
Way forward to on-access antivirus in Linux

Posted Nov 9, 2019 12:31 UTC (Sat) by pizza (subscriber, #46)
In reply to: Way forward to on-access antivirus in Linux by Cyberax
Parent article: Filesystem sandboxing with eBPF

> People who run Linux in corporate settings?

Ah yes, to meet the "poorly implemented rootkit that does more harm than good" market.



Way forward to on-access antivirus in Linux

Posted Nov 9, 2019 20:39 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link] (9 responses)

Nope. Linux is freakingly insecure. It's protected right now basically by being very niche, so that attackers are not interested in it.

If this changes, get ready for Linux ransomware and undetectable rootkits. There is no hardening at all in mainstream Linux distros.

Way forward to on-access antivirus in Linux

Posted Nov 9, 2019 21:28 UTC (Sat) by amacater (subscriber, #790) [Link] (1 responses)

Linux is no longer niche - it's universal. Exploitable root hole every three months? Please be so good as to look at the average Mean Time to Repair [MTTR] in Linux and common applications and compare this to the speed of comparable patching in the commercial applications.

If, say, Amazon and the Linux components of Microsoft's Azure are too small to be regarded, please advise what you regard as important.

Way forward to on-access antivirus in Linux

Posted Nov 9, 2019 21:31 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Android is universal. Desktop Linux is not, it barely exists.

> Exploitable root hole every three months? Please be so good as to look at the average Mean Time to Repair [MTTR] in Linux and common applications and compare this to the speed of comparable patching in the commercial applications.
Uh, what? Most IoT and Android devices are not repaired at all, they just exist in a vulnerable state.

The only things preventing mass infections are the gatekeepers in the Play Store and the fact that most IoT devices don't execute arbitrary code.

Way forward to on-access antivirus in Linux

Posted Nov 10, 2019 2:14 UTC (Sun) by pizza (subscriber, #46) [Link] (6 responses)

> If this changes, get ready for Linux ransomware and undetectable rootkits. There is no hardening at all in mainstream Linux distros.

Neither of which are (or can be) addressed by the current "enterprise antivirus" paradigm.

Way forward to on-access antivirus in Linux

Posted Nov 10, 2019 2:23 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (5 responses)

They can. Modern antiviruses have extensive anti-patching and kernel integrity checks. It's possible to work around them, but not at all trivial, even in kernel mode.

Way forward to on-access antivirus in Linux

Posted Nov 11, 2019 7:41 UTC (Mon) by zlynx (guest, #2285) [Link] (4 responses)

Which is one reason they crash Windows so often. And then Windows has to create little simulated environments for the AV so it can "watch" a pretend operating system.

Way forward to on-access antivirus in Linux

Posted Nov 11, 2019 8:41 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (3 responses)

I'm using Windows with an AV for work and so far I haven't seen it crashing. Not once.

> And then Windows has to create little simulated environments for the AV so it can "watch" a pretend operating system.
Windows doesn't do anything like this. It provides official hooks for AV software in kernel mode, but doesn't do any emulation.

Way forward to on-access antivirus in Linux

Posted Nov 11, 2019 15:46 UTC (Mon) by zlynx (guest, #2285) [Link] (2 responses)

Microsoft has to build hacks for nearly every release of Windows 10 because some company's idiot AV thinks it knows Windows better than Microsoft does.

Way forward to on-access antivirus in Linux

Posted Nov 11, 2019 15:52 UTC (Mon) by pizza (subscriber, #46) [Link] (1 responses)

Similarly, "enterprise" AV is responsible for taking brand-new ultrabooks with NVMe storage and making them perform about as well as a much older system with spinning rust.

(Seriously; I just saw a thread on my employer's internal messaging boards about how our current enterprise AV suite makes compiles take nearly 3x longer than without it.)

Way forward to on-access antivirus in Linux

Posted Nov 11, 2019 16:17 UTC (Mon) by dezgeg (subscriber, #92243) [Link]

Not to mention all the extra security holes introduced by AVs doing complex parsing of file formats in processes running with SYSTEM permissions, e.g. https://googleprojectzero.blogspot.com/2015/09/kaspersky-...

Way forward to on-access antivirus in Linux

Posted Nov 17, 2019 5:29 UTC (Sun) by daurnimator (guest, #92358) [Link] (3 responses)

Indeed. However, it's a requirement of e.g. PCI-DSS Requirement 5.1.

From https://www.pcisecuritystandards.org/documents/PCI_DSS_v3...

> 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers)

In most corporate settings where there is card data (and unless the business is willing to convince an auditor that Linux is not commonly affected by malicious software), you have to deploy *something* antivirusy.

Way forward to on-access antivirus in Linux

Posted Nov 18, 2019 23:29 UTC (Mon) by flussence (guest, #85566) [Link] (2 responses)

SELinux not good enough any more?

Way forward to on-access antivirus in Linux

Posted Nov 18, 2019 23:34 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

SELinux has been crap all along. It's pretty much impossible to use on a regular desktop system.

Way forward to on-access antivirus in Linux

Posted Nov 21, 2019 16:20 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

I haven't had to disable it for years. I even have it enabled on some servers I have running too. So maybe your experience is out-of-date (it was indeed much harder to use…6, maybe 7 years ago)?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds