ok so let’s start with the exploits. Exploit is a bug (problem) in a piece of software that when… umm… “abused” (well the word is just exploited) it allows you to do stuff that you shouldn’t. An exploit could be live from your browser to the program you use to zip files. The top 2 reasons to use an exploit is to either get initial foothold on a machine (e.g. an exploit in a browser that would allow an attacker to execute arbitrary code when you visit their page or an exploit in winrar that when you open a zip file executes code)
From the attackers perspective, you got in, nice. Mind you you got in through means that have nothing to do with windows (and that’s true most times, especially on desktops). but now? what?
You hacked into the machine for a reason! You might wanna grab the browser cookies (giving you direct access to the accounts that the victim is logged into), grab some files, screenshots, passwords
That’s where the AV kicks in. After the initial exploit the malware behaves like a normal program. But not completely. Assuming that the AV hasn’t seen the same exact malware before (which would an insta kick ban) it’s going to see a random process accessing files in chrome’s directory. HUH. ISNT THAT SOMETHING. quarantined.
Wanna start listening to each and every keystroke? quarantined
Meanwhile the way that the exe ended up in your system was not through an installer, you don’t provide an uninstaller and it was downloaded from www.xXxveryNicEsiteyou.got. HUUUUUUUH
the whole process is a bit simplified of course, but it captures the general idea
So why does linux not have an AV?
FUCK IF I KNOW! It would be very, VERY useful. Writing malware that bypasses AV is an art of its own. Can be done for sure, but it’s an extra step and it’s not fun
background: used to get paid to do shit like that (legally, pentest) and it’s a fun hobby (writing code around it, not hacking people)
Makes sense! I guess without an antivirus there’s no way of distinguishing legitimate activity from illegitimate activity at the system level when dealing with downloaded programs. Also, my Voyager app decided that your “link” was actually a link and tried to make an embed lol
I’ve never even considered ClamAV.
I have the idea that it’s just a malware signature DB (changing the signature of a binary is almost as simple as recompiling it with a bit different variables)
Am I incorrect? does it have heruistics/active scanning?
It is pretty exclusively a file scanner, but that, combined with Linux’s privilege separation, any decent firewall and not willfully executing untrusted files is enough for most cases, I would say.
what kind of privilege separation? you’re talking about containers/namespaces?
cause as it is linux desktop has 1 unprivileged user and that’s it. from an attackers perspective privilege escalation is irrelevant - you have access to the screen, keyboard, browser, files. there really is nothing left to gain from gaining root
and if you have any reason to gain root, it’s super easy by just replacing sudo with an alias in .bashrc you’ve got the user’s password
We REALLY need sandboxing and soon, that’s why I want to give fedora silverblue a try but my hopes are quite low
btw windows is in a bit of a better place and M1 mac is in much better place
I’ve not looked into fire jail in depth but I’ve read lots and lots of bad takes on it
What we need is docker with a better graphics integration, in terms of both ease of use and security. maybe wayland can help in that (cause with X you just forward the whole management socket and that’s it, anyone can draw anything)
There’s a chance that snap has done it right (I know that everyone hates it but there’s a CHNACE that they got it right in terms of security and ease of use)
flatpak “is not enough” since the controls it gives you are not enough. first you need flatseal to disable stuff per application and the defaults aren’t good enough and steam for example REQUIRES access to the whole home folder which defeats the whole purpose
ok so let’s start with the exploits. Exploit is a bug (problem) in a piece of software that when… umm… “abused” (well the word is just exploited) it allows you to do stuff that you shouldn’t. An exploit could be live from your browser to the program you use to zip files. The top 2 reasons to use an exploit is to either get initial foothold on a machine (e.g. an exploit in a browser that would allow an attacker to execute arbitrary code when you visit their page or an exploit in winrar that when you open a zip file executes code)
From the attackers perspective, you got in, nice. Mind you you got in through means that have nothing to do with windows (and that’s true most times, especially on desktops). but now? what?
You hacked into the machine for a reason! You might wanna grab the browser cookies (giving you direct access to the accounts that the victim is logged into), grab some files, screenshots, passwords
That’s where the AV kicks in. After the initial exploit the malware behaves like a normal program. But not completely. Assuming that the AV hasn’t seen the same exact malware before (which would an insta kick ban) it’s going to see a random process accessing files in chrome’s directory. HUH. ISNT THAT SOMETHING. quarantined.
Wanna start listening to each and every keystroke? quarantined
Meanwhile the way that the exe ended up in your system was not through an installer, you don’t provide an uninstaller and it was downloaded from www.xXxveryNicEsiteyou.got. HUUUUUUUH
the whole process is a bit simplified of course, but it captures the general idea
So why does linux not have an AV? FUCK IF I KNOW! It would be very, VERY useful. Writing malware that bypasses AV is an art of its own. Can be done for sure, but it’s an extra step and it’s not fun
background: used to get paid to do shit like that (legally, pentest) and it’s a fun hobby (writing code around it, not hacking people)
Makes sense! I guess without an antivirus there’s no way of distinguishing legitimate activity from illegitimate activity at the system level when dealing with downloaded programs. Also, my Voyager app decided that your “link” was actually a link and tried to make an embed lol
exactly!
sorry if I overexplained/oversimplified a bit but I didn’t want to make assumptions ☺️
I can recommend running ClamAV, if anyone is looking for a good one that runs on Linux.
I’ve never even considered ClamAV. I have the idea that it’s just a malware signature DB (changing the signature of a binary is almost as simple as recompiling it with a bit different variables)
Am I incorrect? does it have heruistics/active scanning?
It is pretty exclusively a file scanner, but that, combined with Linux’s privilege separation, any decent firewall and not willfully executing untrusted files is enough for most cases, I would say.
what kind of privilege separation? you’re talking about containers/namespaces?
cause as it is linux desktop has 1 unprivileged user and that’s it. from an attackers perspective privilege escalation is irrelevant - you have access to the screen, keyboard, browser, files. there really is nothing left to gain from gaining root
and if you have any reason to gain root, it’s super easy by just replacing sudo with an alias in .bashrc you’ve got the user’s password
We REALLY need sandboxing and soon, that’s why I want to give fedora silverblue a try but my hopes are quite low
btw windows is in a bit of a better place and M1 mac is in much better place
If you want sandboxing, isn’t firejail pretty exactly what you’re looking for?
I’ve not looked into fire jail in depth but I’ve read lots and lots of bad takes on it
What we need is docker with a better graphics integration, in terms of both ease of use and security. maybe wayland can help in that (cause with X you just forward the whole management socket and that’s it, anyone can draw anything)
There’s a chance that snap has done it right (I know that everyone hates it but there’s a CHNACE that they got it right in terms of security and ease of use)
flatpak “is not enough” since the controls it gives you are not enough. first you need flatseal to disable stuff per application and the defaults aren’t good enough and steam for example REQUIRES access to the whole home folder which defeats the whole purpose