Do you need an antivirus on FreeBSD today?

Have you seen this paper? Do you remember when it was issued (month/year)? And which agency issued it?
No, I didn't get it on paper. I can roughly date it: the prohibition against using any SuperMicro hardware must have been around 2014 or 2015. Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.

The ban on Kaspersky virus scanners happened later; it seems plausible that it was 2017, as Phishfry reports. We had been using a different virus scanner on Windows anyway (I was using a Mac laptop as my daily driver, still had a Windows laptop too, and all our machines were centrally managed and configured), but at some point another edict came down that absolutely no Kaspersky software is allowed to be purchased, installed, or used in house.

In both cases, it was clear from context that this was coming not just from our internal computer security people, but from the federal government, which was one of our larger customers. Clearly, they wouldn't divulge which agency said so.
 
When I used TDE, I would go ahead and install KlamAV which is just a nice KDE 3.x frontend to clamav (kept up-to-date by Trinity) since it comes with the git repo, but I've never actually had a positive scan. KlamAV is actually really good compared to the only other GUI frontend nowadays which is ClamTk and it integrated well into KDE 3.x. In any instance, I don't consider an antivirus to be necessary on FreeBSD so I don't use one.
 
No, I didn't get it on paper. I can roughly date it: the prohibition against using any SuperMicro hardware must have been around 2014 or 2015. Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.

The ban on Kaspersky virus scanners happened later; it seems plausible that it was 2017, as Phishfry reports. We had been using a different virus scanner on Windows anyway (I was using a Mac laptop as my daily driver, still had a Windows laptop too, and all our machines were centrally managed and configured), but at some point another edict came down that absolutely no Kaspersky software is allowed to be purchased, installed, or used in house.

In both cases, it was clear from context that this was coming not just from our internal computer security people, but from the federal government, which was one of our larger customers. Clearly, they wouldn't divulge which agency said so.
I can kinda relate to that - except that in my case, it's more brand loyalty (not Apple, though, thank god for small graces!). Antivirus is a running joke, though - if something is acting up (which is usually the case), it often gets traced back to the AV blocking something by mistake, and then admins are saddled with the cleanup.
 
Our department (working in one of the very large computer companies in the US) had bought some SuperMicro servers (because they had particularly good disk enclosures), and about half a year or a year later, around 2014-2015 we got an edict from internal security that they are to be taken offline, and shredded.
While this thread is mainly on antivirus software, the Super Micro story is a completely different beast. It's about hardware and China. If you look on the timeline there
and "2014-2015" is shortly after the Snowden-Events, does that fit in?

And then this in Oct 2018:

Looks like a political spin in tit for tat game with China?

If politicians cannot publicly present scientific proof on their stories on hardware/software while using accusations for opportunistic and hypothetical spin narratives, one shouldn't buy the story. If there are hard facts on the public table everyone can make up one's mind.
 
If politicians cannot publicly present scientific proof on their stories on hardware/software while using accusations for opportunistic and hypothetical spin narratives, one shouldn't buy the story. If there are hard facts on the public table everyone can make up one's mind.
Those guys (the politicians) have a limited amount of time to study what's even involved. 😩 They have to schedule appointments with subject matter experts (whose job it is to explain), and to splash enough money to make the explanations even happen. Hard facts can be surprisingly difficult to come by, even if they are public information. This is why basic education and critical thinking are so important.
 
If there are hard facts on the public table everyone can make up one's mind.
We are in the same situation with Huawei.
Five Eyes Gov says it is bad...
Uses its massive purchasing clout and leans on technical committees.
Maybe just nationalistic?
Probably every country's intelligence service has a foothold in their country's products.

https://www.bloomberg.com/news/arti...sing-huawei-in-secret-australian-telecom-hack
https://www.businessinsider.com/us-accuses-huawei-of-spying-through-law-enforcement-backdoors-2020-2

So while the USA is flapping its lips, SS7 is (ridiculously) still in use.
You see we like to criticize various dictatorships while we do the same using another method.
 
All about layers. The question was 'Do YOU need an antivirus on FreeBSD today'.
YES I need it because I like knowing what lurks. Even if a post mortem analysis.
I have to download PDFs and until there comes another document format I have to deal with it.
ClamAV uses freshclam to update its definitions. That is its only link to the outside.
You don't need to run the service continually. Fire it up, update definitions, run scan.
No bitminers running on Clam. You can disconnect the internet and it still works.
You can even use it offline and update via usb stick.
My layers are different than your layers. That doesn't make them wrong.
Obviously Clam's definitions might lag Norton and others due to the fact that they are not monitoring machines like the other guys are. There is no reporting back to home on Clam. It only scans when I run ClamTk.
 
No bitminers running on Clam
How do you even verify that?

ClamAV is not an IDS, BTW. Snort is, but do you wanna buy an Epyc just for the privilege of having realtime IDS and AV running 24/7? :p Epycs run about $8k and up, and that's just the processor, not the rest of the server hardware. :/
 
How do you even verify that?
Look at the source code. ClamAV is open source.
Did you see the parts where it runs totally offline?
What are they running, a background process I can't see, or a bitminer embedded inside ClamAV?
How are they getting the coin out if offline?

Most of those bitcoin miners headlines were browser JS hijinks. Run a browser based scan and get abused.
 
I have to download PDFs and until there comes another document format I have to deal with it.
Just an idea: open a PDF in LibreOffice, it becomes an .ODG file (ODF Drawing), then export it as PDF. I believe the bad content will be removed.
It can be done via command line:
Code:
libreoffice --convert-to odg my.pdf --outdir temp
libreoffice --convert-to pdf temp/my.odg --outdir temp
 
I believe the bad content will be removed.
"Believing" is not enough. Believing is like betting. It may work or it may not work.

If you have a hypothesis you MUST test it. This means working hard, but at the end you have a result. If others had done the work already you can and should cite your source of information properly.
 
"Believing" is not enough.
....
If you have a hypothesis you MUST test it.
Well, that's why I started with words "just an idea". Some people may have a better experience, that's why we have this forum. Nobody is writing scientific articles here.

I verified with sample pdfs from here (I know, it's not a proof).
If .fodg (flat odg) is used as an intermediate format, it can be easily checked for the existence of <office:scripts> tags. Besides that, LibreOffice itself has the corresponding command:
Code:
libreoffice --script-cat my.odg
Libraries: 0
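As an added example (not code from the thread or from LibreOffice), the <office:scripts> check described above, done in Python on both a flat .fodg and a zipped .odg package. One caveat worth building in: LibreOffice routinely writes an empty <office:scripts/> element into documents that carry no macros at all, so the check below only flags a scripts element that actually has children (an embedded Basic library or an event-listener binding), and for a zipped .odg it additionally looks for entries under the Basic/ directory of the package. The sample documents are constructed inline and are simplified relative to real LibreOffice output; the helper names are this example's own.

```python
"""Check an ODF drawing for embedded scripts before re-exporting it as PDF.

Added example: handles a flat .fodg (single XML file) and a zipped .odg
package.  Sample documents are constructed here, not real LibreOffice output.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
SCRIPT_NS = "urn:oasis:names:tc:opendocument:xmlns:script:1.0"
SCRIPTS_TAG = "{%s}scripts" % OFFICE_NS


def xml_has_scripts(xml_bytes: bytes) -> bool:
    """True if any office:scripts element carries content (a script module or
    event-listener binding).  An empty <office:scripts/> is normal for a
    macro-free document and is not flagged."""
    root = ET.fromstring(xml_bytes)
    return any(len(scripts) > 0 for scripts in root.iter(SCRIPTS_TAG))


def package_has_scripts(odg_bytes: bytes) -> bool:
    """Zipped .odg: flag Basic/ library entries in the package, then apply
    the same element check to content.xml."""
    with zipfile.ZipFile(io.BytesIO(odg_bytes)) as zf:
        names = zf.namelist()
        if any(name.startswith("Basic/") for name in names):
            return True
        if "content.xml" in names and xml_has_scripts(zf.read("content.xml")):
            return True
    return False


def has_scripts(data: bytes) -> bool:
    """Dispatch on container type: zip package (.odg) or flat XML (.fodg)."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        return package_has_scripts(data)
    return xml_has_scripts(data)


def make_sample_fodg(with_macro: bool) -> bytes:
    """Constructed flat ODG document, with or without an embedded Basic library."""
    library = ""
    if with_macro:
        library = (
            '<office:script script:language="ooo:Basic">'
            '<ooo:libraries xmlns:ooo="http://openoffice.org/2004/office">'
            '<ooo:library-embedded ooo:name="Standard"/>'
            "</ooo:libraries></office:script>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document xmlns:office="%s" xmlns:script="%s" '
        'office:mimetype="application/vnd.oasis.opendocument.graphics">'
        "<office:scripts>%s</office:scripts>"
        "<office:body><office:drawing/></office:body>"
        "</office:document>" % (OFFICE_NS, SCRIPT_NS, library)
    ).encode("utf-8")


def make_sample_odg(with_macro: bool) -> bytes:
    """Constructed zipped ODG package; macros live under Basic/ in the zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # ODF requires the mimetype entry first and uncompressed.
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.graphics",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", make_sample_fodg(False))
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_odg_scripts.py temp/my.fodg temp/other.odg
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "scripts present" if has_scripts(fh.read()) else "no scripts"
        print("%s: %s" % (path, verdict))
```

This is a structural check, not a content scan: it tells you whether the intermediate drawing carries macro code or event bindings, which is the specific thing the PDF-to-ODG-to-PDF round trip is meant to leave behind. Run it on the file in temp/ after the first --convert-to step and before exporting back to PDF.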
 
How are they getting the coin out if offline?
Why do you think it takes incredibly powerful hardware to mine? Mining can be done offline, just get a proper hash of a truckload of data. The hash itself is not that big, even if spelled out in hex format. Sometimes, you gotta step back and see the flow of data relative to the well-known diagrams of the von Neumann architecture to see the difference between what's an IDS (which can detect a mining process) and an AV (which cannot). 😩
 