On 20 January 2013 11:48, Rob Malpass <linux@???> wrote:
> …and while I’m on the subject – what do folks use on Linux machines for this
> kind of thing?
>
Linux can be approached quite differently from Windows with regards to viruses.
If I wish to check if something virus like is on a Linux box, I can
boot from a USB stick, and proceed to run a checksum on the kernel,
modules, and all binary files, to check that they have the same
checksum as the package that installed them.
This is the way I would check for viruses on Linux. For a virtual
machine it is also quite easy: you take a snapshot of the VM file
system and then check the snapshot on another machine. Saves having to
reboot the machine you wish to scan.
You cannot do this in Windows as the base pre-calculated checksums do not exist.
Windows also uses a "patch" mechanism when doing upgrades, so it is
very difficult to build up a list of all possible versions of a
particular binary file and have their pre-calculated checksums.
Searching for changes to the system from what it is supposed to be is
the only sure fire way of detecting zero day viruses.
You can also repair the system more easily by simply replacing the
virus infected binary files with known good ones.
The Windows virus scanner approach is really just a technically
flawed approach.
In my view, a virus scanner is only really useful for identifying
which virus has infected a binary file that fails its checksum.
Another possible use for a virus scanner is for it to only scan for
viruses based on your currently installed security patches, i.e. only
scan for viruses that can actually infect your currently configured
system. This would make existing virus scanners much quicker. This
would cover the gap between virus detection and the vendor security patch
arriving.
The best virus protection is:
1) Ensure the latest security patches are installed. If a virus
scanner can detect a virus, the software supplier should also have a
security patch to fix the hole.
2) Use a good method to detect "unexpected changes" to files.
3) Make sure tools like apparmor are enabled, "enforcing", for every
application you run, and not just in "ignore" mode. This reduces the
zero day virus attack surface.
The best virus management is:
1) Assume you have caught a zero day virus.
2) Make sure you have procedures in place for detecting it, and
removing it from your systems. E.g. automatic isolation of infected
machines so they cannot infect other machines.
3) Have the zero day virus analysed and make sure you have the needed
security in place to prevent that particular virus from infecting your
systems again.
4) From the list of all known viruses, make sure you have protection
from all of them. The problem here is no single vendor of virus
scanning/protection software has the full list.
--
Please post to: Hampshire@???
Web Interface:
https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL:
http://www.hantslug.org.uk
--------------------------------------------------------------
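The offline integrity check described in the message above (boot from other media, then compare kernel, modules and binaries against the checksums the package shipped), as an added example that is not part of the original post. The manifest format (`<sha256>  <relative path>`, as `sha256sum` writes it) and the sample file tree are constructed here for the demonstration; on a real system the known-good hashes would come from the package database, not from the possibly-compromised disk.

```shell
#!/bin/sh
# verify_manifest MANIFEST ROOT
# Walks a manifest of known-good SHA-256 hashes and reports every file
# under ROOT (e.g. a root filesystem mounted read-only from a rescue USB
# stick, or a VM snapshot mounted on another machine) that is missing or
# whose current hash differs. Exit status 0 = clean, 1 = mismatches found.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue          # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; bad=$((bad + 1)); continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED $relpath"; bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# Constructed demo tree (assumption, not a real system): record the
# known-good state, then tamper with one binary and delete one module.
build_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/root/usr/bin" "$demo/root/lib/modules"
    printf 'good kernel\n' > "$demo/root/boot-vmlinuz"
    printf 'good ls\n'     > "$demo/root/usr/bin/ls"
    printf 'good module\n' > "$demo/root/lib/modules/ext4.ko"
    ( cd "$demo/root" && sha256sum boot-vmlinuz usr/bin/ls lib/modules/ext4.ko ) \
        > "$demo/manifest"
    printf 'trojaned ls\n' > "$demo/root/usr/bin/ls"   # simulated infection
    rm "$demo/root/lib/modules/ext4.ko"                 # simulated deletion
    echo "$demo"
}

# Number of mismatch lines reported for the demo tree (expected: 2).
count_mismatches() {
    demo=$(build_demo)
    verify_manifest "$demo/manifest" "$demo/root" | wc -l | tr -d ' '
}

# An untouched tree must verify cleanly (exit status 0).
check_clean() {
    d=$(mktemp -d); printf 'clean\n' > "$d/f"
    ( cd "$d" && sha256sum f ) > "$d/m"
    verify_manifest "$d/m" "$d"
}
```

Running `count_mismatches` prints `2` (the modified `usr/bin/ls` and the missing `lib/modules/ext4.ko`); the untouched kernel image is not reported.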