full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)
    #31
    Re: full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

    After reading all of these walls of text, I think this is not the place for b_s to be asking his/her questions beyond a reference for an A/V scanner.
    I truly am a noob, at least to Linux, and the discussion is going over my head. I suggest that b_s continue his/her elegantly typed, eloquently harsh discussion with the developers of clamfs.



      #32
      Re: full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

      Originally posted by rpg_poser
      ... I think this is not the place for b_s to be asking his/her questions beyond a reference for an A/V scanner.
      Wow.

      All I asked for was a reference to clamfs. I haven't even characterized it as a/v.

      And I've had to beat back the non-answers to focus on the question posed.

      But it's the questioner's fault for asking a question in a place where questions are to be asked?

      I think the target of your statement is misplaced.



        #33
        Re: full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

        Originally posted by b_s
        Originally posted by rpg_poser
        ... I think this is not the place for b_s to be asking his/her questions beyond a reference for an A/V scanner.
        Wow.

        All I asked for was a reference to clamfs. I haven't even characterized it as a/v.

        And I've had to beat back the non-answers to focus on the question posed.

        But it's the questioner's fault for asking a question in a place where questions are to be asked?

        I think the target of your statement is misplaced.
        Why do you think you are having to "beat back the non-answers"? Shouldn't that tip you off that you are asking your questions in the wrong place?

        This is the "Kubuntu Forums - Newbie Support - Help the New Guy" forum. Do you want to go in circles with me?



          #34
          Re: full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

          New, to a particular thing, is relative.

          More non-answers.

          Locking.



            #35
            Re: full time, full disk, on access, anti-malware / anti-virus scanning? (clamfs?)

            Originally posted by b_s
            I have some experience, and thus expertise, in the topic.
            Experience does not equal expertise. I've met many people with years of experience, and many more with the same one year of experience repeated many years. Some folks never learn from their experiences.

            Originally posted by b_s
            Systems, such as clamfs can be implemented to help keep an eye on things for you. Watchdogs. Which is why we run firewalls - even though the home is likely a low target risk.
            You'll have to pardon the following explanation, but your question was posed in the New Guys forum, and while you claim you aren't a "New Guy" there are true New Guys visiting here.

            Without a vaccine ("dat") file an AV application is worthless. To be part of a dat file a virus has to be found in the wild, not on a handful of machines in some lab, analyzed for a signature, which then has to be included in the next released update of the dat file, and that dat file has to be downloaded by the AV user, either automatically or manually.

            To use the dat file in real time the AV daemon, clamd, has to be running (which makes it a "service") all the time, so it can automatically check the signature of attachments on incoming emails, or the signature of downloaded files, to see if that signature exists in the dat file. If it finds a match it takes whatever action is coded into the AV program for such situations.

            The daemon eats up CPU cycles and Interrupt requests, wasting those resources and slowing down the PC when emails aren't hitting the in-box or the user isn't downloading files. If the AV daemon isn't running then perhaps a cron script could be used to run the AV checker automatically on a regular basis? How often is necessary? Once a week? Every day? Every hour? Every 30 minutes? But, if you aren't getting email or downloading files why run it at all? Why waste resources, either a daemon or a cron script? Just run it manually against every attachment when it arrives or every download after the download? Manually checking attachments and downloads is tedious. Cron scripts don't make sense, which is why AV apps install daemons. The daemon usually checks some website or server for the latest dat files.

            When scanning an attachment or file the AV program can give a positive, a negative, a false positive or a false negative. A false positive makes the attachment or file suspect. You might say it is better to be safe than sorry, but a false positive unfairly impugns the character or skill of the programmer who created the attachment or file, or the admin of the server which was the source of it. IF the AV program gives an actual virus a false negative it is giving false security, which is like not running the AV program. The signature of the putative virus may not be in the dat file. IF the attachment or file is malware but its signature isn't in the dat file, and the user isn't informed that the signature is unknown, the user is at risk.

            This is how the AV application is "keeping an eye on things". Here are a couple examples of the general view of viruses on Linux:
            http://ubuntuforums.org/showthread.php?t=683621&page=2
            http://ubuntuforums.org/showthread.php?t=1406082

            The effectiveness of ClamAV is recorded in the Wikipedia:
            ClamAV was included in comparative tests against other antivirus products. In the 2008 AV-Test it rated: on-demand: very poor, false positives: poor, on-access: poor, response time: very good, rootkits: very poor.[7]

            ClamAV is currently tested daily in comparative tests against other antivirus products on Shadowserver. In 2010 Shadowserver tested over 22 million samples against ClamAV and numerous other antivirus products. Out of the 22 million samples tested ClamAV scored 76.64% ranking 9 out of 19, a higher rating than some much more established competitors.
            The discussion of AV apps and their effectiveness on Linux often ignores several important points.

            Linux IS NOT Windows. They don't work the same way.

            Windows is promiscuous. Its ActiveX controls run an attachment or a download automatically unless interrupted by the annoying "permission" window, which most users deactivate. Windows users DEPEND on AV software to protect their system. They have no other choice. IMO, their best choice is MS Security Essentials, primarily because it is as good as the commercial AV products and it is free. It's the least MS could do for their users. Even then, the number of false negatives, or zero-day exploits (no signature in the dat file) has been sufficient to help create the 4,300,000+ Windows zombies bot farm found last fall.

            Linux users have a choice. EVERYTHING in Linux is a file. Everything. For an attachment or download to be run it first must be manually saved. Then the execute permission bit must be manually set. Then the file must be manually executed. Even then, as Rick Moen pointed out so skillfully, the most it usually can do is to trash your user account. There are NO "ActiveX" type components in Linux. Not even the *.desktop file runs automatically. Those three manual steps stop the possibility of automatic infections in Linux dead in its tracks. The applications in the Kubuntu repository are vetted and do not pose a risk. Other repositories either have their own signed keys or they announce that the site is not secure. Even then, the user must manually install the application. It won't install automatically.

            Firewalls do not protect against viruses, they protect against attacks on the ports facing the Internet. Those are the ports that the grc.com application "ShieldsUp!" checks to determine if they are open (red), closed (blue), or stealth (green). If your PC and router are not echoing pings and your ports are all green, the only way your presence on the Internet can be established is by analyzing upstream traffic patterns, something that is not easy to do and is beyond most bad guys. Since your ports will not return an ACK with an acknowledgment, the third part of the required handshake connection sequence cannot be established and there is no way for an attack program, or a real live hacker, to blindly break into your computer, even if he knew your computer was there.


            Perhaps a better security product to consider is AppArmor.
            AppArmor is a Mandatory Access Control (MAC) system which is a kernel (LSM) enhancement to confine programs to a limited set of resources. AppArmor's security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel, typically on boot. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd). Profiles in complain mode will not enforce policy but instead report policy violation attempts.

            AppArmor is different from some other MAC systems on Linux in that it is path-based, allows for mixing of enforcement and complain mode profiles, uses include files to ease development and has a far lower barrier to entry than other popular MAC systems.

            AppArmor is an established technology first seen in Immunix, and later integrated into Ubuntu, Novell/SUSE, and Mandriva. Core AppArmor functionality is in the mainline Linux kernel from 2.6.36 onwards; work is ongoing by AppArmor, Ubuntu and other developers to merge additional AppArmor functionality into the mainline kernel.
            Personally, I don't run AV products and I've turned off AppArmor. I stay green on my firewall. In over a dozen years I haven't seen a single piece of Linux malware on my system, or even on the Internet. They are extremely rare birds.

            Almost a decade ago I was concerned about Linux catching a virus infection and did some exploring. The first thing I did was to learn about viruses and Trojans. I did that by installing WINE and running Windows viruses under WINE to see what they did and what they left behind. I found that ALL viruses use one of less than a dozen attack modes (IIRC, there are only eight). The variations arise only out of recompiling existing viruses after minor modifications of their source so that when compiled their "signature", some mathematical manipulation of the first 1K or so HEX bytes in the file, would be altered enough to not match signatures in existing dat files. A simple tool to do that was Visual Basic. Even a 13 year old could copy and paste pieces of the virus VB source file around and recompile it to create YetAnotherVirus executable, but with his particular payload. Rinse and repeat.

            Since viruses in Linux are all but non-existent, most hackers focus on Linux platforms that have not secured their ports (they are either red or blue) and they modify the frame of a ShellCode to include the HEX representation of an SQL injection, or a memory overwrite. There are websites devoted to teaching How to write ShellCode on Linux. Despite being easy to write, ShellCodes are not very effective. IF they were, it would not have taken a gang of hackers SIX MONTHS to hijack only 700 Linux boxes.

            What do I use to protect against viruses and back door attacks?

            Viruses I never worry about because I never do the required three steps to cause an attachment to run, and I never run an unvetted program. IF I can't help myself and I am dying to know what the attachment does/says/is, then I create a chroot jail and run it in there. But, I don't get curious enough to do that very often, because the vast majority of attachments are boringly simple and repetitive. Back door attacks are repelled by keeping all your ports stealth. In a discussion on this topic last year I challenged a critic to give my box his best shot by publishing my IP address. Of all the people who tried, only one even got my general location correct. The rest claimed I was in other locations and that I was lying about where I was. Everyone knew I was running Linux but no one could get past the Linux firewall on my TPLink wireless router.




            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
            – John F. Kennedy, February 26, 1962.
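An added example, not code from the thread or from ClamAV, that turns two points of the post above into a runnable check: the execute bit a downloaded file must carry before it can run, and an on-demand lookup of each file's signature against a "dat" of known hashes that reports "unknown" explicitly rather than "clean" when no signature matches. The signature set, the sample files and the directory layout are all constructed for the demonstration.

```python
import hashlib
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for an AV "dat" file: SHA-256 of known-bad content.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed sample: not real malware\n").hexdigest(): "Sample.Constructed",
}

def sha256_of(path: Path) -> str:
    """Hash the whole file, not just its first 1K, so a tail edit changes the signature too."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_downloads(root) -> dict:
    """Classify every regular file under root as {relpath: {"executable", "verdict"}}.
    verdict is "match:<name>" on a dat hit, else "unknown" (no signature != safe)."""
    report = {}
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = path.stat().st_mode
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        name = KNOWN_BAD_SHA256.get(sha256_of(path))
        report[str(path.relative_to(root))] = {
            "executable": executable,
            "verdict": f"match:{name}" if name else "unknown",
        }
    return report

def build_sample_dir(base) -> Path:
    """Constructed input: three files, only one of which has had its execute bit set."""
    d = Path(base) / "downloads"
    d.mkdir(parents=True, exist_ok=True)
    (d / "report.pdf").write_bytes(b"%PDF-1.4 constructed harmless document\n")
    (d / "installer.sh").write_bytes(b"#!/bin/sh\necho constructed, not executable by default\n")
    bad = d / "attachment.bin"
    bad.write_bytes(b"constructed sample: not real malware\n")
    bad.chmod(0o755)   # simulate the user having done the manual chmod step
    return d

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_downloads(build_sample_dir(tmp))
```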
