Tuesday, July 24, 2007

Choosing a good antivirus for linux

This post is the second in a series of posts about setting up a good antivirus for linux. The need for this is discussed in my previous post. This post deals with the factors that influenced my choice of an antivirus. For details about setting up the antivirus, see my next few posts.

So as I said in my previous post, the Wine installation on my Linux box was infected with a virus, and so I decided to get an antivirus. The points I considered while choosing one were:
  1. The program should be free - free as in free beer (monetarily).
  2. It should preferably be open source.
  3. It should not be resource-hungry. It should not slow down my computer. After all, I am running linux (Ubuntu 7.04) and a resource hogging antivirus for linux is kind of an oxymoron.
  4. Its scanning engine should be fast.
  5. It should have a provision for receiving updates over the internet, and the release frequency of these updates should be high. Preferably, updates should be possible from the command line (terminal) so that automatic updates can be configured easily using cron.
  6. The updates should preferably be differential - which makes them much smaller and hence they download faster.
  7. It should have all standard features of a good antivirus - heuristic scanning, scanning archives, ability to define custom tests etc.
  8. It should support on-close or on-access scanning. Preferably, there should be an option to limit this to certain directories so that the overall impact on system performance is minimized.
  9. It should be able to function as an email scanner for desktop (non-mailserver) use. That is, it should be able to work with mutt / pine / thunderbird / evolution and other commonly used clients and scan email messages for viruses.
  10. It should be able to quarantine / heal infected files.
  11. The program should have a good command-line interface so that piping its output to other scripts etc. becomes easy. This vastly increases the power of the program, as one can write scripts that move infected files to a safe directory, make them non-executable, etc. A GUI is also preferred, but not a must.
Considering these, I hold the opinion that:
  • Norton / Symantec, NOD32, McAfee fail on at least 1, 2, 3
  • Avast! free edition fails on the cron part of 5 and also on at least 2, 6, 8.
Thus, the good alternatives left are ClamAV / KlamAV and AVG Free Edition for Linux. I decided to install AVG. At this point I must admit that I was a little biased towards AVG because of past experience on a Windows machine. However, I did try to settle this objectively: I did try out ClamAV + KlamAV first.

ClamAV + KlamAV satisfy 1, 2, 3, 5, 6, 7, 9, 11 but not 4, IMHO. About 8, the feature exists (it took me a while to figure out how to configure on-close scanning on Ubuntu 7.04 - I will write a post soon on how I got it to work), but on my machine I found the scanning engine to be slow, and that directly affects 8 and reduces its usability. Consider my experience: I use Ubuntu 7.04 and, in particular, Nautilus. Nautilus shows previews of .txt, .pdf, .avi etc. files as their icons. When on-access scanning is on and the files in a folder have not yet been scanned, Nautilus waits for them to be scanned, so if the scanning engine / daemon is slow, after clicking on the icon of a folder with lots of items I have to wait quite a while before anything opens to a usable level. This is very annoying.

You might ask why I need on-close / on-access scanning on a Linux machine in the first place. Well, I thought it would be good to have because I can then configure it to automatically scan places in /media, /mnt and also .wine, so that whenever any removable media is used on my computer, it is scanned automatically. Also, I thought that I could discipline myself and other users to download stuff only to certain directories and enable on-close / on-access scanning in them. I believe this is a pretty good way of securing against viruses - I did manage to get all this working and then tested my system with 3 known viruses (apart from the good old EICAR test file), and none of them could be copied / run (under Wine) / accessed from my box. As I said, I will post the details soon.

About 10, the quarantine feature exists, but to the best of my knowledge the heal feature does not. Also, the method of quarantine is to move the infected file to a directory and change its permissions so that an ordinary user cannot access it. I am not sure this is the best way of quarantining - encrypting the files in some way and then changing the permissions would have made me happier.
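Points 10 and 11 in the list above (quarantine, and a command-line interface whose output a script can act on) and the move-and-chmod quarantine just described come together in a small shell script. The following is an added example written for this post, not code from the post, from ClamAV or from AVG: it reads a report in clamscan's "<path>: <signature> FOUND" line format, moves each reported file into a quarantine directory, strips all permission bits, and logs what it did. The quarantine directory path, the sample file names and the signature names are constructed for the demo.

```shell
#!/bin/sh
# Added example: quarantine files named in a clamscan-style report.
# Assumes clamscan's output format "<path>: <signature> FOUND" for detections
# and "<path>: OK" for clean files; everything else is ignored.

# quarantine_from_report REPORT QDIR
# Moves every file reported as FOUND in REPORT into QDIR, makes it mode 000
# (no read/write/execute for anyone), appends a log line, and prints the
# number of files quarantined.
quarantine_from_report() {
    report=$1
    qdir=$2
    count=0
    mkdir -p "$qdir"
    chmod 700 "$qdir"              # only the directory owner may enter the quarantine
    while IFS= read -r line; do
        case $line in
            *' FOUND') ;;          # act only on detections, skip "OK" and summary lines
            *) continue ;;
        esac
        path=${line%: *}           # everything before the last ": " is the file path
        sig=${line##*: }           # "Signature FOUND"
        sig=${sig% FOUND}
        [ -f "$path" ] || continue # already gone, or not a regular file
        dest=$qdir/$(basename "$path")
        n=0
        while [ -e "$dest" ]; do   # never overwrite an earlier quarantined file
            n=$((n + 1))
            dest=$qdir/$(basename "$path").$n
        done
        mv -- "$path" "$dest"
        chmod 000 "$dest"          # not executable, and not readable by ordinary users
        printf '%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$path" "$sig" "$dest" \
            >> "$qdir/quarantine.log"
        count=$((count + 1))
    done < "$report"
    echo "$count"
}

# demo: constructed harmless files and a constructed report, so this runs offline.
demo() {
    work=$(mktemp -d)
    printf 'harmless text standing in for an infected file\n' > "$work/invoice.exe"
    printf 'another constructed sample\n' > "$work/setup.scr"
    printf 'clean\n' > "$work/notes.txt"
    # Constructed report in clamscan's line format; the signature names are made up.
    {
        printf '%s: Win.Worm.Example-1 FOUND\n' "$work/invoice.exe"
        printf '%s: OK\n' "$work/notes.txt"
        printf '%s: Win.Trojan.Example-2 FOUND\n' "$work/setup.scr"
    } > "$work/report.txt"
    n=$(quarantine_from_report "$work/report.txt" "$work/quarantine")
    echo "quarantined $n file(s)"
    cat "$work/quarantine/quarantine.log"
    rm -rf "$work"
}

demo
```

In real use the report comes from the scanner itself, e.g. `clamscan -r --infected /media > report.txt` followed by `quarantine_from_report report.txt /var/quarantine` (the quarantine path is a placeholder). clamscan also has a built-in `--move=DIRECTORY` option; doing the move in a script instead is what point 11 is about, since it lets you add the permission change, the collision handling and the log line yourself.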

Now about AVG: AVG fails on 2 and 9 - I managed to get all other aspects, including quarantine and healing, to work. (I mention this because the official support forum says this is not possible.) I think there is a way to implement 9 using p3scan (a transparent mail proxy that uses iptables for redirection), but I haven't tested it. I will work on it when I find more time, but it is pretty low on the priority list because all the mail I receive is already scanned by someone else - MIT or Gmail or my home ISP. If you have got p3scan to work, please email me the details / post them as a comment, and I will update my post to mention the details and give you credit for your contribution.

About 2: I would love to use an open source program. I do not consider myself a programmer comparable to the ClamAV developers, who are doing a great job, but nevertheless I am trying to contribute - I am currently studying the ClamAV source and CVD (signature) files.

I hope this post explains my reasons for choosing AVG and gains your trust, while making it clear that I am not being paid by the AVG guys to advertise. In my next post, I will write about the technical details of configuring the antivirus and, in particular, about getting the on-close / on-access scanning feature to work. I will try to be both specific to AVG and also fairly general - thus if you decide to choose a different antivirus, my post may still be useful!

Sunday, July 22, 2007

A good reason to have an antivirus on your linux machine - a first-hand account

My Linux box was recently infected by the Brontok virus - well, not Ubuntu, but the Wine installation that I have. However, because newer versions of Wine integrate the Wine desktop with your actual desktop and some other Wine folders with your home directory by default, my home directory had hundreds of copies of the virus, which was highly irritating.

I traced the source of the infection to a USB drive that my friend had used to transfer data to my computer. She is a Windows user, and it seems she had a virus on her USB drive. She accidentally clicked on an .exe file when she opened the USB drive on my box. I wasn't really worried because I was running Ubuntu 7.04, and I didn't realize that Wine would automatically run the .exe without asking first; but that is what it did, and thus it got itself infected.

After I realized this, I tried cleaning the .wine folder in my home directory, but that didn't suffice because of Wine's integration of the wine-dows desktop with the actual desktop and a bunch of other similar things. Thus I decided to get myself an antivirus on Linux - to prevent my machine from spreading Windows viruses. See my next post for the details of installing a good antivirus on Linux. (Ubuntu 7.04 in my case, but the procedure is pretty general.) I also managed to get the on-close scanning feature to work correctly and completely without affecting my system performance.

Tuesday, July 3, 2007

Cheap college text-books ... ubersweet!

I found a site which was selling cheap international editions of many popular text-books and good stuff in general. I ordered from some of them and my experience was pretty good. The websites I am talking about are (no, these are not referral links):

From these, my experience with firstandsecond.com has been better - I bought a new copy of 'Vibrations and Waves' by A.P French for less than $3.00 from this store.
For the record, I bought a new copy of 'Classical Dynamics of Particles and Systems' by Thornton & Marion for ~ $9.00 from bsbazaar.com/

Gist of my email exchanges with bsbazaar.com:

Jun 29, 2007 6:32 PM

I received my order # blah by courier today.
However, The book has a damaged spine and is separated into two
'parts' due to improper binding. I would like to receive a
Jun. 30:
I would like to inform you that we will pick up the damaged and torn book and place a replacement for the same.
Please accept my sincere apology for the inconvenience caused.
Jul. 1:
Great! Please let me know the courier details (tracking # and company)
when you dispatch the replacement.
Jul. 2:
Our pickup partner will pick up the book from you first, then the replacement book will be shipped to you.
Jul 2:
Giving the book first is unacceptable to me as that would disturb my study schedule which is not an option. Moreover, your website clearly says that 'When we ship
out the replacement item to you, we will also have the defective / damaged item picked up from you at our cost.' Please send me the replacement book first and I will return the damaged book to the courier person who delivers the replacement.
Jul 3:
We have initiated the pickup and, as per your request, we will also check on this matter and ship the book to you at the earliest.
Jul. 3:
Thank you for your prompt reply, but I am not sure I
understand what you mean... As I said, I need to have a copy of the
book with me at all times. Thus, I need you to
send me a new copy of the book, and then and only then can I return the
old copy. I am ready to return the torn copy to the delivery man who
delivers the new copy.

The pickup cannot happen before the delivery of the replacement book.
Jul. 4:
On the receipt of the replacement book you can intimate us, so that we will pick up the damaged book from you.
Jul. 4:
Please let me know the tracking number and courier company
details when you send the replacement book.

And yes, I must thank you for agreeing to my request. Your
understanding in this matter is greatly appreciated. I am sorry for
the inconvenience I may have caused.

Music - Chopin's Etudes

After reading xx's blog entry, I decided to listen to Chopin today... it's been a while since I have heard someone play his Etudes. I used to like the ones that were being played very fast by the artistes, but today I felt that I like the ones that are played fast, but not so fast that they seem mechanical. I kinda now feel that the tempo should not take away the life of the composition.

That makes the Valentina (Igoshina & Lisitsa) my favorites - she seems to have mastered the fine art of achieving a good tempo that's neither too slow nor too fast. And yes, for the record, Sviatoslav Richter is also one of my favorites, but he's kind of a legend now which means most people like him.

Okay, so I asked google if Chopin has prescribed the tempo for any of his etudes, but it seems he hasn't. BTW, have a look at these 3 videos that came up in the search results and see if you agree with me... kinda amazing...

(Her Boesendorfer seems to be the same model as the one in the Media Lab.)

Sunday, July 1, 2007

Anonymity + New Books

I purged my fairly popular blog today in favor of this new, anonymous one. The last few days were just as eventful as always, except that I also watched an episode of 'Heroes' and bought some new books:

Introduction to Mechanics (Kleppner & Kolenkow): I had borrowed it from Jim when I had used it for 8.012 and I liked it, so I decided to buy a copy.

I am sick of reading stuff on my computer, so I also bought:
Feynman Lectures vol.II
Introduction to Special Relativity (Resnick)
Classical Mechanics (Goldstein et al)

Now the best part: since all these were international editions, I spent a total of less than $25, which is ubersweet!