For Linux, true. Which is why I said “a better solution would be to introduce a GUI network HIPS”.
Comodo offers a similar solution, and dare I say their HIPS is the best in the free segment for Windows. Their signature database is nowhere near as good as what Kaspersky, Bitdefender or Sophos have to offer, but Comodo has the best HIPS module. Maybe try it out on a VM, @dmknght, and test it with a bunch of malware samples; you’ll be impressed.
I’M IN NO WAY, SHAPE OR FORM AFFILIATED WITH THEM. They do offer a solid, good free firewall and HIPS module for Windows free of cost; check it out if you want.
I like your approach to this. But wouldn’t that mean obfuscated network packets would slide right through the filter if we only rely on packet signatures? Also, I’m not so sure how you would implement such a module that actually does the job.
At the end of the day, more than two-thirds (if not all) of protection mechanisms rely on the end user. You give a brick to a Spartan and he would give you a good fight; give full armor and a spear to a sheep and you are basically burning your resources away (I may have underestimated sheep here, but you get the point).
As long as the user knows what he or she is up to, provided that they have a decent GUI (for users who, let’s be honest here, we all know most users who install Parrot are not professionals but newbies who dream of being a L33T hax0r BS; we cannot just flip them off now, can we?) network HIPS that alerts them and tells them to choose “allow/block/reject” every time a new service tries to reach out to the outside world, plus a sandboxed environment working silently in the background, security shouldn’t be a major issue on Linux. We have already achieved that with Firejail and AppArmor. If the users know how to work with SELinux, that’s another bonus for them!
I do agree with what @dmknght said about having a good AV for Linux, at least for home users, since Linux threats are rising, not at an alarming speed, but increasing nonetheless. Maintaining a good signature database as the threat market keeps evolving every single minute, not to mention the amount of false positives we would get from it, since a pentesting OS comes with tons of stuff that an AV would flag, so excluding them. TL;DR: It would be a really, REALLY extensive process to implement a good AV and keep it up to date.
What does @palinuro think about this? Curious to know.
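The post above sketches a GUI network HIPS that prompts the user with allow/block/reject the first time a program reaches out to a new destination. The block below is an added example of that decision layer, written for this page; it is not code from the thread, from Parrot OS, or from any of the products named. It assumes an event source and a prompt UI that a real tool would get from netfilter and /proc socket-to-PID mapping; here the connection events are constructed inline and the prompt is a plain callback, with a headless fallback that blocks anything nobody has approved.

```python
"""Toy per-program egress policy engine: allow/block/reject on first contact.

Added example, not code from the original thread or from Parrot OS.
Assumptions: connection events arrive from some hook (a real HIPS would use
nfqueue plus /proc/<pid> to attribute a socket to a binary) and the user
answers through a prompt callback. Everything below is constructed inline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple
import json


class Verdict(str, Enum):
    ALLOW = "allow"    # let the connection through
    BLOCK = "block"    # drop silently; the program just times out
    REJECT = "reject"  # drop and signal failure so the program fails fast


@dataclass(frozen=True)
class ConnEvent:
    pid: int
    comm: str        # short process name as the kernel reports it
    exe: str         # resolved binary path; keying on this, not comm,
                     # stops a renamed binary inheriting another's rule
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"


RuleKey = Tuple[str, str, int, str]          # (exe, dst_ip, dst_port, proto)
Prompt = Callable[[ConnEvent], Optional[Verdict]]


class EgressPolicy:
    """Remembers each (program, destination) decision so the user is only
    asked the first time a program contacts a new place."""

    def __init__(self, prompt: Prompt, default: Verdict = Verdict.BLOCK):
        self._rules: Dict[RuleKey, Verdict] = {}
        self._prompt = prompt
        self._default = default          # used when no UI answers
        self.log: List[Tuple[ConnEvent, Verdict, str]] = []

    @staticmethod
    def _key(ev: ConnEvent) -> RuleKey:
        return (ev.exe, ev.dst_ip, ev.dst_port, ev.proto)

    def decide(self, ev: ConnEvent) -> Verdict:
        key = self._key(ev)
        if key in self._rules:                      # already answered once
            verdict = self._rules[key]
            self.log.append((ev, verdict, "rule"))
            return verdict
        answer = self._prompt(ev)                   # first contact: ask
        if answer is None:                          # headless box, no UI
            self.log.append((ev, self._default, "default"))
            return self._default
        self._rules[key] = answer                   # persist the decision
        self.log.append((ev, answer, "prompt"))
        return answer

    def export_rules(self) -> str:
        """Serialise rules as JSON so decisions can survive a reboot."""
        return json.dumps(
            [{"exe": k[0], "dst_ip": k[1], "dst_port": k[2],
              "proto": k[3], "verdict": v.value}
             for k, v in sorted(self._rules.items())], indent=2)


def run_demo():
    """Feed three constructed events through the policy with a scripted user.

    Returns (verdicts, programs the user was asked about, policy object)."""
    events = [
        # package manager fetching over HTTPS (constructed, TEST-NET address)
        ConnEvent(1201, "apt", "/usr/bin/apt", "203.0.113.10", 443, "tcp"),
        # a document viewer contacting an unknown host (constructed)
        ConnEvent(1340, "evince", "/usr/bin/evince", "198.51.100.7", 8080, "tcp"),
        # same program, same destination as the first event: no new prompt
        ConnEvent(1202, "apt", "/usr/bin/apt", "203.0.113.10", 443, "tcp"),
    ]
    scripted_user = {"/usr/bin/apt": Verdict.ALLOW,
                     "/usr/bin/evince": Verdict.REJECT}
    asked: List[str] = []

    def prompt(ev: ConnEvent) -> Optional[Verdict]:
        asked.append(ev.exe)
        return scripted_user.get(ev.exe)

    policy = EgressPolicy(prompt)
    verdicts = [policy.decide(ev).value for ev in events]
    return verdicts, asked, policy


if __name__ == "__main__":
    v, a, p = run_demo()
    print("verdicts:", v)
    print("prompted for:", a)
    print(p.export_rules())
```

Two design points worth noting: rules are keyed on the resolved binary path plus destination rather than the process name, so a renamed binary does not inherit another program's approval; and when no prompt is available (the `None` branch) the engine falls back to `BLOCK`, which is what you want on a headless or locked box so that nothing unknown leaks while the user is away.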