Debian virus/spy-ware detection and detection technique.
in [Debian]
|
From: Camaleón on 20 Jul 2010 17:10 On Wed, 21 Jul 2010 01:28:00 +0700, Sthu Deus wrote: > Thank You for Your time and answer, Camaleón: > >> What are you afraid of? I mean, what is your main concern? > > Spying, programs modifications. I have seen already unexplainable weird > things - one text file was in size - zero - that never has been so for a > long time, another, .ods - was partially damaged... Those "weird things" could have been caused by many other sources or "simple things", i.e., an unexpected shutdown can delete your current (being used/edited/modified) files or corrupt others. Filesystems are not 100% prepared to handle such scenarios (full power downs or just small voltage spkies), so if you don't have a UPS, "weird things" can indeed happen. >> ClamAV can scan local files but is not very accurate with rootkits/ >> malware, just plain common viruses. > > So, what should I do for the distro install cds - regarding both - > spyware and viruses? You can do -mainly- two things: 1/ Analyze it with standard tools (AV/anti-rootkits). Remember that you can always mount the ISO image as a loop device to get the full image structure (directories and files). 2/ Verify the ISO integrity (md5sum). > If we speak about checksumming - sometimes it fails It can fail not just because it has been manipulated but also due to a download error. It's not uncommom to get a corrupted image when you are downloading 650 MiB or 4,5 GiB file. > though I believe the > problem lays in not accurate or whatever downloading, the images being - > I believe - unmodified... - Redownloading is hard because of bandwith. Yes, but *it is required* that you do it that way. A corrupted ISO image can be the cause of later nightmare problems (installation errors, rebooting, bad hardware detection...). >> Then you maybe interested in anti-rooktiks, like "chkrootkit" or >> "rootkit hunter" solutions. > > I guess it does not fit distro cd scanning right? You can scan whatever file or directory you have in your system. >> > Do You know such a skillful AV engine available for Debian? >> >> Mmm, not by first hand, I was just told that they did. But take a look > > In apt-cache search ... ? No, on each manufacturer's sites ;-) Greetings, -- Camaleón -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/pan.2010.07.20.21.05.26(a)gmail.com
From: Tzafrir Cohen on 21 Jul 2010 06:00 On Wed, Jul 21, 2010 at 01:19:30AM +0700, Sthu Deus wrote: > Thank You for Your time and answer, Andrei: > > > > question: I have s live/installable-CD/DVD. I use its normal/rescue > > > mode - I do somethings w/ my OS on HDD in order to make it working. > > > I had no ability to check its checksum, so, is there a way I can be > > > sure that the software I used is "clean"? > > > > Why can't you check the checksum? > > For two reasons: > > 1. I do not know how to get image from a cd/dvd - I believe by simple > dd-ing it will not work w/ checksum, but some more options should be > used. Actually, a simple dd should work. > > 2. not for all cd/dvd-s I know checksums or places where I can obtain > it - it is for a bit older Debian and Ubuntu. - For I have noticed that > on their sites the chcksums are gone as soon as new images are uploaded > to the sites. Or there is a archive for the checksums? Could you please be more specific as to the version? Both Debian and Ubuntu keep copies of older images. -- Tzafrir Cohen | tzafrir(a)jabber.org | VIM is http://tzafrir.org.il | | a Mutt's tzafrir(a)cohens.org.il | | best tzafrir(a)debian.org | | friend -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/20100721095056.GC17569(a)pear.tzafrir.org.il
From: Clive Standbridge on 21 Jul 2010 13:50 > 1. I do not know how to get image from a cd/dvd - I believe by simple > dd-ing it will not work w/ checksum, but some more options should be > used. You might want to read http://www.troubleshooters.com/linux/coasterless.htm - especially the section "Accurately Reading a CD Device". -- Cheers, Clive -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/20100721165736.GA6824(a)rimmer.esmertec.com
From: Rob Owens on 21 Jul 2010 20:20 On Wed, Jul 21, 2010 at 01:28:00AM +0700, Sthu Deus wrote: > So, what should I do for the distro install cds - regarding both - > spyware and viruses? > > If we speak about checksumming - sometimes it fails though I believe > the problem lays in not accurate or whatever downloading, the images > being - I believe - unmodified... - Redownloading is hard because of > bandwith. > You need to make sure the md5sum or sha1sum, etc. is correct, otherwise your iso either: 1) did not download correctly or 2) has been tampered with The md5sum files usually have gpg signatures that you can also check. You might need to do some research on gpg/pgp to understand how that works. I saw you mentioned live cds as well. Debian has the tools to build your own live cd. The command line tool is live-helper, and there's a GUI called live-magic. -Rob -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/20100722001131.GA5721(a)aurora.owens.net
From: Sthu Deus on 23 Jul 2010 12:20
Thank You for Your time and answer, Clive: > You might want to read > http://www.troubleshooters.com/linux/coasterless.htm > - especially the section "Accurately Reading a CD Device". I have read an article on the tompic from ubuntu's site. Now I have another problem: n order to retrive iso from burned CD/DVDs I have to know their exact size, but I can not find them for old versions of Ubuntu (it is what I used to repair my OS). May, You know of such a storage on Inet - from the their releases site I did not get it - they write in Mb while I need bytes... -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/4c49c0bc.887b0e0a.5d1c.1d95(a)mx.google.com |