Group thoughts on: Anti-virus tools


Group thoughts on: Anti-virus tools

deb-12


Starting assumption: I do want to run A/V.

  * I get that it may actually INCREASE attack surface.

  * But I have Windows & Mac stuff going back and forth to Debian 9.8
and just want to check.

  * (Clamscan already caught 4 things)


a. What does the group suggest running on debian beyond

     - chkrootkit

     - rkhunter

     - ClamAV

b. Does the list keep a ~ "pinned" answer for these kinds of questions?


Thank you!



Re: Group thoughts on: Anti-virus tools

Sven Hartge-5
deb <[hidden email]> wrote:

> a. What does the group suggest running on debian beyond

>     - chkrootkit

Useless.

>     - rkhunter

Crap, unmaintained.

Both tools produce more false positives than finding anything, just
creating a false sense of security while providing no security benefit
whatsoever.

Greetings,
Sven.

--
Sigmentation fault. Core dumped.


Re: Group thoughts on: Anti-virus tools

Reco
In reply to this post by deb-12
        Hi.

On Sun, Mar 10, 2019 at 10:58:12AM -0400, deb wrote:
> Starting assumption: I do want to run A/V.
>  * I get that it may actually INCREASE attack surface.
>  * But I have Windows & Mac stuff going back and forth to Debian 9.8 and just want to check.
>  * (Clamscan already caught 4 things)

Ok. If it's the poison you want - we'll pour you a cup.


> a. What does the group suggest running on debian beyond
>     - chkrootkit

Thing was good like 15 years ago. The thing is - the world has moved,
chkrootkit stayed the same.
Save yourself CPU cycles and do not install the thing.


>     - rkhunter

Its primary purpose, i.e. rootkit detection, is severely lacking.
The thing has its uses as IDS and 'best practices auditor toolkit', but
that's it.

But if it's the IDS you need - there are tripwire and debsums.


>     - ClamAV

Can catch a Windoze virus or two. The intended purpose of clamav is to
sit on an e-mail relay and scan the mail, which it does fulfill.


> b. Does the list keep a ~ "pinned" answer for these kinds of questions?

Not that I'm aware of. The thing is - instead of taking an insecure OS
and building assorted kludges (in the form of anti-virus) around it,
it's considered wise here to use a secure OS from the beginning.

Reco
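Reco's pointer to tripwire and debsums is a pointer to file-integrity checking rather than signature scanning. As an added illustration (not code from the thread or from the debsums project), the script below does what debsums does at its core: it reads a dpkg-style `.md5sums` manifest (the format of `/var/lib/dpkg/info/<package>.md5sums`) and reports files whose hash no longer matches or that are missing, run here against a constructed temporary tree for a hypothetical package named `hello`.

```python
import hashlib
import os
import tempfile


def parse_md5sums(manifest: str) -> dict:
    """Parse dpkg's .md5sums format: one '<md5 hex>  <path relative to />'
    line per shipped file (two spaces between digest and path)."""
    expected = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, _, path = line.partition("  ")
        expected[path] = digest.strip().lower()
    return expected


def md5_of(path: str) -> str:
    """Hash a file in chunks so large binaries are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(manifest: str, root: str) -> dict:
    """Classify each manifest entry under `root` as ok / changed / missing."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, digest in sorted(parse_md5sums(manifest).items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of(full) != digest:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed fake root: write three files, build their manifest, then alter one and delete another."""
    root = tempfile.mkdtemp()
    files = {
        "usr/bin/hello": b"#!/bin/sh\necho hello\n",
        "etc/hello.conf": b"verbose=0\n",
        "usr/share/doc/hello/README": b"docs\n",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    manifest = "".join(f"{hashlib.md5(d).hexdigest()}  {p}\n" for p, d in files.items())
    with open(os.path.join(root, "usr/bin/hello"), "ab") as f:
        f.write(b"echo modified\n")  # simulate a changed binary
    os.remove(os.path.join(root, "usr/share/doc/hello/README"))  # simulate a missing file
    return check_manifest(manifest, root)
```

dpkg's manifests use MD5 and live on the same disk as the files they describe, so this catches careless or accidental modification but not a root-level intruder who rewrites both; tripwire addresses that by signing its baseline database, ideally kept on read-only media.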


Re: Group thoughts on: Anti-virus tools

Richard Owlett-3
On 03/10/2019 10:20 AM, Reco wrote:

> Hi.
>
> On Sun, Mar 10, 2019 at 10:58:12AM -0400, deb wrote:
>> Starting assumption: I do want to run A/V.
>>  [*SNIP*]
>
>> b. Does the list keep a ~ "pinned" answer for these kinds of questions?
>
> Not that I'm aware of. The thing is - instead of taking an insecure OS
> and building assorted kludges (in the form of anti-virus) around it,
> it's considered wise here to use a secure OS from the beginning.
>

Recommended reading list applicable to Debian?




Re: Group thoughts on: Anti-virus tools

Gene Heskett-4
In reply to this post by deb-12
On Sunday 10 March 2019 10:58:12 deb wrote:

> Starting assumption: I do want to run A/V.
>
>   * I get that it may actually INCREASE attack surface.
>
>   * But I have Windows & Mac stuff going back and forth to Debian 9.8
> and just want to check.
>
>   * (Clamscan already caught 4 things)
>
>
> a. What does the group suggest running on debian beyond
>
>      - chkrootkit
>
>      - rkhunter
>
>      - ClamAV
>
> b. Does the list keep a ~ "pinned" answer for these kinds of
> questions?
>
The trouble with a pinned list is that it can't keep up with the latest
attack methods. Clamav has silently stripped about half a megabyte of
stuff since about the first of October last, last hit Feb 12 here.
However while I'm checking, I note that a pastebin installation
(pnopaste) has generated about 20 megabytes of squawks, so it's gone now.
I installed it so's I'd have a local pastebin. We get too soon auld, and
too late schmardt. Has pnopaste acted up for others?

>
> Thank you!


Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>


Re: Group thoughts on: Anti-virus tools

Curt
In reply to this post by Richard Owlett-3
On 2019-03-10, Richard Owlett <[hidden email]> wrote:

> On 03/10/2019 10:20 AM, Reco wrote:
>> Hi.
>>
>> On Sun, Mar 10, 2019 at 10:58:12AM -0400, deb wrote:
>>> Starting assumption: I do want to run A/V.
>>>  [*SNIP*]
>>
>>> b. Does the list keep a ~ "pinned" answer for these kinds of questions?
>>
>> Not that I'm aware of. The thing is - instead of taking an insecure OS
>> and building assorted kludges (in the form of anti-virus) around it,
>> it's considered wise here to use a secure OS from the beginning.
>>
>
> Recommended reading list applicable to Debian?
>

I thought he was saying the surest approach is not touching Windows with
a ten foot pole, for which I doubt there's a list to read.



--
“Let us again pretend that life is a solid substance, shaped like a globe,
which we turn about in our fingers. Let us pretend that we can make out a plain
and logical story, so that when one matter is despatched--love for instance--
we go on, in an orderly manner, to the next.” - Virginia Woolf, The Waves


Re: Group thoughts on: Anti-virus tools

Reco
        Hi.

On Sun, Mar 10, 2019 at 04:32:42PM -0000, Curt wrote:

> On 2019-03-10, Richard Owlett <[hidden email]> wrote:
> > On 03/10/2019 10:20 AM, Reco wrote:
> >> Hi.
> >>
> >> On Sun, Mar 10, 2019 at 10:58:12AM -0400, deb wrote:
> >>> Starting assumption: I do want to run A/V.
> >>>  [*SNIP*]
> >>
> >>> b. Does the list keep a ~ "pinned" answer for these kinds of questions?
> >>
> >> Not that I'm aware of. The thing is - instead of taking an insecure OS
> >> and building assorted kludges (in the form of anti-virus) around it,
> >> it's considered wise here to use a secure OS from the beginning.
> >>
> >
> > Recommended reading list applicable to Debian?
> >
>
> I thought he was saying the surest approach is not touching Windows with
> a ten foot pole,

You're aiming too low. Not touching any non-free OS with a ten foot pole
would be much more like it.


> for which I doubt there's a list to read.

True.

Reco


Re: Group thoughts on: Anti-virus tools

Joe Rowan
On Sun, 10 Mar 2019 19:35:18 +0300
Reco <[hidden email]> wrote:

> Hi.
>
> On Sun, Mar 10, 2019 at 04:32:42PM -0000, Curt wrote:
>
> >
> > I thought he was saying the surest approach is not touching Windows
> > with a ten foot pole,  
>
> You're aiming too low. Not touching any non-free OS with a ten foot
> pole would be much more like it.
>
>
While bearing in mind that 'free' doesn't mean 'problem-free'.

Remember how many people audited the Heartbleed code before it was
released?

--
Joe


And now, from the Nice people? Re: Group thoughts on: Anti-virus tools

deb-12
In reply to this post by Curt

I posted a question about A/Vs and got negative waves like the below.


Several people ASS-UMED I was trying to kludge Windows into Linux,
(see Canonical if you want to find Linux-folk sucking up to Windows)
instead of working to bring Linux into Windows strongholds (and
be aware of the problems there.)

Some just crushed my starting points, without alternatives.


N.I.C.E.


It is little wonder that Linux can not beat Windows on the desktop (as
it should),

if this is how people are helped who are trying to Bring In Linux.


Curmudgeon tip: It is no longer 1972. If you have nothing nice or at
least helpful to say on a USER list, say nothing at all.

But you will anyways...


"assorted help"


Not that I'm aware of. The thing is - instead of taking an insecure OS
and building assorted kludges (in the form of anti-virus) around it,
it's considered wise here to use a secure OS from the beginning.

> I thought he was saying the surest approach is not touching Windows with
> a ten foot pole, for which I doubt there's a list to read.
>


Re: Group thoughts on: Anti-virus tools

Mart van de Wege
In reply to this post by deb-12
deb <[hidden email]> writes:

> Starting assumption: I do want to run A/V.
>
>  * I get that it may actually INCREASE attack surface.
>
>  * But I have Windows & Mac stuff going back and forth to Debian 9.8
> and just want to check.

When you say going back and forth, do you mean over the network?

On Linux the best solution right now is clamav, which is not 100%. Is it
an option for you to run a network based solution, like an IDS?

Mart
--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.


Re: Group thoughts on: Anti-virus tools

Stefan Monnier
In reply to this post by deb-12
> Starting assumption: I do want to run A/V.

You have it: it's called `apt` (i.e. in the world of Debian, the
response to "viruses" is to plug the hole they try to exploit, instead
of leaving those holes gaping while wasting resources trying to look for
known attacks).

>  * (Clamscan already caught 4 things)

I'll bet that none of those 4 "things" exploit a hole to which you
are vulnerable.  Hence catching those attacks has not made you more
secure: it just wasted resources.

My SSHd daemon has probably rejected more attempts to log into my system
while writing this email.  So what?  None of those attempts are real
threats, anyway, just like those 4 "things" that Clamscan says
it caught.


        Stefan


Re: Group thoughts on: Anti-virus tools

Stefan Monnier
In reply to this post by Joe Rowan
> While bearing in mind that 'free' doesn't mean 'problem-free'.
> Remember how many people audited the Heartbleed code before it was
> released?

Indeed.  But it doesn't take more time to update openssl than to update
a virus scanner.


        Stefan


Re: Group thoughts on: Anti-virus tools

mick crane
In reply to this post by Joe Rowan
On 2019-03-10 17:13, Joe wrote:

> On Sun, 10 Mar 2019 19:35:18 +0300
> Reco <[hidden email]> wrote:
>
>> Hi.
>>
>> On Sun, Mar 10, 2019 at 04:32:42PM -0000, Curt wrote:
>>
>> >
>> > I thought he was saying the surest approach is not touching Windows
>> > with a ten foot pole,
>>
>> You're aiming too low. Not touching any non-free OS with a ten foot
>> pole would be much more like it.
>>
>>
> While bearing in mind that 'free' doesn't mean 'problem-free'.
>
> Remember how many people audited the Heartbleed code before it was
> released?

didn't I read OpenSSL just had the one full-time guy for thousands of
lines of code?

mick
--
Key ID    4BFEBB31


Re: And now, from the Nice people? Re: Group thoughts on: Anti-virus tools

Brian
In reply to this post by deb-12
On Sun 10 Mar 2019 at 13:18:54 -0400, deb wrote:

> I posted a question A/Vs and got negative waves like the below.

It only looks "negative" because you have an agenda. I myself thought
the responses were reasonable and balanced.

> Several people ASS-UMED I was trying to kludge Windows into Linux,
> (see Canonical if you want to find Linux-folk sucking up to Windows)
> instead of working to bring Linux into Windows strongholds (and
> be aware of the problems there.)

Knocking Canonical (who produce a premier Linux distribution) doesn't
advance your argument; it is unclear what that is.
 
> Some just crushed my starting points, without alternatives.
>
>
> N.I.C.E.

Your argument (for what it was) was demolished. Explicit alternatives to
it are unnecessary when it hasn't a leg to stand on.

> It is little wonder that Linux can not beat Windows on the desktop (as it
> should),

Is that part of the agenda?

> if this is how people are helped who are trying to Bring In Linux.

Or is this the nub? The Lone Ranger syndrome.

> Curmudgeon tip: It is no longer 1972. If you have nothing nice or at least
> helpful to say on a USER list, say nothing at all.

All the responses were helpful. You just have to fit them into your
World View and accommodate them.

--
Brian.


Re: Group thoughts on: Anti-virus tools

Reco
In reply to this post by Joe Rowan
        Hi.

On Sun, Mar 10, 2019 at 05:13:35PM +0000, Joe wrote:

> On Sun, 10 Mar 2019 19:35:18 +0300
> Reco <[hidden email]> wrote:
> > On Sun, Mar 10, 2019 at 04:32:42PM -0000, Curt wrote:
> >
> > >
> > > I thought he was saying the surest approach is not touching Windows
> > > with a ten foot pole,  
> >
> > You're aiming too low. Not touching any non-free OS with a ten foot
> > pole would be much more like it.
> >
> >
> While bearing in mind that 'free' doesn't mean 'problem-free'.
>
> Remember how many people audited the Heartbleed code before it was
> released?

And that's why security is a process, not a state.
CVE-2014-0160 was fixed upstream days after the discovery, but it took
certain software vendors almost a year to fix openssl 'bundled' with
their 'software products'.

Reco


Re: And now, from the Nice people? Re: Group thoughts on: Anti-virus tools

Felmon Davis-2
In reply to this post by deb-12
On Sun, 10 Mar 2019, deb wrote:

>
> I posted a question A/Vs and got negative waves like the below.
>
>
> Several people ASS-UMED I was trying to kludge Windows into Linux,
> (see Canonical if you want to find Linux-folk sucking up to Windows)
> instead of working to bring Linux into Windows strongholds (and
> be aware of the problems there.)
>
> Some just crushed my starting points, without alternatives.
>
>
> N.I.C.E.
>
>
> It is little wonder that Linux can not beat Windows on the desktop (as it
> should),
>
> if this is how people are helped who are trying to Bring In Linux.
>
>
> Curmudgeon tip: It is no longer 1972. If you have nothing nice or at least
> helpful to say on a USER list, say nothing at all.
I haven't been able to follow the core of the discussion, partly
because I don't know the technical issues and partly because I didn't
quite understand your question, but for a different perspective on
'nice': I actually thought the responses you received were trying to be
helpful; they were warning you against a certain approach to your
issue (especially about using Windows or thinking AV is needed on
Linux).

I think curmudgeons can put people off but I didn't think people were
being curmudgeonly to you (or didn't intend to be) but instead
critical of Windows or Windows-like approaches.

They were pressing the case that one doesn't need AV on Linux as such,
at least not if properly configured. This seems helpful.

>
> But you will anyways...
>
>
> "assorted help"
>
>
> Not that I'm aware of. The thing is - instead of taking an insecure OS
> and building assorted kludges (in the form of anti-virus) around it,
> it's considered wise here to use a secure OS from the beginning.
>
>> I thought he was saying the surest approach is not touching Windows with
>> a ten foot pole, for which I doubt there's a list to read.
This seems to support my interpretation.

f.

--
Felmon Davis

Re: Group thoughts on: Anti-virus tools

Joe Rowan
In reply to this post by mick crane
On Sun, 10 Mar 2019 19:46:42 +0000
mick crane <[hidden email]> wrote:

> On 2019-03-10 17:13, Joe wrote:
> > On Sun, 10 Mar 2019 19:35:18 +0300
> > Reco <[hidden email]> wrote:
> >  
> >> Hi.
> >>
> >> On Sun, Mar 10, 2019 at 04:32:42PM -0000, Curt wrote:
> >>  
> >> >
> >> > I thought he was saying the surest approach is not touching
> >> > Windows with a ten foot pole,  
> >>
> >> You're aiming too low. Not touching any non-free OS with a ten foot
> >> pole would be much more like it.
> >>
> >>  
> > While bearing in mind that 'free' doesn't mean 'problem-free'.
> >
> > Remember how many people audited the Heartbleed code before it was
> > released?  
>
> didn't I read openSSL just had the one full time guy for thousands of
> lines of code ?

I believe only one person other than the writer audited the code, and
this was a piece of core open-source security code. While "given enough
eyeballs, all bugs are shallow", it is clear that code being open
source does not automatically deliver the eyeballs.

--
Joe


Re: Group thoughts on: Anti-virus tools

deloptes-2
In reply to this post by deb-12
deb wrote:

> ClamAV

I recall 15 years ago we integrated Kaspersky into ClamAV. Easy to integrate and
easy to use. Worked great. I left this company a couple of years later, but
it will not surprise me if they are still using the same setup.




Re: And now, from the Nice people? Re: Group thoughts on: Anti-virus tools

deloptes-2
In reply to this post by deb-12
deb wrote:

> Not that I'm aware of. The thing is - instead of taking an insecure OS
> and building assorted kludges (in the form of anti-virus) around it,
> it's considered wise here to use a secure OS from the beginning.

If you have Windows users in your network, the best is to pay for a server
license for Linux and integrate it into clamav. I think most of the popular
anti-virus software companies have their products running on Linux and able
to integrate in clamav. You have to pay but it pays off, if you have
employees or simply people using Windows in your network.

The security of course is not only the antivirus, but also the firewall, VPN
and similar - 1. reduce the risk of intrusion and 2. increase the chance of
detection. Anti virus software is only part of it all.

regards


Re: And now, from the Nice people? Re: Group thoughts on: Anti-virus tools

Curt
On 2019-03-11, deloptes <[hidden email]> wrote:
> deb wrote:

I don't believe he did, actually. I believe that's what Reco wrote.

>> Not that I'm aware of. The thing is - instead of taking an insecure OS
>> and building assorted kludges (in the form of anti-virus) around it,
>> it's considered wise here to use a secure OS from the beginning.
>
> If you have windows users in your network, the best is to pay for a server
> license for linux and integrate it into clamav. I think most of the popular
> anti virus software companies have their products running on linux and able
> to integrate in clamav. You have to pay but it pays off, if you have
> employes or simply people using windows in your network.
>
> The security of course is not only the antivirus, but also the firewall, VPN
> and similar - 1. reduce the risk of intrusion and 2. increase the chance of
> detection. Anti virus software is only part of it all.
>
> regards
>
>


--
“Let us again pretend that life is a solid substance, shaped like a globe,
which we turn about in our fingers. Let us pretend that we can make out a plain
and logical story, so that when one matter is despatched--love for instance--
we go on, in an orderly manner, to the next.” - Virginia Woolf, The Waves
