# Do you need an antivirus on FreeBSD today?



## _al (May 20, 2022)

If "yes", which one would you recommend using?
If "no", why not?


----------



## SirDice (May 20, 2022)

No. Not for a FreeBSD desktop system. Not for a server either. But you might want to add a virus scanner inline with your mail server though. Or add one on a file server. Those are primarily intended to catch viruses for other systems like your Windows clients that use those services. Windows is still the primary target for 99% of the malware going around. The de facto standard virus scanner in this case is security/clamav.

You do need to watch out for web applications though. These could get infected through bad or incorrectly handled code. FreeBSD servers can just as easily be infected that way as any other Linux or Windows server that runs that broken web application. Then your server may be prone to become part of a botnet. But a virus scanner isn't going to protect you here; most virus scanners aren't able to detect those attacks, so they add nothing and will only give you a false sense of security.


----------



## zirias@ (May 20, 2022)

On a somewhat wider perspective: You never _really_ "need" antivirus software. Such software can only reliably detect viruses that are already known. Detecting unknown viruses can't be reliable, this can be proven by deducing it from the halting problem. But still, these products add _more code_ getting fed lots of potentially untrusted input, so they can even _add_ security holes (and yes, this actually happened in practice).

The much better malware protection is the combination of an informed admin configuring the system in a sane way and keeping it up to date, and an informed user who doesn't fall for phishing etc... (might be the same person of course on your private systems).

Antivirus software is actually a workaround that can _somewhat_ improve security when you can't rely e.g. on the informed users. On a system that's targeted as much as Windows, you could say you "need" such software.

BTW, as for scanning mails, I have clamav in the incoming pipeline of my mail system as well. For me, it's more a convenience thing; it just helps filtering out crap I don't want to see.
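The halting-problem argument the post alludes to, carried through as an added sketch (not part of the original post); the decider $V$, the program $P_{M,x}$ and the "replicates when run" definition of a virus are assumptions of the sketch:

Suppose a procedure $V$ existed with $V(P) = 1$ exactly when program $P$ is a virus, i.e. replicates when run. For any machine $M$ and input $x$ construct

$$
P_{M,x}:\quad \text{simulate } M \text{ on } x;\ \text{if the simulation halts, replicate; otherwise do nothing.}
$$

Then

$$
V(P_{M,x}) = 1 \iff M \text{ halts on } x,
$$

so $V$ would decide the halting problem, which is undecidable. Hence no such $V$ exists: any real detector must tolerate false negatives (an unknown virus passes) or false positives (a benign program is flagged), which is why signature and heuristic scanners can only approximate the job.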


----------



## Phishfry (May 20, 2022)

Zirias said:


> You never _really_ "need" antivirus software.


I beg to differ. I use FreeBSD as a desktop and I have found many PDFs with embedded JS.
I would never have found that by hand.


----------



## _al (May 20, 2022)

Thanks.
Unfortunately I should use my machine as a Server and as a Desktop.
I work in a very small company, and my machine is our server too.
As a Desktop user I use a browser...
(for many years I used antivirus on Linux... and I believed that it protects me in the browser (at least))


----------



## Lamia (May 20, 2022)

Just to add to the above, an email milter, e.g. https://www.freshports.org/security/clamav-milter, is all you need for email service alongside a spam filter. Do not forget to add milters for DKIM and the like. If you run several jails with multiple services (file share, torrent, websites, etc.), you may run https://www.freshports.org/security/clamav-lts/ on your host only if each jail can't run one. ClamAV can be a resource hog.


----------



## hardworkingnewbie (May 20, 2022)

Andrey Lanin said:


> (for many years I used antivirus on Linux... and I believed that it protects me in the browser (at least))


An antivirus scanner can only protect you against what it knows, i.e. what it has signatures for. For the time frame from release in the wild until the first virus signature is created you are unprotected.


----------



## drhowarddrfine (May 20, 2022)

Phishfry said:


> I have found many PDF's with embedded JS.


How would that JavaScript ever get executed?




Andrey Lanin said:


> I should use my machine as a Server and as a Desktop.


As do I, for decades and in my web dev company, but I have never had a virus problem.


----------



## _al (May 20, 2022)

hardworkingnewbie said:


> An antivirus scanner can only protect you against what it knows, i.e. what it has signatures for. For the time frame from release in the wild until the first virus signature is created you are unprotected.


Yes, I understand this. I would like to know FreeBSD's practice related to antivirus.


----------



## Cthulhux (May 20, 2022)

“Antivirus” software usually imposes another risk for your security, as it is potentially insecure software that runs with full admin privileges.

You shouldn’t need one on *any* OS.


----------



## getopt (May 20, 2022)

Andrey Lanin said:


> I would like to know FreeBSD's practice related to antivirus.


There is no "official policy". Largely because viruses like big numbers of dumb people or one specific well known OS.

As Linux gets more popular, expect the same there. Think twice before enabling LINUX_COMPAT in FreeBSD.

Antivirus software, some name it *snakeoil*, is big business.

I personally do not like it because it can be too invasive to a system and may increase the attack surface. Search the Internet for security advisories on antivirus software.

Also think about such stories:

Germany issues hacking warning for users of Russian anti-virus software Kaspersky (www.reuters.com)
Germany's cyber security agency on Tuesday warned users of an anti-virus software developed by Moscow-based Kaspersky Lab that it poses a serious risk of a successful hacking attack.

Kaspersky statement regarding the BSI warning (www.kaspersky.com)
Kaspersky releases an official statement in response to the warning issued by the German Federal Office for Information Security agency (BSI) on March 15, 2022.


----------



## SirDice (May 20, 2022)

Phishfry said:


> I have found many PDF's with embedded JS.


There's a special place in hell for the developer that came up with the brilliant plan to embed active content in an otherwise benign format. PDFs used to be safe.


----------



## Cthulhux (May 20, 2022)

SirDice said:


> There's a special place in hell for the developer that came up with the brilliant plan to embed active content in an otherwise benign format.



jwz invented HTML e-mail. It went downhill from there.


----------



## getopt (May 20, 2022)

Cthulhux said:


> jwz invented HTML e-mail


YUP!

"HTML email, was that your fault?" (www.jwz.org)
tl;dr: "Probably". Just for the record, when this Unfrozen Caveman bitches about the horrors of the world, it is not without recognition of my culpability. Montulli and Weissman also deserve a portion of the blame, but I was the one who ran with it, so I'm sure they'd be happy to let me fall on...


----------



## _al (May 20, 2022)

getopt said:


> Also think about such stories:


oh...no comment.

I tried to use Kaspersky only once - in the late 90s. On Windows. It broke my MS Word. After that I never used it anymore.
In Linux I used DrWeb.


----------



## mer (May 20, 2022)

SirDice said:


> There's a special place in hell for the developer that came up with the brilliant plan to embed active content in an otherwise benign format. PDFs used to be safe.


The implication of that (at least to me) is a knob in the PDF rendering application/library that would "play" the active content. If the knob is off by default, that is a good start, but the user can always turn it on or off as desired.
If the rendering has no mechanism to play the content, it doesn't matter if the content is there.


----------



## SirDice (May 20, 2022)

mer said:


> If the rendering has no mechanism to play the content, it doesn't matter if the content is there.


Absolutely. I'm sticking to PDF/A.

> Other key elements to PDF/A conformance include:[10][11][12]
> 
> Audio and video content are forbidden.
> *JavaScript and executable file launches are forbidden.*

PDF/A - Wikipedia (en.wikipedia.org)


----------



## Cthulhux (May 20, 2022)

SirDice said:


> PDF/A - Wikipedia
> 
> 
> 
> ...



"PDF/A differs from PDF by prohibiting features unsuitable for long-term archiving[.] (...) PDF/A-1 files will not necessarily conform to PDF/A-2, and PDF/A-2 compliant files will not necessarily conform to PDF/A-1."

LMAO.


----------



## ShelLuser (May 20, 2022)

In addition to all the above: _always_ remember that computer security is an ever ongoing _process_, *not* a product which you can turn on or off.

For example: no virus scanner is going to protect you from someone trying to trick you into running their home-made ransomware. But a process where you always run strange software in a sandbox environment first would protect you (or maybe applying some common sense?).

I know it sounds awfully cliche, but that's also exactly the issue at hand: this is more often than not completely overlooked.


----------



## mer (May 20, 2022)

ShelLuser, your second paragraph. Very true. I've been having discussions/"lessons" with my wife about being safe, how to recognize potentially bad emails. Even just the simple "don't ever blindly click on a link in an email". She has actually listened, especially after hearing of friends/customers getting hacked, to the point where she's seen odd emails from someone, doesn't open it and will phone call/text the person "Hey, you may want to check your systems/info".


----------



## Phishfry (May 20, 2022)

drhowarddrfine said:


> How would that JavaScript ever get executed?


I am not a hacker but here it goes. The PDF has the payload and when you visit a website the browser's JavaScript runs the embedded code.

Flip side. Why would anybody embed a script inside a portable document file if not malicious.


----------



## astyle (May 20, 2022)

Andrey Lanin said:


> oh...no comment.
> 
> I tried to use Kaspersky only once - in the late 90s. On Windows. It broke my MS Word. After that I never used it anymore.
> In Linux I used DrWeb.


Uhhhh... It was researchers at Kaspersky who uncovered the Stuxnet virus back in the 2010s. To build an effective defense against a virus or a DDoS, it does take a bit of knowledge of how it even works, and what's targeted.

It's unfortunate, but things did get to the point that you just gotta be aware of the dangers and not allow yourself to get careless. Otherwise, your device gets fried, and important personal information gets so messed up, you can't even get paid at work. This is a bit of a doomsday scenario, but mindlessly clicking on links and buttons can be like stepping on a mine - and we're still cleaning up actual mines from WWII!



Phishfry said:


> Flip side. Why would anybody embed a script inside a portable document file if not malicious.


To make the "P" part of "PDF" irrelevant, incorrect, and obsolete.


----------



## _al (May 20, 2022)

*astyle*, 
Thank you! Very informative articles.


----------



## mer (May 20, 2022)

Phishfry said:


> I am not a hacker but here it goes. The PDF has the payload and when you visit a website the browser's JavaScript runs the embedded code.


That goes directly to my point about what is actually doing the rendering of the document. Most browsers have a knob that lets you disable automatic execution of JavaScript; of course doing that can break a lot of websites.

I've always preferred downloading and using my own application to open, or explicitly setting my application as the one to use in the browser.

Kaspersky: I've used it for a while in the past and always had reasonably good luck. There have been times where an update caused too much CPU to be used, but it was fixed quickly.


----------



## cy@ (May 20, 2022)

SirDice said:


> No. Not for a FreeBSD desktop system. Not for a server either. But you might want to add a virus scanner inline with your mail server though. Or add one on a file server. Those are primarily intended to catch viruses for other systems like your Windows clients that use those services. Windows is still the primary target for 99% of the malware going around. The de facto standard virus scanner in this case is security/clamav.
> 
> You do need to watch out for web applications though. These could get infected through bad or incorrectly handled code. FreeBSD servers can just as easily be infected that way as any other Linux or Windows server that runs that broken web application. Then your server may be prone to become part of a botnet. But a virus scanner isn't going to protect you here; most virus scanners aren't able to detect those attacks, so they add nothing and will only give you a false sense of security.


Agreed. On the flip side of virus scanning is ensuring none of your critical O/S (and app) files have been altered. This is where tripwire and aide can help out. Of course tripwire and aide are not a silver bullet. You simply can't install and forget them. Each needs a comprehensive change management strategy to work properly. Otherwise it's just noise.

Many companies want that silver bullet to solve this problem. They fail to realize that tripwire and aide are only 15% of the solution. The other 85% is organizational to track change and communicate that to the security officer who maintains the baseline signatures in tripwire and aide. Otherwise every alert is a "compromise" where in fact it's probably a patch or legitimate software install. The time spent doing this after the fact will quickly result in missing an unauthorized change to a critical file.
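The baseline-plus-change-management loop cy@ describes, as an added example (it is not tripwire, AIDE or cy@'s code): a tree is hashed into a baseline, a later state is diffed against it, and a ledger of approved changes decides which differences are "expected" and which need a human. Every path, file content and digest below is constructed.

```python
"""File-integrity baseline with an approved-change ledger.

Added example, not cy@'s code and not tripwire or AIDE. It reproduces the core
of what those tools do (hash a tree, store the baseline, diff it later) and
adds the organisational piece the post insists on: a ledger of approved
changes (what the security officer was told a patch would alter) is consulted
during comparison, so planned changes come out as "expected" and only the
unexplained ones are alerts. All paths and contents are constructed.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional

Baseline = Dict[str, str]           # relative path -> sha256 hex digest
Ledger = Dict[str, Optional[str]]   # relative path -> approved digest, None = approved removal


def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_contents(contents: Dict[str, bytes]) -> Baseline:
    """Build a baseline from an in-memory {relative path: bytes} map."""
    return {rel: file_digest(data) for rel, data in sorted(contents.items())}


def build_baseline(root: Path) -> Baseline:
    """Hash every regular file below root. Symlinks are skipped here; a real
    tool records them separately rather than following them."""
    contents = {str(p.relative_to(root)): p.read_bytes()
                for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}
    return baseline_from_contents(contents)


def compare(old: Baseline, new: Baseline, ledger: Ledger) -> Dict[str, List[str]]:
    """Classify every difference between two baselines.

    A change is "expected" only when the ledger names the path AND the new
    digest (or the removal) matches what was approved. A patch that was
    announced but produced a different file than promised still alerts.
    """
    report: Dict[str, List[str]] = {"expected": [], "modified": [], "added": [], "removed": []}
    for rel in sorted(set(old) | set(new)):
        before, after = old.get(rel), new.get(rel)
        if before == after:
            continue                                   # unchanged
        if rel in ledger and ledger[rel] == after:
            report["expected"].append(rel)             # exactly what the ledger promised
        elif before is None:
            report["added"].append(rel)
        elif after is None:
            report["removed"].append(rel)
        else:
            report["modified"].append(rel)
    return report


def alerts(report: Dict[str, List[str]]) -> List[str]:
    """Everything the ledger did not explain, i.e. what a human must look at."""
    return [f"{kind}: {rel}" for kind in ("modified", "added", "removed") for rel in report[kind]]


# Constructed demo data: yesterday's baseline, today's state, and the ledger.
YESTERDAY = baseline_from_contents({
    "bin/sh": b"sh build 1\n",
    "etc/rc.conf": b'hostname="box"\n',
    "etc/ssh/sshd_config": b"PermitRootLogin no\n",
})
TODAY = baseline_from_contents({
    "bin/sh": b"sh build 2\n",                         # patched, and announced in the ledger
    "etc/rc.conf": b'hostname="box"\n',                # untouched
    "etc/ssh/sshd_config": b"PermitRootLogin yes\n",   # changed, nobody announced it
    "usr/local/bin/unknown": b"#!/bin/sh\n",           # new file, nobody announced it
})
LEDGER: Ledger = {"bin/sh": file_digest(b"sh build 2\n")}  # what the patch ticket promised

if __name__ == "__main__":
    report = compare(YESTERDAY, TODAY, LEDGER)
    print(json.dumps(report, indent=2))
    print("needs a human:", alerts(report))
```

Without the ledger, `bin/sh` would show up as just another "modified" alert next to the sshd_config change, which is the noise the post warns about.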


----------



## drhowarddrfine (May 20, 2022)

Phishfry said:


> The PDF has the payload and when you visit a website the browser's JavaScript runs the embedded code.


And how would the browser access that code in a PDF on your computer? (Answer: it can't.)


----------



## astyle (May 20, 2022)

cy@ said:


> Agreed. On the flip side of virus scanning is ensuring none of your critical O/S (and app) files have been altered. This is where tripwire and aide can help out. Of course tripwire and aide are not a silver bullet. You simply can't install and forget them. Each needs a comprehensive change management strategy to work properly. Otherwise it's just noise.
> 
> Many companies want that silver bullet to solve this problem. They fail to realize that tripwire and aide are only 15% of the solution. The other 85% is organizational to track change and communicate that to the security officer who maintains the baseline signatures in tripwire and aide. Otherwise every alert is a "compromise" where in fact it's probably a patch or legitimate software install. The time spent doing this after the fact will quickly result in missing an unauthorized change to a critical file.


There's kind of a difference between unauthorized changes to files and unauthorized network connections / host intrusions. BTW, FreeBSD has security/snort and Wireshark for packet sniffing, if you like. It's usually kind of a pain to remember to turn the antivirus off every time you need to upgrade/patch something. This is why most companies just have a few dedicated appliances set up as firewalls. You gotta have appropriate tools for the job.


----------



## Phishfry (May 20, 2022)

drhowarddrfine said:


> And how would the browser access that code in a PDF on your computer? (Answer: it can't.)


Totally agree. The JS bug was probably written for a Windows client.
Nonetheless, it is helpful to know that you have JavaScript embedded in files in your downloads directory.

I would rather weed through 250 false positive Open Office macros just to find that one malicious file.
Even if not exploitable, I want to know about it.
Thanks to ClamTk I do.
I do like my firewall's tripwire.

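A read-only scan for the kind of file Phishfry describes here and in the earlier post (PDFs in a downloads directory that carry embedded JavaScript), added as an example and not code from the thread, ClamAV or ClamTk. It looks for the PDF name objects tied to active content, decodes the `#xx` name escapes that would hide them from a plain text search, and flags files whose objects sit in compressed object streams as inconclusive rather than clean. The sample PDFs are constructed.

```python
"""Report PDFs that carry active content (JavaScript, auto-run actions, launches).

Added example, not code from the forum thread or from ClamAV/ClamTk. It never
opens a PDF in a renderer and never runs anything; it only looks for the PDF
name objects that introduce active behaviour, which is the information a
desktop user wants before deciding what to do with a download.
"""
import re
from pathlib import Path

# Name objects that introduce active behaviour in a PDF:
#   /JavaScript, /JS  -> script actions     /OpenAction, /AA -> triggered automatically
#   /Launch           -> start an external program
ACTIVE_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch"}

# A PDF name is "/" followed by regular characters; whitespace and the
# delimiters ( ) < > [ ] { } / % end it. Any character in a name may be
# written as #xx (hex), so /J#53 is the same name as /JS: decode before matching.
_NAME_TOKEN = re.compile(rb"/([^\s()<>\[\]{}/%]+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes in a PDF name, e.g. b'J#53' -> b'JS'."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def find_active_content(data: bytes) -> dict[str, int]:
    """Count occurrences of active-content names in raw PDF bytes."""
    found: dict[str, int] = {}
    for m in _NAME_TOKEN.finditer(data):
        name = decode_name(m.group(1))
        if name in ACTIVE_NAMES:
            key = "/" + name.decode("ascii")
            found[key] = found.get(key, 0) + 1
    return found


def has_object_streams(data: bytes) -> bool:
    """True if the file uses /ObjStm. Objects stored inside compressed object
    streams are invisible to a raw byte scan, so a clean result on such a file
    is inconclusive, not a clean bill of health."""
    return any(decode_name(m.group(1)) == b"ObjStm" for m in _NAME_TOKEN.finditer(data))


def verdict(data: bytes) -> str:
    names = find_active_content(data)
    if names:
        return "active-content"
    return "inconclusive" if has_object_streams(data) else "no-active-names"


def scan_directory(root: Path) -> list[tuple[str, str, dict[str, int]]]:
    """(relative path, verdict, names found) for every *.pdf below root."""
    results = []
    for p in sorted(root.rglob("*.pdf")):
        if p.is_file():
            data = p.read_bytes()
            results.append((str(p.relative_to(root)), verdict(data), find_active_content(data)))
    return results


# Constructed sample files (not real malware). The first carries an auto-run
# JavaScript action whose /JS key is hex-escaped as /J#53; the third stores
# its objects in an object stream, where a raw scan cannot see them.
SAMPLE_WITH_JS = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /J#53 (placeholder script text) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_OBJSTM = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /ObjStm /N 1 /First 4 >> stream\n...\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, data in (("with-js", SAMPLE_WITH_JS), ("clean", SAMPLE_CLEAN), ("objstm", SAMPLE_OBJSTM)):
        print(f"{label:8s} {verdict(data):16s} {find_active_content(data)}")
    # Real use: print(scan_directory(Path.home() / "Downloads"))
```

The names are only a presence check (a harmless form with a validation script trips it too); the point is to know which downloads need a closer look, which is the "I want to know about it" stance of the post.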

----------



## cy@ (May 20, 2022)

astyle said:


> There's kind of a difference between unauthorized changes to files and unauthorized network connections / host intrusions. BTW, FreeBSD has security/snort and Wireshark for packet sniffing, if you like. It's usually kind of a pain to remember to turn the antivirus off every time you need to upgrade/patch something. This is why most companies just have a few dedicated appliances set up as firewalls. You gotta have appropriate tools for the job.


A firewall is not the same as patching, antivirus, file signatures and the like. Firewalls are one piece of the puzzle. People who stand up a firewall and consider the job done are always surprised when their site is compromised. (Just like people who think a VPN will protect them.)

Security is a layered approach. One piece of the puzzle does not secure a site.


----------



## astyle (May 20, 2022)

cy@ said:


> A firewall is not the same as patching, antivirus, file signatures and the like. Firewalls are one piece of the puzzle. People who stand up a firewall and consider the job done are always surprised when their site is compromised. (Just like people who think a VPN will protect them.)
> 
> Security is a layered approach. One piece of the puzzle does not secure a site.


I do agree that security is a layered approach. But there are appropriate tools for every layer.  You can't exactly tell snort to act like pf. This is partly why I'm not wild about solutions that claim to be all-in-one, like Aide or Tripwire. They tend to focus on just one layer, and other layers suffer as a result.


----------



## Phishfry (May 20, 2022)

mer said:


> That goes directly to my point about what is actually doing rendering of the document. Most browsers have a knob that lets you disable automatic execution of javascript, of course doing that can break a lot of websites.



Yes, I figured out how to use uBlock very well. Site-by-site blocking: some sites just have multimedia elements off and some sites have all JavaScript off. I like the granularity. Some slippery ones still get by.

Having a hosts blocklist right at the firewall is nice.
Firefox seems to hide the settings for how to handle pdf and wants to render it for you. SeaMonkey is respectful.



mer said:


> I've always preferred downloading and using my own application to open or explicitly set my application as the one to use in the browser.


Absolutely. On top of that I use xpdf which does not have modern virus prone features.

I realize ClamAV works by heuristics, and that is not perfect. But I cannot look inside every file.
Clam is a resource hog. I don't run it automatically, just monthly. Usually I run it overnight.

So my approach is layered in my mind. Security is a state of mind.
If you really wanted to be secure you would not be connected to the internet.


----------



## Lamia (May 21, 2022)

Lest I forget, you should consider a rootkit hunter too - see https://www.freshports.org/security/rkhunter. There is also Aide, Lynis, etc. Each does a marvellous job.


----------



## ralphbsz (May 21, 2022)

astyle said:


> Uhhhh... It was researchers at Kaspersky who uncovered the Stuxnet virus back in the 2010s. To build an effective defense against a virus or a DDoS, it does take a bit of knowledge of how it even works, and what's targeted.


Well, Kaspersky is a particularly interesting case of virus work. It is well known that Kaspersky and InfoWatch are deeply tied to the Russian espionage service (the FSB), and to Russian black-hat culture (some of which work for the Russian government, some for criminal organizations). Kaspersky is also a white-hat business that sells legitimate virus scanning software, and it has gone to some effort to legitimize itself. This double-duty setup is very much like a bad mafia movie, where the mafioso guarantees your security, but also takes protection money for that.

Stuxnet is widely acknowledged to be an Israeli effort to damage the Iranian nuclear program, perhaps (or likely?) with assistance from US government agencies.

Would I buy or run Kaspersky software myself? Hell no. Might as well send a copy of my disk right to Moscow.


----------



## drhowarddrfine (May 21, 2022)

ralphbsz said:


> InfoWatch are deeply tied to the Russian espionage


I did not know this!


----------



## grahamperrin@ (May 21, 2022)

cy@ said:


> … Security is a layered approach. …





grahamperrin said:


> …
> Malwarebytes Browser Guard on FreeBSD
> …



I use it as much for blocking advertisements etc. as I do for blocking things such as scams. 


 



grahamperrin said:


> … I typically report to Newest IP or URL Threats - Malwarebytes Forums. …


----------



## getopt (May 21, 2022)

ralphbsz


ralphbsz said:


> InfoWatch are *deeply* tied to the Russian espionage service (the FSB), and to Russian *black-hat culture* ...


Do you have citable sources or is it chitchat?

drhowarddrfine 


drhowarddrfine said:


> I did not know this!


Yeah! I did not know either. But I still do not know it.


----------



## Lamia (May 21, 2022)

grahamperrin said:


> I use it as much for blocking advertisements etc. as I do for blocking things such as scams.


Malwarebytes Browser Guard would be replaced by uBlock Origin, NoScript and Decentraleyes extensions here. Any reason to use it in addition or as a replacement? I know Malwarebytes coy is an antivirus coy though.


----------



## Menelkir (May 21, 2022)

Lamia said:


> Malwarebytes Browser Guard would be replaced by uBlock Origin, NoScript and Decentraleyes extensions here. Any reason to use it in addition or as a replacement? I know Malwarebytes coy is an antivirus coy though.


Also Trocker, CSS Exfil Protection and minerBlock. Bonus for Privacy Badger.


----------



## ralphbsz (May 21, 2022)

getopt said:


> Do you have citable sources or is it chitchat?


Start at the Wikipedia page. In particular the ones for Mr. and Mrs. Kaspersky (they are the CEOs of the Kaspersky anti-virus company and of InfoWatch, an anti-leak company, respectively).

For more details, you just have to search the web. But, as I said above, Kaspersky tries to straddle both worlds: On one side they are white-hat hackers that sell legitimate and useful anti-virus or data protection products; on the other side they work closely with both government and non-government organizations in Russia.


----------



## shkhln (May 21, 2022)

Note that Mr. and Mrs. Kaspersky divorced quite a while ago. InfoWatch is definitely Putin-friendly, though.


----------



## getopt (May 21, 2022)

ralphbsz said:


> Start at the Wikipedia page. In particular the ones for Mr. and Mrs. Kaspersky


Be assured that I do at least low-hanging research before pressing the "Post reply" button. My conclusion from reading Wikipedia was and still is that what you said cannot be confirmed by reliable sources. As long as you cannot provide appropriate cites from credible sources, you are making assumptions.

There is nothing wrong with assumptions; they may or may not be facts. And that is the point where beliefs start.

You write "InfoWatch *are deeply* tied to ..."
I would write InfoWatch *may be* tied to ... and those are assumptions, which I'm not in the position to confirm from independent sources.

For this reason I asked for citable sources. It could have been that you know hard facts. I'm sorry that this is not the case. Talking about whatsoever deep ties to any government secret service around the world as a non-insider is just adding a little noise, I guess.


----------



## Phishfry (May 21, 2022)

drhowarddrfine said:


> And how would the browser access that code in a PDF on your computer? (Answer: it can't.)


Are you sure? I really don't think FreeBSD is that invincible.
CVE-2022-1802 looks like a foothold.

Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 (www.mozilla.org)

Regardless, having malware or virus infected files on your computer is not good.
Can we agree on that?


----------



## drhowarddrfine (May 21, 2022)

Phishfry That's a bug, not a normal event. That's not what we're talking about.



Phishfry said:


> Regardless, having malware or virus infected files on your computer is not good.
> Can we agree on that?


Of course. If for no other reason than it allows you to pass it on to others.


----------



## grahamperrin@ (May 21, 2022)

Lamia said:


> Malwarebytes Browser Guard would be replaced by uBlock Origin, NoScript and Decentraleyes extensions here. Any reason to use it in addition or as a replacement? …



I can't imagine uBlock Origin being a suitable replacement for Malwarebytes Browser Guard. (Not unless uBlock Origin is set so aggressively that it breaks many websites.) Please see, for example: 

Test of web browser extensions for protection against malicious software | AVLab.pl (November 2018) : uBlockOrigin
Worth noting: Expanding a malware domain list : uBlockOrigin – too arduous, I abandoned attempts to improve what was used by the extension at the time.


----------



## ralphbsz (May 21, 2022)

getopt said:


> My conclusions from reading Wikipedia was and still is, that what you said cannot be confirmed by reliable sources.


I freely admit that I do not have citable sources for my opinion that both these businesses are tied to the Russian state intelligence operations. There is lots of circumstantial evidence on the web; search for "FSB Kasperskaya" or InfoWatch or Kaspersky (Kasperskaya is the last name of Mrs. Kaspersky in the Russian way of writing it, she's the CEO of InfoWatch, and co-founder and ex-wife of Kaspersky anti-virus). This includes legal documents and articles in respectable newspapers. Hard facts that are published tend to not exist when government intelligence is concerned.

For my personal taste, it is sufficient if US federal agencies tell their contractors (which includes pretty much all large computer companies) that they must not use Kaspersky antivirus products (nor SuperMicro motherboards) on any work that involves the federal government as a customer. That happened quite a few years ago, long before the current Ukraine kerfuffle, and long before the Trump presidency.


----------



## Lamia (May 22, 2022)

grahamperrin said:


> I can't imagine uBlock Origin being a suitable replacement for Malwarebytes Browser Guard. (Not unless uBlock Origin is set so aggressively that it breaks many websites.) Please see, for example:
> 
> Test of web browser extensions for protection against malicious software | AVLab.pl (November 2018) : uBlockOrigin
> Worth noting: Expanding a malware domain list : uBlockOrigin – too arduous, I abandoned attempts to improve what was used by the extension at the time.


I was sure that the Malware Browser Guard would focus on malware while uBO is meant to block scripts, XS scripts, etc almost similar to noScript. I was not so sure *ware was necessary on *BSD as most people have been saying here. 

Interestingly, there is pfblocker-ng at firewall to block these *wares thereby leaving the web-clients to block scripts etc.


----------



## Phishfry (May 22, 2022)

grahamperrin said:


> I can't imagine uBlock Origin being a suitable replacement for Malwarebytes Browser Guard.


It is.



grahamperrin said:


> Worth noting: Expanding a malware domain list : uBlockOrigin – too arduous,


None of that is needed. Complete waste. The provided lists are all you need. Keep them updated.
Then you use your buttons for screening individual sites.
They are very important.
At the far right is "Click to wholly disable Javascript on this site". This is nuclear.
To the left of that are lesser blockers for multimedia and popups.
These buttons maintain a site-by-site preference for your JavaScript.
That is the strength of uBlock to me. Blocklists are a dime a dozen.
Heck, I used to keep a several-megabyte /etc/hosts file; now it's all done at the firewall.


----------



## grahamperrin@ (May 22, 2022)

Lamia said:


> I was sure that the Malware Browser Guard would focus on malware while uBO is meant to block scripts, XS scripts, etc …



Malwarebytes Browser Guard offers a good mixture.



Phishfry said:


> It is. …



When I last performed a comparison: for malware sites, uBlock Origin was _not_.



Phishfry said:


> … The provided lists are all you need. …



When I last performed a comparison: for malware sites, the lists that were used by uBlock Origin were _not_. That's why I aimed to improve the lists.

Is there evidence that the lists have improved so much since then, to _excel_?

Emphatically:



grahamperrin said:


> set so aggressively that it *breaks many websites*.



I don't want that breakage. You might accept that (as a side effect) from a complementary product, but Malwarebytes Browser Guard does not do that.


----------



## getopt (May 22, 2022)

ralphbsz said:


> I freely admit that I do not have citable sources for my opinion


Thank you for your honorable clarification.



ralphbsz said:


> ... if US federal agencies tell their contractors (which includes pretty much all large computer companies) that they must not use Kaspersky antivirus products (nor SuperMicro motherboards) on any work that involves the federal government as a customer.


Have you seen this paper? Do you remember when it was issued (month/year)? And which agency issued it?


----------



## Phishfry (May 22, 2022)

GSA issues blanket purchase agreements for purchases. So they are the purchasing agency.

US bans Kaspersky software amid concerns over Russia ties (phys.org)
The US government has moved to block federal agencies from buying software from Russia-based Kaspersky Labs, amid concerns about the company's links to intelligence services in Moscow.

Kaspersky Is Declared A US National Security Threat And Is Banned By The FCC (hothardware.com)
A 2017 Department of Homeland Security directive bares new teeth against Russian-based cybersecurity company Kaspersky.

Then there is this:

iTWire - CIA created code to impersonate Kaspersky Lab: WikiLeaks (www.itwire.com)
The CIA created code that could be used to impersonate exfiltration attempts from computers infected with its malware implants as being staged by others, according to WikiLeaks. Three examples of impersonating Kaspersky Lab were released by the whistle-blower website on Thursday. In a release...


----------



## ralphbsz (May 23, 2022)

getopt said:


> Have you seen this paper? Do you remember when it was issued (month/year)? And which agency issued it?


No, I didn't get it on paper. I can roughly date it: the prohibition against using any SuperMicro hardware must have been around 2014 or 2015. Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.

The ban on Kaspersky virus scanners happened later; it seems plausible that it was 2017, as Phishfry reports. We had been using a different virus scanner on Windows anyway (I was using a Mac laptop as my daily driver, still had a Windows laptop too, and all our machines were centrally managed and configured), but at some point another edict came down that absolutely no Kaspersky software is allowed to be purchased, installed, or used in house.

In both cases, it was clear from context that this was coming not just from our internal computer security people, but from the federal government, which was one of our larger customers. Clearly, they wouldn't divulge which agency said so.


----------



## Deleted member 67862 (May 23, 2022)

When I used TDE, I would go ahead and install KlamAV which is just a nice KDE 3.x frontend to clamav (kept up-to-date by Trinity) since it comes with the git repo, but I've never actually had a positive scan. KlamAV is actually really good compared to the only other GUI frontend nowadays which is ClamTk and it integrated well into KDE 3.x. In any instance, I don't consider an antivirus to be necessary on FreeBSD so I don't use one.


----------



## astyle (May 23, 2022)

ralphbsz said:


> No, I didn't get it on paper. I can roughly date it: the prohibition against using any SuperMicro hardware must have been around 2014 or 2015. Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.
> 
> The ban on Kaspersky virus scanners happened later; it seems plausible that it was 2017, as Phishfry reports. We had been using a different virus scanner on Windows anyway (I was using a Mac laptop as my daily driver, still had a Windows laptop too, and all our machines were centrally managed and configured), but at some point another edict came down that absolutely no Kaspersky software is allowed to be purchased, installed, or used in house.
> 
> In both cases, it was clear from context that this was coming not just from our internal computer security people, but from the federal government, which was one of our larger customers. Clearly, they wouldn't divulge which agency said so.


I can kinda relate to that - except that in my case, it's more brand loyalty (not Apple, though, thank god for small graces!). Antivirus is a running joke, though - if something is acting up (which is usually the case), it often gets traced back to the AV blocking something by mistake, and then admins are saddled with the cleanup.


----------



## getopt (May 24, 2022)

ralphbsz said:


> Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.


While this thread is mainly on antivirus software, the Super Micro story is a completely different beast. It's about hardware and China. If you look at the timeline there (Supermicro - Wikipedia, en.wikipedia.org) and "2014-2015" is shortly after the Snowden events, does that fit in?

And then this in Oct 2018:

Security researcher source in Supermicro chip hack report casts doubt on story | ZDNet
Updated: The explosive report "doesn't make sense," according to the expert who described hardware implant uses in theoretical attacks.
www.zdnet.com

Looks like a political spin in a tit-for-tat game with China?

If politicians cannot publicly present scientific proof on their stories on hardware/software while using accusations for opportunistic and hypothetical spin narratives, one shouldn't buy the story. If there are hard facts on the public table everyone can make up one's mind.


----------



## astyle (May 24, 2022)

getopt said:


> If politicians cannot publicly present scientific proof on their stories on hardware/software while using accusations for opportunistic and hypothetical spin narratives, one shouldn't buy the story. If there are hard facts on the public table everyone can make up one's mind.


Those guys (the politicians) have a limited amount of time to study what's even involved.  They have to schedule appointments with subject matter experts (whose job it is to explain), and to splash enough money to make the explanations even happen.  Hard facts can be surprisingly difficult to come by, even if they are public information. This is why basic education and critical thinking are so important.


----------



## Phishfry (May 24, 2022)

getopt said:


> If there are hard facts on the public table everyone can make up one's mind.


We are in the same situation with Huawei.
Five Eyes Gov says it is bad...
Uses its massive purchasing clout and leans on technical committees.
Maybe just nationalistic?
Probably every country's intelligence service has a foothold in their country's products.

https://www.bloomberg.com/news/arti...sing-huawei-in-secret-australian-telecom-hack
https://www.businessinsider.com/us-accuses-huawei-of-spying-through-law-enforcement-backdoors-2020-2

So while the USA is flapping its lips, SS7 is (ridiculously) still in use.
You see we like to criticize various dictatorships while we do the same using another method.


----------



## getopt (May 24, 2022)

Phishfry said:


> SS7 is (ridiculously) still in use.


Yeah! SS7 is a zombie, it will never die. It is too useful 

See FCC 2017 risk assessment on SS7 and G5:

CSRIC5-WG10-FinalReport031517.pdf (www.fcc.gov)


----------



## SKull (May 25, 2022)

Antivirus software is snake oil. And often enough, it introduces new security vulnerabilities.
Lately some of them even mine bitcoin in the background.


----------



## Phishfry (May 25, 2022)

All about layers. The question was 'Do _YOU_ need an antivirus on FreeBSD today'.
YES I need it because I like knowing what lurks. Even if a post mortem analysis.
I have to download PDFs and until there comes another document format I have to deal with it.
ClamAV uses freshclam to update its definitions. That is its only link to the outside.
You don't need to run the service continually. Fire it up, update definitions, run scan.
No bitminers running on Clam. You can disconnect the internet and it still works.
You can even use it offline and update via usb stick.
My layers are different than your layers. That don't make them wrong.
Obviously Clam's definitions might lag Norton and others due to the fact that they are not monitoring machines like the other guys are. There is no reporting back to home on Clam. It only scans when I run ClamTk.


----------



## astyle (May 25, 2022)

Phishfry said:


> No bitminers running on Clam


How do you even verify that?

ClamAV is not an IDS, BTW. Snort is, but do you wanna buy an Epyc just for the privilege of having realtime IDS and AV running 24/7?  Epycs run about $8k and up, and that's just the processor, not the rest of the server hardware. :/


----------



## Phishfry (May 25, 2022)

astyle said:


> How do you even verify that?


Look at the source code. ClamAV is open source.
Did you see the parts where it runs totally offline?
What, are they running a background process I can't see, or have a bitminer embedded inside ClamAV?
How are they getting the coin out if offline?

Most of those bitcoin miners headlines were browser JS hijinks. Run a browser based scan and get abused.


----------



## aragats (May 25, 2022)

Phishfry said:


> I have to download PDF's and until there comes another document format I have to deal with it.


Just an idea: open a PDF in LibreOffice, it becomes an .ODG file (ODF Drawing), then export it as PDF. I believe the bad content will be removed.
It can be done via command line:

```
libreoffice --convert-to odg my.pdf --outdir temp
libreoffice --convert-to pdf temp/my.odg --outdir temp
```


----------



## getopt (May 25, 2022)

aragats said:


> I *believe*, the bad content will be removed.


"Believing" is not enough. Believing is like betting. It may work or it may not work. 

If you have a hypothesis you MUST test it. This means working hard, but at the end you have a result. If others had done the work already you can and should cite your source of information properly.


----------



## aragats (May 25, 2022)

getopt said:


> "Believing" is not enough.
> ....
> If you have a hypothesis you MUST test it.


Well, that's why I started with words "just an idea". Some people may have a better experience, that's why we have this forum. Nobody is writing scientific articles here.

I verified with sample pdfs from here (I know, it's not a proof).
If _.fodg_ (flat odg) is used as an intermediate format, it can be easily checked for existence of `<office:scripts>` tags. Besides that, LibreOffice itself has the corresponding command:

```
libreoffice --script-cat my.odg
Libraries: 0
```
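Putting aragats's two posts together (the PDF-to-ODG round trip and the `<office:scripts>` check), here is an added example, not from the thread, of a small sh script that refuses to re-export when the flat ODG intermediate carries scripts or event listeners. It assumes `libreoffice` is on PATH and that the `fodg` flat-XML target works with `--convert-to`; the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): PDF -> flat ODG -> PDF round trip,
# but only when the intermediate is free of active content.
# Assumes `libreoffice` is on PATH; paths below are constructed.

# Print the number of script / event-listener elements in a flat ODF file.
# An empty <office:scripts/> container is normal ODF output, so only real
# <office:script ...> entries and event listeners are counted: the pattern
# requires a space, '>' or '/' right after "script", which <office:scripts>
# does not have.
fodg_active_count() {
    grep -Eo '<office:script[ >/]|<(office|script):event-listener[s]?[ >/]' "$1" \
        | wc -l | tr -d ' '
}

# Exit 0 when the file carries no scripts or event listeners, 1 otherwise.
fodg_is_clean() {
    [ "$(fodg_active_count "$1")" -eq 0 ]
}

# Round-trip a PDF through flat ODG, keeping only the rendered drawing.
# Usage: sanitize_pdf input.pdf outdir   (returns 2 if active content found)
sanitize_pdf() {
    in=$1; out=$2
    base=$(basename "$in" .pdf)
    mkdir -p "$out"
    # --headless and --convert-to are real LibreOffice flags; the fodg
    # (flat XML) target is assumed to be accepted like odg is in the thread.
    libreoffice --headless --convert-to fodg "$in" --outdir "$out" || return 1
    if ! fodg_is_clean "$out/$base.fodg"; then
        echo "refusing $in: $(fodg_active_count "$out/$base.fodg") active element(s)" >&2
        return 2
    fi
    libreoffice --headless --convert-to pdf "$out/$base.fodg" --outdir "$out"
}
```

The `--script-cat` check from the post above still applies to the result; this script just makes the "refuse if scripts are present" decision explicit instead of trusting the round trip.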


----------



## astyle (May 25, 2022)

Phishfry said:


> How are they getting the coin out if offline?


Why do you think it takes incredibly powerful hardware to mine? Mining can be done offline, just get a proper hash of a truckload of data. The hash itself is not that big, even if spelled out in hex format. Sometimes, you gotta step back and see the flow of data relative to the well-known diagrams of the von Neumann architecture to see the difference between what's an IDS (which can detect a mining process) and an AV (which cannot).


----------

