full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

    I am looking to implement full time, on access, anti-malware / anti-virus / anti-badstuff on my new 11.04 system. (Please, let's not get into why, only the how. Why has been endlessly discussed elsewhere.)

    Traditionally that has been dazuko, which has always been problematic to implement, and in any case is no longer maintained. Its approach makes sense, at least for the times. Now, with user / installable file systems, perhaps there's another viable approach - I don't know enough about fuse (?) to be able to make that statement with certainty. Not to say other experts can't make that statement.

    The other approach to this appears to be clamfs - for which I can find very little or no documentation. There appears to be some other alternate file systems, most appear to depend upon dazuko and/or are also no longer maintained.

    So, first:
    - most appropriate way to go about this? (Not doing so is not an answer.)
    [on access, starting from root, on down.]
    - links towards those ways?

    Second, it seems intuitive to set the root for scanning to be /. I'm a little leery of this, or of even installing, examining, and uninstalling if appropriate - I'd rather do some up front research, and see documentation that this approach is reasonable, first.

    It seems to me potentially problematic to set the root as / in terms of root owned files (problem if fingers dipped into the bits, even if only temporarily), let alone non-files such as everything in /dev. Let alone file renames / remappings / temporary names, etc., if that's what happens with use of clamfs. (If I can see such use cases, or documentation that clamfs knows how to intelligently handle all this stuff, not go down device or links paths, etc., I'm good to go.)

    (Admittedly, I'm groping for understanding, search terms, and vaguely remembered knowledge bits from long enough ago that I'm not getting anywhere useful in google searches in any reasonable time frame.)

    So - pointing clamfs at / OK?

    Thoughts, pointers, suggestions, gotchas?

    #2

    Have you considered Avast for Linux? Maybe it will offer what you want.
    http://www.avast.com/linux-unix-edition



      #3

      AV software is useful on Linux only if you plan to forward infected email to your Windows running friends. The malware won't infect Linux but if you forward it .....

      Besides social engineering, the next "biggest" threat, even though it is really miniscule, is from manual back door hack. Kubuntu comes with a basic firewall installed. Wireless routers using Linux also have a firewall installed. If you set your wireless router to not respond to pings, your computer will essentially be invisible to the Internet and won't handshake with a potential hacker. Test your system using grc.com's "Shields Up!" You should get all greens on all ports.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.



        #4

        I referred him to Avast because he said he did not want a discussion of why, only of how. I use Linux AV software on Windows machines by removing the hard drive and mounting it in my machine. It works very well, especially useful on machines that have an infection that sometimes won't let them boot, or will not let AV software run.



          #5

          Originally posted by GreyGeek
          AV software is useful on Linux only if you plan to forward infected email to your Windows running friends. The malware won't infect Linux but if you forward it .....
          You have descended into the why, rather than the how, please stop. What you say is not true and urban myth. Please stop perpetuating it.

          Originally posted by GreyGeek
          Besides social engineering, the next "biggest" threat, even though it is really miniscule, is from manual back door hack. Kubuntu comes with a basic firewall installed. Wireless routers using Linux also have a firewall installed. If you set your wireless router to not respond to pings, your computer will essentially be invisible to the Internet and won't handshake with a potential hacker. Test your system using grc.com's "Shields Up!" You should get all greens on all ports.
          You have again avoided addressing the given question, rather than the how, please stop. What you say is not true and urban myth. Please stop perpetuating it.

          - your comments do not address: current or latent issues, individual machines instead of the first hop (router), only a point in time, while ports are opened/closed dynamically, e.g. UPnP. Threats are less from without, than from within - including those inadvertently invited within.

          Systems will always be vulnerable, and effort goes towards the richest target. That Linux is not the richest target today does not mean it won't be tomorrow. (Since you can't say exactly when it will be, yet you can put in safeguards today, doing so is the only prudent action.)

          A firewall, although I agree, necessary, and accompanying black lists a good idea, won't prevent a stupid or misled user from doing bad things.

          If, however, that bad thing is prevented from landing in the first place, that risk is much reduced.

          - I mean no offence, but I would like to prevent the flamewar such questions as this seem to provoke, where urban legend and opinion go around in circles - somehow the opinions of which become assumed fact without basis. Some think Linux to not be vulnerable - I don't happen to agree. Thus I have posed the question.



            #6

            Originally posted by Detonate
            Have you considered Avast for Linux? Maybe it will offer what you want.
            http://www.avast.com/linux-unix-edition
            I did, thanks, AVG too. AVG Linux, apparently, will detect, but not remove issues found, nor scan for them on the fly.

            Avast (Home) does not do on access. For on access the non-Free / FOSS avast4guard appears to be necessary - and it requires Dazuko.

            Dazuko, as per my prior note, apparently no longer maintained. Maintenance stopped around March 2011, I think, so it looks to be good to go for 2.6.x kernels. I expect, however, all bets are off, going forward - Isn't kernel 3.x.x coming (Oneiric?) - so it seemed to me if I'm going to traverse a learning curve, I may as well find out more about clamfs first.

            A user file system does appear (to my uninitiated eye) to be a reasonable approach, and one maintained / in the repositories even - thus my posed question.



              #7

              Originally posted by Detonate
              I referred him to Avast because he said he did not want a discussion of why, only of how.
              For which I thank you. It is a good / reasonable suggestion / line of inquiry.

              Originally posted by Detonate
              I use Linux AV software on windows machines by removing the hard drive and mounting it in in my machine. It works very well, especially useful on machines that have an infection that sometimes won't let them boot, or will not let AV software run.
              You may want to check out clamav / clamfs yourself. I saw references to it being (optionally) restrictable to samba shares only, optionally on the fly. I don't suppose accessing a cifs file system remotely as administrator should be much different. [I've actually done this many times (remote scan) - however, it was from the Windows branch server to each Windows workstation, overnight. Ultimately I stopped - with sufficiently effective on-access scanners, periodic scanning becomes pointless.]

              I would have thought, even by now, boot preventing malware has gotten pretty rare. Given today's ability to boot from usb (drive), perhaps with the assistance of a boot cd that passes control over to a usb drive, perhaps it would be worthwhile to make up the equivalent of a live cd to scan such systems as you describe? At least you wouldn't have to pull the hardware apart / bring it back to the bench, to deal with. Even if you don't do an entire disk scan at that point, you should be able to get it to boot, they get on with their day sufficiently well, and you can remotely scan that night, or manually. Just a thought. (Granted: there are only so many hours in a day for such solution establishment.)



                #8

                Thanks for the suggestions. I have used those methods (live USB or CD). I use clamav. Not familiar with clamfs, but I will check it out. I have found running the scan on a disk from my computer is much faster when I am dealing with the hard drive from an older system. It only takes me a few minutes to yank a hard drive and slap the power and IDE or SATA cable from my computer, which is handily hanging out the side as I do this often. Most of the computers I deal with are several years old, and slow. I'll not get into the discussion about the necessity for AV software on a Linux machine except to say in all the years I've been using Linux I have never encountered any kind of infection and have never felt the need for it.



                  #9

                  And to add to it, most av software in linux is geared towards the server/industrial side, meant specifically for things such as mail and web servers, so that could be why they are somewhat clunky for the home user.

                  I also don't believe that these av programs handle the only real threat to a linux box - the rootkit, which as far as I know still requires physical access to the machine with admin privileges. Just something else to consider in this arena.


                  Nearly 12 years and I myself have neither seen nor heard of a linux system being infected.



                    #10

                    Originally posted by Detonate
                    Thanks for the suggestions. I have used those methods (live USB or CD). I use clamav. Not familiar with clamfs, but I will check it out.
                    Apparently all clamfs really does is provide a mechanism to feed a file to clamd on the fly. i.e. Makes clamav on-access. And act appropriately depending upon the result - e.g. deny access / infected.

                    [My issue, and reason for posing of the question due to the dearth of documentation - is whether it's prudent to point it at /, instead of, say, /<data>, or /<samba>.]

                    Originally posted by Detonate
                    I have found running the scan on a disk from my computer is much faster when I am dealing with the hard drive from an older system. It only takes me a few minutes to yank a hard drive and slap the power and IDE or SATA cable from my computer, which is handily hanging out the side as I do this often. Most of the computers I deal with are several years old, and slow.
                    Ah. Old hardware = PITA. Laptop and USB(3?) or eSata doohickey?

                    Yes, always handy to have a case with the sides off sitting in a corner doing nothing. Let alone monitor / power (KVM even), left in place. Take advantage of today's horsepower, such as our old / test clunker hardware tends to be.

                    Originally posted by Detonate
                    I'll not get into the discussion about the necessity for AV software on a Linux machine except to say in all the years I've been using Linux I have never encountered any kind of infection and have never felt the need for it.
                    Fair enough, but I don't believe past experience is a reasonable expectation moving forward. Witness the progression on DOS / Windows - be it boot, shares, docs. Problems most always due to lack of security, unenforced policies, and other user mistakes. Linux is not immune from these human mistakes.

                    I'm not saying it's prevalent today, merely that it's easier to put in place today reasonable mechanisms, than to try guess when it will become an issue, and react in an unplanned 'panic', then. And it will come. Perhaps not in a form we see in Windows today, but still in an undesirable form, nonetheless. (And we live in a Windows world, all fantasizing to the contrary. To one degree or another, a Windows presence is felt.)

                    The presence of the undesired is the issue, not whether it will affect the local system. e.g. .doc macro may not affect you, but will affect windows machines that connect to you. It should not be there, and it should not have been permitted to land. And the most appropriate / effective point of dealing with it is on the local system hosting the disk.

                    I'm not suggesting that the list of things to check for is not significantly reduced. An .exe in /usr/bin is not likely to affect my Linux system (but it should not be there, still). [Assume user error, which is what we're mostly talking about here]. The list of things to check for will be dynamic. With processes in place, when issues arise, presumably the list of things to check for will be updated faster than the rate at which they actually take a crack at your system.

                    Part of the evolution of such software on Windows has been an expansion from boot problem detection to file macro protection to 'bad' cookies to "prevent clicking on bad links that will do bad things to your system". Part of that evolution has been to single (solution) pieces of software that take care of the various points of possible entry, rather than having to run multiple different applications - and the inherent problem of the user not knowing that yet another avenue of attack is being exploited.

                    So, rather than having a separate firewall (which I always will, regardless of any other app), separate addon to the (various) browser(s), open office add-in, and who knows what all else / where all else, that software has evolved to closer to one stop shopping. [Even though I detest that such have gone too far, making addressing the problem far more convoluted than it should be.] An oo writer attachment containing a macro with unintended consequences, still has unintended consequences. And I'd rather fewer applications to maintain than fiddly bits to monitor in each and every potentially vulnerable application, if I could ever keep up with the list of them.

                    From what I have been able to read thus far, clamfs seems to be the linux equivalent of that one stop shopping. If I could but find out more. And if I could get confirmation that what I would like it to be, is what it is.

                    Which all describes my intent. So, more information on clamfs, or alternate solutions, would be welcome.

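The mechanism post #10 describes (hand the file to clamd on open, and deny the access when the verdict is a hit), as an added example that is not clamfs or ClamAV code. The scanner here is a stand-in that only recognises the EICAR test string rather than a client for the clamd socket protocol, and the clean-verdict cache keyed on inode, mtime and size is my assumption about how such a gate avoids rescanning an unchanged file, not a description of clamfs's own cache. The two files it scans are constructed in a temporary directory.

```python
"""On-access gating in miniature: scan on open(), refuse the open on a hit,
and cache clean verdicts so unchanged files are not rescanned."""
import errno
import os
import shutil
import tempfile

# The EICAR test string: AV engines, ClamAV included, flag it as a test
# signature, so it stands in for "infected" content without real malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def stub_scanner(path):
    """Stand-in for handing the file to clamd (assumption: this is not the
    clamd protocol). Returns None when clean, otherwise a signature name."""
    with open(path, "rb") as f:
        data = f.read()
    return "Eicar-Test-Signature" if EICAR in data else None


class OnAccessGate:
    """Mediates open(): files that scanned clean and have not changed are not
    rescanned; a positive verdict becomes EACCES, which is what a process
    sees from a clamfs mount when clamd reports a hit."""

    def __init__(self, scanner=stub_scanner):
        self.scanner = scanner
        self.cache = {}   # (st_dev, st_ino) -> (st_mtime_ns, st_size)
        self.scans = 0    # number of real scanner calls, for the demo

    def open(self, path, mode="rb"):
        st = os.stat(path)
        key = (st.st_dev, st.st_ino)
        stamp = (st.st_mtime_ns, st.st_size)
        if self.cache.get(key) != stamp:      # new, or changed since last scan
            self.scans += 1
            verdict = self.scanner(path)
            if verdict is not None:
                self.cache.pop(key, None)
                raise PermissionError(errno.EACCES,
                                      "%s (%s)" % (os.strerror(errno.EACCES), verdict),
                                      path)
            self.cache[key] = stamp
        return open(path, mode)


def demo():
    """Exercise the gate on two constructed files; returns what happened."""
    gate = OnAccessGate()
    workdir = tempfile.mkdtemp()
    try:
        clean = os.path.join(workdir, "notes.txt")
        bad = os.path.join(workdir, "attachment.com")
        with open(clean, "wb") as f:
            f.write(b"meeting at ten\n")
        with open(bad, "wb") as f:
            f.write(EICAR)

        results = {}
        with gate.open(clean) as f:
            results["clean_read"] = f.read()
        with gate.open(clean):          # second open: cache hit, no rescan
            pass
        results["scans_after_two_opens"] = gate.scans

        try:
            gate.open(bad)
            results["bad"] = "opened"
        except PermissionError as e:
            results["bad"] = errno.errorcode[e.errno]

        # Append the test string to the clean file: size and mtime change, the
        # cache entry no longer matches, and the next open is rescanned.
        with open(clean, "ab") as f:
            f.write(EICAR)
        try:
            gate.open(clean)
            results["clean_after_modify"] = "opened"
        except PermissionError as e:
            results["clean_after_modify"] = errno.errorcode[e.errno]
        results["scans_total"] = gate.scans
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The caveat this shape carries over to a real FUSE mirror: the gate only sees what comes through it. A write made through the backing directory rather than the mountpoint is noticed here only because the cache key (mtime and size) changes; a rewrite that keeps both would slip past until the entry expires, which is one reason a mirror of a small, well-defined share is easier to reason about than a mirror of everything.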


                      #11

                      Originally posted by claydoh
                      And to add to it, most av software in linux is geared towards the server/industrial side, meant specifically for things such as mail and web servers, so that could be why they are somewhat clunky for the home user.
                      Fair point. Mind you ... a bad file in a mail folder may still be detectable. (If not handled as intelligently as the e-mail system might. e.g. Deny access to file rather than just deny access to attachment.) But at least you'd know it was there, if only to discover it's time to implement additional mechanisms.

                      Originally posted by claydoh
                      I also don't believe that these av programs handle the only real threat to a linux box - the rootkit, which as far as I know still requires physical access to the machine with admin privileges. Just something else to consider in this arena.
                      - no offence, but what is the basis of your belief? And I ask because if your belief is based on evidence elsewhere, that evidence will likely point towards the sort of information I'm interested in.

                      Even if such doesn't do rootkit today, it seems that FOSS evolves dynamically, so it may do so tomorrow. (We can hope?)

                      Originally posted by claydoh
                      Nearly 12 years and I myself have neither seen nor heard of a linux system being infected.
                      Fair enough, but we all live in different environments, with different levels of exposure. e.g. Some samba share their files with Windows machines, that can then have undesirable impact upon other Windows machines - may not impact the Linux box, but will have an impact. Let alone different levels of paranoia. The real problem being the ever evolving quantity of potential risks, that I long ago gave up on being able to personally track. (Thus the need for automation.)

                      I don't believe in regular pointless time and horsepower consuming scans, let alone the time consumed to track results and that scans actually happened - badness should never have been allowed to land in the first place. Badness being a dynamic and evolving thing - executable, document, cookie, link, ...

                      And dealing with the issue then effects better results than coming back later - whose file is it, what should be done with it, and so on and so forth. vs. That bad attachment coming in at the time, and the user can accept / reject / save it elsewhere / quarantine it / whatever - knowing what it is, its importance, and so on and so forth.

                      So, no offence, but information and pointers towards clamfs information and use cases would be welcome. googling 'man clamfs' for example, reveals a pretty useless page, and the sourceforge site seems only a holding place for source / distributables. (Kubuntu, for example, having clamfs in the repository.)



                        #12

                        There really isn't any more info on clamfs that is deeper than its man page. Which is basically: you edit the well-commented config file, and start the daemon. All the AV options are from clamav itself.

                        Some helpful comments here
                        http://it.toolbox.com/blogs/locutus/...der-time-42416

                        clamfs is a FUSE filesystem, all its av actions are taken by the AV software so clamfs itself does nothing more than act as a non-root (sandboxed if you will) file-system that allows clamav to scan on demand. The config file just defines certain parameters you can edit, so in theory it should be simple to install and set up, the 'difficult' part might be setting it up to run at boot time automatically.



                          #13

                          It is sounding like you want to protect 'Windows' systems, and that's fair enough. Even though a properly setup Linux system ('root' account is not activated/bypassed, leaving the system 'open') is for all practical purpose 'immune' from virus attacks, that doesn't mean that a virus 'attached/embedded' in a file received by a Linux system (email) can't be transmitted (email forward/send) to a Windows system that can be affected. That said then, a good Linux Virus daemon that is always running and up to date (virus definition file/database) and properly configured is your best defense. From what I've seen/read, the Linux ClamAV is probably your best option.
                          Windows no longer obstructs my view.
                          Using Kubuntu Linux since March 23, 2007.
                          "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                            #14

                            Originally posted by claydoh
                            There really isn't any more info on clamfs that is more deep than its man page. Which is basically you edit the well-commented config file, and start the daemon.
                            I get (had? got?) that - my question is more to do with the ramifications of pointing it at /, rather than a subdirectory. Figuring some up front investigation being prudent beforehand. (But haven't found where.)


                            Originally posted by claydoh
                            All the AV options are from clamav itself

                            Some helpful comments here
                            http://it.toolbox.com/blogs/locutus/...der-time-42416
                            Yes, found that.

                            Originally posted by claydoh
                            clamfs is a FUSE filesystem,
                            Yes, I know. Which is to say, I understand the term - I just don't understand the ramifications. e.g. I can easily envision problems handing off root files for inspection, even temporarily. And I seem to recall hints that files get remounted elsewhere, e.g. /data -> /clamfs/data, which would be bad. e.g. /sbin getting moved to /clamfs/sbin ... BOOM!


                            Originally posted by claydoh
                            all its av actions are taken by the AV software so clamfs itself does nothing more than act as a non-root (sandboxed if you will) file-system that allows clamav to scan on demand. The config file just defines certain parameters you can edit, so in theory it should be simple to install and set up, the 'difficult' part might be setting it up to run at boot time automatically.
                            Fair enough, those are all technical implementation problems I believe I will be able to handle. That I can, doesn't mean I should - thus my question(s). e.g. Undesired / unexpected impact, self-inflicted aggravation, ...

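A check for the question that runs through the thread (post #1, #10 and #14: is pointing the clamfs root at / sane?), as an added example rather than anything from clamfs itself: parse the `<filesystem>` element of a config and reject root/mountpoint pairs that can only go wrong. The element and attribute names follow my recollection of the clamfs.xml shipped with the package (an assumption; compare with the copy under /etc on your system), and the sample config is constructed. The checks are lexical, so they are necessary rather than sufficient: symlinks are not resolved and the directories are not stat'ed.

```python
"""Sanity-check the <filesystem root= mountpoint=> pair of a clamfs config
before mounting it. Added example; not clamfs code."""
import os
import xml.etree.ElementTree as ET

# Kernel pseudo-filesystems and the device/socket tree: nothing in here is a
# regular file worth feeding to a scanner, and mirroring them through FUSE
# is where "scan /" goes wrong first.
PSEUDO_ROOTS = ("/dev", "/proc", "/sys", "/run")

# Constructed sample config (assumption: element and attribute names follow
# the clamfs.xml shipped with the package; compare against your own copy).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<clamfs>
  <clamd socket="/var/run/clamav/clamd.ctl" check="yes" />
  <filesystem root="/srv/data" mountpoint="/srv/scanned" public="yes" />
  <cache entries="16384" expire="3600" />
  <log method="syslog" />
</clamfs>
"""


def _inside(path, parent):
    """True if path equals parent or lies beneath it. Lexical only: symlinks
    are not resolved, so a True here is a definite problem, a False is not
    a guarantee."""
    path = os.path.normpath(path)
    parent = os.path.normpath(parent)
    return path == parent or path.startswith(parent.rstrip("/") + "/")


def check_mount(root, mountpoint):
    """Return a list of problems with the proposed root/mountpoint pair;
    an empty list means nothing obviously wrong."""
    problems = []
    for name, p in (("root", root), ("mountpoint", mountpoint)):
        if not p or not os.path.isabs(p):
            problems.append("%s must be an absolute path, got %r" % (name, p))
    if problems:
        return problems
    root = os.path.normpath(root)
    mountpoint = os.path.normpath(mountpoint)
    if root == "/":
        problems.append("root is /: the mirror would drag /dev, /proc and /sys "
                        "through the scanner, and every mountpoint lies inside it")
    for pseudo in PSEUDO_ROOTS:
        if _inside(root, pseudo):
            problems.append("root %s is under %s (device nodes / pseudo files)"
                            % (root, pseudo))
    if mountpoint == "/":
        problems.append("mountpoint is /: a mirror cannot be mounted over the root filesystem")
    elif _inside(mountpoint, root):
        problems.append("mountpoint %s is inside root %s: accesses would recurse "
                        "through the FUSE mirror" % (mountpoint, root))
    elif _inside(root, mountpoint):
        problems.append("root %s is under mountpoint %s: the mount would shadow "
                        "its own backing directory" % (root, mountpoint))
    return problems


def check_config(xml_text):
    """Parse a clamfs config and check its <filesystem> and <clamd> elements."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    doc = ET.fromstring(data)
    fs = doc.find("filesystem")
    if fs is None:
        return ["no <filesystem> element"]
    problems = check_mount(fs.get("root"), fs.get("mountpoint"))
    clamd = doc.find("clamd")
    if clamd is None or not clamd.get("socket"):
        problems.append("no <clamd socket=...>: nothing to hand files to")
    return problems


if __name__ == "__main__":
    for root, mp in (("/srv/data", "/srv/scanned"), ("/", "/clamfs"),
                     ("/srv/data", "/srv/data/scanned")):
        print(root, "->", mp, check_mount(root, mp) or "ok")
```

The point the checks encode is that a FUSE mirror never replaces the directory it reads from: the files stay where they are, and a second path (the mountpoint) presents a scanned view of them, which is why the sensible deployment is one data or share directory mirrored at a sibling path, with the share served from the mirror.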


                              #15

                              Originally posted by Snowhog
                              It is sounding like you want to protect 'Windows' systems, and that's fair enough.
                              No - I want to protect, or (intelligently/appropriately) take advantage of any protection, for any system. Windows or not is not relevant. I do not buy the unsubstantiated premise that Linux isn't vulnerable. Or, rather, just because it is today, doesn't mean it will be tomorrow.


                              Originally posted by Snowhog
                              Even though a properly setup Linux system ...
                              You are presuming a perpetually properly set up Linux system. Not a valid assumption. The biggest security hole is always the user doing dumb things. That the user (even administrator) failed to do a smart thing (be aware of yet another avenue of attack and take steps to protect applications vulnerable), is reverse marketing - horse has left. On access system scanning, built in detection / prevention / alerting rules, is a mechanism for notification.

                              Originally posted by Snowhog
                              ('root' account is not activated/bypassed, leaving the system 'open') is for all practical purpose 'immune' from virus attacks, that doesn't mean that a virus 'attached/embedded' in a file received by a Linux system (email) can't be transmitted (email forward/send) to a Windows system that can be affected.
                              And also doesn't mean a stupid thing accidentally done while root isn't harmful. (Think of what I'm talking about as backchecking, notification, and the like.)


                              Originally posted by Snowhog
                              That said then, a good Linux Virus daemon that is always running and up to date (virus definition file/database) and properly configured is your best defense. From what I've seen/read, the Linux ClamAV is probably your best option.
                              Yes, that's my reading too. clamfs is the beastie that facilitates clamav on access / on the fly scanning.

                              Thus, my question has been, use of clamfs. Pointed at /.
