An antivirus wouldn’t protect against the xz exploit. Imagine it did pull down the database of hashes and found a malicious xz binary, what is it going to do?

It can’t quarantine it, because that would break programs. It could update it, but shouldn’t your package manager be the one in charge of that? So the best it can do is notify you of the exploit… Which also feels like a thing the package manager should be doing.

I think instead of an antivirus, we should have a stricter permissions model. Certain applications can identity locations as “private” which blocks untrusted applications. So a random file you downloaded won’t be able to read your browser cookie jar or Discord session.

Random files you download from the internet should be executed in an unprivileged context which requires a “do you want this application to have access to this?” prompt whenever it does something sketchy.

Interestingly, afaik, Valve already runs Windows games in a secure container when using Proton. Fun fact.

By the way, all Fedora packages are scanned with ClamAV as part of bodhi tests. Here’s the test matrix where xz 5.6.0 passed the scan, and would have allowed the exploit in for the F40 beta if it wasn’t obsoleted by another build where the vulnerability’s mechanism was disabled because it triggered valgrind failures in other software.

Sure, there’s more sophisticated AV software out there, but at the end of the day, the F40 beta was temporarily saved because of luck, the beta freeze period, and valgrind. The ecosystem as a whole was saved because “Jia Tan” wasn’t aware that making Postgres run slightly slower immediately raises alarm bells.

Anti-viruses are a scam and always have been. They aren’t much more than security theater and box ticking. Don’t get into the mindset that you can outsourse security to a single product. Security is something that happens in depth. The more intrusive av software can itself become an attack vector as it often runs with lots of privileges.

Distros operate with webs of trust and cryptographically signed packages. Your distro installer verifies the integrity of the package. There is no need to check a third party signature database. It adds no value. Even well audited software could contain hidden vulnerabilities so increasingly we are running software with less capabilities via systemd, flatpak/brwrap or in containers. The environment is very different to the origins of av software on Window 9x where people would download random unsigned executables to a system with no privilege restrictions.

There are lots of challenge for the FOSS community. We love features and freedoms and those features and freedoms sometimes make security more complicated. We need to show more restraint packaging software like ssh and not add so many patches and additional dependencies. We also need to show more restraint in the typical rust, go or javascript project where adding dependencies is so easy we end up sometimes including hundreds of them for stupid crap like coloured messages or being able to handle a dozen config file formats. I don’t care about your garbage collection or advanced compile time checks, if you include hundreds of crates from other developers you are no better than npm and I would put more faith in a 20 year old c library.

That’s not how antimalware software works. They can do nothing against backdoors.

Nope. In Linux the typical action is to immediately get a fix out ASAP and be done with it.

Plus it’s unlikely that AntiVirus would actually make any difference. Even in Windows many things go undetected. All it does is bog down your system

What? Use a bloatware that consumes a lot of resources, slows down the whole system and increases the attack surface instead of regular updates? Are you kidding?

I dont think av would help with a backdoor, only things like malware, miners, ect. I feel most people that use linux can figure out not to run lil-uzi_leaked-song.mp3.exe

In this xz scenario an antivirus wouldn’t do shit. it’s better to find and fix vulnerabilities rather than bog your system down with malware

https://cyberplace.social/@GossiTheDog/112194735806991939

"4 days since XZ backdoor became public knowledge and most major Linux AV and EDR security vendors still have zero detections… they haven’t even set the static file hashes as malicious.

Can’t wait for all the vendor blogs in a week saying they fully protect against the threat. 👍"

The answer to your question: no.

Antivirus software is highly unlikely to detect a backdoor

The maintainer of xz was pressured into adding a new, unknown maintainer because he was alone and most likely unpaid. Had this critical piece of software been well-funded and the maintainer well-compensated, he probably never would’ve added the maintainer.

Regardless, I’m not sure how an antivirus would help here. This was a component upon which many others were built. How would this have been detected heuristically? Maybe somebody with a deeper understanding can also weigh in whether SELinux could’ve helped here, but if it’s a lib*, I guess not.

IMO the major problem is upstream: fund critical components. If you work in an org using opensource (and I bet you do), try and get them to set aside some kind of budget for opensource projects they use. For example a simple 100€ distributed across selected projects every month or every year. Or more, whatever… just something.

Also probably reproducible builds would help. The distributed archives should not differ from that of multiple build services.

Realistically, I think vendors will be trying to push their crap using this attack as leverage. They did it with Heartbleed, Shellshock and the Log4j issue. Their software won’t/wouldn’t accomplish anything, just like it didn’t with those issues, but they’re sure as hell gonna try to make it seem like it does.

In the specific case of xz-utils, many lazy people would never have been at risk because the issue is limited to xz-utils 5.6.x (a quite recent version). Not updating provided (unusually) a mitigation in this case.

I think you got the response we all expected you’d get.

I wonder why we don’t hear about open source anti-virus even though I think there are a couple of them out there.

Unless they’re running LFS, I don’t see the point. By the time the antivirus database is updated, surely an update will be available in the package repo?

The Linux ecosystem is built around package repos rather than manually installed software, so antivirus makes even less sense on Linux than it does on Windows. If there’s malware it’ll get removed from the repo as soon as it’s detected.