On Tuesday 17 February 2009 17:11:20 Martin Hinner wrote:
> Hi,
> I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list Google results
> The problem is that some (almost all?) distributions simply execute a .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc. It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media. Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
People who analyze malware seem to use wine to figure out what API calls the malware is making. Seems like a very good use of Wine to beat the bad guys.
I don't see anything childish about Wine's decision to be bug-for-bug compatible with Windows.
> - What about creating a configurable list of directories, where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
What about having the system virus scanner scan all files you download before executing them in Wine or any other program? Just because there's not that many viruses/trojans for Linux yet doesn't mean it's going to stay that way.
> - I have been interested in viruses for a long time, but I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified.
Yes, if you keep a virus database like virus scanners do. It's a huge pain to keep those up to date. We don't want to deal with that stuff in Wine; there's enough work left without also pretending to be a virus scanner.
> Almost every modern virus is trying to connect to the internet, either by opening a socket or by using a few standard DLL functions. What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program? I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
Right. A pop-up box is going to be the solution. Especially as users (especially people used to Windows, like most Wine users) learned that these pop-ups have two buttons, one saying "Go away and do what I told you" and one saying "Annoy me by not running my program". How many normal users will ever bother to read the text on Vista's UAC pop-ups?
> Obviously this would have to be global for Wine (libwine.so?), not a PE-exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions plus some other important stuff and then check that the binary code is not on the list.
If you're really interested, look into resurrecting http://wiki.winehq.org/ClamAntiVirusIntegration
It has probably bitrotted in the last two years, but it'd at least give you an idea how something like this could be done.
Cheers, Kai
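The "configurable list of directories where Wine would first ask" idea from the quoted mail can be prototyped outside Wine itself, which sidesteps the objection about turning Wine into a virus scanner. The script below is an added example written for this thread, not code from Wine or from either poster: it is a wrapper that a distribution could install ahead of the real `wine` binary (or bind to the .exe MIME handler) so that a double-clicked .exe under a configured set of mount points is confirmed before it runs. The directory list, the `WINE_CONFIRM_DIRS` variable name and the default of `/media:/mnt` are assumptions; the real Wine binary is assumed to be on `PATH` as `wine`.

```shell
#!/bin/sh
# Added example (not part of the thread, not Wine's own code).
# Confirm before running a Windows executable that lives under one of a
# configurable list of directories (default: typical removable-media mounts).
# Assumed configuration: WINE_CONFIRM_DIRS="/media:/mnt" (colon-separated).

# needs_confirmation PATH DIRS
# Returns 0 if PATH resolves to a location under any directory in DIRS,
# 1 otherwise. Symlinks and "../" tricks are resolved first where realpath
# supports it, so "/home/x/../../media/usb/a.exe" is still caught.
needs_confirmation() {
    target=$1
    dirs=${2:-/media:/mnt}
    if command -v realpath >/dev/null 2>&1; then
        resolved=$(realpath -m -- "$target" 2>/dev/null) || resolved=$target
    else
        resolved=$target
    fi
    oldifs=$IFS
    IFS=:
    set -- $dirs          # split the colon-separated list into positional args
    IFS=$oldifs
    for d in "$@"; do
        [ -z "$d" ] && continue
        # Match the directory itself or anything below it; "$d"/* prevents
        # "/medialike/x.exe" from matching "/media".
        case $resolved in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# confirm_and_run EXE [ARGS...]
# Asks on the terminal when the executable sits in a confirmed directory.
# If there is no terminal to ask on (e.g. launched from a file manager
# without stdin), refuse rather than silently run: a prompt nobody can see
# must not default to "yes".
confirm_and_run() {
    exe=$1
    shift
    if needs_confirmation "$exe" "${WINE_CONFIRM_DIRS:-/media:/mnt}"; then
        if [ ! -t 0 ]; then
            echo "Refusing to run '$exe' from an untrusted location without a terminal to confirm on" >&2
            return 2
        fi
        printf 'Run "%s" from a removable/untrusted location? [y/N] ' "$exe" >&2
        read -r answer
        case $answer in
            y|Y|yes|YES) ;;
            *) echo "Not running $exe" >&2; return 2 ;;
        esac
    fi
    exec wine "$exe" "$@"
}

# Wrapper entry point: only act when given an executable to run, so the
# functions above can also be sourced and tested on their own.
if [ $# -gt 0 ]; then
    confirm_and_run "$@"
fi
```

The check is path-based only, so it catches the "New folder.exe on a flash disk" case from the original mail without any signature database; it does nothing about a copy of the same file moved into the home directory, which is where a real scanner, or the ClamAV integration Kai points to, would take over.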