ClamAv: is anyone paying attention?
Mario Vukelic
mario.vukelic at dantian.org
Sat Nov 18 23:06:00 UTC 2006
On Sat, 2006-11-18 at 22:40 +0000, Andy wrote:
> Symantec would disagree with you on that one:
> <http://www.symantec.com/security_response/writeup.jsp?docid=2001-032311-2042-99&tabid=1>
Not really. This is a worm; a virus scanner won't help you with that.
And it is old and while not harmless I figure it is pretty much dead. We
are talking about 0-2 (!) affected sites and 0-49 (!) infections
overall. I figure the hole it exploited has been closed for years.

Discovered: March 23, 2001
Updated: May 30, 2004 03:48:47 PM PDT
Type: Worm
Systems Affected: Linux

(...) dangerous Linux worm (...)

Threat Assessment

Wild
  * Wild Level: Low
  * Number of Infections: 0 - 49
  * Number of Sites: 0 - 2
  * Geographical Distribution: Low
  * Threat Containment: Easy
  * Removal: Easy

Damage
  * Damage Level: Medium

Distribution
  * Distribution Level: Low

> I have seen others as well
Me too, I searched the Symantec site when I wrote my statement. All
I found were conceptual or similarly harmless.
> Maybe we need an AV scanner, let's not get careless, again with more
> distros targeted at getting new users then it's only a matter of
> time before virus writers start attacking Linux, though it is more
> secure are you willing to bet on it being unbreakable?
As I said, diligence is called for, our favorite system certainly is
also vulnerable. But it makes little sense to create and install
scanners before there is a tangible threat. Without one, how do you even
know what to guard against? Plus, I highly doubt that virus scanners are
the way to go, it would make more sense to prevent outbreaks by fixing
bugs. Windows seems to be a lost cause in that regard so the only
solution is to heap after-the-fact services on top.
> So the fact the engine is outdated doesn't cause a problem? Oddly the
> ClamAV FAQ suggests that you shouldn't use outdated engines
Certainly it is always a good idea to be fully up-to-date, but read the
changelogs, there really seems little reason to get upset:

Release Name: 0.88.5
Notes: This version fixes a crash in the CHM unpacker and a heap
overflow in the function rebuilding PE files after unpacking.
Bugfixes:
  - libclamav/rebuildpe.c: fix possible heap overflow [IDEF1597]
  - libclamav/chmunpack.c: fix possible crash [IDEF1736]
  - freshclam/manager.c: "Cache-Control: no-cache" is now disabled by
    default. If you're behind a broken proxy you can recompile freshclam
    with --enable-no-cache.

Release Name: 0.88.6
Notes: Changes in this release include better handling of network
problems in freshclam and other minor bugfixes.
* Bugfixes:
  - freshclam: apply timeout patch from Everton da Silva Marques
    <everton*lab.ipaccess.diveo.net.br> (new options: ConnectTimeout and
    ReceiveTimeout)
  - clamd: change stack size at the right place (closes bug#103)
    Patch from Jonathan Chen <jon+clamav*spock.org>
  - libclamav/petite.c: sanity check the number of rebuilt sections (speeds
    up handling of malformed files)