Antivirus for Linux

Discussion in 'all things UNIX' started by Howard Kaikow, Aug 1, 2009.

Thread Status:
Not open for further replies.
  1. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I would consider many of the posts in this thread to provide an excellent answer. The question posted by the OP was: "Which AV is best for Linux?" And guys like Mrkvonic, me and, actually, you as well, answered something like: "No AV is best for Linux, because no AV is needed. :) " It was even stated that AVs on Linux are a waste of resources. I think that's a pretty good answer, really. And considering that the Wilders forum rules seem to discourage making "Which is the best AV?" and AV comparison threads, perhaps that's the only reasonable answer to give. See here: https://www.wilderssecurity.com/showthread.php?t=180128 Further, I'm sure most would know that what is best depends on a lot of factors, and therefore best is hard to define. Best detection rate? AV X. Best in avoiding false positives that destroy your files? AV Z. And so on... Ultimately, who can say which is best? I sure can't.

    The impression a lot of posters want to leave? That sounds awfully vague... posters like who, and based on what? As I read this thread, most everyone is saying that no AV is needed. Actually, I don't see even one reply to the original post that says an AV is needed... Do you? I also don't see even one post that states as fact that Linux is "just as vulnerable as Windows". I don't see anyone even implying that. Well, except perhaps one post that says "I heard..." which suggests that even the poster himself isn't sure. Perhaps some people are being slightly too sensitive about this issue. I suspect the reason why people aren't telling the OP what is the best AV for Linux is that the question is very hard to answer, and most Linux users don't even want to run an AV. There need not be any conspiracy with evil Windows-using people making veiled implications that Linux - gasp - may be vulnerable to something. :D
     
  2. tlu

    tlu Guest

    Well, I'm running ClamAV just to check my emails, not because I'm afraid that my system could get infected but to warn my friends if they send me mails with infected attachments, or to avoid forwarding such mails to them - as all of them are Windows users. :D
     
  3. tlu

    tlu Guest

    Just as a clarification (and having Blue's reminder in the back of my mind): With security concept I also meant the things mentioned by Mrk - the fact that you get your software from repos, the fact that all your apps get automatic security updates etc. I don't mind if you call that "security concept" or "infrastructure" or whatever - all these things count.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Exactly...... :)
     
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yes, I fully agree that they count. Those are only some of many things I enjoy in Linux. :thumb: And of course, with regard to this topic, just like most other Linux users I enjoy not running an AV in Linux. As wise men say, security is not a product - like for example an AV - it's a process. In some environments, it's an easier process than in some others. With Linux, it is easier. Actually, if there was a poll in this subforum about how many Linux users run AVs on their Linux systems, that might provide a good answer to the original poster.
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I never use an AV in Linux either, and I agree with the others that it just isn't necessary. For me, that is one of the main attractions of Linux. It's a huge relief and peace of mind.

    I think what Howard is saying in his original post is, given that he's hell-bent on using an AV in Linux, then what would be his best choice... Since most of us don't run one, we don't have any good answers for him. But perhaps all this discussion will change his mind.
     
  7. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Well, then the answer is basically the same as it always is for AV technologies....
    • Since an AV requires a constant and high level of maintenance, most of the high profile commercial offerings should provide similar performance. The "constant and high level maintenance" is why I personally would shy away from an open source solution, but that's really a personal preference. For high profile threats, they're all likely to provide similar results.
    • It is probably more important to develop an intimate feel for the tool being employed than it is to necessarily use the most comprehensive tool available. Again, personal opinion here, but based on fairly extensive observation in a number of areas.
    • Any recommendation really needs to be made in the context of planned usage. Absent a sense of those details, any comment is a bit of a shot in the dark.
    Blue
     
  8. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    I suggest that this be accepted as "the official answer" and be made a "sticky." In the future, any question about AVs in Linux should be referred to this sticky and any other response be declared "off topic."
     
    Last edited: Aug 2, 2009
  9. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
    This thread was about recommending which of several listed AV programs was best. NOT using an AV program was NOT listed as an option.

    ALL the other jibber jabber was irrelevant to that request.
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Unconstrained "what is best" threads are not played here. Please see here, including the clarification posts.

    If you wish to provide some discussion guidance to focus the discussion, now is the time to establish some targets. Otherwise, this thread will be closed as per the guidance linked to above.

    Blue
     
  11. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Sorry. Your desire to limit the thread to your original question is irrelevant. 'Tain't gonna happen..
     
  12. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    I suggest you reread my posting, I tend to be precise with my wording when the situation warrants. I stated:
    Presently, why would one devote resources towards attacking a rather heterogeneous platform with minor desktop penetration which, from a security perspective, has a much more sensible intrinsic default configuration? Simply stated - one wouldn't.
    And how are these drive-by downloads implemented? This doesn't happen as depicted in the movie "Independence Day" with a simple "let's upload a virus to the alien mothership" scenario.
    Where do you see my use of the word never? Actually, I took pains to place the discussion in the present only (although for the scenario you seem to be considering - never will likely operationally apply).
    Logically, I could ask why you choose to not move around in the center of a Faraday cage to eliminate the possibility of being struck by lightning. You know, the statistics say it's possible. Really. Well, there's that convenience issue and those cages are a tad bulky. Things might be dragging by the middle of the day....

    Getting more to your direct question - there is harm. The harm of devoting time and resources to address inconsequential issues while merrily neglecting issues of appreciable import.
    No, it's out there. Rootkits. And?
    The attitude is the same that's at work when I recommend rather simple approaches with minimal need for user configuration and interaction on other platforms - it's designing a solution to an appropriate level of security. There is such a thing as overkill, and unless the direct concern is passing questionable content onto others running susceptible OS's, use of an AV can be viewed as overkill today. There may be a time when that's not the case, but that time is not here yet.
    Is there harm? Perhaps, see above and figure out how you would better spend your time. It's all about understanding what these solutions will and will not provide.
    What does the anecdotal evidence tell you? What do the default system configuration ethics tell you? What does the package management capability tell you? Are there things out there? Sure. But what's the more likely scenario? Munging up your own machine due to a miscue or running malware? Right now, by my own informal estimate, it is the former by at least an order of magnitude, probably more. Given that, one should focus on where the greatest strides will be achieved - which is taking a moment to pick up some info on how to really use the platform and not spend it scouring the Internet for the best Linux AV.

    At least that's my take on it. Just because you can do something doesn't mean that you should. If I see the tide shifting, my recommendation would certainly reflect that.

    Blue
     
  13. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    For me, that's it in a nutshell.

    Sort of...., I have seen situations in which the impact has not been neutral (specific example - McAfee AV on OS-X - numerous severe performance degradation issues). It's probably useful to make a visit to the Wiki on Linux malware. Part of how I approach this is basic philosophy - do what's needed, and not a lot more.


    Blue
     
  14. tsec

    tsec Registered Member

    Joined:
    Nov 18, 2008
    Posts:
    181
    You should give Linux a try ssj100 :)
     
  15. wat0114

    wat0114 Guest

    ssj,

    why don't you, just for the fun of it, load up a Linux distro pre-loaded with, at least, basic apps such as Firefox, no anti-virus, don't put any personal information on the install, and use it to surf the most nefarious sites you can drum up and see if your install picks up a nasty infection. I'll bet it doesn't happen :D
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,228
    ssj, if you want I can write a placebo anti-virus for you. I will even serverize it and all it will do is send emails every 30min telling you your system is perfectly clean ...

    Mrk
     
  17. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    The only claim of malware affecting Linux on this forum was far from genuine. Someone claimed that downloading a Windows virus using a Wine program caused the contents of desktop screen one to move to desktop two. Of course he couldn't/wouldn't name what he claimed to have downloaded, and the symptom he claimed can be caused by inadvertently moving the mouse when Compiz is turned on.
     
  18. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    You would know by running a manual scan. And I'll bet you can't find a web-site that is successfully targeting Linux.
     
  19. Howard Kaikow

    Howard Kaikow Registered Member

    Joined:
    Apr 10, 2005
    Posts:
    2,802
  20. tlu

    tlu Guest

    Hm, what are you trying to tell us? Quote from that chapter:

     
  21. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    "Sometimes, rather than argue with the guy and try to educate him, it's best to tell him what he wants to hear" rings true on this end.
     
  22. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    A productive strategy to use in keeping Unix/Linux systems secure, aside from running a solid firewall and never web surfing in root mode (duh!), is to run intrusion detection software. Here is a Sans Institute PDF Linux cheat sheet (with some great tips) which is referenced on Computer Security Incident Handling.

    Also, chkrootkit and rkhunter are useful tools to run on a regular basis.

    -- Tom
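    A wrapper for the periodic chkrootkit / rkhunter runs Tom recommends, meant to be called from cron. This is an added example, not code from the thread or from either project. It assumes rkhunter exits non-zero when it reports warnings and that chkrootkit in quiet mode (-q) prints only what it flags; the tool names, the log path and the hypothetical helper names (have, rootkit_check) are this example's own, so the logic can be exercised with stand-ins when the scanners are not installed.

```shell
#!/bin/sh
# Added example (not from the thread): run the rootkit checkers that are
# installed, log anything they flag, and return a status cron can act on.
# Assumptions: rkhunter returns non-zero on warnings; chkrootkit -q prints
# only findings. Both tools normally need to run as root.
RKHUNTER="${RKHUNTER:-rkhunter}"          # overridable for offline testing
CHKROOTKIT="${CHKROOTKIT:-chkrootkit}"
LOGFILE="${LOGFILE:-/var/log/rootkit-check.log}"

have() { command -v "$1" >/dev/null 2>&1; }

# rootkit_check -> 0 nothing flagged, 1 something flagged, 2 no scanner found
rootkit_check() {
    ran=0 flagged=0
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if have "$RKHUNTER"; then
        ran=1
        # --skip-keypress avoids interactive pauses under cron;
        # --report-warnings-only keeps the log to what needs attention.
        out=$("$RKHUNTER" --check --skip-keypress --report-warnings-only --nocolors 2>&1) || flagged=1
        [ -n "$out" ] && printf '%s rkhunter:\n%s\n' "$stamp" "$out" >> "$LOGFILE"
    fi
    if have "$CHKROOTKIT"; then
        ran=1
        out=$("$CHKROOTKIT" -q 2>&1)
        if [ -n "$out" ]; then
            flagged=1
            printf '%s chkrootkit:\n%s\n' "$stamp" "$out" >> "$LOGFILE"
        fi
    fi
    [ "$ran" -eq 1 ] || { echo "no rootkit scanner found" >&2; return 2; }
    return "$flagged"
}

# Invoke with "run" from cron, e.g.:
#   0 3 * * * /usr/local/sbin/rootkit-check.sh run
case "${1:-}" in
    run) rootkit_check ;;
esac
```

    A non-zero exit from cron is what makes the run visible (cron mails the output, or a monitoring job can watch the log), which is the point of running these tools regularly rather than once.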
     
  23. bahamot

    bahamot Registered Member

    Joined:
    May 28, 2008
    Posts:
    16
    The only reason why I'm using AV on Linux is because I'm downloading files on a Linux laptop and copying them to Windows PCs.

    Edit:
    I'm using F-prot, Avast!, and BitDefender.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Why don't you just let the Windows PC's AV detect it when it gets there, and keep your Linux free of AVs.
     
  25. lewmur

    lewmur Registered Member

    Joined:
    Dec 22, 2008
    Posts:
    332
    Either that or scan the files manually before copying them.
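    The "scan the files manually before copying them" step, as an added example that is not part of the thread: a gate that copies a downloaded file to a Windows share only when an on-demand ClamAV scan returns clean, and quarantines it otherwise. This is the same use tlu and bahamot describe (Linux as a relay to Windows users). It assumes clamscan is installed and uses its documented exit codes (0 clean, 1 infected, 2 error); the SCANNER and QUARANTINE variables and the helper names (scan_file, copy_if_clean) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): copy a file onward only if an
# on-demand scan says it is clean. Assumes clamscan exit codes
# 0 = clean, 1 = infected, 2 = error. SCANNER is overridable so the
# control flow can be exercised with a stand-in.
SCANNER="${SCANNER:-clamscan}"
QUARANTINE="${QUARANTINE:-$HOME/quarantine}"

# scan_file FILE -> 0 clean, 1 infected, 2 scanner error or missing
scan_file() {
    if ! command -v "$SCANNER" >/dev/null 2>&1; then
        echo "scanner '$SCANNER' not found" >&2
        return 2
    fi
    # --infected prints only hits, so normal output is silent
    "$SCANNER" --no-summary --infected "$1"
    return $?
}

# copy_if_clean SRC DEST_DIR -> copies on clean, quarantines on infected,
# leaves SRC untouched on scanner error; returns the scan status
copy_if_clean() {
    src=$1; dest=$2
    scan_file "$src"
    rc=$?
    case $rc in
        0) cp -- "$src" "$dest/" && echo "clean: $src -> $dest" ;;
        1) mkdir -p "$QUARANTINE" && mv -- "$src" "$QUARANTINE/" \
               && echo "INFECTED: $src moved to $QUARANTINE" >&2 ;;
        *) echo "scan error ($rc): $src not copied" >&2 ;;
    esac
    return $rc
}

# Usage: scan-gate.sh /mnt/windows_share file1 [file2 ...]
if [ "$#" -ge 2 ]; then
    dest=$1; shift
    for f in "$@"; do copy_if_clean "$f" "$dest"; done
fi
```

    Treating a scanner error as "not copied" rather than "clean" is the deliberate choice here: a missing or failed scan should never silently pass a file through to the Windows side.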
     