Antivirus, clamav, LMD, chkrootkit

Hey there,

are there any advantages of using clamav, LMD, and chkrootkit on qubes? In other forums it seems controversial. I am not a high value target and will probably never be targeted by nation state actors. I just want to protect not only myself but other people I send documents to who may not have qubes.

I’ve looked into commercial AV products too like bitdefender. Besides the potential data mining, would any commercial licenses be of any benefit vs clamav?

Thanks.

Hi,

An antivirus could help, it may save you one day and it doesn’t cost much to run it. It may never catch anything though and clamav isn’t known to be super effective, but still, if it helps once you may want to run it. It’s more useful against stupid mistakes like downloading an infected file, and certainly won’t help against advanced threats but it’s not its job :slight_smile:

IDS (Intrusion Detection System) are much less useful IMO for Qubes OS users, especially on Qubes OS where most of the system is inherited from a template that is refreshed at every boot. They would only be useful if you actually know how to make use of them.

4 Likes

On mailservers such scanners are possibly good. DNS filtering widely known malicious domains helps, too. But a scanner on the client/endpoint? I’d consider this „snake oil“:

  1. It adds complexity (and therefore attack surface).
  2. It’s of no use, because even if malware is detected you can’t know what it did so far. The bad guy is in the house. I’d assume any system with malware on it as pwned. „Please reinstall.“
  3. You can’t even calculate risks since it just „prevents“ only what it knows (by signature or functional analysis). But you can’t know, what it doesn’t. Those numbers aren’t static.

All in all: Would you put/attach the padlock on/to the gold bars? Or would you rather put the gold bars in a safe? (And some stone walls around …)

I disagree, the antivirus purpose is to scan files before use.

Ok. As long as there is no automation magic (indexing file types, opening previews, calculating thumbnails etc.) going on maybe only lesser things (if any) could happen. But here comes the av scanner … this scanner scans e.g. PDF files, even if I don’t have a PDF viewer installed at all. Then I would have been safe from attacks via PDF without antivirus, and only through the antivirus does a PDF parser come into play, which, like any parser code, is potentially vulnerable … some malware relies solely on those scanners. „Our scanner detects a bazillion of $EVILTYPEs.“ Well … you all are welcome.

Just out of curiosity can LMD, Clamav, chkrootkit, or rootkithunter be exploited using administrator privileges? Wondering if the additional attack surface is worth it

Some programs like aide or rkhunter are just run occasionally so there is no risk of abuse.

clamav is a daemon that is always running, but it has a dedicated daemon user with restricted privilege; system users can send it files for analysis. If clamav is compromised, it can only do things on files that get analyzed, but it can’t modify them and return them to the user either.

In an ideal setup, clamav doesn’t have network access, it has another daemon with another dedicated user, both named “freshclam” that can access network to fetch updates to feed clamav.

1 Like
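As an added illustration of the separation described in the post above (not the poster’s configuration, and not shipped by the ClamAV project): two systemd drop-ins that keep the scanning daemon off the network while the updater keeps it. The unit names `clamd@scan.service` and `clamav-freshclam.service`, the `clamav` user, and the socket and database paths are package defaults on Fedora/Debian templates and are assumed here; check them against your template before use.

```ini
# /etc/systemd/system/clamd@scan.service.d/harden.conf
# (unit name assumed; list yours with: systemctl list-units 'clam*')
[Service]
# dedicated unprivileged account, as described in the post
User=clamav
Group=clamav
# empty network namespace: clamd can only be reached over its local Unix socket
# (breaks the setup if clamd.conf uses TCPSocket instead of LocalSocket)
PrivateNetwork=yes
NoNewPrivileges=yes
# whole filesystem read-only for the daemon except its socket directory
# (directory assumed; must match LocalSocket in clamd.conf)
ProtectSystem=strict
ReadWritePaths=/run/clamd.scan
# it may read files handed to it for scanning but can never write them back
ProtectHome=read-only

# /etc/systemd/system/clamav-freshclam.service.d/harden.conf
# (unit name assumed)
[Service]
User=clamav
Group=clamav
NoNewPrivileges=yes
# network deliberately left enabled: this is the only process that fetches signatures,
# and the only thing it may write is the signature database it feeds to clamd
ProtectSystem=strict
ReadWritePaths=/var/lib/clamav
ProtectHome=yes
```

After `systemctl daemon-reload`, `systemd-analyze security clamd@scan.service` shows what the sandbox still leaves open, and `clamdscan --fdpass` lets the client hand an open file descriptor to the daemon so it needs no read access to the user’s home at all.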

What if rkhunter and others are scheduled to run daily via crontab. Would there be any risk of abuse?

Page 644 seq. (It is the old 2nd edition, but still good enough. You‘d have to pay for the 3rd.)

If you are still not sure about the implications, read the chapter on multilevel security (and maybe APIs).

https://www.cl.cam.ac.uk/~rja14/book.html

2 Likes

Thanks