[Wine] Re: Crazy (and just maybe awesome) idea: Winux

oiaohm wineforum-user at winehq.org
Wed Mar 10 03:03:49 CST 2010


James McKenzie


> Actually, if a Linux or Windows system gets 'infected' it gets 'blown
> away'. That is because you cannot ever be certain that all affected
> files were removed, no matter what OS. Now, you can image any OS and
> 'blow' it onto an empty hard drive. This is done all the time in
> industry. The point is that there is a complete product suite to
> monitor Windows systems, called SCCM/SCOM. I don't know of a similar
> product for Linux, but there has to be one. This is where money is
> really made.... 


Myths again. There is more than one way to clear a system, i.e. blow it away. On Linux you can compare all application files installed on a system to the packages they came from, and user data to backups, and put user data through executable code clearing, i.e. only stuff without macros, scripts... is left. It is kinda impossible to sneak past a binary compare audit. This can be done due to Linux's package management. This is boot loaders, kernels, libs, everything.

All altered files from the infected system can be archived. I.e. this reduces the size of the data to back up from an infected system to prevent the infection causing data loss.

Basically it is possible to reset a Linux system to as if clean installed and in the process recover all the altered files and settings from the system.

Lots of poorly trained people will just blow a Linux system away like they did with Windows. Why is doing it the Windows way bad? No good records, and if something was installed by package and something is altered that should not have been, hello, we now have something to send to virus labs to develop a signature to locate viruses.

Package compare is a great way of reducing the size of system backups as well, by the way.

I have run honeypots for years. Yes, a simple, more user-friendly interface needs to be built to do this. Even with a Windows honeypot that does not take updates, doing a full binary compare is how you sort out what attackers added to the system. Windows updates and application updates not from a common source make binary auditing not an option.

Linux does not have things like registry files that are hard to audit. It is fairly simple to sort out which config files in Linux belong to each application.

The nice thing about the audit method is that the list of files removed can be inspected over time and valid ones brought back.

We are not talking data destruction or needing large backups.
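The "binary compare audit" the post describes, as an added example that is not part of the thread: every file a package installed is hashed and checked against the hash the package recorded, and anything modified, missing, or not owned by any package is listed for archiving and later inspection. The manifest format and the sample tree are constructed stand-ins for real package metadata; on a real system the same check is what `dpkg --verify`, `debsums` or `rpm -Va` perform.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit(root, manifest):
    """Compare a tree under `root` with {relative_path: expected_sha256}.

    Returns sorted lists: ok, modified (hash mismatch), missing (owned by a
    package but gone) and unowned (present but in no package manifest).
    """
    report = {"ok": [], "modified": [], "missing": [], "unowned": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for dirpath, _, files in os.walk(root):  # walk includes dotfiles
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel not in manifest:
                report["unowned"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def demo():
    """Constructed sample: build a clean tree, record its manifest, then alter it."""
    root = tempfile.mkdtemp()
    clean = {"bin/ls": b"ls binary v1", "etc/ls.conf": b"color=auto\n", "lib/libc.so": b"libc"}
    manifest = {}
    for rel, data in clean.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()  # what the package "recorded"
    # Constructed changes to detect: one binary altered, one library removed, one file added.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"ls binary v1 + extra bytes")
    os.remove(os.path.join(root, "lib/libc.so"))
    with open(os.path.join(root, "bin/.hidden"), "wb") as f:
        f.write(b"not from any package")
    return audit(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The modified and unowned lists are the set to archive before reinstalling the owning packages; the ok list is what can be dropped from a backup because the package repository already holds it.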

More information about the wine-users mailing list