Why I Don’t Run a Virus Scanner

Introduction

For those of you who know me, you are aware that I mostly use Linux (SuSE) at home on my desktop. I refuse to load Windows XP on my machine, and I only run Windows 2000 when necessary to perform video editing.

Now, when I am in Windows 2000, I have the AVG virus scanner loaded, I have Outpost Firewall enabled, and I spot-run both AdAware and Spybot Search and Destroy. In spite of this I recently found three backdoor Trojan viruses infecting my system.

Now, when I normally boot, I load Linux. Guess what – I don’t run any virus software.

Why?

I don’t have to.

There are well over 50,000 viruses written for the different versions of Windows. Most estimates put the number of “wild” viruses at around 400. This means that a large majority of viruses have been contained but that there are still many floating around. According to one source there are 32 “active” viruses infecting Windows systems as of this writing.

In fact, an unpatched Windows system will become infected within seconds of being brought up on the internet. (This has happened to me while installing Windows 2000 on one of my machines.) Now why am I not worried?

I run Linux.

According to Virus Library there are currently six viruses for Linux. Of those, none are active.

Linux Viruses

I’ve been doing some research on this subject. According to this article the first Linux virus showed up back in January 1997. It appears to have been a worm designed to attack people running as root who played Doom.

And here’s my point.

A smart Linux user will always run as a normal user. I have been doing so for over nine months now and have only needed to log in as root once (for a very obscure reason). Doing so, I ensure that any virus that hits my system can only potentially infect my own files. With normal user privileges, I can never write or update system files. As such, I cannot run a program (or virus) that performs privileged system actions, such as writing to the master boot record of my hard drive or sending out spam.
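As an added illustration (this is my own example, not code from the original post), here is a small Python script that models the Unix permission check behind the argument above and then audits a directory for the two things that break the "only my files" assumption: world-writable files and setuid/setgid executables. `user_can_write` is an approximation of the kernel's discretionary access check (ACLs, capabilities and SELinux/AppArmor are not modelled), and the sample files are constructed in a temporary directory rather than taken from a real system.

```python
import os
import stat
import tempfile
from pathlib import Path


def user_can_write(mode: int, file_uid: int, file_gid: int,
                   uid: int, gids: set[int]) -> bool:
    """Classic Unix DAC write check, in the order the kernel applies it:
    root always wins; if the caller owns the file only the owner bit counts;
    else if the caller is in the file's group only the group bit counts;
    otherwise the 'other' bit decides."""
    if uid == 0:
        return True
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def find_weak_files(root: str) -> dict[str, list[str]]:
    """Walk root and flag files that undermine 'a user-level compromise only
    touches that user's files': world-writable files (any process, however
    unprivileged, can alter them) and setuid/setgid binaries (run with the
    owner's or group's privileges). Symlinks are skipped so a link into the
    tree cannot masquerade as a finding."""
    findings: dict[str, list[str]] = {"world_writable": [], "setuid_setgid": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable"].append(path)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings["setuid_setgid"].append(path)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample tree (hypothetical names, not real system files)."""
    tmp = tempfile.mkdtemp(prefix="permdemo_")
    for name, mode in (("safe.conf", 0o644), ("loose.conf", 0o666), ("helper", 0o4755)):
        p = Path(tmp, name)
        p.write_text("sample\n")
        p.chmod(mode)
    return find_weak_files(tmp)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```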

There have been some people arguing that the use of root is more difficult and that they should run as a privileged user. I totally disagree with this argument. I've been happy running Linux as a normal user and don't have the issues I had while running under Windows (where I am forced to run as a privileged user).

Now, I’ve seen many false arguments as to why there are no viruses on Linux, the most popular fallacy being that “Linux isn’t popular” so there are no virus authors. What this argument doesn’t take into account is the fact that well over 70% of web servers run some form of Unix or Linux. Nor does it take into account the huge number of Sendmail servers out there. If I were a virus writer and I thought I had a whelk’s chance in a supernova to let it loose and spread, I’d be on that track in a second. After all, unlike most home Windows systems, these servers are hooked up to high speed connections and a virus will spread much faster.

But what if…?

What if the absolute worst happens? I happen to be an über geek and write a remotely executable buffer overrun attack that targets an undisclosed hole in the Linux kernel. I write this on Friday evening and expect to get it out into the wild and wreak havoc over the weekend.

Wouldn’t happen.

Here’s why:

Linux systems are designed to distrust and not rely (in the general case) on remote procedure calls (RPCs), especially not between hosts. RPCs have been used for years in the Windows world to invoke exploits.

Linux has a very deep set of tools for each function. Thus if I find an exploit for Sendmail, an admin could quickly swap out that one component, which will close off this exploit.

Linux is open source, and not reliant on one company (read: locked into one vendor) to fix holes. A flaw of this nature would be fixed almost immediately and the fix spread within days if not hours. Herein lies the beauty of Linux. Unlike Unix, where a system is released in the all-in-one format, patches can be released for a Linux flaw in a very short time.

Conclusion

So, that is why I don’t run anti-virus software on my system at home. Now, if I were a system admin, I’d be sure to get something like ClamAV to ensure that my mail system isn’t spreading Windows viruses, which is a common issue. However, I can be sure that my system hasn’t been compromised by the simple click of a button or an RPC flaw. Even if it were, I’d know that the only affected files would be mine. Since I run a weekly backup, I know there’s little that can be obtained by planting a virus.

Links:

Here are some reference links on Linux and Viruses:

http://freshmeat.net/news/2000/06/10/960695940.html

http://math-www.uni-paderborn.de/~axel/bliss/

http://linuxmafia.com/~rick/faq/index.php?page=virus#virus