Do we really need clamav? Or maybe apparmor?

Here is the place where the team and the community projects meet together. Help us to develop SolydXK projects or contribute your ideas for future releases.
ilu
Posts: 1941
Joined: 09 Oct 2013 12:45

Do we really need clamav? Or maybe apparmor?

Postby ilu » 03 Mar 2018 13:36

1. Serious security experts call Antivirus software "snakeoil" because like that "medicine" it promises help where in reality it can't. Viruses use security holes - if they are known, they should be fixed already. And if a virus uses an unknown hole, AV software won't know about it either. Also malware code is typically obfuscated by using cryptography, which successfully hinders detection. Whenever in the last years a new attack vector became known, AV software did not help. It can't help. I'm sorry I can't find sources detailing why in English. In the end sticking to security routines and to a certain amount of paranoia are the best and only protection. And backup backup backup (versioned, not synchronized)!

2. AV software opens up additional attack vectors. ClamAV might be better than the usual culprits but fixing the last 9 problems took them about 3 months. Those security flaws were actively exploited as of Jan 26. A security hole from Sept 17 is still unfixed https://security-tracker.debian.org/tra ... 18-1000085. All 10 bugs are classified as "high".

3. To have an up-to-date clamav (which we haven't) we'd need to use the stretch-updates repo, which might be detrimental to stability.

4. AV software is detrimental to software development as detailed e.g. here: https://arstechnica.com/information-tec ... us-is-bad/.

5. Clamav uses significant system resources. It uses about 500 MB which might be too much on older systems.

grizzler
Posts: 1992
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Do we really need clamav?

Postby grizzler » 03 Mar 2018 16:06

Not having AV software on your system can have serious repercussions if you get into any kind of malware or phishing related problem with your bank. Some banks specifically mention AV software in their general terms and conditions for online banking. Doesn't make any difference what OS you use. No AV software means you didn't follow their rules and if there's a problem - whether it has anything to do with viruses or not - you run the risk of taking the fall for any monetary damage.

So yes, I think some kind of AV software should be installed by default, if only to protect our users against clueless banks.
Frank

SolydX EE 64 - tracking Debian Testing

ilu
Posts: 1941
Joined: 09 Oct 2013 12:45

Re: Do we really need clamav?

Postby ilu » 03 Mar 2018 23:21

Interesting aspect - I haven't heard anything like that. Do you happen to have an example?

kurotsugi
Posts: 2046
Joined: 09 Jan 2014 00:17

Re: Do we really need clamav?

Postby kurotsugi » 04 Mar 2018 05:43

+1 AV is still needed. though, I prefer to stay neutral on whether we install it by default or not. personally I don't use it.
ilu wrote:Serious security experts call Antivirus software "snakeoil" because like that "medicine" it promises help where in reality it can't. Viruses use security holes - if they are known, they should be fixed already.

first of all, let's broaden the topic to all antiviruses, including those on windows, and the importance of security companies. AVs are developed by security companies. in most cases, they're the ones who find the security holes, report them, find the workaround and occasionally create the patch. when a security hole has been found, it takes time to report it and especially to create the patch. finding a workaround so that the attack doesn't work is usually faster than fixing the bug. this is why AVs are better than the patch. the AV doesn't fix the bug. they can't and they shouldn't. it should be fixed at the OS level. AV works by using workarounds which block the attack. it's faster than waiting for the OS patch.

in summary, the benefits of AVs are:
1. they find the bug faster.
2. you stay protected. they already have the workaround before the bug gets patched.
3. they provide additional protection. e.g.: they block malware in the browser. the OS can't do that. some AVs also provide protection against trackers and other stuff.
ilu wrote:Also malware code is typically obfuscated by using cryptography, which successfully hinders detection. Whenever in the last years a new attack vector became known, AV software did not help. It can't help.

they actually helped, in fact, a lot. the crypto stuff doesn't really matter since they'll do reverse engineering on it anyway. the AV companies seem slow at finding new viruses but that's mainly because the sheer number of viruses is too large compared to the resources of the AV companies. doing reverse engineering takes a lot of resources. though, they already do a large part of the job. even the OS company (windows) didn't have the resources to develop their own AV. AFAIK their built-in antivirus is using the data from the AV companies. they simply use whatever data is sent by those AV companies. that's also why windows is still suggesting to use an additional AV.

that being said, it depends on "how secure do you want to be?". how do you secure your system, and how safe is your system. the key point to remember is that more secure means more hassle, more work, more resources needed; this applies to whatever security enhancement in your system. using AVs will indeed have some performance penalties just like you mentioned above.
ilu wrote:To have an up-to-date clamav (which we haven't) we'd need to use the stretch-updates repo, which might be detrimental to stability.
AFAIK the most important thing is to update the database, which I believe is already sufficient. the software itself doesn't need to be the newest.
ilu wrote:AV software is detrimental to software development as detailed e.g. here: https://arstechnica.com/information-tec ... us-is-bad/.
the article is mainly about windows AVs. on top of that it mainly talks from one perspective, the browser developer's. though, I agree with the main point of the article, that the antiviruses on windows are, in most cases, too invasive. there was a trend where the OS company didn't provide a patch for bugs. the security companies, wanting to give more protection, work deeper than they should. this is an example of how AV could be made bad. though, it doesn't necessarily mean that it should be that bad. if the AV draws a clear line between where it should work and where the bug should be fixed at the OS level, those examples mentioned in that article would not happen. I think windows defender should be a good example.
arstechnica wrote:This wouldn't necessarily be a problem if AV makers made secure software, but for the most part they don't (except for Windows Defender, because Microsoft is "generally competent," according to O'Callahan).
as the OS company, they surely know where it should work, and where it should be fixed at the OS level.

Arjen Balfoort
Site Admin
Posts: 8720
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Do we really need clamav?

Postby Arjen Balfoort » 04 Mar 2018 09:40

I'd like to add this argument: although you might not be using AV for yourself, you must be certain that you're not forwarding viruses to your clients. I had that once and my client was not happy with me although I just forwarded an e-mail on the client's request.


SolydXK needs you!
Development | Testing | Translations

grizzler
Posts: 1992
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Do we really need clamav?

Postby grizzler » 04 Mar 2018 09:48

ilu wrote:Interesting aspect - I haven't heard anything like that. Do you happen to have an example?
Nothing recent, no. There was a list of conditions which included keeping your AV software up-to-date when I started using online banking, years ago. I have seen some stories about what can happen if you don't, but I don't have any links right now.
Frank

SolydX EE 64 - tracking Debian Testing

Arjen Balfoort
Site Admin
Posts: 8720
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Do we really need clamav?

Postby Arjen Balfoort » 04 Mar 2018 10:43

ilu wrote:Interesting aspect - I haven't heard anything like that. Do you happen to have an example?
I've checked my own bank and found this remark:
The computer or laptop that you use for your banking business must be secured with antivirus software and a firewall;
(translated from the original Dutch)
Even though you're using Linux, the bank will hold you responsible for the financial consequences in case of fraud when you don't have an up-to-date AV and firewall.


SolydXK needs you!
Development | Testing | Translations

ilu
Posts: 1941
Joined: 09 Oct 2013 12:45

Re: Do we really need clamav?

Postby ilu » 04 Mar 2018 18:04

kurotsugi wrote:AFAIK the most important thing is to update the database, which I believe is already sufficient. the software itself doesn't need to be the newest.
Oh no. The recent clamav bugs opened up additional attack vectors, among them remote code execution. Like in every other piece of software on our systems, security holes have to be fixed ASAP.

The online banking argument is a valid one - what about the firewall aspect? Are we covered in that regard? Would apparmor - kurotsugi brought that up in another thread - be an improvement?

kurotsugi
Posts: 2046
Joined: 09 Jan 2014 00:17

Re: Do we really need clamav? Or maybe apparmor?

Postby kurotsugi » 05 Mar 2018 09:37

IIRC we already enable the firewall by default. please correct me if I'm wrong. as for apparmor, AFAIK apparmor works by limiting privileges. in some regard it is similar to sandboxing, where a certain process is limited in what it can see and do. the tech, and how it works, is different from AV. using apparmor along with an antivirus IMO isn't a very efficient way to secure your system. we should choose whether we use apparmor or AV, but not both of them. personally I think apparmor is a better alternative than AV.

MAYBL8
Posts: 1487
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Re: Do we really need clamav? Or maybe apparmor?

Postby MAYBL8 » 05 Mar 2018 12:16

From this article it seems Apparmor is very complicated to set up and as you introduce new applications you would have to learn how to configure it for each application.
https://askubuntu.com/questions/236381/what-is-apparmor


kurotsugi
Posts: 2046
Joined: 09 Jan 2014 00:17

Re: Do we really need clamav? Or maybe apparmor?

Postby kurotsugi » 05 Mar 2018 13:13

compared to similar technology like selinux, apparmor is way easier. AFAIK you'll need to do that on selinux, but not on apparmor. on top of that we also live in the debian realm, where pre-made apparmor profiles can be installed from the repo. in debian, if you want to use apparmor, simply install these packages:
- apparmor
- apparmor-utils
- apparmor-profile
- apparmor-profile-extra

after that, enable the apparmor LSM via a grub boot option... done.

if you want more protection, you could use the profiles made by the debian community. though, the pre-made profiles are usually enough.
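The install steps in this post, together with the earlier description of AppArmor as a privilege-limiting LSM, as an added example that is not part of the thread or of the SolydXK project. It assumes a Debian stretch style system: the package names `apparmor`, `apparmor-utils`, `apparmor-profiles` and `apparmor-profiles-extra` (the last two spelled as Debian ships them), the kernel parameters `apparmor=1 security=apparmor` placed in `GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, and the `/sys/module/apparmor/parameters/enabled` flag the kernel module exposes. The functions are pure string helpers so the `check` and `enable` actions can be verified before they touch a live system.

```shell
#!/bin/sh
# Added example (not from the thread or SolydXK): check whether AppArmor is
# active and, on request, install the Debian packages and add the grub
# kernel parameters that enable it. All package names and parameters are
# assumptions documented in the lead-in.

# cmdline_enables_apparmor CMDLINE
# Returns 0 when the kernel command line carries both "apparmor=1" and
# "security=apparmor" as whole words, 1 otherwise.
cmdline_enables_apparmor() {
  case " $1 " in
    *" apparmor=1 "*) ;;
    *) return 1 ;;
  esac
  case " $1 " in
    *" security=apparmor "*) return 0 ;;
    *) return 1 ;;
  esac
}

# add_apparmor_params LINE
# Prints LINE unchanged unless it is the GRUB_CMDLINE_LINUX_DEFAULT="..."
# setting; in that case the AppArmor parameters are appended once
# (idempotent, so re-running the enable step does not duplicate them).
add_apparmor_params() {
  line="$1"
  q='"'
  case "$line" in
    "GRUB_CMDLINE_LINUX_DEFAULT=$q"*"$q") ;;
    *) printf '%s\n' "$line"; return 0 ;;
  esac
  value=${line#*=$q}      # strip everything up to the opening quote
  value=${value%$q}       # strip the closing quote
  if cmdline_enables_apparmor "$value"; then
    printf '%s\n' "$line"
  else
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "${value:+$value }apparmor=1 security=apparmor"
  fi
}

# apparmor_enabled_now
# Returns 0 when the running kernel reports AppArmor enabled via sysfs.
apparmor_enabled_now() {
  [ -r /sys/module/apparmor/parameters/enabled ] &&
    [ "$(cat /sys/module/apparmor/parameters/enabled)" = "Y" ]
}

# Top level: "check" reports the live state, "enable" installs the packages
# and patches grub (needs root). With no argument nothing is executed, so the
# helpers above can be sourced and tested on their own.
case "${1:-}" in
  check)
    if apparmor_enabled_now; then echo "AppArmor: enabled"; else echo "AppArmor: not enabled"; fi
    if cmdline_enables_apparmor "$(cat /proc/cmdline)"; then
      echo "kernel cmdline: apparmor parameters present"
    else
      echo "kernel cmdline: apparmor parameters missing"
    fi
    # aa-status (from apparmor-utils) lists loaded and enforcing profiles.
    command -v aa-status >/dev/null 2>&1 && aa-status
    ;;
  enable)
    apt-get install -y apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
    cp /etc/default/grub /etc/default/grub.bak
    while IFS= read -r l; do add_apparmor_params "$l"; done \
      < /etc/default/grub.bak > /etc/default/grub
    update-grub
    echo "reboot to activate AppArmor; then run: $0 check"
    ;;
esac
```

Run `sh apparmor-enable.sh check` to see whether the LSM is already active, and `sh apparmor-enable.sh enable` as root to install the packages and patch grub; a backup of `/etc/default/grub` is kept as `/etc/default/grub.bak`, and `aa-status` after the reboot shows which of the pre-made profiles are loaded in enforce or complain mode.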

