OpenSuSE 11.1 On-Access Virus Scanning

I realise that many people don’t see the need for anti-virus protection on UNIX-based systems such as Mac OSX and Linux. However, it seems to me bad form to be in a situation where you might unknowingly pass on a file containing a virus to friends running Windows.

Although a newcomer to Linux, I have installed SuSE 11.1 (KDE 4.1.3) on a computer for myself and also on one for my parents. I have spent some time without success trying to get the on-access virus scanning to run.

KlamAV 0.46 (using ClamAV 0.95.2) almost always comes up with the following message “The auto-scan process died unexpectedly!” I have tried adjusting the settings in freshclam.conf and clamd.conf but this has made no difference.

Please could someone walk me through the process of setting up on-access scanning or point me to a clearly explained solution already published on the web?

I note that there are other free Linux anti-virus products from AVG and Avast but it is not clear whether either of these provides on-access scanning. Any help or information would be most welcome.

Well, I have a very simple way of handling this.

I never send executable code (no matter if “exe”, “pif” or documents containing macros; why/how should I download them to my system in the first place? I also _never_ download attachments from sources I don’t know, so where’s the “attack vector” here?) to anybody, nor do I use HTML email.

What ways of “sending other people bad files” do you have in mind?

In any case, why allocate unnecessary resources for an “on access scanner” when you would possibly (if you don’t send any of the stuff I mentioned above via email, then why even need that?) only need it on demand, scanning your email attachments before you send them?
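The on-demand alternative described above, as an added example that is not part of this thread: a small POSIX shell script that runs `clamscan` (the command-line scanner shipped with ClamAV) over a folder of outgoing attachments and reports what it found. The directory name and the sample scanner output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread.  ATTACHMENT_DIR is an assumed
# location; point it at wherever you collect files before attaching them.
ATTACHMENT_DIR="${ATTACHMENT_DIR:-$HOME/outgoing-attachments}"

# Constructed sample of clamscan's per-file output (without --infected, so
# clean files show up as "OK").  Infected files end in " FOUND".
SAMPLE_OUTPUT='/home/me/outgoing-attachments/report.doc: Eicar-Test-Signature FOUND
/home/me/outgoing-attachments/photo.jpg: OK'

# Count the infected files in a clamscan listing.  "|| true" keeps grep's
# exit status 1 (no matches) from aborting a script running under set -e.
count_found() {
  printf '%s\n' "$1" | grep -c ' FOUND$' || true
}

# Print only the paths of the infected files, one per line.
list_found() {
  printf '%s\n' "$1" | sed -n 's/: [^:]* FOUND$//p'
}

# Scan a directory on demand.  Exit status follows clamscan's convention:
# 0 = clean, 1 = something found, 2 = scanner error or not installed.
scan_dir() {
  dir="$1"
  if ! command -v clamscan >/dev/null 2>&1; then
    echo "clamscan not installed (on openSUSE: install the clamav package)" >&2
    return 2
  fi
  status=0
  out=$(clamscan -r --infected --no-summary "$dir") || status=$?
  if [ "$status" -eq 1 ]; then
    echo "Do not send these files:" >&2
    list_found "$out" >&2
  fi
  return "$status"
}

# Usage: run "scan_dir $ATTACHMENT_DIR" before attaching anything to a mail.
```

The script only ever reports; deciding what to do with a flagged file is left to the person sending it, which avoids the "it deleted my whole mailbox" failure mode that automatic cleaning can produce.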

Thanks for your suggestion. My parents are nearly 80 years old and have just switched from Windows 98! I am looking for a solution I can implement on their computer and forget about.

This type of solution does not exist, no matter what “security software experts” may tell you.

If your parents use Linux and you configure their system simple and secure, they will have high protection against viruses/worms/trojans; the more complex you make the system (i.e. by installing an IMHO completely unnecessary “on access” scanner), the less you will be able to “just forget” about it.

Not more code makes a system more secure, less code does, especially if you install more code with the idea of then having to care less.

This conception is always flawed.

Okay it sounds like my approach may be over the top. Perhaps this is because of the time I spend working with Windows. What does “system simple and secure” mean? Is it a predefined set of configuration options?

Kmail would not work with my parents ISP so I ended up installing Thunderbird. Do you know if it is possible to setup automatic scanning of outgoing email attachments or am I missing your point about simplicity by asking this?

No, it is excessive use of “common sense” (aka “brain 1.0 or higher”).

There is no predefined set, just don’t install more than needed, don’t activate stuff you don’t need (or don’t know what it does/how it is working) and configure software with the “whitelist” (aka “anything which is not explicitly allowed should be forbidden”) concept, take care of regularly updating the machine (security updates), etc. …

Vendors of “Security Software” (mostly known in the Windows world) like “Personal Firewalls” or “Virus Scanners” or “Spyware Removal Tools” tell you that their tools “make you secure by default”, this is a blatant (but very lucrative) lie.

Tools whose purpose and workings you don’t know will only give you a false sense of security; in most cases using common sense is much easier and very often more effective.

Example:

Typical statement of “Security software vendors”:

“Your Windows system has a lot of services running which most people don’t need.”

=> True

“Your system will show lots of open ports exposed to the internet, this is a security risk”

=> True

“Use our Personal Firewall product to block these ports and you will be secure”.

=> False

  1. If the extra code installed (Personal Firewall) has a bug, it will open new attack vectors, and believe me, there are lots of examples where you were more vulnerable because you installed “security software”. Software is written by humans, humans make mistakes. The more software, the more potential mistakes, the more possible security holes.

  2. And for the “more effective common sense” part.

If I have services I don’t need running, which will put me at risk, why should I use another program denying access to those services?

Wouldn’t it be more logical to deactivate the services I don’t need so they won’t be accessible at all?

This is also even more secure, because even if the service has a security hole, my machine won’t be vulnerable, because a non running service can not be attacked (not mentioning that this will also save system resources).

I think you get the idea.
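Putting the “deactivate rather than firewall” advice into practice starts with knowing which services are actually reachable from the network. The following is an added example, not code from the thread: it parses a `netstat -tulpn` listing (the sample below is constructed in that format), reports the sockets bound to all interfaces, and prints the openSUSE 11.1-era commands (`rc<service> stop`, `chkconfig <service> off`) for the ones you decide to switch off. It assumes, for illustration, that the init script name matches the program name, which is not true for every service.

```shell
#!/bin/sh
# Added example, not code from the thread.  On a real machine run
# "netstat -tulpn" as root and pass its output to the same functions.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1300/cupsd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1100/portmap
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1400/avahi-daemon'

# Print "program port" for every tcp/udp socket bound to all interfaces
# (0.0.0.0 or ::).  Loopback-only sockets such as cupsd on 127.0.0.1 are
# not reachable from outside and are left out.  $NF is used for the
# PID/Program column because udp lines have no State column.
exposed_services() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
      n = split($4, a, ":"); port = a[n]
      m = split($NF, p, "/"); prog = p[m]
      print prog, port
    }'
}

# For each service name given, print (do not run) the commands that stop it
# now and keep it from starting at boot.  Assumption for this example: the
# init script is called like the program (rcsshd, rcportmap, rcavahi-daemon).
disable_commands() {
  for svc in "$@"; do
    printf 'rc%s stop\nchkconfig %s off\n' "$svc" "$svc"
  done
}

# Usage on the sample: review the exposed list, keep sshd if you need remote
# administration, then run the printed commands as root for the rest.
#   exposed_services "$SAMPLE_NETSTAT"
#   disable_commands portmap avahi-daemon
```

Because the commands are printed rather than executed, you can read the list first and confirm that nothing the machine relies on (a printer daemon, a remote login you use to help your parents) is on it before anything is switched off.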

Are they likely to send Windows viruses to people? Are they likely to receive Linux viruses?

I personally wouldn’t bother with any virus scanner for the same reason as explained by Akoellh :)

I also had a bad experience with a virus scanner under Linux. Partly due to my own stupidity, AVG noted I had a Windows virus in my email box. Since this was a legacy email box from a Windows machine this was very likely. I told AVG to heal the file but when it couldn’t I told it to remove the email… at least I thought I did. Turns out it deleted my whole email box. Thunderbird stored it as one file and since the file could not be cleaned it got deleted. Thank god for backups ;)

Since then I do not bother with antivirus on my Linux pc.

Also, you would likely get phone calls saying that the antivirus caught something, it can’t update, it’s broken, etc… Less is more!

Not mentioning those lovely “false positives” …

P.S.

Lord Flashheart: Always treat your plane like you treat your woman.
Lieutenant George: Take her home at the weekend to meet your mother?
Lord Flashheart: No, get inside her five times a day and take her to heaven and back!

Lord Flashheart: Woof!

“20 minuters” class: Woof!

Baldrick: Bark!

Not much in this discussion I would disagree with, but it begs the question “why does klamav/dazuko/on-access scanning crash?”

This is one of those chicken/egg questions, but it identifies that “if” we needed it, we would be disappointed.

Good thing we are a small target, eh?

Dazuko had several issues in the past with newer kernel versions (IIRC there were problems with some virtual fs no longer being compatible/available for newer versions).

Consider also that all “online” virus scanners (= running on the system they actually scan) are not very reliable; especially “disinfecting” an infected system is something that cannot work (by design).

If you don’t believe me, then read what security experts (no, no “” here) from Microsoft have to say about that:

Help: I Got Hacked. Now What Do I Do?

Sorry, I do not know how to help you because I’ve never felt like it was my job to use my CPU cycles to help Redmond users protect themselves… that is their job…

Another way to look at it is: wait until one of your parents’ friends tells them they were sent a virus from your parents’ machine… and THEN go to the trouble to set up a scanning AV…

I’d bet it will be a long long long time before that happens…

Well, it hasn’t happened to me yet, and I’ve not been using Redmond’s stuff since 1995… (think of all the cycles, electricity, setup time and etc. I’ve saved by NOT trying to protect folks who won’t protect themselves and CHOOSE to use a virus bait operating system)

platinum

You don’t say where you got Klam from. Did you get it from the openSUSE repositories? If not, that is probably the reason for the crash.

If you did, it is often possible to identify the problem by running it in console mode and looking at the log.