
"I am sure you might have heard this many times that 'Linux doesn't need antivirus software,' but this is not the case anymore."

-- MS Defender for Linux, Android and iOS

https://thehackernews.com/2020/02/...

Well, that's a load to take in :D
How many of you fine lads have had a Linux virus on your personal devices (NOT servers)? Raise your hands and tell your stories! :D

Comments
  • 6
    It's not a bad antivirus, but no, I definitely don't really see the need. I imagine the target is Windows admins introducing all sorts of entropy and failure to Linux, like Active Directory, who need this sort of thing.
  • 2
    I'm interested to know how that is going to work on iOS given the whole sandboxed environment for apps.
  • 6
    At "transfer points" (file servers, email servers) it may even be useful.

    I currently have ClamAV on a personal device, but for testing and malware research and not for the classical "protection".

    Anyway, quotes in the article like
    '"The AI capabilities built into Microsoft Security solutions are trained on 8 trillion daily threat signals and the insights of 3,500 security experts. Custom algorithms and machine learning models make, and learn from, billions of queries every day," said Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group.'
    sound like absolute bullshit.

    'Despite the fact that the attack surface for Linux is much much smaller, Linux has its own share of vulnerabilities and malware threats, and you need proactive monitoring to keep your system safe.'
    Not sure if this is just bad citation (e.g. it is from Microsoft, but this isn't indicated at all), but it makes the article sound... not very reputable, especially without any proof for this conclusion.
    Additionally, "more threats = antivirus needed" may be a bit far-fetched (again, without proof).
  • 0
    How about the https://github.com/taviso/... community port of defender?
  • 3
    Kind of ironic that Microsoft announces this and, days before, we have this:

    https://thehackernews.com/2020/01/...

    You'd think they would first fix their own stuff before trying to move on to other areas.
  • 1
    I have never had any virus issues on GNU/Linux distros I've used (one had ClamAV tbf), so this MS AV for Linux is just a load of bullshit made to get their Extend (re. Embrace-Extend-Extinguish) phase progress.
  • 3
    Large companies that make AV software need to get together and get lectured for a full weekend to grind one simple fact into their skulls:

    Nobody buys a computer so they can run an antivirus. Stop writing antivirus software as if that is the case!
  • 1
    @bahua except most muggle people do :)
  • 1
    @netikras
    In for wizard aristocracy?
  • 2
    Antivirus on linux? Why?
    Maybe for file servers so Windows machines don't get infected, but it's otherwise pretty pointless.

    Oh, it's from Microsoft.
    Yeah, they have an ulterior motive. And they're going to implement it poorly anyway. Best to stay away.
  • 1
    @SortOfTested a true pureblood! It's not like I have a choice, you know..
  • 0
    Business I've found is more about having a long enough buffer to outlast the competition than it is about stable income.

    He who has the biggest war chest lasts the longest.
  • 1
    @Root distro repo becomes compromised and an update with malicious files is done, what's going to detect it at the PC level?

    hiding behind the mindset of "linux is safe" is like saying you can't die if you don't go outside.

    Ransomware already exists for *nix, malware is already distributed with dodgy packages, the only thing stopping linux from having a mass problem, is the lack of use by normies.
  • 3
    @C0D4 My apologies, but here I will raise an objection.

    Linux is not used by home users too much, sure, but over half the internet infrastructure runs on *nix systems. It isn't like nobody tries to hit those; a successful exploit on those systems can net millions to the attackers.

    The thing is, Microsoft's systems have different, *virus friendly* organization. You have the user accounts, the system account and the network account. If you get system account, it's game over. And, because most exploits actually elevate to system account...

    *nix systems, on the other hand, have multiple system accounts that severely limit a virus' spread. Firefox got hit? Too bad it's chroot-jailed. Unless the user does something stupid (like running as root) even an 0-day will have a hard time spreading (if the system is configured correctly). Windows has this monolithic approach, that can simplify configuration a bit, but...

    Oh, end of 1k char limit.
  • 0
    @C0D4
    I don't entirely disagree, but the average Windows strategy of having something that sits there and mucks with file watchers and reads memory signatures is a great way to dedicate 40% of your server hardware to antivirus. There's a middle ground (patching, usually).
  • 3
    @C0D4 In that case, it will already have deleted / disabled my antivirus service or installed a kernel module / custom kernel. Additionally, most vendors would either whitelist system binaries or the users would treat it as false positives.

    Whenever the OS is compromised by the distributor, you have lost - whatever AV you have, it will not protect you in this case.

    Additionally this is not hiding behind "Linux is safe", but risk management:
    - Attacks an antimalware can protect me against: malicious downloads, files sent by mail, or bad files in general (I ignore servers here)
    - The probability of this happening: How often do you download software from untrusted sources? Get unsafe documents by mail that affect Linux systems? How much Linux client malware is there?
    - What, in contrast, could be done instead: Only choose trusted sources; not enabling macros in LibreOffice
    - Downsides: Increased attack surface (AV needs root / kernel privileges); current AVs have a 15% slowdown on Linux due to their syscall filter (e.g. Eset); if it crashes, no syscall is possible anymore; high memory usage
  • 3
    @sbiewald @C0D4 @SortOfTested

    So, in conclusion, a good user is the best antivirus there can be?
  • 0
    @bladedemon
    Theoretically yes, but you will not get them.

    Realistically the administrators have to make sure the users can't misbehave (and those measures can often be more effective than antivirus)
  • 0
    @bladedemon I wonder how profitable or effective a white hat company would be that just trains or catches employees who fail to follow procedure? Like those pentest corps but just for phishing and other common practices?

    What's the value in terms of compliance gained from grapevine news that someone was caught via audit while opening unsafe email attachments?

    I imagine a lot of people would want to avoid looking gullible and foolish.

    Would this procedure be considered antisocial?
  • 1
    @Wisecrack Training alone does not work, this is proven.
    What does work are technical measures. Example: If the email server flags all external mails with [External], people are less likely to fall for phishing mails where the attackers try to impersonate colleagues.

    Interestingly, those people found during an "audit" will be the best at recognising phishing mails.
    Disciplinary actions or shaming (resulting from "failing" an audit) would be the worst possible action.

    Interesting talk ("Hacking brains", has an English dub; the example with the external mail is from it) on this topic: https://media.ccc.de/v/...
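The [External] tagging measure mentioned in the comment above, as an added example that is not part of the original thread or any of the commenters' code. It assumes the rule runs at the inbound mail gateway and that `INTERNAL_DOMAINS` lists every domain the organisation sends from; the domain names and the two sample messages are constructed for the demo. The point it shows is that the decision is made on the real sender address, so a display name such as "Carol (IT Helpdesk)" does not make a message look internal.

```python
"""Mark inbound mail from outside the organisation with an [External] tag.

Added example, not from the original thread. The domain list and the sample
messages below are constructed. This is a gateway/relay-side rule on inbound
mail, not something the end user runs.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: every domain the organisation sends mail from is listed here.
INTERNAL_DOMAINS = {"example.com", "mail.example.com"}
TAG = "[External]"


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From address, lowercased ('' if absent or malformed).

    parseaddr() returns the bare address, so the display name is ignored:
    "Carol (IT Helpdesk)" <carol@it-helpdesk-support.example> is judged by the
    address, not by the name the attacker chose.
    """
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_external(msg: EmailMessage) -> bool:
    """True unless the From domain is one of ours; missing or odd From fails closed."""
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_external(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message and prefix its Subject when it is external."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg):
        return msg
    subject = str(msg.get("Subject", "")).strip()
    if subject.startswith(TAG):  # already tagged by an upstream relay; don't stack
        return msg
    new_subject = f"{TAG} {subject}".strip()
    if "Subject" in msg:
        msg.replace_header("Subject", new_subject)
    else:
        msg["Subject"] = new_subject
    return msg


def tagged_subject(raw: bytes) -> str:
    """The Subject line after tagging, as plain text."""
    return str(tag_external(raw)["Subject"])


# Constructed sample messages. The first impersonates a colleague by display
# name only; the real sender domain is external and it gets tagged.
SAMPLE_IMPERSONATION = b"""From: "Carol (IT Helpdesk)" <carol@it-helpdesk-support.example>
To: alice@example.com
Subject: Urgent: re-enter your password

Your mailbox is full, log in here to fix it.
"""

SAMPLE_INTERNAL = b"""From: Carol <carol@example.com>
To: alice@example.com
Subject: Lunch?

Noon in the canteen?
"""

if __name__ == "__main__":
    for raw in (SAMPLE_IMPERSONATION, SAMPLE_INTERNAL):
        print(tagged_subject(raw))
```

One caveat for anyone deploying this: the From header itself can be forged with an internal domain, which this rule alone would not catch. That is what SPF, DKIM and DMARC checks at the gateway are for; the tag is a display aid layered on top of those, not a replacement for them.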
  • 0
    @Wisecrack @sbiewald

    White hat companies deal with much more than just employee training. The usual tendency is to restrict the users to just their work-related tasks, and just that. I did so when I set up the domain in my ship. It surely wasn't popular, but it worked.

    Targeting the admins and the higher-ups is more efficient, as they tend to have better access (or be able to demand so).

    Anyway, ITSec is there just to find things. How to deal with them is the company's responsibility. So, if the company practices such disciplinary actions, blame HR, or whatever/whoever is responsible for that.

    To paraphrase a saying: shoot the sniper, not the spotter.