Security Basics mailing list archives

Re: antivirus for linux


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 17 Jun 2004 14:12:53 +0200

On 2004-06-15 Bruno França dos Reis wrote:
> I'm kinda new to linux, and getting more and more worried about
> security. I was wondering: is it necessary for me to have an
> anti-virus application? If so, is it a "live scanner", like the ones I
> know for windows?

Running a virus scanner is never necessary, though running one may be a
Good Idea(tm), since it allows you to identify certain malware. However,
keep in mind that any scanner is only as good as its signatures are. If
you are using outdated signatures, then the scanner won't be very
useful. Also keep in mind that a scanner may be fooled in one way or
another, e.g.:

- compressed file in a compressed file in a ...
- compression-algorithm unknown to the scanner
- encrypted files
- compressed large files may DoS the scanner

> Do you recommend using an anti-virus software?

If you are running on Linux only, you probably won't need AV software.
If you have some Windows clients in your network, you would probably
want a virus scanner to scan directories your Linux box shares over the
network.

> If so, which?

I won't recommend any, but there are various AV products available for
Linux, e.g.:

- ClamAV [1]
- F-Prot [2]
- AntiVir [3]

> Moreover, I have a linux firewall. Is there any way for me to detect
> virus activity trying either to break into a computer (like Sasser or
> others like it)

Sasser and the like are not viruses but worms. A virus scanner won't
help against those, because when the scanner detects them, the intrusion
has already happened. I would recommend preventing infection by not
providing the exploited services to the outside world rather than just
detecting that you've been hosed. To be more precise, provide only
services to the outside world that definitely must be accessible from
there. Not to forget: keep your system patched.

> or to detect incoming mail with virus? Note: my firewall isn't my mail
> server. I was wondering if it could sniff connections to pop mail
> servers and detect virus code.

AMaViS [4] will allow you to scan mails.

[1] http://www.clamav.net/
[2] http://www.f-prot.com/products/home_use/linux/
[3] http://www.antivir.de/en/
[4] http://www.amavis.org/

HTH

Regards
Ansgar Wiechers
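The four scanner-evasion cases listed in the reply (nested archives, unknown compression methods, encrypted entries, decompression bombs) can be caught before a file ever reaches the scanner. The following pre-scan check is an added example, not code from the thread or from any of the products named; the thresholds MAX_DEPTH, MAX_RATIO and MAX_TOTAL are assumed policy values, and the sample archives are constructed inline (ClamAV, for one, exposes comparable limits in its configuration).

```python
"""Pre-scan sanity check for ZIP archives: refuse what would fool or DoS a scanner."""
import io
import zipfile

MAX_DEPTH = 3            # assumed policy: nested archive levels tolerated
MAX_RATIO = 100.0        # assumed policy: uncompressed/compressed ratio treated as a bomb
MAX_TOTAL = 50_000_000   # assumed policy: declared bytes we are willing to expand


def inspect_zip(data: bytes, depth: int = 0) -> dict:
    """Walk a ZIP from its central directory without expanding it and report
    the first property a scanner could not safely handle.
    Returns {'ok': bool, 'reason': str, 'depth': int}."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"ok": False, "reason": "unreadable archive", "depth": depth}
    infos = zf.infolist()
    declared = sum(i.file_size for i in infos)          # sizes claimed in headers
    packed = max(sum(i.compress_size for i in infos), 1)
    if declared > MAX_TOTAL or declared / packed > MAX_RATIO:
        return {"ok": False, "reason": "compression ratio too high", "depth": depth}
    deepest = depth
    for info in infos:
        if info.flag_bits & 0x1:                          # general-purpose bit 0 = encrypted
            return {"ok": False, "reason": "encrypted entry", "depth": depth}
        if info.compress_type not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            return {"ok": False, "reason": "unsupported compression method", "depth": depth}
        if info.filename.lower().endswith(".zip"):        # archive-in-archive: recurse
            if depth + 1 > MAX_DEPTH:
                return {"ok": False, "reason": "nesting too deep", "depth": depth + 1}
            inner = inspect_zip(zf.read(info), depth + 1)
            if not inner["ok"]:
                return inner
            deepest = max(deepest, inner["depth"])
    return {"ok": True, "reason": "", "depth": deepest}


def make_zip(entries: dict) -> bytes:
    """Build a deflated ZIP in memory from {name: bytes} (used for constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign archive, a four-deep "zip in a zip in a ...", a 10 MB-of-zeros bomb
BENIGN = make_zip({"readme.txt": b"hello"})
NESTED = make_zip({"a.zip": make_zip({"b.zip": make_zip({"c.zip": make_zip({"d.zip": BENIGN})})})})
BOMB = make_zip({"zeros.bin": b"\0" * 10_000_000})
```

Anything inspect_zip rejects should be quarantined or logged rather than handed to the scanner, since the scanner's verdict on such input is not meaningful.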
