# Antivirus for FreeBSD



## Max212 (Sep 4, 2015)

Hi,

I am looking for Antivirus for FreeBSD besides ClamAV. I've searched for any AV that would be supported on FreeBSD, but I could not find any. Or if I did, it was for old versions and/or it is not developed any more.

I am intending to use FreeBSD as desktop and the question is how to secure it from possible viruses etc.

Thank you!


----------



## Deleted member 9563 (Sep 5, 2015)

I have used FreeBSD on the desktop for a number of years and don't use any antivirus program. What kind of virus were you thinking about?


----------



## kpa (Sep 5, 2015)

You pretty much won't find anything else but products that run on Linux or BSD OSes but are only for finding MS Windows viruses/malware and MS Office macro viruses. There is a very good reason for the lack of antivirus products for native FreeBSD viruses: such viruses don't really exist in the wild. FreeBSD, like any UNIX/UNIX-like OS, has proper privilege separation, and the OS is configured by default in such a way that it discourages unsafe practices. It is of course possible to write a virus for FreeBSD, but getting it to spread from machine to machine is not a reality. Practically all of the software installed on a FreeBSD system comes from a known safe source, packages are now signed to prevent tampering, and base system distributions can be verified if the user wishes to do so. Also, quite a few people do their base system updates/upgrades using the source code, and that already closes many possibilities for tampering with the system using compromised binaries.


----------



## hanzer (Sep 5, 2015)

I did a quick search and found BitDefender - security/bdc.

There are also several ports related to Rootkits - security/chkrootkit, security/revealrk, security/rkhunter.


----------



## kpa (Sep 5, 2015)

hanzer said:


> I did a quick search and found BitDefender - security/bdc.
> 
> And there are several ports related to Rootkits - security/chkrootkit, security/revealrk , security/rkhunter.



The rootkit detectors are aimed at people who host web services on their systems and run unsafe CGI applications that are often (poorly) written in PHP and can potentially allow a remote attacker to inject something nasty into the system. A desktop user would never be vulnerable to rootkits unless they do something totally stupid like run web browsers as root.

The BitDefender port you linked is a FreeBSD 5 binary-only product whose last real updates were done in 2007-2008, and it has no maintainer; I wouldn't use it.


----------



## Deleted member 9563 (Sep 5, 2015)

kpa said:


> A desktop user would never be vulnerable to rootkits unless they do something totally stupid like run web browsers as root.



Thanks for that. I run security/rkhunter once in a while but was wondering if it actually was useful for me.


----------



## Max212 (Sep 5, 2015)

I come from the Windows world and AV is a must. It is a bit uncomfortable to use a system without AV, especially today where everything is online and an "easy" target.

Ok, I understand that viruses for UNIX/UNIX-like systems cannot spread easily or fast enough, but the question that comes to my mind is: how can you check if your computer is infected?


----------



## Deleted member 9563 (Sep 5, 2015)

What _actual_ virus did you have in mind? I've never heard of anybody in the *nix world getting a virus. Yes, there are people who insist on laboratory proof of concept being the same as what happens in the wild, but they never offer any proof other than a machine can be compromised if you have physical or root access. Besides, from everything I've read a normal antivirus program isn't going to help you with that since those programs only detect last generation infections. That's McAfee's take on it and I'll go with that. In any case how about just watching what goes out to see if there's anything suspicious? That's what I do.


----------



## abishai (Sep 5, 2015)

kpa said:


> FreeBSD as any UNIX/UNIX-like OS has a proper privilege separation


User privileges are usually enough, for example for file-cryptor type viruses.



Max212 said:


> I am looking for Antivirus for FreeBSD besides ClamAV


Dr Web (commercial) supports FreeBSD https://www.drweb.com/?lng=en


----------



## hanzer (Sep 5, 2015)

This isn't limited to "virus" (methods of attack, compromise, and disruption are only limited by the imagination (I imagine)) but the links might be interesting to readers of this thread:

https://www.freebsd.org/security/advisories.html
https://web.nvd.nist.gov/view/vuln/search-results?query=FreeBSD&search_type=all&cves=on
http://www.kb.cert.org/vuls/byid?searchview (search for FreeBSD)
http://www.rapid7.com/db/search?utf8=✓&q=freebsd&t=a

Off the top of my head, I would guess that a large scale attack on FreeBSD systems could be done through the ports system (if some people were sufficiently motivated). There is a lot of trust involved in compiling and installing third-party software (and running the scripts in the ports system).


----------



## kpa (Sep 5, 2015)

hanzer said:


> Off the top of my head, I would guess that a large scale attack on FreeBSD systems could be done through the ports system (if some people were sufficiently motivated). There is a lot of trust involved in compiling and installing third-party software (and running the scripts in the ports system).



Very unlikely. All of the distfiles are checksummed with a strong cryptographic hash method called SHA256. An attacker would first have to falsify these checksums on selected important ports and then find a way to distribute his compromised version of the ports tree in place of the real thing to the unsuspecting users. This would have to involve compromising the main SVN repository of the project because that is the authoritative source for the source code of FreeBSD and also for the ports tree. Another way of achieving such a compromise would be falsifying DNS records for the SVN and portsnap main sites and mirrors, but given how DNS works it's very hard to implement such attacks on a scale larger than a few local LAN networks that you have immediate access to.
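To show the check described above, here is an added example (not from this thread, and not the ports framework's own code) that parses SHA256 and SIZE entries in the format a ports distinfo file uses and verifies a fetched distfile against them; the distfile bytes and the distinfo text are constructed inline, and the file name "example-1.0.tar.gz" is a placeholder.

```python
import hashlib
import re

# Lines in a FreeBSD ports distinfo file look like:
#   TIMESTAMP = 1441400000
#   SHA256 (example-1.0.tar.gz) = <64 hex chars>
#   SIZE (example-1.0.tar.gz) = 1234
# (the file name "example-1.0.tar.gz" is a constructed placeholder)
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def parse_distinfo(text):
    """Return {distfile name: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue
        m = DISTINFO_LINE.match(line)
        if m is None:
            raise ValueError("unrecognised distinfo line: %r" % line)
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def make_distinfo(name, data, timestamp=1441400000):
    """Build distinfo text for a trusted copy of the distfile (the maintainer's side)."""
    digest = hashlib.sha256(data).hexdigest()
    return "TIMESTAMP = %d\nSHA256 (%s) = %s\nSIZE (%s) = %d\n" % (
        timestamp, name, digest, name, len(data))


def verify_distfile(name, data, distinfo_text):
    """Check a fetched distfile against distinfo (the builder's side).

    Returns (ok, reason). Both SIZE and SHA256 must be present and match; a
    distfile that disagrees with distinfo must be rejected, never built.
    """
    entries = parse_distinfo(distinfo_text)
    entry = entries.get(name)
    if entry is None:
        return False, "no distinfo entry for %s" % name
    if "SIZE" not in entry or "SHA256" not in entry:
        return False, "incomplete distinfo entry for %s" % name
    if len(data) != entry["SIZE"]:
        return False, "size mismatch: expected %d, got %d" % (entry["SIZE"], len(data))
    actual = hashlib.sha256(data).hexdigest()
    if actual != entry["SHA256"]:
        return False, "SHA256 mismatch: expected %s, got %s" % (entry["SHA256"], actual)
    return True, "ok"


# Constructed sample: a "trusted" distfile, its distinfo, and a same-size altered copy.
DISTFILE_NAME = "example-1.0.tar.gz"
TRUSTED_DATA = b"#!/bin/sh\necho hello from the example distfile\n"
TRUSTED_DISTINFO = make_distinfo(DISTFILE_NAME, TRUSTED_DATA)
ALTERED_DATA = TRUSTED_DATA.replace(b"hello", b"jello")  # same length, different bytes

if __name__ == "__main__":
    print(TRUSTED_DISTINFO)
    print(verify_distfile(DISTFILE_NAME, TRUSTED_DATA, TRUSTED_DISTINFO))
    print(verify_distfile(DISTFILE_NAME, ALTERED_DATA, TRUSTED_DISTINFO))
    print(verify_distfile(DISTFILE_NAME, TRUSTED_DATA + b"\n", TRUSTED_DISTINFO))
```

The same-length altered copy passes the SIZE check and is caught only by the SHA256 check, which is why both entries are kept.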


----------



## hanzer (Sep 5, 2015)

The creators of the third-party source code could do a lot. The creators of the distribution tarball could do a lot. The port developers could do a lot.

As a thought experiment (or take it all the way), if you were to develop some software, a distribution tarball, and a set of /usr/ports scripts, could you find ways in that process to rootkit your system? (Assuming yes) Can you imagine any of those methods making their way through the ports development process and into the distributed ports system?


----------



## ANOKNUSA (Sep 6, 2015)

Max212 said:


> I come from the Windows world and AV is a must. It is a bit uncomfortable to use a system without AV, especially today where everything is online and an "easy" target.
> 
> Ok, I understand that viruses for UNIX/UNIX-like systems cannot spread easily or fast enough, but the question that comes to my mind is: how can you check if your computer is infected?



You can wonder how to check for viruses, but it seems odd to do so without wondering _why_ to check as well. I've been using Linux and Unix for almost a decade, and in that time I haven't even heard a single report of a *nix virus found spreading around the Net, and I've never seen any sign on any of my systems that might suggest any sort of malware might be running rampant. It's possible for a latent vulnerability to allow some black-hat to compromise a LAN, but malware? Never heard anything of it.

Incidentally, along with the fact that viruses are virtually non-existent in the *nix world, another thing you'll often hear when the subject comes up on forums and mailing lists is that many people attracted to Unix-like systems--who also likely use Windows in the workplace, or even at home--may be the sort of cautious, security-conscious people less susceptible to virus infections in the first place, and many of them use Windows themselves. Frankly, most serious malware infections stem from poor user choices and habits, and AV software serves as an incentive to perpetuate those (what psychologists call "risk compensation" or the "Peltzman effect"). Many people--more than you might suspect--use Windows without AV software, and get by just fine.


----------



## Terry_Kennedy (Sep 6, 2015)

kpa said:


> This would have to involve compromising the main SVN repository of the project because that is the authoritative source for the source code of FreeBSD and also for the ports tree.


Someone has been there, done that.


----------



## drhowarddrfine (Sep 6, 2015)

Notice that most of the stories of problems in the past involve someone having their hands on the system to cause the damage. That's a different story from those trying to cause problems from a distance. If you have a system in front of you, you can do a lot of damage to anything. There has not been any widespread malware on a Unix system since 2001, iirc.


----------



## kpa (Sep 6, 2015)

Terry_Kennedy said:


> Someone has been there, done that.



Yes, but have there been any wide-scale compromises where an attacker has managed to cover his tracks completely and users have in fact installed compromised software? In the incident you're referring to there was never any proof that the packages were in fact compromised.


----------



## Beastie7 (Sep 6, 2015)

Even with a "hardened" Windows machine, it can be easily cracked. UAC for example, is a terrible joke.


----------



## troublemaker (Sep 6, 2015)

You can have the best system in the world, but it will never be perfect. Thinking that FreeBSD is immune is honestly wishful thinking. The fact that FreeBSD has a very small market share should definitely be considered when thinking that these things don't happen on FreeBSD.
Personally I don't run any antivirus, even on Windows. But I understand that you might want to have a more serious check in some cases.


----------



## naali (Sep 6, 2015)

The risk of getting infected by malware on FreeBSD is in my opinion very small. The work required to create such malware is too great for the potential benefit. A scenario for infection could be along the lines of getting a browser or an email reader to execute arbitrary code; this code would know a zero-day vulnerability in something that runs with higher privileges, something that runs with root privileges on a UNIX-like system. After the second-stage vulnerability has rooted the system, the malware would contact its master and ask for further instructions, ready to install key loggers or whatever. Considering that only a portion of the installed systems would be vulnerable to one specific attack, and that the size of the user base is tiny, it would not be cost efficient to target FreeBSD. Overall, it is not necessarily harder or easier to target FreeBSD desktops, but the time and work it takes to find zero-day vulnerabilities and turn those into exploits can be too high for the practically non-existent benefit. This is just my personal opinion and not a fact.


----------



## sk8harddiefast (Sep 6, 2015)

Do you really believe that anyone is going to create any kind of virus for FreeBSD? And you, a FreeBSD user who managed to set up this monster OS, would just execute the virus like a Windows user with no idea what you are doing? Viruses and such things don't exist here. The only danger is being hacked by someone, but it is still a very secure OS and it would take a very good cracker to manage it. But if you still want the most secure OS, then go to OpenBSD!


----------



## Beastie7 (Sep 7, 2015)

troublemaker said:


> You can have the best system in the world, but it will never be perfect. Thinking that FreeBSD is immune is honestly wishful thinking. The fact that FreeBSD has a very small market share should definitely be considered when thinking that these things don't happen on FreeBSD.
> Personally I don't run any antivirus, even on Windows. But I understand that you might want to have a more serious check in some cases.



Operating system security has nothing to do with Market share. This is a false dichotomy, security through obscurity-like thinking (from the Windows crowd) that needs to stop. iOS has more than 2/3 of the U.S. smartphone market share and yet Android has more reports of huge vulnerabilities, and it's open source.


----------



## protocelt (Sep 7, 2015)

Android has over 80% worldwide market share. Most virus/malware writers, but certainly not all, aim to maximize infection. That said, I agree, it's a very bad idea to consider market share when securing your operating system.

FreeBSD itself is pretty much immune to Windows viruses, yes, but it can still be used to spread the infection to Windows clients. Using FreeBSD as a mail server for a small business is one example.


----------



## Beastie7 (Sep 7, 2015)

protocelt said:


> Android has over 80% worldwide market share. Most virus/malware writers, but certainly not all, aim to maximize infection. That said, I agree, it's a very bad idea to consider market share when securing your operating system.
> 
> FreeBSD itself is pretty much immune to Windows viruses, yes, but it can still be used to spread the infection to Windows clients. Using FreeBSD as a mail server for a small business is one example.



But I thought with many eyes, all bugs are shallow!


----------



## troublemaker (Sep 7, 2015)

Beastie7 said:


> Operating system security has nothing to do with Market share.


I'm not sure where you read that in my post, unless by security you mean a lower risk of security incidents. In that case that is indeed what I wrote. I really don't think people are willing to write malware for a system used by very few people, unless it's trivial or unless those few people are very important. The reward is simply not worth the effort.
In other words: if FreeBSD doesn't have security issues it's not because it's perfect. It isn't. It may be better than others, but there will always be ways to do bad things.


----------



## Deleted member 9563 (Sep 7, 2015)

troublemaker said:


> I really don't think people are willing to write malware for a system used by very few people, unless it's trivial or unless those few people are very important.



We're getting off topic here, but since the OP hasn't been back I guess that's OK. Anyway, I'm not sure about the idea that because FreeBSD is used by few people there's a lack of value in compromising it. I would think that most intrusions into home computers are of little value other than collecting nodes for a botnet. I've known a lot of people over the years (who use MS-Windows) and not one has ever reported their bank account as being compromised, for example. I suspect that very few get pwned in that way. Perhaps I'm wrong, but isn't it in servers where the real value lies? Judging by the barrage of break-in attempts I see, I'd say there's certainly a lot of interest.


----------



## troublemaker (Sep 7, 2015)

OJ said:


> We're getting off topic here


Not so much, I think. The thread is about an antivirus for FreeBSD; it's pretty much related to how secure your system is. And I think FreeBSD can be more secure than other systems (and this might be considered a bold statement by some, but we will leave those losers alone), but no system is 100% secure. So if you are really concerned, any extra check is always welcome.
You know the saying: the only secure system is turned off, in a safe, in a bunker, deep underground, guarded by 200 men. And even then I wouldn't be so sure.



OJ said:


> Anyway, I'm not sure that the idea that because FreeBSD is used by few people there's a lack of value in compromising it


Not necessarily a lack of value, but (much) less than Windows or Linux. And don't get me wrong, I'm not saying this is the only factor. But I think it can be a relevant factor if the market share is small.



OJ said:


> I would think that most intrusions to home computers are of little value other than collecting nodes for a botnet.


That's not nothing. Try to imagine how many machines are zombies. How many zombie candidates are running FreeBSD?



OJ said:


> I've known a lot of people over the years (who use MS-Windows) and not one has ever reported their bank account as being compromised, for example. I suspect that it is very few that get pwned in that way.


I don't know much about that. But for example here:

http://www.zdnet.com/article/dyre-wolf-attacks-your-corporate-bank-account-door/

It can be very few people, but apparently more than enough.



OJ said:


> Perhaps I'm wrong but isn't it in servers where the real value lies? Judging by the barrage of break in attempts I see I'd say there's certainly a lot of interest.


Could be, but even in that case Linux is far more popular. So if you have a FreeBSD server that allows you to get into Fort Knox then obviously FreeBSD can be of some interest, but I would say this is not the case. If I had to write some malicious software I would definitely target Linux first, unless I wanted to target a specific company that uses FreeBSD. Besides, Linux is much easier to attack.


----------



## ANOKNUSA (Sep 7, 2015)

protocelt said:


> FreeBSD itself is pretty much immune to Windows viruses, yes, but it can still be used to spread the infection to Windows clients. Using FreeBSD as a mail server for a small business is one example.



Yes, but this raises the already answered question of responsibility: nearly every mail server in the world runs on some Unix-like operating system, yet we don't hold our mail service providers responsible for infecting our Windows systems, nor do we blame the operating system the mail server is running on for the unwanted content of our mail. Likewise, it is of course possible to benignly store a virus or trojan or malicious macro on a FreeBSD system, and unwittingly transfer that malware to Windows--just as it's possible to do so on Linux and OS X. Yet we don't hold users of those more secure alternatives responsible for the security of others' Windows systems.

The long and short of it is that everyone is responsible for their own system security, and the only people who really have to worry about malware are Windows users. And we all implicitly agree that holding the minority that use Unix-like systems--possibly because they're conscientious about malware--responsible for the problems of the majority who can't be bothered, isn't right.


----------



## Max212 (Sep 8, 2015)

Saying that FreeBSD is secure because of low market share is an illusion. If you or the system you are using is a target, then you will get hacked. Check the Stuxnet case.
The question here is how to check that your system is not compromised in a way that it is not leaking data or that it is used to compromise other non UNIX/UNIX-like systems.


----------



## drhowarddrfine (Sep 8, 2015)

Max212 Stuxnet was a Windows attack. There has not been an effective malware attack on Unix systems since 2001 and, even then, that was on Linux, iirc.


----------



## kpa (Sep 8, 2015)

Max212 said:


> Saying that FreeBSD is secure because of low market share is an illusion. If you or the system you are using is a target, then you will get hacked. Check the Stuxnet case.
> The question here is how to check that your system is not compromised in a way that it is not leaking data or that it is used to compromise other non UNIX/UNIX-like systems.



You keep arguing that such infections take place and are common on UNIX and UNIX-like systems. Where's your evidence? Post some reputable reports of known recent incidents of UNIX viruses and malware.


----------



## Beastie7 (Sep 8, 2015)

troublemaker said:


> I'm not sure where you read that in my post; unless by security you mean lower risk of security incidents. In that case that is indeed what I wrote. I really don't think people are willing to write malware for a system used by very few people, unless it's trivial or unless those few people are very important. The reward is simply not worth the effort.
> Otherwise said: if FreeBSD doesn't have security issues it's not because it's perfect. It isn't. It may be better than others, but there will always be ways to do bad things.



The "value" is what is to be gained from the objective, regardless of the platform. Infrastructure involves a lot more than just servers. For instance, adversaries are hitting things like edge switches, PLC devices, telecom networks, etc. a lot more compared to your average x86 server or ARM embedded device, yet they are deployed in far smaller volume. Your post basically says "If FreeBSD had more market share, there would be more reports of breaches." That's the wrong way to look at systems security. Good design and simplicity will trump any number of possible attack vectors.


There are a lot more reports of vulnerabilities in Windows because it's terribly designed and complex, thus more breaches. Not market share. If Redmond actually gave two shits about secure design and preventative responsibility, Windows wouldn't be the way it has been.



drhowarddrfine said:


> Max212 Stuxnet was a Windows attack. There has not been an effective malware attack on Unix systems since 2001 and, even then, that was on Linux, iirc.



Windows was just one piece of the pie, a lot more was exploited in getting those centrifuges to a halt.



protocelt said:


> Android has over 80% worldwide market share. Most virus/malware writers, but certainly not all, aim to maximize infection. That said, I agree, it's a very bad idea to consider market share when securing your operating system.
> 
> FreeBSD itself is pretty much immune to Windows viruses, yes, but it can still be used to spread the infection to Windows clients. Using FreeBSD as a mail server for a small business is one example.




When a company operates under a horizontal business model, it's a lot easier (and faster) to distribute an operating system globally because you have OEMs (I call these "naked" hardware makers) to do all the leg work for you. For vertical companies like Apple, SUN (RIP), SGI (RIP), etc., where you control the entire product stack, peak market saturation is more challenging. Still, it has very little to do with systems security.

Anyway, I'm done here. Talking about Windows makes me depressed.


----------



## kpa (Sep 8, 2015)

Beastie7 said:


> There are a lot more reports of vulnerabilities in Windows because it's terribly designed, and complex; thus more breaches. Not market share. If Redmond actually gave two shits about secure design and preventative responsibility; Windows wouldn't be the way it has been.



They also have their own POLA issues. Everyone should remember the backlash they got for introducing the UAC in Windows Vista. That alone makes it very scary to think about how safe Windows machines are in reality.


----------



## drhowarddrfine (Sep 8, 2015)

Beastie7 said:


> Windows was just one piece of the pie, a lot more was exploited in getting those centrifuges to a halt.


Maybe so but Stuxnet is still a Windows-only thing.


----------



## drhowarddrfine (Sep 8, 2015)

getopt said:


> Given all the vulnerabilities we run behind, how probable is it that there are (a few?) viruses out in the FreeBSD world (that we even deny to find)?



Lone Ranger: "Tonto, we're surrounded by Indians ready to attack. What are we going to do?!"

Tonto: "What you mean 'we', white man?"

Don't base your perception of FreeBSD security on this thread. There's a lot going on.

Note: Maybe only Americans my age will get who those TV characters are.


----------



## Beastie7 (Sep 8, 2015)

getopt said:


> It's getting funny here. And this is because there is a lot of belief (and hubris?) in the discussion and a lack of information or evidence.
> 
> But how can there ever be an evidence if nobody scans the BSD world for viruses?
> 
> ...



Given FreeBSD's history of being the basis of covert infrastructure products that usually aggregate raw data (routers, load balancers, storage, etc.) I'm sure there are some viruses in the wild. It's easier to extract data from such devices. But I doubt the severity of those vulnerabilities is high, and you rarely see reports of those from FreeBSD-based products.

I'd say FreeBSD is less "virus prone" than it is "virus free".


----------



## troublemaker (Sep 8, 2015)

Beastie7 said:


> The "value" is what to be gained from the objective


Yes, that's what I said. I also added that it's not only the value, but also the effort you put into it.



Beastie7 said:


> Your post basically says "If FreeBSD had more market share, there would be more reports of breaches. That's a wrong way to look at systems security


I'm afraid there is a misunderstanding somewhere. Again, I never said a system is secure when it has little market share, if this is what you are saying. I'm saying you can't say a system is secure just because there are no reports, for the simple reason that no system with some complexity can be 100% secure. And you are right, simplicity helps, but a complex system will still be complex, and complexity is a bitch; you can't pretend something the size of FreeBSD to be perfect. If a little used system has no reports, the fact itself that the system is little used can be a relevant factor in explaining the lack of reports. Give it more users and reports will start coming in. Even if it's FreeBSD, sorry. Maybe you will have less reports compared to other systems, but you will still have them.


----------



## drhowarddrfine (Sep 8, 2015)

troublemaker said:


> Maybe you will have less reports compared to other systems, but you will still have them.


That's an assumption and a guess, not a fact. Perhaps possible but, still, not a known fact, afaik.

The problem I see in this thread is people mixing up viruses, which get installed and run on the OS, with malware and other things that exist on other OSes, specifically Windows, as if they can be installed and executed in the same manner on FreeBSD, which, of course, is not true; the assumption that such things must exist on FreeBSD is only a guess.

I get irritated when the only proof of an intrusion into a system is when someone installs a piece of software from an unknown source and runs it, which brings down one user. Then they point and exclaim, "See! FreeBSD isn't secure either!!"


----------



## shepherdAZ (Sep 8, 2015)

drhowarddrfine said:


> ...when someone installs a piece of software from an unknown source and runs it which brings down one user.



And there we have the security model we are forced to deal with. Most general operating system security mechanisms are centred around protecting users (and their files) from each other, rather than protecting users from their applications (or a piece of malware) running amok. We still live in a world where we default accept, rather than default deny. There are additional protections that can be applied, but the tools landscape is messy and confusing for most users.

I have been a primarily Linux/grsecurity user for many years, using grsecurity's RBAC to set policies that restrict what an application can do within the user security context it operates (i.e. you're a PDF reader, of course you can't bind to a network socket or read .ssh/*). I am now slowly moving stuff over to FreeBSD, where I can use Jails and Capsicum to achieve compartmentalisation and fine grained control (without the filesystem cock-ups, systemd farce, distro wars, and other Linux drama).

In my experience, anti-virus products have generally been riddled with security holes of their own, cause system resource exhaustion, and unnecessary overheads whilst delivering little actual security return.


----------



## Beastie7 (Sep 8, 2015)

troublemaker said:


> Yes, that's what I said. I also added that it's not only the value, but also the effort you put in it
> 
> 
> I'm afraid there is a misunderstanding somewhere. Again, I never said a system is secure when it has little market share, if this is what you are saying. I'm saying you can't say a system is secure just because there are no reports, for the simple reason that no system with some complexity can be 100% secure. And you are right, simplicity helps, but a complex system will still be complex, and complexity is a bitch; you can't pretend something the size of FreeBSD to be perfect. If a little used system has no reports, the fact itself that the system is little used can be a relevant factor in explaining the lack of reports. Give it more users and reports will start coming in. Even if it's FreeBSD, sorry. Maybe you will have less reports compared to other systems, but you will still have them.



Oh boy... more "he said, she said" nonsense. Look, I'm simply highlighting the common fallacy of relativity that X operating system will be equally exploited as Y operating system per market share. You seem to be conflating the two.

Now, it's perfectly logical to say the more widespread system will be attacked more often, but actually being exploited or breached by an attack vector is something else.


----------



## troublemaker (Sep 8, 2015)

drhowarddrfine said:


> That's an assumption and a guess, not a fact. Perhaps possible but, still, not a known fact, afaik.


You mean it's an assumption to say that reports will come if (when) FreeBSD becomes more popular? Could be, the assumption is based on the fact that popularity attracts hackers. Sort of what happened to Linux. Many years ago people were thinking Linux unbreakable. I don't hear that anymore.
Ah, I found an interesting link:

https://en.wikipedia.org/wiki/Linux_malware


> The growth in Linux malware is simply due to its increasing popularity, particularly as a desktop operating system ... The use of an operating system is directly correlated to the interest by the malware writers to develop malware for that OS.






Beastie7 said:


> Oh boy... more "he said, she said" non-sense.


Sorry, just trying to explain myself.



Beastie7 said:


> Look, I'm simply highlighting the common fallacy of relativity that X operating system will be equally exploited as Y operating system per market share. You seem to be conflating the two.


Is it bad if I say it's not what I said? No, never mentioned equality, and never tried to build a mathematical relationship. Of course there are other factors, and more important ones too. At the end I think there are three factors:

1) effort (how hard is the system to crack?). And this is pretty much related to the security of the system
2) reward (how much money can I make? Can I make once a lot of money, or many times little money?)
3) risk (how likely is it that I get caught? How long is the jail term?). I actually forgot this one.

Market share is only related to point 2. Not even 100%.


----------



## Beastie7 (Sep 8, 2015)

troublemaker said:


> You mean it's an assumption to say that reports will come if (when) FreeBSD becomes more popular? Could be, the assumption is based on the fact that popularity attracts hackers. Sort of what happened to Linux. Many years ago people were thinking Linux unbreakable. I don't hear that anymore.
> Ah, I found an interesting link:
> 
> https://en.wikipedia.org/wiki/Linux_malware
> ...



No, not at all! By all means, say what you want. It's just irritating when people (in general) bring up market share in regards to systems security; to some it's like a justification for a vendor's/organization's apathy to it.


----------



## troublemaker (Sep 8, 2015)

Beastie7 said:


> No not at all! By all means, say what you want. It's just irritating when people (in general) bring up market share in regards to systems security


I would never do such a thing. I am a software developer, and to me security is based on a valid concept, solid code and thorough testing, with a good process controlling the steps and good tools for the implementation. Anything necessary to put in some quality, basically. Low market share is only (in part) related to the likelihood of an attack.
Which brings me to my original point: no matter what, you will always have a flaw. Why people don't put more effort into using better tools is beyond me, but even with the best tools and coders you will always miss something. So an antivirus can be a useful extra.


----------



## Deleted member 9563 (Sep 8, 2015)

shepherdAZ said:


> In my experience, anti-virus products have generally been riddled with security holes of their own, cause system resource exhaustion, and unnecessary overheads whilst delivering little actual security return.



I alluded to it earlier but here is a relevant quote from John McAfee:

_"I don’t use AV, I think it’s dead and based on an ancient tech that is no longer relevant. Hacker kits come out 10x faster. AV is a meaningless system."_


----------



## drhowarddrfine (Sep 8, 2015)

getopt said:


> OS X is based on BSD. Are there any viruses running on OS X?


It is not. Please stop with this. Look at the Wikipedia article about OSX.


> The heritage of what would become OS X had originated at NeXT, a company founded by Steve Jobs following his departure from Apple in 1985. There, the Unix-like NeXTSTEP operating system was developed, and then launched in 1989.
> 
> The kernel of NeXTSTEP is based upon the Mach kernel, which was originally developed at Carnegie Mellon University, with additional kernel layers and low-level user space code derived from select parts of BSD.


----------



## drhowarddrfine (Sep 8, 2015)

troublemaker said:

> Could be, the assumption is based on the fact that popularity attracts hackers.


Which means nothing much to Fort Knox. It's one thing for a mouse to attack the cat and another to think the mouse can win.



troublemaker said:


> Ah, I found an interesting link:
> 
> https://en.wikipedia.org/wiki/Linux_malware


You found an interesting quote from Kaspersky, a seller of anti-virus programs who now sells them for Linux, not an unbiased statement. In fact, the rest of that section goes on to say the main reason some Linux (Unix) installations may need AV is when they're connected to Windows machines or handling Windows software and components; and only then to protect the users of Windows machines!


----------



## ANOKNUSA (Sep 9, 2015)

getopt said:


> It's getting funny here. And this is because there is a lot of belief (and hubris?) in the discussion and a lack of information or evidence.
> 
> But how can there ever be an evidence if nobody scans the BSD world for viruses?



New malware are not discovered by AV/AM software, as the latter scan files and check them against a database of _known malware_. New viruses, trojans, etc. are discovered by savvy system administrators who monitor their systems' behavior for unexpected or undesired activity.

It is getting funny in here, though: the original question mainly concerned desktop/laptop/personal server systems, and now we're off on a national security/infrastructure security tangent...


----------



## Deleted member 9563 (Sep 9, 2015)

ANOKNUSA said:


> New malware are not discovered by AV/AM software, as the latter scan files and check them against a database of _known malware_.


And that is exactly relevant to the original question. Until we get "known malware" we can't have a meaningful scanner. (I hope the OP is hearing this.)


----------



## Beastie7 (Sep 9, 2015)

OJ said:


> And that is exactly relevant to the original question. Until we get "known malware" we can't have a meaningful scanner. (I hope the OP is hearing this.)



Such a thing already exists; it's called the CVE database.


----------



## Deleted member 9563 (Sep 9, 2015)

Beastie7 said:


> Such a thing already exists; it's called the CVE database.



I thought those were vulnerabilities, but perhaps I misunderstand what you are trying to say.


----------



## troublemaker (Sep 9, 2015)

drhowarddrfine said:


> Which means nothing much to Fort Knox. It's one thing for a mouse to attack the cat and another to think the mouse can win.
> 
> You found an interesting quote from Kaspersky, a seller of anti-virus programs who now sells them for Linux, not an unbiased statement. In fact, the rest of that section goes on to say the main reason some Linux(Unix) installations may need AV is when they're connected to Windows machines or handling Windows software and components; and only then to protect the users of Windows machines!


I am not sure what we are discussing here. Is it that a more popular system is more likely to be attacked, or that Linux and/or FreeBSD have flaws? Because if it is the latter I don't think there are doubts; every developer that has written a bit of more or less complex code should know that bug-free code doesn't exist. Flaws are always present. Assuming that your system is perfectly secure is a recipe for disaster.


----------



## drhowarddrfine (Sep 9, 2015)

troublemaker: Now you are discussing flaws, but you really want to bring viruses into this without facts. All your posts are assumptions that there must be a boogy man because there must be a boogy man. Until you have something substantial to add more than that, I don't see what else there is to discuss.


----------



## troublemaker (Sep 9, 2015)

drhowarddrfine said:


> All your posts are assumptions that there must be a boogy man cause there must be a boogy man


More properly, because there usually is a boogy man. I guess you can call it a fact.


----------



## Crivens (Sep 9, 2015)

troublemaker said:


> More properly, because there usually is a boogy man. I guess you can call it a fact.


The plural of "anecdote" is not "fact".


----------



## troublemaker (Sep 9, 2015)

Crivens said:


> The plural of "anecdote" is not "fact".


Oh well, I'm sure you don't need me to show you the several cases of hacks of the past years, including cases involving supposed security professionals like Hacking Team, or companies that went bankrupt like DigiNotar because the asset their business was based on was compromised.
Why do you think companies working with sensitive data have a physically separate network? Thankfully, I might say, or the F-35 would be even more Chinese than it already is. No offense to the Chinese on the forum intended.

Do those cases involve Linux or FreeBSD? I don't know. But for sure the boogy man is there waiting for your mistake. I don't think assuming you don't make any is a good policy.


----------



## Deleted member 9563 (Sep 9, 2015)

I'd just like to point out that in a thread about AV software, talking about real or possible vulnerabilities is not very relevant and likely off topic. Everything is vulnerable, that is a given, but having a vulnerability is not the same as having a virus. Vulnerabilities don't replicate. I won't bother giving a link to a definition of computer virus but if anybody is unclear, it is worth the search.


----------



## drhowarddrfine (Sep 10, 2015)

troublemaker said:


> Do those cases involve Linux or FreeBSD? I don't know.


That is my point.


----------



## Max212 (Sep 10, 2015)

So if I understand correctly, there is no known malware for FreeBSD and that is why there is no AV software.
There are vulnerabilities; when they become known, they get published in the CVE database, so the admin gets informed about what is vulnerable and can patch the system accordingly.

It is on the admin to know what is running on the computer (software installed) and to check if there are any weird connections to the internet or that something is not as it should be.

Are there any tools to help the admin check for unexpected behavior of the system?


----------



## drhowarddrfine (Sep 11, 2015)

Max212 said:


> there is no AV software.


There is AV software. security/clamav is the best known.


----------



## Deleted member 9563 (Sep 11, 2015)

Max212 said:


> Are there any tools to help the admin check for unexpected behavior of the system?


It depends on what you're doing. On servers I check /var/log/auth.log, /var/log/fail2ban.log, and also the apache logs, and most importantly on my mail server, /var/log/mail.log. I must admit that I don't check that often on my desktop computers though. But it's the same idea - keep an eye on what's going on. Perhaps get into the habit of typing `sockstat` on a regular basis. Also for home use you may like to just watch the real-time bandwidth on a side screen just because it looks really cool. That may have some practical value for tracking the outgoing traffic, but I'm a complete amateur and do this stuff just for the fun and pleasure of fooling around. I presume you're in the same situation since you're asking. The professionals here will be serious log watchers. Seriously, outside of a basic awareness, I really don't think a desktop computer needs a lot of scrutiny as long as your security practices are half good.
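The "keep an eye on auth.log" habit described above can be automated with a few lines of parsing. The script below is an added example (not code from this thread or from fail2ban): it reads sshd authentication lines in the format FreeBSD writes to /var/log/auth.log, counts failed logins per source address, and flags the one pattern that matters most on a desktop: a login that *succeeds* from an address that has just been guessing passwords. The log lines, host name and addresses are constructed samples (documentation IP ranges), not real captures.

```python
"""Spot SSH password-guessing activity in FreeBSD-style /var/log/auth.log lines.
Added example, not from the thread; the log lines below are constructed samples
in sshd's log format, not real captures."""
import re
from collections import Counter

# Constructed sample of /var/log/auth.log (hostname "desk", documentation IPs).
SAMPLE_AUTH_LOG = """\
Sep 11 10:15:31 desk sshd[1501]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Sep 11 10:15:33 desk sshd[1501]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Sep 11 10:15:36 desk sshd[1503]: Failed password for root from 203.0.113.5 port 51240 ssh2
Sep 11 10:15:40 desk sshd[1505]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Sep 11 10:16:02 desk sshd[1507]: Accepted publickey for max from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:constructed
Sep 11 10:17:15 desk sshd[1509]: Failed password for max from 198.51.100.7 port 40030 ssh2
Sep 11 10:20:44 desk sshd[1511]: Accepted password for max from 203.0.113.5 port 51300 ssh2
Sep 11 10:21:00 desk sshd[1511]: Received disconnect from 203.0.113.5 port 51300:11: disconnected by user
"""

# Matches the "Accepted"/"Failed" lines sshd logs for each authentication attempt.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text: str) -> list:
    """Return one dict per authentication line; other sshd lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH.match(line)
        if not m:
            continue
        events.append({
            "ts": m["ts"], "host": m["host"], "outcome": m["outcome"],
            "method": m["method"], "user": m["user"], "src": m["src"],
            "port": int(m["port"]), "invalid_user": m["invalid"] is not None,
        })
    return events


def failures_by_source(events: list) -> Counter:
    """Failed logins per source address."""
    return Counter(e["src"] for e in events if e["outcome"] == "Failed")


def suspicious_sources(events: list, threshold: int = 3) -> list:
    """Sources with at least `threshold` failed logins, most active first."""
    counts = failures_by_source(events)
    return [src for src, n in counts.most_common() if n >= threshold]


def successes_after_failures(events: list, threshold: int = 3) -> list:
    """(src, user) pairs where a login succeeded after `threshold` or more failures
    from the same source: a guessing run that eventually worked, which deserves
    an immediate look at that account and its sessions."""
    running = Counter()
    hits = []
    for e in events:  # lines are processed in log order
        if e["outcome"] == "Failed":
            running[e["src"]] += 1
        elif running[e["src"]] >= threshold:
            hits.append((e["src"], e["user"]))
    return hits


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failed logins per source:", dict(failures_by_source(evs)))
    print("sources over threshold:", suspicious_sources(evs))
    print("logins that succeeded after repeated failures:", successes_after_failures(evs))
```

On a real system you would feed it `/var/log/auth.log` (and the rotated `auth.log.N.bz2` files) instead of the embedded sample; the threshold is deliberately low because a desktop sees far fewer legitimate failures than a server.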


----------



## shepherdAZ (Sep 11, 2015)

Max212 said:


> So if I understand correctly, there is no known malware for FreeBSD and that is why there is no AV software.



I would not make that link. It is important to remember that AV software can only ever tell you about malware which is already out there, and even then you are relying on:

- the AV vendor has seen a sample of it;
- the AV vendor has written a signature for it;
- the AV vendor has published an updated signature file including the patterns for the malware in question, and;
- you have downloaded and applied that signature file to every ingress point where said malware could enter your environment.



Max212 said:


> There are vulnerabilities; when they become known, they get published in the CVE database, so the admin gets informed about what is vulnerable and can patch the system accordingly.



Yes. Follow the FreeBSD Security Mailing List, the Twitter accounts, or keep an eye on the advisories.



Max212 said:


> It is on the admin to know what is running on the computer (software installed) and to check if there are any weird connections to the internet or that something is not as it should be. Are there any tools to help the admin check for unexpected behavior of the system?



I have used security/aide and security/tripwire to detect changes to files. Keep track of updates to ports/packages. Also look at using BSM Auditing and sending your BSM audit trails and syslogs to a secure central host. Be sure to review the logs. You could also send them on to something like Splunk, Huntsman, Loggly or Papertrail - these sorts of tools let you set up alerts if someone takes an action against particular files (e.g. /etc/*) or if a certain level of message criticality appears. You could look at security/snort and net-mgmt/nfdump to help look at network traffic.

An attack from a competent adversary is often difficult to spot, so that is why you apply various layers of security, and do constant monitoring of logs and network traffic to see if something is out of the ordinary. We do log collection, NetFlow monitoring (behavioural profiling of traffic), and investigate abnormal exits in processes. We also monitor login activity, file modifications, and use of removable media. What you have to monitor will depend on what you have in the environment, and it won't be limited to just your FreeBSD system(s).
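The file-change detection that security/aide and security/tripwire provide reduces to a simple idea: record a fingerprint (content hash, permission bits, owner) of every file you care about, keep that baseline somewhere the intruder cannot rewrite, and diff a later scan against it. The script below is an added example that shows that core, not aide's or tripwire's own code; the directory tree, file contents and "tampering" it builds are constructed in a temporary directory so it runs offline. Real tools also record mtime, inode, link count and ACLs, and sign the database; those are left out here for clarity.

```python
"""Minimal file-integrity baseline: record hashes and permission bits of a tree,
then diff a later scan against them (the idea behind security/aide and
security/tripwire, reduced to its core). Added example; not aide's own code."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Attributes of one file that should never change silently."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)  # a redirected symlink is a change too
    return entry


def build_baseline(root: Path) -> dict:
    """Map every file under root (path relative to root) to its fingerprint."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # Keep this copy off-host or on read-only media: an intruder who can
    # rewrite the baseline can hide every change from the next scan.
    dest.write_text(json.dumps(baseline, sort_keys=True, indent=1))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and changed paths, with the (old, new) attribute pairs that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        diffs = {k: (old.get(k), new.get(k))
                 for k in set(old) | set(new) if old.get(k) != new.get(k)}
        if diffs:
            changed[rel] = diffs
    return {"added": added, "removed": removed, "changed": changed}


def demo_report() -> dict:
    """Build a constructed sample tree, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "rc.conf").write_text('sshd_enable="YES"\n')
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        ls = root / "bin" / "ls"
        ls.write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        os.chmod(ls, 0o555)
        baseline = build_baseline(root)

        # Simulated tampering (constructed): config edited, binary replaced and
        # made setuid, one file deleted, one hidden file dropped.
        (root / "etc" / "rc.conf").write_text('sshd_enable="YES"\nextra_enable="YES"\n')
        os.chmod(ls, 0o755)
        ls.write_bytes(b"\x7fELF constructed tampered binary\n")
        os.chmod(ls, 0o4755)
        (root / "etc" / "hosts").unlink()
        (root / "bin" / ".hidden").write_text("constructed dropper\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo_report(), indent=1))
```

For a real host you would run `build_baseline` over directories such as /etc, /bin, /sbin and /usr/local/etc right after installation, store the result with `save_baseline` on media the running system cannot modify, and diff a fresh scan against it after every package update and on a schedule; legitimate updates show up too, which is why tripwire-style tools let you re-baseline after reviewing a change.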


----------



## troublemaker (Sep 11, 2015)

shepherdAZ said:


> I would not make that link. It is important to remember that AV software can only ever tell you about malware which is already out there, and even then you are relying on:
> 
> the AV vendor has seen a sample of it;
> the AV vendor has written a signature for it;
> ...


How about heuristic analysis?


----------



## Maelstorm (Sep 15, 2015)

I'm late to the party on this one.  Although as broad as this is, I'll offer my 2 cents.

Malware on Unix systems is virtually unheard of.  Although common on Windows and uncommon on Apple Macs, actual malware on Unix systems is pretty much non-existent.  There is a cost/benefit analysis that must be done in order to determine if a worm/virus/trojan/rootkit is worth the effort to write on that platform.  With Windows, well it's a no brainer there.  Mac OS-X systems have a few, but not many (last time that I checked).  As for Unix, haven't heard of one.  But that's not to say they don't exist.  The one exception to this is rootkits.

Consider the following scenarios:

*1. Web Server Distributes Malware to Windows Machines*
A web server runs Apache on one of the Unixes.  An intruder hacks into the server and uploads a malicious flash object which exploits a zero-day vulnerability in Windows.  Over the next two weeks, thousands of people visit that site and get infected without any indication at all.  Although the malware is loaded onto the Unix system, it doesn't infect it.  It does however infect the computers of the people who connect to it via a web browser.  So in this case, the server has been hijacked into becoming a platform to spread malware to Windows systems.  Here, the biggest threat to Unix systems is manual hacking and rootkit/backdoor installation and causing the machine to distribute malware.  Quite frankly, I wouldn't be surprised if this was the most common one.

*2. System Used to Attack Another Machine*
An internet facing Unix machine is compromised via a zero-day vulnerability.  The black-hat hacker gains root access and installs a rootkit with a backdoor.  The rootkit hides itself and its related processes.  Logs are tampered with to hide the intrusion.  The hacker then uses this system as a springboard to attack other systems on the internet or to penetrate further into a corporate network.  Once again, the threat here is manual hacking.

*3. Source Code Repository Compromised*
Source code on a master CVS/SVN/Github repository is deliberately altered to introduce a zero-day vulnerability.  Now every system that is built from that source is vulnerable.  Actual hardware execution environment (i386, amd64, Sparc, Z360, MIPS, etc...) most likely would not matter.  Manual hacking is the threat.  I would like to point out that this has happened.  I don't know about FreeBSD (Someone care to enlighten me?), but this happened to the master Linux kernel repository that all the Linux distributions download from when building a new "distro."  If memory serves me correctly, it was compromised for something like 5 or 8 months before it was discovered.

*4. Windows Vulnerability Exploited Resulting in a Massive Worm Invasion*
As funny as that title sounds, this happens more often than not, and it is no laughing matter.  Case in point: MSBlaster worm.  Within a few hours, every vulnerable machine on the internet which didn't take special precautions was infected.  Then at a preset time and day, the infestation launched a DDoS (Distributed Denial of Service) attack directly against Microsoft's Windows Update service.  Inside the packets (all of them) was the following message directed to then CEO Bill Gates: "Billy gates why do you let this happen? quit making so much money and fix your software."  Now the threat here is some programmer releases an internet worm to infect as many machines as they can.  It is interesting to note that this incident, and several others, caused Microsoft in the early 2000's to stop all software development for a month so their 8,000+ software engineers could take classes on secure programming techniques.

*5. A Professional Group Targets Specific High-Value Individuals*
This is the greatest threat there is.  A group of hackers, who is sponsored by a Nation-State, has access to nearly unlimited resources.  These are the people who generally write the APT (Advanced Persistent Threat) espionage software toolkits.  These individuals go after certain high-profile or high-value targets to steal information from those individuals.  The target system can be a computer, a cell phone, or even a tablet.  Not even air-gapped networks are safe.  There are several cases regarding this.

*5.1. Flame Espionage Platform*
This software was found on several computers belonging to individuals in various segments of industry in the Middle East.  The primary target was Iran and their nuclear research programs.  Interesting to note that the infection occurred using a MitM (Man in the Middle) attack with a spoofed Microsoft code signing certificate which allowed the attacker to masquerade as the Windows Update service.  Analysis concluded that the attacker used a chosen-prefix attack to force an MD5 hash collision so the fingerprint of the digital signature would match the legitimate certificate.  One of the mathematicians who wrote a paper in 2007 about MD5 collision attacks stated "The attack vector that was used was previously unknown and different than the one in the 2007 paper.  Whoever pulled this off used world-class cryptanalysis."  Due to strong similarities between Flame and Stuxnet (below), it is highly suspected that the United States and Israel are behind this.

*5.2. Stuxnet Attack Software*
Cyber-warfare attack software that could cross over into air-gapped control networks, using a previously unknown zero-day vulnerability, and reprogram the industrial PLCs (Programmable Logic Controllers) which controlled the gas centrifuges which are used for Uranium enrichment.  The worm caused the PLCs to command the centrifuges to overspeed which then caused the components inside them to fly apart, destroying the centrifuge, all the while signalling to the operators via telemetry links that everything was A-OK.  Iran was the target.  It was later confirmed by the United States that this was a joint project between the US and Israel.

*5.3. Kaspersky Labs Under Siege from Duqu 2.0*
Kaspersky Labs in Russia who makes computer security software was hacked and penetrated via a compromised network device driver which was digitally signed by a code signing certificate which was stolen from the hardware manufacturer.  The Windows based machines which had the software loaded onto them were internet facing.  From there, a zero-day exploit was used to infect every Windows machine on their network.  This malware was determined to be an APT which resided completely in memory, except for the internet facing machines.  So every time the machine rebooted, the infection would be cleared from memory, but would be reinfected shortly afterwards when communication to the domain controller was established.  Kaspersky stated that the APT used was at least a generation ahead of anything that they have seen thus far.  Additionally, Kaspersky stated that Duqu 2.0 holds similarities to both Stuxnet and Flame, which suggests that the United States was behind this.

*6. The Equation Group*
Kaspersky Labs has recently identified a state-sponsored hacking group that is considered to be completely out of everyone's league.  Kaspersky has stated that this group, when it comes to computers, is for all intents and purposes omnipotent.  This group is known as The Equation Group.  They are the ones who were behind the Flame and Stuxnet malware as well as several others.  It may very well have been them who attacked Kaspersky Labs as well.  These guys have been operating for at least 15 years under the radar and are only now coming to light.  This group is state sponsored.  It is highly suspected that they may even be part of a state intelligence agency, quite possibly the United States National Security Agency.

Remember, *these are the guys who wrote malware that will infect the firmware of your HDD*.  Yes, you read that right.  The Equation Group has actually written malware that will take over the hard disk drive itself.  And they've written it for at least a dozen different brands and manufacturers.  What it does is section off a part of the drive to use as a storage vault to store stolen documents.  It is hidden from the user and no anti-virus software can penetrate it.  Even reformatting the drive won't clear it.  Furthermore, reformatting the drive and reinstalling the operating system will just reinfect the computer with the APT software again.  The only solution is to re-flash the firmware using a good copy from the manufacturer, or to replace the drive.

Another extraordinary capability is to perform mail interdiction.  There are three known cases where this has happened.  They intercepted and trojaned an Oracle database installation CD while it was traveling through the mail.  They rewrote the firmware of a Cisco router while it was in transit to a customer.  And the best known one was a CD from a scientific conference which was intercepted and trojaned while on its way to a scientist who attended the conference.

*Conclusion*
While most threats are generally the low-skill script kiddies, there are a few hackers out there with some skills who write their own tools that they use to attack with.  Depending on who you think your most likely threats are, that's what you need to tailor your security to.  It is a given that a web server will eventually be compromised and the site that is hosted on it defaced.  Since no system is perfect, the main objective is to make it so hard to hack into the machine/network that the cost/benefit makes it not worth it.  In other words, the goal is to make them go away.  But God help you if you draw the interest of the groups that are state sponsored.  If they want you badly enough, chances are you will not be able to stop them.


----------



## Wozzeck (Sep 15, 2015)

To sum up, antivirus is mainly interesting if FreeBSD is acting as a file server and/or mail server for a Windows-based computer network.  Even if a Windows virus will not have any effect on BSD, if not detected the virus can be downloaded and distributed to Windows computers when "Bill multiple Gates" accesses the server.

But, for non-corporate use this kind of protection is not quite necessary, as a Windows workstation can have its own antivirus solution. Today Comodo distributes for free its powerful Comodo x64 native Workstation Internet Security Suite, which is far better than ClamAV.

But but... thinking further, if we speak more generally about security, not dealing only with viruses and malware....
Although there is very little malware for BSD, having a heuristic protection is quite relevant because you can't ignore the case where a professional hacker like some government security agency creates its own malware. As this code is not distributed so massively, the big problem is that you can ignore its existence for a very, very long time, because evidently, before a virus is declared "in the wild", security labs must first detect it...

One claims that there is no malware under BSD, but one will never be able to prove that, and one can't claim that this will never be the case. The disadvantage of Windows is also... an advantage. Malware is so massively distributed across the world that it facilitates its discovery by international security labs; for this reason having a good heuristic module under FreeBSD should theoretically be quite relevant.

Today the Snort IDS solution can deal with some "security issues", but this solution is mainly based on rules. A heuristic protection offers an additional dynamic analysis against unknown threats (malware, rootkits...) by advising the user/administrator about suspicious activities.

Apart from the well-known ClamAV, today I know of three commercial antiviruses for FreeBSD, but I haven't tested any. For Linux there are more solutions. Almost every major security vendor now has a Linux solution; for BSD.... snif snif, very few things.

- F-Prot : 3 versions, Workstation, Corporate file server, Corporate mail server

What is interesting is the fact that the workstation version seems to have a heuristic real-time module. I have never tried the product (today I simply use ClamAV on my home-made FreeBSD server, with Comodo Security Suite or Agnitum Security Suite on Windows workstations) so I can't give an opinion on the maturity of this heuristic module.
It seems that we can try the product for 30 days. The price for the workstation version seems to be the regular price for a common Windows license.

I don't speak about corporate versions as prices are generally not compatible with individual user budget.

http://www.f-prot.com/products/corporate_users/unix/

- Kaspersky : very, very little info; it seems to be a corporate antivirus only (file server and mail server), so likely too expensive for a non-corporate user, and I guess it does not offer rock-solid heuristic analysis as this product is targeting virus analysis.

http://www.kaspersky.com/news?id=221

- AVG
Here is a link for a free Workstation version
http://free.avg.com/eu-en/129024

AVG seems to have a corporate FreeBSD build for FreeBSD email server
http://www.avgsecurity.co.za/component/avgproducts/?view=avgproducts&catid=84&Itemid=233

For all these solutions, there is not much information about the FreeBSD platforms supported. For example KAV has long been only available for FreeBSD 9 ... i386. Same remark for AVG: you can see on the URL link that the source code for the free workstation version matches the i386 platform only. For F-Prot they use the ambiguous terminology "x86", which would mean "Intel desktop platform including 32 and 64 bit", but you know there is a large misuse of this terminology, as for a lot of people "x86" is wrongly used to mean "32 bit".

The most reliable vendor for commercial FreeBSD AV solutions seems to be F-Prot. If it is working on "x86_64" one day I will probably make a try with Workstation version just to have a real idea.


----------



## vasili111 (Sep 15, 2015)

I am not security or FreeBSD expert but I have some thoughts about current topic:

I see at least 3 types of security threats for FreeBSD and other non-Windows OS desktop users:

*1. Browser extensions.*
Browser extensions are not OS specific. Malicious browser extensions that are a security threat for Windows PCs can also be a threat for other PCs that are using a different OS but the same browser (Chromium, Firefox).

*2. Java software.*
Many desktop PC users need Java. Java code is OS independent, so malicious Java software can be a threat for other OSes that use Java too.

*3. Wine.*
Wine is widely used at non-Windows desktop PCs and it can run malicious Windows software.

We can't say that malicious browser extensions, malicious Java software and malicious Windows software under Wine, which are targeted primarily at Windows users, will also carry the same level of security threat for other OS desktop users. Because some of them, no matter how cross-platform they could be, in fact can harm only Windows users. But I am pretty sure that many of them can very seriously harm non-Windows desktop users.
Neither FreeBSD, nor OpenBSD, nor any other OS can be a panacea for security for the desktop user. The main security concern is the degree of security education of the desktop user. We can only wish that people will be wise enough to not install browser extensions from non-trusted places, to run only Java software and Windows software in Wine that is downloaded from trusted places, and to not run with admin privileges Java software and Windows software in Wine from an email attachment sent by an anonymous person.
Creating such kinds of security threats does not need huge resources.
Again, the main prevention for such threats is proper user security education. But there will always be a huge amount of desktop users that need extra protection such as an antivirus to prevent them from running malicious software. An antivirus is not a panacea for such threats, but it can give a little bit of extra security for such users, and sometimes that extra security really helps.

*So I think that the best security threat prevention is proper user security education, but there is and always will be demand for antivirus software for any desktop OS, including FreeBSD.*


----------



## Crivens (Sep 15, 2015)

Maelstorm said:


> The only solution is to re-flash the firmware using a good copy from the manufacturer, or to replace the drive.


Who can say that the re-flash worked and that the drive did not simply store the new version string to answer it back? Who can say that the new drive will not immediately be infected by some part of the malware which burrowed itself into your UEFI or some other "smart" part of your machine? Seems paranoid, but when you deal with people of that threat level, you should be able to afford good countermeasures. Say, burn the hardware. On a stake. And maybe keep some persons employed who play theater for the spooks, to decrease the signal-to-noise ratio.


----------



## drhowarddrfine (Sep 15, 2015)

vasili111 said:


> I am pretty sure that many of them can very seriously harm non-Windows desktop users.


If they could, they would but, so far, they don't.



> Again, the main prevention for such threats is proper user security education.


I say this over and over again. FreeBSD is a professional operating system for professionals. Of course, this isn't always the case but that can be said of anything.


> there is and always will be demand for antivirus software for any desktop OS, including FreeBSD.


I don't see this demand at all. I see the question come up from time to time but never a demand.


----------



## Crivens (Sep 15, 2015)

drhowarddrfine said:


> I don't see this demand at all. I see the question come up from time to time but never a demand.


This comes implicitly from the "server" qualification of FreeBSD. This is like the male gynecologist who once told me he liked his job also because he dealt mostly with infections he himself would not be able to catch. The same principle applies here - FreeBSD as a server can scan files for Windows systems, and exposing the OS to the malware would not risk an infection.


----------



## Oko (Sep 15, 2015)

Crivens said:


> This comes implicitly from the "server" qualification of FreeBSD. This is like the male gynecologist who once told me he liked his job also because he dealt mostly with diseases he himself would not be able to catch. The same principle applies here - FreeBSD as a server can scan files for Windows systems, and exposing the OS to the malware would not risk an infection.


+1 I second this. The fact that BSDs are generally immune to viruses doesn't excuse us from being good Internet citizens and making sure our BSD machines are not passing malicious viruses to Windows, OS X, and Ubuntu boxes.


----------



## troublemaker (Sep 15, 2015)

Wozzeck said:


> Although there is very little malware for BSD, having a heuristic protection is quite relevant because you can't ignore the case where a professional hacker like some government security agency creates its own malware.


Not necessarily a government agency. The point I have been trying to make for days.


----------



## ANOKNUSA (Sep 17, 2015)

Oko said:


> The fact that BSDs are generally immune to viruses doesn't excuse us from being good Internet citizens and making sure our BSD machines are not passing malicious viruses to Windows, OS X, and Ubuntu boxes.



First, OS X and Ubuntu are no more (or at least not much more) vulnerable to malware than FreeBSD is. They're all virtually malware-free for essentially the same reasons. Second, holding *nix users ethically responsible for infections on Windows systems is one hell of a leap in logic. Suppose my machine contains a piece of malware that I inadvertently pass on to a Windows user, with nasty results. Precisely how do I come to be responsible for those results? After all, it's unlikely that the malware truly originated from my machine--perhaps I picked it up from an e-mail-attached file that was stored on a machine running Windows, an operating system that already has an over-abundance of utterly superfluous AV/AM tools. But then, the e-mail happened to be sent from a RHEL server, but received by and retrieved from an Outlook webmail account running on a Windows Server Edition machine.

So who is responsible for the consequences of malware infection? Remember, I didn't scan the attachment for viruses and trojans and such because _I'm not affected by such things_. I have no fear of them, no need to beware of them. Nor should the company handling the mail traffic be held responsible for guaranteeing the safety of the millions of messages they route every day, companies which almost certainly use Unix-like operating systems precisely for the increased security. The only people affected are the Windows user who sent me the message, and any Windows user that might later receive it. So shouldn't the Windows users be looking out for themselves and each other, rather than expecting the people who've already taken precautions to secure their systems as well?

This little thought exercise is of course moot, once one considers that actually holding the *nix-using minority responsible for rooting out infections for Windows users would accomplish absolutely nothing anyway: malicious users of all operating systems are still going to _deliberately pass on malware anyway_. The only people who would be held responsible are the minority of unlucky, unwitting saps who had nothing to do with the creation or initial distribution of the malware, who would get to play scapegoat for everyone else while the problem remained completely unchecked.


----------



## drhowarddrfine (Sep 17, 2015)

ANOKNUSA said:


> how do I come to be responsible for those results?


While I understand Oko's point, I also thoroughly agree with your post.


----------



## Oko (Sep 17, 2015)

ANOKNUSA said:


> First, OS X and Ubuntu are no more (or at least not much more) vulnerable to malware than FreeBSD is. They're all virtually malware-free for essentially the same reasons. Second, holding *nix users ethically responsible for infections on Windows systems is one hell of a leap in logic. Suppose my machine contains a piece of malware that I inadvertently pass on to a Windows user, with nasty results. Precisely how do I come to be responsible for those results? After all, it's unlikely that the malware truly originated from my machine--perhaps I picked it up from an e-mail-attached file that was stored on a machine running Windows, an operating system that already has an over-abundance of utterly superfluous AV/AM tools. But then, the e-mail happened to be sent from a RHEL server, but received by and retrieved from an Outlook webmail account running on a Windows Server Edition machine.
> 
> So who is responsible for the consequences of malware infection? Remember, I didn't scan the attachment for viruses and trojans and such because _I'm not affected by such things_. I have no fear of them, no need to beware of them. Nor should the company handling the mail traffic be held responsible for guaranteeing the safety of the millions of messages they route every day, companies which almost certainly use Unix-like operating systems precisely for the increased security. The only people affected are the Windows user who sent me the message, and any Windows user that might later receive it. So shouldn't the Windows users be looking out for themselves and each other, rather than expecting the people who've already taken precautions to secure their systems as well?
> 
> This little thought exercise is of course moot, once one considers that actually holding the *nix-using minority responsible for rooting out infections for Windows users would accomplish absolutely nothing anyway: malicious users of all operating systems are still going to _deliberately pass on malware anyway_. The only people who would be held responsible are the minority of unlucky, unwitting saps who had nothing to do with the creation or initial distribution of the malware, who would get to play scapegoat for everyone else while the problem remained completely unchecked.


You and I have completely different ideas of how FreeBSD is used. In my scenario FreeBSD is a mail server or web proxy for a large organization (I actually work for a small one of 65-80 people). If I don't scan that e-mail for malware, or if my boss's Windows laptop which contains contracts with our customers gets infected by a virus because my web proxy is not doing its job, the whole organization is in trouble. The fact that my FreeBSD server is virus clean is irrelevant because that server is also paid for with the money from those contracts written in stupid M$ Word and sent to us by third parties.


----------



## abishai (Sep 17, 2015)

Oko said:


> because my web proxy is not doing its job


How can it do its job in case of https connections?


----------



## kpa (Sep 17, 2015)

abishai said:


> How can it do its job in case of https connections?



It's possible but it's never going to be 100% transparent to the users. You can create your own certificates and force your users to accept your certificate in place of the real ones but it's still very awkward because browsers are by default very paranoid about mismatched certificates.


----------



## abishai (Sep 17, 2015)

kpa said:


> browsers are by default very paranoid


The users will become paranoid as well, as such actions can easily be discovered with a mouseclick on the certificate.


----------



## ANOKNUSA (Sep 17, 2015)

Oko said:


> if my bosses Windows laptop which contains contracts with our customers gets infected by a virus because my web proxy is not doing its job the whole organization is in trouble.



If your boss is storing the sole copy of a vital contract--or any copy of a confidential contract--on a laptop, malware isn't your organization's biggest concern.


----------



## junovitch@ (Sep 18, 2015)

abishai said:


> The users will become paranoid as well, as such actions can easily be discovered with a mouseclick on the certificate.


It's quite likely in large organizations that there is already some notice or an agreement signed at the start of employment to the effect that everything is being monitored.


----------

