Anti-Virus is NOT Security

Posted: November 27, 2011 in Random pontifications
Tags: , ,

I came to a realization as I was helping someone today. They were previously a Windows user, and had never really had any experience with Linux or Ubuntu whatsoever. They had a Windows 7 laptop that had become a haven for some pretty nasty malware. In short — they pretty much needed to start over; they had asked me for help, and I tried fix it the best I could however they did not have their Windows 7 Installation disc, and I was not in posession of an additional license. I told them they would probably have to buy a Windows License if they wanted me to be able to repair the system, to any workable state. This was not an option — so they opted to try Ubuntu Linux.

Of course, given the scenario by which they came to try this new operating system, they were somewhat concerned by the security implications of a “Free Open Source” operating system. I configured the system myself. I created a decent firewall using UFW, performed all the necessary updates, set up mandatory access controls for Firefox (via Apparmor) and made sure they had a decently configured NoScript addon. I also used home folder encryption and a decent password during install time. One would say this is a pretty nice desktop installation in terms of security. Upon returning the machine to its owner I was greeted with the question

“What about Anti-Virus?”

Now — after having spent a considerable amount of time configuring this system (for free I might add) I was slightly frustrated. Why? I don’t know… I think I’ve answered the Anti-Virus question about 1200 times on Ubuntu Forums (coincidentally I have about 1200 posts lol) so answering it once more shouldn’t be a big deal.

It’s really become a serious issue for me lately — so many end users particularly those transitioning to Ubuntu from Windows are asking the same question. The simple truth is Anti-Virus really isn’t that effective on Windows and to an even lesser extent on Linux. Blasphemy, I know!

If you read my blog at all , you’ll know I love nothing more than to scare the living bejebus out of Ubuntu users who are convinced it’s secure. Why? I don’t know it gives me some sick pleasure to spread FUD like that. No, I’m kidding I do it because I believe people should be informed about what actually affects the security of a system. Not hide behind Anti-Virus from the Lulzsec boogieman.

That being said, know your threats! The majority of threats can be stopped or otherwise mitigated without even using AV. Don’t believe me? Let’s discuss that.

Common threats to a desktop user

Browser exploits are huge, in fact I would wager well over 90% of the threats that plague home users originate in a browser, and a good portion of those can be stopped by simply using an Addon like NoScript. See the thing about AV is it is a reactive measure, it’s something you do to remove Malware once it gets on your system. This makes it ineffective, as there are many ways for malware to hide itself from even the most advanced AV solutions. However let’s look at how the process commonly works (and by commonly I mean almost every time).

For instance take a look at this Proof of Concept exploit code for Firefox 8.0, 4.0 and 7.1 which works under Windows and Linux. For those who have no idea what I just linked them focus on this line.

<script type="text/javascript">// <![CDATA[

Yes — NoScript would block this, before whatever payload is injected. The payload is what brings the malware, not the exploit itself. Thus if this script were blocked by NoScript, the exploit would not run, the payload would never be injected and there would be no point in AV.

What about other things like cross site scripting? Well — these are operating system agnostic, they can be used to install malware, though often times are utilized to target other things like your credentials. AV won’t help you here anyway, because AV is concerned about what’s happening on your hard drive, this doesn’t touch your hard drive. However, NoScript will stop this once again.

So why don’t more people use NoScript? Great question — probably because it’s not set it and forget it like AV. You have to engage it regularly, and it might ask you a question about what to allow. Unforunately that’s the way of things, sometimes the best protection requires a little bit of input from the end user.

What if I download something malicious?

Well if you download something malicious and run it, particularly with elevated user privileges it’s pretty much game over. If you really think Anti-Virus is going to help you here I suggest you check this article out. In that article, we showed it’s possible to gain a root shell on Ubuntu Linux without being picked up by AV at all. I’ll give you a hint, it took me less than an hour to put that whole thing together.

So what’s your best defense? Common sense.

Additionally, things like Mandatory Access Controls (Apparmor) and a well configured firewall can help mitigate many of the risks in the event your common sense fails you.

The truth is, AV is not the magic security bullet. Education, and understanding those will get you some where in the nuclear arm’s race that is information security.

If you’re interested in Basic Desktop Security for Ubuntu I suggest you check out the following links.

Ubuntu 11.10 Oneiric Ocelot Desktop Security Guide
Basic Ubuntu Security Guide (Ubuntu Forums Community Project)

Advertisements
Comments
  1. Tushar Kumar says:

    I laughed when they said ‘What about AV?’ lol but I agree that many people ask this question.

  2. If (
    Internet_Security == The things that bad guys knows/learn more about it than good guys
    &&
    Malware == An evil concept against the purity of the internet )
    { Then you’re right. Common sense is the best protection ever. }

    else

    printf(“HUH ??”); execvp(“mv FUTURE_INTERNET /dev/null”, NULL);return 0;

    • dangertux says:

      This made me chuckle — but you’re absolutely right. Long story short the internet as we know it is going to hell in a hand basket because someone coined the term APT which roughly translates into “stuff your AV can’t pick up”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s