Hi,
I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
http://www.linux.com/feature/42031
http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
wine-devel mailing list google results
The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc. It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media. Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
- What about creating a configurable list of directories where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
- I have long been interested in viruses, and I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified. Almost every modern virus tries to connect to the internet, either by opening a socket or by using a few standard DLL functions. What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program? I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
I understand that none of this is a system solution. But are anti-viruses a system solution? They solve a real-world problem.
Regarding the API I mentioned above, I mean some hookdll() function that would redirect GetProcAddress() or the PE loader for defined functions, i.e.:
http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127
Obviously this would have to be global for Wine (libwine.so?), not a PE exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions + some other important stuff and then check that the binary code is not on the list.
Martin
On Tuesday 17 February 2009, Martin Hinner wrote:
> Hi,
> I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
> The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc. It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media. Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
> - What about creating a configurable list of directories where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
> - I have long been interested in viruses, and I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified. Almost every modern virus tries to connect to the internet, either by opening a socket or by using a few standard DLL functions. What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program? I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
> I understand that none of this is a system solution. But are anti-viruses a system solution? They solve a real-world problem.
> Regarding the API I mentioned above, I mean some hookdll() function that would redirect GetProcAddress() or the PE loader for defined functions, i.e.:
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127
> Obviously this would have to be global for Wine (libwine.so?), not a PE exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions + some other important stuff and then check that the binary code is not on the list.
I think that soon there will no longer be a need to hack wine in order to prevent the spread of malware. There is already work in progress on an API (a derivative of dazuko) that will allow for antivirus scanners to intercept all filesystem accesses and scan for, well, viruses. It seems to me that this is the right way to go.
2009/2/18 Martin Hinner martin@hinner.info:
> Hi,
> I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
It won't be very hot.
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
> The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc.
Well, that's a problem with, at most, the distribution or, at least, the user being silly.
> It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media.
Removable media can be mounted literally anywhere. It'd be easier to find it with HAL, but it's not something suitable for Wine.
> Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
Hmmm, let me think about this ... and again ... it's not a bug, it's a feature. There is no 100% foolproof way to determine whether the user is about to run some malware or some legitimate application.
> - What about creating a configurable list of directories where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
Again, this is not something suitable for Wine. Perhaps getting the distributions to mount removable media with the noexec option would help. Of course, this wouldn't help if .exe files were associated with Wine via the file managers, but maybe you think that should stop too.
> - I have long been interested in viruses, and I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified. Almost every modern virus tries to connect to the internet, either by opening a socket or by using a few standard DLL functions.
Gee, this sounds like every other networking application. Why? Because GOOD viruses, trojans, worms etc. are suitably disguised as genuine applications.
> What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program?
What you're suggesting is to include a standard virus scanner in Wine. Not going to happen. Use clamav instead. It's open source and has *nix-native versions.
> I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
> I understand that none of this is a system solution. But are anti-viruses a system solution? They solve a real-world problem.
"System solution"? Anti-viruses are the only reasonable solution. History of computer science has shown us that the harder you try to prevent something, the harder other people try to do it. Anti-virus programs mitigate some of that, detecting known viruses and quarantining or deleting them. They're not perfect, but they're a lot better than the other options we have.
A new version of Wine is released every 2 weeks. This is too long to keep a virus database up-to-date, and a lot of people don't upgrade as soon as the release comes out anyway.
> Regarding the API I mentioned above, I mean some hookdll() function that would redirect GetProcAddress() or the PE loader for defined functions, i.e.:
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127
Redirecting GetProcAddress() sounds more like a security hazard than a security feature to me. Someone correct me if I'm wrong.
> Obviously this would have to be global for Wine (libwine.so?), not a PE exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions + some other important stuff and then check that the binary code is not on the list.
Check out clamav and other *nix-native virus scanners. They're much more suited for this task than adding a full-blown virus scanner to Wine as standard. Who wants to maintain something like that?
2009/2/18 Mihai Donțu mihai.dontu@gmail.com:
> I think that soon there will no longer be a need to hack wine in order to prevent the spread of malware. There is already work in progress on an API (a derivative of dazuko) that will allow antivirus scanners to intercept all filesystem accesses and scan for, well, viruses. It seems to me that this is the right way to go.
Wine is not intended to prevent the spread of malware. It is assumed that the user is careful and sensible, just like it is assumed on Windows. What you mention here sounds like an API to allow Windows-based virus scanners to run, checking both loaded apps and scanning the hard disk when changes occur, but there are better solutions for virus scanning on *nix systems. I keep mentioning clamav.
On Wednesday 18 February 2009, Ben Klein wrote:
> 2009/2/18 Martin Hinner martin@hinner.info:
>> Hi,
>> I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
> It won't be very hot.
>> http://www.linux.com/feature/42031
>> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
>> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
>> wine-devel mailing list google results
>> The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc.
> Well, that's a problem with, at most, the distribution or, at least, the user being silly.
>> It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media.
> Removable media can be mounted literally anywhere. It'd be easier to find it with HAL, but it's not something suitable for Wine.
>> Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
> Hmmm, let me think about this ... and again ... it's not a bug, it's a feature. There is no 100% foolproof way to determine whether the user is about to run some malware or some legitimate application.
>> - What about creating a configurable list of directories where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
> Again, this is not something suitable for Wine. Perhaps getting the distributions to mount removable media with the noexec option would help. Of course, this wouldn't help if .exe files were associated with Wine via the file managers, but maybe you think that should stop too.
>> - I have long been interested in viruses, and I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified. Almost every modern virus tries to connect to the internet, either by opening a socket or by using a few standard DLL functions.
> Gee, this sounds like every other networking application. Why? Because GOOD viruses, trojans, worms etc. are suitably disguised as genuine applications.
>> What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program?
> What you're suggesting is to include a standard virus scanner in Wine. Not going to happen. Use clamav instead. It's open source and has *nix-native versions.
>> I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
>> I understand that none of this is a system solution. But are anti-viruses a system solution? They solve a real-world problem.
> "System solution"? Anti-viruses are the only reasonable solution. History of computer science has shown us that the harder you try to prevent something, the harder other people try to do it. Anti-virus programs mitigate some of that, detecting known viruses and quarantining or deleting them. They're not perfect, but they're a lot better than the other options we have.
> A new version of Wine is released every 2 weeks. This is too long to keep a virus database up-to-date, and a lot of people don't upgrade as soon as the release comes out anyway.
>> Regarding the API I mentioned above, I mean some hookdll() function that would redirect GetProcAddress() or the PE loader for defined functions, i.e.:
>> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c3639
>> http://www.codeguru.com/cpp/w-p/dll/hooking/article.php/c127
> Redirecting GetProcAddress() sounds more like a security hazard than a security feature to me. Someone correct me if I'm wrong.
>> Obviously this would have to be global for Wine (libwine.so?), not a PE exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions + some other important stuff and then check that the binary code is not on the list.
> Check out clamav and other *nix-native virus scanners. They're much more suited for this task than adding a full-blown virus scanner to Wine as standard. Who wants to maintain something like that?
> 2009/2/18 Mihai Donțu mihai.dontu@gmail.com:
>> I think that soon there will no longer be a need to hack wine in order to prevent the spread of malware. There is already work in progress on an API (a derivative of dazuko) that will allow antivirus scanners to intercept all filesystem accesses and scan for, well, viruses. It seems to me that this is the right way to go.
> Wine is not intended to prevent the spread of malware. It is assumed that the user is careful and sensible, just like it is assumed on Windows.
While I'm with you on this one, this method is yet to be widely adopted among desktop users.
> What you mention here sounds like an API to allow Windows-based virus scanners to run, checking both loaded apps and scanning the hard disk when changes occur, but there are better solutions for virus scanning on *nix systems. I keep mentioning clamav.
I was actually referring to this [1], which started when people wanted to create malware-free file servers in an easy way (without proprietary modules, Samba VFS, proxies etc.) and, as with all good designs, it covers a wide range of cases, including this one.
[1] http://marc.info/?l=linux-kernel&m=123368869002717&w=2
On Tue, 17 Feb 2009 17:11:20 +0100 Martin Hinner martin@hinner.info wrote:
> The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc. It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media. Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
Why not make Wine honor the noexec flag on the mount?
2009/2/18 IneedAname wineappdb@googlemail.com:
> Why not make Wine honor the noexec flag on the mount?
This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
On Wed, Feb 18, 2009 at 09:33:01PM +1100, Ben Klein wrote:
> 2009/2/18 IneedAname wineappdb@googlemail.com:
>> Why not make Wine honor the noexec flag on the mount?
> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
Likely will break installing all DVD/CD Software ;)
Ciao, Marcus
2009/2/18 Marcus Meissner meissner@suse.de:
> On Wed, Feb 18, 2009 at 09:33:01PM +1100, Ben Klein wrote:
>> 2009/2/18 IneedAname wineappdb@googlemail.com:
>>> Why not make Wine honor the noexec flag on the mount?
>> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
> Likely will break installing all DVD/CD Software ;)
Depends on the mount flags ;) So possibly distro-dependent. The noexec flag would still stop binfmt_misc, though ...
> Ciao, Marcus
On Wednesday 18 February 2009 12:33:01 Ben Klein wrote:
> 2009/2/18 IneedAname wineappdb@googlemail.com:
>> Why not make Wine honor the noexec flag on the mount?
> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
It is usual to mount FAT filesystems noexec (since there are no POSIX executables on them anyway). That would prevent Wine running any EXE files off them. What is the user supposed to do, copy the files somewhere else?
It is already bad enough if users (or their "helpful" distro) delete the Z: drive and they can't execute files from outside drive_c. BTW, this is enough "protection" against removable media too.
> 2009/2/18 IneedAname wineappdb@googlemail.com:
>> Why not make Wine honor the noexec flag on the mount?
> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
This already doesn't work, even though Wine doesn't account for it. Wine can't mount sections of an exe file with executable permissions if it's on a noexec filesystem. It crashes trying to branch to the entry point.
> Wine can't mount sections of an exe file with executable permissions if it's on a noexec filesystem.
Err, sorry, meant to say "map", not "mount".
On Wed, Feb 18, 2009 at 5:33 PM, Vincent Povirk madewokherd+8cd9@gmail.com wrote:
>> 2009/2/18 IneedAname wineappdb@googlemail.com:
>>> Why not make Wine honor the noexec flag on the mount?
>> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
> This already doesn't work, even though Wine doesn't account for it. Wine can't mount sections of an exe file with executable permissions if it's on a noexec filesystem. It crashes trying to branch to the entry point.
It could, for some executables, still work on a noexec filesystem, due to http://wiki.winehq.org/UnalignedMmap copying data instead of mmaping it.
Regards Damjan
2009/2/19 Vincent Povirk madewokherd+8cd9@gmail.com:
>> 2009/2/18 IneedAname wineappdb@googlemail.com:
>>> Why not make Wine honor the noexec flag on the mount?
>> This might not be a bad idea, if it's possible. Make Wine refuse to run apps on noexec filesystems.
> This already doesn't work, even though Wine doesn't account for it. Wine can't map sections of an exe file with executable permissions if it's on a noexec filesystem. It crashes trying to branch to the entry point.
Worked for me. vfat filesystem mounted with noexec flag, kernel 2.6.28. I tested it before commenting.
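Editor's added example of the check this sub-thread circles around (not code from Wine or from anyone in the thread): a POSIX shell routine that resolves which mount a path lives on by longest-prefix match over a /proc/mounts-style table and reports whether that mount carries noexec, the condition under which Wine cannot map the image PROT_EXEC. The mount table is constructed sample data, with a noexec vfat stick next to an iso9660 disc mounted without noexec, so it also shows why the CD/DVD objection depends on the distribution's mount options.

```shell
#!/bin/sh
# Decide whether a file lives on a mount carrying "noexec", the check a
# "make Wine honor noexec" feature would need before loading an image.
# Constructed /proc/mounts-style sample (device mountpoint fstype options dump pass);
# real tables escape spaces in paths as \040, which this sample does not exercise.
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext3 rw,nosuid,relatime 0 0
/dev/sdb1 /media/disk vfat rw,nosuid,nodev,noexec,relatime,uid=1000 0 0
/dev/sr0 /media/cdrom0 iso9660 ro,nosuid,nodev,relatime 0 0
tmpfs /media/disk/scratch tmpfs rw,relatime 0 0'

# find_mount PATH MOUNTS: set found_mp/found_opts to the mount whose mount point
# is the longest prefix of PATH (component-wise, so /media/disk2 does not match
# /media/disk). A later entry for the same point shadows an earlier one, as it
# does in /proc/mounts itself.
find_mount() {
    path=$1
    found_mp=
    found_opts=
    while read -r dev mp fstype opts dump pass; do
        [ -n "$mp" ] || continue
        case "$path" in
            "$mp"|"$mp"/*) ;;                 # PATH is inside this mount
            *) [ "$mp" = / ] || continue ;;   # only "/" matches everything else
        esac
        if [ "${#mp}" -ge "${#found_mp}" ]; then
            found_mp=$mp
            found_opts=$opts
        fi
    done <<EOF
$2
EOF
}

# has_mount_option OPTS NAME: exact match on one comma-separated option,
# so "noexec" is not confused with an option that merely starts with it.
has_mount_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

mount_point_for()   { find_mount "$1" "$2"; printf '%s\n' "$found_mp"; }
mount_options_for() { find_mount "$1" "$2"; printf '%s\n' "$found_opts"; }

# is_noexec PATH MOUNTS: succeed (0) when PATH sits on a noexec mount, i.e. where
# mapping the image with PROT_EXEC would fail; fail (1) otherwise.
is_noexec() {
    find_mount "$1" "$2"
    has_mount_option "$found_opts" noexec
}

# Demo over the constructed table; on a live system pass "$(cat /proc/mounts)".
for f in /media/disk/setup.exe /media/cdrom0/setup.exe /home/user/setup.exe; do
    if is_noexec "$f" "$SAMPLE_MOUNTS"; then
        echo "$f: mount $found_mp is noexec -> refuse or ask before running"
    else
        echo "$f: mount $found_mp permits execution ($found_opts)"
    fi
done
```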
On Tuesday 17 February 2009 17:11:20 Martin Hinner wrote:
> Hi,
> I will start one more hot discussion. Sorry if it was discussed earlier, I am not a regular reader of this mailing list. I tried to search Google and found several discussions, but no real result:
> http://www.linux.com/feature/42031
> http://www.vnunet.com/vnunet/news/2116150/linux-experts-wine-virus
> https://bugs.launchpad.net/ubuntu/+source/wine/+bug/256880
> wine-devel mailing list google results
> The problem is that some (almost all?) distributions simply execute an .exe file when you click on it. I was amazed when testing JTAGTest on Linux! This is in my opinion quite a big issue, as ordinary users have no problem clicking on "New folder.exe" on their flash disk etc. It's good that Wine is so compatible that it runs even viruses, but I think there should be some (optional) protection. The biggest problem seems to be removable media, in many distributions mounted under /mnt or /media. Please think about this twice before writing "the problem is in Microsoft, not in Wine", "it's not a bug but a feature", etc. It's too childish IMO.
People who analyze malware seem to use Wine to figure out what API calls the malware is making. Seems like a very good use of Wine to beat the bad guys.
I don't see anything childish about Wine's decision to be bug-for-bug compatible with Windows.
> - What about creating a configurable list of directories where Wine would first ask if you really want to execute the program? It would be up to the distribution what is set up by default.
What about having the system virus scanner scan all files you download before executing them in Wine or any other program? Just because there are not that many viruses/trojans for Linux yet doesn't mean it's going to stay that way.
> - I have long been interested in viruses, and I think that 90% of the most common virus-infected/trojan .exe files can be pretty easily identified.
Yes, if you keep a virus database like virus scanners do. It's a huge pain to keep those up-to-date. We don't want to deal with that stuff in Wine; there's enough work left without also pretending to be a virus scanner.
> Almost every modern virus tries to connect to the internet, either by opening a socket or by using a few standard DLL functions. What about adding some checks to Wine that would check the calling function's code sample against some small database to see if this is a virus, and ask the user? Or adding some "API" functions to allow someone to write such a program? I have done quite a lot of work with PE loading and code modification and I think it could be brought to a level where it works without crashing anything.
Right. A pop-up box is going to be the solution. Especially as users (especially people used to Windows, like most Wine users) have learned that these pop-ups have two buttons, one saying "Go away and do what I told you" and one saying "Annoy me by not running my program". How many normal users will ever bother to read the text on Vista's UAC pop-ups?
> Obviously this would have to be global for Wine (libwine.so?), not a PE exported API function. A pre-loaded "antivirus" would be able to hook Winsock functions + some other important stuff and then check that the binary code is not on the list.
If you're really interested, look into resurrecting http://wiki.winehq.org/ClamAntiVirusIntegration
It has probably bitrotted in the last two years, but it'd at least give you an idea how something like this could be done.
Cheers, Kai