
Linux - Confused over viruses......


Rons


The number of viruses in Linux is almost negligible compared to Windows. That said, in my opinion it's always good to have an antivirus just in case; I myself have not installed one as yet but I intend to. :thumbsup:

Here is one antivirus that I've seen recommended for Linux: F-Prot Antivirus

Top 20 Vulnerabilities, Windows & Linux: SANS Top 20 Vulnerabilities

There were a couple of other interesting threads on the topic here as well.

Edit: Did a search; here's some interesting info provided by LilBambi (about the 4th or 5th post in the thread): Thread

Edited by jodef

I'm still confused over viruses and Linux. I went to Symantec's site, did a search on Linux, and got back some 8300+ hits. 15 viruses are listed. Do we need an anti-virus program on Linux or not? Thanks in advance. :( http://search.symantec.com/custom/us/query.html Not sure if the above link will work or not since it is a search link. Type in Linux.

Hi Rons, I can certainly see why. On the one hand I have been told and read that there are only 127 known Linux viruses (as of 6 months ago). Now Symantec lists 8000 plus. However, I don't believe that is the whole story. I don't even have a virus scanner for Linux, although they are available. I have never felt the need for one due to the way that Linux is structured and the fact that a virus would have to have root privileges to do any real bad damage. I hope that I am not wrong and have not been misled. As a PC consultant it would be a disaster for me. Guess I will have to research further and maybe talk to the Vexira virus scanner for Linux people. I met one of their managers at a trade show for desktop Linux last year in San Diego. You can bet one thing: I will be doing more research on this subject.
Mel :thumbsup:

Guest LilBambi

Hey, thanks zox! :thumbsup: Rons, on the face of it it definitely appears confusing, but I hope it will be a little clearer after reading the topic that zox referenced.

Edited by LilBambi

Thanks everyone! I still know Linux is safer than Windows. ;)
Hi again Rons, so far that is true. I just downloaded the free F-Prot antivirus program for workstations and ran it on every file on my main computer's Linux partition: 243,000 files and no virus. After thinking about the previous posts in regard to virus infections for Linux I decided to get a virus scanner, following the old adage "an ounce of prevention is worth a pound of cure". Anyway, I feel better now.
Mel :o
Link to comment
Share on other sites

I have never felt the need for one due to the way that Linux is structured and the fact that a virus would have to have root privleges to do any real bad damage.
That pretty much sums up the virus situation in Linux, Mel. What a lot of Windows users don't seem to comprehend is that a virus has to be installed to do damage, infect other programs, or spread. This is all too simple to do in Windows, even by regular users. Linux only lets the root user install software, and so a Linux virus will need permission. A Windows virus need never ask.

Everything I've read indicates that almost all the Linux viruses that are known were created by programmer-researchers as proof of concept and have never been found in the wild. Lindows makes itself very vulnerable to future viruses by virtue of the fact that everyone runs as root, though non-privileged users can, and should, be created. I have 25 Linux guys in PLUG and nobody runs a virus scanner on their Linux system.

nlinecomputers
I'm still confused over viruses and Linux. I went to Symantec's site, did a search on Linux, and got back some 8300+ hits. 15 viruses are listed. Do we need an anti-virus program on Linux or not? Thanks in advance. :) http://search.symantec.com/custom/us/query.html Not sure if the above link will work or not since it is a search link. Type in Linux.

Rons, your search was too broad. You got so many hits because it has references to systems affected/not affected. Also I saw a link to Symantec Ghost and how well it works with Linux, which had nothing to do with Linux viruses. Also, I use Google for your search. An AV vendor is out first to make money. Truth is not always helpful to the bottom line, if you get my drift.

I'm with Mel on this. There are VERY few Linux viruses, and those that do exist do so by exploiting known security holes in Linux. So if you have a modern distro and are keeping up to date on security patches, then these viruses can't infect you. Now if you're running Red Hat 6 and never patch it.....

Also, as Linuxdude has pointed out, a Linux virus would have to gain root access, either by trickery or by exploiting a hole, and be granted rights as an executable in order to run. Windows makes it far too easy for code to run. Linux makes it hard.

Kind of off the subject: I was having a discussion with a tech the other day and he remarked that one of the problems with Linux was that it is hard for users to install stuff. To me that is one of the few benefits. Windows makes it TOO easy to install programs. So websites can install stuff just by visiting them. People can install a program attached to email from within the email by just double clicking. I agree that most efforts with computers should be easy; after all, we use our computers to automate dull and annoying tasks. But for safety, shouldn't installing software remain at least slightly difficult, less automatic, and more deliberate? Just my two cents.

But for safety shouldn't installing software remain at least slightly difficult, less automatic, and more deliberate?
You're so right. I used to think that was a weakness of Linux too, but it's a lot more sensible. Too many users install things without ever thinking about what it is or the risks.

It also is interesting to note that Linux (and other similar Open Source OSes and software) have been using md5sums for a while. And the initial reason wasn't just to make sure files didn't get corrupted through downloading. It was to prove the file hadn't been manipulated since the developer/maintainer placed it on the server. Changing a single character in the file causes the md5sum to become invalid.

Guest LilBambi

There is another side to this ... If one lived in a vacuum and only ran Linux, then maybe one might not have to worry about these things ... but many folks dual boot to other OSes, or have other computers on their local network that are Windows computers, or at least share Windows partitions. Or perhaps run VMware or other emulators to make use of Windows programs and files.

In these cases in particular I think the ounce of prevention is definitely worth a pound of cure.... Many viral vulnerabilities are network aware and do not care if you are running Windows or Linux .. they will propagate across the network, even if it's just to jump from one Windows box to another through shares. Sometimes it's just a matter of being a good network steward. Just something to think about.

Edit: References
http://www.detnews.com/2002/techcolumns/02.../b05-527249.htm
Google search results on network aware viruses


There are some really valid points here; I think an ounce of prevention is worth a pound of cure too. I am using the Mandrake firewall and the security is set at the default; I am wondering if these are enough. I see other people here have added antivirus software; how easy was it to set up? :)


nlinecomputers
In these cases in particular I think the ounce of prevention is definitely worth a pound of cure....many viral vulnerabilities are network aware and do not care if you are running Windows or Linux .. they will propagate across the network, even if it's just to jump from one Windows box to another through shares.
I disagree. The only way that a Win32-based virus could do that is if it somehow could spread via a Samba share. Samba only emulates a Windows box; the code driving it isn't the same. The only way network-based viruses spread is by exploiting problems in the way Windows handles the shares, which couldn't be triggered when they hit a Samba box. OTOH, if you are running an email server, while the virus itself isn't going to harm your Linux box, the added load caused by viruses can be an issue. So having a virus scanner on the server can be helpful to stop an email-borne virus from spreading via your sendmail server.

The first article has inaccuracies in it. I've said it before and I'll say it again: a data file doesn't execute; that's why it's data and not a program. A data file could have executable code in it, but when a program tries to load that data, it will crap out, generate an error message or just show garbage on the screen. The Perrun virus can only infect JPGs if your system already has another virus on it in order to execute the JPG file as if it were a program. See this Slashdot.org article for more information:
http://slashdot.org/article.pl?sid=02/06/14/1343223

The other virus she refers to, Simile.D, can infect executables only if you execute the file itself. Surprise, surprise, same as all the other viruses. Would anybody in the Linux world besides programmers actually download and execute an .elf file? I've been using Linux since '98 or '99 and I've never had reason to run an .elf file.

The whole virus situation is overblown. People need to learn the difference between executable programs and readable data, and they'd be safe from viruses on *any* platform regardless of whether they have an antivirus. That having been said, yeah, if your Linux machine is connecting to Windows machine(s) then either it or the Windows machine(s) should have virus protection. This reminds me of the old Badtimes virus joke:
http://www.perryland.com/humor8.shtml

This has got to be the millennium virus! NEW VIRUS ALERT. If you receive an email entitled "Badtimes," delete it immediately. Do not open it. Apparently this one is pretty nasty. It will not only erase everything on your hard drive, but it will also delete anything on disks within 20 feet of your computer. It demagnetizes the stripes on ALL of your credit cards. It reprograms your ATM access code, screws up the tracking on your VCR and uses subspace field harmonics to scratch any CDs you attempt to play. It will re-calibrate your refrigerator's coolness settings so all your ice cream melts and your milk curdles. It will program your phone autodial to call only your mother-in-law's number. This virus will mix antifreeze into your fish tank. It will drink all your beer. It will leave dirty socks on the coffee table when you are expecting company. Its radioactive emissions will cause your toe jam and bellybutton fuzz (be honest, you have some) to migrate behind your ears. It will replace your shampoo with Nair and your Nair with Rogaine, all while dating your current boy/girlfriend behind your back and billing their hotel rendezvous to your Visa card. It will cause you to run with scissors and throw things in a way that is only fun until someone loses an eye. It will give you Dutch Elm Disease and Tinea. It will rewrite your backup files, changing all your active verbs to passive tense and incorporating undetectable misspellings which grossly change the interpretations of key sentences. If the "Badtimes" message is opened in a Windows95 environment, it will leave the toilet seat up and leave your hair dryer plugged in dangerously close to a full bathtub. It will not only remove the forbidden tags from your mattresses and pillows, but it will also refill your skim milk with whole milk. It will replace all your luncheon meat with Spam. It will molecularly rearrange your cologne or perfume, causing it to smell like dill pickles. It is insidious and subtle. It is dangerous and terrifying to behold. It is also a rather interesting shade of mauve. These are just a few signs of infection.

Jack Anacker

Guest LilBambi

Thanks Jason ... I probably shouldn't have even linked to that article; it was from 2002 and they were only just trying to understand the impact at that time.

As far as ELF goes, wouldn't programs based on ELF, if installed through self-compilation as opposed to using RPM or some other package manager that has already done the compilation for you, possibly execute the code? Just trying to understand where all this fits in.

I totally agree that the FUD from the AV companies is way out of hand. Trying to sort out the reality from the far-fetched is interesting these days, at best.

My point was what I said in my posting, not the referenced articles:

There is another side to this ... If one lived in a vacuum and only ran Linux, then maybe one might not have to worry about these things ... but many folks dual boot to other OSes, or have other computers on their local network that are Windows computers, or at least share Windows partitions. Or perhaps run VMware or other emulators to make use of Windows programs and files. In these cases in particular I think the ounce of prevention is definitely worth a pound of cure.... Many viral vulnerabilities are network aware and do not care if you are running Windows or Linux .. they will propagate across the network, even if it's just to jump from one Windows box to another through shares. Sometimes it's just a matter of being a good network steward. Just something to think about.
And as you noted:
That having been said, yeah, if your Linux machine is connecting to Windows machine(s) then either it or the Windows machine(s) should have virus protection.

Guest LilBambi

ELF was not really the issue; the real problem that allowed this was buffer overflows. There are no vulnerable Linux systems in this particular area anymore for the Ramen worm. Most of these buffer overflows that allowed the .sh files to get in and execute are no longer a problem; they have been taken care of by Red Hat, but discovery of new buffer overflows is an ongoing battle, and making use of them by unethical coders is always a possibility.

Thankfully Linux developers are much faster than Windows developers in fixing these problems. That's why you see these worms out there, but they are not propagating. http://www.avp.ch/avpve/worms/linux/ramen.stm

I just do not want to take a chance that I know more about the workings of Linux than those creating these vulnerabilities.

Really, LSAT (Linux System Administration Tools) are the best tools for knowing what is going on with our Linux systems .. but one has to learn how to interpret what they tell you. And check the MD5sums on downloads. And we should all take the time to do so. It is important. But many folks don't have the time to do this, or the inclination.

Mainly, virus scanners on Linux are my safeguard to make sure nothing dangerous passes to our local network Windows computers or partitions.

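The md5sum point made a few posts up (a one-character change in a file invalidates the published sum) and the reminder here to check the MD5sums on downloads, worked through as an added example that is not from any poster in this thread: a small Python verifier that parses md5sum/sha256sum-style checksum files, streams the file through the digest, and shows the check failing after a single character is swapped. The F-Prot file name and its contents are constructed for the demo, not a real release.

```python
import hashlib
import hmac
import os
import tempfile

# Hex-digest lengths of the algorithms coreutils' md5sum / sha256sum emit
ALGO_BY_HEXLEN = {32: "md5", 64: "sha256"}


def parse_sums(text):
    """Parse md5sum/sha256sum output lines: 'HEX  name' (text) or 'HEX *name' (binary)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.lstrip(" *")] = digest.lower()   # drop the text/binary indicator
    return expected


def hash_file(path, algo):
    """Stream the file through the digest so large downloads need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, expected_hex):
    """True only if the file's digest equals the published one; algorithm inferred from length."""
    algo = ALGO_BY_HEXLEN.get(len(expected_hex))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(expected_hex))
    return hmac.compare_digest(hash_file(path, algo), expected_hex.lower())


def demo():
    """Constructed sample: a 'download' with its published md5sum, then a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        name = "fprot-workstation.tar"            # constructed name, not a real release
        path = os.path.join(d, name)
        original = b"#!/bin/sh\necho installing F-Prot\n" * 100
        with open(path, "wb") as f:
            f.write(original)
        # What the maintainer would publish alongside the file (md5sum text-mode format)
        published = "%s  %s\n" % (hashlib.md5(original).hexdigest(), name)
        expected = parse_sums(published)[name]
        clean = verify(path, expected)
        # Swap one space for a tab deep in the file: same size, same look, different digest
        tampered = original.replace(b"echo installing", b"echo\tinstalling", 1)
        with open(path, "wb") as f:
            f.write(tampered)
        return clean, verify(path, expected)     # (True, False)


if __name__ == "__main__":
    print(demo())
```

md5sum output still catches corruption and casual tampering, but MD5 is no longer collision-resistant, so prefer a published sha256sum where the maintainer offers one; the same verifier accepts its 64-character digests.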

There are some really valid points here; I think an ounce of prevention is worth a pound of cure too. I am using the Mandrake firewall and the security is set at the default; I am wondering if these are enough. I see other people here have added antivirus software; how easy was it to set up? :D

I downloaded the F-Prot workstation version and the instructions were very simple and easy to follow. It is command-line driven but can be automated using cron. It is also free for personal use. I really don't think that you have much to worry about Linux getting infected in your case. In the nine years that I have used Linux off and on with several different computers, I have never had a virus that I know of. On MS Windows machines I have averaged as many as 5 and 6 a day. I get e-mail from all over the world and up to 100 messages a day. The reason that I was concerned is that I have a confidential information database on over 100 of my clients. I do online banking and business with several hundred vendors. I can't afford to have my info destroyed or compromised. This is the main reason that I have switched to Linux for personal and business. I only use MS Windows because of clients.
Mel :lol:

As far as Elf goes, wouldn't programs based on Elf -- if installed through self compilation as opposed to using RPM or some other package manager that has already done the compilation for you -- possibly execute the code??
I'm not completely sure what an .ELF file is, but if memory serves me correctly (good luck!), it was an old way of distributing Linux source code. Yeah, if you were to compile it and install it then it could have scripts in it to start up on its own and start infecting other programs (especially if the SUID bit was set). Of course, you'd have to be root for this to work. You can't do a make install without being root anyway.

Buffer overflows are a big problem in programming. Much of Linux is done in C code and probably most of the Linux exploits are because of this. My knowledge of C is pretty limited, but from what I've read, they can be avoided by being very careful when allocating memory in programs; IOW, secure programming techniques. A lot of people are self-taught and that's probably why there are so many buffer overflows out there.

Out of curiosity I went to GRC.com and did the ShieldsUP test. I was using Mandrake 9.1 and my system failed. The problem was that my system wasn't operating in full stealth mode. All ports were closed, but they responded to the probe, letting them know the computer was there; it also failed the ping test. I know this is a firewall thing, not an antivirus thing, but they kind of go together. Anyway, I use ZoneAlarm while in Windows and always pass this test. I realize that the firewall isn't really as important when on dialup, but I like the fact that if a program tries to call home I know about it. I am curious how important it is for my system to be in stealth mode, if you have to have root access to do any damage?


Root access is required. Since you are on dial-up you really don't need to be as concerned about full stealth mode in Linux. Unless, of course, you leave it connected all the time. My router provides the firewall for my Linux and it does fine on the tests. It compares favorably to hubby's with ZoneAlarm and the router. I would never leave my DSL connection on without a firewall. Configuring a firewall in Linux requires you to know what ports are used for what and to stealth the ones you don't use. You can go that route if you are concerned. The Drake firewall can be set up in the MCC.
Julia ;)

