Anti-virus/malware

Should I install an antivirus program in Qubes?
I know I would use a template for the install.

I have a qube I use for email and browsing my trusted sites, and another qube I use for temporary files before moving them.
I feel like I want these things scanned. Does that make sense, or is Qubes already secure enough that I don’t need it?

Also, any recommendations for antivirus/malware package?

Thanks,
Jon

Hi. Quoting from the FAQ:

Aren’t antivirus programs and firewalls enough?

Unfortunately, conventional security approaches like antivirus programs and (software and/or hardware) firewalls are no longer enough to keep out sophisticated attackers. For example, nowadays it’s common for malware creators to check to see if their malware is recognized by any signature-based antivirus programs. If it’s recognized, they scramble their code until it’s no longer recognizable by the antivirus programs, then send it out. The best of these programs will subsequently get updated once the antivirus programmers discover the new threat, but this usually occurs at least a few days after the new attacks start to appear in the wild. By then, it’s too late for those who have already been compromised. More advanced antivirus software may perform better in this regard, but it’s still limited to a detection-based approach. New zero-day vulnerabilities are constantly being discovered in the common software we all use, such as our web browsers, and no antivirus program or firewall can prevent all of these vulnerabilities from being exploited.

The security guarantee you have with Qubes is that compartments are well isolated. Unknown security flaws could still break that, but it is far less likely than on a typical system.

What Qubes doesn’t do is provide security within each compartment. That’s beyond the scope of the Qubes project. This is where you have space to add an extra layer of security. Antivirus software could contribute to this, but as the quote argues, AV software isn’t really well suited today. However, other security methods may be non-trivial for newcomers (not sure if that’s your case) and the security effects may not be too significant.

So my suggestion would be for you to start off doing effective compartmentalization, for example using the idea of domains. Instead of just having a work qube, have a:

  • work-mail
  • work-documents
  • etc.

Whatever you feel comfortable with. This way you’re relying on Qubes’ mechanisms to make you safe.

You can also look into split-* implementations. These allow you to have sensitive information securely and persistently stored in one qube and then have another qube that manually requests this information. Examples include:


Thank you deeplow,
I’m new to Qubes and rethinking my domains as I work in it.
I’ve implemented split-gpg and will look into the others. Thanks for those pointers.
Jon


This. I have used Sophos AV in some of my template VMs in the past. It has been neither helpful nor harmful. If one is prioritizing their choices by impact, I would not rate deploying endpoint protection high on that list.

I’ve never been a fan of running an AV solution in a Linux environment. AV (at a basic level) looks for signatures/hashes of things it knows. If the AV provider has not seen a virus before - or maybe the virus uses metamorphic techniques - then the AV is just going to not even know it exists (generally!). There are good examples of viruses that will fly right under the noses of the Linux AV detection engines for literally years (such as RotaJakiro).

In my personal view, IDS is a good approach along with making sure you keep your QubesOS and templates up to date with the latest sec patches and updates. Couple this with attestation of BIOS and kernel/initrd/boot parameters (such as Heads firmware, or Anti Evil Maid if you don’t want to mess with BIOS/don’t have a compatible machine) and you have a pretty robust solution.


Some Linux AVs, maybe. Most ‘free’ AVs on the market today have heuristics built in on top of sending any unsigned, unseen exe to the cloud for analysis. Most of them outgrew being “just” AVs and became full anti-hacker solutions combining anti-malware engines with firewalls, sandboxing and sometimes very low-level anti-exploitation techniques. In that process they became MUCH better at being an IDS than the traditional IDS you seem to be describing here.

Thanks, my system is a Librem Mini from Purism with BIOS protection in the form of their Librem Key, so I’m pretty comfortable there. IDS and fuller AV/malware programs per billystonka’s comments are my next thing to mull over.

Then you are already using Heads firmware :wink: That’s what Librem firmware is; they just use the HOTP version with the Librem Key.

Like I said, and others in the sec space point out, antivirus on Linux isn’t the best. I find it most useful for scanning FTP uploads to shared hosting platforms, not so useful on individual qubes if an IDS is in place. I personally feel billystonka is being a bit overconfident saying “most of them…” are “full anti hacker solutions” - they scan for signatures of known viruses. Some are a bit more advanced and use sandboxing/VMs to check what a program does when it runs, and if it does something unsavory, flag it up. But there are viruses out there that are metamorphic and deliberately change themselves and their behaviors when sandboxed. I also love when people say “send to the cloud for analysis” - that is generally borged marketing speak for “runs in a virtual machine on an AWS instance” and “we submit samples to VirusTotal”.

I mean, each to their own. If you or any others put stock in virus checkers under Linux, go for it. My feeling is, and always will be, that a threat advanced enough to get to you through a qube, while running QubesOS and attested firmware/neutered ME, signed kernel/initrd and some form of IDS and rkhunter on the template, is highly unlikely to see a COTS Linux AV solution as a challenge.


a threat advanced enough to get to you through a qube, while running QubesOS and attested firmware/neutered ME, signed kernel/initrd and some form of IDS and rkhunter on the template, is highly unlikely to see a COTS Linux AV solution as a challenge.

Do you think it is worth having rkhunter in the template?
The reasoning being:

  • the template is minimally exposed to the internet (only for updates through signed packages)

  • the AppVM can (most will) be exposed to the internet, but any changes to the root filesystem are discarded.

  • if there is a place to look for a rootkit, then it must be in dom0 (I think)

I personally do; some may not. It’s just a personal preference. My thinking is that if anything manages to compromise the template via a compromised update (let’s say a valid, signed update was actually compromised on the developer’s side) and that is used to inject a rootkit into my template, then it will show up. Probably overkill, but I do it.

That would be an attack worth reverse engineering.