Linux and Spywares - lack of reading

James Wilkinson james at westexe.demon.co.uk
Wed Feb 16 17:48:04 UTC 2005


jdow wrote:
> There is a basic problem with chkrootkit. It is "reactive" rather than
> "preventative". (Firewalls are an example of a proactive tool, the third
> type.) Unless you are running it every 15 minutes or so considerable
> damage could be done to your system between runs. If you store customer
> records on the machine you'd really like preventative or proactive type
> protection. It is time for proactive system administrators to look into
> this concept and what is available. The danger at present is fairly
> small. And SELinux is a nice method of locking the door. However, over
> time a tool such as Norton's AntiVirus will very likely prove beneficial
> for people who have systems that contain student records, customer
> records, company financial information, and other things which could
> seriously damage their institution if they were released or even merely
> released prematurely.

You mean one that watches what all processes are doing, and terminates
"suspicious"-looking ones? Ones that access the network when they're not
supposed to, or try accessing the MBR?

A lot of this functionality is already here (traditional Unix security
and SELinux, for example). I suspect the rest will come. But what's
already here doesn't look like a traditional anti-virus package, and I
doubt the new stuff will, either.

It's more likely to look like getting SELinux to cover capabilities, and
an easy way for the end user to specify which processes should (for
example) access the network, or the user's address book.

And whereas Norton and co have to guess about the ethics of a program
(good or bad), the Linux equivalents can say "if it's not on the list,
and it's looking here, it's EVIL." That should be a *lot* more secure:
new or old viruses will be caught.

In the best Unix tradition, we are getting two programs to do the
equivalent of Norton. chkrootkit is the "disk scanner", whereas the
"real time scanner" is where it should be: integrated into the system.

James.

-- 
James Wilkinson       | When I was young I wanted to be a fireman, but I
Exeter    Devon    UK | dropped that idea when they explained to me that
E-mail address: james | firemen don't actually make fires.
@westexe.demon.co.uk  |     -- Konqi the dragon, KDE's mascot
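The default-deny rule James describes ("if it's not on the list, and it's looking here, it's EVIL"), as an added example that is not from the original post or the list: SELinux already records every denied access as an AVC audit line, and this Python script sorts those lines against an administrator's allowlist. The sample audit lines, the `kpilot_t`/`ntpd_t` allowlist entries and the `triage` function are constructed assumptions for this illustration.

```python
"""Sort SELinux AVC denials by the post's default-deny rule (added example,
not from the original post): denials matching what the administrator said a
process may do are policy gaps; everything else is the 'not on the list' signal."""
import re

# Fields needed from an AVC denial record (kernel audit-subsystem format).
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r'comm="(?P<comm>[^"]*)".*?'
    r"scontext=\S+?:\S+?:(?P<sdomain>\w+):\S+\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

# Constructed sample audit lines (not real captures): a PIM sync tool reaching
# for the SMTP port and a raw disk device, ntpd binding its port, one SYSCALL line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1108582084.123:101): avc:  denied  { name_connect } for  pid=2231 comm="kpilot" dest=25 scontext=user_u:user_r:kpilot_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1108582084.456:102): avc:  denied  { write } for  pid=2231 comm="kpilot" name="sda" dev=tmpfs ino=1234 scontext=user_u:user_r:kpilot_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=AVC msg=audit(1108582090.789:103): avc:  denied  { name_bind } for  pid=2300 comm="ntpd" src=123 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1108582090.789:103): arch=c000003e syscall=49 success=no exit=-13
"""

# Assumed allowlist (an assumption for this example): the (class, target type)
# pairs the administrator says each confined domain legitimately needs.
ALLOWLIST = {
    "kpilot_t": {("file", "user_home_t"), ("dir", "user_home_t")},
    "ntpd_t": {("udp_socket", "ntp_port_t")},
}

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(rec["perms"].split())
    return rec

def triage(lines, allowlist=ALLOWLIST):
    """Map each source domain to its 'policy_gap' and 'unexpected' denials."""
    report = {}
    for rec in filter(None, map(parse_avc, lines)):
        allowed = allowlist.get(rec["sdomain"], set())
        bucket = "policy_gap" if (rec["tclass"], rec["ttype"]) in allowed else "unexpected"
        entry = report.setdefault(rec["sdomain"], {"policy_gap": [], "unexpected": []})
        entry[bucket].append((rec["comm"], rec["tclass"], rec["ttype"], rec["perms"]))
    return report

if __name__ == "__main__":
    for domain, buckets in triage(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(domain, "unexpected:", buckets["unexpected"], "policy gap:", buckets["policy_gap"])
```

A denial in the `policy_gap` bucket means the policy is stricter than the administrator intended and should be tuned; one in `unexpected` is a process doing something nobody declared it should, which is the signal the post wants raised regardless of whether the code is "new or old".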