
Lindows sells virus protection

Lindows.com has announced a new offering for its distribution: for $29/year, Lindows users can run the new "VirusSafe" utility which protects the system from viruses. It seems like a reasonable product: other desktop systems have had anti-virus applications for years. And, apparently, virus protection is at the top of the list of features requested by Lindows users.

There's only one problem: Linux viruses are rather hard to find. In fact, the list of "in the wild" Linux viruses that have actually infected systems is short - there are none. The case of SirCam infection via Wine is, if anything, the exception that proves the rule. It demonstrates how far one has to go to infect a Linux system - and, even then, the virus was not able to propagate.

A Linux-based virus is not impossible; one could imagine, say, a hostile email message which, taking advantage of a fetchmail buffer overflow, managed to spread itself over the net. But the fact is that this sort of thing simply does not happen. Linux systems are harder to break into, and they are better at containing the effects of breaches that do occur. When a program is found to allow unpleasant things like arbitrary command execution (as in the recent vim modeline vulnerability), it gets fixed in a hurry rather than being presented as a feature.

So we thought it might be worthwhile to ask Lindows exactly what it is defending its users against. What virus (or other) infections would have been prevented by running VirusSafe on a target system? Unfortunately, Lindows did not respond to repeated inquiries, so we are left having to guess.

Lindows, perhaps, is defending its users against the fear of running systems without virus scanners installed. It is difficult to explain to users why they probably do not need explicit virus protection; and, besides, it seems they are willing to pay for that protection whether they need it or not. As a business plan, it may make some sense - as long as you don't mind selling your customers something they almost certainly do not need.



Lindows sells virus protection

Posted Feb 20, 2003 2:34 UTC (Thu) by rknop (guest, #66) [Link] (3 responses)

> Lindows, perhaps, is defending its users against the fear of running systems without virus scanners installed.

I'd say that there is no question but that this is what they're doing.

I mean, heck, if it's the #1 requested feature, might as well sell it to 'em.

The fun thing is that it's very easy to write. "This virus scanner protects against all known extant Linux viruses! Source code available:

int main() { }

-Rob

Lindows sells virus protection

Posted Feb 20, 2003 9:35 UTC (Thu) by beejaybee (guest, #1581) [Link] (2 responses)

"The fun thing is that it's very easy to write. "This virus scanner protects against all known extant Linux viruses! Source code available:

int main() { }
"

Sure: incomplete (there needs to be some sort of hooking into the file system to actually get files "scanned") but it's still snake oil. My thinking on this is, is it ethical to try to sell (for real money) a product they need about as much as the average fish needs a bicycle?


virus protection placebo

Posted Feb 23, 2003 22:30 UTC (Sun) by giraffedata (guest, #1954) [Link] (1 responses)

>is it ethical to try to sell (for real money) a product they need
>about as much as the average fish needs a bicycle?

Good point. It's the placebo question. Placebos validly treat some medical complaints. But is it fraudulent for my doctor to tell me he's prescribing a drug when he isn't? For the pharmacy to take money for a substance I could get for free? And note that the pharmacy has to charge a lot. Sugar pills at 5 cents apiece wouldn't fool anyone.

No

Posted Feb 27, 2003 19:43 UTC (Thu) by ikm (guest, #493) [Link]

Placebos cure real illnesses. But in this case there's no illness at all. Just fear, induced by the lack of relevant information on the topic. That's not a placebo because fear is not an illness, nor is it likely to cause one.

Lindows sells virus protection

Posted Feb 20, 2003 2:48 UTC (Thu) by erat (guest, #21) [Link] (3 responses)

Okay, I confess... My only exposure to this issue is this article on LWN. However, as a minor defense for Lindows I will say that I've heard of virus scanners being used on Linux-based email servers (for scanning email attachments, of course). The fact that there's a virus scanner available on Linux doesn't automagically mean that the scanner is for Linux itself. Just my $0.02...

Lindows sells virus protection

Posted Feb 20, 2003 3:25 UTC (Thu) by yodermk (subscriber, #3803) [Link] (2 responses)

Except that Lindows is for desktops, not corporate mail servers.......

Lindows sells virus protection

Posted Feb 20, 2003 14:43 UTC (Thu) by mathijs (guest, #4948) [Link] (1 responses)

The point is still valid. A Lindows user can forward an infected mail message to a friend or ftp upload an infected diskette. Protecting against this makes sense to me. (Running as root doesn't; is this really true?)

Lindows sells virus protection

Posted Feb 20, 2003 17:23 UTC (Thu) by rjamestaylor (guest, #339) [Link]

This is a good point: while Linux may not be affected by a virus, it could be a carrier for viruses and transport them to other systems that can be infected. Home computer users, like my mom, love to forward emails to other people. Lindows, meant for the casual home user, could be such a carrier/distributor of Windows-targeting email viruses, for example.

In our corporate office we not only scan incoming mail but outgoing as well. As bad as an incoming virus may be it can't compare to the humiliation, loss of trust and goodwill and possible liability of us sending viruses to clients, vendors and colleagues.

No idea what Lindows is doing, exactly, but this does raise a valid point for all of us to consider: our obligation to filter our outgoing content to others using targeted, infectable systems.

Lindows sells virus protection

Posted Feb 20, 2003 2:52 UTC (Thu) by svachi (guest, #2177) [Link] (1 responses)

I have heard that people running Lindows always run as root.
This might be a cause to take extra care about the virus issue. If a user happens to run a trojaned binary, it might be able to screw the system, but the antivirus *may* be able to prevent the disaster.

Of course, the cheaper solution is to use an appropriate user account instead of the root account. But that will harm the business plan :-)

Lindows sells virus protection

Posted Feb 20, 2003 18:36 UTC (Thu) by jzbiciak (guest, #5246) [Link]

The always-run-as-root issue is a pretty major one, IMHO. Just as MacOS X and WinXP finally start bringing "Administrator vs. Mortal" to the masses, Lindows takes a step backwards. *sigh* It'd be far better to always run as a mortal, and then have an administrator password for installing software, whatever. MacOS X does this in a pretty non-intrusive and intuitive manner, so I think it can be done.

If nothing else, VirusSafe should behave like Tripwire and detect changes in files that shouldn't be changing. It also should detect and stomp Windows viruses so that Lindows boxes don't become Typhoid Marys, unaffected by viruses but acting like a carrier for them.
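
The Tripwire-style check suggested in the comment above, sketched as an added example (not part of the original comment, and not VirusSafe or Tripwire code): it hashes a tree, seals the baseline with an HMAC, and reports drift. The function names and the off-host key are assumptions; on a system where everything runs as root, an unsealed local baseline could be rewritten by the same process that altered the files.

```python
import hashlib
import hmac
import json
import os
import stat

def snapshot(root):
    """Map each regular file under root to [sha256, mode, uid, gid]."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, devices, sockets
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            base[os.path.relpath(path, root)] = [
                digest.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid]
    return base

def seal(baseline, key):
    """HMAC over the canonical JSON form; the key is assumed to live off the host."""
    blob = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def compare(baseline, tag, key, current):
    """Authenticate the stored baseline, then report drift against current state."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("baseline failed authentication; do not trust it")
    report = {"added": sorted(current.keys() - baseline.keys()),
              "removed": sorted(baseline.keys() - current.keys()),
              "modified": [], "metadata": []}
    for path in sorted(baseline.keys() & current.keys()):
        old, new = baseline[path], current[path]
        if old[0] != new[0]:
            report["modified"].append(path)   # file content changed
        elif old[1:] != new[1:]:
            report["metadata"].append(path)   # mode or ownership changed
    return report

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(json.dumps(snapshot(target), indent=1))
```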

Lindows sells virus protection

Posted Feb 20, 2003 10:32 UTC (Thu) by pascal.martin (guest, #2995) [Link] (1 responses)

My experience with anti-virus is that you don't really buy a software: you buy a virus protection service.

Included in that service are the updates. These updates are essential: without them the anti-virus will do nothing to protect you against the next virus to show up on the net.

Therefore you buy a service that is to block the next viruses to come.

If Lindows is selling a virus detection and removal tool that works for its intended purpose, comes with no actual virus description (because there are none to be known) but includes a, say, 1 year subscription for new virus updates, then they are really selling insurance against new viruses.

Considering new viruses on Linux are technically feasible, this is a valid service.

No one can know if the service is worth it before one virus strikes.

Lindows sells virus protection

Posted Feb 20, 2003 14:29 UTC (Thu) by torsten (guest, #4137) [Link]

But the virus writers will target Lindows - imagine a whole community of technical idiots running root on a Linux box!


So Lindows is selling the sickness and the cure.


It's kind of like the telemarketing SCAM the phone companies run. They sell you an unlisted number, then they turn around and sell the telemarketer your number at a premium, then they sell you a $50 box to block telemarketers, and sell the telemarketers a "special" way to get around the block boxes.


Get it?

Lindows sells virus protection

Posted Feb 20, 2003 12:15 UTC (Thu) by arcticwolf (guest, #8341) [Link]

What are they protecting the user against? Why, it's quite easy - they are protecting them against injuries caused by overly big wallets. Same thing they've been doing all the time, too. :)

Lindows sells virus protection

Posted Feb 20, 2003 13:20 UTC (Thu) by danielpf (guest, #4723) [Link]

Another point not mentioned: Linux in general is less
sensitive to viruses than Windows, also because at any time there
are many more active different binary versions of kernels,
libraries, applications and combinations of them,
which make the propagation of viruses much harder.

Now if Lindows becomes popular, the same "monoculture"
weakness as Windows increases the infection risk
and an epidemic specific for Lindows becomes more likely.
Since Lindows has a particularly weak immune system
(user as root), it is reasonable to think about a
preventive vaccine.

Lindows sells virus protection

Posted Feb 20, 2003 15:01 UTC (Thu) by martinfick (subscriber, #4455) [Link]

I think that a point about open source software and viruses is being overlooked.
As far as I understand it, a virus can only take advantage of a weakness in a
system, i.e. a misconfiguration, a bad design, or a bug. If you control the source,
you can control any fixes to such weaknesses, thus there is no need for
anti-virus software. Why would anyone create software to detect a program
which will take advantage of a known weakness instead of simply fixing the
weakness? (Unless, of course, you are running proprietary software and you
cannot fix the weakness) So either Lindows is releasing software with known
weaknesses (thus justifying the anti-virus software) or the anti-virus software
must be bogus, what could it be looking for? (As others pointed out already, this
is all moot if we are talking about anti-virus software for non-Lindows systems.)

There may not be any viruses yet...

Posted Feb 20, 2003 15:58 UTC (Thu) by hazelsct (guest, #3659) [Link] (2 responses)

...but with the increasing complexity of end-user software, they are bound to come around at some point. For example, a buffer overflow in OpenOffice could be exploited by an email attachment, which would look for address books for Mozilla, KMail and Evolution and mail itself to everyone on them. And it doesn't need to be root to do damage, stealing cookies is sufficient. It's not that hard.

Furthermore, as software becomes componentized to allow attachments to open inline, this requires minimal user interaction -- just open the email for viewing, and it's propagated. Consider, for example, this post to the AbiWord list and screenshot...

There may not be any viruses yet...

Posted Feb 20, 2003 19:32 UTC (Thu) by dbreakey (guest, #1381) [Link]

Nice.

However, Evolution does not, and will not (according to what I've read a while ago, anyway; don't have the time to track down the reference—sorry), include the automated scripting support necessary to make e-mail viruses the serious threat that they are on Windows.

Granted, this doesn't mean that the embedded component itself can't include such capabilities, nor does it preclude the possibility of quiet installation of a component that will permit even worse nastiness…

Anyone know if these kinds of possibilities have been raised to the appropriate developers and, if so, whether a potential solution has been posited? My guess would be some sort of administrator-sanctioned control of whether new components can be activated or not; perhaps a config file somewhere that explicitly lists what components may be safely run, and maybe another list where the application will be required to obtain approval from the user before activating the component.

Whatever the solution ends up being, we can't rely on the old Microsoft saw-horse of hard-coded security (eg: Outlook containing a hard-coded list of what attachments are "safe" or not). Whatever we settle on needs to be configurable by the administrator, including whether or not regular users can decide what's safe or not.

There may not be any viruses yet...

Posted Feb 20, 2003 20:26 UTC (Thu) by iabervon (subscriber, #722) [Link]

In that case, though, you should update your OpenOffice, fixing the actual bug rather than using a virus scanner to stop a particular exploit of that bug. After all, if there's a virus which exploits a bug (or feature) in your software, a scanner might catch that virus, but it won't catch a different exploit for the bug or an exploit which arrives in a different fashion (you might download it by ftp or get it from an NFS mount, perhaps).

The reason to have a virus scanner is to try to deal with a bad design, where an exploit cannot be prevented by bug fixing; DOS viruses exploited the inability of DOS to prevent programs from modifying each other, Word viruses exploit the inability of Word to restrict macros to safe actions, etc. Linux as a whole is better designed (the user can't write to most programs) and Linux software is generally better designed.

Lindows sells virus protection

Posted Feb 20, 2003 20:04 UTC (Thu) by yohan555 (guest, #4253) [Link] (1 responses)

There is a use for virus scanners under Linux!

Let's say one is running a Linux file server that shares files to Windows users via samba. Now the client Windows machine gets infected and the involved virus starts dumping files all over the Linux server (naturally only in directories where the user has write access, but still). We have had a case, where within 10 seconds, the user's directory grew by about 1.5 GB in size just because of this. In this case, it would be handy to be able to remove the infected files natively under Linux. (I know, we could also restore from backups, but there still might be a loss of a day or so of data).

Real antivirus software

Posted Feb 20, 2003 20:27 UTC (Thu) by ranger (guest, #6415) [Link]

And that is why real antivirus software companies sell antivirus software that is intended for servers. Such as Sophos, Trend, MKS, Kaspersky etc.

Plus, there are plugins for samba for real-time scanning, plus you can use almost any scanner with almost any MTA.

Linux servers with Windows clients should not be without AV software, but we will not buy from Lindows ...

Definitions

Posted Feb 20, 2003 20:17 UTC (Thu) by Ross (guest, #4065) [Link] (1 responses)

Hmm... the fetchmail issue you describe sounds more like a worm to me.

A virus is a code fragment that inserts itself into other programs. When those programs are executed they in turn infect other programs. The fragment may also do something destructive like delete files or crash the system. A virus may also insert itself into startup code like the master boot record.

Viruses are actually pretty rare these days, even on Windows.

Linux doesn't have much of a problem with them because users aren't allowed to write to the system directories.

The virus scanner people tend to call all harmful programs "viruses". Most of them are actually trojan horses or worms these days.

Definitions - oops, forgot one thing

Posted Feb 20, 2003 20:19 UTC (Thu) by Ross (guest, #4065) [Link]

Except Linux users who do everything as root are susceptible to viruses when they run software they obtain through non-trusted channels (downloaded from random pages or from friends).

And Linux distributions (Lindows) which force everything to run as root are just asking for trouble. The distribution will let the user write to any file, and these users are probably not experienced enough to know what programs to trust and which not to trust.

It won't take any fetchmail bugs to allow viruses to spread on Lindows.
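
An added example (not from the comments above) that measures the point made in this sub-thread: it lists the programs a given uid could modify or replace, so an ordinary account can be compared with root. The function names and the sample tree are constructed for illustration, and only the classic mode bits are modelled.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """Unix mode-bit check (ACLs, read-only mounts, immutable flags not modelled)."""
    if uid == 0:
        return True                       # root bypasses the mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def infectable(dirs, uid, gids=frozenset()):
    """Executables under dirs that a process running as uid could modify or replace."""
    hits = []
    for d in dirs:
        try:
            dir_st, names = os.stat(d), sorted(os.listdir(d))
        except OSError:
            continue                      # missing or unreadable directory
        # A writable, non-sticky directory lets the caller swap files out.
        replaceable = (can_write(dir_st, uid, gids)
                       and not dir_st.st_mode & stat.S_ISVTX)
        for name in names:
            path = os.path.join(d, name)
            try:
                st = os.stat(path)
            except OSError:
                continue                  # dangling symlink or a race
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue                  # only regular, executable files
            if replaceable or can_write(st, uid, gids):
                hits.append(path)
    return hits

def build_sample_tree():
    """Constructed sample: one directory holding three files."""
    d = tempfile.mkdtemp(prefix="bin-")
    for name, mode in (("tool", 0o755), ("loose", 0o777), ("notes.txt", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    os.chmod(d, 0o755)
    return d

if __name__ == "__main__":
    dirs = os.environ.get("PATH", "").split(os.pathsep)
    me, groups = os.geteuid(), set(os.getgroups()) | {os.getegid()}
    print(f"uid {me}: {len(infectable(dirs, me, groups))} writable programs")
    print(f"uid 0: {len(infectable(dirs, 0))} writable programs")
```

Run directly, it compares the current account with uid 0 across `PATH`; on a well-configured system the first count is normally zero or limited to the user's own directories.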

Lindows sells virus protection

Posted Feb 21, 2003 3:14 UTC (Fri) by stock (guest, #5849) [Link]

If they want to boost their sales, they might as well create/design some Linux viruses themselves. Hopefully they are not compatible with the major Linux distros.
I really hate to see a company like Lindows introduce "anti"-virus crap and rituals into linux, we should stop that, it sucks. The lack of viruses is a reason why people are interested in linux.

Robert

Lindows sells virus protection

Posted Feb 27, 2003 13:32 UTC (Thu) by PaulDickson (subscriber, #478) [Link]

Having used a Lindows PC for about two days, I can see why it might need virus protection. The system boots up without login prompts directly into root (although it has a very nice graphical boot process).

I found the user environment to be too limited and I did not want to pay $99/year to be able to access the man pages (or download several 100 MBs over a dialup link). I replaced Lindows with RH 8.0 which I bought for $25 and I'm much happier.


Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds