Security for windows 2000 enough?


I am not attempting to persuade you of the opposite at all :), I am simply telling you that Linux antivirus programs are usually going to scan "files", including (actually mainly targeting) Windows viruses.

Their use is mainly to avoid that "infected files" pass through a Linux server.

If you prefer, the Linux Antivirus programs that you can find will all look for (and hopefully find) Windows viruses, another example, JFYI:

http://www.eset.com/us/home/products/nod32-for-linux/

Uniquely designed for Linux

No Operating System is completely safe. Even though the Linux platform may not have as many threats as other platforms and is targeted directly, it can still act as a malware carrier and cause serious damage to Windows-based systems in the network.

jaclaz



Well, it may be so, perhaps you are right. Yet I would use an antivirus program for Windows to check a Windows partition, just to be sure.

Perhaps? :unsure::w00t:

No one ever said that you should use a Linux system to scan a Windows partition (though you can), you stated (twice) that Linux antivirus programs only look for "Linux viruses", and you were shown how these statements were inaccurate.

jaclaz


As the Linux kernel doesn't support NTFS r/w by default, there are many different NTFS drivers that work quite fine for most tasks, but I don't find it very clever to mess with an NTFS partition from Linux, especially to find viruses that might sometimes hide in alternate data streams.

Taken from the latest kernel source Kconfig file:

bool "NTFS write support"
depends on NTFS_FS
help
This enables the partial, but safe, write support in the NTFS driver.

The only supported operation is overwriting existing files, without
changing the file length. No file or directory creation, deletion or
renaming is possible. Note only non-resident files can be written to
so you may find that some very small files (<500 bytes or so) cannot
be written to.

While we cannot guarantee that it will not damage any data, we have
so far not received a single report where the driver would have
damaged someones data so we assume it is perfectly safe to use.

Note: While write support is safe in this version (a rewrite from
scratch of the NTFS support), it should be noted that the old NTFS
write support, included in Linux 2.5.10 and before (since 1997),
is not safe.

This is currently useful with TopologiLinux. TopologiLinux is run
on top of any DOS/Microsoft Windows system without partitioning your
hard disk. Unlike other Linux distributions TopologiLinux does not
need its own partition. For more information see
<http://topologi-linux.sourceforge.net/>

It is perfectly safe to say N here.


As the Linux kernel doesn't support NTFS r/w by default, there are many different NTFS drivers that work quite fine for most tasks, but I don't find it very clever to mess with an NTFS partition from Linux, especially to find viruses that might sometimes hide in alternate data streams.

Because the Linux NTFS drivers via FUSE that the whole world has senselessly been using for several years do not see Alternate Data Streams, right? :unsure:

http://www.tuxera.com/community/ntfs-3g-manual/

http://www.tuxera.com/community/ntfs-3g-manual/#5

http://www.tuxera.com/community/ntfs-3g-faq/


jaclaz


I never said that. Ntfs-3g is the best choice right now to read/write files on an NTFS partition, but I still wouldn't use it for AV scanning.

As any malware intends to protect itself from being cleaned, there is always a chance that it could mess with the file system and/or any other thing (MBR/boot sector/BIOS/UEFI), so I wouldn't push my luck by trying to clean it from another OS unless I don't have any other choice. That's all I wanted to say.


Well, it may be so, perhaps you are right. Yet I would use an antivirus program for Windows to check a Windows partition, just to be sure.

While not being specific about antivirus, it is better to do scans from Linux because there is a chance that viruses get hidden from antivirus for Windows.


I'm going to talk about Kaspersky because I have used it some time ago. When it runs installed in a Windows environment, you can make a live CD/DVD (from the installed Kaspersky) to scan your computer in case "Kaspersky for Windows" didn't find anything or Windows got scr**ed by some kind of virus. Well, this "live CD" runs only on Linux; if you try it, you'll notice when it starts loading Linux modules.


So, what you stated, "an antivirus for Linux would check for Linux viruses", is not right, and the best option to check for viruses in Windows is from Linux, because the virus can't hide or protect itself in any running process (sometimes these viruses run their own modules as a service to protect themselves from antivirus; I can't remember a name to tell, but there are many of them acting like that).


I never said that. Ntfs-3g is the best choice right now to read/write files on an NTFS partition, but I still wouldn't use it for AV scanning.

As any malware intends to protect itself from being cleaned, there is always a chance that it could mess with the file system and/or any other thing (MBR/boot sector/BIOS/UEFI), so I wouldn't push my luck by trying to clean it from another OS unless I don't have any other choice. That's all I wanted to say.

Well, yes and no, IMHO.


Meaning yes :yes:, it is logical (and practical) to use "native" tools to do "native" work, but no :no:, in some cases it is needed to use an "alien" tool.

I will even go further, affirming that when you access an NTFS (or more generally *any*) filesystem with "external" tools you usually have the possibility to access things/parts that would otherwise be inaccessible. (This is more about filesystem/file recovery than actual antivirus.)


To "clean" an infected system, the "common" and "logical" (and easier) choice is to run a "full scan" from the antivirus installed on the actual system, but you will have a number of things "running in the background" that may prevent you from completely cleaning/repairing it.

The next "common" and "logical" thing would be to scan the disk from a PE of some kind, that already gives an added degree of freedom.

Still, the possibility to do a scan from a "completely alien" OS guarantees that *nothing* on the infected machine can be executed, not even by chance or by mistake.

I do agree that it is not the "first" thing to do, as the other two mentioned ways will work in - say - 98.34% of cases, but still it is something that should not be considered a "last chance", but rather a concrete possibility.


jaclaz


To "clean" an infected system, the "common" and "logical" (and easier) choice is to run a "full scan" from the antivirus installed on the actual system, but you will have a number of things "running in the background" that may prevent you from completely cleaning/repairing it.

The next "common" and "logical" thing would be to scan the disk from a PE of some kind, that already gives an added degree of freedom.

Still, the possibility to do a scan from a "completely alien" OS guarantees that *nothing* on the infected machine can be executed, not even by chance or by mistake.

I do agree that it is not the "first" thing to do, as the other two mentioned ways will work in - say - 98.34% of cases, but still it is something that should not be considered a "last chance", but rather a concrete possibility.

jaclaz

I agree on the order, but remember that Windows features (like sfc) might be useful in some cases (of course, most people here don't use it and prefer to even disable it to be able to use custom system files).

Here is an example of a dangerous usage of a Linux AV (of course, as it is an example, it happens after a human error):

- the Linux antivirus detects a critical Windows boot file as a virus (commonly called a false positive) and removes or quarantines it.

- your Windows won't boot anymore.

- In that case, a Windows antivirus might not have been able to remove it, and/or an event should be logged in the event log; and in the event it had been removed, an sfc /scannow might solve the problem when you get the removal notification.

So as usual, if you're knowledgeable enough (and have the time), you don't really need an antivirus (either on Linux or on Windows). But if you want a simple way of protecting your computer, a Windows antivirus will be a lot easier to handle.

Also, I know very few people who would be able to handle Linux and master the Windows filesystem properly (that isn't proof of anything in itself).


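The two risks the thread keeps circling back to are, first, that an offline scan from an "alien" OS is the only way to be sure nothing on the infected disk runs, and second, that a false positive from such a scan can delete a boot-critical Windows file with no event log and no sfc to fall back on. The script below is an added example, not code from this thread or from any antivirus product: it is a small reversible-quarantine helper for a scan run against a Windows volume mounted offline (say under Linux via ntfs-3g). Detections on a short, illustrative protected list of boot-critical paths (an assumption, not a complete inventory) are only logged, never moved; everything else is moved into a quarantine directory and recorded in a manifest with its SHA-256 so it can be restored verbatim if the detection turns out to be wrong. The mount point, file names and file contents in `run_demo()` are constructed for the demonstration.

```python
"""Reversible quarantine for offline scans of a mounted Windows volume (added example)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path, PureWindowsPath

# Assumption: a short, illustrative list of boot-critical paths relative to the
# Windows volume root. A real deployment would maintain a complete, versioned list.
PROTECTED = {
    PureWindowsPath("bootmgr"),
    PureWindowsPath("Boot/BCD"),
    PureWindowsPath("Windows/System32/ntoskrnl.exe"),
    PureWindowsPath("Windows/System32/winload.exe"),
}


def is_protected(volume_root: Path, path: Path) -> bool:
    """True if `path` (under `volume_root`) is on the protected list.
    NTFS names are case-insensitive, so the comparison is done in lower case."""
    rel = PureWindowsPath(*path.relative_to(volume_root).parts)
    return any(str(rel).lower() == str(p).lower() for p in PROTECTED)


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(volume_root: Path, detections: list[Path], qdir: Path) -> list[dict]:
    """Move each detected file into `qdir`, recording its original path and hash.
    Protected files are logged as 'skipped_protected' and left untouched.
    Returns the manifest, which is also written to qdir/manifest.json."""
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for n, f in enumerate(detections):
        entry = {"original": str(f), "sha256": sha256_of(f)}
        if is_protected(volume_root, f):
            entry["action"] = "skipped_protected"  # a false positive here would break boot
        else:
            dest = qdir / f"{n:04d}_{f.name}"
            shutil.move(str(f), str(dest))  # move, never delete: the file stays recoverable
            entry.update(action="quarantined", stored_as=str(dest))
        manifest.append(entry)
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(entry: dict) -> bool:
    """Put a quarantined file back, but only if the stored copy still matches
    the hash recorded at quarantine time (refuse to restore an altered file)."""
    if entry.get("action") != "quarantined":
        return False
    stored = Path(entry["stored_as"])
    if sha256_of(stored) != entry["sha256"]:
        return False
    Path(entry["original"]).parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(stored), entry["original"])
    return True


def run_demo() -> dict:
    """Constructed scenario: one boot-critical false positive and one real detection."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp) / "mnt" / "win"  # stands in for the offline-mounted Windows volume
        (vol / "Windows" / "System32").mkdir(parents=True)
        (vol / "Users" / "bob").mkdir(parents=True)
        boot = vol / "Windows" / "System32" / "winload.exe"
        boot.write_bytes(b"MZ constructed stand-in for a boot loader")
        dropper = vol / "Users" / "bob" / "dropper.exe"
        dropper.write_bytes(b"MZ constructed stand-in for a detected file")
        original_hash = sha256_of(dropper)

        manifest = quarantine(vol, [boot, dropper], Path(tmp) / "quarantine")
        removed = not dropper.exists()  # real detection was moved out of the volume
        restored = restore(manifest[1])  # operator decides it was a false positive
        return {
            "actions": [e["action"] for e in manifest],
            "boot_intact": boot.exists(),
            "removed_after_quarantine": removed,
            "restored": restored,
            "hash_match_after_restore": dropper.exists() and sha256_of(dropper) == original_hash,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The protected-list check is deliberately a skip-and-log rather than a hard error, so the scan still reports the detection (mirroring the "event should be logged" point above) while leaving the decision to remove a boot file to a human who can run sfc afterwards. The hash check in `restore()` is what makes the quarantine trustworthy: a file is only put back if it is byte-for-byte what was taken out.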