{{Header}}
{{title|title=
VirusForget - Design
}}
{{#seo:
|description=Stop malware persistence. Deactivate malware after reboot from non-root compromise. Make malware non-persistent after reboot.
}}
{{intro|
Stop malware persistence. Deactivate malware after reboot from non-root compromise. Make malware non-persistent after reboot.
}}
== Description ==
Deactivate malware after reboot from non-root compromise.

Similar to [https://github.com/tasket/Qubes-VM-hardening Qubes-VM-hardening], but designed for any (Debian) Linux system booted without root access.

== Issue ==
Most Linux desktop distributions are vulnerable to persistent malware even if only the user account was compromised. It would be expected and desirable that, after a reboot, non-root malware would get deactivated (i.e., be non-persistent).

This is currently not the case because malware can gain persistence (survive reboot) by using hooks such as the file <code>~/.bashrc</code>, the folder <code>~/.config/autostart</code>, and many others to autostart itself after reboot.

An effort to start enumerating these files and folders has been made in [https://github.com/{{project_name_short}}/security-misc/blob/master/usr/libexec/security-misc/virusforget Security-Misc VirusForget Source Code].

== Notes & Scratch Pad ==

=== Features ===
* Run at boot before mounting <code>/home</code>.
* Allow root to modify file and commit changes.
* File same as <code>/etc/skel</code> (root location) is acceptable.
* Carantaine.
* Delete.
* Diff.
* Init.
* Commit.
* Show.
* Extra file.
* Changed file.
* Whitelisting of files, such as for <code>netvm</code>.
* File by tag.
* Qubes root compromise with protected root image <code>/usr/local</code>, <code>/rw</code>.
* Move anything not part of <code>skel</code>.
* After PAM?
* Log a note if a dotfile does not exist.
* No root protections in Qubes Template.
* Ignore when running as root.
* Deploy.
* Duplicate files for later diff.

=== Considerations for Tor Browser in the Home Folder ===
* Snapshot binaries with:
** <code>find . -executable -type f</code>
* Upgrade mode to allow changing executables.

=== Command-Line Interface ===
* <code>--path</code>
** Home folder can be in any location, such as:
** <code>--path /home/user</code>
** <code>--path /rw/home/user</code>
** <code>--path /path/to/chroot/folder/home/user</code>
* <code>--simulate</code> - Perform a dry run, outputting what would be done.
* <code>--protect</code> - Remove important files after reboot.
* <code>--unprotect</code> - Disable protection.
* <code>--immutable</code> - Make important files immutable (cannot be written to).
* <code>--mutable</code> - Make files writable again.
* <code>--reset-to-skel</code> - Reset important files as if created from <code>/etc/skel</code>.
* <code>--skel /path/to/skel</code> - Specify an alternative skel location (default is <code>/etc/skel</code>).

=== Additional Considerations ===
* First boot.
* Subsequent boots.
* Handling newly added configuration files.

== Status ==
* Rewrite started but stalled for now.
** [https://github.com/tasket/Qubes-VM-hardening/issues/33#issuecomment-522476132 Related Issue]
** [https://github.com/{{project_name_short}}/security-misc/blob/master/usr/libexec/security-misc/virusforget Security-Misc VirusForget Source Code]

{{Footer}}
[[Category:Design]]
[[Category:Development]]