[Wylug-discuss] Eeepc and virus protection

Jim Jackson jj at franjam.org.uk
Tue Apr 15 16:05:12 BST 2008
On Tue, 15 Apr 2008, ALLEN, David wrote:

> It is good to see this topic is raising some serious discussion rather
> than "it's linux so it won't get viruses" head in the sand attitude!
>
> One of the real neat features of the eeepc ( for me anyway) is how it
> comes preinstalled with all the features most users need and requires
> minimal config to get it working. If you have to resort to re-installing
> the OS, you may as well put XP on it (perish the thought) and use SMS to
> update it automatically. For a virus to run it obviously has to install
> and be executable, so a very aggressive lock down policy may be the
> answer. What prompted me to start thinking about this was all the talk
> about sudo, which, of course, would bypass any such security!

See the sudo thread, elsewhere on wylug-discuss. The way the OS is put 
together by default, is highly dependent on sudo working and being 
password-less!

One of the interesting features of the Eeepc setup is that it uses a 
UnionFS to make the root file system out of a ReadOnly mount of the base 
installed setup and a r/w filesystem for the changes. To restore to the 
factory default one reformats the r/w partition, and there is an option 
under the F9 boot menu to do that.

If you get a virus (cough!) then resetting to factory default gets rid of 
it, and your mods and data :-( But for some uses that may not be an issue.

As far as I can see, to get at the readonly partition to install a 
permanent virus, one needs to interrupt the boot process in the initrd 
stage before the boot has created the unionfs and done a pivot root to it.
I'm not sure how a virus would install itself against the factory reset.


>
> David
>
>
>
> -----Original Message-----
> From: Paul Brook [mailto:paul at codesourcery.com]
> Sent: 15 April 2008 15:11
> To: wylug-discuss at wylug.org.uk
> Cc: ALLEN, David
> Subject: Re: [Wylug-discuss] Eeepc and virus protection
>
>> The eeepc is so impressive, we are thinking of giving them to our
>> service engineers, which raises the question about virus protection.
>> Before anyone comments, I know it runs Linux and consequently is much
>> more robust than windows etc etc
>>
>> However, this is a serious point if this bit of kit is to make the
>> transition from school desk to work desk. Asus have now shipped 1
>> million of these laptops so before too long someone is going to try
>> and break one. Any suggestions/views anyone? It does have antivirus
>> software pre-installed but I am not sure how effective it is.
>
> Virus checkers only really check for known viruses signatures. Some
> claim to do "heuristic detection", but in practice these just catch
> minor variants of existing viruses.  Given there are approximately no
> linux viruses, /bin/true is a fairly effective virus checker :-)
>
> The existing "linux virus checkers" are actually checking for windows
> viruses.
>
> A rootkit generally needs to get its claws fairly deep into the OS. The
> linux kernel explicitly doesn't have a stable in-kernel binary ABI, so
> in practice rootkits need significant maintenance work for every new
> kernel release.
>
> The most important thing is to make sure you keep your software properly
> updated. Another poster implied that Asus aren't doing security updates
> for the eeepc. I really hope this isn't true as unpatched linux machines
> aren't really much better than your average windows box. As a rule of
> thumb you should never let a machine into the wild unless it has an
> active support/security update mechanism.
>
> The linux distro system also helps to avoid a lot of problems. A decent
> distro makes it fairly easy to have a policy of never installing third
> party software, which significantly reduces the attack vectors.
>
> If you're really paranoid you can (with a bit of work, and maybe not
> with Xandros) make your root FS readonly.
>
> Paul
>
> _______________________________________________
> Wylug-discuss mailing list
> Wylug-discuss at wylug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/wylug-discuss
>
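The layering Jim describes above (a read-only base under a r/w change partition, with F9 factory reset wiping the r/w side) is modelled here as an added example; it is not code from the thread or from the Eee PC itself, and the whiteout prefix, paths and file contents are constructed for illustration.

```python
class UnionFS:
    """Read-only base layer plus a writable change layer, resolved top-down."""

    WHITEOUT = ".wh."  # assumed marker prefix the r/w layer uses to hide a base file

    def __init__(self, base):
        self.base = dict(base)  # factory image: path -> content, never written to
        self.upper = {}         # r/w partition: every change lands here

    def read(self, path):
        if self.WHITEOUT + path in self.upper:
            raise FileNotFoundError(path)   # hidden by a whiteout in the r/w layer
        if path in self.upper:
            return self.upper[path]         # change layer shadows the base copy
        if path in self.base:
            return self.base[path]
        raise FileNotFoundError(path)

    def write(self, path, content):
        self.upper.pop(self.WHITEOUT + path, None)  # un-hide if previously deleted
        self.upper[path] = content

    def delete(self, path):
        self.upper.pop(path, None)
        if path in self.base:               # base is read-only, so mask it instead
            self.upper[self.WHITEOUT + path] = None

    def exists(self, path):
        try:
            self.read(path)
            return True
        except FileNotFoundError:
            return False

    def factory_reset(self):
        """The F9 menu option: wipe the r/w partition; the base is untouched."""
        self.upper.clear()


# Constructed sample factory image; paths and contents are illustrative only.
FACTORY = {"/bin/true": "#!/bin/sh\nexit 0\n", "/etc/hosts": "127.0.0.1 localhost\n"}


def demo():
    fs = UnionFS(FACTORY)
    fs.write("/etc/hosts", "127.0.0.1 localhost\n10.0.0.5 intranet\n")  # config change
    fs.write("/home/user/notes.txt", "my data")                        # user data
    fs.delete("/bin/true")          # "deleting" a base file only masks it in r/w
    watched = ("/etc/hosts", "/home/user/notes.txt", "/bin/true")
    before = {p: fs.exists(p) for p in watched}
    fs.factory_reset()              # mods, data and the whiteout all disappear
    after = {p: fs.exists(p) for p in watched}
    return before, after, fs.read("/etc/hosts")
```

Everything that survives the reset is, by construction, whatever was in the base image, which is why a change that persists across F9 would have to reach that partition before the union is assembled.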