Are non-perfect Defenses that defeat off-the-shelf Viruses a worthwhile Development Goal?

Are non-perfect defenses that defeat off-the-shelf malware [0] a worthwhile development goal?

  • Let’s assume there are off-the-shelf viruses, trojan horses [1] which work against major Linux distribution(s).
  • Then assume some feature of Whonix / Kicksecure would prevent that exact exploit chain [2].
  • Assume that modified malware using a more obscure exploit chain would still be successful.

Is it worth it?

I think yes, it’s worth it. Even though it is non-perfect, as an end result fewer users will have their data leaked, and they will be thankful for that.

For example, by using GitHub - tasket/Qubes-VM-hardening: Fend off malware at Qubes VM startup / Dev/VirusForget - Kicksecure it may be possible that viruses are non-persistent after reboot or, even better, their exploit chain may get interrupted. I.e. it could be that a working exploit wouldn’t result in malware active in memory since its installation script is failing due to immutable dotfiles or so.

Malware authors might ultimately work around Qubes-VM-hardening / VirusForget. They might find other application data folders to exploit, such as perhaps the XFCE settings folder. However, until they get there it could be a few years, and if they get there, perhaps the remaining holes can be closed step by step. Without going the first step, we can’t really push for seeing research on that.

Another example is enforcing kernel module software signature verification [module signing] / disallowing kernel module loading by default. An exploit chain that is trying to load a malicious module might fail. That may or may not be easy to debug for some malware authors.

On the other hand it could be called snakeoil.

I am wondering whether it’s worth giving up preemptively due to someone saying snakeoil.

At the moment it looks like the security of mobile devices such as many Android (and perhaps iPhone) devices is better than the security of Linux desktop computer distributions. Mobile device vendors secure against a different thing. They want to make sure users are running their software, and not custom after-market firmware. One can call their defenses snake oil all day. However, the fact remains that there are tons of devices with locked bootloaders with users who would wish to run an after-market firmware but are not capable of doing so.

With Linux desktop computer distributions, Whonix / Kicksecure, we could get the same security. But we wouldn’t secure against the user doing custom modifications. We’d use the same techniques that mobile vendors use, for the purpose of protecting against malware. Techniques such as verification of the boot chain and all executables and so forth at boot time, untrusted root, boot optional without root access, strong Linux user account separation.


Related:


[0] Targeted Malware vs Off-The-Shelf Malware

[1] Malware is a non-ideal term.

[2]
https://static1.squarespace.com/static/5419be5de4b062d1159bbe31/t/546b91d6e4b0e010426d60c8/1416335830344/Examining+the+Exploit-Chain.pdf

2 Likes
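As an added example (not code from the post above or from the Whonix / Kicksecure projects), a small audit of the kernel-side defenses the post mentions: module loading switched off, module signature enforcement, and kernel lockdown. It assumes the standard Linux interfaces named in the comments; each may be absent on older kernels or non-Linux hosts, and the audit reports that rather than failing.

```python
"""Audit the module-loading / module-signing defenses discussed above.

Interfaces read (each may be missing; a missing one is reported as None):
  /proc/sys/kernel/modules_disabled           "1" once module loading is switched off
  /sys/module/module/parameters/sig_enforce   "Y" when unsigned modules are refused
  /sys/kernel/security/lockdown               e.g. "none [integrity] confidentiality"
"""
from pathlib import Path

MODULES_DISABLED = "/proc/sys/kernel/modules_disabled"
SIG_ENFORCE = "/sys/module/module/parameters/sig_enforce"
LOCKDOWN = "/sys/kernel/security/lockdown"


def parse_lockdown(text):
    """The lockdown file lists every mode and brackets the active one."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return "none"


def audit(values):
    """values maps interface path -> file content, or None if the file is missing.

    Returns a dict of defense name -> True / False / None (None = unavailable);
    lockdown is reported as the active mode name instead of a boolean."""
    def flag(path, active):
        raw = values.get(path)
        return None if raw is None else raw.strip() in active

    lockdown_raw = values.get(LOCKDOWN)
    return {
        "module_loading_disabled": flag(MODULES_DISABLED, {"1"}),
        "module_signature_enforced": flag(SIG_ENFORCE, {"Y", "1"}),
        "lockdown": None if lockdown_raw is None else parse_lockdown(lockdown_raw),
    }


def collect(paths=(MODULES_DISABLED, SIG_ENFORCE, LOCKDOWN)):
    """Read the live interfaces; an unreadable file becomes None."""
    out = {}
    for path in paths:
        try:
            out[path] = Path(path).read_text()
        except OSError:
            out[path] = None
    return out


if __name__ == "__main__":
    for name, state in audit(collect()).items():
        print(f"{name}: {'unavailable' if state is None else state}")
```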

The question is whether you want to rebuild everything yourself in Debian or base everything on something like Chrome OS, which does most if not all of that already by default. I.e. whonixify Chrome OS or chrome-ify Debian.
Most of the world seems to move into this locked-down way, and I think security is one of the reasons (not just locking the customer to your software). Android, iOS, macOS do it, some cloud providers do it, Fedora Silverblue and Clear Linux also do.
I think an immutable and verified boot is not the problem, but maybe updates and user customization are. There would need to be apps like Flatpaks for stuff the average Whonix user installs on top of the standard Whonix; messengers and cryptocurrency stuff come to mind.

2 Likes

I think it’s worthwhile if it’s manageable given the resources of Whonix.

2 Likes

I think it is. It’d still stop some malware attempting to exploit that. No defense is really “perfect”. If we didn’t use any “non-perfect” defenses then we’d not really be using anything.

2 Likes