I am not happy with The Utility of Antivirus Tools (my edit years ago didn’t prevail and than forgot about it). Quote as now:
Antivirus products and personal firewalls[archive] are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. [2]Polymorphic code[archive] and rootkits[archive] essentially render antivirus products helpless. [3][4]
Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system’s kernel, since they almost always run with administration level privileges. [5] Antivirus software also harms privacy by sending system files back to the company servers for analysis.[6] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. [7]
“Antivirus tools are actually worse than useless.” - Really? It’s a good argument but empirically true too? Perhaps people who wouldn’t fall for popular methods of infection wouldn’t benefit from antivirus, actually suffer from increased attack surface. But for most users I guess antivirus might help and increased attack surface is theoretic.
ClamAV nowadays does have a background scanner / guard.
I might be able to develop activating the background scanner by default, refuse execution of malicious files and graphically notify the user about it.
ClamAV nowadays developed by Cisco and might have made huge progress since I checked ages ago.
Also interesting:
We have LKRG, perhaps rootkit detection system - AIDE, then why not antivirus too? We’d be the first Open Source, public Linux distribution that installs Antivirus, rootkit scanner and kernel guard by default.
Yeah. In the cited article there was NSA exploits that got root by targeting the AV specifically (Kaspersky in that case) so not really theoretic, but something done in practice. Also the privacy problems make it a nonstarter.
AIDE is no more an “AV” than LKRG is. They focus on shutting down entire mechanisms of attack than try to compile a signature blacklist for every bad file in existence - which isn’t productive and is the first thing any blackhat tests their kit against before deploying. AIDE keep track of file hashes on the clean system and alerts you if something changed.
AIDE is an intrusion detection system that detects changes to files on the local system. It creates a database from the regular expression rules that it finds from the config file. Once this database is initialized it can be used to verify the integrity of the files. It has several message digest algorithms (md5, sha1, rmd160, tiger, haval, etc.) that are used to check the integrity of the file.
If ClamAV doesn’t report to a remote server, doesn’t have an unacceptable perf penalty and doesn’t run as root then it shouldn’t be that bad. If it does any of these it shouldn’t be considered.
It is definitely not theoretic. There’s stuff like Avast that had insecure javascript interpreters run with system privileges.
The methods used by antiviruses are terrible and I really don’t think we should embrace them. Antiviruses are even worse on Linux since there have been so little virus outbreaks that AVs’ databases are tiny. They’re essentially useless.
Software like ClamAV only serves to detect Windows viruses to prevent them from being infected when passing data to a Windows machine from Linux.
AV = Another Vulnerability
They aren’t the same at all. AVs are basically a blacklist of some software and attempts to enumerate badness. LKRG works by detecting any modifications to the kernel (well not all of the kernel, only parts that LKRG is designed to cover but you get the idea).
LKRG isn’t too effective either since it relies on the attacker not knowing about it but it’s at least effective against a lot of off-the-shelf malware.
I don’t have a good list of questions which could help to resolve this. Here is a starter: How relevant it would these viruses in Whonix’s case have been and could AV have helped?
That doesn’t make sense. If an exploit knows about LKRG, it can disable it entirely without too much effort in which case, LKRG won’t have any effect on later events.
Please follow these LKRG Upstream Resources, specifically the video of the initial presentation where Adam mentions that some classes of vulnerabilities are rendered dysfunctional even with full knowledge of LKRG, full read/write primitive required. See also this old version of Whonix’s LKRG wiki page, comparison table. That version was deprecated since it wasn’t accurate enough and too many conditionals to simplify it that much.