AntiVirus?
Mike Hearn
mike at navi.cx
Sun Mar 20 23:29:12 UTC 2005

On Sun, 20 Mar 2005 16:10:03 -0500, Gregory Maxwell wrote:

> I've used xdelta in the past on update rpms... they are small.. but
> with current practice of not backporting fixes, they might end up
> bigger.

Yeah, OK. It'd be nice to have them anyway, the sheer volume of updates
makes them a pain to install even on ADSL.

> It's useless to only attack viruses, spyware is by *far* the bigger
> problem on windows desktops these days, and antiviruses are usually
> ineffective at stopping worms (since the whole internet gets infected
> before someone can identify the spreading method).

Right. Actually I have a prototype SELinux "quarantine zone" policy file
open in emacs right now. I've been writing a packaging/installer system
for a while and the spyware question is common enough to be in the FAQ:

http://www.autopackage.org/faq.html#4_3

Not saying it's the right solution, but it's something I (we) have been
thinking about a fair bit.

> It's not even an arms race.. Once someone has gotten root priv code to
> run on your system it's terribly difficult to remove it. There are
> quite a few linux rootkits today that are harder than a reinstall to
> remove, and even once you've done that you fundamentally can't be sure
> that the system is secure.

There are rootkits that can't be removed by a format/reinstall? How does
that work?

> ClamAV is a cross platform antivirus package that supports both server
> scanning techniques (such as operating as a milter) and desktop style
> virus scanner support (intercepting file IO). It has definitions for
> the existing linux viruses and worms, in addition to all the windows
> cruft. As I said, it's a solved problem.

Ah interesting, I eat my words then. I guess you are right, solved problem
(though it'd have to be installed by default I guess, with some GUI?)

> Write software code that tracks changes to packages and detects changes
> that might introduce security weaknesses. It's also a difficult
> problem, but probably an easier problem than antivirus in the long
> run... It would be useful today (since as you pointed out, bugs are
> added, often unintentionally), and isn't quite as vulnerable to the
> antivirus arms race.

The new GCC mudflap system might help here. I don't know how badly it hits
performance but I seem to recall reading it was meant to be used during
development only, so I guess a fair bit ...

I think it'd be more interesting to try developing some kind of
whitelist/trust system to counter spyware/malware. Still it's a good idea.

Thanks for correcting some of my misconceptions!

-mike