Antivirus is a bad solution to bad security.
Posted Oct 23, 2006 19:16 UTC (Mon) by penguin (guest, #36771)
Parent article: Critical Linux security API is still a kludge (Inquirer)
Antivirus isn't a solution to virii and worms. At best it's a bandaid to mitigate the most widespread viruses. The problem is that the virii can get into the system and wreak havoc. If virii is common on the platform it is because something is inherently wrong with the security model. Virii is just a symptom, not the cause.
The cause is the holes and the bad design choices that let virii in too easily; that's where work should be done. SELinux, GRSecurity and AppArmor are some techniques to strap on added security that I like. Them in conjunction with good base security makes for several layers of security. Antivirus does not add to security, it just mitigates already sighted and known threats. Any unknown virii just sails on through.
Windows needs antivirus because Microsoft doesn't give a rat's behind about security. Linux can avoid this by focusing on better security instead of slapping on some bandaid afterwards. If Linux starts seeing more virii I would hate it if we ended up with antivirus because that solution has been tried for 10+ years without any success.
As for scanning for e.g. Windows files on Linux fileservers etc., that should be done by hooking up to the daemon in question serving these files, not the kernel.
Antivirus is a bad solution to bad security.
Posted Oct 23, 2006 22:19 UTC (Mon) by i3839 (guest, #31386)
Monoculture invites havoc too. Diversity is good for other reasons too, and quite underrated.
Cause of virii
Posted Oct 24, 2006 3:25 UTC (Tue) by ringerc (subscriber, #3071)
I disagree. While Microsoft's design decisions have not helped the virus issue at all (system & program files writable by all users; applications that automatically execute code coming from *email*), many viruses only exploit user stupidity.
I don't personally see how a trojan that asks a user to run it in order to "speed up their computer" or whatever and when run mails itself to everyone in their addressbook is Microsoft's problem. Their involvement is limited to making it easy to send programs around and easy to run them.
For trojans (as opposed to worms and the even rarer old-school executable infecting viruses), which are the most common threat these days, I think Linux is probably less exposed largely because:
- It's harder to run a program you've been sent. You need to do more than just double click.
- The variety of software used means that something like scanning the user's addressbook becomes a rather non-trivial task.
But wait? What do all these trojans do? They don't just propagate - they set themselves up as backdoors to be used as spam relays etc. Is there anything that'd prevent that being done on Linux?
- User base. Why bother when there are all those Windows machines just waiting to be exploited by their helpful users.
After all, adding some start-up code to .bash_login, .xinitrc or whatever isn't too hard, nor is building a neat little static executable that'll run on most distros. Networking isn't a big deal - an outbound IRC control channel where it "phones home" eliminates the firewall issue, and is how most of them work anyway. As far as I can tell it all comes down to the fact that there are fewer Linux machines out there and it's harder to get the user to actually run the trojan (since they need to do more than double-click).
Microsoft has a role here, but not IMO as big a role as people tend to make out. These days. They certainly did - the Outlook worms, SMB worms etc were the result of plain bad security. These days, the user should take equal blame.
Cause of virii
Posted Oct 24, 2006 7:19 UTC (Tue) by khim (subscriber, #9252)
"As far as I can tell it all comes down to the fact that there are fewer Linux machines out there"
That's not 100% true. If you count the number of systems (including unattached systems) - then it's of course true, but if you count available bandwidth... How many ADSL Windows PCs will you need to match just one 1GBit-connected Linux server? If you count available bandwidth (and that's what spam relays need, right?) then Linux is already a more attractive target. And we do see attacks from that angle (sendmail worms a few years back, PHP-worms today, etc). I fail to see how Dazuko will help anything there: it's way too easy to write a PHP worm if you know the bug in it... You need to fix PHP to stop PHP worms!