AntiVirus?

Mike Hearn mike at navi.cx
Sun Mar 20 19:48:01 UTC 2005


On Sun, 20 Mar 2005 11:11:09 -0500, Gregory Maxwell wrote:
> Fixes don't magically appear... But code to detect instances of
> exploitation of the bug is magically written, and magically appears on
> systems?

Well, this is a good point. It's possible though to write generic scanners
that detect suspicious behaviour. Also, AV definitions are generally much
smaller than software patches. Binary patch RPMs could help with that.

I think it is often easier to write an AV detection update than a bugfix
update though, especially if the flaw is a design issue and not a simple
typo/misuse of strcpy.

> If download times are really the crux of the issue, then we should
> develop a binary patching service. Xdelta diffs for little bug fixes
> will likely end up being much smaller than 'anti-virus' definitions.

I'm not so sure; some fixes can be quite large. But I don't have any
numbers either way, so maybe you are right.

> The malware of the day on windows these days is binary patching the
> shell to hide their files, and the task manager to hide their operation.

Yes, I know. Still there are many viruses (as opposed to spyware) which
just exploit a buffer overflow and replicate, or even just mail/IM
themselves to people in the address book.

> Long before windows ends its reign of terror this arms race process
> will have caused superior malware which is near impossible to remove to
> become commonplace. There is no reason to think the malware authors
> will forget all their skills when they reset their sights on Linux
> desktops.

Indeed, you are right that it's an arms race. Unfortunately we are in the
unfortunate position here: without some way to try and clean up after a
widespread outbreak we are relying on getting lucky every time, but the
bad guys only need to get lucky once or twice.

> In the windows world, if I'm someone concerned about security and I
> detect a hole in some windows program... My only legal options are to
> scream and cry about it, and maybe write some anti-virus code to catch
> it being exploited. If the creator of the software doesn't care, I'm
> pretty much out of luck for getting a real fix.
> 
> In the free software world, if I find a bug I have the right to fix it,
> and the ability to share my fix... Which will likely be quickly accepted
> into the mainline code, since I did all the work already.

Yes, that's true if it's still maintained. But most exploits are for the
OS or OS-level services. How often do you hear about Photoshop viruses? Or
Half-Life viruses?

> It's already done, see clamav, so it's a moot point. Also other tools
> like host- and network-based IDSes can be put to work on this
> application.

Well ClamAV is a server product for detecting Windows viruses, right? It's
not an end-user level product for the Linux desktop.

> It's an entirely different game in windows. The system is fundamentally
> insecure, and users have been conditioned through years of social norms
> to perform unsafe behaviors. It's very difficult to live a life as a
> windows user without routinely downloading and executing binaries from
> unaccountable random places on the Internet. With Linux, it's quite
> reasonable to only run software that comes from a handful of widely used
> package repositories.

Oh well, I'm not convinced that works better either :) After all, who
audited all the code going into Fedora Extras? Including all 100,000 lines
of configure script? Hmm, I think we trust upstream ...

thanks -mike
