Any suggestions for antivirus programs?
- This topic has 33 replies, 7 voices, and was last updated Aug 7-5:31 pm by DaveW.
July 27, 2019 at 10:09 am #25031 Moderator BobC
The only one in the repos is Clam…
My phone supposedly got a virus recently, called FinSpy. I read that it attacks Linux systems, too.
Part of the problem on the phone is that I'm just a slightly smarter dumb user on it, a problem I should address. Had I saved things in text files, I wouldn't have lost them at all.
After losing everything on the phone I am looking to prevent problems on my PCs.
Any suggestions? Comodo and Sophos look hopeless.
July 27, 2019 at 11:32 am #25036 Anonymous
Paid: ESET
Free: Sophos
Also: Bitdefender (Bitdefender Endpoint Security Tools for Linux; see "How to install the GravityZone security agent on Linux machines")
For scanning on a "from time to time" basis: Desinfec't (c't Magazin). The last one is an Ubuntu Live DVD with multiple scan engines.
July 27, 2019 at 5:15 pm #25044 Member rej
Hi,
I use Firejail (a very easy sandboxing program, but not an AV) and ClamAV.
Mozilla Firefox only works with Firejail 9.56 [SourceForge .deb download] in antiX on my laptops.
Tried Sophos a while back and they wanted registration and more information than I was willing to give them.
Maybe it has changed; it is supposed to be good protection according to most reviews.
July 27, 2019 at 7:54 pm #25049 Member DaveW
After reading this thread, I installed ClamAV and ClamTK (GUI) with Synaptic.
I can run clamd from a terminal. It seems to work, but I am not familiar with it.
There is a link to clamtk in the Accessories menu. When clicked, the clamtk GUI opens, but it is not functional. Clicking on any feature just highlights its icon. So, it can't be used for configuring, scheduling, scanning, etc. I uninstalled and re-installed clamtk (also clamtk-gnome), but there was no change.
Clamd runs at startup. No doubt, there is a way to change that.
But first, why doesn't clamtk work? System is antiX 17, ClamAV is 0.100.3, ClamTK is 5.24.
Thanks for your thoughts.
July 27, 2019 at 10:31 pm #25050 Anonymous
> After reading this thread, I installed ClamAV and ClamTK (GUI) with Synaptic.
> I can run clamd from a terminal.
To make some things clear:
ClamAV doesn't work. The fact that one can "run it" doesn't help in any way.
The sole point of a good AV is to detect as much Windows malware as possible; the only free Linux AV software that does it is Sophos.
However, in some cases there is no protection at all; it's only a matter of time before you'll get it.
EvilGnome combined with spear phishing is just one such example. FinFisher (FinSpy) is another good one. It's mostly used by governments.
It's regularly updated and it exploits security holes long before any AV company has developed protection.
Such kind of stuff one often even gets from one's own internet provider; you know, "national security letters" type of countries care for your data.
The best protection is still the same as ever: a 19.95 supermarket, no-name brand phone.
It can do all one could ever need on the way: make phone calls and send SMS.
Nobody sane is watching movies on a 6" instead of 40"+.
> Tried Sophos a while back and they wanted registration and more information than I was willing to give them.
They didn't want anything that one wouldn't find on some Facebook account or in the telephone book.
noClue why that should ever change …
Also, I can't recall that they ever tried to prevent anybody from registering under some name like (just an example):
Anti Capital Ista
Perivolos
Perissa 847 03
Santorini Island
Greece
00 30 2286 082702
anti_CI@spam-mail.me
That might not be what you want if you are ordering the stuff and also wanna get the support in case something goes wrong.
July 28, 2019 at 12:46 am #25054 Moderator BobC
I got the impression from looking at the messages on the Sophos site that you are getting a 30-day free trial and if you don't renew, bad things happen.
I didn't register or try it because of that.
Is anyone running a free version of Sophos or tried it recently?
All the reviews I found seemed to be very, very old but magically re-dated to appear recent, probably to make money from clicks.
July 28, 2019 at 4:52 am #25063 Anonymous
@BobC
> I got the impression from looking at the messages on the Sophos site that you are getting a 30-day free trial and if you don't renew, bad things happen.
Bad things happen???
Scared of getting a reminder that you'll stay unprotected if you don't buy the license?
Bob, don't be such 'Bob'!
Is it really that hard to read?
July 28, 2019 at 12:25 pm #25086 Moderator BobC
The thread with the complaints was actually for another product originally sold by another company that Sophos bought, so it is unrelated to their Linux program.
I have nothing against the company, I was just looking for an antivirus program that works, and doesn't just expire in 30 days unless you pay $39 per year for a license.
Noclue, thank you for the link. It took me to a completely different area than the links from the main Sophos site https://home.sophos.com/en-us.aspx , and I was able to install the program.
I can test its scanner, but not sure how to test its ability to protect.
From what I could find and read there are no menu options. I checked and it says it's running, but not sure if it will restart after a reboot. I haven't tried any scanning yet. That is done manually via the command line from what I read. I have 2 separate worries: what will it do if it detects a virus, and what if it flags something as having a virus that doesn't really have one.
These 2 PDF files seem important:
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_sgeng.pdf
https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_cgeng.pdf
I found a separate forum for this particular program at:
https://community.sophos.com/products/server-protection-integration/f/sophos-anti-virus-for-linux-basic
There was an error during the install because the kernel wasn't one of the ones they support:
    Installing Sophos Anti-Virus….
    Selecting appropriate kernel support…
    When Sophos Anti-Virus starts, it updates itself to try to find a Sophos kernel interface module update. This might cause a significant delay.
    Sophos Anti-Virus starts after installation.
    Installation completed.
    Your computer is now protected by Sophos Anti-Virus.
    NOTE: You are running Sophos Anti-Virus on a kernel for which Sophos does not provide binary kernel modules. Therefore the kernel modules have been locally compiled. Please see KBA14377 for supported platforms and kernels.
https://community.sophos.com/kb/en-us/14377
I see that Fanotify is not disabled, so maybe it is working in place of Talpa:
https://community.sophos.com/kb/en-us/118216
Scan found no viruses:
    savscan /
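BobC's two open questions above (how to confirm the scanner actually detects anything, and what happens on a hit or on a false positive) are the standard ones for a new Linux AV install. The script below is an added example, not from the thread, from Sophos or from the ClamAV project: it drops the EICAR test file (the harmless, industry-standard test string every scanner is expected to flag) into a temporary directory, runs `clamscan` over it and maps the exit status (0 clean, 1 infected, 2 error, per the clamscan man page) to a verdict. It assumes `clamscan` is on PATH and reports "no-scanner" otherwise; the file and quarantine directory names are made up for the example. Sophos's `savscan` uses different exit codes, so check the savl_9_cgeng.pdf linked above before adapting it to that scanner.

```python
#!/usr/bin/env python3
"""Added example (not from the thread, ClamAV or Sophos): exercise an
installed Linux scanner with the EICAR test file and interpret the result.

Assumption: `clamscan` (ClamAV) is on PATH. If it is not, scan_path()
reports that instead of failing. File and directory names are made up.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Optional

# The EICAR test string: a file whose first 68 bytes are exactly this is
# flagged by every scanner, but it is inert. It is assembled from two
# pieces at runtime so that this script is not itself flagged on disk.
_EICAR_PARTS = (
    r"X5O!P%@AP[4\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)

# clamscan exit codes, from clamscan(1): 0 clean, 1 infected, 2 error.
CLAMSCAN_EXIT = {0: "clean", 1: "infected", 2: "error"}


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test string."""
    return "".join(_EICAR_PARTS).encode("ascii")


def write_eicar(directory: str) -> str:
    """Write eicar.com into `directory` and return its path."""
    path = os.path.join(directory, "eicar.com")
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def interpret_exit(code: int) -> str:
    """Map a clamscan exit status to a verdict; anything unknown is 'error'."""
    return CLAMSCAN_EXIT.get(code, "error")


def scan_path(path: str, quarantine_dir: Optional[str] = None) -> dict:
    """Run clamscan over `path` and return {'verdict', 'output'}.

    clamscan only reports by default; nothing is moved or deleted unless
    --move/--remove is passed, which is the behaviour you want while first
    checking a scanner on a machine you care about. Pass quarantine_dir to
    opt in to moving hits out of the way instead of destroying them.
    """
    exe = shutil.which("clamscan")
    if exe is None:
        return {"verdict": "no-scanner", "output": "clamscan not installed"}
    cmd = [exe, "--no-summary", "--infected", "--recursive"]
    if quarantine_dir is not None:
        os.makedirs(quarantine_dir, exist_ok=True)
        cmd.append(f"--move={quarantine_dir}")
    cmd.append(path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return {
        "verdict": interpret_exit(proc.returncode),
        "output": (proc.stdout + proc.stderr).strip(),
    }


def self_test() -> str:
    """Drop an EICAR file in a temp dir, scan it, and return the verdict.

    'infected'  : detection works.
    'clean'     : scanner ran but did not flag EICAR; signatures are missing
                  or stale (run freshclam), so do not trust other scans yet.
    'error'     : clamscan could not run properly (often no database).
    'no-scanner': clamscan is not installed on this machine.
    """
    with tempfile.TemporaryDirectory() as tmp:
        write_eicar(tmp)
        return scan_path(tmp)["verdict"]


if __name__ == "__main__":
    print(f"EICAR is {len(eicar_bytes())} bytes; scanner verdict: {self_test()}")
```

Run it as `python3 eicar_check.py` after installing ClamAV. A verdict of clean is not good news: it means the scanner ran but the signature database is missing or stale, so run `freshclam` (as root) and try again. On a real hit, clamscan leaves the file in place and prints the matching signature name; if you have verified the file is benign, that signature name can be listed, one per line, in a `.ign2` file in the ClamAV database directory so later scans skip that signature rather than the file.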
July 28, 2019 at 7:25 pm #25099 Member ile
Hello BobC, anticapitalista, and everyone
I wish to write this with as little authority as possible, with a wish to simply point at it; just found. It appears that following the Blog or News on the site might give a heads-up for a manual file search on the Linux file system for threats already identified. There is a free edition file analyzer that amongst you all you might determine its usability.
Makes for some interesting reading about the method of tracking unusual code into what is an exploit, and then creating a rule for discovery.
It is enterprise level. www.intezer.com creates YARA rules. Search terms: intezer and yara; intezer labs on github. See what you can find out?
July 28, 2019 at 9:16 pm #25100 Member DaveW
Well… Sophos for Linux sounds very interesting.
I read through the two PDF files "savl_9_sgeng.pdf" and "savl_9_cgeng.pdf" (see links from BobC above), and also followed some of the links in those articles to Sophos knowledge base articles.
One disappointing note is: "Support for 32-bit versions of Linux on Sophos Anti-Virus version 9 was retired 30th June 2018, with the exception of Red Hat Enterprise Linux 6 which will be supported until 30 November 2020." Other service end dates may apply to your machine (see https://community.sophos.com/kb/en-us/119018).
Another potential snag is that Sophos must be configured for the specific kernel version. They provide updated pre-configured TALPA Binary Packs for major distributions. I wonder… would these be "close enough" to kernels adapted for antiX, or would special TALPA packs need to be compiled for antiX (see https://community.sophos.com/kb/en-us/13503)? According to their literature, and as BobC noted, if Sophos does not find a preconfigured package for a given kernel, it will try to build one. But errors are possible.
Since I am running 32-bit antiX, this may be irrelevant for me. One of my machines has 64-bit architecture, so it is a possibility there, but I was hoping to maintain a common operating system for all devices.
Edit: I also checked into Intezer Analyze (http://www.intezer.com). This also sounds very interesting. But at present, there are notable limitations. The free community edition allows scanning of up to 10 files per day (32 MB maximum file size), plus one endpoint per day. The endpoint scanner must be downloaded to your computer. But at present, they do not support Linux (at least, not in the free version). As per their FAQs:
> Which operating systems are supported?
> The endpoint scanner currently supports 64-bit Windows machines (desktops and servers). We plan to support 32-bit machines in the near future. The scanner was tested on Windows 10, Windows 7, Windows Server 2016, Windows Server 2012r2, Windows Server 2008r2.
So, at the moment, it won't handle anti-virus for antiX… unless you need to scan a suspect infected file.
July 28, 2019 at 11:56 pm #25104 Anonymous
Let's face it: 32-bit is dead.
Every computer made in the past 10 ~ 12 years supports 64-bit.
Museum computing is not suitable for daily use and doesn't need protection (since it's not being used any more).
If you wanna protect your OS, you need special kernel modules/configurations, since the kernel is a part of Linux too.
The enterprise world is using Debian, RedHat, SuSe and Ubuntu, and the "Home" Linux AV versions are the enterprise versions given to you for free.
Means: take it or leave it. Nobody's ever gonna write an antiX or Puppy AV solution.
There's no good reason why you shouldn't use what enterprises use; it's given to you for free too.
Rules-based analyzers are not meant to be used as stand-alone solutions, but in addition to an AV.
Even those couple of multi-billion companies out there use Snort and Loki (open source) as additional protection, besides Bitdefender, Kaspersky, Symantec …
And, despite all the protection, even they still catch some minor infections from time to time, or have a trojan for years without ever noticing.
Means: there's no absolute protection at all, and for nobody.
If a secret service or some really good hacker wants your data, they'll get it.
Also, in both cases you don't get full-fledged versions for free; you get 'community' versions.
The fact that you're not willing to pay for your protection tells much about you: that's how much your security is worth to you.
As much money, so much music… For investing nothing, you get nothing in return.
The good news: nobody cares for 'nobody's data, so you're not in some great danger, except if you caught yourself something purely accidentally.
The worst thing that could happen is, you use online banking and a couple of bucks magically disappear from your account.
In most cases, all you need to do is prove that you used some AV solution and some serious OS (Windows, Mac, Ubuntu, RedHat, Debian, SuSe) and you'll get the money back.
Since you're not using any OS without some kind of AV solution and no other OSs than one of those 6 above (well, not for something else than toying around), you don't have that much to worry about.
July 29, 2019 at 7:35 pm #25139 Member rej
You might not be interested in still trying ClamAV, but if you are, these are the instructions I used and it worked quite well for me:
https://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav
I should have thought to include this in the first reply.
ClamAV does not run in the background. It scans whatever files or folders you tell it to, or the entire system, if you choose.
July 29, 2019 at 8:24 pm #25140 Member DaveW
rej,
Thank you for your post. The snag I had with ClamTK was embarrassingly simple. The default mouse click setting requires two clicks. I clicked once, waited… clicked again, waited… pressed enter (etc.) to no avail. Somewhere I stumbled on another user's similar experience, and reset the setting to one click. So, it is working for me, both from the GUI and from the CLI. Thus far, zero threats found. Of course, I realize this is after-infection discovery, rather than real-time protection.
noClue,
Thank you for your post also. I'm sure you are correct that, for best security, Sophos is a better solution than ClamAV. I have read and respect your viewpoint… and I have benefited from several of your forum contributions to date. However, since that solution doesn't appear to fit my antique device, some protective measure is probably better than none.
In your post, you suggest that it is foolish to use antiX online… at least the 32-bit versions.
> The enterprise world is using Debian, RedHat, SuSe and Ubuntu and the "Home" Linux AV versions are the enterprise versions given to you for free.
> Means: take it or leave it. Nobody's ever gonna write an antiX or Puppy AV solution.
Since antiX is billed as an OS to breathe life into old systems, may I ask how you make use of antiX?
Thank you all.
July 29, 2019 at 8:31 pm #25141 Member ile
DaveW, thanks for finding that Intezer information. I have looked at Intezer enough to get the impression that they are a core provider for anti-virus. The message is that Linux needs to submit more samples to get on par with the success for detection. It might follow that providing a scanner at low cost would enable the submission of a greater sample base; but it is not the case for current availability. In place for running processes is not common for Linux desktops yet (some limited to RedHat and CentOS with specific older kernels). Their blog will tell of files that can be manually searched for intrusion threats when necessary. In looking at Intezer docs and videos I have seen it refer to keeping ClamAV updated and in use. ClamAV seems the way to go. Has always been the standard, has it not? And encryption helps.
I am going through the Intezer YARA list of partners looking for that one odd opportunity for Linux desktop protection… … …
The server side better gateway with serious prevention, but for us on desktop:
It has always been as noClue says: let them hack, can't lose anything but the system; making a backup right now, covered with antiX tools, best practice is the malware solution.
July 29, 2019 at 9:37 pm #25143 Member DaveW
ile,
Regarding Intezer, I inquired about a Linux scanner, and received this reply…
> Indeed, our endpoint scanner currently does not support Linux systems, while we do support ELF file analysis.
> We don't have plans on creating a similar scanner for Linux systems, but we plan on releasing a more holistic solution for actively protecting Linux systems and devices. We'll probably be releasing more information on this in the coming months.
> In the meantime, you can upload any ELF / ARM file you deem suspicious, and get a full analysis for it. I'll also be happy to walk you through our different features, so let me know if you'd be interested in a demo.
So, it will be interesting to see what their "holistic solution" for Linux might be.
Meanwhile, I stumbled on something called Linux Malware Detect (also known as maldet or LMD). Apparently, it can be configured alongside ClamAV to provide real-time monitoring, in addition to running scheduled scans.
Here is the provider's Readme: https://www.rfxn.com/appdocs/README.maldetect
Here is a prettier discussion of installation on Debian: https://www.itzgeek.com/how-tos/linux/debian/install-linux-malware-detect-on-debian-ubuntu-linuxmint-a-malware-scanner-for-linux-operating-system.html
Is anyone familiar with it?