On Thu, 10 Jul 2008 01:25:00 +0200, Carlos E. R. wrote:
>> But if those things have to be initiated by the user - just like a virus - then why do we need AA? We didn't need it 5 years ago, right?
>
> AA is initiated by the admin, not the user. It does not protect programs, but services.
>
>> And services are....*programs*, right?
>
> Yes, but not any program. AA would be very difficult to apply, say, to oowriter.

Sure, that's kinda the point. AA does a very good job for what it's designed for; protecting documents isn't what it's designed for. There are a couple of cross-platform macro viruses, including one (proof of concept, I know) for OpenOffice.

> For example, if postfix is compromised and suddenly wants to create a new user (write to /etc/passwd), the profile will not allow it.

Sure. And how exactly would Postfix decide to do something like this? Wouldn't it have to run some sort of executable code to do something like this - something that's not in its normal behaviour patterns to do?

> It could be in memory, a buffer overflow hack. It could be the main program or a child. Not important.

But it is important. Many people here are saying "you have to explicitly make the file executable before running it" - but a buffer overflow or something similar is a way around that without the user knowing. Then the thing attaches itself to a file already flagged executable - or writes itself out to the filesystem and makes itself executable. No user intervention needed.

> This is something an antivirus will not detect and avoid, unless it is a previously known _binary_ pattern.

Yes. And there is value in looking for *known* threats. rkhunter works based on previously known patterns, not the unknown. Or are you saying that we should kill off rkhunter as well because it only looks for known threats?

> No, I'm pointing out the difference and the difficulty. Searching for patterns will seldom protect against new types of attacks.

It doesn't hurt to focus on the *known* types of attacks. Is it hard to protect against new types of attacks? Sure. Has that ever stopped the Linux community? Not that I know of. That doesn't reduce the value of looking for *known* threats. If you know someone's going to commit an armed robbery, you don't say "oh, it's a known threat, I don't have to deal with it". You call the police and you *deal* with the threat.

> AA was designed for Linux and for the kinds of attacks Linux suffers. Antivirus software was designed for the attacks Windows suffers.

And it's fair to say that Linux will never ever ever *ever* suffer the type of attacks Windows suffers? *ever*?

> I have been seeing that argument for at least ten years, and it hasn't happened.

Absence of evidence is not evidence of absence. Again, can you *guarantee* it will *never ever happen*?

Jim

-- 
Jim Henderson
Please keep on-topic replies on the list so everyone benefits
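The postfix-and-/etc/passwd scenario Carlos describes above, written out as an AppArmor profile fragment. This is an added illustration for readers of the thread, not a profile from openSUSE or from the Postfix project, and the daemon path is a placeholder (real Postfix ships several daemons, each with its own profile). The point it shows: a profiled program is confined by default, so a compromised daemon cannot write /etc/passwd (or exec anything not listed) simply because no rule grants that, whatever code got injected via a buffer overflow; the explicit audit deny lines only make the attempt stand out in the kernel log.

```apparmor
# Added illustration, not a shipped profile. Path is a placeholder.
#include <tunables/global>

/usr/lib/postfix/smtpd {
  #include <abstractions/base>
  # nameservice grants read-only access to /etc/passwd, /etc/hosts, resolver config
  #include <abstractions/nameservice>

  # The only places this daemon is allowed to write are its own queue directories.
  /etc/postfix/**         r,
  /var/spool/postfix/**   rw,

  # Nothing above grants 'w' on /etc/passwd, so a write is refused already.
  # Marking it audit+deny makes a compromised daemon's attempt obvious in the log.
  audit deny /etc/passwd  w,
  audit deny /etc/shadow  w,

  # No exec rule is present, so the confined process cannot launch a payload it
  # wrote to disk and chmod'ed, even though the file bit is set.
}
```

With a profile like this in enforce mode, the "make it executable and run it" step from the discussion is blocked by the profile rather than by the user's diligence, and the denied access shows up as an apparmor DENIED entry in the kernel audit log, which is where a defender would look for it.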