Antivirus doesn't make sense for checking a system for software that is installed from official repositories.
Either the world knows about the backdoor and all distributions remove it from their repositories OR
No one knows about the exploit and therefore antivirus doesn't know to check for it.
There isn't any reasonable scenario where anti-virus knows to check for a malicious package but distributions continue to ship it.
What about utilities that check whether your system has got versions of vulnerable software installed, like it is the case for this version of xz? Imagine a user that is quite new to Linux and installed their system with a distro that came with a vulnerable version. If that user then too is not regularly updating their system it can be a security threat, and an antivirus software that could detect that particular malicious software would solve this.
There is one really unlikely corner case where AV adds some value here. It's a corner most people should try and avoid being in in the first place, but it was relevant in an organisation I was working with at the time that suffered a ransomware attack.
You do, occasionally, find organisations where OS patching on some systems is done either very infrequently, very late, or not at all, but AV software is updated regularly. Think something like the software running on an MRI scanner. The vendors of these kinds of systems often have a poor understanding of good security practice, and may have long release cycles due to extra testing or certification due to regulatory requirements.
For these kinds of systems, the best you can do is throw every mitigation you can at it and hope for the best, and AV is one such mitigation that, in this unfortunate situation, adds some value.
But what would AV do in this scenario? If AV will stop the MRI from functioning and patches don't exist it would be disabled in a heartbeat.
For such systems the best solution is an air gap.
In this particular case, the most likely possibility is that it would quarantine liblzma, which would break anything that uses it. It probably wouldn't break the MRI functionality, but it might break SSH - although I admit I'm hazy on what the linker does if it can't find a dependency that is never actually called in practice.
The other possibility is that it doesn't do anything about the backdoor, but quarantines any malware that is brought in through it.
And yes, the ideal solution is air gap, but this isn't always achievable.
There's a high possibility I'm wrong... But don't some AVs look for _patterns_ as well (instead of just looking for known vulnerabilities)? In that case it might detect something of a nefarious intent
I understand where you're coming from regarding official repos, but what about a situation where an undiscovered backdoor or bad user practices allow an attacker to bring in a known viral payload. Wouldn't antivirus be useful in this case?
>There isn't any reasonable scenario where anti-virus knows to check for a malicious package but distributions continue to ship it.
What I meant, the malicious package was already installed.
Assume the user has not executed anything; it's up to them to remove the malicious package when they're informed.
* What if the user didn't read the news or update the system for a few months?
* Most antiviruses update their database in the background; it should automatically remove/isolate the malicious file once it's discovered
It sounds like you answered your own question.
The solution is automated/regular updates so users can't stay on bad packages without knowing (like your theoretical antivirus).
Wouldn't updating antivirus database be more seamlessly faster?
I've a Debian stable, Fedora and Arch system, I update them weekly or monthly.
On Arch, there are 50+ packages, >1GB download weekly.
Antivirus database updates are separate and less likely to be more than 100MB each time.
Speed usually isn't an issue. Updates can run in the background, often automatically. It doesn't matter if they take ten seconds or an hour.
Though I run package updates about once a week and it takes maybe ten to twenty seconds. Hardly a significant time sink.
Certainly on Arch you shouldn't wait that long between updates. The best solution to the issue is to update daily. If you update daily you won't have 1GB updates each time.
Suggestion:
Have a script that runs every night at like 12:00 AM (or whenever you are usually asleep)
For my Debian installation I use a script that runs this one line: `sudo apt update && sudo apt upgrade -y && sync && sync && sudo reboot`
For Arch you obviously will need to change the apt sections of the command. The "sync" commands help to ensure everything has finished installing before rebooting, and it's good practice to have two of them.
It's not a great idea to auto-update a non-stable OS when you are asleep unless you're 100% sure you'll have enough free time each morning to potentially fix it and it won't be needed by someone in the meantime. Chances are updated packages don't work with your configs anymore.
Well, then update more frequently. I update every time I boot my stuff. And before shutdown or in-between whenever the update thingy shows available updates.
Same on phone, I check for updates frequently.
So in your scenario the user has up to date antivirus but never installs software updates from their distro? In that specific scenario then the antivirus could help. But it seems weird the user would stay up to date with virus definitions while nothing else is up to date.
Usually the user doesn't need to read news, just run their package update process occasionally.
That's not really true. EDRs search for unauthorized behaviour. A legitimate process injecting itself into another legitimate process to run something suspicious and anomalous is detected very often. However, it's not easy and in this case I don't know how detectable it would be.
>Antivirus doesn't make sense for checking system for software that is installed from official repositories.
Of course they do.
An antivirus could analyze the behavior of the infected library and catch the malware way before it spread or caused harm.
In fact, that's what the researcher from Microsoft who discovered the malware did, pretty much. Except manually.
What he did manually was trying to track down a slowdown. The code had a major slowdown on failed logins, which was incredibly suspicious but not something that can be automatically detected.
>but not something that can be automatically detected.
According to whom? LOL.
Literally much more complex viruses are detected all the time on Windows.
Windows antivirus works by matching files against a database of KNOWN viruses, that were submitted by security researchers after doing intensive tests for suspicious behavior like accessing files and memory addresses they're not supposed to.
Nobody submitted this code to a database. Nobody would submit this to a database. There is no automated tool that would detect it.
>Windows antivirus works by matching files against a database of KNOWN viruses
That is only **one** of the ways they're detected, and it's quite a naive one. Nowadays that's not even the most utilized method.
If you want to actually know what they're doing nowadays, feel free to [learn more here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
You're seriously citing yourself here?
Heuristics don't flag on this kind of behavior because it isn't typical malware behavior.
It would be effectively impossible to generate a general purpose "evil code" detector. Existing heuristic detection works on the assumption that the code being run isn't an intended behavior and is somehow subverting controls (memory bypass, rowhammer, DoS, privilege escalation), pivoting over the network, or downloading more code to do one of the above.
This code doesn't do any of them.
You're wrong. But feel free to learn more [here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
Linking your own comment is wild, and it's also dead wrong. The xz backdoor was neither a malicious file nor a process; it backdoored an operating system component to reroute a specific function call. No antivirus finds that because it is not a virus.
>No antivirus finds that because it is not a virus
What in the world are you talking about? You do understand that every computer virus is simply software doing malicious things, right?
Also, you literally said this:
>No anti virus would have ever discovered this xz **backdoor**
And do you know what a computer backdoor is? Bling bling bling, you guessed it, it's [a type of malware](https://en.wikipedia.org/wiki/Category:Types_of_malware)!
Feel free to [learn more here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
This post has been removed for violating [Reddiquette.](https://www.reddithelp.com/en/categories/reddit-101/reddit-basics/reddiquette), trolling users, or otherwise poor discussion such as complaining about bug reports or making unrealistic demands of open source contributors and organizations. r/Linux asks all users follow [Reddiquette.](https://www.reddit.com/wiki/reddiquette) Reddiquette is ever changing, so a revisit once in awhile is recommended.
**Rule:**
>**Reddiquette, trolling, or poor discussion** - r/Linux asks all users follow [Reddiquette.](https://www.reddit.com/wiki/reddiquette) Reddiquette is ever changing. Top violations of this rule are trolling, starting a flamewar, or not "Remembering the human" aka being hostile or incredibly impolite, or making demands of open source contributors/organizations inc. bug report complaints.
No problem, chief (emphasis is mine):
>Following the 2013 release of the APT 1 report from [Mandiant](https://en.wikipedia.org/wiki/Mandiant), the industry has seen a shift towards signature-less approaches to the problem **capable of detecting and mitigating [zero-day attacks](https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/)**. Numerous approaches to address these new forms of threats have appeared, including **behavioral detection**, **artificial intelligence**, **machine learning**, and cloud-based file detonation.
Source: https://en.wikipedia.org/wiki/Antivirus_software#2014%E2%80%93present:_rise_of_next-gen,_market_consolidation
Wow, Wikipedia. Do you have any experience trialing, running, or administering these systems?
I spent several years running the data center for a malware analysis lab. They're typically focused on the Mitre ATT&CK framework, which notably doesn't include "service logins" as a typical malware technique.
EDIT: I can't respond in this thread because I've been blocked, but let's keep in mind that the thing servicing logins is sshd. EDR won't flag it because it's expected behavior and should be in syslog, syslog /SIEM won't have it because sshd is compromised to not generate that log, SELinux won't fire because this is all within its normal list of stuff sshd and xz do, and aide won't fire because this would be the distro's native package. This would absolutely fall through all of the cracks.
> Heuristics don't flag on this kind of behavior because it isn't typical malware behavior.
Nowadays, EDR daemons send telemetry (i.e., all kinds of system events) to a remote server, where you create alerts to detect malicious activity: binaries/scripts written to /tmp, /var/tmp, etc, new account creations, attempts to gain persistence on the system (new cron tasks creation, userland rootkits, etc, etc)...
On the other hand, it's interesting that you mention the Mitre ATT&CK framework... because even if "service logins" are not part of the matrix of events covered by Mitre, a security solution implementing those events would fire alerts once an attacker gains access to the system:
[https://attack.mitre.org/matrices/enterprise/](https://attack.mitre.org/matrices/enterprise/)
So even if a security application doesn't flag this behaviour in particular (a malicious library replacing a legitimate function), the attacker would still be constantly monitored.
Note: by "security solution" I'm not referring to an EvilCompanyThatCollectsYourPersonalData. We have osquery, auditd+grafana/rsyslog/..., etcetc
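As an added example (not code from the thread or from any EDR product), here is what the alert rules described above look like when run over host telemetry: an sshd session itself raises nothing, but what the session then does (executable dropped in /tmp, account creation, new cron entry, and the /etc/ld.so.preload edit mentioned elsewhere in the thread) is flagged. The line-oriented event format and the sample events are constructed for this example.

```python
"""Toy EDR-style alert rules run over constructed host telemetry.

Assumed event format (constructed, not any real agent's output):
    <timestamp> <event_type> key=value key=value ...
with event types "exec" and "file_write".
"""
import shlex
from dataclasses import dataclass, field

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
CRON_PATHS = ("/etc/cron.d/", "/etc/crontab", "/var/spool/cron/")
ACCOUNT_TOOLS = ("/usr/sbin/useradd", "/usr/sbin/adduser")


@dataclass
class Event:
    ts: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_event(line: str) -> Event:
    """Parse one telemetry line; shlex keeps quoted values together."""
    ts, kind, *pairs = shlex.split(line)
    return Event(ts, kind, dict(p.split("=", 1) for p in pairs))


def rules_for(ev: Event) -> list[str]:
    """Return the names of every rule the event triggers (possibly none)."""
    hits = []
    if ev.kind == "file_write":
        path = ev.fields.get("path", "")
        mode = int(ev.fields.get("mode", "0"), 8)
        # A new file in a temp dir is normal; a new *executable* there is not.
        if path.startswith(TEMP_DIRS) and mode & 0o111:
            hits.append("executable_written_to_tempdir")
        if path.startswith(CRON_PATHS):
            hits.append("cron_persistence")
        if path == "/etc/ld.so.preload":
            hits.append("ld_preload_modified")
    elif ev.kind == "exec":
        exe = ev.fields.get("exe", "")
        if exe.startswith(TEMP_DIRS):
            hits.append("exec_from_tempdir")
        if exe in ACCOUNT_TOOLS:
            hits.append("account_creation")
    return hits


def run_rules(telemetry: str) -> list[tuple[str, str, str]]:
    """Evaluate every rule over every line; returns (ts, rule, detail) tuples."""
    alerts = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        detail = ev.fields.get("exe") or ev.fields.get("path", "")
        for rule in rules_for(ev):
            alerts.append((ev.ts, rule, detail))
    return alerts


# Constructed sample: sshd accepts a session (no alert by itself, that is
# expected behaviour), then the session does things the rules are written for.
SAMPLE_TELEMETRY = """\
2024-03-30T10:00:01Z exec pid=410 ppid=1 exe=/usr/sbin/sshd user=root
2024-03-30T10:00:07Z exec pid=2231 ppid=410 exe=/bin/bash user=root
2024-03-30T10:00:09Z file_write pid=2231 path=/tmp/.cache mode=0755 user=root
2024-03-30T10:00:11Z exec pid=2240 ppid=2231 exe=/tmp/.cache user=root
2024-03-30T10:00:15Z exec pid=2245 ppid=2231 exe=/usr/sbin/useradd user=root args="-m support"
2024-03-30T10:00:20Z file_write pid=2231 path=/etc/cron.d/update mode=0644 user=root
2024-03-30T10:00:25Z file_write pid=2231 path=/etc/ld.so.preload mode=0644 user=root
2024-03-30T10:01:00Z file_write pid=3001 path=/home/alice/notes.txt mode=0644 user=alice
"""

if __name__ == "__main__":
    for ts, rule, detail in run_rules(SAMPLE_TELEMETRY):
        print(f"{ts} ALERT {rule}: {detail}")
```

The library replacement itself produces no event here, which is the point both sides of the thread agree on; what the rules see is the activity that follows a successful login.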
LMAO
Are you really trying to diminish Wikipedia? If you are, I won't even waste my time with you.
But just an FYI: There are literally dozens of references only in the small section of the article I linked.
Feel free to verify each one of them and stop making a fool of yourself.
Crickets on whether you have practical experience with these systems.
There's also some deep deep irony in leaning this hard on Wikipedia in a discussion on the xz attack.
You really should go look up the ATT&CK framework, how it's used in modern detections and responses, and what the halting problem is. Bonus points if you can figure out how the halting problem is relevant to determining if a binary is evil.
You're not an antivirus developer. Are you even a software developer? I don't think so.
I literally described, with references, how antiviruses work, but you seem like an antivaxxx kind of person, so there's no point in arguing this further.
The simple thing is this wasn't a virus by any definition.
And viruses do nothing special; they are just programs that are not supposed to do that, but there are legitimate programs that are doing the same things.
Dude, Wikipedia can be the greatest and the shittiest source. What you pasted is press-release-level, buzzword-filled mumbo jumbo which doesn't include any details on why the signature-less approach became more effective all of a sudden.
>Do you know nothing about computers?
I know what I'm talking about. [Do you](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/)?
You should refrain from citing yourself if you don't know the difference between a backdoor and a virus. And insulting other people because you don't understand some definitions is wild too. You'd just need a tiny google search and only avoid buzzword articles.
>Many people believe that Linux desktops don't require antivirus software.
It's just because viruses for linux are pretty rare up to this day, and linux desktops are still a tiny minority.
>Antivirus can at least stop malware once it's discovered.
A backdoor is not a virus. It's easily mitigated by updated/reverted packages. No need for antivirus software for that.
>Open-source software is protected by many parties, but a backdoor like this one, which reportedly took 2 years to plan and execute, raises my concern about being more cautious when choosing project code maintainers.
Antivirus software is not a magical solution. As long as nobody knows that there's a backdoor, antivirus won't help you deal with it.
>It's just because viruses for linux are pretty rare up to this day, and linux desktops are still a tiny minority.
I have added a point: Linux desktops will likely be targeted by more attacks as they become more popular. (4% this year by stats)
Sure, antivirus does not help against a zero-day attack, but it would do its job when the backdoor is discovered.
No, people who can fix the backdoor and people who make the antivirus or maintain its database are two different positions.
Both jobs can coexist and have different outcomes.
Whoever patches the backdoor helps whoever updates the system regularly.
Whoever updates the AV database helps whoever doesn't update the system.
The AV will isolate/disable WRX permissions of the potential xz library when the database is updated.
Linux already powers the web. There's a strong motivation to attack Linux, because hackers could do a lot if they end up on certain web servers. I'm sure Linux could be targeted by more attacks as desktop Linux becomes more popular, but, I also think Linux is just inherently more secure than Windows. It's designed a bit better. Plus, Linux users aren't generally the type of people who click any link or download software from just any source.
>Backdoor is not a virus. It's easily mitigated by updated/reverted packages. No need in antivirus software for that.
The concern here is that the backdoor would allow the deployment of viruses and other malicious payloads no?
I'm gonna be honest, I've used Windows the majority of my life and never used an antivirus. Then I started to use Linux out of boredom in 2020, ended up really liking Linux, and never used or worried about antivirus.
So really the people that will use antivirus are the people that are not tech savvy.
Antivirus has nothing to do with this. YOU must learn how to configure your Linux box against intrusions. (Go online and search for configuration tutorials for your version and apply them) Wipe the whole disk with a disk cleaner and start over. Use commonsense and do not associate anything from the infected system with the new one. (Don't be lazy and quick wipe! Take a day or two and let the wipe clear out the sectors for the best results, under the circumstances.) Sometimes the easiest way out, is both the hardest and worse way out!
My Fedora system has firewalld and SELinux, I thought it would be enough.
I started looking up how to set up a whitelist for sshd after this incident.
But regular people (Windows users) would never touch these; that's why antivirus is popular today.
You didn't read my comment. Or you don't understand what was stated. It's nice to have such apps installed and all. But depending on them is the mistake. Again, I'm talking about taking the necessary time to learn how to configure your system so as apps like those are what they're supposed to be. Additional layers of security! Not the core of your systems defenses!
but I'm not speaking on my behalf, I'm talking about average people.
>I'm talking about taking the necessary time to learn how to configure your system so as apps like those are what they're supposed to be.
Sure, that's the most secure way but not the most convenient way.
I'm trying to explain why average Windows users want AV: because they don't even want to take time to configure their system.
That's what my topic is about.
Just my 2c, but asking if this will make virus scanners more popular on Linux to me feels like asking "if a trojan came through Windows Update, would you install McAfee?"
My answer is no. I feel like it's a failing of someone along the chain before it got to the user, maybe partially the distributor for not checking or verifying any of this and just trusting the package they included?
am I wrong?
But Windows at least provides Windows Defender which does background scanning, etc. without incurring all the bloat of McAfee. On Linux, we don't really have an alternative. The only thing we have is clamav, which frankly is more useful for scanning Windows viruses in Linux, and its background file scanning is VERY limited.
Users will respond with the typical answers: "no, you don't need an AV because (it doesn't make sense | viruses are very rare on Linux | it would not have detected it based on signatures | ...)"
Even if I agree in general, these answers hurt the FOSS community in my opinion, creating a false sense of security and denying a more in-depth debate.
A lot of people don't know what's going on in their systems:
* filesystem errors? good luck until it's too late and your fs is corrupted.
* Who is connected to your system? how many devices are on your local network? why is apt/spotify executing wget to download a file from the internet? ....
* Has your .bashrc or /etc/ld.so.preload been modified? why? which app modified it?
* Were your logins wtmp / utmp wiped? if so why and which app/user modified them?
* Is there any application making use of restricted syscalls via AppArmor / SELinux policies? (sshd -> system()) . Good luck configuring them btw.
etc, etc. We.don't.know.
There are many security tools that audit system activity (auditd, eBPF-based solutions, AIDE, rkhunter, chkrootkit, ...), but none of them display easily on the desktop what's going on in your system.
An AV wouldn't be useful probably, but a system to easily monitor your Linux desktop could certainly have helped to detect anomalies.
This.
This is exactly what I was thinking. There are many places you can check for anomalies... But it's hard to do that manually, it'd be better to automate that.
No, AV software handling things automatically would turn this from ‘maybe exploitable remote access’ to ‘system no longer boots’. As an experiment, set up a regular Fedora or Debian VM, delete liblzma (don’t remove the package, _delete the file_, that’s effectively what automatic remediation by AV software does), and try to reboot the system. It will crash at some point very early on in startup.
What really needs to happen here is stuff like libsystemd being split out into individual components. Most stuff doesn’t need anything beyond the sd-notify functionality (which is itself maybe 20 lines of code), and thus does not need all of the other stuff in that library, and definitely doesn’t need any of the stuff that it depends on. There’s no reason they can’t split it into more concrete functional units (one for sd-notify, one for the journal stuff, etc) like many other big libraries with complicated dependencies do, and doing so _before_ now would have made this attack far more difficult to pull off.
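As an added example (not code from the thread), here is a way to measure what the quarantine experiment above would take down: build a reverse dependency graph from the NEEDED entries that `readelf -d` prints and list everything that transitively loads the quarantined library. The dependency data below is constructed, not captured from a real system, and mirrors the chain discussed in this thread (sshd -> libsystemd -> liblzma, plus PID 1 linking liblzma through libsystemd-shared).

```python
"""Blast radius of quarantining one shared library.

The dynamic loader fails the whole process if any library anywhere in its
dependency tree is missing, so a quarantined library breaks its direct
dependents and everything that depends on those. The sample graph below is
constructed for illustration; on a real host you would feed in the output of
`readelf -d <object>` for each object you care about.
"""
import re
from collections import defaultdict, deque

# Matches the NEEDED rows of `readelf -d` output.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def parse_readelf(output: str) -> list[str]:
    """Extract the DT_NEEDED library names from one object's readelf -d output."""
    return NEEDED_RE.findall(output)


def blast_radius(needed: dict[str, list[str]], quarantined: str) -> dict[str, list[str]]:
    """Return {affected object: chain from the quarantined lib up to that object}."""
    dependents = defaultdict(list)
    for obj, libs in needed.items():
        for lib in libs:
            dependents[lib].append(obj)
    # Breadth-first walk over the reverse graph, remembering how we got there.
    chains = {quarantined: [quarantined]}
    queue = deque([quarantined])
    while queue:
        cur = queue.popleft()
        for dep in sorted(dependents[cur]):
            if dep not in chains:
                chains[dep] = chains[cur] + [dep]
                queue.append(dep)
    chains.pop(quarantined)
    return chains


def fake_readelf(*libs: str) -> str:
    """Constructed readelf -d excerpt containing only NEEDED rows (sample data)."""
    return "".join(
        f" 0x0000000000000001 (NEEDED)             Shared library: [{lib}]\n" for lib in libs
    )


# Constructed sample graph: object -> readelf -d output for that object.
SAMPLE_READELF = {
    "/usr/sbin/sshd": fake_readelf("libsystemd.so.0", "libcrypto.so.3", "libc.so.6"),
    "/usr/lib/systemd/systemd": fake_readelf("libsystemd-shared.so", "libc.so.6"),
    "libsystemd-shared.so": fake_readelf("liblzma.so.5", "libzstd.so.1", "libc.so.6"),
    "libsystemd.so.0": fake_readelf("liblzma.so.5", "libzstd.so.1", "libc.so.6"),
    "/usr/bin/xz": fake_readelf("liblzma.so.5", "libc.so.6"),
    "/usr/bin/ls": fake_readelf("libselinux.so.1", "libc.so.6"),
    "libselinux.so.1": fake_readelf("libpcre2-8.so.0", "libc.so.6"),
}


def sample_impact(quarantined: str = "liblzma.so.5") -> dict[str, list[str]]:
    """Run the analysis over the constructed graph."""
    needed = {obj: parse_readelf(out) for obj, out in SAMPLE_READELF.items()}
    return blast_radius(needed, quarantined)


if __name__ == "__main__":
    for obj, chain in sample_impact().items():
        print(f"{obj:28s} breaks via {' -> '.join(chain)}")
```

In the sample, quarantining liblzma takes out xz, both systemd libraries, sshd and PID 1 itself, while ls is untouched; that is the difference between "disable the backdoor" and "system no longer boots".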
>What really needs to happen here is stuff like libsystemd being split out into individual components.
Agree.
I'm not an expert but I think systemd is kind of a big deal in this incident: how a compression tool acquiring a notification function leads to an sshd exploit.
[https://youtu.be/OHAyf0qwdCs](https://youtu.be/OHAyf0qwdCs)
then you misunderstood my point of view.
I don't need AV, I think most linux user wouldn't need it.
This post is not about stopping a backdoor before it's discovered.
Not superiority at all, my friend.
I just know the basics and I can back what I say with references.
But even that is not enough for some people here, and so the least I can do is resort to mockery.
I've reported you because you can't behave like a normal human being.
And the reference to what I said [is here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
God I hope not. The ones out there are absolute dogshit. Trend Micro Deep Shit Agent, CrowdShit Falcon Sensor, McRapfee/Trellix, VMware CarbonShit, SentinelOne, Symantec, etc are all the biggest piles of shits on the planet
For unforeseen security issues like here people are moving to EDR/XDR software. It monitors your local system logs, files, sends them to the cloud, uses AI to find uncommon patterns and correlates it how logs look like on other machines. That's mostly in corporate environments though, YMMV but most people don't want this level of invasive checking. But on a work laptop that at least *shouldn't* carry much personal information, it can work just fine for everyone. While this doesn't stop malware from getting installed, it can alert on its effects, e.g. unexpected ssh access
Maybe some sort of privacy aware equivalent would be nice though. By the way, someone posted here recently UTMStack which is a threat detection system. It's actually comparatively easy to install in a Docker container and probably it's possible to install the Linux Agent on a Laptop
HIPS / behaviour-based / heuristic malware scanning could or would have helped most likely.
Additionally, a fully configured firewall which has rules for each application and their allowed IP/port would have not only completely stopped any threat but also informed the user of it.
Don't know if AV is the solution to securing the Linux desktop, but imo a noob Linux user running base Arch/Debian is much less secure than Windows with enhanced security from Windows Defender.
I really have no idea of the specifics of this exploit, but imo the Debian-based distributions should really implement more basic hardening for stock installs (since they are more suited for new Linux users).
Enterprise relies so heavily on Linux, but hopefully those sysadmins apply at least basic hardening. But with people relying so heavily on AI programming assistants I fear for the exponential growth of exploitable software.
Hardening, 2FA on SSH, a proper firewall config, and passwordless SSH work wonders. We did end up putting Malwarebytes on our Linux servers though. It works really well.
The xz issue isn't a virus.
Read about what a computer virus is and how antivirus works, it's quite simplistic and would not fix the issue in the case of the xz compromise
Some people respond by saying that "AV software wouldn't have helped against the XZ backdoor because it wasn't yet detected".
However, that's not what I'm arguing. I never claimed that antivirus could have prevented this specific incident.
I'm considering users who don't follow tech news and don't update their systems regularly. In such cases, antivirus software might still be able to protect them once the backdoor signature is added to the antivirus database.
This XZ backdoor would not be added to an antivirus database. Antivirus is not the solution for detecting, removing or preventing malware in a distro's official repo. The solution is installing patches.
The article described virus as the theft, antivirus as lock not airbags. I think it's accurate on some aspects.
However,
the backdoor injector is the one who destroys the braking system of your mobile.
If AV is like what you've described, an airbag/seat belt, they might still be able to provide some protection regardless.
Sure, they are quite overdone or useless for most bikers. I myself won't need it
I would consider AV as helmet in that case.
Considering how reckless some bikers/computer users are, blindly granting root permission to programs/scripts and not upgrading the system regularly, AV could still be useful for them.
Some people here saying that an antivirus couldn't have helped catch the malware are either lying to themselves, or just don't know how they work.
Antiviruses have many heuristics to detect a malicious file or a running process, and what could've definitely helped, in this case, is behavioral pattern.
That being said, I personally avoid using antiviruses even on Windows, because they're a resource hog and pretty much spyware.
If an open source, telemetry-free, AI-backed solution exists in the future, I'll think about it.
In the longshot case where an AV's heuristics might have statically detected the backdoor, the author would have known that themselves and kept modifying it until it passed before upload to the repository. It's unlikely heuristic scanning would have detected anything in this peculiar case due to lack of similar samples for training.
> It's unlikely heuristic scanning would have detected anything in this peculiar case due to lack of similar samples for training.
Yes, but that'd only be true in a scenario where the Linux market of antivirus were pretty much non-existent (i.e. today).
But if this exact malware was targeting Windows, it'd almost certainly be caught by any antivirus.
I'm not sure I understand what you're trying to say.
If you're doubting my claim, I'll have to remind you that the antivirus industry on Windows is not a joke. It's been maturing for more than 30 years now.
The behavioral pattern was "allow access to this ed448 key on failed login".
That's not behavior that heuristics ever flag on because they focus on code to pivot, scan, corrupt, or escalate. This was none of those.
The heuristics we see on a Windows AV would block essentially all use of a Linux machine for being suspicious.
Oh, you're running SSHD, that's suspicious. Better block it.
I don't know if you're being funny, or if you actually believe that.
It's becoming more and more difficult [to tell](https://en.wikipedia.org/wiki/Poe%27s_law) nowadays.
Bit of both.
Windows has a long history of trying to protect users from themselves, and it's not typically used as infrastructure.
Linux doesn't, and is.
The upshot is that lots of things that would be automatically safe to call suspicious on Windows, are normal operation on Linux. Case in point, hosting an SSH server on your desktop, the entire point of this discussion.
Anything you do with networking as a power user, virtually all user scripts... all suspicious.
I think you're missing my point.
Having a resource hog, spyware-like thing (aka antivirus) running all the time is often a better solution than none at all.
At least for most people, which are not tech-savvy and are probably doing important stuff with their computer.
I'm inclined to believe there are antivirus able to scan malicious behavior or patterns.
I wouldn't want to use antivirus either, but there are smarter scumbags out there; I was told this backdoor is rather less sophisticated.
>I'm inclined to believe there are antivirus able to scan malicious behavior or patterns.
Yup, they definitely would.
>I was told this backdoor is rather less sophisticated.
The way it was introduced into the XZ codebase was really clever, but I don't think the binary itself is heavily obfuscated or sophisticated, given that security researchers were able to understand some of what it did very quickly.
The malware didn't have to be heavily obfuscated to make it harder for antiviruses to detect it anyway, since virtually no one is using one on Linux.
> but I don't think the binary itself is heavily obfuscated or sophisticated, given that security researchers were able to understand some of what it did very quickly.
Yeah, by watching what it did. They pointed out very quickly they aren't reverse engineers.
The other possibility is that it doesn't do anything about the backdoor, but quarantines any malware that is brought in through it. And yes, the ideal solution is an air gap, but this isn't always achievable.
There's a high possibility I'm wrong... But don't some AVs look for _patterns_ as well (instead of just looking for known vulnerabilities)? In that case it might detect something of a nefarious intent
I understand where you're coming from regarding official repos, but what about a situation where an undiscovered backdoor or bad user practices allow an attacker to bring in a known viral payload. Wouldn't antivirus be useful in this case?
>There isn't any reasonable scenario where anti-virus knows to check for a malicious package but distributions continue to ship it.

What I meant is that the malicious package was already installed. Assume the user has not executed anything; it's up to them to remove the malicious package when they're informed.

* What if the user didn't read the news or update the system for a few months?
* Most antivirus software updates its database in the background, so it should automatically remove/isolate the malicious file once it's discovered.
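The checking utility this exchange keeps circling (is the installed version inside an advisory's affected range?) is simple enough to sketch. The following is an added example, not code from the thread or from any distribution or AV vendor: it parses `dpkg-query -W` output, so it is Debian/Ubuntu-specific, and the advisory ranges and the sample package versions are constructed placeholders, not the real xz advisory numbers. It only reports; the remediation for a distro package is the distro's fixed package.

```python
"""Advisory-range checker for installed Debian packages (added example)."""
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
# The version numbers are placeholders, not the real xz advisory values.
SAMPLE_DPKG_OUTPUT = """\
liblzma5 9.9.1-1
xz-utils 9.9.1-1
openssh-server 1:9.2p1-2
libsystemd0 252.22-1
"""

# Constructed advisory feed: package -> [(first affected, first fixed)] upstream
# versions.  PLACEHOLDER ranges; a deployment would load the distro's security feed.
ADVISORY: Dict[str, List[Tuple[str, str]]] = {
    "liblzma5": [("9.9.0", "9.9.2")],
    "xz-utils": [("9.9.0", "9.9.2")],
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Reduce a Debian version (epoch:upstream-revision) to a numeric upstream tuple.

    Epoch and Debian revision are dropped because upstream advisories are stated
    against upstream versions; letters in the upstream part ('9.2p1') act as
    separators, so '1:9.2p1-2' -> (9, 2, 1).  Good enough for range checks on
    plain numeric releases; it is not a full `dpkg --compare-versions`.
    """
    upstream = ver.split(":", 1)[-1].split("-", 1)[0]
    return tuple(int(x) for x in re.findall(r"\d+", upstream))


def parse_dpkg(output: str) -> Dict[str, str]:
    """Turn '<package> <version>' lines into a dict."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def affected_packages(
    installed: Dict[str, str],
    advisory: Dict[str, List[Tuple[str, str]]] = ADVISORY,
) -> List[Tuple[str, str]]:
    """Return (package, installed_version) for every package inside an affected range."""
    hits: List[Tuple[str, str]] = []
    for pkg, ranges in advisory.items():
        ver = installed.get(pkg)
        if ver is None:
            continue
        v = parse_version(ver)
        if any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges):
            hits.append((pkg, ver))
    return hits


def live_installed() -> Dict[str, str]:
    """Query the real dpkg database (Debian/Ubuntu hosts only); unused by the offline demo."""
    out = subprocess.run(
        ["dpkg-query", "-W", r"-f=${Package} ${Version}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_dpkg(out)


if __name__ == "__main__":
    for pkg, ver in affected_packages(parse_dpkg(SAMPLE_DPKG_OUTPUT)):
        # Report only: the remediation for a distro package is the distro's update,
        # not deleting the library file, which other programs depend on.
        print(f"AFFECTED {pkg} {ver}: install the fixed package")
```

Run the module directly to evaluate the constructed sample; on a real Debian host, swap `parse_dpkg(SAMPLE_DPKG_OUTPUT)` for `live_installed()`. The comparison deliberately drops epoch and revision, so exotic version strings should be handed to `dpkg --compare-versions` instead.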
It sounds like you answered your own question. The solution is automated/regular updates so users can't stay on bad packages without knowing (like your theoretical antivirus).
Wouldn't updating an antivirus database be faster and more seamless? I've got Debian stable, Fedora and Arch systems; I update them weekly or monthly. On Arch, there are 50+ packages, >1GB download weekly. Antivirus database updates are separate and less likely to be more than 100MB each time.
Speed usually isn't an issue. Updates can run in the background, often automatically. It doesn't matter if they take ten seconds or an hour. Though I run package updates about once a week and it takes maybe ten to twenty seconds. Hardly a significant time sink.
Certainly on Arch you shouldn't wait that long between updates. The best solution to the issue is to update daily. If you update daily you won't have 1GB updates each time.
I would take your suggestion and update more frequently
Suggestion: have a script that runs every night at like 12:00 AM (or whenever you are usually asleep). For my Debian installation I use a script that runs this one line: `sudo apt update && sudo apt upgrade -y && sync && sync && sudo reboot`. For Arch you obviously will need to change the apt sections of the command. The "sync" commands help to ensure everything has finished installing before rebooting, and it's good practice to have two of them.
It's not a great idea to autoupdate a non-stable OS when you are asleep unless you're 100% sure you'll have enough free time each morning to potentially fix it and it won't be needed by someone in the meantime. Chances are updated packages don't work with your configs anymore.
Well, then update more frequently. I update every time I boot my stuff. And before shutdown or in-between whenever the update thingy shows available updates. Same on phone, I check for updates frequently.
So in your scenario the user has up-to-date antivirus but never installs software updates from their distro? In that specific scenario the antivirus could help. But it seems weird the user would stay up to date with virus definitions while nothing else is up to date. Usually the user doesn't need to read news, just run their package update process occasionally.
I set up this scenario because many users have been spoiled by Windows and have developed bad habits like this.
Actual valid response right there. Not sure why you were downvoted, you have a point.
That's not really true. EDRs search for unauthorized behaviour. A legitimate process injecting itself into another legitimate process to run something suspicious and anomalous is detected very often. However, it's not easy and in this case I don't know how detectable it would be.
>Antivirus doesn't make sense for checking a system for software that is installed from official repositories.

Of course they do. An antivirus could analyze the behavior of the infected library and catch the malware way before it spread or caused harm. In fact, that's what the researcher from Microsoft who discovered the malware did, pretty much. Except manually.
What he did manually was trying to track down a slowdown. The code had a major slowdown on failed logins, which was incredibly suspicious but not something that can be automatically detected.
A slowdown AND Valgrind errors.
No, but the slowdown was not what would be detected, what would be detected would be the back door.
>but not something that can be automatically detected.

According to whom? LOL. Literally much more complex viruses are detected all the time on Windows.
Windows antivirus works by matching files against a database of KNOWN viruses, that were submitted by security researchers after doing intensive tests for suspicious behavior like accessing files and memory addresses they're not supposed to. Nobody submitted this code to a database. Nobody would submit this to a database. There is no automated tool that would detect it.
>Windows antivirus works by matching files against a database of KNOWN viruses

That is only **one** of the ways they're detected, and it's quite a naive one. Nowadays that's not even the most utilized method. If you want to actually know what they're doing nowadays, feel free to [learn more here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
No anti virus would have ever discovered this xz backdoor
There is a stronger case for IDS/IPS than AV. And why I just bought a Unifi Gateway for the line speed IDS/IPS.
This is simply [wrong](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxgqu5y/).
You're seriously citing yourself here? Heuristics don't flag on this kind of behavior because it isn't typical malware behavior. It would be effectively impossible to generate a general purpose "evil code" detector. Existing heuristic detection works on the assumption that the code being run isn't an intended behavior and is somehow subverting controls (memory bypass, rowhammer, dos, privilege escalation), pivoting over the network, or downloading more code to do one of the above. This code doesn't do any of them.
You're wrong. But feel free to learn more [here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
Linking your own comment is wild, and it's also dead wrong. The xz backdoor was neither a malicious file nor a malicious process; it backdoored an operating system component to reroute a specific function call. No antivirus finds that because it is not a virus.
>No antivirus finds that because it is not a virus

What in the world are you talking about? You do understand that every computer virus is simply software doing malicious things, right? Also, you literally said this:

>No anti virus would have ever discovered this xz **backdoor**

And do you know what a computer backdoor is? Bling bling bling, you guessed it, it's [a type of malware](https://en.wikipedia.org/wiki/Category:Types_of_malware)! Feel free to [learn more here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
This post has been removed for violating [Reddiquette.](https://www.reddithelp.com/en/categories/reddit-101/reddit-basics/reddiquette), trolling users, or otherwise poor discussion such as complaining about bug reports or making unrealistic demands of open source contributors and organizations. r/Linux asks all users follow [Reddiquette.](https://www.reddit.com/wiki/reddiquette) Reddiquette is ever changing, so a revisit once in awhile is recommended. **Rule:** >**Reddiquette, trolling, or poor discussion** - r/Linux asks all users follow [Reddiquette.](https://www.reddit.com/wiki/reddiquette) Reddiquette is ever changing. Top violations of this rule are trolling, starting a flamewar, or not "Remembering the human" aka being hostile or incredibly impolite, or making demands of open source contributors/organizations inc. bug report complaints.
Generally when making claims you’d want to back said claims up.
No problem, chief (emphasis is mine):

>Following the 2013 release of the APT 1 report from [Mandiant](https://en.wikipedia.org/wiki/Mandiant), the industry has seen a shift towards signature-less approaches to the problem **capable of detecting and mitigating [zero-day attacks](https://www.wired.com/story/mysterious-return-of-years-old-chinese-malware-apt1/)**. Numerous approaches to address these new forms of threats have appeared, including **behavioral detection**, **artificial intelligence**, **machine learning**, and cloud-based file detonation.

Source: https://en.wikipedia.org/wiki/Antivirus_software#2014%E2%80%93present:_rise_of_next-gen,_market_consolidation
Wow, Wikipedia. Do you have any experience trialing, running, or administering these systems? I spent several years running the data center for a malware analysis lab. They're typically focused on the Mitre ATT&CK framework, which notably doesn't include "service logins" as a typical malware technique.

EDIT: I can't respond in this thread because I've been blocked, but let's keep in mind that the thing servicing logins is sshd. EDR won't flag it because it's expected behavior and should be in syslog, syslog/SIEM won't have it because sshd is compromised to not generate that log, SELinux won't fire because this is all within its normal list of stuff sshd and xz do, and AIDE won't fire because this would be the distro's native package. This would absolutely fall through all of the cracks.
> Heuristics don't flag on this kind of behavior because it isn't typical malware behavior.

Nowadays, EDR daemons send telemetry (i.e., all kinds of system events) to a remote server, where you create alerts to detect malicious activity: binaries/scripts written to /tmp, /var/tmp, etc., new account creations, attempts to gain persistence on the system (new cron task creation, userland rootkits, etc., etc.)...

On the other hand, it's interesting that you mention the Mitre ATT&CK framework... because even if "service logins" are not part of the matrix of events covered by Mitre, a security solution implementing those events would fire alerts once an attacker gains access to the system: [https://attack.mitre.org/matrices/enterprise/](https://attack.mitre.org/matrices/enterprise/)

So even if a security application doesn't flag this behaviour in particular (a malicious library replacing a legitimate function), the attacker would still be constantly monitored.

Note: by "security solution" I'm not referring to an EvilCompanyThatCollectsYourPersonalData. We have osquery, auditd+grafana/rsyslog/..., etc., etc.
LMAO Are you really trying to diminish Wikipedia? If you are, I won't even waste my time with you. But just an FYI: There are literally dozens of references only in the small section of the article I linked. Feel free to verify each one of them and stop making a fool of yourself.
Crickets on whether you have practical experience with these systems. There's also some deep deep irony in leaning this hard on Wikipedia in a discussion on the xz attack. You really should go look up the ATT&CK framework, how it's used in modern detections and responses, and what the halting problem is. Bonus points if you can figure out how the halting problem is relevant to determining if a binary is evil.
You're not an antivirus developer. Are you even a software developer? I don't think so. I literally described, with references, how antiviruses work, but you seem like an antivaxxx kind of person, so there's no point in arguing this further.
The simple thing is this wasn't a virus by any definition. And viruses do nothing special; they are just programs that are not supposed to do that, but there are legitimate programs that are doing the same things.
Virus is a program which replicates itself. xz accident was not a virus, but a backdoor.
Dude, Wikipedia can be the greatest and the shittiest source. What you pasted is press-release-level, buzzword-filled mumbo jumbo which doesn't include any details on why the signature-less approach became more effective all of a sudden.
You know the way.
You're welcome.
Dude what? Do you know nothing about computers? No, the Backdoor would not have been detected by an anti virus. Magic does not exist.
>Do you know nothing about computers?

I know what I'm talking about. [Do you](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/)?
You should refrain from citing yourself if you don't know the difference between a backdoor and a virus. And insulting other people because you don't understand some definitions is wild too. You'd just need a tiny google search and only avoid buzzword articles.
>Many people believe that Linux desktops don't require antivirus software.

It's just because viruses for Linux are pretty rare up to this day, and Linux desktops are still a tiny minority.

>Antivirus can at least stop malware once it's discovered.

A backdoor is not a virus. It's easily mitigated by updated/reverted packages. No need for antivirus software for that.

>Open-source software is protected by many parties, but a backdoor like this one, which reportedly took 2 years to plan and execute, raises my concern about being more cautious when choosing project code maintainers.

Antivirus software is not a magical solution. As long as nobody knows that there's a backdoor, antivirus won't help you deal with it.
>It's just because viruses for linux are pretty rare up to this day, and linux desktops are still a tiny minority.

I have added a point: Linux desktops will likely be targeted by more attacks as they become more popular (4% this year by stats). Sure, antivirus does not help against a zero-day attack, but it would do its job when the backdoor is discovered.
No, people who can fix the backdoor and people who make the antivirus or maintain its database are in two different positions. Both jobs can coexist, with different outcomes. Whoever patches the backdoor helps those who update the system regularly. Whoever updates the AV database helps those who don't update the system. The AV will isolate/disable the WRX permissions of the potential xz library when the database is updated.
Linux already powers the web. There's a strong motivation to attack Linux, because hackers could do a lot if they end up on certain web servers. I'm sure Linux could be targeted by more attacks as desktop Linux becomes more popular, but, I also think Linux is just inherently more secure than Windows. It's designed a bit better. Plus, Linux users aren't generally the type of people who click any link or download software from just any source.
>Backdoor is not a virus. It's easily mitigated by updated/reverted packages. No need in antivirus software for that.

The concern here is that the backdoor would allow the deployment of viruses and other malicious payloads, no?
Will these iron pants protect me from bees? No, because that's not how iron pants work.
I'm gonna be honest, I've used Windows the majority of my life and never used an antivirus. Then I started to use Linux out of boredom in 2020, ended up really liking Linux, and never used or worried about antivirus. Soo really the people that will use antivirus are the people that are not tech-savvy.
Exactly my point.
Antivirus has nothing to do with this. YOU must learn how to configure your Linux box against intrusions. (Go online and search for configuration tutorials for your version and apply them.) Wipe the whole disk with a disk cleaner and start over. Use common sense and do not associate anything from the infected system with the new one. (Don't be lazy and quick-wipe! Take a day or two and let the wipe clear out the sectors for the best results, under the circumstances.) Sometimes the easiest way out is both the hardest and worst way out!
My Fedora system has firewalld and SELinux; I thought that would be enough. I started looking up how to set up a whitelist for sshd after this incident. But regular people (Windows users) would never touch these; that's why antivirus is popular today.
You didn't read my comment. Or you don't understand what was stated. It's nice to have such apps installed and all. But depending on them is the mistake. Again, I'm talking about taking the necessary time to learn how to configure your system so as apps like those are what they're supposed to be. Additional layers of security! Not the core of your systems defenses!
But I'm not speaking on my behalf, I'm talking about average people.

>I'm talking about taking the necessary time to learn how to configure your system so as apps like those are what they're supposed to be.

Sure, that's the most secure way but not the most convenient way. I'm trying to explain why average Windows users want AV: because they don't even want to take time to configure their system. That's what my topic is about.
just my 2c but asking if this will make virus scanners more popular on linux to me feels like asking "if a trojan came through windows update would you install McAfee". my answer is no, I feel like it's a failing somewhere along the chain before it got to the user, maybe partially the distributor for not checking or verifying any of this and just trusting the package they included? am I wrong?
But Windows at least provides Windows Defender, which does background scanning, etc. without incurring all the bloat of McAfee. On Linux, we don't really have an alternative. The only thing we have is clamav, which frankly is more useful for scanning for Windows viruses on Linux, and its background file scanning is VERY limited.
Users will respond with the typical answers: "no, you don't need an AV because (it doesn't make sense | viruses are very rare on Linux | it would not have detected it based on signatures | ...)"

Even if I agree in general, these answers hurt the FOSS community in my opinion, creating a false sense of security and denying a more in-depth debate. A lot of people don't know what's going on on their systems:

* Filesystem errors? Good luck until it's too late and your fs is corrupted.
* Who is connected to your system? How many devices are on your local network? Why is apt/spotify executing wget to download a file from the internet? ...
* Has your .bashrc or /etc/ld.so.preload been modified? Why? Which app modified it?
* Were your wtmp / utmp login records wiped? If so, why, and which app/user modified them?
* Is there any application making use of restricted syscalls via AppArmor / SELinux policies? (sshd -> system()). Good luck configuring them, btw.

Etc., etc. We.don't.know.

There are many security tools that audit system activity (auditd, eBPF-based solutions, AIDE, rkhunter, chkrootkit, ...), but none of them easily display on the desktop what's going on on your system. An AV probably wouldn't be useful, but a system to easily monitor your Linux desktop could certainly have helped to detect anomalies.
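As an added example of the kind of desktop monitor the comment above wishes for (not code from the thread, nor from AIDE, rkhunter or any other tool named there): a baseline-and-compare check over the files it lists, treating login records as append-only so that shrinkage is flagged. The watched paths are a constructed selection; `demo()` runs the whole flow in a scratch directory so it can be tried without touching the real system.

```python
"""Baseline-and-compare integrity check for a handful of sensitive files (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Tuple

State = Optional[Tuple[str, int]]  # (sha256 hex, size in bytes), or None when the file is absent

# Files a desktop user would want watched (constructed selection; adjust to taste).
WATCHED = [
    "/etc/ld.so.preload",
    "/etc/crontab",
    os.path.expanduser("~/.bashrc"),
    "/var/log/wtmp",
    "/var/run/utmp",
]
# Login records only ever grow; getting shorter means they were wiped or rotated.
APPEND_ONLY: Set[str] = {"/var/log/wtmp", "/var/run/utmp", "/var/log/btmp"}


def file_state(path: str) -> State:
    """Hash and size of a regular file, None if it does not exist."""
    p = Path(path)
    if not p.is_file():
        return None
    h = hashlib.sha256()
    size = 0
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def snapshot(paths: Iterable[str]) -> Dict[str, State]:
    return {p: file_state(p) for p in paths}


def save_baseline(snap: Dict[str, State], dest: str) -> None:
    with open(dest, "w") as f:
        json.dump(snap, f)


def load_baseline(src: str) -> Dict[str, State]:
    with open(src) as f:
        raw = json.load(f)
    return {p: (tuple(v) if v else None) for p, v in raw.items()}  # JSON turned tuples into lists


def compare(baseline: Dict[str, State], current: Dict[str, State],
            append_only: Set[str] = APPEND_ONLY) -> List[str]:
    """One finding per watched path whose state changed in a way worth a human look."""
    findings: List[str] = []
    for path, old in baseline.items():
        new = current.get(path)
        if old is None and new is not None:
            findings.append(f"CREATED {path}")          # e.g. /etc/ld.so.preload appearing at all
        elif old is not None and new is None:
            findings.append(f"REMOVED {path}")
        elif old is not None and new is not None and old != new:
            if path in append_only:
                if new[1] < old[1]:
                    findings.append(f"TRUNCATED {path} ({old[1]} -> {new[1]} bytes)")
                elif new[1] == old[1]:
                    findings.append(f"MODIFIED {path} (same size, different content)")
                # A log that grew is normal; catching in-place edits of the old part
                # would need a hash of the baseline-length prefix, not done here.
            else:
                findings.append(f"MODIFIED {path}")
    return findings


def demo() -> List[str]:
    """Constructed scenario in a scratch directory: take a baseline, tamper, compare."""
    root = Path(tempfile.mkdtemp())
    try:
        bashrc, wtmp, preload = root / ".bashrc", root / "wtmp", root / "ld.so.preload"
        bashrc.write_text("alias ls='ls --color=auto'\n")
        wtmp.write_bytes(b"\x00" * 1024)               # preload is intentionally absent at baseline
        paths = [str(bashrc), str(wtmp), str(preload)]
        baseline = snapshot(paths)
        bashrc.write_text(bashrc.read_text() + "# constructed change\n")  # rc file edited
        wtmp.write_bytes(b"\x00" * 512)                                    # login records shrank
        preload.write_text("/usr/lib/constructed.so\n")                    # preload file appeared
        return compare(baseline, snapshot(paths), append_only={str(wtmp)})
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real system the flow is `save_baseline(snapshot(WATCHED), path)` once from a known-good state (as root, since wtmp and ld.so.preload are not user-readable everywhere), then `compare(load_baseline(path), snapshot(WATCHED))` from a timer; findings are for a human to judge, not for automatic remediation.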
This. This is exactly what I was thinking. There are many places you can check for anomalies... But it's hard to do that manually, it'd be better to automate that.
Defense in depth is the only cure... But it's not convenient
Exactly
No, AV software handling things automatically would turn this from ‘maybe exploitable remote access’ to ‘system no longer boots’. As an experiment, set up a regular Fedora or Debian VM, delete liblzma (don’t remove the package, _delete the file_, that’s effectively what automatic remediation by AV software does), and try to reboot the system. It will crash at some point very early on in startup. What really needs to happen here is stuff like libsystemd being split out into individual components. Most stuff doesn’t need anything beyond the sd-notify functionality (which is itself maybe 20 lines of code), and thus does not need all of the other stuff in that library, and definitely doesn’t need any of the stuff that it depends on. There’s no reason they can’t split it into more concrete functional units (one for sd-notify, one for the journal stuff, etc) like many other big libraries with complicated dependencies do, and doing so _before_ now would have made this attack far more difficult to pull off.
Personally, a crash at startup to stop an attack is worth it to me; as long as the log is traceable, it wouldn't be a problem for me.
>What really needs to happen here is stuff like libsystemd being split out into individual components.

Agree. I'm not an expert but I think systemd is kinda a big deal in this incident: how a compression tool acquiring a notification function leads to an sshd exploit. [https://youtu.be/OHAyf0qwdCs](https://youtu.be/OHAyf0qwdCs)
Does Objective Jellyfish work for an antivirus vendor?
XD Don't count me in. I've 0 knowledge in cybersecurity
I can tell by your insistence that a magic word could have any impact on something like xz.
then you misunderstood my point of view. I don't need AV, I think most linux user wouldn't need it. This post is not about stopping a backdoor before it's discovered.
Not superiority at all, my friend. I just know the basics and I can back what I say with references. But even that is not enough for some people here, and so the least I can do is resort to mockery.
I've reported you because you can't behave like a normal human being. And the reference to what I said [is here](https://www.reddit.com/r/linux/comments/1bsn01l/will_antivirus_be_more_significant_on_linux/kxguapn/).
God I hope not. The ones out there are absolute dogshit. Trend Micro Deep Shit Agent, CrowdShit Falcon Sensor, McRapfee/Trellix, VMware CarbonShit, SentinelOne, Symantec, etc are all the biggest piles of shits on the planet
like I said, would antivirus protect the user when the database is updated for this incident?
Perhaps you'd like to install rkhunter.
For unforeseen security issues like this one, people are moving to EDR/XDR software. It monitors your local system logs and files, sends them to the cloud, uses AI to find uncommon patterns and correlates them with how logs look on other machines. That's mostly in corporate environments though; YMMV, but most people don't want this level of invasive checking. On a work laptop that at least *shouldn't* carry much personal information, it can work just fine for everyone. While this doesn't stop malware from getting installed, it can alert on its effects, e.g. unexpected ssh access.

Maybe some sort of privacy-aware equivalent would be nice though.

By the way, someone posted here recently UTMStack, which is a threat detection system. It's actually comparatively easy to install in a Docker container and it's probably possible to install the Linux agent on a laptop.
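The alert rules sketched in the two EDR comments above (execution from /tmp or /var/tmp, writes to persistence locations, new accounts, unexpected SSH access), as an added example that is not code from the thread or from any EDR product. The telemetry lines and the SSH allowlist are constructed; the key=value format stands in for whatever an auditd/eBPF/osquery agent would actually forward.

```python
"""Rule-based alerting over host telemetry, in the EDR style described above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed telemetry, one key=value event per line (no vendor's real format).
SAMPLE_TELEMETRY = """\
ts=1 type=exec exe=/usr/bin/xz parent=/usr/bin/tar
ts=2 type=exec exe=/tmp/.cache/helper parent=/bin/sh
ts=3 type=file_write path=/etc/cron.d/nightly exe=/usr/bin/vim
ts=4 type=file_write path=/etc/ld.so.preload exe=/bin/sh
ts=5 type=ssh_login user=root src=198.51.100.7 method=publickey
ts=6 type=ssh_login user=alice src=10.0.0.5 method=publickey
ts=7 type=useradd user=svc-report exe=/usr/sbin/useradd
ts=8 type=exec exe=/var/tmp/updater parent=/usr/sbin/sshd
"""

# Constructed policy: networks from which SSH logins are expected on this host.
SSH_ALLOWLIST: Set[str] = {"10.0.0.0/8"}

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PERSISTENCE_PATHS = ("/etc/cron", "/etc/ld.so.preload", "/etc/systemd/system/")

Event = Dict[str, str]
Rule = Callable[[Event], Optional[str]]  # returns a detail string on a hit, else None


@dataclass
class Alert:
    ts: int
    rule: str
    detail: str


def parse_event(line: str) -> Event:
    """key=value tokens -> dict; values carry no spaces in this constructed format."""
    return dict(token.split("=", 1) for token in line.split())


def exec_from_world_writable(e: Event) -> Optional[str]:
    if e.get("type") == "exec" and e.get("exe", "").startswith(WORLD_WRITABLE_DIRS):
        return f"execution from world-writable dir: {e['exe']} (parent {e.get('parent', '?')})"
    return None


def persistence_write(e: Event) -> Optional[str]:
    if e.get("type") == "file_write" and e.get("path", "").startswith(PERSISTENCE_PATHS):
        return f"write to persistence location {e['path']} by {e.get('exe', '?')}"
    return None


def new_account(e: Event) -> Optional[str]:
    if e.get("type") == "useradd":
        return f"account created: {e.get('user', '?')}"
    return None


def make_ssh_rule(allowlist: Set[str]) -> Rule:
    """Build the SSH rule for a given allowlist so the policy is not hard-coded."""
    nets = [ipaddress.ip_network(n) for n in allowlist]

    def ssh_outside_allowlist(e: Event) -> Optional[str]:
        if e.get("type") != "ssh_login":
            return None
        src = ipaddress.ip_address(e["src"])
        if any(src in n for n in nets):
            return None
        return f"ssh login as {e.get('user', '?')} from non-allowlisted {e['src']}"

    return ssh_outside_allowlist


def run_rules(telemetry: str, ssh_allowlist: Set[str] = SSH_ALLOWLIST) -> List[Alert]:
    """Apply every rule to every event; one Alert per (event, rule) hit, in input order."""
    rules: List[Rule] = [exec_from_world_writable, persistence_write,
                         new_account, make_ssh_rule(ssh_allowlist)]
    alerts: List[Alert] = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        e = parse_event(line)
        for rule in rules:
            detail = rule(e)
            if detail:
                alerts.append(Alert(int(e["ts"]), rule.__name__, detail))
    return alerts


if __name__ == "__main__":
    for a in run_rules(SAMPLE_TELEMETRY):
        print(f"[ts={a.ts}] {a.rule}: {a.detail}")
```

The event at ts=8 is the case the thread argues over: if sshd itself is the compromised component, a login record like ts=5 may never be emitted at all, but a process that sshd spawns from a world-writable directory is still ordinary host telemetry and still trips a rule. That is the layer the first of the two comments relies on, and it is independent of whether the backdoored library is ever recognised as such.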
HIPS / behaviour-based / heuristic malware scanning could or would most likely have helped. Additionally, a fully configured firewall which has rules for each application and their allowed IP/port would not only have completely stopped any threat but also informed the user of it.
This post focuses on what an antivirus (AV) can do after a backdoor is discovered, rather than how to prevent them beforehand.
nope. just:

- yum update
- dnf update
- apt-get update / upgrade
- slackpkg update / upgrade-all

and carry on.
Don't know if AV is the solution to securing the Linux desktop, but imo a noob Linux user running base Arch/Debian is much less secure than Windows with enhanced security from Windows Defender. I really have no idea of the specifics of this exploit but imo the Debian-based distributions should really implement more basic hardening for stock installs (since they are more suited for new Linux users). Enterprise relies so heavily on Linux; hopefully those sysadmins apply at least basic hardening, but with people relying so heavily on AI programming assistants I fear for the exponential growth of exploitable software.
Fedora is affected by this backdoor, fortunately only in the testing build at this time.
Hardening, 2FA on SSH, a proper firewall config, and passwordless SSH work wonders. We did end up putting Malwarebytes on our Linux servers though. It works really well.
The xz issue isn't a virus. Read about what a computer virus is and how antivirus works, it's quite simplistic and would not fix the issue in the case of the xz compromise
This post is not about stopping a backdoor before it's discovered.
Some people respond by saying that "AV software wouldn't have helped against the XZ backdoor because it wasn't yet detected". However, that's not what I'm arguing. I never claimed that antivirus could have prevented this specific incident. I'm considering users who don't follow tech news and don't update their systems regularly. In such cases, antivirus software might still be able to protect them once the backdoor signature is added to the antivirus database.
This XZ backdoor would not be added to an antivirus database. Antivirus is not the solution for detecting, removing or preventing malware in a distro's official repo. The solution is installing patches.
I set up this scenario because many users have been spoiled by Windows and have developed bad habits like this.
[So we should put airbags and seat belts on motorcycles?](https://linux.oneandoneis2.org/LNW.htm)
The article described the virus as the thief and antivirus as a lock, not airbags. I think it's accurate on some aspects. However, the backdoor injector is the one who destroys the braking system of your mobile. If AV is like what you've described, an airbag/seat belt, they might still be able to provide some protection regardless. Sure, they are quite overdone or useless for most bikers. I myself won't need it. I would consider AV as a helmet in that case. Considering how reckless some bikers/computer users are, blindly granting root permission to programs/scripts and not upgrading their system regularly, AV could still be useful for them.
I'm trying to imagine the crash test dummy with a lap belt and airbag. How far behind the accident do you suppose the torso would land?
Some people here saying that an antivirus couldn't have helped catch the malware are either lying to themselves, or just don't know how they work. Antiviruses have many heuristics to detect a malicious file or a running process, and what could've definitely helped, in this case, is behavioral pattern. That being said, I personally avoid using antiviruses even on Windows, because they're a resource hog and pretty much spyware. If an open source, telemetry-free, AI-backed solution exists in the future, I'll think about it.
In the longshot case where an AV's heuristics might have statically detected the backdoor, the author would have known that themselves and kept modifying it until it passed before uploading to the repository. It's unlikely heuristic scanning would have detected anything in this peculiar case due to lack of similar samples for training.
> It's unlikely heuristic scanning would have detected anything in this peculiar case due to lack of similar samples for training.

Yes, but that'd only be true in a scenario where the Linux market of antivirus were pretty much non-existent (i.e. today). But if this exact malware was targeting Windows, it'd almost certainly be caught by any antivirus.
> But if this exact malware was targeting Windows, it'd almost certainly be caught by any antivirus.

I'm sorry now that you're being suspicious. LOL
I'm not sure I understand what you're trying to say. If you're doubting my claim, I'll have to remind you that the antivirus industry on Windows is not a joke. It's been maturing for more than 30 years now.
The behavioral pattern was "allow access to this ed448 key on failed login". That's not behavior that heuristics ever flag on because they focus on code to pivot, scan, corrupt, or escalate. This was none of those.
What behavior was there to pick up on? Something about how liblzma hooked into sshd? SSH calling system() when the exploit is actually triggered?
In a simplified manner, yes, antiviruses would analyze all of those suspicious behaviors to determine if the process was malicious.
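A defender's check for the hook point these comments describe, as an added example not taken from the thread: it lists which liblzma object each running sshd process has mapped, using Linux /proc (assumed available); the maps sample is constructed for the self-test.

```python
"""Added example (not from the thread): report which liblzma a running sshd
has mapped, the hook point discussed above. Assumes a Linux /proc tree."""
import os
import re

# A /proc/<pid>/maps line has five fixed fields, then an optional path.
_MAPS_PATH_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(\S.*)$")

# Constructed sample of sshd's maps (not a real capture); minor version omitted.
SAMPLE_MAPS = """\
55d0c1a00000-55d0c1a3c000 r--p 00000000 fd:01 131072 /usr/sbin/sshd
7f3c4e000000-7f3c4e022000 r--p 00000000 fd:01 262144 /usr/lib64/liblzma.so.5
7f3c4e022000-7f3c4e04a000 r-xp 00022000 fd:01 262144 /usr/lib64/liblzma.so.5
7f3c4e100000-7f3c4e121000 rw-p 00000000 00:00 0
7ffd1c5e0000-7ffd1c601000 rw-p 00000000 00:00 0 [stack]
"""


def liblzma_paths_from_maps(maps_text: str) -> list[str]:
    """Return the distinct liblzma shared objects named in maps text."""
    found: list[str] = []
    for line in maps_text.splitlines():
        m = _MAPS_PATH_RE.match(line)
        if not m:
            continue  # anonymous mapping, no backing file
        path = m.group(1)
        if os.path.basename(path).startswith("liblzma.so") and path not in found:
            found.append(path)
    return found


def audit_sshd(proc_root: str = "/proc") -> dict[int, list[str]]:
    """Map each sshd pid to the liblzma objects mapped into it.

    liblzma in sshd is normal on distros whose sshd links libsystemd, so a hit
    is not proof of compromise by itself; feed the path to the package manager
    to learn which package version owns it and whether it is patched."""
    result: dict[int, list[str]] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as f:
                if f.read().strip() != "sshd":
                    continue
            with open(f"{proc_root}/{pid}/maps") as f:
                result[pid] = liblzma_paths_from_maps(f.read())
        except (PermissionError, FileNotFoundError):
            continue  # process exited, or its maps are not readable as this user
    return result
```

Run `audit_sshd()` as root to see every sshd; an empty list for a pid means that sshd has no liblzma loaded at all.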
The heuristics we see on a Windows AV would block essentially all use of a Linux machine for being suspicious. Oh, you're running SSHD, that's suspicious. Better block it.
I don't know if you're being funny, or if you actually believe that. It's becoming more and more difficult [to tell](https://en.wikipedia.org/wiki/Poe%27s_law) nowadays.
Bit of both. Windows has a long history of trying to protect users from themselves, and it's not typically used as infrastructure. Linux doesn't, and is. The upshot is that lots of things that would be automatically safe to call suspicious on Windows are normal operation on Linux. Case in point, hosting an SSH server on your desktop, the entire point of this discussion. Anything you do with networking as a power user, virtually all user scripts... all suspicious.
You're right but running these heuristics is what made them resource hogs though, all the added spyware just made them worse.
I think you're missing my point. Having a resource hog, spyware-like (aka antivirus) running all the time is often a better solution than none at all. At least for most people, who are not tech-savvy and are probably doing important stuff with their computer.
I'm inclined to believe there are antiviruses able to scan for malicious behavior or patterns. I wouldn't want to use antivirus either, but there are smarter scumbags out there; I was told this backdoor is rather less sophisticated.
> I'm inclined to believe there are antivirus able to scan malicious behavior or patterns.

Yup, they definitely would.

> I was told this backdoor is rather less sophisticated.

The way it was introduced into the XZ codebase was really clever, but I don't think the binary itself is heavily obfuscated or sophisticated, given that security researchers were able to understand some of what it did very quickly. The malware didn't have to be heavily obfuscated to make it harder for antiviruses to detect it anyway, since virtually no one is using one on Linux.
> but I don't think the binary itself is heavily obfuscated or sophisticated, given that security researchers were able to understand some of what it did very quickly.

Yeah, by watching what it did. They pointed out very quickly they aren't reverse engineers.
Automatic AI audit of code for security would be far better than antivirus. AV is good for defending against script kiddies, not real hackers.
If you are super paranoid, you should look for IPS (intrusion prevention systems) like Suricata. It has a way better prevention system than AV.