Antivirus for FreeBSD

troublemaker Now you are discussing flaws but you really want to bring viruses into this without facts. All your posts are assumptions that there must be a boogy man cause there must be a boogy man. Until you have something substantial to add more than that, I don't see what else there is to discuss.
 
The plural of "anecdote" is not "fact".
Oh well, I'm sure you don't need me to show you the several cases of hacks of the past years, including cases involving supposed security professionals like Hacking Team, or companies that went bankrupt like DigiNotar because the asset their business was based on was compromised.
Why do you think companies working with sensitive data have a physically separate network? Thankfully I might say, or the F-35 would be even more Chinese than it already is. No offense to the Chinese on the forum intended :)

Do those cases involve Linux or FreeBSD? I don't know. But for sure the boogy man is there waiting for your mistake. I don't think assuming you don't make any is a good policy.
 
I'd just like to point out that in a thread about AV software, talking about real or possible vulnerabilities is not very relevant and likely off topic. Everything is vulnerable, that is a given, but having a vulnerability is not the same as having a virus. Vulnerabilities don't replicate. I won't bother giving a link to a definition of computer virus but if anybody is unclear, it is worth the search.
 
So if I understand correctly, there is no known malware for FreeBSD and that is why there is no AV software.
There are vulnerabilities, when they get known, they get published in CVE database, so admin gets informed what is vulnerable and can patch the system accordingly.

It is on admin to know what is running on the computer (software installed) and to check if there are any weird connections to internet or that something is not like it should be.

Are there any tools to help admin to check for unexpected behavior of the system?
 
Are there any tools to help admin to check for unexpected behavior of the system?
It depends on what you're doing. On servers I check /var/log/auth.log, /var/log/fail2ban.log, and also the apache logs, and most importantly on my mail server, /var/log/mail.log. I must admit that I don't check that often on my desktop computers though. But it's the same idea - keep an eye on what's going on. Perhaps get into the habit of typing sockstat on a regular basis. Also for home use you may like to just watch the real time bandwith on a side screen just because it looks really cool. That may have some practical value to tracking the outgoing traffic but I'm a complete amateur and do this stuff just for the fun and pleasure of fooling around. I presume you're in the same situation since you're asking. The professionals here will be serious log watchers. Seriously, outside of a basic awareness, I really don't think a desktop computer needs a lot of scrutiny as long as your security practices are half good.
 
So if I understand correctly, there is no known malware for FreeBSD and that is why there is no AV software.

I would not make that link. It is important to remember that AV software can only ever tell you about malware which is already out there, and even then you are relying on:
  1. the AV vendor has seen a sample of it;
  2. the AV vendor has written a signature for it;
  3. the AV vendor has published an updated signature file including the patterns for the malware in question, and;
  4. you have downloaded and applied that signature file to every ingress point where said malware could enter your environment.
There are vulnerabilities, when they get known, they get published in CVE database, so admin gets informed what is vulnerable and can patch the system accordingly.

Yes. Follow the FreeBSD Security Mailing List, the Twitter accounts, or keep an eye on the advisories.

It is on admin to know what is running on the computer (software installed) and to check if there are any weird connections to internet or that something is not like it should be. Are there any tools to help admin to check for unexpected behavior of the system?

I have used security/aide and security/tripwire to detect changes to files. Keep track of updates to ports/packages. Also look at using BSM Auditing and sending your BSM audit trails and syslogs to a secure central host. Be sure to review the logs. You could also send them on to something like Splunk, Huntsman, Loggly or Papertrail - these sorts of tools let you setup alerts if someone takes an action against particular files (e.g. etc/*) or if a certain level of message criticality appears. You could look at security/snort and net-mgmt/nfdump to help look at network traffic.

An attack from a competent adversary is often difficult to spot, so that is why you apply various layers of security, and do constant monitoring of logs and network traffic to see if something is out of the ordinary. We do log collection, NetFlow monitoring (behavioural profiling of traffic), and investigate abnormal exits in processes. We also monitor login activity, file modifications, and use of removable media. What you have to monitor will depend on what you have in the environment, and it won't be limited to just your FreeBSD system(s).
 
I would not make that link. It is important to remember that AV software can only ever tell you about malware which is already out there, and even then you are relying on:
  1. the AV vendor has seen a sample of it;
  2. the AV vendor has written a signature for it;
  3. the AV vendor has published an updated signature file including the patterns for the malware in question, and;
  4. you have downloaded and applied that signature file to every ingress point where said malware could enter your environment.
How about heuristic analysis?
 
I'm late to the party on this one. Although as broad as this is, I'll offer my 2 cents.

Malware on Unix systems is virtually unheard of. Although common on Windows and uncommon on Apple Macs, actual malware on Unix systems is pretty much non-existent. There is a cost/benefit analysis that must be done in order to determine if a worm/virus/trojan/rootkit is worth the effort to write on that platform. With Windows, well it's a no brainer there. Mac OS-X systems have a few, but not many (last time that I checked). As for Unix, haven't heard of one. But that's not to say they don't exist. The one exception to this is rootkits.

Consider the following scenarios:

1. Web Server Distributes Malware to Windows Machines
A web server runs Apache on one of the Unixes. An intruder hacks into the server and uploads a malicious flash object which exploits a zero-day vulnerability in Windows. Over the next two weeks, thousands of people visit that site and get infected without any indication at all. Although the malware is loaded onto the Unix system, it doesn't infect it. It does however infect the computers of the people who connect to it via a web browser. So in this case, the server has been hijacked into becoming a platform to spread malware to Windows systems. Here, the biggest threat to Unix systems is manual hacking and rootkit/backdoor installation and causing the machine to distribute malware. Quite frankly, I wouldn't be surprised if this was the most common one.

2. System Used to Attack Another Machine
An internet facing Unix machine is compromised via a zero-day vulnerability. The black-hat hacker gains root access and installs a rootkit with a backdoor. The rootkit hides itself and its related processes. Logs are tampered with to hide the intrusion. The hacker then uses this system as a springboard to attack other systems on the internet or to penetrate further into a corporate network. Once again, the threat here is manual hacking.

3. Source Code Repository Compromised
Source code on a master CVS/SVN/Github repository is deliberately altered to introduce a zero-day vulnerability. Now every system that is built from that source is vulnerable. Actual hardware execution environment (i386, amd64, Sparc, Z360, MIPS, etc...) most likely would not matter. Manual hacking is the threat. I would like to point out that this has happened. I don't know about FreeBSD (Someone care to enlighten me?), but this happened to the master Linux kernel repository that all the Linux distributions download from when building a new "distro." If memory serves me correctly, it was compromised for something like 5 or 8 months before it was discovered.

4. Windows Vulnerability Exploited Resulting in a Massive Worm Invasion
As funny as that title sounds, this happens more often than not, and it is no laughing matter. Case in point: MSBlaster worm. Within a few hours, every vulnerable machine on the internet which didn't take special precautions was infected. Then at a preset time and day, the infestation launched a DDoS (Distributed Denial of Service) attack directly against Microsoft's Windows Update service. Inside the packets (all of them) was the following message directed to then CEO Bill Gates: "Billy gates why do you let this happen? quit making so much money and fix your software." Now the threat here is some programmer releases an internet worm to infect as many machines as they can. It is interesting to note that this incident, and several others, caused Microsoft in the early 2000's to stop all software development for a month so their 8,000+ software engineers could take classes on secure programming techniques.

5. A Professional Group Targets Specific High-Value Individuals
This is the greatest threat there is. A group of hackers, who is sponsored by a Nation-State, has access to nearly unlimited resources. These are the people who generally write the APT (Advanced Persistent Threat) espionage software toolkits. These individuals go after certain high-profile or high-value targets to steal information from those individuals. The target system can be a computer, a cell phone, or even a tablet. Not even air-gapped networks are safe. There are several cases regarding this.

5.1. Flame Espionage Platform
This software was found on several computers belonging to individuals in various segments of industry in the Middle East. Primary target was Iran and their nuclear research programs. Interesting to note that the infection occurred using a MitM (Man in the Middle) attack with a spoofed Microsoft code signing certificate which allowed the attacker to masquerade as the Windows Update service. Analysis concluded that the attacker used a chosen prefix attack to force an MD5 hash collision so the fingerprint of the digital signature would match the legitimate certificate. One of the mathematicians who wrote a paper in 2007 about MD5 collision attacks stated "The attack vector that was used was previously unknown and different than the one in the 2007 paper. Whoever pulled this off used world-class cryptoanalysis." Due to strong similarities between Flame and Stuxnet (below), it is highly suspected that the United States and Israel are behind this.

5.2. Stuxnet Attack Software
Cyber-warfare attack software that could cross over into air-gapped control networks, using a previously unknown zero-day vulnerability, and reprogram the industrial PLCs (Programmable Logic Controllers) which controlled the gas centrifuges which are used for Uranium enrichment. The worm caused the PLCs to command the centrifuges to overspeed which then caused the components inside them to fly apart, destroying the centrifuge, all the while signalling to the operators via telemetry links that everything was A-OK. Iran was the target. It was later confirmed by the United States that this was a joint project between the US and Israel.

5.3. Kaspersky Labs Under Siege from Duqu 2.0
Kaspersky Labs in Russia who makes computer security software was hacked and penetrated via a compromised network device driver which was digitally signed by a code signing certificate which was stolen from the hardware manufacturer. The Windows based machines which had the software loaded onto them were internet facing. From there, a zero-day exploit was used to infect every Windows machine on their network. This malware was determined to be an APT which resided completely in memory, except for the internet facing machines. So every time the machine rebooted, the infection would be cleared from memory, but would be reinfected shortly afterwards when communication to the domain controller was established. Kaspersky stated that the APT used was at least a generation ahead of anything that they have seen thus far. Additionally, Kaspersky stated that Duqu 2.0 holds similarities to both Stuxnet and Flame, which suggests that the United States was behind this.

6. The Equation Group
Kaspersky Labs has recently identified a state sponsored hacking group that is considered to be completely out of everyone's league. Kaspersky has stated that this group, when it comes to computers, is for all intents and purposes, omnipotent. This group is known as The Equation Group. They are the ones who were behind the Flamer and Stutex malware as well as several others. It may have very well been them who also attacked Kaspersky Labs as well. These guys have been operating for at least 15 years under the radar and is only now coming to light. This group is state sponsored. It is highly suspected that they may even be part of an state intelligence agency quite possibly the United States National Security Agency.

Remember, these are the guys who wrote malware that will infect the firmware of your HDD. Yes, you read that right. The Equation Group has actually written malware that will take over the hard disk drive itself. And they've written it for at least a dozen different brands and manufacturers. What it does is section off a part of the drive to use as a storage vault to store stolen documents. It is hidden from the user and no anti-virus software can penetrate it. Even reformatting the drive won't clear it. Furthermore, reformatting the drive and reinstalling the operating system will just reinfect the computer with the APT software again. The only solution is to re-flash the firmware using a good copy from the manufacturer, or to replace the drive.

Another extraordinary capability is to perform mail interdiction. There are three known cases where this has happened. They intercepted and trojaned a Oracle database installation CD while it was traveling through the mail. They rewrote the firmware of a Cisco router while it was in transit to a customer. And the most known one was a CD from a scientific conference which was intercepted and trojaned while on its way to a scientist who attended the conference.

Conclusion
As most threats are generally the low skill script-kiddies, there are a few hackers out there with some skills who write their own tools that they use to attack with. Depending on who you think that your most likely threats are, that's what you need to tailor your security too. It is a given that a web server will eventually be compromised and the site that is hosted on it defaced. Since no system is perfect, the main objective is to make it so hard to hack into the machine/network that the cost/benefit makes it not worth it. In other words, the goal is to make them go away. But God help you if you draw the interest of the groups that are state sponsored. If they want you badly enough, chances are you will not be able to stop them.
 
Last edited:
To sum up, antivirus is mainly interesting if FreeBSD is acting as a fileserver and/or mailserver for a Windows based computer network. Even if Windows virus will not have any effect on BSD, if not detected the virus can be downloaded and can be distributed to windows computers when "Bill multiple Gates " access the server.

But, for a non corporate use this kind of protection is not quite necessary as Windows workstation can have his own antivirus solution. Today Comodo distributes for free his powerfull Comodo x64 native Workstation Internet Security Suite which is far better than Clamav.

But but... thinking further if we speak more generally about security, not dealing only with viruses and malwares....
Also there is very few malwares for BSD, having an heuristic protection is quite relevant because you can't ignore the case where a professional hacker like some Security Government Agencies create his own malware. As this code is not distributed so massively, the big problem is that you can ignore a very very long time his existence because there is an evidence, before a virus is declared "in the wild", security labs must first detect it...

One claims that there is no malware under BSD, but one will never be able to prove that and one can't claim that this will never be the case. The disadvantage of Windows is also... an advantage. Malwares are so massively distributed across the world that it facilitates his discovery by international security labs, for this reason having a good heuristic module under FreeBSD should be theoretically quite relevant.

Today Snort IDS solution can deal with some "security issues", but this solution is mainly based on rules. An heuristic protection offer an additional dynamic analysis against unknown threats (malware, rootkits...) by advising the user/administrator about suspicious activities.

Apart of the well known CLAMAV, today I know three commercial antivirus for FreeBSD, but I haven't tested any. For Linux there are more solutions. Almost every great security vendors have now a Linux solution, for BSD.... snif snif very few things.

- F-Prot : 3 versions, Workstation, Corporate file server, Corporate mail server

What is interesting is the fact that workstation version seems to have an heuristic real time module. I have never tried the product (today I simply use CLAMAV on my home made FreeBSD server, with Comodo Security Suite or Agnitum Security Suite on Windows workstations) so I can't give an opinion on the maturity of this heuristic module.
It seems that we can try the product 30 days. The price for the workstaion version seems to be the regular price for a common Windows license.

I don't speak about corporate versions as prices are generally not compatible with individual user budget.

http://www.f-prot.com/products/corporate_users/unix/

- Kaspersky : very very few info, it seems to be a corporate antivirus only (filer server and mail server) so likely too much expensive for a non corporate user, and I guess it does not offer a solid rock heuristic analysis as this product is targetting viruse analysis.

http://www.kaspersky.com/news?id=221

- AVG
Here is a link for a free Workstation version
http://free.avg.com/eu-en/129024

AVG seems to have a corporate FreeBSD build for FreeBSD email server
http://www.avgsecurity.co.za/component/avgproducts/?view=avgproducts&catid=84&Itemid=233

For all theses solutions, not much information about the FreeBSD platforms supported. For example KAV has long been only available for FreeBSD 9 ... i386. Same remark for AVG, you can see on the url link that source code for free workstation version is matching i386 platform only. For F-Prot they use the ambiguous terminology "x86" which would means "intel desktop platform including 32 and 64 bit) but you know there is a large misuse of this terminology as for a lot of people "x86" is faulty used as "32 bit"

The most reliable vendor for commercial FreeBSD AV solutions seems to be F-Prot. If it is working on "x86_64" one day I will probably make a try with Workstation version just to have a real idea.
 
I am not security or FreeBSD expert but I have some thoughts about current topic:

I see at least 3 type of security threats for FreeBSD and other non-Windows OS desktop users:

1. Browser extensions.
Browser extensions are not OS specific. Malicious browser extensions that are the security threat for Windows PC can also be threat for other other PCs that are using different OS but same browser (Chromium, Firefox).

2. Java software.
Many desktop PC users need Java. Java code is OS independent, so malicious Java software can be threat for other OS too that using Java.

3. Wine.
Wine is widely used at non-Windows desktop PCs and it can run malicious Windows software.

We can't say that malicious browser extensions, malicious Java software and malicious Windows software under Wine, that are targeted primarily at Windows user will also carry same level of security threat for other OS desktop users. Because some of them, no matter how cross platform can they could be, in fact can carry harm only for Windows users. But I am pretty sure that many of them can very seriously harm non-Windows desktop users.
No FreeBSD, no OpenBSD, nor any other OS can be panacea for security for desktop user. The main security concern is degree of security education of desktop user. We can only wish that people will be wise enough to not install browser extensions from non-trusted places, run Java software and Windows software in Wine that are downloaded only from trusted places and don't run with admin privileges Java software and Windows software in Wine from the email attachment that is send by anonymous person.
Creating such kind of security threats does not need huge resources.
Again, the main prevention for such threats is proper user security education. But there will always be huge amount of desktop users that need extra protection such as Antivirus to prevent them running malicious software. Antivirus is not panacea for such threats but it can give little bit extra security for such users and sometimes that extra security really helps.

So I think that best security threat prevention is proper user security education, but there is and always be demand for Antivirus software for any desktop OS including FreeBSD.
 
The only solution is to re-flash the firmware using a good copy from the manufacturer, or to replace the drive.
Who can say that the re-flash worked and that the drive not simply stored the new version string to answer it back? Who can say that the new drive will not be immediately be infected by some part of the malware which burrowed itself in your UEFI or some other "smart" part of your machine? Seems paranoid, but when you deal with people of that thread level, you should be able to afford good counteractivities. Say, burn the hardware. On a stake. And maybe keep some persons employed who play theater for the spooks, to decrease the signal-to-noise ratio.
 
I am pretty sure that many of them can very seriously harm non-Windows desktop users.
If they could, they would but, so far, they don't.

Again, the main prevention for such threats is proper user security education.
I say this over and over again. FreeBSD is a professional operating system for professionals. Of course, this isn't always the case but that can be said of anything.
there is and always be demand for Antivirus software for any desktop OS including FreeBSD.
I don't see this demand at all. I see the question come up from time to time but never a demand.
 
I don't see this demand at all. I see the question come up from time to time but never a demand.
This comes implicitly from the "server" qualification of FreeBSD. This is like the male gynecologist who once told me he liked his job also because he dealt mostly with infections he himself would not be able to catch. The same principle applies here - FreeBSD as a server can scan files for Windows systems, and exposing the OS to the malware would not risk an infection.
 
This comes implicitly from the "server" qualification of FreeBSD. This is like the male gynecologist who once told me he liked his job also because he dealt mostly with deseases he himself would not be able to catch. The same principle applies here - FreeBSD as a server can scan files for WIndows systems, and exposing the OS to the malware would not risk an infection.
+1 I second this. The fact that BSDs are generally immune to viruses doesn't excuse us from being good Internet citizens and making sure our BSDs machines are not passing malicious viruses to Windows, OS X, and Ubuntu boxes.
 
Also there is very few malwares for BSD, having an heuristic protection is quite relevant because you can't ignore the case where a professional hacker like some Security Government Agencies create his own malware.
Not necessarily a government agency. The point I have been trying to make for days.
 
The fact that BSDs are generally immune to viruses doesn't excuse us from being good Internet citizens and making sure our BSDs machines are not passing malicious viruses to Windows, OS X, and Ubuntu boxes.

First, OS X and Ubuntu are no more (or at least not much more) vulnerable to malware than FreeBSD is. They're all virtually malware-free for essentially the same reasons. Second, holding *nix users ethically responsible for infections on Windows systems is one hell of a leap in logic. Suppose my machine contains a piece of malware that I inadvertently pass on to a Windows user, with nasty results. Precisely how do I come to be responsible for those results? After all, it's unlikely that the malware truly originated from my machine--perhaps I picked it up from an e-mail-attached file that was stored on a machine running Windows, an operating system that already has an over-abundance of utterly superfluous AV/AM tools. But then, the e-mail happened to be sent from on a RHEL server, but received by and retrieved from an Outlook webmail account running on a Windows Server Edition machine.

So who is responsible for the consequences of malware infection? Remember, I didn't scan the attachment for viruses and trojans and such because I'm not affected by such things. I have no fear of them, no need to beware of them. Nor should the company handling the mail traffic be held responsible for guaranteeing the safety of the millions of messages they route every day, companies which almost certainly use Unix-like operating systems precisely for the increased security. The only people affected are the Windows user who sent me the message, and any Windows user that might later receive it. So shouldn't the Windows users be looking out for themselves and each other, rather than expecting the people who've already taken precautions to secure their systems as well?

This little thought exercise is of course moot, once one considers that actually holding the *nix-using minority responsible for rooting out infections for Windows users would accomplish absolutely nothing anyway: malicious users of all operating systems are still going to deliberately pass on malware anyway. The only people who would be held responsible are the minority of unlucky, unwitting saps who had nothing to do with the creation or initial distribution of the malware, who would get to play scapegoat for everyone else while the problem remained completely unchecked.
 
First, OS X and Ubuntu are no more (or at least not much more) vulnerable to malware than FreeBSD is. They're all virtually malware-free for essentially the same reasons. Second, holding *nix users ethically responsible for infections on Windows systems is one hell of a leap in logic. Suppose my machine contains a piece of malware that I inadvertently pass on to a Windows user, with nasty results. Precisely how do I come to be responsible for those results? After all, it's unlikely that the malware truly originated from my machine--perhaps I picked it up from an e-mail-attached file that was stored on a machine running Windows, an operating system that already has an over-abundance of utterly superfluous AV/AM tools. But then, the e-mail happened to be sent from on a RHEL server, but received by and retrieved from an Outlook webmail account running on a Windows Server Edition machine.

So who is responsible for the consequences of malware infection? Remember, I didn't scan the attachment for viruses and trojans and such because I'm not affected by such things. I have no fear of them, no need to beware of them. Nor should the company handling the mail traffic be held responsible for guaranteeing the safety of the millions of messages they route every day, companies which almost certainly use Unix-like operating systems precisely for the increased security. The only people affected are the Windows user who sent me the message, and any Windows user that might later receive it. So shouldn't the Windows users be looking out for themselves and each other, rather than expecting the people who've already taken precautions to secure their systems as well?

This little thought exercise is of course moot, once one considers that actually holding the *nix-using minority responsible for rooting out infections for Windows users would accomplish absolutely nothing anyway: malicious users of all operating systems are still going to deliberately pass on malware anyway. The only people who would be held responsible are the minority of unlucky, unwitting saps who had nothing to do with the creation or initial distribution of the malware, who would get to play scapegoat for everyone else while the problem remained completely unchecked.
You and me have completely different idea how FreeBSD is used. My scenario FreeBSD is a mail server or web proxy for a large organization (I actually work for small one of 65-80 people). If I don't scan that e-mail for malware or if my bosses Windows laptop which contains contracts with our customers gets infected by a virus because my web proxy is not doing its job the whole organization is in trouble. The fact that my FreeBSD server is virus clean is irrelevant because that server is also paid with the money from those contracts written in stupid M$ Word and sent to us by third parties.
 
How can it do it's job in case of https connections?

It's possible but it's never going to be 100% transparent to the users. You can create your own certificates and force your users to accept your certificate in place of the real ones but it's still very awkward because browsers are by default very paranoid about mismatched certificates.
 
Back
Top