Are there any advantages of using clamav, LMD, and chkrootkit on qubes? In other forums it seems controversial. I am not a high value target and will probably never be targeted by nation state actors. I just want to protect not only myself but other people I send documents to who may not have qubes.
I’ve looked into commercial AV products too like bitdefender. Besides the potential data mining, would any commercial licenses be of any benefit vs clamav?
An antivirus could help, it may save you one day and it doesn’t cost much to run it. It may never catch anything though and clamav isn’t known to be super effective, but still, if it helps once you may want to run it. It’s more useful against stupid mistakes like downloading an infected file, and certainly won’t help against advanced threats, but it’s not its job.
IDS (Intrusion Detection System) are much less useful IMO for Qubes OS users, especially on Qubes OS where most of the system is inherited from a template that is refreshed at every boot. They would only be useful if you actually know how to make use of them.
On mailservers such scanners are possibly good. DNS filtering widely known malicious domains helps, too. But a scanner on the client/endpoint? I’d consider this “snake oil”:
It adds complexity (and therefore attack surface).
It’s of no use, because even if malware is detected you can’t know what it did so far. The bad guy is in the house. I’d assume any system with malware on it as pwned. “Please reinstall.”
You can’t even calculate risks since it just “prevents” only what it knows (by signature or functional analysis). But you can’t know what it doesn’t. Those numbers aren’t static.
All in all: Would you put/attach the padlock on/to the gold bars? Or would you rather put the gold bars in a safe? (And some stone walls around …)
Ok. As long as there is no automation magic (indexing file types, opening previews, calculating thumbnails etc.) going on maybe only lesser things (if any) could happen. But here comes the av scanner … this scanner scans e.g. PDF files, even if I don’t have a PDF viewer installed at all. Then I would have been safe from attacks via PDF without antivirus, and only through the antivirus does a PDF parser come into play, which, like any parser code, is potentially vulnerable … some malware relies solely on those scanners. “Our scanner detects a bazillion of $EVILTYPEs.” Well … you all are welcome.
Just out of curiosity, can LMD, Clamav, chkrootkit, or rootkithunter be exploited using administrator privileges? Wondering if the additional attack surface is worth it.
Some programs like aide or rkhunter are just run occasionally so there is no risk of abuse.
clamav is a daemon that is always running, but it has a dedicated daemon user with restricted privilege, system users can send it files for analysis. If clamav is compromised, it can only do things on files that get analyzed, but it can’t modify them and return to the user either.
In an ideal setup, clamav doesn’t have network access, it has another daemon with another dedicated user, both named “freshclam” that can access network to fetch updates to feed clamav.
Okay, but… I still want to use ClamAV to scan files on demand. I am aware of its limitations; I have disabled the specific parsers for PDF files, images, XML documents, SWF objects, and HTML documents, among other things.
I have clamd running on an AppVM with no network access. It gets its virus definitions from a local mirror on the same physical Qubes installation, in another AppVM, running cvdupdate update and cvdupdate serve. Then I have clamdscan running on my other Qubes, and forwarding files to the dedicated clamd VM via the Qubes port forwarding / policy mechanism (which is really neat, by the way!).
I understand that ClamAV cannot completely prove the absence of a virus, only the presence of one (more or less). It still helps me feel slightly more at ease to scan downloads before I install them. Is that such a bad idea?
Also, would anyone be interested in my write-up of how I set up my system to do all of the above? Note that it’s not very automated; I have to initiate both scans and updates myself, as it currently stands.
I hope I’m not just beating a dead horse here. Feel free to let me know if I am. Thanks!
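The two posts above describe the setup in words: clamd under its own user, no network in the scanning qube, and the PDF/HTML/image/XML/SWF parsers switched off. The script below is an added example, not from the thread or the ClamAV project, that audits a clamd.conf for exactly those points and shows a default-style config beside a hardened one. The directive names (ScanPDF, ScanHTML, ScanSWF, ScanXMLDOCS, ScanOLE2, ScanMail, TCPSocket, TCPAddr) are real clamd.conf options; ScanImage exists only in newer ClamAV releases; the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a clamd.conf for the parser surface and
# network exposure discussed above. Directive names are real clamd.conf options; the
# sample configs below are constructed for illustration.

# Parsers the post above disables for an on-demand scanner (each defaults to "yes").
RISKY_PARSERS="ScanPDF ScanHTML ScanSWF ScanXMLDOCS ScanImage ScanOLE2 ScanMail"

# clamd_option FILE NAME: effective value of NAME (last uncommented line wins), or "unset".
clamd_option() {
  awk -v k="$2" '$1 == k { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# audit_clamd_conf FILE: print one "RISK:" line per finding; exit status 0 only when clean.
audit_clamd_conf() {
  findings=0
  for opt in $RISKY_PARSERS; do
    v=$(clamd_option "$1" "$opt")
    case "$v" in
      no|false|0) ;;                                   # explicitly disabled: fine
      *) echo "RISK: $opt=$v (parser enabled)"; findings=$((findings + 1)) ;;
    esac
  done
  # clamdscan --stream needs a TCPSocket; when traffic arrives through qvm-connect-tcp
  # the daemon only ever needs to listen on loopback.
  if [ "$(clamd_option "$1" TCPSocket)" != unset ] &&
     [ "$(clamd_option "$1" TCPAddr)" != 127.0.0.1 ]; then
    echo "RISK: TCPSocket set but TCPAddr is not 127.0.0.1"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample configs: one close to the defaults, one hardened as in the post.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
User clamav
TCPSocket 3310
ScanPDF yes
# ScanHTML no   (commented out, so the default "yes" still applies)
EOF
cat >"$HARD_CONF" <<'EOF'
User clamav
TCPSocket 3310
TCPAddr 127.0.0.1
ScanPDF no
ScanHTML no
ScanSWF no
ScanXMLDOCS no
ScanImage no
ScanOLE2 no
ScanMail no
EOF

echo "== weak =="; audit_clamd_conf "$WEAK_CONF" || true
echo "== hardened =="; audit_clamd_conf "$HARD_CONF" && echo "clean"
```

Run it against the real /etc/clamav/clamd.conf in the scanning qube; a commented-out directive counts as enabled because clamd falls back to its built-in default.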