
02/18/2005 Archived Entry: "Linux Anti-Virus software"

I've now done eleven out of twelve computer security resolutions. This week I installed anti-virus software on our Linux computers. (If I had a Windows box connected to the Internet, I wouldn't have gone a day without AV software, but Linux users get a bit complacent about viruses.)

Actually, I've tried three free Linux AV packages. Two I had mentioned previously: BitDefender and F-Prot, commercial products that are available free for home Linux users. I've also attempted ClamAV, an open-source project. (A version of ClamAV is also available for Windows.)

To make a long story short, I'm recommending F-Prot.

F-Prot was a simple install. It's distributed as a DEB package (or an RPM), so all I had to do was download it and then double-click on the downloaded file. Xandros' package installer did the rest.

It did, however, come without obvious documentation. I'm experienced enough with Linux to type "man f-prot" in this situation, and sure enough, that displayed the manual for f-prot. It runs from the command line; to scan my home directory I ran "f-prot ." from there.

I was pleased to see that it searched my Mozilla and Thunderbird mailboxes and discovered some viral emails (paths truncated for brevity):

.../Inbox->screensaver.zip->data.rtf   Infection: W32/Netsky.P@mm
.../Trash->screensaver.zip->data.rtf Infection: W32/Netsky.P@mm
.../Junk->screensaver.zip->data.rtf Infection: W32/Netsky.P@mm
.../Junk->message.zip->message.txt Infection: W32/Lovgate.X@mm
.../win/Program Files/.../Flash.elf could be infected with an unknown virus
.../Trash->nomoney.zip->nomoney.rtf.scr Infection: W32/Netsky.B@mm
.../Junk->nomoney.zip->nomoney.rtf.scr Infection: W32/Netsky.B@mm
.../Junk->about_you.zip->document.txt Infection: W32/Netsky.P@mm

Results of virus scanning:

Files: 17015
MBRs: 0
Boot sectors: 0
Objects scanned: 19884
Infected: 7
Suspicious: 1
Disinfected: 0
Deleted: 0
Renamed: 0

Time: 5:27

It also checked my Win4Lin directory (win/), and flagged one file as "suspicious". That result comes from a "heuristic" scanner that tries to identify new viruses not yet in the signature database. (In this case it made a mistake; heuristics can do that.)
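If you run a scan like this from cron rather than by hand, you want the two kinds of result above kept apart: an "Infection:" line is a signature match, while a "could be infected" line is a heuristic guess that needs a human look. The script below is an added example, not part of the original post or of F-Prot itself; it post-processes a scanner log whose detection lines follow the shape shown above. The log it writes is constructed sample data with made-up paths, and the exit-code convention (0 clean, 1 heuristic hits only, 2 definite infection) is my own choice.

```shell
#!/bin/sh
# Added example: summarize a scanner log and return a verdict a cron job can act on.
# Detection lines are assumed to look like the ones f-prot printed in the post:
#   <path>[->archive member...]   Infection: <signature>
#   <path> could be infected with an unknown virus

# write_sample_log PATH: write a constructed log (paths are invented for the example)
write_sample_log() {
    cat > "$1" <<'EOF'
/home/user/Mail/Inbox->screensaver.zip->data.rtf   Infection: W32/Netsky.P@mm
/home/user/Mail/Junk->message.zip->message.txt Infection: W32/Lovgate.X@mm
/home/user/win/Program Files/Example/Flash.elf could be infected with an unknown virus
/home/user/Mail/Junk->nomoney.zip->nomoney.rtf.scr Infection: W32/Netsky.B@mm
Files: 17015
Infected: 3
Suspicious: 1
EOF
}

# count_infections LOG: lines with a definite signature match
# (grep -c prints 0 and exits 1 on no match, so the "|| true" keeps set -e callers happy)
count_infections() {
    grep -c 'Infection: ' "$1" || true
}

# count_suspicious LOG: heuristic hits with no signature name
count_suspicious() {
    grep -c 'could be infected' "$1" || true
}

# list_signatures LOG: unique signature names, one per line, in a fixed (C locale) order
list_signatures() {
    sed -n 's/.*Infection: \([^ ]*\).*/\1/p' "$1" | LC_ALL=C sort -u
}

# scan_verdict LOG: 0 = clean, 1 = only heuristic hits, 2 = at least one definite infection
scan_verdict() {
    if [ "$(count_infections "$1")" -gt 0 ]; then return 2; fi
    if [ "$(count_suspicious "$1")" -gt 0 ]; then return 1; fi
    return 0
}

# report LOG: human-readable summary for the mail a cron job sends you
report() {
    echo "definite infections : $(count_infections "$1")"
    echo "heuristic hits      : $(count_suspicious "$1")"
    echo "signatures seen     : $(list_signatures "$1" | tr '\n' ' ')"
}

# Stand-alone demonstration on the constructed log
SAMPLE_LOG="${TMPDIR:-/tmp}/scan-sample.$$"
write_sample_log "$SAMPLE_LOG"
report "$SAMPLE_LOG"
scan_verdict "$SAMPLE_LOG" && rc=0 || rc=$?
echo "verdict             : $rc"
rm -f "$SAMPLE_LOG"
```

In a real job you would replace the constructed log with the scanner's captured output (for example `f-prot "$HOME" > "$LOG"`) and let the verdict drive what happens next: only a definite infection should quarantine anything, whereas a heuristic hit deserves a second opinion before any file is touched.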

The documentation doesn't say how to update the virus definition files, but I see some .DEF files in /usr/local/f-prot, and I'll assume those are the files I can download from the F-Prot web site.

F-Prot is also available for Windows, and still available for DOS. (Yes, I do still run some DOS machines.)

BitDefender Free Edition for Linux was also an easy install. Like F-Prot, it is distributed in DEB and RPM package format, for direct installation under Xandros. But I was surprised to find that the DEB available now is identical to that which I downloaded last April. Perhaps, I thought, its "update" feature would bring it up to date.

BitDefender does come with PDF documentation, which makes up for the fact that it doesn't install a man page. But the update documentation is incomplete and wrong: it neglects to tell you that you must update as root, and it specifies the wrong directory. By poking around and experimenting I managed to discover that the update directory in my system is /opt/bdc/Plugins. With those facts -- which I would not expect a newbie to be able to discover -- I was able to run "bdc --update" and then "bdc ." to scan my home directory.

Folders        :7703
Files          :6310
Packed         :579
Infected files :0
Suspect files  :0
Warnings       :0
I/O errors     :0
Files/second   :22
Scan time      :00:04:35

Clearly BitDefender is more selective about what files it scans. And even with the "--mail" option, it didn't detect the viruses in my mailboxes. Disappointing.

I'll be poking around with BitDefender to see if I can get it to scan email. I'll also send some constructive suggestions to the company; after our recent travels, I have a soft spot for a Romanian software firm. BitDefender is also available for Windows.

Update: I've learned how to make BitDefender scan mailboxes.

ClamAV, so far, I haven't been able to install.

I discovered that ClamAV was available for a single-click install through Xandros Networks, so naturally I tried that first. Unfortunately this draws upon the Debian archives, which are notoriously out-of-date, so I shouldn't have been surprised to find that an old version (0.6) of ClamAV was installed. It comes with a utility "freshclam" to update -- or in my case, download -- the virus signature files. Unfortunately, it wasn't able to -- it kept reporting that it couldn't verify the checksum on the file from the update site.

It occurred to me that this update problem might be because I had such an old version, so I went to the download page on the ClamAV web site. To get the latest version (0.8) for my system I needed to specify a new package source. The Xandros package software will do this, but it's not a task for the newbie. The problem is, having specified the new source, Xandros was unable to install the latest package version.

I'll have to try again, using the "stable" rather than the "testing" version, and hope for better results. Failing that, I'll poke around with the command line "apt" package utilities and see if they can install this software. Clearly, installing ClamAV is an exercise for an experienced Linux user.

ClamAV is an open-source project licensed under the GPL, unlike F-Prot and BitDefender which are commercial products. Perhaps for this reason, ClamAV is the only one of the three which won't (yet) disinfect files: it's limited to detection. (This might also be because ClamAV is targeted at mail servers, which only need to intercept and quarantine infected emails.) On the up side, ClamAV is available for a number of platforms, including BSD Unix, Solaris, Windows, and Mac. Its virus signature files seem to be kept very up-to-date.
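All three products share one failure mode that none of them surfaces well: a scanner whose definitions are stale or missing runs happily and reports "clean". F-Prot's update procedure is undocumented, BitDefender's DEB hadn't changed in ten months, and freshclam never managed to download a signature file at all. The script below is an added example, not part of the original post or of any of these products; it checks a definitions directory for presence and age. The `*.DEF` pattern and the seven-day limit are assumptions chosen for the example (F-Prot's files under /usr/local/f-prot happen to use that extension; for another product pass its own pattern), and the temporary directory it builds at the end is constructed test data.

```shell
#!/bin/sh
# Added example: verify that a scanner's definition files exist and are recent.
# Works on any directory; the pattern and age limit are the caller's choice.

# stale_definitions DIR DAYS [PATTERN]: list definition files modified more than DAYS days ago
stale_definitions() {
    find "$1" -name "${3:-*.DEF}" -mtime +"$2" 2>/dev/null
}

# definition_count DIR [PATTERN]: how many definition files are present at all
definition_count() {
    find "$1" -name "${2:-*.DEF}" 2>/dev/null | wc -l | tr -d ' '
}

# definitions_ok DIR DAYS [PATTERN]: 0 if at least one file exists and none is stale,
# otherwise 1 with the reason on stderr (fit for a cron job that mails failures)
definitions_ok() {
    if [ "$(definition_count "$1" "${3:-*.DEF}")" -eq 0 ]; then
        echo "no definition files matching ${3:-*.DEF} under $1" >&2
        return 1
    fi
    stale=$(stale_definitions "$1" "$2" "${3:-*.DEF}")
    if [ -n "$stale" ]; then
        echo "definitions older than $2 days:" >&2
        echo "$stale" >&2
        return 1
    fi
    return 0
}

# update_dir_writable DIR: the update tools write into this directory, which is why
# an update run as an ordinary user fails (the undocumented BitDefender requirement)
update_dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Stand-alone demonstration on a constructed directory: one fresh file, one from 2005
DEMO="${TMPDIR:-/tmp}/defs-demo.$$"
mkdir -p "$DEMO"
touch "$DEMO/fresh.DEF"
touch -t 200502010000 "$DEMO/ancient.DEF"
if definitions_ok "$DEMO" 7; then
    echo "definitions under $DEMO look current"
else
    echo "definitions under $DEMO need attention"
fi
update_dir_writable "$DEMO" && echo "update directory is writable by $(id -un)"
rm -rf "$DEMO"
```

Run `definitions_ok /usr/local/f-prot 7` (or the equivalent directory and pattern for another product) from the same cron job that performs the scan, before the scan, so that a silently failed update shows up as an alert instead of as a clean report.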

If the market for Linux desktops is still small, the market for desktop Linux anti-virus products is minuscule squared. So that's probably why there hasn't been a lot of effort devoted to making these products newbie-friendly. (A paid product might fare better.) I'll keep tinkering with ClamAV to see if I can get it to work, but for now, my recommendation is F-Prot.

brad
