virus scan programs

Marc Ramirez marc.ramirez at bluecirclesoft.com
Fri Sep 5 10:10:32 PDT 2003


On Fri, 5 Sep 2003 Lee_Shackelford at dot.ca.gov wrote:

> Dear freeBSD enthusiast,
>      Greetings.  I am a newcomer to the BSD/Unix world.  My place of
> employment is a large agency with thousands of client machines.  Most of
> the clients use Microsoft Windows 2000 Professional operating system.  Most
> of the servers use either Novell operating system, or I.B.M. Domino
> operating system.  A very important ritual that each client computer
> performs every morning at boot-up time is to run a virus scan application
> program.  This program is run whether or not the user desires it, because
> it runs before the user is granted a log-on screen.  In my reading of Unix
> and BSD literature, I have found no mention of virus scan programs for
> these operating systems.  Do such programs not exist? Alternately, is the
> Unix/BSD approach to this problem in a different philosophical and/or
> procedural sphere?  If so, could you describe the Unix/BSD approach to
> locating and eradicating these invaders of one's hard drive?  If the issue
> is already explained in either printed literature, or posted at a world
> wide web site, it is sufficient to cite the location.  Many thanks for your
> response.

Viruses usually aren't the problem on UNIX; you usually find things
like "root kits," where someone has broken into the system and
replaced some common programs with sinister ones. But the effect
isn't that much different from a virus.

This kind of thing is usually monitored on UNIX systems by comparing some
attribute of the system binaries (usually a checksum or some such) to a
set of known good values.  For example, there is a tool called
'chkrootkit' in the ports tree that tests a set of common utilities for
evidence of tampering in certain ways.

My personal theory on the top reason why viruses are not popular on UNIX
is that most people run their software from a non-privileged account,
which means if they ever did run a binary with a virus, it probably
wouldn't get very far.  It's much more worthwhile to concentrate your
attacks (and therefore your defenses) on worms.

And the defense for worms is simple: turn off every service you don't
need, put the ones you do need in their own jails, and patch, patch,
patch! (see http://windowsupdate.microsoft.com for an example of those
last three steps)

As an aside, there are products for Linux/FreeBSD that will scan e-mail
for Windows viruses, but I don't think that's what you're talking about...

Marc.

--
Marc Ramirez
Blue Circle Software Corporation
513-688-1070 (main)
513-382-1270 (direct)
http://www.bluecirclesoft.com
http://www.mrami.com (personal)
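
A minimal version of the baseline-and-compare check described above, written as a portable Bourne-shell script. This is an added example, not code from the original post and not chkrootkit: it records a SHA-256 for every regular file under a directory and later reports files whose hash changed, files that vanished, and files that appeared. It uses sha256sum where available and FreeBSD's sha256(1) otherwise; the directory names in the usage note are assumptions. The check is only as trustworthy as the tools and kernel it runs on, so keep the baseline on media the system cannot write to and, when you suspect a compromise, run the check from a boot CD or another host rather than from the machine under suspicion.

```shell
#!/bin/sh
# integrity.sh: record and verify SHA-256 checksums of a tree of binaries.
# Added illustration of the "compare binaries against known-good values"
# approach; not part of the original post, not the chkrootkit port.

# Print the SHA-256 of one file. sha256sum exists on Linux and in coreutils;
# FreeBSD ships sha256(1), whose -q flag prints just the digest.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# Write "<hash>  <path>" for every regular file under DIR, sorted so that two
# baselines of the same tree are byte-for-byte comparable.
snapshot_tree() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# make_baseline DIR BASELINE: take the known-good snapshot of DIR.
# Do this on a freshly installed (or freshly patched) system, then move
# BASELINE somewhere an intruder on this box cannot write.
make_baseline() {
    snapshot_tree "$1" > "$2"
}

# check_baseline DIR BASELINE: compare DIR now against BASELINE.
# Prints one CHANGED / MISSING / NEW line per discrepancy and returns 1 if
# any was found, 0 if the tree still matches. The hash is 64 hex chars and
# the path starts at column 67, so paths with spaces compare correctly.
check_baseline() {
    dir=$1; baseline=$2
    current=$(mktemp)
    snapshot_tree "$dir" > "$current"
    status=0
    # Every entry in the baseline must still exist with the same hash.
    while read -r want path; do
        have=$(awk -v p="$path" 'substr($0, 67) == p {print $1}' "$current")
        if [ -z "$have" ]; then
            echo "MISSING $path"; status=1
        elif [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    # Anything on disk that the baseline never saw (a dropped backdoor, say).
    while read -r _ path; do
        awk -v p="$path" 'substr($0, 67) == p {found=1} END {exit !found}' \
            "$baseline" || { echo "NEW $path"; status=1; }
    done < "$current"
    rm -f "$current"
    return "$status"
}

# Command-line entry point: "baseline DIR FILE" or "check DIR FILE".
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    check)    check_baseline "$2" "$3" ;;
esac
```

Usage, with an assumed read-only mount for the baseline: `sh integrity.sh baseline /bin /mnt/ro/bin.sha256` right after installing, then `sh integrity.sh check /bin /mnt/ro/bin.sha256` from cron or a boot CD; a non-zero exit status means something in /bin no longer matches. Re-take the baseline after every legitimate upgrade, otherwise patched binaries show up as CHANGED and real tampering hides in the noise.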

