Antivirus for Linux

I raised this question a few years ago.
My calendar indicates that it's time for a fresh thread.

Which is the best free AV program for Linux.

I am aware of the following, but which is best, and why?

AVAST
AVG
Bit Defender
ClamAV
F-PROT

This thread assumes that an AV program is needed.

 

I thought so too, but when I went there with my bookmark, I did not find he Linux version.

Anybody know the URL?

 

Thanx, I found it too.
Hard to do with these ole eyes.

 

I dont use any AV on my Ubuntu here.

Earlier today I was reading that many Linux AV apps not only spend a lot of time looking for Windows-type viruses, but also have a high rate of FP's.

Not running as root (ie using SUDO when root is required) is central to protecting your Linux system.

I am still a relative Linux newbie - I dare say others here will be able to provide more info

 

AV is not necessary for Linux, expect for maybe stopping propagation of Windows viruses via email and such - blind forwarding etc. The way the OS is built, viruses are no threat - no more than user executing files deliberately.
Mrk

 

i heard linux was just as susceptible to viruses, but its the exploits linux doesnt have.... i just remember reading this somewhere

 

There there is an attitude of fixing a security issue rather than relying on AV product in the Linux world.

 

Obviously there is nothing in Linux that makes malware infections in any way impossible. This is simply a fact, and should be painfully obvious. Any OS that allows a user to run software of their choice is automatically also vulnerable to malware. Because, if the user can download and run this new mail client called Thunderbird, nothing really stops them from downloading and running this spam trojan called Spammerbird.

What Linux has is least privilege by default - unlike in Windows, every account isn't admin/root by default - a solid security model, quick patching, users that are a lot smarter about computers and computer security than average Windows users and a lot less desktops out there than Windows meaning there are fewer targets for the bad guys. And then there's always that there are so ridiculously many Linux distros out there, using various different kernel versions and installed software, that it just isn't as easy to find a common target to attack as it is in Windows.

There is very little malware made for Linux. Not because it's impossible, but because it's inefficient - why waste your time making Linux malware for the modest number of Linux desktop (not server) systems out there when you could spend the same time writing some lame malware for hundreds of millions of Windows desktops that are administrated by people who are completely ignorant of security and run as admin all the time, protected only by some blacklisting security software that is ridiculously easy to evade. But sure, if someone had nothing better to do with their lives, they could make all kinds of nasty Linux malware. Even the kind of drive-by malware that infects without any approval from the user - provided that they could find some Linux system still running software that has the right vulnerabilities for that still unpatched, or find some new vulnerabilities. In other words, a lot of work put to waste, since the same time could've been used to own a far greater number of Windows systems. Windows and Linux are like friends running from a bear. You don't have to be faster than the bear to escape. Just be faster than the other guy, so the bear will catch him instead of you. Linux is the harder target. Harder, but nowhere near impossible.

I've never used antiviruses on Linux. Unless the user is extremely foolish (and let's face it, a lot of people are when it comes to computers), there is practically zero risk of any kind of malware infection. But even if the user is foolish, the risk is still small, because there just isn't that much malware out there. If you feel like it, you could run an AV to scan email, so you don't accidentally send infected stuff to Windows users, but in a home environment I wouldn't bother with that. Just don't forward random attachments to people and that'll solve that.

Something to think about: Windows is patched all of the time, but there are "security issues" that can't be "fixed". For example, a great number of malware works based on social engineering - it just asks the user to run it, and the user does. How could you fix the operating system to stop that, hmm? The "issue" there is that the OS allows users to run software - something people generally want, right? Too bad the OS cannot possibly know whether that software is malicious, or not. So, there's only two ways to "fix" that problem: 1) A "psychic" OS that can magically tell what some software does before executing it - impractical and rather impossible too. 2) An OS that does not allow the user to run any software at all - less than brilliant solution. In fact, there is no practical way to fix this "flaw" that would be acceptable to the user. That's the reason it's not fixed in Linux, either.

 

Not quite as easy, since there's still the difference between default settings for example, and malware authors seem to be a little lazy in developing malware that works properly without admin/root privileges. But certainly "easy enough" to allow a lucrative malware business and cause a lot of pain to the users who don't know how to secure themselves.

But in the end, it's all about the user. I like to say that if Windows was used only by the kind of people that mostly use Linux now, the malware issue on Windows would be a lot smaller. And on the other hand, if the average Windows users all moved to Linux, soon we'd be seeing massive amounts of infected Linux systems, operated by these new users who still don't know much of anything when it comes to computers and security.

Actually, if Windows users could just bother to learn to do things more like Linux users, they would be a lot more safe: Don't run as root/admin. Don't execute files that come from untrusted sources. Patch. If people could do even just that, then a large part of malicious software would stop being an issue, and they'd have to deal then only with the malware that uses vulnerabilities to infect - those are always harder to create than just good old social engineering attacks. And most vulnerabilities are very easy to mitigate.

I don't think anyone should stop recommending Linux for fear that malware authors may target Linux more when Linux gains popularity. That's a pretty defeatist way of thinking about it, I think. Rather, I think people should recommend what they know to be good, and also attempt to teach others about security and basic measures to take, like not running as root/admin. That would help a lot.

In my previous post, I stated I don't use AVs on Linux. I don't think they are necessary at all. So, for anyone considering an AV on Linux in spite of that, I think it would come down to only two things: 1) Which AV has the best detection of Windows malware, because chances are that's about all that it will ever be detecting and 2) Which AV runs best on Linux, wasting as little resources as possible and causing as few problems as possible. On the other hand, I don't use AVs on Windows, either. If you follow the same kind of basic security measures on Windows that an educated Linux user follows on Linux, Windows is very safe, as well.

 

No that is not an issue. The issue would be an OS the allows the entire system to be infected when it is run. Without root permissions in Linux you won't get far at all (unlike windows which does not have cleanly segregated OS structure).

I disagree there is third and commonly employed option and one that applies to windows and linux, create a system policy that allows a user to run only known, white listed apps.

 

Very true.

 

Without root permissions in Linux you won't get far at all, that is true - without privilege escalation exploits. But the part you forgot was that without admin permissions in Windows you also won't get far at all. Actually, you'll get only as far as you'd get in Linux without root permissions. Somehow, though, some people seem to always "forget" to mention this. Not to mention that even without root or admin permissions you can still send spam, make DDoS attacks, steal or delete the user's personal files... that's not bad, is it?

"Windows does not have cleanly segregated OS structure"? Now what is that supposed to mean? A very vague statement, and no proof to support it. Windows NT - note, NT, not Windows 9x - has a security model very similar to that of Linux. It clearly separates between admin/system which are the Windows equivalents of root in Linux and regular users with limited privileges and access to the system. Don't run as root in Linux and don't run as admin in Windows, and you'll have very similar access to the system and very similar protection for the OS and other user accounts. No-one who actually knows anything about the security models of these operating systems would dispute that. The most meaningful difference in technology is the default settings: Linux prefers to make accounts non-root by default which is safer, and Windows on the other hand makes accounts admin by default which is less safe. But that does not change the fact that Windows allows you to run with very limited privileges for the user, just like Linux. Only, in Windows you have to make that choice yourself, while in Linux it's the standard.

Yes, and that cannot be made the default in any operating system intended to be sold to hundreds of millions of different users, some of which are normal home users and some of which are businesses running large networks. Whitelisting is great. I advocate whitelisting. But, you can't include whitelisting in a default configuration of something like Windows, unless the whitelist is absurdly large. Users would not approve of having to go ask Microsoft for permission to execute some program. Hell, most Linux users I know wouldn't want there to be a default whitelist that only allows "known good" software.

 

Some questions have been raised re; Linux virusability:

1) By default, you run as user and not root - this is roughly equivalent to running as limited user in Windows, this means exploits aimed against system binaries won't work. You can't change them.

2) Newly created files - assuming a trojan dropped them - have their permissions defined by umask. By default, in Linux, newly created files are not executables. Therefore, even if they're malicious, they can't execute.

3) System updates - you get them daily, for virtually ALL apps installed on your system. The chances of a program with remotely exploitable vulnerability that results in privilege escalation is virtually nil.

4) You download stuff from digitally signed repositories. You have no reason to stumble upon malicious software.

Now, what can happen and why it's not an issue:

Here's how you can easily "infect" your Linux. Login as root. Open terminal. Delete fstab. Reboot. Your machine is inoperable. Congratulations. Very simple. Very deliberate. Nothing can protect against that.

So, what we need to focus is not if Linux can get infected - the answer is yes, it's just dumb software doing what user wants - the question is, what is the chance of a user accidentally causing harm?

The answer to this is: very low.

This is why you don't need an anti-virus. You won't get to have a malicious file on your machine, unless you deliberately download it from somewhere and deliberately execute. But as we've ascertained, there's no protecting the user from himself/herself.

Those who raised Windows issue. True, on Windows you don't need much either. Run SuRun and that's it. Or even run admin, just be careful about unknown files and use a good browser. You don't even have to patch the machine or run fancy anti-virus software. Personal case here.

The big difference between Windows and Linux is - given the average computer user, someone with the skills of a retarded chipmunk - the chances of self-inflicted damage is much higher in Windows because of default mechanisms in place.

Mrk

 

I downloaded the Personal edition manual, makes no mention of *ix.

I downloaded the Linux njstall file, expanding the file, I find a manual for the
Unix server edition. It does list the Linux distributions supported.

Oh well, it's hard enough to get documentation for non-free software.

If this thread could get back on topic, how's about comments on the other free versions available?

Several years ago, I looked at this question and found two very signoficant differences:

1. Some software did not do real time scanning.
2. Some software did not scan email.

 

Well said. That's how it is. I particularly like the "retarded chipmunk" part!

 

Mrk, your post summarizes it very well. Actually it should be made sticky as the same questions come up every other week or so. People coming from the Windows world simply don't understand how Linux is different.

BTW: The pure fact that Ubuntu doesn't even have a root account by default makes this distro particularly suitable for Linux newbies. Most other distros still have a root account - who knows how many converts use it out of habit.

@Windchild:

"not server" - very true. As has been also discussed many times here, a large percentage of web servers are Linux based and they are definitely a rewarding target. But still there is hardly any Linux malware in the wild. So the modest number of Linux desktop systems is not really a convincing argument - it's rather the superior security concept of Linux.

 

I mention "not server" because servers are entirely different targets than desktop computers. For example, who runs servers? Mostly they are run and controlled by IT professionals or serious hobbyists, not Joe Average home users with no knowledge. That alone makes them a far harder target than the average desktop. But there's more. How do these people run servers? They don't use these servers to browse the web with an unprotected browser or open random email attachments or install unknown "freeware". That stops many attack avenues entirely. That pretty much leaves either local physical attacks - tends to be hard given how servers are usually located - or attacking the actual server software like Apache, and that's an entirely different ballgame from attacking home desktop systems. And the biggest problem with attacking servers is that even if you do own them, there's a good chance that the pesky server admin spots it and wipes your hard work out quickly - whereas when you own some desktop home PCs, they'll likely stay infected for at least weeks, often months and even years.

Infecting a random server with malware is a bit more tricky than infecting some random home desktop. First, how would you deliver the malware? It's likely that with the server as a target, no-one is going to open your infected attack email or browse to your exploit site using the server. So, those methods of attack are out (unless the admin is just stupid). Can you just walk to the server and install the malware via local physical access? Almost never. So what does that leave you with? You'd have to deliver the malware by exploiting some vulnerability in the running server software. And there's about a gazillion people looking for such vulnerabilities and fixing them, all of the time. So, good luck with that. Even if you succeed, chances are that it takes about two days for someone to patch that hole, and then all your hard work will be gone. If you had just concentrated on desktop systems, you would have likely gained much more.

The fact that servers aren't owned all the time really doesn't prove anything about the superior security of some platform. Servers, for previously mentioned reasons, are a different type of target than home desktops. Though servers tend to have powerful hardware and may contain juicy data, the problem for the attacker is that servers tend to be protected by professionals who know what they are doing, unlike home desktops. And, if you do attack a server, you're facing a risk of legal action against you that is much greater than what you would face attacking and owning thousands of home systems.

I really wouldn't agree to Linux having a superior security concept as compared to NT. There's very little difference in the underlying security model, if you look at the internals of both systems. On the other hand, I will definitely agree that Linux has far more sensible default configurations, with regard to for example least privilege by default.

 

You will never keep an AV thread on topic here. There is a contingent of people who ALWAYS turn it into a debate about how Linux is just as vulnerable as Windows but suffers fewer exploits simply because of the numbers. This is pure BS but it happens EVERY TIME!! And the same tired old arguments are used every time.

Personally, I wish the moderators would just ban AV discussions in this forum.

The fact is very few Linux people use AV's because, in Linux, they are counter-productive. For an AV to be effective it must check all code being written to disk for thousands of upon thousands of known "code snippets" containing malware. This is a very time consuming and resource intensive process that interferes with the user's enjoyment and productivity. In a Linux systems this degradation of performance serves NO PURPOSE.

No matter what the Windoze people try to tell you, even dumb, ignorant, computer illiterate people who will click on any button you stick in front of them, don't get viruses in Linux. It just doesn't happen. So all of the discussion of how it CAN happen is meaningless.

I'm a 70 year old living in a retirement building with about 400 other retirees and I build computer systems for a lot of my neighbors who have never used a computer before. I put Linux on all of them and have yet to have a single virsus problem.

OTOH, I also help my neighbors, who already have computers, keep them running. 90% of the problems I run into on these Win machines are due to malware.

That is the bottom line.

 

Just out of sheer morbid curiosity. Who in this thread has said that Linux is "just as vulnerable as Windows but suffers fewer exploits simply because of the numbers", and where exactly did they say that? And if someone says that they "heard" about something being the case, I don't think that counts, really.

I realize that some people love to fight petty little wars over everything - browsers, operating systems, which hockey or baseball team is the best - but that's quite a pointless exercise. The reality of it is quite simple:

- AV for Linux is not necessary, and one could justly call it a waste of processor cycles. One could even call it an outright scam, especially if someone tries to make you pay money for a Linux AV.
- most Linux users do not use AVs
- Linux malware is... rare. So rare, that if you ever meet any, consider putting more money in the lottery, because you have special luck (hey, even backwards luck is still "luck").
- In spite of all this, there is nothing in Linux that makes it invulnerable against malware, which is what some people in the world mistakenly think after hearing so many people say that malware is not a problem in Linux.
- But with that said, Linux is a much harder target for malware authors than Windows, for reasons such as better default settings, and most definitely better users. And for those reasons it's unlikely that we'll ever see major malware troubles with Linux, unless an enormous number of newbies migrate from Windows to Linux - unlikely, since most of those newbies quite likely don't know that Linux even exists.

 

You will never get a legitimate answer to this question. True Linux users, with the expertise to give such an answer, don't use AV applications. So you won't get an answer from them.

But you will get many responses because it pushes people's buttons. No matter what your intent, this question will ALWAYS revert to a Windows vs Linux security debate.

 

See, you did it too. The question from the OP wasn't whether or not an AV was necessary in Linux but, rather, which was the best AV. No one, including me, has even attempted to answer that question.

And of course, no one directly made the statement you quoted but that is the impression a lot of posters want to leave. If that isn't true, why are there over twenty post in this thread without a single one of them addressing the original question?

 

Folks,

A few points:

• Don't drag other OS's into this discussion. Let it go.
• Mrkvonic has provided a concise summary of why an AV isn't needed at the moment for Linux based systems. I'm sure that could change at some point in the future due to potential developments, however that's a vanishingly small possibility. The reality today is that a Linux based AV is not needed unless your Linux system is an intermediate transit point for material and you want to provide downstream filtering for other OS's. That can make sense, but you need to appreciate that you're not protecting the Linux system, you're providing protection for the downstream systems.
• For the vast majority of users (read probably 95+% of any installed base just pulling a number out of thing air), the instrinsic security of an OS platform is controlled by the default configuration employed. Some OS providers have made good selections here, others have made unfortunately selections. Possible configurations implemented by advanced users don't really matter, the field installed base does. In this regard, the situation with Linux is quite good. With other systems the situation decidedly mixed although improving in some respects, but the focus of this forum is Unix/Linux, so let's stay on point.

Blue

 

I have avast on Ubuntu Hardy only for the occasional on demand scan - mainly
as a courtesy to those I frequently send stuff to via email. Unfortunately I am
too stupid to configure it for real time scans compiling the kernel with 'dazuko'.
On Jaunty I have clamav with clamTK as frontend, also for infrequent on demand scans (have not enabled deamon).
So far only a few FP's were found.

 

Same here Ocky. I have Avast on Ubuntu (nothing on PCLinuxOS) only to occasionally scan files that I will be forwarding to windows users who are clueless about proper security. I set it up in nautilus actions so the scan option is in the context menu. It was easy to install, does not seem to run any processes or services when not in use, and I am not hurting for disk space. However, I don't know if this makes me a thoughtful user or an enabler.

 

If as Blue mentioned Howard Kaikow, you're neither running a server nor concerned with downstream filtering, are you still looking to have those shoes filled? Your query's a common one not frequently encountered on Linuxquestions - https://www.linuxquestions.org/questions/linux-security-4/virus-scanner-29319/

These keywords "ms windows virus scanning linuxmafia" will lead you directly to the rest of this reply on Linuxmafia.

Check Rick Moen's "rant" on the topic - seriously!