Kaspersky has released a new virus removal tool named KVRT for the Linux platform, allowing users to scan their systems and remove malware and other known threats for free.
The security firm notes that despite the common misconception that Linux systems are intrinsically secure from threats, there has been a constant supply of "in the wild" examples that prove otherwise, most recently, the XZ Utils backdoor.
Kaspersky's new tool isn't a real-time threat protection tool but a standalone scanner that can detect malware, adware, legitimate programs abused for malicious purposes, and other known threats and offers to clean them.
Copies of malicious files that are deleted or disinfected are stored in a quarantine directory at '/var/opt/KVRT2024_Data/Quarantine' (for root users) in a non-harmful form.
The application uses a frequently updated antivirus database to scan the entire system for matches, but users need to download a new copy each time for the latest definitions.
"Our application can scan system memory, startup objects, boot sectors, and all files in the operating system for known malware. It scans files of all formats — including archived ones," says Kaspersky.
One thing to note is that KVRT only supports 64-bit systems and requires an active internet connection to work.
Kaspersky has tested the tool on popular Linux distributions and confirmed it works on Red Hat Enterprise Linux, CentOS, Linux Mint, Ubuntu, SUSE, openSUSE, and Debian, among others.
Even if your distribution isn't on the list of supported systems, there's a good chance that KVRT will work without problems, so it wouldn't hurt to attempt to run a scan, Kaspersky says.
Source: Kaspersky
Using KVRT
KVRT can be downloaded from here, and once downloaded, the user needs to make the file executable and run it as root for maximum functionality.
KVRT can be executed both in a graphical user interface (GUI) or the terminal, as a command-line tool. So, it's also usable in lower init runlevels (down to 3) where people might be stuck following a malware infection.
If regular users execute the scanner, it won't have the required permissions to scan all directories and partitions where threats could be hiding.
During initialization, the scanner unpacks some necessary files into a temporary directory at '/tmp/<random_character_sequence,' but those are wiped once it's closed.
Kaspersky has provided detailed instructions on how to set up the binary for execution both via the GUI and the console on this webpage.
BleepingComputer has not tested the effectiveness, nor can it guarantee the safety of KVRT, so use the tool at your own risk.
Comments
ZeroYourHero - 4 weeks ago
Yeah, never mind that Kaspersky's headquarters are in Moscow. What could possibly go wrong?
0Willy - 4 weeks ago
I suppose what could go wrong would be the same as could go wrong if they were based in Ukraine, China, USA, Nigeria, Romania, North Korea etc.
Looking at it statistically, Russia tops the heap but that does not mean every company in Russia is out to get you, not does it mean Western companies are safe.
The other part of the equation probably relates to how well Eugene is getting along with Vladimir and how compliant he is with government. That's the stuff of rumor, so impossible for most of us to judge fact. Also, Eugene has a company reputation to protect. If that goes, so does his wealth.
povlhp - 3 weeks ago
"I suppose what could go wrong would be the same as could go wrong if they were based in Ukraine, China, USA, Nigeria, Romania, North Korea etc. "
Russia is half-at-war with the USA. The Russian propaganda says they are at war with all of NATO (aka USA).
And now even Putin is trying to keep his agent in the USA (Donald Trump) out of jail.
But yes, it can get worse
linuxgeex - 4 weeks ago
USE AT YOUR OWN RISK!!!! MAKE A FULL SYSTEM BACKUP FIRST!!! YOU HAVE BEEN WARNED!!!
The first thing that can go wrong, is that this is Alpha-quality software. I used it to scan my laptop, and I intentionally attached a system image which I know has archives containing backdoors. I ran it, and it didn't ask me what I want to do - it deleted everything - not just the backdoor - everything. And there was no prompt for options whether I want things to be deleted or quarantined etc.
Then I tried the options for scanning only a specific folder. It found zero files to scan, regardless of the volume I asked it to scan. Even though the above did work the one time.
There's more options from the commandline. This should scan only the /home folder, and not delete your files:
$ sudo bin/Kaspersky.Antivirus.app -- -processlevel 0 -custom /home -customonly -accepteula
Zero files found.
Apart from there being no way to configure the GUI whether to delete your files (including uninfected files), there's also no way to save your preferences, or even to have it remember that you've accepted the EULA from run to run... very very Alpha-quality software.
peek2much3 - 4 weeks ago
Don’t care who releases what and what it does… In the world of the FOSS and LINUX I’ve known for decades, no src is a deal breaker for me EVERY TIME!
Unless these folks release this in github or whatever, I ain’t going to even contemplate this as an option.
Plenty more true and tested well known options have existed for years. Lynis, tiger, openvas, etc…. Even if they offer commercial options, they are well known and have OSS versions.
Besides, this shit is Russian anyway!
h_b_s - 4 weeks ago
Cuz you've personally reviewed every program your distro has installed on your system. Oh wait... no you haven't, nor can you guarantee that anyone has audited arbitrary selection of binaries from your distro in full. XZ's problem actually proves distro package maintainers aren't auditing anything they're gating into their distro repositories. They, too, are hoping someone else has because as a general rule, none of them are qualified to do so.
Open source is not a silver bullet for the security of a system, nor is closed source automatically insecure or inauditable. They both require skilled auditors to check the integrity of any code base whether it's in source viewable form or as a binary (absence of reproduceable builds, you have no assurance the resulting binary came from a particular code base - which is another point to the XZ problem).
Geopolitics aside, technically there's no reason not to carefully test Kasperky's tool for its claims. There are numerous tools and utilities to do so even without source code. If it works as advertised with no adverse side effects, use it as intended. But that takes effort and using one's brain to solve problems rather than carping tired absolutist political stances... oh wait... so do source code audits! Granted it *might* be easier with source code, but see above. There's numerous ways to compromise an end product through the build process or runtime environment without ever touching the source code. In fact, normal Linux distros make it trivially easy to do so - read up on LD_LIBRARY_PATH. That doesn't even contemplate the nightmare scenario of compromised compiler suites.
Given the alternatives, I prefer FOSS myself, but I don't delude myself into believing FOSS is automatically more secure because "FOSS". It's more secure only if the environment it is developed and built in is provably secure. It's more private only because the environment that it's produced in generally values its privacy. If Jian Tan has proven anything, it's that those assumptions aren't always valid and should NEVER be taken for granted. The practical reality is that FOSS isn't magically secure because the source code is viewable. It's just possible for random people to view it, but there's no guarantee *skilled auditors* will do so. Linux servers are compromised hourly just as quickly and easily by both the skilled and unskilled as quickly as Windows systems are.
peek2much3 - 4 weeks ago
<p>If you feel that you need to remind folks about the pros and cons of software then bud, you just landed on this business. In my short statement I carefully made provisions (or so I thought) for folks just like you. I mean man I can’t spoon feed you what should be well known by most. Again, in my 28 years in dev and I need to see src for me to trust it. Reason why I don’t work Win or Apple. I had a hard time trusting VMS for sake not to mention Oracle. I don’t run desktops or any of that so I can’t really tell you much about bloatware and what’s become of the desktop Linux world. Give me repo and we’ll talk… easy enough now bud? Let me see it, build it and we can talk.</p>
Thomas53 - 4 weeks ago
I use ClamTk and have for decades.
h_b_s - 4 weeks ago
Signature based scanners are only as good as their signature database and basic assumptions. ClamAV doesn't handle the unique characteristics of the Linux threat environment very well. It's mostly focused on slowing the spread of Windows malware through intermediary services like mail, file servers, and the general exchange of files all work places must manage.
In fact, it doesn't really handle the threat of script based malware regardless of OS (Python, Bash, PowerShell, etc) very well at all - none of the commercial or open source malware scanners do. Maybe KVRT is better in this regard? It requires behavior based detection which is fraught.
The best methods of malware detection are still network traffic analysis, highly location/host specific hash based trip wires for (un)known/altered files (tripwire, veriexec, packaging hashes, etc), capability based security (eg properly set up, functioning, *enforcing* SELinux or AppArmor), and in certain circumstances read-only VMs or containers.
NoneRain - 3 weeks ago
ClamAV is a joke, unfortunately. If it's not an obvious known threat, it won't see it.
spookza - 4 weeks ago
Tested it on a sandbox. It may execute via command line, but won't even install on headless servers.
Running kvrt with args <>
=================================
compver: 24.0.4.0 x86-64 (Apr 12 2024 12:32:49)
Product folder </var/opt/KVRT2024_Data>
qt.qpa.screen: QXcbConnection: Could not connect to display
Thomas53 - 4 weeks ago
@h_b_s
I do read and understand the code for most of the extremely few applications that I employ on my computer and I do use SELinux to lock my computer down. I use ClamTK as a backup because I know exactly what and how it does what it does and don't see a problem with it.
No it's not going to find a 0-day exploit nor have I ever thought it would, no tool of any kind is ever going to find it,. The only guarantee for a completely secure system, is to never connect to the internet, any network, or plug any type of external data carrying device.