse.org/Securing_openSUSE

    now, that is the old wiki, i don't know if it will get passed to the
    new wiki or not.....you wanna spruce it up, and do that?? go to its
    "history" page and you can see who has worked on the page in the past...

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

  2. #32
    (Join Date: Jan 2009 | Location: Somewhere in Fictionland | Posts: 1,479)

    Re: Virus protection Clamav HOWTO

    Well, I would, but at the very moment I do not have enough time. I should begin though. Especially I would like to have the "encrypted root partition how-to" adapted to all versions out there, working, with /boot on a USB key. But this is probably a dream. Init scripts are tough if you are not a programmer, and especially I am not sure if this method will still be possible if the boot is no longer done using runlevels (parallel booting techniques that, if I am not wrong, are foreseen also for openSUSE to come). But I promise to have a look.

  3. #33
    Carlos E. R. (NNTP User)

    Re: Virus protection Clamav HOWTO


    [longish]

    [ I was writing this the other day. Then I had Thunderbird play jokes on me. No virus, though ;-) ]
    [ I was at the review phase. Then I went to sleep, then Th. failed. Now I don't remember if wanted ]
    [ to correct this more or not - it's too long :-) ]


    On 2010-08-06 10:06, stakanov wrote:
    > Hello Carlos! How are you?
    >
    > Carlos E. R.;2202125 Wrote:
    >> On 2010-08-05 14:36, stakanov wrote:
    >>
    >> That's true but arguable. I have to use some pdf files that don't work with kpdf, okular, nor evince:
    >> they only display well with acroread. Worse, some of them have _code_ inside. You see them when you
    >> have to fill forms, in my case, from my government.
    >>
    >> For example, the invoices from the utilities, in electronic form, are usually digitally signed pdfs,
    >> at least here (Spain). Last time I looked, you can only verify the
    >> signature with acroread.
    >>

    > I then could argue that it is possible to manually deactivate the
    > functions that require code like embedded flash that generally cause the
    > problem.


    True enough, and that's what I do.

    However, if I were to use an antivirus, I would have it check those files, because that is one of
    the possible (in theory) infection vectors in linux.

    > On the long run I think this is going to change because you
    > will probably see vanish the reputation of Adobe day by day like ice in
    > the sun. PDF came to such a position it has today because it has the
    > reputation to be safe. Now, in the meanwhile because of the bloat
    > functions integrated it is getting insecure. For what I know all flaws
    > "claimed" to be a problem also on Linux systems did NOT have the ability
    > to cause problems further than user-land.


    No, I don't think that feature is going away any time soon.

    Just this morning I had to use it. It was either use it or waste an entire morning on an office line.

    [ that was last Friday ]

    > Carlos E. R.;2202125 Wrote:
    >>> Flash might be a problem....for the userland only.

    >>
    >> Well, a malware compromising my userland is to me worse than my system.
    >> The system I can rebuild
    >> with some time. The data, is a lot of work, it is more valuable than
    >> the system.
    >>

    > Carlos, you are not going to tell me that a professional person as you
    > are will proceed to mingle a user account for governmental documents
    > with a private one, with the photos of the last summer and the other
    > activities / mails. When it comes to governmental docs, they do require
    > on whatsoever system a separate account.



    What for? I don't work for them, I can keep whatever they send me where I choose to. I'm not talking
    about secret documents of government scandals or official plans for a motorway and who is going to
    get the contract, or even the secret plans of Spain to invade France :-P

    I'm just talking about things like tax forms, or forms to request a benefit, or some other thing
    like that, that any citizen has to fill and send or print now and then.

    It is private, but AFAIK there is no regulation at all on keeping those documents on a different
    account (regulations I don't know what they could be, exactly).

    Which is a different thing than keeping those private documents in an encrypted folder, if you want.
    Or out of the computer, off-line.


    No, I was talking about a different aspect.

    A piece of malware running as "user me" can do me much more damage, deleting or corrupting my
    documents, than one that corrupts the system making me reinstall all binaries and libraries. It is
    true that they can't bring the system down, yes, unless they get "root". Still... it's another kind
    of damage. And very bad.

    Theoretical ;-)


    > You should require only the
    > attachment of your government being signed but also the very email, no?
    > They should have learned by the experience of their 'hacked website
    > during the Madrid - EU lead, last summer.' (http://tinyurl.com/23k3lst)


    Ah, that one. A good laugh it was here :-)


    > Carlos E. R.;2202125 Wrote:
    >> Which does not mean I'm going to integrate an antivirus with FF. Not
    >> for the time being, at least -
    >> but I watch. Maybe one day.
    >>

    > I *do* acknowledge that Linux one day -*may*- have a problem (probably
    > not with the GNU/Linux kernel but with the implementation of some
    > distribution or with a desktop function). That said, your position is
    > acceptable, what is not acceptable is to "raise awareness of an imminent
    > problem that would require a virus scanner", which IMHO is FUD. Let's
    > play the "hypothetical game". So there would be a virus for let's say
    > KDE. It will not run on gnome, neither on any other desktop. It will run
    > for one distribution (OpenSUSE) but not e.g. on Mandriva with KDE. It
    > would be a very isolated phenomenon even in a future "optimist"
    > scenario.


    Yes, the danger is not imminent.

    No, a virus would probably come as some script or as javascript or java code. I have some programs
    that run in windows or linux with the same code, I believe. That worries me more.

    Look, viruses are harder to propagate in linux. The system is safer. We are a harder target, and
    fewer targets. But the users are the same (except the power-user types), and users can make mistakes
    that are dangerous, regardless of what operating system they use. I'm not saying "Use an antivirus!"
    Just be aware that there are dangerous things around. Same as we tell kids not to eat a candy that
    just fell to the earth, it can have nasty things.

    I'm worried about code in "clever" data files like macros in office documents, pdfs, flashes,
    whatever. Someone might try to exploit that one day. And when it happens, an antivirus will be
    useless, because that malware was not known.

    Good practices are better.


    [above was Friday. New comment on Monday before dawn]

    Yesterday I was astonished when a user here wanting help with his system, whom I had told to find
    the partition that held the non functioning system and do an fsck from a live, did so while the
    partition was mounted, and simply ignored the big warning fsck printed about not going ahead, danger
    of destroying the filesystem, type yes if really sure, and he typed "yes".

    I'm still "trembling" with surprise and... I don't know what. I don't know if I will try to help
    someone else again or put a disclaimer in my signature. This chap I told to return to Windows,
    sorry. No need to read warnings there, just click enter, enter, enter. And if it happens, blame
    Microsoft instead of the chair-keyboard interface.

    I'm still distraught. :-/


    Anyway... to the subject. The user can do terrible things to his own system by simply not heeding
    messages. No antivirus can protect us from that. The user is a far more serious danger to Linux
    users than viruses.

    [ ]

    > Problems WILL come however if we continue to incentivise "waving" the
    > user to give the same password for root and user. But telling this is
    > info, telling "install an antivirus to protect your Linux" is *currently*
    > FUD, because it is a false argument. And the latter is the object of the
    > discussion, not the hypothetical "one day there may be a malware that
    > works".


    They are two aspects. One, explaining that the idea of using an antivirus makes things safer,
    currently, is false, and another explaining what really we have to do now to keep safe.


    Like the one I read about someone that removed the firewall to try ssh from the office, if I got it
    right.



    > Carlos E. R.;2202125 Wrote:
    >>> PS. I would bet that 90% of the people so busy about security and
    >>> virus here are not even encrypting and digitally signing their mail, nor
    >>> will they insist with their correspondents to use these easy cheap and
    >>> valuable measures. Prove me wrong.
    >>
    >> Ha! I do sign my email. That's another can of worms, and a different
    >> aspect of security, unrelated
    >> to viruses. Except if you consider that the PGP signatures of the
    >> entire opensuse buildservice has
    >> been broken for three or four months, so perhaps somebody could have
    >> tried to subvert the system
    >> somehow.
    >>

    > Hum, I am worried that you took this on you. I would have expected
    > signing email from a person with your skills (I have read your
    > contributions carefully, you know :-) ). But the absolute majority doesn't, not even
    > when using Linux, especially noobs. (It is enough to try to send a
    > whatsoever encrypted email to a person and you will find that she
    > doesn't possess a signature on the public server. If you tell them to
    > put it they answer that "they have nothing to hide"). So far about
    > "WHERE" awareness has to be raised without being FUD.


    I have never been able to send encrypted mail to anybody I wanted to. They don't know how. It is
    useless.

    So, I don't email data I want private and safe.
    Phone, fax, snail-mail, person... No email.


    > The signatures of the repos are an open point of discussion. That they
    > were broken is not a problem, it means that they did not pay attention
    > during the update of the repositories. But that does not mean the server
    > was compromised, and you know that. It means, that if people are
    > intelligent they did NOT update with the message that the software
    > coming in is not conveniently signed.


    Which nobody did. The signatures expired in May, and only now (end of July) someone noticed and
    said something here. Which means that people have been adding repositories that could have been
    faked copies. The signature system has proved useless.

    [what I said above about not reading warning messages]

    Worse, I opened a Bugzilla about this and they repeatedly closed it as wontfix. Nobody cared,
    instead wanted me to shut up. At the end they did, but I took some bashings, and some that I have not
    read.

    Security? Bah! :-(

    > And awareness should be raised that
    > this is the thing to do and that users shall report these messages to
    > the mailing list of OpenSUSE. Am I wrong? This also is not FUD. But it
    > would be FUD to say: install ClamAv antivirus and FF module to protect
    > yourself and scan compromised packages that you did install on your own
    > responsibility and intentionally disregarding the respective warnings.


    That, yes.



    > BTW, time ago I raised a 'proposal to put a group "security issues"'
    > (http://tinyurl.com/2atk454) on the forum. The consequent poll set up,
    > at the end showed interest. Nothing happened. I then think maybe (if it
    > is not there) one should create a WIKI section about hardening the box.
    > What do you think about this?


    I wondered about that, I don't see a security related forum.

    [ sending this without more re-checking. maybe there are errors or unclear things. ]

    [ Disclaimer: it is 4:34 AM, I'm sleepy, so blame that for any errors ;-) ]
    [ (but if I go to bed I stay fully awake) ]

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" GM (Elessar))
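The expired repository signing keys discussed above are the kind of thing a small check catches before users meet the "not signed" prompt. This is an added example, not code from the thread or from openSUSE: it parses `gpg --list-keys --with-colons` output (a constructed sample is embedded; real use would feed it the keyring that holds the repository keys) and flags keys that are expired or expire within a warning window.

```python
# Added example (not from the thread): parse `gpg --list-keys --with-colons`
# output and flag signing keys that are expired or about to expire.

# Constructed sample in gpg's colon format; key IDs, names and dates are made up.
# Field 2 is validity (e = expired), field 5 the key ID, fields 6/7 creation and
# expiry as Unix timestamps (an empty field 7 means the key never expires).
SAMPLE_GPG_OUTPUT = """\
tru::1:1280000000:0:3:1:5
pub:e:1024:17:0000000000000001:1115000000:1273000000::-:::scESC::::::23::0:
uid:e::::1115000000::HASH1::Constructed Repo Key <repo@example.invalid>::::::::::0:
pub:-:2048:1:0000000000000002:1230000000:1282000000::-:::scESC::::::23::0:
uid:-::::1230000000::HASH2::Constructed Build Key <obs@example.invalid>::::::::::0:
pub:-:4096:1:0000000000000003:1250000000:::-:::scESC::::::23::0:
uid:-::::1250000000::HASH3::Constructed Permanent Key <never@example.invalid>::::::::::0:
"""

def parse_gpg_colons(text):
    """Return one dict per 'pub' record: keyid, created, expires (None = never)."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] != "pub":
            continue  # skip trust-db, uid, sub and other record types
        keys.append({"keyid": fields[4],
                     "created": int(fields[5]),
                     "expires": int(fields[6]) if fields[6] else None})
    return keys

def classify_keys(keys, now, warn_days=30):
    """Map key ID -> 'expired', 'expiring' (within warn_days) or 'ok', relative to `now`."""
    status = {}
    for key in keys:
        exp = key["expires"]
        if exp is None or exp - now > warn_days * 86400:
            status[key["keyid"]] = "ok"          # never expires, or far enough away
        elif exp <= now:
            status[key["keyid"]] = "expired"     # already past the expiry date
        else:
            status[key["keyid"]] = "expiring"    # inside the warning window
    return status

if __name__ == "__main__":
    # `now` fixed to 2010-07-31 UTC, roughly when the thread noticed the expiry.
    for keyid, state in classify_keys(parse_gpg_colons(SAMPLE_GPG_OUTPUT), now=1280534400).items():
        print(f"{keyid}  {state.upper()}")
```

The constructed first key expired in early May 2010 and the second expires within a month of the fixed `now`, mirroring the situation described in the post.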

  4. #34
    Carlos E. R. (NNTP User)

    Re: Virus protection Clamav HOWTO

    On 2010-08-06 08:34, DenverD wrote:
    > Carlos E. R. wrote:


    >> The only danger would be if I tried to run them - which I won't.

    >
    > i can't find it now, but i read a piece a couple of years ago where a
    > guy set out to run some viruses....of course he had to specifically
    > and deliberately run them in WINE to have any chance of doing
    > damage...so he did that and still was quite disappointed at how really
    > difficult it was to do any damage and certainly the little bugs had no
    > idea how to replicate themselves since they couldn't crack win-email
    > programs to pump out millions of infected emails..


    I remember :-)

    > anyone have a link to that??
    >
    > it was kinda funny how much work it was to give those bugs _any_
    > noticeable effect, even if you were *trying* to make them grow..
    >
    > oh, here it is http://www.linux.com/archive/feed/42031


    Mmm... no, that's not the one I read. It was longer and funnier. Maybe a reporter from some
    specialized newspaper.


    > i do see that that article is FIVE years old, so maybe things have
    > changed and "otto oz" is right....oh no! maybe i should be all afraid
    > to surf without ClamAV (or other) running full speed..


    X-)

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" GM (Elessar))

  5. #35
    DenverD (Join Date: Jun 2008 | Location: Earth - Denmark | Posts: 10,730)

    Re: Virus protection Clamav HOWTO

    Carlos E. R. wrote:
    > Yesterday I was astonished when a user here wanting help with his
    > system, whom I had told to find the partition that held the non
    > functioning system and do an fsck from a live, did so while the
    > partition was mounted, and simply ignored the big warning fsck
    > printed about not going ahead, danger of destroying the filesystem,
    > type yes if really sure, and he typed "yes".
    >
    > I'm still "trembling" with surprise and... I don't know what. I
    > don't know if I'will try to help someone else again or put a
    > disclaimer in my signature. This chap I told to return to Windows,
    > sorry. No need to read warnings there, just click enter, enter,
    > enter. And if it happens, blame Microsoft instead of the
    > chair-keyboard interface.
    >
    > I'm still distraught. :-/


    i understand!

    the fact is that here in these fora we never really know much about
    the technical knowledge level of the question askers..

    my experience is one absolutely can *not* rely on them to tell us..

    and if they do, you still can't rely on them to know what they are
    talking about! [some come here after years of playing games on Redmond
    systems, a month of using Ubuntu, then see a youtube of a rotating
    cube and pile into here telling us they are "power users" with Linux
    experience who now are in love with KDE4!! but their system is now so
    screwed they can't even fix it with "chmod 777"]

    i usually try to imagine one of those types asking the questions....it
    make my answers long, but more complete and possibly usable, and
    _maybe_ safe for their bungling use..

    doing that, i occasionally get a nasty "i knew that" or "i'm not a
    n00b" in which case they can shove off, because i do it the way _i_ do
    it to give myself insurance against the "distraught" you suffered..

    suggest you not assume the folks asking here are at the same technical
    level of those on the mail lists....AND include a disclaimer/caveat..

    and, always remember: the user can always find a way to destroy his
    stuff, whether that is his own data, operating system, iPhone, new car
    or supersonic jet..

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]
